Abstract. We describe a general automata-theoretic approach for analyzing the verification problems (binary reachability, safety, etc.) of discrete timed automata augmented with various data structures. We give examples of such data structures and exhibit some new properties of discrete timed automata that can be verified. We also briefly consider reachability in discrete timed automata operating in parallel.
Introduction
Ever since the introduction of the model of a timed automaton [AD94], there have been many studies that extend the expressive power of the model (e.g. [BER95,CJ98,CJ99,DIBKS00,IDS00]). For instance, [BER95] considers models of hybrid systems of finite automata supplied with (unbounded) discrete data structures and continuous variables and obtains decidability results for several classes of systems with control variables and observation variables. [CJ99, CJ98] show that the binary reachability of timed automata is expressible in the additive theory of the reals. [DIBKS00] characterizes the binary reachability of discrete timed automata (i.e., timed automata with integer-valued clocks) augmented with a pushdown stack, while [IDS00] looks at queue-connected discrete timed automata.
In this paper, we extend the ideas in [DIBKS00, IDS00] and describe a general automata-theoretic approach for analyzing the verification problems of discrete timed automata augmented with various data structures. Formally, let C be a class of nondeterministic machines with reversal-bounded counters (i.e., each counter can be incremented or decremented by 1 and tested for zero, but the number of alternations between nondecreasing mode and nonincreasing mode is bounded by a constant, independent of the computation) and possibly other data structures, e.g., a pushdown stack, a queue, a read-write worktape, etc. Let A be a discrete timed automaton and M be a machine in C. Denote by A ⊕ M the combined automaton, i.e., A augmented with M (in some precise sense to be defined). We show that if C has a decidable emptiness problem, then the (binary, forward, backward) reachability, safety, and invariance for A ⊕ M are also solvable. We give examples of such C's and exhibit some new properties of discrete timed automata that can be verified:
Supported in part by NSF grant IRI-9700370.
1. For example, let A be a discrete timed automaton with k clocks. For a given computation of A, let $r_i$ be the number of times clock i resets, i = 1, ..., k. Suppose we are interested in computations of A in which the $r_i$'s satisfy a Presburger formula f, i.e., we are interested in the set Q of pairs of configurations (α, β) such that α can reach β in a computation in which the clock resets satisfy f. (A configuration of A is a pair (q, U), where q is a state and U is the set of clock values.) We can show that Q is Presburger. One can also put other constraints, like introducing a parameter $t_i$ for each clock i, and consider computations where the first time i resets to zero is before (or after) time $t_i$. Then $Q(t_1, \ldots, t_k)$ is Presburger.
2. As another example, suppose we are interested in the set S of pairs of configurations (α, β) of a discrete timed automaton A such that there is a computation path (i.e., sequence of states) from α to β that satisfies a property that can be verified by a machine in a class C. If C has a decidable emptiness problem, then S is effectively computable. For example, suppose that the property is for the path to contain three non-overlapping subpaths (i.e., segments of computation) which go through the same sequence of states, and the length of the subpath is no less than 1/5 of the length of the entire path. We can show that S is computable.
The constraints in 1 and 2 can be combined; thus, we can show that the set of pairs of configurations that are in both Q and S is computable.
3. We can equip the discrete timed automaton with one-way write-only tapes which the automaton can use to record certain information about the computation of the system (and perhaps even require that the strings appearing in these tapes satisfy some properties). Such systems can effectively be analyzed.
Finally, we briefly look at reachability in machines (i.e., $A_1 \oplus M_1$ and $A_2 \oplus M_2$) operating in parallel.
Combining Discrete Timed Automata with Other Machines
A timed automaton [AD94] is a finite-state machine augmented with finitely many real-valued clocks. All the clocks progress synchronously with rate 1, except that a clock can be reset to 0 at some transition. Here, we only consider integer-valued clocks. A clock constraint is a Boolean combination of atomic clock constraints of the following form: x#c, x − y#c, where # denotes ≤, ≥, <, >, or =, c is an integer, and x, y are integer-valued clocks. Let $L_X$ be the set of all clock constraints on clocks X. Let Z be the set of integers and N the set of nonnegative integers. Formally, a discrete timed automaton A is a tuple ⟨S, X, E⟩ where
1. S is a finite set of (control) states,
2. X is a finite set of clocks with values in N, and
3. $E \subseteq S \times 2^X \times L_X \times S$ is a finite set of edges or transitions.
Each edge ⟨s, λ, l, s'⟩ in E denotes a transition from state s to state s' with enabling condition l ∈ $L_X$ and a set of clock resets λ ⊆ X. Note that λ may be empty. The meaning of a one-step transition along an edge ⟨s, λ, l, s'⟩ is as follows:
- The state changes from s to s'.
- Each clock changes. If there are no clock resets on the edge, i.e., λ = ∅, then each clock x ∈ X progresses by one time unit. If λ ≠ ∅, then each clock x ∈ λ is reset to 0 while each x ∉ λ remains unchanged.
- The enabling condition l is satisfied.
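As an added illustration (not code from the paper), the one-step semantics above in Python: guards are predicates built from the atoms x#c and x − y#c, and a bounded breadth-first search enumerates computations from a configuration (s, U) while tallying the clock resets $r_i$ that the later examples constrain. The sample automaton and the assumption that the enabling condition is tested on the clock values before the step are mine.

```python
"""Semantics of a discrete timed automaton <S, X, E> as defined above."""
import operator
from collections import deque

# Comparison operators allowed in atomic clock constraints x#c and x-y#c.
OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
       ">": operator.gt, "=": operator.eq}


def atom(x, op, c):
    """Atomic clock constraint x # c, as a predicate on a clock valuation U."""
    return lambda U: OPS[op](U[x], c)


def diff(x, y, op, c):
    """Atomic clock constraint x - y # c (a direct comparison of two clocks)."""
    return lambda U: OPS[op](U[x] - U[y], c)


def step(config, edge):
    """One-step transition along edge <s, resets, guard, s'> from (s, U).

    Returns (s', U') or None when the edge is not enabled.  Assumption: the
    enabling condition is evaluated on the clock values before the step.
    No resets: every clock progresses by one time unit; otherwise the reset
    clocks become 0 and every other clock keeps its value.
    """
    s, U = config
    src, resets, guard, dst = edge
    if s != src or not guard(U):
        return None
    if not resets:
        return dst, {x: v + 1 for x, v in U.items()}
    return dst, {x: (0 if x in resets else v) for x, v in U.items()}


def bounded_reach(edges, alpha, beta, max_steps, reset_pred=lambda r: True):
    """Breadth-first search for a computation alpha -> beta of at most
    max_steps transitions whose reset counts r (r[x] = number of resets of
    clock x on the path) satisfy reset_pred, the constraint of Example 2.
    Returns the list of edges taken, or None.  This is a bounded search, not
    the paper's construction, which decides full binary reachability.
    """
    queue = deque([(alpha[0], dict(alpha[1]), {x: 0 for x in alpha[1]}, [])])
    seen = set()
    while queue:
        s, U, r, path = queue.popleft()
        if (s, U) == beta and reset_pred(r):
            return path
        if len(path) == max_steps:
            continue
        for e in edges:
            nxt = step((s, U), e)
            if nxt is None:
                continue
            nr = {x: r[x] + (1 if x in e[1] else 0) for x in U}
            key = (nxt[0], tuple(sorted(nxt[1].items())),
                   tuple(sorted(nr.items())))
            if key not in seen:
                seen.add(key)
                queue.append((nxt[0], nxt[1], nr, path + [e]))
    return None


# Constructed sample automaton: clocks x, y; states a, b.
EDGES = [
    ("a", frozenset(), lambda U: True, "a"),               # idle, clocks tick
    ("a", frozenset({"x"}), atom("x", ">=", 2), "b"),      # reset x once x >= 2
    ("b", frozenset(), diff("y", "x", "<=", 3), "b"),      # tick while y - x <= 3
    ("b", frozenset({"x", "y"}), atom("y", ">", 3), "a"),  # reset both when y > 3
]
ALPHA = ("a", {"x": 0, "y": 0})
BETA = ("b", {"x": 1, "y": 3})

if __name__ == "__main__":
    path = bounded_reach(EDGES, ALPHA, BETA, 6)
    print(len(path), "steps, x reset", sum("x" in e[1] for e in path), "time(s)")
```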
The notion of a discrete timed automaton defined above is slightly different from, but easily shown equivalent to, the standard definition of a (discrete) timed automaton in [AD94] (see [DIBKS00]). Now consider a class C of acceptors, where each machine M in the class is a nondeterministic finite automaton augmented with finitely many counters, and possibly other data structures. Note that the counters can only hold nonnegative integers. There is no loss of generality since the states can remember the signs. The language accepted by M is denoted by L(M). We will only be interested in C's with a decidable emptiness problem. This is the problem of deciding, for a given acceptor M in C, whether L(M) is empty. Since the emptiness problem for finite automata augmented with two counters is undecidable [M61], we will need to put some restrictions on the operation of the counters.
Let r be a nonnegative integer. We say that a counter is r-reversal if the counter changes mode from nondecreasing to nonincreasing and vice versa at most r times, independent of the computation. So, for example, a counter whose values change according to the pattern 0 1 1 2 3 3 3 4 5 5 5 4 3 2 1 1 0 0 1 1 2 3 3 is 2-reversal. When we say that the counters are reversal-bounded, we mean that we are given an integer r such that each counter is r-reversal. From now on, we will assume that the acceptors in C have reversal-bounded counters.
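A small added check (not from the paper) that counts mode changes in a sequence of counter values, applied to the pattern above and to a constructed clock trace in which every reset costs a reversal, which is why the clock-counters of a timed automaton are not reversal-bounded; the helper names are my own.

```python
def count_reversals(values):
    """Number of times a counter's value sequence switches between
    nondecreasing and nonincreasing mode.  Steps that leave the value
    unchanged belong to the current mode; the first change fixes it."""
    mode, reversals = None, 0   # mode: +1 nondecreasing, -1 nonincreasing
    for prev, cur in zip(values, values[1:]):
        if cur == prev:
            continue
        d = 1 if cur > prev else -1
        if mode is None:
            mode = d
        elif d != mode:
            reversals += 1
            mode = d
    return reversals


def is_r_reversal(values, r):
    """True if the sequence is r-reversal, i.e., makes at most r mode changes."""
    return count_reversals(values) <= r


def clock_trace(n_steps, reset_at):
    """Values of a discrete clock that ticks by 1 and is reset to 0 at the
    given step indices (constructed input: each reset that follows at least
    one tick is a reversal, so the count grows with the number of resets)."""
    values, x = [0], 0
    for t in range(1, n_steps + 1):
        x = 0 if t in reset_at else x + 1
        values.append(x)
    return values


# The pattern used in the paper's definition: 2-reversal.
PAPER_PATTERN = [0, 1, 1, 2, 3, 3, 3, 4, 5, 5, 5, 4, 3, 2, 1, 1, 0, 0, 1, 1, 2, 3, 3]

if __name__ == "__main__":
    print(count_reversals(PAPER_PATTERN))                  # 2
    print(count_reversals(clock_trace(20, {4, 9, 15})))    # two per reset: 6
```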
We can extend the acceptors in C to multitape acceptors by providing them with multiple one-way read-only input tapes. Thus, a k-tape acceptor now accepts a k-tuple of words (strings). We call the resulting class of acceptors C(k). The emptiness problem for C(k) is deciding for a given k-tape acceptor M , whether it accepts an empty set of k-tuples of strings. We denote C(1) simply by C. One can easily show the following:
Theorem 1. If the emptiness problem for C is decidable, then the emptiness problem for C(k) is decidable.
In the rest of the paper, we will assume that C has a decidable emptiness problem. In the area of verification, we are mostly interested in the "behavior" of machines rather than their language-accepting capabilities. When dealing with machines in C without inputs, we shall refer to them simply as machines. Thus, when we say "a machine M in C", we mean that M has no input tape.
Let A be a discrete timed automaton and M a machine in class C (hence, M has no input tape!). Let A ⊕ M be the machine obtained by augmenting A with M. So, e.g., if M is a machine with a pushdown stack and reversal-bounded counters, then A ⊕ M will be a discrete pushdown timed automaton with reversal-bounded counters. We will describe more precisely how A ⊕ M operates later. Let Reach(A ⊕ M) be the set of all pairs of configurations (α, β) of A ⊕ M such that α can reach β; this set is the binary reachability of A ⊕ M. We assume that the configurations are represented as strings over some alphabet, where the components of a configuration are separated by markers and the clock and counter values are represented in unary. We also assume that each of the following tasks can be implemented on a machine M in C: (i) M, when given a configuration α = (s, U, q, V, v(D)) of A ⊕ M on its input tape, can represent this configuration in its counters and data structures, i.e., M can read α and record the states s and q, store the set of values of U and V in appropriate counters, and store v(D) in its data structures. (ii) M, when given a configuration α on its input tape, can check if α represents its current configuration (this task is the converse of (i)).
In the following, A is a discrete timed automaton and M is a machine in C; FCA refers to a nondeterministic finite automaton (acceptor) augmented with reversal-bounded counters.
Theorem 2. We can effectively construct a 2-tape acceptor in C(2) accepting Reach(A ⊕ M). Note that the input to the 2-tape acceptor is a pair of configurations (α, β), where α (β) is on the first (second) tape.
We sketch the proof of the above theorem in the next section for a particular class C. We omit the proofs of the next four theorems in this extended abstract.

We can equip A ⊕ M with a one-way input tape. In order to do this, we simply change the format of the transition edges of A to 5-tuples ⟨s, λ, l, s', a⟩ in E, where a denotes an input symbol or ε (the null string). The meaning of this edge is as before, but now A can read a symbol or a null string at each transition. We also define a subset of the states of A as accepting states. Then A ⊕ M becomes an acceptor. Note that A and M will now start on some prescribed initial configurations (e.g., A is initialized to its start state with all clocks zero, M is initialized to its start state with all counters zero and the other data structures properly initialized). We can prove:

We can also equip the multitape A ⊕ M acceptor with one-way output tapes. But, clearly, these output tapes can also be viewed as input tapes (since writing can be simulated by reading). Hence, the analysis of a multi-input-tape multi-output-tape A ⊕ M reduces to the analysis of a multi-input-tape A ⊕ M.
Examples of C
We sketch the proof of Theorem 2 for the class C, where each machine is a nondeterministic machine with a pushdown stack and finitely many reversal-bounded counters. Call a machine in this class a PCM, and a PCA when it has an input tape (i.e., it is an acceptor). It is known that the emptiness problem for PCAs is decidable [I78]. Let A be a discrete timed automaton and M be a PCM. We describe precisely how A ⊕ M operates.
A configuration of the timed automaton A is of the form (s, U ), where s is the state and U is the set of clock values. Now machine M has states, pushdown stack, and reversal-bounded counters. A move of M is defined by a transition function δ.
- q is the state, Z is the topmost stack symbol, and $s_i$ is the status of counter i (i.e., zero or non-zero). $R(\langle s, \lambda, l, s' \rangle, q, Z, s_1, \ldots, s_k) = \{t_1, \ldots, t_m\}$. Note that the outcome of this transition (i.e., the right side of the rule) depends not only on ⟨s, λ, l, s'⟩ but also on the current state, the status of the counters, and the topmost symbol of the stack. This R is then followed by a sequence of transitions by M (using the transition function δ). Thus the use of ENTER(M, R) allows the combined machine to update the configuration of M through a sequence of M's transitions. After some amount of computation, M returns control to A by entering a special state or command RETURN. When this happens, A will now be in state s'. Thus the computation of A ⊕ M is like that of a timed automaton, except that between each transition of A, the system calls M to do some computation.
A configuration of the system is a tuple of the form α = (s, U, q, V, w). Thus, a configuration is one after the execution of a (possibly empty) sequence of (ENTER, RETURN) commands. Note that a configuration can be represented as a string where the clock values U and counter values V are represented in unary and the components of the tuple separated by markers.
As defined earlier, the binary reachability is Reach(A ⊕ M) = the set of all pairs of configurations (α, β), where α can reach β. We will show that Reach(A ⊕ M) can be accepted by a 2-tape PCA. Note that the input to the acceptor is a pair of strings (α, β), where α (β) is on the first (second) tape.
First we note that we can view the clocks in a discrete timed automaton A as counters, which we shall also refer to as clock-counters. In a reversal-bounded multicounter machine, only standard tests (comparing a counter against 0) and standard assignments (increment or decrement a counter by 1, or simply no-change) are allowed. But clock-counters in A have neither standard tests nor standard assignments. The reasons are as follows. A clock constraint allows comparison between two clocks, like $x_2 - x_1 > 7$. Note that using only standard tests we cannot directly compare the difference of two clock-counter values against an integer like 7 by computing $x_2 - x_1$ in another counter, since each time this computation is done it causes at least one counter reversal, and the number of such tests during a computation can be unbounded. The clock progress x := x + 1 is standard, but the clock reset x := 0 is not. Since there is no bound on the number of clock resets, clock-counters may not be reversal-bounded (each reset causes a counter reversal).
We first prove an intermediate result. Define a semi-PCA as a PCA which, in addition to a stack and reversal-bounded counters, has clock-counters that use nonstandard tests and assignments as described in the preceding paragraph.
Lemma 1. We can effectively construct, given a discrete timed automaton A and a PCM M, a 2-tape semi-PCA B accepting Reach(A ⊕ M).
Proof. We describe the construction of the 2-tape semi-PCA B. Given a pair of configurations (α, β) on its two input tapes, B first copies α into its counters and stack (these include the clock-counters). Then B simulates the ("alternating" mode of) computation of A ⊕ M starting from configuration α as described above. It is clear that B can do this. After some time, B guesses that it has reached the configuration β. It then checks that the values of the counters and stack match those on the second input tape. B accepts if the check succeeds. However, there is a slight complication because the pushdown stack content is in "reverse". If the stack content on the second tape is written in reverse, there is no problem. Otherwise, one can get around this difficulty if the comparison of the stack content with the second tape is done during the simulation instead of waiting until the end of the simulation. This involves guessing, for each position of the stack, the last time M rewrites this position, i.e., that the symbol would not be rewritten further in reaching configuration β. We omit the details.
The next lemma converts the 2-tape semi-PCA to a 2-tape PCA. The proof uses a technique in [DIBKS00] (see also [IDS00]).
Lemma 2. We can effectively construct from the 2-tape semi-PCA B, a 2-tape PCA C equivalent to B.
Proof. The 2-tape PCA C operates like B, but the simulation of A ⊕ M differs in the way A is simulated. Let A have clock-counters $x_1, \ldots, x_k$. Let m be one plus the maximal absolute value of all the integer constants that appear in the tests (i.e., the clock constraints on the edges of A in the form of Boolean combinations of $x_i \# c$,

From the above lemmas, we have:
Theorem 8. We can effectively construct, given a discrete timed automaton A and a PCM M, a 2-tape PCA accepting Reach(A ⊕ M).
One can generalize Theorem 8. Extend a PCA acceptor by allowing the machine to have multiple pushdown stacks. Thus the machine will have multiple reversal-bounded counters and multiple stacks (ordered by name, say $S_1, \ldots, S_m$). The operation of the machine is restricted in that it can only read the topmost symbol of the first nonempty stack. Thus a move of the machine depends only on the current state, the input symbol (or ε), the status of each counter (zero or nonzero), and the topmost symbol of the first stack, say $S_i$, that is not empty (initially, all stacks are set to some starting top symbol). The action taken in the move consists of the input being consumed, each counter being updated (+1, -1, 0), the topmost symbol of $S_i$ being popped and a string (possibly empty) being pushed onto each stack, and the next state being entered. This acceptor, call it an MPCA, was studied in [D00] as a generalization of a PCA [I78] and a generalization of a multipushdown acceptor [CBCC96]. Thus an MPCA with only one stack reduces to a PCA.
By combining the techniques in [I78] and [CBCC96] , it was shown in [D00] that the emptiness problem for MPCAs is decidable. An MPCA without an input tape will be called an MPCM. By a construction similar to that of Theorem 8, we can prove the next result. Note that checking that the contents of the stacks at the end of the simulation are the same as the stack words in the target configuration does not require the latter to be in reverse (or need special handling), since we can first reverse the stack contents by using another set of pushdown stacks and then check that they match the stack words in the target configuration.
Theorem 9. We can effectively construct, given a discrete timed automaton A and an MPCM M , a 2-tape MPCA accepting Reach(A ⊕ M ).
Other examples of classes C that can be shown to have a decidable emptiness problem are given below. Thus, the results in Section 2 apply.
1. Nondeterministic machines with reversal-bounded counters and a two-way read/write worktape that is restricted in that the number of times the head crosses the boundary between any two adjacent cells of the worktape is bounded by a constant, independent of the computation (thus, the worktape is finite-crossing). There is no bound on how long the head can remain on a cell [IBS00].
2. Nondeterministic machines with reversal-bounded counters and a queue that is restricted in that the number of alternations between non-deletion phases and non-insertion phases is bounded by a constant [IBS00]. A non-deletion (non-insertion) phase is a period consisting of insertions (deletions) and no-changes, i.e., steps in which the queue is idle. Without the restriction, emptiness is undecidable, since it is known that a finite-state machine with an unrestricted queue can simulate a Turing machine.
Finally, as mentioned in the paragraph preceding Theorem 7, we can provide the machine A ⊕ M with an input tape. The language accepted by such an acceptor can be shown to be accepted by an acceptor $M'$ which belongs to the same class as M (the simulation is similar to the one described in Lemmas 1 and 2). Thus, Theorem 7 follows.
Applications
In this section we exhibit some properties of timed automata that can be verified using the results above.
Example 1. (Real-time) pushdown timed systems with "observation" counters were studied in [BER95]. The purpose of these counters is to record information about the evolution of the system and to reason about certain properties (e.g., the number of occurrences of certain events in some computation). The counters do not participate in the dynamics of the system, i.e., they are never tested by the system. A transition edge specifies for each observation counter an integral value (positive, negative, zero) to be added to the counter. Of interest are the values of the counters when the system reaches a specified configuration. It was shown in [BER95] that region reachability is decidable for these systems.
Clearly, for the discrete case, such a system can be simulated by the machine A ⊕ M described in the previous section. We associate in M two counters for each observation counter: one counter keeps track of the positive increases and the other counter keeps track of the negative increases. When the target configuration is reached, the difference can be computed in one of the counters. Note that the sign of the difference can be specified in another counter, which is set to 0 for negative and 1 for positive. Thus, from Theorems 2-6, (binary, forward, backward) reachability, safety, and invariance are solvable for these systems.
Example 2. Let A be a discrete timed automaton and M be a nondeterministic pushdown machine with reversal-bounded counters. For a given computation of A ⊕ M, let $r_i$ be the number of times clock $x_i$ resets. Suppose we are interested in computations in which the $r_i$'s satisfy a Presburger formula f, i.e., we are interested in (α, β) in Reach(A ⊕ M) such that α can reach β in a computation in which the clock resets satisfy f. It is known that a set of k-tuples is definable by a Presburger formula f if and only if it is definable by a reversal-bounded multicounter machine [I78]. (Thus, a machine $M_f$ with no input tape but with reversal-bounded counters can be effectively constructed from f such that, when the values of the first k counters are set to the k-tuple and all the other counters are initially zero, $M_f$ enters an accepting state if and only if the k-tuple satisfies f. In fact, $M_f$ can be made deterministic [I78].) It follows that we can construct a 2-tape pushdown acceptor with reversal-bounded counters $M'$ accepting the set Q of pairs of configurations (α, β) in Reach(A ⊕ M) such that α can reach β in a computation in which the clock resets satisfy f. One can also put other constraints, like introducing a parameter $t_i$ for each clock i, and consider computations where the first time clock i resets to zero is before (or after) time $t_i$. We can construct a 3-tape acceptor $M''$ from $M'$ accepting $Q(t_1, \ldots, t_k)$. $M''$ first reads the parameters $t_i$ (which are given on the third input tape) and then simulates $M'$, checking that the constraint on the first time clock i resets is satisfied. Note that if M has no pushdown stack, then Q and $Q(t_1, \ldots, t_k)$ are Presburger.
Example 3. As another example, suppose we are interested in the set S of pairs of configurations (α, β) of a discrete timed automaton A such that there is a computation path (i.e., sequence of states) from α to β that satisfies a property that can be verified by an acceptor in a class C. If C has a decidable emptiness problem, then S is effectively computable. For example, suppose that the property is for the path to contain three non-overlapping subpaths (i.e., segments of computation) which go through the same sequence of states, and the length of the subpath is no less than 1/5 of the length of the entire path. Thus if p is the computation path, there exist subpaths $p_1, \ldots, p_7$ (some may be null) such that $p = p_1 p_2 p_3 p_4 p_5 p_6 p_7$, where $p_2$, $p_4$, and $p_6$ go through the same sequence of states, and length of $p_2$ = length of $p_4$ = length of $p_6$ is no less than 1/5 of the length of p. We can check this property by incorporating a finite-crossing read-write tape into the machine (actually, the head need only make 5 crossings on the read-write tape).
Example 4. We can equip A ⊕ M with one-way write-only tapes which the machine can use to record certain information about the computation of the system (and perhaps even requiring that the strings appearing in these tapes satisfy some properties). From Corollary 1, such systems can effectively be analyzed.
Reachability in Parallel Discrete Timed Automata
The technique of using the reversal-bounded counters to record and compare various integers (like the running times of the machines) in the proofs in Section 3 can be used to decide some reachability questions concerning machines operating in parallel. We give two examples below.
Let $A_1, A_2$ be discrete timed automata and $M_1, M_2$ be PCMs. Recall from Section 3 that a configuration of
Suppose we are given a pair of configurations $(\alpha_1, \beta_1)$ of $A_1 \oplus M_1$ and a pair of configurations $(\alpha_2, \beta_2)$ of $A_2 \oplus M_2$, and we want to know if $A_i \oplus M_i$ when started in configuration $\alpha_i$ can reach configuration $\beta_i$ at some time $t_i$, with $t_1$ and $t_2$ satisfying a given linear relation $L(t_1, t_2)$ definable by a Presburger formula. (Thus, e.g., if the linear relation is $t_1 = t_2$, then we want to determine if $A_1 \oplus M_1$ when started in configuration $\alpha_1$ reaches $\beta_1$ at the same time that $A_2 \oplus M_2$ when started in $\alpha_2$ reaches $\beta_2$.) This reachability question is decidable. The idea is the following. First note that we can incorporate a counter in $M_i$ that records the running time $t_i$ of $A_i \oplus M_i$. Let $Z_i$ be a 2-tape PCA accepting $R(A_i \oplus M_i)$. We construct a 4-tape PCA Z which, when given $\alpha_1, \beta_1, \alpha_2, \beta_2$ on its 4 tapes, first simulates the computation of $Z_1$ to check that $\alpha_1$ can reach $\beta_1$, recording the running time $t_1$ (which is in configuration $\beta_1$) of $A_1 \oplus M_1$ in a counter. Z then simulates $Z_2$. Finally, Z checks that the running times $t_1$ and $t_2$ satisfy the given linear relation (which can be verified since Presburger formulas can be evaluated by nondeterministic reversal-bounded multicounter machines). Since the emptiness problem for PCAs is decidable, decidability of reachability follows.
We can allow the machines $A_1 \oplus M_1$ and $A_2 \oplus M_2$ to share a common input tape, i.e., each machine has a one-way read-only input head (see the paragraph preceding Theorem 7). A configuration $\alpha_i$ will now be a 7-tuple $\alpha_i = (s_i, U_i, q_i, V_i, w_i, h_i)$, where $h_i$ is the position of the input head on the common input x. One can show that if both $A_1 \oplus M_1$ and $A_2 \oplus M_2$ have a one-turn stack (or an unrestricted counter), then reachability is undecidable, even if they have no reversal-bounded counters and the linear relation is $t_1 = t_2$. However, if only one of $A_1 \oplus M_1$ and $A_2 \oplus M_2$ has an unrestricted pushdown stack, then reachability is decidable. The idea is to construct a 5-tape PCA which, when given $\alpha_1, \beta_1, \alpha_2, \beta_2, x$, simulates $M_1$ and $M_2$ in parallel on the input x, recording their running times, and then checks that the linear relation is satisfied.
Note that the above results generalize to any number, k, of machines $A_i \oplus M_i$ (i = 1, ..., k) operating in parallel.
Conclusions
We showed that a discrete timed automaton augmented with a machine with reversal-bounded counters and possibly other data structures from a class C of machines can be effectively analyzed with respect to reachability, safety, and other properties if C has a decidable emptiness problem. We gave examples of such C's and examples of new properties of discrete timed automata that can be verified. We also showed that reachability in parallel machines can be effectively decided. It would be interesting to look for other classes of C's with decidable emptiness problem.
