Event Clock Automata: from Theory to Practice∗
G. Geeraerts1 †
J.F. Raskin1
N. Sznajder2
1
Université Libre Bruxelles, Département d’Informatique
Brussels, Belgium
2
Université Pierre et Marie Curie UMR CNRS 7606, LIP6
Paris, France.
{gigeerae,jraskin}@ulb.ac.be
[email protected]
July 22, 2011
Abstract
Event clock automata (ECA) are a model for timed languages that has been
introduced by Alur, Fix and Henzinger as an alternative to timed automata, with
better theoretical properties (for instance, ECA are determinizable while timed automata are not). In this paper, we revisit and extend the theory of ECA. We first
prove that no finite time abstract language equivalence exists for ECA, thereby
disproving a claim in the original work on ECA. This means in particular that regions do not form a time abstract bisimulation. Nevertheless, we show that regions
can still be used to build a finite automaton recognizing the untimed language of
an ECA. Then, we extend the classical notions of zones and DBMs to let them
handle event clocks instead of plain clocks (as in timed automata) by introducing
event zones and Event DBMs (EDBMs). We discuss algorithms to handle event
zones represented as EDBMs, as well as (semi-) algorithms based on EDBMs to
decide language emptiness of ECA.
1
Introduction
Timed automata have been introduced by Alur and Dill in the early nineties [2] and
are a successful and popular model to reason about timed behaviors of computer systems. Where finite automata represent behaviors by finite sequences of actions, timed
∗ Work supported by the projects: (i) QUASIMODO (FP7- ICT-STREP-214755), Quasimodo: “Quantitative System Properties in Model-Driven-Design of Embedded”, http://www.quasimodo.aau.dk/,
(ii) GASICS (ESF-EUROCORES LogiCCC), Gasics: “Games for Analysis and Synthesis of Interactive
Computational Systems”, http://www.ulb.ac.be/di/gasics/ and (iii) Moves: “Fundamental
Issues in Modelling, Verification and Evolution of Software”, http://moves.ulb.ac.be, a PAI program funded by the Federal Belgian Government.
† Partly supported by a ‘Crédit aux chercheurs’ from the Belgian FRS/F.N.R.S.
1
automata define sets of timed words (called timed languages) that are finite sequences
of actions, each paired with a real time stamp. To this end, timed automata extend finite
automata with a finite set of real valued clocks, that can be tested and reset with each
action of the system. The theory of timed automata is now well developed [1]. The
algorithms to analyse timed automata have been implemented in several tools such as
Kronos [7] or UppAal (which is increasingly applied in industrial case studies) [4].
Timed automata, however, suffer from certain weaknesses, at least from the theoretical point of view. As a matter of fact, timed automata are not determinizable and
cannot be complemented in general [2]. Intuitively, this stems from the fact that the
reset of the clocks cannot be made deterministic wrt the word being read. Indeed, from
a given location, there can be two transitions, labeled by the same action a but different
reset sets.
This observation has prompted Alur, Fix and Henzinger to introduce the class of
event clock automata (ECA for short) [3], as an alternative model for timed languages.
Unlike timed automata, ECA force the clock resets to be strongly linked to the occurrences of actions. More precisely, for each action a of the system, there are two clocks
←
→ in an ECA: ←
x−a and −
x
x−a is the history clock of a and always records the time elapsed
a
→ is the prophecy clock for a, and
since the last occurrence of a. Symmetrically, −
x
a
always predicts the time distance up to the next occurrence of a. As a consequence,
while history clocks see their values increase with time elapsing (like clocks in timed
automata do), the values of prophecy clocks decrease over time. However, this scheme
ensures that the value of any clock is uniquely determined at any point in the timed
word being read, no matter what path is being followed in the ECA. A nice consequence of this definition is that ECA are determinizable [3]. While the theory of ECA
has witnessed some developments [13, 11, 15, 9, 12] since the seminal paper, no tool
is available that exploits the full power of event clocks (the only tool we are aware of
is T EMPO [14] and it is restricted to event-recording automata, i.e. ECA with history
clocks only).
In this paper, we revisit and extend the theory of ECA, with the hope to make it
more practical and amenable to implementation. A widespread belief [3] about ECA
and their analysis is that ECA are similar enough to timed automata that the classical
techniques (such as regions, zones or DBMs) developed for them can readily be applied
to ECA. The present research, however, highlights fundamental discrepancies between
timed automata and ECA:
1. First, we show that there is no finite time abstract language equivalence on the
valuations of event clocks, whereas the region equivalence [2] is a finite time
abstract language equivalence for timed automata. This implies, in particular,
that regions do not form a finite time-abstract bisimulation for ECA , thereby
contradicting a claim found in the original paper on ECA [3].
2. With timed automata, checking language emptiness can be done by building the
so-called region automaton [2] which recognizes Untime(L(A)), the untimed
version of A’s timed language. A consequence of the surprising result of point 1
is that, for some ECA A, the region automaton recognizes a strict subset of
Untime(L(A)). Thus, the region automaton (as defined in [2]) is not a sound
construction for checking language emptiness of ECA . We show however that
2
a slight modification of the original definition (that we call the existential region automaton) allows to recover Untime(L(A)). Unlike the timed automata
case, our proof cannot rely on bisimulation arguments, and requires original techniques.
3. Efficient algorithms to analyze timed automata are best implemented using zones
[1], that are in turn represented by DBMs [10]. Unfortunately, zones and DBMs
cannot be directly applied to ECA. Indeed, a zone is, roughly speaking, a conjunction of constraints of the form x − y ≺ c, where x, y are clocks, ≺ is either
< or ≤ and c is an integer. This makes sense in the case of timed automata, since
the difference of two clock values is an invariant with time elapsing. This is not
the case when we consider event clocks, as prophecy and history clocks evolve in
opposite directions with time elapsing. Thus, we introduce the notions of eventzones and Event DBMs that can handle constraints of the form x + y ≺ c, when
x and y are of different types.
4. In the case of timed automata two basic, zone-based algorithms for solving language emptiness have been studied: the forward analysis algorithm that iteratively computes all the states reachable from the initial state, and the backward
analysis algorithm that computes all the states that can reach an accepting state.
While the former might not terminate in general, the latter is guaranteed to terminate [1]. We show that this is not the case anymore with ECA: both algorithms
might not terminate again because of event clocks evolving in opposite directions.
These observations reflect the structure of the paper. We close it by discussing the
possibility to define widening operators, adapted from the closure by region, and the
k-approximation that have been defined for timed automata [6]. The hardest part of
this future work will be to obtain a proof of correctness for these operators, since, here
again, we will not be able to rely on bisimulation arguments.
2
Preliminaries
Words and timed words An alphabet Σ is a finite set of symbols. A (finite) word
is a finite sequence w = w0 w1 · · · wn of elements of Σ. We denote the length of w
by |w|. We denote by Σ∗ the set of words over Σ. A timed word over Σ is a pair
θ = (τ, w) such that w is a word over Σ and τ = τ0 τ1 · · · τ|w|−1 is a word over R≥0
with τi ≤ τi+1 for all 0 ≤ i < |w| − 1. We denote by TΣ∗ the set of timed words over
Σ. A (timed) language is a set of (timed) words. For a timed word θ = (τ, w), we let
Untime(θ) = w. For a timed language L, we let Untime(L) = {Untime(θ) | θ ∈ L}.
Event clocks Given an alphabet Σ, we define the set of associated event clocks CΣ =
−
→
HΣ ∪ PΣ , where HΣ = {←
x−
σ | σ ∈ Σ} is the set of history clocks, and PΣ = {xσ |
σ ∈ Σ} is the set of prophecy clocks. A valuation of a set of clocks is a function
v : C → R≥0 ∪ {⊥}, where ⊥ means that the clock value is undefined. We denote
by V (C) the set of all valuations of the clocks in C. For a valuation v ∈ V(C), for
3
all x ∈ HΣ , we let hv1 (x)i = dv(x)e − v(x) and for all x ∈ PΣ , we let hv(x)i =
v(x) − bv(x)c, where bv(x)c and dv(x)e denote respectively the largest previous and
smallest following integer. We also denote by v ± the valuation s.t. v ± (x) = v(x) for
all x ∈ HΣ , and v ± (x) = −v(x) for all x ∈ PΣ .
For all valuation v ∈ V (C) and all d ∈ R≥0 such that v(x) ≥ d for all x ∈ PΣ ∩ C,
we define the valuation v + d obtained from v by letting d time units elapse: for all
x ∈ HΣ ∩ C, (v + d)(x) = v(x) + d and for all x ∈ PΣ ∩ C, (v + d)(x) = v(x) − d,
with the convention that ⊥ + d = ⊥ − d = ⊥. A valuation is initial iff v(x) = ⊥ for
all x ∈ HΣ , and final iff v(x) = ⊥ for all x ∈ PΣ . We note v[x := c] the valuation that
matches v on all its clocks except for v(x) that equals c.
An atomic clock constraint over C ⊆ CΣ is either true or of the form x ∼ c,
where x ∈ C, c ∈ N and ∼ ∈ {<, >, =}. A clock constraint over C is a Boolean
combination of atomic clock constraints. We denote Constr (C) the set of all possible
clock constraints over C. A valuation v ∈ V (C) satisfies a clock constraint ψ ∈
Constr (C), denoted v |= ψ according to the following rules: v |= true, v |= x ∼ c iff
v(x) ∼ c, v |= ¬ψ iff v 6|= ψ, and v |= ψ1 ∧ ψ2 iff v |= ψ1 and v |= ψ2 .
Event-clock automata An event-clock automaton A = hQ, qi , Σ, δ, αi (ECA for
short) is a tuple, where Q is a finite set of locations, qi ∈ Q is the initial location,
Σ is an alphabet, δ ⊆ Q × Σ × Constr (CΣ ) × Q is a finite set of edges, and α ⊆ Q is
the set of accepting locations. We additionally require that, for each q ∈ Q, σ ∈ Σ, δ is
defined for a finite number of ψ ∈ Constr (CΣ ). An extended state (or simply state) of
an ECA A = hQ, qi , Σ, δ, αi is a pair (q, v) where q ∈ Q is a location, and v ∈ V (CΣ )
is a valuation.
Runs and accepted language The semantics of an
ECA A = hQ, qi, Σ, δ, αi is best
A
described by an infinite transition system TSA = QA , QA
, where QA =
i , →, α
A
Q × V (CΣ ) is the set of extended states of A, Qi = {(qi , v) | v is initial}, αA =
{(q, v) | q ∈ α and v is final}. The transition
relation → ⊆ QA × R≥0 × QA ∪
A
A
0
Q × Σ × Q is s.t. (i) (q, v), t, (q, v ) ∈ → iff v 0 = v + t (we denote this by
t
(q, v) →
− (q, v 0 )), and (ii) (q, v), σ, (q 0 , v 0 ) ∈→ iff there is (q, σ, ψ, q 0 ) ∈ δ and
←
−
0
v ∈ V (CΣ ) s.t. v[−
x→
σ := 0] = v, v[xσ := 0] = v and v |= ψ (we denote this
t,σ
σ
t
(q, v) −
→ (q 0 , v 0 )). We note (q, v) −−→ (q 0 , v 0 ) whenever there is (q 00 , v 00 ) s.t. (q, v) →
−
σ
(q 00 , v 00 ) −
→ (q 0 , v 00 ). Intuitively, this means that an history clock ←
x−
σ always records the
time elapsed since the last occurrence of the corresponding σ event, and that a prophecy
clock −
x→
σ always predicts the delay up to the next occurrence of σ. Thus, when firing
a σ-labeled transition, the guard must be tested against v (as defined above) because
it correctly predicts the next occurrence of σ and correctly records its last occurrence
−
0 ←
(unlike v and v 0 , as v(−
x→
σ ) = 0 and v (xσ ) = 0)
A sequence (q0 , v0 )(t0 , w0 )(q1 , v1 )(t1 , w1 )(q2 , v2 ) · · · (qn , vn ) is a (q, v)-run of A
on the timed word θ = (τ, w) iff: (q0 , v0 ) = (q, v), t0 = τ0 , for any 1 ≤ i ≤ n − 1:
ti ,wi
ti = τi − τi−1 , and for any 0 ≤ i ≤ n − 1: (qi , vi ) −−−→ (qi+1 , vi+1 ). A (q, v)-run
is initialized iff (q, v) ∈ QA
i (in this case, we simply call it a run). A (q, v)-run on
θ, ending in (qn , vn ) is accepting iff (qn , vn ) ∈ αA . In this case, we say that the run
4
accepts θ. For an ECA A and an extended state (q, v) of A, we denote by L(A, (q, v))
the set of timed words accepted by a (q, v)-run of A, and by L(A) the set of timed
words accepted by an initialized run of A.
3
Equivalence relations for event-clocks
A classical technique to analyze timed transition systems is to define time abstract
equivalence relations on the set of states, and to reason on the quotient transition system. In the case of timed automata, a fundamental concept is the region equivalence
[2], which is a finite time-abstract bisimulation, and allows to decide properties of
timed automata such as reachability. Contrary to a widespread belief [3], we show
that the class of ECA does not benefit of these properties, as ECA admit no finite
time-abstract language equivalence.
Time-abstract equivalence relations Let C be a class of ECA, all sharing the same
alphabet Σ. We recall three equivalence notions on event clock valuations:
• . ⊆ V (CΣ ) × V (CΣ ) is a time abstract simulation relation for the class C iff,
for all A ∈ C, for all location q of A, for all (v1 , v2 ) ∈ ., for all t1 ∈ R≥0 ,
t1 ,a
for all a ∈ Σ: (q, v1 ) −−→ (q 0 , v10 ) implies that there exists t2 ∈ R≥0 s.t.
t2 ,a
(q, v2 ) −−→ (q 0 , v20 ) and v10 . v20 . In this case, we say that v2 simulates v1 .
Finally, ' ⊆ V (CΣ ) × V (CΣ ) is a time abstract simulation equivalence iff
there exists a time abstract simulation relation . s.t. ' = {(v1 , v2 ) | v1 .
v2 and v2 . v1 }
• ∼ is a time abstract bisimulation equivalence for the class C iff it is a symmetric
time abstract simulation for the class C.
• ≈L ⊆ V (CΣ )×V (CΣ ) is a time abstract language equivalence for the class C iff
for all A ∈ C, for all location q of A, for all (v1 , v2 ) ∈ ≈L : Untime(L(q, v1 )) =
Untime(L(q, v2 ))
