Model Checking One-clock Priced Timed Automata
We consider the model of priced (a.k.a. weighted) timed automata, an extension of timed automata with cost information on both locations and transitions, and we study various model-checking problems for that model based on extensions of classical tem…
Authors: Patricia Bouyer, Kim G. Larsen, Nicolas Markey
Logical Methods in Computer Science, Vol. 4 (2:9) 2008, pp. 1–28, www.lmcs-online.org. Submitted Sep. 20, 2007; published Jun. 20, 2008.

MODEL CHECKING ONE-CLOCK PRICED TIMED AUTOMATA∗

PATRICIA BOUYER a, KIM G. LARSEN b, AND NICOLAS MARKEY c

a LSV, CNRS & ENS de Cachan, France and Oxford University Computing Laboratory, UK. E-mail address: bouyer@lsv.ens-cachan.fr
b Aalborg University, Denmark. E-mail address: kgl@cs.aau.dk
c LSV, CNRS & ENS de Cachan, France. E-mail address: markey@lsv.ens-cachan.fr

Abstract. We consider the model of priced (a.k.a. weighted) timed automata, an extension of timed automata with cost information on both locations and transitions, and we study various model-checking problems for that model based on extensions of classical temporal logics with cost constraints on modalities. We prove that, under the assumption that the model has only one clock, model-checking this class of models against the logic WCTL, CTL with cost-constrained modalities, is PSPACE-complete (while it has been shown undecidable as soon as the model has three clocks). We also prove that model-checking WMTL, LTL with cost-constrained modalities, is decidable only if there is a single clock in the model and a single stopwatch cost variable (i.e., whose slopes lie in $\{0, 1\}$).

An interesting direction of real-time model-checking that has recently received substantial attention is the extension and re-targeting of timed automata technology towards optimal scheduling and controller synthesis [AAM06, RLS04, BBL08]. In particular, scheduling problems can often be reformulated in terms of reachability questions with respect to behavioural models where tasks and resources relevant for the scheduling problem in question are modelled as interacting timed automata [BLR05a].
Although there exists a wide body of literature and established results on (optimal) scheduling in the fields of real-time systems and operations research, the application of model-checking has proved to provide a novel and competitive technology. In particular, model-checking has the advantage of offering a generic approach, going well beyond most classical scheduling solutions, which have good properties only for scenarios satisfying specific assumptions that may or, quite often, may not apply in actual practical circumstances. Of course, model-checking comes with its own restrictions and stumbling blocks, the most notorious being the state-space explosion. A lot of research has thus been devoted to "guide" and "prune" the reachability search [BFH+01a].

1998 ACM Subject Classification: F.1.1, F.3.1.
Key words and phrases: priced timed automata, model-checking.
∗ This article is a long version of [BLM07]. It has been extended with recent related results from [BM07].
a Partly supported by project DOTS (ANR-06-SETI-003), and by a Marie-Curie fellowship.
b Partly supported by an invited professorship from ENS Cachan.
c Partly supported by project DOTS (ANR-06-SETI-003).
LOGICAL METHODS IN COMPUTER SCIENCE, DOI:10.2168/LMCS-4 (2:9) 2008. © P. Bouyer, K.G. Larsen, and N. Markey. CC Creative Commons.

As part of the effort on applying timed automata technology to scheduling, the notion of priced (or weighted) timed automata [BFH+01b, ALP01] has been promoted as a useful extension of the classical model of timed automata allowing continuous consumption of resources (e.g. energy, money, pollution, etc.) to be modelled and analyzed. In this way one may distinguish different feasible schedules according to their consumption of resources (i.e.
, accumulated cost) with obvious preference for the optimal schedule with minimal resource requirements.

Within the model of priced timed automata, the cost variables serve purely as evaluation functions or observers, i.e., the behaviour of the underlying timed automata may in no way depend on these cost variables. As an important consequence of this restriction (and in contrast to the related models of constant slope and linear hybrid automata) a number of optimization problems have been shown decidable for priced timed automata, including minimum-cost reachability [BFH+01b, ALP01, BBBR07], optimal (minimum and maximum cost) reachability in multi-priced settings [LR05] and cost-optimal infinite schedules [BBL04, BBL08] in terms of minimal (or maximal) cost per time ratio in the limit. Moreover UPPAAL Cora [BLR05b] provides an efficient tool for computing cost-optimal or near-optimal solutions to reachability questions, implementing a symbolic A* algorithm based on a new data structure (so-called priced zones) allowing for efficient symbolic state representation with additional cost information.

Cost-extended versions of temporal logics such as CTL (branching-time) and LTL (linear-time) appear as natural "generalizations" of the above optimization problems. Just as TCTL and MTL provide extensions of CTL and LTL with time-constrained modalities, WCTL and WMTL are extensions with cost-constrained modalities interpreted with respect to priced timed automata. Unfortunately, the addition of cost now turns out to come with a price: whereas the model-checking problems for timed automata with respect to TCTL and MTL are decidable, it has been shown in [BBR04] that model-checking priced timed automata with respect to WCTL is undecidable.
Also, in [BBR05] it has recently been shown that the problem of determining cost-optimal winning strategies for priced timed games is not computable. In [BBM06] it has been shown that these negative results hold even for priced timed (game) automata with no more than three clocks.

Recently, the restriction of timed systems to a single clock has raised some attention, as it leads to much nicer decidability and complexity results. Indeed, the emptiness problem in single-clock timed automata becomes NLOGSPACE-complete [LMS04] instead of PSPACE-complete in the general framework [AD94]. Also, the emptiness problem is decidable for single-clock alternating timed automata and is undecidable for general alternating timed automata [LW05, OW05, LW08, OW07]. Even more recently, cost-optimal timed games have been proved decidable for one-clock priced timed games [BLMR06], and construction of almost-optimal strategies can be done.

In this paper we focus on model-checking problems for priced timed automata with a single clock. On the one hand, we show that the model-checking problem with respect to WCTL is PSPACE-complete under the "single clock" assumption. This is rather surprising as model-checking TCTL (the only cost variable is the time elapsed) under the same assumption is already PSPACE-complete [LMS04]. On the other hand, we prove that the model-checking problem with respect to WMTL, the linear-time counterpart of WCTL, is decidable if we add the extra requirements that there is only one cost variable which is stopwatch (i.e., with slopes in $\{0, 1\}$). We also prove that those two conditions are necessary to get decidability, by proving that any slight extension of that model leads to undecidability.
The paper is organized as follows: In Section 1, we present the model of priced timed automata. Section 2 is devoted to the definition of WCTL, and to the proof that it is decidable when the model has only one clock. We propose an EXPTIME algorithm, which we then slightly modify so that it runs in PSPACE. Section 3 then handles the linear-time case: we first define WMTL, prove that it is decidable under the single-clock and single-stopwatch-cost assumptions, and that it is undecidable if we lift any of these restrictions.

1. Preliminaries

1.1. Priced Timed Automata. In the sequel, $\mathbb{R}_+$ denotes the set of nonnegative reals. Let $X$ be a set of clock variables. The set of clock constraints (or guards) over $X$ is defined by the grammar "$g ::= x \sim c \mid g \wedge g$" where $x \in X$, $c \in \mathbb{N}$ and $\sim \in \{<, \le, =, \ge, >\}$. The set of all clock constraints is denoted $\mathcal{B}(X)$. That a valuation $v : X \to \mathbb{R}_+$ satisfies a clock constraint $g$ is defined in a natural way ($v$ satisfies $x \sim c$ whenever $v(x) \sim c$), and we then write $v \models g$. We denote by $v_0$ the valuation that assigns zero to all clock variables, by $v + t$ (with $t \in \mathbb{R}_+$) the valuation that assigns $v(x) + t$ to all $x \in X$, and for $R \subseteq X$ we write $[R \leftarrow 0]v$ to denote the valuation that assigns zero to all variables in $R$ and agrees with $v$ for all variables in $X \setminus R$.

Definition 1.1. A priced timed automaton (PTA for short) is a tuple $\mathcal{A} = (Q, q_0, X, T, \eta, (\mathrm{cost}_i)_{1 \le i \le p})$ where $Q$ is a finite set of locations, $q_0 \in Q$ is the initial location, $X$ is a set of clocks, $T \subseteq Q \times \mathcal{B}(X) \times 2^X \times Q$ is the set of transitions, $\eta : Q \to \mathcal{B}(X)$ defines the invariants of each location, and each $\mathrm{cost}_i : Q \cup T \to \mathbb{N}$ is a cost (or price) function. For $S \subseteq \mathbb{N}$, a cost $\mathrm{cost}_i$ is said to be $S$-sloped if $\mathrm{cost}_i(Q) \subseteq S$. If $S = \{0, 1\}$, it is said stopwatch. If $|S| = n$, we say that the cost $\mathrm{cost}_i$ is $n$-sloped.
The semantics of a PTA $\mathcal{A}$ is given as a labeled timed transition system $T_{\mathcal{A}} = (S, s_0, \to)$ where $S \subseteq Q \times \mathbb{R}_+^X$ is the set of states, $s_0 = (q_0, v_0)$ is the initial state, and the transition relation $\to \subseteq S \times (T \cup \mathbb{R}_+) \times S$ is composed of delay and discrete moves defined as follows:
(1) (discrete move) $(q, v) \xrightarrow{e} (q', v')$ if $e = (q, g, R, q') \in T$ is s.t. $v \models g$, $v' = [R \leftarrow 0]v$, $v' \models \eta(q')$. The $i$-th cost of this discrete move is $\mathrm{cost}_i\big((q, v) \xrightarrow{e} (q', v')\big) = \mathrm{cost}_i(e)$.
(2) (delay move) $(q, v) \xrightarrow{t} (q, v + t)$ if $\forall\, 0 \le t' \le t$, $v + t' \models \eta(q)$. The $i$-th cost of this delay move is $\mathrm{cost}_i\big((q, v) \xrightarrow{t} (q, v + t)\big) = t \cdot \mathrm{cost}_i(q)$.

A discrete move or a delay move will be called a simple move. A mixed move $(q, v) \xrightarrow{t, e} (q', v')$ corresponds to the concatenation of a delay move and a discrete move. For technical reasons, we only consider non-blocking PTAs, because we will further interpret logical formulas over infinite paths. The $i$-th cost of this mixed move is the sum of the $i$-th costs of the two moves. A finite (resp. infinite) run of a PTA is a finite (resp. infinite) sequence of mixed moves in the underlying transition system. A run of $\mathcal{A}$ will thus be distinguished from a path in $T_{\mathcal{A}}$, which is composed of simple moves and where stuttering of delay moves is allowed. Note however that a path in $T_{\mathcal{A}}$ is naturally associated with a run in $\mathcal{A}$. The $i$-th cost of a run in $\mathcal{A}$ (resp. path in $T_{\mathcal{A}}$) is the sum of the $i$-th costs of the mixed (resp. simple) moves composing the run (resp. path), and is denoted $\mathrm{cost}_i(\,\cdot\,)$. The length $|\,\cdot\,|$ of a finite run $s_0 \xrightarrow{t_1, e_1} s_1 \xrightarrow{t_2, e_2} \cdots \xrightarrow{t_n, e_n} s_n$ is $n$. A position along a run is a nonnegative integer $\pi \le |\,\cdot\,|$.
Given a position $\pi$, $(\,\cdot\,)[\pi]$ denotes the corresponding state $s_\pi$, whereas $(\,\cdot\,)_{\le \pi}$ denotes the finite prefix of the run ending at position $\pi$, and $(\,\cdot\,)_{\ge \pi}$ is the suffix starting in $\pi$.

Remark 1.2. In the model of priced timed automata, the cost variables only play the role of observers (they are history variables in the sense of [OG76, AL88]): the values of these variables don't constrain the behaviour of the system (the behaviours of a priced timed automaton are those of the underlying timed automaton), but can be used as evaluation functions. For instance, problems such as "optimal reachability" [BFH+01b, ALP01], "optimal infinite schedules" [BBL04] or "optimal reachability timed games" [ABM04, BCFL04, BBR05, BBM06] have recently been investigated. The problem we consider in this paper is closely related to these kinds of problems: we will use temporal logics as a language for evaluating the performances of a system.

1.2. Example. The PTA of Figure 1 models a never-ending process of repairing problems, which are bound to occur repeatedly with a certain frequency. The repair of a problem has a certain cost, captured in the model by the cost variable $c$. As soon as a problem occurs (modeled by the Problem location) the value of $c$ grows with rate 3, until actual repair is taking place in one of the locations Cheap (rate 2) or Expensive (rate 4). At most 20 time units after the occurrence of a problem it will have been repaired one way or another.

Figure 1: Repair problem as a PTA. Location labels: OK ($\dot c = 0$, $x \le 9$), Problem ($\dot c = 3$, $x \le 10$), Cheap ($\dot c = 2$, $x < 20$), Expensive ($\dot c = 4$, $x \le 15$); transition labels: $x \ge 2$, $x \ge 4$, "$x = 20$, $x := 0$, $c \mathrel{+}= 5$", "$x = 15$, $x := 0$".

Figure 2: Minimum cost of repair and associated strategy in location Problem (axes: $x$ from 2 to 10, $c$ from 10 to 50; strategy phases: Wait in Problem, Goto Cheap, Wait in Problem, Goto Expensive).

In this setting we are interested in properties concerning the cost of repairs.
For instance, we would like to express that whenever a problem occurs, it may be repaired (i.e. reach the location OK) within a total cost of 47. In fact Figure 2 gives the minimum cost of repair (as well as an optimal strategy) for any state of the form $(\mathrm{Problem}, x)$ with $x \in [0, 10]$. Correspondingly, the minimum cost of reaching OK from states of the form $(\mathrm{Cheap}, x)$ (resp. $(\mathrm{Expensive}, x)$) is given by the expression $45 - 2x$ (resp. $60 - 4x$). Symmetrically, we would like to express properties on the worst cost to repair, or to link the uptime with the (best, worst) cost of repairing. As will be illustrated later, extending temporal logics with cost information provides a nice setting for expressing such properties.

2. Model Checking Branching-Time Logics

We first focus on the case of branching-time logics. From this point on, AP denotes a fixed, finite, non-empty set of atomic propositions. We first define the cost-extended version of CTL.

2.1. The Logic WCTL. The logic WCTL¹ [BBR04] extends CTL with cost constraints. Its syntax is given by the following grammar:
$$\mathrm{WCTL} \ni \varphi ::= a \mid \neg\varphi \mid \varphi \vee \varphi \mid E\,\varphi\, U_{\mathrm{cost} \sim c}\, \varphi \mid A\,\varphi\, U_{\mathrm{cost} \sim c}\, \varphi$$
where $a \in AP$, cost is a cost function, $c$ ranges over $\mathbb{N}$, and $\sim \in \{<, \le, =, \ge, >\}$. We interpret formulas of WCTL over labeled PTA, i.e. PTA having a labeling function $\ell$ which associates with every location $q$ a subset of AP. We identify each cost appearing in the WCTL formulas with the cost having the same name in the model (which is assumed to exist).

Definition 2.1. Let $\mathcal{A}$ be a labeled PTA.
The satisfaction relation of WCTL is defined over configurations $(q, v)$ of $\mathcal{A}$ as follows:
• $(q, v) \models a \iff a \in \ell(q)$
• $(q, v) \models \neg\varphi \iff (q, v) \not\models \varphi$
• $(q, v) \models \varphi \vee \psi \iff (q, v) \models \varphi$ or $(q, v) \models \psi$
• $(q, v) \models E\,\varphi\, U_{\mathrm{cost} \sim c}\, \psi \iff$ there is an infinite run in $\mathcal{A}$ from $(q, v)$ satisfying $\varphi\, U_{\mathrm{cost} \sim c}\, \psi$
• $(q, v) \models A\,\varphi\, U_{\mathrm{cost} \sim c}\, \psi \iff$ any infinite run in $\mathcal{A}$ from $(q, v)$ satisfies $\varphi\, U_{\mathrm{cost} \sim c}\, \psi$
• a run satisfies $\varphi\, U_{\mathrm{cost} \sim c}\, \psi \iff$ there exists a position $\pi > 0$ along it s.t. $(\,\cdot\,)[\pi] \models \psi$, for every position $0 < \pi' < \pi$, $(\,\cdot\,)[\pi'] \models \varphi$, and $\mathrm{cost}((\,\cdot\,)_{\le \pi}) \sim c$

If $\mathcal{A}$ is not clear from the context, we may write $\mathcal{A}, (q, v) \models \varphi$ instead of simply $(q, v) \models \varphi$. As usual, we will use shorthands such as "$\mathrm{true} \stackrel{\text{def}}{\iff} a \vee \neg a$", "$(\varphi \Rightarrow \psi) \stackrel{\text{def}}{\iff} \neg\varphi \vee \psi$", "$E F_{\mathrm{cost} \sim c}\, \varphi \stackrel{\text{def}}{\iff} E\,\mathrm{true}\, U_{\mathrm{cost} \sim c}\, \varphi$", and "$A G_{\mathrm{cost} \sim c}\, \varphi \stackrel{\text{def}}{\iff} \neg E F_{\mathrm{cost} \sim c}\, \neg\varphi$". Moreover, if the cost function cost is unique or clear from the context, we may write $\varphi\, U_{\sim c}\, \psi$ instead of $\varphi\, U_{\mathrm{cost} \sim c}\, \psi$. Finally, we omit to mention the subscript "$\sim c$" when it is equivalent to "$\ge 0$" (thus imposing no real constraint).

Example 2.2. We go back to our example of Section 1.2. That it is always possible to repair a problem with cost at most 47 can be expressed in WCTL with the following formula: $A G\,(\mathrm{Problem} \Rightarrow E F_{c \le 47}\, \mathrm{OK})$. We can also express that the worst cost to repair is 56, in the sense that state Repair can always be reached within this cost: $A G\,(\mathrm{Problem} \Rightarrow A F_{c \le 56}\, \mathrm{OK})$.

¹ WCTL stands for "Weighted CTL", following [BBR04] terminology. It would have been more natural to call it "Priced CTL" (PCTL) in our setting, but this would have been confusing with "Probabilistic CTL" [HJ94].
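As an added illustration of Examples 1.2 and 2.2 (this is not code from the paper), the following Python computes the best and worst cost of repair from any state (Problem, x) of the Figure 1 PTA and checks the two WCTL claims above on those states. It assumes the reading of Figure 1 given in Section 1.2: Problem → Cheap is guarded by x ≥ 2, Problem → Expensive by x ≥ 4, Problem has invariant x ≤ 10, Cheap exits to OK at x = 20 paying 5 on the edge, and Expensive exits to OK at x = 15.

```python
from fractions import Fraction

# Figure 1 data as read in Section 1.2 (constructed encoding, not the paper's code).
RATE = {"Problem": 3, "Cheap": 2, "Expensive": 4, "OK": 0}
PROBLEM_DEADLINE = 10                       # invariant x <= 10 in Problem
GUARD_MIN = {"Cheap": 2, "Expensive": 4}    # Problem -> Cheap: x >= 2; -> Expensive: x >= 4


def cost_from_cheap(x):
    """Cheap has a single exit, to OK at x = 20 with c += 5 on the edge: 45 - 2x."""
    return RATE["Cheap"] * (20 - x) + 5


def cost_from_expensive(x):
    """Expensive has a single exit, to OK at x = 15: 60 - 4x."""
    return RATE["Expensive"] * (15 - x)


COST_TO_OK = {"Cheap": cost_from_cheap, "Expensive": cost_from_expensive}


def repair_options(x):
    """Candidate runs from (Problem, x).

    A run that delays t in Problem and then repairs in location L costs
    3*t + V_L(x + t), which is linear in t because V_L is linear.  Hence the
    minimum and maximum over all runs are attained at the endpoints of the
    feasible delay interval [max(0, guard - x), 10 - x] (the same endpoint
    argument that underlies Lemma 2.5).  Returns (cost, successor, delay) triples.
    """
    if not 0 <= x <= PROBLEM_DEADLINE:
        raise ValueError("x must lie in the invariant of Problem")
    options = []
    for loc, guard_min in GUARD_MIN.items():
        t_lo = max(0, guard_min - x)
        t_hi = PROBLEM_DEADLINE - x
        for t in sorted({t_lo, t_hi}):
            options.append((RATE["Problem"] * t + COST_TO_OK[loc](x + t), loc, t))
    return options


def min_repair(x):
    """Minimum cost of repair from (Problem, x) and the strategy achieving it."""
    return min(repair_options(x))


def max_repair(x):
    """Worst cost of repair from (Problem, x), i.e. the most expensive run."""
    return max(repair_options(x))


def holds_everywhere(check, step=Fraction(1, 2)):
    """Sample (Problem, x) on a grid of step 1/2 (constructed sampling, not the
    paper's algorithm).  Both cost functions are piecewise linear with
    breakpoints at 2, 4, 5 and 10, all on the grid, so the check is exact here."""
    x = Fraction(0)
    while x <= PROBLEM_DEADLINE:
        if not check(x):
            return False
        x += step
    return True


def always_repairable_within(bound):
    """AG (Problem => EF_{c <= bound} OK), evaluated on the states (Problem, x)."""
    return holds_everywhere(lambda x: min_repair(x)[0] <= bound)


def worst_repair_within(bound):
    """AG (Problem => AF_{c <= bound} OK), evaluated on the states (Problem, x)."""
    return holds_everywhere(lambda x: max_repair(x)[0] <= bound)


if __name__ == "__main__":
    for x in range(0, 11):
        print(x, min_repair(x), max_repair(x))
    print("EF c<=47:", always_repairable_within(47), " AF c<=56:", worst_repair_within(56))
```

The printed strategy reproduces the four phases of Figure 2: wait in Problem until x = 2 then go Cheap, go Cheap directly up to x = 5, and beyond 5 wait in Problem until the deadline and go Expensive.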
Now, considering time as a special case of a cost (with constant slope 1), we can express properties relating the time elapsed in the OK state and the cost to repair: $A G\, \neg E\,(\mathrm{OK}\; U_{t \ge 8}\; (\mathrm{Problem} \wedge \neg E F_{c < 30}\, \mathrm{OK}))$. This expresses that if the system spends at least 8 (consecutive) time units in the OK state, then the next Problem can be repaired with cost at most 30.

The main result of this section is the following theorem:

Theorem 2.3. Model-checking WCTL on one-clock PTA is PSPACE-complete.

The PSPACE lower bound can be proved by a direct adaptation of the PSPACE-hardness proof for the model-checking of TCTL, the restriction of WCTL to time constraints, over one-clock timed automata [LMS04]. The PSPACE upper bound is more involved, and will be done in two steps: (1) first we will exhibit a set of regions which will be correct for model-checking WCTL formulas, see Section 2.2; (2) then we will use this result to propose a PSPACE algorithm for model-checking WCTL, see Section 2.3. Finally, it is worth reminding here that the model-checking of WCTL over priced timed automata with three clocks is undecidable [BBM06].

2.2. Sufficient Granularity for WCTL. The proof of Theorem 2.3 partly relies on the following proposition, which exhibits, for every WCTL formula $\Phi$, a set of regions within which the truth of $\Phi$ is uniform. Note that these are not the classical regions as defined in [AD94, ACD93], because their granularity needs to be refined in order to be correct. Computing a sufficient granularity was already a key step for checking duration properties in simple timed automata [BES93].

Proposition 2.4. Let $\Phi$ be a WCTL formula and let $\mathcal{A}$ be a one-clock PTA. Then there exists a finite set of constants $\{a_0, \ldots, a_n\}$ satisfying the following conditions:
• $0 = a_0 < a_1 < \ldots$
$< a_n < a_{n+1} = +\infty$;
• for every location $q$ of $\mathcal{A}$, for every $0 \le i \le n$, the truth of $\Phi$ is uniform over $\{(q, x) \mid a_i < x < a_{i+1}\}$;
• $\{a_0, \ldots, a_n\}$ contains all the constants appearing in clock constraints of $\mathcal{A}$;
• the constants are integral multiples of $1/C^{\hbar(\Phi)}$, where $\hbar(\Phi)$ is the constrained temporal height of $\Phi$, i.e., the maximal number of nested constrained modalities² in $\Phi$, and $C$ is the lcm of all positive costs labeling a location of $\mathcal{A}$;
• $a_n$ equals the largest constant $M$ appearing in the guards of $\mathcal{A}$.
In particular, we have $n \le M \cdot C^{\hbar(\Phi)} + 1$.

As a corollary, we recover the partial decidability result of [BBR04], stating that the model-checking of one-clock PTA with a stopwatch cost³ against WCTL formulas is decidable using classical one-dimensional regions of timed automata (i.e., with granularity 1).

² With "constrained modality" we mean a modality decorated with a constraining interval different from $(0, +\infty)$.
³ I.e., cost with rates in $\{0, 1\}$.

Proof. The proof of this proposition is by structural induction on $\Phi$. The cases of atomic propositions and boolean combinations are straightforward; unconstrained modalities require no refinement of the granularity (the basic CTL algorithm is correct and does not need to refine the granularity); we will thus focus on constrained modalities.

2.2.1. We first assume that $\mathcal{A}$ has no discrete costs (i.e. $\mathrm{cost}(T) = \{0\}$); the extension to the general case will be presented at the end of the proof.

▶ We first focus on the case when $\Phi = E\,\varphi\, U_{\mathrm{cost} \sim c}\, \psi$ (we simply write $\Phi = E\,\varphi\, U_{\sim c}\, \psi$, and assume that cost is the only cost of $\mathcal{A}$, as its other costs play no role in the problem).
Assume that the result has been proved for the WCTL subformulas $\varphi$ and $\psi$, and that we have merged all constants for $\varphi$ and $\psi$: we thus have constants $0 = a_0 < a_1 < \ldots < a_n < a_{n+1} = +\infty$ such that for every location $q$ of $\mathcal{A}$, for every $0 \le i \le n$, the truth of $\varphi$ and that of $\psi$ are both uniform over $\{(q, x) \mid a_i < x < a_{i+1}\}$. By induction hypothesis, the granularity of these constants is $1/C^{\max(\hbar(\varphi), \hbar(\psi))} = 1/C^{\hbar(\Phi) - 1}$. We will exhibit extra constants such that the above proposition then also holds for the formula $\Phi$. For the sake of simplicity, we will call regions all elementary intervals $(a_i, a_{i+1})$ and singletons $\{a_i\}$.

In order to compute the set of states satisfying $E\,\varphi\, U_{\sim c}\, \psi$, for every state $(q, x)$ we compute all costs of paths from $(q, x)$ to some region $(q', r)$, along which $\varphi$ always holds after a discrete action has been done, and such that a $\psi$-state can immediately be reached via a discrete action from $(q', r)$. We then check whether we can achieve a cost satisfying "$\sim c$" for the mentioned $\psi$-state.

We thus first explain how we compute the set of possible costs between a state $(q, x)$ and a region $(q', r)$ in $\mathcal{A}$. Indeed, for checking the existence of a run satisfying $\varphi\, U_{\sim c}\, \psi$, we will first remove discrete transitions leading to states not satisfying $\varphi$, and then compute all possible costs of runs from $(q, x)$ to some $(q', r)$, where $(q', r)$ is a $\psi$-state just reached by a discrete action, in the restricted graph.

For each index $i$, we restrict the automaton $\mathcal{A}$ to transitions whose guards contain the interval $(a_i, a_{i+1})$, and that do not reset the clock. We denote by $\mathcal{A}_i$ this restricted automaton. Let $q$ and $q'$ be two locations of $\mathcal{A}_i$.
As stated by the following lemma, the set of costs of paths between $(q, a_i)$ and $(q', a_{i+1})$ is an interval that can be easily computed:

Lemma 2.5. We assume $a_{i+1} \ne +\infty$. Let $S_i(q, q')$ be the set of locations that are reachable from $(q, a_i)$ and co-reachable from $(q', a_{i+1})$ in $T_{\mathcal{A}_i}$, and assume it is non-empty (i.e., there is a path joining those two states). Let $c^{i,q,q'}_{\min}$ and $c^{i,q,q'}_{\max}$ be the minimum and maximum costs among the costs of locations in $S_i(q, q')$. Then the set of all possible costs of paths in $T_{\mathcal{A}_i}$ going from $(q, a_i)$ to $(q', a_{i+1})$ is an interval $\langle (a_{i+1} - a_i) \cdot c^{i,q,q'}_{\min},\ (a_{i+1} - a_i) \cdot c^{i,q,q'}_{\max} \rangle$. The interval is left-closed iff there exist two locations $r$ and $s$ (with possibly $r = s$) in $S_i(q, q')$ with cost $c^{i,q,q'}_{\min}$ such that⁴ $(q, a_i) \to^*_{\mathcal{A}_i} (r, a_i)$, $(r, a_i) \to^*_{\mathcal{A}_i} (s, a_{i+1})$, and $(s, a_{i+1}) \to^*_{\mathcal{A}_i} (q', a_{i+1})$. The interval is right-closed iff there exist two locations $r$ and $s$ in $S_i(q, q')$ with cost $c^{i,q,q'}_{\max}$ such that $(q, a_i) \to^*_{\mathcal{A}_i} (r, a_i)$, $(r, a_i) \to^*_{\mathcal{A}_i} (s, a_{i+1})$, and $(s, a_{i+1}) \to^*_{\mathcal{A}_i} (q', a_{i+1})$.

The conditions on left/right-closures characterize whether it is possible to instantaneously reach/leave a location with minimal/maximal cost, or whether a small positive delay has to elapse (due to a strict guard).

⁴ The notation $\alpha \to^*_{\mathcal{A}_i} \alpha'$ means that there is a path in $T_{\mathcal{A}_i}$ from $\alpha$ to $\alpha'$.

Proof. Obviously the costs of all paths in $T_{\mathcal{A}_i}$ from $(q, a_i)$ to $(q', a_{i+1})$ belong to the interval $(a_{i+1} - a_i) \cdot [c^{i,q,q'}_{\min}, c^{i,q,q'}_{\max}]$. We will now prove that the set of costs is an interval containing $(a_{i+1} - a_i) \cdot (c^{i,q,q'}_{\min}, c^{i,q,q'}_{\max})$.
Figure 3: The set of costs between two states is an interval (two paths from $(q, a_i)$ to $(q', a_{i+1})$, one through a location of maximal cost and one through a location of minimal cost).

Let $\tau_{\min}$ (resp. $\tau_{\max}$) be a sequence of transitions in $\mathcal{A}_i$ leading from $(q, a_i)$ to $(q', a_{i+1})$ and going through a location with minimal (resp. maximal) cost (see Figure 3). Easily enough, the possible costs of the paths following $\tau_{\min}$ (resp. $\tau_{\max}$) form an interval whose left (resp. right) bound is $c^{i,q,q'}_{\min} \cdot (a_{i+1} - a_i)$ (resp. $c^{i,q,q'}_{\max} \cdot (a_{i+1} - a_i)$). Now, if $c$ and $c'$ are the respective costs of $q$ and $q'$, then $\frac{1}{2} \cdot (c + c') \cdot (a_{i+1} - a_i)$ is in both intervals. Indeed, the path following $\tau_{\min}$ (resp. $\tau_{\max}$) which delays $\frac{1}{2} \cdot (a_{i+1} - a_i)$ time units in $q$, then directly goes to $q'$ and waits there for the remaining $\frac{1}{2} \cdot (a_{i+1} - a_i)$ time units achieves the above-mentioned cost. This implies that the set of all possible costs is an interval. The bound $c^{i,q,q'}_{\min} \cdot (a_{i+1} - a_i)$ is reached iff there is a path from $(q, a_i)$ to $(q', a_{i+1})$ which delays only in locations with cost $c^{i,q,q'}_{\min}$. This is precisely the condition expressed in the lemma. The same holds for the upper bound $c^{i,q,q'}_{\max} \cdot (a_{i+1} - a_i)$.

Similar results clearly hold for other kinds of regions:
• between a state $(q, a_i)$ and a region $(q', (a_i, a_{i+1}))$ with $a_{i+1} \ne +\infty$, the set of possible costs is an interval $\langle 0,\ c^{i,q,q'}_{\max} \cdot (a_{i+1} - a_i))$, where 0 can be reached iff it is possible to go from $(q, a_i)$ to some state $(q'', a_i)$ co-reachable from $(q', x)$ for some $x \in (a_i, a_{i+1})$, and $\mathrm{cost}(q'') = 0$.
• between a state $(q, x)$, with $x \in (a_i, a_{i+1})$, and $(q', a_{i+1})$, the set of costs is $(a_{i+1} - x) \cdot \langle c^{i,q,q'}_{\min}, c^{i,q,q'}_{\max} \rangle$, with similar conditions as above for the bounds of the interval.
• between a state $(q, x)$, with $x \in (a_i, a_{i+1})$, and region $(q', (a_i, a_{i+1}))$ (assuming $a_{i+1} \ne +\infty$), the set of possible costs is $[0,\ c^{i,q,q'}_{\max} \cdot (a_{i+1} - x))$;
• between a state $(q, a_n)$ and a region $(q', (a_n, +\infty))$, the set of possible costs is either $[0, 0]$, if no positive cost rate is reachable and co-reachable, or $\langle 0, +\infty)$ otherwise. In the latter case, 0 can be achieved iff it is possible to reach a state $(q'', a_n)$ with $\mathrm{cost}(q'') = 0$;
• between a state $(q, x)$ with $x \in (a_n, +\infty)$ and a region $(q', (a_n, +\infty))$, the set of costs is either $[0, 0]$ or $[0, +\infty)$, with the same conditions as previously.

We use these computations and build a graph $G$ labeled by intervals which will store all possible costs between symbolic states (i.e., pairs $(q, r)$, where $q$ is a location and $r$ a region) in $T_{\mathcal{A}}$. Vertices of $G$ are pairs $(q, \{a_i\})$ and $(q, (a_i, a_{i+1}))$, and tuples $(q, x, \{a_i\})$ and $(q, x, (a_i, a_{i+1}))$, where $q$ is a location of $\mathcal{A}$. Their roles are as follows: vertices of the form $(q, x, r)$ are used to initiate a computation, they represent a state $(q, x)$ with $x \in r$. States $(q, \{a_i\})$ are "regular" steps in the computation, while states $(q, (a_i, a_{i+1}))$ are used either for finishing a computation, or just before resetting the clock (there will be no edge from $(q, (a_i, a_{i+1}))$ to any $(q', \{a_{i+1}\})$). Edges of $G$ are defined as follows:
• $(q, \{a_i\}) \to (q', \{a_{i+1}\})$ if there is a path from $(q, a_i)$ to $(q', a_{i+1})$. This edge is then labeled with an interval $\langle (a_{i+1} - a_i) \cdot c^{i,q,q'}_{\min},\ (a_{i+1} - a_i) \cdot c^{i,q,q'}_{\max} \rangle$, the nature of the interval (left-closed and/or right-closed) depending on the criteria exposed in Lemma 2.5.
• $(q, \{a_i\}) \to (q', \{a_i\})$ if there is an instantaneous path from $(q, a_i)$ to $(q', a_i)$ in $\mathcal{A}$; the edge is then labeled with the interval $[0, 0]$ (because we assumed there are no discrete costs on transitions of $\mathcal{A}$).
• $(q, \{a_i\}) \to (q', \{a_0\})$ if there is a transition in $\mathcal{A}$ enabled when the value of the clock is $a_i$ and resetting the clock. It is labeled with $[0, 0]$.
• $(q, (a_i, a_{i+1})) \to (q', \{a_0\})$ if there is a transition in $\mathcal{A}$ enabled when the value of the clock is in $(a_i, a_{i+1})$ and resetting the clock. It is labeled with $[0, 0]$.
• $(q, \{a_i\}) \to (q', (a_i, a_{i+1}))$ if there is a path from $(q, a_i)$ to some $(q', \alpha)$ with $a_i < \alpha < a_{i+1}$. This edge is labeled with the interval $\langle 0,\ (a_{i+1} - a_i) \cdot c^{i,q,q'}_{\max})$.
• $(q, x, \{a_i\}) \to (q, \{a_i\})$ labeled with $[0, 0]$.
• $(q, x, (a_i, a_{i+1})) \to (q', \{a_{i+1}\})$ if there is a path from some $(q, \alpha)$ with $a_i < \alpha < a_{i+1}$ to $(q', a_{i+1})$. This edge is labeled with $(a_{i+1} - x) \cdot \langle c^{i,q,q'}_{\min}, c^{i,q,q'}_{\max} \rangle$.
• $(q, x, (a_i, a_{i+1})) \to (q', (a_i, a_{i+1}))$ labeled with $[0,\ (a_{i+1} - x) \cdot c^{i,q,q'}_{\max})$.

Figure 4 represents one part of this graph. Note that each path $\pi$ of this graph is naturally associated with an interval $\iota(\pi)$ (possibly depending on variable $x$ if we start from a node $(q, x, (a_i, a_{i+1}))$) by summing up all intervals labeling transitions of $\pi$.

Figure 4: (Schematic) representation of the graph $G$ (intervals labeling transitions have been omitted to improve readability). Rows of vertices: $(q, x, \{0\})$, $(q, x, \{a_i\})$, $(q, x, (a_i, a_{i+1}))$, $(q, x, \{a_{i+1}\})$, and likewise for $q'$; $(q, \{0\})$, $(q, \{a_i\})$, $(q, (a_i, a_{i+1}))$, $(q, \{a_{i+1}\})$, and likewise for $q'$.

The correctness of graph $G$ w.r.t.
costs is stated by the following lemma, which is a direct consequence of the previous investigations.

Lemma 2.6. Let $q$ and $q'$ be two locations of $\mathcal{A}$. Let $r$ and $r'$ be two regions, and let $\alpha \in r$. Let $d \in \mathbb{R}_+$. There exists a path $\pi$ in $G$ from a state $(q, x, r)$ to $(q', r')$ with $\iota(\pi)(\alpha) \ni d$ if, and only if, there is a path in $T_{\mathcal{A}}$ with total cost $d$, and going from $(q, \alpha)$ to some $(q', \beta)$ with $\beta \in r'$.

Corollary 2.7. Fix two regions $r$ and $r'$. Then the set of possible costs of paths in $G$ from $(q, x, r)$ to $(q', r')$ is of the form
$$\bigcup_{m \in \mathbb{N}} \langle \alpha_m - \beta_m \cdot x,\ \alpha'_m - \beta'_m \cdot x \rangle$$
(possibly with $\beta_m$ and/or $\beta'_m = 0$, and/or $\alpha'_m = +\infty$). Moreover,
• all constants $\alpha_m$ and $\alpha'_m$ are either integral multiples of $1/C^{\max(\hbar(\varphi), \hbar(\psi))}$ or $+\infty$, and constants $\beta_m$ and $\beta'_m$ are either costs of the automaton or 0;
• if $r = (a_n, +\infty)$, then $\beta_m = \beta'_m = 0$ for all $m$.

Proof. Applying Lemma 2.6, the union of the costs of all paths in $G$ from $(q, x, r)$ to $(q', r')$ represents the set of all possible costs of paths in $T_{\mathcal{A}}$ from $(q, \alpha)$ with $\alpha \in r$ to some $(q', \beta)$ with $\beta \in r'$. This set can be written as the countable union, for each $m \in \mathbb{N}$, of the costs of paths of length $m$ in $G$, thus a countable union of (a finite union of) intervals. Now, any path in $G$ contains at most one transition issued from a state $(q, x, r)$. Thus, coefficients $\beta_m$ are either 0, or the cost of some location of $\mathcal{A}$. Coefficients $\alpha_m$ are then integral combinations of terms of the form $c \cdot (a_{i+1} - a_i)$ where $c$ is the cost of some location. As all $a_i$'s are integral multiples of $1/C^{\max(\hbar(\varphi), \hbar(\psi))}$, we get what we expected. The special form for the unbounded region is obvious from the construction of $G$.

Lemma 2.8.
For every location $q$, and for $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi \in \mathrm{WCTL}$, the set of clock values $x$ such that $(q,x)$ satisfies $\Phi$ is a finite union of intervals. Moreover,
• the bounds of those intervals are integral multiples of $1/C^{\hbar(\Phi)}$;
• the largest finite bound of those intervals is at most the maximal constant appearing in the guards of the automaton.

Proof. The set of clock values $x$ such that $(q,x)$ satisfies $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ can be written as
$$\bigcup_{r\ \text{region}} \{\, x \in r \mid (q,x) \models \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi \,\}.$$
There is a finite number of regions. For the unbounded region, the set of possible costs does not depend on the initial value of $x$, and thus either the whole region satisfies the formula, or no point in that region does. Fix a bounded region $r$, and $x \in r$. Then, $(q,x) \models \mathbf{E}\,\varphi\,\mathbf{U}\,\psi$ if, and only if, there exists a path in $\mathcal{T}_{\mathcal{A}}$ from $(q,x)$ to some $(q',r')$ such that (i) a $\psi$-state is immediately reachable from $(q',r')$ by a discrete move, and (ii) along that path, all states traversed just after a discrete move satisfy $\varphi$. For each pair $(q,r)$ leading to a $\psi$-state, we can apply Corollary 2.7 on the graph obtained after having removed discrete transitions not leading to a $\varphi$-state. The set of possible costs of paths satisfying $\varphi\,\mathbf{U}\,\psi$ is then a (countable) union of the form $\bigcup_{m\in\mathbb{N}} \langle \alpha_m - \beta_m\cdot x,\ \alpha'_m - \beta'_m\cdot x \rangle$ with the constraints on constants described in the previous corollary. We assume that $r = (a_i,a_{i+1})$ and that the constraint $\sim c$ is either $\le c$, or $< c$, or $= c$ (the other cases would be handled in a similar way). If $\alpha_m - \beta_m\cdot a_i > c$, then the interval $\langle \alpha_m - \beta_m\cdot x,\ \alpha'_m - \beta'_m\cdot x \rangle$ plays no role for the satisfaction of formula $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ in the region $r$; we can thus remove this interval from the union. Now, $\beta_m$ is an integer which is either null or divides $C$.
Thus, as $\alpha_m$ is an integral multiple of $1/C^{\max(\hbar(\varphi),\hbar(\psi))} = 1/C^{\hbar(\Phi)-1}$, left-most bounds of interesting intervals can be $\alpha_m - \beta_m\cdot x$ for finitely many $\alpha_m$'s and $\beta_m$'s (with the further option closed or open). Fix some $\alpha$ and $\beta$, and also fix some $\beta'$. For two intervals $\langle \alpha - \beta\cdot x,\ \alpha'_1 - \beta'\cdot x \rangle$ and $\langle \alpha - \beta\cdot x,\ \alpha'_2 - \beta'\cdot x \rangle$ in the above union, it is sufficient to keep only the one with the largest $\alpha'$ (because the other is included in this interval). Thus, in the above countable union of intervals, we can select a finite union of intervals which will be sufficient for checking property $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ in region $r$. We thus assume that the set of costs of paths which may witness formula $\varphi\,\mathbf{U}_{\sim c}\,\psi$ is a finite union
$$\bigcup_{m=1}^{k} \langle \alpha_m - \beta_m\cdot x,\ \alpha'_m - \beta'_m\cdot x \rangle$$
with $\alpha_m$ and $\alpha'_m$ in $\mathbb{N}/C^{\hbar(\Phi)-1}$ and $\beta_m$ and $\beta'_m$ in $(C/\mathbb{N}^* \cap \mathbb{N}) \cup \{0\}$. Now, the bounds $a'_i$ of the intervals of positions where $\Phi$ holds should correspond to values of $x$ where one of the bounds $\alpha_m - \beta_m\cdot x$ or $\alpha'_m - \beta'_m\cdot x$ exactly equals $c$. It easily follows that those bounds $a'_i$ are integral multiples of $1/C^{\hbar(\Phi)}$, as required. This proves that we get only finitely many new intervals, and that the largest constant is the same as for $\varphi$ and $\psi$ (because of the initial remark on the unbounded region), thus it is the largest constant appearing in the automaton. This concludes the induction step for formula $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ when the automaton has no discrete cost. We will now handle the cases of the formulas $\mathbf{EG}_{\ge c}\,\mathit{false}$ and $\mathbf{EG}_{= c}\,\mathit{false}$ before giving several equivalences to handle all the other cases.

◮ We now consider the formulas $\Phi = \mathbf{EG}_{= c}\,\mathit{false}$ and $\Phi = \mathbf{EG}_{\ge c}\,\mathit{false}$: handling those modalities is sufficient for our proof, as we explain later.
To handle those two formulas, we will extend the graph $G$ defined previously for the initial automaton (with non-refined classical regions). We add to the graph $G$ new "final" states which are triples $(\overline{q},y,r)$ (we overline them to distinguish them from the initial states). Such a state has the same incoming transitions as the state $(q,r)$, except that we will enforce the final value of the clock to be $y$, and not any value in $r$. For instance, a transition $(q,\{a_i\}) \to (\overline{q'},y,(a_i,a_{i+1}))$ will be labeled by the interval $\langle 0,\ (y-a_i)\cdot c^{\max}_{i,q,q'}]$ (remember the construction of the graph on page 9). From each of these new final states, we add an outgoing transition labeled by a finite union of intervals corresponding to all the costs of a single mixed move leading to a state from which infinite runs are possible. These intervals are either of the form $\langle 0,\ \gamma\cdot(b-y)\rangle$, or of the form $\langle \gamma\cdot(a-y),\ \gamma\cdot(b-y)\rangle$ where $\gamma$ is the cost rate of the corresponding state, and $a$, $b$ are constants of the automaton. We omit the details, but they are very similar to those for the original graph $G$. In this extended graph, the set of possible costs of paths in $\mathcal{T}_{\mathcal{A}}$ from $(q,x)$ to $(q',y)$ corresponds to the set of costs of paths in the new graph from $(q,x,r)$ to $(\overline{q'},y,r')$ and is a countable union
$$\bigcup_{m\in\mathbb{N}} \langle \alpha_m - \beta_m\cdot x + \gamma_m\cdot y,\ \alpha'_m - \beta'_m\cdot x + \gamma'_m\cdot y \rangle$$
where $\alpha_m$ and $\alpha'_m$ are integers (or $+\infty$), and $\beta_m$, $\beta'_m$, $\gamma_m$ and $\gamma'_m$ are costs of the automaton or $0$ (a result similar to Corollary 2.7). We can even be more precise: $\beta_m$ is either $0$ or the cost rate of $q$, whereas $\beta'_m$ is the cost rate of $q$. Similarly, $\gamma_m$ is either $0$ or the cost rate of $q'$, and $\gamma'_m$ is the cost rate of $q'$.
A state $(q,x)$ will satisfy the formula $\Phi = \mathbf{EG}_{= c}\,\mathit{false}$ whenever there is a run $\varrho$ in $\mathcal{A}$ which can be decomposed into $\varrho = \varrho_1\cdot\varrho_2\cdot\varrho_3$ such that the cost of $\varrho_1$ is strictly less than $c$, the cost of $\varrho_1\cdot\varrho_2$ is strictly larger than $c$, and $\varrho_2$ corresponds to a single mixed move. That is, whenever there exists a path from $(q,x,r)$ to $(\overline{q'},y,r')$ of cost less than $c$ such that, when adding up the outgoing cost of a single mixed move, we get a cost larger than $c$. As in Lemma 2.8, we can restrict the above union to a finite union, and we thus only need to solve finitely many linear systems of inequations. Then, we can analyze all possible cases for the bounds where the truth of $\Phi$ changes, and as previously, we see that the granularity needs only to be refined by $1/C$, hence the granularity which is required is $1/C$ (since we started from the classical region automaton, with non-refined constants).

A state $(q,x)$ satisfies $\mathbf{EG}_{\ge c}\,\mathit{false}$ whenever there is an infinite run from $(q,x)$ for which the cost of all its prefixes is strictly less than $c$ (though the limit of these costs can be $c$ itself). In such a run, there is a prefix of cost strictly less than $c$ and, from that point on, the cost of each mixed move is very close to $0$ (and indeed as close as we want to $0$). We thus proceed as follows: we fix a location $q$ and a region $r$. For every $x$ and $y$, we compute the set of possible costs between $(q,x)$ and $(q,y)$ for $x,y \in r$. This is a countable union
$$\bigcup_{m\in\mathbb{N}} \langle \alpha_m - \beta_m\cdot x + \gamma_m\cdot y,\ \alpha'_m \rangle$$
after having simplified the previous union, in which $\beta'_m$ and $\gamma'_m$ were both equal to the cost of location $q$. For each of the terms of the union, we distinguish between several cases:
• if $\beta_m = \gamma_m = \alpha_m = 0$, then there is a cycle which can be iterated from $(q,r)$, and the global cost will be as small as we want.
If the left-most bound of the interval is closed, then we can ensure a zero cost; otherwise we cannot ensure a zero cost.
• if $\beta_m = \gamma_m = 0$ but $\alpha_m > 0$, then there is no corresponding cycle that can be iterated without the cost diverging.
• if $\beta_m = 0$ but $\gamma_m > 0$ is the cost of $q$, then the only chance to be able to iterate a cycle without paying too much is to choose $y$ to be the left-most point $a$ of the region $r$. Then, either $\alpha_m + \gamma_m\cdot a = 0$, in which case we can iterate a cycle, or $\alpha_m + \gamma_m\cdot a > 0$, in which case we cannot iterate a cycle.
• if $\gamma_m = 0$ but $\beta_m > 0$ is the cost of $q$, a similar reasoning can be done, but with the right-most bound $b$ of $r$.
• if $\beta_m = \gamma_m > 0$ is the cost of location $q$, then it is not difficult to check that $\alpha_m$ is not smaller than $\beta_m\cdot(b-a)$ (this can be checked on the graph $G$). Hence, a corresponding cycle can only be iterated if $a = b$, and thus if $r$ is a punctual region.

The analysis of all these cases shows that we only need to look at terms of the union such that $\alpha_m - \beta_m\cdot b + \gamma_m\cdot a = 0$, and either $a = b$, or $\alpha_m\cdot\beta_m\cdot\gamma_m = 0$. Moreover, for each such constraint, it is only necessary to look at one of the witnessing intervals. We see that this set of states is a set of regions (we do not need to refine the region: a whole region either satisfies the property, or does not satisfy the property). That way, we can compute the set of states $S_0$ from which there exists an infinite run with a cost as small as possible (though possibly not zero). It remains to describe the set of states from which there is a finite path of cost strictly less than $c$ and reaching a state of $S_0$. This can easily be done using the extended graph $G$ we have presented above.

◮ We now explain how we reduce all the other cases to the previous ones.
We consider the case of formula $\mathbf{A}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$, still assuming that the automaton has no discrete costs. We prove this result by reducing to the previous case. We consider the region automaton of $\mathcal{A}$ w.r.t. constants $(a_i)_{0\le i\le n+1}$ mentioned earlier (correct for subformulas $\varphi$ and $\psi$); we assume it is still a timed automaton (truth of formulas in the original automaton and in this region automaton is then equivalent). We moreover assume that we have two copies of each state, labeled with two extra atomic propositions $\mathit{has\_paid}$ and $\mathit{can\_have\_not\_paid}$ which characterize when the last move had a positive cost, and when it could have no cost (for instance an instantaneous transition or a transition from a location where the cost rate is null). We denote the new automaton by $\mathcal{A}_{\mathrm{ext}}$, and now give a list of equivalences, not difficult to check, and useful for proving the induction step for formulas of the form $\mathbf{A}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$.
• $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}_{\ge c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}\,\psi \wedge \mathbf{AG}_{c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}\,\psi \wedge \mathbf{AG}_{\le c}(\mathbf{A}\,\varphi\,\mathbf{U}\,\psi) \wedge \mathbf{AF}_{> c}\,\mathit{true}$;
• $(q,x),\mathcal{A} \models \mathbf{EG}_{> c}\,\mathit{false}$ iff $(q,x),\mathcal{A} \models \mathbf{EG}_{\ge c}\,\mathit{false} \vee \mathbf{EF}_{\le c}\,\mathbf{EG}(\mathit{can\_have\_not\_paid})$;
• $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}_{\le c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}\,\psi \wedge \mathbf{AF}_{\le c}\,\psi$;
• $(q,x),\mathcal{A} \models \mathbf{EG}_{\le c}\,\psi$ iff $(q,x),\mathcal{A}_{\mathrm{ext}} \models \mathbf{EG}\,\psi \vee \mathbf{E}\,\psi\,\mathbf{U}_{> c}\,\mathit{true}$;
• $(q,x),\mathcal{A} \models \mathbf{A}\,\varphi\,\mathbf{U}$ […] $c+1$ and there is a transition in $\mathcal{T}$ with discrete cost $k$ from $q$ to $q'$. We write $\mathcal{A}_{\mathrm{unf}}$ for this unfolding. Then, $(q,x),\mathcal{A} \models \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ iff
$$(q^{(0)},x),\mathcal{A}_{\mathrm{unf}} \models \bigvee_{i\le p+1} \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c-i}\,(\psi \wedge \mathit{copy}_i)$$
where $\mathit{copy}_i$ is an atomic proposition labeling all locations of $\mathcal{A}_i$. The correctness of this construction is obvious.
Now, applying the induction hypothesis on automata with no discrete cost on transitions, the granularity of regions required for model-checking each formula is $1/C^{\max(\hbar(\varphi),\hbar(\psi))+1}$; the granularity for the original formula in $\mathcal{A}$ is thus also $1/C^{\max(\hbar(\varphi),\hbar(\psi))+1} = 1/C^{\hbar(\Phi)}$, which proves the induction step also for automata with discrete costs on transitions. Finally, this extension to automata with discrete costs can be adapted to modalities of the form $\mathbf{AU}$. We omit the tedious details.

Remark 2.9. In the above proof, we have exhibited exponentially many constants $a_i$ at which the truth of the formula can change. We will show here that the exponential number of constants is unavoidable in general. Indeed, consider the one-clock PTA $\mathcal{A}$ displayed on Figure 5. Using a WCTL formula, we will require that the cost is exactly $4$ between $a$ and $b$.

[Figure 5: the one-clock PTA $\mathcal{A}$ with locations $a$, $b$, $c$, cost rates $\dot p \in \{1,2,4\}$ on its locations, guards $x<1$, $x\ge 1$, $x=2$, $x<2$, $x=0$ and resets $x:=0$.]
Figure 5: The one-clock PTA $\mathcal{A}$

That way, if clock $x$ equals $x_0.x_1x_2x_3\ldots x_n\ldots$ (this is the binary representation of a real in the interval $(0,2)$) when leaving $a$, then it will be equal to $x_1.x_2x_3\ldots x_n\ldots$ in $b$. We consider the WCTL formula
$$\varphi(X) = \mathbf{E}\,(a \vee b)\,\mathbf{U}_{=0}\,\big(\neg a \wedge \mathbf{E}\,(\neg b\,\mathbf{U}_{=4}\,(b \wedge X))\big),$$
where $X$ is a formula we will specify. Then formula $\varphi(\mathbf{EF}_{=0}\,c)$ states that we can go from $a$ to $b$ with cost $4$, and that $x = 0$ when arriving in $b$ (since we can fire the transition leading to $c$). From the remark above, this can only be true if $x = 0$ or $x = 1$ in $a$. Now, consider formula $\varphi(\mathbf{EF}_{=0}\,c \vee \varphi(\mathbf{EF}_{=0}\,c))$. If it holds in state $a$, then state $c$ can be reached after exactly one or two rounds in the automaton, i.e., if the value of $x$ is in $\{0, 1/2, 1, 3/2\}$.
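The one- and two-round cases just computed, generalised to $n$ rounds, as an added example in Python (not part of the paper): it only uses the one-round rule $x_0.x_1x_2\ldots \mapsto x_1.x_2x_3\ldots$ stated above and pulls the target set back through it once per nesting level; the function names are mine.

```python
from fractions import Fraction

def next_round(x):
    """Clock value in b after one round from a: the binary shift
    x0.x1x2x3... -> x1.x2x3..., i.e. 2x mod 2 for x in [0, 2)."""
    return (2 * x) % 2

def round_preimages(y):
    """The values of x in [0, 2) with next_round(x) == y: the two ways of
    prepending one bit to the binary representation of y."""
    return {y / 2, y / 2 + 1}

def nested_phi_values(n):
    """Clock values in a for which phi nested n times holds, following the remark:
    n = 1   : phi(EF=0 c)            -> x must be 0 on arrival in b;
    n = k+1 : phi(EF=0 c or phi^k)   -> on arrival in b, x = 0 or phi^k holds.
    Each nesting level pulls the current target set back through one round."""
    values = set()
    for _ in range(n):
        targets = {Fraction(0)} | values
        values = set().union(*(round_preimages(y) for y in targets))
    return values

def expected_values(n):
    """The closed form stated in the remark: p / 2^(n-1) for integers 0 <= p < 2^n."""
    return {Fraction(p, 2 ** (n - 1)) for p in range(2 ** n)}

if __name__ == "__main__":
    for n in range(1, 5):
        print(n, sorted(nested_phi_values(n)))
```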
Clearly enough, nesting $\varphi$ $n$ times characterizes values of the clock of the form $p/2^{n-1}$ where $p$ is an integer strictly less than $2^n$.

2.3. Algorithms and Complexity. In this section, we provide two algorithms for model-checking WCTL on one-clock PTA. The first algorithm runs in EXPTIME, whereas the second one runs in PSPACE, thus matching the PSPACE lower bound. However, it is easier to first explain the first algorithm, and then reuse part of it in the second algorithm. Finally, we will pursue the example of Subsection 1.2 for illustrating our PSPACE algorithm.

2.3.1. An EXPTIME Algorithm. The correctness of the algorithm we propose for model-checking one-clock PTA against WCTL properties relies on the properties we have proved in the previous section: if $\mathcal{A}$ is an automaton with maximal constant $M$, writing $C$ for the l.c.m. of all costs labeling a location, and if $\Phi$ is a WCTL formula of constrained size $n$ (the maximal number of nested constrained modalities), then the satisfaction of $\Phi$ is uniform on the regions $(m/C^n;\ (m+1)/C^n)$ with $m < M\cdot C^n$, and also on $(M;+\infty)$. The idea is thus to test the satisfaction of $\Phi$ for each state of the form $(q, k/2C^n)$ for $0 \le k \le (M\cdot 2C^n)+1$ (i.e. at the bounds and in the middle of each region). To check the truth of $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\mathit{cost}\sim c}\,\psi$ in state $(q,x)$ with $x = k/2C^n$, we will non-deterministically guess a witness. Using graph $G$ that we have defined in Section 2.2, we begin with proving a "small witness property":

Lemma 2.10. Let $s$ be the smallest positive cost in $\mathcal{A}$, and $C$ be the lcm of all positive costs of $\mathcal{A}$. Let $q$ be a location of $\mathcal{A}$, and $x \in \mathbb{R}_+$. Let $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ be a WCTL formula of size $n$.
Then $(q,x) \models \Phi$ iff there exists a run in $\mathcal{A}$, from $(q,x)$ and satisfying $\varphi\,\mathbf{U}_{\sim c}\,\psi$, whose projection in $G$ visits each state of $G$ at most $N = \lfloor c\cdot C^n/s \rfloor + 2$ times.

Proof. Let $\tau$ be a run in $\mathcal{A}$, starting from $(q,x)$ (with $x = k/2C^n$ for some $k$) and satisfying $\varphi\,\mathbf{U}_{\sim c}\,\psi$. To that run corresponds a path $\varrho$ in the region graph, starting in $(q,x)$. Consider a cycle in that path: either it has a global cost interval $[0,0]$, in which case it can be removed and still yields a witnessing run; or it has a global cost interval of the form $\langle a,b\rangle$ with $b > 0$. In that case, letting $s$ be the smallest positive cost of the automaton, we know that $b \ge s/C^n$. Now, if some state of $G$ is visited (strictly) more than $N = \lfloor c\cdot C^n/s \rfloor + 2$ times along $\varrho$, we build a path $\varrho'$ from $\varrho$ by removing extraneous cycles, in such a way that each state of $G$ is visited at most $N$ times along $\varrho'$ (and that $\varrho'$ starts and ends in the same states). Since we assumed that $\varrho$ does not contain cycles with cost interval $[0;0]$, we know that the upper bound of the accumulated cost along $\varrho'$ is above $c$. Also, the lower bound of the accumulated costs along $\varrho'$ is less than that of $\varrho$. Since $\varrho$ "contains" a run witnessing $\varphi\,\mathbf{U}_{\sim c}\,\psi$, the cost interval of $\varrho$ contains a value satisfying $\sim c$, thus so does the cost interval of $\varrho'$. In other words, $\varrho'$ still contains a path witnessing $\varphi\,\mathbf{U}_{\sim c}\,\psi$. This path can easily be lifted to a run in $\mathcal{A}$ satisfying the formula $\varphi\,\mathbf{U}_{\sim c}\,\psi$.

Since a transition in $G$ may correspond to a linear sequence of transitions in $\mathcal{A}$, we know that if $(q,x) \models \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$, then there exists a witness having at most exponentially many transitions in $\mathcal{A}$.

We now describe our algorithm: assuming we have computed, for each state $q$ of $\mathcal{A}$, the intervals of values of $x$ where $\varphi$ (resp.
$\psi$) holds, we non-deterministically guess the successive states of a path in $\mathcal{A}$, checking that $\varphi$ holds after each action transition and that the path reaches a $\psi$-state after an action transition and with cost satisfying $\sim c$. This verification can be achieved in PSPACE (and can be made deterministic as PSPACE = NPSPACE). Since we apply this algorithm for each state $(q, k/2C^n)$ with $0 \le k \le (M\cdot 2C^n)+1$, our global algorithm runs in deterministic exponential time. It is immediate to design a similar algorithm for formulas $\mathbf{EG}_{\ge c}\,\mathit{false}$ and $\mathbf{EG}_{= c}\,\mathit{false}$. The other existential modalities are handled by reducing to those cases, as explained in Section 2.2.

2.3.2. A PSPACE Algorithm. The PSPACE algorithm will reuse some parts of the previous algorithm, but it will improve on space performance by computing and storing only the minimal information required: instead of computing the truth value of each subformula in each state $(q, k/2C^n)$, it will only compute the information it really needs. Our method is thus similar in spirit to the space-efficient, on-the-fly algorithm for TCTL presented in [HKV96]. We will then need, while guessing a witness for $\mathbf{E}\,\varphi\,\mathbf{U}_{\mathit{cost}\sim c}\,\psi$, to check that all intermediary states reached after an action transition satisfy formula $\varphi$. As $\varphi$ might itself be a WCTL formula with several nested modalities, we will fork a new computation of our algorithm on formula $\varphi$ from each intermediary state. The maximal number of threads running simultaneously is at most the depth of the parsing tree of formula $\Phi$. When a thread is preempted, we only need to store a polynomial amount of information in order to be able to resume it.
Indeed, it is sufficient to store for each preempted thread a triple $(\alpha, K, I)$ where $\alpha$ is a node of the region graph, $K$ records the number of steps of the path we are guessing (we know that when $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ holds, an exponential witness exists), and $I$ is an interval corresponding to the accumulated cost along the path being guessed. The algorithm thus runs as follows: we start by labeling the root of the tree by $\alpha = (q,x,r)$, $K = 0$ and $I = [0;0]$. Then we guess a sequence of transitions in the region graph, starting from $(q,x,r)$; when a new state $(q',r')$ is added, we increment the value of $K$ and update the value of the interval, as described in the previous section. If we just fired an action transition, then either we fork an execution for checking that $\varphi$ holds, or we check that the constraint $\mathit{cost} \sim c$ can be satisfied by the new interval and we verify that the new state satisfies $\psi$ (by again forking a new execution). The number of nested guesses can be bounded by the depth of the parsing tree of $\Phi$, because when a new thread starts, it starts from a node in the parsing tree that is a child of the previous node. Thus, the memory needed in this algorithm is the parsing tree of formula $\Phi$ with each node labeled by a tuple which can be stored in polynomial space. This globally leads to a PSPACE algorithm.

Example 2.11. We illustrate our PSPACE algorithm on our initial example, with formula $\Phi = \neg\mathbf{E}\,(\mathit{OK}\ \mathbf{U}_{t\le 8}\ (\mathit{Problem} \wedge \neg\mathbf{EF}_{c<30}\,\mathit{OK}))$. We write $g = 1/C^2$ for the resulting granularity as defined in Prop. 2.4, and consider a starting state, e.g. $(\mathit{OK}, x = mg)$.
[Figure 6: three snapshots of the parsing tree of $\Phi$ (root $\neg$, below it $\mathbf{E}\,\mathbf{U}_{t\le 8}$ with children $\mathit{OK}$ and $\wedge(\mathit{Problem}, \neg\mathbf{E}\,\mathbf{U}_{c<30}(\top,\mathit{OK}))$), each node carrying a region-graph node, a step counter and a cost interval: first $(\mathit{OK},x,r)$, step $0$, cost $[0,0]$; then $(\mathit{OK},\{x+g\})$, step $1$, cost $[g,g]$; then $(\mathit{Problem},\{x+kg\})$, step $k$, cost $[kg,kg]$.]
Figure 6: Execution of our PSPACE algorithm on the initial example.

Figure 6 shows three steps of our algorithm. The first step represents the first iteration, where subformula $\mathit{OK}$ is satisfied at the beginning of the run. At step 2, the execution goes to $(\mathit{OK}, x+g)$: we check that the left-hand-side formula still holds in $(\mathit{OK}, x+g)$ (as depicted), but also in intermediary states. The third figure corresponds to $k$ steps later, when the algorithm decides to go to the right-hand part of $\mathbf{E}\,\mathbf{U}_{t\le 8}$. In that case, of course, it is checked that $kg \le 8$, and the algorithm then goes on verifying the second until subformula.

3. Model-checking linear-time logics

We now turn to the case of linear-time temporal logics. We begin with the definition of our logic WMTL.

3.1. The Logic WMTL. The logic WMTL is a weighted extension of LTL, but can also be viewed as an extension of MTL [Koy90], hence its name WMTL, standing for "Weighted MTL". The syntax of WMTL is defined inductively as follows:
$$\mathrm{WMTL} \ni \varphi ::= a \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi\,\mathbf{U}_{\mathit{cost}\sim c}\,\varphi$$
where $a \in \mathsf{AP}$, $\mathit{cost}$ is a cost function, $c$ ranges over $\mathbb{N}$, and $\sim\ \in \{<, \le, =, \ge, >\}$. If there is a single cost function, or if the cost function $\mathit{cost}$ is clear from the context, we simply write $\varphi\,\mathbf{U}_{\sim c}\,\psi$ for $\varphi\,\mathbf{U}_{\mathit{cost}\sim c}\,\psi$.
We interpret WMTL formulas over (finite) runs of labeled PTA, identifying each cost of the formula with the corresponding cost in the automaton.

Definition 3.1. Let $\mathcal{A}$ be a labeled PTA, and let $\varrho = (q_0,v_0) \xrightarrow{\tau_1,e_1} (q_1,v_1) \cdots \xrightarrow{e_p,\tau_p} (q_p,v_p)$ be a finite run in $\mathcal{A}$. The satisfaction relation for WMTL is then defined inductively as follows:
$$\begin{array}{lcl}
\varrho \models a & \Leftrightarrow & a \in \ell(q_0) \\
\varrho \models \neg\varphi & \Leftrightarrow & \varrho \not\models \varphi \\
\varrho \models \varphi_1 \vee \varphi_2 & \Leftrightarrow & \varrho \models \varphi_1 \text{ or } \varrho \models \varphi_2 \\
\varrho \models \varphi_1\,\mathbf{U}_{\mathit{cost}\sim c}\,\varphi_2 & \Leftrightarrow & \exists\, 0 < \pi \le |\varrho| \text{ s.t. } \varrho_{\ge\pi} \models \varphi_2,\ \forall\, 0 < \pi' < \pi,\ \varrho_{\ge\pi'} \models \varphi_1, \text{ and } \mathit{cost}(\varrho_{\le\pi}) \sim c.
\end{array}$$

Example 3.2. Back on our example of Figure 1, we can express that there is no path from $\mathit{OK}$ back to itself in time less than $10$ and cost less than $20$. This is achieved by showing that no path satisfies the following formula:
$$\mathit{OK}\ \mathbf{U}\ \big(\mathit{Problem} \wedge (\neg\mathit{OK})\,\mathbf{U}_{x\le 10}\,\mathit{OK} \wedge (\neg\mathit{OK})\,\mathbf{U}_{c\le 20}\,\mathit{OK}\big).$$
As we will see, model-checking WMTL will in fact be undecidable when the automaton involves more than one cost.

Remark 3.3. Classically, there are two possible semantics for timed temporal logics [Ras99]: the continuous semantics, where the system is observed continuously, and the point-based semantics, where the system is observed only when the state of the system changes. We have chosen the latter, because the model checking problem for MTL under the continuous semantics is already undecidable [AH90], whereas model-checking under the point-based semantics is decidable over finite runs [OW05]. We study existential model-checking of WMTL over priced timed automata, stated as: given a one-clock PTA $\mathcal{A}$ and a WMTL formula $\varphi$, decide whether there exists a finite run $\varrho$ in $\mathcal{A}$ starting in an initial state and such that $\varrho \models \varphi$. Since WMTL is closed under negation, our results obviously extend to the dual problem of universal model-checking.
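Definition 3.1 applied to the formula of Example 3.2, as an added example in Python (not the paper's own code): a point-based evaluator over a finite run, where the run, its labels and the amount each cost function accrues on every mixed move are constructed here rather than taken from Figure 1; the clock $x$ is treated as a $\{1\}$-sloped cost named `x` and the cost of the example as `c`.

```python
from fractions import Fraction
import operator

# Comparison symbols ~ of WMTL constraints U_{cost ~ c}
CMP = {'<': operator.lt, '<=': operator.le, '=': operator.eq,
       '>=': operator.ge, '>': operator.gt}

class Run:
    """A finite run (q0,v0) -> (q1,v1) -> ... -> (qp,vp), kept as the label sets
    l(q_i) of its p+1 locations and, for each of the p mixed moves (delay tau_i in
    q_{i-1} followed by edge e_i), the amount accrued by every cost function."""
    def __init__(self, labels, move_costs):
        assert len(move_costs) == len(labels) - 1
        self.labels = labels            # list of sets of atomic propositions
        self.move_costs = move_costs    # list of dicts: cost name -> amount

    def __len__(self):                  # |rho| = p, the number of moves
        return len(self.move_costs)

    def suffix(self, pi):               # rho_{>= pi}: the run starting at position pi
        return Run(self.labels[pi:], self.move_costs[pi:])

    def cost(self, name, pi):           # cost(rho_{<= pi}): accumulated over the first pi moves
        return sum((m[name] for m in self.move_costs[:pi]), Fraction(0))

# Formulas are nested tuples:
#   ('ap', a) | ('not', f) | ('or', f, g) | ('and', f, g)
#   ('until', f, g, None)                 for f U g (no cost constraint)
#   ('until', f, g, (cost, '~', c))       for f U_{cost ~ c} g
def sat(run, phi):
    """The satisfaction relation of Definition 3.1 (point-based semantics)."""
    kind = phi[0]
    if kind == 'ap':
        return phi[1] in run.labels[0]
    if kind == 'not':
        return not sat(run, phi[1])
    if kind == 'or':
        return sat(run, phi[1]) or sat(run, phi[2])
    if kind == 'and':                   # derived: f and g = not(not f or not g)
        return sat(run, phi[1]) and sat(run, phi[2])
    if kind == 'until':
        _, phi1, phi2, constraint = phi
        for pi in range(1, len(run) + 1):             # exists 0 < pi <= |rho|
            if not sat(run.suffix(pi), phi2):         # rho_{>= pi} |= phi2
                continue
            if not all(sat(run.suffix(p), phi1) for p in range(1, pi)):  # all 0 < pi' < pi
                continue
            if constraint is None:
                return True
            name, sym, c = constraint
            if CMP[sym](run.cost(name, pi), c):       # cost(rho_{<= pi}) ~ c
                return True
        return False
    raise ValueError("unknown formula kind: %r" % kind)

def ap(a):
    return ('ap', a)

def until(f, g, constraint=None):
    return ('until', f, g, constraint)

# The formula of Example 3.2: OK U (Problem and (not OK) U_{x<=10} OK and (not OK) U_{c<=20} OK)
NOT_OK = ('not', ap('OK'))
EXAMPLE_3_2 = until(ap('OK'),
                    ('and', ap('Problem'),
                     ('and', until(NOT_OK, ap('OK'), ('x', '<=', 10)),
                             until(NOT_OK, ap('OK'), ('c', '<=', 20)))))

# Constructed runs (not taken from Figure 1): OK -> Problem -> Problem -> OK.
# RUN_A returns to OK 6 time units and cost 10 after reaching Problem: the formula holds.
RUN_A = Run([{'OK'}, {'Problem'}, {'Problem'}, {'OK'}],
            [{'x': 3, 'c': 5}, {'x': 4, 'c': 5}, {'x': 2, 'c': 5}])
# RUN_B spends cost 25 from Problem back to OK, violating c <= 20: the formula fails.
RUN_B = Run([{'OK'}, {'Problem'}, {'Problem'}, {'OK'}],
            [{'x': 3, 'c': 5}, {'x': 4, 'c': 15}, {'x': 2, 'c': 10}])

if __name__ == "__main__":
    print(sat(RUN_A, EXAMPLE_3_2), sat(RUN_B, EXAMPLE_3_2))   # True False
```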
We prove that the model-checking problem against WMTL properties is decidable for:
(1) one-clock PTA with one stopwatch cost variable.
Any extension to that model leads to undecidability. Indeed, we prove that the model-checking problem against WMTL properties is undecidable for:
(2) one-clock PTA with one cost variable,
(3) two-clock PTA with one stopwatch cost variable,
(4) one-clock PTA with two stopwatch cost variables.
We present our results as follows. In Section 3.2, we explain the positive result (1) using an abstraction proposed in [OW05] for proving the decidability of MTL model checking over timed automata. Then, in Section 3.3, we present all our undecidability results, starting with the proof for result (2), and then slightly modifying the construction for proving results (3) and (4).

3.2. Decidability of WMTL for One-Clock PTA With One Stopwatch Cost.

Theorem 3.4. Model checking one-clock PTA with one stopwatch cost against WMTL properties is decidable, and non-primitive recursive.

Proof. Time can be viewed as a special $\{1\}$-sloped cost. Hence, the non-primitive recursive lower bound follows from that of MTL model checking over finite timed words, see [OW05, OW07]. The decidability then relies on the same encoding as [OW05]. We present the construction, but do not give all details, especially when there is nothing new compared with the above-mentioned paper.

Let $\varphi$ be a WMTL formula, and $\mathcal{A}$ be a single-clock PTA with a stopwatch cost. Classically, from formula $\varphi$, we construct an "equivalent" one-variable alternating timed automaton$^5$ $\mathcal{B}_\varphi$. Figure 7 displays an example of such an automaton, corresponding to formula $\mathbf{G}\,[a \Rightarrow (\mathbf{F}_{\le 3}\,b \vee \mathbf{F}_{\ge 2}\,c)]$ (see [OW05] for more details on alternating timed automata).
[Figure 7: locations $\ell_1$ (loop on $\neg a$), $\ell_2$ and $\ell_3$ (both entered on $a$ with $x := 0$), with exits on $b$ under $x \le 3$ and on $c$ under $x \ge 2$.]
Figure 7: A timed alternating automaton for formula $\mathbf{G}\,[a \Rightarrow (\mathbf{F}_{\le 3}\,b \vee \mathbf{F}_{\ge 2}\,c)]$

However, note that in that case, the unique variable of the alternating automaton is not a clock but a cost variable, whose rate will depend on the location of $\mathcal{A}$ which is being visited. Still, as for MTL, we have the property that $\mathcal{A} \models \varphi$ iff there is an accepting joint run of $\mathcal{A}$ and $\mathcal{B}_\varphi$. In the following, we write $q$ for a generic location of $\mathcal{A}$ and $\ell$ for a generic location of $\mathcal{B}_\varphi$. Similarly, $Q$ denotes the set of locations of $\mathcal{A}$ and $L$ the set of locations of $\mathcal{B}_\varphi$. An $\mathcal{A}/\mathcal{B}_\varphi$-joint configuration is a finite subset of $Q \times \mathbb{R}_{\ge 0} \cup L \times \mathbb{R}_{\ge 0}$ with exactly one element of $Q \times \mathbb{R}_{\ge 0}$ (the current state in automaton $\mathcal{A}$). The joint behaviour of $\mathcal{A}$ and $\mathcal{B}_\varphi$ is made of time evolutions and discrete steps in a natural way. Note that, from a given joint configuration $\gamma$, the time evolution is given by the current location $q_\gamma$ of $\mathcal{A}$: if the cost rate in $q_\gamma$ is $1$, then all variables behave like clocks, i.e., grow with rate $1$, and if the cost rate in $q_\gamma$ is $0$, then all variables in $\mathcal{B}_\varphi$ are stopped, and only the clock of $\mathcal{A}$ grows with rate $1$. We encode configurations with words over the alphabet $\Gamma = 2^{(Q \times \mathit{Reg}\ \cup\ L \times \mathit{Reg})}$, where $\mathit{Reg} = \{0, 1, \ldots, M\} \cup \{\top\}$ ($M$ is an integer above the maximal constant appearing in both $\mathcal{A}$ and $\mathcal{B}_\varphi$). A state $(\ell, c)$ of $\mathcal{B}_\varphi$ will for instance be encoded by $(\ell, \mathit{int}(c))$$^6$ if $c \le M$, and it will be encoded by $(\ell, \top)$ if $c > M$. Now given a joint configuration $\gamma = \{(q,x)\} \cup \{(\ell_i, c_i) \mid i \in I\}$, partition $\gamma$ into a sequence of subsets $\gamma_0, \gamma_1, \ldots$
$, \gamma_p, \gamma_\top$, such that $\gamma_\top = \{(\alpha,\beta) \in \gamma \mid \beta > M\}$, and if $i, j \ne \top$, for all $(\alpha,\beta) \in \gamma_i$ and $(\alpha',\beta') \in \gamma_j$, $\mathit{frac}(\beta) \le \mathit{frac}(\beta')$$^7$ iff $i \le j$ (so that $(\alpha,\beta)$ and $(\alpha',\beta')$ are in the same block $\gamma_i$ iff $\beta$ and $\beta'$ are both smaller than or equal to $M$ and have the same fractional part). We assume in addition that the fractional part of elements in $\gamma_0$ is $0$ (even if it means that $\gamma_0 = \emptyset$), and that all $\gamma_i$ for $1 \le i \le p$ are non-empty. If $\gamma$ is a joint configuration, we define its encoding $H(\gamma)$ as the word (over $\Gamma$)
$$\mathit{reg}(\gamma_0)\ \mathit{reg}(\gamma_1)\ \ldots\ \mathit{reg}(\gamma_p)\ \mathit{reg}(\gamma_\top)$$
where $\mathit{reg}(\gamma_i) = \{(\alpha, \mathit{reg}(\beta)) \mid (\alpha,\beta) \in \gamma_i\}$ with $\mathit{reg}(\beta) = \mathit{int}(\beta)$ if $\beta \le M$, and $\mathit{reg}(\beta) = \top$ otherwise.

$^5$ We use the eager semantics [BMOW07] for alternating automata, where configurations of the automaton always have the same sets of successors.
$^6$ $\mathit{int}$ represents the integral part.
$^7$ $\mathit{frac}$ represents the fractional part.

Example 3.5. Consider the configuration $\gamma = \{(q, 1.6)\} \cup \{(\ell_1, 5.2), (\ell_2, 2.2), (\ell_2, 2.6), (\ell_3, 1.5), (\ell_3, 4.5)\}$. Assuming that the maximal constant (on both $\mathcal{A}$ and $\mathcal{B}_\varphi$) is $4$, the encoding is then
$$H(\gamma) = \{(\ell_2, 2)\} \cdot \{(\ell_3, 1)\} \cdot \{(q, 1), (\ell_2, 2)\} \cdot \{(\ell_1, \top), (\ell_3, \top)\}.$$

We define a discrete transition system over encodings of $\mathcal{A}/\mathcal{B}_\varphi$-joint configurations: there is a transition $W \Rightarrow W'$ if there exist $\gamma \in H^{-1}(W)$ and $\gamma' \in H^{-1}(W')$ such that $\gamma \to \gamma'$ (that can be either a time evolution or a discrete step).

Lemma 3.6. The equivalence relation $\equiv$ defined as $\gamma_1 \equiv \gamma_2 \overset{\mathrm{def}}{\Leftrightarrow} H(\gamma_1) = H(\gamma_2)$ is a time-abstract bisimulation over joint configurations.

Proof. We assume $\gamma_1 \to \gamma'_1$ and $\gamma_1 \equiv \gamma_2$. We write $H(\gamma_1) = H(\gamma_2) = w_0 w_1 \ldots w_p w_\top$ where $w_i \ne \emptyset$ if $1 \le i \le p$.
We distinguish between the different possible cases for the transition $\gamma_1 \to \gamma'_1$.
• assume $\gamma_1 \to \gamma'_1$ is a time evolution, and the cost rate in the corresponding location of $\mathcal{A}$ is $0$. If $\gamma_1 = \{(q_1, x_1)\} \cup \{(\ell_{i,1}, c_{i,1}) \mid i \in I_1\}$, then $\gamma'_1 = \{(q_1, x_1 + t_1)\} \cup \{(\ell_{i,1}, c_{i,1}) \mid i \in I_1\}$ for some $t_1 \in \mathbb{R}_{\ge 0}$. We assume in addition that $\gamma_2 = \{(q_2, x_2)\} \cup \{(\ell_{i,2}, c_{i,2}) \mid i \in I_2\}$. We let $\gamma^i_1$ be the part of configuration $\gamma_1$ which corresponds to letter $w_i$, and we write $\alpha^i_1$ for the fractional part of the clock values corresponding to $\gamma^i_1$. We have $0 = \alpha^0_1 < \alpha^1_1 < \ldots < \alpha^p_1 < 1$. We define similarly $(\alpha^i_2)_{0 \le i \le p}$ for configuration $\gamma_2$. We then distinguish between several cases:
− either $x_1 + t_1 > M$, in which case it is sufficient to choose $t_2 \in \mathbb{R}_{\ge 0}$ such that $x_2 + t_2 > M$.
− or $x_1 + t_1 \le M$ and $\mathit{frac}(x_1 + t_1) = \alpha^i_1$ for some $0 \le i \le p$. In that case, choose $t_2 = x_1 + t_1 - \alpha^i_1 + \alpha^i_2 - x_2$. As $\gamma_1 \equiv \gamma_2$, it is not difficult to check that $t_2 \in \mathbb{R}_{\ge 0}$. Moreover, $\mathit{frac}(x_2 + t_2) = \alpha^i_2$ and $\mathit{int}(x_2 + t_2) = \mathit{int}(x_1 + t_1)$.
− or $x_1 + t_1 \le M$ and $\alpha^i_1 < \mathit{frac}(x_1 + t_1) < \alpha^{i+1}_1$ for some $0 \le i \le p$ (setting $\alpha^{p+1}_1 = 1$). As previously, in that case also, we can choose $t_2 \in \mathbb{R}_{\ge 0}$ such that $\alpha^i_2 < \mathit{frac}(x_2 + t_2) < \alpha^{i+1}_2$ and $\mathit{int}(x_2 + t_2) = \mathit{int}(x_1 + t_1)$.
In all cases, defining $\gamma'_2 = \{(q_2, x_2 + t_2)\} \cup \{(\ell_{i,2}, c_{i,2}) \mid i \in I_2\}$, we get that $\gamma_2 \to \gamma'_2$ and $\gamma'_1 \equiv \gamma'_2$, which proves the inductive case.
• there are two other cases (time evolution with the rate of all variables being $1$, and discrete step), but they are similar to the case of MTL, and we rather refer to [OW07].

Hence, from the previous lemma, we get:

Corollary 3.7. $W \Rightarrow^* W'$ iff there exist $\gamma \in H^{-1}(W)$ and $\gamma' \in H^{-1}(W')$ such that $\gamma \to^* \gamma'$.
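The encoding $H(\gamma)$ of Example 3.5 together with the delay-matching construction from the rate-0 case of the proof of Lemma 3.6, as an added example in Python (not the authors' code): a second configuration $\gamma_2$ with the same encoding and the delays are constructed here, and the example assumes the $\mathcal{A}$-state $(q,x)$ is listed first in a configuration.

```python
from fractions import Fraction as F
from math import floor

TOP = '⊤'   # the Reg symbol for a value above the maximal constant M

# A joint configuration is a list of (name, value) pairs with the A-state (q, x) first
# (assumption of this example); the remaining pairs are the (l_i, c_i) of B_phi.
def frac(v):
    return v - floor(v)

def reg(v, M):
    """reg(b) = int(b) if b <= M, and ⊤ otherwise."""
    return floor(v) if v <= M else TOP

def blocks(gamma, M):
    """Split gamma into gamma_0, ..., gamma_p (grouped and ordered by fractional part,
    gamma_0 for fractional part 0 and possibly empty) and gamma_top (values above M).
    Returns the blocks, their fractional parts 0 = alpha^0 < ... < alpha^p, and gamma_top."""
    bounded = [(n, v) for n, v in gamma if v <= M]
    top = [(n, v) for n, v in gamma if v > M]
    alphas = sorted({frac(v) for _, v in bounded} | {F(0)})
    return [[(n, v) for n, v in bounded if frac(v) == a] for a in alphas], alphas, top

def H(gamma, M):
    """The word reg(gamma_0) reg(gamma_1) ... reg(gamma_p) reg(gamma_top) over Gamma."""
    blks, _, top = blocks(gamma, M)
    return [frozenset((n, reg(v, M)) for n, v in b) for b in blks + [top]]

def elapse_rate0(gamma, t):
    """Time evolution of t in a location of A with cost rate 0: only A's clock grows."""
    (q, x), rest = gamma[0], gamma[1:]
    return [(q, x + t)] + rest

def match_delay(gamma1, t1, gamma2, M):
    """Given H(gamma1) = H(gamma2) and a rate-0 delay t1 from gamma1, return the delay t2
    chosen in the proof of Lemma 3.6, so that gamma1 + t1 and gamma2 + t2 encode alike."""
    assert H(gamma1, M) == H(gamma2, M)
    x1, x2 = gamma1[0][1], gamma2[0][1]
    y = x1 + t1
    if y > M:                                    # case 1: any t2 with x2 + t2 > M will do
        return max(F(0), M + 1 - x2)
    _, a1, _ = blocks(gamma1, M)
    _, a2, _ = blocks(gamma2, M)
    a1, a2 = a1 + [F(1)], a2 + [F(1)]            # alpha^{p+1} = 1
    for i in range(len(a1) - 1):
        if frac(y) == a1[i]:                     # case 2: frac(x1 + t1) = alpha^i_1
            return y - a1[i] + a2[i] - x2
        if a1[i] < frac(y) < a1[i + 1]:          # case 3: strictly between alpha^i_1, alpha^{i+1}_1
            return floor(y) + (a2[i] + a2[i + 1]) / 2 - x2
    raise AssertionError("frac(y) lies in [0, 1), so one of the cases above applies")

def bisimulation_step_ok(gamma1, t1, gamma2, M):
    """Check the claim of the rate-0 case: t2 >= 0 and H(gamma1 + t1) = H(gamma2 + t2)."""
    t2 = match_delay(gamma1, t1, gamma2, M)
    return t2 >= 0 and H(elapse_rate0(gamma1, t1), M) == H(elapse_rate0(gamma2, t2), M)

# Example 3.5 (M = 4) and a constructed gamma2 with the same encoding but other fractional parts.
M_EX = 4
GAMMA_1 = [('q', F('1.6')), ('l1', F('5.2')), ('l2', F('2.2')), ('l2', F('2.6')),
           ('l3', F('1.5')), ('l3', F('4.5'))]
GAMMA_2 = [('q', F('1.9')), ('l1', F('6.0')), ('l2', F('2.1')), ('l2', F('2.9')),
           ('l3', F('1.7')), ('l3', F('4.3'))]
# The encoding of Example 3.5, preceded by the (empty) letter reg(gamma_0) that the
# definition includes and the example's display leaves out.
H_EXAMPLE_3_5 = [frozenset(), frozenset({('l2', 2)}), frozenset({('l3', 1)}),
                 frozenset({('q', 1), ('l2', 2)}), frozenset({('l1', TOP), ('l3', TOP)})]
# Constructed delays hitting cases 2 (0.4, 0.6), 3 (0.95) and 1 (3) of the proof.
DELAYS = (F('0.4'), F('0.6'), F('0.95'), F('3'))

if __name__ == "__main__":
    print(H(GAMMA_1, M_EX) == H_EXAMPLE_3_5)
    print(all(bisimulation_step_ok(GAMMA_1, t, GAMMA_2, M_EX) for t in DELAYS))
```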
The set $\Gamma = 2^{(Q \times \mathit{Reg}\ \cup\ L \times \mathit{Reg})}$ is naturally ordered by inclusion $\subseteq$. We extend the classical subword relation for words over $\Gamma$ as follows: given two words $a_0 a_1 \ldots a_n$ and $a'_0 a'_1 \ldots a'_{n'}$ in $\Gamma^*$, we say that $a_0 a_1 \ldots a_n \sqsubseteq a'_0 a'_1 \ldots a'_{n'}$ whenever there exists an increasing injection $\iota : \{0, 1, \ldots, n\} \to \{0, 1, \ldots, n'\}$ such that for every $i \in \{0, 1, \ldots, n\}$, $a_i \subseteq a'_{\iota(i)}$. Following [AN00, Theorem 3.1], the preorder $\sqsubseteq$ is a well-quasi-order.

Lemma 3.8. Assume that $W_1 \sqsubseteq W_2$, and that $W_2 \Rightarrow^* W'_2$. Then, there exists $W'_1 \sqsubseteq W'_2$ such that $W_1 \Rightarrow^* W'_1$.

The algorithm then proceeds as follows: we start from the encoding of the initial configuration, say $W_0$, and then generate the tree unfolding of the implicit graph $(\Gamma^*, \Rightarrow)$, stopping a branch when the current node is labelled by $W$ such that there already exists a node of the tree labelled by $W'$ with $W' \sqsubseteq W$ (note that by Lemma 3.8, if there is an accepting path from $W$, then so is there from $W'$, hence it is correct to prune the tree after node $W$). Note that this tree is finitely branching. Hence, if the computation does not terminate, then it means that there is an infinite branch (by König's lemma). This is not possible as $\sqsubseteq$ is a well-quasi-order. Hence, the computation eventually terminates, and we can decide whether there is a joint accepting computation in $\mathcal{A}$ and $\mathcal{B}_\varphi$, which implies that we can decide whether $\mathcal{A}$ satisfies $\varphi$ or not.

Remark 3.9. In the case of MTL, the previous encoding can be used to prove the decidability of model checking for timed automata with any number of clocks. In our case, it cannot: Lemma 3.6 does not hold for two-clock PTA, even with a single stopwatch cost. Consider for instance two clocks $x$ and $z$, and a cost variable $\mathit{cost}$.
Assume we are in location $q$ of the automaton with cost rate 0, and that there is an outgoing transition labelled by the constraint $x = 1$. Assume moreover that the value of $z$ is 0, whereas the value of $x$ is 0.2. We consider two cases: either the value of $\mathit{cost}$ is 0.5, or the value of $\mathit{cost}$ is 0.9. In both cases, the encoding⁸ of the joint configuration is $\{(q,z,0)\} \cdot \{(q,x,0)\} \cdot \{(\mathit{cost},0)\}$. However, in the first case, the encoding when firing the transition will be $\{(q,x,1)\} \cdot \{(\mathit{cost},0)\} \cdot \{(q,z,0)\}$, whereas in the second case, it will be $\{(q,x,1)\} \cdot \{(q,z,0)\} \cdot \{(\mathit{cost},0)\}$. Hence the relation $\equiv$ is not a time-abstract bisimulation.

Remark 3.10. Let $A$ be a PTA with a stopwatch cost. From the construction using encodings by words we have presented above, we see that the truth of WMTL formulas is invariant by classical regions (by classical regions, we mean one-dimensional regions with granularity 1): indeed, in the above construction, it suffices to change the initial configuration with the encoding of the region we want to start from, and applying the previous results, we immediately get that the truth of the formula will then not depend on the precise initial value of the clock. As a consequence, the model checking of WCTL*⁹ is decidable (and non-primitive recursive) for PTA with a single stopwatch cost: it suffices to label regions (in the classical sense) with the WMTL subformulas they satisfy. Let us mention right now that the undecidability results below directly extend to WCTL*, so that again, any extension of the model leads to undecidability.

3.3. Undecidability Results. In this part, we prove that the above result is tight, in the sense that adding an extra stopwatch cost or removing the "stopwatch" condition yields undecidability.
⁸ We extend the encoding we have presented above to several clocks, as originally done in [OW05].
⁹ WCTL* is the extension of CTL* [CES86] with cost constraints. We omit its definition.

3.3.1. One-Clock PTA With One Cost Variable.

Theorem 3.11. Model checking one-clock PTA with one (general) cost against WMTL properties is undecidable.

We push some ideas used in [BBM06, BLM07] further to prove this new undecidability result. We reduce the halting problem for a two-counter machine $M$ to that problem. The unique clock of the automaton will store both values of the counters. If the first (resp. second) counter has value $c_1$ (resp. $c_2$), then the value of the clock will be $2^{-c_1} 3^{-c_2}$. Our machine $M$ has two kinds of instructions. The first kind increments one of the counters, say $c$, and jumps to the next instruction:
$$p_i:\ c := c + 1;\ \mathrm{goto}\ p_j. \qquad (3.1)$$
The second kind decrements one of the counters, say $c$, and goes to the next instruction, except if the value of the counter was zero:
$$p_i:\ \mathrm{if}\ (c == 0)\ \mathrm{then\ goto}\ p_j\ \mathrm{else}\ c := c - 1;\ \mathrm{goto}\ p_k. \qquad (3.2)$$
Our reduction consists in building a one-clock PTA $A_M$ and a WMTL formula $\varphi$ such that the two-counter machine $M$ halts iff $A_M$ has a run satisfying $\varphi$. Each instruction of $M$ is encoded as a module, and all the modules are then plugged together.

Module for instruction (3.1). Consider instruction (3.1), which increments the first counter. To simulate this instruction, we need to be able to divide the value of the clock by 2. The corresponding module, named $\mathit{Mod}_i$, is depicted on Figure 8.¹⁰

[Figure 8: Module for incrementing $c_1$. Locations $A$, $B$, $C$, $D$ with cost rates 1, 1, 2, 1; invariants $x \le 1$; a guard $x = 1$ with reset $x := 0$; a discrete cost $+2$ on an edge between $A$ and $D$; exit from $D$ to module $\mathit{Mod}_j$.]

The following lemma is then easy to prove:

Lemma 3.12.
Assume that there is a run entering module $\mathit{Mod}_i$ with $x = x_0 \le 1$, exiting with $x = x_1$, and such that no time elapses in $A$ and $D$ and the cost between $A$ and $D$ equals 3. Then $x_1 = x_0/2$.

A similar result can be obtained for a module incrementing $c_2$: it simply suffices to replace the cost rate in $C$ by 3 instead of 2.

Module for instruction (3.2). The simulation of this instruction is much more involved than the previous one. Indeed, we first have to check whether the value of $x$ when entering the module is of the form $3^{-c_2}$ (i.e., whether $c_1 = 0$). This is achieved, roughly, by multiplying the value of $x$ by 3 until it reaches (or exceeds) 1. Depending on the result, this module will then branch to module $\mathit{Mod}_j$, or decrement counter $c_1$ and go to module $\mathit{Mod}_k$. The difficult point is that clock $x$ must be reset to its original value between the first and the second part. We consider the module $\mathit{Mod}_i$ depicted on Figure 9.

¹⁰ As there is a unique cost variable, we write its rate within the location, and add a discrete incrementation (e.g. $+2$) on edges, when the edge has a positive cost.

[Figure 9: Module testing/decrementing $c_1$. Locations $A_0$, $C_0$, $A$, $C$, $C'$, $D$, $F_1$, $F_2$, $H_1$, $H_2$, $A_2$, $C_2$, $D_2$ have cost rate 1; $B_0$, $B$, $E_1$, $E_2$, $G_1$, $G_2$ have cost rate 3; $B_2$ has cost rate 2. Edge labels are among $x < 1$, $x = 1$ with $x := 0$, $x > 1$ with $x := 0$, and $x := 0$; invariant $x \le 1$; a discrete cost $+1$ on the edge from $C_2$ to $D_2$; exits to modules $\mathit{Mod}_j$ and $\mathit{Mod}_k$.]

Lemma 3.13.
Assume there exists a run entering module $\mathit{Mod}_i$ with $x = x_0 \le 1$, exiting to module $\mathit{Mod}_j$ with $x = x_1$, and such that
• no time elapses in $A_0$, $C_0$, $D$, $A$, $C'$, $F_1$ and $H_1$;
• any visit to $C_0$ or $C'$ is eventually followed (strictly) by a visit to $C'$ or $F_1$;
• the cost exactly equals 3 along each part of the run between $A$ or $A_0$ and the next visit to $D$, between $C_0$ or $C'$ and the next visit to $C'$ or $F_1$, and between the last visit to $D$ and $H_1$.
Then $x_1 = x_0$ and there exists $n \in \mathbb{N}$ s.t. $x_0 = 3^{-n}$.

Proof. Consider such a run. First, if $x_0 = 1$ and the run goes directly to module $\mathit{Mod}_j$, then the result immediately follows. Otherwise, the run visits $D$ at least once. We prove inductively that, at the $k$-th visit to $D$, the value of $x$ equals $3^k x_0$ (remember that no time can elapse in $D$). The first part of the run, between $A_0$ and $D$, is as follows¹¹ (the labels on the arrows represent the cost of the corresponding transition):
$$(A_0, x_0) \xrightarrow{0} (B_0, x_0) \xrightarrow{3(1-x_0)} (B_0, 1) \xrightarrow{0} (C_0, 0) \xrightarrow{0} (C, 0) \xrightarrow{\alpha} (C, \alpha) \xrightarrow{0} (D, \alpha).$$
The total cost, $3(1 - x_0) + \alpha$, must equal 3. Thus $\alpha = 3x_0$. A similar argument shows that one turn in the loop (from $D$ back to itself) also multiplies clock $x$ by 3, hence the result. Since the run eventually fires the transition from $D$ to $E_1$, it must be the case that $x_0 = 3^{-n}$ for some $n \in \mathbb{N}$.

We now prove that $x_1 = x_0$. The proof follows a similar line: we prove that at the $k$-th visit to $C_0$ or $C'$, the value of $x$ is $(3^k - 3) x_0$. This clearly holds when $k = 1$ (i.e., when we visit $C_0$). Assuming that the run eventually visits $C'$, we consider the part of the run between $C_0$ and the first visit to $C'$:
$$(C_0, 0) \xrightarrow{0} (C, 0) \xrightarrow{3x_0} (C, 3x_0) \xrightarrow{0} (D, 3x_0) \xrightarrow{0} (A, 3x_0) \xrightarrow{0} (B, 3x_0) \xrightarrow{3(1-3x_0)} (B, 1) \xrightarrow{0} (C, 0) \xrightarrow{\beta} (C, \beta) \xrightarrow{0} (C', \beta).$$
The cost of this part is $3 - 6x_0 + \beta$, and must equal 3. Thus $\beta = 6x_0$ as required. A similar computation (considering each part of the run between two consecutive visits to $C'$) proves the inductive case.

¹¹ By contradiction, it can be proved that $C'$ cannot be visited along that part of the run, since the cost between $C_0$ and $C'$ must be exactly 3.

Now, consider the part from the last visit to $C'$ to $H_1$:
$$(C', (3^n - 3)x_0) \xrightarrow{0} (C, (3^n - 3)x_0) \xrightarrow{3x_0} (C, 3^n x_0) \xrightarrow{0} (D, 3^n x_0) \xrightarrow{0} (E_1, 0) \xrightarrow{3\gamma} (E_1, \gamma) \xrightarrow{0} (F_1, \gamma) \xrightarrow{0} (G_1, 0) \xrightarrow{3\delta} (G_1, \delta) \xrightarrow{0} (H_1, \delta).$$
(Remember that $3^n x_0 = 1$, which explains why the computation goes to $E_1$ instead of $E_2$.) The cost between $C'$ and $F_1$ is $3x_0 + 3\gamma$, and equals 3. Thus $\gamma = 1 - x_0$. Similarly, the cost between $D$ and $H_1$ is $3\gamma + 3\delta$ and must equal 3, which proves that $\delta$, which is precisely $x_1$, equals $x_0$.

We have a similar result for a run going to module $\mathit{Mod}_k$:

Lemma 3.14. Assume there exists a run entering module $\mathit{Mod}_i$ with $x = x_0 \le 1$, exiting to module $\mathit{Mod}_k$ with $x = x_1$, and such that
• no time elapses in $A_0$, $C_0$, $D$, $A$, $C'$, $F_2$, $H_2$, $A_2$ and $D_2$;
• any visit to $C_0$ or $C'$ is eventually followed (strictly) by a visit to $C'$ or $F_2$;
• the cost exactly equals 3 along each part of the run between $A$ or $A_0$ and the next visit to $D$, between $C_0$ or $C'$ and the next visit to $C'$ or $F_2$, between the last visit to $D$ and $H_2$, and between $H_2$ and $D_2$.
Then $x_1 = 2x_0$ and for every $n \in \mathbb{N}$, $x_0 \ne 3^{-n}$.

Proof. The arguments of the previous proof still apply: the value of $x$ at the $k$-th visit to $D$ is $3^k x_0$. If $x_0$ had been of the form $3^{-n}$, then the run would not have been able to fire the transition to $E_2$. Also, the value of $x$ when the run visits $H_2$ is precisely $x_0$.
The part of the run from $H_2$ to $D_2$ is then as follows:
$$(H_2, x_0) \xrightarrow{0} (A_2, x_0) \xrightarrow{0} (B_2, x_0) \xrightarrow{2(1-x_0)} (B_2, 1) \xrightarrow{0} (C_2, 0) \xrightarrow{\kappa} (C_2, \kappa) \xrightarrow{1} (D_2, \kappa).$$
The cost of this part is $2(1 - x_0) + \kappa + 1$, so that $x_1 = \kappa = 2x_0$.

Again, these results can easily be adapted to the case of an instruction testing and decrementing $c_2$: it suffices to
• set the costs of states $B_0$, $B$, $E_1$, $E_2$, $G_1$ and $G_2$ to 2,
• set the cost of $B_2$ to 3,
• set the discrete cost of $C_2 \to D_2$ to 0,
• set the discrete costs of $C \to D$, $G_1 \to H_1$ and $G_2 \to H_2$ to $+1$.

Global reduction. We now explain the global reduction: the automaton $A_M$ is obtained by plugging the modules above together, following the instructions of $M$. There is one special module for instruction Halt, which is made of a single Halt state. We also add a special initial state that lets 1 t.u. elapse (so that $x = 1$) before entering the first module.

The WMTL formula is built as follows: we first define an intermediary subformula stating that no time can elapse in some given state. It writes $\mathrm{zero}(P) = \mathbf{G}\,(P \Rightarrow (P\ \mathbf{U}_{=0}\ \neg P))$. If the local cost in state $P$ is not zero (which is the case in all the states of $A_M$), this formula forbids time elapsing in $P$. We then let $\varphi_1$ be the formula requiring that time cannot elapse in a state labelled with $A$, $D$, $A_0$, $C_0$, $C'$, $F_1$, $F_2$, $H_1$, $H_2$, $A_2$ and $D_2$. It remains to express the other conditions of Lemmas 3.12, 3.13 and 3.14. We write $\varphi_2$ for the corresponding formula.
For instance, the conditions of Lemmas 3.13 and 3.14 would be expressed as follows¹²:
$$\mathbf{G}\Big[(A_0 \wedge \mathit{Mod}_{\mathrm{decr}}) \Rightarrow \Big(\big[((A \vee A_0) \Rightarrow (\neg D\ \mathbf{U}_{=3}\ D)) \wedge ((C_0 \vee C') \Rightarrow (\neg(C' \vee F_1)\ \mathbf{U}_{=3}\ (C' \vee F_1))) \wedge ((D \wedge \neg D\ \mathbf{U}\ H_1) \Rightarrow (\neg H_1\ \mathbf{U}_{=3}\ H_1))\big]\ \mathbf{U}\ H_1$$
$$\qquad \vee\ \big[((A \vee A_0) \Rightarrow (\neg D\ \mathbf{U}_{=3}\ D)) \wedge ((C_0 \vee C') \Rightarrow (\neg(C' \vee F_2)\ \mathbf{U}_{=3}\ (C' \vee F_2))) \wedge ((D \wedge \neg D\ \mathbf{U}\ H_2) \Rightarrow (\neg H_2\ \mathbf{U}_{=3}\ H_2)) \wedge (H_2 \Rightarrow (\neg D_2\ \mathbf{U}_{=3}\ D_2))\big]\ \mathbf{U}\ H_2\Big)\Big]$$

The following proposition is now straightforward:

Proposition 3.15. The machine $M$ halts iff there exists a run in $A_M$ satisfying $\varphi_1 \wedge \varphi_2 \wedge \mathbf{F}\,\mathrm{Halt}$.

Remark 3.16.
• For the sake of simplicity, our reduction uses discrete costs, so that our WMTL formulas only involve constraints "$= 0$" and "$= 3$" (and the same formula $\varphi_2$ can be used for both counters). But our undecidability result easily extends to automata without discrete costs.
• Our reduction uses a $\{1,2,3\}$-sloped cost variable, but it could be achieved with any $\{p,q,r\}$-sloped cost variable (with $0 < p < q < r$, and $p$, $q$ and $r$ pairwise coprime) by encoding the values of the counters by the clock value $(p/q)^{c_1} \cdot (p/r)^{c_2}$.
• Our WMTL formula can easily be turned into a WMITL formula (whose syntax is that of MITL [AFH96], i.e., with no punctual constraints). It suffices to replace formulas of the form $(\neg p)\ \mathbf{U}_{=n}\ p$ with $(\neg p)\ \mathbf{U}_{\le n}\ p \wedge (\neg p)\ \mathbf{U}_{\ge n}\ p$.

3.3.2. Two-Clock PTA with One Stopwatch-Cost Variable. While this case does not fit in our "one-clock" setting, it is an interesting intermediate step between the previous and the next results.

Theorem 3.17. Model checking two-clock PTA with one stopwatch cost against WMTL properties is undecidable.

Proof. The proof uses the same encoding, except that states with cost 2 or 3 are replaced by sequences of states with costs 0 and 1 having the same effect.
We have two different kinds of states with cost 2 (or 3):
• those in which we stay until $x = 1$:
  [figure: $A \to B \to C$, with $B$ of cost 2 and invariant $x \le 1$, and the edge from $B$ to $C$ guarded by $x = 1$ with reset $x := 0$]
  These states are replaced by the following submodule:
  [figure: $A \to B_0 \to B_1 \to B \to C$, with $B_0$ of cost 1, $B_1$ of cost 0 and $B$ of cost 1; edge labels, in order: $x \le 1$ with $z := 0$, $x = 1$ with $x := 0$, $z = 1$ with $z := 0$, $x = 1$ with $x := 0$]
  A simple computation shows that both sequences have the same effect on clock $x$ and induce the same cost. Of course, the case of cost 3 is handled by adding one more pair of states with costs 0 and 1.
• those in which we enter with $x = 0$ (and exit with $x \le 1$):
  [figure: $A \to B \to C$, with $B$ of cost 2; edge labels $x := 0$ and $x \le 1$]
  Those are replaced with a slightly different sequence of states:
  [figure: $A \to B_0 \to B_1 \to B \to C$, with $B_0$ of cost 1, $B_1$ of cost 0 and $B$ of cost 1; edge labels, in order: $x := 0$, $x \le 1$ with $z := 0$, $x = 1$ with $x := 0$, $z = 1$]
  Again, one is easily convinced that both sequences are "equivalent", and that this transformation adapts to states with cost 3.

¹² The atomic proposition $\mathit{Mod}_{\mathrm{decr}}$ is used to indicate that we are in a module decrementing one of the counters. It implicitly labels all the states of such modules.

3.3.3. One-Clock PTA with Two Stopwatch-Cost Variables. In the above constructions, each clock can be replaced with an observer variable, i.e., with a "clock cost" that is not involved in the guards of the automaton anymore. We briefly explain this transformation on an example, and leave the details to the keen reader.

[Figure 10: Replacing a clock with an extra "clock cost". Left: the original automaton with locations $A$, $B$, $C$ and edge labels $x := 0$, $x = 1$, $x < 1$. Right: the transformed automaton, where these labels become locations $x_0$, $x_{<1}$ and $x_{=1}$ inserted between $A$, $B$ and $C$, and the clock cost $c_x$ has rate 1 in every location.]

Figure 10 displays the transformation to be applied to the automaton. It then suffices to enforce that no time elapses in states $x_0$, $x_{<1}$ and $x_{=1}$, and that the following formula holds:
$$\bigwedge_{\sim n \in \{<1,\ =1\}} \mathbf{G}\Big[\big(x_0 \wedge \neg x_0\ \mathbf{U}\ x_{\sim n}\big) \Rightarrow \neg x_0\ \mathbf{U}_{(c_x \sim n)}\ x_{\sim n}\Big]$$
This precisely encodes the role of clock $x$ in the original automaton with a clock cost, which is in particular a stopwatch cost.
Note that this transformation is not correct in general, but it is here because our reduction never involves two consecutive transitions with the same guard. Thus, we immediately get the following result:

Theorem 3.18. Model checking one-clock PTA with two stopwatch-cost variables against WMTL properties is undecidable.

4. Conclusion

In this paper, we have studied various model-checking problems for one-clock priced timed automata. We have proved that model-checking one-clock priced timed automata against WCTL properties is PSPACE-complete. This is rather surprising, as model-checking TCTL over one-clock timed automata has the same complexity, though it allows far fewer features. For proving this result, we have exhibited a sufficient granularity such that the truth of formulas over regions defined with this granularity is uniform. Based on this result, we developed a space-efficient algorithm which computes satisfaction of subformulas on-the-fly. This result has to be contrasted with the undecidability result of [BBM06], which establishes that model-checking priced timed automata with three clocks or more against WCTL properties is undecidable.

We have also depicted the precise decidability border for WMTL model-checking, a cost-constrained extension of LTL. We have proved that the restriction to a single clock and a single stopwatch cost variable leads to decidability, and that any single extension leads to undecidability.

There are several natural research directions: the decidability of WCTL model-checking for two-clock priced timed automata is not known, we just know that these models have an infinite bisimulation [BBR04]; another interesting extension is multi-constrained modalities, e.g. $\mathbf{E}\,\varphi\ \mathbf{U}_{\mathit{cost}_1 \le 5,\ \mathit{cost}_2 > 3}\ \varphi$?
References

[AAM06] Yasmina Abdeddaïm, Eugene Asarin, and Oded Maler. Scheduling with timed automata. Theoretical Computer Science, 354(2):272–300, 2006.
[ABM04] Rajeev Alur, Mikhail Bernadsky, and P. Madhusudan. Optimal reachability in weighted timed games. In Proc. 31st International Colloquium on Automata, Languages and Programming (ICALP'04), volume 3142 of Lecture Notes in Computer Science, pages 122–133. Springer, 2004.
[ACD93] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking in dense real-time. Information and Computation, 104(1):2–34, 1993.
[AD94] Rajeev Alur and David Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
[AFH96] Rajeev Alur, Tomás Feder, and Thomas A. Henzinger. The benefits of relaxing punctuality. Journal of the ACM, 43(1):116–146, 1996.
[AH90] Rajeev Alur and Thomas A. Henzinger. Real-time logics: Complexity and expressiveness. In Proc. 5th Annual Symposium on Logic in Computer Science (LICS'90), pages 390–401. IEEE Computer Society Press, 1990.
[AL88] Martin Abadi and Leslie Lamport. The existence of refinement mappings. In Proc. 3rd Annual IEEE Symposium on Logic in Computer Science (LICS'88), pages 165–175. IEEE Computer Society Press, 1988.
[ALP01] Rajeev Alur, Salvatore La Torre, and George J. Pappas. Optimal paths in weighted timed automata. In Proc. 4th International Workshop on Hybrid Systems: Computation and Control (HSCC'01), volume 2034 of Lecture Notes in Computer Science, pages 49–62. Springer, 2001.
[AN00] Parosh Aziz Abdulla and Aletta Nylén. Better is better than well: On efficient verification of infinite-state systems. In Proc. 15th Annual Symposium on Logic in Computer Science (LICS'00), pages 132–140. IEEE Computer Society Press, 2000.
[BBBR07] Patricia Bouyer, Thomas Brihaye, Véronique Bruyère, and Jean-François Raskin. On the optimal reachability problem on weighted timed automata. Formal Methods in System Design, 31(2):135–175, October 2007.
[BBL04] Patricia Bouyer, Ed Brinksma, and Kim G. Larsen. Staying alive as cheaply as possible. In Proc. 7th International Workshop on Hybrid Systems: Computation and Control (HSCC'04), volume 2993 of Lecture Notes in Computer Science, pages 203–218. Springer, 2004.
[BBL08] Patricia Bouyer, Ed Brinksma, and Kim G. Larsen. Optimal infinite scheduling for multi-priced timed automata. Formal Methods in System Design, 32(1):2–23, February 2008.
[BBM06] Patricia Bouyer, Thomas Brihaye, and Nicolas Markey. Improved undecidability results on weighted timed automata. Information Processing Letters, 98(5):188–194, 2006.
[BBR04] Thomas Brihaye, Véronique Bruyère, and Jean-François Raskin. Model-checking for weighted timed automata. In Proc. Joint Conf. Formal Modelling and Analysis of Timed Systems and Formal Techniques in Real-Time and Fault Tolerant System (FORMATS+FTRTFT'04), volume 3253 of Lecture Notes in Computer Science, pages 277–292. Springer, 2004.
[BBR05] Thomas Brihaye, Véronique Bruyère, and Jean-François Raskin. On optimal timed strategies. In Proc. 3rd International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS'05), volume 3821 of Lecture Notes in Computer Science, pages 49–64. Springer, 2005.
[BCFL04] Patricia Bouyer, Franck Cassez, Emmanuel Fleury, and Kim G. Larsen. Optimal strategies in priced timed game automata. In Proc. 24th Conf. Found. Softw. Tech. & Theor. Comp. Science (FST&TCS'04), volume 3328 of Lecture Notes in Computer Science, pages 148–160. Springer, 2004.
[BES93] Ahmed Bouajjani, Rachid Echahed, and Joseph Sifakis. On model checking for real-time properties with durations. In Proc. 8th Annual Symposium on Logic in Computer Science (LICS'93). IEEE Computer Society Press, 1993.
[BFH+01a] Gerd Behrmann, Ansgar Fehnker, Thomas Hune, Kim G. Larsen, Paul Pettersson, and Judi Romijn. Efficient guiding towards cost-optimality in UPPAAL. In Proc. 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'01), volume 2031 of Lecture Notes in Computer Science, pages 174–188, 2001.
[BFH+01b] Gerd Behrmann, Ansgar Fehnker, Thomas Hune, Kim G. Larsen, Paul Pettersson, Judi Romijn, and Frits Vaandrager. Minimum-cost reachability for priced timed automata. In Proc. 4th International Workshop on Hybrid Systems: Computation and Control (HSCC'01), volume 2034 of Lecture Notes in Computer Science, pages 147–161. Springer, 2001.
[BLM07] Patricia Bouyer, Kim G. Larsen, and Nicolas Markey. Model-checking one-clock priced timed automata. In Proceedings of the 10th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'07), volume 4423 of Lecture Notes in Computer Science, pages 108–122. Springer, March 2007.
[BLMR06] Patricia Bouyer, Kim G. Larsen, Nicolas Markey, and Jacob I. Rasmussen. Almost optimal strategies in one-clock priced timed automata. In Proc. 26th Conf. Found. Softw. Tech. & Theor. Comp. Science (FST&TCS'06), volume 4337 of Lecture Notes in Computer Science, pages 346–357. Springer, 2006.
[BLR05a] Gerd Behrmann, Kim G. Larsen, and Jacob I. Rasmussen. Optimal scheduling using priced timed automata. ACM SIGMETRICS Performance Evaluation Review, 32(4):34–40, 2005.
[BLR05b] Gerd Behrmann, Kim G. Larsen, and Jacob I. Rasmussen. Priced timed automata: Algorithms and applications. In Revised Lectures 3rd International Symposium on Formal Methods for Components and Objects (FMCO'04), volume 3657 of Lecture Notes in Computer Science, pages 162–182. Springer, 2005.
[BM07] Patricia Bouyer and Nicolas Markey. Costs are expensive! In Proceedings of the 5th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS'07), volume 4763 of Lecture Notes in Computer Science, pages 53–68. Springer, October 2007.
[BMOW07] Patricia Bouyer, Nicolas Markey, Joël Ouaknine, and James Worrell. The cost of punctuality. In Proc. 21st Annual Symposium on Logic in Computer Science (LICS'07), pages 109–118. IEEE Computer Society Press, 2007.
[CES86] Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, April 1986.
[HJ94] Hans Hansson and Bengt Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994.
[HKV96] Thomas A. Henzinger, Orna Kupferman, and Moshe Y. Vardi. A space-efficient on-the-fly algorithm for real-time model checking. In Proc. 7th Intl. Conf. Concurrency Theory (CONCUR'96), volume 1119 of Lecture Notes in Computer Science, pages 514–529. Springer, 1996.
[Koy90] Ron Koymans. Specifying real-time properties with Metric Temporal Logic. Real-Time Systems, 2(4):255–299, 1990.
[LMS04] François Laroussinie, Nicolas Markey, and Philippe Schnoebelen. Model checking timed automata with one or two clocks. In Proc. 15th International Conference on Concurrency Theory (CONCUR'04), volume 3170 of Lecture Notes in Computer Science, pages 387–401. Springer, 2004.
[LR05] Kim G. Larsen and Jacob I. Rasmussen. Optimal conditional reachability for multi-priced timed automata. In Proc. 8th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'05), volume 3441 of Lecture Notes in Computer Science, pages 234–249. Springer, 2005.
[LW05] Sławomir Lasota and Igor Walukiewicz. Alternating timed automata. In Proc. 8th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'05), volume 3441 of Lecture Notes in Computer Science, pages 250–265. Springer, 2005.
[LW08] Sławomir Lasota and Igor Walukiewicz. Alternating timed automata. ACM Transactions on Computational Logic, 9(2), March 2008.
[OG76] Susan Owicki and David Gries. An axiomatic proof technique for parallel programs. Acta Informatica, 6(4):319–340, August 1976.
[OW05] Joël Ouaknine and James Worrell. On the decidability of Metric Temporal Logic. In Proc. 19th Annual Symposium on Logic in Computer Science (LICS'05), pages 188–197. IEEE Computer Society Press, 2005.
[OW07] Joël Ouaknine and James Worrell. On the decidability and complexity of Metric Temporal Logic over finite words. Logical Methods in Computer Science, 3(1:8), 2007.
[Ras99] Jean-François Raskin. Logics, Automata and Classical Theories for Deciding Real-Time. PhD thesis, University of Namur, Namur, Belgium, 1999.
[RLS04] Jacob I. Rasmussen, Kim G. Larsen, and K. Subramani. Resource-optimal scheduling using priced timed automata. In Proc. 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'04), volume 2988 of Lecture Notes in Computer Science, pages 220–235. Springer, 2004.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.