Fast Zone-Based Algorithms for Reachability in Pushdown Timed Automata

Abstract

Given the versatility of timed automata a huge body of work has evolved that considers extensions of timed automata. One extension that has received a lot of interest is timed automata with a, possibly unbounded, stack, also called pushdown timed automata (PDTA). While different algorithms have been given for reachability in different variants of this model, most of these results are purely theoretical and do not give rise to efficient implementations. One main reason for this is that none of these algorithms (and the implementations that exist) use the so-called zone-based abstraction, but rely either on the region-abstraction or other approaches, which are significantly harder to implement.

In this paper, we show that a naive extension, using simulations, of the zone based reachability algorithm for the control state reachability problem of timed automata is not sound in the presence of a stack. To understand this better we give an inductive rule based view of the zone reachability algorithm for timed automata. This alternate view allows us to analyze and adapt the rules to also work for pushdown timed automata. We obtain the first zone-based algorithm for PDTA which is terminating, sound and complete. We implement our algorithm in the tool TChecker and perform experiments to show its efficacy, thus leading the way for more practical approaches to the verification of timed pushdown systems.

This work was partly supported by ReLaX CNRS IRL 2000, DST/CEFIPRA/INRIA project EQuaVE and SERB Matrices grant MTR/2018/00074.

1 Introduction

Timed automata [7] are a popular formalism for capturing real-time systems, and of use for instance, in model checking of cyber-physical systems. They extend finite automata with real variables called clocks whose values increase over time; transitions are guarded by constraints over these variables. The main problem of interest is the reachability problem, which asks whether a given state can be reached while satisfying the constraints imposed by the guards. This problem is known to be PSPACE-complete (already shown in [7]). The PSPACE algorithm, uses the so-called region-automaton construction, which essentially abstracts the timed automaton into an exponentially larger finite automaton of regions (collections of clock valuations), which is sound and complete for reachability.

Despite this complexity-theoretic hardness, the model of timed automata has proved to be extremely influential and versatile, resulting in an enormous body of work on its theory, variants and extensions over the past 25 years. Almost since its inception, researchers also began to develop tools to extend from theoretical algorithms to solve practical problems. Such tools range from the classical and richly featured tool UPPAAL [9, 23] to the more recent open-source tool TChecker [19], which have been used on industry strength benchmarks and perform rather well on many of them. These tools use a different algorithm for reachability, where reachable sets of valuations are represented as zones and explored in a graph. While a naive exploration of zones does not terminate, the algorithms used identify different strategies [8, 18, 21], e.g., subsumption or simulations, extrapolations, for pruning the zone-based exploration graphs, while preserving soundness and completeness of reachability. While this does not change the worst case complexity, in practice, the zone exploration results in much better practical performance as it allows on-the-fly computation of reachable zones. One could even argue that the wider adoption of timed automata paradigm in the verification community has been a result of scalable implementations and tools built on this zone-based approach.

In light of this, zone-based algorithms are often looked for to improve practical performance of extensions of timed automata as well. For instance, for timed automata with diagonal constraints, classical zone-based approaches were shown to be unsound [11, 12], but recently, an approach has been developed which adapts the existing construction and obtains fast zone-based algorithms [17]. In the present paper, we are interesting in adding a different feature to timed automata, namely an unbounded lifo-stack. This results in a powerful model of pushdown timed automata (PDTA for short), in which the source of “infinity” is both from real-time and the unbounded stack. Unsurprisingly, this model and its variants have been widely studied over the last 20 years with several old and recent results on decidability of reachability, related problems and their complexity, including [1,2,3,4,5, 10, 13,14,15,16]. A wide variety of techniques have been employed to solve these problems, from region-based abstractions, to using atoms and systems of constraints, to encoding into different logics etc. However, except for [4, 5], to the best of our knowledge, none of the others carry an implementation. In [5], the implementation uses a tree-automaton implicitly based on regions and the focus in [4] is towards multi-pushdown systems. A common factor of all these works is that none of them consider zone-based abstractions.

In this paper, we ask whether zone-based abstractions can be used to decide efficiently reachability questions in PDTA. We focus on the problem of well-nested control-state reachability of PDTA, i.e., given a PDTA, an initial and a target state, does there exist a run of the PDTA that starts at the initial state with empty stack and reaches the target state with an empty stack (in between, i.e., during the run, the stack can indeed be non-empty). As with timed automata, our goal here is towards its applicability to build powerful tools which could lead to wider adoption of the PDTA model and showcase its utility to model-checking timed recursive systems. As the first step, we examine the difficulties involved in mixing zones with stacks and point out that a naive adaptation of the zone-based algorithm would not be sound. Then we propose a new algorithm that modifies the zone-based algorithm to work for pushdown timed automata. This is done in three steps.

• First we view the zone-graph exploration at the heart of the zone-based reachability algorithm for timed automata as a least fixed point computation of two inductive rules. When applied till saturation, they compute a sound and complete finite abstraction of the set of all reachable zones.

• Next, this view allows us to generalize the approach in the presence of a stack by adding new inductive rules that correspond to push and pop transitions, and hence are specific to the stack operation. There are two main technical difficulties in this. First, we need to ensure termination of the fixed point computation, using a strong enough pruning condition of the (a priori infinite) zone graph to ensure finiteness, while being sound and not adding spurious runs. Second, we want to aggressively prune the graph as much as possible to obtain an efficient zone-exploration algorithm. We show how we can minimally change the condition of pruning in the zone exploration graph to achieve this delicate balance. Indeed, in doing so we use a judicious combination of the subsumption (or simulation) relation and an equivalence relation for obtaining a fixed point computation for PDTA that is terminating, while being sound and complete.

• Finally, we build new data structures that allow us to write an efficient algorithm that implements this fixed point computation. While getting a correct algorithm is relatively simple, to obtain an efficient one, we must again encounter and overcome several technical difficulties.

We implement our approach to build the first zone-based tool that efficiently solves well-nested control state reachability for PDTA. Our tool is built on top of existing infrastructure of TChecker [19], an open source tool and benefits from many existing optimizations. We perform experiments to show the practical performance of multiple variants of our algorithm and show how our most optimized version is vastly better in performance than other variants and of course the earlier region-based approach on a suite of example benchmarks.

We note that our PDTA model differs slightly from the model considered in [1, 3], as there is no age on stack and time spent on stack cannot be compared with clocks. Hence our model is closer to [10, 16]. However, in [13], it was shown that these two models are equivalent, more specifically, the stack can be untimed without loss of expressivity (albeit with an exponential blowup). Thus our approach can be applied to the other model as well by just untiming the stack. There are other more powerful extensions [14, 15] studied especially in the context of binary reachability, where only theoretical results are known. We also remark that the idea of combining the subsumption relation between zones with an equivalence relation also occurs while tackling liveness, or Buchi acceptance, in timed automata. This has been studied in depth [20, 22, 24], where the naive zone-based algorithm does not work, forcing the authors to strengthen the simulation relation in different ways. Though these problems are quite different, there are surprising similarities in the issues faced, as explained in Sect. 3.

The structure of the paper is as follows: we start with preliminaries and move on to the difficulty in using zones and simulation relations in solving reachability in PDTA. Then, we introduce in Sect. 4 our inductive rules for timed automata and PDTA and show their correctness. In Sect. 5, we present our algorithm and helpful data-structural advancements. We show the experimental performance in Sect. 6 and end with a brief conclusion. Proofs that are missing and more experimental results can be found in the long version of the paper available at [6].

