On the expressive power of invariants in parametric timed automata by André, Étienne et al.
ar
X
iv
:1
90
8.
06
63
3v
1 
 [c
s.F
L]
  1
9 A
ug
 20
19
On the expressive power of invariants in parametric
timed automata
E´tienne Andre´
Universite´ Paris 13, LIPN, CNRS,
UMR 7030, F-93430,
Villetaneuse, France
JFLI, CNRS, Tokyo, Japan
National Institute of Informatics, Tokyo, Japan
Didier Lime
E´cole Centrale de Nantes, LS2N, CNRS,
UMR 6004,
Nantes, France
Mathias Ramparison
Universite´ Paris 13, LIPN, CNRS,
UMR 7030, F-93430
Villetaneuse, France
Abstract—The verification of systems combining hard tim-
ing constraints with concurrency is challenging. This challenge
becomes even harder when some timing constants are missing
or unknown. Parametric timed formalisms, such as parametric
timed automata (PTAs), tackle the synthesis of such timing
constants (seen as parameters) for which a property holds. Such
formalisms are highly expressive, but also undecidable, and few
decidable subclasses were proposed. We propose here a syntactic
restriction on PTAs consisting in removing guards (constraints
on transitions) to keep only invariants (constraints on locations).
While this restriction preserves the expressiveness of PTAs (and
therefore their undecidability), an additional restriction on the
type of constraints allows to not only prove decidability, but also
to perform the exact synthesis of parameter valuations satisfying
reachability. This formalism, that seems trivial at first sight as
it benefits from the decidability of the reachability problem with
a better complexity than Timed Automata (TAs), suffers from
the undecidability of the whole TCTL logic that TAs, on the
contrary enjoy. We believe our formalism allows for an interesting
trade-off between decidability and practical expressiveness and
is therefore promising. We show its applicability in a small case
study.
I. INTRODUCTION
The verification of systems combining hard timing con-
straints with concurrency is challenging. This challenge be-
comes even harder when some timing constants are missing
or unknown. Parametric timed formalisms tackle the synthesis
of such timing constants (seen as parameters) for which a
property holds. A well-known such formalism is parametric
timed automata [AHV93], a formalism extending finite-state
automata with clocks [AD94], that can be compared to either
integer constants or to integer-valued or real-valued parameters
along guards (over transitions) or in invariants (in locations).
Such formalisms are highly expressive, but also highly unde-
cidable, and only a few decidable subclasses were proposed.
In the PTA literature, the main problem studied is EF-
emptiness (“is the set of valuations for which a given location
This is the author version of the manuscript of the same name published
in the proceedings of the 24th International Conference on Engineering of
Complex Computer Systems (ICECCS 2019). The final version is available
at ieeexplore.ieee.org. This work is partially supported by the ANR national
research program PACS (ANR-14-CE28-0002) and by ERATO HASUO
Metamathematics for Systems Design Project (No. JPMJER1603), JST.
is reachable for at least one run empty?”): it is “robustly” un-
decidable in the sense that, even when varying the setting, un-
decidability is preserved. For example, EF-emptiness is unde-
cidable even for a single bounded parameter [Mil00], even for
a single rational-valued or integer-valued parameter [Ben+15],
even with only one clock compared to parameters [Mil00], or
with strict constraints only [Doy07] (see [And19] for a survey).
Decidability can be obtained using two main directions.
First, reducing the number of clocks may lead to decidabil-
ity: for example, decidability is ensured in some restrictive set-
tings such as over discrete time with a single parametric clock
(i. e., compared to parameters in at least one guard) [AHV93],
or over discrete or dense time with one parametric clock and
arbitrarily many non-parametric clocks [BO14; Ben+15], or
over discrete time with two parametric clocks and a single
parameter [BO14]. But the practical power of these restrictive
settings remains unclear.
Second, restricting the syntax may also lead to decidability,
notably on two main subclasses: in [Hun+02], L/U-PTAs are
proposed as a subclass where parameters are partitioned into
upper-bound parameters (only compared to clocks as upper-
bounds, i. e., of the form x > p or x ≥ p, where x is a clock
and p a parameter) and lower-bound parameters. While L/U-
PTAs benefit from the decidability of EF-emptiness [JLR15;
BL09], AF-emptiness (“is the set of valuations for which a
given location is reachable for all runs empty?”) is undecid-
able [JLR15]; even more annoying, it is impossible to achieve
exact synthesis, even for EF: that is, it is not possible in
general to compute the set of parameter valuations for which a
given location is reachable. A second restriction of the syntax
is proposed in [ALR19]: in reset-PTAs, whenever a clock is
compared to a parameter, all clocks must be reset (possibly
to parameters, which extends the original PTA syntax). While
exact synthesis over bounded rational-valued parameters can
be achieved for EF, resetting all clocks as soon as one clock
is compared to a parameter is a strong practical restriction,
and is dedicated to systems that have some cyclic, repetitive
behavior.
a) Contribution: In this work, we propose an original
subclass of parametric timed automata, with interesting prac-
tical results. We restrict the expressive power by disallowing
1
guards in the model, therefore leaving the model with only
invariants.
On the one hand, we show that this model of PTAs with
only invariants (PTAsI ) is at least as expressive as the orig-
inal PTAs, and therefore inherits its notorious undecidability
results.
On the other hand, by restraining the shape of the constraints
in these invariants, giving PTAs with only invariants and
upper-bound constraints (PTAsUI ), we get decidability results
independently of the number of clocks or parameters used.
In addition, we show that we can synthesize the exact set of
parameters for which reachability (EF) properties hold. This
result is particularly welcome, as existing classes for which
decidability of the emptiness problems hold does usually
not guarantee the possibility to perform synthesis: the best-
known existing subclass of PTAs, i. e., L/U-PTAs, benefit from
decidability results [Hun+02; BL09] but synthesis cannot be
achieved, even over integer-valued parameters [JLR15].
Our formalism of PTAsUI is the first of its kind to allow
for exact synthesis over unbounded, rational-valued parameters
(in contrast to [Hun+02; BL09; ALR19]) without imposing
conditions on the number of clocks or parameters (in contrast
to [BO14; Ben+15]), nor imposing frequent resets (in contrast
to [ALR19]). This makes this formalism promising, together
with a still interesting expressive power. In fact, we show that
for more complex properties (e. g., nested TCTL formulas),
PTAsUI become undecidable, which shows that our formalism
is far from featuring a trivial expressiveness. We also exem-
plify our formalism on a case study, where we model a data
streaming protocol using PTAsUI .
b) Outline: Section II recalls the necessary preliminar-
ies, introduces the class of PTAs without guards (PTAsI ) and
the problems of interest. Section III proves that reachability
is undecidable for PTAI . Section IV introduces an additional
restriction (PTAsUI ), and proves decidability of the emptiness
problems of reachability, together with the possibility to per-
form synthesis. In contrast, we show that TCTL-emptiness is
undecidable for PTAsUI , making it an expressive formalism at
the border between decidability and undecidability. Section V
exemplifies our formalism on a case study. Section VI con-
cludes the paper and proposes some perspectives.
