Integer Reset Timed Automata: Clock Reduction and Determinizability
Lakshmi Manasa and Shankara Narayanan Krishna
Department of Computer Science & Engineering, IIT Bombay, Powai, Mumbai-76, India. {manasa,krishnas}@cse.iitb.ac.in

Abstract. In this paper, we propose a procedure that, given an integer reset timed automaton (IRTA) A, produces a language equivalent deterministic one clock IRTA B whose size is at most doubly exponential in the size of A. We prove that this bound on the number of locations is tight. Further, if integer resets are used in stopwatch automata, a subclass of stopwatch automata which is closed under all boolean operations and for which reachability is decidable is obtained.

It is well known that for timed automata [3], emptiness checking is PSPACE-complete. This has paved the way for using timed automata in the verification of real-time systems; several algorithms and tools have been built. Even though emptiness checking is decidable, the questions of universality and inclusion are undecidable for non-deterministic timed automata with more than one clock. Further, timed automata cannot be determinized. Investigations have shown that even restricted classes like the one considered in [1] have undecidable universality. Some of the known classes where timed automata can be effectively determinized are event clock automata (ECA) [4] and integer reset timed automata (IRTA) [10]. [5] gives a condition under which timed automata are determinizable: they give a procedure to obtain a language equivalent deterministic infinite timed tree corresponding to a timed automaton A, and A can be determinized if the number of clocks per node in this tree is bounded. ECA and IRTA fall into this category.

Integer reset timed automata were introduced in [10]. For a timed automaton A and an IRTA B, [10] and [11] decide the question "is L(A) ⊆ L(B)" with non-primitive recursive complexity and in EXPSPACE respectively.
[12] gives a technique for obtaining a language equivalent determinized one clock IRTA A′ from an IRTA A, with a triply exponential blow up in the number of locations. Subsequently, [13] proposes a technique to obtain from an IRTA or ε-IRTA A a one clock ε-IRTA, with a doubly exponential blow up in the number of locations. The result in [13] cannot be considered an improvement over the one in [12], since the final IRTA obtained has ε-moves (even when we start with an IRTA without ε-moves). The determinization technique suggested in [5], applied to an IRTA A, gives a deterministic timed automaton B (not an IRTA) whose size is doubly exponential in the size of A and which has ≤ c_m + 1 clocks, where c_m is the biggest constant used in the guards of A.

As the main result of this paper, we show that starting with an IRTA A, we can obtain a determinized one clock IRTA B whose size is doubly exponential in the size of A. Comparing this result to the earlier works of [12], [13] and [5], we note the following.
– Our technique is extremely simple in comparison to the δ − X theory used in [12], [13]. [13] introduces ε moves in the one clock IRTA obtained even when the initial IRTA did not have any, while [12] has a higher complexity.
– [5] gives rise to a deterministic timed automaton with c_m + 1 clocks, while we obtain a deterministic one clock IRTA.
– Finally, we prove that the doubly exponential bound is tight. This has not been established in any of these earlier works.
For any set S, S* (S^ω) denotes the set of all finite (infinite) strings over S, and S^∞ = S* ∪ S^ω. We consider as time domain T the set Q+ or R+ of non-negative rationals or reals, and Σ a finite set of actions. A time sequence over T is a finite (infinite) non-decreasing sequence t = (t_i)_{i ≥ 0}; for simplicity t_0 is always taken to be zero. For t ∈ T, int(t) and frac(t) represent its integral and fractional parts respectively. A timed word over Σ is defined as ρ = (σ, t), where σ = (σ_i)_{i ≥ 0} is a finite (infinite) sequence of symbols in Σ and t = (t_i)_{i ≥ 0} is a finite (infinite) sequence in T^∞. A timed language L is a set of timed words.

We consider a finite set of variables X called clocks. A clock valuation over X is a map ν : X → T mapping each clock x ∈ X to a time value; ν(x) represents the value assigned to the clock x by ν. For t ∈ T, the valuation ν + t is defined as (ν + t)(x) = ν(x) + t for all x ∈ X. The set of all clock valuations over X is denoted by T^X. For the set of clocks X, the set of constraints (guards) over X, denoted by C(X), is given by ϕ ::= x ∼ c | ϕ ∧ ϕ | ϕ ∨ ϕ, where c ∈ N and ∼ ∈ {<, ≤, >, ≥, =, ≠}. Clock constraints are interpreted over clock valuations. The relation ν ⊨ ϕ (valuation ν satisfies constraint ϕ) is defined as ν ⊨ x ∼ c iff ν(x) ∼ c, extended to ∧ and ∨ in the usual way. Clock constraints allow us to test the values of clocks. In order to change these values, we use the notion of resets. A reset φ is a subset of X which mentions which set of clocks are reset. ν′ = ν[φ := 0] denotes ν′(z) = ν(z) for all z ∈ X \ φ and ν′(y) = 0 for all y ∈ φ. The set of all possible resets is 2^X, the set of all subsets of X.

Timed Automata: A timed automaton [3] is a tuple A = (L, L_0, Σ, X, E, F) where L is a finite set of locations; L_0 ⊆ L is a set of initial locations; Σ is a finite set of symbols; X is a finite set of clocks; E ⊆ L × L × Σ × C(X) × 2^X is the set of transitions; and F ⊆ L is a set of final locations.
C(X) and 2^X are the sets of clock constraints and clock resets as described above. An edge e = (l, l′, a, ϕ, φ) represents a transition from l to l′ on symbol a, with the valuation ν ∈ T^X satisfying the guard ϕ, and φ gives the set of clocks that are reset. For a location l and valuation ν, (l, ν) is called a state of A.

A path is a finite (infinite) sequence of consecutive transitions. The path is said to be accepting if it starts in an initial location (l_0 ∈ L_0) and ends in a final location (or repeats a final location infinitely often). A run r through a path from a valuation ν′_0 (with ν′_0(x) = 0 for all x) is a sequence (l_0, ν′_0) −t_1→ (l_0, ν_1) −(σ_1, ϕ_1, φ_1)→ (l_1, ν′_1) −t_2→ (l_1, ν_2) −(σ_2, ϕ_2, φ_2)→ (l_2, ν′_2) ··· (l_n, ν′_n). Note that ν_i = ν′_{i−1} + (t_i − t_{i−1}), ν_i ⊨ ϕ_i, and ν′_i = ν_i[φ_i := 0] for i ≥ 1.

The timed word corresponding to r is ρ = (σ_1, t_1)(σ_2, t_2) ··· (σ_n, t_n). A timed word ρ is accepted by A iff there exists an accepting run (through an accepting path) of A whose corresponding word is ρ. The timed language L(A) accepted by A is defined as the set of all timed words accepted by A. In the following sections, we look at finite timed words.

Region Automata: Given a set X of clocks, let R be a partitioning of T^X. Each partition contains a set (possibly infinite) of clock valuations. Given α ∈ R, the successors of α, represented by Succ(α), are defined by α′ ∈ Succ(α) if ∃ν ∈ α, ∃t ∈ T such that ν + t ∈ α′. The partition R is said to be a set of regions iff α′ ∈ Succ(α) ⟺ ∀ν ∈ α, ∃t ∈ T such that ν + t ∈ α′. A set of regions is thus consistent with time elapse: two valuations which are equivalent (within the same partition) stay equivalent under time elapse. A region α ∈ R is said to satisfy a clock constraint ϕ ∈ C(X), denoted α ⊨ ϕ, if ∀ν ∈ α, ν ⊨ ϕ. A clock reset φ ∈ 2^X maps a region α to a region α[φ := 0] = α′ such that α′ ∩ {ν[φ := 0]} ≠ ∅ for some ν ∈ α. A set of regions R is said to be compatible with a set of clock constraints C(X) iff ∀ϕ ∈ C(X) and ∀α ∈ R exactly one of the following holds: (a) α ⊨ ϕ or (b) α ⊨ ¬ϕ. A set of regions R is said to be compatible with a set of clock resets 2^X iff α′ = α[φ := 0] ⇒ ∀ν ∈ α, ∃ν′ ∈ α′ such that ν′ = ν[φ := 0].

Given a timed automaton A and a set of regions R compatible with C(X) and 2^X, the region automaton R(A) = (Q, Q_0, Σ, E′, F′) is defined as follows: Q = L × R is the set of locations; Q_0 = L_0 × {α_0} (α_0 is the region where ν(x) = 0 for all x ∈ X) is the set of initial locations; F′ = F × R ⊆ Q is the set of final locations; E′ ⊆ (Q × Σ × Q) is the set of edges.
(l, α) −a→ (l′, α′) is an edge in E′ if ∃α″ ∈ R and a transition (l, l′, a, ϕ, φ) ∈ E such that (a) α″ ∈ Succ(α), (b) α″ ⊨ ϕ and (c) α′ = α″[φ := 0]. The region automaton [3] is an abstraction of the timed automaton accepting Untime(L(A)).

Theorem 1. Let A be a timed automaton. Then the problem of checking emptiness of L(A) is decidable. [3]

An integer reset timed automaton (IRTA) [10] is a timed automaton A = (L, L_0, Σ, X, E, F) with the restriction that for every e = (l, l′, a, ϕ, φ) ∈ E, if φ ≠ ∅ then ϕ contains at least one atomic clock constraint x = c for some x ∈ X, c ∈ N. The clock constraint x = c in the guard of a resetting transition ensures that all the resets happen at integer time units (see also Lemma 1). The timed automaton A shown in Figure 2.1 is an IRTA.

Fig. 2.1. IRTA A. [Figure residue: locations S, T; edge labels a, x ≤ …; a, x = 1?, y := 0; b, y = 1?, x := 0.]

Lemma 1. [11] Let A = (L, L_0, Σ, X, E, F) be an IRTA and ν be a clock valuation in any given run of A. Then ∀x, y ∈ X, frac(ν(x)) = frac(ν(y)).

In this section, we look at the regions R of an IRTA. Given a set X of clocks, let R be a finite partitioning of T^X. The notions of successor of a region, compatibility with guards and compatibility with resets are the same as mentioned earlier. Let c_m ∈ N be the maximum constant occurring in the guards C(X) of the IRTA A. For the set of clocks X, define a set of intervals I as
I = {[c] | 0 ≤ c ≤ c_m} ∪ {(c, c + 1) | 0 ≤ c < c_m} ∪ {(c_m, ∞)}.
We denote the clock interval of t ∈ T as ⟨t⟩_I. For example, if c_m = 2, then ⟨t⟩_I = [1] when t = 1, ⟨t⟩_I = (1, 2) when 1 < t < 2, and ⟨t⟩_I = (2, ∞) when t > 2.

Let α be a tuple ((I_x)_{x ∈ X}, ≺) where (i) I_x ∈ I is the clock interval of x ∈ X, and (ii) ≺ is a total preorder on the set {x ∈ X | I_x is of the form (c, c + 1)}. The region associated with α is the set of valuations ν ∈ T^X such that for all x ∈ X, ν(x) ∈ I_x, and for all x, y in that set, x ≺ y iff frac(ν(x)) ≤ frac(ν(y)). Since the fractional parts of all clocks are always the same (Lemma 1), we can drop the preorder ≺ and consider α to be ((I_x)_{x ∈ X}). For x ∈ X, α(x) = I_x. The set of all such tuples α partitions T^X, and this is the set we consider to be R. For a valuation ν, the clock region it belongs to is denoted as ⟨ν⟩_R. For example, if c_m = 3, 2 < ν(x) < 3 and 1 < ν(y) < 2, then ⟨ν⟩_R = ((2, 3), (1, 2)). We drop the subscripts in ⟨t⟩_I and ⟨ν⟩_R whenever they are clear from the context.

Consider the set of clock intervals I and the set of clock regions R defined for the set of clocks X with the maximum clock constant being c_m. For two clock intervals I_1, I_2 ∈ I, we define I_1 + I_2 as the clock interval I ∈ I such that ∀t_1 ∈ I_1, ∀t_2 ∈ I_2, ∃t ∈ I such that t = t_1 + t_2. For a clock region α = ({I_x}_{x ∈ X}) ∈ R and a clock interval I ∈ I, we define α + I as the region ({I_x + I}_{x ∈ X}).

Definition 1.
Two timed words ρ = (σ_1, t_1)(σ_2, t_2) ··· (σ_n, t_n) and ρ′ = (σ′_1, t′_1)(σ′_2, t′_2) ··· (σ′_n, t′_n) are said to be equivalent, denoted by ρ ≅ ρ′, iff for all i the following holds: (1) σ_i = σ′_i, and (2) int(t_i) = int(t′_i) and frac(t_i) = 0 iff frac(t′_i) = 0.

Lemma 2. [11] If A is an IRTA and ρ ≅ ρ′ then ρ ∈ L(A) iff ρ′ ∈ L(A).

Consider the timed automaton A in Figure 2.2 and two timed words ρ = (a, …)(c, ….5) and ρ′ = (a, …)(c, …) such that ρ ≅ ρ′. However ρ ∈ L(A) while ρ′ ∉ L(A). This shows that Lemma 2 need not hold for a timed automaton which is not an IRTA.

Fig. 2.2. Timed automaton A which is not an IRTA. [Figure residue: locations S, T, U; edge labels y := 0; a, … < x, y < …, x := 0; b, … < y ≤ …; c, y = 1?.]

Integral, Non-integral, Saturated region: Let α = ((I_x)_{x ∈ X}) ∈ R and let X_m ⊆ X be such that ∀x ∈ X_m, I_x = (c_m, ∞). (i) α is said to be saturated if X_m = X; (ii) α is said to be integral if X_m ⊂ X and ∀x ∈ X \ X_m, I_x is of the form [c]; and (iii) α is said to be non-integral if X_m ⊂ X and ∀x ∈ X \ X_m, I_x is of the form (c, c + 1). If A is an IRTA and α is a region of A, then α can be classified as one of integral, non-integral or saturated (Lemma 1 implies this). The union of the integral and saturated regions is denoted by R_I. Following [7], we have

Lemma 3.
The set R of IRTA regions forms a set of regions. R is compatible with the clock constraints C(X) and with the set 2^X of clock resets.

In this section, we give a technique to obtain, given an IRTA A with k ≥ 1 clocks, a language equivalent IRTA A_1 with one clock n. As the constraints in A_1 are over a single clock n, we can consider each constraint to be a disjunction of clock intervals from the set I. For example, a constraint n ≥ 1 ∧ n ≤ 2 on a transition from s to t can be expressed as three transitions from s to t on n ∈ [1], n ∈ (1, 2) and n ∈ [2] respectively. Let c_m be the maximum constant used in the guards of A. Given a clock region α of A and a constraint ϕ_n of the form n ∈ I_n, α + ϕ_n consists of the valuations obtained by adding I_n to each interval I_x in α (as defined in Section 2). For example, if α = (1 < x < 2, 0 < y < 1) and ϕ_n = n ∈ [1], then α + ϕ_n consists of the valuations (2 < x < 3, 1 < y < 2). For a constraint ϕ over X, the relation α + ϕ_n ⊨ ϕ holds iff ν ⊨ ϕ for all ν ∈ α + ϕ_n. So, if ϕ is y > 2, then in the example above, α + ϕ_n ⊭ ϕ. However, α + ϕ_n ⊨ y > 1. This notation will be used in the following construction.
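To make the run semantics of Section 2, Lemma 1 and the word equivalence of Definition 1 and Lemma 2 concrete, the following Python program (an added example, not code from the paper) simulates the runs of a timed automaton on a timed word with exact rational arithmetic, checks the IRTA condition on resetting edges, and tests the equivalence of Definition 1. The IRTA A of Figure 2.1 is encoded as read from the text; the constant 1 on the self-loop guard, the single initial location S and the final location T are assumptions. The second automaton, `NON_IRTA`, and all timed words are constructed here to show that Lemma 2 can fail once a reset happens at a non-integer time, which is the point of the Figure 2.2 example.

```python
"""Runs of timed automata on timed words, the IRTA condition, and the
timed-word equivalence of Definition 1 (added example, not the paper's code)."""
from fractions import Fraction as Fr
from math import floor

# An automaton is a dict with clocks, init (one initial location, an
# assumption), final, and edges (src, dst, symbol, guard, resets).  A guard is
# a conjunction of atoms (clock, op, c) with c a natural number, as in C(X).
OPS = {'<': lambda a, b: a < b, '<=': lambda a, b: a <= b, '=': lambda a, b: a == b,
       '!=': lambda a, b: a != b, '>': lambda a, b: a > b, '>=': lambda a, b: a >= b}

def satisfies(nu, guard):
    """nu |= guard for a conjunction of atomic constraints."""
    return all(OPS[op](nu[x], c) for x, op, c in guard)

def is_irta(A):
    """IRTA condition: every resetting edge carries some atom x = c."""
    return all(any(op == '=' for _, op, _ in guard)
               for _, _, _, guard, resets in A['edges'] if resets)

def states_after(A, word):
    """All states (l, nu) reachable by reading (a1,t1)...(an,tn) from (l0, 0).
    Nondeterminism is handled by tracking a set of states; the delay before
    the i-th symbol is t_i - t_{i-1} with t_0 = 0."""
    clocks = A['clocks']
    states = {(A['init'], tuple(Fr(0) for _ in clocks))}
    prev = Fr(0)
    for a, t in word:
        t = Fr(t)
        delay, prev = t - prev, t
        nxt = set()
        for l, vals in states:
            nu = {x: v + delay for x, v in zip(clocks, vals)}   # time elapse
            for src, dst, sym, guard, resets in A['edges']:
                if src == l and sym == a and satisfies(nu, guard):
                    nxt.add((dst, tuple(Fr(0) if x in resets else nu[x] for x in clocks)))
        states = nxt
    return states

def accepts(A, word):
    return any(l in A['final'] for l, _ in states_after(A, word))

def fractional_parts_agree(A, word):
    """Lemma 1 check on the valuations reached after every prefix of the word:
    all clocks have the same fractional part."""
    for i in range(1, len(word) + 1):
        for _, vals in states_after(A, word[:i]):
            if len({v - floor(v) for v in vals}) > 1:
                return False
    return True

def equivalent(w1, w2):
    """Definition 1: same symbols, same integral parts, and a fractional part
    of zero in one word exactly when it is zero in the other."""
    if len(w1) != len(w2):
        return False
    for (a1, t1), (a2, t2) in zip(w1, w2):
        t1, t2 = Fr(t1), Fr(t2)
        if a1 != a2 or floor(t1) != floor(t2) or (t1 == floor(t1)) != (t2 == floor(t2)):
            return False
    return True

# The IRTA A of Figure 2.1 as read from the paper (x <= 1 on the self-loop,
# initial S and final T are our assumptions).
FIG21 = {'clocks': ['x', 'y'], 'init': 'S', 'final': {'T'}, 'edges': [
    ('S', 'S', 'a', [('x', '<=', 1)], frozenset()),
    ('S', 'T', 'a', [('x', '=', 1)], frozenset({'y'})),
    ('T', 'S', 'b', [('y', '=', 1)], frozenset({'x'}))]}

# A constructed non-IRTA: the reset of y on the a-edge has no x = c atom, so
# the later guard y = 1 depends on the exact (non-integer) time of that reset.
NON_IRTA = {'clocks': ['x', 'y'], 'init': 'S', 'final': {'U'}, 'edges': [
    ('S', 'T', 'a', [('x', '>', 0), ('x', '<', 1)], frozenset({'y'})),
    ('T', 'U', 'c', [('y', '=', 1)], frozenset())]}

# Constructed timed words; W1 ~ W2 and W3 ~ W4 in the sense of Definition 1.
W1 = [('a', Fr(1, 2)), ('a', 1), ('a', 1), ('b', 2), ('a', 3)]
W2 = [('a', Fr(1, 3)), ('a', 1), ('a', 1), ('b', 2), ('a', 3)]
W3 = [('a', Fr(1, 2)), ('c', Fr(3, 2))]
W4 = [('a', Fr(4, 5)), ('c', Fr(3, 2))]

if __name__ == '__main__':
    print(is_irta(FIG21), accepts(FIG21, W1), accepts(FIG21, W2))
    print(is_irta(NON_IRTA), accepts(NON_IRTA, W3), accepts(NON_IRTA, W4))
```

On the IRTA, the equivalent words W1 and W2 are both accepted (only the first time stamp differs, and it is tested by x ≤ 1 alone), and every valuation reached along the way has equal fractional parts on x and y. On `NON_IRTA` the equivalent words W3 and W4 are distinguished, because y is reset at 1/2 in one case and at 4/5 in the other, so y = 1 holds at time 3/2 only for W3.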
Given an IRTA A = (L, L_0, Σ, X, E, F), construct a one clock IRTA A_1 = (L_1, L_1^0, Σ, {n}, E_1, F_1) as follows:
– L_1 ⊆ L × R_I, where R_I is the set of integral and saturated regions;
– L_1^0 = L_0 × {α_0}, where α_0 = ([0], [0], ··· , [0]);
– F_1 ⊆ F × R_I;
– E_1 ⊆ L_1 × Σ × I × 2^{{n}} × L_1 is the set of transitions. A transition (l, α) −a, ϕ_n, φ_n→ (l′, α′) is in E_1 iff there exists a transition l −a, ϕ, φ→ l′ in E such that
  • α + ϕ_n ⊨ ϕ,
  • α′ = (α + ϕ_n)[φ := 0] if φ ≠ ∅, and α′ = α if φ = ∅,
  • φ_n = {n} iff φ is non-empty.

Fig. 3.1. One clock IRTA A_1 corresponding to the IRTA A in Figure 2.1. S01 denotes (S, (x = 0, y = 1)). [Figure residue: locations S00, T10, S01; edge labels a, n ≤ …; a, n = 1?, n := 0; b, n = 1?, n := 0; a, n = 1?, n := 0; a, n ≤ ….]

By construction, the region component α in the locations (l, α) of A_1 is updated only whenever a reset happens in A. Since resets happen only at integer time units, the region components are always integral. A reset in A results in resetting n in A_1; the value of n is otherwise the time elapsed between two resets. Next, we prove that A and A_1 accept the same timed language. In the following proof, we represent a state ((l, α), µ) of A_1 as (l, α, µ) and use the notation ν = α + µ to represent that for all x ∈ X, ν(x) = c_x + µ(n), where [c_x] = α(x).

Theorem 2.
Let A be an IRTA and let A_1 be the one clock IRTA obtained using the above construction. Then L(A) = L(A_1).

Proof. L(A) ⊆ L(A_1): Consider a run (l_0, ν′_0) −t_1→ (l_0, ν_1) −σ_1, ϕ_1, φ_1→ (l_1, ν′_1) in A of length one. By construction of A_1, there is a run (l_0, α_0, µ′_0) −t_1→ (l_0, α_0, µ_1) −σ_1, ϕ_n, φ_n→ (l_1, α_1, µ′_1) where µ′_0 = 0 and α_0 + ϕ_n ⊨ ϕ_1, ϕ_n being n ∈ ⟨t_1⟩. Also, ν′_0 = α_0 + µ′_0, ν_1 = α_0 + µ_1 and ν′_1 = α_1 + µ′_1, irrespective of φ_1.

Assume the result for all runs of length < m, and consider a run of A of length m. Let (l_0, ν′_0) −t_1→ (l_0, ν_1) −σ_1, ϕ_1, φ_1→ (l_1, ν′_1) ... −t_{m−1}→ (l_{m−2}, ν_{m−1}) −σ_{m−1}, ϕ_{m−1}, φ_{m−1}→ (l_{m−1}, ν′_{m−1}) −t_m→ (l_{m−1}, ν_m) −σ_m, ϕ_m, φ_m→ (l_m, ν′_m) be a run in A corresponding to (σ_1, t_1) ... (σ_m, t_m). Consider the subrun (l_0, ν′_0) −t_1→ (l_0, ν_1) −σ_1, ϕ_1, φ_1→ (l_1, ν′_1) ... −σ_{m−1}, ϕ_{m−1}, φ_{m−1}→ (l_{m−1}, ν′_{m−1}). By the induction hypothesis, we can obtain a run of length m − 1 in A_1 which ends in (l_{m−1}, α_{m−1}, µ′_{m−1}). The subrun in A extends as (l_{m−1}, ν′_{m−1}) −t_m→ (l_{m−1}, ν_m) −σ_m, ϕ_m, φ_m→ (l_m, ν′_m). We know that ν_m ⊨ ϕ_m and ν_m = ν′_{m−1} + (t_m − t_{m−1}). From the induction hypothesis, we also know that ν′_{m−1} = α_{m−1} + µ′_{m−1}. Hence there exist edges (l_{m−1}, α_{m−1}, µ′_{m−1}) −t_m→ (l_{m−1}, α_{m−1}, µ_m) −σ_m, ϕ_n, φ_n→ (l_m, α_m, µ′_m). Since ν_m = α_{m−1} + µ_m ⊨ ϕ_m and α_{m−1} + ϕ_n ⊨ ϕ_m, we have ϕ_n = n ∈ ⟨µ_m(n)⟩ and ν′_m = α_m + µ′_m. Clearly, (σ_1, t_1) ... (σ_m, t_m) is in L(A_1) whenever it is in L(A). See Appendix A for an example.

L(A_1) ⊆ L(A): The above argument can be traced backward to argue this. ⊓⊔

Fig. 3.2. [Figure residue: locations S, T(0, ·), S, S, U(0, ·); edge labels n := 0; a, … < n < …; n := 0; b, … < n < …; a, … < n < …; n := 0; c, n = 1?; n := 0; b, n = 1?.]
Fig. 3.2 (caption). One clock automaton for the timed automaton in Figure 2.2. T(0, ·) denotes (T, (0 < x < …, y = 0)).

However, it must be noted that this technique works because A is an IRTA. The fact that resets happen at globally integral times has helped us retain in n the time elapsed between two resets. See the automaton in Figure 3.2, which is obtained by applying the above technique to the timed automaton A in Figure 2.2. In Figure 3.2, consider the location [S, …] and its outgoing edge on a. To satisfy 0 < x, y < 1, we need to know the exact value of y. This can be achieved by (1) having a fresh clock containing the value of y, or (2) remembering the value of y in the location. Option (2) would give rise to infinitely many locations in place of [S, …].

Complexity. The definition of A_1 shows that the number of locations is at most |L| × |R_I| = |L| × (c_m + 2)^{|X|}. However, E_1 reveals that the region part of (l, α) changes only if the corresponding edge in A resets at least one clock. Hence all the locations in L_1 have integral regions with at least one of the clocks having the interval [0]. Thus the total number of locations in A_1 is |L_1| ≤ |L| · [(c_m + 2)^{|X|} − (c_m + 1)^{|X|}]. Lemma 4 shows that this bound is indeed tight.

Lemma 4. There is an IRTA A such that the smallest one clock IRTA A_1 corresponding to it has exactly |L| · [(c_m + 2)^{|X|} − (c_m + 1)^{|X|}] locations, where L is the set of locations of A, X is the set of clocks of A and c_m is the maximum constant used in the guards of A.

Proof. Consider the IRTA A = (L, L_0, Σ, X, E, F) in Figure 3.3 having two clocks. The one clock IRTA A′ in Figure 3.3 has exactly |L| · [(c_m + 2)^{|X|} − (c_m + 1)^{|X|}] locations.

Fig. 3.3. Deterministic IRTA A and its one clock IRTA A′. [Figure residue: locations S, S, S+, S, S+ and s; d-labelled edges; edge labels c_x, n = 0?; b_x, n = 1?, n := 0; c_y, n = 0?; b_y, n = 1?, n := 0; a_x, n = 1?, n := 0; b_x, n = 1?, n := 0; a_y, n = 1?, n := 0; b_y, n = 1?, n := 0.]

The symbols d represent the following timed transitions: d ::= a_x, x = y = 1?, x := 0; d ::= a_y, x = y = 1?, y := 0; d ::= c_x, x = 0 ∧ y > …; d ::= c_y, y = 0 ∧ x > …; d ::= b_y, x > … ∧ y = 1?, y := 0; d ::= b_x, x = 1 ∧ y > …, x := 0. + denotes all values > …. L(A) = {(a_x, …), (a_y, …), (a_x, …)(b_x, …), (a_y, …)(b_y, …), (a_x, …)(b_x, …)(c_x, …)(b_x, …), (a_y, …)(b_y, …)(c_y, …)(c_y, …), ...}. Clearly, untime(L(A)) = a_x (b_x c_x*)* + a_y (b_y c_y*)*. It is easy to see that the minimal (deterministic, not complete) automaton D accepting untime(L(A)) requires 5 locations (use the standard Myhill-Nerode argument). Decorating this with appropriate constraints (see below), we obtain a one clock IRTA A′ accepting L(A).

To argue that A′ is the smallest one clock IRTA accepting L(A) is easy: (1) to accept (a_x, …) and (a_y, …) we need locations s, t (s is the initial location) with s −a_x, a_y, n = 1?, n := 0→ t; (2) to accept (a_x, …)(b_x, …) we could reuse n on the transition from s to t and add t −b_x, n = 1?→ s. But this would mean accepting illegal words like (a_y, …)(b_x, …) and (a_y, …)(b_x, …)(a_x, 2) as well, hence we need to add new locations u, v and replace s −a_y, n = 1?, n := 0→ t with s −a_y, n = 1?, n := 0→ u, and replace t −b_x, n = 1?→ s with t −b_x, n = 1?, n := 0→ v; (3) after (2), to accept (a_x, …)(b_x, …)(b_x, …) ... (b_x, n) ..., we need a loop on b_x resetting n every time n = 1. This is easily done by adding v −b_x, n = 1?, n := 0→ v. To incorporate any number of c_x's without time elapse, we also add v −c_x, n = 0?→ v. A similar argument will show that we need one more location w to take care of b_y, c_y. It can be seen that what we obtain is precisely A′.
⊓⊔

In this section, we give a technique to obtain from an IRTA A a one clock deterministic IRTA A_d. Given an IRTA A = (L, L_0, Σ, X, E, F), a language equivalent one clock deterministic IRTA A_d = (L_d, L_d^0, Σ, {n}, E_d, F_d) is constructed as follows:
– L_d ⊆ 2^{L × R_I}, where R_I is the set of integral and saturated regions;
– L_d^0 = {L_0 × {α_0}}, where α_0 = ([0], [0], ··· , [0]);
– F_d = {A ∈ L_d | A contains some (l, α) with l ∈ F};
– E_d ⊆ L_d × Σ × I × 2^{{n}} × L_d is the set of transitions. Let A = {(l_1, α_1), ..., (l_n, α_n)}. A transition A −a, ϕ_d, φ_d→ B is in E_d iff
  • for each (l_i, α_i) ∈ A, if there exists in E an edge l_i −a, ϕ_i, φ_i→ l′_i such that α_i + ϕ_d ⊨ ϕ_i, then (l′_i, α′_i) ∈ B;
  • φ_d = {n} iff φ_i ≠ ∅ for some i ∈ {1, 2, ..., n};
  • if φ_d = {} then α′_i = α_i for all i. If φ_d = {n}, then α′_i = (α_i + ϕ_d)[φ_i := 0] when φ_i ≠ {}, and α′_i = α_i + ϕ_d when φ_i = {}.

Figure 3.4 gives the deterministic one clock IRTA A_d obtained for the IRTA A in Figure 2.1. Note that the same can be achieved by determinising A_1 (of Figure 3.1) in the same way (see Appendix B).

The technique outlined above is very similar to the one studied in Section 3.1, except that it performs subset construction along with clock reduction. For example, consider the automata A, A_1 and A_d in Figures 2.1, 3.1 and 3.4 respectively. A is non-deterministic at the location S on a when x = 1, since it has two edges, one to S itself and the other to T which resets y. A_1 focuses only on clock reduction and retains this non-determinism at location S00 on a when n = 1 by having two edges, one to S00 and the other to T10. However, A_d is obtained by performing subset construction along with clock reduction. Thus in A_d the edge corresponding to the non-deterministic edges is {S00} −a, n = 1?, n := 0→ {S11, T10}. We update the region component of S00 to S11 in the target state to reflect the difference between the values of x in locations S and T in A after the edge. Hence, the edge a, n = 0? from {S11, T10} (due to S11) requires no time elapse, as a is valid from S when x = 1 (which is the value of x in S11).

Fig. 3.4. Deterministic one clock IRTA A_d corresponding to the IRTA in Figure 2.1. [Figure residue: location labels S00, S11, T10, S01, S1+, T10; edge labels a, n < …, n := 0; a, n = 1?, n := 0; b, n = 1?; a, n < …, n := 0; a, n = 1?, n := 0; b, n = 1?; a, n = 0?; a, n = 0?.]

Theorem 3. Let A be an IRTA and let A_d be the deterministic one clock IRTA constructed above. Then L(A) = L(A_d).

The proof is similar to the proof of Theorem 2, taking into consideration the subset construction.

Complexity. From the definition of A_d given above, L_d ⊆ 2^{L × R_I}. Hence |L_d| ≤ 2^{|L| ∗ |R_I|} − 1 = 2^{|L| ∗ (c_m + 2)^{|X|}} − 1.

Lemma 5. There is a non-deterministic IRTA A such that the smallest deterministic one clock IRTA A_d corresponding to it has exactly 2^{|L| ∗ (c_m + 2)^{|X|}} − 1 locations, where L is the set of locations of A, X is the set of clocks of A and c_m is the maximum constant used in the guards of A.

Proof. See Appendix C. ⊓⊔

We have given a simple and elegant technique to determinize the class IRTA and to reduce the number of clocks. The complexity bound we obtain is also optimal. If we allow ε moves in the IRTA A, we can follow the clock reduction technique explained above by treating ε as a special symbol.

Stopwatches are variables whose rate of growth is either 0 or 1. Stopwatch automata (SWA) [8], obtained by adding stopwatches to timed automata, render reachability undecidable while being expressively equivalent to linear hybrid automata [2]. Reachability is decidable for interrupt timed automata (ITA) [6], a variant of SWA with linear constraints, linear updates and restrictions on rates of growth and on the use of stopwatches in updates as well as constraints. To the best of our knowledge, this is the only known decidable variant of SWA.
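The clock reduction of Section 3.1 and the determinization of Section 3.2 differ only in whether the region bookkeeping is done per location or per set of locations, so the following Python program (an added example, not code from the paper) implements both over one set of helpers: the interval set I of Section 2, the interval addition α + I used for the α + ϕ_n notation (restricted to integral and saturated regions, the only ones that arise, as remarked after Figure 3.1), guard satisfaction on regions, the one clock construction, and the subset construction with clock reduction. It is run on the IRTA A of Figure 2.1 as read from the text; the constant 1 on the self-loop guard and the single initial location S are assumptions. It reproduces the locations S00, T10 and S01 of Figure 3.1 and the transition {S00} on a, n = 1? to {S11, T10} described above; `location_bound` is the bound |L| · [(c_m + 2)^|X| − (c_m + 1)^|X|] from the complexity paragraph of Section 3.1.

```python
"""Clock reduction (Section 3.1) and determinization with clock reduction
(Section 3.2) over integral regions; added example, not the paper's code."""
from collections import deque
from math import inf

# An interval of I is (lo, hi, lo_open, hi_open): [c], (c, c+1) or (cm, inf).
ZERO = (0, 0, False, False)

def intervals(cm):
    """The interval set I for maximum constant cm."""
    return ([(c, c, False, False) for c in range(cm + 1)]
            + [(c, c + 1, True, True) for c in range(cm)] + [(cm, inf, True, True)])

def add_interval(a, b, cm):
    """a + b for a integral ([c]) or saturated and b any interval of I; a sum
    that leaves [0, cm] collapses into the saturated interval (cm, inf)."""
    assert a[0] == a[1] or a[1] == inf, "only integral/saturated regions are shifted"
    if a[1] == inf or b[1] == inf:
        return (cm, inf, True, True)
    lo, hi = a[0] + b[0], a[1] + b[1]
    return (cm, inf, True, True) if lo > cm or (b[2] and lo >= cm) else (lo, hi, b[2], b[3])

def holds(iv, op, c):
    """Does every value of the interval satisfy the atom (. op c)?"""
    lo, hi, lo_open, hi_open = iv
    inside = lo < c < hi or (lo == c and not lo_open) or (hi == c and not hi_open)
    return {'=': lo == hi == c, '!=': not inside, '<=': hi <= c, '>=': lo >= c,
            '<': hi < c or (hi == c and hi_open), '>': lo > c or (lo == c and lo_open)}[op]

def enabled(A, l, alpha, a, I):
    """Edges of A leaving l on a whose guard holds on alpha + I, yielded as
    (target location, alpha + I, resets)."""
    shifted = tuple(add_interval(iv, I, A['cm']) for iv in alpha)
    for src, dst, sym, guard, resets in A['edges']:
        if src == l and sym == a and all(
                holds(shifted[A['clocks'].index(x)], op, c) for x, op, c in guard):
            yield dst, shifted, resets

def reset(A, region, resets):
    return tuple(ZERO if x in resets else iv for x, iv in zip(A['clocks'], region))

def clock_reduce(A):
    """Section 3.1: locations (l, alpha), edges ((l, alpha), a, I_n, reset_n, target).
    The region component changes only on A-edges that reset some clock."""
    start = (A['init'], tuple(ZERO for _ in A['clocks']))
    seen, todo, edges = {start}, deque([start]), []
    while todo:
        l, alpha = todo.popleft()
        for a in {e[2] for e in A['edges']}:
            for I in intervals(A['cm']):
                for dst, shifted, resets in enabled(A, l, alpha, a, I):
                    target = (dst, reset(A, shifted, resets) if resets else alpha)
                    edges.append(((l, alpha), a, I, bool(resets), target))
                    if target not in seen:
                        seen.add(target); todo.append(target)
    return seen, edges

def determinize(A):
    """Section 3.2: subset construction with clock reduction.  If any enabled
    edge resets, n is reset and the non-resetting members of the set absorb
    the elapsed interval into their region instead."""
    start = frozenset({(A['init'], tuple(ZERO for _ in A['clocks']))})
    seen, todo, edges = {start}, deque([start]), {}
    while todo:
        S = todo.popleft()
        for a in {e[2] for e in A['edges']}:
            for I in intervals(A['cm']):
                moves = [(alpha, m) for l, alpha in S for m in enabled(A, l, alpha, a, I)]
                if not moves:
                    continue
                reset_n = any(res for _, (_, _, res) in moves)
                B = frozenset((dst, alpha if not reset_n else
                               reset(A, shifted, res) if res else shifted)
                              for alpha, (dst, shifted, res) in moves)
                edges[(S, a, I)] = (reset_n, B)   # one successor per (S, a, I_n)
                if B not in seen:
                    seen.add(B); todo.append(B)
    return seen, edges

def name(loc):
    """S00-style names: [c] becomes 'c' and (cm, inf) becomes '+'."""
    return loc[0] + ''.join('+' if iv[1] == inf else str(iv[0]) for iv in loc[1])

def location_bound(A):
    """|L| * [(cm+2)^|X| - (cm+1)^|X|] from the complexity paragraph of Section 3.1."""
    cm, k = A['cm'], len(A['clocks'])
    return len(A['locations']) * ((cm + 2) ** k - (cm + 1) ** k)

# The IRTA A of Figure 2.1 as read from the text; the constant 1 on the
# self-loop guard and the single initial location S are assumptions.
FIG21 = {'locations': ['S', 'T'], 'clocks': ['x', 'y'], 'cm': 1, 'init': 'S', 'edges': [
    ('S', 'S', 'a', [('x', '<=', 1)], frozenset()),
    ('S', 'T', 'a', [('x', '=', 1)], frozenset({'y'})),
    ('T', 'S', 'b', [('y', '=', 1)], frozenset({'x'}))]}

def one_clock_names(A):
    return sorted(name(loc) for loc in clock_reduce(A)[0])

def deterministic_names(A):
    return sorted(sorted(name(loc) for loc in S) for S in determinize(A)[0])

if __name__ == '__main__':
    print(one_clock_names(FIG21), deterministic_names(FIG21), location_bound(FIG21))
```

A guard n ≤ 1 of Figure 3.1 appears here as three separate edges on n ∈ [0], n ∈ (0, 1) and n ∈ [1], exactly as the text prescribes for constraints over the single clock n; the one clock automaton for Figure 2.1 has 3 locations against the bound of 10, and the determinized automaton has 4 location sets, one of which is the {S11, T10} reached from {S00} on a, n = 1? with n reset.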
In this section, we explore the idea of integer resets in the context of stopwatch automata and define Integer Reset Stopwatch Automata (IRSA). We show that reachability is decidable for IRSA if diagonal constraints are not allowed. Further, in the absence of diagonal constraints, IRSA is determinizable and closed under complementation, union and intersection. Undecidability of reachability for IRSA with diagonal constraints indicates that IRSA and ITA are incomparable.

An integer reset stopwatch automaton (IRSA) is a stopwatch automaton A = (L, L_0, Σ, X, Z, E, F, η) where (i) L, L_0, F, X and Σ are the same as in timed automata; (ii) Z is a set of stopwatches; (iii) η : L → {0, 1}^{|Z|} assigns the rate of growth of stopwatches in locations; (iv) E ⊆ L × L × Σ × C(X ∪ Z) × 2^{X ∪ Z} is the set of transitions such that for every e = (l, l′, a, ϕ, φ) ∈ E, whenever φ ≠ ∅ or η(l) ≠ η(l′), ϕ consists of at least one atomic clock constraint of the form (a) x = c for some x ∈ X, c ∈ N, or (b) z = c for some z ∈ Z, c ∈ N, provided η(l)(z) = 1.

The valuation of all variables is ν : X ∪ Z → T. Time elapse of t units in a location l ∈ L, denoted ν + t, is as earlier (in Section 2) for clocks. For stopwatches it is defined as: ∀z ∈ Z, (ν + t)(z) is ν(z) + t if η(l)(z) = 1, and is ν(z) if η(l)(z) = 0. Constraint satisfaction ν ⊨ ϕ and resets ν[φ := 0] are interpreted as defined earlier. It is easy to see that the semantics of IRSA are largely similar to those of timed automata. We follow the same notations as in Section 2.

Proposition 1. Let A be an IRSA and ν be a valuation in any given run of A. Then ∀x, y ∈ X ∪ Z, frac(ν(x)) = frac(ν(y)).

This proposition follows as a direct result of the definition of IRSA and Lemma 1. It allows us to consider R as the set of IRSA regions partitioning T^{X ∪ Z}. These are the same as IRTA regions (defined in Section 2) over the set X ∪ Z.

Given an IRSA A, we give a technique to convert it into a language equivalent IRTA B. The construction is along the same lines as clock reduction in Section 3.1. We consider the locations of B to be L × R_I. Given a location (l, α) of B and a transition (l, α) → (l′, α′), α is updated to α′ on edges l → l′ of A that (i) reset a clock or stopwatch, or (ii) have η(l) ≠ η(l′). For each stopwatch z in A, there is a clock x_z in B simulating z. We consider atomic constraints in A to be of the form x ∈ I where x ∈ X ∪ Z and I ∈ I. For example, an edge with constraint x = 2 ∧ z < 1 is replaced by edges with constraints x ∈ [2] ∧ z ∈ [0] and x ∈ [2] ∧ z ∈ (0, 1) respectively. The formal construction of B from A is given below.

Given an IRSA A = (L, L_0, Σ, X, Z, E, F, η), construct an IRTA B = (L′, L′_0, Σ, X ∪ Z′, E′, F′) as follows: (i) L′ ⊆ L × R_I, where R_I is the set of integral and saturated IRSA regions over X ∪ Z; (ii) L′_0 = L_0 × {α_0}, where α_0 = ([0], [0], ··· , [0]); (iii) F′ ⊆ F × R_I; (iv) Z′ is a set of new clocks such that for every z ∈ Z there is a unique clock x_z in Z′ corresponding to z via a bijection Z′ ↔ Z; (v) E′ ⊆ L′ × Σ × C(X ∪ Z′) × 2^{X ∪ Z′} × L′ is the set of transitions. A transition (l, α) −a, ϕ′, φ′→ (l′, α′) is in E′ iff there exists a transition l −a, ϕ, φ→ l′ in E such that
(a) ∃I ∈ I such that α + I ⊨ ϕ, where ∀x ∈ X, (α + I)(x) = α(x) + I, and ∀z ∈ Z, (α + I)(z) = α(z) + I if η(l)(z) = 1, else (α + I)(z) = α(z);
(b) ϕ′ is obtained by replacing z ∈ c + α(z) in ϕ by x_z ∈ c, for all z ∈ Z;
(c) φ′ = (φ ∩ X) ∪ Z′ if φ ≠ ∅ or η(l) ≠ η(l′); otherwise, φ′ = ∅;
(d) α′ = (α + I)[φ := 0] if φ′ ≠ ∅; else α′ = α.

Each time a reset occurs or a rate changing edge is taken in A, the corresponding edge in B resets all clocks in Z′ and updates α to contain the latest values of the stopwatches. Hence constraints involving Z′ should pertain to the time elapsed since the last update of α. Thus, the constraints in B replace z ∈ c + α(z) by x_z ∈ c. Appendix D gives an example of this construction and establishes that the resulting timed automaton is indeed an IRTA.

Lemma 6. Let A be an IRSA and B be the IRTA constructed as above. Then L(A) = L(B).

Corollary 1. Reachability is decidable for the class IRSA. Further, it is closed under all boolean operations.

Lemma 6 can be proved along the lines of Theorem 2. Corollary 1 follows from Lemma 6, Theorem 3 and the decidability of emptiness of timed automata [3]. Note that the timed automaton B has at most |L| × (c_m + 2)^{|X ∪ Z|} locations, where c_m is the maximum constant used in the constraints of A. This bound can be proved to be tight employing the same technique as in Lemma 4.

IRSA with diagonal constraints: It is well known that diagonal constraints do not add to the expressive power of timed automata. However, we note that diagonal constraints involving stopwatches render reachability undecidable for IRSA. It is easy to see that Minsky's two counter machine can be simulated using 3 stopwatches and one clock g, encoding each counter as the difference of two of the stopwatches (c = x − x). Incrementing a counter is accomplished by a transition −g = 0?→ s −g = 1?, g := 0→ through a location S in which the subtracted stopwatch has η(S)(x) = 0 and the others have η(S)(x_i) = 1, ∀i < 3. A simple diagonal constraint x − x = 0? between the two stopwatches of the encoding is sufficient to check if the counter is zero.

Acknowledgement: We thank the anonymous reviewers for useful comments.

References
1. S. Adams, J. Ouaknine and J. Worrell. Undecidability of universality for timed automata with minimal resources. Proceedings of FORMATS'07, LNCS 4763, 25-37, 2007.
2. R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P. Ho, X. Nicollin, A. Olivero, J. Sifakis and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3-34, 1995.
3. R. Alur and D. L. Dill. A Theory of Timed Automata. Theoretical Computer Science, 126(2):183-235, 1994.
4. R. Alur, L. Fix and T. Henzinger. A determinizable class of timed automata. Proceedings of CAV'94, LNCS 818, 1-13, 1994.
5. C. Baier, N. Bertrand, P. Bouyer and T. Brihaye. When are Timed Automata Determinizable? Proceedings of ICALP'09, LNCS 5556, 43-54, 2009.
6. B. Bérard and S. Haddad. Interrupt Timed Automata. Proceedings of FOSSACS'09, LNCS 5504, 197-211, 2009.
7. P. Bouyer, C. Dufourd, E. Fleury and A. Petit. Updatable Timed Automata. Theoretical Computer Science, 321(2-3):291-345, 2004.
8. F. Cassez and K. G. Larsen. The impressive power of stopwatches. In Proc. of CONCUR 2000: Concurrency Theory, 138-152. Springer, 1999.
9. Olivier Finkel. Undecidable Problems About Timed Automata. Proceedings of FORMATS'06, LNCS 4202, 187-199, 2006.
10. K. Nagaraj. Topics in Timed Automata. Master's Thesis, Department of Computer Science & Engineering, Indian Institute of Technology, Bombay, July 2006.
11. P. V. Suman, P. K. Pandya, S. N. Krishna and L. Manasa. Timed Automata with Integer Resets: Language Inclusion and Expressiveness. Proceedings of FORMATS'08, LNCS 5215, 78-92, 2008.
12. P. V. Suman, P. K. Pandya, S. N. Krishna and L. Manasa. Timed automata with integer resets: Language inclusion and expressiveness. Research report TIFR-SPKG-GM-2008/1, 2008, available at ∼vsuman/TechReps/IrtaLangInclTechRep.pdf.
13. P. V. Suman and P. K. Pandya. Determinization and Expressiveness of Integer Reset Timed Automata with Silent Transitions. Proceedings of LATA 2009, LNCS 5457, 728-739, 2008.

Appendix A. Equivalent runs in A and A_1
Consider the IRTA A in Figure 2.1 and its corresponding one clock IRTA A_1 in Figure 3.1. We now show a demonstration of the proof of Theorem 2 with an example.
Recall that a state in A is of the form ( l i , ( ν ′ i ( x ) , ν ′ i ( y ))) and a state in A is ( l i , ( α i ( x ) , α i ( y )) , µ ′ i ( n )). We shall denote the clock intervals [0] , [1] , (1 , ∞ )as 0 , , + respectively.Consider a timed word ρ = ( a, . a, a, b, a, ρ in A is r = ( S, (0 , . −→ ( S, (0 . , . a,x ≤ −→ ( S, (0 . , . −→ ( S, (1 , a,x ≤ −→ ( S, (1 , −→ ( S, (1 , a,x =1? ,y :=0 −→ ( T, (1 , −→ ( T, (2 , b,y =1? x :=0 −→ ( S, (0 , −→ ( S, (1 , a −→ ( T, (1 , r in A corresponding to ρ given by r = ( S, (0 , , . −→ ( S, (0 , , . a,n ≤ −→ ( S, (0 , , . −→ ( S, (0 , , a,n ≤ −→ ( S, (0 , , −→ ( S, (0 , , a,n =1? n :=0 −→ ( T, (1 , , −→ ( T, (1 , , b,n =1? ,n :=0 −→ ( S, (0 , , −→ ( S, (0 , , a,n =1? ,n :=0 −→ ( T, (1 , , ν ′ i = α i + µ ′ i holds for all i . B Determinization of A In Section 3.1, we saw how to build a one clock possibly non-deterministic IRTA A for a given IRTA A with any number of clocks. As A is also an IRTA, wecan apply the same technique outlined in Section 3.2 to obtain a deterministicone clock IRTA A d . From Theorems 2 and 3, we know that L ( A ) = L ( A ) and L ( A ) = L ( A d ). Hence L ( A ) = L ( A d ).The Figure B.1 shows the deterministic one clock IRTA A d obtained from A in Figure 3.1 following definition in Section 3.2. Note that A d is the sameas A d in Figure 3.4. A A B C C B a, n < n := 0 an = 1? n := 0 bn = 1? a, n < n := 0 a, n = 1? n := 0 b, n = 1? a, n = 0? a, n = 0? Fig. B.1. The deterministic one clock IRTA A d corresponding to the IRTA A in Figure 3.1. Here A , B and C represnt the locations S T 10 and S 01 of A respectively. Proof of Lemma 5 Consider the non-deterministic IRTA A in Figure C.1. It is clear that A d inFigure C.1 has exactly 2 | L | ∗ ( c m +2) | X | − sd , d , d d , d S S S S S S S e , c a b , e , a e , a b , b , e , a e , c , a e , a a , a b c e a b c c b a c , c e b a a b c Fig. C.1. IRTA A and its deterministic IRTA A ′ . 
The locations S_·, ..., S_· of A_d represent the seven non-empty subsets of {(S, 0), (S, 1), (S, +)}, namely {(S, )}, {(S, ), (S, )}, {(S, )}, {(S, ), (S, ), (S, +)}, {(S, ), (S, +)}, {(S, ), (S, +)} and {(S, +)} respectively (the interval labels inside the braces are not legible in the source). The symbols on the edges stand for the following timed transitions (guard constants that are missing below are not legible in the source):

d ::= b, x = 1?, x := 0
d ::= b, x ≥
d ::= c, x = 1?, x := 0
d ::= c, x >
d ::= e, x ≥
b ::= b, n = 0?
b ::= b, n = 1?, n := 0
c ::= c, n = 0?
c ::= c, n = 1?, n := 0
e ::= e, n = 0?
e ::= e, n = 1?
a ::= b, n = 0?; c, n = 0?; e, n = 0?
a ::= b, n ∈ (0, ); c, n ∈ (0, ); e, n ∈ (0, )
a ::= b, n > ; c, n > ; e, n > 0?
a ::= b, n > ; c, n > ; e, n >

These are the edge labels of A_d in Figure C.1.

D  Details of Section 5

B is an IRTA. From the definition of B, it is easy to observe the following.

– For every resetting edge e in A, there is a resetting edge e′ in B that resets all clocks in Z′ in addition to the clocks mentioned in e.
– For every rate changing edge e in A (source and target have different η values), there is an edge e′ in B which resets all clocks in Z′.

By the definition of A, we are assured that edges of these two kinds occur at integer time units, as they are accompanied by atomic constraints of the form (a) x = c for some x ∈ X, c ∈ ℕ, or (b) z = c for some z ∈ Z, c ∈ ℕ, provided η(l)(z) = 1. Now consider the corresponding constraints in B.

– If all the atomic constraints are over X, then they are the same in B.
– If the atomic constraints in A involve z = c (equivalently z ∈ [c]), then the corresponding constraint in B is of the form x_z ∈ [c] − α(z). As α ∈ RI over X ∪ Z, α(z) is either integral or saturated. If α(z) is integral, then [c] − α(z) is also integral. If α(z) = (c_m, ∞), then z > c_m in every valuation it abstracts; since A has no constraint z = c with c > c_m, no constraint x_z ∈ [c] − α(z) arises in B for such an edge.

From the above argument, it is clear that all resetting edges in B are accompanied by atomic constraints of the form x ∈ [c] with x ∈ X ∪ Z′. Thus, B is an IRTA.

An IRSA A and its language equivalent IRTA B

[Figure D.1: locations S, T, U, V; edges a, x = 1?, g := 0, y := 0, h := 0; b, g = 1?; c, h < ·; d, h = 1?, x := 0; d, g ≤ ·; the constants of the last two guards are not legible in the source.]

Fig. D.1. IRSA A with clocks x, y and stopwatches g, h. At location T, η(T)(g) = 1 and η(T)(h) = 0, i.e. g runs while h is stopped.

[Figure D.2: locations of the form (S, ·), (T, ·), (U, +), (V, +), (S, +), (T, +); edges a, x = 1? {e, f}; b, e = 1? {e, f, y}; c, f < · {e, f, x}; d, f = 1? {e, f}; a, x = 1?; b, e = 1? {e, f, y}; d, e = 0?.]

Fig. D.2. Timed automaton B which is language equivalent to the IRSA in Figure D.1. Here the clock intervals [0], [1], (1, ∞) are represented as 0, 1, + respectively. Location (T, ·) represents (T, (x = 1, y = 1, g = 0, h = 1)). The set of clocks to be reset is indicated on each edge. Clocks e, f simulate the stopwatches g, h respectively.

Proof of Lemma 6. Language equivalence in Theorem 2 was established by proving that for every run in A there exists a run in its one clock IRTA such that ν′_i = α_i + µ′_i always. A similar proof, by induction on the number of symbols in the timed word, can be given for Lemma 6. The hypothesis is that for a state (l_i, ν′_i) of A there exists a state (l_i, α_i, µ′_i) of B such that ν′_i ∩ X = µ′_i ∩ X and, for all z ∈ Z, ν′_i(z) ∈ α_i(z) + ⟨µ′_i(x_z)⟩. Thus ν′_i(z) ⊨ z ∈ c + α_i(z) iff µ′_i(x_z) ⊨ x_z ∈ c, for all i.
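The invariant ν′_i = α_i + µ′_i that Appendix A checks by hand on one run, and that the proof sketch of Lemma 6 reuses as its induction hypothesis, can also be exercised mechanically. The Python below is an added example written for this page, not code from the paper: it simulates a small two-clock IRTA of my own construction (only loosely modelled on the S/T example of Appendix A; the automaton of Figure 2.1 is not reproduced here) alongside the one-clock view of Section 3.1. On every resetting edge it recomputes the offsets α from the value of the single clock n, which the integer-reset property forces to be integral, saturating offsets above c_m to "+"; each guard x op c is translated into a guard on n as the shift [c] − α(x) described in Appendix D; and after every step it checks ν = α + n. The edge set, the timed word, c_m = 1, first-match resolution of non-determinism and all function names are assumptions of the example.

```python
"""Added example (not from the paper): one clock plus integer offsets tracks a multi-clock IRTA.

Constructed illustration of the invariant nu'_i = alpha_i + mu'_i from Appendix A and
Lemma 6.  The automaton, the timed word and c_m = 1 are assumptions of this example.
"""
from fractions import Fraction

PLUS = "+"  # the saturated interval (c_m, inf); offsets 0..c_m are kept as integers


def saturate(v, cmax):
    """Integer offset, saturated to '+' once it exceeds the largest constant c_m."""
    return PLUS if v > cmax else v


def holds(value, op, c):
    """Evaluate the atomic constraint 'value op c'."""
    return {"==": value == c, "<": value < c, "<=": value <= c,
            ">": value > c, ">=": value >= c}[op]


def translate_guard(alpha, op, c):
    """Rewrite 'x op c' as a guard on the single clock n, using x = alpha(x) + n.

    Returns a bool when the offset alone decides the guard (x already exceeds c),
    otherwise the shifted guard (op, c - alpha(x)), the '[c] - alpha(z)' of Appendix D.
    """
    if alpha == PLUS or c - alpha < 0:   # x > c whatever n >= 0 is
        return op in (">", ">=")
    return (op, c - alpha)


def guard_on_n(alpha, n, op, c):
    g = translate_guard(alpha, op, c)
    return g if isinstance(g, bool) else holds(n, *g)


def _enabled(edges, loc, letter, sat):
    """First edge out of loc on letter whose guard is satisfied (first-match resolution)."""
    for e in edges:
        if e["src"] == loc and e["letter"] == letter and \
                all(sat(x, op, c) for x, (op, c) in e["guard"].items()):
            return e
    return None


def run_irta(edges, clocks, word, init="S"):
    """Concrete run: (location, valuation) after each letter, or None if the word is rejected."""
    loc, val, now = init, {x: Fraction(0) for x in clocks}, Fraction(0)
    trace = [(loc, dict(val))]
    for letter, t in word:
        t = Fraction(t)
        val = {x: v + (t - now) for x, v in val.items()}   # let time elapse on every clock
        now = t
        edge = _enabled(edges, loc, letter, lambda x, op, c: holds(val[x], op, c))
        if edge is None:
            return None
        if edge["reset"]:
            # IRTA: a resetting edge carries some x = c guard, so it fires at integer time
            assert now.denominator == 1
            val = {x: (Fraction(0) if x in edge["reset"] else v) for x, v in val.items()}
        loc = edge["dst"]
        trace.append((loc, dict(val)))
    return trace


def run_one_clock(edges, clocks, word, cmax, init="S"):
    """Abstract run: (location, alpha, n) where every clock x equals alpha(x) + n."""
    loc, alpha, n, now = init, {x: 0 for x in clocks}, Fraction(0), Fraction(0)
    trace = [(loc, dict(alpha), n)]
    for letter, t in word:
        t = Fraction(t)
        n += t - now                                   # only the single clock advances
        now = t
        edge = _enabled(edges, loc, letter, lambda x, op, c: guard_on_n(alpha[x], n, op, c))
        if edge is None:
            return None
        if edge["reset"]:
            assert n.denominator == 1                  # n was itself last reset at integer time
            k = int(n)
            alpha = {x: 0 if x in edge["reset"]
                     else (PLUS if alpha[x] == PLUS else saturate(alpha[x] + k, cmax))
                     for x in clocks}
            n = Fraction(0)                            # n is reset on every resetting edge
        loc = edge["dst"]
        trace.append((loc, dict(alpha), n))
    return trace


def invariant_holds(concrete, abstract, cmax):
    """Check nu_i = alpha_i + mu_i(n) at every step; a saturated offset means nu(x) - n > c_m."""
    if concrete is None or abstract is None or len(concrete) != len(abstract):
        return False
    for (l1, val), (l2, alpha, n) in zip(concrete, abstract):
        if l1 != l2:
            return False
        for x, v in val.items():
            ok = v - n > cmax if alpha[x] == PLUS else v == alpha[x] + n
            if not ok:
                return False
    return True


# Constructed IRTA over clocks x, y (assumption): every resetting edge has an x = c or y = c guard.
CLOCKS = ("x", "y")
CMAX = 1
EDGES = [
    dict(src="S", letter="a", guard={"x": ("<", 1)}, reset=set(), dst="S"),
    dict(src="S", letter="a", guard={"x": ("==", 1)}, reset={"y"}, dst="T"),
    dict(src="T", letter="a", guard={"y": ("==", 1)}, reset={"y"}, dst="T"),
    dict(src="T", letter="b", guard={"x": (">", 1), "y": ("==", 1)}, reset={"x", "y"}, dst="S"),
]
# Constructed timed word (letter, absolute time); the third a pushes x past c_m so alpha(x) saturates.
WORD = [("a", Fraction(1, 2)), ("a", 1), ("a", 2), ("b", 3), ("a", Fraction(7, 2))]

if __name__ == "__main__":
    concrete = run_irta(EDGES, CLOCKS, WORD)
    abstract = run_one_clock(EDGES, CLOCKS, WORD, CMAX)
    for (loc, val), (_, alpha, n) in zip(concrete, abstract):
        print(loc, {x: str(v) for x, v in val.items()}, "  one clock:", alpha, "n =", n)
    print("invariant nu = alpha + n holds:", invariant_holds(concrete, abstract, CMAX))
```

The point the simulation makes explicit is why one clock suffices: because every reset happens at an integer time, all clocks share the same fractional part, so the integer part of each clock at the last reset (saturated at c_m) is all the one-clock automaton has to remember, and an equality guard x = c on the original automaton becomes the equality n = c − α(x) or is simply disabled when α(x) is saturated. The paper's construction hard-codes these shifted guards and offset updates into the locations of the one clock IRTA; the simulator computes them on the fly from the run.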