2 Preliminaries

2.1 Timed Automata

Timed automata extend finite-state automata with a set X of (non-negative) real-valued variables called clocks. We let \(\varPhi (X)\) denote the set of constraints \(\varphi \) that can be formed using the grammar: \(\varphi \,::\,= x\sim c\mid x-y\sim c \mid \varphi \wedge \varphi \), where \(x,y\in X\), \(c\in \mathbb {N}\), \({\sim }\in \{\le ,\ge ,<,>\}\), where each \(x\sim c\) is called an atomic constraint. A clock valuation is a map \(v:X\rightarrow \mathbb {R}_{\ge 0}\) and is said to satisfy \(\varphi \), denoted \(v\models \varphi \), if \(\varphi \) evaluates to true when each clock \(x\in X\) is replaced with v(x). For \(\delta \in \mathbb {R}^{\ge 0}\), we write \(v+\delta \) to denote the valuation defined as \((v+\delta )(x)=v(x)+\delta \) for all clocks x. For \(R\subseteq X\), we write [R]v to denote the valuation obtained by resetting clocks in R, i.e., \(([R]v)(x)=0\) if \(x\in R\), and \(([R]v)(x)=v(x)\) otherwise. Finally, \(v_0\) is the valuation that sets all clocks to 0.

A timed automaton \(\mathcal {A}\) is a tuple \((Q,X,q_0,\varDelta ,F)\), where Q is a finite set of states, X is a finite set of clocks, \(q_0\in Q\) is an initial state, \(F\subseteq Q\) is the set of final states and \(\varDelta \subseteq Q\times \varPhi (X)\times 2^X\times Q\) is a set of transitions. A transition \(t\in \varDelta \) is of the form \((q,g,R,q')\), where \(q,q'\) are states, \(g\in \varPhi (X)\) is the guard of the transition and \(R\subseteq X\) is the set of clocks that are reset at the transition. The semantics of a timed automaton \(\mathcal {A}\) is given as a transition system \( TS (\mathcal {A})\) over configurations. A configuration is a pair (q, v) where \(q\in Q\) is a state and v is a valuation, with the initial configuration being \((q_0,v_0)\). The transitions are of two types. First, for a configuration (q, v) and \(\delta \in \mathbb {R}^{\ge 0}\), \((q,v)\xrightarrow {\delta } (q,v+\delta )\) is a delay transition. Second, for \(t=(q,g,R,q')\in \varDelta \), \((q,v)\xrightarrow {t} (q',v')\) is a discrete transition if \(v\models g\) and \(v'=[R](v)\). A run is an alternating sequence of delays and discrete transitions starting from the initial configuration, and is said to be accepting if the last state in the sequence is a final state.

2.2 Reachability, Zones and Simulations

The problem of control-state reachability asks whether a given timed automaton has an accepting run. This problem is known to be PSPACE-complete [7], originally shown via the so-called region abstraction. Note that, since \( TS (\mathcal {A})\) is infinite, some abstraction is needed to get an algorithm. In practice however, the abstraction used to solve reachability, e.g., in tools such as UPPAAL [23] or TChecker [19] is the zone abstraction. A zone Z is defined as a set of valuations defined by a conjunction of atomic clock constraints. Given a guard g and reset R, we define the following operations on zones: time elapse \(\overrightarrow{Z}=\{v+\delta \mid v\in Z,\delta \in \mathbb {R}^{\ge 0}\}\), guard intersection \(g\cap Z=\{v\in Z\mid v\models g\}\) and reset \([R]Z=\{[R]v\mid v\in Z\}\). The resulting sets are also zones. With this, we can define the zone graph \( ZG (\mathcal {A})\) as a transition system obtained as follows: the nodes are (state, zone) pairs and \((q,Z)\xrightarrow {t}(q',Z')\), if \(t=(q,g,R,q')\) is a transition of \(\mathcal {A}\) and \(Z'=\overrightarrow{[R](g\cap Z)}\). The initial node is \((q_0,Z_0=\overrightarrow{\{v_0\}})\) and a path in the zone graph is said to be accepting if it ends at an accepting state. The zone graph is known to be sound and complete for reachability, but as the graph may still be infinite, this does not give an algorithm for solving reachability yet.

To obtain an algorithm, one resorts to different techniques such as extrapolation or simulation. Here we focus on simulation relations which will lead to finite abstractions. Given a timed automaton \(\mathcal {A}\), a binary relation \(\preceq \) on configurations is called a simulation if whenever \((q,v)\preceq (q',v')\), we have \(q=q'\) and

• for each delay \(\delta \in \mathbb {R}^{\ge 0}\), \((q,v+\delta )\preceq (q,v'+\delta )\) and

• for each \(t=(q,g,R,q_1)\in \varDelta \), if \(v\models g\) then \(v'\models g\) and \((q_1,[R]v) \preceq (q_1,[R]v')\).

We often simply write \(v\preceq _q v'\) instead of \((q,v)\preceq (q,v')\). We can now lift this to sets \(Z,Z'\) of valuations as \(Z\preceq _q Z'\) if for all \(v\in Z\) there exists \(v'\in Z'\) such that \(v\preceq _q v'\). We say that node (q, Z) is subsumbed by node \((q,Z')\) when \(Z\preceq _q Z'\). As a consequence we obtain the following lemma.

Lemma 1

If \((q,Z)\xrightarrow {t}(q_1,Z_1)\) in \( ZG (\mathcal {A})\) and \(Z\preceq _q Z'\), then \((q,Z')\xrightarrow {t}(q_1,Z'_1)\) and \(Z_1\preceq _{q_1}Z'_1\).

Proof

Indeed, let \(v_1\in Z_1=\overrightarrow{[R](g\cap Z)}\). We find \(v\in Z\) and \(\delta \ge 0\) such that \(v\models g\) and \(v_1=[R]v+\delta \). Since \(Z\preceq _q Z'\), we find \(v'\in Z'\) with \(v\preceq _q v'\). We deduce that \(v'\models g\) and \([R]v\preceq _{q_1}[R]v'\), which implies \(v_1\preceq _{q_1}v'_1\) with \(v'_1=[R]v'+\delta \in Z'_1=\overrightarrow{[R](g\cap Z')}\).    \(\square \)

A simulation \(\preceq \) is said to be finite if for every sequence of nodes \((q_1,Z_1)\), \((q_2,Z_2),\ldots \) there exist two nodes \((q_i,Z_i)\) and \((q_j,Z_j)\) with \(i<j\) such that \(q_i=q_j\) and \(Z_j\preceq _{q_i}Z_i\). The importance of the finiteness is that it allows us to stop exploration of zones along a branch of the zone graph: when a node \((q_j,Z_j)\) is reached which is subsumed by an earlier node \((q_i,Z_i)\), we may cut the exploration since all control states reachable from the latter are already reachable from the former. For a timed automaton \(\mathcal {A}\), we call this pruned graph as \(ZG_\preceq (A)\). Thus, if the simulation relation \(\preceq \) is finite, then \(ZG_\preceq (\mathcal {A})\) is finite, sound and complete for control state reachability. We formalize this algorithm in Sect. 4, using inductive rules.

Various finite simulations have been shown to exist in the literature, including the famous LU-abstractions [8], and more recent \(\mathcal {G}\)-abstractions based on sets of guards [17]. Hence this theory indeed has resulted in better implementations and is used in standard tools in this domain.

We will see that using simulation in the context of pushdown timed automata is not always sound, in some cases we need a stronger condition to stop the exploration. Towards this, we consider the equivalence relation on nodes induced by the simulation relation: \(Z\sim _q Z'\) if \(Z\preceq _q Z'\) and \(Z'\preceq _q Z\). We say that the simulation \(\preceq \) is strongly finite if the induced equivalence relation \(\sim \) has finite index. Notice that strongly finite implies finite but the converse does not necessarily hold. Fortunately, the usual simulations for timed automata, in particular the LU-simulation and the \(\mathcal {G}\)-simulation, are strongly finite.