II. PRELIMINARIES
A. Clocks, parameters and parametric clock constraints
We assume a set X = {x1, . . . , xH} of clocks, i. e., real-
valued variables that evolve at the same rate. A clock valuation
is a function w : X → R+. We identify a clock valuation w
with the point (w(x1), . . . , w(xH)) of R
H
+ . We write
~0 for the
clock valuation assigning 0 to all clocks. Given d ∈ R+, w+d
denotes the valuation s.t. (w+d)(x) = w(x)+d, for all x ∈ X.
Given R ⊆ X, we define the reset of a valuation w, denoted by
[w]R, as follows: [w]R(x) = 0 if x ∈ R, and [w]R(x) = w(x)
otherwise.
We assume a set P = {p1, . . . , pM} of parameters, i. e.,
unknown constants. A parameter valuation v is a function
v : P→ Q+.
We assume ⊲⊳ ∈ {<,≤,=,≥, >} and ⊳ ∈ {<,≤}. A para-
metric clock constraint pcc is a constraint over X∪ P defined
by a set of inequalities of the form x ⊲⊳
∑
1≤i≤M αipi + d,
with αi ∈ {0, 1} and d ∈ Z. Given pcc, we write w |= v(pcc)
if the expression obtained by replacing each x with w(x) and
each p with v(p) in pcc evaluates to true.
B. Parametric timed automata
Let AP be a set of atomic propositions. We first recall
PTAs [AHV93].
Definition 1. A PTAA is a tupleA = (Σ, L,L, ℓ0,X,P, I, E),
where:
• Σ is a finite set of actions,
• L is a finite set of locations,
• L is a label function L : L→ 2AP ,
• ℓ0 ∈ L is the initial location,
• X is a finite set of clocks,
• P is a finite set of parameters,
• I is the invariant, assigning to every ℓ ∈ L a parametric
clock constraint I(ℓ),
• E is a finite set of edges (or transitions) e =
(ℓ, g, a, R, ℓ′) where ℓ, ℓ′ ∈ L are the source and target
locations, a ∈ Σ, R ⊆ X is a set of clocks to be reset,
and the guard g is a parametric clock constraint.
Given a parameter valuation v, we denote by v(A) the non-
parametric structure where all occurrences of a parameter pi
have been replaced by v(pi). We denote as a timed automaton
any structure v(A).1 A bounded PTA is a PTA with a bounded
parameter domain that assigns to each parameter a minimum
integer bound and a maximum integer bound. That is, each
parameter pi ranges in an interval [ai, bi], with ai, bi ∈ N.
Hence, a bounded parameter domain is a hyperrectangle of
dimension M .
Let us first recall the concrete semantics of TAs.
Definition 2 (Concrete semantics of a TA). Given a PTA
A = (Σ, L,L, ℓ0,X,P, I, E), and a parameter valuation v,
the concrete semantics of v(A) is given by the timed transition
system (S, s0,→), with
• S = {(ℓ, w) ∈ L× RH+ | w |= v(I(ℓ))},
• s0 = (ℓ0,~0)
• → consists of the discrete and (continuous) delay transi-
tion relations:
– discrete transitions: (ℓ, w)
e
7→ (ℓ′, w′), if
(ℓ, w), (ℓ′, w′) ∈ S, there exists e = (ℓ, g, a, R, ℓ′) ∈
E, w′ = [w]R, and w |= v(g).
– delay transitions: (ℓ, w)
d
7→ (ℓ, w+ d), with d ∈ R+, if
∀d′ ∈ [0, d], (ℓ, w + d′) ∈ S.
Moreover we write (ℓ, w)
e
−→ (ℓ′, w′) for a combination of
a delay and discrete transition where ((ℓ, w), e, (ℓ′, w′)) ∈ →
if ∃d, w′′ : (ℓ, w)
d
7→ (ℓ, w′′)
e
7→ (ℓ′, w′).
1Technically and strictly speaking, we should use a rescaling of the
constants to avoid comparisons of clocks with rationals: by multiplying all
constants in v(A) by the least common multiple of their denominators, we
obtain an equivalent (integer-valued) TA, as defined in [AD94].
2
Given a TA v(A) with concrete semantics (S, s0,→), we
refer to the states of S as the concrete states of v(A). A run
of v(A) is a possibly infinite alternating sequence of states
of v(A) and edges starting from the initial state s0 of the
form s0
e0−→ s1
e1−→ · · ·
em−1
−→ sm
em−→ · · · , such that for
all i = 0, 1, . . . , ei ∈ E, and (si, ei, si+1) ∈ →. Given a
state s = (ℓ, w), we say that s is reachable if s appears in a
run of v(A), or simply that ℓ is reachable in v(A), if there
exists a state (ℓ, w) that is reachable. By extension, we say that
a label lb is reachable in v(A) if there exists a state (ℓ, w) that
is reachable such that lb ∈ L(ℓ).
Given a parameter valuation v and a run of v(A) ρ =
(ℓ0, w0)
e0−→ · · ·
ei−1
−→ (ℓi, wi)
ei−→ (ℓ, w) we define the length
of a run as the number of edges in ρ.
A maximal run is a run that is either infinite (i. e., contains
an infinite number of discrete transitions), or that cannot be
extended by a discrete transition. Given a run ρ of v(A),
time(ρ) gives the total sum of the delays d along ρ.
C. A new syntactic restriction
We now introduce the first main restriction of our formal-
ism, that consists in removing guards from PTAs.
Definition 3. A PTA with only invariants (PTAI) is a PTA
where, in each transition, g is always true, i. e., is an empty
set of inequalities.
D. Timed CTL
TCTL [ACD93] is the quantitative extension of CTL where
temporal modalities are augmented with constraints on dura-
tion. Formulae are interpreted over TTS.
Given ap ∈ AP and c ∈ N, a TCTL formula is given by
the following grammar:
ϕ ::= ⊤ | ap | ¬ϕ | ϕ ∧ ϕ | EϕU⊲⊳cϕ | AϕU⊲⊳cϕ
A reads “always”, E reads “exists”, and U reads “until”.
Standard abbreviations include Boolean operators as well
as EF⊲⊳cϕ for E⊤U⊲⊳cϕ, AF⊲⊳cϕ for A⊤U⊲⊳cϕ and EG⊲⊳cϕ for
¬AF⊲⊳c¬ϕ. (F reads “eventually” while G reads “globally”.)
Definition 4 (Semantics of TCTL). Given a TA v(A), the
following clauses define when a state si of its TTS (S, s0,→)
satisfies a TCTL formula ϕ, denoted by si |= ϕ, by induction
over the structure of ϕ (semantics of Boolean operators is
omitted):
1) si |= EϕU⊲⊳cΨ if there is a maximal run ρ in v(A)
with σ = si
ei−→ · · ·
ej−1
−→ sj (i < j) a prefix of ρ s.t. sj |=
Ψ, time(σ) ⊲⊳ c, and if ∀k s.t. i ≤ k < j, sk |= ϕ, and
2) si |= AϕU⊲⊳cΨ if for each maximal run ρ in v(A) there
exists σ = si
ei−→ · · ·
ej−1
−→ sj (i < j) a prefix of ρ s.t.
sj |= Ψ, time(σ) ⊲⊳ c, and if ∀k s.t. i ≤ k < j, sk |= ϕ.
