We describe a general automata-theoretic approach for analyzing the verification problems of discrete timed automata (i.e., timed automata with integer-valued clocks) augmented with various data structures. Formally, let C be a class of nondeterministic machines with reversal-bounded counters and possibly other data structures (e.g., a pushdown stack, a queue, a read-write worktape, etc.). Let A be a discrete timed automaton and M be a machine in C. Denote by A ⊕ M the combined automaton, i.e., A augmented with M (in some precise sense to be defined). We show that if C has a decidable emptiness problem, then the (binary, forward, backward) reachability, safety, and invariance for A ⊕ M are solvable. We give examples of such C's and exhibit some new properties of discrete timed automata that can be verified. We also briefly consider reachability in discrete timed automata operating in parallel.
Introduction
Ever since the introduction of the model of a timed automaton [1], there have been many studies that extend the expressive power of the model (e.g., [2, 4, 5, 7, 10]). For instance, [2] considers models of hybrid systems of finite automata supplied with (unbounded) discrete data structures and continuous variables and obtains decidability results for several classes of systems with control variables and observation variables. Comon and Jurski [5, 4] show that the binary reachability of timed automata is expressible in the additive theory of the reals. Dang et al. [7] characterize the binary reachability of discrete timed automata (i.e., timed automata with integer-valued clocks) augmented with a pushdown stack, while Ibarra et al. [10] look at queue-connected discrete timed automata.
In this paper, we extend the ideas in [7, 10] and describe a general automata-theoretic approach for analyzing the verification problems of discrete timed automata augmented with various data structures. Formally, let C be a class of nondeterministic machines with reversal-bounded counters (i.e., each counter can be incremented or decremented by 1 and tested for zero, but the number of alternations between nondecreasing mode and nonincreasing mode is bounded by a constant, independent of the computation) and possibly other data structures, e.g., a pushdown stack, a queue, a read-write worktape, etc. Let A be a discrete timed automaton and M be a machine in C. Denote by A ⊕ M the combined automaton, i.e., A augmented with M (in some precise sense to be defined). We show that if C has a decidable emptiness problem, then the (binary, forward, backward) reachability, safety, and invariance for A ⊕ M are also solvable. We give examples of such C's and exhibit some new properties of discrete timed automata that can be verified:
1. For example, let A be a discrete timed automaton with k clocks. For a given computation of A, let r_i be the number of times clock i resets, i = 1, ..., k. Suppose we are interested in computations of A in which the r_i's satisfy a Presburger formula f, i.e., we are interested in the set Q of pairs of configurations ( , β) such that can reach β in a computation in which the clock resets satisfy f. (A configuration of A is a pair (q, U), where q is a state and U is the set of clock values.) We can show that Q is Presburger. One can also put other constraints, like introducing a parameter t_i for each clock i, and consider computations where the first time i resets to zero is before (or after) time t_i. Then Q(t_1, ..., t_k) is Presburger.
2. As another example, suppose we are interested in the set S of pairs of configurations ( , β) of a discrete timed automaton A such that there is a computation path (i.e., sequence of states) from to β that satisfies a property that can be verified by a machine in a class C. If C has a decidable emptiness problem, then S is effectively computable. For example, suppose that the property is for the path to contain three nonoverlapping subpaths (i.e., segments of computation) which go through the same sequence of states, and the length of the subpath is no less than 1/5 of the length of the entire path. We can show that S is computable. The constraints in 1 and 2 can be combined; thus, we can show that the set of pairs of configurations that are in both Q and S is computable.
3. We can equip the discrete timed automaton with one-way write-only tapes which the automaton can use to record certain information about the computation of the system (and perhaps even require that the strings appearing in these tapes satisfy some properties). Such systems can effectively be analyzed.
Finally, we briefly look at reachability in machines (i.e., A_1 ⊕ M_1 and A_2 ⊕ M_2) operating in parallel.
Combining discrete timed automata with other machines
A timed automaton [1] is a finite-state machine augmented with finitely many real-valued clocks. All the clocks progress synchronously with rate 1, except that a clock can be reset to 0 at some transition. Here, we only consider integer-valued clocks. A clock constraint is a Boolean combination of atomic clock constraints in the following form: x # c, x − y # c, where # denotes ≤, ≥, <, >, or =, c is an integer, and x, y are integer-valued clocks. Let L_X be the set of all clock constraints on clocks X. Let Z be the set of integers and N the set of nonnegative integers. Formally, a discrete timed automaton A is a tuple S, X, E where 1. S is a finite set of (control) states, 2. X is a finite set of clocks with values in N, and 3. E ⊆ S × 2^X × L_X × S is a finite set of edges or transitions. Each edge s, , l, s in E denotes a transition from state s to state s with enabling condition l ∈ L_X and a set of clock resets ⊆ X. Note that may be empty. The meaning of a one-step transition along an edge s, , l, s is as follows:
• The state changes from s to s.
• Each clock changes. If there are no clock resets on the edge, i.e., = ∅, then each clock x ∈ X progresses by one time unit. If ≠ ∅, then each clock x ∈ is reset to 0 while each x ∉ remains unchanged.
• The enabling condition l is satisfied.
The notion of a discrete timed automaton defined above is slightly different from, but easily shown equivalent to, the standard definition of a (discrete) timed automaton in [1] (see [7]). Now consider a class C of acceptors, where each machine M in the class is a nondeterministic finite automaton augmented with finitely many counters, and possibly other data structures. Thus, M = Q, , q_0, F, K, D, , where Q is the state set, is the input alphabet, q_0 is the start state, F is the set of accepting states, K is the set of counters, D the other data structures, and is the transition function. In the move (q, a, s_1, ..., s_k, loc) = {t_1, ..., t_m},
• q is the state, a is or a symbol in , s_i is the status of counter i (i.e., zero or non-zero), and loc is the "local" portion of the data structure(s) D that influences (affects) the move.
The language accepted by M is denoted by L(M). We will only be interested in C's with a decidable emptiness problem. This is the problem of deciding for a given acceptor in C, whether L(M) is empty. Since the emptiness problem for finite automata augmented with two counters is undecidable [11], we will need to put some restrictions on the operation of the counters.
Let r be a nonnegative integer. We say that a counter is r-reversal if the counter changes mode from nondecreasing to nonincreasing and vice-versa at most r times, independent of the computation. So, for example, a counter whose values change according to the pattern 0 1 1 2 3 3 3 4 5 5 5 4 3 2 1 1 0 0 1 1 2 3 3 is 2-reversal. When we say that the counters are reversal-bounded, we mean that we are given an integer r such that each counter is r-reversal. From now on, we will assume that the acceptors in C have reversal-bounded counters.
We can extend the acceptors in C to multitape acceptors by providing them with multiple one-way read-only input tapes. Thus, a k-tape acceptor now accepts a k-tuple of words (strings). We call the resulting class of acceptors C(k). The emptiness problem for C(k) is deciding for a given k-tape acceptor M, whether it accepts an empty set of k-tuples of strings. We denote C(1) simply by C. One can easily show the following:
Theorem 1. If the emptiness problem for C is decidable, then the emptiness problem for C(k) is decidable.
Proof. We give a proof for the case k = 2. Let M be a 2-tape acceptor in C(2). We may assume without loss of generality that the two tapes of M use disjoint input alphabets. We construct an acceptor M in C such that L(M) is empty if and only if L(M) is empty. The idea of the construction is as follows: If (x_1, x_2) is an input to M, then the input to M is a string x which is some interlacing of the symbols in x_1 and x_2 (i.e., x is a shuffle of x_1 and x_2). Thus x with the symbols in x_1 (x_2) deleted reduces to x_2 (x_1). Clearly M can simulate the actions of the two input heads of M on input x.
In the rest of the paper, we will assume that C has a decidable emptiness problem. In the area of verification, we are mostly interested in the "behavior" of machines rather than their language-accepting capabilities. When dealing with machines in C without inputs, we shall refer to them simply as machines. Thus, when we say "a machine M in C", we mean that M has no input tape.
Let A be a discrete timed automaton and M a machine in class C (hence, M has no input tape!). Let A ⊕ M be the machine obtained by augmenting A with M. So, e.g., if M is a machine with a pushdown stack and reversal-bounded counters, then A ⊕ M will be a discrete pushdown timed automaton with reversal-bounded counters. We will describe more precisely how A ⊕ M operates later. A configuration of A ⊕ M is a can reach β. This set is the binary reachability of A ⊕ M. We assume that the configurations are represented as strings over some alphabet, where the components of a configuration are separated by markers, and the clock and counter values are represented in unary. We also assume that each of the following tasks can be implemented on a machine M in C:
1. M, when given a configuration = (s, U, q, V, v(D)) of A ⊕ M on its input tape, can represent this configuration in its counters and data structures, i.e., M can read and record the states s and q, store the set of values of U and V in appropriate counters, and store v(D) in its data structures.
2. M, when given a configuration on its input tape, can check if represents its current configuration (this task is the converse of 1).
In the following, A is a discrete timed automaton and M is a machine in C; FCA refers to a nondeterministic finite automaton (acceptor) augmented with reversal-bounded counters.
Theorem 2.
We can effectively construct a 2-tape acceptor in C(2) accepting Reach
Note that the input to the 2-tape acceptor is a pair of configurations ( , β), where (β) is on the first (second) tape. We illustrate the proof in the next section for a particular class C.
Theorem 3. If I (the initial set) and P (the unsafe set) are two sets of configurations of A ⊕ M, let BAD be the set of all configurations in I that can reach configurations in P. If I and P can be accepted by FCAs, then we can effectively construct an acceptor in C accepting BAD. Hence, nonsafety is decidable with respect to P.
Proof. Let M_I and M_P be FCAs accepting I and P, respectively. From Theorem 2, we can construct a 2-tape acceptor B in C(2) accepting Reach(A ⊕ M). By using additional counters, we can modify B to a 2-tape acceptor B which also checks that (β) on tape1 (tape2) is accepted by M_I (M_P). Now construct from B an acceptor B which deletes the second tape. Clearly, L(B) = BAD. Then A ⊕ M is unsafe if and only if L(B) is nonempty, which is decidable by Theorem 1.
Since the complement of a language accepted by a deterministic FCA can also be accepted by an FCA [8], we also have:
Theorem 4. If I and P (the safe set) are two sets of configurations of A ⊕ M, let GOOD be the set of all configurations in I that can only reach configurations in P. If I can be accepted by an FCA and P can be accepted by a deterministic FCA, then we can decide whether GOOD = I. Hence, invariance is decidable with respect to P.
We can show that forward reachability is computable.
Theorem 5. Let I be a set of configurations accepted by an FCA. We can effectively construct an acceptor in C accepting post*(A ⊕ M, I) = the set of all configurations reachable from configurations in I.
Proof. Let M_I be an FCA accepting I. As in Theorem 3, we can construct a 2-tape acceptor B in C(2) accepting the set of all pairs of configurations ( , β) in Reach(M) such that is accepted by M_I. We can then construct from B an acceptor B in C which deletes the first tape, and L(B) = post*(A ⊕ M, I).
Similarly, for backward reachability we have:
Theorem 6. Let I be a set of configurations accepted by an FCA. We can effectively construct an acceptor in C accepting pre*(A ⊕ M, I) = the set of all configurations that can reach configurations in I.
We can equip A ⊕ M with a one-way input tape. In order to do this, we can simply change the format of the transition edge of A to a 5-tuple s, , l, s, a in E, where a denotes an input symbol or (the null string). The meaning of this edge is as before, but now A can read a symbol or a null string at each transition. We also define a subset of the states of A as accepting states. Then A ⊕ M becomes an acceptor. Note that A and M will now start on some prescribed initial configurations (e.g., A is initialized to its start state with all clocks zero, M is initialized to its start state with all counters zero and the other data structures properly initialized). We will prove the following in the next section.
Theorem 7. It is decidable to determine, given an acceptor A ⊕ M, whether A ⊕ M accepts the empty set.
One can extend the A ⊕ M acceptor to have multiple input tapes. Then, similar to Theorem 1, we have:
It is decidable to determine, given a multitape acceptor A ⊕ M, whether A ⊕ M accepts the empty set.
We can also equip the multitape A ⊕ M acceptor with one-way output tapes. But, clearly, these output tapes can also be viewed as input tapes (since writing can be simulated by reading). Hence, the analysis of a multi-input-tape multi-output-tape A ⊕ M reduces to the analysis of multi-input-tape A ⊕ M.
Examples of C
We illustrate the proof of Theorem 2 for the class C, where each machine is a nondeterministic machine with a pushdown stack and finitely many reversal-bounded counters. Call a machine in this class a PCM, and PCA when it has an input tape (i.e., it is an acceptor). It is known that the emptiness problem for PCAs is decidable [8]. Let A be a discrete timed automaton and M be a PCM. We describe precisely how A ⊕ M operates.
A configuration of the timed automaton A is of the form (s, U), where s is the state and U is the set of clock values. Now machine M has states, pushdown stack, and reversal-bounded counters. A move of M is defined by a transition function . If (q, Z, s_1, ..., s_k) = {t_1, ..., t_m}, then
• q is the state, Z is the topmost symbol, and s_i is the status of counter i (i.e., zero or non-zero).
• t_1, ..., t_m are the choices of moves (note that M is nondeterministic). Each t_i is of the form (p, w, d_1, ..., d_k), which means pop Z and push string w (which is possibly empty) onto the stack, increment counter i by d_i (1, 0, or −1), and enter state p.
A configuration of M can be represented by a tuple of the form (q, V, w), where q is a state, V is the set of values of the counters, and w is the content of the stack with the rightmost symbol at the top of the stack.
A transition of the combined machine A ⊕ M is now a tuple s, , l, s, ENTER(M, R), where s, , l, s is as in a timed automaton. The combined transition is now carried out in two stages. As before, A (the timed automaton component of the combined machine) makes the transition based on s, , l, s. It then transfers control to machine M by executing the command ENTER(M, R), where R is a one-step transition rule: R(s, , l, s, q, Z, s_1, ..., s_k) = {t_1, ..., t_m}. Note that the outcome of this transition (i.e., the right side of the rule) not only depends on s, , l, s, but also on the current state, status of the counters, and the topmost symbol of the stack. This R is then followed by a sequence of transitions by M (using the transition function ). Thus the use of ENTER(M, R) allows the combined machine to update the configuration of M through a sequence of M's transitions. After some amount of computation, M returns control to A by entering a special state or command RETURN. When this happens, A will now be in state s. Thus the computation of A ⊕ M is like in a timed automaton, except that between each transition of A, the system calls M to do some computation.
A configuration of the system is a tuple of the form = (s, U, q, V, w). Thus, a configuration is a result of an execution of a (possibly empty) sequence of (ENTER, RETURN) commands. Note that a configuration can be represented as a string where the clock values U and counter values V are represented in unary and the components of the tuple are separated by markers.
As defined earlier, the binary reachability is Reach(A ⊕ M) = the set of all pairs of configurations ( , β), where can reach β. We will show that Reach(A ⊕ M) can be accepted by a 2-tape PCA. Note that the input to the acceptor is a pair of strings ( , β), where (β) is on the first (second) tape.
First we note that we can view the clocks in a discrete timed automaton A as counters, which we shall also refer to as clock-counters. In a reversal-bounded multicounter machine, only standard tests (comparing a counter against 0) and standard assignments (increment or decrement a counter by 1, or simply no-change) are allowed. But clock-counters in A have neither standard tests nor standard assignments. The reasons are as follows. A clock constraint allows comparison between two clocks like x_2 − x_1 > 7. Note that using only standard tests we cannot directly compare the difference of two clock-counter values against an integer like 7 by computing x_2 − x_1 in another counter, since each time this computation is done, it will cause at least a counter reversal, and the number of such tests during a computation can be unbounded. The clock progress x := x + 1 is standard, but the clock reset x := 0 is not. Since there is no bound on the number of clock resets, clock-counters may not be reversal-bounded (each reset causes a counter reversal).
We first prove an intermediate result. Define a semi-PCA as a PCA which, in addition to a stack and reversal-bounded counters, has clock-counters that use nonstandard tests and assignments as described in the preceding paragraph.
Lemma 1.
We can effectively construct, given a discrete timed automaton A and PCM M, a 2-tape semi-PCA B accepting Reach(A ⊕ M).
Proof. We describe the construction of the 2-tape semi-PCA B. Given a pair of configurations ( , β) on its two input tapes, B first copies into its counters and stack (these include the clock-counters). Then B simulates the ("alternating" mode of) computation of A ⊕ M starting from configuration as described above. It is clear that B can do this. After some time, B guesses that it has reached the configuration β. It then checks that the values of the counters and stack match those on the second input tape. B accepts if the check succeeds. However, there is a slight complication because the pushdown stack content is in "reverse". If the stack content on the second tape is written in reverse, there is no problem. One can get around this difficulty if the comparison of the stack content with the second tape is done during the simulation instead of waiting until the end of the simulation. This involves guessing, for each position of the stack, the last time M rewrites this position, i.e., that the symbol would not be rewritten further in reaching configuration β. So, e.g., if on stack position p, the symbol changes are Z_1, ..., Z_k for the entire computation, then Z_k is the last symbol written on the position, and B checks after Z_k is written that the pth position of the stack word in β is Z_k. M marks Z_k in the stack and makes sure that this symbol is never popped or rewritten in the rest of the computation.
The next lemma uses a technique from [7] (see also [9]).
Lemma 2.
We can effectively construct from the 2-tape semi-PCA B, a 2-tape PCA C equivalent to B.
Proof. The 2-tape PCA C operates like B, but the simulation of A ⊕ M differs in the way A is simulated. Let A have clock-counters x_1, ..., x_k. Let m be one plus the maximal absolute value of all the integer constants that appear in the tests (i.e., the clock constraints on the edges of A in the form of Boolean combinations of x_i # c, x_i − x_j # c with c an integer). Denote the finite set {−m, ..., 0, ..., m} by [m]. Define two finite tables with entries a_ij and b_i for 1 ≤ i, j ≤ k. Each entry can be regarded as a finite state variable with states in [m]. Intuitively, a_ij is used to record the difference between two clock values of x_i and x_j, and b_i is used to record the clock value of x_i. During the computation of A, when the difference x_i − x_j (or the value x_i) goes above m or below −m, a_ij (or b_i) stays the same as m or −m. The procedure for updating the entries is given below, where " ⊕ 1" means adding one if the result does not exceed m, else it keeps the same value. " 1" means subtracting one if the result is not less than −m, else it keeps the same value. We modify A as follows. Consider a transition edge in A. If on the edge the set of clock resets = ∅, the entries are updated by adding the following instructions for each 1 ≤ i ≤ k:
• a_ij := a_ij for each 1 ≤ j ≤ k. Recall that all the clocks progress after this edge; thus, the difference is unchanged.
That is, clocks progress by one time unit.
If the set of clock resets is ≠ ∅, the entries are updated by adding the following instructions for each 1 ≤ i, j ≤ k:
• a_ij := 0 if i ∈ and j ∈ . In this case, both clocks x_i and x_j reset to 0.
• a_ij := −b_j if i ∈ and j ∉ . In this case, x_i resets but x_j does not. So the difference should be −x_j.
• a_ij := b_i if i ∉ and j ∈ .
• a_ij := a_ij if i ∉ and j ∉ .
We then add the following instructions:
The initial values of a_ij and b_i can be constructed directly from the values xi of clocks x_i in configuration , for each 1 ≤ i, j ≤ k: Thus clock-counter comparisons are replaced by finite table look-up and, therefore, nonstandard tests are not present in C. Finally, we show how nonstandard assignments of the form x_i := 0 (clock resets) in machine C can be avoided.
Clearly after eliminating the clock comparisons, the clock-counters in C do not participate in any tests except:
• at the beginning of the simulation when the initial values of the x_i's are used to compute the initial values of the a_ij's and the b_i's as described above;
• at the end of the simulation when the final values of the x_i's are compared with the second input tape to check whether they match those in β.
Thus, for each x_i, during the simulation of A but before the last reset of x_i, the actual value of x_i is irrelevant. We describe how to construct a 2-tape PCA D from C such that in the simulation of A, no nonstandard assignment is used. For each clock x_i in A, there are two cases. The first case is when x_i will not be reset during the entire simulation of C. The second case is when x_i will be reset. D guesses the case for each x_i. For the first case, x_i is already reversal-bounded, since the nonstandard assignment x_i := 0 is not used. For the second case, D first decrements x_i to 0. Then D simulates C. Whenever a clock progress x_i := x_i + 1 or a clock reset x_i := 0 is being executed by A, D keeps x_i as 0. But, at some point when a clock reset x_i := 0 is being executed by A, D guesses that this is the last clock reset for x_i. After this point, D faithfully simulates a clock progress x_i := x_i + 1 executed by A, and a later execution of a clock reset x_i := 0 in A will cause D to abort abnormally (since the guess of the last reset of x_i was wrong). Thus D uses only standard assignments x_i := x_i + 1, x_i := x_i, and x_i := x_i − 1 initially to bring x_i to 0 (for the second case).
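The two steps of the proof of Lemma 2 can be exercised in code. The following Python sketch is an added example, not code from the paper: it keeps the saturated tables a_ij and b_i next to the real clock values and checks that every atomic constraint with a constant of absolute value below m gets the same answer from both, and it then replays the last-reset guess used by D. The function names, the random reset schedules, and the b_i updates and initial table values (whose formulas are missing from the text above) are assumptions made for this example.

```python
import operator
import random
from itertools import product

OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
       ">": operator.gt, "==": operator.eq}

def clamp(v, m):
    return max(-m, min(m, v))                # saturate into [-m, m]

def concrete_step(clocks, resets):
    """One edge of A: empty reset set -> every clock +1, else reset the chosen clocks."""
    if not resets:
        return [x + 1 for x in clocks]
    return [0 if i in resets else x for i, x in enumerate(clocks)]

class ClockTables:
    """Finite tables: a[i][j] tracks x_i - x_j and b[i] tracks x_i, both within [-m, m]."""

    def __init__(self, clocks, m):
        self.m = m
        # Assumption: initial entries (and the b updates below) are the saturated
        # clock values; the page's own formulas for them did not survive.
        self.b = [clamp(x, m) for x in clocks]
        self.a = [[clamp(xi - xj, m) for xj in clocks] for xi in clocks]

    def step(self, resets):
        if not resets:                       # progress: every a[i][j] is unchanged
            self.b = [min(self.m, v + 1) for v in self.b]
            return
        old_b = list(self.b)
        for i, j in product(range(len(old_b)), repeat=2):
            if i in resets and j in resets:
                self.a[i][j] = 0
            elif i in resets:                # x_i reset, x_j not: difference is -x_j
                self.a[i][j] = -old_b[j]
            elif j in resets:                # x_j reset, x_i not: difference is x_i
                self.a[i][j] = old_b[i]
        for i in resets:
            self.b[i] = 0

    def holds(self, i, j, op, c):
        """Evaluate x_i # c (j is None) or x_i - x_j # c by table look-up only."""
        return OPS[op](self.b[i] if j is None else self.a[i][j], c)

def random_schedule(k, steps, rng):
    """Constructed input: a random sequence of reset sets (empty set = progress)."""
    return [set() if rng.random() < 0.7 else
            {i for i in range(k) if rng.random() < 0.5} for _ in range(steps)]

def tables_agree(k=3, max_const=4, steps=500, seed=7):
    """Number of constraint checks made if tables and real clocks always agree, else -1."""
    rng = random.Random(seed)
    m = max_const + 1                        # one plus the largest constant in any test
    clocks = [rng.randrange(3 * m) for _ in range(k)]
    tables = ClockTables(clocks, m)
    consts, checked = range(-max_const, max_const + 1), 0
    for resets in random_schedule(k, steps, rng):
        clocks = concrete_step(clocks, resets)
        tables.step(resets)
        for op, c, i, j in product(OPS, consts, range(k), [None, *range(k)]):
            real = clocks[i] if j is None else clocks[i] - clocks[j]
            if tables.holds(i, j, op, c) != OPS[op](real, c):
                return -1
            checked += 1
    return checked

def last_reset_counter(x0, schedule, i, guess):
    """D's counter for clock i. guess is None (x_i is never reset) or the index of the
    step guessed to be its last reset. Returns the final value, or None on abort."""
    if guess is not None and i not in schedule[guess]:
        return None                          # a guess can only be made at a reset of x_i
    value = x0 if guess is None else 0       # second case: x_i is first decremented to 0
    for n, resets in enumerate(schedule):
        if guess is not None and n <= guess:
            continue                         # up to the guessed last reset: stay at 0
        if i in resets:
            return None                      # a later reset refutes the guess
        if not resets:
            value += 1                       # faithful clock progress
    return value

def last_reset_guess_is_exact(k=3, steps=200, seed=11):
    """The right guess reproduces the true final clock value; every other guess aborts."""
    rng = random.Random(seed)
    x0 = [rng.randrange(10) for _ in range(k)]
    schedule = random_schedule(k, steps, rng)
    final = x0
    for resets in schedule:
        final = concrete_step(final, resets)
    for i in range(k):
        at = [n for n, r in enumerate(schedule) if i in r]
        right, wrong = (at[-1], [None] + at[:-1]) if at else (None, [])
        if last_reset_counter(x0[i], schedule, i, right) != final[i]:
            return False
        if any(last_reset_counter(x0[i], schedule, i, g) is not None for g in wrong):
            return False
    return True
```

After its starting value is fixed, the counter in `last_reset_counter` only ever stays put or goes up by one, which is why the construction needs no reset assignment.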
From the above lemmas, we have:
We can effectively construct, given a discrete timed automaton A and a PCM M, a 2-tape PCA accepting Reach(A ⊕ M).
One can generalize Theorem 8. Extend a PCA acceptor by allowing the machine to have multiple pushdown stacks. Thus the machine will have multiple reversal-bounded counters and multiple stacks (ordered by name, say S_1, ..., S_m). The operation of the machine is restricted in that it can only read the topmost symbol of the first nonempty stack. Thus a move of the machine would depend only on the current state, the input symbol (or ), the status of each counter (zero or nonzero), and the topmost symbol of the first stack, say S_i, that is not empty (initially, all stacks are set to some starting top symbol). The action taken in the move consists of the input being consumed, each counter being updated (+1, −1, 0), the topmost symbol of S_i being popped and a string (possibly empty) being pushed onto each stack, and the next state being entered. This acceptor, call it MPCA, was studied in [6] as a generalization of a PCA [8] and a generalization of a multipushdown acceptor [3]. Thus an MPCA with only one stack reduces to a PCA.
By combining the techniques in [8] and [3], it was shown in [6] that the emptiness problem for MPCAs is decidable. An MPCA without an input tape will be called an MPCM. By a construction similar to that of Theorem 8, we can prove the next result. Note that checking that the contents of the stacks at the end of the simulation are the same as the stack words in the target configuration does not require the latter to be in reverse (or need special handling), since we can first reverse the stack contents by using another set of pushdown stacks and then check that they match the stack words in the target configuration.
Theorem 9.
We can effectively construct, given a discrete timed automaton A and an MPCM M, a 2-tape MPCA accepting Reach(A ⊕ M).
Other examples of classes C that can be shown to have a decidable emptiness problem are given below. Thus, the results in Section 2 apply.
1. Nondeterministic machines with reversal-bounded counters and a two-way read/write worktape that is restricted in that the number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant, independent of the computation (thus, the worktape is finite-crossing). There is no bound on how long the head can remain on a cell [9].
2. Nondeterministic machines with reversal-bounded counters and a queue that is restricted in that the number of alternations between nondeletion phase and noninsertion phase is bounded by a constant [9]. A nondeletion (noninsertion) phase is a period consisting of insertions (deletions) and no-changes, i.e., the queue is idle. Without the restriction, emptiness is undecidable since it is known that a finite-state machine with an unrestricted queue can simulate a Turing machine.
Finally, as mentioned in the paragraph preceding Theorem 7, we can provide the machine A ⊕ M with an input tape. The language accepted by such an acceptor can be shown to be accepted by an acceptor M which belongs to the same class as M (the simulation is similar to the one described in Lemmas 1 and 2). Thus, Theorem 7 follows.
Applications
In this section we exhibit some properties of timed automata that can be verified using the results above.
Example 1. (Real-time) pushdown timed systems with "observation" counters were studied in [2]. The purpose of these counters is to record information about the evolution of the system and to reason about certain properties (e.g., number of occurrences of certain events in some computation). The counters do not participate in the dynamics of the system, i.e., they are never tested by the system. A transition edge specifies for each observation counter an integral value (positive, negative, zero) to be added to the counter. Of interest are the values of the counters when the system reaches a specified configuration. It was shown in [2] that "region" reachability is decidable for these systems.
Clearly, for the discrete case, such a system can be simulated by the machine A ⊕ M described in the previous section. We associate in M two counters for each observation counter: one counter keeps track of the positive increases and the other counter keeps track of the negative increases. When the target configuration is reached, the difference can be computed in one of the counters. Note that the sign of the difference can be specified in another counter, which is set to 0 for negative and 1 for positive. Thus, from Theorems 2-6, (binary, forward, backward) reachability, safety, and invariance are solvable for these systems.
Example 2. Let A be a discrete timed automaton and M be a nondeterministic pushdown machine with reversal-bounded counters. For a given computation of A ⊕ M, let r_i be the number of times clock x_i resets. Suppose we are interested in computations in which the r_i's satisfy a Presburger formula f, i.e., we are interested in ( , β) in Reach(A ⊕ M) such that can reach β in a computation in which the clock resets satisfy f. It is known that a set of k-tuples is definable by a Presburger formula f if and only if it is definable by a reversal-bounded multicounter machine [8]. (Thus, a machine M_f with no input tape but with reversal-bounded counters can be effectively constructed from f such that when the values of the first k counters are set to the k-tuple and all the other counters are initially zero, M_f enters an accepting state if and only if the k-tuple satisfies f. In fact, M_f can be made deterministic [8].) It follows that we can construct a 2-tape pushdown acceptor with reversal-bounded counters M accepting the set Q of pairs of configurations ( , β) in Reach(A ⊕ M) such that can reach β in a computation in which the clock resets satisfy f. One can also put other constraints, like introducing a parameter t_i for each clock i, and consider computations where the first time i resets to zero is before (or after) time t_i. We can construct a 3-tape acceptor M from M accepting Q(t_1, ..., t_k). M first reads the parameters t_i's (which are given on the third input tape) and then simulates M, checking that the constraint on the first time clock i resets is satisfied. Note that if M has no pushdown stack, then Q and Q(t_1, ..., t_k) are Presburger.
Example 3. As another example, suppose we are interested in the set S of pairs of configurations ( , β) of a discrete timed automaton A such that there is a computation path (i.e., sequence of states) from to β that satisfies a property that can be verified by an acceptor in a class C. If C has a decidable emptiness problem, then S is effectively computable. For example, suppose that the property is for the path to contain three nonoverlapping subpaths (i.e., segments of computation) which go through the same sequence of states, and the length of the subpath is no less than 1/5 of the length of the entire path. Thus if p is the computation path, there exist subpaths p_1, ..., p_7 (some may be null) such that p = p_1 p_2 p_3 p_4 p_5 p_6 p_7, where p_2, p_4, and p_6 go through the same sequence of states, and length of p_2 = length of p_4 = length of p_6 is no less than 1/5 of the length of p. We can check this property by incorporating a finite-crossing read-write tape to the machine (actually, the head need only make 5 crossings on the read-write tape).
Example 4. We can equip A ⊕ M with one-way write-only tapes which the machine can use to record certain information about the computation of the system (and perhaps even requiring that the strings appearing in these tapes satisfy some properties). From Corollary 1, such systems can effectively be analyzed.
Reachability in parallel discrete timed automata
The technique of using the reversal-bounded counters to record and compare various integers (like the running times of the machines) in the proofs in Section 3 can be used to decide some reachability questions concerning machines operating in parallel. We give two examples below.
Let A_1, A_2 be discrete timed automata and M_1, M_2 be PCMs. Recall from Section 3 that a configuration of A_i ⊕ M_i is a 5-tuple _i = (s_i, U_i, q_i, V_i, w_i). Suppose we are given a pair of configurations ( _1, β_1) of A_1 ⊕ M_1 and a pair of configurations ( _2, β_2) of A_2 ⊕ M_2, and we want to know if A_i ⊕ M_i when started in configuration _i can reach configuration β_i at some time t_i, with t_1 and t_2 satisfying a given linear relation L(t_1, t_2) definable by a Presburger formula. (Thus, e.g., if the linear relation is t_1 = t_2, then we want to determine if A_1 ⊕ M_1 when started in configuration _1 reaches β_1 at the same time that A_2 ⊕ M_2 when started in _2 reaches β_2.) This reachability question is decidable. The idea is the following. First note that we can incorporate a counter in M_i that records the running time t_i of A_i ⊕ M_i. Let Z_i be a 2-tape PCA accepting R(A_i ⊕ M_i). We construct a 4-tape PCA Z which, when given _1, β_1, _2, β_2 in its 4 tapes, first simulates the computation of Z_1 to check that _1 can reach β_1, recording the running time t_1 (which is in configuration β_1) of A_1 ⊕ M_1 in a counter. Z then simulates Z_2. Finally, Z checks that the running times t_1 and t_2 satisfy the given linear relation (which can be verified since Presburger formulas can be evaluated by nondeterministic reversal-bounded multicounter machines). Since the emptiness problem for PCAs is decidable, decidability of reachability follows.
We can allow the machines A_1 ⊕ M_1 and A_2 ⊕ M_2 to share a common input tape, i.e., each machine has a one-way read-only input head (see the paragraph preceding Theorem 7). A configuration _i will now be a 7-tuple _i = (s_i, U_i, q_i, V_i, w_i, h_i), where h_i is the position of the input head on the common input x. One can show that if both A_1 ⊕ M_1 and A_2 ⊕ M_2 have a one-turn stack (or an unrestricted counter), then reachability is undecidable, even if they have no reversal-bounded counters and the linear relation is t_1 = t_2. However, if only one of A_1 ⊕ M_1 and A_2 ⊕ M_2 has an unrestricted pushdown stack, then reachability is decidable. Again, the idea is to construct a 5-tape PCA which, when given _1, β_1, _2, β_2, x, first simulates M_1 and M_2 in parallel on the input x.
If one of the machines, e.g., M_1, advances its input head to the next input symbol, but M_2 has not yet read the current input symbol, M does not advance its input head and "suspends" the simulation of M_1 until M_2 has read the current symbol or M guesses that M_2 will not be reading further on the input to reach the target configuration.
Note that the above results generalize to any number, k, of machines A_i ⊕ M_i (i = 1, ..., k) operating in parallel.
Conclusions
We showed that a discrete timed automaton augmented with a machine with reversal-bounded counters and possibly other data structures from a class C of machines can be effectively analyzed with respect to reachability, safety, and other properties if C has a decidable emptiness problem. We gave examples of such C's and examples of new properties of discrete timed automata that can be verified. We also showed that reachability in parallel machines can be effectively decided. It would be interesting to look for other classes of C's with decidable emptiness problem.