2.3 Pushdown Timed Automata (PDTA)

A Pushdown Timed Automaton \(\mathcal {A}\) is a tuple \((Q,X,q_0,\varGamma ,\varDelta ,F)\), where Q is a finite set of states, X is a finite set of clocks, \(q_0\in Q\) is an initial state, \(\varGamma \) is the stack alphabet, \(F\subseteq Q\) is the set of final states and \(\varDelta \) is a set of transitions. A transition \(t\in \varDelta \) is of the form \((q,g,\mathrm {op},R,q')\), where \(q,q'\) are states, \(g\in \varPhi (X)\) is the guard of the transition and \(R\subseteq X\) is the set of clocks that are reset at the transition, \(\mathrm {op}\) is one of three stack operations: \(\mathrm {nop}\) or \(\mathrm {push}_a\) or \(\mathrm {pop}_a\) for some \(a\in \varGamma \).

The semantics of a PDTA \(\mathcal {A}\) is given as a transition system \( TS (\mathcal {A})\) over configurations. A configuration here is a tuple \((q,v,\chi )\) where \(q\in Q\) is a state, v is a valuation, \(\chi \in \varGamma ^*\) is the stack content, with the initial configuration being \((q_0,v_0,\varepsilon )\). The transitions are of two types. First, for a configuration \((q,v,\chi )\) and \(\delta \in \mathbb {R}^{\ge 0}\), \((q,v,\chi )\xrightarrow {\delta } (q,v+\delta ,\chi )\) is a delay transition. Second, for \(t=(q,g,\mathrm {op},R,q')\in \varDelta \), \((q,v,\chi )\xrightarrow {t} (q',v',\chi ')\) is a discrete transition if \(v\models g\), \(v'=[R](v)\) and

• if \(\mathrm {op}=\mathrm {nop}\), then \(\chi '=\chi \),

• if \(\mathrm {op}=\mathrm {push}_a\) then \(\chi '=\chi \cdot a\),

• if \(\mathrm {op}=\mathrm {pop}_a\), then \(\chi =\chi '\cdot a\).

A run is an alternating sequence of delays and discrete actions starting from the initial configuration. It is accepting if the last state in the sequence is final.

Our main focus is the well-nested control state reachability problem for PDTA, which asks whether a configuration \((q,v,\varepsilon )\) with \(q\in F\) is reachable, where the stack is empty. Later, in Sect. 7, we remark how our solution can be extended to solve general control state reachability, i.e., asking whether a configuration \((q,v,\chi )\) with \(q\in F\) is reachable, possibly with a nonempty stack \(\chi \).

3 Zones in PDTA and the Problem with Simulations

As mentioned earlier, zones are collections of clock valuations defined by conjunctions of timing constraints, and exploring zones reached by a timed automaton gives a sound and complete abstraction for state reachability. To make sure that the exploration is finite we need to prune the graph and one way this is done by simulation, i.e., not exploring paths from some nodes if they are “subsumed” by earlier nodes visited in the graph. Consider Fig. 1, in which we ignore the \(\mathrm {push}_a\) and \(\mathrm {pop}_a\) or we can think of them as internal actions. Then the usual zone-graph construction with simulation would give the graph depicted in Fig. 2. In this section, just for illustration we instantiate the simulation relation to be the well-known LU-simulation (we do not give the definition here as it is not relevant to what comes later, instead we refer to earlier work [8]). Using this, we obtain that the rightmost node is subsumed by the previous one, and hence the dotted simulation edge. If we did not do this we immediately observe that we get an infinite graph with increasing sets of zones.

Now, our first question is whether this zone exploration with simulation can be lifted to PDTA. In this example, if we were to add back the push/pop edges, we get exactly the same Zone graph with annotations, and further, the final state is indeed reachable. Hence, for this particular example we do obtain a finite, sound and complete graph exploration. However, in general it turns out that the procedure is not sound.

Fig. 1.

A simple PDTA with 2 clocks \(\{x,y\}\). Note that if we ignore the push/pop actions we get a TA, say A.

Fig. 2.

Zone graph with simulation edges for finiteness. Again ignoring push/pop actions gives us a zone graph for the TA. \(Z_0\) is the initial zone.

Consider the example in Fig. 3. In this example, again considering it as a TA (ignoring the push/pops), we would get the zone graph below, which would be finite, sound and complete for reachability in that TA. But if we consider it as a PDTA, now doing the same does not preserve soundness. In other words, in the PDTA, \(q_3\) is no longer reachable. However, in the zone graph we would conclude that it is reachable due to the simulation edge. If, to fix this, we remove the dotted simulation edge, then we will lose finiteness.

Fig. 3.

A PDTA and its zone graph with simulation. With the simulation (dotted) edges, \(q_3\) is reachable in the zone graph, but its not reachable in the PDTA.

Thus, it seems that we have a difficult situation where zones with the simulation relation, needed for termination, do not preserve soundness. This situation resembles the situation studied in [20, 22, 24], where the authors study liveness or Buchi-acceptance conditions in timed automata. Again in that situation, the naive algorithm with zone simulation does not work and the authors are forced to strengthen the simulation relation in different ways.

Surprisingly, it turns out, that even in our very different problem setting of reachability in PDTA, a similar solution works. That is, we replace simulation by equivalence (defined in the previous section) as the pruning criterion. However, there are two issues (i) it is not easy to prove its correctness and (ii) this is far from efficient as shown in the experimental section. Our goal to use zones in the first place was efficiency and hence we would like to prune the zone graph as much as possible, i.e., we would like to use simulation edges as much as possible. In the next two sections, we describe our fix. We first show a different view of the exploration algorithm as a fixed point rule based approach. This allows us to then describe our fix in the same language, which is much easier to understand conceptually. Also as a corollary we will be able to show that using equivalence everywhere also gives a correct algorithm. After proving the correctness of our rule-based algorithm, we then tackle the challenges in implementing it.

4 Viewing Reachability Algorithms Using Rewrite Rules

In this section, our goal is to compute a set S of nodes of the zone graph of a PDTA, as a least fixed point of a small set of inductive rules, such that a control state q occurs in S, i.e., \((q,Z)\in S\) for some Z iff q is reachable in the PDTA from its initial state. To understand the rules and their correctness it is easier to first visualize this on plain timed automata without any push-pop edges.

4.1 Rewrite Rules for Timed Automata.

Given a TA \(\mathcal {A}=(Q,X,q_0,\varDelta ,F)\), the set S containing all reachable nodes of the zone graph, can be obtained as the least fixed point of the following inductive rules, with a natural deduction style of presentation.

Let \(S^*\) denote the set at the fixed point by starting with the start rule and repeatedly applying the trans rule. It is easy to see that this computes the set of all reachable nodes of the zone graph: the start rule starts with the initial node and each application of trans rule takes a reachable node and applies a transition of the automaton and includes the resulting node reached. However, this set \(S^*\) is a priori infinite since number of zones is infinite.

To make it finite we add a condition under which we will apply the transition rule based on a finite simulation relation (let us denote it \(\preceq \)) for \(\mathcal {A}\).

Thus to obtain an algorithm, we would explore all nodes in the Zone graph using a search algorithm (say DFS/BFS) and we would add a node only if it is not subsumed by an already visited node, according to the simulation relation. We explained in Sect. 2.2 that doing this preserves soundness and completeness and gives a finite exploration.

Lemma 2

Let \(S_\preceq ^*\) denote any set obtained from the start rule and by repeatedly applying Trans-\(\preceq \) till a fixed point is reached. Note that depending on the order of applications we may have different sets. Then we have:

1. 1.

   (finiteness) \(S_\preceq ^*\) is finite.

