Fast zone-based algorithms for reachability in pushdown timed automata

Given the versatility of timed automata a huge body of work has evolved that considers extensions of timed automata. One extension that has received a lot of interest is timed automata with a, possibly unbounded, stack, also called the pushdown timed automata (PDTA) model. While different algorithms have been given for reachability in different variants of this model, most of these results are purely theoretical and do not give rise to efficient implementations. One main reason for this is that none of these algorithms (and the implementations that exist) use the so-called zone-based abstraction, but rely either on the region-abstraction or other approaches, which are significantly harder to implement. In this paper, we show that a naive extension of the zone based reachability algorithm for the control state reachability problem of timed automata is not sound in the presence of a stack. To understand this better we give an inductive rule based view of the zone reachability algorithm for timed automata. This alternate view allows us to analyze and adapt the rules to also work for pushdown timed automata. We obtain the first zone-based algorithm for PDTA which is terminating, sound and complete. We implement our algorithm in the tool TChecker and perform experiments to show its efficacy, thus leading the way for more practical approaches to the verification of pushdown timed systems.


Introduction
Timed automata [6] are a popular formalism for capturing real-time systems, and of use for instance, in model checking of cyber-physical systems. They extend finite automata with real variables called clocks whose values increase over time; transitions are guarded by constraints over these variables. The main problem of interest is the reachability problem, which asks whether a given state can be reached while satisfying the constraints imposed by the guards.
This problem is known to be PSPACE-complete (already shown in [6]). The PSPACE algorithm, uses the so-called region-automaton construction, which essentially abstracts the timed automaton into an exponentially larger finite automaton of regions (collections of clock valuations), which is sound and complete for reachability.
Despite this complexity-theoretic hardness, the model of timed automata has proved to be extremely influential and versatile, resulting in an enormous body of work on its theory, variants and extensions over the past 25 years. Almost since its inception, researchers also began to develop tools to extend from theoretical algorithms to solve practical problems. Such tools range from the classical and richly featured tool UPPAAL [8,22] to the more recent open-source tool TChecker [18], which have been used on industry strength benchmarks and perform rather well on many of them. These tools use a different algorithm for reachability, where reachable sets of valuations are represented as zones and explored in a graph. While a naive exploration of zones does not terminate, the algorithms used identify different strategies [7,20,17], e.g., subsumption or simulations, extrapolations, for pruning the zonebased exploration graphs, while preserving soundness and completeness of reachability. While this does not change the worst case complexity, in practice, the zone exploration results in much better practical performance as it allows on-the-fly computation of reachable zones. One could even argue that the wider adoption of timed automata paradigm in the verification community has been a result of scalable implementations and tools built on this zone-based approach.
In light of this, zone-based algorithms are often looked for to improve practical performance of extensions of timed automata as well. For instance, for timed automata with diagonal constraints, classical zone-based approaches were shown to be unsound [10,11], but recently, an approach has been developed which adapts the existing construction and obtains fast zone-based algorithms [16]. In the present paper, we are interesting in adding a different feature to timed automata, namely an unbounded lifo-stack. This results in a powerful model of pushdown timed automata (PDTA for short), in which the source of "infinity" is both from real-time and the unbounded stack. Unsurprisingly, this model and its variants have been widely studied over the last 20 years with several old and recent results on decidability of reachability, related problems and their complexity, including [1,2,3,4,5,9,12,13,14,15]. A wide variety of techniques have been employed to solve these problems, from region-based abstractions, to using atoms and systems of constraints, to encoding into different logics etc. However, except for [5,4], to the best of our knowledge, none of the others carry an implementation. In [5], the implementation uses a tree-automaton implicitly based on regions and the focus in [4] is towards multi-pushdown systems. A common factor of all these works is that none of them consider zone-based abstractions.
In this paper, we ask whether zone-based abstractions can be used to decide efficiently reachability questions in PDTA. We focus on the problem of well-nested control-state reachability of PDTA, i.e., given a PDTA, an initial and a target state, does there exist a run of the PDTA that starts at the initial state with empty stack and reaches the target state with an empty stack (in between, i.e., during the run, the stack can indeed be non-empty). As with timed automata, our goal here is towards its applicability to build powerful tools which could lead to wider adoption of the PDTA model and showcase its utility to model-checking timed recursive systems. As the first step, we examine the difficulties involved in mixing zones with stacks and point out that a naive adaptation of the zone-based algorithm would not be sound. Then we propose a new algorithm that modifies the zone-based algorithm to work for pushdown timed automata. This is done in three steps.
First we view the zone-graph exploration at the heart of the zone-based reachability algorithm for timed automata as a least fixed point computation of two inductive rules. When applied till saturation, they compute a sound and complete finite abstraction of the set of all reachable zones. Next, this view allows us to generalize the approach in the presence of a stack by adding new inductive rules that correspond to push and pop transitions, and hence are specific to the stack operation. There are two main technical difficulties in this. First, we need to ensure termination of the fixed point computation, using a strong enough pruning condition of the (a priori infinite) zone graph to ensure finiteness, while being sound and not adding spurious runs. Second, we want to aggressively prune the graph as much as possible to obtain an efficient zone-exploration algorithm. We show how we can minimally change the condition of pruning in the zone exploration graph to achieve this delicate balance. Indeed, in doing so we use a judicious combination of the subsumption (or simulation) relation and an equivalence relation for obtaining a fixed point computation for PDTA that is terminating, while being sound and complete. Finally, we build new data structures that allow us to write an efficient algorithm that implements this fixed point computation. While getting a correct algorithm is relatively simple, to obtain an efficient one, we must again encounter and overcome several technical difficulties. We implement our approach to build the first zone-based tool that efficiently solves wellnested control state reachability for PDTA. Our tool is built on top of existing infrastructure of TChecker [18], an open source tool and benefits from many existing optimizations. We perform experiments to show the practical performance of multiple variants of our algorithm and show how our most optimized version is vastly better in performance than other variants and of course the earlier region-based approach on a suite of example benchmarks.
We note that our PDTA model differs slightly from the model considered in [1,3], as there is no age on stack and time spent on stack cannot be compared with clocks. Hence our model is closer to [9,15]. However, in [12], it was shown that these two models are equivalent, more specifically, the stack can be untimed without loss of expressivity (albeit with an exponential blowup). Thus our approach can be applied to the other model as well by just untiming the stack. There are other more powerful extensions [14,13] studied especially in the context of binary reachability, where only theoretical results are known. We also remark that the idea of combining the subsumption relation between zones with an equivalence relation also occurs while tackling liveness, or Buchi acceptance, in timed automata. This has been studied in depth [23,21,19], where the naive zone-based algorithm does not work, forcing the authors to strengthen the simulation relation in different ways. Though these problems are quite different, there are surprising similarities in the issues faced, as explained in Section 3.
The structure of the paper is as follows: we start with preliminaries and move on to the difficulty in using zones and simulation relations in solving reachability in PDTA. Then, we introduce in Section 4 our inductive rules for timed automata and PDTA and show their correctness. In Section 5, we present our algorithm and helpful data-structural advancements. We show the experimental performance in Section 6 and end with a brief conclusion.

