Fundamenta Informaticae 42 (2000) 1-21
IOS Press

Timed Cooperating Automata

Ruggero Lanotte and Andrea Maggiolo-Schettini†
Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy

Adriano Peron‡
Dipartimento di Matematica e Informatica, Università di Udine, Via delle Scienze 206, 33100 Udine, Italy

Abstract. We propose Timed Cooperating Automata (TCAs), an extension of the model Cooperating Automata of Harel and Drusinsky, and we investigate some basic properties. In particular we consider variants of TCAs based on the presence or absence of internal activity, urgency and reactivity, and we compare the expressiveness of these variants with that of the classical model of Timed Automata (TAs) and its extensions with periodic clock constraints and with silent moves. We consider also closure and decidability properties of TCAs and start a study on succinctness of their variants with respect to that of TAs.

Keywords: Timed automata, Expressiveness, Closure properties, Succinctness.

Research partially supported by CNR Progetto Strategico "Modelli e Metodi per la Matematica e l'Ingegneria", by MURST Progetto Cofinanziato "Tecniche Formali per la Specifica, l'Analisi, la Verifica, la Sintesi e la Trasformazione di Sistemi Software", and by MURST Progetto Cofinanziato TOSCA.
† Address for correspondence: Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy
‡ Address for correspondence: Dipartimento di Matematica e Informatica, Università di Udine, Via delle Scienze 206, 33100 Udine, Italy
1. Introduction
In [1] Alur and Dill propose Timed Automata (TAs) to model the behaviour of real-time systems over time. The behaviour of a system is described, in an abstract way, in terms of acceptance or non-acceptance of timed infinite (ω)-sequences. (A timed sequence is a sequence of symbols of a given alphabet where each symbol is annotated with a time value taken from a dense time domain.) A Timed Automaton maintains an ongoing interaction with the environment by reacting to the sequence of environment prompts represented in the form of a timed (ω)-sequence. Reacting to an environment prompt means performing a transition. Timed Automata are reactive, since they must have the ability to properly respond to each prompt of the environment, and they are urgent, since a reaction is accomplished instantaneously without any unmotivated delay. Recently, two extensions of TA have been proposed, one (see [5]) permitting a stronger form of control over time (periodic clocks), denoted TAp, and the other (see [3]) permitting silent moves, denoted TA . (Also restrictions of TAs have been considered in [2, 7].)
Timed Automata are inherently sequential and lack a way of explicitly representing parallelism and communication. As shown in [6], an advantage of representing parallelism and cooperation is the gain in succinctness, that is the inherent size of the automaton required to accept a given language. In [6], a model, called Cooperating Automaton (CA), is introduced, which represents parallelism and communication while remaining as close as possible to classical finite automata. Besides succinctness, another advantage of this model is that it comes close to the successful specification language Statecharts [8]. In fact, CAs correspond to Statecharts devoid of hierarchy and consisting of a single collection of orthogonal components, each of which is merely a finite automaton which evolves synchronously with respect to the other components.
In this paper we propose a model, called Timed Cooperating Automaton (TCA), which is a twofold extension of CA. First, we consider transitions guarded with suitable timing constraints. Second, we extend the notion of transition step, which traditionally consists of only one transition firing (as is also the case for TA), by permitting transition steps consisting of sequences of transitions. Sequences of transitions can be interpreted as an activity which is triggered by the environment but may go on independently and take a non-null time for its completion (internal activity). A reason for considering internal activity is that it is permitted in many specification formalisms (see e.g. Esterel [4] and some variants of Statecharts [10, 12]). In this paper, we study the impact of internal activity, urgency and reactivity on the expressive power of TCAs, and we compare the model and its variants, which we are proposing, with the mentioned models TA, TAp and TA . We show that both the presence of internal activity and (independently) the absence of urgency increase the expressive power of the formalism. As for the comparison with TA, TAp and TA , we show that the absence of internal activity makes the expressive power of TCAs comparable to that of TAs. By permitting internal activity we have that TCAs have at least the same power as TAp s, and by releasing urgency we have that TCAs have at least the same power as TA s. The role played by reactivity is not at the moment completely clear to us. In the paper we also begin a study of succinctness properties of the model presented with respect to TAs and we show that TCAs may give an exponential saving in the representation. It is our intention to use TCAs as an intermediate format (in the line of [11]) into which (Timed) Statecharts can be naturally translated and where interesting properties, such as refinement and retiming, can be investigated more easily than in the higher-level formalism. The present paper is a revised and extended version of [9].
The paper is organised as follows. In section 2 we introduce the model of Timed Cooperating Automata and its variants. In section 3, after recalling the definitions of TA, TAp , and TA , we compare the expressive power of the variants of Timed Cooperating Automata with the three classes of automata mentioned. In section 4 we discuss the issues of closure under boolean operations and of decidability of emptiness. In section 5 we deal with succinctness of TCAs.
2. Timed Cooperating Automata
A timed sequence is a sequence of symbols (from a finite alphabet ), where each symbol is annotated with a time value taken from a dense time domain Time (non-negative rational numbers, for instance). In [1] a timed sequence is presented as a pair = h1 ; 2 i consisting of an ω-sequence 1 over (the untimed version of the sequence) and an ω-sequence 2 over Time, where it is intended that the i-th symbol of 1 (also written 1 (i)) occurs at time 2 (i). Timed sequences have to fulfil the two restrictions of monotonicity and progress:
monotonicity: 2 (i) 2 (i + 1), for all i 0;
progress: for every 2 Time there is i such that 2(i) .
Monotonicity and progress permit interpreting a timed sequence as the description of an ongoing interaction between the environment, which prompts a system with symbols communicated instantaneously, and a system which is able (or is not able) to react to such prompts. In this work we extend the notion of timed sequence by considering sequences of elements of the powerset of (sets of symbols can be communicated by the environment instead of singletons). Moreover, we assume that symbols can be communicated continuously during intervals of time. To this purpose, we extend a timed sequence by an ω-sequence 3 over Time, intending that signals in 1 (i) are communicated continuously during the interval [2 (i); 2 (i) + 3 (i)]. Therefore, an environment is a triple
= h1 ; 2 ; 3 i;
where:
1. 1 : IN ?! 2 gives the set of events communicated at each interaction;
2. 2 : IN ?! Time gives the time of each interaction and satisfies the requirements of monotonicity and progress;
3. 3 : IN ?! Time gives the duration of communication during interaction and satisfies the requirement that communication intervals do not overlap (except possibly at their borders), namely 2 (i) + 3 (i) 2 (i + 1).
We assume that the interaction with the environment starts at time 0, and that, for any environment , 1 (0) = ;, 2 (0) = 0, and 3 (0) = 0. One can interpret this first interaction as the switching on of the system. The meaningful interaction with the environment is then given by + = h+1 ; +2 ; +3 i, where +i , for i 2 f1; 2; 3g, is the restriction of i to positive natural numbers.
We briefly recall the idea of a Cooperating Automaton. A CA consists of n automata each with its own set of states, an initial state and a transition table. These automata work together in a synchronous manner, taking transitions according to the common input symbol being read, their internal states and a set of propositions over atomic formulas having the form "component i currently enters state q" (condition formulas). Condition formulas are interpreted to take on truth values according to the states of possibly all the components, thus permitting cooperation among them. In the extension of CA we are proposing, condition formulas impose constraints not only on the set of current states but also on the relative time of entering or exiting a state.
Let denote the collection of propositional formulas over (environment conditions), inductively defined as follows:
1. true; ;
2. p1 ^ p2 , p1 _ p2 , :p1 are in for p1 and p2 in .
For an alphabet of state symbols Q, let ?Q denote the collection of internal conditions inductively defined as follows:
1. true; q = , q[ ] and qf g are in ?Q with q 2 Q and 2 Time;
2. p1 ^ p2 , p1 _ p2 , :p1 are in ?Q for p1 and p2 in ?Q.
Like a cooperating automaton, a TCA is the parallel composition of sequential automata. In order to generalize the standard notion of step (consisting of only one transition for each sequential component) to a notion of step admitting sequences of transitions, we distinguish between input states (starting and ending an internal activity) and non-input states (intermediate states of an internal activity). The acceptance condition is a Büchi acceptance condition (see [13]).
Definition 2.1. A Timed Cooperating Automaton (TCA) is a tuple
M = hM1 ; : : : ; Mn ; I ; Fi;
where:
1. each sequential automaton Mi (with 1 i n) is a triple hQi ; qi0 ; i i such that
(a) Qi is a finite set of states (Q1 ; : : : ; Qn are required to be pairwise disjoint and Q is ⋃ 1in Qi );
(b) qi0 2 Qi is the initial state;
(c) i Qi ?Q Qi is the transition relation;
2. the set I of input states is such that ⋃ 1in fqi0 g I Q;
3. F I is the set of accepting states.
Figure 1. An example of TCA.
A TCAI is a TCA with only input states, i.e. I = Q. A Sequential Timed Cooperating Automaton (STCA) is a TCA consisting of only one sequential automaton. An example of TCA is given in Fig.1. This automaton consists of two sequential automata. Boxes are input states and circles represent non-input states. Initial states are depicted as states associated with a dangling arc.
A local configuration for a sequential automaton Mi is a tuple
Ci = hqi; ini ; outi; i i,
where:
1. qi 2 Qi is the enabled state of Mi ;
2. ini : Qi ?! Time is the state enabling (partial) function;
3. outi : Qi ?! Time is the state disabling (partial) function;
4. i 2 Time is the local time.
The enabling function ini (q) gives, whenever it is defined, the time when the state q 2 Qi has most recently been enabled. If ini (q) is undefined, then q has never been enabled. The disabling function outi (q) gives, whenever it is defined, the time when a state q 2 Qi has most recently been disabled (whenever it has been previously enabled, i.e. whenever ini (q) is defined). If ini (q) is defined and either outi (q) is undefined or outi (q) < ini (q), then q is currently enabled. Vice versa, if ini (q) and outi (q) are both defined and ini (q) outi (q), then q is currently disabled. A local configuration Ci = hqi ; ini ; outi ; i i is an input configuration if qi 2 I , and it is initial if qi = qi0 , i = 0, ini (qi0 ) = 0 (with ini undefined elsewhere) and outi is undefined for any q 2 Qi . Such a configuration is denoted by Ci0 .
A (global) configuration C is a tuple hC1 ; : : : ; Cn ; ; mi, where:
1. Ci is a local configuration, for 1 i n;
2. is an environment;
3. m 2 IN is the number indicating that C is concerned with the m-th interaction with the environment, namely h1 (m); 2 (m); 3 (m)i.
Let C = hC1 ; : : : ; Cn ; ; mi be a configuration with Ci = hqi ; ini ; outi ; i i. An atomic proposition true; q[ ], qf g and q = with q 2 Qi , is evaluated to ⊥ (i.e. undefined) in C at time , if i > .
An atomic proposition q[ ] with q 2 Qi is evaluated to True at time in C iff
1. i ;
2. q = qi and ini (q) ? ,
namely if state q is currently enabled and it has been enabled at least since a time .
An atomic proposition qf g with q 2 Qi is evaluated to True at time in C iff
1. i ;
2. either ? outi (q) or q = qi ,
namely if state q is currently enabled or it has been disabled since at most a time .
An atomic proposition q = with q 2 Qi is evaluated to True at time in C iff
1. i ;
2. q = qi and ini (q) = ? ,
namely if state q has been enabled exactly since a time .
In all of the remaining cases the above mentioned atomic propositions evaluate to False in a configuration C at time . Given the evaluation of atomic formulas, a formula 2 ?Q is evaluated in a configuration C at a time by exploiting the standard semantics of connectives ^, _ and : over the truth-values True, False and ⊥. An environment proposition 2 is evaluated in an environment at time and at the m-th interaction with the environment by interpreting to True all the symbols in the set
ftrueg [ fa : a 2 1 (m); 2 (m) 2 (m) + 3(m)g;
and to False all the other symbols.
Given a configuration C = hC1 ; : : : ; Cn ; ; mi, there is a local derivation from Ci = hqi ; ini ; outi ; i i to Ci0 = hqi0 ; in0i ; out0i ; i0 i, written Ci !C Ci0 , if
1. i0 2 (m);
2. hqi; ; ; qi0 i 2 i for some and ;
3. in0i (qi0 ) = i0 and in0i (q) = ini (q) for qi0 6= q;
4. out0i(qi ) = i0 and out0i(q) = outi (q) for qi 6= q;
5. evaluates to True in at time i0 and interaction m;
6. evaluates to True in C at time i0 .
We say that i0 is the time of the local derivation Ci !C Ci0 . The local derivation Ci !C Ci0 is urgent if there does not exist a local derivation Ci !C Ci00 at time 00 with maxfi ; 2 (m)g 00 < i0 .
The behaviour of a sequential component of the automaton consists of a sequence of local derivations. While the configuration of the considered component changes, the local configurations of all the other components are assumed to be fixed. A local step from a configuration C = hC1 ; : : : ; Cn ; ; mi is a sequence of local derivations Ci !C Ci1 !C1 : : : !C ?1 Civ !C Ci0 , written Ci )C Ci0 , where
1. Ci and Ci0 are input local configurations and Cij is not an input local configuration for any 1 j v;
2. C j is hC1 ; : : : ; Ci?1 ; Cij ; Ci+1 ; : : : ; Cn ; ; mi.
A local step is urgent if it consists of urgent local derivations. A local step Ci )C Ci0 with Ci = Ci0 is said to be a ghost local step.
The behaviour of an automaton is a concurrent composition of local steps which guarantees causality and maximality. The local step of a component is performed with respect to the local configurations of the other components which are either in the starting configurations or in the configurations reached in the same step, provided that a causal justification can be given. Given two configurations C = hC1 ; : : : ; Cn ; ; mi and C 0 = hC10 ; : : : ; Cn0 ; ; m + 1i, there is a step from C to C 0 , written C ) C 0 , whenever
1. for any 1 i n, if Ci 6= Ci0 or Ci = Ci0 and there exists a ghost local step Ci )C Ci , then there exists a local step Ci )C Ci0 with C i = hC1? ; : : : ; Ci ; : : : ; Cn? ; ; mi and either Cj? = Cj or Cj? = Cj0 , with 1 j n; in this case, we define a relation !i f0; : : : ; ng f1; : : : ; ng such that !i = fhj; ii : Cj? 6= Cj ; j 6= ig [ fh0; ii : Cj? = Cj ; j 6= ig. The relation ⋃ i !i is required to be a partial order with least element 0 (causal justification);
2. if Ci = Ci0 , then either there is a ghost local step or there is no local step Ci )C 0 Ci0 having local time 2 (m) i0 2 (m + 1) (maximality).
A step is urgent if it consists of urgent local steps only. A step is reactive if each local step Ci )C Ci0 has final local time i0 2 (m + 1) and the step is maximal with respect to the local steps satisfying such a constraint (namely if the step terminates before the next interaction with the environment). To achieve reactivity, local steps which violate the reactivity condition are aborted.
A run is an ω-sequence of global configurations C 0 ; C 1 ; : : : ; C i ; : : : such that C 0 is an initial configuration and C j ) C j +1 , for any j 0. A run is urgent (resp. reactive) if its steps are urgent (resp. reactive). Given a run R, let Inf (R) be the set of input states which occur infinitely often in R. A run R is successful if Inf (R) ∩ F ≠ ∅ (Büchi acceptance condition). An environment is accepted by a TCA (resp. TCAU , TCAR , TCARU ) if there exists a successful run (resp. successful urgent run, successful reactive run, successful urgent and reactive run) starting from the initial configuration with environment . The language accepted by a TCA M , written L(M ), is the set f+ : is accepted by M g.
Figure 2. The TCA of Example 2.2.
Example 2.1. The language accepted by the TCARU of Fig.1 (taking F = fs4 g) consists of words of the form h1 ; 2 ; 3 i with
1. 1 (i) fa; bg (for i 0);
2. there are j 0 and k j + 1 such that a 2 1 (j ), a 2 1 (j + 1), b 2 1 (k) and b 2 1 (k + 1);
3. 2 (j + 1) = 2 (j ) + 1 and 2 (k + 1) = 2 (k) + 1.
Example 2.2. Let us consider the automaton M of Fig.2 (taking F = fq4g).
If M is reactive and urgent (i.e. M is a TCARU ), then the language L(M ) accepted by M is
fha! ; 2 ; 3 i : 2 (i + 1) ? 2(i) = km; for some i 0; k > 0g:
If M is not reactive but urgent (i.e. M is a TCAU ), then the language L(M ) is
fha! ; 2 ; 3 i : 2 (j ) ? 2(i) = km; for some 0 i > j; k > 0g:
If M is not urgent but reactive (i.e. M is a TCAR ), then the language L(M ) is
fha! ; 2 ; 3 i : 2 (i + 1) ? 2 (i) > m; for some i 0g:
Finally, if M is neither urgent nor reactive (i.e. M is a TCA), then the language L(M ) is
fha! ; 2 ; 3 i : 2(j ) ? 2(i) > m; for some 0 i > j g:
In the following sections we discuss TCAs from the point of view of expressiveness, closure with respect to boolean operations and succinctness.
3. Expressiveness of TCAs
In this section we compare the expressive power of TCAs with that of three classes of automata: Timed Automata TAs, Periodic Timed Automata TAp s (see [5]) and Timed Automata with silent moves TA s (see [3]). The section is organised as follows: we first recall the definition of the three above mentioned classes of automata and then we present the expressiveness results for TCAs.
3.1. Preliminaries
Timed Automata (TAs)
We briefly recall the definition of a Timed Automaton (TA). Timed Automata are state-transition diagrams annotated with timing constraints over real-valued clocks. When an untimed automaton makes a state-transition, the choice of the next state depends on the input symbol read. In the case of a timed automaton, the choice depends also on the time of the input symbol relative to the times of the symbols previously read. This is done by associating a finite set of clocks with the automaton. A clock can be set to zero simultaneously with any transition. At any instant, the reading of the clock equals the time elapsed since the last time it was reset. A transition may be taken only if the current values of the clocks satisfy a timing constraint associated with the transition.
For a set of clocks C , let (C ) be the set of clock constraints consisting of propositions obtained by freely applying boolean connectives to the atomic propositions x < and x = , with 2 Time. A TA is a tuple A = h; S; S0 ; C; E; F i, where
1. is a finite alphabet;
2. S is a finite set of states and S0 a set of initial states;
3. C is a finite set of clocks;
4. E S S 2C (C ) gives the set of transitions. An arc hs; s0 ; a; ; i represents a transition from state s to s0 on an input symbol a. The set C gives the clocks to be reset with this transition and is a clock constraint over C ;
5. F S is the set of accepting states.
An example of TA with a clock x is given in Fig.3 where x := 0 means the reset of clock x.
Let us recall now how a timed sequence is recognised by a timed automaton (we take the following definitions from [3]). A path of an automaton A = h; S; S0 ; C; E; F i is an infinite sequence of consecutive transitions
;1 ;1 a2 ;2 ;2 P = s0 a1?! s1 ?! s2 : : :
such that s0 2 S0 and hsi ; si+1 ; ai+1 ; i+1 ; i+1 i 2 E , for i 0. A run R of A over the path P is a timed sequence of consecutive transitions
a2 ;2 ;2 1 ;1 ;1 R = s0 a?! 1 s1 ?!2 s2 : : :
where, informally, i 2 Time is the time at which the transition si?1 a?! ; ; si is taken, provided that the clock constraint i is satisfied by the current clock valuation and the clocks in i are reset at time i . More precisely, the value of clock x at time belongs to Time and is written x( ), and the clock valuation at time can be written as the tuple C ( ) = hx( )ix2C . Clocks are set to 0 at time 0 = 0 and the clock valuation for > 0 is determined by the considered run according to the following equation:
( if x 2 i ; x(i) = 0x( ) + ? otherwise,
and x( ) = x(i?1 ) + ? i?1 for i?1 < i . The clock constraint i is satisfied at time i if C (i?1 ) + i ? i?1 j= i in the standard way. A run R over a path P is successful if Inf (P ) ∩ F ≠ ∅, where Inf (P ) is the set of states of A which occur infinitely often in P . A run a2 ;2 ;2 1 ;1 ;1 s0 a?! 1 s1 ?!2 s2 : : : induces a timed sequence ha1 ; 1i; ha2 ; 2 i; : : : and the language accepted by an automaton A, denoted by L(A), is the set of timed sequences induced by a successful run of A.
Figure 3. A Timed automaton. (States q0, q1, q2; arc labels: a, x < 5; a, x < 2; b, x := 0; c, x := 0.)
Example 3.1. The TA of Fig. 3 with F = S accepts the language
fh1 ; 2 i : 1 2 fab; acg! ; if 1(2i + 1) = b; then 2 (2i) ? 2(2i ? 1) < 5; if 1(2i + 1) = c; then 2 (2i) ? 2 (2i ? 1) < 2; for i 0g:
Timed Automata with periodic clock constraints (TAps)
The definition of automata with periodic clock constraints (see [5]) differs from the definition of TAs only in the type of conditions on clocks (C ). Let [1 ; 2 ] denote the closed interval of Time bounded by 1 and 2 , with 1 ; 2 2 Time and 1 2 . For 2 Time, let T [1; 2 ] denote the set
fk + : k 2 IN; 1 2g:
The set p(C ) of periodic clock constraints consists of propositions obtained by freely applying boolean connectives to the atomic propositions x 2 T [1 ; 2 ], x belonging to the set of clocks C . Intuitively, a constraint x 2 T [1 ; 2 ] is satisfied if the current value of the clock x belongs to the set T [1 ; 2 ]. A TAp is a tuple A = h; S; S0 ; C; E; F i, defined exactly as in the case of TA with p (C ) taking the role of (C ). Also the concept of path, run and language accepted by a TAp can be inherited from the definition of TA.
Example 3.2. The TAp of Fig. 4 with F = S accepts the language
fh1 ; 2 i : 1 2 fag! ; 2 (i + 1) ? 2(i) is even, for i 0g:
Figure 4. A TAp . (Arc labels: a; x ∈ T2 [0; 0]; x := 0 and a; True; x := 0.)
Timed Automata with silent transitions (TAs)
The definition of automata with silent transitions (see [3]) differs from the definition of TAs only since it permits transitions labelled over the alphabet extended with the special symbol . A Timed Automaton with silent transitions (TA ) is a tuple A = h; S; S0 ; C; E; F i, where the set of transitions is
E S S [ fg 2C (C )
and the other items are defined as in the case of a TA. The concept of path and (successful) run of a TA is the same as in the case of TAs. A run a2 ;2 ;2 1 ;1 ;1 s0 a?! 1 s1 ?!2 s2 : : : induces the timed sequence obtained from ha1 ; 1 i; ha2 ; 2 i; : : : by removing any occurrence of a silent transition, i.e. pairs belonging to fg Time. The language accepted by the automaton A, denoted by L(A), is the set of timed sequences induced by a successful run of A.
Figure 5. A TA .
Example 3.3. The TA of Fig. 5 with F = S accepts the language
fha! ; 2 i : for each i exists k s.t. 2 (i + 1) ? 2 (i) 2 [1k; 2 k]g:
3.2. Results
Given a class X of automata we denote with L(X ) the set of languages accepted by the automata of the class X . It is known from the literature (see [3] and [5]) that the three classes L(TA), L(TAp), L(TA ) have different expressive power and that, in particular,
L(TA) L(TAp ) L(TA):
We are interested in comparing L(TCA) with the classes mentioned, by investigating how expressive power is affected by the features of internal activity, urgency and reactivity. Since TCAs accept timed sequences augmented with duration of transmission, in this section, to permit comparisons, we consider only environments of the form = h1 ; 2 ; 3 i where 1 (i) is a singleton and 3 (i) is 0 for each i 0.
In the following we shall show that the strongest limitation to expressiveness is due to the lack of internal activity. We prove that L(TCAIRU ) is at least as powerful as L(TA) and that L(TA) is at least as powerful as the sequential subclass of L(TCAIRU ). Actually, it is not yet clear to us whether the sequential subclass of Timed Cooperating Automata (and its variants) is as expressive as the parallel class. Moreover, in the absence of internal activity one does not gain from urgency and reactivity if transitions are controlled by the environment, as follows from the fact that, if the transitions are guarded by the environment (denoted by an upper index G), we have L(TCAGI ) = L(TCAGIU ) = L(TCAGIR ) = L(TCAGIRU ) = L(TCAIRU ).
If internal activity is permitted, Timed Cooperating Automata are at least as expressive as L(TAp ). In this case the request of urgency is a bound to expressiveness. In fact when we release this request, we attain at least the expressiveness of L(TA ). This shows a strong connection between silent moves and lack of urgency. The role of reactivity has been studied, at the moment, only in the sequential case and it remains to be studied in the parallel case. In fact, we prove that the reactive classes can simulate the non-reactive ones (i.e. L(STCAU ) L(STCARU ) and L(STCA) L(STCAR )) but we are not yet able to say whether these inclusions are proper. (We believe that the results given for the sequential subclasses can be extended to the general case.) The hierarchy of the mentioned classes of timed languages is summarised in Figure 6.
Figure 6. The hierarchy of classes of languages accepted by TCA's.
Theorem 3.1. The class of languages L(TA) is included in L(TCAIRU ).
Proof: We give the translation of a TA A = h; S; S0 ; C; E; F i into a TCAIRU M accepting the same language. For the sake of simplicity, we assume that the automaton A is such that, for each pair of states s1 and s2 in S , any transition from s1 to s2 resets the same set of clocks, namely for each pair of transitions hs1 ; s2 ; a; ; i and hs1 ; s2 ; a0 ; 0 ; 0 i in E , = 0 . This assumption is not restrictive since an automaton not fulfilling this requirement can be transformed, by suitably duplicating states and transitions, into an automaton accepting the same language and fulfilling the requirement. If C = fx1 ; : : : ; xn g is the set of clocks, the automaton M = hM1 ; : : : ; Mn+1 ; I ; Fi is composed of n + 1 sequential components, i.e. a sequential component for each clock (components M1 ; : : : ; Mn) and one simulating the state transition diagram of the automaton A (component Mn+1 ). The sequential component for the clock xi consists of one state only and looping arcs which are taken when a transition resetting the clock is performed. More formally, Mi = hfci g; ci ; i i with i = fhci ; True; s1 f0g ^ s2 = 0; ci i : hs1 ; s2 ; a; ; i and xi 2 g. As regards the component simulating the state-transition diagram, we assume for simplicity that the set of initial states is a singleton (i.e. S0 = fs0 g). The state-transition diagram of Mn+1 is isomorphic to that of A. Each condition c is transformed into a condition T (c) by replacing each atomic proposition xi = d (resp. xi < d) with ci = d (resp. :ci [d]). Hence, Mn+1 = hS; s0 ; n+1 i, where n+1 = fhsi ; a; T (c); sj i : hsi ; sj ; a; ; ci 2 E g. We also assume F = F and I = S [ fci : xi 2 C g. An example which illustrates the procedure is given in Fig.7. It is easy to see that L(A) = L(M ). □
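As an added example (not code from the paper), the following Python code runs finite prefixes of timed words through the TA of Fig. 3 using the clock valuation equation of Section 3.1, and through the components produced by the translation in the proof of Theorem 3.1 using the evaluation rules for q[d], q{d} and q = d from Section 2, and checks that both agree. Assumptions: the arc directions of Fig. 3 are read off Example 3.1, undefined is modelled as None with Kleene's strong connectives, only the effect of a step on the state and clock components is simulated (not causality or maximality), and all function names are made up for the example.

```python
import copy
from fractions import Fraction as F

# Three truth values: True, False and None (undefined). Kleene's strong
# connectives are an assumption; the page only says "standard semantics".
def k_not(a):
    return None if a is None else (not a)

def k_and(a, b):
    if a is False or b is False:
        return False
    return None if (a is None or b is None) else True

class Local:
    """Local configuration: enabled state, in/out times, local time."""
    def __init__(self, q0):
        self.q, self.t_in, self.t_out, self.now = q0, {q0: F(0)}, {}, F(0)

    def move(self, target, t):
        # Local derivation at time t: source disabled, target enabled.
        self.t_out[self.q] = t
        self.t_in[target] = t
        self.q, self.now = target, t

def since(c, q, d, t):    # q[d]: q is enabled and has been for at least d
    if c.now > t:
        return None
    return c.q == q and c.t_in[q] <= t - d

def exactly(c, q, d, t):  # q = d: q is enabled and was entered exactly d ago
    if c.now > t:
        return None
    return c.q == q and c.t_in[q] == t - d

def within(c, q, d, t):   # q{d}: q is enabled, or was disabled at most d ago
    if c.now > t:
        return None
    return c.q == q or (q in c.t_out and t - d <= c.t_out[q])

# Fig. 3 as (source, symbol, guard, clocks reset, target); None means True.
# Arc directions are an assumption read off Example 3.1.
TA = [("q0", "a", ("<", "x", 5), (), "q1"), ("q0", "a", ("<", "x", 2), (), "q2"),
      ("q1", "b", None, ("x",), "q0"), ("q2", "c", None, ("x",), "q0")]

def ta_guard(g, val):
    if g is None:
        return True
    op, x, d = g
    return val[x] < d if op == "<" else val[x] == d

def ta_states(word):
    """States the TA can occupy after a finite prefix of a timed word."""
    configs, prev = {("q0", (("x", F(0)),))}, F(0)
    for sym, t in word:
        nxt = set()
        for s, val in configs:
            now = {x: v + (t - prev) for x, v in val}  # clocks advance
            for src, a, g, resets, dst in TA:
                if src == s and a == sym and ta_guard(g, now):
                    kept = {x: F(0) if x in resets else v for x, v in now.items()}
                    nxt.add((dst, tuple(sorted(kept.items()))))
        configs, prev = nxt, t
    return {s for s, _ in configs}

def tca_guard(g, clocks, t):
    # Theorem 3.1: x < d becomes NOT c[d]; x = d becomes c = d.
    if g is None:
        return True
    op, x, d = g
    c = clocks[x]
    return k_not(since(c, c.q, d, t)) if op == "<" else exactly(c, c.q, d, t)

def tca_states(word):
    """Same prefix on the translated components (state diagram + clocks)."""
    configs = [(Local("q0"), {"x": Local("c_x")})]
    for sym, t in word:
        nxt = []
        for state, clocks in configs:
            for src, a, g, _, dst in TA:
                if src != state.q or a != sym or tca_guard(g, clocks, t) is not True:
                    continue
                st, cl = copy.deepcopy(state), copy.deepcopy(clocks)
                st.move(dst, t)
                # Clock loops of Theorem 3.1: guard s1{0} AND s2 = 0.
                for s1, _, _, resets, s2 in TA:
                    fired = k_and(within(st, s1, 0, t), exactly(st, s2, 0, t))
                    for x in resets if fired is True else ():
                        cl[x].move(cl[x].q, t)
                nxt.append((st, cl))
        configs = nxt
    return {state.q for state, _ in configs}

# Constructed timed-word prefixes (symbol, time); not taken from the paper.
OK = [("a", F(1)), ("b", F(3)), ("a", F(7)), ("b", F(8)), ("a", F(9)), ("c", F(10))]
LATE = [("a", F(1)), ("c", F(2)), ("a", F(5)), ("c", F(6))]

if __name__ == "__main__":
    for w in (OK, LATE, [("a", F(2))], [("a", F(5))]):
        print(sorted(ta_states(w)), sorted(tca_states(w)))
```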
Figure 7. The translation of the automaton of Fig.3 into a TCAIRU .
Theorem 3.2. The class of languages L(STCAIRU ) is included in L(TA).
Proof: We show that any STCAIRU M = hhQ; q0 ; i; I ; Fi can be simulated by a TA A. In order to express conditions in A which are the equivalent of conditions of the form q = and q[ ] in M , A is endowed with a clock xin which is reset each time a transition is performed. Conditions q = and q[ ] can be evaluated to true only if q is the currently enabled state (the automaton is sequential) and can be replaced in A by xin = and xin > . To express a condition equivalent to qf g over a state q 2 Q, the automaton A is endowed with a clock xq for any q 2 Q (actually a clock would be required only for states referenced by this kind of condition). The clock xq is reset by any transition having the state q as source and keeps track of the time elapsed from the last disabling of q. Since the condition qf g is equivalent to the fact that q has been enabled at least once and xq , we have to keep track of the set of states visited at least once. To this purpose we use a set of states having the form Q 2Q , where the intended meaning is that the second component of the state stores the set of already visited states. For a (current) state q and a set of visited states W , the function T translating a condition 2 ?Q of M into a condition of A is defined inductively as follows: T (q; W; True) = True; T (q; W; q0 [ ]) = False if q0 6= q and xin otherwise; T (q; W; q0 = ) = False if q0 6= q and xin = otherwise; T (q; W; q0 f g) = True if q0 = q and otherwise T (q; W; q0 f g) = xq0 if q0 2 W and False otherwise; T (q; W; 1 ^ 2 ) = T (q; W; 1 ) ^ T (q; W; 2 ) and T (q; W; : ) = :T (q; W; ). Hence the TA A simulating M is h; Q 2Q ; fhqo ; ;ig; C; E; Fi, where
1. C = fxin g [ fxq : q 2 Qg;
2. E = fhhq1 ; W i; hq2 ; W [ fq1 gi; a; fxin ; xq1 g; T (q1 ; W; )i : hq1 ; a; ; q2 i 2 g; W 2 2Q g [ fhhq; W i; hq; W i; a; ;; Truei : a 62 q ; W 2 2Qg [ fhhq; W i; hq; W i; a; ;; : q;a i : a 2 q ; W 2 2QWg where q = fa : hq; a; ; q0 i 2 g and q;a = f : hq; a; ; q0 i 2 g.
In the definition of E , the last two subsets of self-loops simulate the idling of M in the state q when no transition exiting q can be taken. It is easy to see that L(A) = L(M ). □
Let us denote by L(TCAG ) the subclass of L(TCA) where transitions are guarded by the environment, i.e., more formally, where transitions have environment conditions in the set ? fTrueg.
Proposition 3.1. The classes L(TCAGI ), L(TCAGIR ), L(TCAGIU ), L(TCAGIRU ) and L(TCAIRU ) coincide.
We show now that permitting internal activity increases the expressive power.
Theorem 3.3. The class of languages L(TAp ) is included in L(TCAU ) and L(TCARU ).
Proof: We sketch the translation of a TAp A = h; S; S0 ; C; E; F i into a TCAU M accepting the same language. The translation is similar to the one given in Th.3.1 and it differs only in the simulation of clocks. As in Th.3.1, we assume that the automaton A is such that for each pair of transitions hs1 ; s2 ; a; ; i and hs1 ; s2 ; a0 ; 0 ; 0 i in E , = 0 . Let CC = fx1 2 T1 [11 ; 12 ]; : : : ; xn 2 T [n1 ; n2 ]g, with xi 2 C , be the set of clock constraints occurring in the labels of transitions of A. The TCAU M has at most 2n +1 sequential components, i.e. at most a couple of components for each clock constraint in the set CC , and a component simulating the state transition diagram of the automaton A. Let us see how a clock constraint xi 2 T [i1 ; i2 ] 2 CC is simulated. If i2 ? i1 i, then each condition xi 2 T [i1 ; i2 ] is equivalent to xi i1 , and the clock for evaluating such a constraint is the sequential component given in the proof of Th.3.1. Hence, let us consider the case in which i2 ? i1 < i and let d = 0 if i2 i , d = i2 ? i otherwise. Note that the set T [i1 ; i2 ] is equal to d + T [i1 ? d; i2 ? d]. The two components required for the simulation of a clock xi suitable for checking the constraint xi 2 T [i1 ; i2 ] are represented in Figure 8. The first component simulates a clock which, after waiting for an amount of time d, goes on with a periodic tick i (loop between states c1i and c5i ). The loop between states c1i and c5i is non-deterministically suspended either to permit the evaluation of the clock constraint xi 2 T [i1 ? d; i2 ? d] (state c2i ) or to respond to a reset (state c3i ). If the non-deterministic guess is wrong (for instance the loop is exited too early), the state of error c4i is reached and the whole computation is aborted. The second component keeps track of reset requests issued for clock xi (no request in state ri0 , one or more requests in state ri1 ). (In the Figure, reset stands for the condition ⋁ k;j sk f0g^ sj [0] such that hsk ; sj ; a; ; i 2 E; xi 2 .) The condition xi 2 T [i1 ; i2 ] is therefore equivalent to the condition
(xi; i ; i1 ; i2) = (c2i [i1 ? d] ^ (c2i = i2 ? d _ :c2i [i2 ? d]))_ (ri0 [0] ^ c3i [i1 ? d] ^ (c3i = i2 ? d _ :c3i [i2 ? d])):
The state transition diagram of A can be simulated by a sequential component defined as in Th.3.1 with the only difference that each condition occurring in a transition of A which reset V V n 4 the set of clocks is substituted by a condition i=1 :ci [0] ^ x 2 c3i [0] ^ , with the condition obtained from by replacing each constraint having the form xi 2 T [i1 ; i2 ] by (xi ; i ; i1 ; i2 ). Moreover, in order to stop the computation whenever a state c4i is reached in a clock component, to the component simulating the state transition diagram of A, a state q is added, and for each state q0 a transition is added labelled by the constraint ⋁ ni=1 c4i [0] taking from q0 to q. Now, it can be easily proved that L(A) = L(M ). The proof that a TAp can be simulated by a TCARU is quite similar and is therefore omitted. □
Figure 8. The clock for evaluating the condition xi 2 T [i1 ; i2 ].
Since the simulation of a TCAIRU by a TCAU is straightforward, by Th.3.3 and by the strict inclusion of the class of languages L(TA) in the class L(TAp ) (see [5]), we have the following corollary.
Corollary 3.1. The class of languages L(TCAIRU ) is strictly included in L(TCAU ).
We show now that TCAR s are at least as powerful as TAs.
Theorem 3.4. The class of languages L(TA) is included in L(TCAR ).
Proof: Let A = ⟨ , S, S0 , C, E, F ⟩ be a TA . Without loss of generality, we assume that A is such that for each pair of states s1 and s2 in S any transition from s1 to s2 resets the same set of clocks, namely for each pair of transitions ⟨s1 , s2 , a, , ⟩ and ⟨s1 , s2 , a0 , 0 , 0 ⟩ in E , = 0 . Moreover, since we are concerned only with Non-Zeno languages, it is not restrictive to assume that all of the states in F are sources of at least one guarded (non-) transition which is secured by assuming the property of progress. We first transform A into an equivalent TA A0 which has only one initial state and whose set of states can be partitioned into a set of states which are sources of -transitions and another set of states which are sources of guarded transitions. The automaton A0 is the tuple ⟨ , S { , }, {s0 }, C, E 0 , F { }⟩, where E 0 is defined as follows:
{⟨⟨s1 , ⟩, ⟨s2 , ⟩, a, , ⟩, ⟨⟨s1 , ⟩, ⟨s2 , ⟩, a, , ⟩ : ⟨s1 , s2 , a, , ⟩ ∈ E, a ∈ } ∪
{⟨⟨s1 , ⟩, ⟨s2 , ⟩, , , ⟩, ⟨⟨s1 , ⟩, ⟨s2 , ⟩, , , ⟩ : ⟨s1 , s2 , , , ⟩ ∈ E} ∪
{⟨s0 , s, , ∅, x = 0⟩ : s ∈ S0 { , }, for some x ∈ C}.
Now, the automaton A0 can be translated into an equivalent TCAR M , by following exactly the same procedure given in the proof of Th. 3.1 but fixing the set of input states to be equal to (S { }) ∪ {s0 } and replacing by True. □
In the remaining part of this section we compare the variants of our model with respect to the features of urgency and reactivity, limiting ourselves to the sequential case. In the following theorem we show that by releasing the requirement of urgency we obtain an increase of expressiveness.
Theorem 3.5. The class of languages L(STCARU ) is strictly included in L(STCAR ).
Proof: Let M = ⟨⟨Q, q0 , ⟩, I , F⟩ be a STCARU . We assume, without loss of generality, that transitions from states in I − {q0 } are guarded (since the environment gives each time a symbol, the condition true can be replaced by ⋁ a∈ a). For simplicity, we assume also that there is no transition ⟨q1 , , , q0 ⟩ ∈ and that any internal condition ∈ ?Q is the conjunction of positive/negative occurrences of conditions of the form q = , q[ ] and q{ }. The set of formulas having this form is denoted by ?NQ . We introduce a function TT : Q ?NQ → 2^Time which, for a state and an internal condition labelling a transition departing from the state, gives the set of times in which the condition is satisfied. The urgency of the transitions departing from states in I − {q0 } is guaranteed by the fact that these transitions are guarded. The urgency of the transitions departing from non-input states of the given automaton M can be simulated in a TCAR by requiring that the source state q of the transition is left at time min(TT (q, )), if such minimum exists. Transitions of M such that min(TT (q, )) does not exist will not be considered, as they are never performed in an urgent automaton. The function TT is defined as follows:
TT (q, q0 [ ]) = [ , ∞) if q = q0 and ∅, otherwise;
TT (q, ¬q0 [ ]) = [0, ) if q = q0 and Time, otherwise;
TT (q, q0 = ) = [ , ] if q = q0 and ∅, otherwise;
TT (q, ¬q0 = ) = Time − { } if q = q0 and Time, otherwise;
TT (q, q0 { }) = TT (q, True) = Time;
TT (q, ¬q0 { }) = ∅ if q = q0 and Time, otherwise;
TT (q, False) = ∅;
TT (q, 1 ∧ 2 ) = TT (q, 1 ) ∩ TT (q, 2 ).
The TCAR M 0 simulating the automaton M is ⟨⟨Q, q0 , 0 ⟩, I , F⟩ where
0 = {⟨q1 , , ∧ q1 = min(TT (q1 , )), q2 ⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 ∈ Q − I and min(TT (q1 , )) exists} ∪
{⟨q1 , , , q2 ⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 ∈ I , ≠ true} ∪
{⟨q0 , true, ∧ q0 = min(TT (q0 , )), q1 ⟩ : ⟨q0 , true, , q1 ⟩ ∈ and min(TT (q0 , )) exists}.
It is easy to see that L(M ) = L(M 0 ).
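The evaluation of min(TT(q, ·)) for a conjunction of literals, including the case in which the minimum does not exist and the transition is dropped, as an added example (not code from the paper). The tuple encoding of literals, the kind names 'ge', 'eq' and 'in' (standing for q[t], q = t and q{t}) and all function names are assumptions made here.

```python
import math

INF = math.inf
TIME = [(0.0, True, INF, False)]   # the whole time domain [0, inf)

def intersect(xs, ys):
    """Intersect two finite unions of intervals (lo, lo_closed, hi, hi_closed)."""
    out = []
    for a, a_closed, b, b_closed in xs:
        for c, c_closed, d, d_closed in ys:
            # On equal bounds the open endpoint is the tighter one.
            lo, lo_open = max((a, not a_closed), (c, not c_closed))
            hi, hi_closed = min((b, b_closed), (d, d_closed))
            if lo < hi or (lo == hi and not lo_open and hi_closed):
                out.append((lo, not lo_open, hi, hi_closed))
    return out

def tt(q, literal):
    """TT(q, literal) following the table in the proof of Th. 3.5."""
    kind, state, t, positive = literal
    if kind == "in":                       # state{t}
        return TIME if positive or state != q else []
    if state != q:                         # the literal is about another state
        return [] if positive else TIME
    if kind == "ge":                       # state[t]
        return [(t, True, INF, False)] if positive else [(0.0, True, t, False)]
    if positive:                           # state = t
        return [(t, True, t, True)]
    return [(0.0, True, t, False), (t, False, INF, False)]

def min_time(q, literals):
    """min(TT(q, l1 ^ ... ^ lk)); None if the set is empty or has no minimum."""
    times = TIME
    for literal in literals:
        times = intersect(times, tt(q, literal))   # conjunction = intersection
    if not times:
        return None
    lo, lo_open = min((lo, not closed) for lo, closed, _, _ in times)
    return None if lo_open else lo
```

A label such as q[2] ∧ ¬(q = 2) yields the open set (2, ∞), so `min_time` returns `None` and the corresponding transition is one of those left out of the simulating automaton.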
As for the strictness of the inclusion, let us consider the language of Example 3.3 which is accepted by a TA . It can be easily proved that such a language, which can be accepted by a STCAR , cannot be accepted by any TCARU . □
We show now that urgent reactive Timed Cooperating Automata can simulate the urgent non reactive ones.
Theorem 3.6. The class of languages L(STCAU ) is included in L(STCARU ).
Proof: Let M = ⟨⟨Q, q0 , ⟩, I , F⟩ be a STCAU . Without loss of generality we assume that if ⟨q1 , , , q2 ⟩ ∈ and q1 ∈ Q − I , then = True. We assume also, without loss of generality, that any formula labelling transitions (as in Th. 3.5) belongs to ?NQ . A TCAU with internal activity may perform non reactive steps, namely steps that are completed after the next prompt from the environment. In order to simulate such a non reactive step on a TCARU , it should be possible to suspend the step at any stage of its progress and to resume it after the synchronization with the environment. This is obtained by duplicating non input states anticipating sequences of transitions for any possible suspension. The TCARU simulating M is M 0 = ⟨⟨Q0 , q0 , 0 ⟩, I 0 , F⟩, where:
Q0 = I ∪ (Q − I ) {i, n}; I 0 = I ∪ (Q − I ) {i});
0 = {⟨q1 , , f ( ), q2 ⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 , q2 ∈ I} ∪
{⟨q1 , , f ( ), ⟨q2 , x⟩⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 ∈ I , q2 ∈ Q − I , x ∈ {i, n}} ∪
{⟨⟨q1 , x⟩, , f ( ) ∧ ⟨q1 , x⟩ = min(TT (q1 , )), ⟨q2 , y⟩⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 , q2 ∈ Q − I , x, y ∈ {i, n}, if min(TT (q1 , )) exists} ∪
{⟨⟨q1 , x⟩, , f ( ) ∧ ⟨q1 , x⟩ = min(TT (q1 , )), q2 ⟩ : ⟨q1 , , , q2 ⟩ ∈ , q1 ∈ Q − I , q2 ∈ I , x ∈ {i, n}, if min(TT (q1 , )) exists},
with TT : Q ?NQ → 2^Time defined as in the proof of Th. 3.5, and f : ?Q → ?Q0 defined as follows:
f (True) = True;
f (q[ ]) = q[ ] if q ∈ I and ⟨q, i⟩[ ] ∨ ⟨q, n⟩[ ], otherwise;
f (q{ }) = q{ } if q ∈ I and ⟨q, i⟩{ } ∨ ⟨q, n⟩{ }, otherwise;
f (q = ) = q = if q ∈ I and ⟨q, i⟩ = ∨ ⟨q, n⟩ = , otherwise;
f commutes with respect to ¬, ∧ and ∨.
It is easy to see that L(M ) = L(M 0 ). □
Proposition 3.2. The class of languages L(STCA) is included in L(STCAR ).
Proof: The technique for simulating non reactive steps of a STCA by a TCAR is the one used for the proof of Th. 3.6. □
As a conclusion, we observe that, while the simulation of non reactivity in a context of reactivity is possible, it is not clear to us whether and how in a non reactive context reactivity can be simulated.
4. Closures under boolean operations and decidability properties
All the classes of Timed Cooperating Automata we have considered are closed under union and intersection. Let M = ⟨M1 , . . . , Mm , I , F⟩ and M 0 = ⟨M10 , . . . , Mn0 , I 0 , F 0 ⟩ be two Timed Cooperating Automata which share the alphabet and such that their sets of states are disjoint. An automaton accepting the language L(M ) ∩ L(M 0 ) is
M ∩ M 0 = ⟨M1 , . . . , Mm , M10 , . . . , Mn0 , Mcheck , I , F⟩
where Mcheck is the sequential component in Fig. 9; I = I ∪ I 0 ∪ {q0 , q1 , q2 , q3 }; F = {q1 , q3 }. An automaton accepting the language L(M ) ∪ L(M 0 ) is
M ∪ M 0 = ⟨M1 , . . . , Mm , M10 , . . . , Mn0 , I ∪ I 0 , F ∪ F 0 ⟩.
Notice that both the operations of union and intersection of languages L1 and L2 are implemented by composing in parallel the automata accepting L1 and L2 in a straightforward way. This preserves the structure of the component automata and gives, in general, a more compact representation than the one obtained by the cartesian product of automata, which is necessary in the case of TAs.
Proposition 4.1. Let M and M 0 be two Timed Cooperating Automata, then L(M ∪ M 0 ) = L(M ) ∪ L(M 0 ) and L(M ∩ M 0 ) = L(M ) ∩ L(M 0 ).
We have no results on complementation. We have a result on decidability of emptiness, which follows from the analogous result for L(TA) and from the containment of L(STCAIRU ) in L(TA).
Figure 9. The component Mcheck .
Proposition 4.2. The emptiness problem for L(STCAIRU ) is decidable.
We note that if the class L(TCAIRU ) could be proved to coincide with L(TA), the classes L(TCARU ) and L(TCAU ) to coincide with L(TAp ) and the class L(TCAR ) to coincide with L(TA), then also the following results would hold:
1. the classes L(TCAIRU ), L(TCARU ), L(TCAU ), and L(TCAR ) are not closed under complementation;
2. the emptiness problem for the classes L(TCAIRU ), L(TCARU ), L(TCAU ), and L(TCAR ) is decidable (as a consequence of the decidability for the class L(TA ), see [3]).
5. Succinctness
As suggested in [6], a criterion for comparing classes of automata (besides the obvious criterion of expressiveness) is succinctness, namely the inherent size of an automaton required to accept a given language. Given two classes of automata A and B, B is more succinct than A if
1. for each automaton A ∈ A accepting the language L(A) there exists an automaton B ∈ B accepting L(A) and such that the size of B is polynomial in the size of A;
2. there is a family of languages Ln, for n > 0, such that each Ln is accepted by an automaton B ∈ B of size polynomial in n, but the smallest A ∈ A accepting Ln is at least of size exponential in n.
The notion of size of a TCA and of a TA is standard and it is defined as follows. The size of a TCA M = ⟨M1 , . . . , Mn , I , F⟩, with Mi = ⟨Qi , qi , i ⟩, is obtained by counting states, transitions and length of transition labels, i.e. it is i |Qi | + i | i |, where | i | is the number of conditions True, q[ ], q = , q{ } occurring in i . The size of a TA A = ⟨ , S, S0 , C, E, F ⟩ is |S| + |E|, where |E| is the number of conditions True, x < , x = occurring in E.
Figure 10. A TCA accepting L3 .
In [6], exponential discrepancies are proved in the size of finite automata, when augmented with mechanisms of concurrency, over sequential models. In particular, CAs are shown to be more succinct than Büchi automata. We can prove that an analogous result holds also in the timed case, namely that TCAIRU s are more succinct than TAs.
Theorem 5.1. TCAIRU s are more succinct than TAs.
Proof: (Sketch) The first requirement of succinctness is satisfied since, as it is easy to see, the TCAIRU which simulates a given TA defined in the proof of Th. 3.1 has polynomial size in the size of the given TA. As far as the second requirement is concerned, let us consider the family of languages L1 , . . . , Ln , . . . over the alphabet = {a, b}, defined as follows:
Ln = {⟨ 1 , 2 , 3 ⟩ : 1 (i) = 1 (i + n) for i 0}.
The idea of a TCA accepting Ln may be easily gathered from Fig. 10, which presents the case n = 3. Notice that the number of components is n, and that the size of each component can be polynomially bounded by n. Conversely, it is easy to see that a TA accepting the same language must use an exponential number of states (or clocks) to keep track of the 2^n possible sequences of words over {a, b} of length n. □
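The size gap behind Theorem 5.1, worked through on the untimed skeleton of Ln as an added example (not the paper's construction from Fig. 10): component j only stores the symbol seen at positions congruent to j modulo n, while flattening the n components into one automaton multiplies their memories. Time stamps are ignored, the components here each keep their own counter, and all names are assumptions made for this sketch.

```python
from itertools import product

ALPHABET = "ab"
ERR = "ERR"  # error sink: a symbol differed from the one n positions earlier

def local_step(j, n, state, sym):
    """Component j counts prompts modulo n and checks its own positions."""
    if state == ERR:
        return ERR
    phase, mem = state
    if phase == j and mem not in (None, sym):
        return ERR
    return ((phase + 1) % n, sym if phase == j else mem)

def global_step(n, config, sym):
    """All components move synchronously; one local error aborts the run."""
    if config == ERR:
        return ERR
    nxt = tuple(local_step(j, n, config[j], sym) for j in range(n))
    return ERR if ERR in nxt else nxt

def reachable(init, step):
    """All states reachable from init under step(state, sym)."""
    seen, todo = {init}, [init]
    while todo:
        state = todo.pop()
        for sym in ALPHABET:
            nxt = step(state, sym)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def cooperating_size(n):
    """Sum of the local state counts of the n components."""
    return sum(len(reachable((0, None), lambda s, a, j=j: local_step(j, n, s, a)))
               for j in range(n))

def sequential_size(n):
    """State count of the single automaton obtained by flattening."""
    return len(reachable(((0, None),) * n, lambda c, a: global_step(n, c, a)))

def accepts_prefix(n, word):
    """True while no violation of sym(i) == sym(i + n) has been seen."""
    config = ((0, None),) * n
    for sym in word:
        config = global_step(n, config, sym)
    return config != ERR

def separated_prefixes(n):
    """Length-n prefixes u that the continuation u separates from all others."""
    words = ["".join(p) for p in product(ALPHABET, repeat=n)]
    return sum(accepts_prefix(n, u + u) and not any(
        accepts_prefix(n, v + u) for v in words if v != u) for u in words)
```

For n = 8 the components total 172 local states against 2304 for the flattened automaton, and `separated_prefixes(n)` counts 2^n prefixes that a deterministic sequential checker has to keep in distinct states.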
Our study of succinctness is at an early stage. We believe that it is interesting to investigate whether the features of internal activity, reactivity and urgency, besides affecting expressiveness, also affect succinctness. Moreover, a comparison of TAp s, TA s and the various classes of Timed Cooperating Automata from the point of view of succinctness should be performed.
References
[1] Alur, R. and Dill, D.: "A Theory of Timed Automata", Theoretical Computer Science, 126, 1994, 183–235.
[2] Alur, R., Fix, L. and Henzinger, A.: "Event-Clock Automata: A Determinizable Class of Timed Automata", Theoretical Computer Science, 211, 1999, 253–273.
[3] Bérard, B., Petit, A., Diekert, V. and Gastin, P.: "Characterization of the Expressive Power of Silent Transitions in Timed Automata", Fundamenta Informaticae, 36, 1998, 145–182.
[4] Berry, G. and Gonthier, G.: "The Esterel Synchronous Programming Language: Design, Semantics, Implementation", Science of Computer Programming, 19, 1992, 87–152.
[5] Choffrut, C. and Goldwurm, M.: "Timed Automata with Periodic Clock Constraints", Rapport L.I.A.F.A. n. 99/28, Université Paris VII, 1999.
[6] Drusinsky, D. and Harel, D.: "On the Power of Bounded Concurrency I: Finite Automata", Journal of ACM, 41, 1994, 517–539.
[7] D'Souza, D. and Thiagarajan, P.S.: "Product Interval Automata: a Subclass of Timed Automata", Proc. FSTTCS'99, LNCS 1738, Springer, Berlin, 1999, 60–71.
[8] Harel, D.: "Statecharts: A Visual Formalism for Complex Systems", Science of Computer Programming, 8, 1987, 231–274.
[9] Lanotte, R., Maggiolo-Schettini, A. and Peron, A.: "Timed Cooperating Automata", Proc. of the CS&P'99 Workshop (H.-D. Burkhard, L. Czaja, H.S. Nguyen, P. Starke Eds.), Warsaw University Press, Warsaw, 1999, 96–106.
[10] Maggiolo-Schettini, A. and Peron, A.: "Retiming Techniques for Statecharts", Proc. FTRTFT '96, LNCS 1135, Springer, Berlin, 1996, 55–71.
[11] Mikk, E., Lakhnech, Y. and Siegel, M.: "Hierarchical Automata as Models for Statecharts", Proc. ASIAN '97, LNCS 1345, Springer, Berlin, 1997, 181–196.
[12] Peron, A. and Maggiolo-Schettini, A.: "Transitions as Interrupts: A New Semantics for Timed Statecharts", Proc. TACS '94, LNCS 789, Springer, Berlin, 1994, 806–821.
[13] Thomas, W.: "Automata on Infinite Objects", Handbook of Theoretical Computer Science (J. van Leeuwen Ed.), Elsevier Science Publishers, Amsterdam, 1990, 134–191.