2. 2.

   (soundness and completeness) For all \(q\in Q\), a configuration (q, v) is reachable from \((q_0,v_0)\) in the TA \(\mathcal {A}\) iff \((q,Z)\in S_\preceq ^*\) for some zone Z.

We do not give the proof here as (i) it is only a reformulation of known results and (ii) it will be subsumed by the much stronger theorem we prove next.

4.2 Rewrite Rules for PDTA

Let \(\mathcal {A}=(Q,X,q_0,\varGamma ,\varDelta ,F)\) be a PDTA, we will need not just a set but a tuple of sets. More precisely, we maintain a set of nodes \(\mathfrak {S}\) called root nodes. For each root node \((q,Z)\in \mathfrak {S}\), we also maintain a set of nodes, denoted \(S_{(q,Z)}\). The intuition is that root nodes are those that can be reached after pushing a symbol to the stack, whereas \(S_{(q,Z)}\) will be the set of nodes that can be reached from (q, Z) with a well-nested run, i.e., starting with an empty stack and ending in an empty stack. This is to avoid storing the stack contents in our algorithm, which would be another source of infinity. Again, we use simulations to make the computation finite. So we fix a strongly finite simulation relation \(\preceq \) for \(\mathcal {A}\).

Table 1. Inductive rules for control state reachability of PDTA

Our inductive rules for the control state reachability of pushdown timed automata are given in Table 1. Note that the internal rule is just the same as for timed automata above. The start rule not only starts the set of nodes computation but also the set of roots computation as described above. So the only interesting rules are the Push and Pop rules. The push rule says that when a push is encountered, then we must start exploring from a new root (i.e., context). So the only complicated rule is the Pop rule. Here the intuition is that if we see a push at a node and from a root equivalent to the root created from it, (i.e., its context) we see a matching pop reaching a new node, then this push-pop context is complete, and we can add this new node to the set of reachable nodes. This is precisely the point where we need equivalence rather than simulation and this will be made clear in the proof of the theorem below.

Theorem 1

Let \(\mathfrak {S}^*\) and \((S_{(q,Z)})_{(q,Z)\in \mathfrak {S}^{*}}\) denote any tuple of sets obtained from the start rule and by repeatedly applying the rules in Table 1 till a fixed point is reached¹. Note that we always have \((q_0,Z_0)\in \mathfrak {S}^*\). The following statements hold:

1. 1.

   (finiteness) \(\mathfrak {S}^*\) is finite and for each \((q,Z)\in \mathfrak {S}^*\), \(S_{(q,Z)}\) is finite.

2. 2.

   (completeness) For each \((q,Z)\in \mathfrak {S}^*\), if there exists a run \((q,v,\varepsilon )\xrightarrow {*} (q',v',\varepsilon )\) of \(\mathcal {A}\) with \(\{v\}\preceq _q Z\), then there exists \((q',Z')\in S_{(q,Z)}\) such that \(\{v'\}\preceq _{q'} Z'\).

3. 3.

   (soundness) For each \((q,Z)\in \mathfrak {S}^*\), \((q',Z')\in S_{(q,Z)}\) and \(v'\in Z'\), there exists a run in PDTA from \((q,v,\varepsilon )\) to \((q',v'',\varepsilon )\) with \(v\in Z\) and \(v'\preceq _{q'}v''\).

Fig. 4.

Construction for the completeness-push-pop last sub-case.

Proof

1. Note that only the Push rule creates new root nodes and the red condition states that a new root node is added only if there isn’t already an equivalent node in \(\mathfrak {S}^*\). Since the simulation relation is strongly finite, the set of roots \(\mathfrak {S}^{*}\) must be finite. Also, before adding a node to some \(S_{(q,Z)}\) with the internal rule or the pop rule, we check that the node is not subsumed by an existing one. Since the simulation relation is finite, this ensures that each set \(S_{(q,Z)}\) is finite.

2. Let \((q,Z)\in \mathfrak {S}^*\) and assume that \((q',v',\varepsilon )\) is reachable from some \((q,v,\varepsilon )\) with \(v\preceq _q Z\), i.e., there exists a run \((q,v,\varepsilon )=(q_1,v_1,\chi _1)\rightarrow \cdots \rightarrow (q_n,v_n,\chi _n)=(q',v',\varepsilon )\). We will then show that \(v_n\preceq _{q_n}Z'\) for some \((q_n,Z')\in S_{(q,Z)}\). The proof is by induction on n. Base case: For \(n=1\) we have \(q'=q\) and \(v'=v\). The result is obtained by taking \(Z'=Z\). Notice that \((q,Z)\in S_{(q,Z)}\) follows immediately from the start rule if \(q=q_0\), \(Z=Z_0\) or from the push-create rule.

Let us then assume that the statement holds for runs of length at most \(n-1\). Consider any run of the form \((q,v,\varepsilon )=(q_1,v_1,\chi _1)\rightarrow \cdots \rightarrow (q_n,v_n,\chi _n=\varepsilon )\) with \(v\preceq _q Z\). Notice that its last transition \((q_{n-1},v_{n-1},\chi _{n-1})\rightarrow (q_n,v_n,\chi _n)\) cannot be a push transition (in the PDTA) since \(\chi _n=\varepsilon \). Hence, we have three subcases, depending on the last transition.

• Time elapse. \(\chi _{n-1}=\chi _n=\varepsilon \), \(q_{n-1}=q_n=q'\), \(v_n=v_{n-1}+\delta \) for some \(\delta \in \mathbb {R}^{\ge 0}\). Applying induction hypothesis, we have \(v_{n-1}\preceq _{q'}Z'\) for some \((q',Z')\in S_{(q,Z)}\). Since zones are closed under time elapse, we get \(Z'=\overrightarrow{Z'}\) and by definition of the simulation relation \(v_n=v_{n-1}+\delta \preceq _{q'}\overrightarrow{Z'}=Z'\). This completes the case.

• Discrete internal transition. In this case \(\chi _{n-1}=\chi _n=\varepsilon \), \(t=q_{n-1}\xrightarrow {g,\mathrm {nop},R}q_n\), \(v_{n-1}\models g\) and \(v_n=[R]v_{n-1}\). Then applying induction hypothesis, there exists \((q_{n-1},Z')\in S_{(q,Z)}\) such that \(v_{n-1}\preceq _{q_{n-1}}Z'\). Now let \(Z''=\overrightarrow{R(g\cap Z')}\). From the definition of the simulation relation we get \(v_n\preceq _{q_n}Z''\). Then, applying the Internal rule, there exists \((q_n,Z''')\in S_{(q,Z)}\) such that \(Z''\preceq _{q_n}Z'''\), with possibly \(Z'''=Z''\). Hence, \(v_n\preceq _{q_n}Z''\preceq _{q_n}Z'''\), which completes the case.

