Interrupt Timed Automata (ITA) 
1 Introduction
Context. Scheduling problems in multi-task systems are usually modeled with stopwatches, i.e. variables which evolve with rate 0 or 1 and can be tested and updated when discrete transitions are fired. Stopwatches thus model clocks that can be suspended and restarted with their former value, which makes them useful to express delay accumulation. However, adding such variables to finite automata yields the powerful model of Stopwatch Automata (SwA) [15, 10], where reachability has been proved undecidable. On the other hand, reachability is PSPACE-complete in the now classical model of Timed Automata (TA) [2, 3], where all variables are clocks, with single rate 1.
Restricting SwA to gain decidability, while retaining part of the power of stopwatches, is a difficult problem. A few models have been proposed, for instance Suspension Automata [17], Hierarchical Timed Automata [12], Task Automata [14] or Interrupt Timed Automata (ITA) [5]. We consider here the ITA model, specifically adapted to the description of multi-task systems with hierarchical interrupt levels in a single-processor environment, like operating systems. As proved in [5], untiming the languages accepted by ITA yields regular languages, with the effective construction of a class graph generalizing the region automaton from [2].
* Work partially supported by projects CoChaT (Digiteo 2009-27HD) and DOTS (ANR-06-SETI-003).
While untimed properties like reachability or CTL model checking [13, 19, 11] are useful for such models, real-time verification yields more precise results, for instance quantitative response time properties. Therefore, timed extensions of CTL have been defined, leading to different versions of Timed CTL (TCTL) [1, 16], for which several tools on TA have been developed [4, 9].
Contribution.
Starting with studying closure properties and settling an expressiveness conjecture from [5], we improve the complexity of reachability on ITA. We then focus on the verification of real-time properties for ITA. These properties are expressed in TCTL c, a timed extension of CTL where formulas involve model clocks as well as external clocks. This logic is a variant of the one in [16], also studied later from the expressivity point of view [8]. Unfortunately, we prove here that, contrary to reachability, model checking TCTL c over ITA is undecidable. The result holds for a fixed two-clock formula, showing its robustness (which is not always the case in similar proofs). However, we propose two fragments for which decision procedures exist. In the first one, only model clocks are involved and we can express properties like (P1) a safe state is reached before spending 3 t.u. in handling some interruption. Decidability is obtained by a generalized class graph construction in 2-EXPSPACE (PSPACE if the number of clocks is fixed). Since the corresponding fragment cannot refer to global time, we consider a second fragment in which it is possible to reason on minimal or maximal delays. Properties like (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. can be expressed. In this case, the decidability procedure relies on a new specific technique involving infinite runs.
Outline. Section 2 gives definitions for ITA, expressiveness, closure, and complexity results. We prove in Section 3 that model checking TCTL c over ITA is undecidable and Section 4 presents model checking procedures for two fragments of TCTL c .
2 Interrupt Timed Automata
Notations. The sets of natural, rational and real numbers are denoted respectively by N, Q and R. For a finite set X of clocks, a linear expression over X is a term of the form ∑_{x ∈ X} a_x · x + b where b and the a_x are in Q. We denote by C(X) the set of constraints obtained by conjunctions of atomic propositions of the form C ⋈ 0, where C is a linear expression over X and ⋈ ∈ {>, ≥, =, ≤, <}. The subset C_0(X) of C(X) contains constraints of the form x + b ⋈ 0. An update over X is a conjunction of assignments of the form x := C for a clock x ∈ X and a linear expression C over X. The set of all updates over X is written U(X), with U_0(X) for the subset containing only assignments of the form x := 0 (reset) or of the form x := x (no update). For a linear expression C and an update u containing x := C_x, the expression C[u] is obtained by substituting x by C_x in C.
A clock valuation is a mapping v : X → R and we denote by 0 the valuation with value 0 for all clocks. The set of all clock valuations is R^X and we write v |= ϕ when valuation v satisfies the clock constraint ϕ. For a valuation v, a linear expression C and an update u, the value v(C) is obtained by replacing each x in C by v(x) and the valuation
Interrupt timed automata and timed automata. Interrupt Timed Automata (ITA) were introduced in [5]. Given a set of tasks with different priority levels, a higher level task represents an interruption for a lower level task. At a given level, exactly one clock is active (rate 1), while the clocks for tasks of lower levels are suspended (rate 0), and the clocks for tasks of higher levels are not yet activated and thus contain value 0. The mechanism is illustrated in Figure 1.
We extend the definition by associating with states a timing policy which indicates whether time may (Lazy, default), may not (Urgent) or must (Delayed) elapse in a state. This feature could not be enforced by additional clock constraints like in TA and is needed to obtain the translation from ITA to ITA − (see below). We also add a labeling of states with atomic propositions, in view of interpreting logic formulas on these automata. 
Definition 1. An interrupt timed automaton is a tuple
The class ITA − is the subclass of ITA where updates are restricted as follows. For a transition q --ϕ,a,u--> q' of an automaton A in ITA −, with k = λ(q) and k' = λ(q'), there is no update (i.e.
Thus, in an ITA −, the only non-trivial update (i.e. not enforced by the semantics of the model) is an update of the clock of the current level, when the transition does not decrease the level.
A configuration of the system consists of a state of the ITA, a clock valuation and a boolean value expressing whether time has elapsed since the last discrete transition. An example is given in Figure 2(a), with two interrupt levels (and two interrupt clocks), with a geometric view of a possible trajectory in Figure 2(b). We now briefly recall the classical model of timed automata (TA) [3] (in which timing policies can be enforced by clock constraints).
Definition 2. The semantics of an ITA A is defined by the transition system T
The semantics of a timed automaton is also defined as a timed transition system, with the set Q × R^X of configurations (no additional boolean value). Discrete steps are similar to those of ITA, but in time steps all clocks evolve with the same rate 1:
A run of an automaton A in TA or in ITA is a path in the associated timed transition system, where time steps and discrete steps alternate. An accepting run is a finite run ending in a state of F . For such a run with label
The set L(A) contains the timed words accepted by A. Interrupt Timed Languages or ITL (resp. Timed Languages or TL) denote the family of timed languages accepted by an ITA (resp. a TA). We also consider maximal runs, which are either infinite or such that no discrete step is possible from the last configuration. We use the notion of (totally ordered) positions (which allow us to consider multiple discrete actions simultaneously) along a maximal run [16]: for a run ρ, we denote by <_ρ the strict order on positions and, for a position π along ρ, the corresponding configuration is denoted by s_π.
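The ITA semantics sketched above (one running clock per level, frozen lower clocks, zeroed higher clocks, and the Urgent/Lazy/Delayed policies) is easy to misread, so here is an added simulator written for this page; it is not code from the authors. It executes a concrete run on an automaton constructed in the spirit of A_1 of Figure 2(a): the two guards are the ones the class-graph example of Section 4 quotes (x_1 − 1 < 0 from q_0 to q_1, x_1 + 2x_2 = 2 from q_1 to q_2); the levels of the states, the all-Lazy policies, the empty updates and the treatment of updates on a level change are assumptions of this example.

```python
from fractions import Fraction as F

# Constructed example in the spirit of A_1 (Figure 2(a)): two interrupt levels, clocks x1, x2.
# The two guards are the ones quoted in Section 4; the levels of the states, the Lazy
# policies and the empty updates are assumptions made for this example.
NB_LEVELS = 2
LEVEL = {"q0": 1, "q1": 2, "q2": 2}                    # lambda(q): level of each state
POLICY = {"q0": "Lazy", "q1": "Lazy", "q2": "Lazy"}     # pol(q)

def value(expr, v):
    """Evaluate a linear expression {clock_index: coeff, 0: constant} at valuation v (tuple)."""
    return sum(c * (v[i - 1] if i else 1) for i, c in expr.items())

COMPARE = {"<": lambda r: r < 0, "<=": lambda r: r <= 0, "=": lambda r: r == 0,
           ">=": lambda r: r >= 0, ">": lambda r: r > 0}

# (source, guard as list of (expr, op) read as expr op 0, update {clock: expr}, label, target)
TRANSITIONS = [
    ("q0", [({1: F(1), 0: F(-1)}, "<")], {}, "a", "q1"),            # x1 - 1 < 0
    ("q1", [({1: F(1), 2: F(2), 0: F(-2)}, "=")], {}, "b", "q2"),   # x1 + 2 x2 = 2
]

def time_step(conf, d):
    """Let d time units elapse: only the clock of the current level runs (rate 1), lower
    clocks are frozen, higher clocks stay at 0. Returns the new configuration."""
    q, v, elapsed = conf
    d = F(d)
    if d < 0 or (d > 0 and POLICY[q] == "Urgent"):
        raise ValueError(f"delay {d} not allowed in state {q}")
    w = list(v)
    w[LEVEL[q] - 1] += d
    return (q, tuple(w), elapsed or d > 0)

def discrete_step(conf, label):
    """Fire the label-transition from the current state if its guard holds."""
    q, v, elapsed = conf
    if POLICY[q] == "Delayed" and not elapsed:
        raise ValueError(f"state {q} requires time to elapse before leaving")
    for src, guard, update, a, tgt in TRANSITIONS:
        if src == q and a == label and all(COMPARE[op](value(e, v)) for e, op in guard):
            w = list(v)
            for i, e in update.items():            # simultaneous assignments x_i := e
                w[i - 1] = value(e, v)
            for i in range(LEVEL[tgt], NB_LEVELS):  # clocks above the new level are 0
                w[i] = F(0)
            return (tgt, tuple(w), False)           # no time elapsed yet in tgt
    raise ValueError(f"no enabled {label}-transition from {q} at {v}")

def run(q0, steps):
    """Execute (delay, label) pairs from q0 with all clocks at 0; returns every configuration
    visited, or raises ValueError if the sequence is not a run of the automaton."""
    conf = (q0, tuple(F(0) for _ in range(NB_LEVELS)), False)
    trace = [conf]
    for d, label in steps:
        conf = time_step(conf, d)
        trace.append(conf)
        conf = discrete_step(conf, label)
        trace.append(conf)
    return trace

def is_run(q0, steps):
    """True iff the (delay, label) sequence is a run of the automaton from q0."""
    try:
        run(q0, steps)
        return True
    except ValueError:
        return False

def witness_for_phi1(trace):
    """Does some position of the trace satisfy q1 /\\ (x2 > x1), the target of phi_1 in Section 4?"""
    return any(q == "q1" and v[1] > v[0] for q, v, _ in trace)

if __name__ == "__main__":
    for conf in run("q0", [("1/2", "a"), ("3/4", "b")]):
        print(conf)
```

Delays are given as strings or numbers and converted to exact rationals, so the guard x_1 + 2x_2 = 2 is checked exactly; note that after the transition to q_1 the clock x_1 keeps its value 1/2 while x_2 runs, which is what makes the guard of the second transition satisfiable only for specific delays.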
Expressiveness, closure, and complexity results. We end this section by closing some questions left open in [5] and improving the complexity bounds for the reachability problem on ITA. In particular, while it was known that ITL is not contained in TL, the converse was not proved. We have:
Proposition 1. The families TL and ITL are incomparable. ITL is neither closed under complementation, nor under intersection.
These proofs rely on a specific pumping lemma for ITA. Note that the incomparability of the languages accepted by TA and ITA also proves that ITA are not in the same class as Hierarchical Timed Automata (HTA) from [12], since it was also proved that HTA can be flattened into a network of TA. Finally, we prove that ITA and ITA − have the same expressive power: This transformation allows us to reduce reachability for ITA to the same problem for ITA −, where it is solved by bounding the length of a minimal path. The bound is exponential for ITA −, and stays only doubly exponential for ITA, since the translation preserves the number of clocks. Thus, we have:
Proposition 3. Reachability on ITA can be done in 2-NEXPTIME and in NP when the number of clocks is fixed.
These results improve those of [5], where the upper bounds were 2-EXPSPACE and PSPACE when the number of clocks is fixed.
Detailed proofs for these results can be found in [6] .
3 Model checking TCTL over ITA
Timed logic TCTL c .
At least two different timed extensions of the branching time logic CTL have been proposed. The first one [1] adds subscripts to the U operator while the second one considers formula clocks [16]. Model checking of timed automata was proved decidable in both cases, and their relative expressiveness was revisited later on [8].
In the variant below, CTL is enriched with both model clocks (set X), used in linear constraints, and formula clocks (set Y disjoint from X), used only in comparisons to constants and resets. Such linear constraints yield a more expressive logic, which raises the question of decidability both for TA and ITA.
Definition 4. Formulas of the timed logic TCTL c are defined by the following grammar:
where p ∈ AP is an atomic proposition, y ∈ Y is a formula clock, the x_i are model clocks, the a_i and b are rational numbers such that (a_i)_{i∈I} has finite support I ⊆ N, and ⋈ ∈ {>, ≥, =, ≤, <}.
Recall that S = Q × R^X × {⊤, ⊥} denotes the set of configurations. The formulas of TCTL c are interpreted over extended configurations of the form (q, v, β, w), also written as (s, w), where s = (q, v, β) ∈ S and w ∈ R^Y is a valuation of the formula clocks. The notions of (maximal) run and position extend to these configurations in the natural way: the clock valuation w becomes w + d in a time step of delay d and is unchanged in a discrete step. We denote by Exec(s, w) the set of maximal runs starting from (s, w).
The semantics of TCTL c is defined as follows. For atomic propositions and a configuration (s, w) = (q, v, β, w):
and inductively:
Undecidability of TCTL c model checking.
We now prove that model checking TCTL c over ITA is undecidable. More precisely, let TCTL ext c be the fragment of TCTL c containing only formula clocks; we have:
The first step of the proof is the construction of an automaton A_M, as a synchronized product between an interrupt timed automaton and a timed automaton, to simulate a two-counter machine M. In the second step, a TCTL c formula with two external clocks is built to simulate the timed automaton part of the product. This formula does not depend on the two-counter machine.
First step. We consider the class ITA×TA of automata built as a synchronized product between an interrupt timed automaton and a timed automaton over the same alphabet. Note that if accepted languages are considered, the language of such an automaton is the intersection of the language of an ITA and the language of a TA.
Lemma 1. Reachability is undecidable in the class ITA×TA.
Sketch. We build an automaton in ITA×TA which simulates a deterministic two counter machine. Recall that such a machine M consists of a finite sequence of labeled instructions L, which handle two counters c and d, and ends at a special instruction with label Halt. The other instructions have one of the two forms below, where e ∈ {c, d} represents one of the two counters:
• e := e + 1; goto ℓ'
• if e > 0 then (e := e − 1; goto ℓ') else goto ℓ''
Without loss of generality, we may assume that the counters have initial value zero. The behaviour of the machine is described by a (possibly infinite) sequence of configurations ⟨ℓ_0, 0, 0⟩ ⟨ℓ_1, n_1, p_1⟩ ... ⟨ℓ_i, n_i, p_i⟩ ..., where n_i and p_i are the respective counter values and ℓ_i is the label, after the i-th instruction. The problem of termination for such a machine ("is the Halt label reached?") is known to be undecidable [18].
The automaton A_M = ⟨Σ, AP, Q, q_0, F, pol, X ∪ Y, λ, lab, Δ⟩ is built to reach its final location Halt if and only if M stops. It is defined as follows:
• Σ consists of one letter per transition, AP is defined in the sequel.
•
• pol : Q → {Urgent, Lazy, Delayed} is such that pol(q) = Urgent iff either q ∈ L or q = (ℓ, q_2, ℓ'), and pol(q) = Lazy in most other cases: some states (ℓ, k_i, ℓ') are Delayed, as shown on Figure 4.
• X = {x_1, x_2, x_3} is the set of interrupt clocks and Y = {y_c, y_d} is the set of standard clocks with rate 1.
• λ : Q → {1, 2, 3} is the interrupt level of each state. All states in L are at level 1, as are all states corresponding to k_0, k_1, k_2 and r_1. States corresponding to r_2 and r_3 are at level 2, while the ones corresponding to r_4 and r_5 are at level 3.
• lab will be defined in the second step of the proof.
• Δ is defined through basic modules in the sequel.
The transitions of A M are built within small modules, each one corresponding to one instruction of M. The value n of c (resp. p of d) in a state of L is encoded by the value
The idea behind this construction is that for any standard clock y, it is possible to mimic the copy of the value of k − y in an interrupt clock x_i, for some constant k, provided the value of y never exceeds k. To achieve this, we start and reset the interrupt clock, then stop it when y = k. Note that by the end of the copy, the value of y has changed. Conversely, in order to copy the content of an interrupt clock x_i into a clock y, we interrupt x_i by x_{i+1} and reset y at the same time. When x_{i+1} = x_i, clock y has the value of x_i. Remark that the form of the guards on x_{i+1} allows us to copy any linear expression on {x_1, ..., x_i} in y.
For instance, consider an instruction labeled by ℓ incrementing c then going to ℓ', with the respective values n of c and p of d, from a configuration where n ≥ p. The corresponding module A^{c++}_{c≥d}(ℓ, ℓ') is depicted on Figure 3. A_M is obtained by joining the modules described above through the states of L. The automaton A_M can actually be viewed as the product of an ITA I and a TA T, synchronized on actions. It can be seen in all the modules described above that guards never mix a standard clock with an interrupt one. Since each transition has a unique label, keeping only guards and resets on either the clocks of X or on those of Y yields an ITA and a TA whose product is A_M.
Note that another notion of synchronized product between ITA and TA leads to the class ITA + where reachability is decidable [5] . 
Second step.
To prove Theorem 1, we build from the automaton A_M above a formula ϕ in TCTL c simulating the TA T, so that the ITA I satisfies ϕ iff M terminates. Formula ϕ expresses that (1) there is a run in I reaching the Halt state, and (2) for each module of I, this run satisfies the constraints on the clocks y_c and y_d of T. The full proofs that the above construction is correct (M halts iff A_M reaches the Halt state) and for this second step are given in [7]. Observe that state policies allow an encoding with two TA clocks; an additional one would be needed to simulate policies.
4 Decidable fragments

Model checking TCTL int c
In this section we consider formulas with only model clocks, the corresponding fragment being denoted by TCTL int c. For example, property P1 in the introduction is expressed by A (x_2 ≤ 3) U safe. Model checking is achieved by adapting the class graph construction used for untiming ITA and adding information relevant to the formula. The problem is thus reduced to a CTL model checking problem on this graph.
Theorem 2. Model checking TCTL
Proof. The proof relies on a refinement of the class graph construction in [5], each class being divided into subclasses corresponding to the truth values of the comparisons in the given formula. Thus each comparison can be represented by a fresh propositional variable. The final step of the algorithm consists in applying a standard CTL model-checking procedure.
Let ϕ be a formula in TCTL int c and A an ITA with n levels. In order to build the finite class graph, the first step consists in computing n sets of expressions E_1, ..., E_n. Each set E_k is initialized to {x_k, 0}, and the expressions in this set are those which are relevant for comparisons with the current clock at level k. The sets are then computed top down from n to 1. In that process, we use the k-normalization operator: for an expression
• At level k, we may assume (by normalization) that expressions in guards of an edge leaving a state are of the
• To take into account the constraints of formula ϕ, we add the following step: For each comparison C ⋈ 0 in ϕ, and for each k, with norm(C,
• Then we iterate the following procedure until no new term is added to any
The proof of termination for this construction is similar to the one in [5] .
Consider the ITA A_1 (Figure 2(a)) and the formula ϕ_1 = E U (q_1 ∧ (x_2 > x_1)). We assume that q_1 is a propositional property true only in state q_1. Initially, the sets of expressions are E_1 = {x_1, 0} and E_2 = {x_2, 0}. First the expression −(1/2)x_1 + 1 is added into E_2 since x_1 + 2x_2 = 2 appears on the guard of the transition from q_1 to q_2. Then expression 1 is added to E_1 because x_1 − 1 < 0 appears on the guard of the transition from q_0 to q_1. Finally expression x_1 is added to E_2 since x_2 − x_1 > 0 appears in ϕ_1. After iteration, we obtain E_1 = {x_1, 0, 1,
The next step is to build the class graph as the transition system G_A whose set of configurations are the classes R = (q, {⪯_k}_{1≤k≤λ(q)}), where q is a state and ⪯_k is a total preorder over E_k. The class R describes the set of valua-
The set of transitions is defined by discrete and successor steps, whose details are developed in [5]. Note that the way the sets of expressions are computed, and more notably the inclusion of all differences between other expressions (up to normalization details), lets us know, for each level, the preorder between expressions after firing a discrete transition that increases the interrupt level. The transition system G_A is finite and time-abstract bisimilar to T_A. Moreover, the truth value of each comparison C = ∑_{i≥1} a_i · x_i + b ⋈ 0 appearing in ϕ can be set for each class R. Indeed, since for every k, both 0 and ∑_{1≤i≤k−1} a_i · x_i + b are in the set of expressions E_k, the truth value of C ⋈ 0 does not change inside a class. Therefore, introducing a fresh propositional variable q_C for the constraint C ⋈ 0, each class R can be labeled with a truth value for each q_C. Deciding the truth value of ϕ can then be done by a classical CTL model-checking algorithm on G_A.
On the example, we obtain the states in which q_1 ∧ (x_2 > x_1) is true and conclude that ϕ_1 is true on A_1.
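The expression sets E_k are the core of the construction, so here is an added example (not the authors' code) that reimplements the k-normalization step as the worked example above applies it (solving a comparison for the highest clock it mentions) together with an iteration step that adds the normalized difference of every pair of expressions of a level to the level of their highest remaining clock. That reading of the iteration rule is an assumption of this example, the details being in [5]; on the guards and formula of A_1 it reproduces the three additions described in the text and then the constants produced by the iteration.

```python
from fractions import Fraction as F

# A linear expression over clocks is {clock_index: coefficient}, the constant under key 0.
# Expressions stored in the sets E_k are canonical tuples so that they are hashable.

def canon(expr):
    return tuple(sorted((i, c) for i, c in expr.items() if c != 0))

def normalize(expr):
    """k-normalization as applied in the worked example: for the highest clock x_k occurring
    in expr, rewrite expr ⋈ 0 as x_k ⋈' e where e only involves x_1..x_{k-1} and a constant.
    Returns (k, e); a constant expression returns (0, e)."""
    clocks = [i for i, c in expr.items() if i != 0 and c != 0]
    if not clocks:
        return 0, canon(expr)
    k = max(clocks)
    rhs = {i: -c / expr[k] for i, c in expr.items() if i != k}
    return k, canon(rhs)

def difference(e1, e2):
    """e1 - e2 for canonical expressions."""
    d = dict(e1)
    for i, c in e2:
        d[i] = d.get(i, F(0)) - c
    return d

def expression_sets(n, guard_exprs, formula_exprs):
    """Compute E_1..E_n for an ITA with n levels, from the left-hand sides of the guard
    comparisons and of the comparisons occurring in the formula."""
    E = {k: {canon({k: F(1)}), canon({})} for k in range(1, n + 1)}   # {x_k, 0}
    for expr in guard_exprs + formula_exprs:
        k, e = normalize(expr)
        if k:
            E[k].add(e)
    # Iteration step (assumed reading of [5]): two expressions of level k are ordered, when
    # level k is entered, by the lower clocks only, so their difference is recorded at the
    # level of its highest clock. Repeat until no set changes.
    changed = True
    while changed:
        changed = False
        for k in range(n, 1, -1):
            for e1 in list(E[k]):
                for e2 in list(E[k]):
                    j, e = normalize(difference(e1, e2))
                    if 0 < j < k and e not in E[j]:
                        E[j].add(e)
                        changed = True
    return E

def pretty(e):
    """Render a canonical expression, e.g. ((0, 1), (1, -1/2)) -> '-1/2*x1 + 1'."""
    terms = []
    for i, c in sorted(e, reverse=True):
        terms.append((("" if c == 1 else f"{c}*") + f"x{i}") if i else f"{c}")
    return " + ".join(terms) if terms else "0"

# Guards and formula of A_1 (Figure 2(a)) as quoted in the text:
A1_GUARDS = [{1: F(1), 0: F(-1)},            # x1 - 1 < 0    (q0 -> q1)
             {1: F(1), 2: F(2), 0: F(-2)}]   # x1 + 2 x2 = 2 (q1 -> q2)
PHI1 = [{2: F(1), 1: F(-1)}]                 # x2 - x1 > 0 in phi_1

if __name__ == "__main__":
    for k, exprs in sorted(expression_sets(2, A1_GUARDS, PHI1).items()):
        print(f"E_{k} = {{ {', '.join(pretty(e) for e in sorted(exprs))} }}")
```

Normalization always divides by the coefficient of the highest clock, so every stored expression of E_k only mentions clocks of levels below k; this is what makes the iteration terminate, since a level only ever receives new expressions from the levels above it.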
The complexity of the procedure is obtained by bounding the number of expressions for each level k by max(2, |Δ| + |ϕ|)^{2^{n(n−k+1)+1}}, thus obtaining a triple exponential bound for the size of the graph, by storing the orderings. The 2-EXPSPACE complexity results in a standard way from a non-deterministic search in this graph.
Due to the linear constraints, we conjecture that model checking TCTL int c on TA is undecidable. This would strengthen the incomparability of TL and ITL from a decidability point of view.
Model checking a fragment of TCTL
The decidability of model-checking TCTL c formulas over ITA has been studied above for two cases: (1) when there are 2 formula clocks, in which case the problem is undecidable (Theorem 1) and (2) when there is no formula clock, in which case the problem is decidable (Theorem 2).
The remaining case concerns formulas with only one formula clock, which can measure the elapsing of global time. In this section, we prove the decidability of model checking ITA for a strict subset of this logic. TCTL p is the set of formulas where the satisfaction of an until modality over propositions can be parameterized by a time interval. Formulas of TCTL p are defined by the following grammar:
where p ∈ AP is an atomic proposition, a ∈ Q^+, and ⋈ ∈ {>, ≥, ≤, <} is a comparison operator. This logic is indeed a subset of TCTL c with only one formula clock, since a formula, say A p U_{>a} r, can be rewritten as y.(A p U (r ∧ (y > a))). Properties P2 and P3 from the introduction are expressed respectively as A ¬error U_{≥50} and A U_{≤7} safe. Since ITA can be translated into ITA −, the problem can be simplified by focusing on the subclass ITA −. We prove that:
Sketch. The main idea underlying the procedures for cases 1 and 2 is to obtain a maximal (exponential in the number of clocks) size for the runs on which it is sufficient to test the formula. Then the decision procedure is as follows. It non-deterministically guesses a path in the ITA − whose length is less than or equal to the bound. In order to check that this path yields a run, it builds a linear program whose variables are {x_i^j}, where x_i^j is the value of clock x_i after the j-th step, and {d^j}, where d^j is the amount of time elapsed during the j-th step, when j corresponds to a time step. The equations and inequations are deduced from the guards and updates of the discrete transitions in the path and the delays of the time steps.
The satisfaction of the formula can be checked by separately verifying on one side that the run satisfies p U r, and on the other side, that the sum of all delays d j satisfies the constraint in the formula.
The size of this linear program is exponential w.r.t. the size of the ITA −. As a linear program can be solved in polynomial time [20], we obtain a procedure in NEXPTIME. If the number of clocks is fixed, the number of variables is polynomial w.r.t. the size of the problem.
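As an added example (not the authors' code), the check of the sketch for one guessed path: clocks are tracked as linear forms in the delay variables d^j, which turns guards, policies and the bound on the total elapsed time into a system of linear constraints over the d^j only (the clock variables x_i^j of the sketch are eliminated on the fly); feasibility is then decided by Fourier–Motzkin elimination over rationals, a stand-in for the polynomial-time LP solver of [20]. The automaton is constructed in the spirit of A_1 of Figure 2(a), with the guards quoted in this section's example and assumed levels and policies; the per-step shape "one delay, then one transition" is also an assumption.

```python
from fractions import Fraction as F

CONST = "c"   # key of the constant term in a linear form {variable: coefficient}

def add(f, g, s=F(1)):
    """Return the form f + s*g, dropping zero coefficients."""
    h = dict(f)
    for k, c in g.items():
        h[k] = h.get(k, F(0)) + s * c
    return {k: c for k, c in h.items() if c != 0}

def scale(f, s):
    return {k: s * c for k, c in f.items()}

def subst(f, var, g):
    """Replace var by the form g inside f."""
    return add({k: c for k, c in f.items() if k != var}, g, f[var]) if var in f else f

def leq_form(form, op):
    """Turn form op 0 into one of the shapes <, <=, = that feasible() understands."""
    if op in (">", ">="):
        return scale(form, F(-1)), ("<" if op == ">" else "<=")
    return form, op

def feasible(constraints):
    """Rational feasibility of constraints (form, op), read as form op 0, by Fourier-Motzkin
    elimination: a stand-in for the LP solver used in the proof sketch."""
    cs = list(constraints)
    while True:                                   # solve each equality for one variable
        eq = next((c for c in cs if c[1] == "="), None)
        if eq is None:
            break
        cs.remove(eq)
        f = eq[0]
        var = next((k for k in f if k != CONST), None)
        if var is None:
            if f.get(CONST, F(0)) != 0:
                return False
            continue
        g = scale({k: c for k, c in f.items() if k != var}, F(-1) / f[var])   # var = g
        cs = [(subst(h, var, g), op) for h, op in cs]
    while True:                                   # eliminate one variable per round
        var = next((k for f, _ in cs for k in f if k != CONST), None)
        if var is None:
            break
        upper = [c for c in cs if c[0].get(var, 0) > 0]   # a*var + ru <= 0, a > 0
        lower = [c for c in cs if c[0].get(var, 0) < 0]   # b*var + rl <= 0, b < 0
        cs = [c for c in cs if var not in c[0]]
        for fu, ou in upper:
            for fl, ol in lower:
                ru = {k: c for k, c in fu.items() if k != var}
                rl = {k: c for k, c in fl.items() if k != var}
                # var >= rl/|b| and var <= -ru/a are compatible iff a*rl + |b|*ru (<|<=) 0
                cs.append((add(scale(rl, fu[var]), scale(ru, -fl[var])),
                           "<" if "<" in (ou, ol) else "<="))
    return all(f.get(CONST, F(0)) < 0 if op == "<" else f.get(CONST, F(0)) <= 0 for f, op in cs)

# Constructed ITA- in the spirit of A_1 (Figure 2(a)): the guards are those quoted in
# this section's example, the levels and policies are assumptions. A clock expression is
# {clock_index: coeff, 0: constant}; a guard is a list of (expr, op) read as expr op 0.
NB_LEVELS = 2
LEVEL = {"q0": 1, "q1": 2, "q2": 2}
POLICY = {"q0": "Lazy", "q1": "Lazy", "q2": "Lazy"}
TRANSITIONS = [("q0", [({1: F(1), 0: F(-1)}, "<")], {}, "a", "q1"),            # x1 - 1 < 0
               ("q1", [({1: F(1), 2: F(2), 0: F(-2)}, "=")], {}, "b", "q2")]   # x1 + 2 x2 = 2

def lift(expr, clocks):
    """Rewrite a clock expression as a form over the delay variables."""
    form = {}
    for i, c in expr.items():
        form = add(form, clocks[i - 1] if i else {CONST: F(1)}, c)
    return form

def path_constraints(q0, labels, policy=POLICY, duration=None):
    """Symbolic execution of a path (a delay, then the labelled transition, per label):
    clock x_i after the j-th step is a form in d0, d1, ...; guards, policies, updates and
    d_j >= 0 become constraints, plus an optional bound (op, a) on the total elapsed time."""
    q, clocks, cs, total = q0, [{} for _ in range(NB_LEVELS)], [], {}
    for j, label in enumerate(labels):
        d = f"d{j}"
        total = add(total, {d: F(1)})
        cs.append(({d: F(-1)}, "<" if policy[q] == "Delayed" else "<="))   # d_j > 0 or >= 0
        if policy[q] == "Urgent":
            cs.append(({d: F(1)}, "="))                                       # d_j = 0
        clocks[LEVEL[q] - 1] = add(clocks[LEVEL[q] - 1], {d: F(1)})          # only x_level runs
        t = next((t for t in TRANSITIONS if t[0] == q and t[3] == label), None)
        if t is None:
            raise ValueError(f"no {label}-transition from {q}")
        _, guard, update, _, tgt = t
        cs.extend(leq_form(lift(expr, clocks), op) for expr, op in guard)
        clocks = [lift(update[i + 1], clocks) if i + 1 in update else clocks[i]
                  for i in range(NB_LEVELS)]
        for i in range(LEVEL[tgt], NB_LEVELS):                                 # higher clocks are 0
            clocks[i] = {}
        q = tgt
    if duration is not None:
        cs.append(leq_form(add(total, {CONST: F(-duration[1])}), duration[0]))
    return cs

def path_is_run(q0, labels, policy=POLICY, duration=None):
    """Is there a choice of delays making the path a run (meeting the time bound, if any)?"""
    return feasible(path_constraints(q0, labels, policy, duration))
```

With the Lazy policies, the path a·b is a run (for instance d^0 = 1/2, d^1 = 3/4); making q_1 Urgent forces d^1 = 0 and hence x_1 = 2 at the second guard, contradicting x_1 < 1, so the same path is no longer a run. The `duration` argument is the second half of the check described above: a bound on the sum of the delays is just one more linear constraint over the same variables.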
For formulas in case 3, a specific procedure can be avoided: the result of case 2 can be reused since A p U_{≤a} r = (A p U r) ∧ ¬(E ¬r U_{>a}), and A p U_{<a} r = (A p U r) ∧ ¬(E ¬r U_{≥a}).
While a counterexample is a finite path in the three previous cases, it is potentially infinite in case 4. Therefore, the proof is more difficult and the decidability procedure relies on a specific technique.
Lemma 3. Model checking formulas A p U_{≥a} r and A p U_{>a} r on an ITA − is decidable.
Sketch. We start by noticing that formula A p U_{≥a} r is true in a configuration of an ITA − A if all the following conditions hold for paths starting in this configuration:
• all paths satisfy p U r,
• there is no path such that from a certain point where the time elapsed is strictly less than a, proposition r is false until both p and r are,
• there is no path such that from a certain point where the time elapsed is strictly less than a, proposition r is always false.
Using maximal paths, which are either infinite or finite but ending in a state from which no transition can be taken, is necessary for this last condition.
5 Conclusion and related work
Several restrictions of stopwatch automata have been proposed to gain decidability results. For the model of suspension automata [17], reachability is decidable when stopwatches have value zero when suspended and satisfy some additional bounds. In the case of preemptive scheduling, the clocks in task automata from [14] can be updated by subtraction, which can be viewed as a kind of stopwatch simulation. Checking schedulability is proved decidable for several scheduling policies (and undecidable in general).
In this work we consider interrupt timed automata, where stopwatches are organized along hierarchical levels. Although model checking TCTL formulas with explicit clocks is undecidable, we obtain decidability for two subsets of real-time properties: when only model clocks are used in the formula, with a complexity in 2-EXPSPACE, and for a subset of TCTL with subscripts. The case of formulas with internal clocks and only one external clock remains open. We also plan to extend these results to ITA +, which subsumes both TA and ITA.
