Costs and rewards in priced timed automata

Costs and Rewards in Priced Timed Automata Martin Fränzle Department of Computing Science, University of Oldenburg, Germany [email protected] Mahsa Shirmohammadi CNRS & LIS, France [email protected] Mani Swaminathan Department of Computing Science, University of Oldenburg, Germany [email protected] James Worrell arXiv:1803.01914v2 [cs.LO] 15 May 2018 Department of Computer Science, University of Oxford, UK [email protected] Abstract We consider Pareto analysis of reachable states of multi-priced timed automata (MPTA): timed automata equipped with multiple observers that keep track of costs (to be minimised) and rewards (to be maximised) along a computation. Each observer has a constant non-negative derivative which may depend on the location of the MPTA. We study the Pareto Domination Problem, which asks whether it is possible to reach a target location via a run in which the accumulated costs and rewards Pareto dominate a given objective vector. We show that this problem is undecidable in general, but decidable for MPTA with at most three observers. For MPTA whose observers are all costs or all rewards, we show that the Pareto Domination Problem is PSPACE-complete. We also consider an ε-approximate Pareto Domination Problem that is decidable without restricting the number and types of observers. We develop connections between MPTA and Diophantine equations. Undecidability of the Pareto Domination Problem is shown by reduction from Hilbert’s 10th Problem, while decidability for three observers is shown by a translation to a fragment of arithmetic involving quadratic forms. 2012 ACM Subject Classification Theory of computation: Timed and hybrid models Keywords and phrases Priced Timed Automata, Pareto Domination, Diophantine Equations Digital Object Identifier 10.4230/LIPIcs.ICALP.2018.248 Related Version A shorter version of this paper appears in the proceedings of ICALP 2018. Acknowledgements to Dan Segal for discussions on [11] and the reviewers for their feedback. 1 Introduction Multi Priced Timed Automata (MPTA) [5, 7, 8, 10, 17, 18, 19] extend priced timed automata [2, 3, 4, 6, 16] with multiple observers that capture the accumulation of costs and rewards along a computation. This extension allows to model multi-objective optimization problems beyond the scope of timed automata [1]. MPTA lie at the frontier between timed automata (for which reachability is decidable [1]) and linear hybrid automata (for which reachability is undecidable [13]). The observers exhibit richer dynamics than the clocks of timed automata by not being confined to unit slope in locations, but may neither be queried nor reset while © Martin Fränzle, Mahsa Shirmohammadi, Mani Swaminathan, and James Worrell; EA licensed under Creative Commons License CC-BY TC S 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Editors: Ioannis Chatzigiannakis, Christos Kaklamanis, Dániel Marx, and Don Sannella; Article No. 248; pp. 248:1–248:22 Leibniz International Proceedings in Informatics Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany 248:2 Costs and Rewards in MPTA taking edges. This observability restriction has been exploited in [17] (under a cost-divergence assumption) for carrying out a Pareto analysis of reachable values of the observers. In this paper we distinguish between observers that represent costs (to be minimised) and those that represent rewards (to be maximised). Formally, we partition the set Y of observers into cost and reward variables and say that γ P RY 1 ě0 Pareto dominates γ P Rě0 Y 1 1 if γpyq ď γ pyq for each cost variable y and γpyq ě γ pyq for each reward variable y. Then the Pareto curve corresponding to an MPTA consists of all undominated vectors γ that are reachable in an accepting location. While cost and reward variables are syntactically identical in the underlying automaton model, distinguishing between them changes the notion of Pareto domination and the associated decision problems. We introduce in Section 3 a decision version of the problem of computing Pareto curves for MPTA, called the Pareto Domination Problem. Here, given a target vector γ P RY ě0 , one asks to reach an accepting location with a valuation γ 1 P RY ě0 that Pareto dominates γ. This has not been addressed in prior work on Pareto analysis of MPTA [17], which considers only costs or only rewards. Other works on MPTA either do not address Pareto analysis [5, 8, 10, 18, 19], or have only discrete costs updated on edges [22], or are confined to a single clock [7]. Our first main result is that the Pareto Domination Problem is undecidable in general. The undecidability proof in Section 4 is by reduction from Hilbert’s 10th problem. Owing to the existence of so-called “universal Diophantine equations” (of degree 4 with 58 variables [14]), our proof shows undecidabililty of the Pareto Domination Problem for some fixed but large number of observers. Undecidability of the Pareto Domination Problem entails that one cannot compute an exact Pareto curve for an arbitrary MPTA. We consider three different approaches to recover decidability of the Pareto Domination Problem, which all have a common foundation, namely a monotone VASS described in Sections 2 and 5, which simulates integer runs of a given MPTA. By analysing the semi-linear reachability set of this VASS we can reduce the Pareto Domination Problem to satisfiability of a class of bilinear mixed integer-real constraints. We then consider restrictions on MPTA and variants of the Pareto Domination Problem that allow us to solve this class of constraints. We first show in Section 6 that restricting to MPTA with only costs or only rewards yields PSPACE-completeness of the Pareto Domination Problem. Here we are able to eliminate integer variables from our bilinear constraints, resulting in a formula of linear real arithmetic. This strengthens [17, Theorem 1 and Corollary 1], whose decision procedures (that exploit well-quasi-orders for termination) do not yield complexity bounds. Next we confine the MPTA in Section 7 to at most three observers, but allow a mix of costs and rewards. Decidability is now achieved by eliminating real variables from the bilinear constraint system, thus reducing the Pareto Domination Problem to deciding the existence of positive integer zeros of a quadratic form, which is known to be decidable from [11]. We consider in Section 8 another method to restore decidability for general MPTA with arbitrarily many costs and rewards, by studying an approximate version of the Pareto Domination Problem, called the Gap Domination Problem. Similar to the setting of [9], the Gap Domination Problem represents the decision version of the problem of computing ε-Pareto curves. This problem, whose input includes a tolerance ε ą 0 and a vector γ P RY ě0 , permits inconclusive answers if all solutions dominating γ do so with a slack of less than ε. We solve the Gap Domination Problem by relaxation and rounding applied to our bilinear system of constraints. In this paper we consider only MPTA with non-negative rates. Our approach can be generalised to obtain decidability results also in the case of negative rates by extending our foundation in Sections 2 and 5 from monotone VASS to Z-VASS [12]. M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:3 2 Background Quadratic Diophantine Equations. For later use we recall a decidable class of non-linear Diophantine problems. Consider the quadratic equation n ÿ n ÿ aij Xi Xj ` bj Xj ` c “ 0 (1) i,j“1 j“1 whose coefficients aij , bj , and c are rational numbers. Consider also the family of constraints f1 pX1 , . . . , Xn q „ c1 ^ . . . ^ fk pX1 , . . . , Xn q „ ck , (2) where f1 , . . . , fk are linear forms with rational coefficients, c1 , . . . , ck P Q, and „ P tă, ďu. § Theorem 1 ([11]). There is an algorithm that decides whether a given quadratic equation (1) and a family of linear inequalities (2) have a solution in Zn . Let us emphasize that in Theorem 1 at most one quadratic constraint is permitted. It is clear (e.g., by introducing a slack variable) that the theorem remains true if the equality symbol in (1) is replaced by any comparison operator in tă, ď, ą, ěu. Monotone VASS. A monotone vector addition system with states (monotone VASS) is a tuple Z “ xn, Q, q0 , Qf , Σ, ∆y, where n P N is the dimension, Q is a set of states, q0 P Q is the initial state, Qf Ď Q is a set of final states, Σ is the set of labels, and ∆ Ď Q ˆ Nn ˆ Σ ˆ Q is the set of transitions. Given such a monotone VASS Z as above, the family of sets ReachZ,q Ď Nn , for q P Q, is the minimal family (w.r.t. to set inclusion) of integer vectors such that 0 P ReachZ,q0 and for all q P Q, if u P ReachZ,q and pq, v, `, pq P ∆ for some ` P L, then u ` v P ReachZ,p . Ť Finally we define the reachability set of Z to be ReachZ :“ qPQf ReachZ,q . For every vector v P Nn and every finite set P “ tu1 , . . . , um u of vectors in Nn , we define řm the N-linear set Spv, P q :“ tv ` i“1 ai ui : a1 , . . . , am P Nu. We call v the base vector and u1 , . . . , um P P the period vectors of the set. The following proposition follows from [20, Proposition 4.3],[15] (see Appendix B.1). § Proposition 2. Let Z “ xn, Q, q0 , Qf , Σ, ∆y be a monotone VASS. Then the set ReachZ can be written as a finite union of N-linear sets Spv 1 , P1 q, . . . , Spv k , Pk q, where for i “ 1, . . . , k the components of v i and of each vector in Pi are bounded by polypn, |Q|, M qn in absolute value, where M is maximum absolute value of the entries of vectors in Nn occurring in ∆. 