On Reachability for Hybrid Automata over Bounded Time

This paper investigates the time-bounded version of the reachability problem for hybrid automata. This problem asks whether a given hybrid automaton can reach a given target location within T time units, where T is a constant rational value. We show …

Authors: Thomas Brihaye, Laurent Doyen, Gilles Geeraerts, Joël Ouaknine, Jean-François Raskin, James Worrell

Thomas Brihaye, Laurent Doyen, Gilles Geeraerts, Joël Ouaknine, Jean-François Raskin, James Worrell

Affiliations: Université de Mons, Belgium; LSV, ENS Cachan & CNRS, France; Université Libre de Bruxelles, Belgium; Oxford University Computing Laboratory, UK.

October 19, 2018

* Work supported by the projects: (i) QUASIMODO (FP7-ICT-STREP-214755), Quasimodo: "Quantitative System Properties in Model-Driven-Design of Embedded", http://www.quasimodo.aau.dk/, (ii) GASICS (ESF-EUROCORES LogiCCC), Gasics: "Games for Analysis and Synthesis of Interactive Computational Systems", http://www.ulb.ac.be/di/gasics/, (iii) Moves: "Fundamental Issues in Modelling, Verification and Evolution of Software", http://moves.ulb.ac.be, a PAI program funded by the Federal Belgian Government, (iv) the ARC project AUWB-2010-10/15-UMONS-3, (v) the FRFC project 2.4515.11 and (vi) a grant from the National Bank of Belgium.

Abstract

This paper investigates the time-bounded version of the reachability problem for hybrid automata. This problem asks whether a given hybrid automaton can reach a given target location within $T$ time units, where $T$ is a constant rational value. We show that, in contrast to the classical (unbounded) reachability problem, the time-bounded version is decidable for rectangular hybrid automata provided only non-negative rates are allowed. This class of systems is of practical interest and subsumes, among others, the class of stopwatch automata. We also show that the problem becomes undecidable if either diagonal constraints or both negative and positive rates are allowed.

1 Introduction

The formalism of hybrid automata [1] is a well-established model for hybrid systems whereby a digital controller is embedded within a physical environment. The state of a hybrid system changes both through discrete transitions of the controller and continuous evolutions of the environment. The discrete state of the system is encoded by the location $\ell$ of the automaton, and the continuous state is encoded by real-valued variables $X$ evolving according to dynamical laws constraining the first derivative $\dot X$ of the variables. Hybrid automata have proved useful in many applications, and their analysis is supported by several tools [6, 5].

A central problem in hybrid-system verification is the reachability problem, which is to decide if there exists an execution from a given initial location $\ell$ to a given goal location $\ell'$. While the reachability problem is undecidable for simple classes of hybrid automata (such as linear hybrid automata [1]), the decidability frontier of this problem is sharply understood [7, 8]. For example, the reachability problem is decidable for the class of initialized rectangular automata where (i) the flow constraints, guards, invariants and discrete updates are defined by rectangular constraints of the form $a \le \dot x \le b$ or $c \le x \le d$ (where $a, b, c, d$ are rational constants), and (ii) whenever the flow constraint of a variable $x$ changes between two locations $\ell$ and $\ell'$, then $x$ is reset along the transition from $\ell$ to $\ell'$. Of particular interest is the class of timed automata, which is a special class of initialized rectangular automata [2]. In recent years, it has been observed that new decidability results can be obtained in the setting of time-bounded verification of real-time systems [10, 11].
Given a time bound $T \in \mathbb{N}$, the time-bounded verification problems consider only traces with duration at most $T$. Note that, due to the density of time, the number of discrete transitions may still be unbounded. Several verification problems for timed automata and real-time temporal logics turn out to be decidable in the time-bounded framework (such as the language-inclusion problem for timed automata [10]), or to be of lower complexity (such as the model-checking problem for MTL [11]). The theory of time-bounded verification is therefore expected to be more robust and better-behaved in the case of hybrid automata as well.

Following this line of research, we revisit the reachability problem for hybrid automata with time-bounded traces. The time-bounded reachability problem for hybrid automata is to decide, given a time bound $T \in \mathbb{N}$, whether there exists an execution of duration at most $T$ from a given initial location $\ell$ to a given goal location $\ell'$. We study the frontier between decidability and undecidability for this problem and show how bounding time alters matters with respect to the classical reachability problem.

In this paper, we establish the following results. First, we show that the time-bounded reachability problem is decidable for non-initialized rectangular automata when only non-negative rates are allowed¹. The proof of this fact is technical and, contrary to most decidability results in the field, does not rely on showing the existence of an underlying finite (bi)simulation quotient. We study the properties of time-bounded runs and show that if a location is reachable within $T$ time units, then it is reachable by a timed run in which the number of discrete transitions can be bounded. This in turn allows us to reduce the time-bounded reachability problem to the satisfiability of a formula in the first-order theory of real addition, decidable in EXPSPACE [4]. Second, we show that the time-bounded reachability problem is undecidable for non-initialized rectangular hybrid automata if both positive and negative rates are allowed. Third, we show that the time-bounded reachability problem is undecidable for initialized rectangular hybrid automata with positive singular flows if diagonal constraints in guards are allowed. These two undecidability results allow us to precisely characterize the boundary between decidability and undecidability. The undecidability results are obtained by reductions from the halting problem for two-counter machines. We present novel encodings of the execution of two-counter machines that fit into time-bounded executions of hybrid automata with either negative rates or diagonal constraints.

¹ This class is interesting from a practical point of view as it includes, among others, the class of stopwatch automata [3], for which unbounded reachability is undecidable.

2 Definitions

Let $\mathcal{I}$ be the set of intervals of real numbers with endpoints in $\mathbb{Z} \cup \{-\infty, +\infty\}$. Let $X$ be a set of continuous variables, and let $X' = \{x' \mid x \in X\}$ and $\dot X = \{\dot x \mid x \in X\}$ be the sets of primed and dotted variables, corresponding respectively to variable updates and first derivatives. A rectangular constraint over $X$ is an expression of the form $x \in I$ where $x$ belongs to $X$ and $I$ to $\mathcal{I}$. A diagonal constraint over $X$ is a constraint of the form $x - y \sim c$ where $x, y$ belong to $X$, $c$ to $\mathbb{Z}$, and $\sim$ is in $\{<, \le, =, \ge, >\}$. Finite conjunctions of diagonal and rectangular constraints over $X$ are called guards, over $\dot X$ they are called rate constraints, and over $X \cup X'$ they are called update constraints.
A guard or rate constraint is rectangular if all its constraints are rectangular. An update constraint is rectangular if all its constraints are either rectangular or of the form $x = x'$. We denote by $\mathcal{G}(X)$, $\mathcal{R}(X)$ and $\mathcal{U}(X)$ respectively the sets of guards, rate constraints, and update constraints over $X$.

Linear hybrid automata. A linear hybrid automaton (LHA) is a tuple $H = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ where $X = \{x_1, \ldots, x_{|X|}\}$ is a finite set of continuous variables; $\mathrm{Loc}$ is a finite set of locations; $\mathrm{Edges} \subseteq \mathrm{Loc} \times \mathcal{G}(X) \times \mathcal{U}(X) \times \mathrm{Loc}$ is a finite set of edges; $\mathrm{Rates} : \mathrm{Loc} \to \mathcal{R}(X)$ assigns to each location a constraint on the possible variable rates; $\mathrm{Inv} : \mathrm{Loc} \to \mathcal{G}(X)$ assigns an invariant to each location; and $\mathrm{Init} \in \mathrm{Loc}$ is an initial location. For an edge $e = (\ell, g, r, \ell')$, we denote by $\mathrm{src}(e)$ and $\mathrm{trg}(e)$ the locations $\ell$ and $\ell'$ respectively; $g$ is called the guard of $e$ and $r$ is the update (or reset) of $e$. In the sequel, we denote by $\mathrm{rmax}$ the maximal constant occurring in the constraints of $\{\mathrm{Rates}(\ell) \mid \ell \in \mathrm{Loc}\}$.

An LHA $H$ is singular if for all locations $\ell$ and for all variables $x$ of $H$, the only constraint over $\dot x$ in $\mathrm{Rates}(\ell)$ is of the form $\dot x \in I$ where $I$ is a singular interval; it is fixed rate if for all variables $x$ of $H$ there exists $I_x \in \mathcal{I}$ such that for all locations $\ell$ of $H$, the only constraint on $\dot x$ in $\mathrm{Rates}(\ell)$ is the constraint $\dot x \in I_x$. It is multirate if it is not fixed rate. It is non-negative rate if for all variables $x$ and all locations $\ell$, the constraint $\mathrm{Rates}(\ell)$ implies that $\dot x$ must be non-negative.

Rectangular hybrid automata. A rectangular hybrid automaton (RHA) is a linear hybrid automaton in which all guards, rates, and invariants are rectangular.
In this case, we view each reset $r$ as a function $X' \to \mathcal{I} \cup \{\bot\}$ that associates to each variable $x \in X$ either an interval of possible reset values $r(x)$, or $\bot$ when the value of the variable $x$ remains unchanged along the transition. When $r(x)$ is either $\bot$ or a singular interval for each $x$, we say that $r$ is deterministic. In the case of RHA, we can also view rate constraints as functions $\mathrm{Rates} : \mathrm{Loc} \times X \to \mathcal{I}$ that associate to each location $\ell$ and each variable $x$ an interval of possible rates $\mathrm{Rates}(\ell)(x)$. A rectangular hybrid automaton $H$ is initialized if for every edge $(\ell, g, r, \ell')$ of $H$ and every $x \in X$, if $\mathrm{Rates}(\ell)(x) \neq \mathrm{Rates}(\ell')(x)$ then $r(x) \neq \bot$, i.e., every variable whose rate constraint is changed must be reset.

LHA semantics. A valuation of a set of variables $X$ is a function $\nu : X \to \mathbb{R}$. We further denote by $\vec 0$ the valuation that assigns $0$ to each variable. Given an LHA $H = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$, a state of $H$ is a pair $(\ell, \nu)$, where $\ell \in \mathrm{Loc}$ and $\nu$ is a valuation of $X$. The semantics of $H$ is defined as follows. Given a state $s = (\ell, \nu)$ of $H$, an edge step $(\ell, \nu) \xrightarrow{e} (\ell', \nu')$ can occur and change the state to $(\ell', \nu')$ if $e = (\ell, g, r, \ell') \in \mathrm{Edges}$, $\nu \models g$, $\nu'(x) = \nu(x)$ for all $x$ such that $r(x) = \bot$, and $\nu'(x) \in r(x)$ for all $x$ such that $r(x) \neq \bot$; given a time delay $t \in \mathbb{R}^+$, a continuous time step $(\ell, \nu) \xrightarrow{t} (\ell, \nu')$ can occur and change the state to $(\ell, \nu')$ if there exists a vector $r = (r_1, \ldots, r_{|X|})$ such that $r \models \mathrm{Rates}(\ell)$, $\nu' = \nu + (r \cdot t)$, and $\nu + (r \cdot t') \models \mathrm{Inv}(\ell)$ for all $0 \le t' \le t$.

A path in $H$ is a finite sequence $e_1, e_2, \ldots, e_n$ of edges such that $\mathrm{trg}(e_i) = \mathrm{src}(e_{i+1})$ for all $1 \le i \le n-1$. A cycle is a path $e_1, e_2, \ldots, e_n$ such that $\mathrm{trg}(e_n) = \mathrm{src}(e_1)$. A cycle $e_1, e_2, \ldots, e_n$ is simple if $\mathrm{src}(e_i) \neq \mathrm{src}(e_j)$ for all $i \neq j$. A timed path of $H$ is a finite sequence of the form $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$ such that $e_1, \ldots, e_n$ is a path in $H$ and $t_i \in \mathbb{R}^+$ for all $1 \le i \le n$. We lift the notions of cycle and simple cycle to the timed case accordingly. Given a timed path $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$, we denote by $\pi[i:j]$ (with $1 \le i \le j \le n$) the timed path $(t_i, e_i), \ldots, (t_j, e_j)$.

A run in $H$ is a sequence $s_0, (t_0, e_0), s_1, (t_1, e_1), \ldots, (t_{n-1}, e_{n-1}), s_n$ such that:
• $(t_0, e_0), (t_1, e_1), \ldots, (t_{n-1}, e_{n-1})$ is a timed path in $H$, and
• for all $0 \le i < n$, there exists a state $s'_i$ of $H$ with $s_i \xrightarrow{t_i} s'_i \xrightarrow{e_i} s_{i+1}$.

Given a run $\rho = s_0, (t_0, e_0), \ldots, s_n$, let $\mathrm{first}(\rho) = s_0 = (\ell_0, \nu_0)$, $\mathrm{last}(\rho) = s_n$, $\mathrm{duration}(\rho) = \sum_{i=0}^{n-1} t_i$, and $|\rho| = n + 1$. We say that $\rho$ is (i) strict if $t_i > 0$ for all $0 \le i \le n-1$; (ii) $k$-variable-bounded (for $k \in \mathbb{N}$) if $\nu_0(x) \le k$ for all $x \in X$, and every time step $s_i \xrightarrow{t_i} (\ell_i, \nu_i)$ along $\rho$ satisfies $\nu_i(x) \le k$ for all $x \in X$; (iii) $T$-time-bounded (for $T \in \mathbb{N}$) if $\mathrm{duration}(\rho) \le T$.

Note that a unique timed path $\mathrm{TPath}(\rho) = (t_0, e_0), (t_1, e_1), \ldots, (t_{n-1}, e_{n-1})$ is associated to each run $\rho = s_0, (t_0, e_0), s_1, \ldots, (t_{n-1}, e_{n-1}), s_n$. Hence, we sometimes abuse notation and denote a run $\rho$ with $\mathrm{first}(\rho) = s_0$, $\mathrm{last}(\rho) = s$ and $\mathrm{TPath}(\rho) = \pi$ by $s_0 \xrightarrow{\pi} s$. The converse, however, is not true: given a timed path $\pi$ and an initial state $s_0$, it could be impossible to build a run starting from $s_0$ and following $\pi$, because some guards or invariants along $\pi$ might be violated. However, if such a run exists, it is necessarily unique when the automaton is singular and all resets are deterministic.
In that case, we denote by $\mathrm{Run}(s_0, \pi)$ the function that returns the unique run $\rho$ such that $\mathrm{first}(\rho) = s_0$ and $\mathrm{TPath}(\rho) = \pi$ if it exists, and $\bot$ otherwise.

Time-bounded reachability problem for LHA. While the reachability problem asks to decide the existence of any timed run that reaches a given goal location, we are only interested in runs having bounded duration.

Problem 1 (Time-bounded reachability problem) Given an LHA $H = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$, a location $\mathrm{Goal} \in \mathrm{Loc}$ and a time bound $T \in \mathbb{N}$, the time-bounded reachability problem is to decide whether there exists a finite run $\rho = (\mathrm{Init}, \vec 0) \xrightarrow{\pi} (\mathrm{Goal}, \cdot)$ of $H$ with $\mathrm{duration}(\rho) \le T$.

In the following table, we summarize the known facts regarding decidability of the reachability problem for LHA, along with the results on time-bounded reachability that we prove in the rest of this paper (U: undecidable, D: decidable). Note that decidability for initialized rectangular hybrid automata (IRHA) follows directly from [7]. We show decidability for (non-initialized) RHA that only have non-negative rates in Section 3. The undecidability of the time-bounded reachability problem for RHA and LHA is not a consequence of the known results from the literature and requires new proofs, which are given in Section 4.

HA class                 Reachability   Time-bounded reachability
LHA                      U [1]          U (see Section 4)
RHA                      U [7]          U (see Section 4)
non-negative-rate RHA    U [7]          D (see Section 3)
IRHA                     D [7]          D [7]

Example of time-bounded reachability. Let $H$ be the hybrid automaton of Fig. 1, with the convention that the transition starting from $\ell_i$ and ending in $\ell_j$ is denoted $e_{ij}$. Although not explicitly stated on the figure, we assume that all the locations are equipped with the invariant $(x \le 1) \wedge (y \le 1)$.
As this automaton uses only rectangular constraints and non-negative rates, it is in the class for which we show decidability of the time-bounded reachability problem (see Section 3). Note that it is non-initialized since, for example, variable $y$ is not reset from location $\ell_0$ to location $\ell_1$ while its rate changes, and that it is singular, diagonal-free, and multirate.

Figure 1: A singular, diagonal-free, multirate hybrid automaton. (Figure not reproduced in the extraction. Locations $\ell_0, \ldots, \ell_4$ with rates $\ell_0$: $\dot x = 5, \dot y = 2$; $\ell_1$: $\dot x = 2, \dot y = 5$; $\ell_2$: $\dot x = 1, \dot y = 17$; $\ell_3$: $\dot x = 10, \dot y = 7$; $\ell_4$: $\dot x = 0, \dot y = 0$. The edge labels present in the figure are $x = 1;\ x := 0$ (on four edges), $y = 1;\ y := 0$, $y \le 1;\ y := 0$ and $x = 3;\ x := 0$; from the run below, $e_{01}$ is guarded by $x = 1$ and resets $x$, $e_{10}$ is guarded by $y = 1$ and resets $y$, and $e_{34}$ is guarded by $x = 1$ and resets $x$.)

Assume we want to reach location $\ell_4$ from $(\ell_0, 0, 0)$ within one time unit. One clearly sees that the duration of any run starting from $\ell_0$ and crossing $\ell_2$ will exceed one time unit. Another possibility would be to go directly from $\ell_0$ to $\ell_3$. In this case, when reaching location $\ell_3$ after crossing $e_{03}$, the value of the variable $x$ (resp. $y$) is $0$ (resp. $2/5$). Thus, in order to cross $e_{34}$, one should wait $1/10$ time units; if we do so, the value of $y$ will reach $11/10$ and violate the invariant. It is thus impossible to reach $\ell_4$ from $(\ell_0, 0, 0)$ without visiting $\ell_1$. A single visit to $\ell_1$ is sufficient, as the following run testifies:
$$(\ell_0, 0, 0) \xrightarrow{1/5,\ e_{01}} (\ell_1, 0, 2/5) \xrightarrow{3/25,\ e_{10}} (\ell_0, 6/25, 0) \xrightarrow{17/125,\ e_{03}} (\ell_3, 0, 34/125) \xrightarrow{1/10,\ e_{34}} (\ell_4, 0, 243/250).$$
The evolution of the variables along this run is illustrated in Fig. 2. In this picture, the evolution of the $x$-variable (resp. of the $y$-variable) is represented by the dashed (resp. plain) curve. The evolution of the valuations of the variables along the beginning of the unique run looping between $\ell_0$ and $\ell_1$ is illustrated in Fig. 3.

Figure 2: A successful run. (Plot not reproduced; the time axis is marked at $1/5$, $8/25$, $57/125$ and $139/250$, the dates of the discrete transitions.)

Figure 3: A loop between $\ell_0$ and $\ell_1$. (Plot not reproduced; the time axis is marked at $1/5$, $8/25$, $57/125$, $376/625$ and $2323/3125$.)
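As an added worked example (not code from the paper), the following Python implements the function $\mathrm{Run}(s_0, \pi)$ of the preceding definitions for the automaton of Fig. 1 in exact rational arithmetic: it fires a timed path step by step, checks guards and the invariant $(x \le 1) \wedge (y \le 1)$, and returns $\bot$ (None) when the timed path cannot be followed. The rates are those of Fig. 1. Since the figure's edge labels are not legible in this extraction, the guards of $e_{01}$, $e_{10}$ and $e_{34}$ are taken from the run above, the guard of $e_{03}$ ($x = 1$, resetting $x$) is an assumption read from the text's description of the direct route $\ell_0 \to \ell_3$, and $\ell_2$ with its edges is omitted.

```python
"""Run(s0, pi) for a singular RHA with deterministic resets, in exact arithmetic.

Added example, not code from the paper. Rates are those of Fig. 1. The edge
labels of the figure are not legible in the extraction, so the guards of e01,
e10 and e34 are taken from the run in the text and the guard of e03 (x = 1,
resetting x) is an assumption read from the description of the direct route
l0 -> l3. Location l2 and its edges are omitted.
"""
from fractions import Fraction as F

# Rates(l)(x): singular rates per location, as in Fig. 1.
RATES = {
    "l0": {"x": 5, "y": 2},
    "l1": {"x": 2, "y": 5},
    "l3": {"x": 10, "y": 7},
    "l4": {"x": 0, "y": 0},
}
# Every location carries the invariant (x <= 1) and (y <= 1).
BOUND = 1

# name -> (src, guard, reset, trg). A guard maps a variable to (op, constant);
# a deterministic reset maps a variable to its new value (absent = unchanged, i.e. ⊥).
EDGES = {
    "e01": ("l0", {"x": ("=", 1)}, {"x": 0}, "l1"),
    "e10": ("l1", {"y": ("=", 1)}, {"y": 0}, "l0"),
    "e03": ("l0", {"x": ("=", 1)}, {"x": 0}, "l3"),  # guard assumed, see docstring
    "e34": ("l3", {"x": ("=", 1)}, {"x": 0}, "l4"),
}

OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def holds(guard, nu):
    return all(OPS[op](nu[v], c) for v, (op, c) in guard.items())


def inv(nu):
    return all(val <= BOUND for val in nu.values())


def time_step(loc, nu, t):
    """(l, nu) --t--> (l, nu') requires nu + r*t' |= Inv(l) for all 0 <= t' <= t.
    Rates are non-negative and the invariant is an upper bound, so the valuation
    at t' = t is the largest one and checking it is enough."""
    if t < 0:
        return None
    nu2 = {v: nu[v] + RATES[loc][v] * t for v in nu}
    return nu2 if inv(nu2) else None


def edge_step(loc, nu, e):
    """(l, nu) --e--> (l', nu'): src(e) = l, nu |= guard, reset variables take
    their new value, all other variables keep theirs."""
    src, guard, reset, trg = EDGES[e]
    if src != loc or not holds(guard, nu):
        return None
    nu2 = dict(nu)
    nu2.update({v: F(val) for v, val in reset.items()})
    return trg, nu2


def run(s0, timed_path):
    """Run(s0, pi): the states s0, s1, ..., sn of the unique run starting in s0
    and following pi, or None (⊥) if some guard or invariant is violated."""
    loc, nu = s0
    nu = {v: F(val) for v, val in nu.items()}
    states = [(loc, nu)]
    for t, e in timed_path:
        nu_after_delay = time_step(loc, nu, F(t))
        if nu_after_delay is None:
            return None
        nxt = edge_step(loc, nu_after_delay, e)
        if nxt is None:
            return None
        loc, nu = nxt
        states.append((loc, nu))
    return states


def duration(timed_path):
    return sum(F(t) for t, _ in timed_path)


def reaches_within(s0, timed_path, goal, T):
    """Witness check for Problem 1: pi can be followed from s0, ends in goal
    and has duration at most T."""
    states = run(s0, timed_path)
    return states is not None and states[-1][0] == goal and duration(timed_path) <= T


if __name__ == "__main__":
    s0 = ("l0", {"x": 0, "y": 0})
    print(run(s0, [("1/5", "e01"), ("3/25", "e10")]))
    print(run(s0, [("1/5", "e03"), ("1/10", "e34")]))  # None: y would reach 11/10 in l3
```

With these guards, the direct timed path $(1/5, e_{03}), (1/10, e_{34})$ returns None because $y$ would reach $11/10$ in $\ell_3$, which is the invariant violation described above, while the prefix $(1/5, e_{01}), (3/25, e_{10})$ reaches $(\ell_0, 6/25, 0)$ as in the run above. The endpoint-only invariant check in `time_step` is sound only because all rates are non-negative and the invariants are upper bounds; with negative rates or lower bounds the whole segment $0 \le t' \le t$ would have to be checked.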
Looking at that looping run, one may be convinced that $H$ does not admit a finite bisimulation quotient.

3 Decidability for RHA with Non-Negative Rates

In this section, we prove that the time-bounded reachability problem is decidable for the class of (non-initialized) rectangular hybrid automata having non-negative rates, while it is undecidable for this class in the classical (unbounded) case [7]. Note that this class is interesting in practice since it contains, among others, the important class of stopwatch automata, a significant subset of LHA that has several useful applications [3]. We obtain decidability by showing that for RHA with non-negative rates, a goal location is reachable within $T$ time units iff there exists a witness run of that automaton which reaches the goal (within $T$ time units) by a run $\rho$ of length $|\rho| \le K^H_T$, where $K^H_T$ is a parameter that depends on $T$ and on the size of the automaton $H$. Time-bounded reachability can thus be reduced to the satisfiability of a formula in the first-order theory of the reals encoding the existence of runs of length at most $K^H_T$ reaching $\mathrm{Goal}$.

For simplicity of the proofs, we consider RHA with the following restrictions: (i) the guards do not contain strict inequalities, and (ii) the rates are singular. We argue at the end of this section that these restrictions can be made without loss of generality. Then, in order to further simplify the presentation, we show how to syntactically simplify the automaton while preserving the time-bounded reachability properties. The details of the constructions can be found in the appendix.

Proposition 1 Let $H$ be a singular RHA with non-negative rates and without strict inequalities, and let $\mathrm{Goal}$ be a location of $H$. We can build a hybrid automaton $H'$ with the following properties:
H1 $H'$ is a singular RHA with non-negative rates;
H2 $H'$ contains only deterministic resets;
H3 for every edge $(\ell, g, r, \ell')$ of $H'$, $g$ is either $\mathrm{true}$ or of the form $x_1 = 1 \wedge x_2 = 1 \wedge \cdots \wedge x_k = 1$, and $r \equiv x'_1 = 0 \wedge \cdots \wedge x'_k = 0$;
and a set of locations $S$ of $H'$ such that $H$ admits a $T$-time-bounded run reaching $\mathrm{Goal}$ iff $H'$ admits a strict, $1$-variable-bounded and $T$-time-bounded run reaching $S$.

Proof. The proof is given in Appendix A. □

As a consequence, to prove decidability of time-bounded reachability for RHA with non-negative rates, we only need to prove that we can decide whether an RHA respecting H1 through H3 admits a strict run $\rho$ reaching the goal within $T$ time units and along which all variables are bounded by $1$.

Bounding the number of equalities. As a first step towards a witness of time-bounded reachability, we bound the number of transitions guarded by equalities along a run of bounded duration:

Proposition 2 Let $H$ be an LHA with set of variables $X$ respecting hypotheses H1 through H3. Let $\rho$ be a $T$-time-bounded run of $H$. Then $\rho$ contains at most $|X| \cdot \mathrm{rmax} \cdot T$ transitions guarded by an equality.

Proof. For a contradiction, assume that there exists an execution $\rho$ of $H$ with $M$ transitions containing (at least) an equality, where $M > |X| \cdot \mathrm{rmax} \cdot T$. By H3, the equalities in the guards are of the form $x = 1$. In particular, there must exist a variable $y \in X$ which has been tested equal to one (and thus reset to zero, by H3) strictly more than $\mathrm{rmax} \cdot T$ times. Since all the rates of $y$ are non-negative by H1 and at most $\mathrm{rmax}$, the shortest time needed to reach the guard $y = 1$ from the value $0$ is $1/\mathrm{rmax}$.
Along $\rho$, the variable $y$ has reached the guard $y = 1$ from $0$ strictly more than $\mathrm{rmax} \cdot T$ times; this implies that $\mathrm{duration}(\rho) > \mathrm{rmax} \cdot T \cdot \frac{1}{\mathrm{rmax}} = T$, which is a contradiction. □

Bounding runs without equalities. Unfortunately, it is not possible to bound the number of transitions that do not contain equalities, even along a time-bounded run. However, we will show that, given a time-bounded run $\rho$ without equality guards, we can build a run $\rho'$ that is equivalent to $\rho$ (in the sense that its initial and target states are the same) and whose length is bounded by a parameter depending on the size of the automaton. More precisely:

Proposition 3 Let $H$ be an RHA with non-negative rates. For any $1$-variable-bounded and $\frac{1}{\mathrm{rmax}+1}$-time-bounded run $\rho = s_0 \xrightarrow{\pi} s$ of $H$ that contains no equalities in the guards, $H$ admits a $1$-variable-bounded and $\frac{1}{\mathrm{rmax}+1}$-time-bounded run $\rho' = s_0 \xrightarrow{\pi'} s$ such that
$$|\rho'| \le 2|X| + (2|X| + 1) \cdot |\mathrm{Loc}| \cdot (2^{|\mathrm{Edges}|+1} + 1).$$

Note that Proposition 3 applies only to runs of duration at most $\frac{1}{\mathrm{rmax}+1}$. However, this is not restrictive, since any $T$-time-bounded run can always be split into at most $T \cdot (\mathrm{rmax} + 1)$ subruns of duration at most $\frac{1}{\mathrm{rmax}+1}$, provided that we add a self-loop with guard $\mathrm{true}$ and no reset on every location (this can be done without loss of generality as far as reachability is concerned).

To prove Proposition 3, we rely on a contraction operation that receives a timed path and returns another one of smaller length. Let $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$ be a timed path. We define $\mathrm{Cnt}(\pi)$ by considering two cases. Let $j, k, j', k'$ be four positions such that $1 \le j \le k < j' \le k' \le n$ and $e_j \ldots e_k = e_{j'} \ldots e_{k'}$ is a simple cycle.
If such $j, k, j', k'$ exist, then let
$$\mathrm{Cnt}(\pi) = \pi[1:j-1] \cdot (t_j + t_{j'}, e_j) \cdots (t_k + t_{k'}, e_k) \cdot \pi[k+1:j'-1] \cdot \pi[k'+1:n].$$
Otherwise, we let $\mathrm{Cnt}(\pi) = \pi$. Observe that $\pi$ and $\mathrm{Cnt}(\pi)$ share the same source and target locations, even when $\pi[k'+1:n]$ is empty. Then, given a timed path $\pi$, we let $\mathrm{Cnt}^0(\pi) = \pi$, $\mathrm{Cnt}^i(\pi) = \mathrm{Cnt}(\mathrm{Cnt}^{i-1}(\pi))$ for any $i \ge 1$, and $\mathrm{Cnt}^*(\pi) = \mathrm{Cnt}^n(\pi)$ where $n$ is the least value such that $\mathrm{Cnt}^n(\pi) = \mathrm{Cnt}^{n+1}(\pi)$. Clearly, since $\pi$ is finite, and since $|\mathrm{Cnt}(\pi)| < |\pi|$ or $\mathrm{Cnt}(\pi) = \pi$ for any $\pi$, $\mathrm{Cnt}^*(\pi)$ always exists. Moreover, we can always bound the length of $\mathrm{Cnt}^*(\pi)$. This stems from the fact that $\mathrm{Cnt}^*(\pi)$ is a timed path that contains at most one occurrence of each simple cycle. The length of such paths can be bounded using classical combinatorial arguments.

Lemma 1 For any timed path $\pi$ of an LHA $H$ with $|\mathrm{Loc}|$ locations and $|\mathrm{Edges}|$ edges:
$$|\mathrm{Cnt}^*(\pi)| \le |\mathrm{Loc}| \cdot (2^{|\mathrm{Edges}|+1} + 1).$$

Proof. Let $\mathrm{Cnt}^*(\pi) = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$. First, observe that, by definition of $\mathrm{Cnt}^*$, the actual values of the time delays $t_1, t_2, \ldots, t_n$ are irrelevant to the length of $\mathrm{Cnt}^*(\pi)$, since the 'contraction' is based solely on the edges. Still by definition of $\mathrm{Cnt}^*$, also observe that the path $e_1, e_2, \ldots, e_n$ does not contain two occurrences of the same simple cycle. Thus, the length of $\mathrm{Cnt}^*(\pi)$ is always bounded by the length of the longest path in $H$ that does not contain two occurrences of the same simple cycle. In order to compute this value, we first observe that any path $\sigma = e_1, e_2, \ldots, e_n$ can always be decomposed into subpaths $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where every $\sigma_{2i+1}$ (for $0 \le i \le k$) is an acyclic path and every $\sigma_{2j}$ (for $1 \le j \le k$) is a simple cycle. This stems from the fact that any cycle (whether it is simple or not) can always be decomposed into a sequence of simple cycles and acyclic paths. Thus, the worst-case scenario for a path containing at most one occurrence of each simple cycle is a path of the form $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where each $\sigma_{2i+1}$ (for $0 \le i \le k$) is of maximal length and $\{\sigma_{2j} \mid 1 \le j \le k\}$ is the set of all possible simple cycles. By definition of a simple cycle, in an automaton with $|\mathrm{Edges}|$ edges and $|\mathrm{Loc}|$ locations, there are at most $2^{|\mathrm{Edges}|}$ simple cycles, and each of them has length at most $|\mathrm{Loc}|$ (otherwise the cycle would contain two edges with the same origin and would not be simple). Moreover, in such an automaton, each acyclic path is of length at most $|\mathrm{Loc}|$ too. Hence, the worst case is a path $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where $k = 2^{|\mathrm{Edges}|}$, $|\sigma_{2i}| = |\mathrm{Loc}|$ for all $1 \le i \le k$, and $|\sigma_{2j+1}| = |\mathrm{Loc}|$ for all $0 \le j \le k$, that is, a total length of
$$k \cdot |\mathrm{Loc}| + (k+1) \cdot |\mathrm{Loc}| = |\mathrm{Loc}| \cdot (2k+1) = |\mathrm{Loc}| \cdot (2^{|\mathrm{Edges}|+1} + 1). \ \square$$

Note that the contraction operation is purely syntactic and works on the timed path only. Hence, given a run $s_0 \xrightarrow{\pi} s$, we have no guarantee that $\mathrm{Run}(s_0, \mathrm{Cnt}^*(\pi)) \neq \bot$. Moreover, even when it is defined, the resulting run might be $s_0 \xrightarrow{\mathrm{Cnt}^*(\pi)} s'$ with $s \neq s'$. Nevertheless, we can show that $\mathrm{Cnt}^*(\pi)$ preserves some properties of $\pi$. For a timed path $\pi = (t_1, e_1), \ldots, (t_n, e_n)$ of an LHA $H$ with rate function $\mathrm{Rates}$, we let
$$\mathrm{Effect}(\pi, x) = \sum_{i=1}^{n} \mathrm{Rates}(\ell_i)(x) \cdot t_i,$$
where $\ell_i$ is the initial location of $e_i$ for any $1 \le i \le n$. Note thus that, for any run $(\ell, \nu) \xrightarrow{\pi} (\ell', \nu')$ and any variable $x$ which is not reset along $\pi$, $\nu'(x) = \nu(x) + \mathrm{Effect}(\pi, x)$. It is easy to see that $\mathrm{Cnt}^*(\pi)$ preserves the effect of $\pi$. Moreover, the durations of $\mathrm{Cnt}^*(\pi)$ and $\pi$ are equal.

Lemma 2 For any timed path $\pi$: (i) $\mathrm{duration}(\pi) = \mathrm{duration}(\mathrm{Cnt}^*(\pi))$ and (ii) for any variable $x$: $\mathrm{Effect}(\pi, x) = \mathrm{Effect}(\mathrm{Cnt}^*(\pi), x)$.

We are now ready to show, given a timed path $\pi$ (with $\mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$ and without equality tests in the guards), how to build a timed path $\mathrm{Contraction}(\pi)$ that fully preserves the values of the variables, as stated in Proposition 3. The key ingredient to obtain $\mathrm{Contraction}(\pi)$ is to apply $\mathrm{Cnt}^*$ to selected portions of $\pi$, in such a way that for each edge $e$ that resets a variable for the first or the last time along $\pi$, the time distance between the occurrence of $e$ and the beginning of the timed path is the same in both $\pi$ and $\mathrm{Contraction}(\pi)$. The precise construction goes as follows. Let $\pi = (t_1, e_1), \ldots, (t_n, e_n)$ be a timed path. For each variable $x$, we denote by $S^\pi_x$ the set of positions $i$ such that $e_i$ is either the first or the last edge in $\pi$ to reset $x$ (hence $|S^\pi_x| \in \{0, 1, 2\}$ for any $x$). Then, we decompose $\pi$ as
$$\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdot \pi_2 \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot \pi_{k+1}$$
with $\{i_1, \ldots, i_k\} = \bigcup_x S^\pi_x$. From this decomposition of $\pi$, we let
$$\mathrm{Contraction}(\pi) = \mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdot \mathrm{Cnt}^*(\pi_2) \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot \mathrm{Cnt}^*(\pi_{k+1}).$$
We first note that, thanks to Lemma 1, $|\mathrm{Contraction}(\pi)|$ is bounded.

Lemma 3 Let $H$ be an LHA with set of variables $X$, set of edges $\mathrm{Edges}$ and set of locations $\mathrm{Loc}$, and let $\pi$ be a timed path of $H$. Then
$$|\mathrm{Contraction}(\pi)| \le 2 \cdot |X| + (2 \cdot |X| + 1) \cdot |\mathrm{Loc}| \cdot (2^{|\mathrm{Edges}|+1} + 1).$$

Proof. The lemma stems from the fact that $|\bigcup_x S^\pi_x| \le 2 \cdot |X|$ and that, for any $j$, $|\mathrm{Cnt}^*(\pi_j)| \le |\mathrm{Loc}| \cdot (2^{|\mathrm{Edges}|+1} + 1)$ by Lemma 1.
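As an added example (not the paper's code), here is a direct Python implementation of $\mathrm{Cnt}$, $\mathrm{Cnt}^*$, $\mathrm{duration}$, $\mathrm{Effect}$ and $\mathrm{Contraction}$ as defined above, together with the bounds of Lemmas 1 and 3. Timed paths are lists of $(t, e)$ pairs, edges are given by name with their source, target and reset variables, and rates per location are a dictionary. The three-location automaton and the nine-step timed path at the bottom are constructed for illustration; they are not from the paper.

```python
"""Cnt, Cnt*, Effect and Contraction on timed paths (Section 3 of the paper).

Added example, not code from the paper. An edge is (src, trg, reset_vars); a
timed path is a list of (delay, edge_name). Positions are 0-based here while the
paper indexes timed paths from 1. The automaton and path below are constructed.
"""


def is_simple_cycle(edges, path):
    """e_1..e_m is a simple cycle iff trg(e_m) = src(e_1) and all sources differ."""
    srcs = [edges[e][0] for e in path]
    return edges[path[-1]][1] == srcs[0] and len(set(srcs)) == len(srcs)


def cnt(edges, pi):
    """One contraction step. Find positions j <= k < j2 <= k2 with
    e_j..e_k = e_j2..e_k2 a simple cycle, add the delays of the second
    occurrence to the first one and drop the second occurrence.
    Returns pi itself when no such positions exist."""
    n = len(pi)
    for j in range(n):
        for k in range(j, n):
            cyc = [e for _, e in pi[j:k + 1]]
            if not is_simple_cycle(edges, cyc):
                continue
            m = k - j + 1
            for j2 in range(k + 1, n - m + 1):
                if [e for _, e in pi[j2:j2 + m]] == cyc:
                    merged = [(pi[j + i][0] + pi[j2 + i][0], cyc[i]) for i in range(m)]
                    return pi[:j] + merged + pi[k + 1:j2] + pi[j2 + m:]
    return pi


def cnt_star(edges, pi):
    """Iterate cnt to a fixpoint; each productive step strictly shortens pi."""
    while True:
        nxt = cnt(edges, pi)
        if nxt == pi:
            return pi
        pi = nxt


def duration(pi):
    return sum(t for t, _ in pi)


def effect(edges, rates, pi, x):
    """Effect(pi, x) = sum_i Rates(src(e_i))(x) * t_i."""
    return sum(rates[edges[e][0]][x] * t for t, e in pi)


def contraction(edges, pi, variables):
    """Keep the first and the last reset of every variable in place (the set
    S^pi_x of the paper) and apply cnt_star to each segment in between."""
    keep = set()
    for x in variables:
        positions = [i for i, (_, e) in enumerate(pi) if x in edges[e][2]]
        if positions:
            keep.update({positions[0], positions[-1]})
    out, segment = [], []
    for i, step in enumerate(pi):
        if i in keep:
            out += cnt_star(edges, segment) + [step]
            segment = []
        else:
            segment.append(step)
    return out + cnt_star(edges, segment)


def lemma1_bound(n_loc, n_edges):
    return n_loc * (2 ** (n_edges + 1) + 1)


def lemma3_bound(n_vars, n_loc, n_edges):
    return 2 * n_vars + (2 * n_vars + 1) * lemma1_bound(n_loc, n_edges)


# Constructed automaton: e1: A->B, e2: B->A resets y, e3: A->C resets x.
EDGES = {"e1": ("A", "B", ()), "e2": ("B", "A", ("y",)), "e3": ("A", "C", ("x",))}
RATES = {"A": {"x": 1, "y": 3}, "B": {"x": 2, "y": 0}, "C": {"x": 0, "y": 1}}
# Constructed timed path: the simple cycle e1 e2 is taken four times, then e3.
PI = [(1, "e1"), (2, "e2"), (3, "e1"), (4, "e2"), (5, "e1"), (6, "e2"),
      (7, "e1"), (8, "e2"), (9, "e3")]

if __name__ == "__main__":
    print(cnt_star(EDGES, PI))                 # [(16, 'e1'), (20, 'e2'), (9, 'e3')]
    print(contraction(EDGES, PI, ("x", "y")))  # first/last e2 and e3 stay in place
```

On the constructed path, $\mathrm{Cnt}^*$ folds the four occurrences of the simple cycle $e_1 e_2$ into one, keeping the total duration (45) and the effect on both variables (65 for $x$, 75 for $y$) unchanged, which is Lemma 2. $\mathrm{Contraction}$ instead leaves the first and last $e_2$ (the first and last reset of $y$) and the $e_3$ (the only reset of $x$) at their original dates and contracts only the segment between them, so the dates of those resets, and hence the final valuation, are preserved, which is what the proof of Proposition 3 needs.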
□

In order to obtain Proposition 3, it remains to show that this construction can be used to build a run $\rho'$ that is equivalent to the original run $\rho$. By Lemma 2, we know that $\mathrm{duration}(\mathrm{Cnt}^*(\pi_j)) = \mathrm{duration}(\pi_j)$ for any $j$. Hence, the first and last resets of each variable happen at the same time (relative to the beginning of the timed path) in both $\pi$ and $\mathrm{Contraction}(\pi)$. Intuitively, preserving the time of occurrence of the first reset (of some variable $x$) guarantees that $x$ will never exceed $1$ along $\mathrm{Contraction}(\pi)$, because $\mathrm{duration}(\mathrm{Contraction}(\pi)) = \mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$. Symmetrically, preserving the last reset of some variable $x$ guarantees that the final value of $x$ will be the same in both $\pi$ and $\mathrm{Contraction}(\pi)$. Moreover, we know (see Lemma 2) that the contraction function also preserves the value of the variables that are not reset. Thanks to these results, we are now ready to prove Proposition 3.

Proof. [of Proposition 3] Let $\pi = \mathrm{TPath}(\rho)$ and let $\pi'$ denote $\mathrm{Contraction}(\pi)$. To prove the existence of $\rho'$, we will choose $\rho' = s_0 \xrightarrow{\pi'} s$. Let us first show that $\mathrm{Run}(s_0, \pi') \neq \bot$. Since $\pi$ and $\pi'$ contain no equality test, by H3 this amounts to showing that firing $\pi'$ from $s_0$ will always keep all the variable values $\le 1$. Let us consider the decomposition of $\pi$ into $\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdot \pi_2 \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot \pi_{k+1}$, as in the definition of $\mathrm{Contraction}$. For any $1 \le i \le k$, let $s_i = (\ell_i, \nu_i)$ denote the state reached by the run $s_0 \xrightarrow{\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdots \pi_i} s_i$. Symmetrically, let $s'_i = (\ell_i, \nu'_i)$ denote the state reached by the run $s_0 \xrightarrow{\mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdots \mathrm{Cnt}^*(\pi_i)} s'_i$, assuming it exists. In that case, we observe that, for any variable $x$ which is not reset along $\mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdots \mathrm{Cnt}^*(\pi_i)$, we have $\nu_i(x) = \nu'_i(x)$ by Lemma 2.

Then, we proceed by contradiction. Let $(t_j, e_j)$ be an element of $\pi'$ and let $x$ be a variable such that $s_0 \xrightarrow{\pi'[1:j]} (\ell', \nu')$ and $\nu'(x) + \mathrm{Rates}(\ell')(x) \cdot t_{j+1} > 1$. We first observe that, once $x$ has been reset along $\pi'$, its value can never exceed $1$, because $\mathrm{duration}(\pi') = \mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$. Hence, $(t_j, e_j)$ must occur before the first reset of $x$ along $\pi'$. We distinguish two cases:
1. In the case where $(t_j, e_j)$ occurs in some part $\mathrm{Cnt}^*(\pi_{i_j})$ of the decomposition of $\pi'$, we know that $\nu'_{i_j - 1}(x) + \mathrm{Effect}((t_{i_j}, e_{i_j}) \cdot \mathrm{Cnt}^*(\pi_{i_j}), x) > 1$, since $x$ is not reset along $\mathrm{Cnt}^*(\pi_{i_j})$. However, we have:
$$\begin{aligned}
\nu_{i_j}(x) &= \nu_{i_j - 1}(x) + \mathrm{Effect}((t_{i_j}, e_{i_j}) \cdot \pi_{i_j}, x) && \text{(definition, } x \text{ not reset)} \\
&= \nu'_{i_j - 1}(x) + \mathrm{Effect}((t_{i_j}, e_{i_j}) \cdot \pi_{i_j}, x) && \text{(observation above)} \\
&= \nu'_{i_j - 1}(x) + \mathrm{Effect}((t_{i_j}, e_{i_j}) \cdot \mathrm{Cnt}^*(\pi_{i_j}), x) && \text{(Lemma 2)} \\
&> 1.
\end{aligned}$$
Hence, $\rho$ reaches a valuation where the value of $x$ exceeds $1$. Contradiction.
2. The case where $(t_j, e_j) = (t_{i_k}, e_{i_k})$ for some $i_k$ is treated similarly and leads to the same contradiction.

Now, we are sure that $\rho' = s_0 \xrightarrow{\pi'} (\ell', \nu')$ is indeed a $1$-variable-bounded run. By Lemma 3, it has the adequate length. It remains to show that $\rho = s_0 \xrightarrow{\pi} (\ell, \nu)$ implies $\ell' = \ell$ and $\nu = \nu'$. The first point is true by definition of $\pi'$. For any variable $x$, let $i_x$ denote the element $(t_{i_x}, e_{i_x})$ of $\pi$ where the last reset of $x$ occurs along $\pi$ (and thus along $\pi'$). We observe that $\nu(x) = \mathrm{Effect}(\pi_{i_x+1} \cdot (t_{i_x+1}, e_{i_x+1}) \cdots \pi_{k+1}, x)$ and that $\nu'(x) = \mathrm{Effect}(\mathrm{Cnt}^*(\pi_{i_x+1}) \cdot (t_{i_x+1}, e_{i_x+1}) \cdots \mathrm{Cnt}^*(\pi_{k+1}), x)$, since $x$ is not reset anymore along those two suffixes. By Lemma 2, we have $\nu(x) = \nu'(x)$. □

Handling '<' and non-singular rates. Let us now briefly explain how we can adapt the construction of this section to cope with strict guards and non-singular rates. First, when the RHA $H$ contains strict guards, the RHA $H'$ of Proposition 1 will also contain guards with atoms of the form $x < 1$. Thus, when building a 'contracted path' $\rho'$ starting from a path $\rho$ (as in the proof of Proposition 3), we need to ensure that these strict guards will also be satisfied along $\rho'$. It is easy to use similar arguments to establish this: if some guard $x < 1$ is not satisfied in $\rho'$, this is necessarily before the first reset of $x$, which means that the guard was not satisfied in $\rho$ either. On the other hand, to take non-singular rates into account, we need to adapt the definition of timed path. A timed path is now of the form $(t_0, r_0, e_0) \cdots (t_n, r_n, e_n)$, where each $r_i$ is a vector of reals of size $|X|$ indicating the actual rate that was chosen for each variable when the $i$-th continuous step was taken. It is then straightforward to adapt the definitions of $\mathrm{Cnt}$, $\mathrm{Effect}$ and $\mathrm{Contraction}$ to take those rates into account and still keep the properties stated in Lemmas 1 and 3 and in Proposition 3 (note that we need to rely on the convexity of the invariants in RHA to ensure that proper rates can be found when building $\mathrm{Cnt}(\pi)$).

Theorem 1 The time-bounded reachability problem is decidable for the class of rectangular hybrid automata with non-negative rates.

Proof.
Let $H$ be an RHA with non-negative rates, let $\mathit{Goal}$ be one of its locations, let $B$ be a natural value, and let us show how to determine whether $H$ admits a $B$-time-bounded run reaching $\mathit{Goal}$. By Proposition 1 (and taking into account the above remarks to cope with strict guards and rectangular rates), this amounts to determining the existence of a strict $1$-variable-bounded run reaching $\mathit{Goal}'$ in $H'$ (where $\mathit{Goal}'$ and $H'$ are defined as in Proposition 1). By Proposition 3, this can be done by considering only the runs of length at most $2|X| + (2|X| + 1) \cdot |\mathit{Loc}| \cdot (2(|\mathit{Edges}| + 1) + 1)$ in $H'$. This question can be answered by building an $\mathrm{FO}(\mathbb{R}, \le, +)$ formula $\varphi_{H'}$ which is satisfiable iff such a run $\rho'$ exists. Since the satisfiability of $\mathrm{FO}(\mathbb{R}, \le, +)$ is decidable [4], we obtain the theorem. □

4 Undecidability Results

In this section, we show that the time-bounded reachability problem for linear hybrid automata becomes undecidable if either both positive and negative rates are allowed, or diagonal constraints are allowed in the guards. Along with the decidability result of Section 3, these facts imply that the class of rectangular hybrid automata having positive rates only and no diagonal constraints forms a maximal decidable class. Our proofs rely on reductions from the halting problem for Minsky two-counter machines. A two-counter machine $M$ consists of a finite set of control states $Q$, an initial state $q_I \in Q$, a final state $q_F \in Q$, a set $C$ of counters ($|C| = 2$) and a finite set $\delta_M$ of instructions manipulating two integer-valued counters. Instructions are of the form $q{:}\ c := c + 1;\ \mathbf{goto}\ q'$, or $q{:}\ \mathbf{if}\ c = 0\ \mathbf{then\ goto}\ q'\ \mathbf{else}\ c := c - 1;\ \mathbf{goto}\ q''$. Formally, instructions are tuples $(q, \alpha, c, q')$ where $q, q' \in Q$ are the source and target states respectively, and the action $\alpha \in \{\mathit{inc}, \mathit{dec}, 0?\}$ applies to the counter $c \in C$.

A configuration of $M$ is a pair $(q, v)$ where $q \in Q$ and $v : C \to \mathbb{N}$ is a valuation of the counters. An accepting run of $M$ is a finite sequence $\pi = (q_0, v_0)\,\delta_0\,(q_1, v_1)\,\delta_1 \ldots \delta_{n-1}\,(q_n, v_n)$ where the $\delta_i = (q_i, \alpha_i, c_i, q_{i+1}) \in \delta_M$ are instructions and the $(q_i, v_i)$ are configurations of $M$ such that $q_0 = q_I$, $v_0(c) = 0$ for all $c \in C$, $q_n = q_F$, and for all $0 \le i < n$, we have $v_{i+1}(c) = v_i(c)$ for $c \neq c_i$, and (i) if $\alpha_i = \mathit{inc}$, then $v_{i+1}(c_i) = v_i(c_i) + 1$, (ii) if $\alpha_i = \mathit{dec}$, then $v_i(c_i) \neq 0$ and $v_{i+1}(c_i) = v_i(c_i) - 1$, and (iii) if $\alpha_i = 0?$, then $v_{i+1}(c_i) = v_i(c_i) = 0$. The halting problem asks, given a two-counter machine $M$, whether $M$ has an accepting run. This problem is undecidable [9].

Undecidability for RHA with negative rates. Given a two-counter machine $M$, we construct an RHA $H_M$ (thus without diagonal constraints) such that $M$ has an accepting run if and only if the answer to the time-bounded reachability problem for $(H_M, \mathit{Goal})$ with time bound $1$ is YES. The construction of $H_M$ crucially makes use of both positive and negative rates.

Theorem 2. The time-bounded reachability problem is undecidable for rectangular hybrid automata even if restricted to singular rates.

Proof. The reduction is as follows. The execution steps of $M$ are simulated in $H_M$ by a (possibly infinite) sequence of ticks within one time unit. The ticks occur at times $t_0 = 0$, $t_1 = 1 - \frac{1}{4}$, $t_2 = 1 - \frac{1}{16}$, $\ldots$, i.e. $t_i = 1 - \frac{1}{4^i}$. The counters are encoded as follows. If the value of counter $c \in C$ after $i$ execution steps of $M$ is $v(c)$, then the variable $x_c$ in $H_M$ has value $\frac{1}{4^{i + v(c)}}$ at time $t_i$. Note that this encoding is time-dependent, and that the value of $x_c$ at time $t_i$ is never larger than $1 - t_i = \frac{1}{4^i}$, and equal to $\frac{1}{4^i}$ exactly when the counter value is $0$.
To maintain this encoding (when a counter $c$ is not modified in an execution step), we need to divide $x_c$ by $4$ before the next tick occurs. We use the divisor gadget in Figure 4 to do this. Using the diagram in the figure, it is easy to check that the value of variable $x_c$ is divided by $k^2$, where $k$ is a constant used to define the variable rates. In the sequel, we use $k = 2$ and $k = 4$ (i.e., division by $4$ and by $16$ respectively). Note also that the division of $\nu(x_c)$ by $k^2$ takes $\nu(x_c) \cdot (\frac{1}{k} + \frac{1}{k^2})$ time units, which is at most $\frac{3 \cdot \nu(x_c)}{4}$ for $k \ge 2$. Since $\nu(x_c) \le \frac{1}{4^i}$ at time $t_i$, the duration of the division is at most $\frac{3}{4^{i+1}} = t_{i+1} - t_i$, the time that elapses before the next tick.

We also use the divisor gadget on a variable $x_t$ to construct an automaton $A_{\mathit{tick}}$ that generates the ticks, as in Figure 5. We take $k = 2$ and we connect and merge the incoming and outgoing transitions of the divisor gadget. Initially, we require $x_t = 1$. Since division of $x_t$ by $k^2 = 4$ takes $\nu(x_t) \cdot (\frac{1}{k} + \frac{1}{k^2}) = \frac{3 \cdot \nu(x_t)}{4}$ time units, it turns out that the value of $x_t$ is always $1 - t_i = \frac{1}{4^i}$ at time $t_i$. Therefore, we can produce infinitely many ticks within one time unit.

The automaton $H_M$ is the product of $A_{\mathit{tick}}$ with the automaton constructed as follows. Assume the set of counters is $C = \{c, d\}$. For each state $q$ of $M$, we construct a location $\ell_q$ with rates $\dot{x}_c = 0$ and $\dot{x}_d = 0$. For each instruction $(q, \cdot, \cdot, q')$ of $M$, we construct a transition from location $\ell_q$ to $\ell_{q'}$ through a synchronized product of division gadgets that maintains the encoding, as shown in Figures 6 and 7. For example, the instruction $(q, \mathit{inc}, c, q')$ is simulated by dividing $x_c$ by $16 = 4^2$ and $x_d$ by $4$, which transforms for instance $x_c = \frac{1}{4^{i+n}}$ into $x'_c = \frac{1}{4^{i+n+2}}$. The decrement is implemented similarly.
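As an added example (not code from the paper), the following Python script simulates the divisor gadget and the time-dependent counter encoding of this reduction with exact rationals: it checks that the gadget divides its variable by $k^2$ in $\nu \cdot (\frac{1}{k} + \frac{1}{k^2})$ time, that every division finishes before the next tick, and that the decoded counters track a constructed instruction sequence. The function names, the dictionary representation of a configuration and the sample program are my own; the zero test is modelled by comparing the instants at which $x_c$ and $x_t$ reach $0$ in their $k = 2$ gadgets, which is how the guard $x_t = 0$ stands in for $x_c = x_t$.

```python
from fractions import Fraction as F

def divide_gadget(v, k):
    """Run the Figure 4 divisor gadget on a variable x starting at value v.
    Location 1 has rates x' = -k, y' = 1 and is left when x = 0;
    location 2 has rates x' = 1, y' = -k and is left when y = 0.
    Returns (final x, instant at which x hit 0, total duration); the paper's
    claim is final x = v / k^2 after v * (1/k + 1/k^2) time units."""
    x, y = F(v), F(0)
    t1 = x / k                       # location 1: x reaches 0 after v/k
    x, y = x - k * t1, y + t1        # now x = 0, y = v/k
    t2 = y / k                       # location 2: y reaches 0 after v/k^2
    x, y = x + t2, y - k * t2        # now x = v/k^2, y = 0
    return x, t1, t1 + t2

def tick_time(i):
    """Instant t_i = 1 - 1/4^i of the i-th tick."""
    return 1 - F(1, 4 ** i)

def initial_state():
    """At t_0 = 0 both counters are 0, so x_c = x_d = 1/4^0 = 1, and x_t = 1."""
    return {"i": 0, "x_c": F(1), "x_d": F(1), "x_t": F(1)}

def step(state, action, counter):
    """Advance the encoding from tick t_i to t_{i+1} for one instruction
    (action in {'inc', 'dec', '0?'}, counter in {'c', 'd'}).
    Returns the new state, or None when no run of H_M takes the transition
    (zero-test guard false, or a decrement the machine semantics forbid)."""
    i = state["i"]
    slot = tick_time(i + 1) - tick_time(i)            # = 3 / 4^(i+1)
    new = {"i": i + 1}
    # A_tick divides x_t by 4 (k = 2) between two consecutive ticks.
    new["x_t"], t_zero_tick, dur = divide_gadget(state["x_t"], 2)
    assert dur <= slot
    for name in ("x_c", "x_d"):
        cur = state[name]
        if name[-1] != counter:                       # untouched counter: keep the
            val, _, dur = divide_gadget(cur, 2)       # encoding by dividing by 4
        elif action == "inc":
            val, _, dur = divide_gadget(cur, 4)       # divide by 16 = 4^2
        elif action == "dec":
            if cur == state["x_t"]:                   # counter is 0: dec not allowed
                return None
            val, dur = cur, F(0)                      # "division by 1": rate 0
        else:  # "0?": x_c/4 gadget whose x_c = 0 edge also carries the guard x_t = 0
            val, t_zero, dur = divide_gadget(cur, 2)
            if t_zero != t_zero_tick:                 # x_c, x_t hit 0 together iff equal
                return None
        assert dur <= slot
        new[name] = val
    return new

def decode(state, name):
    """Recover the counter value v from x = 1/4^(i+v)."""
    x = state[name]
    assert x.numerator == 1
    e = 0
    while 4 ** e < x.denominator:
        e += 1
    assert 4 ** e == x.denominator
    return e - state["i"]

def run(instructions):
    """Simulate a constructed instruction sequence; None if some guard fails."""
    state = initial_state()
    for action, counter in instructions:
        state = step(state, action, counter)
        if state is None:
            return None
    return state

if __name__ == "__main__":
    # Constructed sample: c := 1, d := 1, c := 0, test c = 0, d := 0, test d = 0.
    prog = [("inc", "c"), ("inc", "d"), ("dec", "c"),
            ("0?", "c"), ("dec", "d"), ("0?", "d")]
    final = run(prog)
    print(final["i"], decode(final, "x_c"), decode(final, "x_d"))
```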
Note that the decrement of $c$ requires division by $1$, which is trivially realized by a location with rate $\dot{x}_c = 0$. Finally, the zero test is implemented as follows. A counter $c$ has value $0$ in step $i$ iff $x_c = 1 - t_i = \frac{1}{4^i}$. Therefore, it suffices to check that $x_c = x_t$ to simulate a zero test. To avoid diagonal constraints, we replace $x_c = x_t$ by a test $x_t = 0$ on the transition guarded by $x_c = 0$ in the divisor gadget for $x_c$ (as suggested in Figure 7). The set $\mathit{Goal} = \{\ell_{q_F}\}$ contains the location corresponding to the final state $q_F$ of $M$. By the above arguments, there is a one-to-one mapping between the executions of $M$ and the runs of $H_M$. In particular, the counter values at step $i$ are correctly encoded at time $t_i$. Therefore, the location $\ell_{q_F}$ is reachable in $H_M$ within one time unit if and only if $M$ has an accepting run reaching $q_F$. □

[Figure 4 (diagram not reproduced): two locations, the first with rates $\dot{x} = -k$, $\dot{y} = 1$ left on the guard $x = 0$, the second with rates $\dot{x} = 1$, $\dot{y} = -k$ left on the guard $y = 0$; a plot of $x$ and $y$ against time shows $x$ going from $\nu(x)$ to $\nu(x)/k^2$.]
Figure 4: Gadget for division of a variable $x$ by $k^2$. The variable $y$ is internal to the gadget. The duration of the division is $v \cdot (\frac{1}{k} + \frac{1}{k^2})$. The guard $(x_t = 0)$ has no influence here, and it is used only when $k = 2$.

[Figure 5 (diagram not reproduced): the gadget $x_t / 4$ with its incoming and outgoing transitions merged, initialized with $x_t := 1$, emitting $\mathit{tick}$.]
Figure 5: Tick-gadget to produce infinitely many ticks within one time unit.

[Figure 6 (diagram not reproduced): locations $q$ and $q'$ with rates $\dot{x}_c = 0$, $\dot{x}_d = 0$, connected through the synchronized product $x_c / 16 \times x_d / 4$, entered and left on $\mathit{tick}$.]
Figure 6: Increment-gadget to simulate instruction $(q, \mathit{inc}, c, q')$.

[Figure 7 (diagram not reproduced): locations $q$ and $q'$ with rates $\dot{x}_c = 0$, $\dot{x}_d = 0$, connected through the product $x_c / 4 \times x_d / 4$ where the $x_c$ gadget carries the guard $x_t = 0$, entered and left on $\mathit{tick}$.]
Figure 7: Zero-gadget to simulate instruction $(q, 0?, c, q')$. We do use the guard $x_t = 0$ in the divisor gadget for $x_c$, in order to simulate the diagonal guard $(x_c = x_t)$.

Undecidability with diagonal constraints. We now show that diagonal constraints also lead to undecidability. The result holds even if every variable has a positive, singular, fixed rate.
Theorem 3. The time-bounded reachability problem is undecidable for LHA that use only singular, strictly positive, fixed-rate variables.

Proof. The proof is again by reduction from the halting problem for two-counter machines. We describe the encoding of the counters and the simulation of the instructions. Given a counter $c$, we represent $c$ via two auxiliary counters $c_{\mathit{bot}}$ and $c_{\mathit{top}}$ such that $v(c) = v(c_{\mathit{top}}) - v(c_{\mathit{bot}})$. Incrementing and decrementing $c$ are achieved by incrementing either $c_{\mathit{top}}$ or $c_{\mathit{bot}}$. Zero-testing for $c$ corresponds to checking whether the two auxiliary counters have the same value. Therefore, we do not need to simulate decrementation of a counter. We encode the value of counter $c_{\mathit{bot}}$ using two real-valued variables $x$ and $y$, by postulating that $|x - y| = \frac{1}{2^{v(c_{\mathit{bot}})}}$. Both $x$ and $y$ have rate $\dot{x} = \dot{y} = 1$ at all times and in all locations of the hybrid automaton. Incrementing $c_{\mathit{bot}}$ now simply corresponds to halving the value of $|x - y|$. In order to achieve this, we use two real-valued variables $z$ and $w$ with rates $\dot{z} = 2$ and $\dot{w} = 3$. All operations are simulated in 'rounds'. At the beginning of a round, we require that the variables $x, y, z, w$ have respective values $\frac{1}{2^{v(c_{\mathit{bot}})}}, 0, 0, 0$. We first explain how we merely maintain the value of $c_{\mathit{bot}}$ throughout a round:

1. Starting from the beginning of the round, let all variables evolve until $x = z$, which we detect via a diagonal constraint. Recall that $z$ evolves at twice the rate of $x$.
2. At that point, $x = \frac{2}{2^{v(c_{\mathit{bot}})}}$ and $y = \frac{1}{2^{v(c_{\mathit{bot}})}}$. Reset $x$ and $z$ to zero.
3. Now let all variables evolve until $y = z$, and reset $y$, $z$ and $w$ to zero.

It is easy to see that all variables now have exactly the same values as they had at the beginning of the round. Moreover, the invariant $|x - y| = \frac{1}{2^{v(c_{\mathit{bot}})}}$ is maintained throughout. Note that the total duration of the above round is $\frac{2}{2^{v(c_{\mathit{bot}})}}$. To increment $c_{\mathit{bot}}$, we proceed as follows:

1′. Starting from the beginning of the round, let all variables evolve until $x = w$. Recall that the rate of $w$ is three times that of $x$.
2′. At that point, $x = \frac{1.5}{2^{v(c_{\mathit{bot}})}}$ and $y = \frac{0.5}{2^{v(c_{\mathit{bot}})}} = \frac{1}{2^{v(c_{\mathit{bot}})+1}}$. Reset $x$, $z$ and $w$ to zero.
3′. Now let all variables evolve until $y = z$, and reset $y$, $z$ and $w$ to zero.

We now have $x = \frac{1}{2^{v(c_{\mathit{bot}})+1}}$, and thus the value of $|x - y|$ has indeed been halved as required. Note that the total duration of this incrementation round is $\frac{1}{2^{v(c_{\mathit{bot}})}}$, where $v(c_{\mathit{bot}})$ denotes the value of counter $c_{\mathit{bot}}$ prior to incrementation.

Clearly, the same operations can be simulated for counter $c_{\mathit{top}}$ (using further auxiliary real-valued variables). Note that the durations of the rounds for $c_{\mathit{bot}}$ and $c_{\mathit{top}}$ are in general different; in fact, $c_{\mathit{bot}}$-rounds are never faster than $c_{\mathit{top}}$-rounds. But because they are powers of $\frac{1}{2}$, it is always possible to synchronize them, simply by repeating maintain-rounds for $c_{\mathit{bot}}$ until the round for $c_{\mathit{top}}$ has completed. Finally, zero-testing the original counter $c$ (which corresponds to checking whether $c_{\mathit{bot}} = c_{\mathit{top}}$) is achieved by checking whether the corresponding variables have the same value at the very beginning of a $c_{\mathit{bot}}$-round (since the $c_{\mathit{bot}}$- and $c_{\mathit{top}}$-rounds are then synchronized). We simulate the second counter $d$ of the machine using further auxiliary counters $d_{\mathit{bot}}$ and $d_{\mathit{top}}$. It is clear that the time required to simulate one instruction of a two-counter machine is exactly the duration of the slowest round. Note however that since the counters $c_{\mathit{bot}}$, $c_{\mathit{top}}$, $d_{\mathit{bot}}$ and $d_{\mathit{top}}$ are never decremented, the duration of the slowest round is at most $\frac{2}{2^p}$, where $p$ is the smallest of the initial values of $c_{\mathit{bot}}$ and $d_{\mathit{bot}}$.
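As an added example (not code from the paper), the following Python script simulates the maintain- and increment-rounds above with exact rationals and the fixed rates $\dot{x} = \dot{y} = 1$, $\dot{z} = 2$, $\dot{w} = 3$, checking the stated round durations $\frac{2}{2^{v}}$ and $\frac{1}{2^{v}}$ and the invariant $|x - y| = \frac{1}{2^{v(c_{\mathit{bot}})}}$, and then runs a constructed instruction sequence on $c = c_{\mathit{top}} - c_{\mathit{bot}}$ while synchronizing the two auxiliary counters by repeating the shorter rounds. The function names, the `'nop'` action and the way the synchronization loop is written are my own.

```python
from fractions import Fraction as F

# Fixed, strictly positive, singular rates of the four variables encoding c_bot.
RATES = {"x": 1, "y": 1, "z": 2, "w": 3}

def elapse(val, a, b):
    """Let time flow until the diagonal guard a = b holds. With constant rates the
    guard time solves val[a] + r_a*t = val[b] + r_b*t. Returns (valuation, elapsed)."""
    t = (val[a] - val[b]) / (RATES[b] - RATES[a])
    assert t > 0, "guard must be reached after strictly positive time"
    return {v: val[v] + RATES[v] * t for v in val}, t

def reset(val, names):
    """Reset the given variables to zero, keep the others."""
    return {v: (F(0) if v in names else val[v]) for v in val}

def start_of_round(v_bot):
    """Valuation at the beginning of a round: x = 1/2^v(c_bot), y = z = w = 0."""
    return {"x": F(1, 2 ** v_bot), "y": F(0), "z": F(0), "w": F(0)}

def maintain_round(val):
    """Steps 1-3: keep |x - y| unchanged. Returns (valuation, duration)."""
    val, t1 = elapse(val, "x", "z")          # 1. until x = z (z runs twice as fast)
    val = reset(val, {"x", "z"})             # 2. reset x and z
    val, t2 = elapse(val, "y", "z")          # 3. until y = z, then reset y, z, w
    return reset(val, {"y", "z", "w"}), t1 + t2

def increment_round(val):
    """Steps 1'-3': halve |x - y|, i.e. increment c_bot. Returns (valuation, duration)."""
    val, t1 = elapse(val, "x", "w")          # 1'. until x = w (w runs three times as fast)
    val = reset(val, {"x", "z", "w"})        # 2'. reset x, z and w
    val, t2 = elapse(val, "y", "z")          # 3'. until y = z, then reset y, z, w
    return reset(val, {"y", "z", "w"}), t1 + t2

def counter_value(val):
    """Decode v(c_bot) from the invariant |x - y| = 1/2^v at a round boundary."""
    d = abs(val["x"] - val["y"])
    assert d.numerator == 1
    v = 0
    while 2 ** v < d.denominator:
        v += 1
    assert 2 ** v == d.denominator
    return v

def simulate(v0, ops):
    """Simulate instructions on c = c_top - c_bot, both auxiliary counters starting
    at v0: 'inc' increments c_top, 'dec' increments c_bot, 'nop' keeps both.
    Per instruction each auxiliary counter runs one round; the counter whose round
    ends first repeats maintain-rounds until both have used the same time, which
    always succeeds because every round duration is a power of 1/2.
    Returns (v(c_bot), v(c_top), total duration)."""
    bot, top, total = start_of_round(v0), start_of_round(v0), F(0)
    for op in ops:
        if op == "dec":
            assert counter_value(top) > counter_value(bot), "dec on c = 0"
        bot, tb = (increment_round if op == "dec" else maintain_round)(bot)
        top, tt = (increment_round if op == "inc" else maintain_round)(top)
        while tb != tt:
            if tb < tt:
                bot, t = maintain_round(bot)
                tb += t
            else:
                top, t = maintain_round(top)
                tt += t
        total += tb
    return counter_value(bot), counter_value(top), total

if __name__ == "__main__":
    # Constructed sample: p = 4 auxiliary start value, m = 4 instructions,
    # so the paper's bound 2m/2^p = 1/2 applies to the total duration.
    print(simulate(4, ["inc", "inc", "dec", "nop"]))
```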
If a two-counter machine has an accepting run of length $m$, then the total duration of the simulation is at most $\frac{2m}{2^p}$. In order to bound this value, it is necessary, before commencing the simulation, to initialize the counters $c_{\mathit{bot}}$, $c_{\mathit{top}}$, $d_{\mathit{bot}}$ and $d_{\mathit{top}}$ to a sufficiently large value, for example any number greater than $\log_2(m) + 1$. In this way, the duration of the simulation is at most $1$. Initializing the counters in this way is straightforward. Starting with zero counters (all relevant variables are zero) we repeatedly increment $c_{\mathit{bot}}$, $c_{\mathit{top}}$, $d_{\mathit{bot}}$ and $d_{\mathit{top}}$ a nondeterministic number of times, via a self-loop. When each of these counters has value $k$, we can increment all four counters in a single round of duration $\frac{1}{2^k}$ as explained above. So over a time period of duration at most $\sum_{k=0}^{\infty} \frac{1}{2^k} = 2$ the counters can be initialized to $\lceil \log_2(m) + 1 \rceil$.

Let us now combine these ingredients. Given a two-counter machine $M$, we construct a hybrid automaton $H_M$ such that $M$ has an accepting run iff $H_M$ has a run of duration at most $3$ that reaches the final state $\mathit{Goal}$. $H_M$ uses the real-valued variables described above to encode the counters of $M$. In the initialization phase, $H_M$ nondeterministically assigns values to the auxiliary counters, hence guessing the length of an accepting run of $M$, and then proceeds with the simulation of $M$. This ensures a correspondence between an accepting run of $M$ and a time-bounded run of $H_M$ that reaches $\mathit{Goal}$. □

References

[1] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. TCS, 138(1), 1995.
[2] R. Alur and D. L. Dill. A theory of timed automata. Th. Comp. Sci., 126(2):183–235, 1994.
[3] F. Cassez and K. G. Larsen. The impressive power of stopwatches. In Proc. of CONCUR, LNCS 1877, pages 138–152. Springer, 1877.
[4] J. Ferrante and C. Rackoff. A decision procedure for the first order theory of real addition with order. SIAM J. Comput., 4(1):69–76, 1975.
[5] G. Frehse. PHAVer: algorithmic verification of hybrid systems past HyTech. Int. J. Softw. Tools Technol. Transf., 10:263–279, May 2008.
[6] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi. HyTech: A model checker for hybrid systems. In Proc. of CAV, LNCS 1254, pages 460–463. Springer, 1997.
[7] T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya. What's decidable about hybrid automata? J. Comput. Syst. Sci., 57(1):94–124, 1998.
[8] T. A. Henzinger and J.-F. Raskin. Robust undecidability of timed and hybrid systems. In Proc. of HSCC, LNCS 1790, pages 145–159. Springer, 2000.
[9] M. L. Minsky. Computation: finite and infinite machines. Prentice-Hall Inc., Englewood Cliffs, N.J., 1967. Prentice-Hall Series in Automatic Computation.
[10] J. Ouaknine, A. Rabinovich, and J. Worrell. Time-bounded verification. In Proc. of CONCUR, LNCS 5710, pages 496–510. Springer, 2009.
[11] J. Ouaknine and J. Worrell. Towards a theory of time-bounded verification. In Proc. of ICALP (II), LNCS 6199, pages 22–37. Springer, 2010.

A Constructions to Prove Proposition 1

In this section, we present three constructions that together prove Proposition 1. These three constructions have to be applied successively, starting from an RHA with non-negative rates:

1. The first construction removes the non-deterministic resets while preserving time-bounded reachability.
2. The second construction allows us to consider only runs where the variables are bounded by $1$. Roughly speaking, it amounts to encoding the integral parts of the variables in the locations and adapting the guards and invariants accordingly.
3. The third construction allows us to consider strict runs only.
Throughout the section, we assume all the guards to be reduced, i.e.: (i) the same atom does not appear twice in the same guard, (ii) the only guard containing $\mathit{true}$ is $\mathit{true}$ and (iii) the only guard containing $\mathit{false}$ is $\mathit{false}$. Remark that any guard can always be replaced by an equivalent reduced guard. For any valuation $\nu$, we denote by $\nu[S/0]$ the valuation s.t. for any $x$: $\nu[S/0](x) = \nu(x)$ if $x \notin S$ and $\nu[S/0](x) = 0$ otherwise.

A.1 First construction: deterministic resets

Given an RHA $H$ we show how to construct an RHA $H'$ with only deterministic resets such that $H$ is equivalent to $H'$ with respect to reachability in the sense of Proposition 4. The idea of the construction is to replace non-deterministic resets in $H$ with resets to $0$ in $H'$ and to compensate by suitably altering the guards of subsequent transitions in $H'$. Let $X = \{x_1, \ldots, x_n\}$ be a set of variables, $\mathcal{I}$ a set of real intervals including the singleton $\{0\}$, let $g$ be a guard on $X$, and let $\rho \in \mathcal{I}^n$ be an $n$-tuple of intervals. (Intuitively $\rho(j)$ represents the interval in which variable $x_j$ was last reset, with $\rho(j) = \{0\}$ if $x_j$ has not yet been reset.) Then we inductively define $\mathit{Adapt}(g, \rho)$ as follows:
$$\begin{aligned}
\mathit{Adapt}(g_1 \wedge g_2, \rho) &= \mathit{Adapt}(g_1, \rho) \wedge \mathit{Adapt}(g_2, \rho)\\
\mathit{Adapt}(x_j \in I, \rho) &= x_j \in (I - \rho(j)).
\end{aligned}$$
Here, given intervals $I, J \subseteq \mathbb{R}$, $I - J$ denotes the interval $\{x \mid \exists y \in I, z \in J : x + z = y\}$. Let $H = (X, \mathit{Loc}, \mathit{Edges}, \mathit{Rates}, \mathit{Inv}, \mathit{Init})$ be an RHA. We construct a new RHA $\mathit{DetReset}(H) = (X, \mathit{Loc}', \mathit{Edges}', \mathit{Rates}', \mathit{Inv}', \mathit{Init}')$ as follows. Writing $\mathcal{I}$ for the set of intervals used in variable resets in $H$, we have:

1. $\mathit{Loc}' = \mathit{Loc} \times \mathcal{I}^{|X|}$.
2. For each $(\ell, g, r, \ell') \in \mathit{Edges}$ we have that $((\ell, \rho), g', r', (\ell', \rho')) \in \mathit{Edges}'$, where $g' = \mathit{Adapt}(g, \rho)$; $r'(j) = \bot$ and $\rho'(j) = \rho(j)$ if $r(j) = \bot$; $r'(j) = \{0\}$ and $\rho'(j) = r(j)$ if $r(j) \neq \bot$.
3. $\mathit{Rates}'(\ell, \rho) = \mathit{Rates}(\ell)$.
4. $\mathit{Inv}'(\ell, \rho) = \mathit{Adapt}(\mathit{Inv}(\ell), \rho)$.
5. $\mathit{Init}' = \{(\ell, \mathbf{0}) \mid \ell \in \mathit{Init}\}$, where $\mathbf{0} = (\{0\}, \ldots, \{0\})$.

Proposition 4. Let $\ell$ be a location of $H$. Then, $H$ admits a $T$-time-bounded run reaching $\ell$ iff $\mathit{DetReset}(H)$ admits a $T$-time-bounded run reaching some location of the form $(\ell, \rho)$.

A.2 Second construction: variables bounded by 1

Next, we show, given an RHA $H$ with non-negative rates and deterministic resets, how we can build an RHA $\mathit{CBound}(H)$ with the same properties, and s.t. we can decide time-bounded reachability on $H$ by considering only the runs of $\mathit{CBound}(H)$ with the variables bounded by $1$. The idea of the construction is to encode the integer part of the variable values of $H$ in the locations of $\mathit{CBound}(H)$, and to keep the fractional part (thus, a value in $[0, 1]$) in the variable. To achieve this, locations of $\mathit{CBound}(H)$ are of the form $(\ell, i)$, where $\ell$ is a location of $H$, and $i$ is a function that associates a value from $\{0, \ldots, \mathit{cmax}\}$ to each variable. Intuitively, $i(j)$ represents the integer part of $x_j$ in the original run of $H$, whereas the fractional part is tracked by $x_j$ (hence all the variables stay in the interval $[0, 1]$). For instance, the configuration $(\ell, 2.1, 3.2)$ of $H$ is encoded by the configuration $((\ell, (2, 3)), 0.1, 0.2)$ of $\mathit{CBound}(H)$. The transitions of $\mathit{CBound}(H)$ are adapted from the transitions of $H$ by modifying the guards to take into account the integer part encoded in the locations. This is achieved thanks to the $\mathit{Adapt}$ function described hereunder. Finally, fresh transitions are added to $\mathit{CBound}(H)$ that reset variables whose value reaches $1$, while properly updating the information about the integral part.

Let $X = \{x_1, \ldots, x_n\}$ be a set of variables, let $g$ be a guard on $X$, and let $i = (i_1, \ldots, i_n) \in \mathbb{N}^n$ be a tuple of natural values. Then, we define inductively $\mathit{Adapt}(g, i)$ as follows:
$$\begin{aligned}
\mathit{Adapt}(x_j \le k, i) &= \begin{cases} \mathit{false} & \text{if } k < i_j\\ x_j = 0 & \text{if } k = i_j\\ \mathit{true} & \text{if } k > i_j \end{cases}
&
\mathit{Adapt}(x_j < k, i) &= \begin{cases} \mathit{false} & \text{if } k \le i_j\\ x_j < 1 & \text{if } k = i_j + 1\\ \mathit{true} & \text{if } k > i_j + 1 \end{cases}\\[1ex]
\mathit{Adapt}(x_j = k, i) &= \begin{cases} \mathit{false} & \text{if } k < i_j\\ x_j = 0 & \text{if } k = i_j\\ \mathit{false} & \text{if } k > i_j \end{cases}
&
\mathit{Adapt}(x_j \ge k, i) &= \begin{cases} \mathit{false} & \text{if } k > i_j + 1\\ x_j = 1 & \text{if } k = i_j + 1\\ \mathit{true} & \text{if } k \le i_j \end{cases}\\[1ex]
\mathit{Adapt}(x_j > k, i) &= \begin{cases} \mathit{true} & \text{if } k < i_j\\ x_j > 0 & \text{if } k = i_j\\ \mathit{false} & \text{if } k > i_j \end{cases}
&
\mathit{Adapt}(g_1 \wedge g_2, i) &= \mathit{Adapt}(g_1, i) \wedge \mathit{Adapt}(g_2, i).
\end{aligned}$$

Given an RHA $H = (X, \mathit{Loc}, \mathit{Edges}, \mathit{Rates}, \mathit{Inv}, \mathit{Init})$ s.t. for any $(\ell, g, r, \ell') \in \mathit{Edges}$ and any $x \in X$, $r(x)$ is either $[0, 0]$ or $\bot$ (that is, all the resets are deterministic and to zero), we build the RHA $\mathit{CBound}(H) = (X, \mathit{Loc}', \mathit{Edges}', \mathit{Rates}', \mathit{Inv}', \mathit{Init}')$ as follows (where $\mathit{cmax}$ is the largest constant appearing in $H$):

1. $\mathit{Loc}' = \mathit{Loc} \times \{0, \ldots, \mathit{cmax}\}^n$.
2. For each $(\ell, g, r, \ell') \in \mathit{Edges}$ we have that $((\ell, i), \mathit{Adapt}(g, i), r, (\ell', i')) \in \mathit{Edges}'$, where $i'_j = 0$ if $r(x_j) \neq \bot$ (i.e. $x_j$ is reset) and $i'_j = i_j$ otherwise. Moreover, $((\ell, i), x_k = 1, \{x_k\}, (\ell, i')) \in \mathit{Edges}'$ for every $k$, where $i'_j = i_j$ if $j \neq k$ and $i'_k = \min(i_k + 1, \mathit{cmax})$.
3. For any $(\ell, i) \in \mathit{Loc}'$: $\mathit{Rates}'(\ell, i) = \mathit{Rates}(\ell)$.
4. $\mathit{Inv}'(\ell, i) = (x_1 \le 1) \wedge \cdots \wedge (x_n \le 1)$, for each $(\ell, i) \in \mathit{Loc}'$.
5. $\mathit{Init}' = \{(\ell, i) \mid \ell \in \mathit{Init}\}$.

Proposition 5. Let $H$ be an RHA with non-negative rates, and s.t. for any edge $(\ell, g, r, \ell')$ of $H$ and any variable $x$ of $H$, $r(x)$ is either $[0, 0]$ or $\bot$. Let $\ell$ be a location of $H$. Then, $H$ admits a $T$-time-bounded run reaching $\ell$ iff $\mathit{CBound}(H)$ admits a $1$-variable-bounded and $T$-time-bounded run reaching some location of the form $(\ell, i)$.

A.3 Third construction: strictly elapsing time

Last, we explain how we can build an RHA that enforces strictly elapsing time. Given an RHA $H = (X, \mathit{Loc}, \mathit{Edges}, \mathit{Rates}, \mathit{Inv}, \mathit{Init})$ s.t. for any $(\ell, g, r, \ell') \in \mathit{Edges}$ and any $x \in X$, $r(x)$ is either $[0, 0]$ or $\bot$, we build the RHA $\mathit{Strict}(H) = (X, \mathit{Loc}', \mathit{Edges}', \mathit{Rates}', \mathit{Inv}', \mathit{Init}')$ as follows. Let $\Pi$ be the (finite) set of all non-empty paths of $H$ that contain at most one occurrence of each simple loop. Then:

1. $\mathit{Loc}' = \mathit{Loc} \times \Pi$.
2. $((\ell, \pi), g, r, (\ell', \pi')) \in \mathit{Edges}'$ iff:
   • $\pi = (\ell, g_1, r_1, \ell_1)(\ell_1, g_2, r_2, \ell_2) \ldots (\ell_{n-1}, g_n, r_n, \ell')$;
   • $g = \bigwedge_{i=0}^{n} g_i[X_i/0]$, where $X_i = \{x \mid \exists\, 0 \le j < i : r_j(x) \neq \bot\}$;
   • $r$ is s.t. for any $x \in X$: $r(x) = 0$ if there is $1 \le j \le n$ s.t. $r_j(x) \neq \bot$, and $r(x) = \bot$ otherwise.
3. $\mathit{Rates}'$ is s.t. $\mathit{Rates}'(\ell, \pi) = \mathit{Rates}(\ell)$ for any $(\ell, \pi) \in \mathit{Loc}'$.
4. $\mathit{Inv}'$ is s.t. $\mathit{Inv}'(\ell, \pi) = \mathit{Inv}(\ell) \wedge \bigwedge_{i=1}^{n} \mathit{Inv}(\ell_i)[X_i/0]$, where $X_i = \{x \mid \exists\, 0 \le j \le i : r_j(x) \neq \bot\}$.
5. $\mathit{Init}' = \{(\ell, \pi) \mid \ell \in \mathit{Init}\}$.

Proposition 6. Let $H$ be an RHA with non-negative rates and s.t. for any edge $(\ell, g, r, \ell')$ of $H$ and any variable $x$ of $H$, $r(x)$ is either $[0, 0]$ or $\bot$. Let $\ell$ be a location of $H$. Then, $H$ admits a $1$-variable-bounded and $T$-time-bounded run reaching $\ell$ iff $\mathit{Strict}(H)$ admits a strict, $1$-variable-bounded and $T$-time-bounded run reaching some location of the form $(\ell, \pi)$.

A.4 Proof of Proposition 1

By applying successively the three constructions above to any RHA $H$ with non-negative rates, one obtains an RHA $H' = \mathit{Strict}(\mathit{CBound}(\mathit{DetReset}(H)))$ that has the following properties:

1. $H'$ contains only deterministic resets to zero.
2. All the guards and invariants in $H'$ are either $\mathit{true}$ or conjunctions of atoms of the form $x = 1$ or $y < 1$ only². Moreover, each time a variable is tested to $1$ by an edge, it is reset to zero.

Moreover, when the original $H$ contains no strict inequalities in the guards and invariants, the same holds for the guards and invariants of $H'$, i.e., they will all be either $\mathit{true}$ or of the form $x_1 = 1 \wedge x_2 = 1 \wedge \cdots \wedge x_k = 1$ for $\{x_1, \ldots, x_k\} \subseteq X$. Thus, $H'$ has the right syntax, and respects H1 through H3. Given a location $\ell$ of $H$, we let $\mathit{Goal}$ be the set of all $H'$ locations of the form $(((\ell, \rho), i), \pi)$. Thanks to Propositions 4, 5 and 6, we are ensured that $H$ admits a $T$-time-bounded run reaching $\ell$ iff $H'$ admits a strict, $1$-variable-bounded and $T$-time-bounded run reaching $\mathit{Goal}$. □

² Remark that the third construction removes from the guards all the atoms of the form $x > 0$ that are introduced by the second one.
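As an added example (not code from the paper), the following Python code implements the $\mathit{Adapt}(g, i)$ function of the second construction (A.2) together with the encoding of an $H$ valuation into a $\mathit{CBound}(H)$ configuration and the update of $i$ performed by the fresh $x_k = 1$ edges, and then checks exhaustively on a grid of valuations that a guard holds in $H$ exactly when its adapted form holds on the fractional parts. The atom representation, the function names and the grid are my own; the check assumes values below $\mathit{cmax} + 1$ (so $i$ never saturates) and that the $x_k = 1$ reset edges have already fired, so every fractional part lies in $[0, 1)$.

```python
from fractions import Fraction as F
from math import floor
import operator

# An atom (j, op, k) reads "x_j op k"; TRUE / FALSE are the reduced trivial guards.
TRUE, FALSE = ("true",), ("false",)
OPS = {"<=": operator.le, "<": operator.lt, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def adapt_atom(atom, i):
    """Adapt(x_j op k, i) exactly as tabulated in Section A.2."""
    j, op, k = atom
    ij = i[j]
    if op == "<=":
        return FALSE if k < ij else (j, "=", 0) if k == ij else TRUE
    if op == "<":
        return FALSE if k <= ij else (j, "<", 1) if k == ij + 1 else TRUE
    if op == "=":
        return (j, "=", 0) if k == ij else FALSE
    if op == ">=":
        return FALSE if k > ij + 1 else (j, "=", 1) if k == ij + 1 else TRUE
    if op == ">":
        return TRUE if k < ij else (j, ">", 0) if k == ij else FALSE
    raise ValueError(op)

def adapt(guard, i):
    """Adapt(g_1 ∧ ... ∧ g_m, i) as a reduced guard: no duplicate atom, [TRUE] only
    when every atom is trivial, [FALSE] as soon as one atom is false."""
    atoms = [adapt_atom(a, i) for a in guard]
    if FALSE in atoms:
        return [FALSE]
    atoms = list(dict.fromkeys(a for a in atoms if a != TRUE))
    return atoms or [TRUE]

def holds(guard, val):
    """Truth value of a conjunction of atoms under a valuation (tuple indexed by j)."""
    return all(atom != FALSE and (atom == TRUE or OPS[atom[1]](val[atom[0]], atom[2]))
               for atom in guard)

def encode(val, cmax):
    """Map an H valuation to the location component i and the CBound(H) valuation.
    Assumes every value is below cmax + 1 and that the x_k = 1 reset edges have
    already fired, so each fractional part lies in [0, 1)."""
    i = tuple(min(floor(v), cmax) for v in val)
    return i, tuple(v - floor(v) for v in val)

def reset_edge(i, k, cmax):
    """Target integer vector of the fresh edge ((l, i), x_k = 1, {x_k}, (l, i'))."""
    return tuple(min(ij + 1, cmax) if j == k else ij for j, ij in enumerate(i))

def check_adapt(cmax, step=F(1, 4)):
    """On a grid of two-variable valuations in [0, cmax + 1) and on every conjunction of
    one atom per variable with constants in {0, ..., cmax}, check that g holds in H iff
    Adapt(g, i) holds on the fractional parts. Returns (checked, mismatches)."""
    grid = [q * step for q in range(int((cmax + 1) / step))]
    atoms = [(j, op, k) for j in (0, 1) for op in OPS for k in range(cmax + 1)]
    checked = mismatches = 0
    for v0 in grid:
        for v1 in grid:
            i, frac = encode((v0, v1), cmax)
            for a0 in atoms:
                for a1 in atoms:
                    if a0[0] == a1[0]:
                        continue
                    guard = [a0, a1]
                    checked += 1
                    if holds(guard, (v0, v1)) != holds(adapt(guard, i), frac):
                        mismatches += 1
    return checked, mismatches

if __name__ == "__main__":
    print(adapt([(0, "<", 3), (1, ">", 1)], (2, 1)))   # guards over fractional parts
    print(check_adapt(2))                               # (checked, mismatches)
```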