In EϕU⊲⊳cΨ the classical until is extended by requiring
that ϕ be satisfied within a duration (from the current state)
verifying the constraint “⊲⊳ c”. Given v, a PTAUI A and a
TCTL formula ϕ, we write v(A) |= ϕ when s0 |= ϕ.
We define flat TCTL as the subset of TCTL where, in
EϕU⊲⊳cϕ and AϕU⊲⊳cϕ, ϕ must be a formula of propositional
logic (a Boolean combination of atomic propositions).
E. Problems
In this paper, we address the following problems:
TCTL-emptiness problem:
INPUT: a PTAI A and a TCTL formula ϕ
PROBLEM: is the set of valuations v such that v(A) |= ϕ
empty?
TCTL-synthesis problem:
INPUT: a PTAI A and a TCTL formula ϕ
PROBLEM: synthesize the set of valuations v such that
v(A) |= ϕ.
We will focus notably on the TCTL formula “EF” express-
ing reachability [AD94]. That is, EF-emptiness asks whether
the set of parameter locations for which a given location is
reachable for at least one run is empty or not. Similarly, EF-
synthesis asks to synthesize these valuations.
III. THE POWER OF INVARIANTS IN PTAS
In this section, we show that the expressive power of
invariants in PTAs is surprisingly high: in fact, we show that a
PTA with guards but without invariants can be transformed to
an equivalent PTAI . As most undecidability results for PTAs
hold even without invariants, our transformation shows that
PTAI are (at least) as expressive as PTAs—and therefore as
undecidable too. Notably, the simplest problem for PTAs (EF-
emptiness) is undecidable for PTAsI .
A. Transforming guards into invariants
Let us describe our transformation from a PTA A without
invariants to a PTAI T (A). For each edge e = (ℓ1, g, a, R, ℓ2)
of A, we add in T (A) a new location ℓ′1 with invariant I(ℓ
′
1) =
g and replace e with a transition that is always true from ℓ1
to ℓ′1 with action a and no reset: e
′ = (ℓ1, true, a, ∅, ℓ′1).
Then we add a unique transition from ℓ′1 to ℓ2 that is always
true, without action and with the original resets R of e:
e′′ = (ℓ′1, true, ǫ, R, ℓ2) (ǫ denotes the silent action; note that
actions do not matter much in our setting anyway as we are
concerned with reachability properties).
Example 1. An example of this transformation is given in
Fig. 1. The transition (say e) from ℓ1 to ℓ2 in Fig. 1a is
translated into 1) a new transition from ℓ1 to a new location ℓ
′
1
with as invariant the guard of the original transition e, i. e.,
x ≤ p, and 2) a new transition from ℓ′1 to ℓ2 with the same
reset as the one of the original transition e, i. e., x := 0. This
translation is exemplified in Fig. 1b.
The guard on the transition from ℓ2 to ℓ3 is translated
similarly.
3
l1 l2 l3
x ≤ p
x := 0
y ≥ p, x ≥ 3
(a) A PTA
l1 l
′
1
x ≤ p
l2 l
′
2
y ≥ p, x ≥ 3
l3
x := 0
(b) Transformed version
Fig. 1: An example of PTA without invariant and its equivalent PTAI .
B. Characterization of the transformation
We show that, for any run of v(A), there exists in v(T (A))
a run twice as long, whose states of index 2× i are identical
to states of index i of the original run, for each i between 0
and the length of the run minus 1.
Lemma 1. Let A be a PTA without invariant, and v a
parameter valuation. There is a run ρ = (ℓ0, w0)
e0−→
· · ·
ei−1
−→ (ℓi, wi)
ei−→ (ℓ, w) · · · in v(A) iff there is a
run ρ′ = (ℓ0, w0)
e′
0−→ (ℓ′0, w
′
0)
e′′
0−→ · · ·
e′′i−1
−→ (ℓi, wi)
e′i−→
(ℓ′i, w
′
i)
e′′i−→ (ℓ, w) · · · in v(T (A)).
Proof. Let ρ be a run of v(A) ending in a concrete state (ℓ, w).
We build by induction on n, a run ρ′ in v(T (A)) of length 2n
taking the same sequence of edges as ρ w.r.t. our transforma-
tion and ending in the same concrete state2.
If n = 0, then ρ′ consists only of the initial location of T (A)
which has no invariant, so we can stay there forever as in the
initial location of A. So any run of length 0 of v(T (A)) is a
run of v(A) and conversely.
Suppose now that we have built ρ′ for size n and consider
a run ρ with n + 1 edges. Then ρ consists of a run ρ1,
ending in (ℓ1, w1) with n edges followed by a delay d and
finally a discrete transition along the edge e to the concrete
state (ℓ2, w2). From the induction hypothesis, we can build an
equivalent run ρ′1 in T (A) of length 2n ending in (ℓ1, w1),
Let w′1 be the clock valuation obtained from w1 after the
delay d. By construction, if constraints defined by the guard
of e are satisfied by w′1 then in ρ
′
1, we can take the transition e
′
without guards from ℓ1 to ℓ
′
1 as w
′
1 |= v(I(ℓ
′
1)). Once in ℓ
′
1, we
cannot stay forever because of I(ℓ′1). We can also immediately
in a 0-delay take the transition e′′ from ℓ′1 to ℓ2 and clocks in X
are reset so w2 = [w
′
1]R, and we obtain a run of length 2(n+1)
in v(T (A)) ending in (ℓ2, w2).
For the other direction, starting from a run in T (A), the ini-
tial step of the induction is similar. Let ρ′ be a run of v(T (A))
of length 2(n+1) ending in a concrete state (ℓ2, w2). Then ρ
′
consists of a run ρ′1, ending in (ℓ1, w1) with 2n edges followed
by a first delay d1, then a discrete transition e
′ to ℓ′1, and a
possible delay d2 and finally a discrete transition e
′′ to ℓ2. Let e
be the edge in A corresponding to e′, e′′ w.r.t. our construction
2Note that the fact that the length is even is a consequence of the
construction: with two edges, first from ℓ to ℓ′′ and the second from ℓ′′
to ℓ′, if the former can be taken then I(ℓ′′) is satisfied, and the run cannot
stay forever in ℓ′′ because of I(ℓ′′) and is forced to take the latter to ℓ′.
of T (A), with guard g = I(ℓ′1) and the same resets as in e
′′.
Suppose now that we have built by induction hypothesis ρ
in v(A) for size n equivalent to a run ρ′1 in v(T (A)) ending
in (ℓ1, w1), Let w
′
1 be the clock valuation obtained after the
delay d1 from w1 and w
′′
1 after the delay d2 from w
′
1. By
construction, if constraints defined by I(ℓ′1) are satisfied by w
′
1
then w′1 |= v(g). The first transition e
′ in v(T (A)) to ℓ′1 can
be taken, similarly e can already be taken in v(A). After
the delay d2, we still have w
′′
1 |= I(ℓ
′
1) therefore we still
have w′′1 |= v(g). The second transition e
′′ in v(T (A)) to ℓ2
can be taken, similarly e can still be taken in v(A). Clocks are
reset along e so w2 = [w
′′
1 ]R and we obtain a run of length n
in v(A) ending in (ℓ2, w2).