3 Multi-Priced Timed Automata and Pareto Domination Let Rě0 denote the set of non-negative real numbers. Given a set X “ tx1 , . . . , xn u of clocks, the set ΦpX q of clock constraints is generated by the grammar ϕ ::“ true | x ď k | x ě k | ϕ ^ ϕ , where k P N is a natural number and x P X . A clock valuation is a mapping ν : X Ñ Rě0 that assigns to each clock a non-negative real number. We denote by 0 the valuation such that 0pxq “ 0 for all clocks x P X . We write ν |ù ϕ to denote that ν satisfies the constraint ϕ. Given t P Rě0 , we let ν ` t be the clock valuation such that pν ` tqpxq “ νpxq ` t for all clocks x P X . Given λ Ď X , let νrλ Ð 0s be the clock valuation such that νrλ Ð 0spxq “ 0 if x P λ, and νrλ Ð 0spxq “ νpxq otherwise. A multi-priced timed automaton (MPTA) is a tuple A “ xL, `0 , Lf , X , Y, E, Ry, where L is a finite set of locations, `0 P L is an initial location, Lf Ď L is a set of accepting locations, ICALP 2018 248:4 Costs and Rewards in MPTA x“1 xÐ0 r“1 tc1 “ 0, c2 “ 0u c9i “ 0 c9i “ 1 tc1 ď 1, 1 ď c2 u rÐ0 r“1 rÐ0 Figure 1 Predicates in curly brackets denote observer values enforced by initialisation, ci “ 0 with i P t1, 2u, and the Pareto constraint upon exit tc1 ď 1, 1 ď c2 u. Denoting the initial value of clock x by x˚ , the value of both c1 and c2 after n full traversals of the central cycle is nx˚ . Meeting the final Pareto constraint from initial values thus requires that x˚ be n1 for some positive integer n. X is a finite set of clock variables, Y is a finite set of observers, E Ď L ˆ ΦpX q ˆ 2X ˆ L is the set of edges, R : L Ñ NY is a rate function. Intuitively Rp`q is a vector that gives the rates of each observer in location `. A state of A is a triple p`, ν, tq where ` is a location, ν a clock valuation, and t P Rě0 is a e1 time stamp. A run of A is an alternating sequence of states and edges ρ “ p`0 , ν0 , t0 q ÝÑ e2 em p`1 , ν1 , t1 q ÝÑ . . . ÝÑ p`m , νm , tm q , where t0 “ 0, ν0 “ 0, ti´1 ď ti for all i P t1, . . . , mu, and ei “ x`i´1 , ϕ, λ, `i y P E is such that νi´1 ` pti ´ ti´1 q |ù ϕ and νi “ pνi´1 ` pti ´ ti´1 qqrλ Ð 0s for i “ 1, . . . , m. The run is accepting if `m P Lf and said to have granularity g1 for a fixed g P N if all ti P Q are positive integer multiples of g1 . The cost of such a run is a vector řm´1 costpρq P RY , defined by costpρq “ j“0 pti`1 ´ ti qRp`i q . Henceforth we will assume that the set Y of observers of a given MPTA is partitioned into a set Yc of cost variables and a set Yr of reward variables. With respect to this partition we define a domination ordering ď on the set of valuations RY , where γ ď γ 1 if γpyq ď γ 1 pyq for all y P Yr and γ 1 pyq ď γpyq for all y P Yc . Intuitively γ ď γ 1 (read γ 1 dominates γ) if γ 1 is at least as good as γ in all respects. Given ε ą 0 we define an ε-domination ordering ďε , where γ ďε γ 1 (read γ 1 ε-dominates γ) if γpyq ` ε ď γ 1 pyq for all y P Yr and γ 1 pyq ` ε ď γpyq for all y P Yc . We can think of γ ďε γ 1 as denoting that γ 1 is better than γ by an additive factor of ε in all dimensions. In particular we clearly have that γ ďε γ 1 implies γ ď γ 1 . The Pareto Domination Problem is as follows. Given an MPTA A with a set Y of observers and a partition of Y into sets Yc and Yr of cost and reward variables, with a target γ P RY , decide whether there is an accepting run ρ of A such that γ ď costpρq. The Gap Domination Problem is a variant of the above problem in which the input additionally includes an accuracy parameter ε ą 0. If there is some run ρ such that γ ďε costpρq then the output should be “dominated” and if there is no run ρ such that γ ď costpρq then the output should be “not dominated”. In case neither of these alternatives hold (i.e., γ is dominated but not ε-dominated) then there is no requirement on the output. In the (Pareto) Domination Problem the objective is to reach an accepting location while satisfying a family of upper-bound constraints on cost variables and lower-bound constraints on reward variables. We say that an instance of the problem is pure if all observers are cost variables or all are reward variables (and hence all constraints are upper bounds or all are lower bounds); otherwise we call the instance mixed. Our problem formulation involves only simple constraints on observers, i.e., those of the form y ď c or y ě c for y P Y. However such constraints can be used to encode more general linear constraints of the form a1 y1 ` ¨ ¨ ¨ ` ak yk „ c, where y1 , . . . , yk P Y, a1 , . . . , ak , c P N and „ P tď, ě, “u. To do this one introduces a fresh observer to denote each linear term a1 y1 ` ¨ ¨ ¨ ` ak yk (two fresh observers are needed for an equality constraint). Note that we consider timed automata without difference constraints on clocks, i.e., without clock guards of the form xi ´ xj „ k, for k P N. As discussed in Appendix A all our decidability and complexity results hold also in case of such constraints. M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:5 1 ? x˚ Integer test x˚ P N: Quotient c Ð c ` i x˚ : i j wrap wrap wrap wrap xi “ 1 r“1 xi Ð 0 Inv r“1 xj “ 1 tc “ 0u c9 “ 0 c9 “ 1 tc “ 1u te “ 0u e9 “ 0 e9 “ 1 rÐ0 r“1 rÐ0 xj Ð 0 rÐ0 r“1 rÐ0 r“1 rÐ0 Decrement c Ð c ` 1 ´ x˚i : wrap wrap Inv xi “ 1 te “ 1u c9 “ 1 c9 “ 0 r“1 xi “ 1 Inv xi Ð 0 c9 “ 1 c9 “ 0 rÐ0 xi Ð 0 wrap wrap Figure 2 The wrap self-loop denotes a family of m wrapping edges, as in [13, Fig. 14], where the j-th edge has guard xj “ 1 and resets xj . In the quotient gadget, e is a fresh observer, as is c in the integer test. The integer test and quotient gadgets are annotated with predicates in curly brackets indicating the initial values of observers on entering and their target values on exiting the gadget. Enforcing these target values through a corresponding Pareto constraint guarantees the desired behaviour of the gadget. 4 Undecidability of the Pareto Domination Problem In this section we prove undecidability of the Pareto Domination Problem. To give some insight we first give in Figure 1 an MPTA, in which the Pareto constraint c1 ď 1, c2 ě 1 is used to enforce that when control enters the MPTA the value of clock x is n1 for some positive integer n. We prove undecidability of the Pareto Domination Problem by reduction from the satisfiability problem for a fragment of arithmetic given by a language L that is defined as follows. There is an infinite family of variables X1 , X2 , X3 , . . . and formulas are given by the grammar ϕ ::“ X “ Y ` Z | X “ Y Z | ϕ ^ ϕ , where X, Y, Z range over the set of variables. The satisfiability problem for L asks, given a formula ϕ, whether there is an assignment of positive integers to the variables that satisfies ϕ. In Appendix B.2 we show that the satisfiability problem for L is undecidable by reduction from Hilbert’s Tenth Problem. § Theorem 3. The Pareto Domination Problem is undecidable. Proof. Consider the following problem of reaching a single valuation in RY ě0 : given an MPTA A “ xL, `0 , Lf , X , Y, E, Ry, and target valuation γ P RY ě0 , decide whether there is an accepting run ρ of A such that costpρq “ γ. One can reduce the problem of reaching a given valuation to the Pareto Domination