Higher-Order Timed Automata and Tail Recursion

A tree is a finite, left-closed set $T\subseteq {\mathbb{N}}^{\ast }$, i.e., for all $vi\in T$, we have $v\in T$ and, moreover, $vi-1\in T$ if $i>0$. A tree alphabet is a finite, nonempty set $\mathrm{\Sigma }$ and a function $\mathrm{𝑎𝑟}:\mathrm{\Sigma }\to \mathbb{N}$ indicating the arity of each symbol. We write ${\mathrm{\Sigma }}_i$ for the set of symbols of arity $i$ in $\mathrm{\Sigma }$. A $\mathrm{\Sigma }$-tree is a pair $(T,l)$ of a tree $T$ and a labeling function $l:T\mapsto \mathrm{\Sigma }$, such that each $v\in T$ has exactly $\mathrm{𝑎𝑟}(l(v))$ successors. We often identify a tree with its labeling function.

Let $S$ be a set. ${ℬ}^{+}(S)$ is the set of positive Boolean expressions over $S$, derived from the grammar $\phi ≔s\mid \perp \mid \top \mid \phi \vee \phi \mid \phi \wedge \phi$ with $s\in S$.

An alternating parity tree-automaton (APT) is a $𝒫=(Q,\mathrm{\Sigma },\delta ,q_I,\mathrm{\Lambda })$ where $Q$ is a finite, nonempty set of states, $\mathrm{\Sigma }$ is a tree alphabet containing a special nullary symbol $\omega$, $\delta ={\bigcup }_{i\le n}{\delta }^i$ is the transition function with ${\delta }^i:Q\times {\mathrm{\Sigma }}_i\to {ℬ}^{+}(Q^i)$ and $n$ being the maximal arity that occurs in $\mathrm{\Sigma }$. We write $\delta (q,l(v))$ for ${\delta }^i(q,l(v))$ if $\mathrm{𝑎𝑟}(l(v))=i$. Finally, $q_I\in Q$ is the starting state and $\mathrm{\Lambda }:Q\to \mathbb{N}$ is the priority function. The size of an APT is the number of its states.

A run of an APT $𝒫$ on some $\mathrm{\Sigma }$-tree $T$ (for matching $\mathrm{\Sigma }$) is a parity game $G(𝒫,T)$ between $\exists$ and $\forall$, called the acceptance game. It has positions from $T\times (Q\cup {\bigcup }_{i\le n}{ℬ}^{+}(Q^i))$ where $n$ is the maximal arity in $\mathrm{\Sigma }$. Its starting position is $(ϵ,q_I)$. In a position of the form $(v,q)$, the unique successor is $(v,\delta (q,l(v)))$. Positions of the forms $(v,{\phi }_1\vee {\phi }_2)$ and $(v,{\phi }_1\wedge {\phi }_2)$ have two successors, namely $(v,{\phi }_1)$ and $(v,{\phi }_2)$. A position of the form $(v,(q_0,\mathrm{\dots },q_{i-1}))$ has $i$ successors $(v0,q_0),\mathrm{\dots },(vi-1,q_{i-1})$, a position of the form $(v,\top )$ or $(v,\perp )$ has no successors. Positions of the forms $(v,\top )$ and $(v,{\phi }_1\wedge {\phi }_2)$ and $(v,(q_0,\mathrm{\dots },q_{i-1}))$ belong to $\forall$, all other positions belong to $\exists$. Finally, the priorities of the game are $\mathrm{\Omega }(v,q)=\mathrm{\Lambda }(q)$; for all other positions we have $\mathrm{\Omega }(v,\phi )=1$. $𝒫$ accepts a tree $T$ if $\exists$ wins $G(𝒫,T)$. In the following, we assume APT to have designated states $q_{\top },q_{\perp }$ from which all, resp. no trees are accepted.

Instead of the classical definition of Higher-Order Recursion Schemes (HORS, cf. e.g., [18]), we use a version going back to Damm [14] and re-introduced by Walukiewicz and Salvati [21], using the $\lambda Y$-calculus as syntax.

