The verification of systems combining hard timing constraints with concurrency is challenging. This challenge becomes even harder when some timing constants are missing or unknown. Parametric timed formalisms, such as parametric timed automata (PTAs), tackle the synthesis of such timing constants (seen as parameters) for which a property holds. Such formalisms are highly expressive, but also undecidable, and few decidable subclasses were proposed. We propose here a syntactic restriction on PTAs consisting in removing guards (constraints on transitions) to keep only invariants (constraints on locations). While this restriction preserves the expressiveness of PTAs (and therefore their undecidability), an additional restriction on the type of constraints makes it possible not only to prove decidability, but also to perform the exact synthesis of parameter valuations satisfying reachability. This formalism, which seems trivial at first sight as it benefits from the decidability of the reachability problem with a better complexity than Timed Automata (TAs), suffers from the undecidability of the whole TCTL logic, whose decidability TAs, on the contrary, enjoy. We believe our formalism allows for an interesting trade-off between decidability and practical expressiveness and is therefore promising. We show its applicability in a small case study.
I. INTRODUCTION
The verification of systems combining hard timing constraints with concurrency is challenging. This challenge becomes even harder when some timing constants are missing or unknown. Parametric timed formalisms tackle the synthesis of such timing constants (seen as parameters) for which a property holds. A well-known such formalism is parametric timed automata [1] , a formalism extending finite-state automata with clocks [2] , that can be compared to either integer constants or to integer-valued or real-valued parameters along guards (over transitions) or in invariants (in locations). Such formalisms are highly expressive, but also highly undecidable, and only a few decidable subclasses were proposed.
In the PTA literature, the main problem studied is EF-emptiness ("is the set of valuations for which a given location is reachable for at least one run empty?"): it is "robustly" undecidable in the sense that, even when varying the setting, undecidability is preserved. For example, EF-emptiness is undecidable even for a single bounded parameter [3] , even for a single rational-valued or integer-valued parameter [4] , even with only one clock compared to parameters [3] , or with strict constraints only [5] (see [6] for a survey). Decidability can be obtained using two main directions.
First, reducing the number of clocks may lead to decidability: for example, decidability is ensured in some restrictive settings such as over discrete time with a single parametric clock (i. e., compared to parameters in at least one guard) [1] , or over discrete or dense time with one parametric clock and arbitrarily many non-parametric clocks [7] , [4] , or over discrete time with two parametric clocks and a single parameter [7] . But the practical power of these restrictive settings remains unclear.
Second, restricting the syntax may also lead to decidability, notably on two main subclasses: in [8] , L/U-PTAs are proposed as a subclass where parameters are partitioned into upper-bound parameters (only compared to clocks as upper-bounds, i. e., of the form x > p or x ≥ p, where x is a clock and p a parameter) and lower-bound parameters. While L/U-PTAs benefit from the decidability of EF-emptiness [9] , [10] , AF-emptiness ("is the set of valuations for which a given location is reachable for all runs empty?") is undecidable [9] ; even more annoying, it is impossible to achieve exact synthesis, even for EF: that is, it is not possible in general to compute the set of parameter valuations for which a given location is reachable. A second restriction of the syntax is proposed in [11] : in reset-PTAs, whenever a clock is compared to a parameter, all clocks must be reset (possibly to parameters, which extends the original PTA syntax). While exact synthesis over bounded rational-valued parameters can be achieved for EF, resetting all clocks as soon as one clock is compared to a parameter is a strong practical restriction, and is dedicated to systems that have some cyclic, repetitive behavior.
a) Contribution: In this work, we propose an original subclass of parametric timed automata, with interesting practical results. We restrict the expressive power by disallowing guards in the model, therefore leaving the model with only invariants.
On the one hand, we show that this model of PTAs with only invariants (PTAs I ) is at least as expressive as the original PTAs, and therefore inherits its notorious undecidability results.
On the other hand, by restraining the shape of the constraints in these invariants, giving PTAs with only invariants and upper-bound constraints (PTAs U I ), we get decidability results independently of the number of clocks or parameters used. In addition, we show that we can synthesize the exact set of parameters for which reachability (EF) properties hold. This result is particularly welcome, as existing classes for which decidability of the emptiness problems holds do not usually guarantee the possibility to perform synthesis: the best-known existing subclass of PTAs, i. e., L/U-PTAs, benefits from decidability results [8] , [10] but synthesis cannot be achieved, even over integer-valued parameters [9] . Our formalism of PTAs U I is the first of its kind to allow for exact synthesis over unbounded, rational-valued parameters (in contrast to [8] , [10] , [11] ) without imposing conditions on the number of clocks or parameters (in contrast to [7] , [4] ), nor imposing frequent resets (in contrast to [11] ). This makes this formalism promising, together with a still interesting expressive power. In fact, we show that for more complex properties (e. g., nested TCTL formulas), PTAs U I become undecidable, which shows that our formalism is far from featuring a trivial expressiveness. We also exemplify our formalism on a case study, where we model a data streaming protocol using PTAs U I .
b) Outline: Section II recalls the necessary preliminaries, introduces the class of PTAs without guards (PTAs I ) and the problems of interest. Section III proves that reachability is undecidable for PTA I . Section IV introduces an additional restriction (PTAs U I ), and proves decidability of the emptiness problems of reachability, together with the possibility to perform synthesis. In contrast, we show that TCTL-emptiness is undecidable for PTAs U I , making it an expressive formalism at the border between decidability and undecidability.
Section V exemplifies our formalism on a case study. Section VI concludes the paper and proposes some perspectives.
II. PRELIMINARIES

A. Clocks, parameters and parametric clock constraints
We assume a set X = {x 1 , . . . , x H } of clocks, i. e., real-valued variables that evolve at the same rate. A clock valuation is a function w : X → R + . We identify a clock valuation w with the point (w(x 1 ), . . . , w(x H )) of R H + . We write 0 for the clock valuation assigning 0 to all clocks. Given d ∈ R + , w +d denotes the valuation s.t. (w+d)(x) = w(x)+d, for all x ∈ X. Given R ⊆ X, we define the reset of a valuation w, denoted by [w] R , as follows:
We assume a set P = {p 1 , . . . , p M } of parameters, i. e., unknown constants. A parameter valuation v is a function v : P → Q + .
We assume ∈ {<, ≤, =, ≥, >} and ∈ {<, ≤}. A parametric clock constraint pcc is a constraint over X ∪ P defined by a set of inequalities of the form x 1≤i≤M α i p i + d, with α i ∈ {0, 1} and d ∈ Z. Given pcc, we write w |= v(pcc) if the expression obtained by replacing each x with w(x) and each p with v(p) in pcc evaluates to true.
B. Parametric timed automata
Let AP be a set of atomic propositions. We first recall PTAs [1] .
• P is a finite set of parameters,
• I is the invariant, assigning to every ∈ L a parametric clock constraint I( ),
• E is a finite set of edges (or transitions) e = ( , g, a, R, ) where , ∈ L are the source and target locations, a ∈ Σ, R ⊆ X is a set of clocks to be reset, and the guard g is a parametric clock constraint.
Given a parameter valuation v, we denote by v(A) the nonparametric structure where all occurrences of a parameter p i have been replaced by v(p i ). We denote as a timed automaton any structure v(A). 1 A bounded PTA is a PTA with a bounded parameter domain that assigns to each parameter a minimum integer bound and a maximum integer bound. That is, each
Hence, a bounded parameter domain is a hyperrectangle of dimension M .
Let us first recall the concrete semantics of TAs.
Definition 2 (Concrete semantics of a TA). Given a PTA A = (Σ, L, L, 0 , X, P, I, E), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s 0 , →), with
consists of the discrete and (continuous) delay transition relations:
Moreover we write ( , w) e −→ ( , w ) for a combination of a delay and discrete transition where 
such that for all i = 0, 1, . . . , e i ∈ E, and (s i , e i , s i+1 ) ∈ →. Given a state s = ( , w), we say that s is reachable if s appears in a run of v(A), or simply that is reachable in v(A), if there exists a state ( , w) that is reachable. By extension, we say that a label lb is reachable in v(A) if there exists a state ( , w) that is reachable such that lb ∈ L( ).
Given a parameter valuation v and a run of v(
we define the length of a run as the number of edges in ρ.
A maximal run is a run that is either infinite (i. e., contains an infinite number of discrete transitions), or that cannot be extended by a discrete transition. Given a run ρ of v(A), time(ρ) gives the total sum of the delays d along ρ.
C. A new syntactic restriction
We now introduce the first main restriction of our formalism, that consists in removing guards from PTAs.
Definition 3.
A PTA with only invariants (PTA I ) is a PTA where, in each transition, g is always true, i. e., is an empty set of inequalities.
D. Timed CTL
TCTL [12] is the quantitative extension of CTL where temporal modalities are augmented with constraints on duration. Formulae are interpreted over TTS.
Given ap ∈ AP and c ∈ N, a TCTL formula is given by the following grammar:
A reads "always", E reads "exists", and U reads "until". Standard abbreviations include Boolean operators as well as EF c ϕ for E U c ϕ, AF c ϕ for A U c ϕ and EG c ϕ for ¬AF c ¬ϕ. (F reads "eventually" while G reads "globally".)
Definition 4 (Semantics of TCTL). Given a TA v(A), the following clauses define when a state s i of its TTS (S, s 0 , →) satisfies a TCTL formula ϕ, denoted by s i |= ϕ, by induction over the structure of ϕ (semantics of Boolean operators is omitted):
In EϕU c Ψ the classical until is extended by requiring that ϕ be satisfied within a duration (from the current state) verifying the constraint " c". Given v, a PTA U I A and a TCTL formula ϕ, we write v(A) |= ϕ when s 0 |= ϕ.
We define flat TCTL as the subset of TCTL where, in EϕU c ϕ and AϕU c ϕ, ϕ must be a formula of propositional logic (a Boolean combination of atomic propositions).
E. Problems
In this paper, we address the following problems:
TCTL-emptiness problem: INPUT: a PTA I A and a TCTL formula ϕ PROBLEM: is the set of valuations v such that v(A) |= ϕ empty?
TCTL-synthesis problem:
INPUT: a PTA I A and a TCTL formula ϕ PROBLEM: synthesize the set of valuations v such that v(A) |= ϕ.
We will focus notably on the TCTL formula "EF" expressing reachability [2] . That is, EF-emptiness asks whether the set of parameter valuations for which a given location is reachable for at least one run is empty or not. Similarly, EF-synthesis asks to synthesize these valuations.
III. THE POWER OF INVARIANTS IN PTAS
In this section, we show that the expressive power of invariants in PTAs is surprisingly high: in fact, we show that a PTA with guards but without invariants can be transformed to an equivalent PTA I . As most undecidability results for PTAs hold even without invariants, our transformation shows that PTA I are (at least) as expressive as PTAs, and therefore as undecidable too. Notably, the simplest problem for PTAs (EF-emptiness) is undecidable for PTAs I .
A. Transforming guards into invariants
Let us describe our transformation from a PTA A without invariants to a PTA I T (A). For each edge e = ( 1 , g, a, R, 2 ) of A, we add in T (A) a new location 1 with invariant I( 1 ) = g and replace e with a transition that is always true from 1 to 1 with action a and no reset: e = ( 1 , true, a, ∅, 1 ). Then we add a unique transition from 1 to 2 that is always true, without action and with the original resets R of e: e = ( 1 , true, , R, 2 ) ( denotes the silent action; note that actions do not matter much in our setting anyway as we are concerned with reachability properties).
Example 1. An example of this transformation is given in Fig. 1 . The transition (say e) from 1 to 2 in Fig. 1a is translated into 1) a new transition from 1 to a new location 1 with as invariant the guard of the original transition e, i. e., x ≤ p, and 2) a new transition from 1 to 2 with the same reset as the one of the original transition e, i. e., x := 0. This translation is exemplified in Fig. 1b . The guard on the transition from 2 to 3 is translated similarly.
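The construction of T(A) described in this subsection, as an added Python sketch (not code from the paper or from IMITATOR). Constraints are kept as plain strings; the `Edge` and `PTA` classes, the `eps` label for the silent action and the naming of intermediate locations are assumptions of this example, and only the first edge of the sample automaton follows Fig. 1 as described in the text, the other two being constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    src: str
    guard: str            # parametric clock constraint as text; "true" = no constraint
    action: str
    resets: frozenset     # clocks reset to 0 when the edge is taken
    dst: str


@dataclass
class PTA:
    locations: set
    invariants: dict      # location -> constraint text ("true" when there is none)
    edges: list


def guards_to_invariants(a: PTA) -> PTA:
    """Build T(A): every guard of A becomes the invariant of a fresh location."""
    if any(a.invariants.get(loc, "true") != "true" for loc in a.locations):
        raise ValueError("the transformation is defined for PTAs without invariants")
    locations = set(a.locations)
    invariants = {loc: "true" for loc in a.locations}
    edges = []
    for i, e in enumerate(a.edges):
        # One fresh location per *edge* (not per source location): two edges
        # leaving the same location with different guards must not share it.
        mid = f"{e.src}__e{i}"
        if mid in locations:
            raise ValueError(f"location name clash: {mid}")
        locations.add(mid)
        invariants[mid] = e.guard
        # First hop: unguarded, keeps the action, resets nothing.
        edges.append(Edge(e.src, "true", e.action, frozenset(), mid))
        # Second hop: unguarded, silent, carries the original resets.
        edges.append(Edge(mid, "true", "eps", e.resets, e.dst))
    return PTA(locations, invariants, edges)


def is_pta_i(a: PTA) -> bool:
    """A PTA with only invariants has the guard 'true' on every edge."""
    return all(e.guard == "true" for e in a.edges)


# Sample automaton. Edge 0 is the edge of Fig. 1 as described in the text
# (guard x <= p, reset x := 0); edges 1 and 2 are constructed for illustration.
SAMPLE = PTA(
    locations={"l1", "l2", "l3"},
    invariants={},
    edges=[
        Edge("l1", "x <= p", "a", frozenset({"x"}), "l2"),
        Edge("l2", "x <= q", "b", frozenset(), "l3"),
        Edge("l2", "x < p", "c", frozenset(), "l1"),
    ],
)

if __name__ == "__main__":
    t = guards_to_invariants(SAMPLE)
    for e in t.edges:
        print(f"{e.src} [{t.invariants[e.src]}] --{e.action}/{sorted(e.resets)}--> {e.dst}")
```
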
B. Characterization of the transformation
We show that, for any run of v(A), there exists in v(T (A)) a run twice as long, whose states of index 2 × i are identical to states of index i of the original run, for each i between 0 and the length of the run minus 1.
Lemma 1. Let A be a PTA without invariant, and v a parameter valuation. There is a run
Proof. Let ρ be a run of v(A) ending in a concrete state ( , w). We build by induction on n, a run ρ in v(T (A)) of length 2n. If n = 0, then ρ consists only of the initial location of T (A) which has no invariant, so we can stay there forever as in the initial location of A. So any run of length 0 of v(T (A)) is a run of v(A) and conversely.
Suppose now that we have built ρ for size n and consider a run ρ with n + 1 edges. Then ρ consists of a run ρ 1 , ending in ( 1 , w 1 ) with n edges followed by a delay d and finally a discrete transition along the edge e to the concrete state ( 2 , w 2 ). From the induction hypothesis, we can build an equivalent run ρ 1 in T (A) of length 2n ending in ( 1 , w 1 ), Let w 1 be the clock valuation obtained from w 1 after the delay d. By construction, if constraints defined by the guard of e are satisfied by w 1 then in ρ 1 , we can take the transition e without guards from 1 to 1 as w 1 |= v(I( 1 )). Once in 1 , we cannot stay forever because of I( 1 ). We can also immediately in a 0-delay take the transition e from 1 to 2 and clocks in X are reset so w 2 = [w 1 ] R , and we obtain a run of length 2(n+1) in v(T (A)) ending in ( 2 , w 2 ).
For the other direction, starting from a run in T (A), the initial step of the induction is similar. Let ρ be a run of v(T (A)) of length 2(n + 1) ending in a concrete state ( 2 , w 2 ). Then ρ consists of a run ρ 1 , ending in ( 1 , w 1 ) with 2n edges followed by a first delay d 1 , then a discrete transition e to 1 , and a possible delay d 2 and finally a discrete transition e to 2 . Let e be the edge in A corresponding to e , e w.r.t. our construction of T (A), with guard g = I( 1 ) and the same resets as in e . Suppose now that we have built by induction hypothesis ρ in v(A) for size n equivalent to a run ρ 1 in v(T (A)) ending in ( 1 , w 1 ), Let w 1 be the clock valuation obtained after the delay d 1 from w 1 and w 1 after the delay d 2 from w 1 . By construction, if constraints defined by I( 1 ) are satisfied by w 1 then w 1 |= v(g). The first transition e in v(T (A)) to 1 can be taken, similarly e can already be taken in v(A). After the delay d 2 , we still have w 1 |= I( 1 ) therefore we still have w 1 |= v(g). The second transition e in v(T (A)) to 2 can be taken, similarly e can still be taken in v(A). Clocks are reset along e so w 2 = [w 1 ] R and we obtain a run of length n in v(A) ending in ( 2 , w 2 ). 2 Note that the fact that the length is even is a consequence of the construction: with two edges, first from to and the second from to , if the former can be taken then I( ) is satisfied, and the run cannot stay forever in because of I( ) and is forced to take the latter to .
C. Undecidability for PTAs
Proof. From Lemma 1, for any valuation v, reachability of a location in v(A) and v(T (A)) is equivalent. Therefore, EF-emptiness holds for A iff EF-emptiness holds for T (A). As EF-emptiness is undecidable for PTAs without invariant [1] , EF-emptiness is undecidable for PTAs I .
IV. A NEW DECIDABLE SUBCLASS
We now consider PTAs I with only upper-bound invariants. PTAs U I can be seen as a subclass of L/U-PTAs, a formalism for which EF-emptiness is decidable [8] , [10] while AF-emptiness is undecidable [9] . In addition, the synthesis of (even integer-valued) parameters for which EF holds in L/U-PTAs cannot be done [9] . PTAs U I can also be seen as a subclass of U-PTAs [10] , i. e., L/U-PTAs with only upper-bound parameters, a formalism for which EF-emptiness is decidable [8] , [10] while AF-emptiness is open, and full TCTL-emptiness is undecidable [13] ; in addition, EF-synthesis of integer-valued parameters can be achieved [10] , but the possibility to perform or not the exact synthesis of rational-valued parameters for EF remains open.
The main differences between PTAs U I and U-PTAs are 1) the absence of guards in PTAs U I , and 2) the possibility only for U-PTAs to involve constraints of the form x > c or x ≥ c in clock constraints, provided c is a constant (no parameter can be used as a lower-bound constraint). In this section, we will see that these differences will allow not only for positive decidability results but will also make exact synthesis possible.
A. Reachability (EF)
1) EF-emptiness: We first show that, while matching the decidability of L/U-PTAs (and U-PTAs) for EF-emptiness, the complexity of EF-emptiness for PTA U I is not the same as for U-PTAs, which is PSPACE-complete for integer parameter valuations [10] ; in our case, given a PTA U I A and a special parameter valuation v 1 that sets all parameters to 1, it is sufficient to test in v 1 (A) the reachability of a given location in a 0-delay (a run of duration 0), which is linear in the number of locations of A. That is, we do not perform a symbolic analysis (using the region graph [2] or the zone graph [14] ) of some TA, but we directly syntactically analyze our PTA U I . Formally, let v 1 be the parameter valuation such that ∀1 ≤ i ≤ M : v 1 (p i ) = 1. In the following lemma, we will show that there exists a valuation v such that there exists a run in v(A) reaching a given location f iff there exists a 0-delay run in v 1 (A) reaching f . By 0-delay run, we mean a run for which the sum of the delays along the edges is 0. This will allow us to only test 0-delay runs in v 1 (A) to decide EF-emptiness.
Proof. =⇒ Assume there exists a parameter valuation v and a run ρ in v(A) reaching f . We first show that there exists a 0-delay run ρ 0 in v(A) reaching f (and, in fact, going through the same locations and edges as ρ, with only the delay being replaced with 0). This is immediate from the syntax of PTAs U I : since we only allow invariants of the form x 1≤i≤M α i p i + d, then nothing can constrain a run to spend a certain amount of time in a location. Therefore, ρ 0 can follow the same locations and edges as in ρ without letting any time elapse. This gives that there exists a 0-delay run ρ 0 in v(A) reaching f . We will now show that this run ρ 0 is also a run of v 1 (A). This is not entirely immediate, as v 1 (A) and v(A) have different invariants, coming from different parameter valuations.
Indeed, in case of invariants of the form x < p, a 0-delay run is blocked in this location whenever p = 0 (as the constraint x < 0 is never satisfiable due to the non-negative nature of clocks). However, by definition, ρ 0 does not pass through any location with an invariant of the form x < p, with v(p) = 0, since this is a valid run of v(A). That is, for any location along ρ 0 with an invariant containing an inequality of the form x < p, v(p) > 0. We can finally conclude by observing that, in v 1 (A), no such invariant blocking a 0-delay run exists since, by definition of v 1 (A), all parameters evaluate to 1. Therefore ρ 0 is also a run reaching f in v 1 (A). ⇐= The opposite direction is trivial. It suffices to pick v = v 1 and, since there exists a 0-delay run in v 1 (A) reaching f , then there exists a run (in 0-delay) in v(A) reaching f .
From Lemma 2, we state the following theorem. From the nature of PTAs U I , there exists a 0-delay run in v 1 (A) iff there exists in the automaton v 1 (A) seen as a graph a syntactic path from 0 to f that features no state with an invariant involving a comparison of the form x < 0, for some x. We can therefore consider v 1 (A) as a directed graph, in which we remove all the edges to locations where there is an invariant containing a comparison of the form x < 0 for some x. In this obtained oriented graph, we perform the reachability of f from 0 which is NLOGSPACE [15] , so is EF-emptiness for PTA U I .
2) EF-synthesis: We will show that, in order to compute EF-synthesis, it suffices to test (syntactically, without semantic analysis) each automaton obtained by replacing each parameter valuation with either 0 or 1. This is a strong result, as EF-synthesis cannot be performed for L/U-PTAs with either integer or rational valued parameters [9] , and can only be performed for U-PTAs over integer-valued parameters [10] . We first define an equivalence relation for parameter valuations. We will now show that this run ρ 0 is also a run of v (A).
Definition 6. Let v, v be two parameter valuations. We say
Following again the reasoning used in the proof of Lemma 2, by definition, ρ 0 does not pass through any location with an invariant of the form x < p, with v(p) = 0, since this is a valid run of v(A). That is, for any location along ρ 0 with an invariant containing an inequality of the form x < p, v(p) > 0. We can finally conclude by observing that, in v (A), no such invariant blocking a 0-delay run exists since, from the fact
Therefore ρ 0 is also a run reaching f in v (A). ⇐= The opposite direction is similar. Since there exists a 0-delay run in v (A), then following the same reasoning as above and since v ∼ v , then this same 0-delay run is also a run of v(A).
From Lemma 3, it suffices to test one valuation in each of the regions defined by Definition 6. Each region being defined by v(p) = 0 or v(p) > 0, for each parameter p, it suffices to test both 0 and a non-zero value, e. g., 1. We end up with a set V of 2 |P| parameter valuations. This gives the following theorem.
Theorem 3. We can compute the set EF-synthesis of parameter valuations for PTA U I within exponential time w.r.t. the size of the input.
Proof. From Lemma 3, given a PTA U I A it suffices to test the existence of at least one 0-delay run for one parameter valuation v in each of the regions defined by Definition 6, i. e., from the set V . From the proof of Theorem 2, this can be achieved syntactically by solving a reachability problem in the graph of v (A). If the answer to the reachability problem is positive for this parameter valuation, the whole region is added to the result. That is, considering two parameters p 1 and p 2 , and the valuation such that v(p 1 ) = 0 and v(p 2 ) = 1, the added region is p 1 = 0∧p 2 > 0. However, iterating similarly over all valuations in V gives 2 |P| different valuated automata and we have to test the reachability for each of them. Therefore, to compute EF-synthesis, we obtain a complexity exponential in time.
This result makes the subclass of PTA U I very interesting, as a subclass of PTAs where EF-synthesis can be performed. Rare subclasses such as reset-update-to-parameter PTAs [11] enjoy this possibility (and only on bounded parameters), while well-known L/U-PTAs enjoy only the decidability of EF-emptiness while EF-synthesis has been proven intractable [9] .
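The two procedures of this subsection (EF-emptiness via the all-ones valuation, and EF-synthesis via the 2^|P| valuations over {0, 1}), as an added Python sketch that is not the authors' or IMITATOR's code. The dictionary encoding of the automaton and both sample automata are constructed for illustration, and the sketch assumes every constant d in an invariant is non-negative, so that whether an invariant holds at clock value 0 depends only on which parameters are zero.

```python
from collections import deque
from itertools import product

# Invariant atom: (clock, strict, params, d) stands for
#   clock <  sum(params) + d   when strict is True
#   clock <= sum(params) + d   otherwise.


def validate(pta):
    """Reject invariants outside the fragment this sketch handles (d >= 0)."""
    for loc, atoms in pta["invariants"].items():
        for _clock, _strict, _params, d in atoms:
            if d < 0:
                raise ValueError(f"negative constant in invariant of {loc}")


def holds_at_zero(atoms, valuation):
    """True iff the all-zero clock valuation satisfies every atom."""
    for _clock, strict, params, d in atoms:
        bound = sum(valuation[p] for p in params) + d
        if (strict and not 0 < bound) or (not strict and not 0 <= bound):
            return False
    return True


def zero_delay_reachable(pta, valuation, target):
    """Plain graph search, skipping locations whose invariant blocks at time 0.

    Resets are irrelevant here: in a 0-delay run all clocks stay at 0.
    """
    ok = {loc for loc in pta["locations"]
          if holds_at_zero(pta["invariants"].get(loc, []), valuation)}
    start = pta["initial"]
    if start not in ok:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        loc = queue.popleft()
        if loc == target:
            return True
        for src, dst in pta["edges"]:
            if src == loc and dst in ok and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return False


def ef_empty(pta, target):
    """EF-emptiness: test only the valuation v1 setting every parameter to 1."""
    validate(pta)
    v1 = {p: 1 for p in pta["parameters"]}
    return not zero_delay_reachable(pta, v1, target)


def ef_synthesis(pta, target):
    """Return the regions (p = 0 or p > 0 for each p) where target is reachable."""
    validate(pta)
    params = sorted(pta["parameters"])
    regions = []
    for bits in product((0, 1), repeat=len(params)):   # one representative per region
        valuation = dict(zip(params, bits))
        if zero_delay_reachable(pta, valuation, target):
            regions.append({p: "> 0" if b else "= 0" for p, b in valuation.items()})
    return regions


# Constructed sample: lf is reachable via l1, l2 (needs p1 > 0 and p2 > 0)
# or via l3 (needs p3 > 0; the non-strict atom never blocks at time 0).
SAMPLE_PTA = {
    "parameters": ["p1", "p2", "p3"],
    "locations": ["l0", "l1", "l2", "l3", "lf"],
    "initial": "l0",
    "invariants": {
        "l1": [("x", True, ["p1"], 0)],
        "l2": [("y", True, ["p2"], 0)],
        "l3": [("x", True, ["p3"], 0), ("y", False, ["p1"], 0)],
    },
    "edges": [("l0", "l1"), ("l1", "l2"), ("l2", "lf"), ("l0", "l3"), ("l3", "lf")],
}

# Constructed sample whose only path crosses an invariant x < 0.
BLOCKED_PTA = {
    "parameters": ["p"],
    "locations": ["l0", "lb", "lf"],
    "initial": "l0",
    "invariants": {"lb": [("x", True, [], 0)]},
    "edges": [("l0", "lb"), ("lb", "lf")],
}

if __name__ == "__main__":
    for region in ef_synthesis(SAMPLE_PTA, "lf"):
        print(" and ".join(f"{p} {c}" for p, c in region.items()))
```
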
B. Undecidability of TCTL-emptiness
While EF-emptiness is decidable for PTA U I , one can wonder whether this extends to the whole TCTL-emptiness problem. We exhibit in this section a nested TCTL formula (as opposed to flat TCTL formulas, e. g., EF or AF), namely EGAF =0 ap for some atomic property ap, and prove that EGAF =0 -emptiness is undecidable for (possibly bounded) PTA U I . The formula EGAF =0 was already used to prove the TCTL-emptiness of U-PTAs in [13] . This implies the undecidability of the whole TCTL-emptiness problem for (possibly bounded) PTA U I .
Theorem 4. The EGAF =0 -emptiness problem is undecidable for bounded PTA U I .
Proof. We reduce from the boundedness problem for two-counter machines (i. e., whether the value of the counters remains bounded along the execution), which is undecidable [17] . Recall that a two-counter machine is a finite state machine with two integer-valued counters c 1 , c 2 . Two different instructions are considered, we present those for c 1 , those for c 2 are similar: 1) when in state q i , increment c 1 and go to q j ; 2) when in state q i , if c 1 = 0 go to q k , otherwise decrement c 1 and go to q j .
We assume w.l.o.g. that the machine halts iff it reaches a special state q halt .
a) General explanation of the encoding: Let • and • be two labels. We define a PTA U I that, under some conditions, will encode the machine, and for which EGAF =0 • -emptiness holds iff the counters in the machine remain bounded. We will reuse an encoding originally from [16, proof of theorem 1], and apply a few modifications. In fact, recall that PTA U I disallow the use of comparisons of the form x = p, or x = c with c a constant.
We label our transitions with: • for the locations already present in [16] (depicted in yellow in our figures), and • for the newly introduced locations (depicted in white in our figures). In [16] , the gadgets use edges of the form of Fig. 2a to encode the two-counter machine instructions. To define a PTA U I , we replace each of these edges by a special construction given in Fig. 2b using only inequalities of the form x ≤ k and x < k with k either a constant or a parameter. Non guarded transitions are depicted as dotted edges. We will show that a run will exactly encode the two-counter machine if all transitions x ≤ a + 1 (resp. x ≤ 1) to a location labeled with • are in fact taken when the clock valuation is exactly equal to a+1 (resp. 1). Those runs are further denoted by ρ • . In the transformed version given in Fig. 2b , due to the ≤ invariant runs exist that take the guard "too early" (i. e., before x 1 = a + 1). Those are denoted by ρ • . But, in that case, observe that in 1 , one can either take the transition to or to 2 (as the invariant to satisfy is x 1 < a + 1) and then, go to error . Therefore on this gadget, EGAF =0 • is true at iff the guard x 1 ≤ a + 1 from to is taken at the very last moment. In our gadgets encoding the counters, there will be for each location with invariant x ≤ k an associated location with invariant x < k, with only a transition to error . Note that AF =0 • is trivially true in and as both locations are labeled with • (many runs also exist from to error and do not encode properly the machine; they will be discarded in our reasoning later).
Our PTA U I A uses one parameter a and three parametric clocks x 1 , x 2 , z. Each state q i of the two-counter machine is encoded by a location i of A. Each increment instruction of the two-counter machine is encoded into a PTA U I fragment. The decrement instruction is a modification of the one in [16] using the same modifications as the increment gadget.
Given v, our encoding is such that when in i with w(z) = 0 then w(x 1 ) (resp. w(x 2 )) represents the value of the counter c 1 (resp. c 2 ) encoded by 1 − v(a)c 1 (resp. 1 − v(a)c 2 ) with v(a) small enough so v(a)c 1 < 1 (resp. v(a)c 2 < 1). The two branches in the gadgets handle both cases w(x 1 ) > w(x 2 ) and w(x 1 ) ≤ w(x 2 ).
b) Increment gadget: Depicted in Fig. 3 . We assume a ∈ [0, 1], in which case our PTA U I is bounded (if a is unbounded, then our construction proves the unbounded case). In the following, we write w as the tuple (w(x 1 ), w(x 2 ), w(z)). The initial encoding when w(z) = 0 is w(x 1 ) = 1−v(a)c 1 , w(x 2 ) = 1 − v(a)c 2 , w(z) = 0. From i , we prove that there is a unique run, going through the upper branch of the gadget, that reaches j without violating our property. It is the one that takes each transition to a location with an invariant z ≤ 0 at the exact moment w(z) = 0, the transition to a location with an invariant x 2 ≤ 1 at the exact moment w(x 2 ) = 1 and transition to a location with an invariant x 1 ≤ a + 1 at the exact moment w(x 1 ) = v(a) + 1. The other runs, that take the transitions "too early" are removed as they violate the property; indeed, if a run takes a transition before the "last moment" allowed by the invariant (e. g., x ≤ 1), then it can possibly take the successor state with invariant (x < 1) and go to error . That is, EGAF =0 does not hold, because not all runs go in 0-time to a • location.
So, for each transition, many runs can take it, but we only consider from now on the only one that takes the transition at the last moment, i. e., when the clock is exactly equal to the parameter/constant it is compared to. The same applies at each transition. This gives the following run for the increment gadget:
We apply the same reasoning on the lower branch of Fig. 3.
c) Decrement and 0-test gadget: The decrement and 0-test gadget, depicted in Fig. 4 , is similar to the one of [16] and undergoes the same modifications as in Fig. 3 , the increment gadget. Assume the same requirements as for the increment gadget. From i , following the same reasoning as for the increment gadget we prove that there is a unique run, going through the upper branch of the decrement gadget, that reaches j without violating our property.
Assume we are in a configuration ( i , w) where w(z) = 0 and suppose w(x 1 ) < 1. We can enter the configuration ( 1 i , (w(x 1 ), w(x 2 ), 0)) as the invariant z = 0 ensures no time has elapsed; in its short form, the run that reaches j correctly, i. e., satisfying our property EGAF =0 is:
We apply the same reasoning on the lower branch of Fig. 4 .
d) Initial gadget: In Fig. 5 , the initial gadget ensures the same way as presented before that the counters are both initialized to 0. Recall that w(x 1 ) = 1 − v(a)c 1 , and w(x 2 ) = 1 − v(a)c 2 . The unique run that does not violate EGAF =0 reaches 1 exactly when w(x 1 ) = w(x 2 ) = 1, ensuring c 1 = c 2 = 0.
e) Simulating the 2-counter machine: Now, let us consider the runs ρ • that take each transition to a location where there is an invariant at the very last moment; note that other runs violate the property anyway.
• If the counters of the two-counter machine remain bounded then, either the two-counter machine halts by reaching q halt and there exist parameter valuations v (typically a sufficiently small value for v(a) to encode the value of the counters during the computation). In the constructed PTA U I , once valuated with v there is a (unique) run simulating correctly the machine, reaching halt and staying there forever. In this first case, EGAF =0 • holds for these valuations: hence EGAF =0 • -emptiness is false; or the two-counter machine loops forever, never reaches q halt , with values of the counters remaining bounded. There exist small parameter valuations v that encode the maximal value of the counters. In the constructed PTA U I , once valuated with v there is an infinite (unique) run in the PTA U I simulating correctly the machine. As this run is infinite, we infinitely often visit the decrement and/or the increment gadget(s). In this second case, EGAF =0 • also holds for these valuations: hence EGAF =0 • -emptiness is again false.
• Conversely, if the counters of the two-counter machine are unbounded, then for any valuation, all runs end in error. This happens either because the runs took an unguarded transition to error on purpose, or because they blocked: since the counters are unbounded, for any arbitrarily small valuation, one of the guards will eventually block the run and send it to error thanks to the unguarded transitions. This happens, e.g., in i 5 of Fig. 3, when the value $w(z) = v(a)(c_1 + 1)$ becomes strictly greater than 1 after a sufficient number of steps. It is then no longer possible to take the transition to i 6 because of the invariant $z \leq 1$, and there is no choice other than to reach error again. Hence there is no parameter valuation for which EGAF$_{=0}$ • holds, so EGAF$_{=0}$ • -emptiness is true. We conclude that EGAF$_{=0}$ • -emptiness is true iff the values of the counters of the two-counter machine are unbounded.
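The case analysis above can be replayed on the counter encoding alone. The following sketch is an added example, not code from the paper: it abstracts each gadget to its net effect on $w(x_i) = 1 - v(a)c_i$ and reports error when an increment would need $v(a)(c_i + 1) > 1$; the instruction tuples, the sample machines and the function names are assumptions made for illustration.

```python
from fractions import Fraction

# Constructed sample machines. Instruction formats (assumptions of this sketch):
#   ("inc", i, next) | ("dec", i, next_if_positive, next_if_zero) | ("halt",)
COUNT_TO_3 = {"q0": ("inc", 0, "q1"), "q1": ("inc", 0, "q2"),
              "q2": ("inc", 0, "q3"), "q3": ("halt",)}
BOUNDED_LOOP = {"q0": ("inc", 0, "q1"), "q1": ("dec", 0, "q0", "q0")}
UNBOUNDED = {"q0": ("inc", 0, "q0")}

def decode(w, a):
    """Recover [c_1, c_2] from the clock values w(x_i) = 1 - a*c_i."""
    return [int((1 - wi) / a) for wi in w]

def simulate(program, a, max_steps=1000):
    """Run a 2-counter machine on the clock encoding, for the valuation v(a) = a.

    Returns (status, counters) where status is "halt", "error" (an increment
    would violate the invariant z <= 1) or "running" (step budget exhausted).
    """
    a = Fraction(a)
    if a <= 0:
        raise ValueError("v(a) must be positive to encode counters")
    w = [Fraction(1), Fraction(1)]      # initial gadget: c_1 = c_2 = 0
    state = "q0"
    for _ in range(max_steps):
        instr = program[state]
        if instr[0] == "halt":
            return "halt", decode(w, a)
        i = instr[1]
        if instr[0] == "inc":
            # At the end of the gadget z = a*(c_i + 1); the invariant z <= 1
            # blocks the run once the counter no longer fits in the encoding.
            if a * (decode(w, a)[i] + 1) > 1:
                return "error", decode(w, a)
            w[i] -= a
            state = instr[2]
        elif w[i] == 1:                 # 0-test: w(x_i) = 1 iff c_i = 0
            state = instr[3]
        else:                           # decrement: c_i - 1, so w(x_i) + a
            w[i] += a
            state = instr[2]
    return "running", decode(w, a)
```

A machine whose counters stay below a bound B is simulated without error by any valuation with v(a) ≤ 1/B, whereas the unbounded machine reaches error for every positive valuation once its counter exceeds 1/v(a).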
In this section, we have proved the following properties about PTA U I. Our first result here is that the EF-emptiness problem for PTA U I has a lower complexity than the same reachability problem in classical TAs without parameters.
Paradoxically, this simpler complexity for one TCTL decision problem (EF) does not make PTA U I a trivial subclass of (P)TAs at all. On the contrary, we proved that the decidability of EF-emptiness does not extend to the whole TCTL logic by exhibiting a TCTL formula for which deciding the emptiness of parameter valuations satisfying it is undecidable, while model-checking TCTL logic is decidable in TAs [12].
V. PROOF OF CONCEPT: CASE STUDY
To illustrate the usability of PTAs U I, we describe in this section a case study modeled and verified using PTAs U I.
a) Software support: PTAs U I are natively supported by IMITATOR [18], which is a parametric model checker performing parameter synthesis for parametric timed automata, extended with some useful features such as synchronization, global variables, etc.
b) Description: The idea here is to model a Real-time Transport Protocol (RTP) using PTAs U I. RTP is a network protocol usually used to deliver video and audio over a network. RTP is mainly used in Voice over IP, teleconferencing and, in the last few years, in systems that involve media streaming.
RTP typically runs over the User Datagram Protocol (UDP), which can broadcast data to several clients, and is faster than TCP (Transmission Control Protocol) as it does not provide guarantees for message delivery. Fig. 6 represents a simplified version of an RTP protocol combined with a Real-Time Control Protocol (RTCP). A server sends audio and video data to a client, and the client has the possibility to pause the data stream or ask for more data when its buffer is empty. We use two clocks to model the protocol.
Fig. 5: initialisation gadget
x represents the server, while y represents the client. In each location, the first word represents the state of the client, while the second represents the state of the server. The automaton starts in location 1 as the client is waiting for its data stream. On the begin action, the server first opens the channel for the video within $p_v$ units of time, and the channel for the audio within $p_s - p_v$ units of time, assuming that otherwise audio and video would not be synchronized at reception by the client. Then data is streamed for at most $p_{send}$ units of time to prevent overflowing the bandwidth, in location idle, sending. At this moment, the server stops sending for an undetermined amount of time. In the meantime, the client's buffer is being emptied. When running outOfData, the client switches to location askMore, sending as the server is still sending data. y is reset and the system has the possibility to switch to location idle, sending again if the server is still streaming data, i.e., the constraint $x < p_{send}$ is still satisfied. While in idle, sending, the client can choose to interrupt the data stream. When in location idle, notSending, the client still uses the data of the buffer, but has to request more data at some point, i.e., while $y < p_{rced}$ is satisfied. The procedure from start is similar to the previously described one. From locations askMore, sending and idle, notSending the location askMore, notSending is reachable, when the server is not streaming and the client's buffer is empty. This is the bug state of the system. We are interested in computing the concrete parameter valuations of $p_{send}$, $p_{rced}$, $p_s$, $p_v$ such that the system can reach the "bad" state askMore, notSending; that is, we aim at performing EF(askMore, notSending)-synthesis.
c) Experiments: We modeled the case study in Fig. 6 in the input language of IMITATOR.
Experiments were conducted with IMITATOR 2.11 "Butter Kouign-amann", on a 2.4 GHz Intel Core i5 processor with 2 GiB of RAM in a VirtualBox environment running Ubuntu. The synthesis time is less than 1 second with four parameters. Applying IMITATOR to Fig. 6, we obtain the following result for EF(askMore, notSending)-synthesis:
That is, for almost all parameter valuations, there exists an execution of the system that reaches the bad location askMore, notSending. This is not surprising, as it depends on the rate of data exchanged and on the quality of the network connection. In other words, this bug state can be reached in any case as the data stream can be blocked at any time, i.e., the client may have to wait for the video to load.
A more interesting question is whether, for some valuations, all runs eventually reach the bug location. This would be worrying, as it would mean that the protocol has no chance of success for these valuations. Therefore, we focus on AF(askMore, notSending)-synthesis. This time, we obtain that the set of valuations for which all runs eventually reach askMore, notSending is empty, and therefore no valuation makes the protocol entirely unsuccessful.
VI. CONCLUSION
We proposed a new parametric timed formalism to reason about timed systems with some uncertain or unknown timing constants, with two interesting positive results. First, the emptiness of the valuation set for which at least one run reaches a location, i.e., EF-emptiness, is decidable in linear time, which is better than solving the reachability problem for TAs, as the latter is PSPACE-complete. Second, we showed that exact synthesis can be achieved in exponential time.
In contrast, we showed that (nested) TCTL-emptiness is undecidable for PTAs U I, whereas model-checking TCTL is decidable for TAs; this makes PTAs U I a formalism at the border between decidability and undecidability.
Our formalism seems to allow for promising practical applications as shown by Section V, where we successfully modeled a simple data streaming protocol.
Future work: On the theoretical side, the emptiness of some flat TCTL formulas remains open for PTAs U I, notably AF, EG and AG-emptiness. Improving the complexity of EF-synthesis is also an interesting direction.
More practically, we are interested in proposing dedicated efficient synthesis algorithms for PTAs U I (independently of the underlying decidability).