Problem as follows. Transform the MPTA A to an MPTA A1 that has the same locations and edges as A but with two copies of each observer y P Y, with each copy having the same rate as y in each location. Formally A1 has set of observers Y 1 “ ty1 , y2 : y P Yu, where y1 is a 1 cost variable and y2 is a reward variable. Then, defining γ 1 P RY 1 1 ě0 by γ py1 q “ γ py2 q “ γpyq, we have that A1 has an accepting run ρ1 such that costpρ1 q dominates γ 1 just in case A has an accepting run ρ such that costpρq “ γ. Now we give a reduction from the satisfiability problem for L to the problem of reaching a single valuation. Consider an L-formula ϕ over variables X1 , . . . , Xm . We define an MPTA A over the set of clocks X “ tx1 , ¨ ¨ ¨ , xm , ru. Clock xi corresponds to the variable Xi , for i “ 1, . . . , m, while r is a reference clock. The reference clock is reset whenever it reaches 1 and is not otherwise reset—thus it keeps track of global time modulo one. After an initialisation phase the remaining clocks x1 , . . . , xm are likewise reset in a cyclic fashion, whenever they reach 1 and not otherwise. We denote by x˚i the value of clock xi whenever r ICALP 2018 248:6 Costs and Rewards in MPTA is 1. During the initialisation phase the values x˚i are established non-deterministically such that 0 ă x˚i ď 1. The idea is that x1˚ represents the value of variable Xi in ϕ; in particular, x˚i i is the reciprocal of a positive integer. For each atomic sub-formula in ϕ the automaton A contains a gadget that checks that the guessed valuation satisfies the sub-formula. To present the reduction we first define three primitive gadgets. The first “integer test” gadget checks that the initial value x˚i of clock xi is a reciprocal of a positive integer, by adding wrapping edges on all clocks xj other than xi to the MPTA from Figure 1. The construction of each gadget is such that the precondition r “ 0 holds when control enters Źm the gadget and the postcondition r “ 1 ^ j“1 xj ď 1 holds on exiting the gadget. This last postcondition is abbreviated to Inv in the figures. For an observer c and 1 ď i, j ď m, we define these three gadgets as in Figure 2. In the following we show how to compose the three primitive operations in an MPTA to enforce the atomic constraints in the language L. The initialisation automaton below is such that for i “ 1, . . . , m the value x˚i of clock xi is such that x1˚ P N. Herein the Guess self-loop i denotes a family of m edges, where the j-th edge non-deterministically resets clock xj . Note that the incoming edge of the integer test gadget enforces r “ 1 such that the initial guesses for the clocks xi satisfy x˚i P r0, 1s. Of these, only reciprocals x1˚ P N pass the subsequent i series of integer tests. Guess Initialisation X1 , . . . , Xn P N : 1 ? 1 ? Źm Źm t i“1 ci “ 0u x˚ P N ¨¨¨ P N t i“1 ci “ 1u 1 x˚ m Sum Xi “ Xj ` Xk : According to the encoding of integer value Xn as clock value xn “ X1n , we have to enforce x1˚ “ x1˚ ` x1˚ , which is achieved by the following sequential combination i j k of two quotient gadgets. x˚ x˚ tci “ cj “ ck “ 0u ci Ð ci ` i x˚ ci Ð ci ` i x˚ tci “ cj “ ck “ 1u j k 1 1 1 Product Xi “ Xj Xk : The following gadget enforces x˚ “ x˚ ¨ x˚ : i j k x˚ x˚ tci “ cj “ ck “ 0u ci Ð ci ` i x˚ ci Ð ci ` i x˚ j k ci Ð ci ` 1 ´ x˚j ci Ð ci ` 1 ´ x˚k tci “ 2 ^ cj “ ck “ 1u The satisfiability problem for a given L formula ϕ can now directly be reduced to the problem of reaching a single valuation γ P RY ě0 by translating each of the conjuncts of ϕ into the corresponding above MPTA gadget. The valuation γ encodes the target costs of the respective gadgets. đ Let us remark that the proof of Theorem 3 shows that undecidability of the Pareto Domination Problem already holds in case all observers have rates in t0, 1u. Separately we observe that undecidability also holds in the special case that exactly one observer is a cost variable and the others are reward variables, and likewise when exactly one observer is a reward variable and the others are cost variables, when allowing multiple rates beyond t0, 1u. The idea is to reduce the problem of reaching a particular valuation γ P RY ě0 in an MPTA 1 A to that of dominating a valuation γ 1 P RY ě0 in a derived MPTA A 1 with set of observers Y 1 “ Y Y tysum u, where ysum is a fresh variable. In A1 we designate all y P Y as cost variables M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:7 and ysum as a reward variable, or vice versa. Valuation γ 1 is specified by γ 1 pyq “ γpyq for ř all y P Y and γ 1 pysum q “ yPY γpyq. Automaton A1 has the same locations, edges, and rate ř function as those of A except that R1 pysum q “ yPY Rpyq. 5 The Simplex Automaton This section introduces the basic construction from which we derive our positive decidability results and complexity upper bounds. Let A “ xL, `0 , Lf , X , Y, E, Ry be an MPTA. For a sequence of edges e1 , . . . , em P E, define Runspe1 , . . . , em q Ď Rm ě0 to be the collection of sequences of timestamps pt1 , . . . , tm q P m e1 e2 em Rě0 such that A has a run ρ “ p`0 , ν0 , t0 q ÝÑ p`1 , ν1 , t1 q ÝÑ . . . ÝÑ p`m , νm , tm q. Recalling that by convention t0 “ 0 and ν0 “ 0, once the edges e1 , . . . , em have been fixed then the run ρ is determined solely by the timestamps t1 , . . . , tm . When the sequence of edges e1 , . . . , em is understood, we call such a sequence of timestamps a run. § Proposition 4. Runspe1 , . . . , em q Ď Rm ě0 is defined by a conjunction of difference constraints. The proof of Proposition 4 is in Appendix B.3. § Proposition 5. Runspe1 , . . . , em q is equal to the convex hull of the set of its integer points. Proof. Fix a positive integer M . From Proposition 4 it immediately follows that the set Runspe1 , . . . , em q X r0, M sm can be written as a conjunction of closed difference con- straints At ď b, where A is an integer matrix, t the vector of time-stamps t1 . . . tm , and b an integer vector. Given this, it follows that Runspe1 , . . . , em q X r0, M sm , being a closed and bounded polygon, is the convex hull of its vertices. Moreover each vertex is an integer point since the matrix A here, being by Proposition 4 the incidence matrix of a balanced signed graph with half edges, is totally unimodular [21, Proposition 8A.5]. đ Proposition 6 shows that for Pareto reachability on an MPTA A with |Y| “ d observers, it suffices to look at d ` 1-simplices of integer runs. § Proposition 6. For any run ρ of A there exists a set of at most d ` 1 integer-time runs S, all over the same sequence of edges as ρ, such that costpρq lies in the convex hull of costpSq. Proof. Let ρ be a run of A over an edge-sequence e1 , . . . , em with time stamps t0 , . . . , tm , given e1 e2 em by ρ “ p`0 , ν0 , t0 q ÝÑ p`1 , ν1 , t1 q ÝÑ . . . ÝÑ p`m , νm , tm q. By Proposition 5, pt1 , . . . , tm q lies in the convex hull of the set I of integer points in Runspe1 , . . . , em q. Since the map cost : Runspe1 , . . . , em q Ñ Rd is linear we have that costpρq lies in the convex hull of costpIq. Moreover by Carathéodory’s Theorem there exists a subset S Ď I of cardinality at most d ` 1 such that costpρq lies in the convex hull of costpSq. đ We now exploit Proposition 6 by introducing the so-called simplex automaton SpAq, which is a monotone VASS obtained from a given MPTA A. The automaton SpAq generates pd ` 1q- tuples of integer-time runs of A, such that each run in the tuple executes the same sequence of edges in A and the runs differ only in the times at which the edges are taken. The basic component underlying the definition of the simplex automaton is the integer-time automaton ZpAq. This automaton is a monotone VASS that generates the integer-time runs of A, using its counters to keep track of the running cost for each observer. The definition of ZpAq is as follows. Let A “ xL, `0 , Lf , X , Y, E, Ry be an MPTA. Let also MX P N be a positive constant greater than the maximum clock constant in A. We define a monotone VASS ZpAq “ xd, Q, q0 , Qf , E, ∆y, in which the dimension d “ |Y|, the set of ICALP 2018 248:8 Costs and Rewards in MPTA states is Q “ L ˆ t0, 1, . . . , MX uX , the initial state is q0 “ p`0 , 0q, the set of accepting states is Qf “ Lf ˆ t0, 1, . . . , MX uX , the set of labels is E (i.e., the set of edges of the MPTA), and the transition relation ∆ Ď Q ˆ Nd ˆ E ˆ Q includes a transition pp`, νq, t ¨ Rp`q, e, p`1 , ν 1 qq for every t P t0, 1, . . . , MX u and edge e “ p`, ϕ, λ, `1 q in A s.t. ν ‘ t |ù ϕ and ν 1 “ pν ‘ tqrλ Ð 0s. Here pν ‘ tqpxq “ minpνpxq ` t, MX q for all x P X . We then have: § Proposition 7. Given a valuation γ P RY ě0 , there exists an integer-time accepting run ρ of A with costpρq “ γ if and only if γ P ReachZpAq . The simplex automaton SpAq is built by taking d`1 copies of ZpAq “ xd, Q, q0 , Qf , E, ∆y dpd`1q that synchronize on transition labels. Formally, SpAq “ xdpd ` 1q, Qd`1 , q 0 , Qf , E, ∆y, d`1 dpd`1q d`1 where q 0 “ pq0 , . . . , q0 q and ∆ Ď Q ˆZ ˆEˆQ comprises those tuples ppq1 , . . . , qd`1 q, pv 1 , . . . , v d`1 q, e, pq11 , . . . , qd`1 1 qq s.t. pqi , v i , e, qi1 q P ∆ for all i P t1, . . . , d ` 1u. From Propositions 6 and 7 we have: § Proposition 8. Given γ P RY ě0 , there exists an accepting run ρ of A with costpρq “ γ if and only if there exists pγ1 , . . . , γd`1 q P ReachSpAq with γ in the convex hull of tγ1 , . . . , γd`1 u. We now introduce the following “master system” of bilinear inequalities that expresses whether γ ď costpρq for some accepting run ρ of A. γ ď λ1 γ1 ` ¨ ¨ ¨ ` λd`1 γd`1 1 “ λ1 ` ¨ ¨ ¨ ` λd`1 (3) pγ1 , . . . , γd`1 q P ReachSpAq 0 ď λ1 , . . . , λd`1 The system has real variables λ1 , . . . , λd`1 P RY Y ě0 and integer variables γ1 , . . . , γd`1 P N . The key property of the master system is stated in the following Proposition 9, which follows immediately from Proposition 8. § Proposition 9. Given a valuation γ P RY ě0 there is an accepting run ρ of A such that γ ď costpρq if and only if the system of inequalities (3) has a solution. Given Proposition 9, the results of Section 4 imply that satisfiability of the master system (3) is not decidable in general. In the rest of the paper we pursue different approaches to showing decidability of restrictions and variants of the Pareto Domination Problem by solving appropriately restricted versions of (3). 6 Pareto Domination Problem with Pure Constraints In this section we show that the Pareto Domination Problem is decidable in polynomial space for the class of MPTA in which the observers are all costs. We prove this complexity upper bound by exhibiting for such an MPTA A and target γ P RY ě0 a positive integer M , whose bit-length is polynomial in the size of A and γ, such that there exists a run ρ of A reaching the target location with γ ď costpρq iff there exists such a run of granularity M11 for some M1 ď M . To show this we rewrite the bilinear system of inequalities (3) into an equisatisfiable disjunction of linear systems of inequalities. We thus obtain a bound on the bit-length of any satisfying assignment of (3) from which we obtain the above granularity bound. A similar bound in case of all reward variables is obtained in C. Consider an MPTA A “ xL, `0 , Lf , X , Y, E, Ry. Recall that the reachability set ReachSpAq can be written as a union of linear sets Spv i , Pi q, i P I. More precisely, let MY be the maximum rate occurring in the rate function R of the given MPTA A. We then have the following, see Appendix B.4 for the proof. Ť § Proposition 10. The set ReachSpAq can be written as a finite union of linear sets iPI Spv i , Pi q such that for each i P I the base vectors v i and period vectors in Pi have entries of magnitude bounded by polypd, |L|, MY , MX qdpd`1q|X | . M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:9 z z y y x x Figure 3 The target T is the green rectangular region and the blue region is S. The pink region is πpT q and the light blue region πpSq. The grey region F is described in equation (5). Suppose that the set of observers Y with |Y| “ d is comprised exclusively of cost variables. We will apply Proposition 10 to analyse the Pareto Domination Problem. The key observation is that in this case we can equivalently rewrite the bilinear system (3) as a disjunction of linear systems of inequalities. As a first step we can rewrite the constraint pγ1 , . . . , γd`1 q P ReachSpAq in (3) as a disjunction of constraints pγ1 , . . . , γd`1 q P Spv i , Pi q, for i P I. But since the period vectors in Pi are non-negative we can further observe that in order to satisfy the upper bound constraints on cost variables, the optimal choice of pγ1 , . . . , γd`1 q P Spv i , Pi q is the base vector v i . Thus we can treat γ1 , . . . , γd`1 as a constant in (3). Thus we rewrite (3) as a finite disjunction of systems of linear inequalities—one such piq piq system for each i P I. For a given i P I let v i “ pγ1 , . . . , γd`1 q be the base vector of the linear set Spv i , Pi q. The corresponding system of inequalities specialising (3) is piq piq γ ď λ1 γ1 ` . . . ` λd`1 γd`1 , 1 “ λ1 ` ¨ ¨ ¨ ` λd`1 , 0 ď λ1 , . . . , λd`1 (4) Recall that if a set of linear inequalities Ax ě a, Bx ą b is feasible then it is satisfied by some x P Qn of bit-length polypn, bq, where b is the total bit-length of the entries of A, B, a, and b. Applying this bound and Proposition 10 we see that a solution of (4) can be written p in the form λ1 “ pg1 , . . . , λd`1 “ d`1g for integers p1 , . . . , pd`1 , g of bit-length at most piq piq polypd, |X |, |L|, logpMY q, logpMX qq. This entails that the cost vector λ1 γ1 ` . . . ` λd`1 γd`1 arises from a run of A with granularity g1 , thus indirectly addressing the open problem stated in [17, Section 8] on the granularity of optimal runs in MPTA. Together with Proposition 10, this yields PSPACE-membership for the Pareto Domination Problem. As reachability in timed automata is already PSPACE-hard [1] we have: § Theorem 11. The Pareto Domination Problem with pure constraints is PSPACE-complete. 7 Pareto Domination Problem with Three Mixed Observers In this section we consider the Pareto Domination Problem for MPTA with three observers. In the case of three cost variables or three reward variables the results of Section 6 apply. Below we show decidability for two cost variables and one reward variable. The similar case of two reward variables and one cost variable is handled in Appendix E. Consider an instance of the Pareto Domination Problem given by an MPTA A with |Y| “ 3 observers, and a target vector γ P RY ě0 . Our starting point is again Proposition 9. To apply this proposition the idea is to eliminate the quantifiers over the real variables (the λi ) in the system of equations (3) and thereby obtain a formula that lies in a decidable fragment of arithmetic (namely disjunctions of constraints of the form considered in Theorem 1). To explain this quantifier-elimination step in more detail, let us identify RY 3 ě0 with Rě0 . Denote by T Ď R3ě0 the set of valuations that dominate a given fixed valuation γ P R3ě0 . We ICALP 2018 248:10 Costs and Rewards in MPTA can write T “ tpx, y, zq P R3ě0 : x ď a ^ y ď b ^ z ě cu , where a, b, c are non-negative integer constants (see the left-hand side of Figure 3). We seek a quantifier-free formula of arithmetic that expresses that T meets a 4-simplex S Ď R3ě0 given by the convex hull of tγ1 , . . . , γ4 u, where pγ1 , . . . , γ4 q P ReachSpAq . However, since T is unbounded, it is clear that T meets a given 4-simplex S just in case it meets a face of S (which is a 3-simplex). Thus it will suffice to write a quantifier-free formula of arithmetic ϕT expressing that a 3-simplex in R3ě0 meets T . Such a formula has nine free variables—one for each of the coordinates of the three vertices of S. We describe ϕT in the remainder of this section. It is geometrically clear that S intersects T iff either S lies inside T , the boundary of S meets T , or the boundary of T meets S. More specifically we have the following proposition, whose proof is given in Appendix B.5. § Proposition 12. Let S Ď R3ě0 be a 3-simplex. Then T X S is nonempty if and only if at least one of the following holds: (a) Some vertex of S lies in T ; (b) Some bounding edge of S intersects either the face of T supported by the plane x “ a or the face of T supported by the plane y “ b; (c) The bounding edge of T supported by the line x “ a X y “ b intersects S. The following definition and proposition are key to expressing intersections of the form identified in Case (c) of Proposition 12 in terms of quadratic constraints. The idea is to identify a bounded region F Ď R3ě0 such that in Case (c) one of the vertices of S lies in F . The proof of Proposition 13 can be found in Appendix B.6. Define a region