C. Undecidability for PTAsI
Theorem 1. EF-emptiness is undecidable for PTAsI .
Proof. From Lemma 1, for any valuation v, reachability of
a location in v(A) and v(T (A)) is equivalent. Therefore,
EF-emptiness holds for A iff EF-emptiness holds for T (A).
As EF-emptiness is undecidable for PTAs without invari-
ant [AHV93], EF-emptiness is undecidable for PTAsI .
IV. A NEW DECIDABLE SUBCLASS
We now consider PTAsI with only upper-bound invariants.
Definition 5. A PTA with only upper-bound invariants (PTAUI )
is a PTAI where each inequality in an invariant is of the form
x ⊳
∑
1≤i≤M αipi + d.
An example of PTAUI is given in Fig. 6.
PTAsUI can be seen as a subclass of L/U-PTAs, a formalism
for which EF-emptiness is decidable [Hun+02; BL09] while
AF-emptiness is undecidable [JLR15]. In addition, the synthe-
sis of (even integer-valued) parameters for which EF holds in
L/U-PTAs cannot be done [JLR15]. PTAsUI can also be seen
as a subclass of U-PTAs [BL09], i. e., L/U-PTAs with only
upper-bound parameters, a formalism for which EF-emptiness
is decidable [Hun+02; BL09] while AF-emptiness is open, and
full TCTL-emptiness is undecidable [ALR18]; in addition, EF-
synthesis of integer-valued parameter can be achieved [BL09],
but the possibility to perform or not the exact synthesis of
rational-valued parameters for EF remains open.
The main differences between PTAsUI and U-PTAs are
1) the absence of guards in PTAsUI , and
2) the possibility only for U-PTAs to involve constraints of
the form x > c or x ≥ c in clock constraints, provided c
4
is a constant (no parameter can be used as a lower-bound
constraint).
In this section, we will see that these differences will allow
not only for positive decidability results but will also make
exact synthesis possible.
A. Reachability (EF)
1) EF-emptiness: We first show that, while matching the
decidability of L/U-PTAs (and U-PTAs) for EF-emptiness, the
complexity of EF-emptiness for PTAUI is not the same as
for U-PTAs, which is PSPACE-complete for integer parameter
valuations [BL09]; in our case, given a PTAUI A and a special
parameter valuation v1 that sets all parameters to 1, it is
sufficient to test in v1(A) the reachability of a given location in
a 0-delay (a run of duration 0), which is linear in the number of
locations of A. That is, we do not perform a symbolic analysis
(using the region graph [AD94] or the zone graph [BY03]) of
some TA, but we directly syntactically analyze our PTAUI .
Formally, let v1 be the parameter valuation such that ∀1 ≤
i ≤ M : v1(pi) = 1. In the following lemma, we will show
that there exists a valuation v such that there exists a run in
v(A) reaching a given location ℓf iff there exists a 0-delay
run in v1(A) reaching ℓf . By 0-delay run, we mean for which
the sum of the delays along the edges is 0. This will allow us
to only test 0-delay runs in v1(A) to decide EF-emptiness.
Lemma 2. Let A be a PTAUI and ℓf a goal location. There
exists a parameter valuation v and a run in v(A) reaching ℓf
iff there exists a 0-delay run in v1(A) reaching ℓf .
Proof. =⇒ Assume there exists a parameter valuation v and a
run ρ in v(A) reaching ℓf . We first show that there exists
a 0-delay run ρ0 in v(A) reaching ℓf (and, in fact, going
through the same locations and edges as ρ, with only the
delay being replaced with 0). This is immediate from the
syntax of PTAsUI : since we only allow invariants of the
form x ⊳
∑
1≤i≤M αipi + d, then nothing can constrain
a run to spend a certain amount of time in a location.
Therefore, ρ0 can follow the same locations and edges as
in ρ without letting any time elapse. This gives that there
exists a 0-delay run ρ0 in v(A) reaching ℓf .
We will now show that this run ρ0 is also a run of v1(A).
This is not entirely immediate, as v1(A) and v(A) have
different invariants, coming from different parameter val-
uations. Indeed, in case of invariants of the form x < p,
a 0-delay run is blocked in this location whenever p = 0
(as the constraint x < 0 is never satisfiable due to the
non-negative nature of clocks). However, by definition,
ρ0 does not pass through any location with an invariant
of the form x < p, with v(p) = 0, since this is a valid
run of v(A). That is, for any location ℓ along ρ0 with
an invariant containing an inequality of the form x < p,
v(p) > 0. We can finally conclude by observing that,
in v1(A), no such invariant blocking a 0-delay run exists
since, by definition of v1(A), all parameters evaluate to 1.
Therefore ρ0 is also a run reaching ℓf in v1(A).
⇐= The opposite direction is trivial. It suffices to pick v = v1
and, since there exists a 0-delay run in v1(A) reaching ℓf ,
then there exists a run (in 0-delay) in v(A) reaching ℓf .
From Lemma 2, we state the following theorem.
Theorem 2. EF-emptiness is decidable in NLOGSPACE for
PTAUI .
Proof. Let A be a PTA and ℓf be a target location. From
Lemma 2, there exists a parameter valuation v and a run
in v(A) reaching ℓf iff there exists a 0-delay run in v1(A)
reaching ℓf . That is, it suffices to test only the existence of at
least one 0-delay run in v1(A) to decide EF-emptiness in A.
From the nature of PTAsUI , there exists a 0-delay run in
v1(A) iff there exists in the automaton v1(A) seen as a graph
a syntactic path from ℓ0 to ℓf that features no state with
an invariant involving a comparison of the form x < 0, for
some x. We can therefore consider v1(A) as a directed graph,
in which we remove all the edges to locations where there
is an invariant containing a comparison of the form x < 0
for some x. In this obtained oriented graph, we perform the
reachability of ℓf from ℓ0 which is NLOGSPACE [Pap94], so
is EF-emptiness for PTAUI .
2) EF-synthesis: We will show that, in order to compute
EF-synthesis, it suffices to test (syntactically, without se-
mantic analysis) each automaton obtained by replacing each
parameter valuation with either 0 or 1. This is a strong
result, as EF-synthesis cannot be performed for L/U-PTAs
with either integer or rational valued parameters [JLR15],
and can only be performed for U-PTAs over integer-valued
parameters [BL09]. We first define an equivalence relation
for parameter valuations.
Definition 6. Let v, v′ be two parameter valuations. We say
that v ∼ v′ if, for each parameter p, v(p) = 0 iff v′(p) = 0
(i. e., v(p) > 0 iff v′(p) > 0).
Lemma 3. Let A be a PTAUI and ℓf a goal location. Let v, v
′
be two parameter valuations such that v ∼ v′.
There exists a run in v(A) reaching ℓf iff there exists a
0-delay run in v′(A) reaching ℓf .
