Abstract. Let be a class of (possibly nondeterministic) language acceptors with a oneway input tape. A system of automata in, is composable if for every string of symbols accepted by, there is an assignment of each symbol in to one of the ’s such that if is the subsequence assigned to, then is accepted by. For a nonnegative integer, a-lookahead delegator for is a deterministic machine in which, knowing (a) the current states! of and the accessible “local ” information of each machine (e.g., the top of the stack if each machine is a pushdown automaton, whether a counter is zero on nonzero if each machine is a multicounter automaton, etc.), and (b) the lookahead symbols to the right of the current input symbol being processed, can uniquely determine " the to assign the current symbol. Moreover, every string accepted by is also accepted by, i.e., the subsequence of string delegated by to " each is accepted by. Thus,-lookahead delegation is a stronger requirement than composability, since the delegator must be deterministic. A system that is composable may not have a-delegator for any. We look at the decidability of composability and existence of-delegators for various classes of machines. Our results have applications to automated composition of e-services. E-

Abstract—We propose a model that captures the behavior of real-time recursive systems. To that end, we introduce dense-timed pushdown automata that extend the classical models of pushdown automata and timed automata, in the sense that the automaton operates on a finite set of real-valued clocks, and each symbol in the stack is equipped with a real-valued clock representing its “age”. The model induces a transition system that is infinite in two dimensions, namely it gives rise to a stack with an unbounded number of symbols each of which with a real-valued clock. The main contribution of the paper is an EXPTIME-complete algorithm for solving the reachability problem for dense-timed pushdown automata. I.

We study two questions in the theory of timed automata concerning timed language inclusion of real-time programs modeled as timed pushdown automata in real-time specifications with just one clock. We show that if the specification B is modeled as a timed automaton with one clock, then the language inclusion problem L(A) ⊆ L(B) for a timed pushdown automaton A is decidable. On the other hand, we show that the universality problem of timed visibly pushdown automata with only one clock is undecidable. Thus there is no algorithm to check language inclusion of real-time programs for specifications given by visibly pushdown specifications with just one clock.

Abstract not found

Timed automata are a popular formalism to model real-time systems. They were introduced two decades ago to support formal verification. Since then they have also been used for other purposes and a large has been introduced to be able to deal with the many different kinds of requirements of real-time system. This paper presents a fairly comprehensive survey, comprised of eighty variants of timed automata. The paper classifies all these eighty variants of timed automata in an effort to determine current developments. It uses analysis techniques, formal properties, and decision problems to draw distinctions between different versions. Moreover, the paper discusses the challenges behind using a timed automata specification to derive an implementation of a working real-time system and presents some solutions. Finally, the paper lists and classifies forty tools supporting timed automata. The paper does not only discuss many variants and their supporting concepts (e.g., closure properties, decision problems), techniques (e.g., for analysis), and tools, but it also attempts to help the reader navigate the vast literature in the field, to highlight differences and similarities between variants, and to reveal research trends and promising avenues for future exploration.