• Pop transition. Then there exists \(1\le i<n-1\) such that the run has the form: \((q_1,v_1,\varepsilon )\rightarrow \ldots \rightarrow (q_i,v_i,\chi _i=\varepsilon )\xrightarrow {\mathrm {push}_a} (q_{i+1},v_{i+1},\chi _{i+1}=a)\rightarrow \ldots \rightarrow (q_{n-1},v_{n-1},\chi _{n-1}=a)\xrightarrow {\mathrm {pop}_a} (q_n,v_n,\chi _n=\varepsilon )\), where the push and pop are matching transitions, i.e., \(|\chi _j|\ge 1\) for all \(i<j<n-1\) (see Fig. 4). Then by induction hypothesis at i, we have

  $$\begin{aligned} v_i\preceq _{q_i}Z_i \text { for some } (q_i,Z_i)\in S_{(q,Z)} \,. \end{aligned}$$

  (1)

  From the push transition we have

  $$\begin{aligned} \exists t=q_i\xrightarrow {g, \mathrm {push}_a, R} q_{i+1} \in \varDelta \text { with } v_i\models g \text { and } v_{i+1}=[R]v_i \,. \end{aligned}$$

  (2)

  Let \(Z_{i+1}=\overrightarrow{R(g\cap Z_i)}\). By definition of the simulation relation, we deduce from \(v_i\preceq _{q_i}Z_i\) that \(v_{i+1}\preceq _{q_{i+1}}Z_{i+1}\). We can apply the Push rule to obtain

  $$\begin{aligned} (q_{i+1},Z'_{i+1})\in \mathfrak {S}^* \text { for some } Z'_{i+1}\sim _{q_{i+1}}Z_{i+1} \end{aligned}$$

  (3)

  possibly with \(Z'_{i+1}=Z_{i+1}\) as a special case. Further the segment of run \((q_{i+1},v_{i+1},a)\rightarrow \ldots (q_{n-1},v_{n-1},a)\) in the PDTA never pops the symbol a (by choice, since otherwise the push and pop would not be matching). Hence we will also have the same sequence of transitions forming a run \((q_{i+1},v_{i+1},\varepsilon )\rightarrow \ldots (q_{n-1},v_{n-1},\varepsilon )\). Using \(v_{i+1}\preceq _{q_{i+1}}Z_{i+1}\sim _{q_{i+1}}Z'_{i+1}\), we deduce that \(v_{i+1}\preceq _{q_{i+1}}Z'_{i+1}\). By induction hypothesis,

  $$\begin{aligned} v_{n-1}\preceq _{q_{n-1}}Z_{n-1} \text { for some } (q_{n-1},Z_{n-1})\in S_{(q_{i+1},Z'_{i+1})} \,. \end{aligned}$$

  (4)

  Finally, we have the pop transition

  $$\begin{aligned} t_1=q_{n-1}\xrightarrow {g_1,\mathrm {pop}_a,R_1} q_n \in \varDelta \text { with } v_{n-1}\models g_1 \text { and } v_n=[R_1]v_{n-1} \,. \end{aligned}$$

  (5)

  We let \(Z_n=\overrightarrow{R_1(g_1\cap Z_{n-1})}\). From \(v_{n-1}\preceq _{q_{n-1}}Z_{n-1}\) and the definition of the simulation relation we obtain \(v_n\preceq _{q_n}Z_n\). Then, combining all the above equations (1–5), and applying the Pop-rule we obtain some \((q_n,Z'_n)\in S_{(q,Z)}\) with \(Z_n\preceq _{q_n}Z'_n\) (possibly \(Z'_n=Z_n\)). Finally we get \(v_n\preceq _{q_n}Z_n\preceq _{q_n}Z'_n\). This completes the proof.

3. We will show that the following property is invariant by rule applications:

$$\begin{aligned} \forall (q,Z)\in \mathfrak {S},~&\forall (q',Z')\in S_{(q,Z)}, \forall v'\in Z', \text { there is a run } \\&(q,v,\varepsilon )\xrightarrow {*}(q',v'',\varepsilon ) \text { with } v\in Z \text { and } v'\preceq _{q'}v'' \end{aligned}$$

(Inv)

The invariant holds initially, i.e., after application of the start rule. Indeed, in this case we have \(\mathfrak {S}=\{(q_0,Z_0)\}\) and \(S_{(q_0,Z_0)}=\{(q_0,Z_0)\}\). Hence \((q',Z')=(q,Z)=(q_0,Z_0)\) and for all \(v\in Z_0\) we can choose the empty run \((q_0,v,\varepsilon )\xrightarrow {0}(q_0,v,\varepsilon )\).

We show below that (Inv) is preserved by application of an internal/push/pop rule. Therefore, the invariant still holds when reaching the fixed point, which proves the soundness. Let us write \(\mathfrak {S}^{-}\) and \(S^{-}_{(q,Z)}\) for the sets before the application of the rule and \(\mathfrak {S}\) and \(S_{(q,Z)}\) for the sets after the application of the rule.

Internal Rule. Let \((q,Z)\in \mathfrak {S}=\mathfrak {S}^{-}\), \((q',Z')\in S_{(q,Z)}\) and \(v'\in Z'\). If \((q',Z')\in S^{-}_{(q,Z)}\) then we get the result since (Inv) holds before applying the internal rule. Otherwise, there is some \((q_1,Z_1)\in S^{-}_{(q,Z)}\) and a transition \(t=q_1\xrightarrow {g,\mathrm {nop},R}q'\) with \(Z'=\overrightarrow{R(g\cap Z_1)}\).

By definition, there exists \(v_1\in Z_1\) such that \(v_{1}\models g\) and \(v'=[R]v_{1}+\delta \) for some \(\delta \ge 0\). Hence we have a run \((q_{1},v_{1},\varepsilon )\xrightarrow {t}\xrightarrow {\delta }(q',v',\varepsilon )\). Since the invariant holds before the internal rule, there is a run \((q,v,\varepsilon )\xrightarrow {*}(q_{1},v'_{1},\varepsilon )\) with \(v\in Z\) and \(v_{1}\preceq _{q_1}v'_{1}\). Now since \(\preceq \) is a simulation we obtain that \((q_{1},v'_{1},\varepsilon )\xrightarrow {t}\xrightarrow {\delta }(q',v'',\varepsilon )\) with \(v'\preceq _{q'}v''\) and we are done.

Push Rule. Let \((q,Z)\in \mathfrak {S}\), \((q',Z')\in S_{(q,Z)}\) and \(v'\in Z'\). If \((q,Z)\in \mathfrak {S}^{-}\) then we get the result since (Inv) holds before applying the Push rule. Otherwise, we must have \((q',Z')=(q,Z)\) and we can choose the empty run \((q,v',\varepsilon )\xrightarrow {0}(q,v',\varepsilon )\).

Pop Rule. Let \((q,Z)\in \mathfrak {S}=\mathfrak {S}^{-}\), \((q_2,Z_2)\in S_{(q,Z)}\) and \(v'\in Z_2\). Again, if \((q_2,Z_2)\in S^{-}_{(q,Z)}\) then we get the result since (Inv) holds before applying the Pop rule. Otherwise, by definition of the pop rule we have:

1. 1.

   some \((q',Z')\in S_{(q,Z)}\),

2. 2.

   some push transition \(t=q'\xrightarrow {g,\mathrm {push}_a,R}q''\),

3. 3.

   some \((q'',Z_1)\in \mathfrak {S}\) with \(Z_1\sim _{q''}Z''=\overrightarrow{R(g\cap Z')}\),

4. 4.

   some \((q'_1,Z'_1)\in S_{(q'',Z_1)}\),

5. 5.

   some pop transition \(t_1=q'_1\xrightarrow {g_1,\mathrm {pop}_a,R_1}q_2\),

with \(Z_2=\overrightarrow{R_1(g_1\cap Z'_1)}\). The construction below is illustrated in Fig. 5.

Since \(v'\in Z_2\), we get some \(v_4\in Z'_1\) such that \(v_4\models g_1\) and \(v'=[R_1]v_4+\delta '\) for some \(\delta '\ge 0\). Hence we have a run \((q'_1,v_4,a)\xrightarrow {t_1}\xrightarrow {\delta '}(q_2,v',\varepsilon )\).

Now, applying the invariant to \((q'',Z_1)\in \mathfrak {S}\), \((q'_1,Z'_1)\in S_{(q'',Z_1)}\) and \(v_4\in Z'_1\), we get a run \((q'',v_3,\varepsilon )\xrightarrow {*}(q'_1,v'_4,\varepsilon )\) with \(v_3\in Z_1\) and \(v_{4}\preceq _{q'_1}v'_{4}\). Hence, we also have a run \((q'',v_3,a)\xrightarrow {*}(q'',v'_{4},a)\).