Timed automata
Timed automata extend finite-state automata with a set X of (non-negative) real-valued variables called clocks. We let Φ(X) denote the set of constraints ϕ that can be formed using the grammar: ϕ : otherwise. Finally, v 0 is the valuation that sets all clocks to 0. A timed automaton A is a tuple (Q, X, q 0 , ∆, F ), where Q is a finite set of states, X is a finite set of clocks, q 0 ∈ Q is an initial state, F ⊆ Q is the set of final states and ∆ ⊆ Q × Φ(X) × 2 X × Q is a set of transitions. A transition t ∈ ∆ is of the form (q, g, R, q ), where q, q are states, g ∈ Φ(X) is the guard of the transition and R ⊆ X is the set of clocks that are reset at the transition. The semantics of a timed automaton A is given as a transition system TS(A) over configurations. A configuration is a pair (q, v) where q ∈ Q is a state and v is a valuation, with the initial configuration being (q 0 , v 0 ). The transitions are of two types. First, for a configuration (q, v) and δ ∈ R ≥0 , (q, v) . A run is an alternating sequence of delays and discrete transitions starting from the initial configuration, and is said to be accepting if the last state in the sequence is a final state. A timed automaton is said to be diagonal-free if the atomic constraints used in guards do not involve diagonal constraints, i.e., constraints of the form x − y ∼ c.

Reachability, Zones and simulations
The problem of control-state reachability asks whether a given timed automaton has an accepting run. This problem is known to be PSPACE-complete [6], originally shown via the so-called region abstraction. Note that, since TS(A) is infinite, some abstraction is needed to get an algorithm. In practice however, the abstraction used to solve reachability, e.g., in tools such as UPPAAL [22] or TChecker [18] is the zone abstraction. A zone Z is defined as a set of valuations defined by a conjunction of atomic clock constraints. Given a guard g and reset R, we define the following operations on zones: time elapse The resulting sets are also zones. With this, we can define the zone graph ZG(A) as a transition system obtained as follows: the nodes are (state, zone) pairs and (q, Z) . The initial node is (q 0 , Z 0 = − − → {v 0 }) and a path in the zone graph is said to be accepting if it ends at an accepting state. The zone graph is known to be sound and complete for reachability, but as the graph may still be infinite, this does not give an algorithm for solving reachability yet.
To obtain an algorithm, one resorts to different techniques such as extrapolation or simulation. Here we focus on simulation relations which will lead to finite abstractions. Given a timed automaton A, a binary relation on configurations is called a simulation if whenever (q, v) (q , v ), we have q = q and for each delay δ ∈ R ≥0 , (q, v + δ) (q, v + δ) and for each t = (q, g, R, We often simply write v q v instead of (q, v) (q, v ). We can now lift this to sets Z, Z of valuations as Z q Z if for all v ∈ Z there exists v ∈ Z such that v q v . We say that node (q, Z) is subsumbed by node (q, Z ) when Z q Z . As a consequence we obtain the following lemma.
A simulation is said to be finite if for every sequence of nodes (q 1 , Z 1 ), (q 2 , Z 2 ), . . . there exist two nodes (q i , Z i ) and (q j , Z j ) with i < j such that q i = q j and Z j qi Z i . The importance of the finiteness is that it allows us to stop exploration of zones along a branch of the zone graph: when a node (q j , Z j ) is reached which is subsumed by an earlier node (q i , Z i ), we may cut the exploration since all control states reachable from the latter are already reachable from the former. For a timed automaton A, we call this pruned graph as ZG (A). Thus, if the simulation relation is finite, then ZG (A) is finite, sound and complete for control state reachability. We formalize this algorithm in Section 4, using inductive rules.
Various finite simulations have been shown to exist in the literature, including the famous LU-abstractions [7] for diagonal-free timed automata, and more recent G-abstractions based on sets of guards [16] for timed automata with diagonal constraints. Hence this theory indeed has resulted in better implementations and is used in standard tools in this domain.
We will see that using simulation in the context of pushdown timed automata is not always sound, in some cases we need a stronger condition to stop the exploration. Towards this, we consider the equivalence relation on nodes induced by the simulation relation: Z ∼ q Z if Z q Z and Z q Z. We say that the simulation is strongly finite if the induced equivalence relation ∼ has finite index. Notice that strongly finite implies finite but the converse does not necessarily hold. Fortunately, the usual simulations for timed automata, in particular the LU-simulation and the G-simulation, are strongly finite.

