Coarse abstractions make Zeno behaviours difficult to detect

An infinite run of a timed automaton is Zeno if it spans only a finite amount of time. Such runs are considered unfeasible and hence it is important to detect them, or dually, find runs that are non-Zeno. Over the years important improvements have been obtained in checking reachability properties for timed automata. We show that some of these very efficient optimizations make testing for Zeno runs costly. In particular we show NP-completeness for the LU-extrapolation of Behrmann et al. We analyze the source of this complexity in detail and give general conditions on extrapolation operators that guarantee a (low) polynomial complexity of Zenoness checking. We propose a slight weakening of the LU-extrapolation that satisfies these conditions.


Introduction
Timed automata [1] are finite automata augmented with a finite number of clocks. The values of the clocks increase synchronously along with time in the states of the automaton and these values can be compared to a constant and reset to zero while crossing a transition. This model has been successfully used for verification of timed systems thanks to a number of tools [3,6,14].
Since timed automata model reactive systems that continuously interact with the environment, it is interesting to consider questions related to their infinite executions. An execution is said to be Zeno if an infinite number of events happen in a finite time interval. Such executions are clearly unfeasible. During verification, the aim is to detect if there exists a non-Zeno execution that violates a certain property. On the other hand while implementing timed automata, it is required to check the presence of pathological Zeno executions. This brings the motivation to analyze an automaton for the presence of such executions.
The analysis of timed automata faces the challenge of handling its uncountably many configurations. To tackle this problem, one considers a finite graph called the abstract zone graph (also known as simulation graph) of the automaton. This finite graph captures the semantics of the automaton. In this paper, we consider the problems of deciding if an automaton has a non-Zeno execution, dually a Zeno execution, given its abstract zone graph as input.
An abstract zone graph is obtained by over-approximating each zone of the so-called zone graph with an abstraction function. The zone graph in principle could be infinite and an abstraction function is necessary for reducing it to a finite graph. The coarser the abstraction, the smaller the abstract zone graph, and hence the quicker the analysis of the automaton. This has motivated a lot of research towards finding coarser abstraction functions [2]. The classic maximum-bound abstraction uses as a parameter the maximal constant a clock gets compared to in a transition. A coarser abstraction called the LU-extrapolation was introduced in Behrmann et al. [2] for checking state reachability in timed automata. This is the coarsest among all the implemented approximations and is at present efficiently used in tools like UPPAAL.
It was shown in [12,13] that even infinite executions of the automaton directly correspond to infinite paths in the abstract zone graph when one uses the maximum-bound approximation. In addition, it was proved that the existence of a non-Zeno infinite execution could be determined by adding an extra clock to the automaton to keep track of time and analyzing the abstract zone graph of this transformed automaton. A similar correspondence was established in the case of the LU-extrapolation by Li [11]. These results answer our question about deciding non-Zeno infinite executions of the automaton from its abstract zone graph. However, it was shown in [9,10] that adding a clock has an exponential worst case complexity. A new polynomial construction was proposed for the case of the classic maximum-bound approximation. But, the case of the LU-extrapolation was not addressed.
In this paper, we prove that the non-Zenoness question turns out to be NP-complete for the LU-extrapolation, that is, given the abstract zone graph over the LU-extrapolation, deciding if the automaton has a non-Zeno execution is NP-complete. We study the source of this complexity in detail and give conditions on abstraction operators to ensure a polynomial complexity. In this regard, we extend the polynomial construction given in [9] to an arbitrary abstraction function and analyze when it stays polynomial. It then follows that a slight weakening of the LU-extrapolation makes the construction polynomial. In the second part of the paper, we repeat the same for the dual question: given an automaton's abstract zone graph, decide if it has Zeno executions. Yet again, we notice NP-completeness for the LU-extrapolation. We introduce an algorithm for checking Zenoness over an abstract zone graph with conditions on the abstraction operator to ensure a polynomial complexity. We provide a different weakening of LU-extrapolation that gives a polynomial solution to the Zenoness question.
Related work. As mentioned above, the LU-extrapolation was proposed in [2], which also showed how it could be used efficiently in UPPAAL for the purpose of reachability. The correctness of the classic maximum-bound abstraction was shown in [4]. Extensions of these results to infinite executions occur in [13,11]. The trick involving adding an extra clock for non-Zenoness is discussed in [9]. For the case of checking existence of Zeno runs in timed automata, the bulk of the literature points to [8,5]. They provide a sufficient-only condition for the absence of Zeno runs. This is different from our proposed solution, which gives a complete solution (necessary and sufficient conditions) by analyzing the abstract zone graph of the automaton.
Organization of the paper. We start with the formal definitions of timed automata, abstract zone graphs, the Zenoness and Non-Zenoness problems in Section 2. Subsequently, we prove the NP-completeness of the non-Zenoness problem for the LU-extrapolation in Section 3. We then recall the construction proposed for non-Zenoness in [9] and extend it to a general abstraction operator giving conditions for polynomial complexity. Section 5 talks about the dual Zenoness problem and Section 6 concludes the paper with some perspectives.
2 Zeno-related Problems for Timed Automata

Timed Automata
Let $\mathbb{R}_{\geq 0}$ denote the set of non-negative real numbers. Let $X$ be a set of variables, named clocks hereafter. A valuation is a function $\nu : X \to \mathbb{R}_{\geq 0}$ that maps every clock in $X$ to a non-negative real value. We denote the set of all valuations by $\mathbb{R}^X_{\geq 0}$, and $\mathbf{0}$ the valuation that maps every clock in $X$ to $0$. For $\delta \in \mathbb{R}_{\geq 0}$, we denote $\nu + \delta$ the valuation mapping each $x \in X$ to the value $\nu(x) + \delta$. For a subset $R$ of $X$, let $[R]\nu$ be the valuation that sets $x$ to $0$ if $x \in R$ and assigns $\nu(x)$ otherwise. A clock constraint is a conjunction of constraints $x \# c$ for $x \in X$, $\# \in \{<, \leq, =, \geq, >\}$ and $c \in \mathbb{N}$, e.g. We denote $\Phi(X)$ the set of clock constraints over clock variables $X$. For a valuation $\nu$ and a constraint $\phi$ we write $\nu \models \phi$ when $\nu$ satisfies $\phi$, that is, when $\phi$ holds after replacing every $x$ by $\nu(x)$.
A Timed Automaton (TA) [1] $A$ is a finite automaton extended with clocks that enable or disable transitions. Formally, $A$ is a tuple $(Q, q_0, X, T)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set of clocks and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions. For each transition $(q, g, R, q') \in T$, $g$ is a guard that defines the valuations of the clocks that allow to cross the transition, and $R$ is a set of clocks that are reset on the transition.
A configuration of $A$ is a pair $(q, \nu) \in Q \times \mathbb{R}^X_{\geq 0}$. A transition $(q, \nu) \xrightarrow{\delta, t} (q', \nu')$ with $t = (q, g, R, q') \in T$ and $\delta \in \mathbb{R}_{\geq 0}$ is enabled when $\nu + \delta \models g$ and $\nu' = [R](\nu + \delta)$. A run $\rho$ of $A$ is a (finite or infinite) sequence of transitions starting from the initial configuration $(q_0, \mathbf{0})$: Notice that only infinite sequences can be non-Zeno. As can be seen, the number of configurations $(q, \nu)$ could be uncountable. We now define the abstract semantics for timed automata.

Symbolic Semantics, Zenoness and non-Zenoness Problems
A zone is a set of clock valuations that satisfy a conjunction of constraints of the form $x_i \# c$ and $x_i - x_j \# c$ with $x_i, x_j \in X$, $\# \in \{<, \leq, =, \geq, >\}$ and $c \in \mathbb{N}$. For instance, $(x_1 \leq 1 \wedge x_1 - x_2 \geq 0)$ is a zone. Zones can be efficiently represented by Difference Bound Matrices (DBMs) [7]. A DBM representation of a zone $Z$ is a $|X| + 1$ square matrix $(Z_{ij})_{i,j \in [0;|X|]}$ where each entry $Z_{ij} = (c_{ij}, \preccurlyeq_{ij})$ represents the constraint $x_i - x_j \preccurlyeq_{ij} c_{ij}$ for $c_{ij} \in \mathbb{Z} \cup \{\infty\}$ and $\preccurlyeq_{ij} \in \{<, \leq\}$. The special clock $x_0$ encodes the value $0$.
The symbolic semantics (or zone graph) of $A$ is the transition system $ZG(A) = (S, s_0, \Rightarrow)$ where $S$ is the set of nodes $(q, Z)$ with $q$ a state of $A$ and $Z$ a zone; $\nu + \delta$ for some $\delta \in \mathbb{R}_{\geq 0}$ and some valuation $\nu \in Z$ such that $\nu \models g$. If $Z$ is a zone, then $Z'$ is a zone. Moreover, a DBM representation of $Z'$ can be computed from the DBM representation of $Z$ (see for instance [4]).
However $ZG(A)$ may still be infinite. Several abstractions have been introduced to obtain a finite graph from $ZG(A)$. A finite abstraction $a$ is a map from $\mathcal{P}(\mathbb{R}^X_{\geq 0})$ to $\mathcal{P}(\mathbb{R}^X_{\geq 0})$ such that for every zone $Z$: $a(Z)$ is a zone, $Z \subseteq a(Z)$, $a(a(Z)) = a(Z)$ and $a$ has a finite range. In particular $\mathrm{Extra}_M$ [4], $\mathrm{Extra}^+_M$, $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ [2] are well-known finite abstractions. The last two abstractions are usually preferred as they are coarser and hence lead to more efficient algorithms. We define these abstractions below.
Let $L : X \to \mathbb{N} \cup \{-\infty\}$ and $U : X \to \mathbb{N} \cup \{-\infty\}$ be two maps that associate to each clock in $A$ its maximal lower bound and its maximal upper bound respectively: that is, for every $x \in X$, $L(x)$ is the maximal integer $c$ such that $x > c$ or $x \geq c$ appears in some guard of $A$. We let $L(x) = -\infty$ if no such $c$ exists. Similarly, we define $U(x)$ with respect to clock constraints like $x \leq c$ and $x < c$. We define $\mathrm{Extra}_{LU}(Z) = Z^{LU}$ and $\mathrm{Extra}^+_{LU}(Z) = Z^{LU+}$ as: where $L(x_0) = U(x_0) = 0$ for the special clock $x_0$. The abstraction $\mathrm{Extra}_M$ is defined in a similar way to $\mathrm{Extra}_{LU}$ by replacing every occurrence of $L$ and $U$ by $M$ which maps every clock $x$ to $\max(L(x), U(x))$. The following property is later used to extend our results for $\mathrm{Extra}_{LU}$ to $\mathrm{Extra}^+_{LU}$.
Theorem 1 ([2]). For each zone $Z$, we have: For two nodes $(q, Z)$ and $(q', Z')$, we define the relation $(q, Z)$ The abstract symbolic semantics (or the abstract zone graph) of $A$ is the transition system $ZG^a(A)$ induced by $\Rightarrow_a$ with the initial node $(q_0, a(Z_0))$, where $(q_0, Z_0)$ is the initial node of $ZG(A)$. We denote by $ZG^{LU}(A)$ the abstract symbolic semantics when abstraction $\mathrm{Extra}_{LU}$ is considered, and $ZG^M(A)$ when the abstraction $a$ is $\mathrm{Extra}_M$.
A path in $ZG^a(A)$ is a (finite or infinite) sequence of transitions: We say that a run $(q_0, \mathbf{0})$ . of $A$ is an instance of a path $\pi$ of $ZG^a(A)$ if they agree on the sequence of transitions $t_0, t_1, \ldots$, and if for every $i \geq 0$, $(q_i, \nu_i)$ and $(q_i, Z_i)$ coincide on $q_i$, and $\nu_i \in Z_i$. By definition of $Z_i$ this implies $\nu_i + \delta_i \in Z_i$. We say that an abstraction $a$ is sound if every path $\pi$ can be instantiated as a run of $A$. Conversely, $a$ is complete when every run of $A$ is an instance of some path in $ZG^a(A)$.
A classical verification problem for Timed Automata is to answer state reachability queries. For that purpose, runs of $A$ and paths in $ZG^a(A)$ are defined as finite sequences of transitions. A reachability query asks for the existence of a finite run leading to a given state. Reachability problems can be solved using $ZG^a(A)$ when $a$ is sound and complete and this property holds for the classical abstractions.
Theorem 2 ([4,2]). $\mathrm{Extra}_M$, $\mathrm{Extra}^+_M$, $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ are sound and complete for finite sequences of transitions.
Liveness properties ask for the existence of an infinite run satisfying a given property. For instance, does $A$ visit state $q$ infinitely often? Soundness and completeness of $a$ with respect to infinite runs allow solving such problems from $ZG^a(A)$. Recently, it has been proved that classical abstractions are also sound and complete for infinite paths/runs.
Theorem 3 ([12,11]). $\mathrm{Extra}_M$, $\mathrm{Extra}^+_M$, $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ are sound and complete for infinite sequences of transitions.
Thanks to Theorem 3, we know that every path $\pi$ in $ZG^a(A)$ can be instantiated to a run of $A$. However, soundness is not sufficient to know if $\pi$ can be instantiated as a non-Zeno run. In the sequel, we consider the following problems, given an automaton $A$ and an abstract zone graph $ZG^a(A)$.

Input: $A$ and $ZG^a(A)$
Non-Zenoness problem ($\mathrm{NZP}^a$): Does $A$ have a non-Zeno run?
Zenoness problem ($\mathrm{ZP}^a$): Does $A$ have a Zeno run?
Observe that solving $\mathrm{ZP}^a$ does not solve $\mathrm{NZP}^a$ and vice-versa: one is not the negation of the other. In this paper, we focus on the complexity of deciding $\mathrm{ZP}^a$ and $\mathrm{NZP}^a$ for different abstractions $a$. We denote $\mathrm{NZP}^M$ and $\mathrm{ZP}^M$ when abstraction $\mathrm{Extra}_M$ is considered. We similarly define $\mathrm{NZP}^{LU}$ and $\mathrm{ZP}^{LU}$ for abstraction $\mathrm{Extra}_{LU}$. The non-Zenoness problem is solved in polynomial time when abstraction $\mathrm{Extra}_M$ is considered [9,10]. Surprisingly, this is not true for abstraction $\mathrm{Extra}_{LU}$: in Section 3 we show that $\mathrm{NZP}^{LU}$ is NP-complete. The same asymmetry appears in the Zenoness problem as well, which is shown in Section 5.
We give a reduction from the 3SAT problem: given a 3CNF formula $\phi$, we build an automaton $A^{NZ}_\phi$ that has a non-Zeno run iff $\phi$ is satisfiable. The size of the automaton will be linear in the size of $\phi$. We will then show that the abstract zone graph $ZG^{LU}(A^{NZ}_\phi)$ is isomorphic to the automaton $A^{NZ}_\phi$, thus completing the polynomial reduction from 3SAT to $\mathrm{NZP}^{LU}$.
Let $P = \{p_1, \ldots, p_k\}$ be a set of propositional variables and let $\phi = C_1 \wedge \cdots \wedge C_n$ be a 3CNF formula with $n$ clauses. We define the timed automaton The transitions are as follows: transitions $q_k \to r_0$ and $r_n \to q_0$ with no guards and resets. Figure 1 shows the automaton for the formula $(p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$. Intuitively, a reset of $x_i$ represents $p_i \mapsto \mathit{true}$ and a reset of $\overline{x}_i$ means $p_i \mapsto \mathit{false}$. From $r_0$ to $r_2$ we check if the formula is satisfied by this guessed assignment. This formula is satisfied by every assignment that maps $p_3$ to true. This can be seen from the automaton by picking a cycle containing the transitions $q_2$ On that path, time can elapse for instance in state $q_0$, since $x_3$ is reset before being zero-checked. Conversely, consider the assignment $p_1 \mapsto \mathit{false}$, $p_2 \mapsto \mathit{true}$ and $p_3 \mapsto \mathit{false}$ that does not satisfy the formula. Take a cycle that resets $\overline{x}_1$, $x_2$ and $\overline{x}_3$ corresponding to the assignment. Then none of the clocks that are checked for zero on the transitions from $r_0$ to $r_1$ has been reset. Notice that these transitions come from the first clause in the formula, which evaluates to false according to the assignment. To take a transition from $r_0$, one of $x_1$, $\overline{x}_2$ and $x_3$ must be zero and hence time cannot elapse.
Lemma 1 below states that if the formula is satisfiable, there exists a sequence of resets that allows time elapse in every loop. Conversely, if the formula is unsatisfiable, in every iteration of the loop, there is a zero-check that prevents time from elapsing. The proof of Lemma 1 is given in Appendix A.
has a non-Zeno run.
The NP-hardness of $\mathrm{NZP}^{LU}$ then follows due to the small size of $ZG^{LU}(A^{NZ}_\phi)$.
The non-Zenoness problem is NP-complete for abstractions $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$.
Proof. We first prove that hence showing the isomorphism. The result transfers to $\mathrm{Extra}^+_{LU}$ thanks to Theorem 1.
The NP-hardness of $\mathrm{NZP}^{LU}$ then follows from Lemma 1. The membership to NP will be proved in Lemma 3 in the next section.
□
Notice that the type of zero checks in $A^{NZ}_\phi$ is crucial to Theorem 4. Replacing zero-checks of the form $x \leq 0$ by $x = 0$ does not modify the semantics of $A^{NZ}_\phi$. However, this yields $L(x) = 0$ for every clock $x$. Hence, the constraints of the form $x_i - x_j \leq 0$ are not abstracted: $\mathrm{Extra}_{LU}$ then preserves the ordering among the clocks. Each sequence of clock resets leading from $q_0$ to $q_k$ yields a distinct ordering on the clocks. Thus, there are exponentially many LU-abstracted zones with state $q_k$. As a consequence, the polynomial reduction from 3SAT is lost. We indeed provide in Section 4 below an algorithm for detecting non-Zeno runs from $ZG^{LU}(A)$ that runs in polynomial time when $L(x) = 0$ for every clock $x$.

Finding non-Zeno runs
Recall the non-Zenoness problem ($\mathrm{NZP}^a$): Given an automaton $A$ and its abstract zone graph $ZG^a(A)$, decide if $A$ has a non-Zeno run.
A standard solution to this problem involves adding one auxiliary clock to $A$ to detect non-Zenoness [12]. This solution was shown to cause an exponential blowup in [9]. In the same paper, a polynomial method has been proposed in the case of the $\mathrm{Extra}_M$ abstraction. We extend this method to an arbitrary abstraction $a$ and give conditions on $a$ for the method to remain polynomial.
An infinite run of the timed automaton could be Zeno due to two factors: blocking clocks, which are clocks that are bounded from above (i.e. $x \leq c$ for some $c > 0$) but are never reset in the run, and zero checks, which are guards of the form $x \leq 0$ or $x = 0$ that prevent time elapse in the run. The method in [9] tackles these two problems as follows. Blocking clocks are handled by first detecting a maximal strongly connected component (SCC) of the zone graph and repeatedly discarding the transitions that bound some blocking clock until a non-trivial SCC with no such clocks is obtained. This algorithm runs in polynomial time for every abstraction that is sound and complete. For zero checks, a guessing zone graph construction has been introduced to detect nodes where time can elapse. We now extend this construction to an arbitrary abstraction.

Reduced guessing zone graph rGZG a (A)
The necessary and sufficient condition for time elapse in a node despite zero-checks is to have every reachable zero-check from that node preceded by a corresponding reset. The nodes of the guessing zone graph are triples $(q, Z, Y)$ where $Y \subseteq X$ is the set of clocks that can potentially be checked for zero before being reset in a path from $(q, Z, Y)$. In particular, in a node with $Y = \emptyset$ zero-checks do not hinder time elapse.
A clock that is never checked for zero need not be remembered in sets $Y$. In order to lift the construction in [9], we restrict $Y$ sets to only contain clocks that can indeed be checked for zero. We say that a clock $x$ is relevant if there exists a guard $x \leq 0$ or $x = 0$ in the automaton. We denote the set of relevant clocks by $Rl(A)$. For a zone $Z$, let $C_0(Z)$ denote the set of clocks $x$ such that there exists a valuation $\nu \in Z$ with $\nu(x) = 0$. The clocks that can be checked for zero from $(q, Z)$ lie in $Rl(A) \cap C_0(Z)$.
Definition 2. Let $A$ be a timed automaton with clocks $X$. The reduced guessing zone graph $rGZG^a(A)$ has nodes of the form
Observe that as we require $\nu \models (Rl(A) - Y) > 0$ and $\nu \models g$ for some $\nu \in Z$, a transition that checks $x \leq 0$ (or $x = 0$) is allowed from a node $(q, Z, Y)$ only if $x \in Y$. Thus, from a node $(q, Z, \emptyset)$ every reachable zero-check should be preceded by the corresponding reset. Such a node is called clear. Time can elapse in clear nodes. A variable $x$ is bounded in a transition of $rGZG^a$ if the guard of the transition implies $x \leq c$ for some constant $c$. A path of $rGZG^a$ is said to be blocked if there is a variable that is bounded infinitely often and reset only finitely often by the transitions on the path. Otherwise the path is called unblocked. An unblocked path says that there are no blocking clocks to bound time and clear nodes suggest that in spite of zero-checks that might possibly occur in the future, time can still elapse. We get the following theorem. The proof of Theorem 5 follows from Lemmas 11 and 12 in Appendix B. The proof is along the same lines as for the guessing zone graph in [9].
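The search for an unblocked cycle through a clear node, as an added example in Python rather than code from the paper or from [9]: it applies the SCC pruning of blocking clocks described above to a graph whose reachable part is assumed to be already built. The edge tuple layout, the function names and the sample graph are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: edges of a small guessing zone graph, each reduced to
# (source, target, clocks bounded by the guard, clocks reset).
# Node and clock names are illustrative only.
EDGES = [
    ("n0", "n1", frozenset({"x"}), frozenset()),       # bounds x; x is never reset
    ("n1", "n0", frozenset(), frozenset({"y"})),
    ("n1", "n2", frozenset(), frozenset()),
    ("n2", "n1", frozenset({"y"}), frozenset({"y"})),  # bounds y and resets it
]
NODES = ["n0", "n1", "n2"]


def sccs(nodes, edges):
    """Strongly connected components (Kosaraju, iterative) as a list of node sets."""
    succ, pred = defaultdict(list), defaultdict(list)
    for src, dst, _bounded, _reset in edges:
        succ[src].append(dst)
        pred[dst].append(src)
    order, seen = [], set()
    for root in nodes:                      # first pass: DFS finishing order
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            nxt = next((n for n in it if n not in seen), None)
            if nxt is None:
                order.append(node)
                stack.pop()
            else:
                seen.add(nxt)
                stack.append((nxt, iter(succ[nxt])))
    comps, assigned = [], set()
    for root in reversed(order):            # second pass: reversed graph
        if root in assigned:
            continue
        comp, todo = set(), [root]
        assigned.add(root)
        while todo:
            node = todo.pop()
            comp.add(node)
            for p in pred[node]:
                if p not in assigned:
                    assigned.add(p)
                    todo.append(p)
        comps.append(comp)
    return comps


def non_zeno_components(nodes, edges, clear):
    """Return (node set, edge list) for every SCC that has no blocking clock
    and contains a clear node (a node whose guess set Y is empty)."""
    found, work = [], [(set(nodes), list(edges))]
    while work:
        ns, es = work.pop()
        for comp in sccs(ns, es):
            inner = [e for e in es if e[0] in comp and e[1] in comp]
            if not inner:
                continue                    # trivial SCC: no cycle at all
            bounded = set().union(*(e[2] for e in inner))
            reset = set().union(*(e[3] for e in inner))
            blocking = bounded - reset      # bounded in the SCC, never reset in it
            if blocking:
                # Discard the transitions that bound a blocking clock, then
                # decompose what is left again; at least one edge goes each time.
                kept = [e for e in inner if not (e[2] & blocking)]
                work.append((comp, kept))
            elif comp & set(clear):
                found.append((comp, inner))
    return found


if __name__ == "__main__":
    for comp, _ in non_zeno_components(NODES, EDGES, {"n2"}):
        print("unblocked SCC with a clear node:", sorted(comp))
```

On the sample, the whole graph is one SCC in which `x` is blocking; dropping the edge that bounds `x` leaves the smaller SCC `{n1, n2}`, where `y` is both bounded and reset.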

Polynomial algorithms for NZP a
Since we have a node in $rGZG^a(A)$ for every $(q, Z)$ in $ZG^a(A)$ and every subset $Y$ of $Rl(A)$, it can in principle be exponentially bigger than $ZG^a(A)$. Below, we see that depending on abstraction $a$, not all subsets $Y$ need to be considered.
Let $X'$ be a subset of $X$. We say that a zone $Z$ orders the clocks in $X'$ if for all clocks $x, y \in X'$, $Z$ implies that at least one of $x \leq y$ or $y \leq x$ holds.
Definition 3 (Weakly order-preserving abstractions). An abstraction $a$ weakly preserves orders if for all clocks $x, y \in Rl(A) \cap C_0(Z)$, $Z \models x \leq y$ iff $a(Z) \models x \leq y$.
It has been observed in [9] that all the zones that are reachable in the unabstracted zone graph $ZG(A)$ order the entire set of clocks $X$. Assume that $a$ weakly preserves orders, then for every reachable node $(q, Z, Y)$ in $rGZG^a(A)$, the zone $Z$ orders the clocks in $Rl(A) \cap C_0(Z)$. We now show that $Y$ is downward closed with respect to this order given by $Z$: for clocks $x, y \in Rl(A) \cap C_0(Z)$, if $Z \models x \leq y$ and $y \in Y$, then $x \in Y$. This entails that there are at most $Rl(A)$ downward closed sets to consider, thus giving a polynomial complexity.
Proof. We prove by induction on the transitions in $rGZG^a(A)$ that for every reachable node $(q, Z, Y)$ the set $Y$ is downward closed with respect to $Z$ on the clocks in $Rl(A) \cap C_0(Z)$. This is true for the initial node $(q_0, Z_0, Rl(A))$. Now, assume that this is true for $(q, Z, Y)$. Take a transition $(q, Z, Y)$ Suppose $Z' \models x \leq y$ for some $x, y \in Rl(A) \cap C_0(Z')$ and suppose $y \in Y'$. This could mean $y \in Y$ or $y \in R$. If $y \in R$, then $x$ is also in $R$ since $Z' \models x \leq y$. If $y \notin R$ then we get $y \in Y$ and $Z \models x \leq y$. By hypothesis that $Y$ is downward closed, $x \in Y$. In both cases $x \in Y'$. □
The definition of $\mathrm{Extra}_M$ in section 2.2 clearly shows that it weakly preserves orders. Hence, $rGZG^M(A)$ yields a polynomial algorithm for $\mathrm{NZP}^M$. Notice that thanks to the reduction of the guessing zone graph to the relevant clocks, we propose an algorithm that is more efficient than the algorithm in [9] despite using the same abstraction.
Proof. It has been proved in [9] that $\mathrm{Extra}_M$ weakly preserves orders. Note that for a clock $x$ in $Rl(A)$ we have $M(x) \geq 0$ and so if $x \in Rl(A) \cap C_0(Z)$, then it means that $Z$ is consistent with $x \leq M(x)$. Therefore, by definition, $\mathrm{Extra}^+_M(Z)$ restricted to clocks in $Rl(A) \cap C_0(Z)$ is identical to $\mathrm{Extra}_M(Z)$ restricted to the same set of clocks. Since $\mathrm{Extra}_M$ is weakly order preserving, we get that $\mathrm{Extra}^+_M$ is weakly order preserving too. □
However, the polynomial complexity is not preserved by coarser abstractions $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$.
Lemma 3. The abstractions $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ do not weakly preserve orders. The non-Zenoness problem is in NP for $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$.
Proof. The proof of Theorem 4 gives an example that illustrates that $\mathrm{Extra}_{LU}$ does not weakly preserve orders. This also holds for $\mathrm{Extra}^+_{LU}$ by Theorem 1. For the NP membership, let $N$ be the number of nodes in $ZG^{LU}(A)$. Let us non-deterministically choose a node $(q, Z)$. We assume that $(q, Z)$ is reachable as this can be checked in polynomial time on $ZG^{LU}(A)$.
We augment $(q, Z)$ with an empty guess set of clocks. From $(q, Z, \emptyset)$, we non-deterministically simulate a path $\pi$ of the (non-reduced) guessing zone graph [9] obtained from Definition 2 with $Rl(A) = X$ and $C_0(Z) = X$ for every zone $Z$. We avoid taking $\tau$ transitions on this path. This ensures that the guess sets accumulate all the resets on $\pi$. During the simulation, we also keep track of a separate set $U$ containing all the clocks that are bounded from above on a transition in $\pi$.
If during the simulation one reaches a node $(q, Z, Y)$ such that $U \subseteq Y$, then we have a cycle $(q, Z, \emptyset) \Rightarrow^*_a (q, Z, Y) \stackrel{\tau}{\Rightarrow}_a (q, Z, \emptyset)$ that is unblocked and that visits a clear node infinitely often. Also, since $(q, Z)$ is reachable in $ZG^{LU}(A)$, $(q, Z, X)$ is reachable in the guessing zone graph. Then $(q, Z, \emptyset)$ is reachable from $(q, Z, X)$ with a $\tau$ transition. From [9] and from the fact that $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ are sound and complete [2] we get a non-Zeno run of $A$. Notice that it is sufficient to simulate $N \times (|X| + 1)$ transitions since we can avoid visiting a node $(q', Z', Y')$ twice in $\pi$.

□
The abstraction $\mathrm{Extra}_{LU}$ does not weakly preserve order in zones due to relevant clocks with $L(x) = -\infty$ and $U(x) \geq 0$. We show that this is the only reason for NP-hardness. We slightly modify $\mathrm{Extra}_{LU}$ to get an abstraction $\mathrm{Extra}_{\overline{L}U}$ that is coarser than $\mathrm{Extra}_M$, but it still weakly preserves orders.
Definition 4 (Weak L bounds). Let $A$ be a timed automaton. Given the bounds $L(x)$ and $U(x)$ for every clock $x \in X$, the weak lower bound $\overline{L}$ is given by: $\overline{L}(x) = 0$ if $x \in Rl(A)$, $L(x) = -\infty$ and $U(x) \geq 0$, and $\overline{L}(x) = L(x)$ otherwise.
We denote $\mathrm{Extra}_{\overline{L}U}$ the $\mathrm{Extra}_{LU}$ abstraction obtained by choosing $\overline{L}$ instead of $L$. Notice that $\mathrm{Extra}_{\overline{L}U}$ and $\mathrm{Extra}_{LU}$ coincide when zero-checks are written $x = 0$ instead of $x \leq 0$ in the automaton. By definition of $\mathrm{Extra}_{\overline{L}U}$, we get the following.
$\mathrm{Extra}_{\overline{L}U}$ coincides with $\mathrm{Extra}_{LU}$ for a wide class of automata. For instance, when the automaton does not have a zero-check, $\mathrm{Extra}_{\overline{L}U}$ is exactly $\mathrm{Extra}_{LU}$, and the existence of a non-Zeno run can be decided in polynomial time.

The Zenoness problem
In this section we consider the Zenoness problem ($\mathrm{ZP}^a$): Given an automaton $A$ and its abstract zone graph $ZG^a(A)$, decide if $A$ has a Zeno run.
As in the case of non-Zenoness, this problem turns out to be NP-complete when the abstraction operator $a$ is $\mathrm{Extra}_{LU}$. We subsequently give the hardness proof by providing a reduction from 3SAT.

Reducing 3SAT to ZP a with abstraction Extra LU
Let $P = \{p_1, \ldots, p_k\}$ be a set of propositional variables. Let $\phi = C_1 \wedge \cdots \wedge C_n$ be a 3CNF formula with $n$ clauses. Each clause $C_m$, $m = 1, 2, \ldots, n$ is a disjunction of three literals $\lambda^m_1$, $\lambda^m_2$ and $\lambda^m_3$. We construct in polynomial time an automaton $A^Z_\phi$ and its zone graph $ZG^{LU}(A^Z_\phi)$ such that $A^Z_\phi$ has a Zeno run iff $\phi$ is satisfiable, thus proving the NP-hardness.
The automaton $A^Z_\phi$ has clocks $\{x_1, \overline{x}_1, \ldots, x_k, \overline{x}_k\}$ with $x_i$ and $\overline{x}_i$ corresponding to the literals $p_i$ and $\neg p_i$ respectively. We denote the clock associated to a literal $\lambda$ by $cl(\lambda)$. The set of states of $A^Z_\phi$ is given by $\{q_0, q_1, \ldots, q_k\} \cup \{r_0, r_1, r_2, \ldots, r_n\}$ with $q_0$ being the initial state. The transitions are as follows:
As an example, Figure 2 shows the automaton for the formula $(p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$. Clearly, the automaton $A^Z_\phi$ can be constructed from $\phi$ in $O(n)$ time. It remains to show that $ZG^{LU}(A^Z_\phi)$ can also be calculated in polynomial time from $A^Z_\phi$ and to show that $\phi$ is satisfiable iff $A^Z_\phi$ has a Zeno run. This is proved below.
The proof of Lemma 5 is given in Appendix C. We note that the size of the $ZG^{LU}(A)$ is the same as that of the automaton.
The Zenoness problem is NP-complete for $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$.
Proof. By looking at the guards in the transitions, we get that for each clock $x$, $L(x) = 1$ and $U(x) = -\infty$. The initial node of the zone graph $ZG^{LU}(A^Z_\phi)$ is $(q_0, \mathrm{Extra}_{LU}(Z_0))$ where $Z_0$ is the set of valuations given by ( , the non-negative half-space. After resetting a clock $x$ in a transition from $\mathbb{R}^X_{\geq 0}$, we get back to $\mathbb{R}^X_{\geq 0}$. On taking a transition with a guard $x \geq 1$ from $\mathbb{R}^X_{\geq 0}$, we come to a zone $\mathbb{R}^X_{\geq 0} \wedge x \geq 1$.
This extends to $\mathrm{Extra}^+_{LU}$ by Theorem 1. NP-hardness then comes from Lemma 5. NP-membership is proved in Lemma 7.
□
In the next section, we provide an algorithm for the Zenoness problem $\mathrm{ZP}^a$ and give conditions on abstraction $a$ for the solution to be polynomial.

Finding Zeno paths
We say that a transition is lifting if it has a guard that implies $x \geq 1$ for some clock $x$. The idea is to find if there exists a run of an automaton $A$ in which every clock $x$ that is reset infinitely often is lifted only finitely many times, ensuring that the run is Zeno. This amounts to checking if there exists a cycle in $ZG(A)$ where every clock that is reset is not lifted. Observe that when $(q, Z) \stackrel{x \geq c}{\Longrightarrow} (q', Z')$ is a transition of $ZG(A)$, then $Z'$ entails that $x \geq c$. Therefore, if a node $(q, Z)$ is part of a cycle in the required form, then in particular, all the clocks that are greater than 1 in $Z$ should not be reset in the cycle.
Based on the above intuition, our solution begins with computing the zone graph on-the-fly. At some node $(q, Z)$ the algorithm non-deterministically guesses that this node is part of a cycle that yields a Zeno run. This node transits to what we call the slow mode. In this mode, a reset of $x$ in a transition is allowed from $(q', Z')$ only if $Z'$ is consistent with $x < 1$.
Before we define our construction formally, recall that we would be working with the abstract zone graph $ZG^a(A)$ and not $ZG(A)$. Therefore for our solution to work, the abstraction operator $a$ should remember the fact that a clock has a value greater than 1.
For an automaton $A$ over the set of clocks $X$, let $Lf(A)$ denote the set of clocks that appear in a lifting transition of $A$.
Definition 5 (Lift-safe abstractions). An abstraction operator $a$ is called lift-safe if for every zone $Z$ and for every clock
We are now in a position to define our slow zone graph construction to decide if an automaton has a Zeno run.
Definition 6 (Slow zone graph). Let $A$ be a timed automaton over the set of clocks $X$. Let $a$ be a lift-safe abstraction. The slow zone graph $SZG^a(A)$ has nodes of the form $(q, Z, l)$ where $l = \{\mathit{free}, \mathit{slow}\}$. The initial node is $(q_0, Z_0, \mathit{free})$ where $(q_0, Z_0)$ is the initial node of $ZG^a(A)$. For every transition $(q, Z) \stackrel{t}{\Rightarrow}_a (q', Z')$ in $ZG^a(A)$ with $t = (q, g, R, q')$, we have the following transitions in $SZG^a(A)$: A new letter $\tau$ is introduced that adds transitions $(q, Z, \mathit{free}) \stackrel{\tau}{\Rightarrow}_a (q, Z, \mathit{slow})$.
A node of the form $(q, Z, \mathit{slow})$ is said to be a slow node. A path of $SZG^a(A)$ is said to be slow if it has a suffix consisting entirely of slow nodes. The $\tau$-transitions take a node $(q, Z)$ from the free mode to the slow mode. Note that the transitions of the slow mode are constrained further. Lemmas 13 and 14 in Appendix D show that there is a cycle in the $SZG^a(A)$ consisting entirely of slow nodes iff $A$ has a Zeno run.
The above two lemmas prove the correctness of the approach. From the definition of $SZG^a(A)$ it follows clearly that for each node $(q, Z)$ of the zone graph there are two nodes in $SZG^a(A)$: $(q, Z, \mathit{free})$ and $(q, Z, \mathit{slow})$. We thus get the following theorem.
Theorem 8. Let $a$ be a lift-safe abstraction. The automaton $A$ has a Zeno run iff $SZG^a(A)$ has an infinite slow path. The number of reachable nodes of $SZG^a(A)$ is at most twice the number of reachable nodes in $ZG^a(A)$.
We now turn our attention towards some of the abstractions existing in the literature. We observe that the classical $\mathrm{Extra}_M$ is lift-safe and hence the Zenoness problem could be solved using the slow zone graph construction. However, in accordance with the NP-hardness of the problem for $\mathrm{Extra}_{LU}$, we get that $\mathrm{Extra}_{LU}$ is not lift-safe.
Proof. Observe that for every clock that is lifted, the bound $M$ is at least 1.
It is now straightforward from the definitions of $\mathrm{Extra}_M$, $\mathrm{Extra}^+_M$ that they are lift-safe.
□
Lemma 7. The abstractions $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ are not lift-safe. The Zenoness problem for $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ is in NP.
Proof. That $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$ are not lift-safe follows from the proof of Theorem 7. We show the NP-membership using a technique similar to the slow zone graph construction. Since $\mathrm{Extra}_{LU}$ is not lift-safe, the reachable zones in $ZG^{LU}(A)$ do not maintain the information about the clocks that have been lifted. Therefore, at some reachable zone $(q, Z)$ we non-deterministically guess the set of clocks $Y$ that are allowed to be lifted in the future and go to a node $(q, Z, Y)$. From now on, there are transitions $(q, Z, Y) \stackrel{t}{\Rightarrow}_a (q', Z', Y)$ when: If a cycle is obtained that contains $(q, Z, Y)$, then the clocks that are reset and lifted in this cycle are disjoint and hence $A$ has a Zeno run. This shows that if $A$ has a Zeno run we can non-deterministically choose a path of the above form and the length of this path is bounded by twice the number of zones in $ZG^{LU}(A)$ (which is our other input). This proves the NP-membership.

Weakening the U bounds
We saw in Lemma 7 that the extrapolation $\mathrm{Extra}_{LU}$ is not lift-safe. This is due to clocks $x$ that are lifted but have $U(x) = -\infty$. These are exactly the clocks $x$ with $L(x) \geq 1$ and $U(x) = -\infty$. We propose to weaken the $U$ bounds so that the information about a clock being lifted is remembered in the abstracted zone. Let Extra LU denote the $\mathrm{Extra}_{LU}$ abstraction, but with U bound for each clock instead of $U$. This definition ensures that for all lifted clocks, that is, for all $x \in Lf(A)$, if a zone entails that $x \geq 1$ then Extra LU (Z) also entails that $x \geq 1$. This is summarized by the following lemma, the proof of which follows by definitions.
Lemma 8. For all zones Z, Extra LU is lift-safe.
From Theorem 8, we get that the Zenoness problem is polynomial for Extra LU . However, there is a price to pay. Weakening the $U$ bounds leads to zone graphs exponentially bigger in some cases. For example, for the automaton $A^Z_\varphi$ that was used to prove the NP-completeness of the Zenoness problem with $\mathrm{Extra}_{LU}$, note that the zone graph ZG LU (A Z φ ) obtained by applying Extra LU is exponentially bigger than $ZG^{LU}(A^Z_\varphi)$. This leads to a slow zone graph SZG LU (A Z φ ) with size polynomial in ZG LU (A Z φ ).

Conclusion
We have shown a surprising fact that the problem of deciding existence of Zeno or non-Zeno behaviours from abstract zone graphs depends heavily on the abstractions, to the extent that the problem changes from being polynomial to becoming NP-complete as the abstractions get coarser. We have proved NP-completeness for the coarse abstractions $\mathrm{Extra}_{LU}$ and $\mathrm{Extra}^+_{LU}$. In contrast, the fundamental notions of reachability and Büchi emptiness over abstract zone graphs have a mere linear complexity, independent of the abstraction.
On the positive side, from our study on the conditions for an abstraction to give a polynomial solution, we see that a small modification of the LU-extrapolation works. We have defined two weaker abstractions: Extra LU for detecting non-Zeno runs and Extra LU for detecting Zeno runs. The weak bounds L and U can also be used with $\mathrm{Extra}^+_{LU}$ to achieve similar results. Despite leading to a polynomial solution for checking Zeno or non-Zeno behaviours from abstract zone graphs, these abstractions transfer the complexity to the input: they could lead to exponentially bigger abstract zone graphs themselves.
While working with abstract zone graphs, coarse abstractions (and hence small abstract zone graphs) are essential to handle big models of timed automata. These, as we have seen, work against the Zenoness questions. Our results therefore provide a theoretical motivation to look for cheaper substitutes to the notion of Zenoness.

A Proof of Lemma 1
Lemma 9. Let $\varphi$ be a satisfiable 3CNF formula, then $A^{NZ}_\varphi$ has a non-Zeno run.
Proof. Assume that $\varphi$ is satisfied by some variable assignment $\chi$. Let $\rho$ be a sequence of transitions such that:
Now, we prove that $\rho$ is a run of $A^{NZ}_\varphi$. We need to prove that zero-checked transitions can be crossed despite elapsing 1 time unit. Recall that every infinite run visits infinitely often a configuration with state $r_n$. Consider two successive configurations on $\rho$ with state $r_n$.
$\cdots (r_n, \nu)$
By definition of $\rho$, $\lambda^m_j$ is a literal that evaluates to true according to $\chi$. Hence, the clock $cl(\lambda^m_j)$ is reset before being zero-checked and $\nu''(cl(\lambda^m_j)) = 0$. As a consequence, the run $\rho$ exists. Furthermore, it is non-Zeno as 1 time unit elapses infinitely often.
□
has a non-Zeno run
Proof. Consider a non-Zeno run $\rho$ of $A^{NZ}_\varphi$. Since $\rho$ is non-Zeno, time elapses on infinitely many transitions in the run. Every infinite run of $A^{NZ}_\varphi$ visits infinitely often a configuration with state $r_n$. Consider two consecutive configurations on $\rho$ such that time elapses on some transition on the segment from $(r_n, \nu)$ to $(r_n, \nu'')$.
$\cdots (r_n, \nu) \to \cdots (q_k, \nu') \to \cdots (r_{m-1}, \nu'')$
By construction, for each $i \in [1; k]$ either x i or x i is reset on the segment from $(r_n, \nu)$ to $(q_k, \nu')$. Let $\chi$ be the variable assignment that associates true to $p_i$ when x i is reset, and false otherwise, that is when x i is reset. We prove that $\chi$ satisfies $\varphi$.
Consider the transition $(r_{m-1}, \nu'')$
It must be the case that $\nu''(cl(\lambda^m_j)) = 0$. Notice that time cannot elapse from $(q_k, \nu')$ to $(r_n, \nu'')$ because of zero-checks. Hence, time elapse can occur between $(r_n, \nu)$ and $(q_k, \nu')$. Thus the clock $cl(\lambda^m_j)$ must be reset before reaching $(r_{m-1}, \nu'')$. Thus, $\chi(\lambda^m_j) = \mathit{true}$, hence $C_m$ also evaluates to true. This holds for all the clauses. As a consequence, $\varphi$ is satisfied by $\chi$.
□

B Proof of Theorem 5
Lemma 11. If $A$ has a non-Zeno run, then in $rGZG^a(A)$ there is an unblocked path visiting a clear node infinitely often.
Proof. Let $\rho$ be a non-Zeno run of $A$:
Since $a$ is complete, $\rho$ is an instantiation of a path $\pi$ in $ZG^a(A)$:
Let $\sigma$ be the following sequence of transitions:
We need to see that $\sigma$ is indeed a path in $rGZG^a(A)$. For this we need to see that every transition i ) > 0 and ν g i where $g_i$ is the guard of $t_i$. We prove this by an induction on the run. As by the definition of $\rho$, ν i + δ i g i for all $i \geq 0$, we only need to prove that . Therefore a clock $x \in Rl(A) - Y_{i+1}$ either belongs to $Rl(A) - Y'_i$ in which case it is greater than 0 by induction hypothesis, or otherwise we have $x \in Y'_i$ but $x \notin C_0(Z_{i+1})$. By the definition of $C_0(Z_{i+1})$, all valuations $\nu \in Z_{i+1}$ satisfy $\nu(x) > 0$ and so in particular, $\nu_{i+1}(x) > 0$. This leads to $\nu_{i+1}(Rl(A) - Y_{i+1}) > 0$ which easily extends to $\nu_{i+1} + \delta_{i+1}(Rl(A) - Y'_{i+1}) > 0$. Since $\rho$ is non-Zeno there are infinitely many $i$ with $Y'_i = \emptyset$. It is also straightforward to check that $\sigma'$ is unblocked.
□
Lemma 12. Suppose $rGZG^a(A)$ has an unblocked path visiting infinitely often a clear node then $A$ has a non-Zeno run.
Proof. The proof follows the same lines as the proof of Lemma 6 in [9] with the additional information that for all clocks $x$ that do not belong to $Rl(A)$, we have $g \wedge (x > 0)$ consistent for all guards $g$. We recall the proof, with this slight change incorporated. Let $\pi : (q_0, Z_0, Y_0) \xrightarrow{t_0} \cdots$ be the unblocked path of $rGZG^a(A)$ that visits a clear node infinitely often. Since $a$ is sound, take an instantiation $\rho$ :
Suppose $\rho$ is Zeno, there exists an index $m$ such that all clocks $\nu_n(x) < 1/2$ for all $x \in X_r$ and for all $n \geq m$. Take indices $i, j \geq m$ such that $Y_i = Y_j = \emptyset$ and all clocks in $X_r$ are reset between $i$ and $j$. We look at the sequence $(q_i, \nu_i) \xrightarrow{\delta_i, t_i} \cdots (q_j, \nu_j)$ and claim that every sequence of the form
is a part of a run of $A$ provided there is $\zeta \in \mathbb{R}_{\geq 0}$ such that the following three conditions hold for all $k = i, \ldots, j$:
$x \in X_r$ and $x$ has not been reset between $i$ and $k$.
3. $\nu'_k(x) = \nu_k(x)$ otherwise, i.e., when $x \in X_r$ and $x$ has been reset between $i$ and $k$.
It is easy to see that the run obtained by replacing every such $i$-$j$ interval of $\rho$ by the above sequence gives a non-Zeno run, since a 1/2 time unit has elapsed infinitely often.
We now show that the above is indeed a valid run of $A$. For this we need to first show that $\nu'_k + \delta_k$ satisfies the guard in $t_k$. Let $g$ be the guard. For $x \notin X_r$, from the assumption that $\rho$ is unblocked, we know that $g$ could only be of the form $x > c$ or $x \geq c$. So $\nu'_k(x)$ clearly satisfies $g$. If $x \in X_r$ and is reset between $i$ and $k$, $\nu'_k(x) = \nu_k(x)$ and so we are done. Consider the case when $x \in X_r$ and is not reset between $i$ and $k$. Observe that $x \notin Y_k$. This is because $Y_i = \emptyset$, and then only variables that are reset are added to $Y$. Since $x$ is not reset between $i$ and $k$, it cannot be in $Y_k$. By definition of transitions in $rGZG^a(A)$, if $x \in Rl(A)$ this means that $g \wedge (x > 0)$ is consistent. But for $x \notin Rl(A)$ by definition, $g \wedge (x > 0)$ is consistent. We have that $0 \leq (\nu_k + \delta_k)(x) < 1/2$ and $1/2 \leq (\nu'_k + \delta_k)(x) < 1$. So $\nu'_k + \delta_k$ satisfies all the constraints in $g$ concerning $x$ as $\nu_k + \delta_k$ does.
It can also be seen that the valuation obtained from $\nu'_k$ by resetting the clocks in transition $t_k$ is the valuation $\nu'_{k+1}$. □

C Proof of Lemma 5
Proof. For the left-to-right direction, suppose that $\varphi$ is satisfiable. Then there exists a variable assignment $\chi : P \to \{\mathit{true}, \mathit{false}\}$ that evaluates $\varphi$ to true. We now build the Zeno run of $A^Z_\varphi$ using $\chi$. Pick an infinite run $\rho$ of $A^Z_\varphi$. Clearly, it should have the following sequence of states repeated infinitely often:
We choose the transitions for $\rho$ that allow time elapse only by a finite amount.
If $\chi(p_i) = \mathit{true}$, then we put q i−1
Otherwise $\chi(p_i) = \mathit{false}$ and we put $q_{i-1} \xrightarrow{\{x_i\}} q_i$. We now need to choose the transitions $r_{m-1} \to r_m$ for $m = 1, \ldots, n$. Since $\chi$ is a satisfying assignment, every clause $C_m$ has a literal $\lambda$ that evaluates to true with $\chi$. We choose the corresponding transition $r_{m-1} \xrightarrow{cl(\lambda) \geq 1} r_m$. Observe that if $\lambda$ evaluates to true, it implies that cl(λ) was reset in one of the $q_i \to q_{i+1}$ transitions but not cl(λ). Therefore, the above construction yields a sequence of transitions with the property that all clocks that are reset are never checked for greater than 1. This sequence can be taken by elapsing 1 time unit in the very first state, and then subsequently elapsing no time at all, thus giving a Zeno run in $A^Z_\varphi$.
We now prove the right-to-left direction. Let $\rho$ be an infinite Zeno run of $A^Z_\varphi$. An infinite run should repeat the sequence of states given in (1). Since $\rho$ is Zeno, it has a suffix $\rho_s$ such that for every clock $x$ that is reset in $\rho_s$, $x \geq 1$ never occurs in the transitions of $\rho_s$. This is because if every suffix of $\rho$ contains a clock that is both reset and checked for greater than 1, this would mean that there is a time elapse of one time unit occurring infinitely often, contradicting the hypothesis that $\rho$ is Zeno.
Consider a segment $S = q_0 \to \cdots q_n \to r_0 \to r_1 \to \cdots r_k$ in $\rho_s$. We construct a satisfying assignment $\chi : P \to \{\mathit{true}, \mathit{false}\}$ for $\varphi$ from $S$.
This shows that for a literal $\lambda$, if cl(λ) is reset in $S$, then $\chi(\lambda) = \mathit{true}$. From the property of $\rho_s$ that no clock that is reset is checked in a guard, for every transition $r_{m-1} \xrightarrow{\lambda \geq 1} r_m$ in $S$, it is clock cl(λ) that is reset and hence $\chi(\lambda) = \mathit{true}$. By construction of $A^Z_\varphi$, $\lambda$ is a literal in $C_m$. Therefore, we get a literal that is true in every clause evaluating $\varphi$ to true.
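The two directions of this proof can be replayed on small formulas. The Python sketch below is an added example, not code from the paper: it enumerates single passes through the gadget and keeps those in which no reset clock is checked against $\geq 1$, which exist exactly when $\varphi$ is satisfiable. It assumes DIMACS-style literals, that the clock cl(λ) is named by the literal itself, and that a true $p_i$ corresponds to resetting the barred clock of its pair; the sample formulas are constructed.

```python
from itertools import product

# Constructed sample formulas; literal i is p_i, -i is its negation (DIMACS style).
# Assumption: the clock cl(lit) is named by the literal, so clock i is x_i and
# clock -i is the barred clock of the same variable.
SAT_PHI = [[1, 2, -3], [-1, 2, 3], [-2, -3, 1]]
UNSAT_PHI = [[1, 1, 1], [-1, -1, -1]]  # p_1 and (not p_1), padded to width 3


def satisfiable(phi, nvars):
    """Reference answer: brute-force search for a satisfying assignment."""
    for bits in product([False, True], repeat=nvars):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in phi):
            return True
    return False


def zeno_passes(phi, nvars):
    """Enumerate single passes through the variable and clause states.

    Each variable step resets exactly one clock of its pair; each clause step
    takes one guard cl(lit) >= 1, which lifts that clock. A pass qualifies
    when no reset clock is also lifted, the property the proof uses.
    """
    found = []
    for resets in product(*[(i, -i) for i in range(1, nvars + 1)]):
        reset_set = set(resets)
        for lifted in product(*phi):
            if reset_set.isdisjoint(lifted):
                found.append((reset_set, lifted))
    return found


def assignment_from_resets(reset_set, nvars):
    """Assumed convention: chi(p_i) is true iff the barred clock -i is reset."""
    return {i: (-i in reset_set) for i in range(1, nvars + 1)}


def satisfies(chi, phi):
    """Evaluate the CNF formula under the assignment chi."""
    return all(any(chi[abs(l)] == (l > 0) for l in c) for c in phi)


if __name__ == "__main__":
    for name, phi, n in (("SAT_PHI", SAT_PHI, 3), ("UNSAT_PHI", UNSAT_PHI, 1)):
        passes = zeno_passes(phi, n)
        print(name, "satisfiable:", satisfiable(phi, n), "passes:", len(passes))
```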
□

D Proof of Theorem 8
Lemma 13. If $A$ has a Zeno run, then there exists an infinite slow path in $SZG^a(A)$.
Proof. Let $\rho$ be a Zeno run of $A$:
Let $\pi$ be its concretization in $ZG^a(A)$:
We construct an infinite slow path in $SZG^a(A)$ from the path $\pi$. Let $X_l$ be the set of clocks that are lifted infinitely often in $\pi$ and let $X_r$ be the set of clocks that are reset infinitely often in $\pi$. Let $\pi^i$ denote the suffix of $\pi$ starting from the position $i$.
Clearly, there exists an index $m$ such that all the clocks that are lifted in $\pi^m$ belong to $X_l$ and the ones that are reset in $\pi^m$ belong to $X_r$. Since $\rho$ is Zeno, we have $X_l \cap X_r = \emptyset$. This shows that all the clocks that are reset in $\pi^m$ are never lifted in its transitions. Therefore, there exists an index $k \geq m$ such that for all $j \geq k$, $Z_j$ is consistent with $x < 1$ for all clocks $x \in X_r$ and we get the following path of $SZG^a(A)$:
If $SZG^a(A)$ has an infinite slow path, then $A$ has a Zeno run.
Proof. Let $\pi$ be the slow path of $SZG^a(A)$:
Take the corresponding path in $ZG^a(A)$ and an instance $\rho = (q_0, \nu_0) \xrightarrow{\delta_0, t_0} (q_1, \nu_1) \cdots$ which is a run of $A$, as we have assumed that $a$ is a sound abstraction.
Let $X_r$ be the set of clocks that are reset infinitely often and let $X_l$ be the set of clocks that are lifted infinitely often in $\rho$. By the semantics of the slow mode and from our hypothesis of $a$ being lift-safe, after the index $j$, all clocks that are lifted once can never be reset again. Therefore, there exists an index $k \geq j$ such that the following hold:
- all clocks that are reset in $\rho^k$ belong to $X_r$ and all clocks that are lifted in a transition of $\rho^k$ belong to $X_l$,
- for all $x \in X_l$ and for all $i \geq k$, $\nu_i(x) \geq c$ where $c$ is the maximum constant appearing in a lifting transition of $\rho^k$.
We now modify the time delays of $\rho^k$ to construct a run that elapses a bounded amount of time. Pick the sequence of indices $i_1, i_2, \ldots$ in $\rho^k$ such that $\delta_{i_m} > 0$, for all $m \in \mathbb{N}$. Define the new delays $\delta'_i$ for all $i \geq k$ as follows:
Consider the run $\rho'$ obtained by elapsing $\delta'_i$ time units after the index $k$:
Clearly, $\rho'$ is Zeno. It remains to prove that $\rho'$ is a run of $A$. Denote $\nu_k$ by $\nu'_k$. We need to show that for all $i \geq k$, $\nu'_i + \delta'_i$ satisfies the guard in the transition $t_i$. Call this guard $g_i$. Clearly, since $\nu'_i + \delta'_i \leq \nu_i + \delta_i$ by definition, if $g_i$ is of form $x < c$ or $x \leq c$ then it is satisfied by the new valuation. Let us now consider the case when $g_i$ is of the form $x \geq c$ or $x > c$. If $c \geq 1$, then we know that $x \in X_l$ from the assumption on $k$. But since $\nu_k(x) \geq c$ and $x$ is not reset anywhere in $\rho^k$, $\nu'_i(x) \geq c$ for all $i$ and hence the new valuation satisfies $g_i$. We are left with the case when $g_i$ is of the form $x > 0$. However this follows since by definition of the new $\delta'_i$, $\nu'_i + \delta'_i = 0$ iff $\nu_i + \delta_i = 0$. □