Let \(v'_{3}\in Z''=\overrightarrow{R(g\cap Z')}\sim _{q''}Z_1\) with \(v_3\preceq _{q''}v'_{3}\). we get some \(v_2\in Z'\) such that \(v_{2}\models g\) and \(v'_{3}=[R]v_{2}+\delta \) for some \(\delta \ge 0\). Hence we have a run \((q',v_{2},\varepsilon )\xrightarrow {t}\xrightarrow {\delta }(q'',v'_{3},a)\).

Finally, we apply the invariant to \((q,Z)\in \mathfrak {S}\), \((q',Z')\in S_{(q,Z)}\) and \(v_{2}\in Z'\), we get a run \((q,v,\varepsilon )\xrightarrow {*}(q',v'_{2},\varepsilon )\) with \(v\in Z\) and \(v_{2}\preceq _{q'}v'_{2}\).

By repeatedly applying the property of simulation \(\preceq \), we may extend the run from \((q',v'_{2},\varepsilon )\) with \( (q',v'_{2},\varepsilon ) \xrightarrow {t}\xrightarrow {\delta } (q'',v''_{3},a) \xrightarrow {*} (q'_1,v''_{4},a) \xrightarrow {t_1}\xrightarrow {\delta '} (q_2,v'',\varepsilon ) \) where \(v_3\preceq _{q''}v'_{3}\preceq _{q''}v''_{3}\) and \(v_{4}\preceq _{q'_1}v'_{4}\preceq _{q'_1}v''_{4}\). Finally \(v'\preceq _{q_2}v''\). Therefore, the invariant holds after the pop rule.    \(\square \)

Fig. 5.

Construction for the soundness.

5 Algorithm for PDTA Reachability via Zones

In this section, we describe Algorithm 1 implementing the fixed point computation defined by the inductive rules in Table 1. We describe the structure of the algorithm and its main data-structures.

Notice first that the sets \(\mathfrak {S}\) and \(S_{(q,Z)}\) for \((q,Z)\in \mathfrak {S}\) can be alternatively represented as a single set of pairs of nodes:

$$ \mathcal {S} = \{ [(q,Z),(q',Z')] \mid (q,Z)\in \mathfrak {S}\text { and } (q',Z')\in S_{(q,Z)} \} \,. $$

We can recover \(\mathfrak {S}\) as the first projection of \(\mathcal {S}\) and \(S_{(q,Z)}\) as the second projection of \(\mathcal {S}\) filtered by the first component being (q, Z). We use both notations below depending on which is more convenient. The start rule initializes \(\mathcal {S}\) to \(\{[(q_0,Z_0),(q_0,Z_0)]\}\).

Let us consider first the rule for internal transitions. For each already discovered pair of nodes \([(q,Z),(q',Z')]\in \mathcal {S}\) (or \((q',Z')\in S_{(q,Z)}\) with \((q,Z)\in \mathfrak {S}\)), we have to consider each possible internal transition \(q'\xrightarrow {g,\mathrm {nop},R}q''\) and check whether the node \((q'',Z'')\) with \(Z''=\overrightarrow{R(g\cap Z')}\) should be added to \(S_{(q,Z)}\) or is subsumed by an existing node. This is like a graph traversal. The set \(\mathcal {S}\) stores the already discovered pairs of nodes, and we will use a \(\mathsf {ToDo}\) (unordered) list to store the newly discovered nodes from which outgoing transitions should be considered. The \(\mathsf {ToDo}\) list should also consist of pairs \([(q,Z),(q',Z')]\) so that when a new node \((q'',Z'')\) is discovered by an internal transition from \((q',Z')\) we know to which set \(S_{(q,Z)}\) it should be added.

As we can see from Theorem 1-soundness, given \((q,Z)\in \mathfrak {S}\), the set \(S_{(q,Z)}\) should consist of nodes reachable from (q, Z) via a well-nested run. Hence, when dealing with a pair \([(q,Z),(q',Z')]\in \mathcal {S}\) and we see a push transition \(q'\xrightarrow {g,\mathrm {push}_a,R}q''\) with \(Z''=\overrightarrow{R(g\cap Z')}\), we should not try to add the pair \((q'',Z'')\) to \(S_{(q,Z)}\) since the corresponding run would not be well-nested. Instead, we should search for a matching pop transition which could be taken after a well-nested run starting from \((q'',Z'')\). This is why the push rule adds the new root \((q'',Z'')\) to \(\mathfrak {S}\) (unless it is equivalent to an existing root). The pair of nodes \([(q'',Z''),(q'',Z'')]\) is newly discovered and added to the \(\mathsf {ToDo}\) list for further exploration.

The push transition may be matched with several pop transitions (which could be already discovered or yet to be discovered by the algorithm). To avoid revisiting the push transition many times, it will be stored by the algorithm in an additional set \(\mathcal {S}_\mathrm {push}\). More precisely, we will store in \(\mathcal {S}_\mathrm {push}\) the tuple \([(q,Z),a,(q'',Z'')]\) meaning that the root node \((q'',Z'')\) may be reached from the root node (q, Z) via a well-nested run reaching some \((q',Z')\) followed by a transition pushing a onto the stack.

Finally, assume that, when dealing with a pair \([(q_1,Z_1),(q'_1,Z'_1)]\in \mathcal {S}\), we see a pop transition \(q'_1\xrightarrow {g_1,\mathrm {pop}_a,R_1}q_2\) with \(Z_2=\overrightarrow{R_1(g_1\cap Z'_1)}\). We will check whether it can be matched with an already visited push transition, stored in the set \(\mathcal {S}_\mathrm {push}\) as a pair \([(q,Z),a,(q'',Z'')]\) with \((q'',Z'')=(q_1,Z_1)\). If this is the case, the pop rule may be applied and the node \((q_2,Z_2)\) added to \(S_{(q,Z)}\) (unless it is subsumed by an existing node). The newly discovered pair of nodes \([(q,Z),(q_2,Z_2)]\) is also added to the \(\mathsf {ToDo}\) list for further exploration. Once again, the pop transition may also be matched with push transitions that will be discovered later by the algorithm. To avoid revisiting the pop transition many times, we store the tuple \([(q_1,Z_1),a,(q_2,Z_2)]\) in a new set \(\mathcal {S}_\mathrm {pop}\).

Data Structures. We use a data structure \(\mathsf {TLM}\) to store the triple of sets \((\mathcal {S},\mathcal {S}_\mathrm {push},\mathcal {S}_\mathrm {pop})\) and which is accessed with the following methods.

• \(\mathsf {TLM}.\mathsf {create}()\) creates the data structure with the three sets empty.

• \(\mathsf {TLM}.\mathsf {add}(q,Z,q',Z')\) adds \([(q,Z),(q',Z')]\) to \(\mathcal {S}\).

• \(\mathsf {TLM}.\mathsf {addPush}(q,Z,a,q',Z')\) adds \([(q,Z),a,(q',Z')]\) to \(\mathcal {S}_\mathrm {push}\).

• \(\mathsf {TLM}.\mathsf {addPop}(q,Z,a,q',Z')\) adds \([(q,Z),a,(q',Z')]\) to \(\mathcal {S}_\mathrm {pop}\).

• \(\mathsf {TLM}.\mathsf {isNewRoot}(q,Z)\) returns \([\mathsf {false},Z']\) if there exists some \((q,Z')\in \mathfrak {S}\) with \(Z'\sim _q Z\), and returns \([\mathsf {true},Z]\) otherwise.