Pushdown timed automata (PDTA)
A Pushdown Timed Automaton A is a tuple (Q, X, q 0 , Γ, ∆, F ), where Q is a finite set of states, X is a finite set of clocks, q 0 ∈ Q is an initial state, Γ is the stack alphabet, F ⊆ Q is the set of final states and ∆ is a set of transitions. A transition t ∈ ∆ is of the form (q, g, op, R, q ), where q, q are states, g ∈ Φ(X) is the guard of the transition and R ⊆ X is the set of clocks that are reset at the transition, op is one of three stack operations: nop or push a or pop a for some a ∈ Γ.
The semantics of a PDTA A is given as a transition system TS(A) over configurations. A configuration here is a tuple (q, v, χ) where q ∈ Q is a state, v is a valuation, χ ∈ Γ * is the stack content, with the initial configuration being (q 0 , v 0 , ε). The transitions are of two types.
First, for a configuration (q, v, χ) and δ ∈ R ≥0 , (q, v, χ) if op = nop, then χ = χ, if op = push a then χ = χ · a, if op = pop a , then χ = χ · a. A run is an alternating sequence of delays and discrete actions starting from the initial configuration. It is accepting if the last state in the sequence is final.
Our main focus is the well-nested control state reachability problem for PDTA, which asks whether a configuration (q, v, ε) with q ∈ F is reachable, where the stack is empty. Later, in Section 7, we remark how our solution can be extended to solve general control state Note that if we ignore the push/pop actions we get a TA, say A. Figure 2 Zone graph with simulation edges for finiteness. Again ignoring push/pop actions gives us a zone graph for the TA. Z0 is the initial zone. reachability, i.e., asking whether a configuration (q, v, χ) with q ∈ F is reachable, possibly with a nonempty stack χ.

Zones in PDTA and the problem with simulations
As mentioned earlier, zones are collections of clock valuations defined by conjunctions of timing constraints, and exploring zones reached by a timed automaton gives a sound and complete abstraction for state reachability. To make sure that the exploration is finite we need to prune the graph and one way this is done by simulation, i.e., not exploring paths from some nodes if they are "subsumed" by earlier nodes visited in the graph. Consider Figure 1, in which we ignore the push a and pop a or we can think of them as internal actions. Then the usual zone-graph construction with simulation would give the graph depicted in Figure 2. In this section, just for illustration we instantiate the simulation relation to be the well-known LU-simulation (we do not give the definition here as it is not relevant to what comes later, instead we refer to earlier work [7]). Using this, we obtain that the rightmost node is subsumed by the previous one, and hence the dotted simulation edge. If we did not do this we immediately observe that we get an infinite graph with increasing sets of zones. Now, our first question is whether this zone exploration with simulation can be lifted to PDTA. In this example, if we were to add back the push/pop edges, we get exactly the same Zone graph with annotations, and further, the final state is indeed reachable. Hence, for this particular example we do obtain a finite, sound and complete graph exploration. However, in general it turns out that the procedure is not sound.
Consider the example in Figure 3. In this example, again considering it as a TA (ignoring the push/pops), we would get the zone graph below, which would be finite, sound and complete for reachability in that TA. But if we consider it as a PDTA, now doing the same does not preserve soundness. In other words, in the PDTA, q 3 is no longer reachable. However, in the zone graph we would conclude that it is reachable due to the simulation edge. If, to fix this, we remove the dotted simulation edge, then we will lose finiteness.
Thus, it seems that we have a difficult situation where zones with the simulation relation, needed for termination, do not preserve soundness. This situation resembles the situation studied in [23,21,19], where the authors study liveness or Buchi-acceptance conditions in timed automata. Again in that situation, the naive algorithm with zone simulation does not work and the authors are forced to strengthen the simulation relation in different ways.
Surprisingly, it turns out, that even in our very different problem setting of reachability in PDTA, a similar solution works. That is, we replace simulation by equivalence (defined in the previous section) as the pruning criterion. However, there are two issues (i) it is not

Figure 3
A PDTA and its zone graph with simulation. With the simulation (dotted) edges, q3 is reachable in the zone graph, but its not reachable in the PDTA. easy to prove its correctness and (ii) this is far from efficient as shown in the experimental section. Our goal to use zones in the first place was efficiency and hence we would like to prune the zone graph as much as possible, i.e., we would like to use simulation edges as much as possible. In the next two sections, we describe our fix. We first show a different view of the exploration algorithm as a fixed point rule based approach. This allows us to then describe our fix in the same language, which is much easier to understand conceptually. Also as a corollary we will be able to show that using equivalence everywhere also gives a correct algorithm. After proving the correctness of our rule-based algorithm, we then tackle the challenges in implementing it.

Viewing reachability algorithms using rewrite rules
In this section, our goal is to compute a set S of nodes of the zone graph of a PDTA, as a least fixed point of a small set of inductive rules, such that a control state q occurs in S, i.e., (q, Z) ∈ S for some Z iff q is reachable in the PDTA from its initial state. To understand the rules and their correctness it is easier to first visualize this on plain timed automata without any push-pop edges.

Rewrite rules for Timed automata.
Given a TA A = (Q, X, q 0 , ∆, F ), the set S containing all reachable nodes of the zone graph, can be obtained as the least fixed point of the following inductive rules, with a natural deduction style of presentation.
Let S * denote the set at the fixed point by starting with the start rule and repeatedly applying the trans rule. It is easy to see that this computes the set of all reachable nodes of the zone graph: the start rule starts with the initial node and each application of trans rule takes a reachable node and applies a transition of the automaton and includes the resulting node reached. However, this set S * is a priori infinite since number of zones is infinite.
To make it finite we add a condition under which we will apply the transition rule based on a finite simulation relation (let us denote it ) for A.
Thus to obtain an algorithm, we would explore all nodes in the Zone graph using a search algorithm (say DFS/BFS) and we would add a node only if it is not subsumed by an already visited node, according to the simulation relation. We explained in Section 2.2 that doing this preserves soundness and completeness and gives a finite exploration.