We say that an equivalence relation is finite iff it is of finite index. Clearly, any time
abstract bisimulation is a time abstract simulation equivalence, and any time abstract
simulation equivalence is a time abstract language equivalence. We prove the absence
of finite time abstract language equivalence for ECA, thanks to Ainf depicted in Fig. 1:
Proposition 1. There is no finite time abstract language equivalence for ECA.
Proof. Let us assume that ≈L is a time abstract language equivalence on the class of
ECA. We will show, thanks to Ainf , that ≈L has necessarily infinitely many equivalence
classes.
→) = n
For any n ∈ N, let v n denote the initial valuation of C{a,b} s.t. v n (−
x
a
−
n →
n
and v (xb ) = 0, and let θ denote the timed word (b, 0)(b, 1)(b, 2) · · · (b, n − 1)(a, n).
Observe that, for any n ≥ 0, there is only one run of Ainf starting in (q0 , v n ) and this run
accepts θn . Hence, for any n ≥ 0: Untime(L(A, (q0 , v n ))) = Untime({θn }) = an b.
5
b
→
−
→>1
xb = 1 ∧ −
x
a
q0
b
−
→=1
x
a
q1
a
q2
Figure 1: The automaton Ainf
Now, let j, k be two natural values with j 6= k. Let sj = (q0 , v j ) and sk = (q0 , v k ).
Clearly, v j 6≈L v k since Untime(L(A, sj )) 6= Untime(L(Ainf , sk )). Since this is true
for infinitely many pairs (v j , v k ), ≈L has necessarily an infinite number of equivalence
classes. Thus, there is no finite time abstract language equivalence on the class of
ECA.
Corollary 1. There is no finite time abstract language equivalence, no finite time abstract simulation equivalence and no finite time abstract bisimulation for ECA.
4
Regions and event clocks
For the class of timed automata, the region equivalence has been shown to be a finite
time-abstract bisimulation, which is used to build the so-called region automaton, a
finite-state automaton recognizing Untime(L(A)) for all timed automata A [2]. Corollary 1 tells us that regions are not a time-abstract bisimulation for ECA (contrary to
what was claimed in [3]). Let us show that we can nevertheless rely on the notion of
region to build a finite automaton recognizing Untime(L(A)) for all ECA A.
Regions Let us fix a set of clocks C ⊆ CΣ and a constant cmax ∈ N. We first
recall two region equivalences from the literature. The former, denoted ≈cmax , is the
classical Alur-Dill region equivalence for timed automata [2] while the latter (denoted
≈∠
cmax ) is adapted from Bouyer [6] and refines the former:
• For any v1 , v2 ∈ V (C): v1 ≈cmax v2 iff:
(C1) for all x ∈ C, v1 (x) = ⊥ iff v2 (x) = ⊥,
(C2) for all x ∈ C: either v1 (x) > cmax and v2 (x) > cmax , or dv1 (x)e =
dv2 (x)e and bv1 (x)c = bv2 (x)c,
(C3) for all x1 , x2 ∈ C s.t. v1 (x1 ) ≤ cmax and v1 (x2 ) ≤ cmax : hv1 (x1 )i ≤
hv1 (x2 )i if and only if hv2 (x1 )i ≤ hv2 (x2 )i.
• For all v1 , v2 ∈ V (C): v1 ≈∠
cmax v2 iff: v1 ≈cmax v2 and:
6
(C4) For
or v1 (x2 ) > cmax
: either we have
± all x1 , x2±∈ C s.t. v1 (x1 ) > cmax
v (x1 ) − v (x2 ) > 2 · cmax and v ± (x1 ) − v ± (x2 ) > 2 · cmax ; or we
1
2
1
2
have bv1± (x1 )−v1± (x2 )c = bv2± (x1 )−v2± (x2 )c and dv1± (x1 )−v1± (x2 )e =
dv2± (x1 ) − v2± (x2 )e.
Equivalence classes of both ≈cmax and ≈∠
cmax are called regions. We denote by
Reg (C, cmax ) and Reg∠ (C, cmax ) the set of regions of ≈cmax and ≈∠
cmax respectively. Fig. 2 (a), (b) and (c) illustrate these two notions. Comparing (a) and (b)
clearly shows how ≈∠
cmax refines ≈cmax by introducing diagonal constraints between
clocks larger than cmax . Moreover, (c) shows why we need to rely on v1± and v2± in
C4: in this case, C contains an history and a prophecy clock that evolve in opposite
directions with time elapsing. Thus, their sum remains constant over time (hence the
2 · cmax in C4).
Observe that, for any cmax , and for any finite set of clocks C, Reg (C, cmax ) and
Reg∠ (C, cmax ) are finite sets. A region r on set of clocks C is initial (resp. final) iff
it contains only initial (final) valuations.
Regions are not a language equivalence Since both notions of regions defined
above are finite, Corollary 1 implies that they cannot form a language equivalence
for ECA. Let us explain intuitively why it is not the case. Consider Reg P{a,b} , 1
and the two valuations v1 and v2 in Fig. 2 (a). Clearly, v1 can reach the region where
−
→ = 1 and →
−
→ > 1 and →
−
x
xb > 1, while v2 cannot. Conversely, v2 can reach −
x
xb = 1
a
a
but v2 cannot. It is easy to build an ECA with cmax = 1 that distinguishesbetween
those two cases and accepts different words. Then, consider Reg∠ P{a,b} , 1 and the
−
−
→) = 4
valuations v 3 and v 4 (not shown in the figure) s.t. v 3 (→
xb ) = v 4 (→
xb ) = 1, v 3 (−
x
a
−
→
and v 4 (xa ) = 5. It is easy to see that for Ainf in Fig. 1: Untime(L(Ainf , (q0 , v 3 ))) =
{bbba} =
6 {bbbba} = Untime(L(Ainf , (q0 , v 4 ))), although v 3 and v 4 belong to the
same region. Indeed, from v 3 , the (q0 , q0 ) loop can be fired 3 times before we reach
−
→ = 1 and the (q , q ) edge can be fired. However, the (q , q ) loop has to be fired 4
x
a
0 1
0 0
→ = 1 and the (q , q ) edge can be fired. Remark that
times from v 4 before we reach −
x
a
0 1
these are essentially the same arguments as in the proof of Proposition 1. These two
examples illustrate the issue with prophecy clocks and regions. Roughly speaking, to
keep the set of regions finite, valuations where the clocks are too large (for instance,
> cmax in the case of Reg (C, cmax )) belong to the same region. This is not a problem for history clocks as an history clock larger than cmax remains over cmax with
time elapsing. This is not the case for prophecy clocks whose values decrease with time
elapsing: eventually, those clocks reach a value ≤ cmax , but the region equivalence is
too coarse to allow to predict the region they reach.
Region automata Let us now consider the consequence of Corollary 1 on the notion
of region automaton. We first define two variants of the region automaton:
Definition 1. Let A = hQ, qi , Σ, δ, αi and R be a set of regions on V (CΣ ). Then, the
existential (resp. universal) R-region automaton
of A is the finite
transition system
R
R
s.t.:
RA(∃, R, A) (resp. RA(∀, R, A)) defined by QR , QR
,
Σ,
δ
,
α
i
1. QR = Q × R
7
region.
is C
nots.t.
a problem
for history clocks thatvremain
cmax
once
a(x ) ≤ cmax and
(C3) the
forsame
all
, )�
xThis
∈
vx�v
)over
≤
cmax
(x
)�1≤
(C3)
for
all
x
s.t.
v1and
(x
)cmax
≤
2if
1all
1 x)�∈
1 (x
1
1∈
v
(x
)
>
cmax
and
v1Let
(x
)C
−(x)
vC2Σ>
(x
) 1>
1: ,�vx
22and
(C2)
for
C:
either
v
(x)
>
cmax
v2⊆
,cmax
orcm
�v
�v1x(x1larger
and
only
if
(x
≤
�v
(x
)�.
1
2
2cmax
Fig.
1.
Automaton
A
.
2−
2
1
2
2
→
Regions
C
∈
inf
1
they become
than
this
value
(unless
they
are
reset).
This
is
however
not
the
case
xand
a
∠
�v
(x
)�
if
only
if
�v
(x
)�
≤
�v
(x
)�.
1 any
2 −
2≈ 11
2 v12 ≈cmax v2 and:
→
–forFor
v
,
v
∈
V
(C):
v
v
iff:
1
2
1
2
prophecy
clocks
whose
value
decrease
with
time
elapsing:
eventually,
those
clocks
xa1
cmax (x)�
�v
(x
)�
if
and
only
if
�v
(x
)�
≤
�v
∠ �v
�v
(x
)
−
v
(x
)�
and
�v
(x
)
−
v
(x
)�
=
�v
1
2
2
1
2
and
=
�v
(x)�,
1v2 v(x2 and:
2 cmax
2 let
1 �v(x)�
1 2− v(x) an(
– For(C4)
any vvalue
∈cmax
v1is2≈
we
�vv1(x)�
11, vany
2≤
1 ≈
cmax
cmax
1
xV1 ,(C):
x,2but
∈vthe
C
s.t.
v1equivalence
(xv112) iff:
> cmax
or
>
: either
(x11 ) −=
reach aFor
region
too
coarse
to predic
pre- 1
1 to2 )allow
−
→
→
(C4) cisely
For which
any
x2(C3)
∈−
s.t.
v1v(x
>− cmax
or
(x2 )s.t.
>orcmax
either
vV
x–
v) )2−we
∈
(C):
≈∠
v)2 ≤
iff:cm
v1
For
v(x
1
1 (x
1) − v
b v1cmax
xC
1 :,11
1 region
they
will
reach.
b
for
x(x
C
v�v
cmax
and
v1∠
(x1equivalen
v1 (xx2region
), >
cmax
and
(x1 1))x
>
;any
(x
v≤
cmax
2all
2−
1 (x
2 )� = two
Then,
recall
→
1 ,v(x
22 )>∈
11(x
−
→
x
b
v
(x
)
>
cmax
and
v
(x
)
−
v
)
cmax
;
or
�v
)
−
v
(x
)�
=
1
1
x
1 cmax
2
2
1
2
2
1
1
1
2
b
Regions
and
event
clocks
Equivalence
classes
of
both
≈
and
≈
are
ca
Regions Let C ⊆ CΣ 4and
∈
N.
For
all
valuation
v
∈
V(C),
for
all
x
∈
H
,
Regions
Let
C
⊆
C
and
cmax
∈
N.
For
all
valuation
�v2 (x1 ) − v2 (x2 )� and �v1 (x1 ) − v1 (x2 )�(C4)
= �v2 (xFor
vany
(x2 )�x1 , x2 cmax
1 ) −Σ
2Σ
s.t. v1 (x
cmax
1) >
�v�vP11Σ(x
if1�v(x)�
and
only
if−
(x
�v2∈(xC
1))�
�v
(xautomata
v21for
(x
)� now
and
(x
−
v
(x
−onAlur-Dill
(xnotio
)� of≤ region
equivalence
forcma
tim
2the
2vthe
12)�
2 )�.
1) −
1
2 )� =
2 (x
1 )�v
2∠
Region
Let2all
us
consequence
of �v
corollary
2�v(x)�.
we let �v1 (x)� = �v(x)�
−2 v(x)
and
x ∈consider
, we
let
=
v(x)
∠
we
let
�v
(x)�
=
�v(x)�
−
v(x)
and
for
all
x
∈
P
,
∠
Reg
(C,
cmax
)
and
Reg
(C,
cmax
)
the
set
of
regions
of2
1
Σ
Equivalence
classes
of
both
≈
and
≈
are
called
regions.
We
denote
by
region
automaton.
We
first
define
two
variants
of
the
region
automaton:
v
(x
)
>
cmax
and
v
(x
)
−
v
(x
cmax
1regions.
2 Bouyer
2 v21 and:
2 we
∠V
Then, we recall two Equivalence
region equivalences
the
litterature.
former
, vand
∈
(C):
vthe1 classical
≈
v∠2 [2],
iff:[3]
v1that
≈of
– from
For
any
vcmax
`cmax
` iscalled
´by
and
refines
the former
1in
2´The
cmax
classes
of both
≈
≈
are
We
denote
by
cmax
∠
∠defined
A
classical
notion,
the
setting
of
timed
automata
is
region
equivcmax
Fig.
2.
The
sets
of
regions
Reg
P
,
1
and
Reg
P
,
1
.
{a,b}
{a,b}
Reg
(C,
cmax
)
and
Reg
(C,
cmax
)
the
set
of
regions
of
≈
and
≈
respec´and R
`set
´two
Alur-Dill regionReg
equivalence
for
automata
[1]
while
the
been
defined
we
recall
equivalences
litteratu
∠ �Q, q`i , Σ,
cmax
∠
tively.
Observe
that,
for
any
,2and
for
any
finite
o
Definition
3.timed
LetReg
A
=
δ,)Then,
α�
be
aregions
regions
oncmax
(Cand
).)Then,
(x
(x
)�) or
and
)for
−
vset
Σ1
(C,
cmax
) That
and
(C, cmax
set
≈�v
≈
respec12(x
1>
1 (x
(C4)
xfor
,ofany
x∠latter
∈ofishas
C
v2Vregion
)−cmax
>v(C,2cmax
vfrom
(x
)the
cmax
Fig.
2.
The
sets
of that,
regions
Pcmax
, ,1the
and
Reg
Pfinite
,set
1of.s.t.
cmax
1
2
1 (x
1Reg
1�v
{a,b}any
{a,b}
alence.
equivalence
relation,
whose
equivalence
classes
are
called
regions
is,
tively.
Observe
forReg
anyFor
and
of cmax
clocks
C,
cmax
by Bouyer [3] and
refines
the
former:
the
existential
(resp.
universal)
R-region
automaton
of
A
the
finite
transition
system
∠
� finite
tively. Observe
, and
for any
set of
clocks
Reg
(C,
cmax
Alur-Dill
equivalence
automata
∠ that, for any cmaxand
R
R region
Rcmax
–C,
any
vtimed
∈
V (C):
v[1]
≈1wh
(C,
).
The
difference
≈
and
2 property
1�v
cm
RA(∃,
R,(C,
A)of
(resp.
RA(∀,
R,v
A))
defined
by
Q
,Q
, Σ,
δ R , α≈
s.t.:
>the cmax
and
v∠�∠cmax
(x
)For
−
vfor
(x
),)vbetween
>
cmax
;iscmax
or
(x∠
and
cmax
). The
difference
between
≈
and
can
be understood
∠Reg
the
class
time
automata,
aReg
finite
time
bisimulation
exi abstract
cmax
1 (x
2 )between
2
1
2[2].
21This
and
Reg
(C,
cmax
).
The
difference
≈
and
≈
can
be
understood
– For any vare
,
v
∈
V
(C):
v
≈
v
iff:
cmax
∠ by Bouyer [3]
1 finite
2
cmax 2
cmax
sets. theR1example
Equivalence
classes
of
both
≈
and
≈
∠
cmax
and
refines
the
former:
from
in
Fig.
2:
≈
is
finer
because
it
introduces
diagonal
constraints
(C1)
for
all
∈=C,�v
v21(x
(x)
= ⊥2 (x
ifc
∠ from
example
inwhich
Fig.
≈−constraints
isx)�finer
because
1.
Q ==to
Q iff
×
build
a2:so-called
region
is2:a )finite
whose
�v
(x
) the
−because
vautomaton,
(x2itthan
)�introduces
and
�v
(x
v1state
(x
the
example
inRvFig.
is 1
finer
diagonal
(C1) forare
all finite
xfrom
∈ C,
vploited
(x)
⊥
=≈⊥,
cmax
2 (x)
2cmax
1 ) −itvintr
sets.
cmax
∠2automaton,
R
on 1the
pairs
of clocks
s.t.
one
of
theinitial
clocks
is 2larger
cmax
. 1 ) 1
2.
Q
=
{(q,
r)
|
q
∈
q
and
r
is
an
region}
Reg
(C,
cmax
and
Reg
(C,
cmax
)
the
set
of
i
the
pairs
of
s.t. oneand
ofand
the
clocks
islanguage
larger
than
. s.t.
(C2) for
all xon
∈are
C:not
either
(x)are
> equivalence
cmax
v
> both
cmax
, or� of
�v
(x)�
= untimed
�v
(x)�
iv1 clocks
�(x)
2on
1clocks
2defined
(C2)
∈ original
C:
vthan
>
Regions
a language
Since
notions
of
regions
above
the
pairs
onelanguage
offor
theallclocks
is either
larger
locations
regions,
whose
iscmax
the
ofxthe
timed
1 (x)cm
R
3. δ(x)�,
⊆ QR × Σ �→ QR is s.t. (q1 , r–
(q2 , rany
there
exists
a valuation
1 ), a,
2 ) ∈ δviff ,
For
v
∈
V
(C):
v
≈
v
iff:
∠
and
�v1are
(x)�
=a�v
2 3 implies
1
2
1
cmax
2
Regions
not
language
equivalence
Since
both
notions
of
regions
defined
above
are finite,
Corollary
that
they
can’t
form
a
language
equivalence
for
ECA.
Let
≥0
tively.
Observe
that,
for≈�v
any
cmax
,�v
and
for
any
Equivalence
classes
of
≈
are
region
(resp.
valuations)
v1 ∈ rautomaton
exists
time
delay
tboth
and
a valuation
automaton.
The
regions
in turn,
be
used
to and
decide
several
properties
on
and
= called
cmax
1 , there
cmax
1 (x)�
2 (x)�,
(C3) are
for
all xCorollary
C
s.t.forv1all
(x
≤
cmax
and
) a can,
≤
cmax
: ∈�vRfor
1 , xcounter-examples
2 ∈ 3
1 (xECA.
1 )� ≤
usfinite,
consider
explain
why
it1 (x
is 1not
the
case.
implies
that1 )that
they
can’t
form
a vlanguage
equivalence
Let
t,a
(C1)
for
all
x
∈
C,
v
(x)
=
⊥
iff
v
(x)
=
⊥,
∠
(a)
∠
1
2
v
∈
r
s.t.
(q
,
v
)
−
−
→
(q
,
v
).
2 (x 1)� 1≤such
2
2language emptiness.
as
−
→and (C,
�vconsider
andtimed
only�2Rifautomata,
�v
�v2cmax
(x
Regcmax
(C,−
). The
1 (x2 )� ifcounter-examples
2 Reg
1� explain
2 )�.
(C3)
for
all regions
xdifference
∈≈
Cbetween
s.t. van
(C,
and
Reg
)cmax
the set
of
us
that
why
it is)not
thex→
case.
x
1 , x2 of
1(
cmax
a
→
∠ r) | q ∈ α and r is a final region}−
4. α v
=≈
{(q,
a for
– For any– vConsider
(C):
v
iff:
v
≈
v
and:
(C2)
all
x
∈
C:
either
v
(x)
>
cmax
and
v
(x)
>
P
,
1
and
the
two
valuations
v
and
v
s.t.
v
(
x
)
=
1.1,
−
→
−
→
1 , v2 ∈ V Reg
1
2
1
cmax
2
1
2
1
a
∠
{a,b}
1
2
cmax
As
shown
in
Corollary
2,
and
contrary
to
what
is
claimed
in
the
seminal
paper
on
�
�
x
x
�
�
from
the
in�vFig.
is clocks
finer
av (x
bthat,
(x22:
)� ≈
ifcmax
and
if �vbec
(x
−
→
Observe
for
any
cmax
, and
for
finite
set only
of
−
→ valuations
→
→
−
→
R
1any
2C
(C4) For
any
∈ PC
s.t.
(x
>
cmax
)v1>and
cmax
either
vaexample
x
2 1.2,
1,)Σ,
1 1.1
2automaton
1)(x=
1) −
→
– Consider
Reg
,av1R)1,tively.
and
the
vand
s.t.
1.1,
v1 (−
xxb1), x
=
v2=
(−
x
=
and
xor
=
Let
R{a,b}
Q
Q
δ R−
,atwo
αvR
w
bevan
(untimed)
word
on
2 :�v
1 (x
2a (be
ba)region
i 1.2
x
and
(x)�
=
�v
(x)�,
ECA
[4],