Proof. The proof reuses the same technique as in Lemma 2.
=⇒ Assume there exists a parameter valuation v and a run ρ
in v(A) reaching ℓf . From the reasoning used in the
proof of Lemma 2, there exists a 0-delay run ρ0 in
v(A) reaching ℓf (and, in fact, going through the same
locations and edges as ρ, with only the delay being
replaced with 0).
We will now show that this run ρ0 is also a run of v
′(A).
Following again the reasoning used in the proof of
Lemma 2, by definition, ρ0 does not pass through any
location with an invariant of the form x < p, with
v(p) = 0, since this is a valid run of v(A). That is,
for any location ℓ along ρ0 with an invariant containing
an inequality of the form x < p, v(p) > 0. We can
5
finally conclude by observing that, in v′(A), no such
invariant blocking a 0-delay run exists since, from the fact
that v ∼ v′, v(p) > 0 iff v′(p) > 0 for all p. Therefore
ρ0 is also a run reaching ℓf in v
′(A).
⇐= The opposite direction is similar. Since there exists a 0-
delay run in v′(A), then following the same reasoning as
above and since v ∼ v′, then this same 0-delay run is
also a run of v(A).
From Lemma 3, it suffices to test one valuation in each of
the regions defined by Definition 6. Each region being defined
by v(p) = 0 or v(p) > 0, for each parameter p, it suffices to
test both 0 and a non-zero value, e. g., 1. We end up with a
set V of 2|P| parameter valuations. This gives the following
theorem.
Theorem 3. We can compute the set EF-synthesis of parame-
ter valuations for PTAUI within exponential time w.r.t. the size
of the input.
Proof. From Lemma 3, given a PTAUI A it suffices to test
the existence of at least one 0-delay run for one parameter
valuation v in each of the regions defined by Definition 6,
i. e., from the set V . From the proof of Theorem 2, this can
be achieved syntactically by solving a reachability problem in
the graph of v(A). If the answer to the reachability problem
is positive for this parameter valuation, the whole region is
added to the result. That is, considering two parameters p1 and
p2, and the valuation such that v(p1) = 0 and v(p2) = 1, the
added region is p1 = 0∧p2 > 0. However, iterate similarly for
all valuations in V gives 2|P| different valuated automata and
we have to test the reachability for each of them. Therefore,
to compute EF-synthesis, we obtain a complexity exponential
in time.
This result makes the subclass of PTAUI very interest-
ing, as a subclass of PTAs where EF-synthesis can be per-
formed. Rare subclasses such as reset-update-to-parameter
PTAs [ALR19] enjoy this possibility (and only on bounded
parameters), while well-known L/U-PTAs enjoy the only de-
cidability of EF-emptiness while EF-synthesis has been proven
intractable [JLR15].
B. Undecidability of TCTL-emptiness
While EF-emptiness is decidable for PTAUI , one can wonder
whether this extends to the whole TCTL-emptiness prob-
lem. We exhibit in this section a nested TCTL formula
(by opposition to flat TCTL formula, e. g., EF or AF),
namely EGAF=0 ap for some atomic property ap and prove
that EGAF=0-emptiness is undecidable for (possibly bounded)
PTAUI . The formula EGAF=0 was already used to prove
the TCTL-emptiness of U-PTAs in [ALR18]. This implies
the undecidability of the whole TCTL-emptiness problem for
(possibly bounded) PTAUI .
Theorem 4. The EGAF=0-emptiness problem is undecidable
for bounded PTAUI .
Proof. We reduce from the boundedness problem for two-
counter machines (i. e., whether the value of the counters
remains bounded along the execution), which is undecid-
able [KC10]. Recall that a two-counter machine is a finite
state machine with two integer-valued counters c1, c2. Two
different instructions are considered, we present those for c1,
those for c2 are similar:
1) when in state qi, increment c1 and go to qj ;
2) when in state qi, if c1 = 0 go to qk, otherwise decre-
ment c1 and go to qj .
We assume w.l.o.g. that the machine halts iff it reaches a
special state qhalt.
a) General explanation of the encoding: Let ◦ and ◦
be two labels. We define a PTAUI that, under some conditions,
will encode the machine, and for which EGAF=0 ◦ -emptiness
holds iff the counters in the machine remain bounded. We will
reuse an encoding originally from [ALR16, proof of theorem
1], and apply a few modifications. In fact, recall that PTAUI
disallow the use of comparisons of the form x = p, or x = c
with c a constant.
We label our transitions with: ◦ for the locations already
present in [ALR16] (depicted in yellow in our figures), and ◦
for the newly introduced locations (depicted in white in our
figures). In [ALR16], the gadgets use edges of the form of
Fig. 2a to encode the two-counter machine instructions. To
define a PTAUI , we replace each of these edges by a special
construction given in Fig. 2b using only inequalities of the
form x ≤ k and x < k with k either a constant or a parameter.
Non guarded transitions are depicted as dotted edges. We will
show that a run will exactly encode the two-counter machine
if all transitions x ≤ a+1 (resp. x ≤ 1) to a location labeled
with ◦ are in fact taken when the clock valuation is exactly
equal to a+1 (resp. 1). Those runs are further denoted by ρ ◦ .
In the transformed version given in Fig. 2b, due to the ≤
invariant runs exist that take the guard “too early” (i. e., before
x1 = a + 1). Those are denoted by ρ◦. But, in that case,
observe that in ℓ′1, one can either take the transition to ℓ
′′ or
to ℓ′2 (as the invariant to satisfy is x1 < a + 1) and then, go
to ℓerror. Therefore on this gadget, EGAF=0 ◦ is true at ℓ′
iff the guard x1 ≤ a+ 1 from ℓ to ℓ′ is taken at the very last
moment. In our gadgets encoding the counters, there will be
for each location with invariant x ≤ k an associated location
with invariant x < k, with only a transition to ℓerror. Note
that AF=0 ◦ is trivially true in ℓ and ℓ′′ as both locations are
labeled with ◦ (many runs also exist from ℓ to ℓerror and
do not encode properly the machine; they will be discarded in
our reasoning later).
Our PTAUI A uses one parameter a and three parametric
clocks x1, x2, z. Each state qi of the two-counter machine is
encoded by a location ℓi of A. Each increment instruction
of the two-counter machine is encoded into a PTAUI frag-
ment. The decrement instruction is a modification of the one
in [ALR16] using the same modifications as the increment
gadget.