Lemma 2.
Let S * denote any set obtained from the start rule and by repeatedly applying Trans-till a fixed point is reached. Note that depending on the order of applications we may have different sets. Then we have:

(soundness and completeness) For all
We do not give the proof here as (i) it is only a reformulation of known results and (ii) it will be subsumed by the much stronger theorem we prove next.

Rewrite rules for PDTA.
Let A = (Q, X, q 0 , Γ, ∆, F ) be a PDTA, we will need not just a set but a tuple of sets. More precisely, we maintain a set of nodes S called root nodes. For each root node (q, Z) ∈ S, we also maintain a set of nodes, denoted S (q,Z) . The intuition is that root nodes are those that can be reached after pushing a symbol to the stack, whereas S (q,Z) will be the set of nodes that can be reached from (q, Z) with a well-nested run, i.e., starting with an empty stack and ending in an empty stack. This is to avoid storing the stack contents in our algorithm, which would be another source of infinity. Again, we use simulations to make the computation finite. So we fix a strongly finite simulation relation for A. Table 1 Inductive rules for well-nested control state reachability of PDTA Our inductive rules for well-nested control state reachability of pushdown timed automata are given in Table 1. Note that the internal rule is just the same as for timed automata above. The start rule not only starts the set of nodes computation but also the set of roots computation as described above. So the only interesting rules are the Push and Pop rules. The push rule says that when a push is encountered, then we must start exploring from a new root (i.e., context). So the only complicated rule is the Pop rule. Here the intuition is that if we see a push at a node and from a root equivalent to the root created from it, (i.e., its context) we see a matching pop reaching a new node, then this push-pop context is complete, and we can add this new node to the set of reachable nodes. This is precisely the point where we need equivalence rather than simulation and this will be made clear in the proof of the theorem below. Theorem 3. Let S * and (S (q,Z) ) (q,Z)∈S * denote any tuple of sets obtained from the start rule and by repeatedly applying the rules in Table 1 till a fixed point is reached 1 . Note that we always have (q 0 , Z 0 ) ∈ S * . The following statements hold: Proof. 1. Note that only the Push rule creates new root nodes and the red condition states that a new root node is added only if there isn't already an equivalent node in S * . Since the simulation relation is strongly finite, the set of roots S * must be finite. Also, before adding a node to some S (q,Z) with the internal rule or the pop rule, we check that the node is not subsumed by an existing one. Since the simulation relation is finite, this ensures that each set S (q,Z) is finite.
We will then show that v n qn Z for some (q n , Z ) ∈ S (q,Z) . The proof is by induction on n. Base case: For n = 1 we have q = q and v = v. The result is obtained by taking Z = Z. Notice that (q, Z) ∈ S (q,Z) follows immediately from the start rule if q = q 0 , Z = Z 0 or from the push-create rule. Let us then assume that the statement holds for runs of length at most n − 1. Consider any run of the form (q, v, ε) = (q 1 , v 1 , χ 1 ) → · · · → (q n , v n , χ n = ε) with v q Z. Notice that its last transition (q n−1 , v n−1 , χ n−1 ) → (q n , v n , χ n ) cannot be a push transition (in the PDTA) since χ n = ε. Hence, we have three subcases, depending on the last transition.
Time elapse. χ n−1 = χ n = ε, q n−1 = q n = q , v n = v n−1 + δ for some δ ∈ R ≥0 . Applying induction hypothesis, we have v n−1 q Z for some (q , Z ) ∈ S (q,Z) . Since zones are closed under time elapse, we get Z = − → Z and by definition of the simulation relation This completes the case.
Discrete internal transition. In this case . From the definition of the simulation relation we get v n qn Z . Then, applying the Internal rule, there exists (q n , Z ) ∈ S (q,Z) such that Z qn Z , with possibly Z = Z . Hence, v n qn Z qn Z , which completes the case. Pop transition. Then there exists 1 ≤ i < n−1 such that the run has the form: where the push and pop are matching transitions, i.e., |χ j | ≥ 1 for all

Figure 4
Construction for the completeness-push-pop last sub-case.
i < j < n − 1 (see Figure 4). Then by induction hypothesis at i, we have From the push transition we have We can apply the Push rule to obtain in the PDTA never pops the symbol a (by choice, since otherwise the push and pop would not be matching).
Hence we will also have the same sequence of transitions forming a run ( Finally, we have the pop transition We . From v n−1 qn−1 Z n−1 and the definition of the simulation relation we obtain v n qn Z n . Then, combining all the above equations (1)(2)(3)(4)(5), and applying the Pop-rule we obtain some (q n , Z n ) ∈ S (q,Z) with Z n qn Z n (possibly Z n = Z n ). Finally we get v n qn Z n qn Z n . This completes the proof.

3.
We will show that the following property is invariant by rule applications: The invariant holds initially, i.e., after application of the start rule. Indeed, in this case we have S = {(q 0 , Z 0 )} and S (q0,Z0) = {(q 0 , Z 0 )}. Hence (q , Z ) = (q, Z) = (q 0 , Z 0 ) and for all v ∈ Z 0 we can choose the empty run (q 0 , v, ε) 0 − → (q 0 , v, ε). We show below that (Inv) is preserved by application of an internal/push/pop rule. Therefore, the invariant still holds when reaching the fixed point, which proves the soundness. Let us write S − and S − (q,Z) for the sets before the application of the rule and S and S (q,Z) for the sets after the application of the rule. Internal rule. Let (q, Z) ∈ S = S − , (q , Z ) ∈ S (q,Z) and v ∈ Z . If (q , Z ) ∈ S − (q,Z) then we get the result since (Inv) holds before applying the internal rule. Otherwise, there is some with v q v and we are done.
Push rule. Let (q, Z) ∈ S, (q , Z ) ∈ S (q,Z) and v ∈ Z . If (q, Z) ∈ S − then we get the result since (Inv) holds before applying the Push rule. Otherwise, we must have (q , Z ) = (q, Z) and we can choose the empty run (q, v , ε) then we get the result since (Inv) holds before applying the Pop rule. Otherwise, by definition of the pop rule we have: The construction below is illustrated in Figure 5.
Since v ∈ Z 2 , we get some v 4 ∈ Z 1 such that v 4 |= g 1 and v = [R 1 ]v 4 + δ for some Finally, we apply the invariant to (q, Z) ∈ S, (q , Z ) ∈ S (q,Z) and v 2 ∈ Z , we get a run By repeatedly applying the property of simulation , we may extend the run from (q , v 2 , ε) Finally v q2 v . Therefore, the invariant holds after the pop rule.

