Interrupt Timed Automata: verification and expressiveness by Bérard, Béatrice et al.
arXiv:1203.6453v1 [cs.FL] 29 Mar 2012
FMSD manuscript No.
(will be inserted by the editor)
Interrupt Timed Automata: Verification and Expressiveness
Béatrice Bérard · Serge Haddad · Mathieu Sassolas
Tuesday 1st May, 2018
Abstract We introduce the class of Interrupt Timed Automata (ITA), a subclass
of hybrid automata well suited to the description of timed multi-task systems with
interruptions in a single processor environment.
While the reachability problem is undecidable for hybrid automata, we show that it is decidable for ITA. More precisely we prove that the untimed language of an ITA is
regular, by building a finite automaton as a generalized class graph. We then establish
that the reachability problem for ITA is in NEXPTIME and in PTIME when the
number of clocks is fixed. To prove the first result, we define a subclass ITA− of ITA,
and show that (1) any ITA can be reduced to a language-equivalent automaton in
ITA− and (2) the reachability problem in this subclass is in NEXPTIME (without any
class graph).
In the next step, we investigate the verification of real time properties over ITA. We
prove that model checking SCL, a fragment of a timed linear time logic, is undecidable.
On the other hand, we give model checking procedures for two fragments of timed
branching time logic.
We also compare the expressive power of classical timed automata and ITA and
prove that the corresponding families of accepted languages are incomparable. The
result also holds for languages accepted by controlled real-time automata (CRTA),
that extend timed automata. We finally combine ITA with CRTA, in a model which encompasses both classes, and show that the reachability problem is still decidable. Additionally, we show that the languages of ITA are neither closed under complementation nor under intersection.
Keywords Hybrid automata, timed automata, multi-task systems, interrupts,
decidability of reachability, model checking, real-time properties.
Parts of this paper have been published in the proceedings of FoSSaCS’09 [9] and Time’10 [10]
Béatrice Bérard · Mathieu Sassolas
Université Pierre & Marie Curie, LIP6/MoVe, CNRS UMR 7606, Paris, France
E-mail: {beatrice.berard | mathieu.sassolas}@lip6.fr
Serge Haddad
École Normale Supérieure de Cachan, LSV, CNRS UMR 8643, INRIA, Cachan, France
E-mail: haddad@lsv.ens-cachan.fr
1 Introduction
1.1 Context
The model of timed automata (TA), introduced in [4], has proved very successful due
to the decidability of several important verification problems including reachability
and model checking. A timed automaton consists of a finite automaton equipped with
real valued variables, called clocks, which evolve synchronously with time, during the
sojourn in states. When a discrete transition occurs, clocks can be tested by guards,
which compare their values with constants, and reset. The decidability results were
obtained through the construction of a finite partition of the state space into regions,
leading to a finite graph which is time-abstract bisimilar to the original transition
system, thus preserving reachability.
Consider several tasks executing on a single processor (possibly scheduled beforehand, although this step is beyond the scope of this paper). As a result, tasks are intertwined and may interrupt one another [37]. Since the behaviour of such systems may depend on the current execution times of the tasks, a timed model should measure these execution times, which involves clock suspension in case of interruptions. Unfortunately, timed automata lack this feature of clock suspension, hence more expressive models should be considered.
Hybrid automata (HA) have subsequently been proposed as an extension of timed
automata [30], with the aim to increase the expressive power of the model. In this
model, clocks are replaced by variables which evolve according to a differential equation.
Furthermore, guards consist of more general constraints on the variables and resets are
extended into (possibly non deterministic) updates. This model is very expressive, but
reachability is undecidable in HA. The simpler model obtained by allowing clocks to be
stopped and resumed, stopwatch automata (SWA), would be sufficient to model task
interruptions in a processor. However, reachability is also undecidable for SWA [18].
Many classes have been defined, between timed and hybrid automata, to obtain the
decidability of this problem.
Task automata [23] and suspension automata [31] model explicitly the scheduling of processes. Some classes restrict the use of variation of clock rate in hybrid automata to achieve decidability. Examples of such classes are systems with piece-wise constant derivatives [6] and controlled real-time automata [21]. Guards may also be restricted, as in multi-rate or rectangular automata [3], some integration graphs [26], or polygonal hybrid systems [7]. Restricting reset may also lead to decidability as in the hybrid automata with strong resets [13] or initialized stopwatch automata [24]. O-minimal hybrid systems [28,29] provide algebraic constraints on hybrid systems to yield decidability. Extensions of timed automata to release some constraints were also considered, as in some updatable timed automata [12].
While untimed properties like reachability and LTL [33,38] or CTL model checking [22,34,19] are useful for such models, real time verification considers more precise requirements, for instance quantitative response time properties. Therefore, timed extensions of these logics have been defined. In the case of linear time logics, verification of the most natural extension MTL [27] is undecidable on TA. However, several decidable fragments such as MITL [5] and SCL [35] have subsequently been defined. In the case of timed variants of branching time logics, different versions of Timed CTL (TCTL) [2,25] have been defined. Model checking procedures on TA for both versions of TCTL have been developed and implemented in several tools [8,15].
1.2 Contributions
In this paper, we define a subclass of hybrid automata, called Interrupt Timed Automata (ITA), well suited to the description of multi-task systems with interruptions in a single processor environment.
The ITA model. In an ITA, the finite set of control states is organized according to
interrupt levels, ranging from 1 to n, with exactly one active clock for a given level.
The clocks from lower levels are suspended and those from higher levels are not yet
defined (thus have arbitrary value 0). On the transitions, guards are linear constraints
using only clocks from the current level or the levels below and the relevant clocks can
be updated by linear expressions, using clocks from lower levels. Finally, each state
has a policy (lazy, urgent or delayed) that rules the sojourn time. This model is rather
expressive since it combines variables with rate 1 or 0 (usually called stopwatches)
and linear expressions for guards or updates. The ITA model is formally defined in
Section 2.
Reachability problem. As said before, the reachability problem is undecidable for automata with stopwatches [24,18,16]. However, we prove that it is decidable for ITA. More precisely, we first show that the untimed language of an ITA is effectively regular (Section 3). The corresponding procedure significantly extends the classical region construction of [4] by associating with each state a family of orderings over linear expressions. This construction yields a decision algorithm for reachability in 2-EXPTIME, and PTIME when the number of clocks is fixed. This should be compared to TA with 3 clocks for which reachability is PSPACE complete [20].
We define a slight restriction of the model, namely ITA−, which forbids updates
of clocks other than the one of the current level. We prove that for any ITA one can
build an equivalent ITA− w.r.t. language equivalence, whose size is at most exponential
w.r.t. the size of the ITA and polynomial when the number of clocks is fixed. Based on
the existence of a bound for the length of the minimal reachability path, we then show
that reachability on ITA− can be decided in NEXPTIME without any class graph
construction. This yields a NEXPTIME procedure for reachability in ITA (Section 4).
Model checking over ITA. We then focus on the verification of real time properties for
ITA (Section 5), expressed in timed extensions of LTL and CTL.
First we show that the model checking of timed (linear time) logic MITL [5] is
undecidable. Actually, even the fragment SCL [35] cannot be verified on ITA, while the
corresponding verification problem over TA is PSPACE-complete.
We then consider two fragments of the timed (branching time) logic TCTL, introduced in [25] and also studied later from the expressiveness point of view [14]. The first one, $\mathrm{TCTL}^{c}_{int}$, contains formulas involving comparisons of model clocks as atomic propositions. In this logic, it is possible to express properties like: (P1) a safe state is reached before spending 3 t.u. in handling some interruption. Decidability is obtained by a generalized class graph construction in 2-EXPTIME (PTIME if the number of clocks is fixed). Since the corresponding fragment cannot refer to global time, we consider a second fragment, $\mathrm{TCTL}_p$, in which we can reason on minimal or maximal delays. Properties like (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. can be expressed. In this case, the decidability procedure has a complexity in NEXPTIME for the existential fragment and 2-EXPTIME for the universal fragment (respectively NP and co-NP if the number of clocks is fixed).
Expressiveness. We also study the expressive power of the class ITA (Section 6), in
comparison with the original model of timed automata and the more general controlled
real-time automata (CRTA) proposed in [21]. In CRTA, clocks and states are colored
and a time rate is associated with every state. During the visit of a state, all clocks
colored by the color of the state evolve with the state rate while the others do not
evolve. We prove that the corresponding families of languages ITL and TL, as well as
ITL and CRTL, are incomparable. Additionally we show that ITL is neither closed
under complementation nor under intersection.
Extensions. We finally investigate compositions of ITA and other timed models (Section 7). In the first composition, a synchronous product of an ITA and a TA, we prove that the reachability problem becomes undecidable. We then define a more appropriate product of ITA and CRTA. The CRTA part describes a basic task at an implicit additional level 0. For this extended model denoted by ITA+, we show that reachability is still decidable with the same complexity and in PSPACE when the number of clocks is fixed.
2 Interrupt Timed Automata
2.1 Notations
The sets of natural, rational and real numbers are denoted respectively by $\mathbb{N}$, $\mathbb{Q}$ and $\mathbb{R}$. A timed word over an alphabet $\Sigma$ is a finite sequence $w = (a_1, \tau_1) \ldots (a_n, \tau_n)$ where $a_i$ is in $\Sigma$ and $(\tau_i)_{1 \leq i \leq n}$ is a non-decreasing sequence of real numbers. The length of $w$ is $n$ and the duration of $w$ is $\tau_n$.
For a finite set $X$ of clocks, a linear expression over $X$ is a term of the form $\sum_{x \in X} a_x \cdot x + b$ where $b$ and $(a_x)_{x \in X}$ are in $\mathbb{Q}$. We denote by $\mathcal{C}(X)$ the set of constraints obtained by conjunctions of atomic propositions of the form $C \bowtie 0$, where $C$ is a linear expression over $X$ and $\bowtie\ \in \{>, \geq, =, \leq, <\}$. The subset $\mathcal{C}_0(X)$ of $\mathcal{C}(X)$ contains constraints of the form $x + b \bowtie 0$. An update over $X$ is a conjunction (over $X$) of assignments of the form $x := C_x$, where $x$ is a clock and $C_x$ is a linear expression over $X$. The set of all updates over $X$ is written $\mathcal{U}(X)$, with $\mathcal{U}_0(X)$ for the subset containing only assignments of the form $x := 0$ (reset) or of the form $x := x$ (no update). For a linear expression $C$ and an update $u$, the expression $C[u]$ is obtained by “applying” $u$ to $C$, i.e. substituting each $x$ by $C_x$ in $C$, if $x := C_x$ is the update for $x$ in $u$. For instance, for the set of two clocks $X = \{x_1, x_2\}$, expression $C = x_2 - 2x_1 + 3$ and update $u$ defined by $x_1 := 1 \wedge x_2 := 2x_1 + 1$, applying $u$ to $C$ yields the expression $C[u] = 2x_1 + 2$.
A clock valuation is a mapping $v : X \to \mathbb{R}$, with $\mathbf{0}$ the valuation where all clocks have value 0. The set of all clock valuations is $\mathbb{R}^X$ and we write $v \models \varphi$ when valuation $v$ satisfies the clock constraint $\varphi \in \mathcal{C}(X)$. For a valuation $v$, a linear expression $C$ and an update $u$, the value $v(C)$ is obtained by replacing each $x$ in $C$ by $v(x)$ and the valuation $v[u]$ is defined by $v[u](x) = v(C_x)$ for $x$ in $X$ if $x := C_x$ is the update for $x$ in $u$. Observe that an update is performed simultaneously on all clocks. For instance, let $X = \{x_1, x_2, x_3\}$ be a set of three clocks. For valuation $v = (2, 1.5, \ldots)$ and update $u$ defined by $x_1 := 1 \wedge x_2 := x_2 \wedge x_3 := 3x_2 - x_1$, applying $u$ to $v$ yields the valuation $v[u] = (1, 1.5, 2.5)$.
[Fig. 1 (image not reproduced): interrupt levels 1, 2, 3, 4, … with clocks $x_1, x_2, x_3, x_4$; initially $\forall i, x_i := 0$, and entering a level resets its clock ($x_2 := 0$, $x_3 := 0$, $x_4 := 0$). The successive clock vectors $(x_1, x_2, x_3, x_4)$ shown are $(0,0,0,0)$, $(1.5,0,0,0)$, $(1.5,0,2.1,0)$, $(1.5,0,2.1,1.7)$ and $(3.7,0,0,0)$, separated by delays 1.5, 2.1, 1.7 and 2.2.]
Fig. 1 Interrupt levels and clocks in an ITA.
2.2 Models of timed systems
The model of ITA is based on the principle of multi-task systems with interruptions, in a single processor environment. We consider a set of tasks with different priority levels, where a higher level task represents an interruption for a lower level task. At a given level, exactly one clock is active (rate 1), while the clocks for tasks of lower levels are suspended (rate 0), and the clocks for tasks of higher levels are not yet activated and thus contain value 0. The mechanism is illustrated in Fig. 1, where irrelevant clock values are greyed. An example of such behavior can be produced by the ITA depicted in Fig. 2, which describes a system that answers requests according to their priority. It starts by receiving a request for a main task of priority 1. The treatment of this task can be interrupted by tasks of priority 2 or 3, depending on how far the system is in the execution of the main task. Tasks of priority 2 and 3 may generate errors (modeled by an interruption of higher level), after which the system recovers. On this system, deciding if it is possible – or always the case – that the main task is executed in less than a certain amount of time would give an insight into the quality of service of the system.
Enabling of a transition depends on the clock valuation. The enabling conditions, called guards, are linear constraints on the clock values of levels lower than or equal to the current level: the ones that are relevant before the firing of the transition. Additionally, a transition can update the values of the clocks. If the transition decreases (resp. increases) the level, then each clock which is relevant after (resp. before) the transition can either be left unchanged or take a linear expression of clocks of strictly lower level.
Along with its level, each state has a timing policy which indicates whether time
may (Lazy, default), may not (Urgent) or must (Delayed) elapse in a state. Note that in
TA, this kind of policy can be enforced by an additional clock while this is not possible
here because there is a single clock per level. This additional feature is needed for the
definition and further use of the model of ITA− (see Section 4). Note that the class
graph construction of Section 3 is still valid without them.
[Fig. 2 (image not reproduced): states $q_0, q_1, q_2$ at level 1, $q_3$ at level 2, $q_4$ at level 3, and $q_5, q_6$ at level 4. Transition labels: request prio1 with $x_1 := 0$; $3 \leq x_1 \leq 5$, answer prio1; $x_1 \leq 1$, request prio2; $1 \leq x_2 \leq 2$, answer prio2; $x_1 \leq 2$, request prio3; $2 \leq x_3 \leq 3$, answer prio3; error; $x_4 \leq 2$, recover (the last two labels each appear twice).]
Fig. 2 An ITA that produces – among others – the behavior represented in Fig. 1.
We also add a labeling of states with atomic propositions, in view of interpreting
logic formulas on these automata. In the sequel, the level of a transition is the level
of its source state. We also say that a transition is lazy (resp. urgent, delayed) if the
policy of its source state is lazy (resp. urgent, delayed).
Definition 1 An interrupt timed automaton is a tuple $\mathcal{A} = \langle \Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta \rangle$, where:
– $\Sigma$ is a finite alphabet, $AP$ is a set of atomic propositions,
– $Q$ is a finite set of states, $q_0$ is the initial state, $F \subseteq Q$ is the set of final states,
– $pol : Q \to \{\mathit{Lazy}, \mathit{Urgent}, \mathit{Delayed}\}$ is the timing policy of states,
– $X = \{x_1, \ldots, x_n\}$ consists of $n$ interrupt clocks,
– the mapping $\lambda : Q \to \{1, \ldots, n\}$ associates with each state its level and we call $x_{\lambda(q)}$ the active clock in state $q$. The mapping $lab : Q \to 2^{AP}$ labels each state with a subset of $AP$ of atomic propositions,
– $\Delta \subseteq Q \times \mathcal{C}(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}(X) \times Q$ is the set of transitions. Let $q \xrightarrow{\varphi, a, u} q'$ in $\Delta$ be a transition with $k = \lambda(q)$ and $k' = \lambda(q')$. The guard $\varphi$ is a conjunction of constraints $\sum_{j=1}^{k} a_j x_j + b \bowtie 0$ (involving only clocks from levels less than or equal to $k$). The update $u$ is of the form $\bigwedge_{i=1}^{n} x_i := C_i$ with:
  – if $k > k'$, i.e. the transition decreases the level, then for $1 \leq i \leq k'$, $C_i$ is either of the form $\sum_{j=1}^{i-1} a_j x_j + b$ or $C_i = x_i$ (unchanged clock value), and for $i > k'$, $C_i = 0$;
  – if $k \leq k'$ then for $1 \leq i \leq k$, $C_i$ is of the form $\sum_{j=1}^{i-1} a_j x_j + b$ or $C_i = x_i$, and for $i > k$, $C_i = 0$.
A configuration (q, v, β) of the associated transition system consists of a state q of the
ITA, a clock valuation v and a boolean value β expressing whether time has elapsed
since the last discrete transition. This third component is needed to define the semantics
according to the policies.
Definition 2 The semantics of an ITA $\mathcal{A}$ is defined by the (timed) transition system $\mathcal{T}_{\mathcal{A}} = (S, s_0, \to)$. The set $S$ of configurations is $\{(q, v, \beta) \mid q \in Q,\ v \in \mathbb{R}^X,\ \beta \in \{\top, \bot\}\}$, with initial configuration $s_0 = (q_0, \mathbf{0}, \bot)$. The relation $\to$ on $S$ consists of two types of steps:
Time steps: Only the active clock in a state can evolve, all other clocks are suspended. For a state $q$ with active clock $x_{\lambda(q)}$, a time step of duration $d > 0$ is defined by $(q, v, \beta) \xrightarrow{d} (q, v', \top)$ with $v'(x_{\lambda(q)}) = v(x_{\lambda(q)}) + d$ and $v'(x) = v(x)$ for any other clock $x$. A time step of duration 0 leaves the system $\mathcal{T}_{\mathcal{A}}$ in the same configuration. When $pol(q) = \mathit{Urgent}$, only time steps of duration 0 are allowed from $q$.
Discrete steps: A discrete step $(q, v, \beta) \xrightarrow{a} (q', v', \bot)$ can occur if there exists a transition $q \xrightarrow{\varphi, a, u} q'$ in $\Delta$ such that $v \models \varphi$ and $v' = v[u]$. When $pol(q) = \mathit{Delayed}$ and $\beta = \bot$, discrete steps are forbidden.
The labeling function $lab$ is naturally extended to configurations by $lab(q, v, \beta) = lab(q)$.
An ITA $\mathcal{A}_1$ is depicted in Fig. 3(a), with two interrupt levels (and two interrupt clocks). A geometric view is given in Fig. 3(b), with a possible trajectory: first the value of $x_1$ increases from 0 in state $q_0$ (horizontal line) and, after transition $a$ occurs, its value is frozen in state $q_1$ while $x_2$ increases (vertical line) until reaching the line $x_2 = -\frac{1}{2}x_1 + 1$ (the guard $x_1 + 2x_2 = 2$ of transition $b$). The light grey zone defined by $(0 < x_1 < 1,\ 0 < x_2 < -\frac{1}{2}x_1 + 1)$ corresponds to the set of valuations reachable in state $q_1$ and from which state $q_2$ is reachable.
[Fig. 3(a) (image not reproduced): the ITA $\mathcal{A}_1$ with state $q_0$ at level 1 and states $q_1, q_2$ at level 2; transition $a$ from $q_0$ to $q_1$ with guard $x_1 < 1$ and update $x_2 := 0$; transition $b$ from $q_1$ to $q_2$ with guard $x_1 + 2x_2 = 2$. Fig. 3(b): a possible trajectory of $\mathcal{A}_1$ in the $(x_1, x_2)$ plane, $x_1$ on the horizontal axis (ticks 0, 1, 2) and $x_2$ on the vertical axis (tick 1).]
Fig. 3 An example of ITA and a possible execution.
We now briefly recall the classical model of Timed Automata (TA) [4] as well as
the model of Controlled Real-Time Automata (CRTA) [21]. Note that in both models,
timing policies can be enforced by clock constraints.
Definition 3 A timed automaton is a tuple $\mathcal{A} = \langle \Sigma, Q, q_0, F, X, \Delta \rangle$, where $\Sigma$, $Q$, $q_0$, $F$ are defined as in an ITA, $X$ is a set of clocks and the set of transitions is $\Delta \subseteq Q \times \mathcal{C}_0(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}_0(X) \times Q$, with guards in $\mathcal{C}_0(X)$ and updates in $\mathcal{U}_0(X)$.
The semantics of a timed automaton is also defined as a timed transition system, with the set $Q \times \mathbb{R}^X$ of configurations (no additional boolean value). Discrete steps are similar to those of ITA but in time steps, all clocks evolve with the same rate 1: $(q, v) \xrightarrow{d} (q, v')$ iff for each clock $x$ in $X$, $v'(x) = v(x) + d$.
Controlled Real-Time Automata extend TA with the following features: the clocks and the states are partitioned according to colors belonging to a set $\Omega$ and with every state is associated a rational velocity. When time elapses in a state, the set of active clocks (i.e. with the color of the state) evolve with rate equal to the velocity of the state while other clocks remain unchanged. For the sake of clarity, we now propose a slightly simplified version of CRTA.
Definition 4 A CRTA $\mathcal{A} = (\Sigma, Q, q_0, F, X, up, low, vel, \lambda, \Delta)$ on a finite set $\Omega$ of colors is defined by:
– $\Sigma$, the alphabet of actions,
– $Q$, the set of states, with $q_0 \in Q$ the initial state and $F \subseteq Q$ the set of final states,
– $X$ the set of clocks,
– mappings $up$ and $low$ associate with each clock respectively an upper and a lower bound,
– $vel : Q \to \mathbb{Q}$ the velocity mapping,
– $\lambda : X \uplus Q \to \Omega$ the coloring mapping and
– $\Delta \subseteq Q \times \mathcal{C}_0(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}_0(X) \times Q$ the set of transitions, with guards in $\mathcal{C}_0(X)$ and updates in $\mathcal{U}_0(X)$.
Moreover, the lower and upper bound mappings satisfy $low(x) \leq 0 \leq up(x)$ for each clock $x \in X$, and $low(x) \leq b \leq up(x)$ for each constant $b$ such that $x \bowtie b$ is a constraint in $\mathcal{A}$.
The original semantics of CRTA is rather involved in order to obtain decidability of the reachability problem. It ensures that, when entering a state $q$ in which clock $x$ is active, the following conditions on the clock bounds hold: if $vel(q) > 0$ then $x \geq low(x)$ and if $vel(q) < 0$ then $x \leq up(x)$. Instead (and equivalently) we add a syntactical restriction which ensures this behavior. For instance, if a transition with guard $\varphi$ and reset $u$ enters state $q$ with $vel(q) < 0$ and if $x$ is the only clock such that $\lambda(x) = \lambda(q)$, then we replace this transition by two other transitions: the first one has guard $\varphi \wedge x > up(x)$ and adds $x := 0$ to the reset condition $u$, the other has guard $\varphi \wedge x \leq up(x)$ and reset $u$. In the general case where $k$ clocks have color $\lambda(q)$, this leads to $2^k$ transitions. With this syntactical condition, again the only difference from ITA concerns a time step of duration $d$, defined by $(q, v) \xrightarrow{d} (q, v')$, with $v'(x) = v(x) + vel(q)\,d$ if $\lambda(x) = \lambda(q)$ and $v'(x) = v(x)$ otherwise.
A run of an automaton $\mathcal{A}$ in ITA, TA or CRTA is a finite or infinite path in the associated timed transition system $\mathcal{T}_{\mathcal{A}}$, where (possibly null) time steps and discrete steps alternate. An accepting run is a finite run starting in $s_0$ and ending in a configuration associated with a state of $F$. For such a run with label $d_1 a_1 d_2 \ldots d_n a_n$, we say that the word $(a_1, d_1)(a_2, d_1 + d_2) \ldots (a_n, d_1 + \cdots + d_n)$ (where $\varepsilon$ actions are removed) is accepted by $\mathcal{A}$. The set $L(\mathcal{A})$ contains the timed words accepted by $\mathcal{A}$ and $Untimed(L(\mathcal{A}))$, the untimed language of $\mathcal{A}$, contains the projections onto $\Sigma^*$ of the timed words in $L(\mathcal{A})$. Interrupt Timed Languages or ITL (resp. Timed Languages or TL and Controlled Real-Time Languages or CRTL) denote the family of timed languages accepted by an ITA (resp. a TA and a CRTA).
For instance, the language $L_1$ accepted by the ITA $\mathcal{A}_1$ in Fig. 3(a) is $L_1 = L(\mathcal{A}_1) = \{(a, \tau)(b, 1 + \frac{\tau}{2}) \mid 0 \leq \tau < 1\}$.
Languages of infinite timed words accepted by Büchi or Muller conditions could be studied but this analysis should address technical issues such as Zeno runs and infinite sequences of $\varepsilon$-transitions.
In the context of model-checking, we also consider maximal runs which are either infinite or such that no discrete step is possible from the last configuration. The set of maximal runs starting from configuration $s$ is denoted by $Exec(s)$. Since maximal runs can be finite or infinite, we do not exclude Zeno behaviors. We use the notion of (totally ordered) positions (which allow us to consider several discrete actions simultaneously) along a maximal run [25]: for a run $\rho$, we denote by $<_\rho$ the strict order over positions. For position $\pi$ along $\rho$, the corresponding configuration is denoted by $s_\pi$, the prefix of $\rho$ up to $\pi$ is written $\rho_{\leq \pi}$ and its duration, $Dur(\rho_{\leq \pi})$, is the sum of all delays along the finite run $\rho_{\leq \pi}$. Similarly, the suffix of $\rho$ starting from $\pi$ is denoted by $\rho_{\geq \pi}$. For two positions $\pi \leq_\rho \pi'$, the subrun of $\rho$ between these positions is written $\rho_{[\pi, \pi']}$, and its duration is $Dur(\rho_{\leq \pi'}) - Dur(\rho_{\leq \pi})$. The length of $\rho$, denoted by $|\rho|$, is the number of discrete transitions occurring in $\rho$.
3 Regularity of untimed ITL
We prove in this section that the untimed language of an ITA is regular. Similarly to TA (and to CRTA), the proof is based on the construction of a (finite) class graph which is time abstract bisimilar to the transition system $\mathcal{T}_{\mathcal{A}}$. This result also holds for infinite words with standard Büchi conditions. As a consequence, we obtain decidability of the reachability problem, as well as decidability for plain CTL$^*$ model-checking.
The construction of classes is much more involved than in the case of TA. More precisely, it depends on the expressions occurring in the guards and updates of the automaton (while in TA it depends only on the maximal constant occurring in the guards). We associate with each state $q$ a set of expressions $Exp(q)$ with the following meaning. The values of clocks giving the same ordering of these expressions correspond to a class. In order to define $Exp(q)$, we first build a family of sets $\{E_k\}_{1 \leq k \leq n}$. Then $Exp(q) = \bigcup_{k \leq \lambda(q)} E_k$ (recall that $\lambda(q)$ is the index of the active clock in state $q$). Finally in Theorem 1 we show how to build the class graph which proves the regularity of the untimed language. This immediately yields a reachability procedure given in Proposition 1.
3.1 Construction of $\{E_k\}_{k \leq n}$
We first introduce an operation, called normalization, on expressions relative to some
level. As explained in the construction below, this operation will be used to order
expression values at a given level.
Definition 5 (Normalization) Let $C = \sum_{i \leq k} a_i x_i + b$ be an expression over $X_k = \{x_i \mid i \leq k\}$. The $k$-normalization of $C$, $norm(C, k)$, is defined by:
– if $a_k \neq 0$ then $norm(C, k) = x_k + (1/a_k)\left(\sum_{i<k} a_i x_i + b\right)$;
– else $norm(C, k) = C$.
Since guards are linear expressions with rational constants, we can assume that in a guard $C \bowtie 0$ occurring in a transition outgoing from a state $q$ with level $k$, the expression $C$ is either $x_k + \sum_{i<k} a_i x_i + b$ (by $k$-normalizing the expression and if necessary changing the comparison operator) or $\sum_{i<k} a_i x_i + b$. It is thus written as $\alpha x_k + \sum_{i<k} a_i x_i + b$, with $\alpha \in \{0, 1\}$.
The construction of $\{E_k\}_{k \leq n}$ proceeds top down from level $n$ to level 1 after initializing $E_k = \{x_k, 0\}$ for all $k$. As we shall see below, when handling the level $k$, we add new terms to $E_i$ for $1 \leq i \leq k$. These expressions are the ones needed to compute a (pre)order on the expressions in $E_k$.
– At level $k$, first for every expression $\alpha x_k + \sum_{i<k} a_i x_i + b$ (with $\alpha \in \{0, 1\}$) occurring in a guard of an edge leaving a state of level $k$, we add $-\sum_{i<k} a_i x_i - b$ to $E_k$.
– Then we iterate the following procedure until no new term is added to any $E_i$ for $1 \leq i \leq k$.
1. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) \geq k$ and $\lambda(q') \geq k$. Let $C \in E_k$, then we add $C[u]$ to $E_k$ (recall that $C[u]$ is the expression obtained by applying update $u$ to $C$).
2. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) < k$ and $\lambda(q') \geq k$. Let $C$ and $C'$ be two different expressions in $E_k$. We compute $C'' = norm(C[u] - C'[u], \lambda(q))$, choosing an arbitrary order between $C$ and $C'$ in order to avoid redundancy. Let us write $C''$ as $\alpha x_{\lambda(q)} + \sum_{i<\lambda(q)} a_i x_i + b$ with $\alpha \in \{0, 1\}$. Then we add $-\sum_{i<\lambda(q)} a_i x_i - b$ to $E_{\lambda(q)}$.
We illustrate this construction of expressions for the automaton $\mathcal{A}_1$ of Fig. 3(a). Initially, we have $E_1 = \{0, x_1\}$ and $E_2 = \{0, x_2\}$. When treating level 2, first, expression $-\frac{1}{2}x_1 + 1$ is added to $E_2$ as normalization of the guard $x_1 + 2x_2 = 2$. Then the transition labeled by $a$ updates $x_2$ (by resetting it to 0). As a result, we have to add to $E_1$ all differences of expressions of $E_2$ updated by $x_2 := 0$. This only produces expression $-\frac{1}{2}x_1 + 1 - 0$ which is normalized into $x_1 - 2$; thus expression 2 is added to $E_1$. When treating level 1, expression 1 from the guard of transition $a$ is added to $E_1$. As a result, we obtain $E_1 = \{x_1, 0, 1, 2\}$ and $E_2 = \{x_2, 0, -\frac{1}{2}x_1 + 1\}$.
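As an added illustration (not code from the paper), the following Python implements the linear-expression operations of Section 2.1 ($C[u]$ and $v[u]$) together with the $k$-normalization and the saturation procedure of Section 3.1, and runs the latter on the automaton $\mathcal{A}_1$ of Fig. 3(a) to recover $E_1$ and $E_2$ as computed above. All function names (lin, subst, build_E, …) and the dict encoding of expressions are this example's own; the third component of the valuation $v$ in the Section 2.1 example is elided in the paper, so the script uses a constructed stand-in value that no assignment reads.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Added example. A linear expression sum_i a_i*x_i + b over clocks x_1..x_n is a
# dict {i: a_i}; key 0 holds the constant b. Zero coefficients are dropped so
# that equal expressions have the same canonical key.

def lin(coeffs=None, b=0):
    """Build sum_i a_i*x_i + b from {i: a_i} and the constant b."""
    e = {i: Fr(a) for i, a in (coeffs or {}).items() if Fr(a) != 0}
    if Fr(b) != 0:
        e[0] = Fr(b)
    return e

def key(c):
    """Canonical hashable form of an expression."""
    return tuple(sorted(c.items()))

def add(c1, c2, s=1):
    """c1 + s*c2 (s = -1 gives the difference c1 - c2)."""
    out = dict(c1)
    for i, a in c2.items():
        out[i] = out.get(i, Fr(0)) + s * a
    return {i: a for i, a in out.items() if a != 0}

def scale(c, s):
    """s*c."""
    return {i: s * a for i, a in c.items()} if s != 0 else {}

def subst(c, u):
    """C[u]: substitute C_i for x_i whenever u contains x_i := C_i
    (a clock absent from u is unchanged, i.e. x_i := x_i)."""
    out = lin(b=c.get(0, 0))
    for i, a in c.items():
        if i != 0:
            out = add(out, scale(u.get(i, lin({i: 1})), a))
    return out

def value(c, v):
    """v(C): evaluate C under the valuation v = {i: v(x_i)}."""
    return c.get(0, Fr(0)) + sum(a * Fr(v.get(i, 0)) for i, a in c.items() if i != 0)

def apply_update(v, u):
    """v[u]: every assignment reads the old valuation (simultaneous update)."""
    return {i: (value(u[i], v) if i in u else Fr(x)) for i, x in v.items()}

def norm(c, k):
    """k-normalization (Definition 5): divide by the coefficient of x_k if non-zero."""
    ak = c.get(k, Fr(0))
    return scale(c, 1 / ak) if ak != 0 else c

def rest(c, k):
    """For C = alpha*x_k + sum_{i<k} a_i*x_i + b, return -sum_{i<k} a_i*x_i - b."""
    return scale({i: a for i, a in c.items() if i != k}, Fr(-1))

def build_E(level, edges, n):
    """Saturation of Section 3.1.  level: {state: level}; edges: list of
    (q, [C for each guard C bowtie 0], u, q') with the update u = {i: C_i}."""
    E = {k: {key(e): e for e in (lin({k: 1}), lin())} for k in range(1, n + 1)}

    def insert(k, c):
        if key(c) in E[k]:
            return False
        E[k][key(c)] = c
        return True

    for k in range(n, 0, -1):                      # top down, from level n to 1
        for q, guards, _u, _q2 in edges:           # guards of edges leaving level k
            if level[q] == k:
                for g in guards:
                    insert(k, rest(norm(g, k), k))
        changed = True
        while changed:                             # iterate until no E_i grows
            changed = False
            for q, _g, u, q2 in edges:
                lq, lq2 = level[q], level[q2]
                if lq >= k and lq2 >= k:           # step 1: close E_k under C[u]
                    for c in list(E[k].values()):
                        changed |= insert(k, subst(c, u))
                elif lq < k and lq2 >= k:          # step 2: differences pushed down to E_lq
                    for c, c2 in combinations(list(E[k].values()), 2):
                        d = norm(add(subst(c, u), subst(c2, u), -1), lq)
                        changed |= insert(lq, rest(d, lq))
    return {k: set(E[k]) for k in E}

# The ITA A_1 of Fig. 3(a): q0 at level 1, q1 and q2 at level 2.  Guard x1 < 1 is
# the constraint x1 - 1 < 0 and guard x1 + 2x2 = 2 is x1 + 2x2 - 2 = 0.
A1_LEVEL = {"q0": 1, "q1": 2, "q2": 2}
A1_EDGES = [("q0", [lin({1: 1}, b=-1)], {2: lin()}, "q1"),      # a, update x2 := 0
            ("q1", [lin({1: 1, 2: 2}, b=-2)], {}, "q2")]       # b, no update

if __name__ == "__main__":
    # Section 2.1: C = x2 - 2x1 + 3 under x1 := 1, x2 := 2x1 + 1 gives 2x1 + 2, and
    # v = (2, 1.5, .) under x1 := 1, x3 := 3x2 - x1 gives (1, 1.5, 2.5).  The third
    # component of v is elided in the paper; 4 is a constructed stand-in never read.
    print(subst(lin({2: 1, 1: -2}, b=3), {1: lin(b=1), 2: lin({1: 2}, b=1)}))
    print(apply_update({1: 2, 2: Fr(3, 2), 3: 4}, {1: lin(b=1), 3: lin({2: 3, 1: -1})}))
    for k, exprs in sorted(build_E(A1_LEVEL, A1_EDGES, 2).items()):
        print(f"E_{k} =", sorted(exprs))
```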
Lemma 1 The construction procedure of $\{E_k\}_{k \leq n}$ terminates and the size of every $E_k$ is bounded by $(E + 2)^{2^{n(n-k+1)+1}}$ where $E$ is the number of edges of the ITA.
Proof Given some $k$, we prove the termination of the stage relative to $k$. Observe that the second step only adds new expressions to $E_{k'}$ for $k' < k$. Thus the two steps can be ordered. Let us prove the termination of the first step of the saturation procedure. We define $E_k^0$ as the set $E_k$ at the beginning of this stage and $E_k^i$ as this set after insertion of the $i$th item in it. With each added item $C[u]$ can be associated its father $C$. Thus we can view $E_k$ as an increasing forest with finite degree (due to the finiteness of the edges) and finitely many roots. Assume that this step does not terminate. Then we have an infinite forest and by König's lemma, it has an infinite branch $C_0, C_1, \ldots$ where $C_{i+1} = C_i[u_i]$ for some update $u_i$ such that $C_{i+1} \neq C_i$. Observe that the number of updates that change the variable $x_k$ is either 0 or 1 since once $x_k$ disappears it cannot appear again. We split the branch into two parts before and after this update, or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude with the same reasoning that there is at most one update that changes the variable $x_{k-1}$. Iterating this process, we conclude that the number of updates is at most $2^k - 1$ and the length of the branch is at most $2^k$.
For the sake of readability, we set $B = E + 2$. The final size of $E_k$ is thus at most $|E_k^0| \times B^{2^k}$ since the width of the forest is bounded by $B$.
In the second step, we add at most $B \times (|E_k| \times (|E_k| - 1))/2$ expressions to $E_i$ for every $i < k$. This concludes the proof of termination.
We now prove by a painful backward induction that as soon as $n \geq 2$, $|E_k| \leq B^{2^{n(n-k+1)+1}}$. The doubly exponential size of $E_n$ (proved above) is propagated downwards by the saturation procedure. We define $p_k = |E_k|$.
Basis case $k = n$. We have $p_n \leq p_n^0 \times B^{2^n}$ where $p_n^0$ is the number of guards of the outgoing edges from states of level $n$. Thus $p_n \leq B \times B^{2^n} = B^{2^n + 1} \leq B^{2^{n+1}} = B^{2^{n(n-n+1)+1}}$, which is the claimed bound.
Inductive case. Assume that the bound holds for $k < j \leq n$. Due to all executions of the second step of the procedure at strictly higher levels, $p_k^0$ expressions were added to $E_k$, with:
$p_k^0 \leq B + B \times \big((p_{k+1} \times (p_{k+1} - 1))/2 + \cdots + (p_n \times (p_n - 1))/2\big)$
$p_k^0 \leq B + B \times \big(B^{2^{n(n-k)+1}+2} + \cdots + B^{2^{n+1}+2}\big)$
$p_k^0 \leq B \times (n - k + 1) \times B^{2^{n(n-k)+1}+2}$
$p_k^0 \leq B \times B^n \times B^{2^{n(n-k)+1}+2}$ (here we use $B \geq 2$)
$p_k^0 \leq B^{2^{n(n-k)+1}+n+3}$
Taking into account the first step of the procedure for level $k$, we have: $p_k \leq B^{2^{n(n-k)+1}+2^k+n+3}$.
Let us consider the term $\delta = 2^{n(n-k+1)+1} - \big(2^{n(n-k)+1} + 2^k + n + 3\big)$. Since $k < n$,
$\delta \geq (2^{n-1} - 1)\,2^{n(n-k)+1} - (2^k + n + 2)$
$\delta \geq (2^{n-1} - 1)\,2^{n(n-k)+1} - (2^{n-1} + 2n)$
$\delta \geq (2^{n-1} - 1)\,2^{n(n-k)+1} - 2^{n+1} \geq 0$
Thus $p_k \leq B^{2^{n(n-k)+1}+2^k+n+3} \leq B^{2^{n(n-k+1)+1}} = (E + 2)^{2^{n(n-k+1)+1}}$ which is the claimed bound. ⊓⊔
3.2 Construction of the class automaton
In order to analyze the size of the class automaton defined below, we recall and adapt a classical result about partitions of $n$-dimensional Euclidean spaces.
Definition 6 Let $\{H_k\}_{1 \leq k \leq m}$ be a family of hyperplanes of $\mathbb{R}^n$. A region defined by this family is a connected component of $\mathbb{R}^n \setminus \bigcup_{1 \leq k \leq m} H_k$. An extended region defined by this family is a connected component of $\bigcap_{k \in I} H_k \setminus \bigcup_{k \notin I} H_k$ where $I \subseteq \{1, \ldots, m\}$.
Proposition 1 ([39]) The number of regions defined by the family $\{H_k\}_{1 \leq k \leq m}$ is at most $\sum_{i=0}^{n} \binom{m}{i}$.
We derive from this proposition:
Corollary 1 The number of extended regions defined by the family $\{H_k\}_{1 \leq k \leq m}$ is at most $\sum_{p=0}^{n} \binom{m}{p} \sum_{i=0}^{n-p} \binom{m-p}{i} \leq e^2 m^n$.
Proof Observe that an extended region is a region belonging to an intersection of at most $n$ hyperplanes (by removing redundant hyperplanes). Thus counting the number of such intersections and applying the previous proposition yields the following formula:
$$\sum_{p=0}^{n} \binom{m}{p} \sum_{i=0}^{n-p} \binom{m-p}{i} \;\leq\; \sum_{p=0}^{n} \frac{m^p}{p!} \sum_{i=0}^{n-p} \frac{m^{n-p}}{i!} \;=\; m^n \sum_{p=0}^{n} \frac{1}{p!} \sum_{i=0}^{n-p} \frac{1}{i!} \;\leq\; e^2 m^n$$
⊓⊔
Theorem 1 The untimed language of an ITA is regular.
Proof First, we assume that the policy of every state is lazy. At the end of the proof,
we explain how to adapt the construction for states with urgent or delayed policies.
Class definition. Let $A$ be an ITA with $E$ transitions and $n$ clocks. The decision algorithm
is based on the construction of a (finite) class graph which is time-abstract bisimilar
to the transition system $T_A$. A class is a syntactical representation of a subset of
reachable configurations. More precisely, it is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$
where $q$ is a state and $\preceq_k$ is a total preorder over $E_k$, for $1 \le k \le \lambda(q)$.
The class $R$ describes the set of configurations:
$$\llbracket R \rrbracket = \{(q, v, \beta) \mid \beta \in \{\top, \bot\},\ \forall k \le \lambda(q)\ \forall g, h \in E_k,\ g[v] \le h[v] \text{ iff } g \preceq_k h\}$$
The initial state of this graph is defined by the class $R_0$ with $\llbracket R_0 \rrbracket$ containing
$(q_0, \mathbf{0}, \bot)$, which can be straightforwardly determined. For example, for ITA $A_1$ of
Fig. 3(a), the initial class is $R_0 = (q_0, Z_0)$ with $Z_0 : x_1 = 0 < 1 < 2$. The final states
are all $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ with $q \in F$.
Observe that, fixing a state, the set of configurations $\llbracket R \rrbracket$ of a non-empty class $R$ is
exactly an extended region associated with the hyperplanes defined by the comparison
of two expressions of some $E_k$. Since $(E+2)^{2^{n^2}+1}$ is an upper bound of the number
of expressions of any level, $m = (E+2)^{2^{n^2+1}+2}$ is an upper bound of the number of
hyperplanes. So using Corollary 1, the number of semantically different classes for a
given state is bounded by:
$$e^2 m^n = e^2 (E+2)^{2^{n^2+1} n + 2n}$$
Since one can test semantical equality between classes in polynomial time w.r.t. their
size [36], we implicitly consider in the sequel of the proof classes modulo the semantical
equivalence.
As usual, there are two kinds of transitions in the graph, corresponding to discrete
steps and time steps.
Discrete step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ and $R' = (q', \{\preceq'_k\}_{1 \le k \le \lambda(q')})$ be two classes.
There is a transition $R \xrightarrow{e} R'$ for a transition $e : q \xrightarrow{\varphi, a, u} q'$ if there is some $(q, v) \in \llbracket R \rrbracket$
and $(q', v') \in \llbracket R' \rrbracket$ such that $(q, v) \xrightarrow{e} (q', v')$. In this case, for all $(q, v) \in \llbracket R \rrbracket$ there is
a $(q', v') \in \llbracket R' \rrbracket$ such that $(q, v) \xrightarrow{e} (q', v')$. This can be decided as follows.
Firability condition. Write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$. Since we assumed normalized guards,
for every $j$, $C_j = \alpha x_k + \sum_{i < k} a_i x_i + b$ (with $\alpha \in \{0, 1\}$ and $k = \lambda(q)$). By construction
$C'_j = -\sum_{i < \lambda(q)} a_i x_i - b \in E_k$. For each $j \in J$, we define a condition depending on
$\bowtie_j$. For instance, if $C_j \le 0$, we require that $\alpha x_k \preceq_k C'_j$, and if $C_j < 0$ we require that
$\alpha x_k \preceq_k C'_j \wedge C'_j \not\preceq_k \alpha x_k$ (i.e. $\alpha x_k$ is strictly below $C'_j$).
Successor definition. $R'$ is defined as follows. Let $k \le \lambda(q')$ and $g', h' \in E_k$.
1. Either $k \le \lambda(q)$: by construction, $g'[u], h'[u] \in E_k$, and then $g' \preceq'_k h'$ iff $g'[u] \preceq_k h'[u]$.
2. Or $k > \lambda(q)$: let $D = g'[u] - h'[u] = \sum_{i \le \lambda(q)} c_i x_i + d$, and $C = norm(D, \lambda(q))$,
and write $C = \alpha x_{\lambda(q)} + \sum_{i < \lambda(q)} a_i x_i + b$ (with $\alpha \in \{0, 1\}$). By construction
$C' = -\sum_{i < \lambda(q)} a_i x_i - b \in E_{\lambda(q)}$.
When $c_{\lambda(q)} \ge 0$ then $g' \preceq'_k h'$ iff $\alpha x_{\lambda(q)} \preceq_{\lambda(q)} C'$.
When $c_{\lambda(q)} < 0$ then $g' \preceq'_k h'$ iff $C' \preceq_{\lambda(q)} \alpha x_{\lambda(q)}$.
By definition of $\llbracket \cdot \rrbracket$,
– For any $(q, v) \in \llbracket R \rrbracket$, if there exists $(q, v) \xrightarrow{e} (q', v')$ then the firability condition is
fulfilled and $(q', v')$ belongs to $\llbracket R' \rrbracket$.
– If the firability condition is fulfilled then for each $(q, v) \in \llbracket R \rrbracket$ there exists $(q', v') \in \llbracket R' \rrbracket$
such that $(q, v) \xrightarrow{e} (q', v')$.
Time step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$. There is a transition $R \xrightarrow{succ} Post(R)$ for
$Post(R) = (q, \{\preceq'_k\}_{1 \le k \le \lambda(q)})$, the time successor of $R$, which is defined as follows.
For every $i < \lambda(q)$, $\preceq'_i = \preceq_i$. Let $\sim$ be the equivalence relation $\preceq_{\lambda(q)} \cap \preceq_{\lambda(q)}^{-1}$ induced
by the preorder. On equivalence classes, this (total) preorder becomes a (total) order.
Let $V$ be the equivalence class containing $x_{\lambda(q)}$.
1. Either $V = \{x_{\lambda(q)}\}$ and it is the greatest equivalence class. Then $\preceq'_{\lambda(q)} = \preceq_{\lambda(q)}$
(thus $Post(R) = R$).
2. Or $V = \{x_{\lambda(q)}\}$ and it is not the greatest equivalence class. Let $V'$ be the next
equivalence class. Then $\preceq'_{\lambda(q)}$ is obtained by merging $V$ and $V'$, and preserving
$\preceq_{\lambda(q)}$ elsewhere.
3. Or $V$ is not a singleton. Then we split $V$ into $V \setminus \{x_{\lambda(q)}\}$ and $\{x_{\lambda(q)}\}$ and
"extend" $\preceq_{\lambda(q)}$ by $V \setminus \{x_{\lambda(q)}\} \prec'_{\lambda(q)} \{x_{\lambda(q)}\}$.
By definition of $\llbracket \cdot \rrbracket$, for each $(q, v) \in \llbracket R \rrbracket$, there exists $d > 0$ such that $(q, v + d) \in \llbracket Post(R) \rrbracket$
and, for each $d'$ with $0 \le d' \le d$, $(q, v + d') \in \llbracket R \rrbracket \cup \llbracket Post(R) \rrbracket$.
We now explain how the policy is handled. Given a state $q$ such that $pol(q) = U$, for
every class $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ we delete the time steps outgoing from $R$. The case
of a state $q$ such that $pol(q) = D$ is a little more involved. First we partition classes
between time open classes, where for every configuration of the class there exists
a small amount of time elapse that leaves the new configuration in the same class, and
time closed classes. The partition is performed w.r.t. the equivalence class $V$ of $x_{\lambda(q)}$
for the relation $\sim$ (see above in the proof). The class $R$ is time open iff $V = \{x_{\lambda(q)}\}$.
Then we successively replace every time closed class $R$ by two copies $R^-$ and $R^+$,
which capture whether time has elapsed since the last discrete step. Thus, a time
edge entering $R$ is redirected towards $R^+$ while a discrete edge entering $R$ is redirected
towards $R^-$. A time step $R \xrightarrow{succ} R'$ is replaced by two transitions $R^- \xrightarrow{succ} R'$ and
$R^+ \xrightarrow{succ} R'$, while a discrete step $R \xrightarrow{e} R'$ is replaced by the transition $R^+ \xrightarrow{e} R'$.
Time open classes allow time elapsing, hence no splitting is required for these classes.
Since there is at most one time edge outgoing from a class, the number of edges of
the new graph is at most twice the number of edges in the original graph. ⊓⊔
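As an added illustration (this code is not part of the paper), the following Python implements the time successor $Post(R)$ restricted to the preorder of the active level, together with the time open/closed test used for delayed states. A total preorder over $E_{\lambda(q)}$ is encoded as an ordered list of equivalence classes (each a frozenset of expression names, written as strings); the function and variable names are this example's own conventions. Iterating the successor from $Z_0$ of $A_1$ reproduces the chain $R_0, R_0^1, \ldots, R_0^5$ described in Section 3.3 below.

```python
# Added example: the time successor Post(R) of the "Time step" paragraph, on the
# preorder of the active level only (lower levels are unchanged by definition).
# Encoding (this example's own): a preorder is an ascending list of equivalence
# classes, each class a frozenset of expression names such as "x1", "0", "1", "2".
from typing import FrozenSet, List

Preorder = List[FrozenSet[str]]


def time_successor(preorder: Preorder, clock: str) -> Preorder:
    """Post(R) on the active level; `clock` is the name of x_{lambda(q)}."""
    idx = next(i for i, cls in enumerate(preorder) if clock in cls)
    v = preorder[idx]
    if v == frozenset({clock}):
        # Case 1: V is a singleton and the greatest class -> Post(R) = R.
        if idx == len(preorder) - 1:
            return list(preorder)
        # Case 2: V is a singleton but not the greatest -> merge V with the next class.
        merged = v | preorder[idx + 1]
        return preorder[:idx] + [merged] + preorder[idx + 2:]
    # Case 3: V is not a singleton -> split V, the clock moves strictly above the rest.
    rest = v - {clock}
    return preorder[:idx] + [rest, frozenset({clock})] + preorder[idx + 1:]


def is_time_open(preorder: Preorder, clock: str) -> bool:
    """A class is time open iff the equivalence class of the active clock is a singleton
    (time can elapse a little without leaving the class); used for the delayed policy."""
    return any(cls == frozenset({clock}) for cls in preorder)


def time_closure(preorder: Preorder, clock: str) -> List[Preorder]:
    """All iterated time successors, up to and including the fixed point Post(R) = R."""
    chain = [list(preorder)]
    while True:
        nxt = time_successor(chain[-1], clock)
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def render(preorder: Preorder) -> str:
    """Print a preorder the way the paper writes it, e.g. 'x1 = 0 < 1 < 2'."""
    key = lambda s: (not s.startswith("x"), s)   # clocks first inside a class
    return " < ".join(" = ".join(sorted(cls, key=key)) for cls in preorder)


# Z0 of A1 (Section 3.3): x1 = 0 < 1 < 2 over E1 = {x1, 0, 1, 2}.
Z0: Preorder = [frozenset({"x1", "0"}), frozenset({"1"}), frozenset({"2"})]

if __name__ == "__main__":
    for i, z in enumerate(time_closure(Z0, "x1")):
        print(f"R0^{i}: {render(z)}  (time open: {is_time_open(z, 'x1')})")
```

Running it prints six classes, the last one ($0 < 1 < 2 < x_1$) being its own successor; the classes where $x_1$ sits alone are exactly the time open ones, which is why they need no $R^-$/$R^+$ splitting under a delayed policy.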
Proposition 2 The reachability problem for Interrupt Timed Automata is decidable
and belongs to 2-EXPTIME, and to PTIME when the number of clocks is fixed.
Proof The reachability problem is solved by building the class graph and applying a
standard reachability algorithm. Since the number of semantically different classes is
at most doubly exponential in the size of the model and the semantical equivalence
can be checked in polynomial time w.r.t. the size of the class (also doubly exponential),
this leads to a 2-EXPTIME complexity. When the number of clocks is fixed, the size
of the graph is at most polynomial w.r.t. the size of the problem, leading to a PTIME
procedure. No complexity gain can be obtained by a non-deterministic search without
building the graph, since the size of the graph is only polynomial w.r.t. the size of a
class. ⊓⊔
Remarks. This result should be contrasted with the similar one for TA. The reachability
problem for TA is PSPACE-complete and thus less costly to solve than for ITA.
However, fixing the number of clocks does not reduce the complexity for TA (when
this number is greater than or equal to 3), while this problem belongs to PTIME
for ITA. Summarizing, the main source of complexity for ITA is the number of clocks,
while in TA it is the binary encoding of the constants [20].
Since the construction of the graph depends on a set of expressions, there is no
notion of granularity as in Timed Automata. When the only guards are comparisons to
constants and the only updates are resets of clocks (as in Timed Automata), the abstraction
obtained is coarser than the region abstraction of [4]: it consists only of products of
intervals.
3.3 Example
We illustrate this construction of a class automaton for the automaton $A_1$ of Fig. 3(a).
The resulting class automaton is depicted on Fig. 4, where dashed lines indicate time
steps.
Recall that we obtained $E_1 = \{x_1, 0, 1, 2\}$ and $E_2 = \{x_2, 0, -\tfrac{1}{2}x_1 + 1\}$. In state
$q_0$, the only relevant clock is $x_1$ and the initial class is $R_0 = (q_0, Z_0)$ with $Z_0 : x_1 = 0 < 1 < 2$.
Its time successor is $R_0^1 = (q_0, Z_0^1)$ with $Z_0^1 : 0 < x_1 < 1 < 2$. Transition
$a$ leading to $q_1$ can be taken from both classes, but not from the next time successors
$R_0^2 = (q_0, 0 < x_1 = 1 < 2)$, $R_0^3 = (q_0, 0 < 1 < x_1 < 2)$, $R_0^4 = (q_0, 0 < 1 < x_1 = 2)$, or
$R_0^5 = (q_0, 0 < 1 < 2 < x_1)$.
[Fig. 4 The class automaton for $A_1$. The figure shows the classes $R_0, R_0^1, R_0^2, \ldots, R_0^5$ of state $q_0$, the classes $R_1 = (q_1, Z_0, x_2 = 0 < 1)$, $(q_1, Z_0, 0 < x_2 < 1)$, $(q_1, Z_0, 0 < x_2 = 1)$, $(q_2, Z_0, 0 < x_2 = 1)$, $(q_2, Z_0, 0 < 1 < x_2)$ reached from $R_0$, and the classes $R_1^1$, $(q_1, Z_0^1, 0 < x_2 < -\tfrac{1}{2}x_1 + 1)$, $(q_1, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1)$, $(q_2, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1)$, $(q_2, Z_0^1, 0 < -\tfrac{1}{2}x_1 + 1 < x_2)$ reached from $R_0^1$, linked by discrete steps $a$, $b$ and by time steps (dashed).]
Transition $a$ switches from $R_0$ to $R_1 = (q_1, Z_0, x_2 = 0 < 1)$, because $x_1 = 0$, and
from $R_0^1$ to $R_1^1 = (q_1, Z_0^1, x_2 = 0 < -\tfrac{1}{2}x_1 + 1)$. Transition $b$ is fired from those time
successors for which $x_2 = -\tfrac{1}{2}x_1 + 1$.
On the geometric view of Fig. 3(b), the displayed trajectory corresponds to the
following path in the class automaton:
$$R_0 \to R_0^1 \xrightarrow{a} R_1^1 \to \big(q_1, Z_0^1, 0 < x_2 < -\tfrac{1}{2}x_1 + 1\big) \to \big(q_1, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1\big) \xrightarrow{b} \big(q_2, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1\big)$$
4 A simpler model
4.1 Definition of ITA−
We introduce a restricted version of ITA, called ITA−, which is interesting both from
a theoretical and a practical point of view. When modeling interruptions in real-time
systems, the clock associated with some level measures the time spent in this level or,
more generally, the time spent by some tasks at this level. Thus when going to a higher
level, this clock is not updated until returning to this level. The ITA− model takes this
feature into account. Moreover, it turns out that the reachability problem for ITA−
can be solved more efficiently. This also provides a better complexity upper bound for
the reachability problem on ITA (in the general case).
Definition 7 The subclass ITA− of ITA is defined by the following restriction on
updates. For a transition $q \xrightarrow{\varphi, a, u} q'$ of an automaton $A$ in ITA− (with $k = \lambda(q)$ and
$k' = \lambda(q')$), the update $u$ is of the form $\bigwedge_{i=1}^{n} x_i := C_i$ with:
– if $k > k'$, then for $1 \le i \le k'$, $C_i = x_i$ and for $k'+1 \le i \le n$, $C_i = 0$, i.e. the only
updates are the resets of now irrelevant clocks;
– if $k \le k'$, then $C_k$ is of the form $\sum_{j=1}^{k-1} a_j x_j + b$ or $C_k = x_k$. For $k < i \le k'$, $C_i = 0$,
and $C_i = x_i$ otherwise.
Thus, complex updates appear only in transitions increasing the level, and only for
the active clock of the transition level.
The proof of the following result is based on Propositions 3 and 5, proved in the
next two sections.
Theorem 2 The reachability problem for ITA belongs to NEXPTIME.
Proof Given an ITA $A$ with transitions of size $E$ and constants coded over $b$ bits, we
build the ITA− $A'$ of Proposition 3. Then we apply on $A'$ the reachability procedure
of Proposition 5. In this procedure, we consider paths of length bounded by $(E'+n)^{3n}$,
where $E'$ is the number of transitions of $A'$. Since $E' \le 2^{4b \cdot E \cdot n^2}$ (as shown in the proof
of Proposition 3), the length of the paths considered is bounded by
$$(E'+n)^{3n} \le \big(2^{4b \cdot E \cdot n^2} + n\big)^{3n} \le (n+2)^{12 b \cdot E \cdot n^3}$$
which establishes the claimed upper bound. ⊓⊔
4.2 From ITA to ITA−
In this subsection we prove that ITA and ITA− are equivalent w.r.t. the associated
(timed) languages.
Proposition 3 Given an ITA $A$, we build an automaton $A'$ in ITA− accepting the
same timed language and with the same clocks, such that its number of edges (resp.
states) is exponential w.r.t. the number of edges (resp. states) in $A$, and polynomial
when the number of clocks is fixed.
Proof Starting from ITA $A = \langle \Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta \rangle$, the construction of
automaton $A'$ relies on memorizing at a given level $i$, for every clock $x_j$ at a lower
level, an expression depending on $x_1, \ldots, x_{j-1}$, corresponding to the delayed update
of $x_j$. This expression is used later to replace the value of $x_j$ in guards and to restore
its correct value by an update after decreasing to level $j$.
To this aim we associate with every pair of levels $i \ge j$ a set of expressions $F_{i,j}$
inductively defined by:
– $F_{i,i} = \{x_i\}$
– $\forall i > j$, $F_{i,j} = F_{i-1,j} \cup \{e[\{x_k \leftarrow e_k\}_{k < j}] \mid e$ is the expression of an update of $x_j$ by
an edge of level $i$ and $\forall k,\ e_k \in F_{i,k}\}$
We write $F_j = F_{n,j} = \bigcup_{i=j}^{n} F_{i,j}$. The set $F_j$ thus contains all expressions of updates
of $x_j$ that appear at higher levels.
Although the number of expressions is syntactically doubly exponential w.r.t. the
number of clocks, one can show that the number of distinct expressions is only singly
exponential.
First we assume that ITA $A$ has only integral constants; the case of rational constants
is handled at the end of the proof. It can be shown that every expression $e_k$ of
$F_k$ can be written
$$e_k = \sum_{i_0, \ldots, i_p \in sub(k)} \alpha_{k, i_p} \cdot \alpha_{i_p, i_{p-1}} \cdots \alpha_{i_1, i_0} \cdot x_{i_0}$$
with the convention that $x_0$ is the constant 1, and where $sub(k)$ is the set of all (ordered)
subsequences of $0, \ldots, k-1$ and $\alpha_{j,i}$ is the coefficient of $x_i$ in some update of $x_j$.
For the family $\alpha$ of all integers $\alpha_{j,i}$, assume that these constants are coded over
$b_\alpha$ bits each (including the sign of the coefficient). The expression $x_{i_0}$ can also be
coded into an integer of $\log_2(n)$ bits (with a special symbol to indicate that it is the
expression of a clock rather than a constant). Let $b = \max(b_\alpha, \log_2(n) + 1)$ be the
(maximal) number of bits used to code a coefficient. Then each term of the sum is a
product of at most $k$ such coefficients, therefore it can be coded with $kb$ bits. Summing
at most $2^k$ such products yields an integer that can be coded over $kb + k$ bits. Thus
there can be at most $2^{k(b+1)}$ different expressions in $F_k$.
Automaton $A'$ is then defined as follows.
– The set of states is
$$Q' = \{(q^+, e_1, \ldots, e_{i-1}) \mid q \in Q,\ \lambda(q) = i \text{ and } \forall j,\ e_j \in F_j\}
\cup \{(q^-, e_1, \ldots, e_i) \mid q \in Q,\ \lambda(q) = i \text{ and } \forall j,\ e_j \in F_j\},$$
with $pol(q^+, e_1, \ldots, e_{i-1}) = pol(q)$ and $pol(q^-, e_1, \ldots, e_i) = U$.
Note that the sequence is empty if $i = 1$. Moreover:
$$\lambda(q^+, e_1, \ldots, e_{i-1}) = \lambda(q^-, e_1, \ldots, e_i) = \lambda(q).$$
– The initial state of $A'$ is $(q_0^+, x_1, \ldots, x_{i-1})$ if $\lambda(q_0) = i$. The final states of $A'$ are
the states with first component $q^+$ for $q \in F$.
– Let $q \xrightarrow{\varphi, a, u} q'$ be a transition in $A$ such that $\lambda(q) = i$, $\lambda(q') = i'$ and $u$ is defined
by $\bigwedge_{j=1}^{i} x_j := C_j$.
• If $i \le i'$, then for every $(q^+, e_1, \ldots, e_{i-1})$ there is a transition
$$(q^+, e_1, \ldots, e_{i-1}) \xrightarrow{\varphi', a, u'} (q'^+, e'_1, \ldots, e'_{i'-1})$$
in $A'$ with $\varphi' = \varphi(\{x_j \leftarrow e_j\}_{j < i})$, update $u'$ defined by $x_i := C_i[\{x_j \leftarrow e_j\}_{j < i}]$;
for all $j < i$, $e'_j = C_j[\{x_k \leftarrow e_k\}_{k < i}]$, and for all $j$ such that $i \le j < i'$, $e'_j = x_j$.
• If $i > i'$, then for every $(q^+, e_1, \ldots, e_{i-1})$ there is a transition
$$(q^+, e_1, \ldots, e_{i-1}) \xrightarrow{\varphi', a, u'} (q'^-, e'_1, \ldots, e'_{i'})$$
in $A'$ with $\varphi' = \varphi(\{x_j \leftarrow e_j\}_{j < i})$, update $u'$ containing only the trivial updates
$x_j := x_j$ for all clocks, and for all $j \le i'$, $e'_j = C_j[\{x_k \leftarrow e_k\}_{k < i}]$.
• For every $(q^-, e_1, \ldots, e_i)$ there is in $A'$ a transition
$$(q^-, e_1, \ldots, e_i) \xrightarrow{true,\ \varepsilon,\ x_i := e_i} (q^+, e_1, \ldots, e_{i-1}).$$
In words, given a transition, the guard is modified according to these expressions.
The modification of the update consists only in applying the update at the current level
and taking into account the other updates in the expressions labeling the destination
state. When the transition increases the level, the expression associated with a new
"frozen" clock ($x_j$ for $i \le j < i'$) is the clock itself. The urgent states $(q^-, -)$ are
introduced for handling the case of a transition that decreases the level. In this case,
one reaches such a state, which also memorizes the expression of the clock at the current
level. Note that the memorized expressions can correspond to an update performed
at any (higher) level. From this state a single transition must be (immediately) taken,
whose effect is to perform the update corresponding to the memorized expression.
It is routine to check that the languages of the two automata are identical. Each
transition in $A$ is replaced by several transitions in $A'$, whose number is bounded by the
number of expressions that can be attached to the source of the original transition. In
addition, transitions decreasing the level are further "split" through states $(q^-, -)$. Thus
the number $E'$ of transitions in $A'$ is bounded by
$$E' \le 2 \cdot E \cdot |F_n|^n \le 2 \cdot E \cdot \big(2^{n(b(E+1)+1)}\big)^n \le 2 \cdot E \cdot 2^{n^2(b(E+1)+1)}
\le 2^{n^2(b(E+1)+1) + 1 + \log_2(E)} \le 2^{n^2((b+1)(E+1)+1)}$$
$$E' \le 2^{4b \cdot E \cdot n^2}$$
(provided $E \ge 2$). This yields the exponential complexity for the number of transitions.
The case of the number of states is similar.
In the case when there are rational constants, assume each constant is coded with
a pair $(r, d)$ of numerator and denominator. Assume each $r$ and $d$ can be coded over $b$
bits. We compute the lcm $\delta$ of all denominators: since there are at most $E$ constants
($E$, the size of $\Delta$, accounts for the number of guards and updates), $\delta$ can be coded over
$Eb$ bits. We consider the ITA $A_\delta$, which is $A$ where all constants are multiplied by $\delta$. Thus
a constant of $A_\delta$ is an integer that can be coded over $b' = Eb + b = b(E+1)$ bits.
The above bound on the number of expressions applies to $A_\delta$. Note that after the
construction of $A'_\delta$, $A'$ can be obtained by dividing each constant in $A'_\delta$ by $\delta$. ⊓⊔
Example. We illustrate this construction on ITA $A_2$ of Fig. 5. The sets of expressions
are computed as in Table 1 and the resulting ITA− $A'_2$ is depicted on Fig. 6.
[Fig. 5 ITA $A_2$ containing updates of frozen clocks. States and levels: $q_0$ (level 2), $q_1$ (level 2), $q_2$ (level 3), $q_3$ (level 3), $q_4$ (level 3), $q_5$ (level 2). Edge labels appearing in the figure: update $x_1 := 2$; guard $2x_2 + x_1 > 3 \wedge x_3 < 2$; updates $x_2 := 2x_1 + 1$, $x_2 := x_1 + 1$, $x_3 := 2x_2$ and $x_1 := 1$.]
Table 1 Sets of expressions $F_{i,j}$ for $A_2$.
  i \ j |       1         |                       2                        |    3
  ------+-----------------+------------------------------------------------+-----------
    1   | $\{x_1\}$       |                                                |
    2   | $\{x_1, 2\}$    | $\{x_2\}$                                      |
    3   | $\{x_1, 2, 1\}$ | $\{x_2,\ 2x_1 + 1, 5, 3,\ x_1 + 1, 3, 2\}$     | $\{x_3\}$
In row 3, the expressions $2x_1 + 1, 5, 3$ come from the edge $q_2 \xrightarrow{x_2 := 2x_1 + 1} q_3$ and the expressions $x_1 + 1, 3, 2$ from the edge $q_3 \xrightarrow{x_2 := x_1 + 1} q_4$ (substituting $x_1$ by each element of $F_{3,1}$).
[Fig. 6 ITA− $A'_2$ equivalent to $A_2$. The figure shows the states $(q_0^+, 2)$ and $(q_1^+, 2)$; $(q_2^+, 3)$ with memorized expression $x_1 := 2$ and $(q_2^+, 3)$ without memorized update; $(q_3^+, 3)$ with $x_1 := 2$, $x_2 := 5$ and $(q_3^+, 3)$ with $x_2 := 2x_1 + 1$; $(q_4^+, 3)$ with $x_1 := 2$, $x_2 := 3$ and $(q_4^+, 3)$ with $x_2 := x_1 + 1$; $(q_5^+, 2)$ with $x_1 := 1$; and the urgent states $(q_5^-, 2, U)$ with $x_1 := 1$, $x_2 := 5$ and $(q_5^-, 2, U)$ with $x_1 := 1$, $x_2 := 2x_1 + 1$. Edge labels appearing in the figure: $2x_2 + 2 > 3 \wedge x_3 < 2$ with $x_3 := 10$; $2x_2 + x_1 > 3 \wedge x_3 < 2$ with $x_3 := 4x_1 + 2$; $\varepsilon, x_2 := 5$; $\varepsilon, x_2 := x_1 + 1$.]
The translation above of an ITA into an equivalent ITA− induces an exponential
blowup. The proposition below shows that the bound is reached.
Proposition 4 There exists a family $\{A_n\}_{n \in \mathbb{N}}$ of ITA with two states, $n$ clocks and
constants coded over $b$ bits, where $b$ is polynomial in $n$, such that the equivalent ITA−
built by the procedure above has a number of states greater than or equal to $2^n$.
Proof For $n \in \mathbb{N}$, let $A_n$ be the ITA with $n$ clocks and two states $q_{init}$ (initial) and $q$
(final), both of level $n$ (and lazy policy), built as follows. There is a transition from $q_{init}$
to $q$ with update $\bigwedge_{k=1}^{n} x_k := 1$ that sets all clocks to 1. For $1 \le k \le n$ there are two
loops on $q$ with updates $x_k := x_{k-1}$ and $x_k := \alpha_k x_{k-1}$ respectively, where $\alpha_k$ is the
$k$th prime number (and with the convention that $x_0$ is the constant 1).
When building the sets of expressions, no expressions are added until level $n$, since
all updates occur at this level. At level $k$, $F_{n,k}$ contains (at least) $2^k$ expressions: all
possible products of the first $k$ prime numbers, namely
$$F_{n,k} \supset \Big\{ \prod_{i \in I} \alpha_i \ \Big|\ I \subseteq \{1, \ldots, k\} \Big\}.$$
Indeed, at level 1, $F_{n,1} = \{x_1, 1, 2\}$. Now assume that $F_{n,k-1}$ contains all products $\prod_{i \in I} \alpha_i$
where $I \subseteq \{1, \ldots, k-1\}$. By update $x_k := x_{k-1}$, $F_{n,k} \supset F_{n,k-1}$. By update
$x_k := \alpha_k x_{k-1}$, $F_{n,k}$ contains all products $\alpha_k \prod_{i \in I} \alpha_i = \prod_{i \in I \uplus \{k\}} \alpha_i$. Therefore
$$F_{n,k} \supset \Big\{ \prod_{i \in I} \alpha_i \ \Big|\ I \subseteq \{1, \ldots, k-1\} \Big\} \cup \Big\{ \prod_{i \in I \uplus \{k\}} \alpha_i \ \Big|\ I \subseteq \{1, \ldots, k-1\} \Big\}$$
$$F_{n,k} \supset \Big\{ \prod_{i \in I} \alpha_i \ \Big|\ I \subseteq \{1, \ldots, k\} \Big\}.$$
The expressions thus built are distinct, since they are products of distinct prime numbers.
Remark that the set of expressions for level $k$ is in bijection with a sequence of
updates $x_1 := \ldots,\ x_2 := \ldots,\ \ldots,\ x_k := \ldots$, the choice of the update depending on the
choice of the set $I$.
Therefore all expressions of $F_{n,n}$ are reached (in association with state $q$) and the
set of states in $A'_n$ is at least of size $2^n$. In addition, it should be noted that the $n$th
prime number is in $O(n \log_2(n))$, therefore it can be coded over $O(\log_2(n)^2)$ bits. So the
size of the constants appearing in the updates (and the size of the representation of
$A_n$) is polynomial in $n$, while the representation of $A'_n$ is exponential in $n$.
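As an added example (this code is not from the paper), the following Python computes the sets $F_{i,j}$ of Proposition 3 directly from their inductive definition, and runs the computation on two inputs: the updates of $A_2$ read off Fig. 5, which reproduces Table 1, and the update loops of the family $A_n$ of Proposition 4, for which it checks that $F_{n,k}$ contains every product of a subset of the first $k$ primes. Expressions $\sum_k c_k x_k + c_0$ are encoded as frozensets of (index, coefficient) pairs, index 0 standing for the constant 1 (the paper's convention $x_0 = 1$); the function names `expression_sets`, `substitute`, `family_updates` and the `Update` triple are this example's own. One caveat the proof glosses over: by definition $F_{i,i} = \{x_i\}$, so the $2^k$ lower bound applies to the levels $k < n$ that actually appear in the state tuples $(q^+, e_1, \ldots, e_{n-1})$.

```python
# Added example: computing F_{i,j} (Proposition 3) and checking it on A_2 (Table 1)
# and on the family A_n (Proposition 4). Encoding is this example's own: an expression
# is a frozenset of (k, c_k) pairs with c_k != 0, where k = 0 denotes the constant 1.
from fractions import Fraction
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

Expr = FrozenSet[Tuple[int, Fraction]]
Update = Tuple[int, int, Expr]   # (level of the edge, index j of the updated clock, C_j)


def expr(**coeffs) -> Expr:
    """expr(x1=2, c=1) is 2*x1 + 1; the keyword 'c' is the constant term (index 0)."""
    return frozenset((0 if name == "c" else int(name[1:]), Fraction(val))
                     for name, val in coeffs.items() if val != 0)


def substitute(e: Expr, sigma: Dict[int, Expr]) -> Expr:
    """e[{x_k <- sigma[k]}]: replace the clocks in sigma, then re-collect like terms."""
    acc: Dict[int, Fraction] = {}
    for k, c in e:
        replacement = sigma[k] if k in sigma else expr(**{f"x{k}": 1})
        for k2, c2 in replacement:
            acc[k2] = acc.get(k2, Fraction(0)) + c * c2
    return frozenset((k, c) for k, c in acc.items() if c != 0)


def expression_sets(n: int, updates: List[Update]) -> Dict[Tuple[int, int], Set[Expr]]:
    """F[(i, j)] for 1 <= j <= i <= n, following the inductive definition of the proof:
    F_{i,i} = {x_i} and F_{i,j} = F_{i-1,j} u {e[x_k <- e_k] | e updates x_j at level i}."""
    F: Dict[Tuple[int, int], Set[Expr]] = {}
    for i in range(1, n + 1):
        for j in range(1, i + 1):
            if i == j:
                F[(i, j)] = {expr(**{f"x{j}": 1})}
                continue
            F[(i, j)] = set(F[(i - 1, j)])
            for lvl, clk, e in updates:
                if lvl != i or clk != j:
                    continue
                # Only clocks occurring in e matter: substituting an absent clock by any
                # e_k in F_{i,k} leaves e unchanged, so the resulting set is the same.
                ks = sorted(k for k, _ in e if 1 <= k < j)
                for choice in product(*(F[(i, k)] for k in ks)):
                    F[(i, j)].add(substitute(e, dict(zip(ks, choice))))
    return F


# Updates of frozen clocks in ITA A_2 of Fig. 5 (x3 := 2x2 is at its own level, so it
# never contributes to any F_{i,j} with i > j and is omitted here).
A2_UPDATES: List[Update] = [
    (2, 1, expr(c=2)),            # x1 := 2       on an edge of level 2
    (3, 1, expr(c=1)),            # x1 := 1       on an edge of level 3
    (3, 2, expr(x1=2, c=1)),      # x2 := 2x1 + 1 (q2 -> q3, level 3)
    (3, 2, expr(x1=1, c=1)),      # x2 := x1 + 1  (q3 -> q4, level 3)
]


def primes(n: int) -> List[int]:
    out, cand = [], 2
    while len(out) < n:
        if all(cand % p for p in out):
            out.append(cand)
        cand += 1
    return out


def family_updates(n: int) -> List[Update]:
    """The loops of A_n: x_k := x_{k-1} and x_k := alpha_k x_{k-1}, all on edges of level n."""
    alpha = primes(n)
    ups: List[Update] = []
    for k in range(1, n + 1):
        prev = {"c": 1} if k == 1 else {f"x{k-1}": 1}          # x_0 is the constant 1
        ups.append((n, k, expr(**prev)))
        ups.append((n, k, expr(**{key: alpha[k - 1] * v for key, v in prev.items()})))
    return ups


def constant_products(n: int, k: int) -> Set[Expr]:
    """{ prod_{i in I} alpha_i | I subseteq {1..k} } as constant expressions."""
    alpha = primes(n)
    out: Set[Expr] = set()
    for bits in product([0, 1], repeat=k):
        val = 1
        for i, b in enumerate(bits):
            if b:
                val *= alpha[i]
        out.add(expr(c=val))
    return out
```

For $A_2$, `expression_sets(3, A2_UPDATES)[(3, 2)]` is the six-element set of row 3, column 2 of Table 1 (the duplicate 3 collapses). For $A_5$, $|F_{5,k}| = 2^{k+1} - 1$ for $k < 5$, matching the $2^k$ lower bound of the proof with room to spare.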
4.3 Reachability on ITA−
In this section we use counting arguments to obtain an upper bound for the reachability
problem on ITA−.
The following counting lemma does not depend on the effect of the updates but
only on the timing constraints induced by the policies.
Lemma 2 (Counting Lemma) Let $A$ be an ITA− with $E$ transitions and $n$ clocks.
Then in a sequence $(e_1, \ldots, e_l)$ of transitions of $A$ where $l > (E+n)^{3n}$, there exist $i < j$
with $e_i = e_j$ such that the level of any transition $e_k$ with $i \le k \le j$ is greater than or
equal to the level of $e_i$, say $p$, and:
– either $e_i$ updates $x_p$,
– or no $e_k$ with $i \le k \le j$ updates $x_p$ and $e_i$ is delayed or lazy,
– or no $e_k$ with $i \le k \le j$ updates $x_p$ and no time elapses for clock $x_p$ between $e_i$ and $e_j$.
Proof Assume that the conclusions of the lemma are not satisfied; we claim that $l \le (E+n)^{3n}$.
First we prove that the number of transitions of level $m$ that occur between two
occurrences of transitions of strictly lower level is less than or equal to $(E+1)^3$. Indeed,
there can be no more than $E$ occurrences of transitions that update $x_m$. Then between
two such transitions (or before the first or after the last) there can be no more than $E$
lazy or delayed transitions of level $m$ that do not update $x_m$. Finally, between any kind
of previous transitions (or before the first or after the last), there can be no more than
$E$ urgent transitions that do not update $x_m$, since they prevent time from elapsing at
level $m$.
Summing up, there can be no more than $E + E(E+1) + E(E(E+1)+1) \le (E+1)^3$
transitions of level $m$ that occur between two occurrences of transitions of strictly lower
level.
Now we prove by induction that the number of transitions at level less than or
equal to $m$ is at most $(E+m)^{3m}$. This is true for $m = 1$ by the previous argument.
Assume the formula valid for $m$; then grouping the transitions of level $m+1$ between
the occurrences of transitions of lower level (or before the first or after the last), we
obtain that the number of transitions at levels less than or equal to $m+1$ is at most:
$$(E+m)^{3m} + \big((E+m)^{3m} + 1\big)(E+1)^3 \le (E+m)^{3m+3} + 2(E+m)^{3m} \le (E+m+1)^{3(m+1)}$$
⊓⊔
Proposition 5 The reachability problem for ITA− belongs to NEXPTIME. More precisely,
reachability can be checked over paths with length less than or equal to $(E+n)^{3n}$,
where $E$ is the number of transitions and $n$ is the number of clocks.
Proof Let $A = (\Sigma, Q, q_0, F, pol, X, \lambda, \Delta)$ be an ITA− with $n$ clocks. Let $E = |\Delta|$ be
the number of transitions of $A$. Assume that there is a run $\rho$ of minimal length from
$(q_0, v_0)$ to some configuration $(q_f, v_f)$. Suppose now that $|\rho| > B = (E+n)^{3n}$. We will
build a run $\rho'$ from $(q_0, v_0)$ to $(q_f, v_f)$ that is strictly shorter, hence contradicting the
minimality hypothesis.
Since $|\rho| > B$, one of the three cases of Lemma 2 applies. Therefore there is
a transition $e$ at level $k$ repeated twice, at positions $\pi$ and $\pi'$, separated by a
subrun $\sigma$ containing only transitions of level higher than or equal to $k$. Moreover:
– Either $e$ updates $x_k$. In this case, all clocks have the same value after the first and
the second occurrence of $e$. Hence removing $e\sigma = \rho[\pi, \pi'[$ from $\rho$ yields a valid run
$\rho'$ of $A$ reaching $(q_f, v_f)$. Run $\rho'$ is strictly shorter than $\rho$, since $e\sigma$, which is of
length at least 1, was removed.
– Or no update occurred for $x_k$ and $e$ is delayed or lazy. In this case, upon
reaching $\pi'$, the clocks of level $i < k$ have retained the same value, while $x_k$ has
increased by $Dur(\rho[\pi, \pi'])$. Hence when replacing $e\sigma = \rho[\pi, \pi'[$ by a time step of
duration $Dur(\rho[\pi, \pi'])$, the configuration in $\pi'$ is unchanged. In addition, since $e$
was delayed or lazy, this time step is allowed in $A$, and this yields a shorter run of
$A$.
– Or no update occurred and $\pi$ and $\pi'$ are at the same instant (separated by instantaneous
actions). In this case, all clocks of level smaller than or equal to $k$ again
have the same value after the first and the second occurrence of $e$. Again, removing
$\rho[\pi, \pi'[$ yields a shorter run.
The decision procedure is as follows. It non-deterministically guesses a path in the
ITA− whose length is less than or equal to the bound. In order to check that this
path yields a run, it builds a linear program whose variables are $\{x_i^j\}$, where $x_i^j$ is the
value of clock $x_i$ after the $j$th step, and $\{d_j\}$, where $d_j$ is the amount of time elapsed
during the $j$th step when $j$ corresponds to a time step. The equations and inequations
are deduced from the guards and updates of the discrete transitions in the path and the
delays of the time steps. The size of this linear program is exponential w.r.t. the size
of the ITA−. As a linear program can be solved in polynomial time [36], we obtain a
procedure in NEXPTIME. ⊓⊔
One could wonder whether the class graph construction would lead to a better
complexity when applied on ITA−. Unfortunately, the number of expressions occurring
in the class graph, while being smaller than for ITA, is still doubly exponential w.r.t.
the size of the model.
5 Timed model-checking
First observe that model-checking CTL$^*$ formulas on ITA can be done with classical
procedures on the class graph previously built. We now consider verification of real-time
formulas.
In the case of linear time, the logic LTL has been extended into the Metric Temporal
Logic (MTL) [27], by adding time intervals as constraints to the $U$ modality. However,
MTL suffers from undecidability of the model-checking problem on TA. Hence decidable
fragments have been proposed, such as Metric Interval Temporal Logic (MITL) [5],
which prohibits the use of point intervals (of the form $[a, a]$). Later, MITL was restricted
into State Clock Logic (SCL) [35], in order to obtain more efficient verification procedures.
Model-checking MITL (thus SCL) on TA is decidable. Unfortunately, we show
here that model-checking SCL (thus MITL) on ITA is undecidable. For this, we reduce
the halting problem on a two counter machine to model-checking an SCL formula on
an ITA.
Concerning branching time logics, at least two different timed extensions of CTL
have been proposed. The first one [2] also adds time intervals to the $U$ modality,
while the (more expressive) second one considers formula clocks [25]. Model-checking
timed automata was proved decidable in both cases, and their comparative expressiveness was
revisited later on [14].
We conjecture that model-checking of TCTL is undecidable when using two (or
more) formula clocks. Indeed, as shown in Section 7.1, the reachability problem in a
product of an ITA and a TA with two clocks is undecidable, thus prohibiting model-checking
techniques through automaton product and reachability testing as in [1]. However,
contrary to what is claimed in [10], this is not enough to yield an undecidability
proof.
Two fragments for which model-checking is decidable on ITA have nonetheless been
identified. The first one, TCTL$^c_{int}$, accepts only internal clocks (from the automaton
on which the formulas will be evaluated) as formula clocks. The second one, TCTL$_p$,
restricts the nesting of $U$ modalities. We provide verification procedures in both cases.
5.1 Undecidability of State Clock Logic
We first consider the timed extension of linear temporal logic, and more particularly
the SCL fragment [35].
Definition 8 Formulas of the timed logic SCL are defined by the following grammar:
$$\psi ::= p \mid \psi \wedge \psi \mid \neg\psi \mid \psi\, U\, \psi \mid \psi\, S\, \psi \mid \triangleright_{\bowtie a}\psi \mid \triangleleft_{\bowtie a}\psi$$
where $p \in AP$ is an atomic proposition, $\bowtie \in \{>, \ge, =, \le, <\}$, and $a$ is a rational
number.
We use the usual shorthands $\mathbf{t}$ for $\neg(p \wedge \neg p)$, $F\psi$ for $\mathbf{t}\, U\, \psi$, $G\psi$ for $\neg(F\neg\psi)$ and $\varphi \Rightarrow \psi$
for $\neg(\varphi \wedge \neg\psi)$.
The semantics are defined in the usual manner for boolean operators and $U$. The
$S$ modality is the past version of $U$. Modality $\triangleright_{\bowtie a}\psi$ is true if the next time $\psi$ is true
will occur in a delay that respects the condition $\bowtie a$. Similarly, $\triangleleft_{\bowtie a}\psi$ is true if the
last time $\psi$ was true occurred in a (past) delay that respects the condition $\bowtie a$. More
formally, for an execution $\rho$, we inductively define $(\rho, \pi) \models \varphi$ by:
$(\rho, \pi) \models p$ iff $p \in lab(s_\pi)$
$(\rho, \pi) \models \varphi \wedge \psi$ iff $(\rho, \pi) \models \varphi$ and $(\rho, \pi) \models \psi$
$(\rho, \pi) \models \neg\varphi$ iff $(\rho, \pi) \not\models \varphi$
$(\rho, \pi) \models \varphi\, U\, \psi$ iff there is a position $\pi' \ge_\rho \pi$ such that $(\rho, \pi') \models \psi$
and for all $\pi''$ s.t. $\pi \le_\rho \pi'' <_\rho \pi'$, $(\rho, \pi'') \models \varphi \vee \psi$
$(\rho, \pi) \models \varphi\, S\, \psi$ iff there is a position $\pi' \le_\rho \pi$ such that $(\rho, \pi') \models \psi$
and for all $\pi''$ s.t. $\pi \ge_\rho \pi'' >_\rho \pi'$, $(\rho, \pi'') \models \varphi \vee \psi$
$(\rho, \pi) \models \triangleright_{\bowtie a}\varphi$ iff either $(\rho, \pi) \models \varphi$ and $0 \bowtie a$,
or there is a position $\pi' >_\rho \pi$ such that $(\rho, \pi') \models \varphi$,
$Dur(\rho[\pi, \pi']) \bowtie a$ and for all $\pi''$ s.t. $\pi \le_\rho \pi'' <_\rho \pi'$, $(\rho, \pi'') \not\models \varphi$
$(\rho, \pi) \models \triangleleft_{\bowtie a}\varphi$ iff either $(\rho, \pi) \models \varphi$ and $0 \bowtie a$,
or there is a position $\pi' <_\rho \pi$ such that $(\rho, \pi') \models \varphi$,
$Dur(\rho[\pi', \pi]) \bowtie a$ and for all $\pi''$ s.t. $\pi \ge_\rho \pi'' >_\rho \pi'$, $(\rho, \pi'') \not\models \varphi$
Given an ITA $A$ and an SCL formula $\varphi$, $A \models \varphi$ if for all executions $\rho$ of $A$, $(\rho, \pi_0) \models \varphi$,
where $\pi_0 = 0$ is the initial position of $\rho$.
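As an added example (not part of the paper), the following Python evaluates SCL formulas over a finite execution by applying the inductive definition above clause by clause. An execution is a list of positions, each carrying its set of true atomic propositions and an absolute timestamp, so that $Dur(\rho[\pi, \pi'])$ is the difference of timestamps; durations are exact rationals. The formula constructors (`"next"` and `"last"` for $\triangleright_{\bowtie a}$ and $\triangleleft_{\bowtie a}$), the helper names and the constructed executions are this example's own. It encodes $Span_1 = q' \Rightarrow \triangleleft_{=1} q$ and $Span_2 = p' \Rightarrow \triangleleft_{=2} p$ used in the proof of Theorem 3 below, and checks $G(Span_1 \wedge Span_2)$ on runs shaped like the swapping submodule: $p$ when $q_0$ is left, $q$ when $q_1$ is left, $q'$ on entering $q_4$, $p'$ on reaching $q^{\neq}_{end}$.

```python
# Added example: a direct evaluator for the SCL semantics of Definition 8 over a finite
# execution. A position is (labels, timestamp); Dur(rho[pi, pi']) = t[pi'] - t[pi].
# Formula syntax (this example's own): ("ap", p), ("and", f, g), ("not", f),
# ("U", f, g), ("S", f, g), ("next", bowtie, a, f) for the forward triangle modality and
# ("last", bowtie, a, f) for the backward one, with bowtie in {">", ">=", "=", "<=", "<"}.
import operator
from fractions import Fraction
from typing import Any, List, Set, Tuple

Position = Tuple[Set[str], Fraction]
CMP = {">": operator.gt, ">=": operator.ge, "=": operator.eq,
       "<=": operator.le, "<": operator.lt}


def sat(rho: List[Position], pi: int, f: Any) -> bool:
    """(rho, pi) |= f, clause by clause as in the inductive definition."""
    kind = f[0]
    if kind == "ap":
        return f[1] in rho[pi][0]
    if kind == "and":
        return sat(rho, pi, f[1]) and sat(rho, pi, f[2])
    if kind == "not":
        return not sat(rho, pi, f[1])
    if kind == "U":   # psi at some pi' >= pi, and phi or psi at every pi'' in [pi, pi')
        return any(sat(rho, p2, f[2])
                   and all(sat(rho, p3, f[1]) or sat(rho, p3, f[2]) for p3 in range(pi, p2))
                   for p2 in range(pi, len(rho)))
    if kind == "S":   # psi at some pi' <= pi, and phi or psi at every pi'' in (pi', pi]
        return any(sat(rho, p2, f[2])
                   and all(sat(rho, p3, f[1]) or sat(rho, p3, f[2]) for p3 in range(p2 + 1, pi + 1))
                   for p2 in range(0, pi + 1))
    if kind in ("next", "last"):
        _, bowtie, a, phi = f
        cmp = CMP[bowtie]
        if sat(rho, pi, phi):              # first branch: phi holds now, compare 0 with a
            return cmp(Fraction(0), a)
        scan = range(pi + 1, len(rho)) if kind == "next" else range(pi - 1, -1, -1)
        for p2 in scan:                    # nearest position where phi holds: the "for all
            if sat(rho, p2, phi):          # pi'' in between, not phi" clause is then automatic
                return cmp(abs(rho[p2][1] - rho[pi][1]), a)
        return False
    raise ValueError(f"unknown formula constructor {kind!r}")


# Shorthands of Definition 8.
TRUE = ("not", ("and", ("ap", "p"), ("not", ("ap", "p"))))


def implies(phi, psi):
    return ("not", ("and", phi, ("not", psi)))


def F(psi):
    return ("U", TRUE, psi)


def G(psi):
    return ("not", F(("not", psi)))


# Span_1 = q' => last_{=1} q and Span_2 = p' => last_{=2} p, and phi_swap = G(Span_1 and Span_2).
SPAN1 = implies(("ap", "q'"), ("last", "=", Fraction(1), ("ap", "q")))
SPAN2 = implies(("ap", "p'"), ("last", "=", Fraction(2), ("ap", "p")))
PHI_SWAP = G(("and", SPAN1, SPAN2))


def run(times, labels) -> List[Position]:
    """Build an execution; times may be ints, Fractions or strings such as '2/5'."""
    return [(set(lab), Fraction(t)) for lab, t in zip(labels, times)]


def check_swap(times) -> bool:
    """Constructed run shaped like the swapping submodule; phi_swap holds iff q' comes
    exactly 1 t.u. after the last q and p' exactly 2 t.u. after the last p."""
    labels = [{"p"}, {"q"}, set(), {"q'"}, set(), {"p'"}]
    return sat(run(times, labels), 0, PHI_SWAP)


if __name__ == "__main__":
    print(check_swap([0, 0, "2/5", 1, "3/2", 2]))      # True: delays are 1 and 2
    print(check_swap([0, 0, "2/5", "6/5", "3/2", 2]))  # False: q' comes 6/5 after q
```

The evaluator is quadratic per modality and only meant for finite prefixes; it makes the two conditions of the swapping module tangible: shifting the $q'$ position by $1/5$ violates $Span_1$, and moving $p'$ away from $t = 2$ violates $Span_2$.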
Theorem 3 Model checking SCL over ITA is undecidable. Specifically, there exists a
fixed formula using only modalities $U$ and $\triangleleft_{=a}$ such that checking its truth over ITA
with 3 levels is undecidable.
Proof We build an ITA and an SCL formula that together simulate a deterministic two
counter machine. More specifically, we define a formula $\varphi_{2cm}$ such that, given a two
counter machine $\mathcal{M}$, we can build an ITA $A_{\mathcal{M}}$ with three clocks such that $A_{\mathcal{M}} \models \varphi_{2cm}$
if and only if $\mathcal{M}$ does not halt.
Recall that such a machine $\mathcal{M}$ consists of a finite sequence of labeled instructions,
which handle two counters $c$ and $d$, and ends at a special instruction with label Halt.
The other instructions have one of the two forms below, where $e \in \{c, d\}$ represents
one of the two counters:
– $e := e + 1$; goto $\ell'$
– if $e > 0$ then ($e := e - 1$; goto $\ell'$) else goto $\ell''$
Without loss of generality, we may assume that the counters have initial value zero. The
behavior of the machine is described by a (possibly infinite) sequence of configurations
$\langle \ell_0, 0, 0 \rangle \langle \ell_1, n_1, p_1 \rangle \ldots \langle \ell_i, n_i, p_i \rangle \ldots$, where $n_i$ and $p_i$ are the respective counter values
and $\ell_i$ is the label after the $i$th instruction. The problem of termination for such a
machine ("is the Halt label reached?") is known to be undecidable [32].
The idea of the encoding is that, provided the execution satisfies the formula, clocks
of level 1 and 2 keep the values of $c$ and $d$ indifferently, by $x_i = \frac{1}{2^n}$ if $n$ is the value of
a counter $e$. Level 3 will be used as the working level. Transmitting the value of clocks
to lower levels, prohibited in the ITA model, will be enforced by SCL formulas. In the
sequel, we will define:
– a module $A_{\leftrightarrow}$ and a formula $\varphi_{\leftrightarrow}$ such that the values contained in clocks $x_1$ and
$x_2$ at the beginning of an execution $\rho$ are swapped if and only if $(\rho, 0) \models \varphi_{\leftrightarrow}$,
– a module $A_+$ and a formula $\varphi_+$ such that if the value of $x_2$ is $\frac{1}{2^n}$ at the beginning
of an execution $\rho$, then $x_2$ has value $\frac{1}{2^{n+1}}$ if and only if $(\rho, 0) \models \varphi_+$,
– a module $A_-$ and a formula $\varphi_-$ such that if the value of $x_2$ is $\frac{1}{2^n}$ with $n > 0$ at
the beginning of an execution $\rho$, then $x_2$ has value $\frac{1}{2^{n-1}}$ if and only if $(\rho, 0) \models \varphi_-$.
Joining these modules according to M yields an ITA. Combining the formulas (inde-
pendently of M), we obtain an SCL formula that is satisfied if some execution, while
complying to the formulas of the modules, reaches the final state. Both constructions
are explained in details after the definitions below.
Let us define formulas Span1 = q
′ ⇒2=1q and Span2 = p
′ ⇒2=2p where p, p
′,
q, q′ are propositional variables. Let x01 and x
0
2 denote the respective values of x1 and
x2 upon entering a given module.
Swapping module. The module A↔ that swaps the values of x1 and x2 is depicted
in Fig. 7. Note that this module does not actually swap the values of x1 and x2 for
every execution. However, by imposing that state qend is reached exactly 2 time
units after q0 (or q
′
0) was left, and that q4 (resp. q
′
4) is reached exactly 1 t.u. after
q1 (resp. q
′
1) was left, the values of x1 and x2 will be swapped. This requirement
can be expressed in SCL by ϕ↔ = G (Span1 ∧ Span2). Let wi be the time elapsed
in state qi, for an execution ρ of A↔ that satisfies ϕ↔. Note that qstart and q
6=
end
are all urgent, hence no time can elapse in these states. We shall therefore consider
only what happens in the swapping submodules. We detail only the case when
x2 > x1, the case when x2 < x1 is analogous. The ITA constraints provide:
$$\begin{aligned}
w_0 &= 0 && \text{($q_0$ is urgent)}\\
w_1 &= x_2^0 - x_1^0 && \text{(update $x_3 := x_1$ and guard $x_3 = x_2$)}\\
w_2 &= 1 - x_2^0 && \text{(guard $x_3 = 1$)}\\
w_4 &= 0 && \text{($q_4$ is urgent)}
\end{aligned}$$
The time spent between the last instant q was satisfied (upon leaving q1) and the
only instant when q′ is true (upon entering q4) is exactly the time spent in states
q2 and q3. Similarly, the time between the last instant p was satisfied (leaving q0)
and the instant p′ is true (when reaching $q^{\neq}_{end}$) is the total amount of time spent
in q1, q2, q3, q4, and q5. Hence, if ϕ↔ is satisfied then:
$$\begin{aligned}
w_2 + w_3 &= 1 && (q' \Rightarrow \lhd_{=1} q)\\
w_1 + w_2 + w_3 + w_4 + w_5 &= 2 && (p' \Rightarrow \lhd_{=2} p)
\end{aligned}$$
Hence $w_3 = x_2^0$ and $w_5 = 1 - w_1 = x_1^0 - (x_2^0 - 1)$. Since upon entering q3, clock x1 has value 0, when leaving, x1 has value $x_2^0$. Similarly, when entering q5, x2 has value $x_1 - 1 = x_2^0 - 1$, therefore x2 has value $x_1^0$ when reaching $q^{\neq}_{end}$. Note that this module swaps x1 and x2 regardless of whether they code a counter value.
Incrementation module. The same idea applies for the incrementation module A+ of Fig. 8. We force the total time spent in r1 and r2 to be one, expressed in SCL by ϕ+ = G Span1. The guards and updates in A+ ensure that, with the same notation as above, the time spent in r1 will be $1 - \frac{1}{2}x_2^0$. Hence, when reaching r3, clock x2 will have value $\frac{1}{2}x_2^0$. Therefore, if $x_2^0 = \frac{1}{2^n}$, coding a counter of value n, at the end of A+, x2 has value $\frac{1}{2^{n+1}}$, thus coding a value n + 1 for the same counter.
Decrementation module. Decrementation, for which the corresponding module is
depicted on Fig. 9, is handled in a similar manner (with ϕ− = ϕ+ = GSpan1).
The only difference is that x2 has to be compared to 1 in order to test if the value
of the counter encoded by x2 is 0.
[Fig. 7 Swapping module A↔. Submodules are connected through identical states (q0, q′0, $q^{\neq}_{end}$). Content recoverable from the figure: (a) Choice submodule: states qstart (level 3, urgent, ∅), q0 (3, urgent, {p}), q′0 (3, urgent, {p}), $q^{=}_{end}$ (3, urgent, ∅); guards x2 > x1 (towards q0), x2 < x1 (towards q′0), x2 = x1 (towards $q^{=}_{end}$). (b) Swapping submodule (x2 > x1): states q0 (3, urgent, {p}), q1 (3, lazy, {q}), q2 (3, lazy, ∅), q3 (1, lazy, ∅), q4 (2, urgent, {q′}), q5 (2, lazy, ∅), $q^{\neq}_{end}$ (3, urgent, {p′}); transition labels, in order along the path: x3 := x1; x3 = x2; x3 = 1; x1 := 0; x2 := x1 − 1. (c) Swapping submodule (x2 < x1): states q′0 (3, urgent, {p}), q′1 (3, lazy, {q}), q′2 (3, lazy, ∅), q′3 (1, lazy, ∅), q′4 (2, urgent, {q′}), q′5 (2, lazy, ∅), $q^{\neq}_{end}$ (3, urgent, {p′}); transition labels, in order along the path: x3 := x1 − 1; x3 = x2; x3 = 1; x1 := 0; x2 := x1.]

[Fig. 8 Incrementation module. Content recoverable from the figure: states r0 (level 3, urgent, {q}), r1 (3, lazy, ∅), r2 (2, lazy, ∅), r3 (3, urgent, {q′}); transition labels, in order along the path: $x_3 := \frac{1}{2}x_2$; x3 = 1; x2 := 0.]

[Fig. 9 Decrementation module. Content recoverable from the figure: states s0 (level 3, urgent, {q}), s1 (3, lazy, ∅), s2 (2, lazy, ∅), s3 (3, urgent, {q′}), s4 (3, urgent, ∅); transition labels: x2 < 1, x3 := 2x2 (from s0 towards s1); x3 = 1; x2 := 0; x2 = 1 (from s0 towards s4).]
Since the constraints in Span1 (and Span2) are equalities, they can be satisfied only
if q′ (and p′) are true at a single point in time.
Automaton $A_M$ is then defined as the concatenation of modules according to M. For clarity, a state (q, ℓ) denotes state q in a module corresponding to instruction ℓ. Namely, an instruction ℓ incrementing c and going to ℓ′ is an incrementation module with a transition from (r3, ℓ) to the first state of the module corresponding to ℓ′ (either (qstart, ℓ′), (r0, ℓ′) or (s0, ℓ′)). In the case of an incrementation of d, the corresponding module will be the concatenation of $A^{in}_{\leftrightarrow}$, A+, and $A^{out}_{\leftrightarrow}$. Modules $A^{in}_{\leftrightarrow}$ and $A^{out}_{\leftrightarrow}$ are two copies of a swapping module A↔. The states of $A^{in}_{\leftrightarrow}$ and $A^{out}_{\leftrightarrow}$ will be respectively denoted (q, ℓ, in) and (q, ℓ, out) to avoid confusion. The last swap is performed in order to restore that x2 contains the value of c and x1 the value of d. The concatenation is done by transitions from ($q^{\neq}_{end}$, ℓ, in) and ($q^{=}_{end}$, ℓ, in) to (r0, ℓ), and from (r3, ℓ) to (qstart, ℓ, out). States ($q^{\neq}_{end}$, ℓ, out) and ($q^{=}_{end}$, ℓ, out) are then linked to the first state of the module for ℓ′.
Decrementation is handled in a similar way. The main difference resides in the fact that (s4, ℓ) is linked to the first state of ℓ′′. In the decrementation of d, (s4, ℓ) is linked to a swapping module $A^{out'}_{\leftrightarrow}$ (disjoint from $A^{in}_{\leftrightarrow}$ and $A^{out}_{\leftrightarrow}$), in turn linked to the first state of ℓ′′.
The Halt instruction is encoded in a single state h labeled with {h}. The initial
state of the automaton is a new state Init of level 3. It has urgent policy and satisfies no
atomic proposition. State Init is linked to the first state of the module corresponding
to ℓ0, the initial instruction of M, by a transition that updates both x1 and x2 to 1,
simulating the initialization of both counters to 0.
Let us define formula $\varphi_{2cm} = F(\neg \mathit{Span}_1 \vee \neg \mathit{Span}_2) \vee G \neg h$. An execution ρ of $A_M$ satisfies $\varphi_{2cm}$ if either it violates at some point a constraint $\mathit{Span}_i$, which means ρ does not correspond to an execution of M, or ρ never reaches state h, which means the execution of M is not halting.
If M has a halting execution, then it can be converted into an execution ρ that complies with the $\mathit{Span}_i$ constraints and reaches the final state h. Hence $\rho \not\models \varphi_{2cm}$ and $A_M \not\models \varphi_{2cm}$.
Conversely, if $A_M \not\models \varphi_{2cm}$, then consider an execution ρ that does not satisfy $\varphi_{2cm}$. Execution ρ both reaches h and complies with the $\mathit{Span}_i$ constraints, hence encodes a halting execution of M.
As a result, M has no halting execution if and only if
$$A_M \models F\big((\neg q' \wedge \neg \lhd_{=1} q) \vee (\neg p' \wedge \neg \lhd_{=2} p)\big) \vee G \neg h.$$
Remark that this formula does not have nested history or prediction modalities ($\lhd_{\bowtie a}$ and $\rhd_{\bowtie a}$). Hence SCL with a discrete semantics (evaluating the subformulas only upon entering a state) would also be undecidable. ⊓⊔
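As an added illustration (not part of the original paper), the following Python script simulates the three modules with exact rational clock values, taking the delays $w_i$ as fixed by the SCL constraints Span1 and Span2 derived above, and chains them according to a small two-counter program as in the construction of $A_M$. The instruction encoding, the helper names and the sample program are my own choices; urgent states are treated as zero-delay, and x3 is not tracked beyond the guard it determines.

```python
from fractions import Fraction as F

# Counter value n is coded by the clock value 1/2^n, as in the reduction above.
def encode(n):
    return F(1, 2 ** n)

def decode(x):
    """Inverse of encode: number of doublings needed to bring x in (0, 1] up to 1."""
    n = 0
    while x < 1:
        x *= 2
        n += 1
    return n

def swap_module(x1, x2):
    """A_swap under phi_swap = G(Span1 and Span2): the SCL constraints fix the delays
    w_i of the lazy states, and with those delays the two clocks come out swapped."""
    if x2 == x1:                     # choice submodule goes straight to q_end^=
        return x1, x2
    if x2 > x1:                      # submodule of Fig. 7(b)
        w1 = x2 - x1                 # q1: x3 := x1, leave on guard x3 = x2
        w2 = 1 - x2                  # q2: leave on guard x3 = 1
        w3 = 1 - w2                  # q3 (level 1): Span1 forces w2 + w3 = 1
        w5 = 2 - (w1 + w2 + w3)      # q5 (level 2): Span2 forces w1+..+w5 = 2, w4 = 0
        new_x1 = 0 + w3              # x1 := 0 when entering q3, then w3 elapses
        new_x2 = (new_x1 - 1) + w5   # x2 := x1 - 1 when entering q5, then w5 elapses
    else:                            # submodule of Fig. 7(c)
        w1 = x2 - (x1 - 1)           # q'1: x3 := x1 - 1, leave on guard x3 = x2
        w2 = 1 - x2
        w3 = 1 - w2
        w5 = 2 - (w1 + w2 + w3)
        new_x1 = 0 + w3
        new_x2 = new_x1 + w5         # x2 := x1 when entering q'5
    assert min(w1, w2, w3, w5) >= 0, "negative delay: clock values outside (0, 1]"
    return new_x1, new_x2

def inc_module(x2):
    """A_+ under phi_+ = G Span1: the total time spent in r1 and r2 is forced to 1."""
    w1 = 1 - x2 / 2                  # r1: x3 := x2/2, leave on guard x3 = 1
    w2 = 1 - w1                      # r2 (level 2): forced by Span1
    assert w1 >= 0
    return 0 + w2                    # x2 := 0 entering r2, then w2 elapses -> x2/2

def dec_module(x2):
    """A_- under phi_- = G Span1. Returns (new x2, zero_flag)."""
    if x2 == 1:                      # guard x2 = 1: the counter is 0, go to s4
        return x2, True
    w1 = 1 - 2 * x2                  # s1: x3 := 2 x2, leave on guard x3 = 1
    w2 = 1 - w1                      # s2 (level 2): forced by Span1
    assert w1 >= 0
    return 0 + w2, False             # x2 := 0 entering s2, then w2 elapses -> 2 x2

def run_2cm(program, max_steps=10_000):
    """Drive the module chain A_M for a Minsky machine M. Counter c lives in x2 and
    d in x1; operations on d are wrapped in A_swap^in / A_swap^out as in the text.
    Instruction format (constructed for this example), counters are 'c' or 'd':
      ('inc', counter, next)   ('dec', counter, next_if_nonzero, next_if_zero)
      ('halt',)"""
    x1, x2 = F(1), F(1)              # Init: both clocks set to 1, i.e. both counters 0
    pc = 0
    for _ in range(max_steps):
        ins = program[pc]
        if ins[0] == 'halt':
            return decode(x2), decode(x1)          # (c, d)
        if ins[1] == 'd':                          # A_swap^in
            x1, x2 = swap_module(x1, x2)
        if ins[0] == 'inc':
            x2 = inc_module(x2)
            pc = ins[2]
        else:
            x2, zero = dec_module(x2)
            pc = ins[3] if zero else ins[2]
        if ins[1] == 'd':                          # A_swap^out (or A_swap^out')
            x1, x2 = swap_module(x1, x2)
    raise RuntimeError("no halting execution within max_steps")

# Constructed sample machine: c := 2, d := 1, then transfer c into d; halts with (0, 3).
SAMPLE_PROGRAM = {
    0: ('inc', 'c', 1),
    1: ('inc', 'c', 2),
    2: ('inc', 'd', 3),
    3: ('dec', 'c', 4, 5),   # if c = 0 goto 5 else c := c - 1 and goto 4
    4: ('inc', 'd', 3),
    5: ('halt',),
}

if __name__ == "__main__":
    print(run_2cm(SAMPLE_PROGRAM))   # (0, 3)
```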
5.2 Model-checking branching time properties with internal clocks
In this section we consider the extension of CTL with model clocks, the corresponding fragment being denoted by $\mathrm{TCTL}^c_{int}$. Such a logic allows reasoning about the sojourn times in different levels, which is quite useful when designing real-time operating systems. For example, formula A (x2 ≤ 3) U safe expresses that all executions reach a safe state while spending less than 3 time units in level 2 (assuming x2 is not updated during the execution). Model-checking is achieved by adapting the class graph construction for untiming ITA (Section 3) and adding information relevant to the formula. The problem is thus reduced to a CTL model checking problem on this graph.
Definition 9 Formulas of the timed logic $\mathrm{TCTL}^c_{int}$ are defined by the following grammar:
$$\psi ::= p \mid \psi \wedge \psi \mid \neg\psi \mid \sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0 \mid A\,\psi\,U\,\psi \mid E\,\psi\,U\,\psi$$
where p ∈ AP is an atomic proposition, $x_i$ are model clocks, $a_i$ and b are rational numbers such that $(a_i)_{i \ge 1}$ has finite domain, and ⊲⊳ ∈ {>, ≥, =, ≤, <}.
As before we use the classical shorthands F, G, and boolean operators.
Let A = 〈Σ, AP, Q, q0, F, pol, X, λ, lab, ∆〉 be an interrupt timed automaton and $S = \{(q, v, \beta) \mid q \in Q, v \in \mathbb{R}^X, \beta \in \{\top, \bot\}\}$ the set of configurations. The formulas of $\mathrm{TCTL}^c_{int}$ are interpreted over configurations¹ s = (q, v, β).
The semantics of $\mathrm{TCTL}^c_{int}$ is defined as follows on the transition system $T_A$ associated with A. For atomic propositions and a configuration s = (q, v, β), with lab(s) = lab(q):
$$\begin{aligned}
s \models p &\text{ iff } p \in lab(s)\\
s \models \textstyle\sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0 &\text{ iff } v \models \textstyle\sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0
\end{aligned}$$
and inductively:
$$\begin{aligned}
s \models \varphi \wedge \psi &\text{ iff } s \models \varphi \text{ and } s \models \psi\\
s \models \neg\varphi &\text{ iff } s \not\models \varphi\\
s \models A\,\varphi\,U\,\psi &\text{ iff for all } \rho \in Exec(s),\ \rho \models \varphi\,U\,\psi\\
s \models E\,\varphi\,U\,\psi &\text{ iff there exists } \rho \in Exec(s) \text{ s.t. } \rho \models \varphi\,U\,\psi
\end{aligned}$$
with ρ |= ϕ U ψ iff there is a position π ∈ ρ s.t. $s_\pi \models \psi$ and $\forall \pi' <_\rho \pi,\ s_{\pi'} \models \varphi \vee \psi$.
The automaton A satisfies ψ if the initial configuration s0 of TA satisfies ψ.
Theorem 4 Model checking $\mathrm{TCTL}^c_{int}$ on interrupt timed automata can be done in 2-EXPTIME, and in PTIME when the number of clocks is fixed.
The proof relies on a refinement of the class graph according to the comparisons
in the formula to model-check. It is detailed in Appendix A and we show the resulting
graph on an example below.
Example. Consider the ITA A1 (Fig. 3(a)) and the formula ϕ1 = EF(q1 ∧ (x2 > x1)). We assume that q1 is a propositional property true only in state q1. Initially, the sets of expressions are E1 = {x1, 0} and E2 = {x2, 0}. First the expression $-\frac{1}{2}x_1 + 1$ is added into E2 since x1 + 2x2 = 2 appears on the guard in the transition from q1 to q2. Then expression 1 is added to E1 because x1 − 1 < 0 appears on the guard in the transition from q0 to q1. Finally expression x1 is added to E2 since x2 − x1 > 0 appears in ϕ1. The iterative part of the procedure goes as follows. Since there is a transition from q0 of level 1 to state q1 of level 2, we compute all differences between expressions of E2, then normalize them:
• x1 − 0 and x2 − 0 yield no new expression.
• $x_2 - (-\frac{1}{2}x_1 + 1)$ and $0 - (-\frac{1}{2}x_1 + 1)$ with update x2 := 0 both yield expression 2, that is added to E1.
• $x_1 - (-\frac{1}{2}x_1 + 1)$ yields expression $\frac{2}{3}$, which is also added to E1.
The sets of expressions are therefore $E_1 = \{x_1, 0, 1, \frac{2}{3}, 2\}$ and $E_2 = \{x_2, 0, -\frac{1}{2}x_1 + 1, x_1\}$. Remark that knowing the order between x1 and $\frac{2}{3}$ will allow us to know the order between $-\frac{1}{2}x_1 + 1$ and x1. The class graph G corresponding to A1 and ϕ1 is depicted in Fig. 10. Note that we replaced x1 by its value, since it is not changed by any update at level 2. Some time zone notations used in G are displayed in Table 2.
In the class graph, states where the comparison x2 > x1 is true are greyed. Among these, the ones in which the class corresponds to state q1 are doubly circled, i.e. states in which q1 ∧ (x2 > x1) is true. Applying the standard CTL model checking procedure on this graph, one can prove that one of these states is reachable, hence proving that ϕ1 is true on A1.

Table 2 Time zones used in the class graph of A1 when checking ϕ1.
$$\begin{aligned}
Z^1_0 &= (0 = x_1 < \tfrac{2}{3} < 1 < 2) & Z^1_1 &= (0 < x_1 < \tfrac{2}{3} < 1 < 2) & Z^1_2 &= (0 < x_1 = \tfrac{2}{3} < 1 < 2)\\
Z^1_3 &= (0 < \tfrac{2}{3} < x_1 < 1 < 2) & Z^1_4 &= (0 < \tfrac{2}{3} < x_1 = 1 < 2) & Z^1_5 &= (0 < \tfrac{2}{3} < 1 < x_1 < 2)\\
Z^1_6 &= (0 < \tfrac{2}{3} < 1 < x_1 = 2) & Z^1_7 &= (0 < \tfrac{2}{3} < 1 < 2 < x_1)\\[4pt]
Z^2_0 &= (0 = x_2 < x_1 < -\tfrac{1}{2}x_1 + 1) & Z^2_1 &= (0 < x_2 < x_1 < -\tfrac{1}{2}x_1 + 1)\\
Z^2_2 &= (0 < x_1 = x_2 < -\tfrac{1}{2}x_1 + 1) & Z^2_3 &= (0 < x_1 < x_2 < -\tfrac{1}{2}x_1 + 1)\\
Z^2_4 &= (0 < x_1 < -\tfrac{1}{2}x_1 + 1 = x_2) & Z^2_5 &= (0 < x_1 < -\tfrac{1}{2}x_1 + 1 < x_2)\\
Z^2_6 &= (0 = x_2 < -\tfrac{1}{2}x_1 + 1 < x_1) & Z^2_7 &= (0 < x_2 < -\tfrac{1}{2}x_1 + 1 < x_1)\\
Z^2_8 &= (0 < -\tfrac{1}{2}x_1 + 1 = x_2 < x_1) & Z^2_9 &= (0 < -\tfrac{1}{2}x_1 + 1 < x_2 < x_1)\\
Z^2_{10} &= (0 < -\tfrac{1}{2}x_1 + 1 < x_1 = x_2) & Z^2_{11} &= (0 < -\tfrac{1}{2}x_1 + 1 < x_1 < x_2)
\end{aligned}$$

¹ The boolean value in the configuration is not actually used. The logic could be enriched to take advantage of this boolean, to express for example that a run lets some time elapse in a given state.
5.3 Model-checking TCTL with subscript
Note that in $\mathrm{TCTL}^c_{int}$, it is not possible to reason about time evolution independently of the level in which actions are performed. For example, properties (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. involve global time. In order to verify such properties, we introduce the fragment $\mathrm{TCTL}_p$. This fragment is expressive enough to state constraints on the earliest (and latest) execution time of particular sequences, like those reaching a recovery state after a crash. $\mathrm{TCTL}_p$ is the set of formulas where satisfaction of an until modality over propositions can be parameterized by a restricted form of time intervals.
[Fig. 10 The class automaton for A1 and formula ϕ1. The figure shows classes of the form (q, $Z^1_i$) for q0, (q, $Z^1_i$, time zone on x2) for q1 and q2 in the first and third columns of Table 2, and (q, $Z^1_i$, $Z^2_j$) for q1 and q2 otherwise, with transitions labelled a and b.]
Definition 10 Formulas of $\mathrm{TCTL}_p$ are defined by the following grammar:
$$\varphi_p ::= p \mid \varphi_p \wedge \varphi_p \mid \neg\varphi_p \qquad\text{and}\qquad \psi ::= \psi \wedge \psi \mid \neg\psi \mid \varphi_p \mid A\,\varphi_p\,U_{\bowtie a}\,\varphi_p \mid E\,\varphi_p\,U_{\bowtie a}\,\varphi_p$$
where p ∈ AP is an atomic proposition, $a \in \mathbb{Q}^+$, and ⊲⊳ ∈ {>, ≥, ≤, <} is a comparison operator.
The properties given in the introduction can be expressed by $\mathrm{TCTL}_p$ formulas as follows. Property P2: the system is error free for at least 50 t.u. corresponds to $A\,(\neg error)\,U_{\ge 50}\,t$, while property P3: the system will reach a safe state within 7 t.u. is expressed by $AF_{\le 7}\,safe$.
Formulas of $\mathrm{TCTL}_p$ are again interpreted over configurations of the transition system associated with an ITA. For configuration s = (q, v, β), with lab(s) = lab(q), the inductive definition is as follows:
$$\begin{aligned}
s \models p &\text{ iff } p \in lab(s)\\
s \models \varphi \wedge \psi &\text{ iff } s \models \varphi \text{ and } s \models \psi\\
s \models \neg\varphi &\text{ iff } s \not\models \varphi\\
s \models A\,\varphi_p\,U_{\bowtie a}\,\psi_p &\text{ iff any execution } \rho \in Exec(s) \text{ is such that } \rho \models \varphi_p\,U_{\bowtie a}\,\psi_p\\
s \models E\,\varphi_p\,U_{\bowtie a}\,\psi_p &\text{ iff there exists an execution } \rho \in Exec(s) \text{ such that } \rho \models \varphi_p\,U_{\bowtie a}\,\psi_p
\end{aligned}$$
where
$$\rho \models \varphi_p\,U_{\bowtie a}\,\psi_p \text{ iff there exists a position } \pi \text{ along } \rho \text{ such that } Dur(\rho^{\le\pi}) \bowtie a,\ s_\pi \models \psi_p, \text{ and for any position } \pi' <_\rho \pi,\ s_{\pi'} \models \varphi_p.$$
Again A |= ψ if s0 |= ψ.
We now prove that:
Theorem 5 Model checking TCTLp on ITA is decidable.
The proof consists in establishing procedures dedicated to the four different subcases:
– $E\,p\,U_{\le a}\,r$ and $E\,p\,U_{<a}\,r$ (Proposition 6),
– $E\,p\,U_{\ge a}\,r$ and $E\,p\,U_{>a}\,r$ (Proposition 7),
– $A\,p\,U_{\ge a}\,r$ and $A\,p\,U_{>a}\,r$ (Proposition 8),
– $A\,p\,U_{\le a}\,r$ and $A\,p\,U_{<a}\,r$ (Proposition 9),
where p and r are boolean combinations of atomic propositions.
Proposition 6 Model checking formulas $E\,p\,U_{\le a}\,r$ and $E\,p\,U_{<a}\,r$ over ITA is decidable in NEXPTIME and in NP if the number of clocks is fixed.
Proof First consider the case of ITA−. Both formulas are variants of reachability, with the addition of a time bound. Therefore, the proof is similar to the one of Proposition 5. Again using Lemma 2 on an ITA− with E transitions, we can look for a run satisfying one of these formulas and bounded by $B = (E + n)^{3n}$, because shortening longer runs can be done while preserving the property. Thus, the decision procedure again consists in guessing a path and building a linear program. The satisfaction of the formula is then checked by separately verifying on one side that the run satisfies p U r, and on the other side, that the sum of all delays $d_j$ satisfies the constraint in the formula. The complexity is the same as in Proposition 5.
In the case of ITA, the exponential blowup of the transformation into an equivalent ITA− does not affect the complexity of the model-checking procedure above, as in Theorem 2. ⊓⊔
Note that this problem can be compared with bounded reachability as studied in [17].
However, the models seem incomparable: while the variables (that have fixed non-
negative rates in a state) are more powerful than interrupt clocks, the guards and
updates are rectangular, which in particular forbids additive and diagonal constraints.
Proposition 7 Model checking a formula $E\,p\,U_{\ge a}\,r$ or $E\,p\,U_{>a}\,r$ on an ITA is decidable in NEXPTIME and in NP if the number of clocks is fixed.
Proof Let A be an ITA− with n interrupt clocks and E transitions, and $B = (E + n)^{3n}$. The algorithm to decide whether $E\,p\,U_{\ge a}\,r$ (or $E\,p\,U_{>a}\,r$) holds works as follows. It nondeterministically guesses a path of length smaller than or equal to B and builds the associated linear program (as in the proof of Proposition 5), then checks that:
– this path yields a run, which can be done by solving the linear program;
– there is a position π in this run at which r holds and before which p holds continuously;
– the sum of delays before π exceeds a (or strictly exceeds it in the case of $E\,p\,U_{>a}\,r$).
If this first procedure fails, the algorithm nondeterministically guesses a path of length smaller than or equal to 2B + 1 and checks that:
– this path yields a run, which can be checked by a linear program as before,
– p holds on this path, but not necessarily in the last state reached,
– r holds in the last state of this path,
– either there is a transition e of level k that updates $x_k$ appearing twice and separated by a sequence σ of transitions of level higher than k during which time elapses (globally); this last part can be checked with a linear program on the delays corresponding to this subrun,
– or there is a transition e of level k that does not update $x_k$ appearing twice and separated by a sequence σ of transitions of level higher than k not updating $x_k$, during which time elapses at levels strictly higher than k but not at level k.
The algorithm returns true if one of the previous procedures succeeds, and false otherwise. We shall now prove that this algorithm is both sound and complete.
Soundness. If the first procedure succeeds, then the path guessed is trivially a witness of $E\,p\,U_{\ge a}\,r$ (or $E\,p\,U_{>a}\,r$, accordingly). If the second procedure succeeds, then a witness for the formula can be built from the path guessed. Indeed, the path guessed satisfies p U r, but not necessarily $p\,U_{\ge a}\,r$. Assume the sequence σ lets elapse δ time units (δ > 0); by repeating $\lceil a/\delta \rceil$ times² the sequence σe, we obtain a run satisfying $p\,U_{\ge a}\,r$. Note that since either e updates the clock $x_k$ or there are no updates nor time elapsing at level k, and σ happens at higher levels, the clock values in each instance of σe will be identical, hence this repetition will always be possible.
² This sequence may be repeated once more in the case of $p\,U_{>a}\,r$.
Completeness. Now consider a minimal witness ρ of length h for $E\,p\,U_{\ge a}\,r$. Since ρ is minimal, r holds in the last state of ρ and p holds (at least) in every position before. If h ≤ B, then the first procedure will consider ρ. Otherwise h > B, which means that one of the following cases of Lemma 2 happens:
– The same transition e of level k leaving $x_k$ unchanged appears twice separated by lazy or delayed transitions between states of level greater than or equal to k. In that case, the corresponding subrun can be replaced by a time step of the same duration, not changing the truth value of $p\,U_{\ge a}\,r$ on this new smaller run, thus violating the minimality hypothesis.
– The same transition e of level k updating clock $x_k$ appears twice on the subrun $e_1 \ldots e_{B+1}$, at positions i and j. In that case we have to distinguish two subcases: either some time has elapsed between the two occurrences $e_i$ and $e_j$ of e, or the transitions were all instantaneous.
  – If no time has elapsed, the subrun between $e_i$ and $e_j$ can be removed without altering the truth value of $p\,U_{\ge a}\,r$ on this new run, which is smaller than ρ. Hence there is a contradiction with the minimality hypothesis.
  – Or some time elapsed during this subrun. Let ρ be decomposed into $\rho_0 e_i \sigma e_j \rho_j$. Then by applying Lemma 2 to $\rho_j$ there exists a run $\rho'_j$ of length smaller than or equal to B such that $\rho' = \rho_0 e_i \sigma e_j \rho'_j$ is also a run. Note that |ρ′| ≤ 2B + 1, that the last state of ρ′ will be the same as the last state of ρ hence will satisfy r, and that p will also hold along ρ′. As a result ρ′ will be considered by the second procedure.
– The same transition e of level k leaving $x_k$ unchanged appears twice, with no time elapsing at level k between these occurrences. In that case, we again distinguish two subcases:
  – either no time elapsed (globally): the corresponding subrun can be removed, changing nothing in the rest of the execution nor in the satisfaction of $p\,U_{\ge a}\,r$, thus violating the hypothesis of minimality of ρ;
  – or time elapsed at higher levels and, by minimizing the subrun after the second occurrence as above, we deduce that the run will be considered by the second procedure.
The completeness proof is similar in the case of $E\,p\,U_{>a}\,r$.
When A is an ITA, the exponential blowup of the transformation from ITA to ITA− does not affect the above complexity. ⊓⊔
While a witness is a finite path in the previous cases, it is potentially infinite for $A\,p\,U_{\ge a}\,r$ or $A\,p\,U_{>a}\,r$. The generation of an infinite run relies on the (nondeterministic) exploration of the class graph built in Section 3, thus has a much greater computational complexity.
Proposition 8 Model checking a formula $A\,p\,U_{\ge a}\,r$ or $A\,p\,U_{>a}\,r$ on an ITA is decidable in 2-EXPTIME and in co-NP if the number of clocks is fixed.
Proof We consider an ITA A with n interrupt clocks, E transitions and the bound $B = (n + 2)^{12 b \cdot E \cdot n^3}$ where b is the number of bits coding the constants in A.
The algorithm to verify $A\,p\,U_{\ge a}\,r$ (or $A\,p\,U_{>a}\,r$) works as follows. It nondeterministically guesses a path of length smaller than or equal to B, builds its associated linear program, and checks that:
– this path yields a run ρ (by solving the linear program);
– this path is maximal, that is, no transition can be fired from the last configuration of the run;
[Fig. 11 Proof of Proposition 8: finite counterexample (Case 1). The figure shows a run ρ of length ≤ B with a position π reached at time < a, after which ¬r holds.]

[Fig. 12 Proof of Proposition 8: finite counterexample (Case 2). The figure shows a run ρ of length ≤ B with a position π reached at time < a, a later position π′ where ¬p ∧ ¬r holds, and ¬r holding between π and π′.]
– there is a position π in ρ occurring at a time strictly less than³ a such that
Case 1: either r does not hold from π (see Fig. 11)
Case 2: or there is a position π′ where neither p nor r holds, and r does not hold between π and π′ (see Fig. 12).
If this first procedure fails, then the algorithm guesses:
– a class K and a cycle C starting from K in the class graph (without building either the graph or the cycle), such that C contains at least one discrete step and only traverses classes where ¬r holds;
– a path in the automaton of length smaller than or equal to the bound B;
and checks that:
– the path does yield a run ρ that reaches a configuration (q, v, β) in class K (through a linear program);
– there is a position π in ρ occurring at time strictly less than⁴ a after which r no longer holds.
Remark that the procedure cannot use solely the class graph, since the abstraction is not precise enough to check the existence of position π.
Soundness. We prove that the algorithm is sound: when one of the procedures succeeds, there exists a counterexample for formula $A\,p\,U_{\ge a}\,r$ (or $A\,p\,U_{>a}\,r$). In the case of the first procedure, it is trivial that the guessed run does not satisfy $p\,U_{\ge a}\,r$ (or $p\,U_{>a}\,r$). In the case of the second one, we show that there exists an infinite counterexample. Consider configuration (q, v, β), which is reachable by ρ. Since (q, v, β) belongs to class K, for any path σ starting from K in the class graph, there is a run in the automaton starting from (q, v, β) traversing configurations which belong to the classes traversed by σ. Since there is a cycle in the class graph, there is an infinite path in the class graph (iterating on this cycle), so there exists an infinite run in the ITA. Also, since ¬r holds in the infinite path of the class graph, it holds in the run of the ITA, and the run is a counterexample for the formula.
³ Less than or equal to a in the case of $A\,p\,U_{>a}\,r$.
⁴ Less than or equal to a in the case of $A\,p\,U_{>a}\,r$.
Completeness. Assume there exists a finite counterexample ρ. Let A′ be the ITA− accepting the same timed language as A and let E′ denote the number of its transitions. Let $B' = (E' + 2n)^{3n}$ (the bound of Lemma 2); we have B′ ≤ B. If |ρ| ≤ B, it will be detected by procedure 1. Otherwise let ρ′ be the run corresponding to ρ in A′. This run accepts the same timed word as ρ and its sequence of traversed states can be projected onto the sequence of corresponding states of ρ, by omitting states of the form $(q^-, -)$: any subsequence $(q_0^+, -) \to \cdots \to (q_{m-1}^+, -) \to (q_m^-, -) \to (q_m^+, -)$ in ρ′ corresponds to the subsequence $q_0 \to \cdots \to q_{m-1} \to q_m$ in ρ. Note that |ρ| ≤ |ρ′| and that ρ′ is also a counterexample for the formula (although in A′). Since |ρ′| > B ≥ B′, one of the cases of Lemma 2 occurs. By removing transitions and maybe replacing them by some time elapsing, as in the proof of Proposition 7, a counterexample σ′ of size |σ′| ≤ B′ ≤ B exists in A′. Now consider the run σ in A which corresponds to σ′. We have |σ| ≤ |σ′| ≤ B′ ≤ B and σ is still a counterexample. Therefore σ can be guessed by the first procedure.
If there exists an infinite counterexample ρ, consider its counterpart σ in the class graph. This counterpart is also infinite. More precisely, σ contains an infinite number of discrete transitions. Since σ traverses a finite number of classes, it contains a cycle C with at least one discrete transition. Choose any class K of this cycle and consider the prefix $\rho_0$ of ρ leading to a configuration in K. As in the case of a finite counterexample, there exists $\rho'_0$ of length smaller than B reaching the same configuration. All of C, K and $\rho'_0$ can be guessed by the second procedure, which will therefore succeed.
Procedure 1 operates in NEXPTIME (guessing a path of length B and solving a linear program of size polynomial w.r.t. B). Procedure 2 consists in looking for a specific cycle in the class graph, which can be done in time polynomial w.r.t. the size of the graph, thus in 2-EXPTIME. The case where the number of clocks is fixed is handled as usual. ⊓⊔
For formulas in case 4, a specific procedure can be avoided, since the algorithms of cases 2 and 3 can be reused:
Proposition 9 Model checking a formula $A\,p\,U_{\le a}\,r$ or $A\,p\,U_{<a}\,r$ on an ITA is decidable in 2-EXPTIME and in co-NP if the number of clocks is fixed.
Proof Notice that $A\,p\,U_{\le a}\,r = (A\,p\,U_{\ge 0}\,r) \wedge \neg(E\,\neg r\,U_{>a}\,t)$, and $A\,p\,U_{<a}\,r = (A\,p\,U_{\ge 0}\,r) \wedge \neg(E\,\neg r\,U_{\ge a}\,t)$. ⊓⊔
6 Language properties
In this section, we compare the expressive power of the previous models with respect
to language acceptance. Recall that TL is strictly contained in CRTL. We prove that:
Theorem 6 The families TL and ITL are incomparable. The families CRTL and ITL
are incomparable.
6.1 ITL is not contained in TL, nor in CRTL
The next proposition shows that ITA cannot be reduced to TA or CRTA. Observe that
the automata used in the proof belong to ITA−. Also, the language given for the first
point of the proposition is very simple since it contains only words of length 2.
[Fig. 13 An ITA A3 for L3. Content recoverable from the figure: states q0 (level 1), q1 (level 2), q2 (level 2); transitions q0 → q1 labelled x1 < 1, a, (x2 := 0) and q1 → q2 labelled x1 + 2x2 = 1, b.]

[Fig. 14 An ITA A4 for L4. Content recoverable from the figure: states q0 (level 1), q1 (level 2); transition q0 → q1 labelled x1 > 0, c, x2 := 0 and a transition on q1 labelled x2 = x1, c, x2 := 0.]
Proposition 10
1. There exists a language in ITL whose words have bounded length which is not in TL.
2. There exists a language in ITL which is not in CRTL.
Proof To prove the first point, consider the ITA A3 in Fig. 13. Suppose, by contradiction, that L3 = L(A3) is accepted by some timed automaton B (possibly with ε-transitions). Note that since we consider timed languages, we cannot assume that the granularity of B is 1. Let d be the granularity of B, i.e. the gcd of all rational constants appearing in the constraints of B (thus each such constant can be written k/d for some integer k). Then the word w = (a, 1 − 1/d)(b, 1 − 1/2d) is accepted by B through a finite path. Consider now the automaton B′ in TA, consisting of this single path (where states may have been renamed). We have w ∈ L(B′) ⊆ L(B) = L3 and B′ contains no cycle. Using the result in [11], we can build a timed automaton B′′ without ε-transition and with the same granularity d such that L(B′′) = L(B′), so that w ∈ L(B′′). The accepting path for w in B′′ contains two transitions: $p_0 \xrightarrow{\varphi_1, a, r_1} p_1 \xrightarrow{\varphi_2, b, r_2} p_2$. After firing the a-transition, all clock values are 1 − 1/d or 0, thus all clock values are 1 − 1/2d or 1/2d when the b-transition is fired. Let x ⊲⊳ c be an atomic proposition appearing in ϕ2. Since the granularity of B′′ is d, the ⊲⊳ operator cannot be =, otherwise the constraint would be x = 1/2d or x = 1 − 1/2d. If the constraint is x < c, x ≤ c, x > c, or x ≥ c, the path will also accept some word (a, 1 − 1/d)(b, t) for some t ≠ 1 − 1/2d. This is also the case if the constraint ϕ2 is true. We thus obtain a contradiction with L(B′′) ⊆ L3, which ends the proof.
To prove the second point, consider the language:
L4 = {(c, τ )(c, 2τ ) . . . (c, nτ ) | n ∈ N, τ > 0}
accepted by the ITA A4 in Fig. 14. This language cannot be accepted by a CRTA
(see [21]). ⊓⊔
6.2 TL is not contained in ITL
We now prove that there exists a language in TL that does not belong to ITL. Let L5 be the language defined by
$$L_5 = \Big\{ (a, \tau_1)(b, \tau_2) \ldots (a, \tau_{2p+1})(b, \tau_{2p+2}) \;\Big|\; p \in \mathbb{N},\ \forall\, 0 \le i \le p,\ \tau_{2i+1} = i + 1 \text{ and } i + 1 < \tau_{2i+2} < i + 2,\ \forall\, 1 \le i \le p,\ \tau_{2i+2} - \tau_{2i+1} < \tau_{2i} - \tau_{2i-1} \Big\}$$
Hence, the untimed language of L5 is $(ab)^*$, there is an occurrence of a at each time unit, and the successive occurrences of b come each time closer to the occurrence of a than previously. This language is in TL, as can be checked on the TA A5 of Fig. 15 (first proposed in [4]).
[Fig. 15 A timed automaton A5 for L5. Content recoverable from the figure: transitions labelled z = 1, a, z := 0; 0 < z < 1, b, y := 0; z = 1, a, z := 0; 0 < z ∧ y < 1, b, y := 0.]
Proposition 11 The language L5 does not belong to ITL.
Proof Assume, by contradiction, that L5 belongs to ITL. Then L5 is accepted by an ITA− A with n clocks and E transitions. Let $B = (E + n)^{3n}$ and consider the timed word $w = (a, \tau_1)(b, \tau_2) \cdots (a, \tau_{2B+1})(b, \tau_{2B+2}) \in L_5$. Word w is accepted by a run ρ of A, which can be assumed of minimal size. However, we know that |ρ| > B, so one of the three cases of Lemma 2 occurs in the first B transitions.
– Suppose a transition e of level k that updates xk appears twice, separated by a
subrun σ of level greater than or equal to k. Remark that the valuations after the
first and the second occurrence of e are identical. We distinguish several subcases,
depending on the word read along σe.
  – If σe reads the empty word ε, we write δ for the time spent during σe. If δ = 0, then σe can be deleted without affecting either the remainder of the run or the accepted word, which contradicts the minimality of ρ. If δ ≥ 1, then some interval [i, i + 1] does not contain any b, which contradicts the definition of L5. Otherwise, 0 < δ < 1. By deleting σe, we obtain an execution ρ′ (accepted by A) in which the suffix after e is shifted by δ. Therefore the following occurrence of letter a, which appeared in ρ at date i ∈ N \ {0}, appears in ρ′ at date i − δ, which is not integral. So the word accepted by ρ′ is not in L5, which is a contradiction.
  – If σe reads more a's than b's or more b's than a's, by deleting σe we obtain a run accepting a word whose untiming is not in $(ab)^*$, thus does not belong to L5.
  – If σe reads as many a's as b's (and both letters at least once), by duplicating σe we obtain a run accepting a word where the same duration separating an a from the following b is repeated, thus violating the definition of L5.
– Suppose a transition e of level k delayed or lazy occurs twice, separated by a subrun
σ of level greater than or equal to k, such that σe does not update xk. Then we can
replace eσ by a time step of the same duration and obtain a new run ρ′, accepted
by A.
– If eσ reads ε, then ρ′ contradicts the minimality of ρ.
– If eσ reads the word b, then ρ′ accepts a word where a and b do not alternate,
thus not in L5.
– If eσ reads at least an a, then ρ′ accepts a word with no a at a given integral
date, therefore not in L5.
– Otherwise, a transition e of level k appears twice separated by a subrun σ of level
greater than or equal to k, such that σe does not update xk nor lets time elapse
at level k. The same disjunction as in the case of an update of xk can be applied,
since σe can either be deleted or duplicated.
Note that the feature preventing L5 from being in ITL lies in the decreasing delays between the a's and their immediately following b. A language in ITL can record k different constant delays, using k + 1 clocks. For instance on the alphabet Σ = {a1, . . . , ak}, the language
$$M_k = \{ (a_1, \tau_1) \ldots (a_k, \tau_k)(a_1, \tau_1 + 1) \ldots (a_k, \tau_k + 1) \ldots (a_1, \tau_1 + n) \ldots (a_k, \tau_k + n) \mid n \ge 1,\ \tau_1 \le \tau_2 \le \cdots \le \tau_k \le \tau_1 + 1 \}$$
is accepted by an ITA− with k + 1 clocks. Fig. 16 illustrates the case where k = 3, with all states lazy. We conjecture that $M_k$ cannot be accepted by an ITA with k clocks.
[Fig. 16 An interrupt timed automaton for M3. Content recoverable from the figure: states q0 (level 1), q1 (level 2), q2 (level 3), q3 (level 4), q4 (level 4), q5 (level 4); transition labels: a1, (x2 := 0); x1 + x2 < 1, a2, (x3 := 0); x1 + x2 + x3 < 1, a3, (x4 := 0); x4 = 1 − x2 − x3, a1; x4 = 1 − x3, a2; x4 = 1, a3, x4 := 0.]
6.3 Closure under complementation and intersection
Proposition 12 ITL is not closed under complementation.
Proof We prove that the complement $L_5^c$ of L5 belongs to ITL. A timed word belongs to $L_5^c$ iff one of the following assertions holds:
1. An a occurs not at a time unit.
2. An a is missing at some time unit that precedes some letter of the word.
3. A b occurs at a time unit.
4. There is no b in an interval [i, i + 1] with an a at time i ∈ N.
5. There are two b's in an interval [i, i + 1] with an a at time i ∈ N.
6. There is an occurrence of abab such that the time difference between the first two occurrences is smaller than or equal to the time difference between the last two occurrences.
Since ITL is trivially closed under union, it is enough to prove that each assertion from the set above can be expressed by an ITA. The first five assertions are straightforwardly modeled by an ITA with a single clock (and ε-transitions), and we present in Fig. 17 an ITA with two clocks corresponding to the last one. ⊓⊔
[Fig. 17 (diagram): states q0, q1 (level 1) and q2, q3, q4 (level 2); transitions labelled a, b (loop); a, x1 := 0; b, x2 := 0; a, x2 := 0; x1 ≤ x2, b; a, b (loop)]
Fig. 17 An ITA for the language defined by assertion 6
Proposition 13 ITL is not closed under intersection.
Proof L5 is the intersection of L′5 and L″5 defined as follows:
– The words of L′5 are (a, 1)(b, τ1) . . . (a, n)(b, τn), with i < τi < i + 1 for all i,
1 ≤ i ≤ n.
– The words of L″5 are (a, τ′1)(b, τ1) . . . (a, τ′n)(b, τn), with τi+1 − τi < 1 for all i,
1 ≤ i ≤ n − 1.
Both languages are accepted by one-clock ITA (which are also one-clock TA). In the case
of L′5, (1) the clock is reset at every occurrence of an a; (2) an a must occur when the
clock is 1 and (3) a single b must occur when the clock is in (0, 1). In the case of L″5, (1)
the clock is reset at every occurrence of a b; (2) a b must occur when the clock is less
than 1, except for the first b; and (3) a single a must occur before every occurrence of a
b. ⊓⊔
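The two one-clock acceptors of this proof, as an added example that is not part of the paper: each automaton keeps a single clock as "current time minus last reset", follows the three conditions stated above for L′5 and L″5, and the conjunction is compared against L5 spelled out directly (a's at times 1, . . . , n, one b after each, with strictly decreasing a-to-b delay, which is how L5 is characterized by this proposition). Timed words are constructed lists of (letter, timestamp) with nondecreasing timestamps; the sample words are constructed here and are not from the paper.

```python
from fractions import Fraction as F

def accepts_L5_prime(word):
    """One-clock acceptor for L'_5: words (a,1)(b,t1)...(a,n)(b,tn) with i < t_i < i+1.
    The clock is reset on every a; an a is accepted only when the clock equals 1
    and a single b only while the clock lies in the open interval (0, 1)."""
    clock_reset, state = F(0), 'need_a'      # clock value at time t is t - clock_reset
    for letter, t in word:
        clock = F(t) - clock_reset
        if state == 'need_a' and letter == 'a' and clock == 1:
            clock_reset, state = F(t), 'need_b'
        elif state == 'need_b' and letter == 'b' and 0 < clock < 1:
            state = 'need_a'
        else:
            return False
    return state == 'need_a' and len(word) > 0

def accepts_L5_second(word):
    """One-clock acceptor for L''_5: words (a,t'_1)(b,t_1)...(a,t'_n)(b,t_n) with
    t_{i+1} - t_i < 1.  The clock is reset on every b; every b except the first must
    occur while the clock is below 1, and exactly one a precedes each b."""
    clock_reset, state, first_b = F(0), 'need_a', True
    for letter, t in word:
        clock = F(t) - clock_reset
        if state == 'need_a' and letter == 'a':
            state = 'need_b'
        elif state == 'need_b' and letter == 'b' and (first_b or clock < 1):
            clock_reset, state, first_b = F(t), 'need_a', False
        else:
            return False
    return state == 'need_a' and not first_b

def in_L5_by_intersection(word):
    """L_5 = L'_5 (intersect) L''_5, as Proposition 13 states."""
    return accepts_L5_prime(word) and accepts_L5_second(word)

def in_L5_direct(word):
    """L_5 spelled out: (a,1)(b,t1)...(a,n)(b,tn) with i < t_i < i+1 and the delay
    t_i - i strictly decreasing, i.e. each b draws closer to its preceding a."""
    if len(word) < 2 or len(word) % 2:
        return False
    last_delay = None
    for i in range(0, len(word), 2):
        k = i // 2 + 1
        (la, ta), (lb, tb) = word[i], word[i + 1]
        if (la, lb) != ('a', 'b') or F(ta) != k or not (k < F(tb) < k + 1):
            return False
        delay = F(tb) - k
        if last_delay is not None and delay >= last_delay:
            return False
        last_delay = delay
    return True

# Constructed sample words (not from the paper).
SAMPLES = {
    'in_L5':       [('a', 1), ('b', F(3, 2)), ('a', 2), ('b', F(9, 4)), ('a', 3), ('b', F(25, 8))],
    'delay_grows': [('a', 1), ('b', F(5, 4)), ('a', 2), ('b', F(5, 2))],   # in L'_5 only
    'only_second': [('a', F(1, 2)), ('b', F(3, 4)), ('a', 1), ('b', F(3, 2))],  # in L''_5 only
    'b_on_unit':   [('a', 1), ('b', 2), ('a', 2), ('b', F(5, 2))],
    'a_off_unit':  [('a', F(1, 2)), ('b', 1)],
    'two_bs':      [('a', 1), ('b', F(5, 4)), ('b', F(3, 2))],
    'empty':       [],
}

if __name__ == '__main__':
    for name, w in SAMPLES.items():
        print(f"{name:12} L'_5={accepts_L5_prime(w)!s:5} L''_5={accepts_L5_second(w)!s:5} "
              f"L_5={in_L5_direct(w)}")
```

On every sample the conjunction of the two one-clock acceptors agrees with the direct definition, while `delay_grows` and `only_second` show that neither acceptor alone suffices.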
7 Combining ITA with CRTA
In the previous section, we proved that the classes of languages defined by ITA and
CRTA are incomparable. Here we provide a class containing both ITL and CRTL. In
order to do so, we combine the models of ITA and CRTA.
7.1 An undecidable product
The first possible kind of combination is a synchronized product between an
ITA and a CRTA. However, this turns out to be too powerful a model, since combining
even a TA with an ITA yields the undecidability of the reachability problem.
Definition 11 If I = ⟨Σ, QI, q^I_0, FI, polI, X, λI, ∆I⟩ is an ITA (propositional variables and labeling are omitted) and T = ⟨Σ, QT, q^T_0, FT, Y, ∆T⟩ is a TA, then I × T = ⟨Σ, QI × QT, (q^I_0, q^T_0), F, pol, X, Y, λ, ∆⟩ is an ITA×TA where:
– pol(qI, qT) = polI(qI) and λ(qI, qT) = λI(qI) are lifted from the ITA
– if qI −(ϕ, a, u)→ q′I ∈ ∆I and qT −(ψ, a, v)→ q′T ∈ ∆T, then (qI, qT) −(ϕ ∧ ψ, a, u ∧ v)→ (q′I, q′T) ∈ ∆.
[Fig. 18 (diagram): states (ℓ, r1, >) level 1, L; (ℓ, r2, >) level 2, U; (ℓ, r3, >) level 2, L; (ℓ, r4, >) level 3, L; (ℓ, r5, >) level 3, L; ℓ′ level 1, U. Transitions: yc = 1, b1_ℓ; b2_ℓ, x2 := x1; yd = 1, b3_ℓ, yc := 0; x3 = x2 − x1/2, b4_ℓ, yd := 0; x3 = 1 − x1/2, b5_ℓ]
Fig. 18 Module A^{c++}_{c≥d}(ℓ, ℓ′) incrementing the value of c when c ≥ d.
The semantics of an ITA×TA is a transition system over configurations {(q, v, w, β) | q ∈ Q, v ∈ R^X, w ∈ R^Y, β ∈ {⊤, ⊥}}.
Discrete steps are defined analogously as in ITA (see Definition 2). In time steps, clocks
of X evolve as in an ITA and clocks of Y as in a TA. More precisely, a time step of
duration d > 0 is defined by (q, v, w, β) −d→ (q, v′, w′, ⊤) where v′(xλ(q)) = v(xλ(q)) + d
and v′(x) = v(x) for any other clock x ∈ X, and w′(y) = w(y) + d for y ∈ Y.
Theorem 7 Reachability is undecidable in the class ITA×TA.
Proof (Sketch) The proof consists in encoding a two counter machine into an ITA×TA.
Two classical clocks {yc, yd} keep the values of the counters by holding the value
1 − 1/2^n to encode n. Three interrupt clocks are used to change the values of the classical
clocks through appropriate resets. The ITA×TA is defined through basic modules,
corresponding to the four possible actions (incrementation or decrementation of c or
d). Each module is itself composed of submodules: the first one compares the value of c
to the one of d. The other one performs the action, but depends on the order between
c and d.
For example, the submodule incrementing c when c ≥ d is depicted in Fig. 18.
In this module, the value⁵ of the classical clocks is copied into interrupt clocks and updated
thanks to the linear updates allowed by ITA; the new values are then copied back into the classical
clocks by resetting them at the appropriate moment. The valuations of the clocks during
an execution of this module are given in Table 3.
Note that state policies are used in this product, but they could be replaced by
classical clocks.
The detailed proof can be found in Appendix B.
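To make the counter encoding concrete, here is an added example (not code from the paper) that replays the module of Fig. 18 numerically, following the ITA×TA time step defined above: only the interrupt clock of the current level advances, while the classical clocks yc and yd always advance at rate 1. It serves both this sketch and the module walk-through in Appendix B. The state names, the choice of each delay as the unique value satisfying the next guard, and the reset of x2, x3 when b5 returns to level 1 are assumptions chosen to match Table 3; the encoding 1 − 1/2^n of a counter value n is the paper's.

```python
from fractions import Fraction as F

def encode(n):
    """Counter value n as the classical-clock value 1 - 1/2^n (the paper's encoding)."""
    return 1 - F(1, 2 ** n)

def decode(value):
    """Inverse of encode: 1 / (1 - value) must be a power of two; return its exponent."""
    inv = 1 / (1 - value)
    if inv.denominator != 1 or inv.numerator & (inv.numerator - 1):
        raise ValueError(f'{value} does not encode a counter')
    return inv.numerator.bit_length() - 1

def time_step(conf, level, d):
    """ITA x TA time step: only the interrupt clock x_level advances (the other
    interrupt clocks are frozen), while every classical clock of Y advances at rate 1."""
    if d < 0:
        raise ValueError('negative delay: the guard is already passed')
    q, v, w = conf
    v, w = dict(v), dict(w)
    v[f'x{level}'] += d
    for y in w:
        w[y] += d
    return (q, v, w)

def discrete_step(conf, target, updates):
    """Discrete step: move to target and apply the clock updates (clock -> new value)."""
    q, v, w = conf
    v, w = dict(v), dict(w)
    for clock, value in updates.items():
        (v if clock in v else w)[clock] = value
    return (target, v, w)

def run_increment_module(n, p):
    """The unique run of A^{c++}_{c>=d}(l, l') from the first row of Table 3
    (c = n, d = p, n >= p).  Each row of the table is one configuration (q, v, w)
    of the returned list; every delay is the unique value satisfying the next guard."""
    if n < p:
        raise ValueError('this module assumes c >= d')
    trace = []

    def at(conf):
        trace.append(conf)
        return conf

    conf = at(('(l,r1,>)', {'x1': F(0), 'x2': F(0), 'x3': F(0)},
               {'yc': encode(n), 'yd': encode(p)}))
    # (l,r1,>) at level 1: wait until yc = 1, so x1 records 1/2^n; fire b1
    conf = at(time_step(conf, 1, 1 - conf[2]['yc']))
    conf = at(discrete_step(conf, '(l,r2,>)', {}))
    # (l,r2,>) at level 2 is urgent: b2 copies x1 into x2 without delay
    conf = at(discrete_step(conf, '(l,r3,>)', {'x2': conf[1]['x1']}))
    # (l,r3,>) at level 2: wait until yd = 1, so x2 records 1/2^p; b3 resets yc
    conf = at(time_step(conf, 2, 1 - conf[2]['yd']))
    conf = at(discrete_step(conf, '(l,r4,>)', {'yc': F(0)}))
    # (l,r4,>) at level 3: wait until x3 = x2 - x1/2; b4 resets yd
    goal = conf[1]['x2'] - conf[1]['x1'] / 2
    conf = at(time_step(conf, 3, goal - conf[1]['x3']))
    conf = at(discrete_step(conf, '(l,r5,>)', {'yd': F(0)}))
    # (l,r5,>) at level 3: wait until x3 = 1 - x1/2, then b5 goes back to level 1
    goal = 1 - conf[1]['x1'] / 2
    conf = at(time_step(conf, 3, goal - conf[1]['x3']))
    # assumption: returning to level 1 resets the clocks above it (x2 = x3 = 0 at l' in Table 3)
    conf = at(discrete_step(conf, "l'", {'x2': F(0), 'x3': F(0)}))
    return trace

def final_counters(n, p):
    """Counters decoded from yc and yd at l'; the module should yield (n + 1, p)."""
    _, _, w = run_increment_module(n, p)[-1]
    return decode(w['yc']), decode(w['yd'])

if __name__ == '__main__':
    for q, v, w in run_increment_module(3, 1):
        print(f'{q:10} ' + '  '.join(f'{c}={x}' for c, x in {**w, **v}.items()))
    print(final_counters(3, 1))   # (4, 1)
```

Printing the trace for n = 3, p = 1 reproduces the ten rows of Table 3 with exact rationals; the interesting check is that x1 stays frozen at 1/2^n once the run is above level 1, which is exactly the stopwatch behaviour the encoding relies on.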
Other proofs of undecidability for hybrid systems mixing clocks and stopwatches
have been developed (see for instance [24, Theorem 4.1] for a construction with a
single stopwatch and 5 clocks). While this construction could have been adapted to
⁵ Or rather the complement to 1 of the value.
(ℓ, r1, >): yc = 1 − 1/2^n, yd = 1 − 1/2^p, x1 = 0, x2 = 0, x3 = 0
  --(time 1/2^n)-->
(ℓ, r1, >): yc = 1, yd = 1 − 1/2^p + 1/2^n, x1 = 1/2^n, x2 = 0, x3 = 0
  --(b1_ℓ)-->
(ℓ, r2, >): yc = 1, yd = 1 − 1/2^p + 1/2^n, x1 = 1/2^n, x2 = 0, x3 = 0
  --(b2_ℓ)-->
(ℓ, r3, >): yc = 1, yd = 1 − 1/2^p + 1/2^n, x1 = 1/2^n, x2 = 1/2^n, x3 = 0
  --(time 1/2^p − 1/2^n)-->
(ℓ, r3, >): yc = 1 + 1/2^p − 1/2^n, yd = 1, x1 = 1/2^n, x2 = 1/2^p, x3 = 0
  --(b3_ℓ)-->
(ℓ, r4, >): yc = 0, yd = 1, x1 = 1/2^n, x2 = 1/2^p, x3 = 0
  --(time 1/2^p − 1/2^{n+1})-->
(ℓ, r4, >): yc = 1/2^p − 1/2^{n+1}, yd = 1 + 1/2^p − 1/2^{n+1}, x1 = 1/2^n, x2 = 1/2^p, x3 = 1/2^p − 1/2^{n+1}
  --(b4_ℓ)-->
(ℓ, r5, >): yc = 1/2^p − 1/2^{n+1}, yd = 0, x1 = 1/2^n, x2 = 1/2^p, x3 = 1/2^p − 1/2^{n+1}
  --(time 1 − 1/2^p)-->
(ℓ, r5, >): yc = 1 − 1/2^{n+1}, yd = 1 − 1/2^p, x1 = 1/2^n, x2 = 1/2^p, x3 = 1 − 1/2^{n+1}
  --(b5_ℓ)-->
ℓ′: yc = 1 − 1/2^{n+1}, yd = 1 − 1/2^p, x1 = 1/2^n, x2 = 0, x3 = 0
Table 3 Clock values in the unique run of A^{c++}_{c≥d}(ℓ, ℓ′). Irrelevant values of interrupt clocks are greyed in the original.
our setting, this would have led to an ITA×TA with 5 classical clocks and 2 interrupt
clocks.
7.2 A decidable product of ITA and CRTA: ITA+
We define another synchronized product between ITA and CRTA, in the spirit of multi-
level systems, for which reachability is decidable. This class, denoted by ITA+, includes
a set of clocks at an implicit additional level 0, corresponding to a basic task described
as in a CRTA. In the definition below, since no confusion can occur, we aggregate the
coloring function of CRTA and the level function of ITA into a single function λ.
Definition 12 (ITA+) An extended interrupt timed automaton is a tuple A = ⟨Q, q0, F, pol, X ⊎ Y, Σ, Ω, λ, up, low, vel, ∆⟩, where:
– Q is a finite set of states, q0 is the initial state and F ⊆ Q is the set of final states.
– pol : Q → {L, U, D} is the timing policy of states.
– X = {x1, . . . , xn} consists of n interrupt clocks and Y is a set of basic clocks,
– Σ is a finite alphabet,
– Ω is a set of colors, the mapping λ : Q ⊎ Y → {1, . . . , n} ⊎ Ω associates with each
state its level or its color, with xλ(q) the active clock in state q for λ(q) ∈ N and
λ(y) ∈ Ω for y ∈ Y. For every state q ∈ λ^{−1}(Ω), the policy is pol(q) = L.
– up and low are mappings from Y to ℚ with the same constraints as CRTA (see
Definition 4), and vel : Q → ℚ is the clock rate with λ(q) ∉ Ω ⇒ vel(q) = 1
– ∆ ⊆ Q × [C(X ∪ Y) × (Σ ∪ {ε}) × U(X ∪ Y)] × Q is the set of transitions. Let
q −(ϕ, a, u)→ q′ in ∆ be a transition.
1. The guard ϕ is of the form ϕ1 ∧ ϕ2 with the following conditions. If λ(q) ∈ N,
ϕ1 is an ITA guard on X and otherwise ϕ1 = true. Constraint ϕ2 is a CRTA
guard on Y (also possibly equal to true).
2. The update u is of the form u1 ∧ u2 fulfilling the following conditions. Assign-
ments from u1 update the clocks in X with the constraints of ITA when λ(q)
and λ(q′) belong to N. Otherwise it is a global reset of the clocks in X. Assignments
from u2 update clocks from Y, as in CRTA.
Any ITA can be viewed as an ITA+ with Y empty and λ(Q) ⊆ {1, . . . , n}, and any
CRTA can be viewed as an ITA+ with X empty and λ(Q) ⊆ Ω. Class ITA+ combines
both models in the following sense. When the current state q is such that λ(q) ∈ Ω, the
ITA part is inactive. Otherwise, it behaves as an ITA but with additional constraints
on the clocks of the CRTA involved in the extended guards and updates. The semantics
of ITA+ is defined as usual but now takes into account the velocity of CRTA clocks.
Definition 13 (Semantics of ITA+) The semantics of an automaton A in ITA+
is defined by the transition system TA = (S, s0, →). The set S of configurations is {(q, v, β) | q ∈ Q, v ∈ R^{X∪Y}, β ∈ {⊤, ⊥}}, with initial configuration (q0, 0, ⊥). An accepting configuration of TA is a configuration (q, v, β) with q ∈ F. The relation → on S consists
of time steps and discrete steps, the definition of the latter being the same as before:
Time steps: Only the active clocks in a state can evolve; all other clocks are suspended.
For a state q with λ(q) ∈ N (the active clock is xλ(q)), a time step of duration d > 0
is defined by (q, v, β) −d→ (q, v′, ⊤) with v′(xλ(q)) = v(xλ(q)) + d and v′(x) = v(x)
for any other clock x. For a state q with λ(q) ∈ Ω (the active clocks are Y′ =
Y ∩ λ^{−1}(λ(q))), a time step of duration d > 0 is defined by (q, v, β) −d→ (q, v′, ⊤)
with v′(y) = v(y) + vel(q)·d for y ∈ Y′ and v′(x) = v(x) for any other clock x. In all
states, time steps of duration d = 0 leave the system TA in the same configuration.
When pol(q) = U, only time steps of duration 0 are allowed.
Discrete steps: A discrete step (q, v) −a→ (q′, v′) occurs if there exists a transition
q −(ϕ, a, u)→ q′ in ∆ such that v ⊨ ϕ and v′ = v[u]. When pol(q) = D and β = ⊥,
discrete steps are forbidden.
In order to illustrate the interest of the combined model, an example of a (simple)
login procedure is described in Fig. 19 as a TA with interruptions at a single level.
First it immediately displays a prompt and arms a time-out of 1 t.u. handled by
clock y (transition init −p→ wait). Then either the user answers correctly within this
delay (transition wait −ok→ log) or answers incorrectly or lets time elapse, both cases
with transition wait −er→ init, and the system prompts again. The whole process is
controlled by a global time-out of 6 t.u. (transition wait −to→ out) followed by a long
suspension (50 t.u.) before reinitializing the process (transition out −rs→ init). Both
delays are handled by clock z. At any time during the process (in fact in state wait),
a system interrupt may occur (transition wait −i→ I). If the time spent during the interrupt
(measured by clock x1) is less than 3 t.u. or the time already spent by the user is
less than 3 t.u., the login process resumes (transition I −cont→ init). Otherwise the login
process is reinitialized, allowing again the 6 t.u. (transition I −rs→ init). In both cases,
the prompt will be displayed again. Since invariants are irrelevant for the reachability
problem, we did not include them in the models. Of course, in this example state wait
should have invariant y ≤ 1 ∧ z ≤ 6 and state out should have invariant z ≤ 50.
We extend the decidability and complexity results of the previous models when
combining them with CRTA. Class ITA+− is obtained in a similar way by combining
ITA− with CRTA.
[Fig. 19 (diagram): states init, wait, log, out (basic level) and I (level 1); transitions: y = 0, p; y ≤ 1 ∧ z < 6, er, y := 0; y < 1 ∧ z < 6, ok; y ≤ 1 ∧ z = 6, to, z := 0; y < 1 ∧ z < 6, i, x1 := 0; z = 50, rs, y := 0, z := 0; x1 < 3 ∨ z < 3, count, y := 0; x1 ≥ 3 ∧ z ≥ 3, rs, y := 0, z := 0]
Fig. 19 An automaton for login in ITA+
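The login automaton of Fig. 19 run under the semantics of Definition 13, as an added example that is not code from the paper: the automaton is encoded as data, a time step advances only the active clocks of the current state (x1 in the interrupt state I, the basic clocks y and z of the base colour otherwise), and a discrete step checks the guard, applies the resets and, following Definition 12, globally resets X when the transition crosses between a level and a coloured state. Assumed, because the figure does not show them: all states are lazy, both basic clocks share one colour with velocity 1, a discrete step resets β to ⊥, and the transition the text calls cont (printed count in the figure) is labelled cont. The two scenarios are constructed; the second exercises the edge case where the interrupt lasts too long to resume.

```python
from fractions import Fraction as F

# Login automaton of Fig. 19 as data (assumed policies: all lazy).
INTERRUPT_CLOCKS = ('x1',)                       # X, one clock per level
BASIC_CLOCKS = {'y': 'base', 'z': 'base'}        # Y with its colour lambda(y)
LEVEL = {'init': 'base', 'wait': 'base', 'log': 'base', 'out': 'base', 'I': 1}
POLICY = {q: 'L' for q in LEVEL}
VEL = {q: F(1) for q in LEVEL}

# (source, guard, label, update, target); all updates here are resets
TRANSITIONS = [
    ('init', lambda v: v['y'] == 0,                  'p',    {},                     'wait'),
    ('wait', lambda v: v['y'] <= 1 and v['z'] < 6,   'er',   {'y': F(0)},            'init'),
    ('wait', lambda v: v['y'] < 1 and v['z'] < 6,    'ok',   {},                     'log'),
    ('wait', lambda v: v['y'] <= 1 and v['z'] == 6,  'to',   {'z': F(0)},            'out'),
    ('wait', lambda v: v['y'] < 1 and v['z'] < 6,    'i',    {'x1': F(0)},           'I'),
    ('out',  lambda v: v['z'] == 50,                 'rs',   {'y': F(0), 'z': F(0)}, 'init'),
    ('I',    lambda v: v['x1'] < 3 or v['z'] < 3,    'cont', {'y': F(0)},            'init'),
    ('I',    lambda v: v['x1'] >= 3 and v['z'] >= 3, 'rs',   {'y': F(0), 'z': F(0)}, 'init'),
]

def initial():
    """Initial configuration (q0, 0, bottom) of Definition 13."""
    v = {c: F(0) for c in INTERRUPT_CLOCKS + tuple(BASIC_CLOCKS)}
    return ('init', v, False)

def time_step(conf, d):
    """Time step of Definition 13: in a level-k state only x_k advances; in a coloured
    state only the basic clocks of that colour advance, at rate vel(q); everything
    else is suspended.  Urgent states admit only d = 0."""
    q, v, beta = conf
    d = F(d)
    if d < 0:
        raise ValueError('negative delay')
    if d == 0:
        return conf
    if POLICY[q] == 'U':
        raise ValueError(f'{q} is urgent: no time may elapse')
    v = dict(v)
    if isinstance(LEVEL[q], int):
        v[f'x{LEVEL[q]}'] += d
    else:
        for y, colour in BASIC_CLOCKS.items():
            if colour == LEVEL[q]:
                v[y] += VEL[q] * d
    return (q, v, True)

def enabled(conf):
    """Labels of the transitions that may fire from conf (delayed states need beta)."""
    q, v, beta = conf
    if POLICY[q] == 'D' and not beta:
        return []
    return [lab for (s, g, lab, _, _) in TRANSITIONS if s == q and g(v)]

def discrete_step(conf, label):
    """Fire the transition with this label.  Assumptions: the step resets beta, and
    crossing between a level and a coloured state globally resets X (Definition 12)."""
    q, v, beta = conf
    if label not in enabled(conf):
        raise ValueError(f'{label} is not enabled in {q}')
    for (s, g, lab, upd, t) in TRANSITIONS:
        if s == q and lab == label and g(v):
            v2 = dict(v)
            if not (isinstance(LEVEL[q], int) and isinstance(LEVEL[t], int)):
                v2.update({x: F(0) for x in INTERRUPT_CLOCKS})
            v2.update(upd)
            return (t, v2, False)

def run(script, conf=None):
    """Apply a script mixing delays (numbers) and transition labels (strings)."""
    conf = conf or initial()
    for step in script:
        conf = discrete_step(conf, step) if isinstance(step, str) else time_step(conf, step)
    return conf

# Constructed scenario 1: a 2 t.u. interrupt while the prompt is up.  y and z are
# suspended in I, so the 6 t.u. global time-out is not consumed by the interrupt.
SHORT_INTERRUPT = ['p', F(1, 2), 'i', 2, 'cont', 'p', F(1, 2), 'ok']

# Constructed scenario 2: four wrong answers (z = 3.6), then a 4 t.u. interrupt:
# x1 >= 3 and z >= 3, so only rs (reinitialise) is enabled and cont is not.
LONG_INTERRUPT = ['p', F(9, 10), 'er'] * 4 + ['p', F(1, 2), 'i', 4]

if __name__ == '__main__':
    q, v, _ = run(SHORT_INTERRUPT)
    print(q, {c: str(x) for c, x in v.items()})   # log, with z = 1
    print(enabled(run(LONG_INTERRUPT)))           # ['rs']
```

In the first scenario the run ends in log with z = 1 although 3 t.u. of wall-clock time have passed, which is the stopwatch effect of the interrupt level; in the second, after the long interrupt only rs is enabled, so the user budget is reset as the text describes.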
Proposition 14
1. The reachability problem for ITA+− is decidable in NEXPTIME and is PSPACE-complete when the number of interrupt clocks is fixed.
2. The reachability problem for ITA+ is decidable in NEXPTIME and is PSPACE-complete when the number of interrupt clocks is fixed.
Proof
Case of ITA+−. Let A = ⟨Q, q0, F, pol, X ⊎ Y, Σ, Ω, λ, up, low, vel, ∆⟩ be an ITA+−, with
n = |X| the number of ITA clocks, p = |Y| the number of CRTA clocks and E = |∆|
the number of transitions.
We first consider the reachability problem for two states qi and qf on the CRTA
level (with λ(qi) ∈ Ω and λ(qf) ∈ Ω). The procedure consists in performing a non-
deterministic search along an elementary path whose vertices are classes of the class graph of
the CRTA. Let (q, Z) be the current class; the procedure chooses nondeterministically
the next class (q′, Z′) and checks that there exist a configuration of (q, Z) and an
execution only through states q″ with λ(q″) ∈ N that leads to a configuration of
(q′, Z′). This is solved as previously by nondeterministically choosing an execution
path, building a linear program related to the path (of exponential size) and solving
it. Let us prove that such a path can be chosen whose length is in O(p(E + 2n)3n).
Assume that there is a run π from (q, v) ∈ (q, Z) to some configuration (q′, v′) ∈
(q′, Z′) such that all intermediate states q″ satisfy λ(q″) ∈ N. We say that a
transition e of π usefully resets a clock y ∈ Y if it is the first transition of π that resets
y. Observe that there are at most p useful resetting transitions and that between two
such successive transitions (or before the first one or after the last one) the values of
the clocks of Y are unchanged when transitions are fired.
We consider a subrun ρ between two such successive transitions (or before the first
one or after the last one) from (q1, v1) to (q2, v2), with mk the number of transitions
of level k.
Using Lemma 2, we build a subrun ρ′ from (q1, v1) to (q2, v2) of length smaller than
(E + 2n)3n. Concatenating the subruns, the useful resetting transitions and the initial
transition, one obtains a run π′ from (q, v) to (q′, v′) of length in O(p(E + 2n)3n).
The key point ensuring correctness of the procedure is that the existence of a
solution depends only on the starting class (q, Z) and not on the configuration inside
this class. This is due to the separation of guards and updates between the two kinds
of clocks on the transitions.
When state qi (resp. qf) is not at the basic level, the procedure adds an initial
(resp. final) guess, also checked by a linear program. When the number of clocks is
fixed, the dominant factor is the path search in the class graph, and PSPACE hardness
follows from the result for TA.
Case of ITA+. We transform the ITA part of the automaton into ITA− via the procedure
of Proposition 3 and apply the procedure for ITA+−. ⊓⊔
It is also possible to build a class graph for ITA+, combining a class graph for ITA
and a region graph for TA. This yields the regularity of the untimed language of an
ITA+, hence the strict inclusion in the languages accepted by stopwatch automata.
Let ITL+ be the family of timed languages defined by ITA+. The class ITL+
syntactically contains ITL ∪ CRTL. We have, however, a stronger result:
Proposition 15 The class ITL+ strictly contains ITL ∪ CRTL.
Proof Recall ITA A4 of Fig. 14, whose language L4 is not in CRTL, and let Q4 be its
set of states. Also recall TA A5 of Fig. 15, whose language L5 is not in ITL, with set
of states Q5. Let A4 ⊗ A5 be the ITA+ having A5 at level 0 and A4 at levels 1 and 2.
Formally, A4 ⊗ A5 has set of states Q4 ∪ Q5, which are all lazy. Interrupt clocks of
A4 ⊗ A5 are {x1, x2} (active according to A4). Its basic clocks are {z, y} of velocity 1.
Both have the same color as the states of Q5. The bounding functions up (resp. low) map
both z and y to 1 (resp. 0). Transitions of A4 ⊗ A5 are the ones of A4 and A5, adding
an unguarded, unlabeled transition from A5's final state to A4's initial one.
A4 ⊗ A5 accepts timed words which start with an alternation of a's and b's, with
the b always drawing closer to its preceding a (as in A5), and then contain only c's
separated by the same amount of time (as in A4). Since both CRTL and ITL are closed
under projection, L(A4 ⊗ A5) can be accepted neither by a CRTA nor by an ITA. ⊓⊔
8 Conclusion
In this paper, we introduced and studied the model of Interrupt Timed Automata. This
model is useful to represent timed systems with tasks organized over priority levels.
While ITA fall into the more general class of hybrid systems, the reachability prob-
lem is proved decidable for this subclass. For ITA, reachability is in NEXPTIME,
and in PTIME when the number of clocks is fixed, by building a class graph. Similar
constructions yield decidability of the reachability problem on an extension of ITA
where the lowest priority level can behave as a Controlled Real-Time Automaton. They
also yield procedures for model checking CTL∗ formulas and timed CTL formulas con-
straining only the clocks of the system. Another fragment of interest was identified in
timed CTL as decidable: the one where the only time constraints concern global earliest
or latest execution times. On the other hand, model checking the linear time logic SCL
is proved undecidable on ITA, implying that this is also the case for MITL.
From the expressiveness point of view, the class ITL is proved incomparable with
both TL and CRTL, and is neither closed under complementation nor under intersection.
The expressiveness results are summed up in Fig. 20, where the grey zone represents
undecidability of the reachability problem.
[Fig. 20 (diagram): nested classes LHA = SWA, ITA+ = ITA+−, CRTA, TA and ITA = ITA−. Legend: LHA, Linear Hybrid Automata; SWA, Stopwatch Automata; CRTA, Controlled Real-Time Automata; TA, Timed Automata; ITA, Interrupt Timed Automata; ITA+, Extended ITA]
Fig. 20 Expressiveness of several timed formalisms with respect to timed languages.
Several problems remain open on the class of ITA. First of all, the effect of having
both (limited) stopwatches and linear expressions in guards is combined in ITA, and it
is not known which is the cause of the undecidability results presented in this paper.
For instance, the undecidability of SCL may not hold without the possibility of complex
updates. More generally, the expressive power of the subclass of ITA restricted to
rectangular guards (x + b ⊲⊳ 0) and only resets (x := 0) should be investigated. Also, it
is conjectured that the class of ITA with n + 1 clocks is strictly more expressive than
the class of ITA with n clocks. Regarding model checking, the undecidability of full
TCTL remains to be established. Finally, the complexity bounds presented in this paper
are only upper bounds, and matching lower bounds are still missing.
Acknowledgments The authors would like to thank the anonymous reviewers for their
insightful comments. This work was supported by projects Dots (ANR-06-SETI-
003, French government), ImpRo (ANR-2010-BLAN-0317, French government) and
CoChaT (Digiteo 2009-27HD, Région Île-de-France).
References
1. Aceto, L., Burgueño, A., Larsen, K.G.: Model checking via reachability testing for timed
automata. In: Proceedings of the 4th International Conference on Tools and Algorithms
for Construction and Analysis of Systems (TACAS'98). Volume 1384 of Lecture Notes in
Computer Science, London, UK, Springer-Verlag (1998) 263–280.
2. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking in dense real-time. Information
and Computation 104 (1993) 2–34.
3. Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T.A., Ho, P.H., Nicollin, X., Oliv-
ero, A., Sifakis, J., Yovine, S.: The algorithmic analysis of hybrid systems. Theoretical
Computer Science 138 (1995) 3–34.
4. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126
(1994) 183–235.
5. Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. Journal of the
ACM 43(1) (January 1996) 116–146.
6. Asarin, E., Maler, O., Pnueli, A.: Reachability analysis of dynamical systems having
piecewise-constant derivatives. Theoretical Computer Science 138(1) (1995) 35–65.
7. Asarin, E., Schneider, G., Yovine, S.: Algorithmic analysis of polygonal hybrid systems,
part I: Reachability. Theoretical Computer Science 379(1-2) (2007) 231–265.
8. Behrmann, G., David, A., Larsen, K.G.: A tutorial on uppaal. In: Formal methods for
the design of real-time systems (SFM-RT’04). Volume 3185 of Lecture Notes in Computer
Science, Springer (2004) 200–236.
9. Bérard, B., Haddad, S.: Interrupt Timed Automata. In: Proceedings of the 12th In-
ternational Conference on Foundations of Software Science and Computation Structures
(FoSSaCS'09). Volume 5504 of Lecture Notes in Computer Science, York, GB, Springer
(March 2009) 197–211.
10. Bérard, B., Haddad, S., Sassolas, M.: Real time properties for interrupt timed automata.
In Markey, N., Wisjen, J., eds.: Proceedings of the 17th International Symposium on
Temporal Representation and Reasoning (TIME'10), IEEE Computer Society (September
2010) 69–76.
11. Bérard, B., Petit, A., Diekert, V., Gastin, P.: Characterization of the expressive power of
silent transitions in timed automata. Fundamenta Informaticae 36(2-3) (1998) 145–182.
12. Bouyer, P.: Forward analysis of updatable timed automata. Formal Methods in System
Design 24(3) (2004) 281–320.
13. Bouyer, P., Brihaye, Th., Jurdziński, M., Lazić, R., Rutkowski, M.: Average-price and
reachability-price games on hybrid automata with strong resets. In Cassez, F., Jard, C.,
eds.: Proceedings of the 6th International Conference on Formal Modelling and Analysis
of Timed Systems (FORMATS'08). Volume 5215 of Lecture Notes in Computer Science,
Saint-Malo, France, Springer (September 2008) 63–77.
14. Bouyer, P., Chevalier, F., Markey, N.: On the expressiveness of TPTL and MTL. In:
Proceedings of the 25th Conference on Foundations of Software Technology and Theoreti-
cal Computer Science (FSTTCS’05). Volume 3821 of Lecture Notes in Computer Science,
Springer (December 2005) 432–443.
15. Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine, S.: KRONOS: A Model-
Checking Tool for Real-Time Systems. In: FTRTFT. (1998) 298–302.
16. Brihaye, T., Bruyère, V., Raskin, J.F.: On model-checking timed automata with stopwatch
observers. Information and Computation 204(3) (2006) 408–433.
17. Brihaye, T., Doyen, L., Geeraerts, G., Ouaknine, J., Raskin, J.F., Worrell, J.: On reacha-
bility for hybrid automata over bounded time. In Aceto, L., Henzinger, M., Sgall, J., eds.:
Proceedings (part II) of the 38th International Colloquium on Automata, Languages and
Programming (ICALP’11). Volume 6756 of Lecture Notes in Computer Science, Springer
(July 2011) 416–427.
18. Cassez, F., Larsen, K.G.: The impressive power of stopwatches. In Palamidessi, C., ed.:
Proceedings of the 11th International Conference on Concurrency Theory (CONCUR'00).
Volume 1877 of Lecture Notes in Computer Science, Springer (2000) 138–152.
19. Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebas-
tiani, R., Tacchella, A.: NuSMV version 2: An opensource tool for symbolic model check-
ing. In: Proceedings of the 14th International Conference on Computer Aided Verification
(CAV’02). Volume 2404 of Lecture Notes in Computer Science, Springer (2002) 241–268.
20. Courcoubetis, C., Yannakakis, M.: Minimum and maximum delay problems in real-time
systems. Formal Methods in System Design 1(4) (1992) 385–415.
21. Demichelis, F., Zielonka, W.: Controlled timed automata. In Sangiorgi, D., de Simone, R.,
eds.: Proceedings of the 9th International Conference on Concurrency Theory (CONCUR'98).
Volume 1466 of Lecture Notes in Computer Science, London, UK, Springer-Verlag (1998) 455–469.
22. Emerson, E.A., Halpern, J.Y.: Decision procedures and expressiveness in the temporal
logic of branching time. In: Proc. 14th annual ACM Symp. on Theory of Computing
(Stoc’82), ACM (1982) 169–180.
23. Fersman, E., Krcal, P., Pettersson, P., Yi, W.: Task automata: Schedulability, decidability
and undecidability. Information and Computation 205(8) (2007) 1149–1172.
24. Henzinger, T.A., Kopke, P.W., Puri, A., Varaiya, P.: What’s decidable about hybrid
automata? Journal of Computer and System Sciences 57(1) (1998) 94–124.
25. Henzinger, T.A., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic model checking for real-time
systems. Information and Computation 111(2) (1994) 193–244.
26. Kesten, Y., Pnueli, A., Sifakis, J., Yovine, S.: Decidable integration graphs. Information
and Computation 150(2) (1999) 209–243.
27. Koymans, R.: Specifying real-time properties with metric temporal logic. Real-Time
Systems 2 (1990) 255–299.
28. Lafferriere, G., Pappas, G.J., Yovine, S.: A new class of decidable hybrid systems. In:
Proceedings of Hybrid Systems : Computation and Control. Volume 1569 of Lecture Notes
in Computer Science, Springer (1999) 137–151.
29. Lafferriere, G., Pappas, G.J., Yovine, S.: Symbolic reachability computation for families
of linear vector fields. Journal of Symbolic Computation 32(3) (2001) 231–253.
30. Maler, O., Manna, Z., Pnueli, A.: From timed to hybrid systems. In Rozenberg, G.,
de Roever, W.P., Huizing, C., de Bakker, J.W., eds.: Real-time: theory in practice, REX
workshop. Volume 600 of Lecture Notes in Computer Science, Springer-Verlag (1992) 447–
484.
31. McManis, J., Varaiya, P.: Suspension automata: A decidable class of hybrid automata.
In: Proceedings of the 6th International Conference on Computer Aided Verification
(CAV’94), London, UK, Springer-Verlag (1994) 105–117.
32. Minsky, M.L.: Computation: finite and infinite machines. Prentice-Hall, Inc., Upper Saddle
River, NJ, USA (1967).
33. Pnueli, A.: The temporal logic of programs. In: Proceedings of the 18th Annual Symposium
on Foundations of Computer Science (FoCS’77), Washington, DC, USA, IEEE Computer
Society (1977) 46–57.
34. Queille, J.P., Sifakis, J.: Specification and verification of concurrent systems in CESAR.
In Dezani-Ciancaglini, M., Montanari, U., eds.: Proceedings of the 5th International Sym-
posium on Programming. Volume 137 of Lecture Notes in Computer Science, London, UK,
Springer-Verlag (1982) 337–351.
35. Raskin, J.F., Schobbens, P.Y.: State clock logic: A decidable real-time logic. In Maler, O.,
ed.: Hybrid and Real-Time Systems. Volume 1201 of Lecture Notes in Computer Science.
Springer Berlin / Heidelberg (1997) 33–47.
36. Roos, C., Terlaky, T., Vial, J.P.: Theory and Algorithms for Linear Optimization. An
Interior Point Approach. Wiley-Interscience, John Wiley & Sons Ltd (1997).
37. Silberschatz, A., Galvin, P.B., Gagne, G.: Operating Systems Concepts. 8th edn. John
Wiley & Sons, Inc. (July 2008).
38. Sistla, A.P., Clarke, E.M.M.: The complexity of propositional linear temporal logics.
Journal of the ACM 32 (July 1985) 733–749.
39. Zaslavsky, T.: Facing up to arrangements: Face-count formulas for partitions of space by
hyperplanes. AMS Memoirs 1(154) (1975).
A Proof of Theorem 4
Let ϕ be a formula in TCTLintc and A an ITA with n levels and E transitions. As in Section 3,
the proof relies on the construction of a finite class graph. The main difference is in the
computation of the n sets of expressions E1, . . . , En. As before, each set Ek is initialized
to {xk, 0} and the expressions in this set are those which are relevant for comparisons with the
current clock at level k. In this case, they include not only guards but also comparisons with
the constraints from the formula. Recall that the sets are computed top down from n to 1,
using the normalization operation.
– At level k, we may assume that expressions in guards of an edge leaving a state are of the
form αxk + Σ_{i<k} ai xi + b with α ∈ {0, 1}. We add −Σ_{i<k} ai xi − b to Ek.
– To take into account the constraints of formula ϕ, we add the following step: For each
comparison C ⊲⊳ 0 in ϕ, and for each k, with norm(C, k) = αxk + Σ_{i<k} ai xi + b (α ∈ {0, 1}),
we also add the expression −Σ_{i<k} ai xi − b to Ek.
– Then we iterate the following procedure until no new term is added to any Ei for 1 ≤ i ≤ k.
1. Let q −(ϕ, a, u)→ q′ with λ(q′) ≥ k and λ(q) ≥ k. If C ∈ Ek, then we add C[u] to Ek.
2. Let q −(ϕ, a, u)→ q′ with λ(q′) ≥ k and λ(q) < k. For C, C′ ∈ Ek, we compute C″ =
norm(C[u] − C′[u], λ(q)). If C″ = αxλ(q) + Σ_{i<λ(q)} ai xi + b with α ∈ {0, 1}, then we
add −Σ_{i<λ(q)} ai xi − b to Eλ(q).
The proof of termination for this construction is similar to the one in Section 3.
We now consider the transition system GA whose set of configurations are the classes
R = (q, {k}1≤k≤λ(q)), where q is a state and k is a total preorder over Ek. The class
R describes the set of valuations ⟦R⟧ = {(q, v) | ∀k ≤ λ(q) ∀(g, h) ∈ Ek, g[v] ≤ h[v] iff
g k h}. The set of transitions is defined as in Section 3. The transition system GA is again
finite and time abstract bisimilar to TA. Moreover, the truth value of each comparison C = Σ_{i≥1} ai·xi + b ⊲⊳ 0 appearing in ϕ can be set for each class R. Indeed, since for every k, both
0 and Σ^{k−1}_{i≥1} ai·xi + b are in the set of expressions Ek, the truth value of C ⊲⊳ 0 does not
change inside a class. Therefore, introducing a fresh propositional variable qC for the constraint
C ⊲⊳ 0, each class R can be labelled with a truth value for each qC. Deciding the truth value
of ϕ can then be done by a classical CTL model-checking algorithm on GA.
The complexity of the procedure is obtained by bounding the number of expressions for
each level k by (E + |ϕ| + 2)^{2n(n−k+1)+1}, and applying the same reasoning as for Proposition 2.
B Proof of Theorem 7
We build an automaton in ITA×TA which simulates a deterministic two counter machine M
(as in the proof of Theorem 3).
Let LM be the set of labels of M. The automaton AM = ⟨Σ, Q, q0, F, pol, X ∪ Y, λ, ∆⟩ is
built to reach its final location Halt if and only if M stops. It is defined as follows:
– Σ consists of one letter per transition.
– Q = LM ∪ (LM × {k0}) ∪ (LM × {k1, k2, r1, . . . , r5} × {>, <}), q0 = ℓ0 (the initial
instruction of M) and F = {Halt}.
– pol : Q → {Urgent, Lazy, Delayed} is such that pol(q) = Urgent iff either q ∈ LM or
q = (ℓ, r2, ⊲⊳), and pol(q) = Lazy in most other cases: some states (ℓ, ki, ⊲⊳) are Delayed,
as shown in Fig. 21 and 22.
– X = {x1, x2, x3} is the set of interrupt clocks and Y = {yc, yd} is the set of standard
clocks with rate 1.
– λ : Q → {1, 2, 3} is the interrupt level of each state. All states in LM and LM × {k0, k1, k2}
are at level 1, as are all states corresponding to r1. States corresponding to r2 and r3 are
at level 2, while the ones corresponding to r4 and r5 are at level 3.
– ∆ is defined through basic modules in the sequel.
The transitions of AM are built within small modules, each one corresponding to one
instruction of M. The value n of c (resp. p of d) in a state of LM is encoded by the value
1 − 1/2^n of clock yc (resp. 1 − 1/2^p of yd).
The idea behind this construction is that for any standard clock y, it is possible to “copy”
the value of k − y in an interrupt clock xi, for some constant k, provided the value of y never
[Fig. 21 (diagram): states with level and policy: ℓ (1, U); (ℓ, k0) (1, L); (ℓ, r1, >) (1, L); (ℓ, r1, <) (1, L); (ℓ, k1, >) (1, L); (ℓ, k1, <) (1, D); (ℓ, k2, >) (1, L); (ℓ, k2, <) (1, L). Transitions: a0_ℓ, x1 := 0; yc = 1, a1_{ℓ,>}, yc := 0; yd = 1, a1_{ℓ,<}, yd := 0; yd = 1, a2_{ℓ,>}, yd := 0; yc = 1, a2_{ℓ,<}, yc := 0; x1 = 1, a3_{ℓ,>}, x1 := 0; x1 = 1, a3_{ℓ,<}, x1 := 0]
Fig. 21 Module taking into account the order between the values of c and d when incrementing c.
exceeds k. To achieve this, we start and reset the interrupt clock, then stop it when y = k.
Note that by the end of the copy, the value of y has changed. Conversely, in order to copy the
content of an interrupt clock xi into a clock y, we switch from level i to level i+1 and reset y
at the same time. When xi+1 = xi, the value of y is equal to the value of xi. Remark that the
form of the guards on xi+1 allows us to copy the value of a linear expression on {x1, . . . , xi}
in y.
For instance, consider an instruction labeled by ℓ incrementing c then going to ℓ′, with
the respective values n of c and p of d, from a configuration where n ≥ p. The corresponding
module A^{c++}_{c≥d}(ℓ, ℓ′) is depicted on Fig. 18 (see main text). In this module, interrupt clock x1
is used to record the value 1/2^n while x2 keeps the value 1/2^p. Assuming that yc = 1 − 1/2^n,
yd = 1 − 1/2^p and x1 = 0 in state (ℓ, r1, >), the unique run in A^{c++}_{c≥d}(ℓ, ℓ′) will end in state ℓ′
with yc = 1 − 1/2^{n+1} and yd = 1 − 1/2^p. The intermediate clock values are shown in Table 3 (see
main text).
The module on Fig. 18 can be adapted for the case of decrementing $c$ by just changing the linear expressions in guards for $x_3$, provided that the final value of $c$ is still greater than the one of $d$. It is however also quite easy to adapt the same module when $n < p$: in that case we store $\frac{1}{2^p}$ in $x_1$ and $\frac{1}{2^n}$ in $x_2$, since $y_d$ will reach 1 before $y_c$. We also need to start $y_d$ before $y_c$ when copying the adequate values in the clocks. The case of decrementing $c$ while $n \leq p$ is handled similarly. In order to choose which module to use according to the ordering between the values of the counters, we use the modules of Fig. 21 and 22. Fig. 21 represents the case when at label $\ell$ we have an increment of $c$ whereas Fig. 22 represents the case when $\ell$ corresponds to decrementing $c$. In that last case the value of $c$ is compared not only to the one of $d$, but also to 0, in order to know which branch of the if instruction is taken. Note that only one of the branches can be taken until the end [6]. Instructions involving $d$ are handled in a symmetrical way.
Automaton $A_{\mathcal{M}}$ is obtained by joining the modules described above through the states of $L_{\mathcal{M}}$. Let us prove that automaton $A_{\mathcal{M}}$ simulates the two counter machine $\mathcal{M}$, so that $\mathcal{M}$ halts iff $A_{\mathcal{M}}$ reaches the Halt state.

Let $\langle \ell_0, 0, 0\rangle \langle \ell_1, n_1, p_1\rangle \ldots \langle \ell_i, n_i, p_i\rangle \ldots$ be a run of $\mathcal{M}$. We show that this run is simulated in $A_{\mathcal{M}}$ by the run $\langle l_0, 0\rangle \rho_0 \langle l_1, v_1\rangle \rho_1 \ldots$ where $\rho_i$ is either empty or a subrun through states in $\{(\ell_i, r_j, \bowtie) \mid j \in \{1, \ldots, 5\},\ \bowtie \in \{>, <\}\}$ (i.e. subruns in modules like $A^{c++}_{c \geq d}$ of Fig. 18). Moreover, it will be the case that
$$\forall i,\quad v_i(y_c) = 1 - \frac{1}{2^{n_i}} \quad\text{and}\quad v_i(y_d) = 1 - \frac{1}{2^{p_i}}$$
This holds at the beginning of the execution of $A_{\mathcal{M}}$. Suppose that we have simulated the subrun up to $\langle \ell_i, n_i, p_i\rangle$. Then we are in state $\ell_i$, with clock $y_c$ being $1 - \frac{1}{2^{n_i}}$ and $y_d$ being $1 - \frac{1}{2^{p_i}}$.
The next configuration of $\mathcal{M}$, $\langle \ell_{i+1}, n_{i+1}, p_{i+1}\rangle$, depends on the content of instruction $\ell_i$, and so do the outgoing transitions of state $\ell_i$ in $A_{\mathcal{M}}$. We consider the case where $\ell_i$ decrements $c$ and goes to $\ell'$ if $c$ is greater than 0 and goes to $\ell''$ otherwise, the other ones being similar. We are therefore in the case of Fig. 22. If $n_i = 0$, the next configuration of $\mathcal{M}$ will be $\langle \ell'', n_i, p_i\rangle$. Conversely, in $A_{\mathcal{M}}$, if $n_i = 0$ then $y_c = 0$, and there is no choice but to enter $\ell''$, leaving all clock values unchanged (because $\ell_i$ is an Urgent state). The configuration of $A_{\mathcal{M}}$ thus satisfies the property. If $n_i > 0$, the next configuration of $\mathcal{M}$ will be $\langle \ell', n_i - 1, p_i\rangle$. In $A_{\mathcal{M}}$, the transition chosen is the one that corresponds to the ordering between $n_i$ and $p_i$. In both cases, similarly to the example of $A^{c++}_{c \geq d}(\ell, \ell')$, the run reaches state $\ell'$ with $y_c = 1 - \frac{1}{2^{n_i - 1}}$ and $y_d$ as before, thus preserving the property. Hence $\mathcal{M}$ halts iff $A_{\mathcal{M}}$ reaches the Halt state.

[6] State policies are used to treat the special cases, e.g. $y_c = y_d = 0$.

[Fig. 22 Module taking into account the order between the values of $c$ and $d$ when decrementing $c$. (Figure not reproduced; recoverable content: the same states as Fig. 21, $\ell$, $(\ell, k_0)$, $(\ell, r_1, \bowtie)$, $(\ell, k_1, \bowtie)$, $(\ell, k_2, \bowtie)$ for $\bowtie \in \{>, <\}$, plus $\ell''$, each annotated with level 1 and a policy U, L or D; transition $a^0_\ell$ now carries guard $y_c > 0$ with reset $x_1 := 0$, an additional transition $a_{\ell,0}$ with guard $y_c = 0$ leads to $\ell''$, and the transitions $a^1_{\ell,\bowtie}$, $a^2_{\ell,\bowtie}$, $a^3_{\ell,\bowtie}$ keep the guards and resets of Fig. 21.)]
The automaton AM is indeed the product of an ITA I and a TA T , synchronized on
actions. Observe that in all the modules described above, guards never mix a standard clock
with an interrupt one. Since each transition has a unique label, keeping only guards and resets
on either the clocks of X or on those of Y yields an ITA and a TA whose product is AM. ⊓⊔