regions
do
not
form
a
finite
time
abstract
bisimulation
for
ECA.
However,
1
2
∠
1 �v (x
1−
∠
−
→
−
→
→
∠
v1 (x
)
>
cmax
and
v
(x
)
−
v
(x
)
>
cmax
;
or
)
−
v
(x
)�
=
1
run
on
w =1Reg
.(C,
wn1.1
is cmax
a finite1 sequence
rn1 of states
Rbetween
s.t.: any
2 R1.2
1 and
1 r0the
1r1 . . .pairs
2 of
on
s.t.v1one
clocks
is cm
la
, vcmax
∈ the
Vand
(C):
v1 ≈
–ofclocks
For
v12(xb ) = 1.2,Σ.v2A(x
=
vw221(wx22b .). =
a ) of
2 of
and
).
The
difference
≈
≈cmax
ca
Rto)�
In1 )the
timed
automata,
classical
technique
solve
several
problems
�v2 (x
− vsetting
and
�vnot
(x
) 0−≤vi1that
(xan2 )�
=
−
v∈2δ(x
for
all
x
,
x
∈
C
s.t.
v
(x
)
≤
cmax
and
v
r20)�
∈of
QR
all
≤
−
1:
(r�v
w
ri+1
.2Such
a→
run
is 2
accepting
iffECA.
−
this
does
regions
are
not
useful
for
analysing
We
address
this
issue
←
−
2 (x
1for
1mean
2 (x
1, )
i ,(C3)
i+1
1
1
1
i and
−
→
−
→
x
b
∠
x
−
→
x
b
R
x
b
(C4)
For
any
x
,
x
∈
C
s.t.
v
(
b
xbw istechnique
1
2
1
rnof
∈timed
α (in automata,
that
case,
we
say
that
accepted
by
R).
The
language
L(R)
of
R
is
the
from
the
example
in
Fig.
2:
≈
is
finer
because
it
introduces
dia
(such
language
emptiness
or
CTL
model-checking)
consists
in
analysing
the
correIn the
settingin
a
classical
to
solve
several
problems
cmax
∠ by
1 (i) called
1
the
present
section,
recalling
two
notions
of
regions
from
the
literature,
(ii)
�v
(x
)�
if
and
only
if
�v
(x
)�
≤
�v
(x
)�.
Equivalence
classes
of
both
≈
and
≈
regions.
We
denote
by
1 by are
1
1
2
2
1
2
2
cmax
cmax
set
of
all
untimed
words
accepted
R.
sponding
region
automaton
[1]. Roughly
speaking,
the region
automaton
is
a finite au(such
language
emptiness
oron
CTL
model-checking)
consists
in analysing
the
correvis
cmax
and
∠
1 (x
2 ) >than
the
pairs
s.t.
one
the
clocks
larger
cmax
.a v2 (x
∠
Reg (C,sponding
cmax
) and
Reg
(C,
) Roughly
the
setalphabat
of
regions
ofFor
≈explain
and
≈,∠
respecexposing
counter-examples
that
intuitively
why
these
notions
do
not
form
Let Acmax
be
ECA
with
Σof
and
maximal
constant
cmax
.of
Thus,
the
region
aucmax
−
→
−
→
cmax
tomaton
whose
states
arean
regions,
and
whose
transitions
correspond
to
the
transition
←
−
v
∈
V
(C):
v
≈
v
iff:
v
≈
–clocks
v
region
automaton
[1].
speaking,
the
region
automaton
is
a
finite
au1
2
1
2
1
cmax
1 any
cmax
xtoa´C,
xbRegReg
tomaton
as defined
forfor
timed
automata
[2]
(C
�v
tively. Observe
that,
forstates
any are
cmax
, and
any
finite
setcorresponds
of
(C,
) )´x
`clocks
´RA(∀,
`cmax
´, bA).
Σ , cmax
2 (x1 ) − vbe
2 (x
2 )� and �v1 (
`(iii)
∠` transition
time
abstract
bisimulation
and
showing
that
regions
can
nevertheless
exploited
tomaton
whose
regions,
and
whose
transitions
correspond
to
the
∠
FORMATS
11
paper
May
27,
2011
Page
8
of
15
Fig.
2.
The
of regions
Reg
P∠{a,b}
andthree
Reg
,∈
(C4)
For
any
xfollowing
,P{a,b}
x{a,b}
Fromdifference
now
on,2.
we
denote
itofRegAut
WeP≈
also
study
the
Fig.
The
setssets
regions
Reg
, 1, 1can
and
Reg
11 ..C s.t. v1 (x1 ) >1 cmax or v1 (x
1P
21 ,variants:
{a,b}
∀ (A).
and Reg∠ (C, cmax ). The
between
≈
and
be
understood
cmax
cmax
∠(b)
∠
FORMATS
11
paper
- (ii)
May
27,
- Page
8any
of26ECA
15minutes
Time
to accepts
submission:
22011
days
7 Reg
hours
to
build
a
finite
automaton
that
Untime(L(A)),
for(C
(i)
RegAut
(A)
=
RA(∀,
Reg
(C
,
cmax
)
,
A),
RegAut
(A)
=
RA(∃,
) , A)A.
∠∀
Σ
Σ , cmax
∃
from the example in Fig. 2: ≈cmax−
is∠ finer
because
it∠introduces
diagonal
constraints
v
(x
)
>
cmax
and
v
(x1 )classes
− v2 (xof2 )both
> cm
Time
to submission:
2
days
7
hours
26
minutes
→
−
→
1
2
2
Equivalence
≈c←
x−
and (iii) RegAut
(A)
=
RA(∃,
Reg
(C
,
cmax
)
,
A).
Observe
that,
for
timed
auΣ
←
−
a∃ xb is larger than cmax
on the pairs of clocks s.t. one of thexclocks
.
{
xa (x1 ) − v1∠
tomata
thesesets.
four region automata accept the untimed
language
proved
−-rcan
vaPage
(x
)�ofbyand
= �v
are finite
1 )(this
2be
28(C,
2 )�cmax
areRegions
finite
sets.
- May
27,
15 �v1
Reg
cmax
) and
(C,
LetFORMATS
us fix a11
se paper
of clocks
C�v
⊆2 (x
C2011
and
constant
cmax
∈
N. WeReg
first(x
recall
1
2
−
→ 1
1
1
1
1
1
2 to ECA.
Σ
a bisimulation argument)
us see how
these
results
adapt
not)
FORMATS[2].
11Letpaper
- May
27,
2011
- (or
Page
8 of 15
←
−
Time to submission: 2 daysr27 hours 26 minutes 1
←
xbAlur-Dill
two
equivalences
from the
litterature.
The
former
isdefined
the
classical
region
Time
to equivalence
submission:
2 Since
days
7
hours
26 of
tively.
Observe
for ≈
any
∠ cmax ,
rminutes
Regions
are anot
a language
equivalence
both
notions
of
regions
defined
above
x−b that,
3 regions
Regions
areregion
not
language
Since
both
notions
above
Equivalence
classes
of
both
≈
and
are
Recognised
language
of universal
region automata
Let us
show that
universal
region
r
cmax
−
→
3
cmax
1
2 timed
∠
xthat
1Let
areequivalence
finite,
Corollary
3
implies
that
they
can’t
form
a
language
equivalence
ECA.
Let
a automata
are finite,
Corollary
3
implies
they
can’t
form
a
language
equivalence
for
ECA.
for
[2]
while
the
latter
has
been
defined
by
Bouyer
[8]
and
automata do not recognize the untimed language of the ECA .
r
and
Reg
(C,
cmax
).
The
differenc
∠
4
rit
2 is
usrefines
consider
counter-examples
that
explain
why
not
the
case.
r
r
us consider
counter-examples
that
explain
why
it
is
not
the
case.
Reg
(C,
cmax
)
and
Reg
(C,
cmax
)
the
set
of
regions
2
4
`
´ ∠
−
→ the former:
←
x
a
x−b2. The
r5 from
the
example
infor
≈and
←
− 2:
�
� �
r1 r3 r3 rFig.
sets
of−
regions
Reg
PFig.
, 1finite
Re
1�
cmax
1
{a,b}
→
x
tively.
Observe
that,
for
any
cmax
,
and
any
se
a
5
– Consider
P{a,b}
twovaluations
valuations
and vv22 s.t.
s.t. vv11(xa ) 1=
– Consider
Reg Reg
P{a,b}
, 1 , 1andand
thethe
two
v1v1and
= 1.1,
1.1,
1
1
on
the
pairs
of
clocks
s.t.
one
of
the
−
→
r
–
For
any
v
,
v
∈
V
(C):
v
≈
v
iff:
−
→
−
→
−
→
−
→
−
→
−
→
4
∠
r1.1
2a )First
2 is obtained by taking the automaton in Fig.
consider
ECA
A
2 (c),
→
4 which
x
1
xb1.2,
) =−
va2 )(consider
x1.
= 1.2
(x
)cmax
=
v1 (xbv)1 (=
v2First
(x1
=
1.2
and
v2 (vx2A1the
)bwhich
1.1
x1.
b=
b1.2,
the and
ECA
is
obtained
by taking
the
automaton
in Fig. 2 (c),
and
(C,
cmax
).
The
difference
between
≈cmax a
7bReg
removing
�1 =
from
locations,
adding a fresh initial location �0 and an
rthe
(C1) 1 for all
x
∈
C,
v
⊥
v
(x)
=
⊥,
1 (x)
5iffrinitial
1
2
←
−
removing �1 from the initial locations,
adding
a fresh
initial location
�0 and an
5
∠
←
−
−
→
→
−
{xa
edge
(� from
, c,aψ,
)the
with
ψcmax
= x→
> to1to
∧
1.2:
Now,
assume
is an edge
In the
setting
of timed
automata,
classical
technique
solve
problems
x(x)
example
in
Fig.
≈
is
finer
because
it in
In(C2)
the setting
of xtimed
automata,
a�1classical
technique
solve
several
problems
→
ba >several
cmax
C:
>
and
>
, isoran�vthere
edge
(�∈
, �c,
ψ,either
�1A)0�which
withvψ
=� −
x
1∧−
xabthe
>automaton
1.v2
Now,
there
edge
1. for
Firstall
consider
ECA
is
by taking
inassume
Fig.cmax
2 (c),
1 (x)
1 (x)� = �v2 (x)�
0the
a >
�obtained
�
(such(such
language
emptiness
or
CTL
model-checking)
consists
in
analysing
the
corre(�
,
r),
c,
(�
,
r
)
in
RegAut
(A)
where
r
is
initial.
Because
of
the
guard
on
the
language
emptiness
or
CTL
model-checking)
consists
in
analysing
the
correare
finite
sets.
0
1
�´ A which
1. First
consider
ECA
is`obtained
by
taking
automaton
Fig.
2 (c),
1the
1
`1 from
´∀ clocks
removing
the
initial
aof
fresh
initial
location
�0one
and
an
(�0 ,�r),
c,the
(�=
) on
in locations,
RegAut
(A) where
r is
initial.
Because
ofin
the
guard
on
−
→
→
the
s.t.
of
the
clocks
larger`than
1 , r�v
∀adding
→) > is
�−
�is
�the
∠
and
�v
21 pairs
1Roughly
3
4 automaton
1c,(x)�
2=(x)�,
→
→
x
x
sponding
region
automaton
[1].
Roughly
speaking,
the
region
finite
auedge
�0−
to
�speaking,
in
A,
all
valuations
in
rthat
are
such
that
vand
(−
x
1 and Reg P
Fig.
2. The
sets
of region
regions
Reg
,to
1from
and
Reg
P−
,1.
1the
. region
→and
sponding
automaton
[1].
the
automaton
avThe
finite
auavFig.
b an
�fresh
� initial
��0−
aregions
removing
�ψ,
from
the
initial
locations,
adding
a
location
an
{a,b}
1P{a,b}
2.
sets
of
edge
(�
,
�
)
with
ψ
x
>
1
∧
x
>
Now,
assume
there
is
edge
0
1
a
b
edge
from
�
�
in
A,
all
the
valuations
v
in
r
are
such
(
x
)
>
1
{a,b
1 In −
a
�
the
setting
of
timed
a classical
techniqu
��0−
→
→
−
tomaton
whose
states
regions,
whose
correspond
to
the
transition
()2→
xinThen,
>ψ
1.∀=
Then,
we
seen
above,
and
illustrated
by the
v1
→
(C3)
for
∈and
Cand
s.t.
v>1astransitions
(x
≤
cmax
and
vautomata,
(xby
cmax
:v1�vand
tomaton
whose
whose
correspond
to
� are
edge
(�
c,
with
x
1seen
∧
xhave
> Because
1.
Now,
there
is)the
an≤vedge
,vall
r),
(�
,,rv��x
)regions,
(A)
rtransitions
is1 )
initial.
of assume
the
guard
on
the
b )RegAut
2 )� ≤
1
1as
1transition
1 (x
1ψ,
1
awhere
babove,
(0−
xc,,bx
)are
>
1.
as
we
have
and
as
illustrated
and
v
� (�0states
�
1
2
(c)
→) > 1 and�
�
� −
�1 in (such
edge
from
to,valuations
A,RegAut
all in
theFig.
valuations
vit
inisrr�not
suchcase
vthat
(x
(a),
v ∈exists
r� ,model-checking)
there
a time
emptiness
0 1
�all CTL
(�0 ,(x
r),
c,�(�
r�and
) Fig.
in
(A)
where
isare
initial.
Because
ofor
guard
on
the
valuations
in
2 (a),�if
it∀language
is22not
the
case
that
v � a∈for
rthe
,� there
a time
�v
if
only
�v
(x
≤
�vthe
(xthat
)�.
→
−
`
´exists
` cons
�1
2 )�
1 )�
2� for
2all
−
→
�
v
(
x
)
>
1.
Then,
as
we
have
seen
above,
and
as
illustrated
by
the
v
and
v
b
1
2
∠
delay
s.t.
(v
+ t)
satisfies
the
guard
of
the
edge
from
�
to
�
in
A.
Hence,
there
edge delay
from t�0s.t.to
�1� +
int t)
A,
all−
the
valuations
v the
in
r
are
such
that
v
(
x
)
>
1
and
are finite sets.
1
2
a
−
→
→
∠
�
�
(v
satisfies
the
guard
of
edge
from
�
to
�
in
A.
Hence,
there
�
�
1��Reg
The
sets
of
, 1 RegAut
and Reg
P{a,b}
sponding
region
automaton
Roughly
speaking,
the
reg,
Fig.V2 (a),
isFig.
the
case
thatvfor
∈
r≈
, there
a2and:
timeP
�alland
– For all
≈
{a,b}
� −
1x(A),
2ofiff:
1� regions
cmax
2[1].
avnot
b2.
is, in(C):
RegAut
no
edge
thev,vform
(�1,,r)
rexists
),,vby
c,
(�the
,and
andvthus
vvaluations
(→
xv)1 ,in
>v2in1.�∈
Then,
asitx
we
have
seen
above,
as
v1RegAut
2 , r)
2 (A)
∀guardcmax
∀ (A)
edge
of
the
form
(�
),illustrated
c,2 �in
(�
and
thus
1 �1r to
2A. Hence,
delaybis,
t s.t. RegAut
(v + t) satisfies
the
of
the
edge
from
�
there
∀ (A), no
∀
�
�(x
�all v above
are
finite
(C4)
For
all not
xSince
,Fig.
x2no
∈
C
s.t.
vthe
>
cmax
or
v,1regions,
(x2(A)
)exists
> cmax
either we
have
in1 (A),
22not
(a),recognise
itof
not
case
for
∈ sets.
rRegAut
there
a �and
time :whose
tomaton
states
are
transitions
does
Untime(L(A)).
Regions are not a language
equivalence
both
notions
of
defined
1whose
1 )� that
Untime(L(A)).
is, indoes
RegAut
edge
form
(�regions
, and thus
�valuations
� isthe
←
1 , r ), c, (�2 , r) �
∀ �recognise
∀
x−b
±
±
±
±
t
s.t.
(v
+
t)
satisfies
the
guard
of
the
edge
from
�
to
�
in
A.
Hence,
there
�
�
�
2.
Second,
consider
the
ECA
B
which
is
obtained
by
taking
the
automaton
in
Fig.
2
(d),
are finite, Corollary 3 implies that�delay
they
can’t
form
a
language
equivalence
for
ECA.
Let
1
2
does
not 1
recognise
←
−
the
by
taking
the
automaton
in
Fig.
2
(d),
v2.1 Second,
(x
) −consider
v1Untime(L(A)).
(x
> B2which
· cmax
and
v
(x
)
−
v
(x
)
>
2
·
cmax
;
or
�is obtained
�
In
the
setting
of
timed
automata,
a
classic
2 ) ECA
1
2
relation
of
the
timed
automaton,
lifted
to
regions.
The
soun
2
2RegAut (A)
xb we
inremoving
RegAut
(A),
nonot
edge
of the
form
(�1adding
, r� ), c,
, r)initial
thus2initial
from
the
initial
locations,
ainfresh
�0 and an±edge
2. is,
Second,
consider
B�±
which
is locations,
obtained
by
taking
the
automaton
Fig.
(d), �0 location
us consider counter-examples that
explain
why
it ECA
is
the
case.
2adding
1
1initial
∀ removing
∀ ±an edge
�the
a(�fresh
location
and
±
±
±, and
1 from the
→
−
−
→�(x
�vrecognise
(x�(�
),with
−
vsets.
(x−
)�ψadding
=
�v
−1.<vAssume
)�
and
�v1anrelies
(xthere
v1 edge
(x
= that
(such
or
CTL
model-chec
→
−
→
removing
�1
from
initial
athose
fresh
initial
location
and
an
edge
1)the
1∧)problems
2 emptiness
1) −
2 )�fact
does
not
1 ψ,
ton
heavily
the
a,
ψ,−
=
x
>(x
1alanguage
x
1.
Assume
is on
an
2<
2
finite
�
� have
1 )to
a0 <
(�
a,
ψ�1locations,
=
x2solve
x
that
there isthat
edge
1Untime(L(A)).
0 ,are
10
b >� 1−
�with
�Assume
→
→∧ <0b 1.
−
→<)0 that
�the
±
±
∠
(�0the
, a, ψ,two
�1 )�with
ψ
=
x
>
1
∧
0
<
x
there
is
an
edge
�
– Consider Reg P{a,b} , 1 2.
and
valuations
v
and
v
s.t.
v
(
x
=
1.1,
b
a
∠
�
Second,
consider
ECA
B
which
is
obtained
by
taking
the
automaton
in
Fig.
2
(d),
1
2
1
a
�(�0,, rr),
ofv2(�(x
form
(�RegAut
RegAut
where
is initial.
Then,Roughly
all the
�v
(xthe
)−
←
−the rThen,
←
1 , r ) in
of
, r),
) a,
in∠sponding
where
r is
initial.
alltechnique
the
∀ (B),
1
2 )�.
�a, (�1
0(�
region
automaton
[1].
speak
∀ (B),
bisimulation
for
timed
automata.
Since
this
is
nottothe
case
→
→) = 1.2 and
−
→form
x�classical
of 2the form
(�the
a,setting
in RegAut
(B),
where
r� isinitial
initial.
Then,
all
In
of
timed
automata,
solve
x−
b and
0 , r),
1� , r )� locations,
→
−
→
a
�
� −
∀
→
−
→0a
� the
� −
� 1,
removing
initial
adding
a>
fresh
location
an
edge
v1 (−
xb ) = 1.2, v2 (−
x
v
=
0v
valuations
v
in
are
such
that
(
x
)
>
<
(
x
)
<
1
and
either
(i)
a
2 (x�b1�)from
→
−
→
�1.1
�r−
� v1,
b
a
valuations
v
in
r
are
such
that
v
(
x
)
0
<
v
(
x
)
<
1
and
either
(i)
b
a
valuations v in r� −
are such−
that
v (xb ) > 1, −
0 � <−
v (xa ) �<−
1 and either (i) � −
→
→
→
→
−
→
→
→
→
��region
� −
1 and whose
−
→
−
−
→
→
→
→
tomaton
whose
states
are
regions,
�ψ,
�(x
�∧
� (−
� 1−
� −
(�v �0((such
,−
a,
�
)
with
ψ
=
x
>
1
0
<
x
<
1.
Assume
that
there
is
an
edge
→
→
−
−
→
→
−
−
→
→
−
the
automaton
construction
has
to
be
reconsidered.
1
1
b
a
�
�
�
�
v
)
<
v
(
x
)+1,
or
(ii)
v
x
)
=
v
(
x
)+1
or
(iii)
v
(
x
)
>
v
(
x
)+1.
In
the
language
emptiness
or
CTL
model-checking)
consists
in
ana
<
v (xaor
) = or
v∠((iii)
xba)+1
(iii)
(xa ) In>the
v (xb )+1.
In theb
b
a
�b )+1,
xav) (<xav)(x
(ii) vor
(x(ii)
xab )+1
v (xaor
)>
v (xvb )+1.
b )+1,
ab) �=vv ((x
→) = 0
In the setting of timed automata,
aform
classical
technique
to
solve
several
problems
� −
�
→
→
� )=
�
of
the
(�
, r),
a,it(�tois1cases,
,easy
r� )thatto
in
(B),
where
rdelay
Then,
all
the
�isno