6
ℓ ℓ′′
x1 = a+ 1
x := 0
(a) Gadget fragment of [ALR16]
ℓ ℓ
′
1
x1 ≤ a+ 1
ℓ′′
ℓ′
2
x1 < a+ 1
ℓerror
x
1
:=
0
(b) Modified gadget of [ALR16] enforcing EGAF=0 ◦
Fig. 2: A gadget fragment and its modification into a PTAUI
ℓi ℓ
i
0
z ≤ 0
ℓi
1
ℓi
2
x2 ≤ 1
ℓi
2′
x2 < 1
ℓi
3
ℓi
4
x1 ≤ a+ 1
ℓi
4′
x1 < a+ 1
ℓi
5
ℓi
6
z ≤ 1
ℓi
6′
z < 1
ℓerror
ℓj
ℓi
7
x1 ≤ a+ 1
ℓi
7′
x1 < a+ 1
ℓi
8
ℓi
9
x2 ≤ 1
ℓi
9′
x2 < 1
ℓi
10
x2
:=
0
x1 := 0
z := 0
x
1
:=
0
x2 := 0
Fig. 3: increment gadget
Given v, our encoding is such that when in ℓi with w(z) = 0
then w(x1) (resp. w(x2)) represents the value of the counter c1
(resp. c2) encoded by 1−v(a)c1 (resp. 1−v(a)c2) with v(a)
small enough so v(a)c1 < 1 (resp. v(a)c2 < 1). The two
branches in the gadgets handle both cases w(x1) > w(x2)
and w(x1) ≤ w(x2).
b) Increment gadget: Depicted in Fig. 3. We assume a ∈
[0, 1], in which case our PTAUI is bounded (if a is unbounded,
then our construction proves the unbounded case). In the fol-
lowing, we write w as the tuple (w(x1), w(x2), w(z)). The ini-
tial encoding when w(z) = 0 is w(x1) = 1−v(a)c1, w(x2) =
1 − v(a)c2, w(z) = 0. From ℓi, we prove that there is a
unique run, going through the upper branch of the gadget,
that reaches ℓj without violating our property. It is the one
that takes each transition to a location with an invariant z ≤ 0
at the exact moment w(z) = 0, the transition to a location
with an invariant x2 ≤ 1 at the exact moment w(x2) = 1 and
transition to a location with an invariant x1 ≤ a + 1 at the
exact moment w(x1) = v(a) + 1. The other runs, that take
the transitions “too early” are removed as they violate the
property; indeed, if a run takes a transition before the “last
moment” allowed by the invariant (e. g., x ≤ 1), then it can
possibly take the successor state with invariant (x < 1) and
go to ℓerror. That is, EGAF=0 does not hold, because not all
7
runs go in 0-time to a ◦ location.
So, for each transition, many runs can take it, but we only
consider from now on the only one that takes the transition
at the last moment, i. e., when the clock is exactly equal to
the parameter/constant it is compared to. The same applies at
each transition. This gives the following run for the increment
gadget:
( ℓi , w)
0
−→ (ℓi0, (1 − v(a)c1, 1 − v(a)c2, 0))
0
−→
( ℓi1 , (1 − v(a)c1, 1 − v(a)c2, 0))
v(a)c2
−→ (ℓi2, (1 −
v(a)c1 + v(a)c2, 1, v(a)c2))
0
−→ ( ℓi3 , (1 − v(a)c1 +
v(a)c2, 0, v(a)c2))
v(a)−v(a)c2+v(a)c1
−→ (ℓi4, (1 +
v(a), v(a) − v(a)c2 + v(a)c1, v(a) + v(a)c1))
0
−→
( ℓi5 , (0, v(a)−v(a)c2+v(a)c1, v(a)+v(a)c1))
1−v(a)−v(a)c1
−→
(ℓi6, (1 − v(a) − v(a)c1, 1 − v(a)c2, 1))
0
−→
( ℓj , (1− v(a)(c1 + 1), 1− v(a)c2, 0)).
We apply the same reasoning on the lower branch of Fig. 3.
c) Decrement and 0-test gadget: The decrement and 0-
test gadget, depicted in Fig. 4, is similar to the one of [ALR16]
and undergoes the same modifications as in Fig. 3, the in-
crement gadget. Assume the same requirements as for the
increment gadget. From ℓi, following the same reasoning as
for the increment gadget we prove that there is a unique run,
going through the upper branch of the decrement gadget, that
reaches ℓj without violating our property.
Assume we are in a configuration (ℓi, w) where w(z) =
0 and suppose w(x1) < 1. We can enter the configura-
tion (ℓ1i , (w(x1), w(x2), 0)) as the invariant z = 0 ensures
no time has elapsed; in its short form, the run that reaches ℓj
correctly, i. e., satisfying our property EGAF=0 is:
( ℓi , w)
0
−→ (ℓi1, (1 − v(a)c1, 1 − v(a)c2, 0))
0
−→
( ℓi2 , (1 − v(a)c1, 1 − v(a)c2, 0))
v(a)c1
−→ (ℓi3, (1, 1 −
v(a)c2 + v(a)c1, v(a)c1))
0
−→ ( ℓi4 , (0, 1 − v(a)c2 +
v(a)c1, v(a)c1))
v(a)−v(a)c1+v(a)c2
−→ (ℓi5, (v(a) − v(a)c1 +
v(a)c2, v(a)+ 1, v(a)+ v(a)c2))
0
−→ ( ℓi6 , (v(a)− v(a)c1 +
v(a)c2, 0, v(a)+v(a)c2))
1−v(a)c2
−→ (ℓi7, (1−v(a)c1+v(a), 1−
v(a)c2, v(a)+1))
0
−→ ( ℓj , (1−v(a)(c1−1), 1−v(a)c2, 0)).
We apply the same reasoning on the lower branch of Fig. 4.
d) Initial gadget: In Fig. 5, the initial gadget ensures
the same way as presented before that the counters are both
initialized to 0. Recall that w(x1) = 1−v(a)c1, and w(x2) =
1 − v(a)c2. The unique run that does not violate EGAF=0
reaches ℓ1 exactly when w(x1) = w(x2) = 1, ensuring c1 =
c2 = 0.
e) Simulating the 2-counter machine: Now, let us con-
sider the runs ρ ◦ that take each transition to a location where
there is an invariant at the very last moment; note that other
runs violate the property anyway.
• If the counters of the two-counter machine remain
bounded then,
– either the two-counter machine halts by reaching qhalt
and there exist parameter valuations v (typically a suffi-
ciently small value for v(a) to encode the value of the
counters during the computation). In the constructed
PTAUI , once valuated with v there is a (unique) run
simulating correctly the machine, reaching ℓhalt and
staying there forever.
In this first case, EGAF=0 ◦ holds for these valuations:
hence EGAF=0 ◦ -emptiness is false;
– or the two-counter machine loops forever, never
reaches qhalt, with values of the counters remaining
bounded. There exist small parameter valuations v
that encode the maximal value of the counters. In the
constructed PTAUI , once valuated with v there is an
infinite (unique) run in the PTAUI simulating correctly
the machine. As this run is infinite, we infinitely often
visit the decrement and/or the increment gadget(s).
In this second case, EGAF=0 ◦ also holds for these
valuations: hence EGAF=0 ◦ -emptiness is again false.
• Conversely, if the counters of the two-counter machine
are unbounded, then for any valuation, all runs end
in ℓerror. This happens either because all the runs took
on purpose an unguarded transition to ℓerror or because
they blocked due to the fact that counters are unbounded,
and therefore, for any arbitrarily small valuation, one
of the guards will eventually block the run and send it
to ℓerror thanks to the unguarded transitions. That is,
it is possible, e. g., in ℓi5 of Fig. 3, when the value
of w(z) = v(a)(c1+1) becomes strictly greater than 1 af-
ter a sufficient number of steps. It is no longer possible to
take the transition to ℓi6 because of the invariant z ≤ 1 and
there is no choice other than reach ℓerror again. Hence
there is no parameter valuation for which EGAF=0 ◦
holds, so EGAF=0 ◦ -emptiness is true.