F Ď R3ě0 (depicted as the grey-shaded region on the right of Figure 3) by: F “ tpx, y, zq P R3ě0 | z ă c ^ px ` ay ď apb ` 1q _ y ` bx ď bpa ` 1qqu. (5) Then we have: § Proposition 13. Let S Ď R3ě0 be a 3-simplex such that S X T is non-empty but none of the bounding edges of S meets T . Then some vertex of S lies in F . Denote by π : R3 Ñ R2 the projection of R3 onto the xy-plane, where πpx, y, zq “ px, yq for all x, y, z P R. Write πpT q and πpSq for the respective images of T and S under π. p1q p2q p3q We write separate formulas ϕT , ϕT , ϕT , respectively expressing the three necessary and sufficient conditions for T X S to be nonempty, as identified in Proposition 12. These are formulas of arithmetic whose free variables denote the coordinates of the three vertices of S. p1q Some vertex of S lies in T . Denote the vertices of S by p, q, r. Formula ϕT expresses that p P T or q P T or r P T . This is clearly a formula of linear arithmetic. p2q Some bounding edge of S meets a face of T . It is straightforward to obtain ϕT 3 given a formula ψ expressing that an arbitrary line segment xy in Rě0 meets a given fixed face of T . We outline such a formula in the rest of this sub-section. For concreteness we consider the face of T supported by the plane x “ a, which maps under π to the line segment L “ tpa, yq : 0 ď y ď bu. Formula ψ has six free variables, respectively denoting the coordinates of x “ px1 , x2 , x3 q and y “ py1 , y2 , y3 q. Formula ψ is a conjunction of two parts. The first part expresses that πpxqπpyq meets L. Since the complement of πpF q is a convex region in R2ě0 that excludes πpT q we have that either πpxq P πpF q or πpyq P πpF q. Moreover since πpF q contains finitely many integer points, we can write separate sub-formulas expressing that πpxqπpyq meets L for each fixed value of πpxq P πpF q and each fixed value of πpyq P πpF q. Each of these sub-formulas can then be written in linear arithmetic, see Appendix D. Suppose now that πpxqπpyq meets L. Then the line xy meets the face of T supported by the plane x “ a iff the line in xz-plane connecting px1 , x3 q and py1 , y3 q passes above pa, cq. This requirement is expressed by the quadratic constraint (8) in Appendix D. M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:11 y y f1 f1 πprq πprq Case 1: Case 2: c πpqq c f2 πpqqf πppq πppq 2 x x Figure 4 Two cases for expressing that c P πpSq. The grey region is πpF q. p3q A bounding edge of T meets S. We proceed to describe the formula ϕT expressing that the bounding edge E of T , supported by the line x “ a X y “ b, meets S. Note that image of E under the projection π is the single point c “ pa, bq. Thus E meets S just in case c P πpSq and the point pa, b, cq lies below the plane affinely spanned by S. We describe two formulas that respectively express these requirements. Denote the vertices of S by p, q, and r. We first give a formula of linear arithmetic expressing that c P πpSq. Notice that if c P πpSq then at least one vertex of πpSq must lie in πpF q. We now consider two cases. The first case is that exactly one vertex of πpSq (say πppq) lies in πpF q. The second case is that at least two vertices of of πpSq (say πppq and πpqq) lie in πpF q. The two cases are respectively denoted in Figure 4, that we refer to in the following. In the first case we can express that c P πpSq by requiring that the line segment πppqπpqq crosses the edge f 2 c and πppqπprq crosses the edge f 1 c. By writing a separate constraint for each fixed value of πppq P πpF q the above requirements can be expressed in linear arithmetic. In the second case we can express that c P πpSq by requiring that c lies on the left of each of the directed line segments πppqπpqq, πpqqπprq, and πprqπppq. By writing such a constraint for each fixed value of πppq and πpqq in πpF q we obtain, again, a formula of linear arithmetic, see Appendix D. It remains to give a formula expressing that pa, b, cq lies below the plane affinely spanned by p, q, and r under the assumption that c P πpSq. Note here that the above-described formula expressing that πpcq P πpSq specifies inter alia that πppq, πpqq, and πprq are oriented counter-clockwise. Thus pa, b, cq lies below the plane affinely spanned by p, q, and r iff q1 ´ p1 r1 ´ p1 a ´ p1 q2 ´ p2 r2 ´ p2 b ´ p2 ă 0 q3 ´ p3 r3 ´ p3 c ´ p3 The above expession is cubic, but by Proposition 13 we may assume that p lies in the set F , which has finitely many integer points. Thus by a case analysis we may regard p as being fixed and so write the desired formula as a disjunction of atoms, each with a single quadratic term, whose satisfiability is known to be decidable from Theorem 1. This leads us to: § Theorem 14. The Pareto Domination Problem is decidable for at most three observers. Theorem 14 was proven by reduction to satisfiability of a system of arithmetic constraints with a single quadratic term. For the case of four observers this technique does not appear to yield arithmetic constraints in a known decidable class. Note that satisfiability of systems of constraints featuring two distinct quadratic terms is not known to be decidable in general. In Appendix F we consider (a generalisation of) the Pareto Domination Problem for MPTA with at most two observers. In contrast to the case of three observers, we are able to show decidability for two observers by reduction to satisfiability in linear arithmetic. ICALP 2018 248:12 Costs and Rewards in MPTA 8 Gap Domination Problem In this section we give a decision procedure for the Gap Domination Problem. Given an MPTA A, valuation γ P RY ě0 , and a rational tolerance ε ą 0, our procedure is such that if there is an accepting run ρ of A such that γ ďε costpρq then we output “dominated”; if there is no accepting run ρ of A such that γ ď costpρq then we output “not dominated”. To do this, our approach is to find approximate solutions of the bilinear system (3) by relaxation and rounding. Recall from Proposition 9 that (3) is satisfiable iff A has an accepting run ρ such that γ ď costpρq. Now we use the semi-linear decomposition of ReachSpAq to eliminate the constraints on integer variables from (3). In more detail, fix a decomposition of ReachSpAq as a union of linear sets and let S :“ Spv, P q be one such linear set, where P “ tu1 , . . . , uk u. Then we replace the constraint pγ1 , . . . , γd`1 q P ReachSpAq in (3) with pγ1 , . . . , γd`1 q “ v ` n1 u1 ` ¨ ¨ ¨ ` nk uk , where n1 , . . . , nk are variables ranging over N. We thus obtain for each choice of S a bilinear system of inequalities ϕS of the form (6), where I and J are finite sets and for each i P I and j P J, it holds that fi , gj are linear forms (i.e., polynomials of degree one with no constant terms) with non-negative integer coefficients and ci and dj are rational constants. fi pn1 λ1 , n1 λ2 , . . . , nk λd`1 q ď ci pi P Iq λ1 , . . . , λd`1 ě 0 gj pn1 λ1 , n1 λ2 , . . . , nk λd`1 q ě dj pj P Jq λ1 ` ¨ ¨ ¨ ` λd`1 “ 1 (6) n1 , . . . , n k P N Fix a particular system ϕS , as depicted in (6). Let µ be the maximum coefficient of the fi , i P I. Given T Ď t1, . . . , d ` 1u, we define the following constraint ψT on λ1 , . . . , λd`1 : ľ ľ ε ε ψT :“ λi ď pd`1qkµ ^ λi ě pd`1qkµ . iPT iRT Intuitively, ψT expresses that λi is “small” for i P T and “large” for i R T . Given any satisfying assignment of ϕS it is clear that λ1 , . . . , λd`1 must satisfy ϕT for some T Ď t1, . . . , d ` 1u. Now fix a set T Ď t1, . . . , d ` 1u and consider the satisfiability of ϕS ^ ψT . If i R T then for any term λi nj that appears in an upper-bound constraint with right-hand side c in ϕS , we must have nj ď r cpd`1qµ ε s in order for the constraint to be satisfied. Thus by enumerating all values of nj we can eliminate this variable. By doing this we may assume that in ϕS ^ ψT , for any term λi nj that appears on the left-hand side of an upper-bound constraint we have i P T and hence that λi must be “small” in any satisfying assignment. The next step is relaxation—try to solve ϕS ^ ψT (after the above described elimination step), letting the variables n1 , . . . , nk range over the non-negative reals. Recall here that the existential theory of real closed fields is decidable in polynomial space. If there is no real solution of ϕS ^ ψT for any S and T then there is certainly no solution over the naturals. and we can output “not dominated”. On the other hand, if there is a run ρ with γ ďε costpρq then for some S and T , the system ϕS ^ ψT will have a real solution in which moreover the inequalities fi pn1 λ1 , . . . , nk λd`1 q ď ci for i P I all hold with slack at least ε. Given such a solution, replace nj with rnj s for j “ 1, . . . , k. Consider the left- hand side fi pn1 λ1 , . . . , nk λd`1 q of an upper bound constraint in ϕS . Since the variables λi mentioned in such a linear form are small, the effect of rounding is to increase this term by at most ε. Hence the rounded valuation still satisfies ϕS thanks to the slack in the original solution. This then leads to Theorem 15 below: § Theorem 15. The Gap Domination Problem is decidable. M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:13 References 1 R. Alur and D. Dill. A theory of timed automata. TCS, 126(2):183–235, 1994. 