Let $𝒳=\{\text{x},\text{y},\mathrm{\dots }\}$ be a set of ${ℝ}^{\ge 0}$-valued variables, called clocks. $\mathrm{𝐶𝐶}(𝒳)$ is the set of clock constraints over $𝒳$, defined as conjunctive formulas over $\top$ and $\text{x}\oplus c$ for $\text{x}\in 𝒳$ and $c\in \mathbb{N}$, where . Clock constraints are denoted by $\chi ,{\chi }^{\prime }$ etc.

A clock evaluation is a mapping $\eta :𝒳\to {ℝ}^{\ge 0}$; it satisfies a clock constraint as follows: (i) $\eta \vDash \top$ always, (ii) $\eta \vDash \text{x}\oplus c$ iff $\eta (\text{x})\oplus c$ and (iii) $\eta \vDash {\phi }_1\wedge {\phi }_2$ iff $\eta \vDash {\phi }_1$ and $\eta \vDash {\phi }_2$. For a clock evaluation $\eta$ and $d\in {ℝ}^{\ge 0}$, we write $\eta +d$ for the clock evaluation defined via $(\eta +d)(\text{x})=\eta (\text{x})+d$ for all $\text{x}\in 𝒳$. For $R\subseteq 𝒳$, ${\eta |}_R$ is the clock evaluation defined via ${\eta |}_R(\text{x})=\eta (\text{x})$ if $x\notin R$ and ${\eta |}_R(\text{x})=0$ if $\text{x}\in R$.

Let $\mathrm{𝑃𝑟𝑜𝑝}$ be a finite set of propositions. A timed automaton over clocks in $𝒳$ and with propositions in $\mathrm{𝑃𝑟𝑜𝑝}$ is an $𝒜=(L,𝒳,{\mathrm{\ell }}_0,\iota ,\mathrm{\Delta },\lambda )$ where (i) $L$ is the set of locations of the timed automaton, including the initial location ${\mathrm{\ell }}_0$, (ii) $𝒳$ is a finite set of clocks, (iii) $\iota :L\to \mathrm{𝐶𝐶}(𝒳)$ assigns a clock constraint called an invariant to each location, (iv) $\mathrm{\Delta }\subseteq L\times \mathrm{𝐶𝐶}(𝒳)\times 2^{𝒳}\times L$ is a finite set of transitions; we write $\mathrm{\ell }\stackrel{g,R}{\text{→}}{\mathrm{\ell }}^{\prime }$ for $(\mathrm{\ell },g,R,{\mathrm{\ell }}^{\prime })\in \delta$. In such a transition, $g$ is the guard and $R$ are the resets of the transition. Finally, (v) $\lambda :L\to 2^{\mathrm{𝑃𝑟𝑜𝑝}}$ labels each location with the propositions valid there. The index $m(𝒜)$ of a timed automaton $𝒜$ is the largest constant that occurs in its guards or invariants. Its size is defined as

due to the coding of the constants in clock constraints in binary. A TA defines a timed Transition System (tTS), to be defined in more general fashion in Sect. 3.

We define the timed modal $\mu$-calculus ($T_{\mu }$) following [17]. Let $𝒳$ be a set of clocks and let $𝒴$ disjoint from $𝒳$ be a set of specification clocks. Let $\mathrm{𝑃𝑟𝑜𝑝}$ be a set of propositions and let $𝒱$ be a set of fixpoint variables. A formula of $T_{\mu }$ is one derived from the following grammar:

where $p\in \mathrm{𝑃𝑟𝑜𝑝},X\in 𝒱,\chi \in \mathrm{𝐶𝐶}(𝒳\cup 𝒴)$ and $\text{z}\in 𝒴$. Moreover, every variable $X$ must be bound exactly once and occur under an even number of negations in $\mu X.\phi$ or $\nu X.\phi$, a standard convention for the modal $\mu$-calculus. This induces, for each $T_{\mu }$ formula $\phi$, a function $\mathrm{𝑓𝑝}$ where $\mathrm{𝑓𝑝}(X)$ is the unique $\psi$ with $\mu X.\psi$ or $\nu X.\psi$ a subformula of $\phi$. Moreover, we assume w.l.o.g. that every $T_{\mu }$ formula is guarded in the sense that, on the path from $\mu X.\psi$ or $\nu X.\psi$ to $X$ in the syntax tree of the formula, there is an instance of $⊳$ or $\boxminus$. Analogously to the ordinary $\mu$-calculus [10], every $T_{\mu }$ formula can be converted into an equivalent guarded one, potentially at the cost of exponential blowup¹¹1This blowup can be avoided at the cost of extra complexity, so we decide to simply stipulate guardedness for the sake of simplicity..

$\text{z}.\phi$ resets the specification clock z to $0$. Hence, patterns like $\text{z}.\mathrm{\dots }\text{z}=4\mathrm{\dots }$ serve to test for elapsed time. The intuition for ${\phi }_1⊳{\phi }_2$ is that of a temporal next operator: it is satisfied if ${\phi }_2$ is true after a sequence of a delay, a discrete transition, and another delay, and ${\phi }_1$ is true all the way before. The operator $\boxminus$ is the dual of it, i.e., a temporal next with universal quantification over delays and transitions.

Let $𝒯=(𝒮,\text{→},s_0,\lambda )$ be a tTS, let $\alpha :𝒱\to 2^{𝒮}$ be a variable assignment. The semantics ${⟦\phi ⟧}_{𝒯}^{\alpha }$ of a $T_{\mu }$ formula $\phi$ is defined inductively via

with

and where ${⟦{\psi }_1⊳{\psi }_2⟧}_{𝒯}^{\alpha }$ is defined as

Here, the temporal next relation $⊳$ is defined as the composition of a delay, a discrete transition, and another delay. The clause that all states after the discrete transition need to satisfy ${\psi }_1\vee {\psi }_2$ is standard to cope with the fact that there might not be a smallest delay that makes ${\psi }_2$ true. Standard patterns in temporal logic, e.g., $𝙴(p{𝚄}_{[3,4]}q)$, which says that there is a path on which $p$ holds until $q$ holds, and that $q$ holds after time elapsed between $3$ and $4$ time units, can be expressed as e.g., $\text{z}.\mu X.(q\wedge 3\le \text{z}\wedge \text{z}\le 4)\vee p⊳X$.

The model-checking problem for $T_{\mu }$ is then to decide, given a timed automaton and a $T_{\mu }$ formula $\phi$, whether $𝒯\vDash \phi$ where $𝒯$ is the tTS defined by the timed automaton.

The region abstraction is a classical result (see e.g., [4] or [6], Def. 9.42), that maps the infinite transition system defined by a TA onto a finite transition system. While we work with tTS defined by HORTA, the key point is the same: the region abstraction uses an equivalence relation ${\simeq }_m$, for $m\in \mathbb{N}$, on clock evaluations. Let $𝒳$ be a set of clocks, specification or otherwise. Then ${\simeq }_m$ is defined as follows: $\eta {\simeq }_m{\eta }^{\prime }$ iff

$\mathrm{𝑓𝑟𝑎𝑐}(r)$ is the fractional part of a real number. Clock evaluations are equivalent if, for each clock, (i) either both clocks have a value greater than $m$, or (ii) they compare in the same way with respect to all integers $\le m$. Moreover, the passage of time makes equivalent evaluations reach the next integral value first for the same clock. ${\simeq }_m$ is an equivalence relation for any $m$; an equivalence class in ${\simeq }_m$ is called a region. The equivalence class of $\eta$ under ${\simeq }_m$ is ${[\eta ]}_m$ (or just $[\eta ]$ when $m$ is clear). We define the notion of a successor region:

The second term defines the successor region of $[\eta ]$ to be the first region that is entered if time passes from any ${\eta }^{\prime \prime }\in [\eta ]$, and the first term makes the successor region well-defined in regions where all clocks have values greater than $m$. We call this region the maximal region.