� time
0it
←
−
∀ see
two
itthere
isRegAut
easy
that
is
s.t.
(v
+0t� )(−
x
two
former
cases,
isformer
easy
see
is
noto
time
delay
t�there
s.t.the
(v
+ timed
tinitial.
)(t−
x
0automaton,
two
former
cases,
see
that
there
is
no
time
(v
+
t
)(
x
)=
a
as.t.delay
a
relation
of
lifted
region
In
this
section,
we
revisit
the
definition
of
the to
region
a
→
−
−
→
x
�−
�region
�
�corre1 vin
2 1,a[1].
sponding
automaton
Roughly
speaking,
the
region
automa
→
→
−
(such language emptiness or CTL
model-checking)
consists
analysing
the
�
�v
�
�
→
−
�
�
valuations
in
r
are
such
that
(
x
)
>
0
<
v
(
x
)
<
1
and
either
(i)
←
−edge
a of
and
(v
+(v
t )(+
xand
in
these
two
cases, two
there
is no edge
form
+>
t 1.
)(x
) >
1.
in these
two
cases,
there
b )t >
and
)(
x1.b )Hence,
Hence,
inb� Hence,
these
cases,
there
istheno
edge is
of no
the
formof the form
b→
�� −
� (v
x
�
�
�
�
→
→
−
−
→
−
−
→
→
−
a
∠
�
�
�
�
�
��
∠is
sponding region automaton [1]. Roughly
the
region
automaton
a can
finite
au∠
�RegAut
�(1x,br)+1,
��
v (�
(tomaton
x0a, r)(�),
<0a,
vthe
(x
=in
vton
(xb )+1
or
(iii)
vfind
(xthose
)>
vcase,
(find
xproblems
In
the
)whose
in ror
In
the
third
case,
one
two
valuations
to
solve
heavily
relies
on t
a
b )+1.
of
time
successor
fortwo
regions,
a central
∀RegAut
),
a,in
(�
,(B).
r��a ))definition
RegAut
In
the
third
one
can
find
valuations
are
regions,
and
whose
transitions
correspond
, vspeaking,
r(�
),� a,(�(�
)(ii)
In
the
third
case,
one
can
two
valuations
01, ,rfuly
1states
∀ (B).
∀ (B).
→
� −
v1 and
and
vwhose
r andtransitions
two
time delays
tthat
t2 s.t.isto
(i)
for
alltransition
t�1 : (v1t�+s.t.
t�1 )(v
�≈��∠
tomaton whose states are regions,
correspond
the
1a )� =
1
2 incases,
1 and
�see
� 0∠
�
∠
� is easy
two
former
it
to
there
no
time
delay
+
t
)(
x
cmax
v1� and �v2v−
in
r and
t1 and
t2 s.t.
(i) for
all timed
t(i)
(v
t1t)1Fig.
v two
in r �time
and∠delays
twobisimulation
time
delays
t1 and
t2 s.t.
for
allautomata.
:�≈(vcmax
) �≈Since
2.t1The
sets of
region
1 +
1 and
1 +
cmax
for
this
1 : regions.
(ii)→
all
t�21.:2(vHence,
+t�2 ) �≈in
+t
on
Fig.
2to
(b).
As
(vrelation
of
the
automaton,
The
soundness
ofisthn
2 +t
2 ) and
2timed
�(v
∠1 ),cases,
and
(v
xfor
>
these
there
is
no
edge
of
the
form
�illustrated
∠∠lifted
�� 11
� as
6as
b )+t
∠), as
+t
and
for
allReg
t2 :the
(v
+t
(v
+t
illustrated
on
Fig.
2�(b).
As
(v�2 +
) and
(ii)
for
all
:�≈0two
(v
+t
)Reg
(v
+t
illustrated
on
Fig.
2
(b).
As
(v
�a consequence
� 2no(a)
�� 1 ), P
Figure 2: The
sets
oft2 ))(
regions
Pcmax
,r2� ),(b)
,
1
and
(c)
2form
1�≈
2��(ii)
1
1
cmax
2t),2(�
{a,b}
{a,b}
cmax
2�(�
there
is
edge
of
,
a,
,
r
)
in
RegAut
(B),
�
∠
�
1
∀ two valuations
(�ton
∠ has to be rec
�automaton
), to
a, ∠(�solve
) there
in those
RegAut
(B).
Inthe
the
third
case,
find
�� ∠ (B),
region
construction
0 ,ar consequence
1a, r
∀ problems
isthe
nothere
edge
form
(�
rone
),the
a,can
(�valuations
,, rr��� ),
) a,in(�
RegAut
relies
on
fact that
consequence
isofthe
no
edge
of heavily
the0 , form
) ∀in RegAut
1 , r ∠the
∀ (B),regions ar
RegAut
(B)
not recognise
Untime(L(B)).
Reg∠ C{a} , 1vthus
. and
Dotted
show
trajectories
followed
by
� does
�10
� with
∀arrows
v
in
r
and
two
time
delays
t
and
t
s.t.
(i)
for
all
t
:
(v
+
t
)
≈
�
∠
1
2
1
2
1
∠ not recognise
`
´ of t
cmax
1
1
thus
RegAut
(B)
does
Untime(L(B)).
thus∀are
RegAut
not
recognise
In regions.
thisUntime(L(B)).
section,
we is
revisit
thecase
definition
time elapsing. Curved
arrows
used
to(B)
refer
to∠selected
� ∀
� does
bisimulation
for
timed
automata.
Since this
not the
for ECA,
Fig. 2. The sets of regions Reg P
and (ii)offor
all t2 : (vregion
) �≈cmax (v
illustrated
As
(v2 +t2 )language
2 +t2 automata
Recognised
existential
Fortunately,
definition
of Fig.
ex- 2 (b).
� 1 +t1�), asthe
� on
{a,b}
∠
��
aRecognised
consequence
there
is
no
edge
of
the
form
(�
,
r
),
a,
(�
,
r
)
in
RegAut
(B),
0
1
istential
region automaton
allows
us
to
re-obtain
a
finite
transition
system
recognising
∀
language
of
existential
region
automata
Fortunately,
the
definition
of
exRecognised
language
of
existential
region
automata
Fortunately,
the
definition
of
ex∠
exactly
Untime(L(A)),
for
all not
ECArecognise
A. Remark
that this construction is direct, conthus
RegAut
does
Untime(L(B)).
∀ (B)
istential
region
automaton
allows
us to
re-obtain
are-obtain
finite transition
system
recognising
istential
region
automaton
allows
us
to
a
finite
transition
system
recognising
trary to the original construction [3] that consists in first translating the ECA into a
exactly Untime(L(A)),
for recognising
all ECA
Remark
this construction
is direct, conexactly
Untime(L(A)),
forA.
all
ECA timed
A.that
Remark
this an
construction
is direct, connon-deterministic
timedof
automaton
the same
languagethat
but
Recognised
language
existential
region
automata
Fortunately,
the with
definition
of ex-into a
trary
to
the
original
construction
[3]
that
consists
in
first
translating
the
ECA
increased number
of clocks
the original ECA,
computing
the re-translating
trary
to thecompared
originaltoconstruction
[3] and
thatthen
consists
in first
the ECA into a
istential
region of
automaton
allows
us to
re-obtain
a finite
system
recognising
timed
automaton
recognising
thewetransition
same
timed
language
with anbut with an
gionnon-deterministic
automatonnon-deterministic
this timed
automaton.
Moreover,
the proof
are about
present
timed
automaton
recognising
the tosame
timedbut
language
8 A.
exactly
Untime(L(A)),
for
all
ECA
Remark
that
this
construction
is
direct,
concannot
invoke the
fact
that
regions
form
a
time-abstract
bisimulation,
as
it
is
the
case
increased
number
of
clocks
compared
to
the
original
ECA,
and
then
computing
the
reincreased
number of[3]
clocks
compared
to
thetranslating
original ECA,
and then
computing
the retrary
to the
original
construction
thatonconsists
inproof
first
the
ECA
into
a
for timed
automata,
and
thus
need automaton.
to rely
different
techniques.
Actually,
gion
automaton
ofwe
this
timed
Moreover,
the
proof we
are
about
toare
present
gion
automaton
of
this
timed
automaton.
Moreover,
the
proof
we
about
to present
we will
show
that:
non-deterministic
timed
automaton
recognising
the
same
timed
language
but
with
an
cannot invoke the fact that regions form a time-abstract bisimulation, as it is the case
1
, 1 and R
sets.
fuly the definition
of
successor for region
the region automaton construction
hasare
to finite
be time
reconsidered.
In the of
setting
of timed
automata
In this section, we revisit the definition
the region
automaton,
(such
or CTL
fuly the definition
timesets.
successor
forlanguage
regions, aemptiness
central notion
in t
areoffinite
sponding region automaton [1]. Rou
In the setting of timed automata, a classical techniq
tomaton whose states are regions, a
(such language emptiness or CTL model-checking) co
relation
of the
timed automaton,
lifte
cannot
invokecompared
the fact that
regions
form
a time-abstract
bisimulation,
the case
increased
number
of clocks
to the
and then
computing
theActually,
re- as it is speaking,
for
timed
automata,
and
we(A))
thus
tooriginal
rely
onECA,
different
proof
techniques.
sponding
region
automaton
[1].
Roughly
the
re
Untime(L(A))
⊆ L(RegAut
⊆need
L(RegAut
(A))
⊆ Untime(L(A))
(1)
for
timed
automata,
and
we
thus
need
to
rely
on
different
proof
techniques.
Actually,
gion we
automaton
of that:
this timed automaton. Moreover, the proof
we are
about
to present
ton
to
solve
those
problems
heavily
will show
weinequalities
will
that:
tomaton
whose transition
cannot
fact show
thatare
regions
form awhose
time-abstract
as, tit)is
The twoinvoke
leftmostthe
easily established.
Let (q , v states
)(wbisimulation,
, t )(qare
, v )(wregions,
· · ·the
(q ,case
v and
)
bisimulation
for
timed
automata. Si
∠
be
an
accepting
run
of
A
on
θ
=
(τ,
w).
Thus,
θ
∈
L(A).
For
all
0
≤
i
≤
n
let
r
be
the
for timed automata,
and we
thus need ∃toof
relythe
on L(RegAut
different
proof
Actually,
Untime(L(A))
⊆relation
L(RegAut
(A))
⊆
(A))techniques.
⊆ Untime(L(A))
(1)
∠
∃
timed
automaton,
lifted
to
regions.
The so
Untime(L(A))
⊆ L(RegAut
(A))
⊆
L(RegAut
(A))
⊆
Untime(L(A))
(1)
∃
∃
we will show that:
the region
automaton construction
h
∠
∃
∃
0
0
0
0
1
1
1
i
1
n
n
2. QR
i = {(qi , r) | r is an initial region}
3. δ R ⊆ QR × Σ × QR is s.t. (q1 , r1 ), a, (q2 , r2 ) ∈ δ iff there exists a valuation
(resp. for all valuations) v1 ∈ r1 , there exists a time delay t ∈ R≥0 and a
t,a
valuation v2 ∈ r2 s.t. (q1 , v1 ) −−→ (q2 , v2 ).
4. αR = {(q, r) | q ∈ α and r is a final region}
R
R
Let R = QR , QR
be a region automaton and w be an (untimed) word
i , Σ, δ , α
over Σ. A run of R on w = w0 w1 . . . wn is a finite sequence (q0 , r0 )(q1 , r1 ) . . .
(qn+1 , rn+1 ) of states of R such that: (q0 , r0 ) ∈ QR
i and such that: for all 0 ≤ i ≤ n:
(qi , ri ), wi , (qi+1 , ri+1 ) ∈ δ R . Such a run is accepting iff (qn+1 , rn+1 ) ∈ αR (in
that case, we say that w is accepted by R). The language L(R) of R is the set of all
untimed words accepted by R.
Let A be an ECA with alphabet Σ and maximal constant cmax . If we adapt and
apply the notion of region automaton, as defined for timed automata [2], to A we obtain RA(∀, Reg (CΣ , cmax ) , A). To alleviate notations, we denote it by RegAut∀ (A).
In the rest of the paper, we also consider three other variants: (i) RegAut∠
∀ (A) =
RA(∀, Reg∠ (CΣ , cmax ) , A), (ii) RegAut∃ (A) = RA(∃, Reg (CΣ , cmax ) , A) and
∠
(iii) RegAut∠
∃ (A) = RA(∃, Reg (CΣ , cmax ) , A). Observe that, for timed automata,
all these automata coincide, and thus accept the untimed language (this can be proved
by a bisimulation argument) [2]. Let us see how these results adapt (or not) to ECA.
Recognized language of universal region automata Let us show that, in general
universal region automata do not recognize the untimed language of the ECA.
Lemma 1. There is an ECA A such that L(RegAut∀ (A)) ( Untime(L(A)) and such
that L(RegAut∠
∀ (A)) ( Untime(L(A)).
Proof. Consider the automaton Ainf in Fig. 1, with cmax = 1. Assume there is, in
RegAut∀ (Ainf ), and edge of the form (q0 , r), b, (q0 , r0 ) , where r is initial. By the
−
→) > 1.
guard of the (q0 , q0 ) loop, r0 is a region s.t. for all v ∈ r: v(→
xb ) = 1 and v(−
x
a
−
To fire the (q0 , q0 ) loop again, we need to let time elapse up to the point where →
xb = 0.
−
−
→) = 1.1 and
Then consider two valuations v and v 0 s.t. v(→
xb ) = v 0 (→
xb ) = 1, v(−
x
a
→) = 2.1. Clearly, {v, v 0 } ⊆ r0 . However, firing the (q , q ) loop from (q , v) leads
v 0 (−
x
a
0 0
0
→) = 0.1, and firing the same (q , q ) loop from (q , v 0 ) leads to
x
to (q0 , v 00 ), with v 00 (−
a
0 0
0
→) = 1.1. Thus, v 00 and v 000 do not belong to the same region. Since
(q0 , v 000 ) with v 000 (−
x
a
we are considering a universal automaton, we conclude that there is no edge of the form
(q0 , r0 ), b, (q0 , r00 ) . Hence, RegAut∀ (Ainf ) cannot recognize an arbitrary number of
b’s from any of its initial states, and thus, L(RegAut∀ (Ainf )) ( Untime(L(Ainf )).
For the second case, we consider Fig. 2 (b) that depicts the projection of the set
−
→ →
−
of regions used to build RegAut∠
∀ (Ainf ) on the clocks {xa , xb } (remark that we can
restrict our reasoning to this projection, since the other clocks are never testedin Ainf ).
0
Assume there is, in RegAut∠
∀ (Ainf ), an edge of the form (q0 , r), b, (q0 , r ) were r
0
is initial. This implies that r ∈ {r1 , . . . , r5 } (we refer to the names in Fig. 2), because of the guard of the (q0 , q0 ) loop. Since Untime(L(Ainf )) = {bn a | n ≥ 1}, it
must be possible to accept an arbitrary number of b’s from one of the (q0 , r0 ). Let us
9
show that it is not the case. From r3 and r4 we have edges (q0 , r3 ), b, (q0 , r1 ) and
−
q0 , r4 ), b, (q0 , r2 ) . However, there is no valuation v ∈ r1 ∪ r2 s.t. (v + t)(→
xb ) = 0
∠
−
→
and (v + t)(xa ) > 1 for some t. Thus, there is, in RegAut∀ (Ainf ), no edge of
0
the form (q0 , r), b,
(q0 , r ) when r ∈ r1 , r2 . Finally, there is no edge of the form
(q0 , r5 ), b, (q0 , r) because some valuations of r5 (such as v1 ) will reach r3 and some
others (such as v2 ) will stay in r5 after the firing of the loop. Since we consider a
universal automaton, (q0 , r5 ) has no successor.
Recognized language of existential region automata Fortunately, the definition of
existential region automaton allows us to recover a finite transition system recognizing
exactly Untime(L(A)), for all ECA A. Remark that our construction is direct, contrary to the original construction [3] that consists in first translating the ECA into a
non-deterministic timed automaton recognising the same timed language but with an
increased number of clocks compared to the original ECA, and then computing the region automaton of this timed automaton. Moreover, the proof we are about to present
cannot invoke the fact that regions form a time-abstract bisimulation, as it is the case
for timed automata, and we thus need to rely on different proof techniques. Actually,
we will show that:
Untime(L(A)) ⊆ L(RegAut∠
∃ (A)) ⊆ L(RegAut∃ (A)) ⊆ Untime(L(A))
The two leftmost inequalities are easily established by the following reasonings. Let
(q0 , v0 )(t0 , w0 )(q1 , v1 ) (t1 , w1 ) · · · (qn , vn ) be an accepting run of A on θ = (τ, w).
Thus, θ ∈ L(A). For all 0 ≤ i ≤ n let ri be the (unique) region containing vi . Then,
by definition of RegAut∠
∃ (A), (q0 , r0 )w0 (q1 , r1 )w1 · · · (qn , rn ) is an accepting run of
∠
RegAut∠
∃ (A) on w = Untime(θ). Hence Untime(L(A)) ⊆ L(RegAut∃ (A)). Second, since ≈∠
cmax refines ≈cmax , each accepting run (q0 , r0 )w0 (q1 , r1 )w1 · · · (qn , rn )
0
0
0
in RegAut∠
∃ (A) corresponds to an accepting run (q0 , r0 )w0 (q1 , r1 )w1 · · · (qn , rn ) in
RegAut∃ (A), where for any 0 ≤ i ≤ n, ri0 is the (unique) region of Reg (CΣ , cmax )
that contains ri . Hence, L(RegAut∠
∃ (A)) ⊆ L(RegAut∃ (A)).
To establish L(RegAut∃ (A)) ⊆ Untime(L(A)) we need to rely on the notion of
weak time successor. The set of weak time successors of v by t time units is:
v +w t
=



