Closed, Open, and Robust Timed Networks
Parosh Aziz Abdulla, Johann Deneux, and Pritha Mahata 1
Dept. of Information Technology, Uppsala University, Sweden
Abstract
We consider veriﬁcation of safety properties for parameterized systems of timed processes, so called
timed networks. A timed network consists of a ﬁnite state process, called a controller, and an
arbitrary set of identical timed processes. In [3] it was shown that checking safety properties is
decidable in the case where each timed process is equipped with a single real-valued clock. In [2], we
showed that this is no longer possible if each timed process is equipped with at least two real-valued
clocks. In this paper, we study two subclasses of timed networks: closed and open timed networks.
In closed timed networks, all clock constraints are non-strict, while in open timed networks, all
clock constraints are strict (this corresponds to syntactic removal of equality testing). We show
that the problem becomes decidable for closed timed networks, while it remains undecidable for
open timed networks. We also consider robust semantics of timed networks by introducing timing
fuzziness through semantic removal of equality testing. We show that the problem is undecidable
both for closed and open timed networks under the robust semantics.
Keywords: Model Checking, Reachability, Parameterized Timed Systems, Undecidability.
1 Introduction
One of the main current challenges in model checking is to extend its
applicability to parameterized systems. The description of such a system is
parameterized by the number of components, and the challenge is to check
correctness of all instances in one veriﬁcation step. Most existing methods
for model checking of parameterized systems consider the case where each
individual component is modelled as a ﬁnite-state process.
1 Email: {parosh,johannd,pritha}@it.uu.se
Electronic Notes in Theoretical Computer Science 138 (2005) 117–151
1571-0661 © 2005 Elsevier B.V.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.03.027
Open access under CC BY-NC-ND license.
In this paper we study parameterized systems of timed processes, so called
Timed Networks (TNs). A TN represents a family of systems, each consisting
of a finite-state controller, together with finitely, but arbitrarily many timed
processes (timed automata). A timed process operates on a ﬁnite number of
real-valued local clocks. Since a TN operates on an unbounded number of
clocks, its behaviour cannot be captured by that of a timed automaton [1].
The paper [3] showed decidability of the controller state reachability problem
for TNs: given a state of the controller, is there a computation from an initial
conﬁguration leading to that state? This problem is relevant since it can
be shown, using standard techniques, that checking large classes of safety
properties can be reduced to controller state reachability. The decidability
result in [3] was given subject to the restriction that each timed process has
a single clock. In [2] we show undecidability of the problem for the case of
multi-clock TNs, i.e., TNs where each timed process may have several clocks.
One may wonder what happens if we consider timed networks with clocks
over a dense time domain, but restrict the excessive expressive power that stems
from their ability to differentiate points in time with infinite precision. In fact,
this complaint of excessive expressive power has already been raised against
the model of timed automata [1] by [4,11]. This makes algorithmic analysis
hard in many cases. For instance, checking emptiness is PSPACE-complete,
while checking universality is undecidable. Two classes of methods have been
suggested to remedy this problem:
• The use of digitization techniques [6]. The idea is to identify subclasses of
timed automata for which verification problems can be reduced from the dense
time domain to the discrete one. This either yields speeding-up of the
verification problem, or implies decidability of problems which are undecidable
in the general case. A class of timed automata which allows digitization is
closed timed automata [4,10,9] in which only non-strict clock constraints are
allowed (of the form x ≤ 3 or x ≥ 2).
• To restrict the model of timed automata so that checking exact equality
of clock values is prohibited. This restriction can be achieved syntactically
through the use of open timed automata [4,10,9]. In an open automaton
only strict clock constraints are allowed (of the form x < 3 or x > 2).
The restriction can also be achieved semantically by considering a robust
semantics [4,7,9] where a computation is accepted to be valid if and only if
neighbouring computations are also accepted. However, it is shown in [9]
that expressive powers of the timed automata under standard and robust
semantics are incomparable.
The complaint about the excessive power of timed automata is equally valid
in the case of timed networks. In this paper, we consider subclasses of timed
networks based on similar restrictions to the ones mentioned above.
First, we consider closed timed networks (CTNs) and open timed networks
(OTNs). Using a similar idea to [10], we show that digitization is applicable
to CTNs. This reduces controller state reachability for CTNs to the same
problem for discrete timed networks. The latter problem is shown to be
decidable in [2]. This result is of practical relevance since any timed network can
be safely infinitesimally over-approximated by a closed timed network.
Furthermore, we show undecidability of controller state reachability for OTNs.
The undecidability result is shown through a reduction from the reachability
problem for 2-counter machines. The undecidability result strengthens the
result in [2], in the sense that (i) it shows undecidability for a subclass of that
in [2]; and (ii) it uses an encoding which does not rely on using equality of
clock values.
Finally, we show undecidability of controller state reachability for both OTNs
and CTNs under the robust semantics. This is achieved by reducing the
problem for OTNs under the standard semantics to the problem for both
OTNs and CTNs under the robust semantics. The undecidability result for
CTNs under robust semantics is surprising, since we already show that the
problem is decidable for CTNs under standard semantics. However, it was
already pointed out by [9] that the robust semantics for timed automata is
less tractable than its standard semantics. Undecidability of the controller state
reachability problem for CTNs shows that the intractability of robust semantics
for timed automata prevails even for timed networks.
Outline: Section 2 gives the deﬁnition of timed networks. Section 3 details
the decidability of the controller state reachability problem for closed timed
networks. Section 4 sketches the undecidability proof of the problem for open
timed networks. Finally, Section 5 shows the undecidability of the problem
under robust semantics.
2 Deﬁnitions
In this section, we deﬁne timed networks: families of (inﬁnitely many) systems
each consisting of a controller and an arbitrary number of identical timed
processes. The controller is a ﬁnite state automaton while each process is a
timed automaton [1], i.e., a ﬁnite-state automaton which operates on a ﬁnite
number of local real-valued clocks x1, . . . , xK . The values of all clocks are
incremented continuously at the same rate. In addition, the network can
change its conﬁguration according to a ﬁnite number of rules. Each rule
describes a set of transitions in which the controller and a ﬁxed number of
processes synchronize and simultaneously change their states. A rule may be
conditioned on the local state of the controller, together with the local states
and clock values of the processes. If the conditions for a rule are satisﬁed, then
a transition may be performed where the controller and each participating
process changes its state. Also, during a transition, a process may reset some
of its clocks to 0.
We use N and R≥0 for the set of natural numbers and set of non-negative real
numbers respectively.
Timed Networks A family of timed networks (timed network for short) N
with K clocks is a pair (Q,), where:
• Q is a ﬁnite set of states. The set Q is the union of two disjoint sets; the
set Qctrl of controller states, and the set Qproc of process states. These sets
contain two distinguished initial (idle) states, namely idlec ∈ Qctrl and
idlep ∈ Qproc .
•  is a ﬁnite set of rules where each rule is of the form
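$$
\begin{bmatrix} q_0 \\ \rightarrow \\ q'_0 \end{bmatrix}
\begin{bmatrix} q_1 \\ g_1 \rightarrow R_1 \\ q'_1 \end{bmatrix}
\cdots
\begin{bmatrix} q_n \\ g_n \rightarrow R_n \\ q'_n \end{bmatrix}
$$
such that q0, q′0 ∈ Qctrl , and for all i : 1 ≤ i ≤ n we have: qi, q′i ∈ Qproc ,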
and gi → Ri is a guarded command where gi is a boolean combination
of predicates of the form k  x for k ∈ N,  ∈ {=, <,≤, >,≥}, x ∈
{x1, . . . , xK} and Ri ⊆ {x1, . . . , xK}.
Intuitively, the set Qctrl represents the states of the controller and the set Qproc
represents the states of the processes. A rule of the above form describes a set
of transitions of the network. The rule is enabled if the state of the controller is
q0 and if there are n processes with states q1, · · · , qn whose clock values satisfy
the corresponding guards. The rule is executed by simultaneously changing
the state of the controller to q′0 and the states of the n processes to q′1, · · · , q′n,
and resetting the clocks belonging to the sets R1, . . . , Rn.
For a guard gi we write gi(y1, . . . , yK) to denote the Boolean expression which
results from substituting the occurrences of x1, . . . , xK in gi by y1, . . . , yK
respectively.
Conﬁgurations A conﬁguration γ of a timed network (Q,) with K clocks
is a tuple of the form (I, q,Q, X), where I is a ﬁnite index set, q ∈ Qctrl ,
Q : I → Qproc , and X : {1, . . . , K} → I → R≥0.
Intuitively, the conﬁguration γ refers to the controller whose state is q, and to
|I| processes, whose states are deﬁned by Q. The clock values of the processes
are deﬁned by X. More precisely, for k : 1 ≤ k ≤ K and i ∈ I, X(k)(i) gives
the value of clock xk in the process with index i.
We use |γ| to denote the number of processes in γ, i.e., |γ| = |I|. Also, we
shall use Xk to denote the mapping I → R≥0 such that Xk(i) = X(k)(i).
Example 2.1 Figure 1 shows a graphical representation of a configuration in
a timed network with two clocks, given by ({1, 2, 3} , q,Q, X) where Q(1) =
q1,Q(2) = q2,Q(3) = q3 and X1(1) = 0.1, X1(2) = 0.5, X1(3) = 5.0, X2(1) =
2.3, X2(2) = 1.4, X2(3) = 0.6.
Fig. 1. Graphical representation of a configuration in a timed network with two clocks. (Legend: controller state, process state, value of x1, value of x2.)
Transition Relation The timed network N above induces a transition
relation −→ on the set of configurations. The relation −→ is the union of a
discrete transition relation −→Disc, representing transitions induced by the
rules, and a timed transition relation −→Timed which represents passage of
time.
The discrete relation −→Disc is the union
⋃
r∈ −→r , where −→r represents a
transition performed according to rule r . Let r be a rule of the form described
in the above deﬁnition of timed networks. Consider two conﬁgurations γ =
(I, q,Q, X) and γ′ = (I, q′,Q′, X ′). We use γ −→r γ′ to denote that there
is an injection h : {1, . . . , n} → I such that for each i : 1 ≤ i ≤ n and
k : 1 ≤ k ≤ K we have:
(i) q = q0, Q(h(i)) = qi, and gi(X1(h(i)), . . . , XK(h(i))) holds. That is, the
rule r is enabled.
(ii) q′ = q′0, and Q′(h(i)) = q′i. The states are changed according to r .
(iii) If xk ∈ Ri then X′k(h(i)) = 0, while if xk ∉ Ri then X′k(h(i)) = Xk(h(i)).
In other words, a clock is reset to 0 if it occurs in the corresponding set
Ri. Otherwise its value remains unchanged.
(iv) Q′(j) = Q(j) and X ′k(j) = Xk(j), for j ∈ I \ range(h), i.e., the process
states and the clock values of the non-participating processes remain
unchanged.
For a configuration γ = (I, q,Q, X) and t ∈ R≥0, we use γ^{+t} to denote the
configuration (I, q,Q, X′) where X′k(j) = Xk(j) + t for each j ∈ I and k :
1 ≤ k ≤ K. A timed transition is of the form γ −→T=t γ′ where γ′ = γ^{+t}.
Such a transition lets time pass by t. We use γ −→Timed γ′ to denote that
γ −→T=t γ′ for some t ∈ R≥0.
We define −→ to be −→Disc ∪ −→Timed and use −→∗ to denote the reflexive
transitive closure of −→. Notice that if γ −→ γ′ then the index sets of γ and
γ′ are identical and therefore |γ| = |γ′|. For a configuration γ and a controller
state q, we use γ −→∗ q to denote that there is a configuration γ′ of the form
(I′, q′,Q′, X′) such that γ −→∗ γ′ and q′ = q.
We say that π = γinit −→Timed −→Disc γ1 −→Timed −→Disc . . . −→Timed −→Disc
γn = γ is a γinit-computation of TN.
Reachability A conﬁguration γinit = (I, q,Q, X) is said to be initial if q =
idlec, Q(i) = idlep , and Xk(i) = 0 for each i ∈ I and k : 1 ≤ k ≤ K. This
means that an execution of a timed network starts from a conﬁguration where
the controller and all the processes are in their initial states, and the clock
values are all equal to 0. Notice that there is an inﬁnite number of initial
conﬁgurations, namely one for each index set I.
Controller State Reachability Problem (TN(K)-Reach)
Instance A timed network (Q,) with K clocks and a controller state qF .
Question Is there an initial configuration γinit such that γinit −→∗ qF ?
Controller state reachability is relevant, since it can be shown, using standard
techniques [12,5], that checking safety properties (expressed as regular
languages) can be translated into instances of the problem.
Discrete Timed Networks (DTNs) are timed networks in which the clocks
assume values from the set of natural numbers and timed transitions take only
discrete steps. A configuration of a DTN has the same form as that of the TN, but
the clocks have values which are natural numbers rather than real numbers.
Furthermore, timed transitions take only discrete steps, i.e., γ1 −→T=t γ2 if
γ2 = γ1^{+t} where t ∈ N. Discrete transitions are defined in a similar manner to
TN. We define DTN(K)-Reach in the obvious manner.
The following results are known for timed networks.
Theorem 2.2
(i) TN(1)-Reach is decidable [3].
(ii) TN(2)-Reach is undecidable [2].
(iii) DTN(K)-Reach is decidable [2].
3 Closed Timed Networks
In this section, we show that the controller state reachability problem for a
subclass of timed networks is decidable.
Closed Timed Network A closed timed network is a timed network in which
guarded commands in the rules may only contain a negation-free boolean
combination of predicates of the form k ≤ x or k ≥ x where x ∈ {x1, . . . , xK}.
We deﬁne the controller state reachability problem for closed timed networks
with K clocks (CTN(K)-Reach) in the obvious manner. We show that
Theorem 3.1 CTN(K)-Reach is decidable.
The rest of this section is devoted to the proof of Theorem 3.1.
First we recall the digitization technique introduced in [6]. Let δ ∈ R+ and let
0 ≤ ε < 1 be real numbers. If fract(δ) < ε, let [δ]ε = ⌊δ⌋, otherwise [δ]ε = ⌈δ⌉.
The [.]ε operator therefore shifts the value of a real number δ to the preceding
or the following integer, depending on whether the fractional part of δ is less
than ε or not.
From Theorem 2.2(iii), we know that DTN(K)-Reach is decidable. To decide
CTN(K)-Reach, we reduce the problem CTN(K)-Reach to the problem
DTN(K)-Reach. Given a closed timed network N1 = (Q,), we shall consider
a discrete timed network N2 = (Q,) which is syntactically identical. We
show that for any initial configuration γinit and a controller state sF , there
is a γinit-computation in N1 which leads to the final state sF iff there is a
γinit-computation leading to the final state sF in the derived N2.
The direction from right to left is straightforward.
We give the proof for the other direction. Suppose γinit −→∗ sF , i.e., there is a
γinit-computation π given by γinit = γ0 −→T=δ1 γ′1 −→r1 γ1 −→T=δ2 γ′2 −→r2
γ2 . . . −→T=δn γ′n −→rn γn = γ in N1, where δi ≥ 0 for i : 1 ≤ i ≤ n. Let γj
be of the form (I, qj,Qj , Xj).
Given any ε : 0 ≤ ε < 1, we define a χ0-computation in N2 such that
χ0 −→T=δ′1 χ′1 −→r1 χ1 −→T=δ′2 χ′2 −→r2 χ2 . . . −→rn χn as follows.
Define χ0 = γ0, and for j : 1 ≤ j ≤ n, define χj = (I, qj,Qj , X′j):
(i) X ′j(k)(i) = [δ1 + · · ·+ δj]ε − [δ1 + · · ·+ δl]ε, where l is the largest natural
number ≤ j such that the rule rl resets the clock xk.
(ii) X ′j(k)(i) = [δ1 + · · ·+ δj]ε if the clock xk is never reset.
We define χ′j in a similar manner to γ′j. Furthermore, we define δ′1 = [δ1]ε and
δ′j = [δ1 + · · · + δj]ε − [δ1 + · · · + δj−1]ε for j > 1.
We show that π′ is a computation in N2:
• From the definition of χj−1, χ′j and δ′j and the fact that γj−1 −→T=δj γ′j, it
is clear that χj−1 −→T=δ′j χ′j for j : 1 ≤ j < n. Notice that δ′j ≥ 0.
• To show χ′j −→rj χj , we conclude first that rj is enabled from χ′j. This
follows from the definition of χ′j, the fact that rj is enabled from γ′j and the
fact that, given ξ1, ξ2, ε ∈ R≥0 and k ∈ N:
· ξ1 − ξ2 ≤ k =⇒ [ξ1]ε − [ξ2]ε ≤ k.
· ξ1 − ξ2 ≥ k =⇒ [ξ1]ε − [ξ2]ε ≥ k.
From the definition of χ′j , χj, enabling of the rule rj from χ′j and the fact
that γ′j −→rj γj, it is clear that χ′j −→rj χj for j : 1 ≤ j ≤ n.
Therefore π′ is a computation in N2. Theorem 3.1 follows from this, the fact
that each γj (γ′j) has the same controller state as χj (χ′j) and Theorem 2.2(iii).
Example 3.2 Figure 2 shows a graphical representation of a computation in
a closed timed network with two clocks starting from a configuration given
by ({1, 2, 3} , q,Q, X) where Q(1) = q1,Q(2) = q2,Q(3) = q3 and Xk(j) = 0
for j ∈ {1, 2, 3} and k ∈ {1, 2}. Notice that r0, r1 and r2 reset the clocks
(X1(2), X2(3)), (X2(1)) and (X1(1), X2(1)) respectively. Also, given ε = 0.8,
we have δ′0 = [1.5]ε = 1, δ′1 = [1.8]ε − [1.5]ε = 2 − 1 = 1 and δ′2 = [3.9]ε − [1.8]ε =
4 − 2 = 2. From this, it is easy to see the effect of the discrete transitions.
Example 3.3 As in Figure 2, Figure 3 shows a graphical representation of a
computation in a closed timed network with two clocks starting from the
same configuration given by ({1, 2, 3} , q,Q, X) with q,Q, X as before. We
also consider the same time lapses and the same set of rules. However, in this
case ε = 0.2, and we have δ′0 = [1.5]ε = 2, δ′1 = [1.8]ε − [1.5]ε = 2 − 2 = 0 and
δ′2 = [3.9]ε − [1.8]ε = 4 − 2 = 2. Again, it is easy to see the effect of the discrete
transitions.
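The digitization step can be replayed mechanically. The following added example (not code from the paper) implements the [.]ε operator with exact rationals, reproduces the digitized time lapses of Examples 3.2 and 3.3 for the lapses 1.5, 0.3 and 2.1, and checks the two implications used in the proof on every clock value of that run. The `strict` option goes beyond the text and lists guards with < or > that hold before digitization but not after; all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import accumulate
from math import ceil, floor
import operator


def digitize(delta, eps):
    """[delta]_eps: the preceding integer if fract(delta) < eps, else the following one."""
    delta, eps = Fraction(delta), Fraction(eps)
    if not 0 <= eps < 1:
        raise ValueError("eps must satisfy 0 <= eps < 1")
    return floor(delta) if delta - floor(delta) < eps else ceil(delta)


def timestamps(delays):
    """Absolute times 0, d1, d1+d2, ... at which the discrete transitions fire."""
    return [Fraction(0)] + list(accumulate(Fraction(d) for d in delays))


def digitized_delays(delays, eps):
    """delta'_j = [d1+...+dj]_eps - [d1+...+d(j-1)]_eps, the delays of the DTN run."""
    marks = [digitize(t, eps) for t in timestamps(delays)]
    return [b - a for a, b in zip(marks, marks[1:])]


def broken_guards(delays, eps, strict=False, max_k=5):
    """Guards that hold for a real clock value but fail for its digitization.

    A clock last reset at step l has value T_j - T_l at step j (l = 0 covers a
    clock that was never reset); its digitized value is [T_j]_eps - [T_l]_eps.
    """
    upper, lower = (operator.lt, operator.gt) if strict else (operator.le, operator.ge)
    names = ("<", ">") if strict else ("<=", ">=")
    real = timestamps(delays)
    digi = [digitize(t, eps) for t in real]
    broken = []
    for j in range(len(real)):
        for l in range(j + 1):
            x, y = real[j] - real[l], digi[j] - digi[l]
            for k in range(max_k + 1):
                for test, name in ((upper, names[0]), (lower, names[1])):
                    if test(x, k) and not test(y, k):
                        broken.append((f"x {name} {k}", x, y))
    return broken


# Time lapses of Examples 3.2 and 3.3, written as strings so that Fraction
# parses them exactly (binary floats would misplace fract(1.8) against 0.8).
DELAYS = ["1.5", "0.3", "2.1"]

if __name__ == "__main__":
    for eps in ("0.8", "0.2"):
        print(eps, digitized_delays(DELAYS, eps),
              "closed:", broken_guards(DELAYS, eps),
              "strict:", [g for g, _, _ in broken_guards(DELAYS, eps, strict=True)])
```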
4 Open Timed Networks
In this section, we strengthen the undecidability result of Theorem 2.2(ii)
by showing undecidability of the controller state reachability problem for a
subclass of timed networks, namely open timed networks.
Open Timed Network An open timed network is a timed network in which
guarded commands in the rules may only contain a negation-free boolean
combination of predicates of the form k < x or k > x where x ∈ {x1, . . . , xK}.
We deﬁne the controller state reachability problem for open timed networks
with K clocks (OTN(K)-Reach) in the obvious manner.
In the rest of this section, we prove the following theorem.
Theorem 4.1 OTN(2)-Reach is undecidable.
Notice that Theorem 4.1 implies Theorem 2.2(ii). However, the encoding of
transitions in 2-counter machine is more involved for OTNs.
Fig. 2. Simulating a computation of a CTN by a computation in a DTN for ε = 0.8. (The figure shows the time lapses δ1 = 1.5, δ2 = 0.3, δ3 = 2.1 and the rules r1, r2, r3 of the CTN computation, and the time lapses δ′1 = 1, δ′2 = 1, δ′3 = 2 of the DTN computation.)
2-Counter Machines
First we recall the standard deﬁnition of counter machines. Here, we assume
that such a machine operates on two counters which we call c1 and c2.
A two-counter machine C is a tuple (S, sinit , {c1, c2} , I) where S is a ﬁnite set
of local states with a distinguished initial local state sinit ∈ S, and I is a ﬁnite
set of instructions. An instruction ı is a triple (s1, op, s2), where s1, s2 ∈ S
and op is either an increment (of the form c1 ++ or c2 ++); a decrement
(of the form c1−− or c2−−); or a zero testing (of the form c1 = 0? or
c2 = 0?). A conﬁguration β of a two-counter machine is a triple (s,m1, m2),
where s ∈ S represents the local state, and m1, m2 ∈ N represent the values
of the counters c1 and c2 respectively. The counter machine C induces a
transition relation  on the set of configurations, which is defined as usual
using the standard interpretations of counter operations. We use
∗
 to denote
the reflexive transitive closure of . In a similar manner to timed networks,
we use β
∗
 s to denote that there is a configuration β′ = (s′, m′1, m′2) such that
β
∗
 β′ and s′ = s. We define the initial configuration βinit to be (sinit , 0, 0).
The control state reachability problem for 2-counter machines (CM-Reach)
is: given a local state sF , check whether βinit
∗
 sF . The following result [8] is
well-known.
Fig. 3. Simulating a computation of a CTN by a computation in a DTN for ε = 0.2. (The figure shows the time lapses δ1 = 1.5, δ2 = 0.3, δ3 = 2.1 and the rules r1, r2, r3 of the CTN computation, and the time lapses δ′1 = 2, δ′2 = 0, δ′3 = 2 of the DTN computation.)
Theorem 4.2 CM-Reach is undecidable.
4.1 Encoding of Conﬁgurations
We show undecidability of OTN(2)-Reach through a reduction from
CM-Reach. Given a counter machine C = (S, sinit , {c1, c2} , I), we shall derive
an open timed network OC = (QC,C) with two clocks. First we describe
how to construct the set QC. Then, we describe how configurations of C are
encoded as configurations of OC. Finally, we introduce a special type of
encodings, called proper encodings, which we use in our simulation of C.
States According to the model described in Section 2, the set QC will consist
of two disjoint sets of states: the set QctrlC of controller states and the set QprocC
of process states. The set QctrlC contains three types of states:
(i) The initial controller state idlec.
(ii) Local states of C: all members of S have copies in QctrlC.
(iii) Temporary states: the set QctrlC contains
• three states tmpı1, tmpı2, tmpı3 for each increment instruction ı ∈ I,
• two states tmpı1, tmpı2 for each zero-testing instruction ı ∈ I,
• four states tmps11, tmps12, tmps21 and tmps22, for each controller state s ∈
C, and
• three states s1init , s2init , s3init (recall that sinit is the initial local state of C).
These three states are used as intermediate states in the initialization
phase of the simulation (Section 4.2).
The set QprocC contains three types of states:
(i) The initial process state idlep.
(ii) Six states fst1 , mid1 , last1 , fst2 , mid2 , and last2 , used for encoding the
two counters (as described below).
(iii) A temporary state fstı for each increment instruction ı. This state is used
as an intermediate state in the simulation of incrementing instructions.
Encodings Each configuration β of C will be encoded by a set of
configurations in NC. The local state of β will be encoded by the controller state. Each
counter will be modelled by a counter encoding. A counter encoding arranges
a set of processes as a circular list. The ordering among elements of the list is
defined by the clock values. The length of the list reflects the value of the
counter. To deﬁne counter encodings, we shall use the six process states fst1 ,
mid1 , last1 (used for encoding of c1), and fst2 , mid2 , last2 (used for encoding
of c2). The states fst1 and last1 are the states of the ﬁrst and last processes
in the list encoding the value of c1. All processes in the middle of the list
will be in state mid1 . The states fst2 , mid2 , and last2 play similar roles in
the encoding of c2. Formally, a conﬁguration γ = (I, q,Q, X) is said to be a
c1-encoding of value m if there is an injection h from the set {0, . . . , m + 1}
to I such that the following conditions are satisﬁed.
• Q(h(0)) = fst1 , Q(h(m + 1)) = last1 , and Q(h(i)) = mid1 for each i : 1 ≤
i ≤ m.
• Q(j) ∈ {idlep, fst2 ,mid2 , last2} if j ∈ I \ range(h).
• X1(h(i)) < X2(h(i− 1)) for each i : 1 ≤ i ≤ m + 1.
• X2(h(i)) < X1(h((i + 2))), for each i : 0 ≤ i ≤ m− 1.
• X2(h(m + 1)) < X1(h(0)) < X1(h(1)).
The ﬁrst condition states that the processes which are part of a c1-encoding are
in one of the local states fst1 , mid1 , or last1 . The second condition states that
the processes which are not part of a c1-encoding are in one of the local states
idlep, fst2 , mid2 , or last2 . The last three conditions show how the processes
which are part of a c1-encoding are ordered as a circular list. The position
of each process in the list is reﬂected by values of its clocks x1 and x2. More
precisely, condition three says that except for the first process, clock x1 of each
process in the list is strictly smaller than clock x2 of the previous process.
Condition four says that clock x2 of each process is less than clock x1 of the
second process to its right (except the last two processes). Finally the last
condition states that clock x2 of the last process is strictly less than the clock
x1 of the ﬁrst process, which is again strictly less than the clock x1 of the
second process. We use Val1(γ) to denote the value m of a c1-encoding γ.
Fig. 4. (a) a c1-encoding. (b) Graphical representation of ordering among clocks in c1-encodings.
Example 4.3 Figure 4(a) shows a c1-encoding of value 2. Figure 4(b) shows
a graphical representation of the ordering among clock values. In Section 4.2,
we shall use such a graphical representation to explain the diﬀerent steps in
the simulation of C. Each process is denoted by an edge whose end points are
the values of two clocks of the process and the arrow is at clock x2. Such an
edge is labelled by the current state of the process. Clock values in the list of
clocks in Figure 4(b) are strictly increasing from left to right.
A c2-encoding and its value Val2(γ) are deﬁned in a similar manner.
A conﬁguration γ = (I, q,Q, X) is said to be an encoding if the following two
conditions are satisﬁed:
• q = s for some s ∈ S, i.e., q is the copy of a local state of C.
• γ is both a c1- and a c2-encoding.
If γ satisﬁes the above conditions (i.e. if γ is an encoding), we deﬁne the
signature sig(γ) of γ to be the triple (s,m1, m2), where m1 = Val1(γ)
and m2 = Val2(γ). Intuitively, the triple (s,m1, m2) will correspond to a
conﬁguration of C. Notice that several (in fact inﬁnitely many) conﬁgurations
may have the same signature. However, all such conﬁgurations will have the
same local states and the same orderings on clock values, and therefore will
correspond to the same conﬁguration in C.
Proper Encodings In our simulation of C we shall rely on a particular kind
of encodings, called proper encodings. An encoding γ of the form (I, q,Q, X)
is said to be proper if it satisﬁes the following conditions:
• For each i ∈ I with Q(i) ≠ idlep, 0 < X1(i), X2(i) < 1.
In other words, all clocks participating in the encoding have values between
(not including) zero and one. Certain steps of the simulation (see the
decrementing operation in Section 4.2) are not possible to carry out without an
upper bound on clock values of the processes. Working with proper encodings
guarantees such an upper bound (namely an upper bound of one).
The difference between the above encoding and the encoding in the proof of
Theorem 2.2(ii) is roughly as follows. The encoding in the proof of
Theorem 2.2(ii) needs to have clock x2 of each process (except the last one) exactly
equal to clock x1 of the next process. For OTNs, we need clock x2 of each
process to be strictly larger than clock x1 of the next process (again, except
the last process).
4.2 Encoding of Transitions
Next we perform the second step in deriving the open timed network OC =
(QC,C) from the counter machine C = (S, sinit , {c1, c2} , I). More precisely,
we describe the set of rules C. The set C contains the following rules:
Incrementing For each instruction ı = (s1, c1++, s2) in I there are four rules
in C, namely
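$$
\mathit{inc}^{\imath}_1:\quad
\begin{bmatrix} s_1 \\ \rightarrow \\ \mathit{tmp}^{\imath}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ 0 < x_2 \rightarrow \emptyset \\ \mathit{last}_1 \end{bmatrix}
\begin{bmatrix} \mathit{idle}_p \\ \mathit{true} \rightarrow \{x_2\} \\ \mathit{fst}^{\imath} \end{bmatrix}
$$
$$
\mathit{inc}^{\imath}_2:\quad
\begin{bmatrix} \mathit{tmp}^{\imath}_1 \\ \rightarrow \\ \mathit{tmp}^{\imath}_2 \end{bmatrix}
\begin{bmatrix} \mathit{fst}^{\imath} \\ 0 < x_2 \rightarrow \emptyset \\ \mathit{fst}^{\imath} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ \mathit{true} \rightarrow \{x_1\} \\ \mathit{fst}_1 \end{bmatrix}
$$
$$
\mathit{inc}^{\imath}_3:\quad
\begin{bmatrix} \mathit{tmp}^{\imath}_2 \\ \rightarrow \\ \mathit{tmp}^{\imath}_3 \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ 0 < x_1 \rightarrow \emptyset \\ \mathit{mid}_1 \end{bmatrix}
\begin{bmatrix} \mathit{fst}^{\imath} \\ \mathit{true} \rightarrow \{x_1\} \\ \mathit{fst}_1 \end{bmatrix}
$$
$$
\mathit{inc}^{\imath}_4:\quad
\begin{bmatrix} \mathit{tmp}^{\imath}_3 \\ \rightarrow \\ s_2 \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ 0 < x_1 \rightarrow \emptyset \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ \mathit{true} \rightarrow \{x_2\} \\ \mathit{last}_1 \end{bmatrix}
$$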
The total eﬀect of the four rules is to increment the value of a c1-encoding
by adding one more process to the list. The rule incı1 picks a process in state
idlep and changes its state to fstı. The new process will be placed ﬁrst in the
list. Furthermore, the rule resets clock x2 of the new process in state fstı. The
result of applying rule incı1 on a c1-encoding of value 0 is shown in Figure 5(b).
Rule incı2 resets clock x1 of the process which is now in state fst1 and will
be placed second in the list. This is done in order to maintain the invariant
that clock x1 of each process (except the ﬁrst process) is strictly less than
the clock x2 of the previous process (recall the deﬁnition of an encoding from
Section 4.1). The result of applying rule incı2 is shown in Figure 5(c).
Rule incı3 resets clock x1 of the process which is now in state fstı. It also
changes the states of the processes in fst1 and fstı to states mid1 and fst1
respectively. This is done in order to maintain the invariant that clock x1
of the ﬁrst process is strictly less than the clock x1 of the second process in
the list (recall the deﬁnition of an encoding from Section 4.1). The result
of applying rule incı3 is shown in Figure 5(d). Rule incı4 resets clock x2 of
the process which is now in state last1 . This is done in order to maintain
the invariant that clock x2 of the last process is strictly less than the clock
x1 of the ﬁrst process in the list (recall the deﬁnition of an encoding from
Section 4.1). The result of applying rule incı4 is shown in Figure 5(e).
Fig. 5. Simulating (s1, c1++, s2) on a c1-encoding, panels (a) to (e).
Some remarks about rules incı1, incı2, incı3 and incı4:
• After execution of incı1 (incı2, incı3 resp.), the controller will be in state
tmpı1 (tmpı2, tmpı3 resp.) and therefore incı2 (incı3, incı4 resp.) is the only
rule which may eventually be enabled after execution of incı1 (incı2, incı3
resp.).
• The guard 0 < x2 in the definition of incı1 and incı2 is to guarantee that
all clocks have positive values before the rule is applied. This makes sure
that we avoid the scenario where we “accidentally” equate some clocks with
the ones which are reset during the application of incı1 (incı2). The same
reasoning applies to the guard 0 < x1 in the definition of the rules incı3 and
incı4. Similar guards exist in the rest of the rules described in this section.
• After application of incı4, the resulting encoding will not be proper. We can
re-create a proper encoding by letting time pass through a timed transition.
Also, for each instruction of the form (s1, c2++, s2), there are four rules similar
to the rules described above (replacing the states fst1 , mid1 , and last1 by fst2 ,
mid2 and last2 , respectively).
Decrementing For each instruction ı = (s1, c1−−, s2) in I there is a rule in
C, namely
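\[
\mathit{dec}^{\imath} :\quad
\begin{bmatrix} s_1 \\ \to \\ s_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ (0 < x_2) \wedge (x_1 < 1) \to \emptyset \\ \mathit{idle}^{p} \end{bmatrix}
\begin{bmatrix} \mathit{mid}_1 \\ 1 < x_2 \to \{x_2\} \\ \mathit{last}_1 \end{bmatrix}
\]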
The rule decı decrements the value of a c1-encoding by removing the last
process of the list. More precisely, it changes the state of the last process to
idlep (i.e. removes that process from the list), and changes the state of the
process which is next last from mid1 to last1 . In order to do that, we have to
be able to identify the process which is next last in the list. Since all processes
in the middle of the list are in state mid1 , we cannot identify the next last
process simply by checking process states. Instead, we wait until the value of
clock x2 of the process (next last) in the state mid1 is greater than one, but
the clock x1 of the process in last1 is still less than 1. Figure 6 shows the eﬀect
of applying the rule to a c1-encoding of value 2. Some remarks about the rule
decı:
Fig. 6. Simulating (s1, c1−−, s2) on a c1-encoding [Figure: panels (a) and (b), processes labelled fst1, mid1 and last1.]
• Identifying the next last process uses the assumption that we start from a
proper encoding. This implies that clocks of processes participating in the
encoding have all values which are less than one. If this property is violated
then the rule is not enabled (and will not become enabled through passage
of time).
• The rule is not enabled in case the value of the c1-encoding is equal to zero,
since there will be no process in state mid1 .
• Waiting for clock x1 of the next last process in the c1-encoding to become
greater than one may enforce clocks of processes in the c2-encoding to become
greater than one. More precisely, this happens if some clock in a
process which is part of the c2-encoding has a greater value than the clocks
of each process in c1-encoding. After applying decı, the value of such clocks
will be greater than one, and therefore the resulting configuration will not
be a proper encoding.
Figure 7 illustrates this scenario. We consider a proper encoding (shown
in Figure 7(a)) with signature (s1, 1, 1) such that the largest clock value (0.7) in
the c1-encoding is less than the largest clock value (0.9) in the c2-encoding. In order
to enable the rule decı, we let time pass until clock x2 of the process mid1
(with largest clock value) becomes larger than one (shown in Figure 7(b))
while clock x1 of the process in state last1 is still less than one. However,
at this point of time, both clock x2 of a process in state mid2 and clock
x1 of the process in state last2 have become larger than one (1.21 and 1.11
respectively). Therefore, after applying decı, we get an encoding (of
value (s2, 0, 1)) shown in Figure 7(c), which is not proper. This prevents
any later application of decrementing and zero-testing rules.
Fig. 7. Decrementing may result in an improper encoding. [Figure: panels (a), (b) and (c); a timed transition T=0.31 leads from (a) to (b) and dec from (b) to (c).]
To keep it possible to maintain proper encodings in
our simulation, we combine the rule decı with the rotation rules described
below.
In a similar way to incrementing, there is also a rule corresponding to an
instruction of the form (s1, c2−−, s2).
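Rotation To make it always possible to obtain a proper encoding after
decrementing the value of a c1- or a c2-encoding (see the decrementing rule above),
we add a set of rotation rules. More precisely, for each state s ∈ S, the set C
contains the following four rules
\[
\mathit{rot}^{s}_{2,1} :\quad
\begin{bmatrix} s \\ \to \\ \mathit{tmp}^{s}_{21} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_2 \\ \mathit{true} \to \{x_1\} \\ \mathit{fst}_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_2 \\ 0 < x_2 \to \emptyset \\ \mathit{last}_2 \end{bmatrix}
\]
\[
\mathit{rot}^{s}_{2,2} :\quad
\begin{bmatrix} \mathit{tmp}^{s}_{21} \\ \to \\ \mathit{tmp}^{s}_{22} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_2 \\ 0 < x_1 \to \emptyset \\ \mathit{mid}_2 \end{bmatrix}
\begin{bmatrix} \mathit{mid}_2 \\ 1 < x_2 \to \emptyset \\ \mathit{last}_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_2 \\ x_1 < 1 \to \{x_1\} \\ \mathit{fst}_2 \end{bmatrix}
\]
\[
\mathit{rot}^{s}_{2,3} :\quad
\begin{bmatrix} \mathit{tmp}^{s}_{21} \\ \to \\ \mathit{tmp}^{s}_{22} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_2 \\ (0 < x_1) \wedge (1 < x_2) \to \emptyset \\ \mathit{last}_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_2 \\ x_1 < 1 \to \{x_1\} \\ \mathit{fst}_2 \end{bmatrix}
\]
\[
\mathit{rot}^{s}_{2,4} :\quad
\begin{bmatrix} \mathit{tmp}^{s}_{22} \\ \to \\ s \end{bmatrix}
\begin{bmatrix} \mathit{fst}_2 \\ 0 < x_1 \to \emptyset \\ \mathit{fst}_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_2 \\ \mathit{true} \to \{x_2\} \\ \mathit{last}_2 \end{bmatrix}
\]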
These rules do not correspond to any instruction in C; nor do they change
the signature of the encoding. In simulating C, we use the rotation rules in
connection with decrementing. Recall that if ı = (s1, c1−−, s2) then applying
a rule decı will not give a proper encoding in case the c2-encoding has clocks
with greater values than the clocks of the processes in the c1-encoding. The
role of rots2,1, rots2,2, rots2,4 then is to decrement clock values of processes
which are part of a c2-encoding of positive value while preserving the signature
of the whole encoding. More precisely,
• rots2,1 resets the clock x1 of the process in state fst2 . This process will be
made second in the list by the next executed rule, i.e. rots2,2.
• rots2,2 resets the clock x1 of the process in last2 and makes this process
first in the list. This rule also changes the state of the next last process
to last1 and the state of the second process (previously in fst1 ) to mid1 .
The identification of the next last process is the same as that in case of
decrementing. The explanation of rots2,3 is similar, but rots2,3 is only applied
if the c2 encoding has value 0.
• rots2,4 resets the clock x2 of the process currently in state last2 .
This again amounts to a rotation of the list corresponding to the c2-encoding
of non-zero positive value. Figures 8(b), (c) and (d) graphically show the effect
of applying these rules to a c2-encoding of value 1 in Figure 8(a). After the
last step, we can perform a timed transition and obtain a proper encoding.
Fig. 8. Rotation of c2-encoding of value 1. [Figure: panels (a)–(d), processes labelled fst2, mid2 and last2.]
This amounts to a rotation of the list corresponding to the c2-encoding. The
rotation can be repeated until sufficiently many processes in the c2-encoding
have been moved. When there are no clocks in the c2-encoding with greater
clock values than the largest clock value in the c1-encoding, the rotation stops
and decı can now be safely applied. We illustrate the role of rots2,1, rots2,2 and
rots2,4 through Figure 9.
Also if, before applying decı, the largest clock value in a c1-encoding is the same
as that in a c2-encoding, then we need to apply $\mathit{rot}^{s_2}_{2,1}$, $\mathit{rot}^{s_2}_{2,2}$, $\mathit{rot}^{s_2}_{2,4}$ in
sequence once more after decrementing (this scenario does not occur in Figure 9,
but is considered in the correctness proof).
The rule rots2,3 is used instead of the rule rots2,2 when we use the rotation of
a c2-encoding of value 0.
There are also similar rules rots1,1, rots1,2, rots1,3, and rots1,4, which are used
to rotate a c1-encoding and which are used in connection with rules of the
form decı with ı = (s1, c2−−, s2).
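The interplay of decrementing and rotation described above, replayed as an added example (not code from the paper): each rule is a list of guarded process transitions and the controller component is omitted. The clock values and delays are sample values chosen to reproduce the quantities quoted in the text (0.7, 0.9, 1.21, 1.11), and reading the counter value as the number of mid processes is an assumption.

```python
from decimal import Decimal as D

# A process is [state, x1, x2]; a configuration is a list of processes.
# A rule is a list of process transitions (source, guard, resets, target).
# The controller component of each rule is left out of this sketch.

def delay(config, t):
    """Timed transition: every clock of every process advances by t."""
    return [[s, x1 + D(t), x2 + D(t)] for s, x1, x2 in config]

def apply_rule(config, rule):
    """Fire `rule` on distinct processes; return None if it is not enabled.
    Greedy matching suffices: each rule below has distinct source states."""
    new, used = [list(p) for p in config], set()
    for source, guard, resets, target in rule:
        for k, (s, x1, x2) in enumerate(config):
            if k not in used and s == source and guard(x1, x2):
                used.add(k)
                new[k] = [target,
                          D(0) if "x1" in resets else x1,
                          D(0) if "x2" in resets else x2]
                break
        else:
            return None
    return new

def dec(c):
    """dec for an instruction (s1, c--, s2): drop the last process and
    promote the mid process whose x2 has passed one."""
    return [(f"last{c}", lambda x1, x2: 0 < x2 and x1 < 1, (), "idle"),
            (f"mid{c}", lambda x1, x2: 1 < x2, ("x2",), f"last{c}")]

def rot(c):
    """rot_{c,1}, rot_{c,2}, rot_{c,4}: rotate a c-encoding of positive value."""
    fst, mid, last = f"fst{c}", f"mid{c}", f"last{c}"
    return [
        [(fst, lambda x1, x2: True, ("x1",), fst),
         (last, lambda x1, x2: 0 < x2, (), last)],
        [(fst, lambda x1, x2: 0 < x1, (), mid),
         (mid, lambda x1, x2: 1 < x2, (), last),
         (last, lambda x1, x2: x1 < 1, ("x1",), fst)],
        [(fst, lambda x1, x2: 0 < x1, (), fst),
         (last, lambda x1, x2: True, ("x2",), last)],
    ]

def proper(config):
    """Property of proper encodings stated in the text: every clock of a
    process taking part in an encoding is below one."""
    return all(x1 < 1 and x2 < 1 for s, x1, x2 in config if s != "idle")

def value(config, c):
    """Counter value read off as the number of mid processes (assumption)."""
    return sum(1 for s, _, _ in config if s == f"mid{c}")

def initial():
    """Constructed encoding with signature (s1, 1, 1): the largest c1 clock
    is 0.7 and the largest c2 clock is 0.9."""
    rows = [("fst1", "0.2", "0.4"), ("mid1", "0.3", "0.7"), ("last1", "0.5", "0.1"),
            ("fst2", "0.1", "0.3"), ("mid2", "0.2", "0.9"), ("last2", "0.8", "0.05")]
    return [[s, D(a), D(b)] for s, a, b in rows]

def dec_without_rotation():
    """Wait 0.31 so that x2 of mid1 exceeds one, then decrement c1."""
    return apply_rule(delay(initial(), "0.31"), dec(1))

def dec_after_rotation():
    """Rotate the c2-encoding once (delays 0.11, 0.01, 0.01), wait 0.18,
    then decrement c1."""
    config = initial()
    for t, rule in zip(("0.11", "0.01", "0.01"), rot(2)):
        config = apply_rule(delay(config, t), rule)
    return apply_rule(delay(config, "0.18"), dec(1))

if __name__ == "__main__":
    for name, run in (("no rotation", dec_without_rotation),
                      ("rotation first", dec_after_rotation)):
        result = run()
        print(name, "proper:", proper(result),
              "values:", value(result, 1), value(result, 2))
```

Both runs end with signature values (0, 1), but only the run that rotates the c2-encoding first leaves every participating clock below one.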
Fig. 9. Decrementing preceded by rotation [Figure: panels (a)–(e); transition labels T=0.11, rot 2,1, T=0.01, rot 2,2, T=0.01, rot 2,4, T=0.18, dec.]
Zero Testing For each instruction ı = (s1, c1 = 0?, s2) in I there are rules in
C, namely tstı1, tstı2 and tstı3. These three rules check that the value of the
encoding is zero by testing that there are no processes in state mid1 . This is
done by verifying that the process which is next last in the list is the same as
the process which is first in the list in a manner similar to the decrementing
rule.
For each instruction ı = (s1, c1 = 0?, s2) in C there are three rules in C,
namely
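\[
\mathit{tst}^{\imath}_{1} :\quad
\begin{bmatrix} s_1 \\ \to \\ \mathit{tmp}^{\imath}_{1} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ \mathit{true} \to \{x_1\} \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ 0 < x_2 \to \emptyset \\ \mathit{last}_1 \end{bmatrix}
\]
\[
\mathit{tst}^{\imath}_{2} :\quad
\begin{bmatrix} \mathit{tmp}^{\imath}_{1} \\ \to \\ \mathit{tmp}^{\imath}_{2} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ (0 < x_1) \wedge (1 < x_2) \to \emptyset \\ \mathit{last}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ x_1 < 1 \to \{x_1\} \\ \mathit{fst}_1 \end{bmatrix}
\]
\[
\mathit{tst}^{\imath}_{3} :\quad
\begin{bmatrix} \mathit{tmp}^{\imath}_{2} \\ \to \\ s_2 \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ 0 < x_1 \to \emptyset \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ \mathit{true} \to \{x_2\} \\ \mathit{last}_1 \end{bmatrix}
\]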
The rules interchange the processes in states fst1 and last1 and reset the
appropriate clocks to preserve the invariants of an encoding in a manner similar
to the rotation rules described above. The explanations of the rules tstı1, tstı2
and tstı3 are in fact similar to those for the rules rots1,1, rots1,3 and rots1,4
respectively. Sometimes before applying the rules for zero-testing, one has to
apply the rotation rules according to the same scenarios explained for the
decrementing rule.
Figure 10 shows the effect of applying the rule to a c1-encoding of value 0.
Fig. 10. Simulating (s1, c1?0, s2) on a c1-encoding of value zero. [Figure: panels (a)–(d), processes labelled fst1 and last1.]
Also, there are similar rules in C for each instruction of the form ı =
(s1, c2 = 0?, s2).
Initialization The initial phase consists of the following four rules.
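\[
\mathit{init}_{1} :\quad
\begin{bmatrix} \mathit{idle}^{c} \\ \to \\ s^{1}_{init} \end{bmatrix}
\begin{bmatrix} \mathit{idle}^{p} \\ \mathit{true} \to \{x_2\} \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{idle}^{p} \\ \mathit{true} \to \{x_2\} \\ \mathit{fst}_2 \end{bmatrix}
\]
\[
\mathit{init}_{2} :\quad
\begin{bmatrix} s^{1}_{init} \\ \to \\ s^{2}_{init} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ 0 < x_2 \to \emptyset \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{idle}^{p} \\ \mathit{true} \to \{x_1\} \\ \mathit{last}_1 \end{bmatrix}
\begin{bmatrix} \mathit{idle}^{p} \\ \mathit{true} \to \{x_1\} \\ \mathit{last}_2 \end{bmatrix}
\]
\[
\mathit{init}_{3} :\quad
\begin{bmatrix} s^{2}_{init} \\ \to \\ s^{3}_{init} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ \mathit{true} \to \{x_1\} \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{fst}_2 \\ \mathit{true} \to \{x_1\} \\ \mathit{fst}_2 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ 0 < x_1 \to \emptyset \\ \mathit{last}_1 \end{bmatrix}
\]
\[
\mathit{init}_{4} :\quad
\begin{bmatrix} s^{3}_{init} \\ \to \\ s_{init} \end{bmatrix}
\begin{bmatrix} \mathit{fst}_1 \\ 0 < x_1 \to \emptyset \\ \mathit{fst}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_1 \\ \mathit{true} \to \{x_2\} \\ \mathit{last}_1 \end{bmatrix}
\begin{bmatrix} \mathit{last}_2 \\ \mathit{true} \to \{x_2\} \\ \mathit{last}_2 \end{bmatrix}
\]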
The role of the initialization rules is to bring OC from its initial configuration
(where the controller and all processes are idle) into a configuration which is
an encoding of the initial configuration βinit of C.
The first rule init1 takes the controller into the temporary state s1init . It also
picks two idle processes to be the first processes in the c1-encoding and
c2-encoding (each with value zero). Clock x2 of both processes is reset.
The second rule init2 changes the controller state to s2init and picks two more
processes to be the last processes in the c1-encoding and c2-encoding. This
rule is enabled if the clock x2 of the process fst1 is strictly larger than 0. Also,
clock x1 of both new processes is reset. The third rule init3 is enabled
when the clock x1 of the process last1 is greater than 0, and it changes the
controller state to s3init . It also resets the clock x1 of the processes in state
fst1 and fst2 respectively. The fourth rule init4 changes the controller state
to sinit . It also resets the clock x2 of the processes in state last1 and last2
respectively and completes the creation of the c1-encoding and c2-encoding of
value zero. Finally, applying a timed transition yields a proper encoding. The
effect of the rules init1, init2, init3 and init4 is illustrated in Figure 11
(only the c1-encoding is shown).
Fig. 11. Initialization. Figure (d) shows a graphical representation of a c1-encoding of value 0. [Figure: panels (a)–(d), processes labelled fst1 and last1.]
Correctness
Let C = (S, sinit , {c1, c2} , I) be a counter machine and let OC = (QC,C)
be an open timed network derived from C as described in Section 4.1 and
Section 4.2. Let  and −→ be the transition relations induced by C and
OC respectively. Also, let
∗
 and
∗
−→ be their respective reﬂexive, transitive
closures.
If sF is a control state in C then the following holds
Theorem 4.4 βinit
∗
 sF iﬀ γinit
∗
−→ sF for some initial conﬁguration γinit
of OC.
We show the proof of Theorem 4.4 in Appendix. Theorem 4.1 directly follows
from Theorem 4.4.
5 Robust Timed Networks
In this section, we deﬁne the robust semantics of timed network. We show
that the controller state reachability is undecidable for robust timed networks.
Notice that the problem is decidable for robust timed automata.
First we deﬁne a timed event to be a pair (ξ, r) where ξ is the timestamp
of the rule r ∈ . A timed trace is a ﬁnite sequence of timed events with
non-decreasing timestamps.
Given a computation γinit −→T=δ1−→r1 γ1 . . . γn−1 −→T=δn−→rn γn of a
timed network, there is an associated timed trace tt(π) = 〈(ξ1, r1), . . . , (ξn, rn)〉
where ξ1 = δ1 and ξi = Σ1≤j≤iδj. Consider a timed network N . Let Γinit be
the (inﬁnite) set of initial conﬁgurations (deﬁned as in Section 2) and let SF
be a set of ﬁnal controller states. We deﬁne the language L(N) of N as a set
consisting of timed traces tt(π) where π is a γinit-computation with γinit ∈ Γinit
and π leads to some ﬁnal controller state in SF .
Next we define a metric D on the set of all timed traces of a timed
network as follows. Given two timed traces w = 〈(ξ1, r1), . . . , (ξn, rn)〉 and
w′ = 〈(ξ′1, r′1), . . . , (ξ′n, r′n)〉, let
• D(w, w′) = ∞ if there is a j : 1 ≤ j ≤ n such that rj ≠ r′j .
• D(w, w′) = max{|ξj − ξ′j| : 1 ≤ j ≤ n}.
As argued in [4], any other ‘reasonable’ metric on timed traces of timed
networks yields the same topology as the metric D .
For the metric D , a timed trace w , and a positive real ε ∈ R+, we deﬁne the
D-tube around w of diameter ε to be the set T (w , ε) = {w ′ | D(w ,w ′) < ε}
of all timed traces at a distance less than ε from w . A D-open set Op is a set
of timed traces such that for all timed trace w ∈ Op, there is a positive real
ε ∈ R+ with T (w , ε) ⊆ Op. Thus, if a D-open set contains a computation π,
then it also contains all computations in some neighbourhood of π. From now
on, we shall omit reference to D and use ’open’ to mean a D-open set.
Let the set of all timed traces be called TT . A set tts of timed traces is closed
if its complement TT − tts is open. The closure tts of a set tts of timed traces
is the least closed set containing tts and the interior ttsint is the greatest open
set contained in tts. Given a set O, we use [O] to denote the set (O)int.
The language L of a timed network induces a robust language [L] = (L)int.
The set [L] represents the set of timed traces of N under the robust seman-
tics. Notice that a computation π is in [L] if and only if there is some open
neighbourhood T (π, ε) around π within some distance ε such that each timed
trace in the neighbourhood is also included in the closure of the set L of
computations of TN.
5.1 Open Robust Timed Networks
In the following, we consider timed networks where clock constraints are
negation-free and disjunction-free. For any given timed network, one can
easily obtain such an equivalent timed network. Next we show the following.
Open Robust Reachability (OTN(K)-Robust-Reach)
Instance: An open timed network O = (Q,) with K clocks and a set SF
of controller states.
Question: Is [L(O)] = ∅ ?
We show that the above problem is undecidable (Theorem 5.4). The unde-
cidability proof in Theorem 5.4 uses the following three lemmas.
Lemma 5.1 For every open timed network O, L(O) is an open set.
Proof. This proof is adapted from [4], where they show this lemma for
timed automata. Consider an arbitrary timed trace w ∈ L(O). Let
w = 〈(ξ1, r1), . . . , (ξn, rn)〉. Since w ∈ L(O), there is a computation π =
γinit −→T=δ1 γ′1 −→r1 γ1 . . . −→T=δn γ′n −→rn γn, where δi = ξi − ξi−1 for
i : 1 < i ≤ n and δ1 = ξ1. Let γ′i be of the form (I, qi, Qi, Xi).
We will show that there is a positive ε such that T (w , ε) ⊆ L(O).
For each i : 1 ≤ i ≤ n,
• let εi be a real number strictly smaller than the minimum of the distances
|K − Xik(j)| (where j ∈ I) such that there is a guard xk < K or xk > K in
the rule ri and g(Xik(j)) is satisfied (since all clock constraints are strict,
these distances are strictly positive).
We define ε := min {εi/2 | 1 ≤ i ≤ n}.
Consider any timed trace w′ = 〈(ξ′′1 , r1), . . . , (ξ′′n, rn)〉 where D(w, w′) < ε.
This means that |ξ′′i − ξi| < ε for each i. We show that there is in fact
a γinit-computation γinit −→T=δ′1 β′1 −→r1 β1 . . . −→T=δ′n β′n −→rn βn, i.e.,
w′ ∈ L(O).
Let β′i be of the form (I, qi, Qi, X′′i). Also, let ε′i = |ξ′′i − ξi| for each i.
Recall that ε′i < ε. In π, consider a clock value Xik(j). We show that if
the clock participated in rule ri at global time ξi, with its new valuation
at time ξ′′i , it can still participate in the rule ri. Either Xik(j) = ξi if it
was never reset or X ik(j) = ξi − ξ if it was last reset by the rule r. Now,
consider ξ′′i − ξ
′′
 . We know that |ξ
′′
i − ξi| < ε and |ξ
′′
 − ξ| < ε. Then
ξ′′i − ξ
′′
 < (ξi + ε)− (ξ − ε) = ξi − ξ + 2 ∗ ε = ξi − ξ + min(εi : 1 ≤ i ≤ n).
From deﬁnition of ε and the fact that X ′′ik(j) = ξ
′′
i − ξ
′′
 , we know that the
guard g(X ′′ik(j)) is still true and we have β
′
i −→ri βi.
The case when the clock is never reset before is handled in a similar manner.
Let δ′i = ξ′′i − ξ′′i−1 and δ′1 = ξ′′1 . Define $\beta'_i = \beta_{i-1}^{+\delta'_i}$ for i > 1 and $\beta'_1 = \gamma_{init}^{\delta'_1}$.
From the assumption that w′ is a timed trace, i.e., ξ′′i−1 ≤ ξ′′i , it is clear that
β′i−1 −→T=δ′i β′i for i > 1 and γinit −→T=δ′1 β′1.
This means that w′ ∈ L(O). This implies that T (w , ε) ⊆ L(O) and thus L(O)
is an open set. □
Lemma 5.2 For an open set Op, Op = ∅ iﬀ [Op] = ∅.
Proof. Assume that Op = ∅. Then Op = ∅. Then (Op)int = ∅, i.e., [Op] = ∅.
Now we show the proof for the other direction. Op ⊆ Op and Opint ⊆ (Op)int.
Since Op is open, Op = Opint. Thus, Op ⊆ (Op)int. Now, if (Op)int = ∅, then
from the above, it follows that Op = ∅. □
Lemma 5.3 For every open timed network O, L(O) = ∅ iﬀ [L(O)] = ∅.
Proof. Since L(O) is an open set by Lemma 5.1, the proof follows from
Lemma 5.2. 
Now we show the following.
Theorem 5.4 OTN(2)-Robust-Reach is undecidable.
Proof. The undecidability of OTN(2)-Reach (Theorem 4.1) means that it is
undecidable for an open timed network O whether L(O) = ∅. From this and
Lemma 5.3, the theorem follows. 
5.2 Closed Robust Timed Networks
In section 3, we showed that CTN(K)-Reach under standard semantics is
decidable. In this section, we show that the problem becomes undecidable
under robust semantics.
First, we deﬁne runs, which are extensions of traces and computations.
Deﬁnition 5.5 A run τ is a tuple (γinit ,∆, H,R) where:
• γinit = (I, q,Q, X) is an initial conﬁguration of a timed network.
• ∆ = 〈δ1, . . . , δn〉 is a ﬁnite sequence of delays.
• R = 〈r1, . . . , rn〉 is a finite sequence of rules. For i : 1 ≤ i ≤ n, let mi be
the number of transitions in rule ri.
• H = 〈h1, . . . , hn〉 is a finite sequence of injections. For i : 1 ≤ i ≤ n, hi :
{1, . . . , mi} → I.
We say that a run τ is valid with respect to a timed network N if
∃〈γ0, γ′1, γ1, . . . , γ′n, γn〉 : γ0 = γinit , γ′i −→ri γi, γi−1 −→T=δi γ′i and hi is a
witness injection for γ′i −→ri γi for i ∈ {1, . . . , n}. Note that for given H
and ∆, there is at most one 〈γ0, γ′1, γ1, . . . , γ′n, γn〉 satisfying these conditions.
Let comp(τ) denote this sequence of conﬁgurations if it exists. We extend tt
to runs in the obvious manner. Several computations may correspond to the
same timed trace, and several runs may correspond to the same computation.
The next lemma relates traces and runs.
Lemma 5.6 Let N be a timed network. If there exists an infinite sequence
〈wi〉 ∈ L(N ) where the distance between any two elements is at most ε < ∞,
then there exists an infinite sequence 〈τij〉 of valid runs of N of the form
(γ, ∆ij , H, R) such that tt(τij ) = wij . In other words, these valid runs differ
only in their sequences of delays.
Proof. Assume 〈wi〉 and ε satisfying the above conditions. Since the distance
between any two timed traces in 〈wi〉 is at most ε < ∞, all wi are of the same
length n and all wi share the same sequence of rules R = 〈r1, . . . , rn〉. There
is an infinite sequence 〈τi〉 of valid runs such that tt(τi) = wi since wi ∈ L(N ).
Let each τi be of the form (γi, ∆i, Hi, R). Let L be the number of transitions in
the largest rule multiplied by n. The number of processes participating in each
run of length n is at most L. Without loss of generality, assume the index set
of each γi is I = {1, . . . , L}. From the fact that all γi are initial configurations,
we conclude that all clock values in γi are equal to 0, all processes are in idlep
and the controller is in idlec . As all γi share the same index set, all γi are
identical. Let γ = γi. The set of injections from {1, . . . , L} to I = {1, . . . , L}
is obviously finite, and so is the set of sequences of length n of such injections.
Therefore, there must exist an infinite subsequence 〈τij〉 of 〈τi〉 where all runs
share the same sequence of injections H . Each run in this subsequence is of
the form (γ, ∆ij , H, R). □
To prove the undecidability of CTN(K)-Robust-Reach, we show the following
two lemmas.
Lemma 5.7 Given a closed timed network N , L(N ) is closed.
Proof. Let 〈wi〉 be an inﬁnite sequence of timed traces in L(N ) converging
to a timed trace w . To prove that L(N ) is closed, it is enough to show that
w ∈ L(N ).
By Lemma 5.6, there is an inﬁnite sequence 〈τi〉 of valid runs, where each τi
is of the form (γ,∆i, H,R).
The convergence of 〈wi〉 implies the convergence of sequence 〈∆i〉. Let ∆
be the limit of 〈∆i〉, and let τ = (γ,∆, H,R) with ∆ = 〈δ1, . . . , δn〉, H =
〈h1, . . . , hn〉, R = 〈r1, . . . , rn〉. Clearly, tt(τ) = w . We will show that τ is a
valid run of N .
We show by induction on the length of runs that the sequence 〈comp(τi)〉
converges. Let $\langle \gamma^{i}_{0}, \gamma'^{i}_{1}, \gamma^{i}_{1}, \ldots, \gamma'^{i}_{n}, \gamma^{i}_{n} \rangle = comp(\tau_i)$.
Induction hypothesis IH(k) : $\langle \gamma^{i}_{0} \rangle$ converges, $\forall j : 1 \le j \le k$ : $\langle \gamma^{i}_{j} \rangle$ converges
and $\langle \gamma'^{i}_{j} \rangle$ converges.
Base case $\forall i : \gamma^{i}_{0} = \gamma$, so $\langle \gamma^{i}_{0} \rangle$ clearly converges to $\gamma_0 = \gamma$.
Induction Step Assume 1 ≤ k ≤ n − 1 and IH(k).
• $\forall i : \gamma'^{i}_{k+1} = \gamma^{i}_{k} + \delta^{i}_{k+1}$. Since $\langle \delta^{i}_{k+1} \rangle$ converges to $\delta_{k+1}$, and $\langle \gamma^{i}_{k} \rangle$ converges to
$\gamma_k$ by induction hypothesis, $\langle \gamma'^{i}_{k+1} \rangle$ converges to $\gamma_k + \delta_{k+1}$.
• Let $X_{k+1}$ be the clock mapping defined as follows. For each process p used
by $h_{k+1}$ to execute $r_{k+1}$, $X_{k+1}(l)(p)$ is 0 if $x_l$ is reset. For all other processes
p and clocks $x_l$, $X_{k+1}(l)(p) = X_k(l)(p) + \delta_{k+1}$. Note that each clock mapping
$X^{i}_{k+1}$ of $\gamma^{i}_{k+1}$ is defined as follows. For each process p used by $h_{k+1}$ to execute
$r_{k+1}$, $X^{i}_{k+1}(l)(p)$ is 0 if $x_l$ is reset. For all other processes p and clocks $x_l$,
$X^{i}_{k+1}(l)(p) = X^{i}_{k}(l)(p) + \delta^{i}_{k+1}$. Since $\langle X^{i}_{k} \rangle$ converges to $X_k$ by induction
hypothesis and $\langle \delta^{i}_{k+1} \rangle$ converges to $\delta_{k+1}$, $\langle X^{i}_{k+1} \rangle$ converges to $X_{k+1}$, and
$\langle \gamma^{i}_{k+1} \rangle$ converges.
Let the sequence of configurations 〈γ0, γ′1, γ1, . . . , γn〉 be the limit of
〈comp(τi)〉. All clock values in these configurations are limits of clock
values in 〈comp(τi)〉. By definition of closed sets, all sequences converging in a
closed set do so within the set. This implies that all guards satisfied in each
comp(τi) are still satisfied in 〈γ0, γ′1, γ1, . . . , γn〉. Therefore it is the case that
γ0 −→T=δ1 γ′1 −→r1 γ1 . . . −→rn γn.
□
For a timed network N , we let N be the closed timed network derived from
N by replacing each strict constraint by its non-strict counter-part.
Lemma 5.8 For an open timed network O, if there exist w and ε > 0 such
that T (w , ε) ⊆ L(O) then L(O) = ∅.
Proof. Consider w = 〈(ξ1, r1) . . . (ξn, rn)〉 and ε which satisfy the above con-
straints.
Let ε′ be such that
\[
0 < \varepsilon' < \frac{1}{n}\,\min\Bigl( \{1 - \mathrm{fract}(\xi_i),\ 1 \le i \le n\} \cup \{1 - \mathrm{fract}(\xi_j - \xi_i),\ 1 \le i < j \le n\} \cup \{\varepsilon\} \Bigr)
\]
Let w′ = 〈(ξ′1, r1) . . . (ξ′n, rn)〉, where ξ′i = ξi + iε′. It is the case that D(w′, w) <
ε, hence w′ ∈ L(O). Moreover, since ε′ < (1 − fract(ξi))/n and i ≤ n, fract(ξ′i) ≠ 0.
For 1 ≤ i < j ≤ n, let ∆(i, j) = ξ′j − ξ′i = ξj − ξi + (j − i)ε′. ∆(i, j) denotes the
amount of time elapsed between events i and j in w′. Since ε′ < (1 − fract(ξj − ξi))/n
and 0 ≤ (j − i) ≤ n, ∆(i, j) ≠ 0.
Consider any computation π = γ0 −→T=ξ1+ε′ γ′1 −→r1 γ1 −→T=∆(1,2)
γ′2 . . . γn−1 −→T=∆(n−1,n) γ′n −→rn γn.
Each clock value in each γ′i is either of the form ξ′i if the clock was never
reset, or ξ′i − ξ′j if it was most recently reset in event j. Hence its value is
in {∆(i, j), 1 ≤ i < j ≤ n} ∪ {ξi + iε′, 1 ≤ i ≤ n}, which does not intersect the
set of natural numbers. Therefore no clock value is a natural number, which
means that all runs of π satisfy all guards of O strictly. Finally, this implies
that they satisfy all guards of O, and w′ ∈ L(O).
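The perturbation used in this proof, as an added example that is not part of the paper: it shifts the i-th timestamp by iε′ and checks that every clock value then lies off the integers, so a strict guard and its non-strict counterpart give the same answer. It assumes D is infinite whenever the rule sequences (or lengths) of two traces differ and that guard constants are natural numbers; the sample trace is constructed.

```python
from fractions import Fraction as F
from math import floor, inf

def fract(x):
    """Fractional part of a non-negative rational."""
    return x - floor(x)

def distance(w, w2):
    """Metric D on timed traces: infinite when the rule sequences differ
    (assumed also for different lengths), else the largest timestamp gap."""
    if len(w) != len(w2) or any(r != r2 for (_, r), (_, r2) in zip(w, w2)):
        return inf
    return max((abs(t - t2) for (t, _), (t2, _) in zip(w, w2)), default=F(0))

def shift_off_integers(w, eps):
    """Choose eps' below (1/n) * min(...) as in the proof and return
    (eps', w') where the i-th timestamp of w' is xi_i + i * eps'."""
    n = len(w)
    ts = [t for t, _ in w]
    bounds = [1 - fract(t) for t in ts]
    bounds += [1 - fract(ts[j] - ts[i]) for i in range(n) for j in range(i + 1, n)]
    bounds.append(eps)
    eps1 = min(bounds) / (2 * n)   # any value in (0, min/n) would do
    return eps1, [(t + (i + 1) * eps1, r) for i, (t, r) in enumerate(w)]

def clock_values(w):
    """Values a clock can hold when a rule fires: xi_i if it was never
    reset, or xi_i - xi_j if it was last reset at an earlier event j."""
    ts = [t for t, _ in w]
    return ts + [ts[i] - ts[j] for i in range(len(ts)) for j in range(i)]

def guards_agree(values, constants):
    """True if x < K and x <= K (and x > K and x >= K) coincide on all values."""
    return all((v < k) == (v <= k) and (v > k) == (v >= k)
               for v in values for k in constants)

# Constructed trace with integer timestamps: clocks sit exactly on guard
# constants, where strict and non-strict guards disagree.
W = [(F(1), "r1"), (F(1), "r2"), (F(3), "r3")]
EPS = F(1, 2)
EPS1, W1 = shift_off_integers(W, EPS)

if __name__ == "__main__":
    print("eps' =", EPS1, " D(w, w') =", distance(W, W1))
    print("guards agree on w :", guards_agree(clock_values(W), range(4)))
    print("guards agree on w':", guards_agree(clock_values(W1), range(4)))
```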

Theorem 5.9 CTN(2)-Robust-Reach is undecidable.
Proof. We show the undecidability of CTN(2)-Robust-Reach by reducing
OTN(2)-Robust-Reach to CTN(2)-Robust-Reach. Consider an open timed
network O with 2 clocks.
Now we show that [L(O)] = ∅ iﬀ [L(O)] = ∅.
• [L(O)] = ∅ =⇒ [L(O)] = ∅. It is straightforward that L(O) ⊆ L(O),
therefore [L(O)] ⊆ [L(O)]. Thus, if [L(O)] = ∅, then [L(O)] = ∅.
• [L(O)] = ∅ =⇒ [L(O)] = ∅. Since for an open timed networkO, [L(O)] = ∅
iﬀ L(O) = ∅ (Lemma 5.3), it is enough to show that L(O) = ∅ =⇒
[L(O)] = ∅. Assume L(O) = ∅. By Lemma 5.8, for each w ∈ L(O) and
for each ε > 0, T (w , ε)  L(O). By Lemma 5.7, L(O) is closed, therefore
L(O) = L(O). Consequently [L(O)] = (L(O))int ⊆ L(O), which implies
that T (w , ε)  [L(O)]. However [L(O)] is open, therefore it must be empty.

Remark 1 OTN(1)-Robust-Reach is decidable due to decidability of TN(1)-
Reach [3] and Lemma 5.3.
Remark 2 CTN(1)-Robust-Reach is also decidable due to decidability of
OTN(1)-Robust-Reach and the fact that given a CTN N , one can con-
struct an open timed network N op such that [L(N )] = ∅ iﬀ [L(N op)] = ∅.
Proof of this is similar to the proof for Theorem 5.9.
6 Conclusion
We have shown that the controller state reachability problem for multi-clock
timed networks is decidable if TN is closed, undecidable otherwise. However,
semantic removal of equality under robust semantics makes the problem un-
decidable even for closed TNs. This emphasises the fact that robust semantics
is more intractable than the standard semantics of TNs. This fact was already
noted by [9] for timed automata.
References
[1] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235,
1994.
[2] P. Abdulla, J. Deneux, and P. Mahata. Multi-clock timed networks. In Proc. LICS’ 04, pages
345–354. IEEE Computer Society Press, 2004.
[3] Parosh Aziz Abdulla and Bengt Jonsson. Model checking of systems with many identical timed
processes. Theoretical Computer Science, 290(1):241–264, 2003.
[4] V. Gupta, T. Henzinger, and R. Jagadeesan. Robust timed automata. In Proc. of HART’
97, volume 1201 of Lecture Notes in Computer Science, pages 331–345, 1997.
[5] P. Godefroid and P. Wolper. Using partial orders for the eﬃcient veriﬁcation of deadlock
freedom and safety properties. Formal Methods in System Design, 2(2):149–164, 1993.
[6] T.A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks. In Proc. ICALP’ 92,
volume 623 of Lecture Notes in Computer Science, pages 545–558, 1992.
[7] T. Henzinger and J. Raskin. Robust undecidability of timed and hybrid systems. In Proc. of
HSCC’ 00, volume 1790 of Lecture Notes in Computer Science, pages 145–159, 2000.
[8] M. Minsky. Recursive unsolvability of Post’s problem of tag and other topics in the theory of
Turing machines. Ann. of Math., 74:437–455, 1961.
[9] J. Ouaknine and J. Worrell. Revisiting digitization, robustness and decidability for timed
automata. In Proc. of LICS’ 03, pages 198–207. IEEE Computer Society Press, 2003.
[10] J. Ouaknine and J. Worrell. Universality and language inclusion for open and closed timed
automata. In Proc. of HSCC’ 03, volume 2623 of Lecture Notes in Computer Science, 2003.
[11] A. Puri. Dynamical properties of timed automata. In Proc. FTRTFT’98, volume 1486 of
Lecture Notes in Computer Science, pages 210–227, 1998.
[12] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program
veriﬁcation. In Proc. LICS’86, pages 332–344. IEEE Computer Society Press, 1986.
A Appendix
In the proofs we need some deﬁnitions.
In our correctness proof of Theorem 4.4, we use the relation
n
, with n ≥ 0, on conﬁgurations,
where β
n
 β′ iﬀ there is a sequence β0  β1  · · · βn with β0 = β and βn = β
′. The relation
n
 is extended to local states in a similar manner to
∗
. Notice that
∗
= ∪n
n
.
Let N = (Q,) be a timed network. We deﬁne =⇒r to denote −→Timed ◦ −→r ◦ −→Timed, i.e.
=⇒r corresponds to performing a discrete transition according to the rule r , preceded and followed
by a timed transition. We deﬁne =⇒ to be
S
r∈
=⇒r . For a set R ⊆  of rules, we let γ1 =⇒R γ2
denote that γ1 =⇒r γ2 for some r ∈ R. We use
∗
=⇒,
∗
=⇒r and
∗
=⇒R to denote the reﬂexive transitive
closure of the respective relations.
First we introduce five new types of temporary encodings cinc11 semi-encoding, cinc21 semi-encoding,
cinc31 semi-encoding, crot11 semi-encoding and crot21 semi-encoding to describe the effect of the rules
incı1, incı2, incı3, rots11 and rots12 respectively. For m ≥ 1, a configuration γ = (I, q,Q,X) is said
to be
• a cinc11 semi-encoding of value m if there is an injection h from {0, . . . , m + 1} to I such that the
following conditions are satisﬁed
· Q(h(0)) = fstı where ı is an increment instruction in C, Q(h(1)) = fst1 , Q(h(i)) = mid1 for
each i : 2 ≤ i ≤ m and Q(h(m + 1)) = last1 .
· X1(h(i)) < X2(h(i− 1)) for each i : 2 ≤ i ≤ m + 1.
· X2(h(i)) < X1(h((i + 2))), for each i : 1 ≤ i ≤ m− 1.
· X2(h(0)) < X2(h(m + 1)) < X1(h(1)) < X1(h(2)).
• a cinc21 semi-encoding of value m if there is an injection h from {0, . . . , m + 1} to I such that the
following conditions are satisﬁed
· Q is as deﬁned for a cinc11 semi-encoding.
· X1(h(i)) < X2(h(i− 1)) for each i : 1 ≤ i ≤ m + 1.
· X2(h(i)) < X1(h((i + 2))), for each i : 1 ≤ i ≤ m− 1.
· X2(h(0)) < X2(h(m + 1)) < X1(h(2)).
• a cinc31 semi-encoding of value m if there is an injection h from {0, . . . , m + 1} to I such that the
following conditions are satisﬁed
· Q is as deﬁned for a c1-encoding.
· X1(h(i)) < X2(h(i− 1)) for each i : 1 ≤ i ≤ m + 1.
· X2(h(i)) < X1(h((i + 2))), for each i : 1 ≤ i ≤ m− 1.
· X1(h(0)) < X1(h(1)).
· X2(h(0)) < X2(h(m + 1)) < X1(h(2)).
A graphical representation of cinc11 semi-encoding, c
inc2
1 semi-encoding and c
inc3
1 semi-encoding is
shown in Figure 5(b), 5(c), and 5(d) respectively.
For $m \ge 0$, a configuration $\gamma = (I, q, Q, X)$ is said to be
• a $c_1^{rot1}$ semi-encoding of value $m$ if there is an injection $h$ from $\{0, \ldots, m+1\}$ to $I$ such that the
following conditions are satisfied
· $Q$ is as defined for a $c_1$-encoding.
· $X_1(h(i)) < X_2(h(i-1))$ for each $i : 1 \le i \le m+1$.
· $X_2(h(i)) < X_1(h(i+2))$, for each $i : 0 \le i \le m-1$.
· $X_1(h(0)) < X_2(h(m+1)) < X_1(h(1))$.
• a $c_1^{rot2}$ semi-encoding of value $m$ if there is an injection $h$ from $\{0, \ldots, m+1\}$ to $I$ such that the
following conditions are satisfied
· $Q$ is as defined for a $c_1^{rot1}$ semi-encoding.
· $X_1(h(i)) < X_2(h(i-1))$ for each $i : 1 \le i \le m+1$.
· $X_2(h(i)) < X_1(h(i+2))$, for each $i : 0 \le i \le m-1$.
· $X_1(h(0)) < X_1(h(1))$.
· $X_2(h(m)) < X_2(h(m+1))$.
Figure 8 illustrates the rotation of a $c_1$-encoding graphically and shows a graphical representation
of $c_1^{rot1}$ semi-encoding and $c_1^{rot2}$ semi-encoding in Figure 8(b) and 8(c) respectively.
In a similar manner to a $c_1$-encoding, we use $Val_1(\gamma)$ to denote the value $m$ of a $c_1^{inc1}$ semi-encoding
($c_1^{inc2}$ semi-encoding, $c_1^{inc3}$ semi-encoding, $c_1^{rot1}$ semi-encoding, $c_1^{rot2}$ semi-encoding) $\gamma$.
A conﬁguration γ = (I, q,Q,X) is said to be a Type 1a semi-encoding if it satisﬁes the following
two conditions:
• $q = tmp_1^{\imath}$ for some increment (of the form $\imath = (s_1, c_1{+}{+}, s_2)$).
• $\gamma$ is both a $c_2$-encoding and a $c_1^{inc1}$ semi-encoding.
In such a case, we define $sig(\gamma)$ of $\gamma$ to be the triple $(tmp_1^{\imath}, m_1, m_2)$, where $m_1 = Val_1(\gamma)$ and
$m_2 = Val_2(\gamma)$. Also, we define $next(\gamma)$ to be $(s_2, m_1, m_2)$. Intuitively, $next(\gamma)$ is the signature of
the configuration which occurs after performing three discrete transitions (by rule $inc_2^{\imath}$, $inc_3^{\imath}$ and
$inc_4^{\imath}$ in sequence) in our simulation.
A conﬁguration γ = (I, q,Q,X) is said to be a Type 1b semi-encoding if it satisﬁes the following
two conditions:
• $q = tmp_2^{\imath}$ for some increment (of the form $\imath = (s_1, c_1{+}{+}, s_2)$).
• $\gamma$ is both a $c_2$-encoding and a $c_1^{inc2}$ semi-encoding.
We define the signature of a $c_1^{inc2}$ semi-encoding as in $c_1^{inc1}$ semi-encoding. Furthermore, we use
$next(\gamma)$ to be $(s_2, m_1, m_2)$. Intuitively, $next(\gamma)$ is the signature of the configuration which occurs
next after performing two discrete transitions (by rules $inc_3^{\imath}$ and $inc_4^{\imath}$ in sequence) in our simulation.
Similarly, we define a Type 1c semi-encoding, its signature and the function next for such a
semi-encoding.
A conﬁguration γ = (I, q,Q,X) is said to be a Type 1d semi-encoding if it satisﬁes the following
two conditions:
• $q = tmp_{11}^{s}$ for some controller state $s$ in $C$ or $q = tmp_1^{\imath}$ for some zero-testing instruction (of the
form $\imath = (s_1, c_1?0, s_2)$).
• $\gamma$ is both a $c_2$-encoding and a $c_1^{rot1}$ semi-encoding.
The signature for a $c_1^{rot1}$ semi-encoding is defined in a similar manner to a $c_1^{inc1}$ semi-encoding. This
means that $sig(\gamma) = (tmp_{11}^{s}, m_1, m_2)$ or $sig(\gamma) = (tmp_1^{\imath}, m_1, m_2)$ depending on the value of $q$. Then
$next(\gamma)$ is defined as $(s, m_1, m_2)$ if $q = tmp_{11}^{s}$, $(s_2, 0, m_2)$ otherwise.
A conﬁguration γ = (I, q,Q,X) is said to be a Type 1e semi-encoding if it satisﬁes the following
two conditions:
• $q = tmp_{12}^{s}$ for some controller state $s$ in $C$, or $q = tmp_2^{\imath}$ for some zero-testing instruction (of the
form $\imath = (s_1, c_1?0, s_2)$).
• $\gamma$ is both a $c_2$-encoding and a $c_1^{rot2}$ semi-encoding.
The signature and the function $next(\gamma)$ can be defined for a $c_1^{rot2}$ semi-encoding in a similar manner
to a $c_1^{rot1}$ semi-encoding. In the following, sometimes we use semi-encoding to mean semi-encodings
of some Type. The notion of a (semi-)encoding can be extended to a proper (semi-)encoding in the
same manner as before (Section 4.1), i.e. we require clocks of all processes which are not idle to
have values strictly between zero and one.
Proof of Theorem 4.4
The if-direction follows immediately from the following lemma.
Lemma A.1 For any configuration $\gamma = (I, q, Q, X)$ and initial configuration $\gamma_{init}$ in OC, if
$\gamma_{init} \stackrel{*}{\longrightarrow} \gamma$ then one of the following holds.
(i) q is not a member of S, (i.e. q is either a temporary state or the state idlec).
(ii) γ is an encoding such that βinit
∗
 sig(γ).
The only-if-direction follows from the following lemma.
Lemma A.2 If βinit
n
 sF then γinit
∗
−→ sF , for each n ≥ 0 and initial conﬁguration γinit of OC
with |γinit | ≥ n + 4.
The reason for the condition |γinit | ≥ n+4 is that the sum of counter values never exceeds n in the
path from βinit to sF . Furthermore, each c1- (or c2)-encoding uses m+2 processes for representing
a counter value m. The lemma then states that the initial conﬁguration, from which we start the
simulation of the path from βinit to sF , should be suﬃciently large to incorporate all counter values
which arise along that path.
The proofs of Lemma A.1 and Lemma A.2 reﬂect the informal arguments provided together with
each rule in Section 4.2.
Proof of Lemma A.1
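Suppose that $\gamma_{init} \stackrel{*}{\longrightarrow} \gamma$. If $\gamma_{init} \longrightarrow_{Timed} \gamma$ then the result follows immediately. Otherwise,
$\gamma_{init} \stackrel{*}{\Longrightarrow} \gamma$, i.e., there is a sequence
$$\gamma_{init} = \gamma_0 \Longrightarrow_{r_0} \gamma_1 \Longrightarrow_{r_1} \gamma_2 \Longrightarrow_{r_2} \cdots \Longrightarrow_{r_{n-1}} \gamma_n = \gamma$$
Let $\gamma_i = (I, q_i, Q_i, X_i)$ for $i : 0 \le i \le n$. We notice that $q_0 = idle^c$. By definition of the rules,
it must be the case that $r_0 = init_1$, $r_1 = init_2$, $r_2 = init_3$ and therefore $q_1 = s_{init}^1$, $q_2 = s_{init}^2$ and
$q_3 = s_{init}^3$. In other words, $\gamma_0, \ldots, \gamma_3$ satisfy the claim of the Lemma. Lemma A.1 follows from the
following property: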
For each 4 ≤ i ≤ n, it is the case that γi is either
• an encoding with βinit
∗
 sig(γi); or
• a semi-encoding with βinit
∗
 next(γi).
This property is shown using an induction on i. For the base case we observe that, by deﬁnition
of the rules, it follows that r3 = init4 and therefore sig(γ4) = βinit . For the induction step, we
observe that, for each i : 4 ≤ i < n, it follows from the rule deﬁnitions that one of the following
cases is satisﬁed:
(i) $r_i = inc_1^{\imath}$ for some $\imath = (s_1, c_1{+}{+}, s_2)$, $\gamma_i$ is an encoding with $sig(\gamma_i) = (s_1, m_1, m_2)$, and $\gamma_{i+1}$
is a Type 1a semi-encoding with $sig(\gamma_{i+1}) = (tmp_1^{\imath}, m_1 + 1, m_2)$.
(ii) $r_i = inc_2^{\imath}$ for some $\imath = (s_1, c_1{+}{+}, s_2)$, $\gamma_i$ is a Type 1a semi-encoding with $sig(\gamma_i) =
(tmp_1^{\imath}, m_1, m_2)$, and $\gamma_{i+1}$ is a Type 1b semi-encoding with $sig(\gamma_{i+1}) = (tmp_2^{\imath}, m_1, m_2)$.
(iii) $r_i = inc_3^{\imath}$ for some $\imath = (s_1, c_1{+}{+}, s_2)$, $\gamma_i$ is a Type 1b semi-encoding with $sig(\gamma_i) =
(tmp_2^{\imath}, m_1, m_2)$, and $\gamma_{i+1}$ is a Type 1c semi-encoding with $sig(\gamma_{i+1}) = (tmp_3^{\imath}, m_1, m_2)$.
(iv) $r_i = inc_4^{\imath}$ for some $\imath = (s_1, c_1{+}{+}, s_2)$, $\gamma_i$ is a Type 1c semi-encoding with $sig(\gamma_i) =
(tmp_3^{\imath}, m_1, m_2)$, and $\gamma_{i+1}$ is an encoding with $sig(\gamma_{i+1}) = (s_2, m_1, m_2)$.
(v) $r_i = dec^{\imath}$ for some $\imath = (s_1, c_1{-}{-}, s_2)$, $\gamma_i$ is an encoding with $sig(\gamma_i) = (s_1, m_1, m_2)$, $m_1 > 0$,
and $\gamma_{i+1}$ is an encoding with $sig(\gamma_{i+1}) = (s_2, m_1 - 1, m_2)$.
(vi) $r_i = rot_{1,1}^{s}$ for some $s \in S$ and $\gamma_i$ is an encoding with $sig(\gamma_i) = (s, m_1, m_2)$, and $\gamma_{i+1}$ is a
Type 1d semi-encoding with $sig(\gamma_{i+1}) = (tmp_{11}^{s}, m_1, m_2)$.
(vii) $r_i \in \{rot_{1,2}^{s}, rot_{1,3}^{s}\}$ for some $s \in S$ and $\gamma_i$ is a Type 1d semi-encoding with $sig(\gamma_i) =
(tmp_{11}^{s}, m_1, m_2)$, and $\gamma_{i+1}$ is a Type 1e semi-encoding with $sig(\gamma_{i+1}) = (tmp_{12}^{s}, m_1, m_2)$.
(viii) $r_i = rot_{1,4}^{s}$ for some $s \in S$ and $\gamma_i$ is a Type 1e semi-encoding with $sig(\gamma_i) = (tmp_{12}^{s}, m_1, m_2)$,
and $\gamma_{i+1}$ is an encoding with $sig(\gamma_{i+1}) = (s, m_1, m_2)$.
(ix) $r_i = tst_1^{\imath}$ for some $\imath = (s_1, c_1 = 0?, s_2)$, and $\gamma_i$ is an encoding with $sig(\gamma_i) = (s_1, 0, m_2)$ and
$\gamma_{i+1}$ is a Type 1d semi-encoding with $sig(\gamma_{i+1}) = (tmp_1^{\imath}, 0, m_2)$.
(x) $r_i = tst_2^{\imath}$ for some $\imath = (s_1, c_1 = 0?, s_2)$, and $\gamma_i$ is a Type 1d semi-encoding with $sig(\gamma_i) =
(tmp_1^{\imath}, 0, m_2)$ and $\gamma_{i+1}$ is a Type 1e semi-encoding with $sig(\gamma_{i+1}) = (tmp_2^{\imath}, 0, m_2)$.
(xi) $r_i = tst_3^{\imath}$ for some $\imath = (s_1, c_1 = 0?, s_2)$, and $\gamma_i$ is a Type 1e semi-encoding with $sig(\gamma_i) =
(tmp_2^{\imath}, 0, m_2)$ and $\gamma_{i+1}$ is an encoding with $sig(\gamma_{i+1}) = (s_2, 0, m_2)$.
(xii) Similar cases corresponding to instructions which change counter $c_2$.
Proof of Lemma A.2
To show Lemma A.2 we use some deﬁnitions.
Let $\gamma = (I, q, Q, X)$ be a configuration in our simulation. We define $Latest_1(\gamma) = \max(X_2(i) :
i \in I \wedge Q(i) \in \{fst_1, mid_1\})$. In other words, $Latest_1(\gamma)$ is the highest among values of clocks
belonging to processes which are part of the (semi-)$c_1$-encoding. We define $Latest_2(\gamma)$ in a similar
manner, and define $Latest(\gamma) = \max(Latest_1(\gamma), Latest_2(\gamma))$. We also define $Next2Latest_1(\gamma) =
\max(X_k(i) : k \in \{1, 2\} \wedge i \in I \wedge Q(i) \in \{fst_1, mid_1, last_1\} \wedge X_k(i) < Latest_1(\gamma))$. In other words,
$Next2Latest_1(\gamma)$ is the next highest among values of clocks belonging to processes which are part
of the (semi-)$c_1$-encoding. We define $Next2Latest_2(\gamma)$ in a similar manner.
Let $Delay_1(\gamma)$ be the size of the set consisting of clock values of the form $X_i(j)$ where $i \in \{1, 2\}$, $j \in
I$, $Q(j) \in \{fst_2, mid_2, last_2\}$ and $Latest_1(\gamma) < X_i(j)$. In other words, $Delay_1(\gamma)$ is the number of
clocks which are part of the $c_2$-encoding and which have values higher than any clock of a process
which is part of the $c_1$-encoding. We define $Delay_2(\gamma)$ in a similar manner. Notice that it may be
the case that both $Delay_1(\gamma) = 0$ and $Delay_2(\gamma) = 0$ (if the maximum clock values are equal in
the $c_1$- and the $c_2$-encoding).
We define another temporary encoding: an almost proper $c_1$-encoding, which is a $c_1$-encoding with one
process having index $i \in I$ s.t. $Q(i) = mid_1$ and $X_2(i) > 1$ while all processes with index $j \in I$,
$Q(j) \ne idle^p$ and $j \ne i$ satisfy $0 < X_1(j), X_2(j) < 1$. Also, $0 < X_1(i) < 1$. An almost proper
encoding of Type 1 is an almost proper $c_1$-encoding and a proper $c_2$-encoding. Similarly, we define
an almost proper $c_2$-encoding and an almost proper encoding of Type 2. We also extend this notion
of almost proper encodings to almost proper semi-encodings.
Lemma A.2 follows immediately from the following lemma.
Lemma A.3 For each n ≥ 0 and initial conﬁguration γinit , if βinit
n
 β and |γinit | ≥ n + 4, then
there exists a proper encoding $\gamma$ such that $\gamma_{init} \stackrel{*}{\Longrightarrow} \gamma$ and $sig(\gamma) = \beta$.
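Proof. We prove this lemma by induction on $n$.
In the base case ($n = 0$), we have $\beta = \beta_{init}$ and $|\gamma_{init}| \ge 4$. By the definition of $init_1$, this rule
is enabled. Let $\gamma_1$ be such that $\gamma_{init} \longrightarrow_{init_1} \gamma_1$. Define $\gamma_2 = \gamma_1^{+t_1}$ with $0 < t_1 < 1$. We have
$\gamma_1 \longrightarrow_{T=t_1} \gamma_2$. Rule $init_2$ is now enabled. Let $\gamma_3$ be such that $\gamma_2 \longrightarrow_{init_2} \gamma_3$. Define $\gamma_4 = \gamma_3^{+t_2}$
with $0 < t_2 < 1 - Latest(\gamma_3)$. We have $\gamma_3 \longrightarrow_{T=t_2} \gamma_4$. Rule $init_3$ is now enabled. Let $\gamma_5$ be such
that $\gamma_4 \longrightarrow_{init_3} \gamma_5$. Define $\gamma_6 = \gamma_5^{+\delta_3}$ with $0 < \delta_3 < 1 - Latest(\gamma_5)$. We have $\gamma_5 \longrightarrow_{T=\delta_3} \gamma_6$. Rule
$init_4$ is now enabled. Let $\gamma_7$ be such that $\gamma_6 \longrightarrow_{init_4} \gamma_7$. By definition of $init_4$, $\gamma_7$ is an encoding
and $sig(\gamma_7) = \beta_{init}$. Let $\delta_4$ be such that $0 < \delta_4 < 1 - Latest(\gamma_7)$. $\delta_4$ exists by the definition of $\delta_1$, $\delta_2$,
$\delta_3$, $init_1$, $init_2$, $init_3$ and $init_4$. Let $\gamma_8 = \gamma_7^{+\delta_4}$. $\gamma_8$ is a proper encoding with $sig(\gamma_8) = \beta_{init}$. Notice
that the transitions $\longrightarrow_{init_1}$, $\longrightarrow_{init_2}$, $\longrightarrow_{init_3}$ and $\longrightarrow_{init_4}$ are enabled only because $|\gamma_{init}| \ge 4$.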
For the induction step, assume that βinit
n+1
 β and |γinit | ≥ n + 5. We know that there is a β1
with βinit
n
 β1  β. By the induction hypothesis, it follows that there is a proper encoding γ1
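such that $sig(\gamma_1) = \beta_1$ and $\gamma_{init} \stackrel{*}{\Longrightarrow} \gamma_1$. We need to show that there is a proper encoding $\gamma$ with
$sig(\gamma) = \beta$ and $\gamma_1 \stackrel{*}{\Longrightarrow} \gamma$. This follows from the following lemma. □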
Lemma A.4 Let β1 and β2 be conﬁgurations of C, where β1  β2 and β2 is of the form
$(s, m_1, m_2)$. Let $\gamma_1$ be a proper encoding such that $sig(\gamma_1) = \beta_1$ and $|\gamma_1| \ge m_1 + m_2 + 4$. There is
a proper encoding $\gamma_2$ such that $sig(\gamma_2) = \beta_2$ and $\gamma_1 \stackrel{*}{\Longrightarrow} \gamma_2$.
The proof of Lemma A.4 follows from Lemma A.5, Lemma A.6, Lemma A.7, Lemma A.8,
Lemma A.14, and Lemma A.15:
• Lemma A.5, Lemma A.6, Lemma A.7 and Lemma A.8 state that an increment can be simulated
by an application of the rule $inc_1^{\imath}$ followed by an application of the rule $inc_2^{\imath}$, followed by an
application of rule $inc_3^{\imath}$, followed by an application of rule $inc_4^{\imath}$.
• Lemma A.14 states that a decrement can be simulated by the rule $dec^{\imath}$ preceded and followed
by a number of rotations. This lemma follows from Lemma A.9, Lemma A.10, Lemma A.11,
Lemma A.12, and Lemma A.13.
• Lemma A.15 deals with zero testing and is similar to Lemma A.14.
The condition |γ1| ≥ m1 +m2 +4 in the claim of Lemma A.4 is relevant only in Lemma A.5, since
this is the only case where the value of a counter is increased.
Lemma A.5 Consider an instruction $\imath = (s_1, c_1{+}{+}, s_2)$. Let $\gamma_1$ be a proper encoding with
$sig(\gamma_1) = (s_1, m_1, m_2)$ and $|\gamma_1| \ge m_1 + m_2 + 5$. There is a proper semi-encoding $\gamma_2$ of Type
1a such that $sig(\gamma_2) = (tmp_1^{\imath}, m_1 + 1, m_2)$ and $\gamma_1 \Longrightarrow_{inc_1^{\imath}} \gamma_2$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{+}{+}, s_2)$.
Proof. Since $|\gamma_1| \ge m_1 + m_2 + 5$, there is at least one process in $\gamma_1$ whose state is $idle^p$ (we need
$m_1 + 2$ processes for the $c_1$-encoding and $m_2 + 2$ processes for the $c_2$-encoding, which means that we
have at least one process left to be in state $idle^p$). This together with the fact that $\gamma_1$ is a proper
encoding implies that $inc_1^{\imath}$ is enabled from $\gamma_1$, i.e., there is a configuration $\gamma_3$ with $\gamma_1 \longrightarrow_{inc_1^{\imath}} \gamma_3$.
Define $\gamma_2 = \gamma_3^{+\delta}$ where $0 < \delta < 1 - Latest(\gamma_3)$. Such a $\delta$ exists by definition of $inc_1^{\imath}$ and since $\gamma_1$ is
a proper encoding. By the definitions it follows that $\gamma_2$ is a proper semi-encoding of Type 1a with
$sig(\gamma_2) = (tmp_1^{\imath}, m_1 + 1, m_2)$ and $\gamma_1 \longrightarrow_{inc_1^{\imath}} \gamma_3 \longrightarrow_{T=\delta} \gamma_2$. □
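Lemma A.6 Consider an instruction $\imath = (s_1, c_1{+}{+}, s_2)$. Let $\gamma_1$ be a proper semi-encoding of
Type 1a with $sig(\gamma_1) = (tmp_1^{\imath}, m_1, m_2)$ and $|\gamma_1| \ge m_1 + m_2 + 4$. There is a proper semi-encoding
$\gamma_2$ of Type 1b such that $sig(\gamma_2) = (tmp_2^{\imath}, m_1, m_2)$ and $\gamma_1 \Longrightarrow_{inc_2^{\imath}} \gamma_2$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{+}{+}, s_2)$.
Proof. The fact that $\gamma_1$ is a proper semi-encoding of Type 1a implies that $inc_2^{\imath}$ is enabled from
$\gamma_1$, i.e., there is a configuration $\gamma_3$ with $\gamma_1 \longrightarrow_{inc_2^{\imath}} \gamma_3$. Define $\gamma_2 = \gamma_3^{+\delta}$ where $0 < \delta < 1 - Latest(\gamma_3)$.
Such a $\delta$ exists by definition of $inc_2^{\imath}$ and since $\gamma_1$ is a proper encoding. By the definitions it
follows that $\gamma_2$ is a proper semi-encoding of Type 1b with $sig(\gamma_2) = (tmp_2^{\imath}, m_1, m_2)$ and $\gamma_1 \longrightarrow_{inc_2^{\imath}}
\gamma_3 \longrightarrow_{T=\delta} \gamma_2$. □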
Lemma A.7 Consider an instruction $\imath = (s_1, c_1{+}{+}, s_2)$. Let $\gamma_1$ be a semi-encoding of Type 1b
with $sig(\gamma_1) = (tmp_2^{\imath}, m_1, m_2)$. There is a proper semi-encoding $\gamma_2$ of Type 1c such that $sig(\gamma_2) =
(tmp_3^{\imath}, m_1, m_2)$ and $\gamma_1 \Longrightarrow_{inc_3^{\imath}} \gamma_2$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{+}{+}, s_2)$.
Proof is similar to that of Lemma A.6.
Lemma A.8 Consider an instruction $\imath = (s_1, c_1{+}{+}, s_2)$. Let $\gamma_1$ be a proper semi-encoding of Type
1c with $sig(\gamma_1) = (tmp_3^{\imath}, m_1, m_2)$. There is a proper encoding $\gamma_2$ such that $sig(\gamma_2) = (s_2, m_1, m_2)$
and $\gamma_1 \Longrightarrow_{inc_3^{\imath}} \gamma_2$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{+}{+}, s_2)$.
Proof is similar to that of the above.
Lemma A.9 Let $\gamma_1$ be an (almost) proper $c_2$-encoding with $Delay_1(\gamma_1) > 0$ and $sig(\gamma_1) =
(s, m_1, m_2)$. There is an (almost) proper semi-encoding of Type 2d, $\gamma_2$ such that $Delay_1(\gamma_1) -
Delay_1(\gamma_2) \in \{0, 1\}$, $sig(\gamma_2) = (tmp_{21}^{s}, m_1, m_2)$, and $\gamma_1 \Longrightarrow_{rot_{2,1}^{s}} \gamma_2$.
A similar result holds in case $Delay_2(\gamma_1) > 0$.
Proof.
Now, $\gamma_1$ is an (almost) proper $c_2$-encoding and by definition of the rule $rot_{2,1}^{s}$, $rot_{2,1}^{s}$ is enabled
from $\gamma_1$ and there is a $\gamma_3$ with $\gamma_1 \longrightarrow_{rot_{2,1}^{s}} \gamma_3$. Define $\gamma_2 = \gamma_3^{+\delta}$ where $0 < \delta < 1 - Latest(\gamma_3)$ if $\gamma_1$ is
a proper encoding, and $0 < \delta < 1 - \max(Next2Latest_2(\gamma_3), Latest_1(\gamma_3))$ otherwise. Existence of $\delta$
follows from the definition of the rule $rot_{2,1}^{s}$, and the fact that $\gamma_1$ is an (almost) proper $c_2$-encoding.
By the definitions it follows that $\gamma_2$ is an (almost) proper semi-encoding of Type 2d with
• $Delay_1(\gamma_2) = Delay_1(\gamma_1) - 1$ if $Latest_2(\gamma_1)$ is strictly smaller than the value of the clock $x_1$ of
the process in state $fst_2$.
• $Delay_1(\gamma_2) = Delay_1(\gamma_1)$ otherwise.
with $sig(\gamma_2) = (tmp_{21}^{s}, m_1, m_2)$ and $\gamma_1 \longrightarrow_{rot_{2,1}^{s}} \gamma_3 \longrightarrow_{T=\delta} \gamma_2$. □
Lemma A.10 Let $\gamma_1$ be an (almost) proper semi-encoding of Type 2d with $Delay_1(\gamma_1) > 0$ such
that $sig(\gamma_1) = (tmp_{21}^{s}, m_1, m_2)$. There is an almost proper semi-encoding of Type 2e, $\gamma_2$ such
that $Delay_1(\gamma_1) - Delay_1(\gamma_2) \in \{0, 1\}$, $sig(\gamma_1) = (tmp_{22}^{s}, m_1, m_2)$, and either $\gamma_1 \Longrightarrow_{rot_{2,2}^{s}} \gamma_2$ or
$\gamma_1 \Longrightarrow_{rot_{2,3}^{s}} \gamma_2$.
A similar result holds in case $Delay_2(\gamma_1) > 0$.
Proof. We distinguish between two cases, namely when $m_2 > 0$ and when $m_2 = 0$.
First, we assume that $m_2 > 0$. Now there are two cases.
• $\gamma_1$ is a proper semi-encoding of Type 2d. To apply $rot_{2,2}^{s}$, we need to first define $\delta_1$ such that
$1 - Latest(\gamma_1) < \delta_1 < 1 - \max(Next2Latest_2(\gamma_1), Latest_1(\gamma_1))$ and $\gamma_3 = \gamma_1^{+\delta_1}$. $\delta_1$ exists due to
the fact that $\gamma_1$ is a proper semi-encoding of Type 2d and by definition of the rule $rot_{2,1}^{s}$. From
the value of $\delta_1$ and the fact that $m_2 > 0$ it follows that $rot_{2,2}^{s}$ is enabled from $\gamma_3$, i.e., there is a
$\gamma_4$ with $\gamma_3 \longrightarrow_{rot_{2,2}^{s}} \gamma_4$.
• $\gamma_1$ is an almost proper semi-encoding of Type 2d. Now, $rot_{2,2}^{s}$ is enabled from $\gamma_1$, i.e., there is a
$\gamma_4$ with $\gamma_1 \longrightarrow_{T=0} \longrightarrow_{rot_{2,2}^{s}} \gamma_4$.
Define $\gamma_2 = \gamma_4^{+\delta_2}$ where $0 < \delta_2 < 1 - \max(Next2Latest_2(\gamma_4), Latest_1(\gamma_4))$. Existence of $\delta_2$ follows
from the definition of the rule $rot_{2,2}^{s}$, existence of $\delta_1$ and the fact that $\gamma_1$ is an (almost) proper
semi-encoding of Type 2d. By the definitions it follows that $\gamma_2$ is an almost proper semi-encoding
of Type 2e with
• $Delay_1(\gamma_2) = Delay_1(\gamma_1)$ if the clock $x_1$ of the process in $last_2$ is smaller than or equal to
$Latest_1(\gamma_1)$, in other words, if $Delay_1(\gamma_1) = 1$,
• $Delay_1(\gamma_2) = Delay_1(\gamma_1) - 1$, otherwise.
and $sig(\gamma_2) = (tmp_{22}^{s}, m_1, m_2)$.
The case when $m_2 = 0$ is similar. Here we replace the rule $rot_{2,2}^{s}$ by the rule $rot_{2,3}^{s}$, and obtain
$\gamma_1 \longrightarrow_{T=\delta_1} \gamma_3 \longrightarrow_{rot_{2,3}^{s}} \gamma_4 \longrightarrow_{T=\delta_2} \gamma_2$. □
Lemma A.11 Let $\gamma_1$ be an almost proper semi-encoding of Type 2e with $Delay_1(\gamma_1) > 0$ such that
$sig(\gamma_1) = (tmp_{22}^{s}, m_1, m_2)$. There is a proper encoding $\gamma_2$ such that $Delay_1(\gamma_2) = Delay_1(\gamma_1) - 1$,
with $sig(\gamma_1) = (s, m_1, m_2)$, and $\gamma_1 \Longrightarrow_{rot_{2,4}^{s}} \gamma_2$.
A similar result holds in case $Delay_2(\gamma_1) > 0$.
Proof. From the fact that $\gamma_1$ is an almost proper semi-encoding of Type 2e and the fact that $m_2 > 0$
it follows that $rot_{2,4}^{s}$ is enabled from $\gamma_1$, i.e., there is a $\gamma_3$ with $\gamma_1 \longrightarrow_{rot_{2,4}^{s}} \gamma_3$. Define $\gamma_2 = \gamma_3^{+\delta_1}$
where $0 < \delta_1 < 1 - Latest(\gamma_3)$. Existence of $\delta_1$ follows from the definition of the rule $rot_{2,4}^{s}$, and
the fact that $\gamma_1$ is an almost proper semi-encoding of Type 2e. By the definitions it follows that
$\gamma_2$ is a proper encoding with $Delay_1(\gamma_2) = Delay_1(\gamma_1) - 1$ (due to the fact that the largest clock
in the semi-encoding of Type 2e is reset and $Delay_1(\gamma_1) > 0$), and $sig(\gamma_2) = (s, m_1, m_2)$. □
Lemma A.12 Let $\gamma_1$ be an almost proper semi-encoding of Type 2e with $Delay_1(\gamma_1) > 0$ such that
$sig(\gamma_1) = (tmp_{23}^{s}, m_1, m_2)$. There is a proper encoding $\gamma_2$ such that $Delay_1(\gamma_2) = Delay_1(\gamma_1) - 1$,
with $sig(\gamma_1) = (s, m_1, m_2)$, and $\gamma_1 \Longrightarrow_{rot_{2,4}^{s}} \gamma_2$.
A similar result holds in case $Delay_2(\gamma_1) > 0$.
Proof of this lemma is similar to that of the previous one.
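Lemma A.13 Consider an instruction $\imath = (s_1, c_1{-}{-}, s_2)$. Let $\gamma_1$ be a proper encoding with
$sig(\gamma_1) = (s_1, m_1, m_2)$ and $m_1 > 0$. If $Delay_1(\gamma_1) = 0$ then there is a proper encoding $\gamma_2$ such
that $sig(\gamma_2) = (s_2, m_1 - 1, m_2)$ and one of the following holds.
(i) If $Latest_1(\gamma_1) > Latest_2(\gamma_1)$ then $\gamma_1 \Longrightarrow_{dec^{\imath}} \gamma_2$.
(ii) If $Latest_1(\gamma_1) = Latest_2(\gamma_1)$ and $m_2 > 0$ then $\gamma_1 \Longrightarrow_{dec^{\imath}} \circ \Longrightarrow_{rot_{2,1}^{s_2}} \circ \Longrightarrow_{rot_{2,2}^{s_2}} \circ \Longrightarrow_{rot_{2,4}^{s_2}} \gamma_2$.
(iii) If $Latest_1(\gamma_1) = Latest_2(\gamma_1)$ and $m_2 = 0$ then $\gamma_1 \Longrightarrow_{dec^{\imath}} \circ \Longrightarrow_{rot_{2,1}^{s_2}} \circ \Longrightarrow_{rot_{2,3}^{s_2}} \circ \Longrightarrow_{rot_{2,4}^{s_2}} \gamma_2$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{-}{-}, s_2)$.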
Proof. Define $\gamma_3 = \gamma_1^{+\delta_1}$ where
• $1 - Latest_1(\gamma_1) < \delta_1 < 1 - \max(Next2Latest_1(\gamma_1), Latest_2(\gamma_1))$ if $Latest_1(\gamma_1) > Latest_2(\gamma_1)$.
• $1 - Latest_1(\gamma_1) < \delta_1 < 1 - \max(Next2Latest_1(\gamma_1), Next2Latest_2(\gamma_1))$ if $Latest_1(\gamma_1) = Latest_2(\gamma_1)$.
Such a $\delta_1$ exists since $\gamma_1$ is a proper encoding. From the definition of $\delta_1$ and the fact that $m_1 > 0$
it follows that $dec^{\imath}$ is enabled from $\gamma_3$, i.e., there is a $\gamma_4$ with $\gamma_3 \longrightarrow_{dec^{\imath}} \gamma_4$. Now there are three
cases depending on the values of $Latest_1(\gamma_1)$ and $Latest_2(\gamma_1)$ as follows:
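(i) If $Latest_1(\gamma_1) > Latest_2(\gamma_1)$ then define $\gamma_2 = \gamma_4^{+\delta_2}$ where $0 < \delta_2 < 1 - Latest(\gamma_4)$. Existence
of $\delta_2$ follows from the manner in which $\delta_1$ is chosen, definition of the rule $dec^{\imath}$, and since
$\gamma_1$ is a proper encoding. By the definitions it follows that $\gamma_2$ is a proper encoding with
$sig(\gamma_2) = (s_2, m_1 - 1, m_2)$, and $\gamma_1 \longrightarrow_{T=\delta_1} \gamma_3 \longrightarrow_{dec^{\imath}} \gamma_4 \longrightarrow_{T=\delta_2} \gamma_2$.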
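(ii) If $Latest_1(\gamma_1) = Latest_2(\gamma_1)$ and $m_2 > 0$. $\gamma_1$ is a proper $c_2$-encoding, but $\gamma_4$ is an
almost proper $c_2$-encoding with $sig(\gamma_4) = (s_2, m_1 - 1, m_2)$. From this fact, it is clear that the
rule $rot_{2,1}^{s_2}$ is enabled from $\gamma_4$, i.e., there is a $\gamma_5$ with $\gamma_4 \longrightarrow_{rot_{2,1}^{s_2}} \gamma_5$. Define $\gamma_6 = \gamma_5^{+\delta_2}$
where $0 < \delta_2 < 1 - \max(Next2Latest_2(\gamma_5), Latest_1(\gamma_5))$. Existence of $\delta_2$ follows from
the manner in which $\delta_1$ is chosen, definitions of the rules $dec^{\imath}$ and $rot_{2,1}^{s_2}$, and since $\gamma_1$
is a proper encoding. By the definitions it follows that $\gamma_6$ is an almost proper
semi-encoding of Type 2d with $sig(\gamma_6) = (tmp_{2,2}^{s_2}, m_1 - 1, m_2)$. From the definition of $dec^{\imath}$
and the condition that $Latest_1(\gamma_1) = Latest_2(\gamma_1)$, it follows that the largest clock value
of the processes in the $c_2$-encoding has value larger than 1 in $\gamma_6$. Therefore, the rule
$rot_{2,2}^{s_2}$ is enabled from $\gamma_6$, i.e., there is a $\gamma_7$ with $\gamma_6 \longrightarrow_{rot_{2,2}^{s_2}} \gamma_7$. Define $\gamma_8 = \gamma_7^{+\delta_3}$ where
$0 < \delta_3 < 1 - \max(Next2Latest_2(\gamma_7), Latest_1(\gamma_7))$. Existence of $\delta_3$ follows from the manner in
which $\delta_1$, $\delta_2$ are chosen, definitions of the rules $rot_{2,2}^{s_2}$, and since $\gamma_6$ is an almost proper
semi-encoding of Type 2d. By the definitions it follows that $\gamma_8$ is an almost proper semi-encoding
of Type 2e with $sig(\gamma_8) = (tmp_{2,2}^{s_2}, m_1 - 1, m_2)$. Therefore, the rule $rot_{2,4}^{s_2}$ is enabled from
$\gamma_8$, i.e., there is a $\gamma_9$ with $\gamma_8 \longrightarrow_{rot_{2,4}^{s_2}} \gamma_9$. Define $\gamma_2 = \gamma_9^{+\delta_4}$ where $0 < \delta_4 < 1 - Latest(\gamma_9)$.
By the definitions it follows that $\gamma_2$ is a proper encoding with $sig(\gamma_2) = (s_2, m_1 - 1, m_2)$,
and $\gamma_1 \longrightarrow_{T=\delta_1} \gamma_3 \longrightarrow_{dec^{\imath}} \gamma_4 \longrightarrow_{rot_{2,1}^{s_2}} \gamma_5 \longrightarrow_{T=\delta_2} \gamma_6 \longrightarrow_{rot_{2,2}^{s_2}} \gamma_7 \longrightarrow_{T=\delta_3} \gamma_8 \longrightarrow_{rot_{2,4}^{s_2}} \gamma_9 \longrightarrow_{T=\delta_4} \gamma_2$.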
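(iii) If $Latest_1(\gamma_1) = Latest_2(\gamma_1)$, but $m_2 = 0$. The proof is similar to the previous case. Here, we
use the rule $rot_{2,3}^{s_2}$ instead of the rule $rot_{2,2}^{s_2}$ in the above and obtain $\gamma_1 \longrightarrow_{T=\delta_1} \gamma_3 \longrightarrow_{dec^{\imath}}
\gamma_4 \longrightarrow_{rot_{2,1}^{s_2}} \gamma_5 \longrightarrow_{T=\delta_2} \gamma_6 \longrightarrow_{rot_{2,3}^{s_2}} \gamma_7 \longrightarrow_{T=\delta_3} \gamma_8 \longrightarrow_{rot_{2,4}^{s_2}} \gamma_9 \longrightarrow_{T=\delta_4} \gamma_2$.
□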
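The measures Latest, Next2Latest and Delay, and the bounds on δ1 used in the proof of Lemma A.13, can be computed for a concrete configuration; the Python below is an added illustration and is not part of the paper. The dictionary layout, the state name `idle_p`, the value 0 for an empty maximum and all clock values are assumptions, and the sample configurations are constructed, not checked against the encoding definitions of Section 4.1.

```python
from fractions import Fraction as F

# Layout (an assumption): {process index: (local state, x1, x2)}.
# State names fst1/mid1/last1 and fst2/mid2/last2 follow the page;
# "idle_p" stands for the idle process state.

def _clocks(cfg, states):
    """Every clock value (x1 and x2) of processes whose state is in `states`."""
    return [x for q, x1, x2 in cfg.values() if q in states for x in (x1, x2)]

def latest(cfg, c):
    """Latest_c: largest x2 among processes in fst_c or mid_c.
    Returning 0 when there is no such process is an assumption."""
    vals = [x2 for q, _, x2 in cfg.values() if q in (f"fst{c}", f"mid{c}")]
    return max(vals, default=F(0))

def next2latest(cfg, c):
    """Next2Latest_c: largest clock of the c-encoding strictly below Latest_c."""
    top = latest(cfg, c)
    own = _clocks(cfg, (f"fst{c}", f"mid{c}", f"last{c}"))
    return max((x for x in own if x < top), default=F(0))

def delay(cfg, c):
    """Delay_c: number of distinct clock values of the other counter's
    encoding that lie strictly above Latest_c."""
    o, top = 3 - c, latest(cfg, c)
    other = _clocks(cfg, (f"fst{o}", f"mid{o}", f"last{o}"))
    return len({x for x in other if x > top})

def dec_window(cfg):
    """Open interval (lo, hi) for delta_1 in the proof of Lemma A.13
    (decrement of c1). The lemma assumes Delay_1 = 0."""
    if delay(cfg, 1) != 0:
        raise ValueError("Delay_1 > 0: rotations (Lemmas A.9-A.12) come first")
    l1, l2 = latest(cfg, 1), latest(cfg, 2)
    if l1 > l2:
        bound = max(next2latest(cfg, 1), l2)
    else:  # Delay_1 = 0 excludes l2 > l1, so l1 == l2 here
        bound = max(next2latest(cfg, 1), next2latest(cfg, 2))
    return 1 - l1, 1 - bound

def crossing(cfg, d):
    """(index, clock number) of non-idle clocks that exceed 1 after delay d."""
    return sorted((i, k) for i, (q, x1, x2) in cfg.items() if q != "idle_p"
                  for k, x in ((1, x1), (2, x2)) if x + d > 1)

# Constructed sample: Latest_1 > Latest_2 and Delay_1 = 0.
SAMPLE = {
    0: ("fst1", F(3, 10), F(6, 10)),
    1: ("mid1", F(5, 10), F(8, 10)),
    2: ("last1", F(7, 10), F(2, 10)),
    3: ("fst2", F(1, 10), F(4, 10)),
    4: ("last2", F(3, 10), F(5, 10)),
    5: ("idle_p", F(0), F(0)),
}
# Constructed variant with Latest_1 = Latest_2 (second bullet of the proof).
TIE = dict(SAMPLE)
TIE[3] = ("fst2", F(1, 10), F(8, 10))
# Constructed variant where a c2 clock lies above Latest_1, so Delay_1 = 1.
LATE = dict(SAMPLE)
LATE[4] = ("last2", F(9, 10), F(5, 10))

if __name__ == "__main__":
    lo, hi = dec_window(SAMPLE)
    print(f"delta_1 in ({lo}, {hi}); crossing at 1/4:", crossing(SAMPLE, F(1, 4)))
```

In the tied sample the delay also pushes the largest clock of the c2-encoding above 1, which is the situation that cases (ii) and (iii) handle with the extra rotation rules.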
From Lemma A.9, Lemma A.10, Lemma A.11, Lemma A.12, and Lemma A.13 we get the following.
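Lemma A.14 Consider an instruction $\imath = (s_1, c_1{-}{-}, s_2)$. Let $\gamma_1$ be a proper encoding with
$sig(\gamma_1) = (s_1, m_1, m_2)$ and $m_1 > 0$. There is a proper encoding $\gamma_2$ such that $sig(\gamma_2) =
(s_2, m_1 - 1, m_2)$ and
$$\gamma_1 \stackrel{*}{\Longrightarrow}_{rot_2^{s_1}} \circ \Longrightarrow_{dec^{\imath}} \circ \stackrel{*}{\Longrightarrow}_{rot_2^{s_2}} \gamma_2$$
where for a controller state $s$, we define $rot_2^{s} = \{rot_{2,1}^{s}, rot_{2,2}^{s}, rot_{2,3}^{s}, rot_{2,4}^{s}\}$.
A similar result holds in case $\imath$ is of the form $(s_1, c_2{-}{-}, s_2)$.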
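Lemma A.15 Consider an instruction $\imath = (s_1, c_1 = 0?, s_2)$. Let $\gamma_1$ be a proper encoding with
$sig(\gamma_1) = (s_1, 0, m_2)$.
Then there is a proper encoding $\gamma_2$ such that $sig(\gamma_2) = (s_2, 0, m_2)$ and
$$\gamma_1 \stackrel{*}{\Longrightarrow}_{rot_2^{s_1}} \circ \Longrightarrow_{tst_1^{\imath}} \circ \Longrightarrow_{tst_2^{\imath}} \circ \Longrightarrow_{tst_3^{\imath}} \circ \stackrel{*}{\Longrightarrow}_{rot_2^{s_2}} \gamma_2$$
where for a controller state $s$, $rot_2^{s}$ is as defined in Lemma A.14.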
A similar result holds in case ı is of the form (s1, c2 = 0?, s2).
The proof is similar to that for Lemma A.14.
□