Let $𝒳$ be a set of clocks, let $𝒴$ be a set of specification clocks. Let ${𝒯}_t=(𝒮,\text{→},s_0,\lambda )$ be the tTS generated by the HORTA $t$. Note that $𝒮\subseteq \{(v,\eta )\mid v\in T,\eta \vDash \iota (lv)\}$.

Let $\mathrm{𝑃𝑟𝑜𝑝},\mathrm{\Xi }$ be the propositions, resp. clock constraints mentioned by $\phi$, and let $𝒴$ be the specification clocks that $\phi$ mentions. Define an (untimed) $\mu$-calculus formula $\widehat{\phi }$ via

where the $Z,Z^{\prime }$ for the $⊳$ and $\boxminus$ are fresh for each subformula. The semantics of the untimed modal operators are standard: ${⟦{\mathrm{◇}}_D\psi ⟧}_{𝒯}^{\alpha }=\{s\mid \text{ ex. }{s}^{\prime }\in {⟦\psi ⟧}_{𝒯}^{\alpha }\text{ s.t. }s\stackrel{D}{\text{→}}{s}^{\prime }\}$ and similarly for ${\mathrm{\square }}_D$ and the other modalities. Note that this definition is for untimed transition systems.

Let $m$ be that largest integer in any location invariant or guard in $t$ or a clock constraint in $\phi$. Let $[\eta ]$ denote ${[\eta ]}_m$ from now on. Define a new (untimed) transition system with transitions $\{D,T\}\cup \{z\mid z\in 𝒴\}$ and propositions in $\mathrm{𝑃𝑟𝑜𝑝}\cup \mathrm{\Xi }$ via ${𝒯}_T^u=({𝒮}_u,{\text{→}}_u,s_0^{\prime },{\lambda }^{\prime })$ via

• $\mathrm{■}$

  ${𝒮}_u=\{(v,[\eta ])\mid (v,\eta )\in 𝒮\}$,

• $\mathrm{■}$

  ${\text{→}}_u=\{(v,[\eta ])\stackrel{D}{\text{→}}(v,\mathrm{𝑠𝑢𝑐}(\eta ))\mid \mathrm{𝑠𝑢𝑐}(\eta )\vDash \iota (l(v))\}\cup \{(v,[\eta ])\stackrel{T}{\text{→}}(vi,[{\eta }^{\prime }])\mid (v,\eta )\text{→}(vi,{\eta }^{\prime })\}\cup \{(v,[\eta ])\stackrel{\text{z}}{\text{→}}(v,{[\eta ]|}_{\text{z}}){\mid \eta |}_{\text{z}}\vDash \iota (l(v))\}$,

• $\mathrm{■}$

  $s_0^{\prime }=(ϵ,[{\eta }_0])$,

• $\mathrm{■}$

  ${\lambda }^{\prime }((v,[\eta ]))=\lambda (v,\eta )=\lambda (v)\cup \{\chi \in \mathrm{\Xi }\mid \eta \vDash \chi \}$.

Finally, given a variable assignment $\alpha :𝒱\to 2^{𝒮}$, define $\widehat{\alpha }:𝒱\to 2^{{𝒮}^{\prime }}$ via $\widehat{\alpha }(X)=\{(v,[\eta ])\mid (v,\eta )\in \alpha (X)\}$.

Technically the proof in [2] is only for tTS defined via TA, not via HORTA. However, finiteness is not a crucial ingredient of the proof, and the region graph construction is very robust.