Algorithm for PDTA Reachability via Zones
In this section, we describe Algorithm 1 implementing the fixed point computation defined by the inductive rules in Table 1. We describe the structure of the algorithm and its main data-structures. Notice first that the sets S and S (q,Z) for (q, Z) ∈ S can be alternatively represented as a single set of pairs of nodes: We can recover S as the first projection of S and S (q,Z) as the second projection of S filtered by the first component being (q, Z). We use both notations below depending on which is more convenient.
should be added to S (q,Z) or is subsumed by an existing node. This is like a graph traversal. The set S stores the already discovered pairs of nodes, and we will use a ToDo (unordered) list to store the newly discovered nodes from which outgoing transitions should be considered. The ToDo list should also consist of pairs [(q, Z), (q , Z )] so that when a new node (q , Z ) is discovered by an internal transition from (q , Z ) we know to which set S (q,Z) it should be added.
As we can see from Theorem 3-soundness, given (q, Z) ∈ S, the set S (q,Z) should consist of nodes reachable from (q, Z) via a well-nested run. Hence, when dealing with a pair [(q, Z), (q , Z )] ∈ S and we see a push transition q , we should not try to add the pair (q , Z ) to S (q,Z) since the corresponding run would not be well-nested. Instead, we should search for a matching pop transition which could be taken after a well-nested run starting from (q , Z ). This is why the push rule adds the new root (q , Z ) to S (unless it is equivalent to an existing root). The pair of nodes [(q , Z ), (q , Z )] is newly discovered and added to the ToDo list for further exploration.
The push transition may be matched with several pop transitions (which could be already discovered or yet to be discovered by the algorithm). To avoid revisiting the push transition many times, it will be stored by the algorithm in an additional set S push . More precisely, we will store in S push the tuple [(q, Z), a, (q , Z )] meaning that the root node (q , Z ) may be reached from the root node (q, Z) via a well-nested run reaching some (q , Z ) followed by a transition pushing a onto the stack.
Finally, assume that, when dealing with a pair [(q 1 , Z 1 ), (q 1 , Z 1 )] ∈ S, we see a pop . We will check whether it can be matched with an already visited push transition, stored in the set S push as a pair [(q, Z), a, (q , Z )] with (q , Z ) = (q 1 , Z 1 ). If this is the case, the pop rule may be applied and the node (q 2 , Z 2 ) added to S (q,Z) (unless it is subsumed by an existing node). The newly discovered pair of nodes [(q, Z), (q 2 , Z 2 )] is also added to the ToDo list for further exploration. Once again, the pop transition may also be matched with push transitions that will be discovered later by the algorithm. To avoid revisiting the pop transition many times, we store the tuple [(q 1 , Z 1 ), a, (q 2 , Z 2 )] in a new set S pop .
Data structures. We use a data structure TLM to store the triple of sets (S, S push , S pop ) and which is accessed with the following methods.
TLM.create() creates the data structure with the three sets empty.  Concretely, the data structure should store sets of nodes (q, Z) and be able to search or iterate through such sets. In order to make the algorithm slightly faster, we will segregate our sets of nodes, with the name of the state. We will use a hashmap in order to accomplish this task. See Figure 6 where the concrete data structure is depicted. We will use a first level hashmap to store the set of roots S. In order to implement TLM.isNewNode(q, Z, q , Z ), we first search for (q, Z) in the first level map, then a pointer TLM[q][Z][0] will lead to a second level hashmap for the set of nodes S (q,Z) and we search for (q , Z ) in this second level map. See Figure 6(b).
To implement TLM.isNewPop(q, Z, a, q , Z ) and TLM.iterPop(q, Z, a), we first search the root node (q, Z) in the first level map, then a pointer TLM[q][Z][2] will lead to a second level hashmap storing the set of triples (a, q , Z ) such that [(q, Z), a, (q , Z )] ∈ S pop . To speed up the access, this second level pop map is segregated first on the key a, then on the key q to get the list of corresponding zones Z . See Figure 6(c,d).
Finally, we also store the set S push to implement TLM.isNewPush(q, Z, a, q , Z ) and TLM.iterPush(a, q , Z ). Notice that S push consists of triples [(q, Z), a, (q , Z )] where both (q, Z) and (q , Z ) are root nodes from S. Notice also that for the iteration we fix the second node (q , Z ). To get an efficient implementation, we first search the root node (q , Z ) in the first level map, then a pointer TLM[q ][Z ][1] will lead to a second level hashmap storing the set of triples (a, q, Z) such that [(q, Z), a, (q , Z )] ∈ S push . To speed up the access, this second level push map is segregated first on the key a, then on the key q to get the list of corresponding zones Z. See Figure 6(c,d).
We move next to proving the main lemmas that will help us show correctness of Algorithm 1. We start with termination.

Lemma 4 (Termination). Algorithm 1 will always terminate.
Proof. If we look at our algorithm, we can clearly see that before adding a pair of nodes to the ToDo list, we add the same pair to S with TLM.add, and before that, we always check whether the pair is already in our TLM or not (isNewNode or isNewRoot). Since the size of the TLM is always bounded because we check either the first level map or the second level map before adding, the outer while loop will be called only a finite number of times, which shows termination of the algorithm. while ToDo = ∅ do 6: if op = nop ∧ TLM.isNewNode(q, Z, q , Z ) then 9: TLM.add(q, Z, q , Z ) Internal Rule 10: ToDo (a) First level map constructed using equivalence ∼q for controlling size. Keys will be state names, values will be lists of quadruplets, each of which has four pointers to second level maps, second level pushes maps, second level pops maps, and zones.
(d) For pushes/pops map, this is a map corresponding to root node (q1, Z1), and symbol a2 (say). The (q, Z) stored here is constructed using equivalence (pushes map), or using simulation (pops map).