Abstract Lossy channel systems are a classical model with applications ranging from the modeling of communication protocols to programs running on weak memory models. All existing work assume that messages traveling inside the channels are picked from a finite alphabet. In this paper, we extend the model by assuming that each message is equipped with a clock representing the age of the message, thus obtaining the model of Timed Lossy Channel Systems (TLCS). The main contribution of the paper is to show that the control state reachability problem is decidable for TLCS. ACM Subject Classification D.2.4 Keywords and phrases Lossy channel systems, timed automata, model checking Introduction During the last two decades there has been a large amount of work devoted to the verification of discrete program models that have infinite state spaces such as Petri nets, pushdown systems, counter automata, and channel machines. In particular lossy channel systems have been studied extensively as a model of communication protocols. Such protocols are designed to work correctly even in the case where the underlying medium is unreliable in the sense that it can lose messages In this paper, we show decidability of the control state reachability problem for TLCS. We show the decidability result through a novel reduction formulated in two steps. First, we introduce a new model called Dynamic Lossy Channel Systems (DLCS) which is a generalization of (untimed) LCS. More precisely, a DLCS contains, in addition to a (fixed) finite set of lossy channels, a dynamic part that contains an a priori unbounded number of channels. The dynamic part behaves as a second-order lossy channel, i.e., a "lossy channel of lossy channels". We show that each DLCS induces a transition system that is well quasiordered in the sense of The complexity of the reachability problem for TLCS is not primitive recursive as it is not primitive recursive already for untimed LCS Preliminaries Notation We use N and R ≥0 to denote the sets of natural numbers resp. non-negative reals. For a real number r ∈ R ≥0 , we define Int(r) as the greatest n ∈ N such that n ≤ r, and Frac(r) as r − Int(r). We call Int(r) the integer part and Frac(r) the fractional part of r respectively. An open interval is written as (i, j) where i ∈ N and j ∈ N ∪ {∞}. Intervals can also be closed in one or both directions, e.g. We use (A → B) to denote the set of total functions from A to B. We say that a function f : N → N is strictly increasing if whenever i < j we also have f (i) < f (j). We use A * to denote the set of finite words over A. For words w 1 , w 2 ∈ A * , we use w 1 · w 2 to denote the concatenation of w 1 and w 2 . We use to denote the empty word. For a word w = a 1 · · · a n , we use w[i] to denote the ith symbol a i in w, and we will write a ∈ w if a = w[i] for some i : 1 ≤ i ≤ n. We will use a similar notation for tuples. We recall the classical subword ordering on the set A * of words, where a 1 . . . a m a 1 · · · a n if there is a strictly increasing injection g : . To simplify the notation, we write ω ∈ (A * ) * as w 1 · · · w n where w 1 , · · · , w n are words in A * . We extend the ordering to (A * ) * in such a way that Transition Systems A transition system is a pair S = Γ, −→ where Γ is the set of configurations, and −→⊆ Γ×Γ is a binary relation on the set of configurations. As usual, we write γ 1 −→ γ 2 instead of γ 1 , γ 2 ∈−→. We use * −→ to denote the reflexive transitive closure of −→. For a set Γ ⊆ Γ of configurations, we define the set P re (Γ ) := {γ| ∃γ ∈ Γ . γ −→ γ }. Sometimes, we equip Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jonathan Cederberg 3 the set Γ with an ordering and write the transition system as a triple Γ, −→, . We say that S is monotone (wrt. ) if whenever γ 1 −→ γ 2 and γ 1 γ 3 then γ 2 * −→ γ 4 for some γ 4 with γ 3 γ 4 . We say that is a well quasi-ordering (wqo for short), if, for all sequences γ 0 , γ 1 , γ 2 , . . ., there are i < j with γ i γ j . A set U ⊆ Γ is upward closed if whenever γ 1 ∈ U and γ 1 γ 2 then γ 2 ∈ U . The upward closure of a set Γ ⊆ Γ is defined by Γ ↑:= {γ ∈ Γ| ∃d ∈ Γ . d γ}. For sets Γ 1 ⊆ Γ 2 ⊆ Γ, we say that Γ 1 is a minor of Γ 2 if (i) for each γ 2 ∈ Γ 2 there is a γ 1 ∈ Γ 1 such that γ 1 γ 2 , and (ii) γ 1 γ 2 implies γ 1 = γ 2 for all γ 1 , γ 2 ∈ Γ 1 . If is a wqo, then each minor is finite. However, in general, a set may have several different minors. In the applications of this paper, each set Γ has a unique minor, denoted min(Γ ). An instance of the coverability problem consists of two configurations γ 1 and γ 2 . The task is to check whether γ 1 * −→ γ 2 ↑. A transition system Γ, −→, is said to be well quasi-ordered if the following conditions are satisfied: (i) is computable, i.e., for given configurations γ, γ , we can check whether γ 1 γ , (ii) is a wqo, (iii) −→ is monotone wrt. , (iv) for a configuration γ, we can compute the (finite) set min (P re ({γ}↑)). Notice that, since the transition relation is monotone with respect to , it follows that the set P re ({γ}↑) is upward closed. The classical framework of well quasi-ordered transition systems Theorem 1. The coverability problem is decidable for well quasi-ordered transition systems. Timed Lossy Channel Systems In this section, we introduce TLCS, define their operational semantics, and present the reachability problem. Furthermore, we show that it is sufficient to consider a class of "normalized" TLCS where initial ages of messages and new values assigned to clocks are always 0. A TLCS has three parts, a control part, a finite set of clocks, and a finite set of channels. The control part is a finite-state labeled transition system, where the labels are either clock operations or channel operations. The control part can be used to model the total behavior of a number of processes that communicate through the channels. The clocks assume real values, while the channels are unbounded lossy FIFO buffers. Model A Timed Lossy Channel System (TLCS for short) is a tuple T = S, s init , C, M, X, ∆ , where S is a finite set of (control) states, s init ∈ S is the initial control state, C is a finite set of channels, M is a finite set of messages, X is a finite set of clocks, and ∆ is a finite set of transitions. A transition t ∈ ∆ is a triple s 1 , op, s 2 where s 1 , s 2 ∈ S are states and op is an operation of one of the following forms: 1. nop is an empty operation that does not check or update the clock values or the channel contents. 