We conclude that EGAF=0 ◦ -emptiness is true iff the values
of the counters of the two-counter machine are unbounded.
In this section, we have proved the following properties
about PTAUI . Our first result here is that the EF-emptiness for
PTAUI is less than the same reachability problem in classical
TAs without parameters.
Paradoxically, this simpler complexity for one TCTL deci-
sion problem (EF) does not make PTAUI a trivial subclass of
(P)TAs at all. On the contrary, we proved that the decidability
of EF-emptiness does not extend to the whole TCTL logic by
exhibiting a TCTL formula for which deciding the emptiness
of parameter valuations satisfying it is undecidable, while
model-checking TCTL logic is decidable in TAs [ACD93].
V. PROOF OF CONCEPT: CASE STUDY
To illustrate the usability of PTAsUI , we describe in this
section a case study modeled and verified using PTAsUI .
8
ℓi
ℓi
0
z ≤ 0, x1 ≤ 1
ℓi
0′
x1 < 1
ℓk
ℓi
1
z ≤ 0, x1 < 1
ℓi
2
ℓi
3
x1 ≤ 1
ℓi
3′
x1 < 1
ℓi
4
ℓi
5
x2 ≤ a+ 1
ℓi
5′
x2 < a+ 1
ℓerror ℓ
i
6
ℓi
7
z ≤ a+ 1
ℓi
7′
z < a+ 1
ℓj
ℓi
8
x2 ≤ a+ 1
ℓi
8′
x2 < a+ 1
ℓi
9
ℓi
10
x1 ≤ 1
ℓi
10′
x1 < 1
x1
:=
0
x
2
:=
0
z := 0
x
2
:=
0
x
1
:=
0
Fig. 4: decrement gadget
ℓ0 ℓ
1
0
z = 0
x1 ≤ 1
x2 ≤ 1
ℓ2
0
z = 0
x1 < 1
x2 < 1
ℓerror
ℓ1
Fig. 5: initialisation gadget
a) Software support: PTAsUI are natively supported by
IMITATOR [And+12], which is a parametric model checker
performing parameter synthesis for parametric timed automata,
extended with some useful features such as synchronization,
global variables, etc.
b) Description: The idea here is to model a Real-time
Transport Protocol (RTP) using PTAsUI . RTP is a network
protocol usually used to deliver video, audio over a network.
RTP is mainly used in Voice over IP, teleconference and since
the last few years in systems that involve media streaming.
RTP is typically running over User Datagram Protocol
(UDP), which can broadcast data to several clients, and is
faster as TCP (Transmission Control Protocol) as it does not
provide guarantees for message delivery.
Fig. 6 represents a simplified version of an RTP protocol
combined with a Real-Time Control Protocol (RTCP). A server
sends audio and video data to a client, and the client has the
possibility to pause the data stream or ask for more data when
its buffer is empty. We use two clocks to model the protocol.
x represents the server, while y represents the client. In each
location, the first word represents the state of the client, while
the second represents the state of the server. The automaton
starts in location ℓ1 as the client is waiting for its data stream.
On the begin action, the server first opens the channel for the
video within pv units of time, and the channel for the audio
within ps − pv units of time, assuming otherwise audio and
video would not be synchronized at reception by the client.
Then data is streamed for at most psend units of time to
prevent overflowing the bandwidth, in location idle, sending.
At this moment, the server stops sending for an undetermined
amount of time. In the meantime, the client’s buffer is being
emptied. When running outOfData, the client switches to
location askMore, sending as the server is still sending data.
y is reset and the system has the possibility to switch to
location idle, sending again if the server is still streaming
data, i. e., the constraint x < psend is still satisfied. While
in idle, sending, the client can choose to interrupt the data
stream. When in location idle, notSending, the client still
uses the data of the buffer, but has to request more data at
some point, i. e., while y < prced is satisfied. The procedure
9
idle, notSending
y ≤ prced
ℓ2
x ≤ pv
ℓ1
ℓ3
x ≤ ps
idle, sending
x < psend
y < prced
askMore, sending
x ≤ psend
askMore, notSending
begin
start
x := 0, y := 0
sendVideo
sendSound
x := 0
interrupt
x := 0
outOfData
y := 0
Fig. 6: Model of a media streaming protocol
from start is similar to the previously described one.
From locations askMore, sending and idle, notSending the
location askMore, notSending is reachable, when the server
is not streaming and the client’s buffer is empty. This is the
bug state of the system. We are interested in computing the
concrete parameter valuations of psend, prced, ps, pv s.t. the
system can reach the “bad” state askMore, notSending—that
is, we aim at performing EF(askMore, notSending)-synthesis.
c) Experiments: We modeled the case study in Fig. 6 in
the input language of IMITATOR. Experiments were conducted
with IMITATOR 2.11 “Butter Kouign-amann”, on a 2.4GHz
Intel Core i5 processor with 2 GiB of RAM in a VirtualBox
environment running Ubuntu.3 The synthesis time is less than
1 second with four parameters.
Applying IMITATOR to Fig. 6, we obtain the following
result for EF(askMore, notSending)-synthesis:
ps ≥ 0 ∧ pv ≥ 0 ∧ psend > 0 ∧ prced > 0.
That is, for almost all parameter valuations, there exists
an execution of the system such that it reaches the bad
location askMore, notSending. This is not surprising, as it
depends on the rate of data exchanged and of the connection
quality to the network. In other words, this bug state can be
reached in any case as the data stream can be blocked at any
time, i. e., the client may have to wait for the video to load.
A more interesting question is to study whether all runs of
some valuations may eventually reach the bug location. This
would be worrying, as it would denote that the protocol has no
chances of success for these valuations. Therefore, we focus
on EF(askMore, notSending)-synthesis. This time, we obtain
that the set of valuations for which all runs eventually reach
askMore, notSending is empty, and therefore no valuation
makes the protocol entirely unsuccessful.
VI. CONCLUSION
We proposed a new parametric timed formalism to reason
about timed systems with some uncertain or unknown timing
constants, with two interesting positive results. First, the
emptiness of the valuation set for which at least one run
reaches a location i. e., EF-emptiness, is decidable in linear
time which is better than solving the reachability problem for
3Models and results are available at
https://www.imitator.fr/static/ICECCS19/
TAs, as it is PSPACE-complete. Second, we showed that exact
synthesis can be achieved in exponential time.
In contrast, we showed that (nested) TCTL-emptiness is
undecidable, making PTAsUI , as model-checking TCTL is de-
cidable for TAs, a formalism at the border between decidability
and undecidability.
Our formalism seems to allow for promising practical
applications as shown by Section V, where we successfully
modeled a simple data streaming protocol.
Future work: On the theoretical side, the emptiness of
some flat TCTL formulas remains open for PTAsUI , notably
AF, EG and AG-emptiness. Improving the complexity of EF-
synthesis is also an interesting direction.