2 R. Alur, S. La Torre, and G. J. Pappas. Optimal paths in weighted timed automata. In M.-D. Di Benedetto and A. S-Vincentelli, editors, HSCC, volume 2034 of LNCS, pages 49–62. Springer, 2001. 3 G. Behrmann, A. Fehnker, T. Hune, K. G. Larsen, P. Pettersson, J. Romijn, and F. W. Vaandrager. Minimum-cost reachability for priced timed automata. In M.-D. Di Benedetto and A. S-Vincentelli, editors, HSCC, volume 2034 of LNCS, pages 147–161. Springer, 2001. 4 P. Bouyer, T. Brihaye, V. Bruyère, and J.-F. Raskin. On the optimal reachability problem of weighted timed automata. Formal Methods in System Design, 31(2):135–175, 2007. 5 P. Bouyer, E. Brinksma, and K. G. Larsen. Optimal infinite scheduling for multi-priced timed automata. Formal Methods in System Design, 32(1):3–23, 2008. 6 P. Bouyer, U. Fahrenberg, K. G. Larsen, N. Markey, and J. Srba. Infinite runs in weighted timed automata with energy constraints. In F. Cassez and C. Jard, editors, FORMATS, volume 5215 of LNCS, pages 33–47. Springer, 2008. 7 P. Bouyer, K. G. Larsen, and N. Markey. Model checking one-clock priced timed automata. Logical Methods in Computer Science, 4:1–28, 2008. 8 T. Brihaye, V. Bruyère, and J.-F. Raskin. On model-checking timed automata with stop- watch observers. Inf. Comput., 204(3):408–433, 2006. 9 I. Diakonikolas and M. Yannakakis. Small approximate pareto sets for biobjective shortest paths and other problems. SIAM J. Comput., 39(4):1340–1371, 2009. 10 M. Fränzle and M. Swaminathan. Revisiting decidability and optimum reachability for multi-priced timed automata. In J. Ouaknine and F. W. Vaandrager, editors, FORMATS, volume 5813 of LNCS, pages 149–163. Springer, 2009. 11 F. Grunewald and D. Segal. On the integer solutions of quadratic equations. Journal für die reine und angewandte Mathematik, 569:13–45, 2004. 12 C. Haase and S. Halfon. Integer vector addition systems with states. In J. Ouaknine, I. Potapov, and J. Worrell, editors, RP, volume 8762 of LNCS, pages 112–124. Springer, 2014. 13 T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya. What’s decidable about hybrid automata? J. Comput. Syst. Sci., 57(1):94–124, 1998. 14 J. P. Jones. Undecidable diophantine equations. Bull. Amer. Math. Soc., 3:859–862, 1980. 15 E. Kopczynski and A. W. To. Parikh images of grammars: Complexity and applications. In LICS, pages 80–89. IEEE Computer Society, 2010. 16 K. G. Larsen, G. Behrmann, E. Brinksma, A. Fehnker, T. Hune, P. Pettersson, and J. Rom- ijn. As cheap as possible: Efficient cost-optimal reachability for priced timed automata. In G. Berry, H. Comon, and A. Finkel, editors, CAV, volume 2102 of LNCS, pages 493–505. Springer, 2001. 17 K. G. Larsen and J. I. Rasmussen. Optimal reachability for multi-priced timed automata. TCS, 390(2-3):197–213, 2008. 18 V. Perevoshchikov. Multi-weighted automata models and quantitative logics. PhD thesis, University of Leipzig, 2015. 19 K. Quaas. Kleene-Schützenberger and Büchi theorems for weighted timed automata. PhD thesis, University of Leipzig, 2010. 20 A. W. To. Parikh images of regular languages: Complexity and applications. CoRR, 2010. URL: http://arxiv.org/abs/1002.1464. 21 T. Zaslavsky. Signed graphs. Discrete Applied Mathematics, 4(1):47 – 74, 1982. 22 Z. Zhang, B. Nielsen, K. G. Larsen, G. Nies, M. Stenger, and H. Hermanns. Pareto optimal reachability analysis for simple priced timed automata. In Z. Duan and L. Ong, editors, ICFEM, volume 10610 of LNCS, pages 481–495. Springer, 2017. ICALP 2018 248:14 Costs and Rewards in MPTA A Difference Constraints As summarized in [4, Section 5.3] for the setting of a single observer, given an MPTA A with difference clock constraints, we can find an MPTA A1 without difference clock constraints such that A and A1 are strongly time-bisimilar. The Domination Problems for A can thus be reduced to those for A1 . Although eliminating difference clock constraints from MPTA results in an exponential blow-up in the number of locations and edges [4, Section 5.3], the PSPACE complexity for the Pareto Domination Problem in the case of all cost variables and all reward variables (see Section 6 and Appendix C) remains true. Indeed the granularity bounds that were used to establish PSPACE complexity, while exponential in the number of observers, are only polynomial in the number of locations of the MPTA and hence remain singly exponential in magnitude even after an exponential blow-up in the number of locations. B Missing Proofs B.1 Proof of Proposition 2 Proof. Given Z and q, we can construct an NFA B over alphabet Σ1 “ tσ1 , . . . , σn u with at most |Q|2 nM states such that ReachZ is the Parikh image of the language of B. The idea is that each transition pp, v, p1 q in A is simulated in B by a gadget consisting of a sequence of transitions whose Parikh image is v. Having obtained B, the proposition follows from the bound in [20, Proposition 4.3],[15] on the size of the semilinear decomposition of the Parikh image of the language of an NFA. đ B.2 Proof that Satisfiability for Language L is Undecidable (Section 4) § Proposition 16. The satisfiability problem for L is undecidable. Proof. The proof is by reduction from Hilbert’s Tenth Problem: given a polynomial P P ZrX1 , . . . , Xk s, does P have a zero over the set of positive integers? Given such a polynomial P , we write an L-formula ϕP whose variables include X1 , . . . , Xk , such that the satisfying assignments of ϕP are in one-to-one correspondence with the positive integer roots of P . The idea is simple: write P “ P1 ´ P2 , where all monomials in P1 and P2 appear with positive coefficients. We then introduce an L-variable for each subterm of P1 and P2 and write constraints to ensure that the variable takes the same value as the corresponding term. Finally we assert that P1 is equal to P2 through the constraint P1 “ P2 X ^ X “ XX. đ B.3 Proof of Proposition 4 Proof. Given a sequence pt1 , . . . , tm q P Rm ě0 , we define a corresponding sequence of clock valuations ν1 , . . . , νm P RX ě0 by ν i pxq “ ti if none of the edges e1 , . . . , ei´1 reset clock x and otherwise νi pxq :“ ti ´ tj , where j ă i is the maximum index such that x is reset by edge ej . In order for a sequence pt1 , . . . , tm q to be an element of Runspe1 , . . . , em q we require that the ti be non-negative and non-decreasing and that for every index i P t1, . . . , mu, the guard ϕi of edge ei be satisfied by the clock valaution νi defined above. Clearly the above requirements can be expressed by difference constraints on t1 , . . . , tm . đ B.4 Proof of Proposition 10 Proof. The number of control states of ZpAq is at most pMX q|X | |L| and the number of states of SpAq is at most ppMX q|X | |L|qd`1 . Moreover the vectors occurring in the transitions of M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:15 SpAq have entries of magnitude at most MY MX . We now apply Proposition 2 to SpAq. We get that the the base vectors v i and period vectors in Pi have entries of magnitude at most polypd, |L|, MY , MX qdpd`1q|X | . đ B.5 Proof of Proposition 12 Proof. Observe that T X S is nonempty just in case there exists a point x “ px1 , x2 , x3 q P S such that πpxq P πpT q X πpSq and x3 ě c. But πpT q X πpSq, being a bounded convex polygon, is the convex hull of its vertices. It follows that T X S is non-empty just in case there exists a point x P S such that πpxq is a vertex of πpT q X πpSq and x3 ě c. Now the vertices of πpT q XπpSq come in three types: piq vertices of πpSq, piiq intersections of bounding line segments of πpT q and πpSq, and piiiq