2. c!(m ∈ I) appends a new message m ∈ M to the end of the channel c ∈ C. The initial age of the new message is selected non-deterministically from I ∈ I. 3. c?(m ∈ I) removes (receives) the message at the head of the channel c ∈ C provided that this message is m ∈ M and that its age lies in I ∈ I. 4. x ∈ I checks whether the value of x ∈ X belongs to the interval I ∈ I. 5. x ← I assigns non-deterministically a value to x ∈ X from I ∈ I. Timed Lossy Channel Systems Configurations A configuration γ of T is a triple s, X, ν , where s ∈ S is a control state, X ∈ X → R ≥0 defines the clock values (assigns a real number to each clock), and ν ∈ C → (M × R ≥0 ) * defines the content of each channel (the content of a channel is represented by a word, where each message is represented by a pair containing its name and its age). Transition Relation We define a transition relation on configurations 1. op = nop, X 2 = X 1 , and ν 2 = ν 1 . The empty operation does not affect the clock values or the channel contents. , and δ ∈ I. The transition appends a new message to the end of the channel c with name m, and with an age that belongs to the interval I. , and δ ∈ I. The transition removes the message at the head of the channel c provided that its name is m, and that its age is in the interval I. 4. op = x ∈ I, X 1 (x) ∈ I, X 2 = X 1 , and ν 2 = ν 1 . The transition is enabled only if the value of x belongs to I. The clock values and the channel contents are not affected. Notice that in all five cases the control state changes from s 1 to s 2 . The timed transition relation models the passage of time, in the sense that the values of all clocks and the ages of all messages inside the channels are uniformly increased by (the same) real number. For configurations γ 1 = s, X 1 , ν 1 , γ 2 = s, X 2 , ν 2 , and a real number δ ∈ R ≥0 , the relation γ 1 δ −→ T γ 2 holds if the following two conditions hold: (i) X 2 (x) = X 1 (x) + δ for all x ∈ X, and (ii) for every c ∈ C, if ν 1 (c) is of the form ( . Finally the lossy transition relation allows messages to be lost from the channels at any time. Formally, if γ 1 = s, X, ν 1 and γ 2 = s, X, ν 2 , the relation γ 1 Reachability The initial configuration of a TLCS T is defined by γ init := s init , X init , ν init where X init (x) = 0 for all x ∈ X, and ν init (c) = for all c ∈ C. In other words, T is initiated from a configuration where it is in its initial control state, where all the clocks have a value equal to 0, and where all the channels are empty. A control state s ∈ S is said to be reachable if γ init * −→ T s, X, ν for some X and ν. An instance of the reachability problem consists of an Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jonathan Cederberg 5 TLCS T = S, s init , C, M, X, ∆ and a control state s ∈ S. The task is to check whether s is reachable. Normalization A TLCS T = S, s init , C, M, X, ∆ such that I = [0, 0] for all s 1 , c!(m ∈ I), s 2 ∈ ∆ is said to be message-normalized. We say that T is clock-normalized if whenever s 1 , x ← I, s 2 ∈ ∆ then I = [0, 0]. Finally, T is normalized if it is both clock-and message-normalized. The following two lemmas show that the reachability problem for general TLCS can be reduced to that for normalized TLCS. Therefore, in the rest of the paper, we assume that all TLCS are normalized. Lemma 2. The reachability problem for TLCS can be reduced to that for message-normalized TLCS. Lemma 3. The reachability problem for TLCS can be reduced to that for clock-normalized TLCS. Dynamic Lossy Channel Systems In this section, we introduce the model of Dynamic Lossy Channel Systems (DLCS for short). The model is a generalization of lossy channel systems Model A DLCS is a tuple D = S, s init , C, Σ, ∆ where S is a finite set of (control) states, s init ∈ S is the initial control state, C is a finite set of channels names, Σ is the channel alphabet, and ∆ is a finite set of transitions. A transition t ∈ ∆ is a triple s 1 , op, s 2 where s 1 , s 2 ∈ S are states and op is an operation of one of the following forms: 1. nop is an empty operation that does not check or update the channels, 2. c!m appends the message m ∈ Σ to the end of the static channel c ∈ C, 3. c?m removes the message m ∈ Σ from the head of the static channel c ∈ C, 6 Timed Lossy Channel Systems 4. send_channel(c) makes a copy of the content of the static channel c to a new dynamic channel, and appends the new channel to the end of the sequence of dynamic channels. 5. receive_channel(c) copies the content of the rightmost dynamic channel to the static channel c ∈ C and then removes this dynamic channel from the sequence of channels. Configurations A configuration d of D is a triple s, ν, ω , where s ∈ S is a control state, ν ∈ (C → Σ * ) is a function that represents the content of the set of static channels C, and ω ∈ (Σ * ) * is the content of the sequence of dynamic channels, also called the dynamic part of D. For configurations d 1 = s 1 , ν 1 , ω 1 , d 2 = s 2 , ν 2 , ω 2 , we say that d 1 d 2 if s 1 = s 2 , ν 1 (c) ν 2 (c) for all c ∈ C, and ω 1 ω 2 (recall the definition of from Section 2). Intuitively, we derive d 1 from d 2 by deleting messages from the channels (both static and dynamic) and by removing dynamic channels.