v0
∀x :

x ∈ PΣ and v(x) > cmax implies v 0 (x) > cmax − t

and 
x∈
/ PΣ or v(x) ≤ cmax or v(x) = ⊥ implies v 0 (x) = (v + t)(x)
As can be seen, weak time successors introduce non-determinism on prophecy clocks
that are larger than cmax . So, v +w t is a set of valuations. Let q be a location of
t
an ECA. We write (q, v) →
− w (q, v 0 ) whenever v 0 ∈ (v +w t). Then, a sequence
(q0 , v0 )(t0 , w0 ) (q1 , v1 )(t1 , w1 )(q2 , v2 ) · · · (qn , vn ) is an initialized weak run, on θ =
(τ, w), of an ECA A = hQ, qi , Σ, δ, αi iff q0 = qi , v0 is initial, t0 = τ0 , for any
1 ≤ i ≤ n − 1: ti = τi − τi−1 , and for any 0 ≤ i ≤ n − 1: there is (qi0 , vi0 ) s.t.
ti
wi
(qi , vi ) −
→w (qi0 , vi0 ) −→
(qi+1 , vi+1 ). A weak run is accepting iff qn ∈ α and vn is
final. The weak language wL(A) of A is the set of all timed words θ s.t. there is an
accepting weak run on θ. Clearly, L(A) ⊆ wL(A) as every run is also a weak run.
10
However, the converse also holds, since the non-determinism appears only on clocks
larger than cmax , which the automaton cannot distinguish:
Proposition 2. For any ECA A: L(A) = wL(A).
Proof. Since, by definition, every run is a weak run, L(A) ⊆ wL(A). Let us show
that L(A) ⊇ wL(A). Let θ = (τ0 , w0 ) · · · (τn , wn ) be a timed word in wL(A), and
w0
t0
0
−→ (q1 , v1 ) · · · (qn+1 , vn+1 ) be the corresponding accepting
let (q0 , v0 ) −→
w (q0 , v0 ) −
weak run of A. For any 0 ≤ i ≤ n, we build v i as follows. For any x s.t. x ∈ PΣ
and vi0 (x) > cmax , let k > i be the least position s.t. vk0 (x) ≤ cmax . Remark that
such a position always exists in an accepting run (recall that if a letter is never to be
Pk
seen again, its valuation must be set to ⊥). Then, we let v i (x) = vk0 (x) + j=i+1 tj .
Otherwise, we let v i (x) = vi0 (x). Remark that vi0 and v i differ only on prophecy
clocks larger than cmax , and that vi0 (x) > cmax iff v i (x) > cmax for any i and x.
Moreover, the definition of the sequence of v i clearly respects the definition of time
successor. We further define ṽi for all i as follows: ṽi (x) = ti + v i (x) for all x ∈ PΣ
s.t. vi (x) > cmax and ṽi (x) = vi (x) otherwise. Hence, it can be checked that for all
ti
wi
t0
w0
0 ≤ i ≤ n, (qi , ṽi ) −
→ (qi , v i ) −→
(qi+1 , ṽi+1 ), and so that (q0 , ṽ0 ) −→
(q0 , v 0 ) −−→
t1
(q1 , ṽ1 ) −→
(q1 , v 1 ) · · · (qn+1 , ṽn+1 ). Moreover, ṽn+1 (x) = vn+1 (x) = ⊥ for all
x ∈ PΣ . Thus, θ ∈ L(A) and thus, L(A) ⊇ wL(A).
Then, we prove that weak time successors enjoy a property which is reminiscent of
time abstract bisimulation. This allows to establish Theorem 1.
Lemma 2. Let C be a set of clocks and let cmax be a natural constant. For any
v1 , v2 ∈ V (C) s.t. v1 ≈cmax v2 , for any t1 ∈ R≥0 , there exist t2 and v 0 ∈ (v2 +w t2 )
s.t. v1 + t1 ≈cmax v 0 .
Proof. The cases where v1 ≈cmax v1 + t1 are trivial. We first restrict ourselves to the
case where v1 and v1 + t1 belong to adjacent regions, that is:


∀0 ≤ t0 ≤ t : v1 + t0 ≈cmax v1

and
∃0 < t ≤ t1 : 
(1)
∀t < t0 ≤ t1 : v1 + t0 ≈cmax v1 + t1
Let us now show how to chose t2 . Let Cv0 denote the set of clocks x s.t. hv(x)i = 0.
Under the hypothesis (1), we have to consider two cases:
1. Either Cv01 = ∅ and Cv01 +t1 6= ∅. In that case, let x be a clock in Cv01 +t1 . We
let t2 = hv2 (x)i
2. Or Cv01 6= ∅ and Cv01 +t1 = ∅. In that case, we need to consider two sub-cases.
If there is x s.t. hv2 (x)i 6= 0, we let t2 be a value s.t. 0 < t2 < min{hv2 (x)i |
hv2 (x)i 6= 0}. Otherwise, all the clocks in v2 have a null fractional part, and we
can take any delay < 1 for t2 : we let t2 = 0.1.
11
Now, let us show that there exists v ∈ v2 +w t2 s.t. v ≈cmax v1 + t1 . For that
purpose, we first build a valuation v3 as follows. For any history clock x, we let
v3 (x) = v2 (x). For all prophecy clocks x s.t. v2 (x) ≤ cmax , or v2 (x) = ⊥, we
let v3 (x) = v2 (x) too. For all prophecy clocks x s.t. v2 (x) > cmax (and thus v1 (x) >
cmax since v1 ≈cmax v2 ), we consider two cases. Either (v1 + t1 )(x) > cmax . In
that case we let v3 (x) = cmax + t2 + 1. Or (v1 + t1 )(x) = cmax . In that case we let
v3 (x) = cmax + t2 . Remark that the case (v1 + t1 )(x) < cmax is not possible since
we have assumed that v1 (x) > cmax and that v1 and v1 + t1 are in adjacent regions.
We now let v 0 = v3 + t2 . It is easy to check that v 0 ≈cmax (v1 + t1 ). Moreover,
0
v ∈ (v2 +w t2 ), since v3 has been obtained from v2 by replacing values larger than
cmax by other values larger than cmax .
To conclude, observe that if v3 ∈ (v2 +w t2 ) and v2 ∈ (v1 +w t1 ), then v3 ∈
(v1 +w (t1 + t2 )). This allows to handle the case where v1 and v1 + t1 are not in
adjacent regions: by decomposing t1 into a sequence t01 , t02 , . . . , t0n s.t. t1 = t01 + t02 +
Pi
Pi+1
· · · + t0n , and for all 1 ≤ i < n, v1 + j=1 t0j and v1 + j=1 t0j are in adjacent
regions. Then, applying the reasoning above, we get a sequence t001 , . . . , t00n of time
delays and a sequence v00 , v10 , . . . , vn0 of valuations s.t. v00 = v2 , for all 0 ≤ i < n,
Pi+1
Pn
0
0
vi+1
∈ vi0 +w t00i and vi+1
≈cmax v1 + j=1 t0j . Thus, vn0 ∈ v2 +w j=1 t00j and
P
n
vn0 ≈cmax v1 + j=1 t0j = v1 + t1 .
We can now prove that:
Theorem 1. For any ECA A = (Σ, Q, qi , δ, α): L(RegAut∃ (A)) ⊆ Untime(L(A)).
w
wn−1
w
0
1
Proof. Let (q0 , r0 ) −−→
(q1 , r1 ) −−→
· · · −−−→ (qn , rn ) be an accepting run of
RegAut∃ (A). Let us build, inductively a sequence t0 , t1 ,. . . , tn−1 of time delays and a
sequence v 0 , v 1 ,. . . , v n of valuations s.t. v i ∈ ri for all 0 ≤ i ≤ n. This will allow us
to obtain an accepting weak run of A. For the base case, we let v 0 be a valuation from
t0 ,w0
r0 and we let v 1 and t0 be s.t. v 0 −−−→ v 1 with v 1 ∈ r1 . Such v 1 and t0 are guaranteed
w0
to exist by definition of the region automaton, and since (q0 , r0 ) −−→
(q1 , r1 ) in this
region automaton. For the inductive case, we consider i with 2 ≤ i ≤ n and assume
that v i−1 has been defined and is in ri−1 . Let us show how to build ti−1 and v i . Since
wi−1
ri−1 −−−→ ri in the region automaton, there are vi ∈ ri , vi−1 ∈ ri−1 , and ti−1 s.t.
wi−1
ti−1
−−−→ v . Let c denote the value v (−
x−−→). Since
−−−→ v
+t
v
i−1
i−1
i−1
i
i
wi−1
wi−1
(2)
vi−1 + ti−1 −−−→ vi
we know that
−→
(vi−1 + ti−1 )[−
x−
wi−1 := c] |= ψ
(3)
wi−1
where ψ is the guard of the edge responsible for vi−1 + ti−1 −−−→ vi and that
v = (v
+ t )[−
x−−→ := c, ←
x −−− := 0].
i
and
Next, we let
0
vi−1
i−1
i−1
wi−1
wi−1
be a valuation and ti−1 be a time delay s.t.
0
vi−1
≈cmax (vi−1 + ti−1 ).
12
0
vi−1
(4)
∈ v i−1 +w ti−1
(5)
0
Such vi−1
and ti−1 are guaranteed to exist by Lemma 2: v i−1 ∈ ri−1 by induction
hypothesis and vi−1 ∈ ri−1 by construction, hence v i−1 ≈cmax v i−1 . Then, we let
−→
←−−−
0
v i = vi−1
[−
x−
wi−1 := c, xwi−1 := 0]
(6)
w
i
0
0
−→
v i . By (5), vi−1
and vi−1 + ti−1 are equivalent. Hence,
Let us check that vi−1
−
−
−
→
−
−
→
−−−→
0
0
vi−1 [xwi−1 := c] ≈cmax (vi−1 + ti−1 )[xw−
i−1 := c]. Thus, by (3), vi−1 [xwi−1 :=
0
c] |= ψ, and the same transition can be fired from vi−1 , leading to v i , by (6). Finally,
by (4), (6) and (5), we deduce that v i ≈cmax vi ∈ ri , hence v i ∈ ri .
t0 ,w0
t1 ,w1
By construction, (q0 , v 0 ) −−−→ (q1 , v 1 ) −−−→ · · · (qn , v n ) is an accepting weak
run of A on θ with Untime(θ) = w. Thus, wL(RegAut∃ (A)) ⊆ Untime(L(A)). Since
wL(RegAut∃ (A)) = L(RegAut∃ (A)), by Proposition 2, we have L(RegAut∃ (A)) ⊆
Untime(L(A)).
Size of the existential region automaton The number of Alur-Dill regions on n
clocks and with maximal constant cmax is at most R(n, cmax ) = n! × 2n × (2 ×
cmax + 2)n [2]. Adapting this result to take into account the ⊥ value, we have:
|Reg (CΣ , cmax ) | ≤ R(2 × |Σ|, cmax + 1). Hence, the number of locations of
RegAut∃ (A) for an ECA A with m locations and alphabet Σ is at most m × R(2 ×
|Σ|, cmax + 1). In [3], a technique is given to obtain a finite automaton recognizing Untime(L(A)) for all ECA A: first transform A into a non-deterministic timed
automaton [2] A0 s.t. L(A0 ) = L(A), then compute the region automaton of A0 .
However, building A0 incurs a blow up in the number of clocks and locations, and
the size of the region automaton of A0 is at most m × 2K × R(K, cmax ) where
K = 6×|Σ|×(cmax +2) is an upper bound on the number of atomic clock constraints
in A. Our construction thus yields a smaller automaton.
5
Zones and event-clocks
In the setting of timed automata, the zone datastructure [10] has been introduced as
an effective way to improve the running time and memory consumption of on-thefly algorithms for checking emptiness. In this section, we adapt this notion to the
framework of ECA, and discuss forward and backward analysis algorithms. Roughly
speaking, a zone is a symbolic representation for a set of clock valuations that are
defined by constraints of the form x − y ≺ c, where x, y are clocks, ≺ is either < or
≤, and c is an integer constant. Keeping the difference between clock values makes
sense in the setting of timed automata as all the clocks have always real values and
the difference between two clock values is an invariant over the elapsing of time. To
adapt the notion of zone to ECA, we need to overcome two difficulties. First, prophecy
and history clocks evolve in different directions with time elapsing. Hence, it is not
always the case that if v(x) − v(y) = c then (v + t)(x) − (v + t)(y) = c for all t (for
instance if x is a prophecy clocks and y an history clock). However, the sum of clocks
of different types is now an invariant, so event clock zones must be definable, either by
constraints of the form x − y ≺ c, if x and y are both history or both prophecy clocks,
13
or by constraints of the form x + y ≺ c otherwise. Second, clocks can now take the
special value ⊥. Formally, we introduce the notion of event-zone as follows.
Definition 2. For a set C of clocks over an alphabet Σ, an event-zone is a subset
of V (C) that is defined by a conjunction of constraints of the form x = ⊥; x ∼ c;
x1 − x2 ∼ c if x1 , x2 ∈ HΣ or x1 , x2 ∈ PΣ ; and x1 + x2 ∼ c if either x1 ∈ HΣ and
x2 ∈ PΣ or x1 ∈ PΣ and x2 ∈ HΣ , with x, x1 , x2 ∈ C, ∼ ∈ {≤, ≥, <, >} and c ∈ Z.
Event-clock Difference Bound Matrices In the context of timed automata, Difference Bound Matrices (DBMs for short) have been introduced to represent and manipulate zones [5, 10]. Let us now adapt DBMs to event clocks. In order to adapt DBMs to
event-zones, we need to be able to (i) encode contraints of the form x + y ≺ c and of
the form x0 − y 0 ≺ c, depending on the types of x, y, x0 and y 0 , (ii) encode constraints
of the form x = ⊥, and (iii) encode the fact that a variable is not constrained by the
zone. Indeed, in a DBM, this is encoded by the pair of constraints x ≥ 0 and x < +∞.
This is not sound in our case since 0 ≤ x < +∞ implies that x 6= ⊥. Thus, we
introduce a special symbol ? to denote the absence of constraint.
Formally, an EDBM M of the set of clocks C = {x1 , . . . , xn } is a (n + 1) square
matrix of elements from Z×{<, ≤} ∪{(∞, <), (⊥, =), (?, =)} s.t. for all 0 ≤ i, j, ≤
n: mi,j = (⊥, =) implies i = 0 or j = 0 (i.e., ⊥ can only appear in the first position
of a row or column). Thus, a constraint of the form xi = ⊥ will be encoded with either
mi,0 = (⊥, =) or m0,i = (⊥, =). As in the case of DBMs, we assume that the extra
clock x0 is always equal to zero. Moreover, since prophecy clocks decrease with time
evolving, they are encoded by their opposite value in the matrix. Hence the EDBM
naturally encodes sums of variables when the two clocks are of different types. Each
element (mij , ≺ij ) of the matrix thus represents either the constraint xi − xj ≺ij mij
or the constraint xi + xj ≺ij mij , depending on the type of xi and xj . Finally, the
special symbol ? encodes the fact that the variable is not constrained (it can take any
real value, or the ⊥ value). Formally, an EDBM M on set of clocks C = {x1 , . . . , xn }
represents the zone [[M ]] on set of clocks C s.t. v ∈ [[M ]] iff for all 0 ≤ i, j ≤ n: if
Mi,j = (c, ≺) with c 6= ? then v ± (xi ) − v ± (xj ) ≺ c (assuming v ± (x0 ) denotes the
value 0 and assuming that for all k ∈ Z∪{⊥}: ⊥+k = ⊥−k = k +⊥ = k −⊥ = ⊥).
When [[M ]] = ∅, we say that M is empty. In the sequel, we also rely on the ≤ ordering
on EDBM elements. We let (m; ≺) ≤ (m0 ; ≺0 ) iff one of the following holds: either
(i) m0 = ?; or (ii) m, m0 ∈ Z ∪ {∞} and m < m0 ; or (iii) m = m0 and either ≺=≺0
or ≺0 =≤.
As an example, consider the two following EDBMs that both represent x1 = ⊥ ∧
0 < x3 − x4 < 1 ∧ x2 + x4 ≤ 2 (where x1 , x2 are prophecy clocks, and x3 , x4 are
history clocks):