vertices of πpT q. Let x P S be such that πpxq is a vertex of πpT q X πpSq and x3 ě c. Assume moreover that for all y P S such that πpxq “ πpyq we have x3 ě y3 . If πpxq is a vertex of πpT q X πpSq of the first type then x is a vertex of S. If πpxq is a vertex of the second type, but not of the first type, then x is the intersection of a bounding edge of S with one of the two faces of F identified in Item 2 in the statement of the proposition. Finally, if πpxq is a vertex of the third type, but not of the first or second types, then x is the intersection of S with the edge of F supported by the line x “ a X y “ b. đ B.6 Proof of Proposition 13 Proof. Since S X T ‰ H, we have πpSq X πpT q ‰ H. Hence there are vertices x, y of S such that the edge πpxqπpyq meets πpT q. By Proposition 17 we have either that one of πpxq and πpyq lies in πpT q or that both πpxq and πpyq lie in πpF q. Suppose πpxq P πpT q. Since the edge xy is assumed not to meet T we must have that x3 ă c and hence x P F . Likewise the assumption that πpyq P πpT q yields y P F . Finally, if both πpxq and πpyq lie in πpF q then the assumption that xy does not meet T implies that either x3 ă c or y3 ă c. Hence x P F or y P F . đ C Pareto Domination with All Reward Variables Now we suppose that the set of observers Y is comprised exclusively of reward variables. We will again apply Proposition 10 to rewrite (3) as a finite disjunction of systems of linear inequalities. Fix an index i P I. Let the base vector of the linear set Spv i , Pi q be v i “ pγ1 , . . . , γd`1 q. We write a linear constraint to express that there exists a vector pγ11 , . . . , γd`1 1 q P Spv i , Pi q and řd`1 Y a convex combination j“1 λj γj1 that dominates a given γ P Rě0 . We write this constraint as a disjunction of finitely many systems of linear inequalities—one system for each possible choice of the support S 1 Ď t1, . . . , d ` 1u of the the convex sum. Fix such a set S 1 and let YS 1 Ď Y be the set of variables y such that there is some period vector pγ11 , . . . , γd`1 1 q P Pi 1 1 and j P S with γj pyq ą 0. Then the system of inequalities is as follows: γpyq ď λ1 γ1 pyq ` . . . ` λd`1 γd`1 pyq py R YS 1 q 1 “ λ1 ` ¨ ¨ ¨ ` λd`1 (7) 0 ă λj pj P S 1 q 0 “ λj pj R S 1 q To see why this works, note that for y P YS 1 there exists some period vector pγ11 , . . . , γd`1 1 q P Pi and j P S 1 with γj1 pyq ą 0. By adding suitable multiples of to the solution of the above ICALP 2018 248:16 Costs and Rewards in MPTA system we can make value of the variable y arbitrarily large. Recall that if a set of linear inequalities Ax ě a, Bx ą b is feasible then it is satisfied by some x P Qn of bit-length polypn, bq, where b is the total bit-length of the entries of A, B, a, and b. Applying this bound and Proposition 10 we see that a solution of (7) can be written p in the form λ1 “ pg1 , . . . , λd`1 “ d`1 g for integers p1 , . . . , pd`1 , g of bit-length at most polypd, |L|, logpMY q, logpMX qq. This entails that the cost vector λ1 γ1 ` . . . ` λd`1 γd`1 arises from a run of A with granularity g1 . D Geometry Background We will need the following elementary geometric facts. Let v i “ pxi , yi q with i P t1, 2, 3, 4u be four distinct points in R2 . Consider the determinant x1 y1 1 ∆pv 1 , v 2 , v 3 q “ x2 y2 1 x3 y3 1 involving three points v 1 , v 2 and v 3 . Then ∆pv 1 , v 2 , v 3 q “ 0 if and only if the three points v 1 , v 2 and v 3 are colinear, and ∆pv 1 , v 2 , v 3 q ą 0 if and only if v 3 lies on the right of the directed line passing through v 1 and v 2 . We say that two line segments properly intersect if they meet at a single point that is not an end point of either line segment. The line segment v 1 v 2 properly intersects the line segment v 3 v 4 if and only if the following two conditions hold: 1. v 3 and v 4 are on the opposite sides of the line passing through v 1 and v 2 : p∆pv 1 , v 2 , v 3 q ą 0 ^ ∆pv 1 , v 2 , v 4 q ă 0q _ p∆pv 1 , v 2 , v 3 q ă 0 ^ ∆pv 1 , v 2 , v 4 q ą 0q, 2. v 1 and v 2 are on the opposite sides of the line passing through v 3 and v 4 : p∆pv 3 , v 4 , v 1 q ą 0 ^ ∆pv 3 , v 4 , v 2 q ă 0q _ p∆pv 3 , v 4 , v 1 q ă 0 ^ ∆pv 3 , v 4 , v 2 q ą 0q. For use in Section 7 and Appendices E and F we note that if v 1 , v 2 and v 3 are fixed, then the constraint expressing that v 1 v 2 and v 3 v 4 properly meet is a formula of linear arithmetic in variables x4 and y4 . Let us also note that line segment v 1 , v 2 properly intersects the half-line parallel to the x-axis with lower endpoint having coordinates pa, cq if and only if the following constraint holds: ¨ ˛ ¨ ˛ x1 y1 1 x1 y1 1 ˝ a c 1 ą 0 and x1 ă x3 ă x2 ‚ or ˝ a c 1 ă 0 and x2 ă x3 ă x1 ‚ (8) x2 y2 1 x2 y2 1 Let v i “ pxi , yi , zi q with i P t1, 2, 3, 4u be four distinct points in R3 . Assume that the list of vertices v 1 , v 2 , v 3 describes a triangle with anti-clockwise orientation. Consider the determinant x2 ´ x1 x3 ´ x1 x4 ´ x1 ∆ “ y2 ´ y1 y3 ´ y1 y4 ´ y1 . z2 ´ z 1 z3 ´ z1 z4 ´ z 1 Then ∆ “ 0 if and only if the point v 4 lies in the plane affinely spanned by the three points v 1 , v 2 and v 3 , and ∆ ą 0 if and only if v 4 lies above that plane. For use in Section 7 and Appendix E we note that if v 1 and v 4 are fixed, then the constraint expressing that v 4 lies above the plane affinely spanned by v 1 , v 2 and v 3 is a quadratic formula in the variables x2 , y2 , x3 and y3 . M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:17 E Pareto Domination with Three Mixed Observers: Two Reward Variables and One Cost Variable Recall the set F , defined in Equation (5) and consider its projection πpF q in the xy-plane. Moreover write R :“ tpx, yq P R2ě0 : x ď a ^ y ď bu (see Figure 5). z z πpyq πpxq e πpxq y c y πpyq x x Case 1 Case 2 Figure 5 Two cases in the proof of Proposition 17, where the grey region is F and the pink region is R. § Proposition 17. Let L be an edge in R2ě0 that intersects R. Then L has either one endpoint in R or has both endpoints in πpF q. Proof. Let L have endpoints x, y P R2ě0 . Since the complement of πpF q is a convex region in R2ě0 that excludes R, at least one of x or y lies in πpF q. Without loss of generality, assume that x P πpF q. To prove the proposition it suffices to show that if x R R then both x, y P πpF q. Suppose x R R. Now πpF qzR “ F0 Y F1 , where F0 “ tpx, yq P R2ě0 | y ` bx ď bpa ` 1q and x ě au and F1 “ tpx, yq P R2ě0 | x ` ay ď apb ` 1q and y ě bu. Thus x lies in either F0 or F1 . We show that x P Fi only if y P F1´i for i P t0, 1u and conclude that both x, y P F . Assume that x P F0 . Since the edge xy meets R, clearly y R F0 . Draw a line through x and c, shown as the dashed red line in the diagram. The point y is below this line for otherwise edge xy fails to meet R. Consider the point e “ p0, b ` 1q. Then the edges ec and xc meet at c. Since edge xc intersects the x-axis above e, it intersects the y-axis below the edge ec, i.e. in πpF q. We conclude that y P F1 . The argument for the case x P F1 is symmetric. Thus we have shown that xq, y P πpF q. đ Consider a reachability objective T Ď R3ě0 given by two upper-bound constraints and one lower-bound constraint, see Figure 6. Write T “ tpx, y, zq P R3ě0 : x ě a ^ y ě b ^ z ď cu , where a, b, c are non-negative integer constants. We write a quantifier-free first-order for- mula ϕT of arithmetic expressing that a 3-simplex S Ď R3ě0 meets T . This formula has nine free variables: one for each of the coordinates of the three vertices of S. ICALP 2018 248:18 Costs and Rewards in MPTA z y x Figure 6 The target T is the green rectangular region, the grey region is F , and the pink region is πpT q. Write πpT q for the projections of T in the xy-plane, see Figure 6. The following two propositions are syntactically identical to Proposition 12 and Proposi- tion 13, although now referring to a different form of the target set T . While the proof of Proposition 12 carries over verbatim to the new setting of Proposition 18, we need to slightly modify the proof of Proposition 13 in order to prove Proposition 19. § Proposition 18. Let S Ď R3ě0 be a 3-simplex. Then T X S is nonempty if and only if at least one of the following holds: 1. Some vertex of S lies in T . 