• \(\mathsf {TLM}.\mathsf {isNewNode}(q,Z,q',Z')\) returns \(\mathsf {false}\) if \(\exists [(q,Z),(q',Z'')]\in \mathcal {S}\) with \(Z'\preceq _{q'}Z''\), and returns \(\mathsf {true}\) otherwise.

• \(\mathsf {TLM}.\mathsf {isNewPop}(q,Z,a,q',Z')\) returns \(\mathsf {false}\) if \(\exists [(q,Z),a,(q',Z'')]\in \mathcal {S}_\mathrm {pop}\) with \(Z'\preceq _{q'}Z''\), \(\mathsf {true}\) otherwise.

• \(\mathsf {TLM}.\mathsf {isNewPush}(q,Z,a,q',Z')\) returns \(\mathsf {false}\) if \([(q,Z),a,(q',Z')]\in \mathcal {S}_\mathrm {push}\), and returns \(\mathsf {true}\) otherwise.

• \(\mathsf {TLM}.\mathsf {iterPop}(q,Z,a)\) returns the list of \((q',Z')\) with \([(q,Z),a,(q',Z')]\in \mathcal {S}_\mathrm {pop}\).

• \(\mathsf {TLM}.\mathsf {iterPush}(a,q',Z')\) returns the list of (q, Z), s.t. \([(q,Z),a,(q',Z')]\in \mathcal {S}_\mathrm {push}\).

Concretely, the data structure should store sets of nodes (q, Z) and be able to search or iterate through such sets. In order to make the algorithm slightly faster, we will segregate our sets of nodes, with the name of the state. We will use a hashmap in order to accomplish this task. See Fig. 6 where the concrete data structure is depicted.

We will use a first level hashmap to store the set of roots \(\mathfrak {S}\). To implement \(\mathsf {TLM}.\mathsf {isNewNode}(q,Z,q',Z')\), we first search for (q, Z) in the first level map, then a pointer \(\mathsf {TLM}[q][Z][0]\) will lead to a second level hashmap for the set of nodes \(S_{(q,Z)}\) and we search for \((q',Z')\) in this second level map. See Fig. 6(b).

To implement \(\mathsf {TLM}.\mathsf {isNewPop}(q,Z,a,q',Z')\) and \(\mathsf {TLM}.\mathsf {iterPop}(q,Z,a)\), we first search the root node (q, Z) in the first level map, then a pointer \(\mathsf {TLM}[q][Z][2]\) will lead to a second level hashmap storing the set of triples \((a,q',Z')\) such that \([(q,Z),a,(q',Z')]\in \mathcal {S}_\mathrm {pop}\). To speed up the access, this second level pop map is segregated first on the key a, then on the key \(q'\) to get the list of corresponding zones \(Z'\). See Fig. 6(c,d).

Finally, we also store the set \(\mathcal {S}_\mathrm {push}\) to implement \(\mathsf {TLM}.\)\(\mathsf {isNewPush}(q,Z,a,q',Z')\) and \(\mathsf {TLM}.\mathsf {iterPush}(a,q',Z')\). Notice that \(\mathcal {S}_\mathrm {push}\) consists of triples \([(q,Z),a,(q',Z')]\) where both (q, Z) and \((q',Z')\) are root nodes from \(\mathfrak {S}\). Notice also that for the iteration we fix the second node \((q',Z')\). To get an efficient implementation, we first search the root node \((q',Z')\) in the first level map, then a pointer \(\mathsf {TLM}[q'][Z'][1]\) will lead to a second level hashmap storing the set of triples (a, q, Z) such that \([(q,Z),a,(q',Z')]\in \mathcal {S}_\mathrm {push}\). To speed up the access, this second level push map is segregated first on the key a, then on the key q to get the list of corresponding zones Z. See Fig. 6(c,d).

Fig. 6.

Two level map implementing the data structure \(\mathsf {TLM}\) storing the sets \(\mathcal {S}\), \(\mathcal {S}_\mathrm {push}\), \(\mathcal {S}_\mathrm {pop}\).

We now show correctness of Algorithm 1. Note that \(\mathsf {TLM}\) encodes a triple of sets \((\mathcal {S},\mathcal {S}_\mathrm {push},\mathcal {S}_\mathrm {pop})\) defined by:

$$\begin{aligned} \mathcal {S}&=\{[(q,Z),(q',Z')] \mid (q',Z')\in \mathsf {TLM}[q][Z][0] \} \\ \mathcal {S}_\mathrm {push}&=\{[(q,Z),a,(q',Z')] \mid (a,q,Z)\in \mathsf {TLM}[q'][Z'][1] \} \\ \mathcal {S}_\mathrm {pop}&=\{[(q,Z),a,(q',Z')] \mid (a,q',Z')\in \mathsf {TLM}[q][Z][2] \} \end{aligned}$$

Recall also the correspondence explained at beginning of Sect. 5 between a set \(\mathcal {S}\) of pairs of nodes, and the set of roots \(\mathfrak {S}\) together with the sets of nodes \(S_{(q,Z)}\) for \((q,Z)\in \mathfrak {S}\).

Theorem 2

The set \(\mathcal {S}\) encoded by \(\mathsf {TLM}\) computed by Algorithm 1 is a fixed point obtained starting from the empty set by applying the inductive rules in Table 1. Therefore, Algorithm 1 terminates and is sound and complete for well-nested control state reachability of pushdown timed automata.

Proof (sketch)

1. 1.

   For termination, if we look at our algorithm, we can clearly see that before adding a pair of nodes to the \(\mathsf {ToDo}\) list, we add the same pair to \(\mathcal {S}\) with \(\mathsf {TLM}.\mathsf {add}\), and before that, we always check whether the pair is already in our \(\mathsf {TLM}\) or not (\(\mathsf {isNewNode}\) or \(\mathsf {isNewRoot}\)). Since the size of the \(\mathsf {TLM}\) is always bounded because we check either the first level map or the second level map before adding, the outer while loop will be called only a finite number of times. From this we can conclude that the algorithm will terminate.

2. 2.

   For soundness we have prove that any change to the \(\mathsf {TLM}\) is equivalent to applying one of the rewrite rules to \((\mathcal {S},\mathcal {S}_\mathrm {push}, \mathcal {S}_\mathrm {pop})\), which is already known to be sound from Theorem 1. The changes to the \(\mathsf {TLM}\) occur in lines 3, 9, 14, 21, 31. Since line 3 simply adds \([(q_0,Z_0),(q_0,Z_0)]\) to \(\mathcal {S}\), it simulates the start rule. For line 9, we can see that the pre conditions of internal rule Table 1 are met, with \((q,Z)\in \mathfrak {S}\), \((q',Z')\in S_{(q,Z)}\), the if-statement (just above the line) stating that there is an nop transition from q to \(q'\), and \(Z''\ne \phi \). Using all these we can see that indeed the operation can be performed. Similar arguments can be made for line 14, which simulates the push rule, and line numbers 21, 31 both for the pop-rule.

3. 3.

   For completeness we have to prove that after termination of the algorithm, using \((\mathcal {S},\mathcal {S}_\mathrm {push},\mathcal {S}_\mathrm {pop})\) to encode \(\mathsf {TLM}\), we cannot use any of the rules mentioned in Table 1, to add anything extra to the \(\mathsf {TLM}\). Then from Theorem 1-completeness we can conclude. For the start rule we can simply say that it was definitely executed (Line 3), so it cannot be executed again. For the internal rule we argue that if it can be applied after termination, then it should have been applied during execution. Since all transitions are considered in the for-loop, and the conditions before line 9 checks all the preconditions of the internal rule, it is certainly the case that a node \((q'',Z'')\) could not be added because either it was already added, or \((q'',Z''')\in S_{(q,Z)},Z'' \preceq _{q''} Z'''\). The argument for the push rule is similar. For the pop rule to be applied we argue that there must be a push transition and a pop transition satisfying the pre-conditions in the pop rule. Since both of these are already present for zones in the \(\mathsf {TLM}\), we say that they must have been added to \(\mathcal {S}_\mathrm {push}\) and \(\mathcal {S}_\mathrm {pop}\). We then concern ourselves with the order, arguing that if the push transition was discovered later the node either must already have been added (Line 21) or another node simulating the node must have been present in the \(\mathsf {TLM}\) (Line 20). A similar argument is made in case the order of discovery is reversed.