Abstract. We show that the information rate of the language accepted by a reversal-bounded deterministic counter machine is computable. For the nondeterministic case, we provide computable upper bounds. For the class of languages accepted by multi-tape deterministic finite automata, the information rate is computable as well. 1

Abstract. We introduce real-counter automata, which are two-way finite automata augmented with counters that take real values. In contrast to traditional word automata that accept sequences of symbols, real-counter automata accept real words that are bounded and closed real intervals delimited by a finite number of markers. We study the membership and emptiness problems for one-way/twoway real-counter automata as well as those automata further augmented with other unbounded storage devices such as integer-counters and pushdown stacks. 1

The linear reachability problem for finite state transition systems is to decide whether there is an execution path in a given finite state transition system such that the counts of labels on the path satisfy a given linear constraint. Using some known results on minimal solutions (in nonnegative integers) for linear Diophantine equation systems, we present new time complexity bounds for the problem. In contrast to the previously known results, the bounds obtained in this paper are polynomial in the size of the transition system in consideration, when the linear constraint is fixed. The bounds are also used to establish a worst-case time complexity result for the linear reachability problem for timed automata. Key words: Model-checking, timed automata, reachability, linear Diophantine equation systems, minimal solutions 1

This paper proposes a new timed model named nested timed automata (NeTAs). An NeTA is a pushdown system whose stack symbols are timed automata (TAs). It either behaves as the top TA in the stack, or switches from one TA to another by pushing, popping, or changing the top TA of the stack. Different from existing component-based context-switch models such as recursive timed automata and timed recursive state machines, when time passage happens, all clocks of TAs in the stack elapse uniformly. We show that the safety property of NeTAs is decidable by encoding NeTAs to the dense timed pushdown automa-ta. NeTAs provide a natural way to analyze the recursive behaviors of component-based timed systems with structure retained. We illustrate this advantage by the deadline analysis of nested interrupts.