Figure 6
Two level map implementing the data structure TLM storing the sets S, S push , Spop.
Next, recall that TLM encodes a triple of sets (S, S push , S pop ) defined by: Recall also the correspondence explained at the beginning of Section 5 between a set S of pairs of nodes, and the set of roots S together with the sets of nodes S (q,Z) for (q, Z) ∈ S. Then we have the following properties. and some transition t = q Using the three properties above, we will now show soundness and completeness of Algorithm 1. We start with soundness, for which we need to define the notion of a midcomputation. Table 1 in some order (not necessarily until a fixed point is reached). We say that TLM is a mid-computation when it encodes a triple (S, S push , S pop ) where S is a mid-computation.

Definition 8 (Mid-Computation (MC)). A mid-computation is any set S of pairs of nodes [(q, Z), (q , Z )] that can be obtained by applying the inductive rules in
For example, just applying the start rule yields S = {[(q 0 , Z 0 ), (q 0 , Z 0 )]}, which is a mid-computation. Now we can show the following lemma.

Lemma 9 (Soundness). At any point in Algorithm 1, TLM is a mid-computation.
Proof. We will prove this lemma by induction. Base Case: Just after execution of Line 3, we have S = {[(q 0 , Z 0 ), (q 0 , Z 0 )]} which is the smallest MC, just after applying the start rule. Induction Hypothesis: Let us say that after letting the algorithm execute for some time we stop it, and TLM is a mid-computation. Induction: Now we prove that no matter what happens, TLM will still be a MC. There are only a few statements in the algorithm that will change S encoded by TLM, and that is when some add method is called. Apart from the initialization in Line 3 which has been considered in the base case, they all start with a pair [(q, Z), (q , Z )] popped from ToDo list. According to Lemma 5, we can see that (q , Z ) ∈ TLM[q][Z][0], i.e., [(q, Z), (q , Z )] ∈ S or equivalently (q, Z) ∈ S and (q , Z ) ∈ S (q,Z) . Now, we have several cases.
TLM.add(q, Z, q , Z ) on Line 9: The transtion in consideration is t = q From the test TLM.isNewNode(q, Z, q , Z ), we know that (q , Z ) is not already subsumed by an element in S (q,Z) . Therefore, the rule for internal transitions can be applied, resulting in S := S ∪ {[(q, Z), (q , Z )]}. And this corresponds to excecuting Line 9. Therefore, the new TLM after Line 9 is also a mid-computation.
TLM.add(q , Z , q , Z ) on Line 14: The call to isNewRoot on Line 12 returned [true, Z ], indicating that (q , Z ) is a new root. Therefore, the push rule can be applied here, which is what is done in Line 14 and TLM is still a mid-computation.
TLM.add(q, Z, q 2 , Z 2 ) on Line 21: The transition in consideration is Since TLM encodes S, we have [(q , Z 1 ), (q 1 , Z 1 )] ∈ S, i.e., (q , Z 1 ) ∈ S and (q 1 , Z 1 ) ∈ S (q ,Z1) . We can therefore apply the pop rule over here, unless (q 2 , Z 2 ) is subsumed by an existing node in S (q,Z) , which is checked in Line 20. Therefore the pop rule can be applied, which is exactly done in Line 21, resulting in TLM being again a mid-computation.
Since TLM encodes S, we have (q 3 , Z 3 ) ∈ S and (q 3 , Z 3 ) ∈ S (q3,Z3) . We can therefore apply the pop rule here as well, if the node (q , Z ) is not subsumed by any other node in S (q3,Z3) , which is checked in Line 30. The pop rule can therefore be applied and the resulting TLM is still a mid-computation.
Next we turn to completeness of the algorithm. Table 1, that is, no new node can be added by applying one of these rules.