We have seen before that, on the region graph, the formula $\widehat{\phi }$ captures the semantics of $\phi$. We define an APT ${𝒫}_{\phi }$ alongside the logic of $\widehat{\phi }$, but based on the syntax of $\phi$ itself. The reason for that is in the details of the translation of $⊳$ and $\boxminus$, where we have to make sure that the regions are visited one by one, but must also avoid excessive pointless delays. The states of ${𝒫}_{\phi }$ will be the product of the set of subformulas of $\phi$ and the set of regions in the region graph, plus some extra copies in some places. Transitions will follow the logic of subformulas in the first component, and pass through the regions as need be at formulas with real-time semantics, e.g., $⊳,\boxminus$.

As a preparation, let $\mathrm{\Sigma }$ be the tree alphabet used in $t$. Define ${\mathrm{\Sigma }}^{\prime }=\mathrm{\Sigma }\cup \{a_{\text{aux}}\mid a\in \mathrm{\Sigma }\}$ where all the new tree constructors are unary. Let $m$ be the integer used for the region graph. The longest sequence of delay transitions that can be taken before reaching the maximal region is less than $k^{\prime }=|𝒳\cup 𝒴|\cdot 3\cdot m$. Let $k$ be the length of the longest path in the syntax tree of $\phi$ that contains no formulas of the form ${\psi }_1⊳{\psi }_2$ or ${\psi }_1\boxminus {\psi }_2$, including passing through fixpoint variables. This number exists due to guardedness. Write $𝐤$ for $2\cdot k^{\prime }+k$.

Obtain a $\lambda Y$ term $\widehat{t}$ from $t$ by replacing each occurrence of a tree constructor $a$ by $a_{\text{aux}}^{𝐤}a$. i.e., by prepending it by a sequence of $𝐤$ many copies of $a_{\text{aux}}$. These tree constructors give the yet-to-be-defined automaton enough space to (i) explicitly simulate delay transitions in the region graph by transitions reading $a_{\text{aux}}$ in the tree, and (ii) allow easy handling of the logic of subformulas by transitions without advancing in the tree proper.

Let ${𝒫}_{\phi }=(Q,{\mathrm{\Sigma }}^{\prime },\delta ,q_I,\mathrm{\Lambda })$ with the individual components defined as follows:

• $\mathrm{■}$

  $Q=\mathrm{𝑠𝑢𝑏}(\phi )\times {ℝ}^{\ge 0}{/}_{{\simeq }_m}\times \{0,1,2\}$ and $q_I=(\phi ,[{\eta }_0],0)$

• $\mathrm{■}$

  $\mathrm{\Lambda }$ is defined inductively via the alternation index of a subformula of $\phi$. Let $\mathrm{𝑎𝑖}(\psi )$ be defined inductively for formulas of the form $\mu X.{\psi }^{\prime }$ and $\nu x.{\psi }^{\prime }$ as follows:

  • –

    For formulas of the form $\psi =\mu x.{\psi }^{\prime }$ set $\mathrm{𝑎𝑖}(\psi )$ to the smallest even integer that is at least as big as $\mathrm{𝑎𝑖}({\psi }^{\prime \prime })$ for all subformulas ${\psi }^{\prime \prime }$ of $\psi$, but at least $0$.

  • –

    For formulas of the form $\psi =\mu x.{\psi }^{\prime }$ set $\mathrm{𝑎𝑖}(\psi )$ to the smallest odd integer that is at least as big as $\mathrm{𝑎𝑖}({\psi }^{\prime \prime })$ for all subformulas ${\psi }^{\prime \prime }$ of $\psi$, but at least $1$.

  Fo other ${\psi }^{\prime }$, set $\mathrm{𝑎𝑖}(\psi )$ to $\mathrm{𝑎𝑖}({\psi }^{\prime })$ where ${\psi }^{\prime }$ is the first subformula of the form $\mu X.{\psi }^{\prime }$ or $\nu X.{\psi }^{\prime }$ on the path to the root in the syntax tree of $\phi$. Then $\mathrm{\Lambda }((\psi ,[\eta ],i))=\mathrm{𝑎𝑖}(\psi )$.

Finally, $\delta$ is defined (for the non-modalities) as follows:

The intuition here is that the acceptance game simply follows the logic of the subformula in question. The transitions for $⊳$ are