2. Some bounding edge of S intersects either the face of T supported by the plane x “ a or the face of T supported by the plane y “ b. 3. The bounding edge of T supported by the line x “ a X y “ b intersects S. The following Proposition refers to the set F as defined in (5). § Proposition 19. Let S Ď R3ě0 be a 3-simplex such that S X T is non-empty, but no bounding edge of S meets T . Then some vertex of S lies in F . Proof. Under the assumptions of this proposition, Items 1 and 2 of Proposition 18 do not hold. Hence the bounding edge of T that is supported by the line segment x “ a X y “ b meets S at some point not on a bounding edge of S. In particular, considering the projection in the xy-plane, we have that the point pa, bq lies in the interior of πpSq. Now consider the plane in R3ě0 affinely spanned by S. Write the equation of this plane in the form z “ f px, yq for some affine function f . From the assumption that no bounding edge of S meets T , we deduce that pa, bq is the only vertex of the convex set πpSq X πpT q at which f is bounded above by c. It follows that f has positive derivative in the direction of the positive x-axis and positive y-axis. Hence f is bounded above by c on the entire region R :“ tpx, yq P R2ě0 : x ď a, y ď bu. Now since pa, bq lies in the interior of πpSq, there is a bounding edge xy of S such that πpxqπpyq meets the region R. By Proposition 17, πpxqπpyq either has some endpoint in R (say πpxq) or has both endpoints in πpF q. Since f is bounded above by c on R, in the first case we have that x3 ď c and hence x P F . In the second case we have that either x3 ď c or y3 ď c and hence either x P F or y P F . đ p1q p2q p3q We write separate formulas ϕT , ϕT , ϕT , respectively expressing the three necessary and sufficient conditions for T X S to be nonempty as identified in Proposition 18. These are formulas of arithmetic whose free variables denote the coordinates of the three vertices M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:19 p1q p3q of S. The definitions of the formulas ϕT and ϕT are almost identical to those of the p3q corresponding formulas in Section 7. The only difference is that for ϕT we ask to express that the point pa, b, cq lies above the plane affinely spanned by p, q, and r (rather than below the plane, as in Section 7). p2q There are more substantial differences in the definition of the formula ϕT . Recall that this formula expresses that some bounding edge of S meets a face of T . As in Section 7, p2q it is straightforward to obtain ϕT given a formula ψ expressing that an arbitrary line 3 segment xy in Rě0 meets a given fixed face of T . We outline such a formula below. For concreteness we consider the face of T supported by the plane x “ a, which maps under π to the line segment L given by x “ a X y ě b (see Figure 7). Formula ψ has six free variables, respectively denoting the coordinates of x and y. y L πpxq c πpyq x Figure 7 To express that πpxqπpyq meets line segment L. The grey region is πpF q. Formula ψ is a conjunction of two parts. The first part expresses that πpxqπpyq meets L. The key is to express this requirement via a formula of linear arithmetic. For each fixed value of πpxq P F we can write a linear constraint expressing that πpxqπpyq meets L, and likewise for each fixed value of πpyq P F . Thus we may assume that both πpxq and πpyq lie in the complement of πpF q. But then πpxqπpyq meets L just in case πpxq and πpyq lie on opposite sides of the line x “ a, which is also a linear constraint. Suppose now that πpxqπpyq meets L, say at a point πpzq where z lies on line segment xy. The second part of ψ expresses that z lies below the plane z “ c. Such a formula is a disjunction of atoms, each with a single quadratic term, whose satisfiability is known to be decidable from Theorem 1. F Reachability for Two Observers In this section we consider MPTA with two observers and reachability of sets of valuations T Ď RY ě0 described by arbitrary conjunctions of constraints of the form γpyq „ c for y P Y, „ P tď, ěu, and c P Z. Since the set of valuations in RY ě0 dominating a given valuation can be written in the above form, this reachability problem subsumes the Pareto Domination Problem. In contrast to the situation with three observers, in the case at hand we will be able to translate the reachability problem into satisfiability in linear arithmetic. F.1 Bounded Cost Objective We show how to construct a quantifier-free formula ϕObj of linear arithmetic that is satisfiable if and only if the bounded rectangular cost objective can be achieved. ICALP 2018 248:20 Costs and Rewards in MPTA y x Recall that for a MPTA featuring two non-negative cost variables, a configuration of the simplex automaton SpAq determines a triangle in the plane whose vertices are non-negative integers. We denote the vertices p, q, and r. Draw a line with slope 45 degrees, intersecting the two positive coordinate axes and passing through the top right corner x of the target rectangle T . This line divides the upper right quadrant of the plane into two regions—a bounded region below the line (shaded blue) and an unbounded region above the line (shaded grey). Clearly the number of vertices of 4pqr that lie in the blue region is either one, two, or three. Since the blue region contains finitely many integer points, the case in which 4pqr lies completely in the blue region is trivial. The two remaining cases are as follows: y y y x ñ p q p x x x Case 1 Case 2 Case 1: the blue region contains two vertices of 4pqr—say p and q. We proceed by a case analysis on the coordinates of p and q (for which there are finitely many possibilities). Fix values for p and q in the blue region. Then the condition that 4pqr intersects the target can be written as a linear constraint on the coordinates of the remaining vertex r—specifically that one of the vertices of 4pqr lies in the target T or that one of the bounding line segments of 4pqr intersects one of the bounding line segments of the target T . Case 2: the blue region contains a single vertex of 4pqr—say p. Fix a value of p and assume that p is not in the target T . Now consider the “shadow” of the target rectangle T created by a light source at point p (the pink region in the diagram). This shadow is is a region in the plane that is bounded by two lines that respectively pass through p and vertices of the target T (shown as pink dashed lines in the diagram). Then in case vertices q and r lie in the grey region, 4pqr fails to meet the target rectangle if and only q and r both lie on the same side of both of the pink dashed lines. Again this condition can be expressed as a Boolean combination of linear constraints on q and r since the pink dashed lines are fixed. M. Fränzle, M. Shirmohammadi, M. Swaminathan, J. Worrell 248:21 y y q q r p p x x q in the pink region q, r in separate grey regions F.2 Unbounded Cost Objective We show how to construct a quantifier-free formula ϕObj of linear arithmetic that is satisfiable if and only if the unbounded rectangular cost objective, as shown in the diagram below, can be achieved. We consider an objective where the observer x is unbounded above while y is bounded. The case when x is bounded with y unbounded above is symmetric. The last case for an unbounded cost objective is when both observers x, y are unbounded above. The following argument can be used in this last case with a slight modification. y x Draw a line with slope 45 degrees, intersecting the two positive coordinate axes and passing through the top left corner P of the target rectangle T . This line divides the upper right quadrant of the plane into two regions—a bounded region below the line (shaded blue) and an unbounded region above the line. We further divide the region above the line into three horizontal bands with boundaries given by the horizontal sides of the target (the upper bound is shaded pink and lower band is shaded grey in the diagram). We now consider two cases according to whether 4pqr has a vertex in the blue region. y y y p x ñ q p x x x Case 1 Case 2 Case 1. No vertex of 4pqr lies in the blue region. Then 4pqr meets the target iff it is not the case that all vertices lie in the grey region or all vertices lie in the pink region. ICALP 2018 248:22 Costs and Rewards in MPTA Case 2. Some vertex of 4pqr lies in the blue region—say p. Fix p. Then 4pqr meets T if one of the line segments pq or pr intersects the boundary of the target T . Given that p is fixed this condition can be expressed as a Boolean combination of linear constraints on q and r.