Lemma 10 (Completeness). After the termination of Algorithm 1, the set S encoded by TLM is a fixed point of the inductive rules in
Proof. We show that the rules defined in Table 1 will not add any new pair of nodes to the set S defined by TLM.
Start Rule: After Line 3 of the algorithm we see that [(q 0 , Z 0 ), (q 0 , Z 0 )] ∈ S. Therefore, applying the start rule would not add any new pair of nodes.  Table 1 would add (q , Z ) to S (q,Z) unless there is (q , Z ) ∈ S (q,Z) with Z q Z . Now, since [(q, Z), (q , Z )] ∈ S then TLM.add(q, Z, q , Z ) was executed, and [(q, Z), (q , Z )] was also added to ToDo. When [(q, Z), (q , Z )] was removed from ToDo, the internal transition t was considered. Hence, either the test TLM.isNewNode(q, Z, q , Z ) returned true and TLM.add(q, Z, q , Z ) was executed; we get (q , Z ) ∈ S (q,Z) . Or the test returned false and we had some (q , Z ) ∈ TLM[q][Z][0] = S (q,Z) such that Z q Z . In both cases, the rule for internal transitions is satisfied. Push Rule: Let (q, Z) ∈ S and (q , Z ) ∈ S (q,Z) , i.e., [(q, Z) Since [(q, Z), (q , Z )] ∈ S then TLM.add(q, Z, q , Z ) was executed, and [(q, Z), (q , Z )] was also added to ToDo. When [(q, Z), (q , Z )] was removed from ToDo, the push transition t was considered and TLM.isNewRoot(q , Z ) was called and returned [isN ew, Z 1 ]. If the boolean isN ew is true then Line 14 is executed resulting in [(q , Z ), (q , Z )], i.e., (q , Z ) ∈ S and (q , Z ) ∈ S (q ,Z ) . Otherwise, (q , Z 1 ) ∈ S and Z ∼ q Z 1 . In both cases, the rule for push transitions is satisfied.
Pop Rule: Let the rule premises be (q, We will show that there is (q 2 , Z † 2 ) ∈ S (q,Z) with Z 2 q2 Z † 2 so that the conclusion of the pop rule is satisfied. First, by the argument used earlier with respect to [(q, Z), (q , Z )] ∈ S, we can say that the transition t, hence also the node (q , Z ), should have been considered while popping [(q, Z), (q , Z )] from the ToDo list. Since no two nodes in the first level map of TLM are equivalent, we can say that Z 1 used in Line 17-25 coincide with Z 1 used here. Due to Lines 17-18, we get (a, q, Z) ∈ TLM[q ][Z 1 ] [1]. Let us note T push the time when TLM.addPush(q, Z, a, q , Z 1 ) was executed. Note that this time could have been earlier than when transition t was considered if condition on Line 17 was not satisfied. With respect to (q 1 , Z 1 ) ∈ S (q ,Z1) , i.e., [(q , Z 1 ), (q 1 , Z 1 )] ∈ S, we can say that transition t 1 , hence also node (q 2 , Z 2 ), should have been considered when [(q , Z 1 ), (q 1 , Z 1 )] was removed from the ToDo list. Notice the correspondence between the notation in the algorithm and the notation above, correspondence given by: Hence, the test on Line 27 translates to TLM.isNewNode(q , Z 1 , a, q 2 , Z 2 ). If it returns false, there must be some other node (q 2 , [a], and to unify the notation, we let Z 2 = Z 2 . Let us note T pop the time when TLM.addPop(q , Z 1 , a, q 2 , Z 2 ) was executed.
We have the following cases now Finally, from Lemma 4, Lemma 9, Lemma 10 and Theorem 3, we obtain: Theorem 11. The set S encoded by TLM computed by Algorithm 1 is a fixed point obtained starting from the empty set by applying the inductive rules in Table 1. Therefore, Algorithm 1 terminates and is sound and complete for well-nested control state reachability of pushdown timed automata.

Experiments and Results
We build on the existing architecture of an open-source tool for analysis of timed automata, TChecker [18]. Our tool is freely available for download and use at https://github. com/karthik-314/PDTA_reachability. Currently, our implementation uses only the LUsimulation [7] and hence we only deal with diagonal-free timed automata. But we could also extend it to use G-simulations from [16], which would allow us to handle diagonal constraints as well.

Implementation
The input for our implementation are PDTA, rather than TA so we modify TChecker in order to run our experiments. While most of the TChecker file format will remain the same, the only place where we make a change to the syntax of the input, will be the edges. TChecker uses the following format, for its transitions, edge:<Process>:<src>:<tgt>:<label>{ do:<Reset1(x=0)> ; <Reset2(y=0)> : provided: <guard1(x==0)> && <guard2(y>=1)>} The new format in order to incorporate the pushes and pops will be, In case the operation is nop, the square brackets are left empty. We have implemented two variants of Algorithm 1 for PDTA and we will compare these between each other and also with a region-based approach. More precisely, we consider the following 3 algorithms: Simulation As mentioned in Section 4, if instead of simulation, we just use equivalence everywhere, we do obtain a correct algorithm for reachability in PDTA. Hence it is interesting to compare it with the above approach. Region Based Implementation (RB): A previous implementation [5], uses a region based approach in order to solve the non-emptiness problem in PDTA. We note two features of the algorithm. First, it uses a tree-automaton based approach for efficiency and correctness, but underlying it is the region (rather than zone) construction. Second, it works only with closed guards, while our approach works with closed and open guards. We note the following important points regarding our implementation: 1. The used in our implementation will be LU [7], without extrapolation and with global clock bounds. 2. The ToDo list used currently uses LIFO (stack) ordering for popping of elements. This corresponds to a DFS exploration of the zone-graph. But we can use other data structures for this purpose as well, e.g., changing it to FIFO would give us a BFS exploration etc. 3. Both the simulation based and equivalence based approach are tested on PDTA with empty and non-empty languages, but we have ensured that both of them return an answer only after the entire exploration has been completed. In other words, we do not stop the exploration when we reach a final state. This is to make fair comparisons, where we do not terminate because of being "lucky" in encountering the final state early. Of course in practice we would not do this. In contrast, we note that the RB approach is an on the fly approach which returns non-empty as soon as the final state turns out to be reachable. All experiments are run on Intel-i5 10th Generation processor, with an 8GB RAM, with a timeout of 120 seconds.

Benchmarks
We used a total of 10 benchmarks in our experiments, but parameterized several of them in order to test the scalability and to give us more insight into performance comparisons. The benchmark and their parameterizations are explained in A.1. We highlight only some salient points here. The benchmark B 1 is the PDTA from Figure 1. B 2 (k) is directly adapted from Figure 3 with the constant y ≤ 1 parametrized to y ≤ k, and k + 1 pops between q 0 and q 2 . Note that q 3 is unreachable regardless of the value of k. Benchmarks B 3 , B 4 are adapted from [5] with B 3 involving untiming of a stack age into normal clocks. B 5 , B 6 involve significant interplay of push/pop edges and clocks and B 6 , B 7 also have open guards. More details can be found in A.1. We also note that automata B 1 , B 3 (3, 4), B 5 (k 1 , k 2 ), B 8 , B 9 (k 1 , k 2 ) accept a nonempty language, while the rest are empty. As described earlier this does not change the performance of the simulation and equivalence based approaches, but may significantly change the performance of the Region Based Approach. used in guards as well, which is even more the case for the region based approach. Finally, our approach can easily handle closed and open guards.

