A Theory of Timed Automata¹

Rajeev Alur², David L. Dill³
Computer Science Department, Stanford University, Stanford, CA 94305.

Abstract. We propose timed (finite) automata to model the behavior of real-time systems over time. Our definition provides a simple, and yet powerful, way to annotate state-transition graphs with timing constraints using finitely many real-valued clocks. A timed automaton accepts timed words: infinite sequences in which a real-valued time of occurrence is associated with each symbol. We study timed automata from the perspective of formal language theory: we consider closure properties, decision problems, and subclasses. We consider both nondeterministic and deterministic transition structures, and both Büchi and Muller acceptance conditions. We show that nondeterministic timed automata are closed under union and intersection, but not under complementation, whereas deterministic timed Muller automata are closed under all Boolean operations. The main construction of the paper is a (PSPACE) algorithm for checking the emptiness of the language of a (nondeterministic) timed automaton. We also prove that the universality problem and the language inclusion problem are solvable only for the deterministic automata: both problems are undecidable ($\Pi^1_1$-hard) in the nondeterministic case and PSPACE-complete in the deterministic case. Finally, we discuss the application of this theory to automatic verification of real-time requirements of finite-state systems.

Keywords: Real-time systems, automatic verification, formal languages and automata theory.

¹ Preliminary versions of this paper appear in the Proceedings of the 17th International Colloquium on Automata, Languages, and Programming (1990), and in the Proceedings of the REX workshop "Real-time: theory in practice" (1991).
² Current address: AT&T Bell Laboratories, 600 Mountain Avenue, Room 2D-144, Murray Hill, NJ 07974.
³ Supported by the National Science Foundation under grant MIP-8858807, and by the United States Navy, Office of the Chief of Naval Research under grant N00014-91-J-1901. This publication does not necessarily reflect the position or the policy of the U.S. government, and no official endorsement of this work should be inferred.

1 Introduction

Modal logics and $\omega$-automata for qualitative temporal reasoning about concurrent systems have been studied in great detail (selected references: [36, 32, 16, 28, 47, 44, 37, 11]). These formalisms abstract away from time, retaining only the sequencing of events. In the linear time model, it is assumed that an execution can be completely modeled as a sequence of states or system events, called an execution trace (or just trace). The behavior of the system is a set of such execution sequences. Since a set of sequences is a formal language, this leads naturally to the use of automata for the specification and verification of systems. When the systems are finite-state, as many are, we can use finite automata, leading to effective constructions and decision procedures for automatically manipulating and analyzing system behavior. The universal acceptance of finite automata as the canonical model of finite-state computation can be attributed to the robustness of the model and the appeal of its theory. In particular, a variety of competing formalisms (nondeterministic Büchi automata, deterministic and nondeterministic Muller automata, $\omega$-regular expressions, modal formulas of (extended) temporal logic, and second-order formulas of the monadic theory of one successor (S1S)) have the same expressiveness, and define the class of $\omega$-regular languages [7, 9, 33, 46, 42]. Consequently many verification theories are based on the theory of $\omega$-regular languages.

Although the decision to abstract away from quantitative time has had many advantages, it is ultimately counterproductive when reasoning about systems that must interact with physical processes; the correct functioning of the control system of airplanes and toasters depends crucially upon real-time considerations. We would like to be able to specify and verify models of real-time systems as easily as qualitative models. Our goal is to modify finite automata for this task and develop a theory of timed finite automata, similar in spirit to the theory of $\omega$-regular languages. We believe that this should be the first step in building theories for the real-time verification problem.

For simplicity, we discuss models that consider executions to be infinite sequences of events, not states (the theory with state-based models differs only in details). Within this framework, it is possible to add timing to an execution trace by pairing it with a sequence of times, where the $i$'th element of the time sequence gives the time of occurrence of the $i$'th event. At this point, however, a fundamental question arises: what is the nature of time?

Modeling time

One alternative, which leads to the discrete-time model, requires the time sequence to be a monotonically increasing sequence of integers. This model is appropriate for certain kinds of synchronous digital circuits, where signal changes are considered to have changed exactly when a clock signal arrives. One of the advantages of this model is that it can be transformed easily into an ordinary formal language. Each timed trace can be expanded into a trace where the times increase by exactly one at each step, by inserting a special silent event as many times as necessary between events in the original trace. Once this transformation has been performed, the time of each event is the same as its position, so the time sequence can be discarded, leaving an ordinary string. Hence, discrete time behaviors can be manipulated using ordinary finite automata. Of course, in physical processes events do not always happen at integer-valued times. The discrete-time model requires that continuous time be approximated by choosing some fixed quantum a priori, which limits the accuracy with which physical systems can be modeled.

The fictitious-clock model is similar to the discrete time model, except that it only requires the sequence of integer times to be non-decreasing. The interpretation of a timed execution trace in this model is that events occur in the specified order at real-valued times, but only the (integer) readings of the actual times with respect to a digital clock are recorded in the trace. This model is also easily transformed into a conventional formal language. First, add to the set of events a new one, called tick. The untimed trace corresponding to a timed trace will include all of the events from the timed trace, in the same order, but with $\tau_{i+1} - \tau_i$ number of ticks inserted between the $i$'th and the $(i+1)$'th events (note that this number may be 0). Once again, it is conceptually simple to manipulate these behaviors using finite automata, but the compensating disadvantage is that it represents time only in an approximate sense.

We prefer a dense-time model, in which time is a dense set, because it is a more natural model for physical processes operating over continuous time. In this model, the times of events are real numbers, which increase monotonically without bound. Dealing with dense time in a finite-automata framework is more difficult than the other two cases, because it is not obvious how to transform a set of dense-time traces into an ordinary formal language. Instead, we have developed a theory of timed formal languages and timed automata to support automated reasoning about such systems.

Overview

To augment finite $\omega$-automata with timing constraints, we propose the formalism of timed automata. Timed automata accept timed words: infinite sequences in which a real-valued time of occurrence is associated with each symbol. A timed automaton is a finite automaton with a finite set of real-valued clocks. The clocks can be reset to 0 (independently of each other) with the transitions of the automaton, and keep track of the time elapsed since the last reset. The transitions of the automaton put certain constraints on the clock values: a transition may be taken only if the current values of the clocks satisfy the associated constraints. With this mechanism we can model timing properties such as "the channel delivers every message within 3 to 5 time units of its receipt". Timed automata can capture several interesting aspects of real-time systems: qualitative features such as liveness, fairness, and nondeterminism; and quantitative features such as periodicity, bounded response, and timing delays.

We study timed automata from the perspective of formal language theory. We consider both deterministic and nondeterministic varieties, and for acceptance criteria we consider both Büchi and Muller conditions. We show that nondeterministic timed automata are closed under union and intersection, but surprisingly, not under complementation. The closure properties for the deterministic classes are similar to their untimed counterparts: deterministic timed Muller automata are closed under all Boolean operations, whereas deterministic timed Büchi automata are closed under only the positive Boolean operations. These results imply that, unlike the untimed case, deterministic timed Muller automata are strictly less expressive than their nondeterministic counterparts.

We study a variety of decision problems for the different types of timed automata. The main positive result is an untiming construction for timed automata. Due to the real-valued clock variables, the state space of a timed automaton is infinite, and the untiming algorithm constructs a finite quotient of this space. This is used to prove that the set of untimed words consistent with the timing constraints of a timed automaton forms an $\omega$-regular set. It also leads to a PSPACE decision procedure for testing emptiness of the language of a timed automaton. We also show that the dual problem of testing whether a timed automaton accepts all timed words (i.e., the universality question) is undecidable ($\Pi^1_1$-hard) for nondeterministic automata. This also implies the undecidability of the language inclusion problem. However, both these problems can be solved in PSPACE for the deterministic versions.

Finally, we show how to apply the theory of timed automata to prove correctness of finite-state real-time systems. We give a PSPACE verification algorithm to test whether a system modeled as a product of timed automata satisfies its specification given as a deterministic timed Muller automaton.

Related work

Different ways of incorporating timing constraints in the qualitative models of a system have been proposed recently; however, no attempt has been made to develop a theory of timed languages, and no algorithms for checking real-time properties in the dense-time model have been developed. Perhaps the most standard way of introducing timing information in a process model is by associating lower and upper bounds with transitions. Examples of these include timed Petri nets [38], timed transition systems [35, 21], timed I/O automata [31], and Modecharts [25]. In a timed automaton, unlike these other models, a bound on the time taken to traverse a path in the automaton, not just the time interval between the successive transitions, can be directly expressed. Our model is based on an earlier model proposed by Dill that employs timers [13]. A model similar to Dill's was independently proposed and studied by Lewis [30]. He defines state-diagrams, and gives a way of translating a circuit description to a state-diagram. A state-diagram is a finite-state machine where every edge is annotated with a matrix of intervals constraining various delays. Lewis also develops an algorithm for checking consistency of the timing information for a special class of state-diagrams; the ones for which there exists a constant $k$ such that at most $k$ transitions can happen in a time interval of unit length. Our untiming construction does not need the latter assumption, and has a better worst-case complexity. We note that the decidability and lower bound results presented here carry over to his formalism also.

There have been a few attempts to extend temporal logics with quantitative time [6, 24, 26, 35, 17, 5, 20]. Most of these logics employ the discrete-time or the fictitious-clock semantics. In the case of the dense-time model the only previously known result is an undecidability result: in [5] it is shown that the satisfiability problem for a real-time extension of the linear-time temporal logic PTL is undecidable ($\Pi^1_1$-hard) in the dense-time model.

2 $\omega$-automata

In this section we will briefly review the relevant aspects of the theory of $\omega$-regular languages. The more familiar definition of a formal language is as a set of finite words over some given (finite) alphabet (see, for example, [23]). As opposed to this, an $\omega$-language consists of infinite words. Thus an $\omega$-language over a finite alphabet $\Sigma$ is a subset of $\Sigma^\omega$, the set of all infinite words over $\Sigma$. $\omega$-automata provide a finite representation for certain types of $\omega$-languages. An $\omega$-automaton is essentially the same as a nondeterministic finite-state automaton, but with the acceptance condition modified suitably so as to handle infinite input words. Various types of $\omega$-automata have been studied in the literature [7, 33, 9, 42]. We will mainly consider two types of $\omega$-automata: Büchi automata and Muller automata.

A transition table $A$ is a tuple $\langle \Sigma, S, S_0, E \rangle$, where $\Sigma$ is an input alphabet, $S$ is a finite set of automaton states, $S_0 \subseteq S$ is a set of start states, and $E \subseteq S \times S \times \Sigma$ is a set of edges. The automaton starts in an initial state, and if $\langle s, s', a \rangle \in E$ then the automaton can change its state from $s$ to $s'$ reading the input symbol $a$.

For a word $\sigma = \sigma_1 \sigma_2 \ldots$ over the alphabet $\Sigma$, we say that

$r : s_0 \xrightarrow{\sigma_1} s_1 \xrightarrow{\sigma_2} s_2 \xrightarrow{\sigma_3} \cdots$

is a run of $A$ over $\sigma$, provided $s_0 \in S_0$, and $\langle s_{i-1}, s_i, \sigma_i \rangle \in E$ for all $i \ge 1$. For such a run, the set $\mathit{inf}(r)$ consists of the states $s \in S$ such that $s = s_i$ for infinitely many $i \ge 0$.

Different types of $\omega$-automata are defined by adding an acceptance condition to the definition of the transition tables. A Büchi automaton $A$ is a transition table $\langle \Sigma, S, S_0, E \rangle$ with an additional set $F \subseteq S$ of accepting states. A run $r$ of $A$ over a word $\sigma \in \Sigma^\omega$ is an accepting run iff $\mathit{inf}(r) \cap F \ne \emptyset$. In other words, a run $r$ is accepting iff some state from the set $F$ repeats infinitely often along $r$. The language $L(A)$ accepted by $A$ consists of the words $\sigma \in \Sigma^\omega$ such that $A$ has an accepting run over $\sigma$.

Figure 1: Büchi automaton accepting $(a+b)^*a^\omega$ (states $s_0$, $s_1$; edge labels $a,b$ and $a$)

Example 2.1 Consider the 2-state automaton of Figure 1 over the alphabet $\{a, b\}$. The state $s_0$ is the start state and $s_1$ is the accepting state. Every accepting run of the automaton has the form

$r : s_0 \xrightarrow{\sigma_1} s_0 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} s_0 \xrightarrow{a} s_1 \xrightarrow{a} s_1 \xrightarrow{a} \cdots$

with $\sigma_i \in \{a, b\}$ for $1 \le i \le n$ for some $n \ge 1$. The automaton accepts all words with only a finite number of $b$'s; that is, the language $L_0 = (a+b)^*a^\omega$.

Figure 2: Deterministic Muller automaton accepting $(a+b)^*a^\omega$ (states $s_0$, $s_1$; edge labels $a$, $b$)

An $\omega$-language is called $\omega$-regular iff it is accepted by some Büchi automaton. Thus the language $L_0$ of Example 2.1 is an $\omega$-regular language.

The class of $\omega$-regular languages is closed under all the Boolean operations. Language intersection is implemented by a product construction for Büchi automata [9, 47]. There are known constructions for complementing Büchi automata [41, 40].

When Büchi automata are used for modeling finite-state concurrent processes, the verification problem reduces to that of language inclusion. The inclusion problem for $\omega$-regular languages is decidable. To test whether the language of one automaton is contained in the other, we check for emptiness of the intersection of the first automaton with the complement of the second. Testing for emptiness is easy; we only need to search for a cycle that is reachable from a start state and includes at least one accepting state. In general, complementing a Büchi automaton involves an exponential blow-up in the number of states, and the language inclusion problem is known to be PSPACE-complete [41]. However, checking whether the language of one automaton is contained in the language of a deterministic automaton can be done in polynomial time [27].

A transition table $A = \langle \Sigma, S, S_0, E \rangle$ is deterministic iff (i) there is a single start state, that is, $|S_0| = 1$, and (ii) the number of $a$-labeled edges starting at $s$ is at most one for all states $s \in S$ and for all symbols $a \in \Sigma$. Thus, for a deterministic transition table, the current state and the next input symbol determine the next state uniquely. Consequently, a deterministic automaton has at most one run over a given word. Unlike the automata on finite words, the class of languages accepted by deterministic Büchi automata is strictly smaller than the class of $\omega$-regular languages. For instance, there is no deterministic Büchi automaton which accepts the language $L_0$ of Example 2.1. Muller automata (defined below) avoid this problem at the cost of a more powerful acceptance condition.

A Muller automaton $A$ is a transition table $\langle \Sigma, S, S_0, E \rangle$ with an acceptance family $\mathcal{F} \subseteq 2^S$. A run $r$ of $A$ over a word $\sigma \in \Sigma^\omega$ is an accepting run iff $\mathit{inf}(r) \in \mathcal{F}$. That is, a run $r$ is accepting iff the set of states repeating infinitely often along $r$ equals some set in $\mathcal{F}$. The language accepted by $A$ is defined as in case of Büchi automata.

Example 2.2 The deterministic Muller automaton of Figure 2 accepts the language $L_0$ consisting of all words over $\{a, b\}$ with only a finite number of $b$'s. The Muller acceptance family is $\{\{s_1\}\}$. Thus every accepting run can visit the state $s_0$ only finitely often.

The class of languages accepted by Muller automata is the same as that accepted by Büchi automata, and also equals that accepted by deterministic Muller automata. Thus deterministic Muller automata form a strong candidate for representing $\omega$-regular languages: they are as expressive as their nondeterministic counterpart, and they can be complemented in polynomial time. Algorithms for constructing the intersection of two Muller automata and for checking language inclusion are known [10].

3 Timed automata

In this section we define timed words by coupling a real-valued time with each symbol in a word. Then we augment the definition of $\omega$-automata so that they accept timed words, and use them to develop a theory of timed regular languages analogous to the theory of $\omega$-regular languages.

3.1 Timed languages

We define timed words so that a behavior of a real-time system corresponds to a timed word over the alphabet of events. As in the case of the dense-time model, the set of nonnegative real numbers, $\mathbb{R}$, is chosen as the time domain. A word is coupled with a time sequence as defined below:

Definition 3.1 A time sequence $\tau = \tau_1 \tau_2 \ldots$ is an infinite sequence of time values $\tau_i \in \mathbb{R}$ with $\tau_i > 0$, satisfying the following constraints:
1. Monotonicity: $\tau$ increases strictly monotonically; that is, $\tau_i < \tau_{i+1}$ for all $i \ge 1$.
2. Progress: For every $t \in \mathbb{R}$, there is some $i \ge 1$ such that $\tau_i > t$.

A timed word over an alphabet $\Sigma$ is a pair $(\sigma, \tau)$ where $\sigma = \sigma_1 \sigma_2 \ldots$ is an infinite word over $\Sigma$ and $\tau$ is a time sequence. A timed language over $\Sigma$ is a set of timed words over $\Sigma$.

If a timed word $(\sigma, \tau)$ is viewed as an input to an automaton, it presents the symbol $\sigma_i$ at time $\tau_i$. If each symbol $\sigma_i$ is interpreted to denote an event occurrence then the corresponding component $\tau_i$ is interpreted as the time of occurrence of $\sigma_i$. Under certain circumstances it may be appropriate to allow the same time value to be associated with many consecutive events in the sequence. To accommodate this possibility one could use a slightly different definition of timed words by requiring a time sequence to increase only monotonically (i.e., require $\tau_i \le \tau_{i+1}$ for all $i \ge 1$). All our results continue to hold in this alternative model also.

Let us consider some examples of timed languages.

Example 3.2 Let the alphabet be $\{a, b\}$. Define a timed language $L_1$ to consist of all timed words $(\sigma, \tau)$ such that there is no $b$ after time 5.6. Thus the language $L_1$ is given by

$L_1 = \{(\sigma, \tau) \mid \forall i.\ ((\tau_i > 5.6) \rightarrow (\sigma_i = a))\}.$

Another example is the language $L_2$ consisting of timed words in which $a$ and $b$ alternate, and for the successive pairs of $a$ and $b$, the time difference between $a$ and $b$ keeps increasing. The language $L_2$ is given as

$L_2 = \{((ab)^\omega, \tau) \mid \forall i.\ ((\tau_{2i} - \tau_{2i-1}) < (\tau_{2i+2} - \tau_{2i+1}))\}.$

The language-theoretic operations such as intersection, union, complementation are defined for timed languages as usual. In addition we define the untime operation which discards the time values associated with the symbols, that is, it considers the projection of a timed trace $(\sigma, \tau)$ on the first component.

Definition 3.3 For a timed language $L$ over $\Sigma$, $\mathit{Untime}(L)$ is the $\omega$-language consisting of $\sigma \in \Sigma^\omega$ such that $(\sigma, \tau) \in L$ for some time sequence $\tau$.

For instance, referring to Example 3.2, $\mathit{Untime}(L_1)$ is the $\omega$-language $(a+b)^*a^\omega$, and $\mathit{Untime}(L_2)$ consists of a single word $(ab)^\omega$.

3.2 Transition tables with timing constraints

Now we extend transition tables to timed transition tables so that they can read timed words. When an automaton makes a state-transition, the choice of the next state depends upon the input symbol read. In case of a timed transition table, we want this choice to depend also upon the time of the input symbol relative to the times of the previously read symbols. For this purpose, we associate a finite set of (real-valued) clocks with each transition table. A clock can be set to zero simultaneously with any transition. At any instant, the reading of a clock equals the time elapsed since the last time it was reset. With each transition we associate a clock constraint, and require that the transition may be taken only if the current values of the clocks satisfy this constraint. Before we define the timed transition tables formally, let us consider some examples.

Figure 3: Example of a timed transition table (states $s_0$, $s_1$; edge labels "$a$, $x := 0$" and "$b$, $(x < 2)?$")

Example 3.4 Consider the timed transition table of Figure 3. The start state is $s_0$. There is a single clock $x$. An annotation of the form $x := 0$ on an edge corresponds to the action of resetting the clock $x$ when the edge is traversed. Similarly an annotation of the form $(x < 2)?$ on an edge gives the clock constraint associated with the edge. The automaton starts in state $s_0$, and moves to state $s_1$ reading the input symbol $a$. The clock $x$ gets set to 0 along with this transition. While in state $s_1$, the value of the clock $x$ shows the time elapsed since the occurrence of the last $a$ symbol. The transition from state $s_1$ to $s_0$ is enabled only if this value is less than 2. The whole cycle repeats when the automaton moves back to state $s_0$. Thus the timing constraint expressed by this transition table is that the delay between $a$ and the following $b$ is always less than 2; more formally, the language is

$\{((ab)^\omega, \tau) \mid \forall i.\ (\tau_{2i} < \tau_{2i-1} + 2)\}.$

Thus to constrain the delay between two transitions $e_1$ and $e_2$, we require a particular clock to be reset on $e_1$, and associate an appropriate clock constraint with $e_2$. Note that clocks can be set asynchronously of each other. This means that different clocks can be restarted at different times, and there is no lower bound on the difference between their readings. Having multiple clocks allows multiple concurrent delays, as in the next example.

Figure 4: Timed transition table with 2 clocks (states $s_0$, $s_1$, $s_2$, $s_3$; edge labels "$a$, $x := 0$", "$b$, $y := 0$", "$c$, $(x < 1)?$", "$d$, $(y > 2)?$")

Example 3.5 The timed transition table of Figure 4 uses two clocks $x$ and $y$, and accepts the language

$L_3 = \{((abcd)^\omega, \tau) \mid \forall j.\ ((\tau_{4j+3} < \tau_{4j+1} + 1) \wedge (\tau_{4j+4} > \tau_{4j+2} + 2))\}.$

The automaton cycles among the states $s_0$, $s_1$, $s_2$ and $s_3$. The clock $x$ gets set to 0 each time it moves from $s_0$ to $s_1$ reading $a$. The check $(x < 1)?$ associated with the $c$-transition from $s_2$ to $s_3$ ensures that $c$ happens within time 1 of the preceding $a$. A similar mechanism of resetting another independent clock $y$ while reading $b$ and checking its value while reading $d$, ensures that the delay between $b$ and the following $d$ is always greater than 2.

Notice that in the above example, to constrain the delay between $a$ and $c$ and between $b$ and $d$ the automaton does not put any explicit bounds on the time difference between $a$ and the following $b$, or $c$ and the following $d$. This is an important advantage of having multiple clocks which can be set independently of each other. The above language $L_3$ is the intersection of the two languages $L_3^1$ and $L_3^2$ defined as

$L_3^1 = \{((abcd)^\omega, \tau) \mid \forall j.\ (\tau_{4j+3} < \tau_{4j+1} + 1)\},$
$L_3^2 = \{((abcd)^\omega, \tau) \mid \forall j.\ (\tau_{4j+4} > \tau_{4j+2} + 2)\}.$

Each of the languages $L_3^1$ and $L_3^2$ can be expressed by an automaton which uses just one clock; however to express their intersection we need two clocks.

We remark that the clocks of the automaton do not correspond to the local clocks of different components in a distributed system. All the clocks increase at the uniform rate counting time with respect to a fixed global time frame. They are fictitious clocks invented to express the timing properties of the system. Alternatively, we can consider the automaton to be equipped with a finite number of stop-watches which can be started and checked independently of one another, but all stop-watches refer to the same clock.

3.3 Clock constraints and clock interpretations

To define timed automata formally, we need to say what type of clock constraints are allowed on the edges. The simplest form of a constraint compares a clock value with a time constant. We allow only the Boolean combinations of such simple constraints. Any value from $\mathbb{Q}$, the set of nonnegative rationals, can be used as a time constant. Later, in Section 5.5, we will show that allowing more complex constraints, such as those involving addition of clock values, leads to undecidability.

Definition 3.6 For a set $X$ of clock variables, the set $\Phi(X)$ of clock constraints $\delta$ is defined inductively by

$\delta := x \le c \mid c \le x \mid \neg\delta \mid \delta_1 \wedge \delta_2,$

where $x$ is a clock in $X$ and $c$ is a constant in $\mathbb{Q}$.

Observe that constraints such as $\mathit{true}$, $(x = c)$, $x \in [2, 5)$ can be defined as abbreviations.

A clock interpretation $\nu$ for a set $X$ of clocks assigns a real value to each clock; that is, it is a mapping from $X$ to $\mathbb{R}$. We say that a clock interpretation $\nu$ for $X$ satisfies a clock constraint $\delta$ over $X$ iff $\delta$ evaluates to true using the values given by $\nu$.

For $t \in \mathbb{R}$, $\nu + t$ denotes the clock interpretation which maps every clock $x$ to the value $\nu(x) + t$, and the clock interpretation $t\nu$ assigns to each clock $x$ the value $t\nu(x)$. For $Y \subseteq X$, $[Y \mapsto t]\nu$ denotes the clock interpretation for $X$ which assigns $t$ to each $x \in Y$, and agrees with $\nu$ over the rest of the clocks.

3.4 Timed transition tables

Now we give the precise definition of timed transition tables.

Definition 3.7 A timed transition table $A$ is a tuple $\langle \Sigma, S, S_0, C, E \rangle$, where
- $\Sigma$ is a finite alphabet,
- $S$ is a finite set of states,
- $S_0 \subseteq S$ is a set of start states,
- $C$ is a finite set of clocks, and
- $E \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C)$ gives the set of transitions. An edge $\langle s, s', a, \lambda, \delta \rangle$ represents a transition from state $s$ to state $s'$ on input symbol $a$. The set $\lambda \subseteq C$ gives the clocks to be reset with this transition, and $\delta$ is a clock constraint over $C$.

Given a timed word $(\sigma, \tau)$, the timed transition table $A$ starts in one of its start states at time 0 with all its clocks initialized to 0. As time advances, the values of all clocks change, reflecting the elapsed time. At time $\tau_i$, $A$ changes state from $s$ to $s'$ using some transition of the form $\langle s, s', \sigma_i, \lambda, \delta \rangle$ reading the input $\sigma_i$, if the current values of clocks satisfy $\delta$. With this transition the clocks in $\lambda$ are reset to 0, and thus start counting time with respect to the time of occurrence of this transition. This behavior is captured by defining runs of timed transition tables. A run records the state and the values of all the clocks at the transition points. For a time sequence $\tau = \tau_1 \tau_2 \ldots$ we define $\tau_0 = 0$.

Definition 3.8 A run $r$, denoted by $(\bar{s}, \bar{\nu})$, of a timed transition table $\langle \Sigma, S, S_0, C, E \rangle$ over a timed word $(\sigma, \tau)$ is an infinite sequence of the form

$r : \langle s_0, \nu_0 \rangle \xrightarrow{\sigma_1, \tau_1} \langle s_1, \nu_1 \rangle \xrightarrow{\sigma_2, \tau_2} \langle s_2, \nu_2 \rangle \xrightarrow{\sigma_3, \tau_3} \cdots$

with $s_i \in S$ and $\nu_i \in [C \rightarrow \mathbb{R}]$, for all $i \ge 0$, satisfying the following requirements:
- Initiation: $s_0 \in S_0$, and $\nu_0(x) = 0$ for all $x \in C$.
- Consecution: for all $i \ge 1$, there is an edge in $E$ of the form $\langle s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i \rangle$ such that $(\nu_{i-1} + \tau_i - \tau_{i-1})$ satisfies $\delta_i$ and $\nu_i$ equals $[\lambda_i \mapsto 0](\nu_{i-1} + \tau_i - \tau_{i-1})$.

The set $\mathit{inf}(r)$ consists of those states $s \in S$ such that $s = s_i$ for infinitely many $i \ge 0$.

Example 3.9 Consider the timed transition table of Example 3.5. Consider a timed word

$(a, 2) \rightarrow (b, 2.7) \rightarrow (c, 2.8) \rightarrow (d, 5) \rightarrow \cdots$

Below we give the initial segment of the run. A clock interpretation is represented by listing the values $[x, y]$.

$\langle s_0, [0, 0] \rangle \xrightarrow{a, 2} \langle s_1, [0, 2] \rangle \xrightarrow{b, 2.7} \langle s_2, [0.7, 0] \rangle \xrightarrow{c, 2.8} \langle s_3, [0.8, 0.1] \rangle \xrightarrow{d, 5} \langle s_0, [3, 2.3] \rangle \rightarrow \cdots$

Along a run $r = (\bar{s}, \bar{\nu})$ over $(\sigma, \tau)$, the values of the clocks at time $t$ between $\tau_i$ and $\tau_{i+1}$ are given by the interpretation $(\nu_i + t - \tau_i)$. When the transition from state $s_i$ to $s_{i+1}$ occurs, we use the value $(\nu_i + \tau_{i+1} - \tau_i)$ to check the clock constraint; however, at time $\tau_{i+1}$, the value of a clock that gets reset is defined to be 0.

Note that a transition table $A = \langle \Sigma, S, S_0, E \rangle$ can be considered to be a timed transition table $A'$. We choose the set of clocks to be the empty set, and replace every edge $\langle s, s', a \rangle$ by $\langle s, s', a, \emptyset, \mathit{true} \rangle$. The runs of $A'$ are in an obvious correspondence with the runs of $A$.

3.5 Timed regular languages

We can couple acceptance criteria with timed transition tables, and use them to define timed languages.

Definition 3.10 A timed Büchi automaton (in short TBA) is a tuple $\langle \Sigma, S, S_0, C, E, F \rangle$, where $\langle \Sigma, S, S_0, C, E \rangle$ is a timed transition table, and $F \subseteq S$ is a set of accepting states.

A run $r = (\bar{s}, \bar{\nu})$ of a TBA over a timed word $(\sigma, \tau)$ is called an accepting run iff $\mathit{inf}(r) \cap F \ne \emptyset$.

For a TBA $A$, the language $L(A)$ of timed words it accepts is defined to be the set $\{(\sigma, \tau) \mid A \text{ has an accepting run over } (\sigma, \tau)\}$.

In analogy with the class of languages accepted by Büchi automata, we call the class of timed languages accepted by TBAs timed regular languages.
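The run semantics of Definition 3.8 can be checked mechanically. The following is an added example written for this page (not code from the paper): it encodes a timed transition table as in Definition 3.7, with clock constraints as Python predicates on a clock interpretation, and enumerates all run prefixes over a finite prefix of a timed word. It is exercised on the two-clock table of Figure 4 and the timed word of Example 3.9, and on a word the table rejects. Exact rationals are used for the time values so that the clock readings compare exactly; the class and function names are this example's own.

```python
"""Added example: run prefixes of a timed transition table (Definition 3.8),
exercised on the table of Figure 4 / Example 3.5 and the word of Example 3.9.
Illustrative code written for this page; not the authors' code."""
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Tuple

Clock = str
Interp = Dict[Clock, Fraction]          # clock interpretation nu : C -> time values
Constraint = Callable[[Interp], bool]   # clock constraint delta, evaluated on nu
# An edge <s, s', a, lambda, delta>: source, target, symbol, clocks reset, constraint
Edge = Tuple[str, str, str, FrozenSet[Clock], Constraint]


class TimedTransitionTable:
    def __init__(self, clocks, start, edges: List[Edge]):
        self.clocks = set(clocks)
        self.start = set(start)
        self.edges = list(edges)

    def successors(self, state, nu: Interp, symbol, elapsed: Fraction):
        """All <s', nu'> reachable from <s, nu> by reading `symbol` after `elapsed`
        time units: advance every clock, test delta, then reset the clocks in lambda."""
        advanced = {x: v + elapsed for x, v in nu.items()}      # nu + (tau_i - tau_{i-1})
        out = []
        for s, s2, a, reset, delta in self.edges:
            if s == state and a == symbol and delta(advanced):
                out.append((s2, {x: (Fraction(0) if x in reset else v)
                                 for x, v in advanced.items()}))
        return out

    def runs(self, timed_prefix):
        """Every run prefix over a finite prefix [(symbol, time), ...] of a timed word.
        Each run is a list of (state, interpretation) pairs, starting with <s_0, nu_0>."""
        nu0 = {x: Fraction(0) for x in self.clocks}             # Initiation: all clocks 0
        frontier = [[(s, nu0)] for s in self.start]
        prev_time = Fraction(0)                                  # tau_0 = 0 by convention
        for symbol, time in timed_prefix:
            time = Fraction(time)
            if time <= prev_time:
                raise ValueError("time sequence must be strictly increasing")
            new_frontier = []
            for run in frontier:
                state, nu = run[-1]
                for nxt in self.successors(state, nu, symbol, time - prev_time):
                    new_frontier.append(run + [nxt])
            frontier, prev_time = new_frontier, time
        return frontier


# The table of Figure 4: a resets x, b resets y, c requires x < 1, d requires y > 2.
FIGURE4 = TimedTransitionTable(
    clocks={"x", "y"}, start={"s0"},
    edges=[("s0", "s1", "a", frozenset({"x"}), lambda nu: True),
           ("s1", "s2", "b", frozenset({"y"}), lambda nu: True),
           ("s2", "s3", "c", frozenset(), lambda nu: nu["x"] < 1),
           ("s3", "s0", "d", frozenset(), lambda nu: nu["y"] > 2)])


def example_3_9():
    """The initial run segment of Example 3.9 as (state, (x, y)) pairs."""
    word = [("a", "2"), ("b", "2.7"), ("c", "2.8"), ("d", "5")]
    runs = FIGURE4.runs(word)
    return [(s, (float(nu["x"]), float(nu["y"]))) for s, nu in runs[0]] if runs else []


def has_run(word):
    """True iff the table of Figure 4 has at least one run over the given prefix."""
    return bool(FIGURE4.runs(word))


if __name__ == "__main__":
    for state, clocks in example_3_9():
        print(state, clocks)
    # c at time 3.1 violates (x < 1)?, since x = 1.1 at that point
    print(has_run([("a", "2"), ("b", "2.7"), ("c", "3.1")]))
```

Because the table is nondeterministic in general, `runs` keeps every run prefix rather than a single one; on Figure 4 there is exactly one, and its clock values reproduce the segment listed in Example 3.9.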
Definition 3.11 A timed language $L$ is a timed regular language iff $L = L(A)$ for some TBA $A$.

Example 3.12 The language $L_3$ of Example 3.5 is a timed regular language. The timed transition table of Figure 4 is coupled with the acceptance set consisting of all the states.

For every $\omega$-regular language $L$ over $\Sigma$, the timed language $\{(\sigma, \tau) \mid \sigma \in L\}$ is regular. A typical example of a nonregular timed language is the language $L_2$ of Example 3.2. It requires that the time difference between the successive pairs of $a$ and $b$ form an increasing sequence. Another nonregular language is $\{(a^\omega, \tau) \mid \forall i.\ (\tau_i = 2^i)\}$.

Figure 5: Timed Büchi automaton accepting $L_{crt}$ (states $s_0$, $s_1$, $s_2$, $s_3$; edge labels "$a$", "$b$", "$a$, $x := 0$", "$b$, $(x < 2)?$")

Example 3.13 The automaton of Figure 5 accepts the timed language $L_{crt}$ over the alphabet $\{a, b\}$.

$L_{crt} = \{((ab)^\omega, \tau) \mid \exists i.\ \forall j \ge i.\ (\tau_{2j} < \tau_{2j-1} + 2)\}.$

The start state is $s_0$, the accepting state is $s_2$, and there is a single clock $x$. The automaton starts in state $s_0$, and cycles between the states $s_0$ and $s_1$ for a while. Then, nondeterministically, it moves to state $s_2$ setting its clock $x$ to 0. While in the cycle between the states $s_2$ and $s_3$, the automaton resets its clock while reading $a$, and ensures that the next $b$ is within 2 time units. Interpreting the symbol $b$ as a response to a request denoted by the symbol $a$, the automaton models a system with a convergent response time; the response time is "eventually" always less than 2 time units.

The automaton of Example 3.13 combines the Büchi acceptance condition with the timing constraints to specify an interesting convergent response property. The next example shows that timed automata can specify periodic behavior also.

Example 3.14 The automaton of Figure 6 accepts the following language over the alphabet $\{a, b\}$.

$\{(\sigma, \tau) \mid \forall i.\ \exists j.\ (\tau_j = 3i \wedge \sigma_j = a)\}$

The automaton has a single state $s_0$, and a single clock $x$. The clock gets reset at regular intervals of period 3 time units. The automaton requires that whenever the clock equals 3 there is an $a$ symbol. Thus it expresses the property that $a$ happens at all time values that are multiples of 3.

Figure 6: Timed automaton specifying periodic behavior (single state $s_0$; self-loop labels "$a, b$, $(x < 3)?$" and "$a$, $(x = 3)?$, $x := 0$")

3.6 Properties of timed regular languages

The next theorem considers some closure properties of timed regular languages.

Theorem 3.15 The class of timed regular languages is closed under (finite) union and intersection.

Proof. Consider TBAs $A_i = \langle \Sigma, S_i, S_i^0, C_i, E_i, F_i \rangle$, $i = 1, 2, \ldots, n$. Assume without loss of generality that the clock sets $C_i$ are disjoint. We construct TBAs accepting the union and intersection of $L(A_i)$.

Since TBAs are nondeterministic the case of union is easy. The required TBA is simply the disjoint union of all the automata.

Intersection can be implemented by a trivial modification of the standard product construction for Büchi automata [9]. The set of clocks for the product automaton $A$ is $\bigcup_i C_i$. The states of $A$ are of the form $\langle s_1, \ldots, s_n, k \rangle$, where each $s_i \in S_i$, and $1 \le k \le n$. The $i$-th component of the tuple keeps track of the state of $A_i$, and the last component is used as a counter for cycling through the accepting conditions of all the individual automata. Initially the counter value is 1, and it is incremented from $k$ to $(k+1)$ (modulo $n$) iff the current state of the $k$-th automaton is an accepting state. Note that we choose the value of $n \bmod n$ to be $n$.

The initial states of $A$ are of the form $\langle s_1, \ldots, s_n, 1 \rangle$ where each $s_i$ is a start state of $A_i$. A transition of $A$ is obtained by coupling the transitions of the individual automata having the same label. Let $\{\langle s_i, s_i', a, \lambda_i, \delta_i \rangle \in E_i \mid i = 1, \ldots, n\}$ be a set of transitions, one per each automaton, with the same label $a$. Corresponding to this set, there is a joint transition of $A$ out of each state of the form $\langle s_1, \ldots, s_n, k \rangle$ labeled with $a$. The new state is $\langle s_1', \ldots, s_n', j \rangle$ with $j = (k+1) \bmod n$ if $s_k \in F_k$, and $j = k$ otherwise. The set of clocks to be reset with this transition is $\bigcup_i \lambda_i$, and the associated clock constraint is $\bigwedge_i \delta_i$.

The counter value cycles through the whole range $1, \ldots, n$ infinitely often iff the accepting conditions of all the automata are met. Consequently, we define the accepting set for $A$ to consist of states of the form $\langle s_1, \ldots, s_n, n \rangle$, where $s_n \in F_n$. $\square$

In the above product construction, the number of states of the resulting automaton is $n \cdot \prod_i |S_i|$. The number of clocks is $\sum_i |C_i|$, and the size of the edge set is $n \cdot \prod_i |E_i|$. Note that $|E|$ includes the length of the clock constraints assuming binary encoding for the constants.
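The product construction in the proof of Theorem 3.15 is concrete enough to implement directly. The following added example (written for this page, not the paper's own code) builds the intersection TBA of $n$ component TBAs exactly as described: product states carry the counter $k$, joint edges couple same-labelled component edges, resets are unioned, constraints are conjoined, the counter advances from $k$ to $(k+1) \bmod n$ (with $n \bmod n = n$) only when the $k$-th component is in an accepting state, and the accepting states are those with $k = n$ and $s_n \in F_n$. The two sample automata are constructed for the example: $A_1$ is the table of Figure 3 with accepting set $\{s_0\}$, and $A_2$ is a similar one-clock table requiring $b$ more than 1 time unit after $a$; all class and function names are this example's own.

```python
"""Added example (not the paper's code): the product construction of Theorem 3.15
for the intersection of timed Büchi automata. Clock constraints are Python
predicates on a clock interpretation; a joint constraint is their conjunction."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Constraint = Callable[[Dict[str, float]], bool]
Edge = Tuple[object, object, str, FrozenSet[str], Constraint]   # <s, s', a, lambda, delta>


@dataclass
class TBA:
    states: Set[object]
    start: Set[object]
    clocks: Set[str]
    edges: List[Edge]
    accepting: Set[object]


def next_counter(k: int, n: int, kth_is_accepting: bool) -> int:
    """Counter update of the proof: k -> (k+1) mod n iff the k-th automaton is in an
    accepting state, with the convention that n mod n is n (the range is 1..n)."""
    if not kth_is_accepting:
        return k
    return 1 if k == n else k + 1


def conjunction(deltas) -> Constraint:
    """The clock constraint /\_i delta_i as a single predicate."""
    return lambda nu, ds=tuple(deltas): all(d(nu) for d in ds)


def intersection(automata: List[TBA]) -> TBA:
    n = len(automata)
    clock_sets = [a.clocks for a in automata]
    for i in range(n):
        for j in range(i + 1, n):
            if not clock_sets[i].isdisjoint(clock_sets[j]):
                raise ValueError("clock sets must be disjoint (rename clocks first)")
    counters = range(1, n + 1)
    states = {tuple(ss) + (k,) for ss in product(*(a.states for a in automata))
              for k in counters}
    start = {tuple(ss) + (1,) for ss in product(*(a.start for a in automata))}
    edges: List[Edge] = []
    # One joint edge per choice of same-labelled component edges and counter value k.
    for combo in product(*(a.edges for a in automata)):
        labels = {e[2] for e in combo}
        if len(labels) != 1:
            continue
        a = labels.pop()
        srcs = tuple(e[0] for e in combo)
        dsts = tuple(e[1] for e in combo)
        resets = frozenset().union(*(e[3] for e in combo))      # union of the lambda_i
        delta = conjunction(e[4] for e in combo)                 # conjunction of the delta_i
        for k in counters:
            j = next_counter(k, n, srcs[k - 1] in automata[k - 1].accepting)
            edges.append((srcs + (k,), dsts + (j,), a, resets, delta))
    accepting = {s for s in states if s[-1] == n and s[-2] in automata[-1].accepting}
    return TBA(states, start, set().union(*clock_sets), edges, accepting)


# Constructed sample components. A1 is the table of Figure 3 (b less than 2 after a)
# with F = {s0}; A2 requires b more than 1 after a, using its own clock y, with F = {s1}.
A1 = TBA({"s0", "s1"}, {"s0"}, {"x"},
         [("s0", "s1", "a", frozenset({"x"}), lambda nu: True),
          ("s1", "s0", "b", frozenset(), lambda nu: nu["x"] < 2)], {"s0"})
A2 = TBA({"s0", "s1"}, {"s0"}, {"y"},
         [("s0", "s1", "a", frozenset({"y"}), lambda nu: True),
          ("s1", "s0", "b", frozenset(), lambda nu: nu["y"] > 1)], {"s1"})
PRODUCT = intersection([A1, A2])


def edge_from(tba: TBA, src, symbol) -> Edge:
    """The joint edge leaving product state `src` on `symbol` (the sample is deterministic)."""
    return next(e for e in tba.edges if e[0] == src and e[2] == symbol)


if __name__ == "__main__":
    print(len(PRODUCT.states), "states,", len(PRODUCT.edges), "edges,",
          "accepting:", sorted(PRODUCT.accepting))
```

On the sample, the product has $n \cdot |S_1| \cdot |S_2| = 8$ states and $n \cdot |E_1| \cdot |E_2| = 4$ joint edges, matching the size bounds stated after the proof; the joint $b$-edge out of $\langle s_1, s_1, 2 \rangle$ carries the conjoined constraint $x < 2 \wedge y > 1$, so a $b$ at 1.5 time units after $a$ is allowed while one at 0.5 is not.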
Example3.16ThelanguageacceptedbytheautomatoninFigure7is other.considerthefollowingexample. inaniteintervaloftime.furthermore,thesymbolscanbearbitrarilyclosetoeach Observethatevenforthetimedregularlanguagesarbitrarilymanysymbolscanoccur Figure7:TimedautomatonacceptingLconverge a,(x=1)?,x:=0 a,x:=0 b 0 1 2 3 (x=1)? y:=0 Everywordacceptedbythisautomatonhasthepropertythatthesequenceoftime Lconverge=f((ab)!;)j8i:(2i?1=i^(2i?2i?1>2i+2?2i+1))g: b,(y<1)?,y:=0 bytheautomatonis dierencesbetweenaandthefollowingbisstrictlydecreasing.asamplewordaccepted timemodel.ifwerequireallthetimevaluesitobemultiplesofsomexedconstant, howeversmall,thelanguageacceptedbytheautomatonoffigure7willbeempty. Thisexampleillustratesthatthemodelofrealsisindeeddierentfromthediscrete- (a;1)!(b;1:5)!(a;2)!(b;2:25)!(a;3)!(b;3:125)! staysunchanged. Theorem3.17LetLbeatimedregularlanguage.Foreveryword,2Untime(L)i thesetofrationalsq.onlythedensenessoftheunderlyingdomainplaysacrucialrole. Inparticular,Theorem3.17showsthatifwerequireallthetimevaluesintimesequences toberationalnumbers,theuntimedlanguageuntime[l(a)]ofatimedautomatona Ontheotherhand,timedautomatadonotdistinguishbetweenthesetofrealsRand thereexistsatimesequencesuchthati2qforalli1,and(;)2l. Otherwisechoose0i2Qsuchthatforall0j<i,foralln2N,(0 withallrationaltimevaluessuchthat(;)2l(a),thenclearly,2untime[l(a)]. everyconstantappearingintheclockconstraintsofaisanintegralmultipleof.let 0=0,and0=0.Ifi=j+nforsome0j<iandn2N,thenchoose0i=0j+n. Proof.ConsideratimedautomatonA,andaword.Ifthereexistsatimesequence Nowsupposeforanarbitrarytimesequence,(;)2L(A).Let2Qbesuchthat 0,ifaclockxisresetatthei-thtransitionpoint,thenitspossiblevaluesatthej-th possible. (i?j)<n.notethatbecauseofthedensenessofqsuchachoiceof0iisalways Consideranacceptingrunr=(s;)ofAover(;).Becauseoftheconstructionof 13 i?0j)<ni
0=0,andifthei-thtransitionalongrisaccordingtotheedgehsi?1;si;i;i;ii,then Figure8:TimedMullerautomaton a,(x<5)? a,(x<2)? 3.7TimedMullerautomata transitionpointalongthetwotimesequences,namely,(j?i)and(0j?0i),satisfythe r0=(s;0)over(;0)whichfollowsthesamesequenceofedgesasr.inparticular,choose samesetofclockconstraints.consequentlyitispossibletoconstructanacceptingrun 1 0 2 WecandenetimedautomatawithMulleracceptanceconditionsalso. set0i=[i7!0](0i?1+0 i?0 i?1).consequently,aaccepts(;0). b,x:=0 c,x:=0 f(;)jahasanacceptingrunover(;)g. inf(r)2f. Denition3.18AtimedMullerautomaton(TMA)isatupleh;;0;C;E;Fi,where Example3.19ConsidertheautomatonofFigure8overthealphabetfa;b;cg.The h;;0;c;eiisatimedtransitiontable,andf2speciesanacceptancefamily. startstateiss0,andthemulleracceptancefamilyconsistsofasinglesetfs0;s2g.oany ForaTMAA,thelanguageL(A)oftimedwordsitacceptsisdenedtobetheset Arunr=(s;)oftheautomatonoveratimedword(;)isanacceptingruni acceptingrunshouldcyclebetweenstatess0ands1onlynitelymanytimes,andbetween theclassoftimedlanguagesacceptedbytmasisthesameastheclassoftimedregular power.thefollowingtheoremstatesthatthesameholdstruefortbasandtmas.thus than2ifthe(2i)-thsymbolisc,andlessthan5otherwise. statess0ands2innitelymanytimes.everyword(;)acceptedbytheautomaton languages.theproofofthefollowingtheoremcloselyfollowsthestandardargumentthat satises:(1)2(a(b+c))(ac)!,and(2)foralli1,thedierence(2i?1?2i?2)isless an!-regularlanguageisacceptedbyabuchiautomatoniitisacceptedbysomemuller automaton. Theorem3.20AtimedlanguageisacceptedbysometimedBuchiautomatoniitis RecallthatuntimedBuchiautomataandMullerautomatahavethesameexpressive timedtransitiontableasthatofa,andwiththeacceptancefamilyf=f0:0\f6= acceptedbysometimedmullerautomaton. ;g.itiseasytocheckthatl(a)=l(a0).thisprovesthe\onlyif"partoftheclaim. Proof.LetA=h;;0;C;E;FibeaTBA.ConsidertheTMAA0withthesame 14
In the other direction, given a TMA, we can construct a TBA accepting the same language using the simulation of Muller acceptance condition by Büchi automata. Let $A$ be a TMA given as $\langle \Sigma, S, S_0, C, E, \mathcal{F} \rangle$. First note that $L(A) = \bigcup_{F \in \mathcal{F}} L(A_F)$ where $A_F = \langle \Sigma, S, S_0, C, E, \{F\} \rangle$, so it suffices to construct, for each acceptance set $F$, a TBA $A'_F$ which accepts the language $L(A_F)$. Assume $F = \{s_1, \ldots, s_k\}$. The automaton $A'_F$ uses nondeterminism to guess when the set $F$ is entered forever, and then uses a counter to make sure that every state in $F$ is visited infinitely often. States of $A'_F$ are of the form $\langle s, i \rangle$, where $s \in S$ and $i \in \{0, 1, \ldots, k\}$. The set of initial states is $S_0 \times \{0\}$. The automaton simulates the transitions of $A$, and at some point nondeterministically sets the second component to 1. For every transition $\langle s, s', a, \lambda, \delta \rangle$ of $A$, the automaton $A'_F$ has a transition $\langle \langle s, 0 \rangle, \langle s', 0 \rangle, a, \lambda, \delta \rangle$, and, in addition, if $s' \in F$ it also has a transition $\langle \langle s, 0 \rangle, \langle s', 1 \rangle, a, \lambda, \delta \rangle$. While the second component is nonzero, the automaton is required to stay within the set $F$. For every $A$-transition $\langle s, s', a, \lambda, \delta \rangle$ with both $s$ and $s'$ in $F$, for each $1 \le i \le k$, there is an $A'_F$-transition $\langle \langle s, i \rangle, \langle s', j \rangle, a, \lambda, \delta \rangle$ where $j = (i+1) \bmod k$, if $s$ equals $s_i$, else $j = i$. The only accepting state is $\langle s_k, k \rangle$. $\blacksquare$

4 Checking emptiness

In this section we develop an algorithm for checking the emptiness of the language of a timed automaton. The existence of an infinite accepting path in the underlying transition table is clearly a necessary condition for the language of an automaton to be nonempty. However, the timing constraints of the automaton rule out certain additional behaviors. We will show that a Büchi automaton can be constructed that accepts exactly the set of untimed words that are consistent with the timed words accepted by a timed automaton.

4.1 Restriction to integer constants

Recall that our definition of timed automata allows clock constraints which involve comparisons with rational constants. The following lemma shows that, for checking emptiness, we can restrict ourselves to timed automata whose clock constraints involve only integer constants. For a timed sequence $\tau$ and $t \in \mathbb{Q}$, let $t\tau$ denote the timed sequence obtained by multiplying all $\tau_i$ by $t$.

Lemma 4.1 Consider a timed transition table $A$, a timed word $(\sigma,\tau)$, and $t \in \mathbb{Q}$. $(\bar{s},\bar{\nu})$ is a run of $A$ over $(\sigma,\tau)$ iff $(\bar{s}, t\bar{\nu})$ is a run of $A_t$ over $(\sigma, t\tau)$, where $A_t$ is the timed transition table obtained by replacing each constant $d$ in each clock constraint labeling the edges of $A$ by $td$.

Proof. The lemma can be proved easily from the definitions using induction. $\blacksquare$

Thus there is an isomorphism between the runs of $A$ and the runs of $A_t$. If we choose $t$ to be the least common multiple of denominators of all the constants appearing in the clock constraints of $A$, then the clock constraints for $A_t$ use only integer constants. In this translation, the values of the individual constants grow at most with the product of the denominators of all the original constants. We assume binary encoding for the constants.
Let us denote the length of the clock constraints of $A$ by $|\delta(A)|$. It is easy to prove that $|\delta(A_t)|$ is bounded by $|\delta(A)|^2$. Observe that this result depends crucially on the fact that we encode constants in binary notation; if we use unary encoding then $|\delta(A_t)|$ can be exponential in $|\delta(A)|$.

Observe that $L(A)$ is empty iff $L[A_t]$ is empty. Hence, to decide the emptiness of $L(A)$ we consider $A_t$. Also $Untime[L(A)]$ equals $Untime[L(A_t)]$. In the remainder of the section we assume that the clock constraints use only integer constants.

4.2 Clock regions

At every point in time the future behavior of a timed transition table is determined by its state and the values of all its clocks. This motivates the following definition:

Definition 4.2 For a timed transition table $\langle \Sigma, S, S_0, C, E \rangle$, an extended state is a pair $\langle s, \nu \rangle$ where $s \in S$ and $\nu$ is a clock interpretation for $C$.

Since the number of such extended states is infinite (in fact, uncountable), we cannot possibly build an automaton whose states are the extended states of $A$. But if two extended states with the same $A$-state agree on the integral parts of all clock values, and also on the ordering of the fractional parts of all clock values, then the runs starting from the two extended states are very similar. The integral parts of the clock values are needed to determine whether or not a particular clock constraint is met, whereas the ordering of the fractional parts is needed to decide which clock will change its integral part first. For example, if two clocks $x$ and $y$ are between 0 and 1 in an extended state, then a transition with clock constraint $(x=1)$ can be followed by a transition with clock constraint $(y=1)$, depending on whether or not the current clock values satisfy $(x<y)$.

The integral parts of clock values can get arbitrarily large. But if a clock $x$ is never compared with a constant greater than $c$, then its actual value, once it exceeds $c$, is of no consequence in deciding the allowed paths.

Now we formalize this notion. For any $t \in \mathbb{R}$, $fract(t)$ denotes the fractional part of $t$, and $\lfloor t \rfloor$ denotes the integral part of $t$; that is, $t = \lfloor t \rfloor + fract(t)$. We assume that every clock in $C$ appears in some clock constraint.

Definition 4.3 Let $A = \langle \Sigma, S, S_0, C, E \rangle$ be a timed transition table. For each $x \in C$, let $c_x$ be the largest integer $c$ such that $(x \le c)$ or $(c \le x)$ is a subformula of some clock constraint appearing in $E$.

The equivalence relation $\cong$ is defined over the set of all clock interpretations for $C$; $\nu \cong \nu'$ iff all the following conditions hold:
1. For all $x \in C$, either $\lfloor \nu(x) \rfloor$ and $\lfloor \nu'(x) \rfloor$ are the same, or both $\nu(x)$ and $\nu'(x)$ are greater than $c_x$.
2. For all $x, y \in C$ with $\nu(x) \le c_x$ and $\nu(y) \le c_y$, $fract(\nu(x)) \le fract(\nu(y))$ iff $fract(\nu'(x)) \le fract(\nu'(y))$.
3. For all $x \in C$ with $\nu(x) \le c_x$, $fract(\nu(x)) = 0$ iff $fract(\nu'(x)) = 0$.
A clock region for $A$ is an equivalence class of clock interpretations induced by $\cong$.
Figure 9: Clock regions (axes $x$ from 0 to 2 and $y$ from 0 to 1; 6 corner points, e.g. $[(0,1)]$; 14 open line segments, e.g. $[0<x=y<1]$; 8 open regions, e.g. $[0<x<y<1]$)

We will use $[\nu]$ to denote the clock region to which $\nu$ belongs. Each region can be uniquely characterized by a (finite) set of clock constraints it satisfies. For example, consider a clock interpretation $\nu$ over two clocks with $\nu(x) = 0.3$ and $\nu(y) = 0.7$. Every clock interpretation in $[\nu]$ satisfies the constraint $(0<x<y<1)$, and we will represent this region by $[0<x<y<1]$. The nature of the equivalence classes can be best understood through an example.

Example 4.4 Consider a timed transition table with two clocks $x$ and $y$ with $c_x = 2$ and $c_y = 1$. The clock regions are shown in Figure 9.

Note that there are only a finite number of regions. Also note that for a clock constraint $\delta$ of $A$, if $\nu \cong \nu'$ then $\nu$ satisfies $\delta$ iff $\nu'$ satisfies $\delta$. We say that a clock region $\alpha$ satisfies a clock constraint $\delta$ iff every $\nu \in \alpha$ satisfies $\delta$. Each region can be represented by specifying
(1) for every clock $x$, one clock constraint from the set
$$\{x = c \mid c = 0, 1, \ldots, c_x\} \cup \{c-1 < x < c \mid c = 1, \ldots, c_x\} \cup \{x > c_x\},$$
(2) for every pair of clocks $x$ and $y$ such that $c-1 < x < c$ and $d-1 < y < d$ appear in (1) for some $c, d$, whether $fract(x)$ is less than, equal to, or greater than $fract(y)$.

By counting the number of possible combinations of equations of the above form, we get the upper bound in the following lemma.

Lemma 4.5 The number of clock regions is bounded by $[|C|! \cdot 2^{|C|} \cdot \prod_{x \in C}(2c_x + 2)]$.

Remember that $|\delta(A)|$ stands for the length of the clock constraints of $A$ assuming binary encoding, and hence the product $\prod_{x \in C}(2c_x + 2)$ is $O[2^{|\delta(A)|}]$. Since the number of clocks $|C|$ is bounded by $|\delta(A)|$, henceforth, we assume that the number of regions is $O[2^{|\delta(A)|}]$. Note that if we increase $\delta(A)$ without increasing the number of clocks or the size of the largest constants the clocks are compared with, then the number of regions does not grow with $|\delta(A)|$. Also observe that a region can be represented in space linear in $|\delta(A)|$.
4.3 The region automaton

The first step in the decision procedure for checking emptiness is to construct a transition table whose paths mimic the runs of $A$ in a certain way. We will denote the desired transition table by $R(A)$, the region automaton of $A$. A state of $R(A)$ records the state of the timed transition table $A$, and the equivalence class of the current values of the clocks. It is of the form $\langle s, \alpha \rangle$ with $s \in S$ and $\alpha$ being a clock region. The intended interpretation is that whenever the extended state of $A$ is $\langle s, \nu \rangle$, the state of $R(A)$ is $\langle s, [\nu] \rangle$. The region automaton starts in some state $\langle s_0, [\nu_0] \rangle$ where $s_0$ is a start state of $A$, and the clock interpretation $\nu_0$ assigns 0 to every clock. The transition relation of $R(A)$ is defined so that the intended simulation is obeyed. It has an edge from $\langle s, \alpha \rangle$ to $\langle s', \alpha' \rangle$ labeled with $a$ iff $A$ in state $s$ with the clock values $\nu \in \alpha$ can make a transition on $a$ to the extended state $\langle s', \nu' \rangle$ for some $\nu' \in \alpha'$.

The edge relation can be conveniently defined using a time-successor relation over the clock regions. The time-successors of a clock region $\alpha$ are all the clock regions that will be visited by a clock interpretation $\nu \in \alpha$ as time progresses.

Definition 4.6 A clock region $\alpha'$ is a time-successor of a clock region $\alpha$ iff for each $\nu \in \alpha$, there exists a positive $t \in \mathbb{R}$ such that $\nu + t \in \alpha'$.

Example 4.7 Consider the clock regions shown in Figure 9 again. The time-successors of a region $\alpha$ are the regions that can be reached by moving along a line drawn from some point in $\alpha$ in the diagonally upwards direction (parallel to the line $x = y$). For example, the region $[(1<x<2), (0<y<x-1)]$ has, other than itself, the following regions as time-successors: $[(x=2), (0<y<1)]$, $[(x>2), (0<y<1)]$, $[(x>2), (y=1)]$ and $[(x>2), (y>1)]$.

Now let us see how to construct all the time-successors of a clock region. Recall that a clock region is specified by giving (1) for every clock $x$, a constraint of the form $(x=c)$ or $(c-1<x<c)$ or $(x>c_x)$, and (2) for every pair $x$ and $y$ such that $(c-1<x<c)$ and $(d-1<y<d)$ appear in (1), the ordering relationship between $fract(x)$ and $fract(y)$. To compute all the time-successors of $\alpha$ we proceed as follows. First observe that the time-successor relation is a transitive relation. We consider different cases.

First suppose that $\alpha$ satisfies the constraint $(x > c_x)$ for every clock $x$. The only time-successor of $\alpha$ is $\alpha$ itself. This is the case for the region $[(x>2), (y>1)]$ in Figure 9.
Now suppose that the set $C_0$ consisting of clocks $x$ such that $\alpha$ satisfies the constraint $(x=c)$ for some $c \le c_x$, is nonempty. In this case, as time progresses the fractional parts of the clocks in $C_0$ become nonzero, and the clock region changes immediately. The time-successors of $\alpha$ are same as the time-successors of the clock region $\beta$ specified as below:
(1) For $x \in C_0$, if $\alpha$ satisfies $(x = c_x)$ then $\beta$ satisfies $(x > c_x)$, otherwise if $\alpha$ satisfies $(x=c)$ then $\beta$ satisfies $(c<x<c+1)$. For $x \notin C_0$, the constraint in $\beta$ is the same as that in $\alpha$.
(2) For clocks $x$ and $y$ such that $x < c_x$ and $y < c_y$ holds in $\beta$, the ordering relationship in $\beta$ between their fractional parts is the same as in $\alpha$.
For instance, in Figure 9, the time-successors of $[(x=0), (0<y<1)]$ are same as the time-successors of $[0<x<y<1]$.

If both the above cases do not apply, then let $C_0$ be the set of clocks $x$ for which $\alpha$ does not satisfy $(x > c_x)$ and which have the maximal fractional part; that is, for all clocks $y$ for which $\alpha$ does not satisfy $(y > c_y)$, $fract(y) \le fract(x)$ is a constraint of $\alpha$. In this case, as time progresses, the clocks in $C_0$ assume integer values. Let $\beta$ be the clock region specified by
(1) For $x \in C_0$, if $\alpha$ satisfies $(c-1<x<c)$ then $\beta$ satisfies $(x=c)$. For $x \notin C_0$, the constraint in $\beta$ is same as that in $\alpha$.
(2) For clocks $x$ and $y$ such that $(c-1<x<c)$ and $(d-1<y<d)$ appear in (1), the ordering relationship in $\beta$ between their fractional parts is same as in $\alpha$.
In this case, the time-successors of $\alpha$ include $\alpha$, $\beta$, and all the time-successors of $\beta$. For instance, in Figure 9, time-successors of $[0<x<y<1]$ include itself, $[(0<x<1), (y=1)]$, and all the time-successors of $[(0<x<1), (y=1)]$.

Now we are ready to define the region automaton.

Definition 4.8 For a timed transition table $A = \langle \Sigma, S, S_0, C, E \rangle$, the corresponding region automaton $R(A)$ is a transition table over the alphabet $\Sigma$.
- The states of $R(A)$ are of the form $\langle s, \alpha \rangle$ where $s \in S$ and $\alpha$ is a clock region.
- The initial states are of the form $\langle s_0, [\nu_0] \rangle$ where $s_0 \in S_0$ and $\nu_0(x) = 0$ for all $x \in C$.
- $R(A)$ has an edge $\langle \langle s, \alpha \rangle, \langle s', \alpha' \rangle, a \rangle$ iff there is an edge $\langle s, s', a, \lambda, \delta \rangle \in E$ and a region $\alpha''$ such that (1) $\alpha''$ is a time-successor of $\alpha$, (2) $\alpha''$ satisfies $\delta$, and (3) $\alpha' = [\lambda \mapsto 0]\alpha''$.

Example 4.9 Consider the timed automaton $A_0$ shown in Figure 10. The alphabet is $\{a, b, c, d\}$. Every state of the automaton is an accepting state. The corresponding region automaton $R(A_0)$ is also shown. Only the regions reachable from the initial region $\langle s_0, [x=y=0] \rangle$ are shown. Note that $c_x = 1$ and $c_y = 1$. The timing constraints of the automaton ensure that the transition from $s_2$ to $s_3$ is never taken. The only reachable region with state component $s_2$ satisfies the constraints $[y=1, x>1]$, and this region has no outgoing edges. Thus the region automaton helps us in concluding that no transitions can follow a $b$-transition.

From the bound on the number of regions, it follows that the number of states in $R(A)$ is $O[|S| \cdot 2^{|\delta(A)|}]$. An inspection of the definition of the time-successor relation shows that every region has at most $\prod_{x \in C}[2c_x + 2]$ successor regions. The region automaton has at most one edge out of $\langle s, \alpha \rangle$ for every edge out of $s$ and every time-successor of $\alpha$. It follows that the number of edges in $R(A)$ is $O[|E| \cdot 2^{|\delta(A)|}]$. Note that computing the time-successor relation is easy, and can be done in time linear in the length of the representation of the region. Constructing the edge relation for the region automaton is also relatively easy; in addition to computing the time-successors, we also need to determine whether the clock constraint labeling a particular $a$-transition is satisfied by a clock region. The region graph can be constructed in time $O[(|S| + |E|) \cdot 2^{|\delta(A)|}]$.

Figure 10: Automaton $A_0$ and its region automaton (states $s_0$ to $s_3$; edge labels of $A_0$ in the figure: $a$, $y:=0$; $b,(y=1)?$; $c,(x<1)?$; $c,(x<1)?$; $a,(y<1)?,y:=0$; $d,(x>1)?$. Regions of $R(A_0)$ in the figure: $\langle s_0,[x=y=0]\rangle$; $\langle s_1,[0=y<x<1]\rangle$, $\langle s_1,[y=0,x=1]\rangle$, $\langle s_1,[y=0,x>1]\rangle$; $\langle s_2,[1=y<x]\rangle$; $\langle s_3,[0<y<x<1]\rangle$, $\langle s_3,[0<y<1<x]\rangle$, $\langle s_3,[1=y<x]\rangle$, $\langle s_3,[x>1,y>1]\rangle$)

Now we proceed to establish a correspondence between the runs of $A$ and the runs of $R(A)$.

Definition 4.10 For a run $r = (\bar{s},\bar{\nu})$ of $A$ of the form
$$r: \langle s_0, \nu_0 \rangle \to^{\sigma_1}_{\tau_1} \langle s_1, \nu_1 \rangle \to^{\sigma_2}_{\tau_2} \langle s_2, \nu_2 \rangle \to^{\sigma_3}_{\tau_3} \cdots$$
define its projection $[r] = (\bar{s}, [\bar{\nu}])$ to be the sequence
$$[r]: \langle s_0, [\nu_0] \rangle \to^{\sigma_1} \langle s_1, [\nu_1] \rangle \to^{\sigma_2} \langle s_2, [\nu_2] \rangle \to^{\sigma_3} \cdots$$
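The region construction of Section 4.2 and the three time-successor cases of Section 4.3, carried out in code as an added worked example (my code, not the paper's): a clock region is encoded as in Lemma 4.5 (integral parts plus the ordering of fractional parts), the time-successors of Example 4.7 are recomputed, and the reachable region automaton of $A_0$ from Figure 10 is built by Definition 4.8. The edge structure of $A_0$ is an assumption read from Examples 4.9 and 4.12, and all function names are mine.

```python
"""Clock regions and the region automaton R(A) of Section 4: the region
encoding, the three cases of the time-successor computation of Section 4.3
and Definition 4.8, applied to the automaton A_0 of Figure 10."""
from collections import deque

# A clock region is a hashable pair (ints, order):
#   ints  : tuple of (clock, floor(value)) for clocks with value <= c_x;
#           clocks with value > c_x are absent ("unbounded", Definition 4.3)
#   order : tuple of frozensets; order[0] holds the bounded clocks with
#           fractional part 0, later groups have increasing fractional parts

def time_step(region, cmax):
    """Next region met along a diagonal line (Section 4.3); None once every
    clock exceeds its c_x, since that region is its only time-successor."""
    ints, order = region
    floor = dict(ints)
    if not floor:
        return None
    if order[0]:                        # some clock sits on an integer value
        moving = {x for x in order[0] if floor[x] < cmax[x]}
        for x in order[0] - moving:     # x = c_x, so from now on x > c_x
            del floor[x]
        rest = ((frozenset(moving),) if moving else ()) + order[1:]
        order = (frozenset(),) + rest   # moving clocks get the smallest fraction
    else:                               # clocks with maximal fraction hit an integer
        for x in order[-1]:
            floor[x] += 1
        order = (order[-1],) + order[1:-1]
    return tuple(sorted(floor.items())), order

def time_successors(region, cmax):
    """All time-successors (Definition 4.6).  A region with no clock on an
    integer value is its own successor; one with such a clock is not."""
    succ = set() if region[1][0] else {region}
    nxt = time_step(region, cmax)
    while nxt is not None:
        succ.add(nxt)
        nxt = time_step(nxt, cmax)
    return succ

def satisfies(region, guard):
    """Does the region satisfy every atomic constraint (clock, op, integer
    constant) in guard, op in '<', '<=', '=', '>=', '>'?"""
    floor = dict(region[0])
    for x, op, c in guard:
        if x not in floor:              # value > c_x >= c
            ok = op in (">", ">=")
        else:                           # value == v, or v < value < v + 1
            v, on_int = floor[x], x in region[1][0]
            ok = {"=": on_int and v == c, "<": v < c,
                  "<=": v < c or (on_int and v == c),
                  ">": v > c or (not on_int and v >= c), ">=": v >= c}[op]
        if not ok:
            return False
    return True

def reset(region, clocks):
    """The region [clocks -> 0](region)."""
    floor = dict(region[0])
    groups = [set(g) - set(clocks) for g in region[1]]
    for x in clocks:
        floor[x] = 0
        groups[0].add(x)
    groups = [groups[0]] + [g for g in groups[1:] if g]
    return tuple(sorted(floor.items())), tuple(frozenset(g) for g in groups)

def region_automaton(aut):
    """Reachable states and edges of R(A) (Definition 4.8); an edge of aut is
    a tuple (s, s', letter, clocks reset, guard), i.e. <s, s', a, lambda, delta>."""
    clocks = sorted(aut["clocks"])
    cmax = {x: 0 for x in clocks}
    for _, _, _, _, guard in aut["edges"]:
        for x, _, c in guard:
            cmax[x] = max(cmax[x], c)
    init = (aut["init"], (tuple((x, 0) for x in clocks), (frozenset(clocks),)))
    states, edges, todo = {init}, set(), deque([init])
    while todo:
        s, alpha = todo.popleft()
        for src, dst, letter, resets, guard in aut["edges"]:
            if src != s:
                continue
            for alpha2 in time_successors(alpha, cmax):
                if satisfies(alpha2, guard):
                    target = (dst, reset(alpha2, resets))
                    edges.add(((s, alpha), letter, target))
                    if target not in states:
                        states.add(target)
                        todo.append(target)
    return states, edges

# Automaton A_0 of Figure 10.  Assumption: its edge structure is read off
# Examples 4.9 and 4.12, as the figure itself is not machine-readable here.
A0 = {"clocks": {"x", "y"}, "init": "s0", "edges": [
    ("s0", "s1", "a", ["y"], []),
    ("s1", "s2", "b", [], [("y", "=", 1)]),
    ("s1", "s3", "c", [], [("x", "<", 1)]),
    ("s2", "s3", "c", [], [("x", "<", 1)]),
    ("s3", "s1", "a", ["y"], [("y", "<", 1)]),
    ("s3", "s3", "d", [], [("x", ">", 1)])]}
```

`region_automaton(A0)` returns the nine reachable regions drawn in Figure 10, with $\langle s_2,[1=y<x]\rangle$ the only $s_2$ region and no edge leaving it, as Example 4.9 states.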
From the definition of the edge relation for $R(A)$, it follows that $[r]$ is a run of $R(A)$ over $\sigma$. Since time progresses without bound along $r$, every clock $x \in C$ is either reset infinitely often, or from a certain time onwards it increases without bound. Hence, for all $x \in C$, for infinitely many $i \ge 0$, $[\nu_i]$ satisfies $[(x=0) \vee (x>c_x)]$. This prompts the following definition:

Definition 4.11 A run $r = (\bar{s}, \bar{\alpha})$ of the region automaton $R(A)$ of the form
$$r: \langle s_0, \alpha_0 \rangle \to^{\sigma_1} \langle s_1, \alpha_1 \rangle \to^{\sigma_2} \langle s_2, \alpha_2 \rangle \to^{\sigma_3} \cdots$$
is progressive iff for each clock $x \in C$, there are infinitely many $i \ge 0$ such that $\alpha_i$ satisfies $[(x=0) \vee (x>c_x)]$.

Thus for a run $r$ of $A$ over $(\sigma,\tau)$, $[r]$ is a progressive run of $R(A)$ over $\sigma$. The following Lemma 4.13 implies that progressive runs of $R(A)$ precisely correspond to the projected runs of $A$. Before we prove the lemma let us consider the region automaton of Example 4.9 again.

Example 4.12 Consider the region automaton $R(A_0)$ of Figure 10. Every run $r$ of $R(A_0)$ has a suffix of one of the following three forms: (i) the automaton cycles between the regions $\langle s_1, [y=0<x<1] \rangle$ and $\langle s_3, [0<y<x<1] \rangle$, (ii) the automaton stays in the region $\langle s_3, [0<y<1<x] \rangle$ using the self-loop, or (iii) the automaton stays in the region $\langle s_3, [x>1, y>1] \rangle$.
Only the case (iii) corresponds to the progressive runs. For runs of type (i), even though $y$ gets reset infinitely often, the value of $x$ is always less than 1. For runs of type (ii), even though the value of $x$ is not bounded, the clock $y$ is reset only finitely often, and yet, its value is bounded. Thus every progressive run of $A_0$ corresponds to a run of $R(A_0)$ of type (iii).

Lemma 4.13 If $r$ is a progressive run of $R(A)$ over $\sigma$ then there exists a time sequence $\tau$ and a run $r'$ of $A$ over $(\sigma,\tau)$ such that $r$ equals $[r']$.

Proof. Consider a progressive run $r = (\bar{s}, \bar{\alpha})$ of $R(A)$ over $\sigma$. We construct the run $r'$ and the time sequence $\tau$ step by step. As usual, $r'$ starts with $\langle s_0, \nu_0 \rangle$. Now suppose that the extended state of $A$ is $\langle s_i, \nu_i \rangle$ at time $\tau_i$ with $\nu_i \in \alpha_i$. There is an edge in $R(A)$ from $\langle s_i, \alpha_i \rangle$ to $\langle s_{i+1}, \alpha_{i+1} \rangle$ labeled with $\sigma_{i+1}$. From the definition of the region automaton it follows that there is an edge $\langle s_i, s_{i+1}, \sigma_{i+1}, \lambda_{i+1}, \delta_{i+1} \rangle \in E$ and a time-successor $\alpha'_{i+1}$ of $\alpha_i$ such that $\alpha'_{i+1}$ satisfies $\delta_{i+1}$ and $\alpha_{i+1} = [\lambda_{i+1} \mapsto 0]\alpha'_{i+1}$. From the definition of time-successor, there exists a time $\tau_{i+1}$ such that $(\nu_i + \tau_{i+1} - \tau_i) \in \alpha'_{i+1}$. Now it is clear the next transition of $A$ can be at time $\tau_{i+1}$ to an extended state $\langle s_{i+1}, \nu_{i+1} \rangle$ with $\nu_{i+1} \in \alpha_{i+1}$. Using this construction repeatedly we get a run $r' = (\bar{s}, \bar{\nu})$ over $(\sigma,\tau)$ with $[r'] = r$.

The only problem with the above construction is that $\tau$ may not satisfy the progress condition. Suppose that $\tau$ is a converging sequence. We use the fact that $r$ is a progressive run to construct another time sequence $\tau'$ satisfying the progress requirement and show that the automaton can follow the same sequence of transitions as $r'$ but at times $\tau'_i$.

Let $C_0$ be the set of clocks reset infinitely often along $r$. Since $\tau$ is a converging sequence, after a certain position onwards, every clock in $C_0$ gets reset before it reaches the value 1. Since $r$ is progressive, every clock $x$ not in $C_0$, after a certain position
onwards, never gets reset, and continuously satisfies $x > c_x$. This ensures that there exists $j \ge 0$ such that (1) after the $j$-th transition point each clock $x \notin C_0$ continuously satisfies $(x > c_x)$, and each clock $x \in C_0$ continuously satisfies $(x < 1)$, and (2) for each $k > j$, $(\tau_k - \tau_j)$ is less than 0.5.

Let $j < k_1 < k_2 < \ldots$ be an infinite sequence of integers such that each clock $x$ in $C_0$ is reset at least once between the $k_i$-th and $k_{i+1}$-th transition points along $r$. Now we construct another sequence $r'' = (\bar{s}, \bar{\nu}')$ with the sequence of transition times $\tau'$ as follows. The sequence of transitions along $r''$ is same as that along $r'$. If $i \notin \{k_1, k_2, \ldots\}$ then we require the $(i+1)$-th transition to happen after a delay of $(\tau_{i+1} - \tau_i)$, otherwise we require the delay to be 0.5. Observe that along $r''$ the delay between the $k_i$-th and $k_{i+1}$-th transition points is less than 1. Consequently, in spite of the additional delays, the value of every clock in $C_0$ remains less than 1 after the $j$-th transition point. So the truth of all the clock constraints and the clock regions at the transition points remain unchanged (as compared to $r'$). From this we conclude that $r''$ satisfies the consecution requirement, and is a run of $A$. Furthermore, $[r''] = [r'] = r$. Since $\tau'$ has infinitely many jumps each of duration 0.5, it satisfies the progress requirement. Hence $r''$ is the run required by the lemma. $\blacksquare$

4.4 The untiming construction

For a timed automaton $A$, its region automaton can be used to recognize $Untime[L(A)]$. The following theorem is stated for TBAs, but it also holds for TMAs.

Theorem 4.14 Given a TBA $A = \langle \Sigma, S, S_0, C, E, F \rangle$, there exists a Büchi automaton $A'$ over $\Sigma$ which accepts $Untime[L(A)]$.

Proof. We construct a Büchi automaton $A'$ as follows. Its transition table is $R(A)$, the region automaton corresponding to the timed transition table $\langle \Sigma, S, S_0, C, E \rangle$. The accepting set of $A'$ is $F' = \{\langle s, \alpha \rangle \mid s \in F\}$. If $r$ is an accepting run of $A$ over $(\sigma,\tau)$, then $[r]$ is a progressive and accepting run of $A'$ over $\sigma$. The converse follows from Lemma 4.13. Given a progressive run $r$ of $A'$ over $\sigma$, the lemma gives a time sequence $\tau$ and a run $r'$ of $A$ over $(\sigma,\tau)$ such that $r$ equals $[r']$. If $r$ is an accepting run, so is $r'$. It follows that $\sigma \in Untime[L(A)]$ iff $A'$ has a progressive, accepting run over it.
For $x \in C$, let $F_x = \{\langle s, \alpha \rangle \mid \alpha \models [(x=0) \vee (x>c_x)]\}$. Recall that a run of $A'$ is progressive iff some state from each $F_x$ repeats infinitely often. It is straightforward to construct another Büchi automaton $A''$ such that $A'$ has a progressive and accepting run over $\sigma$ iff $A''$ has an accepting run over $\sigma$. The automaton $A''$ is the desired automaton; $L(A'')$ equals $Untime[L(A)]$. $\blacksquare$

Example 4.15 Let us consider the region automaton $R(A_0)$ of Example 4.9 again. Since all states of $A_0$ are accepting, from the description of the progressive runs in Example 4.12 it follows that the transition table $R(A_0)$ can be changed to a Büchi automaton by choosing the accepting set to consist of a single region $\langle s_3, [x>1, y>1] \rangle$. Consequently
$$Untime[L(A_0)] = L[R(A_0)] = ac(ac)^*d^\omega.$$
Theorem 4.14 says that the timing information in a timed automaton is "regular" in character; its consistency can be checked by a finite-state automaton. An equivalent formulation of the theorem is

If a timed language $L$ is timed regular then $Untime(L)$ is $\omega$-regular.

Furthermore, to check whether the language of a given TBA is empty, we can check for the emptiness of the language of the corresponding Büchi automaton constructed by the proof of Theorem 4.14. The next theorem follows.

Theorem 4.16 Given a timed Büchi automaton $A = \langle \Sigma, S, S_0, C, E, F \rangle$ the emptiness of $L(A)$ can be checked in time $O[(|S| + |E|) \cdot 2^{|\delta(A)|}]$.

Proof. Let $A'$ be the Büchi automaton constructed as outlined in the proof of Theorem 4.14. Recall that in Section 4.3 we had shown that the number of states in $A'$ is $O[|S| \cdot 2^{|\delta(A)|}]$, the number of edges is $O[|E| \cdot 2^{|\delta(A)|}]$. The language $L(A)$ is nonempty iff there is a cycle $\mathcal{C}$ in $A'$ such that $\mathcal{C}$ is accessible from some start state of $A'$ and $\mathcal{C}$ contains at least one state each from the set $F'$ and each of the sets $F_x$. This can be checked in time linear in the size of $A'$ [41]. The complexity bound of the theorem follows. $\blacksquare$

Recall that if we start with an automaton $A$ whose clock constraints involve rational constants, we need to apply the above decision procedure on $A_t$ for the least common denominator $t$ of all the rational constants (see Section 4.1). This involves a blow-up in the size of the clock constraints; we have $|\delta(A_t)| = O[\delta(A)^2]$.

The above method can be used even if we change the acceptance condition for timed automata. In particular, given a timed Muller automaton $A$ we can effectively construct a Muller (or, Büchi) automaton which accepts $Untime[L(A)]$, and use it to check for the emptiness of $L(A)$.

4.5 Complexity of checking emptiness

The complexity of the algorithm for deciding emptiness of a TBA is exponential in the number of clocks and the length of the constants in the timing constraints. This blow-up in complexity seems unavoidable; we reduce the acceptance problem for linear bounded automata, a known PSPACE-complete problem [23], to the emptiness question for TBAs to prove the PSPACE lower bound for the emptiness problem. We also show the problem to be PSPACE-complete by arguing that the algorithm of Section 4.4 can be implemented in polynomial space.

Theorem 4.17 The problem of deciding the emptiness of the language of a given timed automaton $A$, is PSPACE-complete.

Proof. [PSPACE-membership] Since the number of states of the region automaton is exponential in the number of clocks of $A$, we cannot construct the entire transition table. But it is possible to (nondeterministically) check for nonemptiness of the region automaton by guessing a path of the desired form using only polynomial space. This is a fairly standard trick, and hence we omit the details.
[PSPACE-hardness] The question of deciding whether a given linear bounded automaton accepts a given input string is PSPACE-complete [23]. A linear bounded automaton $M$ is a nondeterministic Turing machine whose tape head cannot go beyond the end of the input markers. We construct a TBA $A$ such that its language is nonempty iff the machine $M$ halts on a given input.

Let $\Gamma$ be the tape alphabet of $M$ and let $Q$ be its states. Let $\Sigma = \Gamma \cup (\Gamma \times Q)$, and let $a_1, a_2, \ldots, a_k$ denote the elements of $\Sigma$. A configuration of $M$ in which the tape reads $\gamma_1 \gamma_2 \ldots \gamma_n$, and the machine is in state $q$ reading the $i$-th tape symbol, is represented by the string $\sigma_1, \ldots, \sigma_n$ over $\Sigma$ such that $\sigma_j = \gamma_j$ if $j \ne i$ and $\sigma_i = \langle \gamma_i, q \rangle$. The acceptance corresponds to a special state $q_f$, after which the configuration stays unchanged. The alphabet of $A$ includes $\Sigma$, and in addition, has a symbol $a_0$. A computation of $M$ is encoded by the word
$$\sigma_{11} a_0 \ldots \sigma_{1n} a_0\ \sigma_{21} a_0 \ldots \sigma_{2n} a_0 \ldots \sigma_{j1} a_0 \ldots \sigma_{jn} a_0 \ldots$$
such that $\sigma_{j1} \ldots \sigma_{jn}$ encodes the $j$-th configuration according to the above scheme. The time sequence associated with this word also encodes the computation: we require the time difference between successive $a_0$'s to be $k+1$, and if $\sigma_{ji} = a_l$ then we require its time to be $l$ greater than the time of the previous $a_0$. The encoding in the time sequence is used to enforce the consecution requirement.

We want to construct $A$ which accepts precisely the timed words encoding the halting computations of $M$ according to the above scheme. We only sketch the construction. $A$ uses $2n+1$ clocks. The clock $x$ is reset with each $a_0$. While reading $a_0$ we require $(x = k+1)$ to hold, and while reading $a_i$ we require $(x = i)$ to hold. These conditions ensure that the encoding in the time sequence is consistent with the word. For each tape cell $i$, we have two clocks $x_i$ and $y_i$. The clock $x_i$ is reset with $\sigma_{ji}$, for odd values of $j$, and the clock $y_i$ is reset with $\sigma_{ji}$, for even values of $j$. Assume that the automaton has read the first $j$ configurations, with $j$ odd. The value of the clock $x_i$ represents the $i$-th cell of the $j$-th configuration. Consequently, the possible choices for the values of $\sigma_{j+1,i}$ are determined by examining the values of $x_{i-1}$, $x_i$ and $x_{i+1}$ according to the transition rules of $M$; these are enforced by clock constraints of the appropriate form. While reading the $(j+1)$-th configuration, the $y$-clocks get set to appropriate values; these values are examined while reading the $(j+2)$-th configuration. This ensures proper consecution of configurations. Proper initialization and halting can be enforced in a straightforward way. The size of $A$ is polynomial in $n$ and the size of $M$. $\blacksquare$

Note that the source of this complexity is not the choice of $\mathbb{R}$ to model time. The PSPACE-hardness result can be proved if we leave the syntax of timed automata unchanged, but use the discrete domain $\mathbb{N}$ to model time. Also this complexity is insensitive to the encoding of the constants; the problem is PSPACE-complete even if we encode all constants in unary.

5 Intractable problems

In this section we show the universality problem for timed automata to be undecidable. The universality problem is to decide whether the language of a given automaton over $\Sigma$
comprises all the timed words over $\Sigma$. Specifically, we show that the problem is $\Pi^1_1$-hard by reducing a $\Sigma^1_1$-hard problem of 2-counter machines. The class $\Pi^1_1$ consists of highly undecidable problems, including some nonarithmetical sets (for an exposition of the analytical hierarchy consult, for instance, [39]). Note that the universality problem is same as deciding emptiness of the complement of the language of the automaton. The undecidability of this problem has several implications such as nonclosure under complement and undecidability of testing for language inclusion.

5.1 A $\Sigma^1_1$-complete problem

A nondeterministic 2-counter machine $M$ consists of two counters $C$ and $D$, and a sequence of $n$ instructions. Each instruction may increment or decrement one of the counters, or jump, conditionally upon one of the counters being zero. After the execution of a nonjump instruction, $M$ proceeds nondeterministically to one of the two specified instructions.

We represent a configuration of $M$ by a triple $\langle i, c, d \rangle$, where $1 \le i \le n$, $c \ge 0$, and $d \ge 0$ give the values of the location counter and the two counters $C$ and $D$, respectively. The consecution relation on configurations is defined in the obvious way. A computation of $M$ is an infinite sequence of related configurations, starting with the initial configuration $\langle 1, 0, 0 \rangle$. It is called recurring iff it contains infinitely many configurations in which the location counter has the value 1.

The problem of deciding whether a nondeterministic Turing machine has, over the empty tape, a computation in which the starting state is visited infinitely often, is known to be $\Sigma^1_1$-complete [19]. Along the same lines we obtain the following result.

Lemma 5.1 The problem of deciding whether a given nondeterministic 2-counter machine has a recurring computation, is $\Sigma^1_1$-hard.

5.2 Undecidability of the universality problem

Now we proceed to encode the computations of 2-counter machines using timed automata, and use the encoding to prove the undecidability result.

Theorem 5.2 Given a timed automaton over an alphabet $\Sigma$ the problem of deciding whether it accepts all timed words over $\Sigma$ is $\Pi^1_1$-hard.

Proof. We encode the computations of a given 2-counter machine $M$ with $n$ instructions using timed words over the alphabet $\{b_1, \ldots, b_n, a_1, a_2\}$. A configuration $\langle i, c, d \rangle$ is represented by the sequence $b_i a_1^c a_2^d$. We encode a computation by concatenating the sequences representing the individual configurations. We use the time sequence associated with a timed word to express that the successive configurations are related as per the requirements of the program instructions. We require that the subsequence of $\sigma$ corresponding to the time interval $[j, j+1)$ encodes the $j$-th configuration of the computation.

Note that the denseness of the underlying time domain allows the counter values to get arbitrarily large. To enforce a requirement such as the number of $a_1$ symbols in two intervals encoding the successive configurations is the same we require that every $a_1$ in the first interval has a matching $a_1$ at distance 1 and vice versa.

Define a timed language $L_{undec}$ as follows. $(\sigma,\tau)$ is in $L_{undec}$ iff
- $\sigma = b_{i_1} a_1^{c_1} a_2^{d_1} b_{i_2} a_1^{c_2} a_2^{d_2} \ldots$ such that $\langle i_1, c_1, d_1 \rangle, \langle i_2, c_2, d_2 \rangle \ldots$ is a recurring computation of $M$.
- For all $j \ge 1$, the time of $b_{i_j}$ is $j$.
- For all $j \ge 1$,
  - if $c_{j+1} = c_j$ then for every $a_1$ at time $t$ in the interval $(j, j+1)$ there is an $a_1$ at time $t+1$.
  - if $c_{j+1} = c_j + 1$ then for every $a_1$ at time $t$ in the interval $(j+1, j+2)$ except the last one, there is an $a_1$ at time $t-1$.
  - if $c_{j+1} = c_j - 1$ then for every $a_1$ at time $t$ in the interval $(j, j+1)$ except the last one, there is an $a_1$ at time $t+1$.
- Similar requirements hold for $a_2$'s.

Clearly, $L_{undec}$ is nonempty iff $M$ has a recurring computation. We will construct a timed automaton $A_{undec}$ which accepts the complement of $L_{undec}$. Hence $A_{undec}$ accepts every timed word iff $M$ does not have a recurring computation. The theorem follows from Lemma 5.1.

The desired automaton $A_{undec}$ is a disjunction of several TBAs.

Let $A_0$ be the TBA which accepts $(\sigma,\tau)$ iff for some integer $j \ge 1$, either there is no $b$ symbol at time $j$, or the subsequence of $\sigma$ in the time interval $(j, j+1)$ is not of the form $a_1^* a_2^*$. It is easy to construct such a timed automaton.

A timed word $(\sigma,\tau)$ in $L_{undec}$ should encode the initial configuration over the interval $[1, 2)$. Let $A_{init}$ be the TBA which requires that the subsequence of $\sigma$ corresponding to the interval $[1, 2)$ is not $b_1$; it accepts the language $\{(\sigma,\tau) \mid (\sigma_1 \ne b_1) \vee (\tau_1 \ne 1) \vee (\tau_2 < 2)\}$.

For each instruction $1 \le i \le n$ we construct a TBA $A_i$. $A_i$ accepts $(\sigma,\tau)$ iff the timed word has $b_i$ at some time $t$, and the configuration corresponding to the subsequence in $[t+1, t+2)$ does not follow from the configuration corresponding to the subsequence in $[t, t+1)$ by executing the instruction $i$. We give the construction for a sample instruction, say, "increment the counter $D$ and jump nondeterministically to instruction 3 or 5". The automaton $A_i$ is the disjunction of the following six TBAs $A_i^1, \ldots, A_i^6$.

Let $A_i^1$ be the automaton which accepts $(\sigma,\tau)$ iff for some $j \ge 1$, $\sigma_j = b_i$, and at time $\tau_j + 1$ there is neither $b_3$ nor $b_5$. It is easy to construct this automaton.

Let $A_i^2$ be the following TBA:

(figure: states 0, 1, 2; edge labels in the figure: $b_i$, $x:=0$; $a_1$, $x<1?$, $x:=0$; $a_1, x=1?$; $x \ne 1?$)

In this figure, an edge without a label means that the transition can be taken on every input symbol. While in state $s_2$, the automaton cannot accept a symbol $a_1$ if the condition $(x=1)$ holds. Thus $A_i^2$ accepts $(\sigma,\tau)$ iff there is some $b_i$ at time $t$ followed by an $a_1$ at time $t' < (t+1)$ such that there is no matching $a_1$ at time $(t'+1)$.
Similarly we can construct $A_i^3$ which accepts $(\sigma,\tau)$ iff there is some $b_i$ at time $t$, and for some $t' < (t+1)$ there is no $a_1$ at time $t'$ but there is an $a_1$ at time $(t'+1)$. The complements of $A_i^2$ and $A_i^3$ together ensure proper matching of $a_1$'s.

Along similar lines we ensure proper matching of $a_2$ symbols. Let $A_i^4$ be the automaton which requires that for some $b_i$ at time $t$, there is an $a_2$ at some $t' < (t+1)$ with no match at $(t'+1)$. Let $A_i^5$ be the automaton which says that for some $b_i$ at time $t$ there are two $a_2$'s in $(t+1, t+2)$ without matches in $(t, t+1)$. Let $A_i^6$ be the automaton which requires that for some $b_i$ at time $t$ the last $a_2$ in the interval $(t+1, t+2)$ has a matching $a_2$ in $(t, t+1)$. Now consider a word $(\sigma,\tau)$ such that there is $b_i$ at some time $t$ such that the encoding of $a_2$'s in the intervals $(t, t+1)$ and $(t+1, t+2)$ do not match according to the desired scheme. Let the number of $a_2$'s in $(t, t+1)$ and in $(t+1, t+2)$ be $k$ and $l$ respectively. If $k > l$ then the word is accepted by $A_i^4$. If $k = l$, then either there is no match for some $a_2$ in $(t, t+1)$, or every $a_2$ in $(t, t+1)$ has a match in $(t+1, t+2)$. In the former case the word is accepted by $A_i^4$, and in the latter case it is accepted by $A_i^6$. If $k < l$ the word is accepted by $A_i^5$.

The requirement that the computation be not recurring translates to the requirement that $b_1$ appears only finitely many times in $\sigma$. Let $A_{recur}$ be the Büchi automaton which expresses this constraint.

Putting all the pieces together we claim that the language of the disjunction of $A_0$, $A_{init}$, $A_{recur}$, and each of $A_i$, is the complement of $L_{undec}$. $\blacksquare$

It is shown in [5] that the satisfiability problem for a real-time extension of the propositional linear temporal logic PTL becomes undecidable if a dense domain is chosen to model time. Thus our undecidability result is not unusual for formalisms reasoning about dense real-time. Obviously, the universality problem for TMAs is also undecidable. We have not been able to show that the universality problem is $\Pi^1_1$-complete; an interesting problem is to locate its exact position in the analytical hierarchy. In the following subsections we consider various implications of the above undecidability result.

5.3 Inclusion and equivalence

Recall that the language inclusion problem for Büchi automata can be solved in PSPACE. However, it follows from Theorem 5.2 that there is no decision procedure to check whether the language of one TBA is a subset of the other. This result is an obstacle in using timed automata as a specification language for automatic verification of finite-state real-time systems.

Corollary 5.3 Given two TBAs $A_1$ and $A_2$ over an alphabet $\Sigma$, the problem of checking $L(A_1) \subseteq L(A_2)$ is $\Pi^1_1$-hard.

Proof. We reduce the universality problem for a given timed automaton $A$ over $\Sigma$ to the language inclusion problem. Let $A_{univ}$ be an automaton which accepts every timed word over $\Sigma$. The automaton $A$ is universal iff $L(A_{univ}) \subseteq L(A)$. $\blacksquare$

Now we consider the problem of testing equivalence of two automata. A natural definition for equivalence of two automata uses equality of the languages accepted by the two. However alternative definitions exist. We will explore one such notion.
Definition 5.4 For timed Büchi automata $A_1$ and $A_2$ over an alphabet $\Sigma$, define $A_1 \equiv_1 A_2$ iff $L(A_1) = L(A_2)$. Define $A_1 \equiv_2 A_2$ iff for all timed automata $A$ over $\Sigma$, $L(A) \cap L(A_1)$ is empty precisely when $L(A) \cap L(A_2)$ is empty.

The motivation behind the second definition is that two automata (modeling two finite-state systems) should be considered different only when a third automaton (modeling the observer or the environment) composed with them gives different behaviors: in one case the composite language is empty, and in the other case there is a possible joint execution.

For a class of automata closed under complement the above two definitions of equivalence coincide. However, these two equivalence relations differ for the class of timed regular languages because of the nonclosure under complement (to be proved shortly). In fact, the second notion is a weaker notion: $A_1 \equiv_1 A_2$ implies $A_1 \equiv_2 A_2$, but not vice versa.

The proof of Theorem 5.2 can be used to show undecidability of this equivalence also. Note that the problems of deciding the two types of equivalences lie at different levels of the hierarchy of undecidable problems.

Theorem 5.5 For timed Büchi automata $A_1$ and $A_2$ over an alphabet $\Sigma$,
1. The problem of deciding whether $A_1 \equiv_1 A_2$ is $\Pi^1_1$-hard.
2. The problem of deciding whether $A_1 \equiv_2 A_2$ is complete for the co-r.e. class.

Proof. The language of a given TBA $A$ is universal iff $A \equiv_1 A_{univ}$. Hence the $\Pi^1_1$-hardness of the universality problem implies $\Pi^1_1$-hardness of the first type of equivalence.

Now we show that the problem of deciding nonequivalence, by the second definition, is recursively enumerable. If the two automata are inequivalent then there exists an automaton $A$ over $\Sigma$ such that only one of $L(A) \cap L(A_1)$ and $L(A) \cap L(A_2)$ is empty. Consider the following procedure $P$: $P$ enumerates all the TBAs over $\Sigma$ one by one. For each TBA $A$, it checks for the emptiness of $L(A) \cap L(A_1)$ and the emptiness of $L(A) \cap L(A_2)$. If $P$ ever finds different answers in the two cases, it halts saying that $A_1$ and $A_2$ are not equivalent.

Finally we prove that the problem of deciding the second type of equivalence is unsolvable. We use the encoding scheme used in the proof of Theorem 5.2. The only difference is that we use the halting problem of a deterministic 2-counter machine $M$ instead of the recurring computations of a nondeterministic machine. Recall that the halting problem for deterministic 2-counter machines is undecidable. Assume that the $n$-th instruction is the halting instruction. We obtain $A'_{undec}$ by replacing the disjunct $A_{recur}$ by an automaton which accepts $(\sigma,\tau)$ iff $b_n$ does not appear in $\sigma$. The complement of $L(A'_{undec})$ consists of the timed words encoding the halting computation.

We claim that $A_{univ} \equiv_2 A'_{undec}$ iff the machine $M$ does not halt. If $M$ does not halt then $A'_{undec}$ accepts all timed words, and hence, its language is the same as that of $A_{univ}$. If $M$ halts, then we can construct a timed automaton $A_{halt}$ which accepts a particular timed word encoding the halting computation of $M$. If $M$ halts in $k$ steps, then $A_{halt}$ uses $k$ clocks to ensure proper matching of the counter values in successive configurations. The details are very similar to the PSPACE-hardness proof of Theorem 4.17. $L(A_{halt}) \cap L(A_{univ})$ is nonempty whereas $L(A_{halt}) \cap L(A'_{undec})$ is empty, and thus $A_{univ}$ and $A'_{undec}$ are inequivalent in this case. This completes the proof. $\blacksquare$
5.4 Nonclosure under complement

The $\Pi^1_1$-hardness of the inclusion problem implies that the class of TBAs is not closed under complement.

Corollary 5.6 The class of timed regular languages is not closed under complementation.

Proof. Given TBAs $A_1$ and $A_2$ over an alphabet $\Sigma$, $L(A_1) \subseteq L(A_2)$ iff the intersection of $L(A_1)$ and the complement of $L(A_2)$ is empty. Assume that TBAs are closed under complement. Consequently, $L(A_1) \not\subseteq L(A_2)$ iff there is a TBA $A$ such that $L(A_1) \cap L(A)$ is nonempty, but $L(A_2) \cap L(A)$ is empty. That is, $L(A_1) \not\subseteq L(A_2)$ iff $A_1$ and $A_2$ are inequivalent according to $\equiv_2$. From Theorem 5.5 it follows that the complement of the inclusion problem is recursively enumerable. This contradicts the $\Pi^1_1$-hardness of the inclusion problem. $\blacksquare$

The following example provides some insight regarding the nonclosure under complementation.

Figure 11: Noncomplementable automaton (states 0 to 2; edge labels in the figure: $a$; $a, x:=0$; $a, x=1?$)

Example 5.7 The language accepted by the automaton of Figure 11 over $\{a\}$ is
$$\{(a^\omega, \tau) \mid \exists i \ge 1.\ \exists j > i.\ (\tau_j = \tau_i + 1)\}.$$
The complement of this language cannot be characterized using a TBA. The complement needs to make sure that no pair of $a$'s is separated by distance 1. Since there is no bound on the number of $a$'s that can happen in a time period of length 1, keeping track of the times of all the $a$'s within the past 1 time unit, would require an unbounded number of clocks.

5.5 Choice of the clock constraints

In this section we consider some of the ways to modify our definition of clock constraints and indicate how these decisions affect the expressiveness and complexity of different problems. Recall that our definition of the clock constraints allows Boolean combinations of atomic formulas which compare clock values with (rational) constants. With this vocabulary, timed automata can express only constant bounds on the delays between transitions.

First suppose we extend the definition of clock constraints to allow subformulas involving two clocks such as $(x \le y + c)$. In particular, in Definition 3.6 of the set $\Phi(X)$ of clock
constraints, we allow, as atomic constraints, the conditions $(x \le y + c)$ and $(x + c \le y)$, for $x, y \in X$ and $c \in \mathbb{Q}$. Thus the allowed clock constraints are quantifier-free formulas using the primitives of comparison ($\le$) and addition by rational constants ($+c$). The untiming construction can handle this extension very easily. We need to refine the equivalence relation on clock interpretations. Now, in addition to the previous conditions, we require that two equivalent clock interpretations agree on all the subformulas appearing in the clock constraints. Also it is easy to prove that this extension of clock constraints does not add to the expressiveness of timed automata.

Next let us allow the primitive of addition in the clock constraints. Now we can write clock constraints such as $(x + y \le x' + y')$ which allow the automaton to compare various delays. This greatly increases the expressiveness of the formalism. The language of the automaton in the following example is not timed regular.

Example 5.8 Consider the automaton of Figure 12 with the alphabet $\{a, b, c\}$. It expresses the property that the symbols $a$, $b$, and $c$ occur cyclically, and the delay between $b$ and $c$ is always twice the delay between the last pair of $a$ and $b$. The language is defined by
$$\{((abc)^\omega, \tau) \mid \forall j.\ [(\tau_{3j} - \tau_{3j-1}) = 2(\tau_{3j-1} - \tau_{3j-2})]\}.$$

Figure 12: Automaton with clock constraint using $+$ (states $s_0, s_1, s_2$; edges $a, x := 0$ from $s_0$ to $s_1$; $b, y := 0$ from $s_1$ to $s_2$; $c, (2x = 3y)?$ from $s_2$ to $s_0$).

Intuitively, the constraints involving addition are too powerful and cannot be implemented by finite-state systems. Even if we constrain all events to occur at integer time values (i.e., discrete-time model), to check that the delay between the first two symbols is the same as the delay between the next two symbols, an automaton would need an unbounded memory. Thus with finite resources, an automaton can compare delays with constants, but cannot remember delays. In fact, we can show that introducing addition in the syntax of clock constraints makes the emptiness problem for timed automata undecidable.

Theorem 5.9 Allowing the addition primitive in the syntax of clock constraints makes the emptiness problem for timed automata $\Pi^1_1$-hard.

Proof. As in the proof of Theorem 5.2 we reduce the problem of recurring computations of nondeterministic 2-counter machines to the emptiness problem for timed automata using the primitive $+$. The alphabet is $\{a, b_1, \ldots, b_n\}$. We say that a timed
word $(\sigma, \tau)$ encodes a computation $\langle i_1, c_1, d_1 \rangle, \langle i_2, c_2, d_2 \rangle, \ldots$ of the 2-counter machine iff $\sigma = b_{i_1} a b_{i_2} a b_{i_3} \cdots$ with $\tau_{2j} - \tau_{2j-1} = c_j$, and $\tau_{2j+1} - \tau_{2j} = d_j$ for all $j \ge 1$. Thus the delay between $b$ and the following $a$ encodes the value of the counter $C$, and the delay between $a$ and the following $b$ encodes the value of $D$. We construct a timed automaton which accepts precisely the timed words encoding the recurring computations of the machine. The primitive $+$ is used to express a consecution requirement such as "the value of the counter $C$ remains unchanged". The details of the proof are quite straightforward. $\blacksquare$

6 Deterministic timed automata

The results of Section 5 show that the class of timed automata is not closed under complement, and one cannot automatically compare the languages of two automata. In this section we define deterministic timed automata, and show that the class of languages accepted by deterministic timed Muller automata (DTMA) is closed under all the boolean operations.

6.1 Definition

Recall that in the untimed case a deterministic transition table has a single start state, and from each state, given the next input symbol, the next state is uniquely determined. We want a similar criterion for determinism for the timed automata: given an extended state and the next input symbol along with its time of occurrence, the extended state after the next transition should be uniquely determined. So we allow multiple transitions starting at the same state with the same label, but require their clock constraints to be mutually exclusive so that at any time only one of these transitions is enabled.

Definition 6.1 A timed transition table $\langle \Sigma, S, S_0, C, E \rangle$ is called deterministic iff
1. it has only one start state, $|S_0| = 1$, and
2. for all $s \in S$, for all $a \in \Sigma$, for every pair of edges of the form $\langle s, -, a, -, \delta_1 \rangle$ and $\langle s, -, a, -, \delta_2 \rangle$, the clock constraints $\delta_1$ and $\delta_2$ are mutually exclusive (i.e., $\delta_1 \wedge \delta_2$ is unsatisfiable).
A timed automaton is deterministic iff its timed transition table is deterministic.

Note that in absence of clocks the above definition matches with the definition of determinism for transition tables. Thus every deterministic transition table is also a deterministic timed transition table. Let us consider an example of a DTMA.
Example 6.2 The DTMA of Figure 13 accepts the language $L_{crt}$ of Example 3.13:
$$L_{crt} = \{((ab)^\omega, \tau) \mid \exists i.\ \forall j \ge i.\ (\tau_{2j} < \tau_{2j-1} + 2)\}.$$
The Muller acceptance family is given by $\{\{s_1, s_2\}\}$. The state $s_1$ has two mutually exclusive outgoing transitions on $b$. The acceptance condition requires that the transition with the clock constraint $(x \ge 2)$ is taken only finitely often.
Figure 13: Deterministic timed Muller automaton (states $s_0, s_1, s_2$; edges $a, x := 0$ from $s_0$ to $s_1$; $b, (x < 2)?$ from $s_1$ to $s_2$; $b, (x \ge 2)?$ from $s_1$ to $s_0$; $a, x := 0$ from $s_2$ to $s_1$).

Deterministic timed automata can be easily complemented because of the following property:

Lemma 6.3 A deterministic timed transition table has at most one run over a given timed word.

Proof. Consider a deterministic timed transition table $A$, and a timed word $(\sigma, \tau)$. The run starts at time 0 with the extended state $\langle s_0, \nu_0 \rangle$ where $s_0$ is the unique start state. Suppose the extended state of $A$ at time $\tau_{j-1}$ is $\langle s, \nu \rangle$, and the run has been constructed up to $(j-1)$ steps. By the deterministic property of $A$, at time $\tau_j$ there is at most one transition $\langle s, s', \sigma_j, \lambda, \delta \rangle$ such that the clock interpretation at time $\tau_j$, $\nu + \tau_j - \tau_{j-1}$, satisfies $\delta$. If such a transition does not exist then $A$ has no run over $(\sigma, \tau)$. Otherwise, this choice of transition uniquely extends the run to the $j$-th step, and determines the extended state at time $\tau_j$. The lemma follows by induction. $\blacksquare$

6.2 Closure properties

Now we consider the closure properties for deterministic timed automata. Like in the untimed case, the class of languages accepted by deterministic timed Muller automata is closed under all boolean operations.

Theorem 6.4 The class of timed languages accepted by deterministic timed Muller automata is closed under union, intersection, and complementation.

Proof. We define a transformation on DTMAs to make the proofs easier; for every DTMA $A = \langle \Sigma, S, s_0, C, E, \mathcal{F} \rangle$ we construct another DTMA $A'$ by completing $A$ as follows. First we add a dummy state $q$ to the automaton. From each state $s$ (including $q$), for each symbol $a$, we add an $a$-labeled edge from $s$ to $q$. The clock constraint for this edge is the negation of the disjunction of the clock constraints of all the $a$-labeled edges starting at $s$. We leave the acceptance condition unchanged. This construction preserves determinism as well as the set of accepted timed words. The new automaton $A'$ has the property that for each state $s$ and each input symbol $a$, the disjunction of the clock constraints of the $a$-labeled edges starting at $s$ is a valid formula. Observe that $A'$ has precisely one run over any timed word. We call such an automaton complete. In the remainder of the proof we assume each DTMA to be complete.

Let $A_i = \langle \Sigma, S_i, s_{0i}, C_i, E_i, \mathcal{F}_i \rangle$, for $i = 1, 2$, be two complete DTMAs with disjoint sets of clocks. First we construct a timed transition table $A$ using a product construction. The set of states of $A$ is $S_1 \times S_2$. Its start state is $\langle s_{01}, s_{02} \rangle$. The set of clocks is $C_1 \cup C_2$.
The transitions of $A$ are defined by coupling the transitions of the two automata having the same label. Corresponding to an $A_1$-transition $\langle s_1, t_1, a, \lambda_1, \delta_1 \rangle$ and an $A_2$-transition $\langle s_2, t_2, a, \lambda_2, \delta_2 \rangle$, $A$ has a transition $\langle \langle s_1, s_2 \rangle, \langle t_1, t_2 \rangle, a, \lambda_1 \cup \lambda_2, \delta_1 \wedge \delta_2 \rangle$. It is easy to check that $A$ is also deterministic. $A$ has a unique run over each $(\sigma, \tau)$, and this run can be obtained by putting together the unique runs of $A_i$ over $(\sigma, \tau)$.

Let $\mathcal{F}'_1$ consist of the sets $F \subseteq S_1 \times S_2$ such that the projection of $F$ onto the first component is an accepting set of $A_1$; that is,
$$\mathcal{F}'_1 = \{F \subseteq S_1 \times S_2 \mid \{s \in S_1 \mid \exists s' \in S_2.\ \langle s, s' \rangle \in F\} \in \mathcal{F}_1\}.$$
Hence a run $r$ of $A$ is an accepting run for $A_1$ iff $\mathit{inf}(r) \in \mathcal{F}'_1$. Similarly define $\mathcal{F}'_2$ to consist of the sets $F$ such that $\{s' \mid \exists s \in S_1.\ \langle s, s' \rangle \in F\}$ is in $\mathcal{F}_2$. Now coupling $A$ with the Muller acceptance family $\mathcal{F}'_1 \cup \mathcal{F}'_2$ gives a DTMA accepting $L(A_1) \cup L(A_2)$, whereas using the acceptance family $\mathcal{F}'_1 \cap \mathcal{F}'_2$ gives a DTMA accepting $L(A_1) \cap L(A_2)$.

Finally consider complementation. Let $A$ be a complete DTMA $\langle \Sigma, S, s_0, C, E, \mathcal{F} \rangle$. $A$ has exactly one run over a given timed word. Hence, $(\sigma, \tau)$ is in the complement of $L(A)$ iff the run of $A$ over it does not meet the acceptance criterion of $A$. The complement language is, therefore, accepted by a DTMA which has the same underlying timed transition table as $A$, but its acceptance condition is given by $2^S - \mathcal{F}$. $\blacksquare$

Now let us consider the closure properties of DTBAs. Recall that deterministic Büchi automata (DBA) are not closed under complement. The property that "there are infinitely many $a$'s" is specifiable by a DBA, however, the complement property, "there are only finitely many $a$'s" cannot be expressed by a DBA. Consequently we do not expect the class of DTBAs to be closed under complementation. However, since every DTBA can be viewed as a DTMA, the complement of a DTBA-language is accepted by a DTMA. The next theorem states the closure properties.

Theorem 6.5 The class of timed languages accepted by DTBAs is closed under union and intersection, but not closed under complement. The complement of a DTBA language is accepted by some DTMA.

Proof. For the case of union, we construct the product transition table as in the case of DTMAs (see proof of Theorem 6.4). The accepting set is $\{\langle s, s' \rangle \mid s \in F_1 \vee s' \in F_2\}$. A careful inspection of the product construction for TBAs (see proof of Theorem 3.15) shows that it preserves determinism. The closure under intersection for DTBAs follows.

The nonclosure of deterministic Büchi automata under complement leads to the nonclosure for DTBAs under complement. The language $\{(\sigma, \tau) \mid \sigma \in (b^* a)^\omega\}$ is specifiable by a DBA. Its complement language $\{(\sigma, \tau) \mid \sigma \in (a + b)^* b^\omega\}$ is not specifiable by a DTBA. This claim follows from Lemma 6.7 (to be proved shortly), and the fact that the language $(a + b)^* b^\omega$ is not specifiable by a DBA.

Let $A = \langle \Sigma, S, s_0, C, E, F \rangle$ be a complete deterministic automaton. $(\sigma, \tau)$ is in the complement of $L(A)$ iff the (unique) run of $A$ over it does not meet the acceptance criterion of $A$. The complement language is, therefore, accepted by a DTMA with the same underlying timed transition table as $A$, and the acceptance family $2^S - F$. $\blacksquare$
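The constructions of this section can be exercised on the DTMA of Figure 13. The following Python is an added example and not code from the paper: it computes the unique run of Lemma 6.3 over an ultimately periodic timed word, decides Muller acceptance, and complements the automaton by replacing its acceptance family with $2^S - \mathcal{F}$ as in the proof of Theorem 6.4. The completion step of that proof is simulated rather than built symbolically: when no edge is enabled the run moves to the dummy state q and stays there, which is what the added edges do. Clock values above the largest constant are clamped, using the observation behind the regions of Section 4 that no guard can tell such values apart, so that a repeating configuration is always found. The class name DTMA, the helper names, the state names s0, s1, s2 and the sink name q are this example's own choices.

```python
from fractions import Fraction
from itertools import combinations

# Guards are conjunctions of atoms (clock, op, constant); [] means "true".
OPS = {"<": lambda v, c: v < c, "<=": lambda v, c: v <= c, "==": lambda v, c: v == c,
       ">": lambda v, c: v > c, ">=": lambda v, c: v >= c}

def holds(guard, nu):
    return all(OPS[op](nu[x], c) for x, op, c in guard)

DUMMY = "q"   # sink state added by the completion construction of Theorem 6.4

class DTMA:
    def __init__(self, states, start, clocks, edges, family):
        self.states, self.start, self.clocks = list(states), start, list(clocks)
        self.edges = edges                               # (source, target, symbol, resets, guard)
        self.family = {frozenset(f) for f in family}     # Muller acceptance family
        # largest constant any clock is compared with; larger values are
        # indistinguishable to every guard, so they can be clamped safely
        self.cmax = max([c for *_, g in edges for _, _, c in g], default=0)

    def step(self, state, nu, symbol, delay):
        """One step of the completed automaton: time elapses, then the unique
        enabled edge fires; with no enabled edge the run falls into DUMMY."""
        nu = {x: v + delay for x, v in nu.items()}
        enabled = [e for e in self.edges
                   if e[0] == state and e[2] == symbol and holds(e[4], nu)]
        if len(enabled) > 1:
            raise ValueError("guards not mutually exclusive: table is not deterministic")
        if enabled:
            state, resets = enabled[0][1], enabled[0][3]
            nu = {x: (Fraction(0) if x in resets else v) for x, v in nu.items()}
        else:
            state = DUMMY
        nu = {x: min(v, Fraction(self.cmax + 1)) for x, v in nu.items()}
        return state, nu

    def inf_set(self, prefix, period):
        """inf(r) of the unique run (Lemma 6.3) over the timed word prefix.period^omega;
        items are (symbol, delay since the previous symbol)."""
        state = self.start
        nu = {x: Fraction(0) for x in self.clocks}
        for sym, d in prefix:
            state, nu = self.step(state, nu, sym, Fraction(d))
        seen, visited = {}, []
        while True:
            key = (state, tuple(sorted(nu.items())))
            if key in seen:                       # configuration repeats: lasso found
                return frozenset(visited[seen[key]:])
            seen[key] = len(visited)
            for sym, d in period:
                state, nu = self.step(state, nu, sym, Fraction(d))
                visited.append(state)

    def accepts(self, prefix, period):
        return self.inf_set(prefix, period) in self.family

    def complement(self):
        """Same table, acceptance family 2^S - F, where S includes the sink DUMMY."""
        all_states = self.states + [DUMMY]
        every = {frozenset(c) for n in range(1, len(all_states) + 1)
                 for c in combinations(all_states, n)}
        return DTMA(self.states, self.start, self.clocks, self.edges, every - self.family)

# The DTMA of Figure 13 for L_crt: s1 branches on b according to whether x < 2.
FIG13 = DTMA(
    states=["s0", "s1", "s2"], start="s0", clocks=["x"],
    edges=[("s0", "s1", "a", {"x"}, []),
           ("s1", "s2", "b", set(), [("x", "<", 2)]),
           ("s1", "s0", "b", set(), [("x", ">=", 2)]),
           ("s2", "s1", "a", {"x"}, [])],
    family=[{"s1", "s2"}])

if __name__ == "__main__":
    # every b one time unit after its a: in L_crt
    print(FIG13.accepts([], [("a", 1), ("b", 1)]))
    # every b three time units after its a: not in L_crt, accepted by the complement
    print(FIG13.complement().accepts([], [("a", 1), ("b", 3)]))
```

A word whose untimed part is not $(ab)^\omega$, for instance $a a a \cdots$, drives the run into q; its inf set $\{q\}$ is not in $\{\{s_1, s_2\}\}$ but is in the complemented family, so the complement accepts it, exactly as the completed automaton of Theorem 6.4 would.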
6.3 Decision problems

In this section we examine the complexity of the emptiness problem and the language inclusion problem for deterministic timed automata.

The emptiness of a timed automaton does not depend on the symbols labeling its edges. Consequently, checking emptiness of deterministic automata is no simpler; it is PSPACE-complete.

Since deterministic automata can be complemented, checking for language inclusion is decidable. In fact, while checking $L(A_1) \subseteq L(A_2)$, only $A_2$ need be deterministic; $A_1$ can be nondeterministic. The problem can be solved in PSPACE:

Theorem 6.6 For a timed automaton $A_1$ and a deterministic timed automaton $A_2$, the problem of deciding whether $L(A_1)$ is contained in $L(A_2)$ is PSPACE-complete.

Proof. PSPACE-hardness follows, even when $A_1$ is deterministic, from the fact that checking for the emptiness of the language of a deterministic timed automaton is PSPACE-hard. Let $A_{empty}$ be a deterministic automaton which accepts the empty language. Now for a deterministic timed automaton $A$, $L(A)$ is empty iff $L(A) \subseteq L(A_{empty})$.

Observe that $L(A_1) \subseteq L(A_2)$ iff the intersection of $L(A_1)$ with the complement of $L(A_2)$ is empty. Recall that complementing the language of a deterministic automaton corresponds to complementing the acceptance condition. First we construct a timed transition table $A$ from the timed transition tables of $A_1$ and $A_2$ using the product construction (see proof of Theorem 6.4). The size of $A$ is proportional to the product of the sizes of $A_i$. Then we construct the region automaton $R(A)$. $L(A_1) \not\subseteq L(A_2)$ iff $R(A)$ has a cycle which is accessible from its start state, meets the progressiveness requirement, the acceptance criterion for $A_1$, and the complement of the acceptance criterion for $A_2$. The existence of such a cycle can be checked in space polynomial in the size of $A$, as in the proof of PSPACE-solvability of emptiness (Theorem 4.17). $\blacksquare$

6.4 Expressiveness

In this section we compare the expressive power of the various types of timed automata.
Every DTBA can be expressed as a DTMA simply by rewriting its acceptance condition. However the converse does not hold. First observe that every $\omega$-regular language is expressible as a DMA, and hence as a DTMA. On the other hand, since deterministic Büchi automata are strictly less expressive than deterministic Muller automata, certain $\omega$-regular languages are not specifiable by DBAs. The next lemma shows that such languages cannot be expressed using DTBAs either. It follows that DTBAs are strictly less expressive than DTMAs. In fact, DTMAs are closed under complement, whereas DTBAs are not.

Lemma 6.7 For an $\omega$-language $L$, the timed language $\{(\sigma, \tau) \mid \sigma \in L\}$ is accepted by some DTBA iff $L$ is accepted by some DBA.

Proof. Clearly if $L$ is accepted by a DBA, then $\{(\sigma, \tau) \mid \sigma \in L\}$ is accepted by the same automaton considered as a timed automaton.

Now suppose that the language $\{(\sigma, \tau) \mid \sigma \in L\}$ is accepted by some DTBA $A$. We construct another DTBA $A'$ such that $L(A') = \{(\sigma, \tau) \mid (\sigma \in L) \wedge \forall i.\ (\tau_i = i)\}$. $A'$ requires time to increase by 1 at each transition. The automaton $A'$ can be obtained from $A$ by introducing an extra clock $x$. We add the conjunct $x = 1$ to the clock constraint of every edge in $A$ and require it to be reset on every edge. $A'$ is also deterministic.

The next step is the untiming construction for $A'$. Observe that $\mathit{Untime}(L(A')) = L$. While constructing $R(A')$ we need to consider only those clock regions which have all clocks with zero fractional parts. Since the time increase at every step is predetermined, and $A'$ is deterministic, it follows that $R(A')$ is a deterministic transition table. We need not check the progressiveness condition either. It follows that the automaton constructed by the untiming procedure is a DBA accepting $L$. $\blacksquare$

Along the lines of the above proof we can also show that for an $\omega$-language $L$, the timed language $\{(\sigma, \tau) \mid \sigma \in L\}$ is accepted by some DTMA (or TMA, or TBA) iff $L$ is accepted by some DMA (or MA, or BA, respectively).

From the above discussion one may conjecture that a DTMA language $L$ is a DTBA language iff $\mathit{Untime}(L)$ is a DBA language. To answer this let us consider the convergent response property $L_{crt}$ specifiable using a DTMA (see Example 6.2). This language involves a combination of liveness and timing. We conjecture that no DTBA can specify this property (even though $\mathit{Untime}(L_{crt})$ can be trivially specified by a DBA).

Since DTMAs are closed under complement, whereas TMAs are not, it follows that the class of languages accepted by DTMAs is strictly smaller than that accepted by TMAs. In particular, the language of Example 5.7 ("some pair of $a$'s is distance 1 apart") is not representable as a DTMA; it relies on nondeterminism in a crucial way.

We summarize the discussion on various types of automata in the table of Figure 14, which shows the inclusions among various classes and the closure properties of various classes. Compare this with the corresponding results for the various classes of $\omega$-automata shown in Figure 15.

Figure 14: Classes of timed automata

    Class of timed languages    Operations closed under
    TMA = TBA                   union, intersection
        ⊋
    DTMA                        union, intersection, complement
        ⊋
    DTBA                        union, intersection

7 Verification

In this section we discuss how to use the theory of timed automata to prove correctness of finite-state real-time systems. We have chosen a simple formulation of the verification problem, but it suffices to illustrate the application of timed automata to verification problems. We start by introducing time in linear trace semantics for concurrent processes.
Figure 15: Classes of $\omega$-automata

    Class of ω-languages        Operations closed under
    MA = BA = DMA               union, intersection, complement
        ⊋
    DBA                         union, intersection

7.1 Trace semantics

In trace semantics, we associate a set of observable events with each process, and model the process by the set of all its traces. A trace is a (linear) sequence of events that may be observed when the process runs. For example, an event may denote an assignment of a value to a variable, or pressing a button on the control panel, or arrival of a message. All events are assumed to occur instantaneously. Actions with duration are modeled using events marking the beginning and the end of the action. Hoare originally proposed such a model for CSP [22].

In our model, a trace will be a sequence of sets of events. Thus if two events $a$ and $b$ happen simultaneously, the corresponding trace will have a set $\{a, b\}$ in our model. In the usual interleaving models, this set will be replaced by all possible sequences, namely, $a$ followed by $b$ and $b$ followed by $a$. Also we consider only infinite sequences, which model nonterminating interaction of reactive systems with their environments.

Formally, given a set $A$ of events, a trace $\sigma = \sigma_1 \sigma_2 \ldots$ is an infinite word over $P^+(A)$, the set of nonempty subsets of $A$. An untimed process is a pair $(A, X)$ comprising the set $A$ of its observable events and the set $X$ of its possible traces.

Example 7.1 Consider a channel $P$ connecting two components. Let $a$ represent the arrival of a message at one end of $P$, and let $b$ stand for the delivery of the message at the other end of the channel. The channel cannot receive a new message until the previous one has reached the other end. Consequently the two events $a$ and $b$ alternate. Assuming that the messages keep arriving, the only possible trace is
$$P:\ \{a\} \to \{b\} \to \{a\} \to \{b\} \to \cdots$$
Often we will denote the singleton set $\{a\}$ by the symbol $a$. The process $P$ is represented by $(\{a, b\}, (ab)^\omega)$.

Various operations can be defined on processes; these are useful for describing complex systems using the simpler ones. We will consider only the most important of these operations, namely, parallel composition. The parallel composition of a set of processes describes the joint behavior of all the processes running concurrently.

The parallel composition operator can be conveniently defined using the projection operation. The projection of $\sigma \in P^+(A)^\omega$ onto $B \subseteq A$ (written $\sigma \lceil B$) is formed by intersecting each event set in $\sigma$ with $B$ and deleting all the empty sets from the sequence. For instance, in Example 7.1 $P \lceil \{a\}$ is the trace $a^\omega$. Notice that the projection operation
may result in a finite sequence; but for our purposes it suffices to consider the projection of a trace $\sigma$ onto $B$ only when $\sigma_i \cap B$ is nonempty for infinitely many $i$.

For a set of processes $\{P_i = (A_i, X_i) \mid i = 1, 2, \ldots, n\}$, their parallel composition $\|_i P_i$ is a process with the event set $\cup_i A_i$ and the trace set
$$\{\sigma \in P^+(\cup_i A_i)^\omega \mid \wedge_i\ \sigma \lceil A_i \in X_i\}.$$
Thus $\sigma$ is a trace of $\|_i P_i$ iff $\sigma \lceil A_i$ is a trace of $P_i$ for each $i = 1, \ldots, n$. When there are no common events the above definition corresponds to the unconstrained interleavings of all the traces. On the other hand, if all event sets are identical then the trace set of the composition process is simply the set-theoretic intersection of all the component trace sets.

Example 7.2 Consider another channel $Q$ connected to the channel $P$ of Example 7.1. The event of message arrival for $Q$ is the same as the event $b$. Let $c$ denote the delivery of the message at the other end of $Q$. The process $Q$ is given by $(\{b, c\}, (bc)^\omega)$.

When $P$ and $Q$ are composed we require them to synchronize on the common event $b$, and between every pair of $b$'s we allow the possibility of the event $a$ happening before the event $c$, the event $c$ happening before $a$, and both occurring simultaneously. Thus $[P \| Q]$ has the event set $\{a, b, c\}$, and has an infinite number of traces.

In this framework, the verification question is presented as an inclusion problem. Both the implementation and the specification are given as untimed processes. The implementation process is typically a composition of several smaller component processes. We say that an implementation $(A, X_I)$ is correct with respect to a specification $(A, X_S)$ iff $X_I \subseteq X_S$.

Example 7.3 Consider the channels of Example 7.2. The implementation process is $[P \| Q]$. The specification is given as the process $S = (\{a, b, c\}, (abc)^\omega)$. Thus the specification requires the message to reach the other end of $Q$ before the next message arrives at $P$. In this case, $[P \| Q]$ does not meet the specification, for it has too many other traces, specifically, the trace $ab(acb)^\omega$.

Notice that according to the above definition of the verification problem, an implementation with $X_I = \emptyset$ is correct with respect to every specification. To overcome this problem, one needs to distinguish between output events (the events controlled by the system) and the input events (the events controlled by its environment), and require that the implementation should not prevent its environment from executing the input events [14]. We believe that distinguishing between input and output events and introducing timing are two orthogonal issues, and our goal in this paper is to indicate how to address the latter problem.

7.2 Adding timing to traces

An untimed process models the sequencing of events but not the actual times at which the events occur. Thus the description of the channel in Example 7.1 gives only the sequencing of the events $a$ and $b$, and not the delays between them. Timing can be added
to a trace by coupling it with a sequence of time values. We choose the set of reals to model time.

Recall that a time sequence $\tau = \tau_1 \tau_2 \ldots$ is an infinite sequence of time values $\tau_i \in \mathbb{R}$ satisfying the strict monotonicity and progress constraints. A timed trace over a set of events $A$ is a pair $(\sigma, \tau)$ where $\sigma$ is a trace over $A$, and $\tau$ is a time sequence. Note that, since different events happening simultaneously appear in a single element in a trace, there is no reason to allow the possibility of adjacent elements in a trace having the same associated time value.

In a timed trace $(\sigma, \tau)$, each $\tau_i$ gives the time at which the events in $\sigma_i$ occur. In particular, $\tau_1$ gives the time of the first observable event; we always assume $\tau_1 > 0$, and define $\tau_0 = 0$. Observe that the progress condition implies that only a finite number of events can happen in a bounded interval of time. In particular, it rules out convergent time sequences such as $1/2, 3/4, 7/8, \ldots$ representing the possibility that the system participates in infinitely many events before time 1.

A timed process is a pair $(A, L)$ where $A$ is a finite set of events, and $L$ is a set of timed traces over $A$.

Example 7.4 Consider the channel $P$ of Example 7.1 again. Assume that the first message arrives at time 1, and the subsequent messages arrive at fixed intervals of length 3 time units. Furthermore, it takes 1 time unit for every message to traverse the channel. The process has a single timed trace
$$\rho_P = (a, 1) \to (b, 2) \to (a, 4) \to (b, 5) \to \cdots$$
and it is represented as a timed process $P_T = (\{a, b\}, \{\rho_P\})$.

The operations on untimed processes are extended in the obvious way to timed processes. To get the projection of $(\sigma, \tau)$ onto $B \subseteq A$, we first intersect each event set in $\sigma$ with $B$ and then delete all the empty sets along with the associated time values. The definition of parallel composition remains unchanged, except that it uses the projection for timed traces. Thus in parallel composition of two processes, we require that both the processes should participate in the common events at the same time. This rules out the possibility of interleaving: parallel composition of two timed traces is either a single timed trace or is empty.

Example 7.5 As in Example 7.2 consider another channel $Q$ connected to $P$. For $Q$, as before, the only possible trace is $\sigma_Q = (bc)^\omega$. In addition, the timing specification of $Q$ says that the time taken by a message for traversing the channel, that is, the delay between $b$ and the following $c$, is some real value between 1 and 2. The timed process $Q_T$ has infinitely many timed traces, and it is given by
$$[\{b, c\},\ \{(\sigma_Q, \tau) \mid \forall i.\ (\tau_{2i-1} + 1 < \tau_{2i} < \tau_{2i-1} + 2)\}].$$
The description of $[P_T \| Q_T]$ is obtained by composing $\rho_P$ with each timed trace of $Q_T$. The composition process has uncountably many timed traces. An example trace is
$$(a, 1) \to (b, 2) \to (c, 3.8) \to (a, 4) \to (b, 5) \to (c, 6.02) \to \cdots$$
The time values associated with the events can be discarded by the $\mathit{Untime}$ operation. For a timed process $P = (A, L)$, $\mathit{Untime}[(A, L)]$ is the untimed process with the event set $A$ and the trace set consisting of traces $\sigma$ such that $(\sigma, \tau) \in L$ for some time sequence $\tau$. Note that
$$\mathit{Untime}(P_1 \| P_2) \subseteq \mathit{Untime}(P_1) \| \mathit{Untime}(P_2).$$
However, as Example 7.6 shows, the two sides are not necessarily equal. In other words, the timing information retained in the timed traces constrains the set of possible traces when two processes are composed.

Example 7.6 Consider the channels of Example 7.5. Observe that $\mathit{Untime}(P_T) = P$ and $\mathit{Untime}(Q_T) = Q$. $[P_T \| Q_T]$ has a unique untimed trace $(abc)^\omega$. On the other hand, $[P \| Q]$ has infinitely many traces; between every pair of $b$ events all possible orderings of an event $a$ and an event $c$ are admissible.

The verification problem is again posed as an inclusion problem. Now the implementation is given as a composition of several timed processes, and the specification is also given as a timed process.

Example 7.7 Consider the verification problem of Example 7.3 again. If we model the implementation as the timed process $[P_T \| Q_T]$ then it meets the specification. The specification is now a timed process $(\{a, b, c\}, \{((abc)^\omega, \tau)\})$. Observe that, though the specification constrains only the sequencing of events, the correctness of $[P_T \| Q_T]$ with respect to $S$ crucially depends on the timing constraints of the two channels.

7.3 $\omega$-automata and verification

We start with an overview of the application of Büchi automata to verify untimed processes [45, 44]. Observe that for an untimed process $(A, X)$, $X$ is an $\omega$-language over the alphabet $P^+(A)$. If it is a regular language it can be represented by a Büchi automaton.

We model a finite-state (untimed) process $P$ with event set $A$ using a Büchi automaton $A_P$ over the alphabet $P^+(A)$. The states of the automaton correspond to the internal states of the process. The automaton $A_P$ has a transition $\langle s, s', a \rangle$, with $a \subseteq A$, if the process can change its state from $s$ to $s'$ participating in the events from $a$. The acceptance conditions of the automaton correspond to the fairness constraints on the process. The automaton $A_P$ accepts (or generates) precisely the traces of $P$; that is, the process $P$ is given by $(A, L(A_P))$. Such a process $P$ is called an $\omega$-regular process.

The user describes a system consisting of various components by specifying each individual component as a Büchi automaton. In particular, consider a system $I$ comprising $n$ components, where each component is modeled as an $\omega$-regular process $P_i = (A_i, L(A_i))$. The implementation process is $[\|_i P_i]$. We can automatically construct the automaton for $I$ using the construction for language intersection for Büchi automata. Since the event sets of various components may be different, before we apply the product construction, we need to make the alphabets of the various automata identical. Let $A = \cup_i A_i$. From each $A_i$, we construct an automaton $A'_i$ over the alphabet $P^+(A)$ such that $L(A'_i) = \{\sigma \in P^+(A)^\omega \mid \sigma \lceil A_i \in L(A_i)\}$. Now the desired automaton $A_I$ is the product of the automata $A'_i$.
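The trace operations of Sections 7.1 and 7.2 are small enough to be written out. The Python below is an added example, not code from the paper: it implements projection, membership in an untimed parallel composition, composition of two timed traces (synchronizing on common events at the same instant, so the result is one timed trace or empty), and $\mathit{Untime}$, and applies them to the channels $P$ and $Q$ of Examples 7.1 to 7.6. The paper's traces are infinite; here a trace is a finite prefix and a process is a predicate on prefixes. The helper names word, timed and in_Q_T, and the sample time values, are this example's own; the sample traces are the ones of Examples 7.4 and 7.5.

```python
from fractions import Fraction

def project(trace, B):
    """sigma|B: intersect each event set with B and delete the empty sets."""
    return [e & B for e in (frozenset(x) for x in trace) if e & B]

def project_timed(ttrace, B):
    """Timed projection: a time value is dropped together with its emptied set."""
    return [(frozenset(e) & B, t) for e, t in ttrace if frozenset(e) & B]

def prefix_of_cycle(trace, cycle):
    """True iff trace is a prefix of cycle^omega written with singleton event sets."""
    return all(e == frozenset(cycle[i % len(cycle)]) for i, e in enumerate(trace))

def in_composition(trace, components):
    """sigma is a trace of ||_i P_i iff sigma|A_i is a trace of P_i for every i."""
    return all(is_trace(project(trace, A)) for A, is_trace in components)

def compose_timed(t1, A1, t2, A2):
    """Parallel composition of two timed traces: events at equal times are
    united, and the result must project back onto both operands (both
    processes take part in common events at the same instant); else it is empty."""
    by_time = {}
    for e, t in list(t1) + list(t2):
        by_time[t] = by_time.get(t, frozenset()) | frozenset(e)
    merged = [(e, t) for t, e in sorted(by_time.items())]
    ok = (project_timed(merged, A1) == [(frozenset(e), t) for e, t in t1]
          and project_timed(merged, A2) == [(frozenset(e), t) for e, t in t2])
    return merged if ok else None

def untime(ttrace):
    """The Untime operation on a single timed trace."""
    return [e for e, _ in ttrace]

def word(s):
    """'abc' -> [{a}, {b}, {c}]: singleton event sets, the paper's shorthand."""
    return [frozenset(ch) for ch in s]

def timed(*pairs):
    """('a', 1), ('b', '3.8') -> [({a}, 1), ({b}, 19/5)] with exact times."""
    return [(frozenset(e), Fraction(str(t))) for e, t in pairs]

# Untimed processes of Examples 7.1 to 7.3.
A_P, A_Q, A_S = frozenset("ab"), frozenset("bc"), frozenset("abc")
P = (A_P, lambda s: prefix_of_cycle(s, "ab"))       # channel P: (ab)^omega
Q = (A_Q, lambda s: prefix_of_cycle(s, "bc"))       # channel Q: (bc)^omega
SPEC = (A_S, lambda s: prefix_of_cycle(s, "abc"))   # specification S: (abc)^omega

# Timed traces of Examples 7.4 and 7.5 (finite prefixes of the paper's traces).
RHO_P = timed(("a", 1), ("b", 2), ("a", 4), ("b", 5))
RHO_Q = timed(("b", 2), ("c", "3.8"), ("b", 5), ("c", "6.02"))

def in_Q_T(ttrace):
    """Timing constraint of Q_T: every c lies strictly between 1 and 2 after its b."""
    times = [t for _, t in ttrace]
    return prefix_of_cycle(untime(ttrace), "bc") and all(
        times[i] + 1 < times[i + 1] < times[i] + 2 for i in range(0, len(times) - 1, 2))

if __name__ == "__main__":
    print(in_composition(word("abacb"), [P, Q]))   # True: ab(acb)^omega is a trace of P||Q
    print(in_composition(word("abacb"), [SPEC]))   # False: so [P||Q] does not meet S
    print(untime(compose_timed(RHO_P, A_P, RHO_Q, A_Q)))   # a, b, c, a, b, c
```

The two printed membership checks reproduce Example 7.3, and composing $\rho_P$ with a $Q_T$ trace reproduces the trace of Example 7.5. A $Q$ trace whose $b$ does not coincide in time with $P$'s $b$ composes to None, which is the timed counterpart of Example 7.6: the untimed composition admits $ab(acb)^\omega$, the timed one does not.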
The specification is given as an $\omega$-regular language $S$ over $P^+(A)$. The implementation meets the specification iff $L(A_I) \subseteq S$. The property $S$ can be presented as a Büchi automaton $A_S$. In this case, the verification problem reduces to checking emptiness of $L(A_I) \cap L(A_S)^c$.

The verification problem is PSPACE-complete. The size of $A_I$ is exponential in the description of its individual components. If $A_S$ is nondeterministic, taking the complement involves an exponential blow-up, and thus the complexity of the verification problem is exponential in the size of the specification also. However, if $A_S$ is deterministic, then the complexity is only polynomial in the size of the specification.

Even if the size of the specification and the sizes of the automata for the individual components are small, the number of components in most systems of interest is large, and in the above method the complexity is exponential in this number. Thus the product automaton $A_I$ has a prohibitively large number of states, and this limits the applicability of this approach. Alternative methods which avoid enumeration of all the states in $A_I$ have been proposed, and shown to be applicable to verification of some moderately sized systems [8, 18].

7.4 Verification using timed automata

For a timed process $(A, L)$, $L$ is a timed language over $P^+(A)$. A timed regular process is one for which the set $L$ is a timed regular language, and can be represented by a timed automaton.

Finite-state systems are modeled by TBAs. The underlying transition table gives the state-transition graph of the system. We have already seen how the clocks can be used to represent the timing delays of various physical components. As before, the acceptance conditions correspond to the fairness conditions. Notice that the progress requirement imposes certain fairness requirements implicitly. Thus, with a finite-state process $P$, we associate a TBA $A_P$ such that $L(A_P)$ consists of precisely the timed traces of $P$.

Typically, an implementation is described as a composition of several components. Each component should be modeled as a timed regular process $P_i = (A_i, L(A_i))$. It is possible to construct a TBA $A_I$ which represents the composite process $[\|_i P_i]$. To do this, first we need to make the alphabets of the various automata identical, and then take the intersection. However, in the verification procedure we are about to outline, we will not explicitly construct the implementation automaton $A_I$.

The specification of the system is given as another timed regular language $S$ over the alphabet $P^+(A)$, where $A = \cup_i A_i$. The system is correct iff $L(A_I) \subseteq S$. If $S$ is given as a TBA, then in general, it is undecidable to test for correctness. However, if $S$ is given as a DTMA $A_S$, then we can solve this as outlined in Section 6.3.

Putting together all the pieces, we conclude:

Theorem 7.8 Given timed regular processes $P_i = (A_i, L(A_i))$, $i = 1, \ldots, n$, modeled by timed automata $A_i$, and a specification as a deterministic timed automaton $A_S$, the inclusion of the trace set of $[\|_i P_i]$ in $L(A_S)$ can be checked in PSPACE.

Proof. Consider TBAs $A_i = \langle P^+(A_i), S_i, S_{i0}, C_i, E_i, F_i \rangle$, $i = 1, \ldots, n$, and the DTMA $A_S = \langle P^+(A), S_0, S_{00}, C_0, E_0, \mathcal{F} \rangle$. Assume without loss of generality that the clock sets $C_i$, $i = 0, \ldots, n$, are disjoint.
The verification algorithm constructs the transition table of the region automaton corresponding to the product $A$ of the timed transition tables of $A_i$ with $A_S$. The set of clocks of $A$ is $C = \cup_i C_i$. The states of $A$ are of the form $\langle s_0, \ldots, s_n \rangle$ with each $s_i \in S_i$. The initial states of $A$ are of the form $\langle s_0, \ldots, s_n \rangle$ with each $s_i \in S_{i0}$. A transition of $A$ is obtained by coupling the transitions of the individual automata labeled with consistent event sets. A state $s = \langle s_0, \ldots, s_n \rangle$ has a transition to state $s' = \langle s'_0, \ldots, s'_n \rangle$ labeled with event set $a \in P^+(A)$, clock constraint $\wedge_i \delta_i$, and the set $\cup_i \lambda_i$ of clocks, iff for each $0 \le i \le n$, either there is a transition $\langle s_i, s'_i, a \cap A_i, \lambda_i, \delta_i \rangle \in E_i$, or the automaton $A_i$ does not participate in this transition: $s'_i = s_i$, $a \cap A_i = \emptyset$, $\lambda_i = \emptyset$, and $\delta_i = \mathit{true}$.

The region automaton $R(A)$ is defined from the product table $A$ as described in Section 4. To test the desired inclusion, the algorithm searches for a cycle in the region automaton such that (1) it is accessible from the initial state of $R(A)$, (2) it satisfies the progressiveness condition: for each clock $x \in C$, the cycle contains at least one region satisfying $[(x = 0) \vee (x > c_x)]$, (3) since our definition of the composition requires that we consider only those infinite runs in which each automaton participates infinitely many times, we require that, for each $1 \le i \le n$, the cycle contains a transition in which the automaton $A_i$ participates, (4) the fairness requirements of all implementation automata $A_i$ are met: for each $1 \le i \le n$, the cycle contains some state whose $i$-th component belongs to the accepting set $F_i$, (5) the fairness condition of the specification is not met: the projection of the states in the cycle onto the component of $A_S$ does not belong to the acceptance family $\mathcal{F}$. The desired inclusion does not hold iff a cycle with all the above conditions can be found.

Each state of the region automaton can be represented in space polynomial in the description of the input automata. It follows that the inclusion test can be performed in PSPACE. $\blacksquare$

The number of vertices in the region automaton is $O[|A_S| \cdot \prod_i |A_i| \cdot 2^{|\delta(A_S)| + \sum_i |\delta(A_i)|}]$, and the time complexity of the above algorithm is linear in this number. There are mainly three sources of exponential blow-up:

1. The complexity is proportional to the number of states in the global timed automaton describing the implementation $[\|_i P_i]$. This is exponential in the number of components.
2. The complexity is proportional to the product of the constants $c_x$, the largest constant $x$ is compared with, over all the clocks $x$ involved.
3. The complexity is proportional to the number of permutations over the set of all clocks.

The first factor is present in the simplest of verification problems, even in the untimed case. Since the number of components is typically large, this exponential factor has been a major obstacle in implementing model-checking algorithms.

The second factor is typical of any formalism to reason about quantitative time. The blow-up by actual constants is observed even for simpler, discrete models. Note that if the bounds on the delays of different components are relatively prime then this factor leads to a major blow-up in the complexity.
Lastly, in the untiming construction, we need to account for all the possible orderings of the fractional parts of different clocks, and this is the source of the third factor. We remark that switching to a simpler, say discrete-time, model will avoid this blow-up in complexity. However, since the total number of clocks is linear in the number of independent components, this blow-up is the same as that contributed by the first factor, namely, exponential in the number of components.

7.5 Verification example

We consider an example of an automatic controller that opens and closes a gate at a railroad crossing [29]. The system is composed of three components: TRAIN, GATE and CONTROLLER.

The automaton modeling the train is shown in Figure 16. The event set is $\{approach, exit, in, out, id_T\}$. The train starts in state $s_0$. The event $id_T$ represents its idling event; the train is not required to enter the gate. The train communicates with the controller with two events $approach$ and $exit$. The events $in$ and $out$ mark the events of entry and exit of the train from the railroad crossing. The train is required to send the signal $approach$ at least 2 minutes before it enters the crossing. Thus the minimum delay between $approach$ and $in$ is 2 minutes. Furthermore, we know that the maximum delay between the signals $approach$ and $exit$ is 5 minutes. This is a liveness requirement on the train. Both the timing requirements are expressed using a single clock $x$.

Figure 16: TRAIN (states $s_0, s_1, s_2, s_3$; edges $approach, x := 0$ from $s_0$ to $s_1$; $in, (x > 2)?$ from $s_1$ to $s_2$; $out$ from $s_2$ to $s_3$; $exit, (x < 5)?$ from $s_3$ to $s_0$; self-loop $id_T$ on $s_0$).

The automaton modeling the gate component is shown in Figure 17. The event set is $\{raise, lower, up, down, id_G\}$. The gate is open in state $s_0$ and closed in state $s_2$. It communicates with the controller through the signals $lower$ and $raise$. The events $up$ and $down$ denote the opening and the closing of the gate. The gate responds to the signal $lower$ by closing within 1 minute, and responds to the signal $raise$ within 1 to 2 minutes. The gate can take its idling transition $id_G$ in states $s_0$ or $s_2$ forever.

Finally, Figure 18 shows the automaton modeling the controller. The event set is
Figure 17: GATE (states $s_0, s_1, s_2, s_3$; edges $lower, y := 0$ from $s_0$ to $s_1$; $down, (y < 1)?$ from $s_1$ to $s_2$; $raise, y := 0$ from $s_2$ to $s_3$; $up, (y > 1) \wedge (y < 2)?$ from $s_3$ to $s_0$; self-loops $id_G$ on $s_0$ and $s_2$).

Figure 18: CONTROLLER (states $s_0, s_1, s_2, s_3$; edges $approach, z := 0$ from $s_0$ to $s_1$; $lower, (z = 1)?$ from $s_1$ to $s_2$; $exit, z := 0$ from $s_2$ to $s_3$; $raise, (z < 1)?$ from $s_3$ to $s_0$; self-loop $id_C$ on $s_0$).
$\{approach, exit, raise, lower, id_C\}$. The controller idle state is $s_0$. Whenever it receives the signal $approach$ from the train, it responds by sending the signal $lower$ to the gate. The response time is 1 minute. Whenever it receives the signal $exit$, it responds with a signal $raise$ to the gate within 1 minute.

The entire system is then
$$[\mathrm{TRAIN} \| \mathrm{GATE} \| \mathrm{CONTROLLER}].$$
The event set is the union of the event sets of all the three components. In this example, all the automata are particularly simple; they are deterministic, and do not have any fairness constraints (every run is an accepting run). The timed automaton $A_I$ specifying the entire system is obtained by composing the above three automata.

The correctness requirements for the system are the following:
1. Safety: Whenever the train is inside the gate, the gate should be closed.
2. Real-time Liveness: The gate is never closed at a stretch for more than 10 minutes.

The specification refers to only the events $in$, $out$, $up$, $down$. The safety property is specified by the automaton of Figure 19. An edge label $in$ stands for any event set containing $in$, and an edge label "$in, \neg out$" means any event set not containing $out$, but containing $in$. The automaton disallows $in$ before $down$, and $up$ before $out$. All the states are accepting states.

Figure 19: Safety property (states $s_0, s_1, s_2$; edge labels $\neg in, \neg down$; $down, \neg in$; $\neg in, \neg up$; $up, \neg in$; $in, \neg up$; $out, \neg up$).

The real-time liveness property is specified by the timed automaton of Figure 20. The automaton requires that every $down$ be followed by $up$ within 10 minutes. Note that the automaton is deterministic, and hence can be complemented. Furthermore, observe that the acceptance condition is not necessary; we can include state $s_1$ also in the acceptance set. This is because the progress of time ensures that the self-loop on state $s_1$ with the clock constraint $(x < 10)$ cannot be taken indefinitely, and the automaton will eventually visit state $s_0$.

The correctness of $A_I$ against the two specifications can be checked separately as outlined in Section 7. Observe that though the safety property is purely a qualitative property, it does not hold if we discard the timing requirements.
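The product of timed transition tables described in the proof of Theorem 7.8 can be built directly for the three components of this section. The Python below is an added example and not code from the paper: it encodes TRAIN, GATE and CONTROLLER from Figures 16 to 18 (states numbered 0 to 3 as in the figures), couples their edges on consistent event sets one transition at a time rather than tabulating the whole product, and runs the product over constructed timed traces. A flag timed=False drops every clock constraint, which exhibits the closing remark above: the purely qualitative safety property is lost once timing is discarded. The helper names and the sample traces GOOD and EARLY_IN are this example's own.

```python
from fractions import Fraction

# A component is (event set, clocks, edges); an edge is
# (source, target, event set, clocks to reset, guard), guard = conjunction of atoms.
OPS = {"<": lambda v, c: v < c, ">": lambda v, c: v > c, "==": lambda v, c: v == c}

TRAIN = ({"approach", "in", "out", "exit", "id_T"}, {"x"}, [
    (0, 1, {"approach"}, {"x"}, []),
    (1, 2, {"in"}, set(), [("x", ">", 2)]),        # approach at least 2 min before in
    (2, 3, {"out"}, set(), []),
    (3, 0, {"exit"}, set(), [("x", "<", 5)]),      # exit within 5 min of approach
    (0, 0, {"id_T"}, set(), [])])
GATE = ({"lower", "down", "raise", "up", "id_G"}, {"y"}, [
    (0, 1, {"lower"}, {"y"}, []),
    (1, 2, {"down"}, set(), [("y", "<", 1)]),      # closes within 1 min of lower
    (2, 3, {"raise"}, {"y"}, []),
    (3, 0, {"up"}, set(), [("y", ">", 1), ("y", "<", 2)]),  # opens 1 to 2 min after raise
    (0, 0, {"id_G"}, set(), []), (2, 2, {"id_G"}, set(), [])])
CONTROLLER = ({"approach", "lower", "exit", "raise", "id_C"}, {"z"}, [
    (0, 1, {"approach"}, {"z"}, []),
    (1, 2, {"lower"}, set(), [("z", "==", 1)]),    # lower exactly 1 min after approach
    (2, 3, {"exit"}, {"z"}, []),
    (3, 0, {"raise"}, set(), [("z", "<", 1)]),     # raise within 1 min of exit
    (0, 0, {"id_C"}, set(), [])])
SYSTEM = [TRAIN, GATE, CONTROLLER]

def product_step(components, state, nu, a, timed=True):
    """One product transition on event set a: each component whose event set meets
    a must have an enabled edge labelled a & A_i; the others do not participate.
    Returns (new global state, new valuation), or None if a is not enabled."""
    new_state, resets = [], set()
    for (A_i, _, edges), s_i in zip(components, state):
        label = a & A_i
        if not label:                              # component does not participate
            new_state.append(s_i)
            continue
        enabled = [e for e in edges if e[0] == s_i and e[2] == label
                   and (not timed or all(OPS[op](nu[x], c) for x, op, c in e[4]))]
        if len(enabled) != 1:
            return None
        new_state.append(enabled[0][1])
        resets |= enabled[0][3]
    return tuple(new_state), {x: (Fraction(0) if x in resets else v) for x, v in nu.items()}

def run(components, trace, timed=True):
    """Global states of the unique run over a timed trace [(event set, time), ...],
    or None if the trace is not a behaviour of the composed system."""
    state = tuple(0 for _ in components)
    nu = {x: Fraction(0) for _, clocks, _ in components for x in clocks}
    now, states = Fraction(0), [state]
    for a, t in trace:
        if t <= now:
            return None                            # strict monotonicity violated
        nu = {x: v + (t - now) for x, v in nu.items()}
        res = product_step(components, state, nu, frozenset(a), timed)
        if res is None:
            return None
        state, nu = res
        now = t
        states.append(state)
    return states

def safe(states):
    """Safety property of Section 7.5: whenever TRAIN is inside the crossing
    (state 2), GATE must be closed (state 2)."""
    return all(gate == 2 for train, gate, _ in states if train == 2)

def ttrace(*pairs):
    """('approach', 1), ('down', '2.5') -> [({'approach'}, 1), ({'down'}, 5/2)]."""
    return [({e}, Fraction(str(t))) for e, t in pairs]

# Constructed sample traces (minutes).
GOOD = ttrace(("approach", 1), ("lower", 2), ("down", "2.5"), ("in", "3.5"),
              ("out", 4), ("exit", 5), ("raise", "5.5"), ("up", 7))
EARLY_IN = ttrace(("approach", 1), ("in", "1.5"))   # train enters 0.5 min after approach

if __name__ == "__main__":
    print(safe(run(SYSTEM, GOOD)))                    # True
    print(run(SYSTEM, EARLY_IN))                      # None: the guard x > 2 rejects it
    print(safe(run(SYSTEM, EARLY_IN, timed=False)))   # False: safety fails without timing
```

With the clock constraints in force, an $in$ can only occur more than 2 minutes after $approach$, while $lower$ occurs exactly 1 minute after $approach$ and $down$ less than 1 minute after that, so the gate is always closed first; the untimed product admits $in$ immediately after $approach$.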
Figure 20: Real-time liveness property (states $s_0$ (accepting) and $s_1$; self-loop $\neg down$ on $s_0$; edge $down, x := 0$ from $s_0$ to $s_1$; self-loop with clock constraint $(x < 10)?$ on $s_1$; edge $up, (x < 10)?$ from $s_1$ to $s_0$).

8 New results on timed automata

Timed automata provide a natural way of expressing timing delays of a real-time system. In this presentation, we have studied them from the perspective of formal language theory. Now we briefly review other results about timed automata. The precise formulation of timed automata is different in different papers, but the underlying idea remains the same.

Timed automata are useful for developing a decision procedure for the logic MITL, a real-time extension of the linear temporal logic PTL [4]. The decision procedure constructs a timed automaton $A_\phi$ from a given MITL-formula $\phi$, such that $A_\phi$ accepts precisely the satisfying models of $\phi$; thereby reducing the satisfiability question for $\phi$ to the emptiness question for $A_\phi$. This construction can also be used to check the correctness of a system modeled as a product of timed automata against an MITL-specification.

The untiming construction for timed automata forms the basis for verification algorithms in the branching-time model also. In [1], we develop a model-checking algorithm for specifications written in TCTL, a real-time extension of the branching-time temporal logic CTL of [16]. In [43], a notion of timed bisimulation is defined for timed automata, and an algorithm for deciding whether two timed automata are bisimilar is given.

Timed automata are a fairly low-level representation, and automatic translations from more structured representations such as process algebras, timed Petri nets, or high-level real-time programming languages, should exist. Recently, Sifakis et al. have shown how to translate a term of the real-time process algebra ATP to a timed automaton [34].

One promising direction of extending the process model discussed here is to incorporate probabilistic information. This is particularly relevant for systems that control and interact with physical processes. We add probabilities to timed automata by associating fixed distributions with the delays. This extension makes our processes generalized semi-Markov processes (GSMPs). Surprisingly, the untiming construction used to test for emptiness of a timed automaton can be used to analyze the behavior of GSMPs also. In [2], we present an algorithm that combines model-checking for TCTL with model-checking for discrete-time Markov chains. The method can also be adopted to check properties specified using deterministic timed automata [3].

Questions other than verification can also be studied using timed automata. For example, Wong-Toi and Hoffmann study the problem of supervisory control of discrete event systems when the plant and specification behaviors are represented by timed automata [48]. The problem of synthesizing schedulers from timed automata specifications
References showhowtocomputetheearliestandthelatesttimeatargetstatecanappearalongthe runsofanautomatonfromagiveninitialstate. minimumandmaximumdelayproblemsforreal-timesystems[12].forinstance,they isaddressedin[15].courcoubetisandyannakakisusetimedautomatatosolvecertain [2]R.Alur,C.Courcoubetis,andD.Dill.Model-checkingforprobabilisticreal-time [1]R.Alur,C.Courcoubetis,andD.Dill.Model-checkingforreal-timesystems.In [3]R.Alur,C.Courcoubetis,andD.Dill.Verifyingautomataspecicationsofprobabilisticreal-timesystems.InProceedingsofREXworkshop\Real-time:theoryin 425,1990. systems.inautomata,languagesandprogramming:proceedingsofthe18thicalp, LectureNotesinComputercience510,1991. ProceedingsoftheFifthIEEEymposiumonLogicinComputercience,pages414{ [5]R.AlurandT.Henzinger.Areallytemporallogic.InProceedingsofthe30thIEEE [4]R.Alur,T.Feder,andT.Henzinger.Thebenetsofrelaxingpunctuality.InProceedingsoftheTenthACMymposiumonPrinciplesofDistributedComputing,pages practice",lecturenotesincomputercience600,pages28{44.pringer-verlag, 139{152,1991. 1991. [7]R.Buchi.Onadecisionmethodinrestrictedsecond-orderarithmetic.InProceedings [6]A.BernsteinandP.Harter.Provingreal-timepropertiesofprogramswithtemporal oftheinternationalcongressonlogic,methodology,andphilosophyofcience1960, pages164{176,1981. logic.inproceedingsoftheeighthacmymposiumonoperatingystemprinciples, ymposiumonfoundationsofcomputercience,pages164{169,1989. [8]J.Burch,E.Clarke,D.Dill,L.Hwang,andK.L.McMillan.ymbolicmodelchecking:1020statesandbeyond.InformationandComputation,98(2):142{170,1992. pages1{12.tanforduniversitypress,1962. [10]E.Clarke,I.Draghicescu,andR.Kurshan.Auniedapproachforshowinglanguage [9]Y.Choueka.Theoriesofautomataon!-tapes:asimpliedapproach.Journalof [11]E.Clarke,E.A.Emerson,andA.P.istla.Automaticvericationofnite-state Computerandystemciences,8:117{141,1974. gramminglanguagesandystems,8(2):244{263,1986. 
concurrentsystemsusingtemporal-logicspecications.acmtransactionsonpro- containmentandequivalencebetweenvarioustypesof!-automata.technicalreport, CarnegieMellonUniversity,1989. 46
[13]D.Dill.Timingassumptionsandvericationofnite-stateconcurrentsystems.In [12]C.CourcoubetisandM.Yannakakis.Minimumandmaximumdelayproblemsinrealtimesystems.InProceedingsoftheThirdWorkshoponComputer-AidedVerication, [14]D.Dill.TraceTheoryforAutomaticHierarchicalVericationofpeed-independent LectureNotesinComputercience575,pages399{409,1991. J.ifakis,editor,AutomaticVericationMethodsforFinitetateystems,Lecture NotesinComputercience407,pages197{212.pringer{Verlag,1989. [15]D.DillandH.Wong-Toi.ynthesizingprocessesandschedulersfromtemporalspecications.InProceedingsoftheecondWorkshoponComputer-AidedVerication, LectureNotesinComputercience531,pages272{281,1990. [16]E.A.EmersonandE.M.Clarke.Usingbranching-timetemporallogictosynthesize Circuits.MITPress,1989. [17]E.A.Emerson,A.Mok,A.P.istla,andJ.rinivasan.Quantitativetemporal [18]P.GodefroidandP.Wolper.Apartialapproachtomodel-checking.InProceedings synchronizationskeletons.cienceofcomputerprogramming,2:241{266,1982. reasoning.inproceedingsoftheecondworkshoponcomputer-aidedverication, LectureNotesinComputercience531,pages136{145,1990. [20]E.Harel,O.Lichtenstein,andA.Pnueli.Explicit-clocktemporallogic.InProceedings [19]D.Harel,A.Pnueli,andJ.tavi.Propositionaldynamiclogicofregularprograms. oftheixthieeeymposiumonlogicincomputercience,pages406{415,1991. JournalofComputerandystemciences,26:222{243,1983. [22]C.Hoare.Communicatingsequentialprocesses.CommunicationsoftheACM, [21]T.Henzinger,Z.Manna,andA.Pnueli.Temporalproofmethodologiesforreal-time Languages,pages353{366,1991. systems.inproceedingsofthe18thacmymposiumonprinciplesofprogramming 21(8):666{677,1978. ofthefifthieeeymposiumonlogicincomputercience,pages402{413,1990. [23]J.HopcroftandJ.Ullman.IntroductiontoAutomataTheory,Languages,andComputation.Addison-Wesley,1979. [24]F.JahanianandA.Mok.afetyanalysisoftimingpropertiesinreal-timesystems. 
[25]F.JahanianandA.Mok.Agraph-theoreticapproachfortiminganalysisandits [26]R.Koymans.pecifyingreal-timepropertieswithmetrictemporallogic.Journalof IEEETransactionsonoftwareEngineering,E{12(9):890{904,1986. implementation.ieeetransactionsoncomputers,c-36(8):961{975,1987. Real-Timeystems,2:255{299,1990.47
[27]R.Kurshan.ComplementingdeterministicBuchiautomatainpolynomialtime.JournalofComputerandystemciences,35:59{71,1987. nets.inproceedingsofinternationaljointconferenceontheoryandpracticeofoft- waredevelopment,lecturenotesincomputercience186,pages339{355.pringer- Verlag,1985. Processing83:ProceedingsoftheNinthIFIPWorldComputerCongress,pages657{ [29]N.LevesonandJ.tolzy.AnalyzingsafetyandfaulttoleranceusingtimedPetri [28]L.Lamport.Whatgoodistemporallogic?InR.Mason,editor,Information 668.ElsevierciencePublishers,1983. [32]Z.MannaandA.Pnueli.Thetemporalframeworkforconcurrentprograms.In [30]H.Lewis.Finite-stateanalysisofasynchronouscircuitswithboundedtemporaluncertainty.TechnicalReportTR-15-89,HarvardUniversity,1989. [31]N.LynchandH.Attiya.Usingmappingstoprovetimingproperties.InProceedingsof R.BoyerandJ.Moore,editors,TheCorrectnessProbleminComputercience, 1990. theninthacmymposiumonprinciplesofdistributedcomputing,pages265{280, [33]R.McNaughton.Testingandgeneratinginnitesequencesbyaniteautomaton. pages215{274.academicpress,1981. [35]J.Ostro.TemporalLogicofReal-timeystems.ResearchtudiesPress,1990. [34]X.Nicollin,J.ifakis,and.Yovine.FromATPtotimedgraphsandhybridsystems. Computercience600,pages549{572.pringer-Verlag,1991. InProceedingsofREXworkshop\Real-time:theoryinpractice",LectureNotesin InformationandControl,9:521{530,1966. [38]C.Ramchandani.AnalysisofasynchronousconcurrentsystemsbyPetrinets.TechnicalReportMACTR-120,MassachusettsInstituteofTechnology,1974. LectureNotesinComputercience224,pages510{584.pringer-Verlag,1986. siumonfoundationsofcomputercience,pages46{77,1977. [36]A.Pnueli.Thetemporallogicofprograms.InProceedingsofthe18thIEEEympo- [37]A.Pnueli.Applicationsoftemporallogictothespecicationandvericationof reactivesystems:asurveyofcurrenttrends.incurrenttrendsinconcurrency, [40].afra.Onthecomplexityof!-automata.InProceedingsofthe29thIEEEymposiumonFoundationsofComputercience,pages319{327,1988. 
automatawithapplicationstotemporallogic.theoreticalcomputercience,49:217{ [41]A.P.istla,M.Vardi,andP.Wolper.ThecomplementationproblemforBuchi [39]H.Rogers.TheoryofRecursiveFunctionsandEectiveComputability.McGraw-Hill, 237,1987. 1967. 48
[42]W.Thomas.Automataoninniteobjects.InJ.vanLeeuwen,editor,Handbookof [44]M.Vardi.Vericationofconcurrentprograms{theautomata-theoreticframework. [43]K.Cerans.Decidabilityofbisimulationequivalenceforparalleltimerprocesses.In ProceedingsoftheFourthWorkshoponComputer-AidedVeriction,LectureNotes incomputercience,1992.toappear. 1990. TheoreticalComputercience,volumeB,pages133{191.ElsevierciencePublishers, [45]M.VardiandP.Wolper.Anautomata-theoreticapproachtoautomaticprogram [46]P.Wolper.Temporallogiccanbemoreexpressive.InformationandControl,56:72{ 167{176,1987. InProceedingsoftheecondIEEEymposiumonLogicinComputercience,pages cience,pages332{344,1986. verication.inproceedingsofthefirstieeeymposiumonlogicincomputer [48]H.Wong-ToiandG.Homann.Thecontrolofdensereal-timediscreteeventsystems. [47]P.Wolper,M.Vardi,andA.P.istla.Reasoningaboutinnitecomputationpaths. InProceedingsofthe30thIEEEConferenceonDecisionandControl,pages1527{ pages185{194,1983. 99,1983. 1528,1991. InProceedingsofthe24thIEEEymposiumonFoundationsofComputercience, 49