(0, ≤) (⊥, =) (?, =) (?, =) (?, =)
(⊥, =) (?, =) (?, =) (?, =) (?, =)


 (0, ≤) (?, =) (0, ≤) (?, =) (?, =)


 (?, =) (?, =) (?, =) (0, ≤) (1, <)
(?, =) (?, =) (2, ≤) (0, <) (0, ≤)
14

(0, ≤) (⊥, =)
 (⊥, =) (?, =)

 (0, ≤) (?, =)

(∞, <) (?, =)
(∞, <) (?, =)

(∞, <) (0, ≤) (0, ≤)
(?, =) (?, =) (?, =)

(0, ≤) (0, ≤) (0, ≤)

(∞, <) (0, ≤) (1, <)
(2, ≤) (0, <) (0, ≤)
Normal form EDBMs As in the case of DBMs, we define a normal form for EDBM,
and show how to turn any EDBM M into a normal form EDBM M 0 s.t. [[M ]] = [[M 0 ]].
A non-empty EDBM M is in normal form iff the following holds: (i) for all 1 ≤ i ≤ n:
Mi,0 = (⊥, =) iff M0,i = (⊥, =) and Mi,0 = (?, =) iff M0,i = (?, =), (ii) for all
1 ≤ i ≤ n: Mi,0 ∈ {(⊥, =), (?, =)} implies Mi,j = Mj,i = (?, =) for all 1 ≤ j ≤ n,
(iii) for all 1 ≤ i, j ≤ n : Mi,j = (?, =) iff either Mi,0 ∈ {(?, =), (⊥, =)} or
Mj,0 ∈ {(?, =), (⊥, =)} and (iv) the matrix M 0 is a normal form DBM [10], where
M 0 is obtained by projecting away all lines 1 ≤ i ≤ n s.t. Mi,0 ∈ {(?, =), (⊥, =)} and
all columns 1 ≤ j ≤ n s.t. M0,j ∈ {(?, =), (⊥, =)} from M . To canonically represent
the empty zone, we select a particular EDBM M∅ s.t. [[M∅ ]] = ∅. For example, the
latter EDBM of the above example is in normal form.
Then, given an EDBM M , Algorithm 1 allows to compute a normal form EDBM
M 0 s.t. [[M ]] = [[M 0 ]]. This algorithm relies on the function DBMNormalise(M ,S),
where M is an (`+1)×(`+1) EDBM, and S ⊆ {0, . . . , `}. DBMNormalise(M ,S)
applies the classical normalisation algorithm for DBMs [10] on the DBM obtained by
projecting away from M all the lines and columns i 6∈ S. Algorithm 1 proceeds in
three steps. In the first loop, we look for lines (resp. columns) i s.t. Mi,0 (resp. M0,i )
is (⊥, =), meaning that there is a constraint imposing that xi = ⊥. In this case, the
corresponding M0,i (resp. Mi,0 ) must be equal to (⊥, =) too, and all the other elements
in the ith line and column must contain (?, =). If we find a j s.t. Mi,j 6= (?, =) or
Mj,i 6= (?, =), then the zone is empty, and we return M∅ . Then, in the second loop,
the algorithm looks for lines (resp. columns) i with the first element equal to (?, =)
but containing a constraint of the form (c, ≺), which imposes that the variable i must
be different from ⊥. We record this information by replacing the (?, =) in Mi,0 (resp.
M0,i ) by the weakest possible constraint that forces xi to have a value different from ⊥.
This is either (0, ≤) or (∞, <), depending on the type of xi and is taken care by the
SetCst() function. At this point the set S contains the indices of all variables that
are constrained to be real. The algorithm finishes by calling the normalisation function
for DBMs. Remark, in particular, that the algorithm returns M∅ iff M is empty which
also provides us with a test for EDBM emptiness.
Proposition 3. For all EDBM M , EDBMNormalise(M ) returns a normal form
EDBM M 0 s.t. [[M 0 ]] = [[M ]].
Operations on zones The four basic operations we need to perform on event-zones
→
−
are: (i) future of an event-zone Z : Z = {v ∈ V(CΣ ) | ∃v 0 ∈ Z, t ∈ R≥0 : v =
←
−
v 0 + t}; (ii) past of an event-zone Z : Z = {v ∈ V(CΣ ) | ∃t ∈ R≥0 : v + t ∈ Z};
(iii) intersection of two event-zones Z and Z 0 ; and (iv) release of a clock x in Z:
15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
EDBMNormalise(M ) begin
Let S = {0} ;
foreach 1 ≤ i ≤ n s.t. Mi,0 = (⊥, =) or M0,i = (⊥, =) do
if ∃1 ≤ j ≤ n s.t. Mi,j 6= (?, =) or Mj,i 6= (?, =) then return M∅ ;
Mi,0 ← (⊥, =) ; M0,i ← (⊥, =) ;
foreach 0 ≤ i, j ≤ n s.t. Mi,j ∈
/ {(?, =), (⊥, =)} do
S ← S ∪ {i, j} ;
foreach i, j ∈ S do SetCst(Mi,j ) ;
M 0 ← DBMNormalise(M ,S) ;
if M 0 = Empty then return M∅ ;
return M 0 ;
SetCst(Mi,j ) begin
if Mi,j = (?, =) then
if xi ∈ PΣ and (xj ∈ HΣ or xj = x0 ) then Mi,j ← (0, ≤) ;
else Mi,j ← (∞, <) ;
Algorithm 1: A normalisation algorithm for EDBMs.
relx (Z) = {v[x := d] | v ∈ Z, d ∈ R≥0 ∪ {⊥}}. Moreover, we also need to be able to
test for inclusion of two zones encoded as EDBMs. Let M , M1 and M2 be EDBMs in
normal form, on n clocks. Then:
−
→
−
→
Future If M = M∅ , we let M = M∅ . Otherwise, we let M be s.t.:


/ {(⊥, =), (?, =)}, j = 0 and xi ∈ PΣ
(0, ≤) if Mij ∈
−
→
M i,j =
(∞, <) if Mij ∈
/ {(⊥, =), (?, =)}, j = 0 and xi ∈ HΣ


Mi,j
otherwise
←
−
←
−
Past If M = M∅ , we let M = M∅ . Otherwise, we let M be s.t. for all i, j:


/ {(⊥, =), (?, =)}, i = 0 and xj ∈ PΣ
(∞, <) if Mij ∈
←
−
M i,j =
(0, ≤) if Mij ∈
/ {(⊥, =), (?, =)}, i = 0 and xj ∈ HΣ


Mi,j
otherwise
Intersection We consider several cases. If M 1 = M∅ or M 2 = M∅ , we let M 1 ∩
1
2
2
1
M 2 = M∅ . If there are 0 ≤ i, j ≤ n s.t. Mi,j
6≤ Mi,j
and Mi,j
6≤ Mi,j
, we let
1
2
1
2
0
M ∩ M = M∅ too. Otherwise, we let M ∩ M be the EDBM M s.t for all
0
1
2
i, j: Mi,j
= min(Mi,j
, Mi,j
).
Release Let x be an event clock. In the case where M = M∅ , we let relx (M ) = M∅ .
Otherwise, we let relx (M ) be the EDBM s.t. for all i, j:
(
Mi,j
if xi 6= x and xj 6= x
relx (M )i,j =
(?, =) otherwise
16
1
2
Inclusion We note M 1 ⊆ M 2 iff Mi,j
≤ Mi,j
for all 0 ≤ i, j ≤ n.
Propositionhh4. Let
M, M 1 , M 2 hh
be EDBMs
in normal form, on set of clocks C. Then,
−−→
←−−
−
→ii
←
−ii
(i) [[M ]] = M , (ii) [[M ]] = M , (iii) M 1 ∩ M 2 = M 1 ∩ M 2 , (iv)
for all clock x ∈ C, relx ([[M ]]) = [[relx (M )]] and (v) M 1 ⊆ M 2 iff M 1 ⊆ M 2 .
Proof.
1. In the case where M = M∅ the proof is trivial. Otherwise, M is nonempty, since it is in normal form. We assume that M is an EDBM on set of
clocks C = {x1 , . . . , xn }, that for all 0 ≤ i, j ≤ n: Mi,j = (mi,j , ≺i,j ) and
−−→
−
→
that M = (m0i,j , ≺0i,j ). It is easy to see that any v ∈ [[M ]] satisfies the constraints
hh−
ii
hh
ii
−−→
→
−
→
of M . Thus, [[M ]] ⊆ M .
hh−
→ii
Consider now a valuation v ∈ M . We need to find a delay t ∈ R≥0 such
that there exists vM ∈ [[M ]] such that vM + t = v. This amounts to solving the
following system of inequalities:


−mi0 − v(xi ) ≺i0 t ≺0i m0i − v(xi )
v(xi ) − mi0 ≺i0 t ≺0i v(xi ) + m0i


0≤t
for all xi ∈ PΣ ∩ C such that m0i ∈
/ {⊥, ?}
for all xi ∈ HΣ ∩ C such that m0i ∈
/ {⊥, ?}
with the convention that ∞+c = ∞−c = ∞ and that −∞+c = −∞−c = −∞
for all c ∈ N. We show that the set of solutions is not empty, i.e. that all
inequalities are pairwise coherent.
Since for all xi ∈ PΣ ∩C, (m00i , ≺00i ) = (m0i , ≺0i ), we know that v(xi ) ≺0i m0i
and since for all xi ∈ HΣ ∩ C (m00i , ≺00i ) = (m0i , ≺0i ) , we also know that
−m0i ≺0i v(xi ). Then, none of the inequalities forces t to be negative.
Let now xi , xj be two prophecy clocks s.t. m0,i 6∈ {⊥, ?} and m0,j 6∈ {⊥, ?}.
For all vM ∈ [[M ]], −mi0 ≺i0 vM (xi ) ≺0i m0i , and −mj0 ≺j0 vM (xj ) ≺0j
m0j , then −mi0 − m0j ≺1 vM (xi ) − vM (xj ) ≺2 m0i + mj0 , where ≺1 =≤
iff ≺i0 =≤ and ≺0j =≤ ≺2 =≤ iff ≺0i =≤ and ≺j0 =≤. Since M is in normal
form, (mji , ≺ji ) ≤ (m0i + mj0 , ≺2 ) and (mij , ≺ij ) ≤ (mi0 + m0j , ≺1 ). Since
(m0ij , ≺0ij ) = (mij , ≺ij ) and (m0ji , ≺0ji ) = (mji , ≺ji ), we deduce that −mi0 −
m0j ≺1 v(xi ) − v(xj ) ≺2 m0i + mj0 . Hence, −mi0 − v(xi ) ≺1 m0j − v(xj )
and −mj0 − v(xj ) ≺2 m0i − v(xi ). Then the constraints on t deduced from xi
and xj are coherent. With the same arguments, we obtain that the constraints on
t deduced from xi , xj ∈ HΣ ∩ C are coherent too.
Consider now xi ∈ PΣ ∩ C and xj ∈ HΣ ∩ C. Then again, since any valuation
vM in [[M ]] satisfies −mi0 − m0j ≺1 vM (xi ) + vM (xj ) ≺2 m0i + mj0 , so does
v, and one can deduce that −mi0 − v(xi ) ≺1 v(xj ) + m0j and v(xj ) − mj0 ≺2
m0i − v(xi ) and hence that the constraints on t derived from xi ∈ PΣ ∩ C and
xj ∈ HΣ ∩ C are coherent.
Then, the set of solutions of the inequalities is not empty. Let t be such a solution.
We let vM be the valuation s.t. vM (x) = v(x) + t for any x ∈ PΣ ∩ C and
vM (x) = v(x) − t for all x ∈ HΣ ∩ C. Such a valuation exists, and is in [[M ]]
17
by construction. Then, since v = vM + thhwithiivM ∈ [[M ]] and some t ∈ R≥0 we
−−→
−−→
−
→
deduce that v ∈ [[M ]]. We conclude that M ⊆ [[M ]].
2. As prophecy and history clocks evolve in opposite directions, the arguments of
−
→
the proof for M can be adapted.
3. In the case where M 1 = M∅ or M 2 = M∅ the proof is trivial. Otherwise,
M 1 and M 2 are non-empty, since they are in normal form. First consider the
1
2
2
1
case where there are 0 ≤ i, j ≤ n s.t. Mi,j
6≤ Mi,j
and Mi,j
6≤ Mi,j
. By
1
2
definition of ≤, this implies that either Mi,j or Mi,j is equal to (⊥, =), and that
the
m ∈ R≥0 ∪ {∞}.
other
constraint
is of the form
(≺,m),with Then, clearly
M 1 ∩ M 2 = ∅ and thus M 1 ∩ M 2 = [[M∅ ]] = M 1 ∩ M 2 .
1
2
Thus, let us assume that for all 0 ≤ i, j ≤ n, min{Mi,j
, Mi,j
} is defined. Let
v be a valuations on the set of clocks C = {x1 , . . . , xn }, let M be an EDBM
on C. Then for all 0 ≤ i, j ≤ n, we say that v satisfies Mi,j = (mi,j , ≺i,j )
(denoted v |= Mi,j = (mi,j , ≺i,j )) iff:
(a) either mi,j =?
(b) or i = 0 and mi,j = v(xj ) = ⊥
(c) or j = 0 and mi,j = v(xi ) = ⊥
(d) or mi,j 6∈ {?, ⊥} and |xi | − |xj | ≺i,j mi,j , assuming ⊥ + c = c + ⊥ =
⊥ − c = c − ⊥ = ⊥ for all c.
Then, clearly, [[M ]] = {v | ∀0 ≤ i, j ≤ n : v |= Mi,j }.
Then observe that, by definition of the ordering ≤ on EDBM constraints:
v |= (m1 , ≺1 ) and v |= (m2 , ≺2 )
iff v |= min (m1 , ≺1 ), (m2 , ≺2 )
By definition of M 1 ∩ M 2 , we conclude that M 1 ∩ M 2 = M 1 ∩ M 2 .
4. In the case where M = M∅ the proof is trivial. Otherwise, M is non-empty,
since it is in normal form. Let us assume that x is the clock of index k in C. We
first examine the case where Mk0 = (?, =), then relx (M ) = M since M is in
normal form. Since x is already unconstrained in M , we have relx ([[M ]]) = [[M ]].
Hence relx ([[M ]]) = [[M ]] = [[relx (M )]].
Otherwise, let us assume that C = {x1 , . . . , xn } and that for all 0 ≤ i, j ≤ n:
Mij = (mij , ≺ij ). Let v ∈ relx ([[M ]]). Then there is some v 0 ∈ [[M ]], such that
v 0 (y) = v(y), for all clock y 6= x in C. Since v 0 satisfies all the constraints of
M , v satisfies all the constraints of [[M ]] related to clocks different from x, and
hence v ∈ [[relx (M )]]. Thus, relx ([[M ]]) ⊆ [[relx (M )]].
Conversely, let v ∈ [[relx (M )]]. We consider two cases. Either Mk0 = (⊥, =).
We let v 0 be the valuation s.t. v 0 (x) = ⊥ and for all y 6= x: v 0 (y) = v(y). Clearly
v 0 ∈ [[M ]] since M is non-empty and in normal form. Hence, v ∈ relx [[M ]].
Otherwise Mk0 = (m, ≺) with m ∈ R≥0 ∪ {∞}, since we have already ruled
18
out the case Mk0 = (?, =). We let v 0 be a valuation that is a solution of the
following set of inequalities if x is an history clock:
−mjk
−mjk
v 0 (y) =
−m0k ≺0k v 0 (x) ≺k0
≺jk v 0 (x) − v 0 (xj ) ≺kj
≺jk v 0 (x) + v 0 (xj ) ≺kj
v(y)
mk0
mkj
mkj
for all y 6= x
for all xj ∈ (HΣ ∩ C) \ {x}
for all xj ∈ (PΣ ∩ C) \ {x}
or a solution of the following set of inequalities if x is a prophecy clock:
−mkj
−mjk
v 0 (y) =
−mk0 ≺k0 v 0 (x) ≺0k
≺kj v 0 (x) − v 0 (xj ) ≺jk
≺jk v 0 (x) + v 0 (xj ) ≺kj
v(y)
m0k
mjk
mkj
for all y 6= x
for all xj ∈ (PΣ ∩ C) \ {x}
for all xj ∈ (HΣ ∩ C) \ {x}
assuming as usual that ⊥ + c = c + ⊥ = ⊥ − c = c − ⊥ = ⊥.
Since M is in normal form, such a v 0 exists (otherwise, some of the constraints
could be strengthened without modifying the zone, and M is not in normal form),
and it is in [[M ]]. Hence v is in relx ([[M ]]). We conclude that [[relx (M )]] ⊆
relx ([[M ]]).
5. The proof
stems
from the fact
that M 1 ⊆ M 2 iff M 1 ∩ M 2 =
1
2
M 1 iff M 1 ∩ M 2 = M 1 iff, min(Mi,j
, Mi,j
) = Mi,j for all 0 ≤
i, j ≤ n (by Proposition 4).
Forward and backward analysis We present now the forward and backward analysis algorithms adapted to ECA. From now on, we consider an ECA A = hQ, qi , Σ, δ, αi.
t,a
We also let Post ((q, v)) = {(q 0 , v 0 ) | ∃t, a : (q, v) −−→ (q 0 , v 0 )} and Pre ((q, v)) =
t,a
{(q 0 , v 0 ) | ∃t, a : (q 0 , v 0 ) −−→ (q, v)} and we extend those operators to sets of states
in the natural way. Moreover, given a set of valuations Z and a location q, we abuse
notations
and denote by (q, Z) the set {(q,Sv) | v ∈ Z}. Also, we let Post∗ ((q, Z)) =
S
n
∗
n
0
n∈N Post ((q, Z)) and Pre ((q, Z)) =
n∈N Pre ((q, Z)), where Post ((q, Z)) =
n
n−1
(q, Z) and Post ((q, Z)) = Post Post
((q, Z)) , and similarly for Pren ((q, Z)).
The Post and Pre operators are sufficient to solve language emptiness for ECA:
Lemma 3 (adapted from [3], Lemma 1). Let A = hQ, qi , Σ, δ, αi be an ECA, let
I = {(qi , v) | v is initial}, and let α = {(q, v) | q ∈ α and v is final}. Then:
Post∗ (I) ∩ α 6= ∅ iff Pre∗ (α) ∩ I 6= ∅ iff L(A) 6= ∅.
Let us show how to compute these operators on event-zones. Given a location q, an
event-zone Z on CΣ , and an edge e = (q, a, ψ, q 0 ) ∈ δ, we let:
(
Poste ((q1 , Z))
=
Pree ((q1 , Z))
=
−
→
→ = 0)) ∩ ψ ∩ (←
q 0 , rel←
rel−
( Z ∩ (−
x
x−
a
a = 0)
x−
x→
a
a
∅

−−−−−−−−−−−−−
−−−−−−−−−−−−−−
−−−−−
 q, ←
←
−
−
→
→ (relx
←
− (Z ∩ (xa = 0)) ∩ ψ) ∩ (xa = 0)
relx−
a
a
∅
19
if q1 = q
otherwise
if q1 = q 0
otherwise
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ForwExact begin
Let Visited = ∅ ; Let Wait = {(qi , Z0 )} ;
while Wait 6= ∅ do
Get and remove (q, Z) from Wait ;
if q ∈ α and Z ⊆ Zf then return Yes ;
if there is no (q, Z 0 ) ∈ Visited s.t. Z ⊆ Z 0 then
Visited := Visited ∪ {(q, Z)} ;
Wait := Wait ∪ Post ((q, Z)) ;
return No ;
BackExact begin
Let Visited = ∅ ; Let Wait = {(q, Zf ) | q ∈ α} ;
while Wait 6= ∅ do
Get and remove (q, Z) from Wait ;
if q = qi and Z ⊆ Z0 then return Yes ;
if there is no (q, Z 0 ) ∈ Visited s.t. Z ⊆ Z 0 then
Visited := Visited ∪ {(q, Z)} ;
Wait := Wait ∪ Pre ((q, Z)) ;
return No ;
Algorithm 2: The forward and backward algorithms
a
←
x−
a = 1
q0
a
q1
b
a
−
→
xb = 1
q2
Figure 3: An ECA for which backward analysis does not terminate.
Then, it is easy to check that Post ((q, Z)) = ∪e∈δ Poste ((q, Z)) and Pre ((q, Z)) =
∪e∈δ Pree ((q, Z)). With the algorithms on EDBMs presented above, these definitions
can be used to compute the Pre and Post of zones using their EDBM encodings. Remark that Pre and Post return sets of event-zones as these are not closed under union.
Let us now consider the ForwExact and BackExact algorithms to test for language
emptiness
of ECA, shown in Algorithm 2. In these two algorithms Z0 denotes the zone
V
x
=
⊥ containing all the possible initial valuations and Zf denotes the zone
x∈H
Σ
V
x∈PΣ x = ⊥ representing all the possible final valuations. By Lemma 3, it is clear
that ForwExact and BackExact are correct when they terminate. Unfortunately, Fig. 3
shows an ECA on which the backward algorithm does not terminate. Since history and
prophecy clocks are symmetrical, this example can be adapted to define an ECA on
which the forward algorithm does not terminate either. Remark that in the case of timed
automata, the forward analysis is not guaranteed to terminate, whereas the backward
20
1 v 2(x )� and
2 �v
1 (x )2k− 2v
�v (x ) −
1
2 2
1 1

1994. C. Daws, O. Maler, A. Olivero,2S. Tripakis,
9. M. Bozga,
and S. Yovine. Kronos: A model-
2C

(−2k,
≤)clocks
≤ Mij ≤ C
(2k,⊆
≤),
or if1M
=),2
(?, =)} cmax 1
i,j
ij ∈ {(⊥,
4. R.
L. Fix, and T. A. Henzinger.
Event-clock
automata:
determinizable
of timed

Regions
Let
us
fix
aifclass
se
of
and
a1 2)�
constant
∈ N.1 We fi
Proposition 13. Let
Z
beAlur,
an
setand
of
clocks
CR
and
R
=
Reg
(C
,ofcmax
).conclude.
Closure
.aM
This
proposition
allows
toonly
Σ
�v
(x
)�
if
if
�v
(x
≤
�v
(x
)�.
Σ and
checking
toolevent-zone
for real-timeon
systems.
In
Proceedings
oflet
CAV98,
volume
1427
Lecture
Notes
1
2
2
2
2
automata. Theor. Comput. Sci., 211(1-2):253–273,
=
Φk (M )1999.
(∞, <)
if Mi,j > (2k, ≤)
∠
i,j
Computer
Science,
546–550.
Springer,
1998.
∠ ≈former