Results
Most of the timeouts that occurred during the experiments are due to Out of Memory (OoM) kills, especially for larger sized PDTAs. For smaller sized PDTA such as B 2 (100), the recorded number of nodes before timeout was 154700.
Regarding the performance, we would like to emphasize that B1, B2, B3, B4, B7 were designed to compare the Zone approach to the region (RB) approach. As a consequence these models are very simple and the number of explored nodes remains almost the same regardless of whether we use ∼ or to prune, which reflects in the times/sizes not being too different. However, the other examples B5, B6 are more complex and have nodes that get pruned during exploration (both using ∼ and ). Here we can see the clear improvement of over ∼ both in terms of time taken and also of number of explored nodes.

Discussion and Future work
In this paper, we examined how an unbounded stack can be integrated seamlessly with zone-abstractions in timed automata. We would like to point out that two easy extensions of our work are possible. First, as remarked earlier, our algorithm checks for well-nested reachability, i.e., it requires to reach a final state with empty stack for acceptance. But we can generalize this to general control-state reachability by showing that a control state q is reachable in the PDTA (with possibly a non-empty stack) iff some node (q, Z) is discovered by our algorithm and added to some S (q ,Z ) (and not just to S (q0,Z0) as in the well-nested case). While this idea is simple and requires only minor edits to the existing algorithm, the proof of correctness requires more work and we leave this for future work. Secondly, we can handle the model with ages in stack as in [3,1] with an exponential blowup (thanks to [12]). However, an open question is whether this blowup can be avoided in practice. As noted earlier, there exist extensions [14,13] studied especially in the context of binary reachability, which are expressively strictly more powerful, for which decidability results are known. It would be interesting to see how we can extend the zone-based approach to those models.
Finally, it seems interesting to examine further the link to the liveness problem, possibly allowing us to transfer ideas and obtain faster implementations. Another possibility would be to use the extrapolation operator (rather than, or in addition to, simulation), which we have not considered in this work. the benchmark. We use this benchmark, since the zone graph for this P DT A without any simulation will be infinitely large. B 2 (k): This is an adaptation of the P DT A in Figure 3, with k + 1 pops between q 0 , and q 3 , and y ≤ k replacing y ≤ 1. The PDTA has k + 4 states, and state q 2 is unreachable irrespective of the value of k. We have chosen this as a benchmark since in order to say that q 2 is unreachable, the loop q 0 − → q 1 − → q 0 , has to be taken as many times as possible, creating more number of root nodes, with each root node containing the set of nodes that it can reach, making the size of the entire TLM proportional to k 2 . Therefore in order to accurately say that q 2 is unreachable, it would take O(k 2 ) time. B 3 (k 1 , k 2 ): We have made this benchmark using a T P DA, with timed stack, and converting it to a timeless stack P DT A using an approach similar to the one proposed in [12]. The T P DA with timed stack is shown in Figure 7. In both Figures 7 and 10, we can see that state s 1 is reachable only if k 1 ≤ k 2 . This creates a significant difference in execution times when it comes to B 3 (4, 3), and B 3 (3,4). B 4 : This benchmark was originally used for testing in the region based implementation [5].
Since there was only one push-pop pair, and no cycles with push/pop in it, it could be simulated using an extra clock x 3 . The language accepted by the automaton is empty, since q 5 is unreachable. B 5 (k 1 , k 2 ): An illustration of this benchmark is shown in Figure 12, with k 1 = 4. k 1 should be even for q 1 to be reachable. This PDTA benchmark is used since a large number of pushes are required to reach q 1 , creating more root nodes. Also because of internal transition loops between r x , and r x in the PDTA which can create many non equivalent zones, this creates the possibility of a large TLM. B 6 (k 1 , k 2 , k 3 ): The illustration for this benchmark is shown in Figure 13. It has been used to indicate that the size of the TLM is not just dependent on the size of the automaton, but also on the constants used in the automaton. In this PDTA, the size of the TLM is dependent on all k 1 , k 2 , and k 3 . k 1 , and k 2 enforce the pushes and pops in the automaton to be taken a fixed number of times, and if k 1 ≥ k 2 , the language accepted is empty. B 7 : The benchmark illustrated in Figure 14 has been used also in order to highlight the significance of open guards. The guards over the pushes, push a , and push b , make it impossible to take two pushes on a, then a push on b, which is required to empty the stack on reaching q 2 . And the guards x == 0 ∧ z == 20, also make it harder to directly reach q 2 with an empty stack. B 8 : A variation of this P DT A was used in testing for the region based implementation as well. States {q 1 , q 3 , q 5 , q 6 , q 8 } are reachable, and the language is not empty. B 9 (k 1 , k 2 ): The PDTA for this benchmark with k 1 = 2 is illustrated in Figure 16. This benchmark has been used in order to force the automaton to take only a single path which is allowed. Also the extra 2 state loops on nodes like r 2 , can create many non-equivalent nodes under one root node, and these nodes can then be propagated to other root nodes via pushes and pops, which can make the execution time heavily dependent on the constant k 2 . States q0, and q1 are reachable. The · · · indicates that there are a series of states, say, {r1, r2, ...r8} between q0, and q1, with 8 pushes, starting from q0 − → r1, to r7 − → r8. And in the end there transition t1 is in between r8 and q1. q 0 · · · q 2 q 1 x ≥ 1, {x} y ≤ k, push a pop k+1 a Figure 9 Parametrized P DT A -B2(k). Used in experiments using different values of k. The · · · indicate there are a series of transitions (linear) between q0 and q2 consisting of k + 1 pops. The number of states between q0 and q2, will be k + 1.

A.2 All Results
Here we display all results on the benchmarks that have been used.  Table 3 List of all results on the three environments. All time is recorded in milliseconds. T.O. refers to timeout before 120 seconds, and OOM refers to OOM kill of process. In case of timeout ≥ n, refers to recorded number of nodes before timeout occurred. In case of B2(1000) the preprocessing is not complete before the timeout and hence no nodes are displayed.