For the full proof details, we refer the reader to the long version [6].   \(\square \)

6 Experiments and Results

Implementation We build on the existing architecture of an open-source tool for analysis of timed automata, TChecker [19]. Our tool along with the benchmarks we used is available at https://github.com/karthik-314/PDTA_reachability and more details can be found [6]. The input for our implementation are PDTA, rather than TA so we modify TChecker in order to run our experiments. While most of the TChecker file format will remain the same, the only place where we make a change to the syntax of the input, will be the edges. TChecker uses the following format, for its transitions,

The new format in order to incorporate the pushes and pops will be,

In case the operation is \(\mathrm {nop}\), the square brackets are left empty.

We have implemented two variants of Algorithm 1 for PDTA and we will compare these between each other and also with a region-based approach. More precisely, we consider the following 3 algorithms:

• Simulation Based Approach (\(\preceq _{LU}\)): Direct implementation of Algorithm 1.

• Equivalence Based Approach (\(\sim _{LU}\)): This is a variation of Algorithm 1, with two methods changed,

  • TLM.isNewNode\((q,Z,q',Z')\): Returns false if \(\exists [(q,Z),(q',Z'')] \in \mathcal {S}\) with \(Z' \sim _{q'} Z''\), and true otherwise.

  • TLM.isNewPop\((q,Z,a,q',Z')\): Returns false if \(\exists [(q,Z),a,(q',Z'')] \in \mathcal {S}_{pop}\) with \(Z' \sim _{q'} Z''\), and true otherwise.

  As mentioned in Sect. 4, if instead of simulation, we just use equivalence everywhere, we do obtain a correct algorithm for reachability in PDTA. Hence it is interesting to compare it with the above approach.

• Region Based Implementation (RB): A previous implementation [5], uses a region based approach in order to solve the non-emptiness problem in PDTA. We note two features of the algorithm. First, it uses a tree-automaton based approach for efficiency and correctness, but underlying it is the region (rather than zone) construction. Second, it works only with closed guards, while our approach works with closed and open guards.

We note the following important points regarding our implementation:

1. 1.

   The \(\preceq \) used in our implementation will be \(\preceq _{LU}\) [8], without extrapolation and with global clock bounds.

2. 2.

   The ToDo list used currently uses LIFO (stack) ordering for popping of elements. This corresponds to a DFS exploration of the zone-graph. But we can use other data structures for this purpose as well, e.g., changing it to FIFO would give us a BFS exploration etc.

3. 3.

   Both the simulation based and equivalence based approach are tested on PDTA with empty and non-empty languages, but we have ensured that both of them return an answer only after the entire exploration has been completed. In other words, we do not stop the exploration when we reach a final state. This is to make fair comparisons, where we do not terminate because of being “lucky” in encountering the final state early. Of course in practice we would not do this. In contrast, we note that the RB approach is an on the fly approach which returns non-empty as soon as the final state turns out to be reachable.

All experiments are run on Intel-i5 10th Generation processor, with an 8GB RAM, with a timeout of 120 seconds. Benchmarks. We used a total of 10 benchmarks in our experiments, but parameterized several of them in order to test the scalability and to give us more insight into performance comparisons. The benchmark and their parameterizations are explained in [6]. We highlight only some salient points here. The benchmark \(B_1\) is the PDTA from Fig. 1. \(B_2(k)\) is directly adapted from Fig. 3 with the constant \(y\le 1\) parametrized to \(y\le k\), and \(k+1\) pops between \(q_0\) and \(q_2\). Note that \(q_3\) is unreachable regardless of the value of k. Benchmarks \(B_3,B_4\) are adapted from [5] with \(B_3\) involving untiming of a stack age into normal clocks. \(B_5,B_6\) involve significant interplay of push/pop edges and clocks and \(B_6,B_7\) also have open guards. More details can be found in [6]. We also note that automata \(B_1\), \(B_3(3, 4), B_5(k_1,k_2), B_8, B_9(k_1,k_2)\) accept a nonempty language, while the rest are empty. As described earlier this does not change the performance of the simulation and equivalence based approaches, but may significantly change the performance of the Region Based Approach.

Table 2. Results on the Benchmarks. Time recorded in ms, and timeout (T.O.) used is 120 s. OoM stands for Out of Memory kill. Results rounded up to 1 decimal. # nodes refers to the number of nodes in the zone/region graph explored. In case of timeout \(\ge n\), refers to recorded number of nodes n before timeout occurred. NA in RB columns represents that the region based approach does not handle open guards in transitions (\(B_6\), \(B_7\) have open guards.)

Results Table 2 contains a selection of our experimental results; more can be found in [6]. From the table, we conclude first that the zone based approach is indeed faster than the Region Based Approach for all examples. Second, the simulation based approach runs faster than the equivalence based approach for all examples if the ToDo priority for removal remains the same. In fact, the performance of the simulation based approach depends mostly on the size of the PDTA, but the equivalence based approach is dependant on the constants used in guards as well, which is even more the case for the region based approach. Finally, our approach can easily handle closed and open guards.

Most of the timeouts that occurred during the experiments are due to Out of Memory (OoM) kills, especially for larger sized PDTAs. For smaller sized PDTA such as \(B_2(100)\), the recorded number of nodes before timeout was 154700.

Regarding the performance, we would like to emphasize that B1, B2, B3, B4, B7 were designed to compare the Zone approach to the region (RB) approach. As a consequence these models are very simple and the number of explored nodes remains almost the same regardless of whether we use \(\sim \) or \(\preceq \) to prune, which reflects in the times/sizes not being too different. However, the other examples B5, B6 are more complex and have nodes that get pruned during exploration (both using \(\sim \) and \(\preceq \)). Here we can see the clear improvement of \(\preceq \) over \(\sim \) both in terms of time taken and also of number of explored nodes.

7 Discussion and Future Work

In this paper, we examined how an unbounded stack can be integrated seamlessly with zone-abstractions in timed automata. We would like to point out that two easy extensions of our work are possible. First, as remarked earlier, our algorithm checks for well-nested reachability, i.e., it requires to reach a final state with empty stack for acceptance. But we can generalize this to general control-state reachability by showing that a control state q is reachable in the PDTA (with possibly a non-empty stack) iff some node (q, Z) is discovered by our algorithm and added to some \(S_{(q',Z')}\) (and not just to \(S_{(q_0,Z_0)}\) as in the well-nested case). While this idea is simple and requires only minor edits to the existing algorithm, the proof of correctness requires more work and we leave this for future work.

Secondly, we can handle the model with ages in stack as in [1, 3] with an exponential blowup (thanks to [13]). However, an open question is whether this blowup can be avoided in practice. As noted earlier, there exist extensions [14, 15] studied especially in the context of binary reachability, which are expressively strictly more powerful, for which decidability results are known. It would be interesting to see how we can extend the zone-based approach to those models.

Finally, it seems interesting to examine further the link to the liveness problem, possibly allowing us to transfer ideas and obtain faster implementations. Another possibility would be to use the extrapolation operator (rather than, or in addition to, simulation), which we have not considered in this work.