Then: Z ⊆ Approxincmax
⊆
Closure
(Z).
region
litterature.
is
the
classical
Alur-D
Equivalence
classes
ofvfrom
both
≈
and
are
called
regions
5.
G. (Z)
Behrmann,
A.
David,pages
K. G.
J.two
Håkansson,
Pettersson,
W. Yi, and M. Hendriks.
RLarsen,
equivalences
cmax
cmax
∈ the
V≤)systems.
(C):
vofIn1clocks
≈The
vlet
iff:
vReg
v2and
–P.Society,
For
any
(−2k,
<)
if an
<2(−2k,
1M,ijconcurrent
2 of
1 ≈
cmax
Equivalence
classes
both
≈
cmax
10. D. L.Uppaal
Dill.4.0. Timing
assumptions
andComputer
verification
of
finite-state
Proposition
13.
Let
Z bev
event-zone
on
set
C
and
R=
(C
, cmax
).an
In QEST, pages
125–126.
IEEE
2006.
cmax
Σ
∠
equivalence
for
timed
automata
[2]
while
the
latter
has
been
defined
by
Bouye
6.
R.
Bellman.
Dynamic
Programming.
Princeton
university
press,
1957.
J. Sifakis, editor, Automatic
Verification
Methods
for
Finite
State
Systems,
volume
407
of
Reg
(C,
cmax
)systèmes
and
Reg
cmax
) the
of
≈
For
any
xterminates
∈(Z).
C
s.t.)set
vand
)regions
>by∠letcmax
orcmax
v)1 (x
>
Then:
Z
⊆(C4)
Approx
(Z)
⊆(C,
Closure
1, x
2 (parameterised
1k)(x
1Reg
2 )se
R
Theorem 14. For all
A with
maximal
cmax
ForwKApp
cmax
7.ECA
P. Bouyer.
et algorithmesconstant
pour
la vérification
des, let
temporisés.
de
Then,
we
ForwKApp
beThèse
the
algorithm
by
obtained
Reg
(C,
cmax
(C,ofcmax
theand
kcmax
Lecture
NotesModèles
in Computer
Science,
pages
197–212.
Springer,
1989.
refines
the
former:
doctorat, Laboratoire Spécification et Vérification,
ENS
Cachan,
France,
Apr.
2002.
ting
f = Approx
Algorithm
2.>
Since,
there
are
k-bounded
regions,
tively.
Observe
that,
for
cmax
, finitely
and
for
any
finite
setcmax
C,
k in
and answers Yes
�=Kleene
∅.
vterminates.
)any
cmax
v2that,
(x
−
vany
(x
;
11. iff
C.8.L(A)
Dima.
theorems
for event-clock
automata.
In(x
Proceedings
of
the 12th
Inter- many
1
1 ) for
2the
2 )of>clocks
P. Bouyer.
Timed automata
may cause
some troubles. In
RESEARCH
REPORT
tively.
Observe
, cmax
and for
ForwKApp
Our
proof
of correctness
of ForwKApp
follows
Theorem
14.
For all
ECA2LSV–02–9,
A
with
maximal
constant
cmax
,k ForwKApp
k always
national
Symposium
of Computation
Theory,
FCT
’99,
pages
215–225,
cmax terminates
LSV, ENS
DE, 2002. on Fundamentals ∠
∠
–answers
For
vYovine.
,�v
vL(A)
V1�=
(C):
≈2cmax
v2 iff:
lines
of(C,
[7],any
and
relies
on
Proposition
13,
establishing
theand
relative
coarseness
of
Approx
(x
−
vv2is1(x
)�
�v
)cmax
− v (x
�v2 (x
and
Reg
cmax
).
The
difference
between
≈
and
can
∠
1iff
2Kronos:
2∈
1 (x1
2 )�≈=
1
9. M. Bozga,
C.
Daws,Springer-Verlag.
O. Maler,
A. Olivero,
S. Tripakis,
and
A)
modelLondon,
UK,of
1999.
and
Yes
∅.
cmax
Remark 15. The importance
the 2cmax
bound
applied
toS.volume
the
sum
constraints
picand
Reg
(C,
cmax
).
The 1kdifference
betw
and
Closure
proposition
allows
toTime.
conclude.
for real-time
systems. In
Proceedings
of CAV98,
1427
of Lecture
Notes
R . This
∠
12. J.-F. checking
Raskin.tool
Logics,
Automata
and
Classical
Theories
for
Deciding
Real
PhD
thesis,
(C1)
for
all
x
∈
C,
v
(x)
=
⊥
iff
v
(x)
=
⊥,
12: ≈
2 finerunbecause
the 1998.
example
in Fig.
is
diag
in Computerthe
Science,
pages
546–550.
tured on Figure ?? .FUNDP
Consider
zone
infrom
gray.Springer,
Then
if we approximate
it using
a cmax
modifier
peu la figureit introduces
cmax
∠∠
(Belgium),
1999.
from
the
example
Fig.
2:cmax
≈
is
finer
Proposition
13.all
Let
Z be
anC:
event-zone
set(x)
of
clocks
C
and applied
let≈
R
= in
Reg
(C
, cmax
).
10. D. L. Dill. Timing assumptions and
verification
of finite-state
concurrent
systems.
In onv
Σand
Remark
15.
The
importance
of
the
2cmax
bound
to
the
sum
constraints
is
picEquivalence
classes
of
both
≈
are
calle
cmax
(C2)
for
x
∈
either
>
cmax
and
v
(x)
>
,
or
�v
(x)�
=
cmax
1
2
1
cmax
bound it becomes
the
quarter
hence
intersecting
the
upper
right
region.
How13. all
J.-F.
and
P.-Y.
Schobbens.
The
logic
ofApprox
event
clocks:
decidability,
complexity
and
on
the
pairs
of
clocks
s.t.
one
the
clocks
iswelarger
than
cmax
.clocks
J.Raskin
Sifakis,
editor,plane,
Automatic
Verification
Methods
for⊆
Finite
State
Systems,
volume
407 of of
Then:
Z
cmax (Z) ⊆ ClosureR (Z).
∠
tured
on
Figure
??
.
Consider
the
zone
in
gray.
Then
if
approximate
it
using
a
cmax
m
on
the
pairs
of
clocks
s.t.
one
of
the
i
Lecture
Notes
in
Computer
Science,
pages
197–212.
Springer,
1989.
expressiveness.
Automatica,
34(3):247–282,
1998.
and
�v
=
�v
1 (x)�
2 (x)�,
ever, the original zone
did
notKleene
intersect
this
particular
region.
The
2cmax
bound
is the (C, cmax ) the set of regions of ≈
Reg
(C,
cmax
)In and
Reg
C. Dima.
theorems
for event-clock
automata.
In Proceedings
of A
the
12th
Inter-plane,
14. N.11.Tang
and M.
Ogawa.
Event-clock
visibly
pushdown
automata.
Proceedings
of the
35th
Theorem
14.
For all
ECA
with
maximal
constant
cmax
, ForwKAppcmax
terminates
bound
it
becomes
all
the
quarter
hence
intersecting
the
upper
right
region.
How(C3)
for
all
x2region.
∈
C s.t.
vany
≤ cmax
(x1 )finite
≤ cmax
�v1
national Symposium
on Fundamentals of
Computation
Theory,
FCTx
’99,
215–225,
second diagonal, preventing
the
approximation
toand
“hit”
upper
right
1 ,pages
1 (x’09,
1 )cmax
1any
Conference
on Current
Trends in Theory
andthis
Practice
ofL(A)
Computer
Science,
SOFSEM
answers
YesObserve
iff
�= ∅.
tively.
that,
for
, andand
forv2cmax
setthe:of
London, UK, 1999. Springer-Verlag.ever, the
original
zone
did
not
intersect
this
particular
region.
The
bound
is
pages
558–569,
Berlin,
Heidelberg,
2009.
Springer-Verlag.
�vDeciding
)� if
and
only if �v2 (x1 )� ≤ �v2 (x2 )�.
12. J.-F.
Raskin. Logics,
Automata
Classical
Theories
for
Real
Time.
PhD thesis,
1 (x2∠
−
→and−
→
diagonal,
preventing
the
approximation
tothe
“hit”
this upper
right region.
15. The
importance
ofcmax
the
2cmax
bound
to
sum constraints
is picand
Reg
(C,
).
The
difference
between
≈cmax and ≈
FUNDP (Belgium), 1999. xa xsecond
−
→
−
→
b Remark
∠ applied
– ofFor
all v??
v2 ∈complexity
Vthe(C):
v2approximate
iff:
v1 ≈
v2 and:
x
1 ,. Consider
1x≈
cmax
avgray.
b Then
cmax
13. J.-F. Raskin and P.-Y. Schobbens. The logic
event
clocks:
decidability,
and
tured
on Figure
zone
in
if we
it using
a cmax
modifier un peu la figure
∠
r
expressiveness. Automatica, 34(3):247–282,
1998.
from
the
example
Fig.
2:1 )≈
isregion.
finer
it :introd
bound
it becomes
all the
hence
intersecting
the
upper
right
(C4)
For
x
, x2of2plane,
∈ Cin
s.t.
v1 (x
>cmax
cmax
or
v1How(xbecause
either
Z
1quarter
2 ) > cmax
� ± all
�←
�
14. N. Tang and M. Ogawa. Event-clock visibly pushdown automata.
In Proceedings
the 35th�
−
ever, the original
zone
did
not
intersect
this
particular
region.
The
2cmax
bound
is
the
±
±
±
x
�
�
�
Conference on Current1Trends in Theory and Practice
of�
Computer
Science,
SOFSEM
’09,
b
on
the
pairs
of
clocks
s.t.
one
of
the
clocks
is
larger
than
v
(x
)
−
v
(x
)
>
2
·
cmax
and
v
(x
)
−
v
(x
)
>
2
·cma
cma
r
1
2
1
2
second diagonal,
the
to “hit” this upper right region.
1 preventing
1 approximation
2
2
References
pages 558–569, Berlin, Heidelberg, 2009. Springer-Verlag.
ClosureR (Z)
\ Z �v ± (x ) − v ± (x )� = �v ± (x ) − v ± (x )� and �v ± (x ) − v ±
have
1 1
2
1
2
1
1
1
2
2
1
1
←
−
±
±
x
b
Z −
Z
�v
(x
)
−
v
(x
)�.
←
−
→
1
2
2
2
References
x
b
\Z
−
→
−
→ 1633 of Lecture
1. R. Alur. Timed automata. In Proceedings of CAV Z99,
volume
Notes in
1
1
x
1
a xb
1
Computer Science, pages 8–22. Springer, 1999.
= Closure
\ Z Timed automata. In Proceedings of CAV 99, volume 1633 of Lecture Notes in
R (Z)
1. References
R.
Alur.
←
−
2. R. Alur and D. Dill. A Theory of Timed
→ Automata. Theoretical Computer Science,
−
1 ←
2 xa
{←
x−
a←
x−
= Z \ Z Computer Science, pages 8–22. Springer,
a
1999.
(a)
(b) In Proceedings of CAV
126(2):183–236, 1994.
1. R. Alur. Timed automata.
99, volume 1633 of Lecture Notes in ←
x−b
x−
a
2.
R.
Alur
and
D.
Dill.
A
Theory
of
Timed
Automata.
Theoretical
Computer
Science,
Computer
Science,
pages
8–22.
Springer,
1999.
1
1
3. R. Alur, L. Fix, and T. A. Henzinger. Event-clock automata: a determinizable class of timed
1
2.
R.
Alur
and
D.
Dill.
A
Theory
of
Timed
Automata.
Theoretical
Computer
Science,
126(2):183–236,
1994.
automata. Theor. Comput. Sci., 211(1-2):253–273, 1999.
1994.
←
6
Figure
4:126(2):183–236,
Examples
for
Closure
R and Approx
k
3. R.
and
T. Henzinger.
A. Henzinger.
Event-clock
automata:
aclass
determinizable
class of timed
x−b a determinizable
3. Alur,
R. Alur,L.
L. Fix,
Fix, and
T. A.
Event-clock
automata:
of timed
automata.
Comput.
Sci., 211(1-2):253–273,
1999.
automata. Theor.
Theor. Comput.
Sci., 211(1-2):253–273,
1999.
`
´
`
1
1
15
Fig. 2. The sets of regions Reg P
, 1 and Reg∠ P{a,b} ,`1
sets of regions Reg←
P
−
analysis always terminates (the proof relies on a bisimulation argument) [1].Fig.{a,b}
2. The
15
←
x−
a
15
Proposition 5. Neither ForwExact nor BackExact terminate in general.
1
{xa
1
Proof. We give the proof for BackExact, a similar proof for ForwExact can then be
are finite
26 sets.
deduced by symmetry. Consider
the ECA in Fig. 3. Running
backward
analysis
arethefinite
sets.
26
setting
of timed
automata,
to
s
algorithm from (q2 , In
Zf ),the
we obtain,
after selecting
the transition
e = (q2 ,ab, classical
true, q2 ), technique
` automata,
´ solve
of
timed
a
cla
∠
−
→
←
−
→
−
0In the setting
the zone Z1 =(such
xa = ⊥language
∧ xb = 0. Then,
the transition
= (q
a,of
xb regions
= 1, q2 ) isReg P{a,b}
Fig.→
2. eThe
sets
, 1 and
Reg
1 ,model-checking)
emptiness
or
CTL
consists
in
analy
−
→
−
→
−
−
→
language
emptiness
or CTL modelback-firable and we attain the zone Z2 = xa ≥ 0 ∧ x(such
this
b ≥ 1∧x
b − xa = 1. At
←
−
00
sponding
region
automaton
[1].
Roughly
speaking,
the
region
automat
point the transition e = (q1 , a, xa = 1, q1 ) is back-firable,
which leads
to theautomaton
zone
sponding
region
[1].
Roughly
sp
→
−
−
→
←
−
→
−
−
→
→
−
←
−
Z3 = xb ≥ 1 ∧
xa ≥ 0 ∧ 0 whose
≤ xa ≤ 1 ∧
xb − xaare
≥1∧
xb + xa ≥ and
2. Thewhose
back-firingtransitions correspond
tomaton
states
regions,
whose
of the e00 transition can be repeated, and, by induction,tomaton
after n iterations
of thestates
loop, are regions, and who
finite
sets.
relation
of
the
timed
automaton,
lifted
to
regions.
The soundness
→
−
−
→
←
−
→
−
−
→
nare
the algorithm reaches the zone Z = xb ≥ n ∧ xa ≥ relation
0 ∧ 0 ≤ xa of
≤ 1the
∧ xbtimed
− xa ≥ automaton,
liftedof
to the
reg
→
−
←
−
In theproblems
setting
ofheavily
timed
automata,
a classical
technique
t
n ∧ xb + xa ≥
n +to
1. Thus,
the those
condition
of
the if in line
14
is always
fulfilled,
and
ton
solve
relies
on
the
fact
that
regions
are
ton
to solve
those
problems
heavily
relies
the algorithm visits an infinite
number
of
zones,
without
reaching
q
.
(such language emptiness0 or CTL model-checking) consist
bisimulation for timed automata.
Since this
is not automata.
the case for
ECA,
th
bisimulation
for timed
Since
this
region
automaton
Roughly
speaking, the region
the regionsponding
automaton
construction
has[1].
to be
reconsidered.
the region
automaton
construction has to be
tomaton
whose
states
are regions,ofand
co
In this
section,operators
we revisit
the
thewhose
region transitions
automaton,
6 Future work:
widening
In definition
this section, we
revisit
the
definitionan
relation ofofthe
timed
automaton,
lifted toa regions.
The soundn
fuly the definition
time
successor
for regions,
central
notion
inreg
th
fulydoes
thenotdefinition
of time
successor
for
As said earlier, the zone-based forward analysis algorithm
terminate either
tonTo to
solve
thosewidening
problems
heavily
relies on the fact that re
in the case of timed automata.
recover
termination,
operators
have been
defined. The most popular widening
operator is the
so-called
k-approximation
zones this is not the case fo
bisimulation
for
timed
automata.onSince
[8]. Roughly speaking, it is defined as follows: in the definition of the zone, replace
the region automaton construction has to be reconsidered.
any constraint of the form xi ≺ c or xi − xj ≺ c, by respectively xi < ∞ and
Inand
this
section,
we revisit
thec ≺definition
of the region auto
xi − xj < ∞ if and only if c > k,
replace
any constraint
of the form
xi or
c ≺ xi − xj , by respectivelyfuly
k < xthe
and
k
<
x
−
x
,
if
and
only
if
c
>
k.
Such
an
i
i
j of time successor for regions, a central no
definition
operator can be easily computed on DBMs, and is a standard operation implemented
in several tools such as as UppAal [4] for more more than 15 years. Nevertheless, this
operator has been widely discussed in the recent literature since Bouyer has pointed out
21
several flaws in the proposed proofs of soundness [6]. Actually, the k-approximation
is sound when the timed automaton contains no diagonal constraints. Unfortunately,
k-approximation is not sound when the timed automaton contains diagonal constraints,
and no sound widening operator exists in this case.
In [6], Bouyer identifies some subclasses of timed automata for which the widening
operator is provably correct. The idea of the proof relies mainly on the definition of
another widening operator, called the closure by regions, which is shown to be sound.
The closure by regions of a zone Z, with respect to a set of regions R is defined as
the smallest set of regions from R that have a non-empty intersection with Z, i.e.
ClosureR (Z) = {r ∈ R | Z ∩ r 6= ∅}. Then, the proof concludes by showing that
Approxk (Z) is sound for some values of k (that are proved to exist) s.t.
Z ⊆ Approxk (Z) ⊆ ClosureR (Z).
(7)
In the perspective of bringing ECA from theory to implementation, provably correct
widening operators are necessary, since neither the forward nor the backward algorithm
terminate in general. We plan to adapt the k-approximation to ECA, and we believe
that we can follow the general idea of the proof in [6]. However, the proof techniques
will not be applicable in a straightforward way, for several reasons. First, the proof
of [6] relies on the following property, which holds in the case of timed automata: for
all zone Z and all location q: Post ((q, ClosureR (Z))) ⊆ ClosureR (Post ((q, Z))).
Unfortunately this is not the case in general with ECA. Indeed, consider the zone Z and
−−−−−−−−−→
the region r in Fig. 4 (a). Clearly, r is included in ClosureR (Z) but r is not included in
→
−
ClosureR ( Z ) (recall that prophecy clocks decrease with time elapsing). Moreover, the
definition of the k approximation will need to be adapted to the case of ECA. Indeed,
the second inclusion in (7) does not hold when using the k-approximation defined for
timed automata, which merely replaces all constants > k by ∞ in the constraints of
←
− −
→
the zone. Indeed, consider the event-zone Z defined
by xa + xa ≤ 2 in Fig. 4 (b),
together with the set of regions R = Reg C{a} , 1 . Clearly, with such a definition,
→ ≤ 2 would be replaced by ←
→ < ∞, which yields an
the constraint ←
x−a + −
x
x−a + −
x
a
a
approximation that intersects with r, and is thus not contained in ClosureR (Z). We
keep open for future works the definition of a provably correct adaptation of the kapproximation for ECA.
References
[1] R. Alur. Timed automata. In Proceedings of CAV’99, volume 1633 of Lecture
Notes in Computer Science, pages 8–22. Springer, 1999.
[2] R. Alur and D. Dill. A Theory of Timed Automata. Theoretical Computer Science, 126(2):183–236, 1994.
[3] R. Alur, L. Fix, and T. A. Henzinger. Event-clock automata: a determinizable
class of timed automata. Theoretical Computer Science, 211(1-2):253–273, 1999.
22
[4] G. Behrmann, A. David, K. G. Larsen, J. Håkansson, P. Pettersson, W. Yi, and
M. Hendriks. Uppaal 4.0. In Proceedings of QEST’06, pages 125–126. IEEE
Computer Society, 2006.
[5] R. Bellman. Dynamic Programming. Princeton university press, 1957.
[6] P. Bouyer. Forward analysis of updatable timed automata. Formal Methods in
System Design, 24(3):281–320, May 2004.
[7] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos:
A model-checking tool for real-time systems. In Proceedings of CAV’98, volume
1427 of Lecture Notes in Computer Science, pages 546–550. Springer, 1998.
[8] C. Daws and S. Tripakis. Model checking of real-time reachability properties
using abstractions. In B. Steffen, editor, Proceedings of TACAS’98, volume 1384
of Lecture Notes in Computer Science, pages 313–329. Springer, 1998.
[9] B. Di Giampaolo, G. Geeraerts, J. Raskin, and N. Sznajder. Safraless procedures
for timed specifications. In Proceedings of FORMATS’10, volume 6246 of Lecture Notes in Computer Science, pages 2–22. Springer, 2010.
[10] D. L. Dill. Timing assumptions and verification of finite-state concurrent systems.
In Proceedings of Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 197–212. Springer, 1989.
[11] C. Dima. Kleene theorems for event-clock automata. In Proceedings of FCT’99,
volume 1684 of Lecture Notes in Computer Science, pages 215–225. Springer,
1999.
[12] D. D’Souza and N. Tabareau. On timed automata with input-determined guards.
In Proccedings of FORMATS/FTRTFT’04, volume 3253 of Lecture Notes in
Computer Science, pages 68–83, 2004.
[13] J.-F. Raskin and P.-Y. Schobbens. The logic of event clocks: decidability, complexity and expressiveness. Automatica, 34(3):247–282, 1998.
[14] M. Sorea. Tempo: A model-checker for event-recording automata. In Proceedings of RT-TOOLS’01, Aalborg, Denmark, August 2001.
[15] N. Tang and M. Ogawa. Event-clock visibly pushdown automata. In Proceedings
of SOFSEM’09, volume 5404 of Lecture Notes in Computer Science, pages 558–
569. Springer, 2009.
23