Liveness in L/U-Parametric Timed Automata

We study timed systems in which some timing features are unknown parameters. Parametric timed automata are a classical formalism for such systems but for which most interesting problems are undecidable. Lower-bound/upper-bound parametric timed automata (L/U-PTAs) achieve decidability for reachability properties by enforcing a separation of parameters used as upper bounds in the automaton constraints, and those used as lower bounds. We further study L/U-PTAs by considering liveness related problems. We prove that: (1) the existence of at least one parameter valuation for which there exists an infinite run in the automaton is PSPACE-complete, (2) the existence of a parameter valuation such that the system has a deadlock is however undecidable, (3) the existence of a valuation for which a run remains in a given set of locations exhibits a very thin border between decidability and undecidability.

1. deciding the existence of at least one parameter valuation for which there exists an infinite run in the automaton is PSPACE-complete;
2. deciding the existence of a parameter valuation such that the system has a deadlock is however undecidable;

Outline. We recall the necessary preliminaries in Section 2. We then consider the problem of the existence of at least one parameter valuation for which there exists an infinite run (Section 3), for which there exists a deadlock (Section 4), and for which a run remains in a given set of locations (Section 5). We conclude and discuss perspectives in Section 6.

Let N, Z, Q⁺ and R⁺ denote the sets of non-negative integers, integers, non-negative rational numbers and non-negative real numbers respectively. Let I(N) denote the set of not-necessarily closed intervals on N, i.e., of the form [a, b], (a, b], [a, b) or (a, b) where a, b ∈ N and a ≤ b.

Throughout this paper, we assume a set X = {x_1, ..., x_H} of clocks, i.e., real-valued variables that evolve at the same rate. A clock valuation is a function w : X → R⁺.

A PTA consists of: i) Σ, a finite set of actions, ii) L, a finite set of locations, iii) l_0 ∈ L, the initial location, iv) X, a finite set of clocks, v) P, a finite set of parameters, vi) I, the invariant, assigning to every l ∈ L a guard I(l), vii) E, a finite set of edges e = (l, g, σ, R, l′) where l, l′ ∈ L are the source and target locations, σ ∈ Σ, R ⊆ X is a set of clocks to be reset, and g is a guard.

(l, w) that is reachable. Given a set of locations G ⊆ L, we say that a run stays in G if all of its states (l, w) are such that l ∈ G. A maximal run is a run that is either infinite (i.e., contains an infinite number of discrete transitions), or that cannot be extended by a discrete transition. A maximal run is deadlocked if it is finite, i.e., contains a finite number of discrete transitions. By extension, we say that a TA is deadlocked if it contains at least one deadlocked run.

lower-bound) parameter p_i is such that, whenever it appears in a guard or an invariant

In this paper, we will consider bounded PTAs, i.e., PTAs with a bounded parameter domain that assigns to each parameter an infimum and a supremum, both integers.

cycle-existence-emptiness as ED-emptiness and EC-emptiness, respectively.

Proof (sketch). From Lemma 4, this problem is equivalent to testing the TA obtained by valuating upper-bound (resp. lower-bound) parameters with their maximal (resp. minimal) value in bounds. See Appendix A for a detailed proof.

The above result cannot be used as such for non-bounded L/U-PTAs as a cycle that

Proof. We reduce from the boundedness problem of a 2-counter machine, which is undecidable [13]. Recall that a deterministic 2-counter machine has two non-negative counters C_1 and C_2, a finite number of states and a finite number of transitions, which can be of the form:
- when in state q_i, increment C_k and go to q_j;
- when in state q_i, decrement C_k and go to q_j;
- when in state q_i, if C_k = 0 then go to q_j, otherwise block.

The machine starts in state q_0; by definition, it halts when it reaches a specific state called q_halt. The boundedness problem for 2-counter machines asks whether the value of the counters remains smaller than some bound, and is undecidable [13].

Given such a machine M, we encode it as a PTA A(M); our encoding is adapted from an existing encoding of a 2-counter machine, used to (re)prove the undecidability of the EF-emptiness problem for bounded PTAs and then further related results, and found in [4]. We describe it in detail, as we will modify it in the subsequent proofs.

Each state q_i of the machine is encoded as a location of the automaton, which we call q_i.

The counters are encoded using clocks x, y and z and one parameter a, with the following relations with the values c_1 and c_2 of counters C_1 and C_2: when x = 0, we have y = 1 − a·c_1 and z = 1 − a·c_2. All three clocks are parametric, i.e., are compared with a in some guard or invariant of the encoding. We will see that a is a rational-valued bounded parameter, typically in [0, 1] (although not bounding a has no impact on the proof).

We initialize the clocks with the gadget in Figure 2a (that also blocks the case where a = 0). Clearly, when in q_0 with x = 0, we have y = z = 1, which indeed corresponds to counter values 0.

We now present the gadget encoding the increment instruction of C_1 in Figure 2b. The transition from q_i to l_{i1} only serves to clearly indicate the entry in the increment gadget and is done in 0 time units. Since we use only equalities, there are really only two paths that go through the gadget: one going through l_{i2} and one through l′_{i2}. Let us begin with the former. We start from some encoding configuration: x = 0, y = 1 − a·c_1 and z = 1 − a·c_2 in q_i (and therefore the same in l_{i1}). We can enter l_{i2} (after elapsing enough time) if 1 − a·c_2 ≤ 1, i.e., a·c_2 ≥ 0, which holds since a ≥ 0, and when entering l_{i2} we have x = a·c_2, y = 1 − a·c_1 + a·c_2 and z = 0. Then we can enter l_{i3} if 1 − a·c_1 + a·c_2 ≤ 1 + a, i.e., a(c_1 + 1) ≥ a·c_2. When entering l_{i3}, we then have x = a(c_1 + 1), y = 0 and z = a(c_1 + 1) − a·c_2. Finally, we can go to q_j if a(c_1 + 1) ≤ 1 and when entering q_j we have x = 0, y = 1 − a(c_1 + 1) and z = 1 − a·c_2, as expected.

We now examine the second path. We can enter l′_{i2} if 1 − a·c_1 ≤ a + 1, i.e., a(c_1 + 1) ≥ 0, and when entering l′_{i2} we have x = a(c_1 + 1), y = 0 and z = 1 − a·c_2 + a(c_1 + 1). Then we can go to l_{i3} if 1 − a·c_2 + a(c_1 + 1) ≤ 1, i.e., a(c_1 + 1) ≤ a·c_2. When entering l_{i3}, we then have x = a·c_2, y = a·c_2 − a(c_1 + 1) and z = 0. Finally, we can go to q_j if a·c_2 ≤ 1 and when entering q_j we have x = 0, y = 1 − a(c_1 + 1) and z = 1 − a·c_2, as expected.

Remark that exactly one path can be taken depending on the respective order of c_1 + 1 and c_2, except when both are equal or a = 0, in which cases both paths lead to the same configuration anyway (and the case a = 0 is excluded by Figure 2a anyway).
Decrement is done similarly by replacing guards y = a + 1 with y = 1, and guards x = 1 and z = 1 with x = a + 1 and z = a + 1, respectively.

From q_i, to encode zero-testing C_1 and going to q_j, we only need to add a transition from q_i to q_j with guard y = 1 ∧ x = 0.

All those gadgets also work for C_2 by swapping y and z.

The actions associated with the transitions do not matter; we can assume a single action σ on all transitions (omitted in all figures).

Finally, we add a self-loop (with no guard) on the location q_halt, ensuring that whenever q_halt is reachable then there exists an infinite run in the PTA.

We now prove that the value of the counters remains bounded iff there exists a parameter valuation v such that v(A) yields an infinite run. First note that if a = 0 the initial gadget cannot be passed, and there is no infinite run. Assume a > 0. Consider two cases:
1. either the value of the counters is not bounded. Then, for any parameter valuation, at some point during an incrementation of, say, C_1 we will have x = a(c_1 + 1) > 1 when taking the transition from l_{i2} to l_{i3}, so the guard x = 1 towards q_j can no longer be satisfied and the PTA will be blocked. Therefore, there exists no parameter valuation for which there exists an infinite run.

too. For other values of a, the machine will block at some point in an increment gadget, because a is not small enough and the guard to q_j cannot be satisfied.

In both subcases, there exist parameter valuations for which there exists an infinite run.

Hence the value of the counters remains bounded iff there exists a parameter valuation v such that v(A) contains an infinite run.
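To make the gadget arithmetic above concrete, here is an added Python example (not code from the paper) that simulates the increment, decrement and zero-test gadgets exactly, with rational-valued clocks, for a fixed value of a, and runs two small constructed 2-counter machines through them. The guard constants, resets, the two paths and the y/z swap for C_2 follow the text; the machine programs COUNT_UP and BOUNDED and the function names (apply_gadget, run_machine, ...) are assumptions of this example. It shows the crux of the proof of Theorem 9: with a = 1/4 the increment gadget blocks exactly when a(c_1 + 1) > 1, so a machine whose counters grow without bound blocks for every a, while a machine whose counters stay at most 2 runs to q_halt as soon as a ≤ 1/2.

```python
from fractions import Fraction as F

# Added example, not from the paper: exact simulation of the clock gadgets of
# the 2-counter machine encoding (Figure 2) for one concrete rational value of a.
# Encoding invariant: whenever x == 0,  y == 1 - a*c1  and  z == 1 - a*c2.


def encode(c1, c2, a):
    """Clock valuation at q_i (x = 0) for counter values (c1, c2)."""
    a = F(a)
    return {"x": F(0), "y": 1 - a * c1, "z": 1 - a * c2}


def decode(w, a):
    """Counter values read back from a valuation with x == 0 (needs a > 0)."""
    a = F(a)
    assert w["x"] == 0 and a > 0
    return (1 - w["y"]) / a, (1 - w["z"]) / a


def take_edge(w, clock, target, resets):
    """Fire the edge guarded by `clock == target`, resetting `resets`.
    Every clock grows at rate 1, so the only delay enabling an equality guard
    is target - w[clock]; a negative delay means the guard can never be met
    again and the gadget is blocked (returns None)."""
    delay = target - w[clock]
    if delay < 0:
        return None
    w = {c: v + delay for c, v in w.items()}
    for c in resets:
        w[c] = F(0)
    return w


def gadget_paths(kind, k, a):
    """Both paths through the increment (Figure 2b) or decrement gadget of C_k,
    as lists of (guard clock, guard constant, clocks reset).  C_2 is handled
    by swapping the roles of y and z, as the text states."""
    a = F(a)
    y, z = ("y", "z") if k == 1 else ("z", "y")
    if kind == "inc":
        z_guard, y_guard, x_guard = F(1), a + 1, F(1)
    else:  # decrement: y = a+1 becomes y = 1; x = 1 and z = 1 become a+1
        z_guard, y_guard, x_guard = a + 1, F(1), a + 1
    return [
        [(z, z_guard, {z}), (y, y_guard, {y}), ("x", x_guard, {"x"})],  # via l_i2
        [(y, y_guard, {y}), (z, z_guard, {z}), ("x", x_guard, {"x"})],  # via l'_i2
    ]


def apply_gadget(kind, k, c1, c2, a):
    """Run `kind` ('inc' or 'dec') on C_k.  Returns the new counter values, or
    None when every path blocks, i.e. a is not small enough for this counter."""
    results = set()
    for edges in gadget_paths(kind, k, a):
        w = encode(c1, c2, a)
        for clock, target, resets in edges:
            w = take_edge(w, clock, target, resets)
            if w is None:
                break
        if w is not None:
            results.add(decode(w, a))
    assert len(results) <= 1  # when both paths are enabled they agree
    return results.pop() if results else None


def zero_test(k, c1, c2, a):
    """Zero-test transition: guard y = 1 (resp. z = 1) together with x = 0."""
    w = encode(c1, c2, a)
    return w["x"] == 0 and w["y" if k == 1 else "z"] == 1


def run_machine(program, a, max_steps=1000):
    """Simulate a 2-counter machine through the gadgets for a fixed a.
    program maps a state to ('inc' | 'dec', k, next) or ('jz', k, next);
    a zero test on a non-zero counter blocks, as in the machine model above.
    Returns ('halt', c1, c2), ('blocked', state, c1, c2) or ('running', ...)."""
    state, c1, c2 = "q0", F(0), F(0)
    for _ in range(max_steps):
        if state == "qhalt":
            return ("halt", c1, c2)
        op, k, nxt = program[state]
        if op == "jz":
            if not zero_test(k, c1, c2, a):
                return ("blocked", state, c1, c2)
        else:
            new = apply_gadget(op, k, c1, c2, a)
            if new is None:
                return ("blocked", state, c1, c2)
            c1, c2 = new
        state = nxt
    return ("running", state, c1, c2)


# Constructed sample machines (hypothetical, for illustration only).
COUNT_UP = {"q0": ("inc", 1, "q0")}                      # counters unbounded
BOUNDED = {                                              # counter C_1 never exceeds 2
    "q0": ("inc", 1, "q1"), "q1": ("inc", 1, "q2"),
    "q2": ("dec", 1, "q3"), "q3": ("dec", 1, "q4"),
    "q4": ("jz", 1, "qhalt"),
}

if __name__ == "__main__":
    print(run_machine(COUNT_UP, F(1, 4)))   # blocked once a(c1+1) > 1, i.e. at c1 = 4
    print(run_machine(BOUNDED, F(1, 4)))    # halts: a is small enough for c1 <= 2
    print(run_machine(BOUNDED, F(3, 4)))    # blocked: 2a > 1
```

Because every guard in the gadget is an equality, the delay before each edge is forced, which is why the simulation needs no search over time; the only nondeterminism is the choice between the two paths, and apply_gadget checks that both yield the same configuration whenever both are enabled, as the remark after the gadget description states.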

Remark. Throughout this paper, we allow guards and invariants of the form x ∼ Σ_{1≤j≤M} β_j p_j + d, which is more restrictive than [6] (that allows parametric coefficients different from 0 and 1, as well as diagonal constraints), but more permissive than [2].

This also allows the proof to work without complex parametric expressions in guards, using three additional clocks (we conjecture that a smarter encoding can be exhibited to factor these additional clocks, so as to use a single additional clock). A similar modification can be applied to all subsequent undecidability proofs.

Proof. We will use a reduction from the halting problem of a 2-counter machine.

Let us consider the encoding used in the proof of Theorem 9, that we transform into an L/U-PTA by replacing any comparison of a clock with a by comparisons with a⁻ and a⁺, where a⁻ (resp. a⁺) is a lower-bound (resp. upper-bound) parameter. We give the modified increment gadget in Figure 3 (other gadgets are modified in a similar fashion).

We replace the initial gadget (Figure 2a) with the new one in Figure 4a. Before initializing the values of the counters, this gadget first ensures that a⁻ ≤ a⁺.

We also add a new location q′_halt reachable from q_halt as shown in the final gadget in Figure 4b. Finally, we add an unguarded transition (i.e., a transition the guard of which is true) from any location of the encoding (including those of the initial gadget, but excluding q_halt) to location q′_halt. That is, it is always possible to reach q′_halt from any location

c. or this run reaches q_halt; from there, thanks to the upper transition in Figure 4b, it can reach q′_halt, from which it is again deadlock-free.
3. If a⁻ = a⁺ = 0, the machine may again not be properly simulated: again we could reach q_halt while the machine does not halt. The situation is similar to the previous case (a⁻ < a⁺) except that in q_halt a run has to take the lower transition in Figure 4b to reach q′_halt, from which it is again deadlock-free.

Hence, if the 2-counter machine halts, there exist parameter valuations for which a run has no discrete successor, and hence the system is not deadlock-free.

Hence the 2-counter machine halts iff the set of valuations for which the automaton has at least one deadlock is not empty.

Proof. Let us consider each formalism:
- open bounded L/U-PTAs: In the above construction, we can assume, e.g., a⁻ ∈ (0, 1], which does not impact the proof.
- L/U-PTAs: The bounds on the parameters are not required in the above construction: for valuations larger than 1 (that necessarily do not simulate correctly the machine), a gadget may block, therefore leading to q′_halt, from which the system is deadlock-free, hence without impacting the spirit of the proof.

Observe that the number of parameters can be reduced to 1 for (possibly bounded) PTAs by merging a⁻ and a⁺ into a single parameter a.

In this section, we prove that the EG-emptiness problem is decidable for closed bounded L/U-PTAs, and that lifting either closedness or boundedness leads to undecidability.

Theorem 12. The EG-emptiness problem is decidable for closed bounded L/U-PTAs.

17
We define the time elapsing of a constraint C, denoted by C , as the constraint over X 18 and P obtained from C by delaying all clocks by an arbitrary amount of time. We define 19 the past of C, denoted by C , as the constraint over X and P obtained from C by letting i. e., obtained by eliminating the clock variables (e. g., using Fourier-Motzkin).

A parametric zone is a convex polyhedron over X ∪ P in which all constraints on variables are of the form x ∼ plt (parametric rectangular constraints) or x_i − x_j ∼ plt (parametric diagonal constraints), where x_i ∈ X, x_j ∈ X and plt is a parametric linear term over P, i.e., a linear term without clocks (α_i = 0 for all i).

A symbolic state is a pair s = (l, C) where l ∈ L is a location, and C its associated parametric zone. The initial symbolic state of A is s_0 = (l_0, C_0), where C_0 is the time elapsing of {0} ∧ I(l_0) (all clocks equal to 0, intersected with the invariant of l_0), intersected again with I(l_0).

The Succ operation is effectively computable, using polyhedra operations: note that the successor of a parametric zone C is a parametric zone (see e.g., [10]).

A symbolic run of a PTA is an alternating sequence of symbolic states and edges starting

to symbolic states belonging to a run of A as symbolic states of A.

We can now come back to the proof of Theorem 12.

Proof. Let A|bounds be a closed bounded L/U-PTA and G be a subset of its locations. Since

We prove that the 2-counter machine halts iff the set of valuations satisfying EG(L \ {q′_halt}) is not empty. We rule out valuations such that a⁻ > a⁺ or b⁻ > b⁺ by sending them directly to q′_halt. For valuations a⁻ < a⁺ or b⁻ < b⁺, the machine may not be correctly simulated: either the encoding loops, and then blocks after some operations (due to the invariant), which leads to q′_halt; or it reaches q_halt, and goes to q′_halt thanks to an appropriate gadget. Finally, valuations a⁻ = a⁺ and b⁻ = b⁺ > 0 may simulate correctly the machine: if these valuations are not small enough, an increment will block, leading to q′_halt; otherwise, for some valuations sufficiently small, and only if the machine halts, q_halt is reached, and from there no transition leads to q′_halt, ensuring EG(L \ {q′_halt}).

See Appendix C for a detailed proof.

Remark. The above construction works over 1 time unit (an invariant can be added to q_halt too), so this gives an undecidability result over bounded time as well.

We now prove that EG-emptiness is also undecidable for unbounded L/U-PTAs. When

Proof (sketch). We again use a reduction from the halting problem of a 2-counter machine.

Our proof essentially relies on a mechanism similar to the proof of Theorem 13; however, we must use a different PTA encoding (the encoding used in the proof of Theorem 13 does not work for unbounded L/U-PTAs, as it strongly relies on the fact that b⁻ be strictly positive).

Instead, we propose an encoding inspired by that of a 2-counter machine proposed in [5] to prove the undecidability of the EF-emptiness problem for PTAs with a single integer-valued parameter (that can also be rational-valued). We modify the encoding of [5] to obtain an L/U-PTA, by splitting the single parameter a into a lower-bound parameter a⁻ and an upper-bound parameter a⁺, in the spirit of previous undecidability results for L/U-PTAs in this paper (Theorems 10 and 13). Then, we add a global invariant w ≤ b⁺ (where w is a fresh clock never reset, and b⁺ a fresh upper-bound parameter), to ensure that, for any valuation of b⁺ > 0, the number of operations the machine can perform is finite (which requires some modifications of the gadgets to ensure that they require at least 1 time unit).

The proof then follows a reasoning similar to that of Theorem 13.

See Appendix D for a detailed proof.

Remark. The above construction works also for integer-valued parameters, so this gives an undecidability result for integer-valued parameters too. The proof also works over discrete time (with integer-valued parameters).

through G is PSPACE-complete. This concludes the proof.

Proof. We will use a reduction from the halting problem of a 2-counter machine.

Let us consider the encoding used in the proof of Theorem 10, to which we will perform several modifications.

First, we force the 2-counter machine to execute in a constant 1-time unit duration as follows:
1. We replace any occurrence of "1" in the encoding with a parameter, either b⁻ or b⁺ (depending on whether the occurrence of 1 occurs as a lower-bound or an upper-bound); hence the duration of an increment or decrement gadget is now at least b⁻ and at most b⁺.

We give the increment gadget in Figure 5.

Hence, the duration of any gadget is at least b⁻ and therefore for any valuation b⁻ > 0 the number of operations the machine can perform is finite due to the global invariant w ≤ 1.

Then, before starting the 2-counter machine encoding, we add an initial gadget given in Figure 7. This gadget constrains a⁻ ≤ a⁺, b⁻ ≤ b⁺, and is such that when leaving the

Figure 6: EG-emptiness for bounded L/U-PTAs: zero-test gadget.

with two transitions from q_halt as depicted in Figure 8. We then add a transition (with no guard) from any location of the encoding (except q_halt) to q′_halt. That is, for any increment gadget, if the value of the parameters is not small enough to correctly simulate the machine, then the system is not deadlocked, and can lead instead to q′_halt. (If the value is small enough, the system can either lead to q′_halt or continue in the 2-counter machine encoding.) We also add a transition to q′_halt (with no guard) from all locations in the initial gadget in

- when in state q_i, increment C_k and go to q_j;
- when in state q_i, if C_k = 0 then go to q_k, otherwise decrement C_k and go to q_j;

Starting from the initial configuration (q_0, C_1 = 0, C_2 = 0) the machine either reaches q_halt and halts, or loops forever. Knowing whether the machine halts is undecidable [13].

The encoding uses a single parameter a. Two clocks x and y are used to encode the value of the counters, while a third clock z is used as an auxiliary clock. Whenever z = 0, then x = c_1 and y = c_2.

We modify this encoding by splitting the single parameter a into a lower-bound parameter a⁻ and an upper-bound parameter a⁺, in the spirit of previous undecidability results

In addition, we request that the entire execution takes a time less than b⁺, where b⁺ is a fresh upper-bound parameter; this is achieved by adding an invariant w ≤ b⁺ to all locations (with w a fresh clock never reset after the initial gadget).

We give the modified increment gadget for the first counter in Figure 9 (invariants are omitted). Note that, if z = 0 when entering q_i then the time to pass this gadget is in [a⁻ + 1, a⁺ + 1].

The test and decrement gadget is similar, and given in Figure 10. We performed a slight modification to the zero-test of [5], that was executed in 0-time; we require in our

Figure 12: EG-emptiness for L/U-PTAs: final gadget (recovered labels: locations q_i, q_halt, q′_halt; transition guards w ≤ b⁺ and a⁻ ≤ x < a⁺).

(including those of the initial gadget, but excluding q_halt) to a new location q′_halt. We also add two transitions from q_halt to q′_halt given in the final gadget in Figure 12.

1. If a⁻ > a⁺ or b⁺ = 0, the initial gadget cannot be passed: any run is sent to q′_halt because of the transitions to q′_halt, and therefore EG(L \ {q′_halt}) does not hold.
2. If a⁻ < a⁺ and b⁺ > 0, then the machine may not be correctly simulated: a given run will either reach q_halt, in which case it will also reach q′_halt (as the guard from q_halt to q′_halt in Figure 12 does not forbid this run), or it will loop in the machine until it eventually gets blocked: since b⁺ > 0 and all gadgets require at least 1 time unit, for any value of b⁺ the invariant w ≤ b⁺ will eventually block a transition after at most b⁺ steps. When being blocked, a run has no other option than going to q′_halt, because of the unguarded transitions from any location to q′_halt. Hence if a⁻ < a⁺ and b⁺ > 0, EG(L \ {q′_halt}) does not hold.
3. Now, assume a⁻ = a⁺ and b⁺ > 0.