More practically, we are interested in proposing dedicated
efficient synthesis algorithms for PTAsUI (independently of the
underlying decidability).
REFERENCES
[ACD93] Rajeev Alur, Costas Courcoubetis, and David L. Dill.
“Model-Checking in Dense Real-Time”. In: Information
and Computation 104.1 (May 1993), pp. 2–34. DOI:
10.1006/inco.1993.1024 (cit. on pp. 3, 8).
[AD94] Rajeev Alur and David L. Dill. “A theory of timed
automata”. In: Theoretical Computer Science 126.2
(Apr. 1994), pp. 183–235. ISSN: 0304-3975. DOI:
10.1016/0304-3975(94)90010-8 (cit. on pp. 1–3, 5).
[AHV93] Rajeev Alur, Thomas A. Henzinger, and Moshe Y.
Vardi. “Parametric real-time reasoning”. In: STOC.
Ed. by S. Rao Kosaraju, David S. Johnson, and
Alok Aggarwal. San Diego, California, United States:
ACM, 1993, pp. 592–601. ISBN: 0-89791-591-7. DOI:
10.1145/167088.167242 (cit. on pp. 1, 2, 4).
[ALR16] E´tienne Andre´, Didier Lime, and Olivier H. Roux.
“Decision Problems for Parametric Timed Automata”.
In: ICFEM. Ed. by Kazuhiro Ogata, Mark Lawford, and
Shaoying Liu. Vol. 10009. Lecture Notes in Computer
Science. Tokyo, Japan: Springer, 2016, pp. 400–416.
DOI: 10.1007/978-3-319-47846-3 25 (cit. on pp. 6–8).
[ALR18] E´tienne Andre´, Didier Lime, and Mathias Rampari-
son. “TCTL model checking lower/upper-bound para-
metric timed automata without invariants”. In: FOR-
MATS. Ed. by David N. Jansen and Pavithra Prab-
hakar. Vol. 11022. Lecture Notes in Computer Sci-
ence. Beijing, China: Springer, 2018, pp. 1–17. DOI:
10.1007/978-3-030-00151-3 3 (cit. on pp. 4, 6).
10
[ALR19] E´tienne Andre´, Didier Lime, and Mathias Ramparison.
“Parametric updates in parametric timed automata”. In:
FORTE. Ed. by Jorge A. Pe´rez and Nobuko Yoshida.
Vol. 11535. Lecture Notes in Computer Science. Copen-
hagen, Denmark: Springer, 2019, pp. 39–56. DOI:
10.1007/978-3-030-21759-4 3 (cit. on pp. 1, 2, 6).
[And+12] E´tienne Andre´, Laurent Fribourg, Ulrich Ku¨hne, and
Romain Soulat. “IMITATOR 2.5: A Tool for An-
alyzing Robustness in Scheduling Problems”. In:
FM. Ed. by Dimitra Giannakopoulou and Dominique
Me´ry. Vol. 7436. Lecture Notes in Computer Science.
Paris, France: Springer, Aug. 2012, pp. 33–36. DOI:
10.1007/978-3-642-32759-9 6 (cit. on p. 8).
[And19] E´tienne Andre´. “What’s decidable about parametric
timed automata?” In: International Journal on Soft-
ware Tools for Technology Transfer 21.2 (Apr. 2019),
pp. 203–219. DOI: 10.1007/s10009-017-0467-0 (cit. on p. 1).
[Ben+15] Nikola Benesˇ, Peter Bezdeˇk, Kim Gulstrand Larsen,
and Jirˇı´ Srba. “Language Emptiness of Continuous-
Time Parametric Timed Automata”. In: ICALP, Part
II. Vol. 9135. Lecture Notes in Computer Sci-
ence. Kyoto, Japan: Springer, 2015, pp. 69–81. DOI:
10.1007/978-3-662-47666-6 6 (cit. on pp. 1, 2).
[BL09] Laura Bozzelli and Salvatore La Torre. “Decision
problems for lower/upper bound parametric timed au-
tomata”. In: Formal Methods in System Design 35.2
(2009), pp. 121–151. DOI: 10.1007/s10703-009-0074-0 (cit.
on pp. 1, 2, 4, 5).
[BO14] Daniel Bundala and Joe¨l Ouaknine. “Advances in
Parametric Real-Time Reasoning”. In: MFCS, Part
I. Ed. by Erzse´bet Csuhaj-Varju´, Martin Dietzfel-
binger, and Zolta´n E´sik. Vol. 8634. Lecture Notes
in Computer Science. Budapest, Hungary: Springer,
2014, pp. 123–134. ISBN: 978-3-662-44521-1. DOI:
10.1007/978-3-662-44522-8 (cit. on pp. 1, 2).
[BY03] Johan Bengtsson and Wang Yi. “Timed Automata:
Semantics, Algorithms and Tools”. In: Lectures on
Concurrency and Petri Nets, Advances in Petri Nets.
Ed. by Jo¨rg Desel, Wolfgang Reisig, and Grzegorz
Rozenberg. Vol. 3098. Lecture Notes in Computer Sci-
ence. Eichsta¨tt, Germany: Springer, 2003, pp. 87–124.
DOI: 10.1007/978-3-540-27755-2 3 (cit. on p. 5).
[Doy07] Laurent Doyen. “Robust Parametric Reachability for
Timed Automata”. In: Information Processing Letters
102.5 (2007), pp. 208–213. DOI: 10.1016/j.ipl.2006.11.018
(cit. on p. 1).
[Hun+02] Thomas Hune, Judi Romijn, Marie¨lle Stoelinga, and
Frits W. Vaandrager. “Linear parametric model check-
ing of timed automata”. In: Journal of Logic and
Algebraic Programming 52-53 (2002), pp. 183–220.
DOI: 10.1016/S1567-8326(02)00037-1 (cit. on pp. 1, 2, 4).
[JLR15] Aleksandra Jovanovic´, Didier Lime, and Olivier H.
Roux. “Integer Parameter Synthesis for Real-Time Sys-
tems”. In: IEEE Transactions on Software Engineering
41.5 (2015), pp. 445–461. DOI: 10.1109/TSE.2014.2357445
(cit. on pp. 1, 2, 4–6).
[KC10] E. V. Kuzmin and D. J. Chalyy. “Decidability of Bound-
edness Problems for Minsky Counter Machines”. In:
Automatic Control and Computer Sciences 44.7 (2010),
pp. 387–397. DOI: 10.3103/S0146411610070047 (cit. on
p. 6).
[Mil00] Joseph S. Miller. “Decidability and Complexity Re-
sults for Timed Automata and Semi-linear Hy-
brid Automata”. In: HSCC. Ed. by Nancy A.
Lynch and Bruce H. Krogh. Vol. 1790. Lecture
Notes in Computer Science. Pittsburgh, PA, USA:
Springer, 2000, pp. 296–309. ISBN: 3-540-67259-1. DOI:
10.1007/3-540-46430-1 26 (cit. on p. 1).
[Pap94] Christos H. Papadimitriou. Computational complexity.
Addison-Wesley, 1994. ISBN: 978-0-201-53082-7 (cit.
on p. 5).
11
