Duration Calculus.. A Formal Approach to Real-Time Systems

whether ?jn

it

foralleea.

by IL25 and IL28, i.e. when ,9pec holds on an interval, it holds on all prefix intervals as well. We must consider one base case and two inductive steps.

(X

Case 1: Process pjo has no deadline in the last left open interval in which is running, i.e. for this case we must prove

pi has no deadline in

(b, e]

The process pr is more urgent than the process pio in the interval [a,b], because b is a dea,dline for pi and pio has no deadline in (o,e]. Since p7o is running throughout [o,b], po has no request standing in this interval. Thus ,Req6 holds on [0,b] by Lemma 4.7 and, by Lemma 4.6, also on [0,e]. The proof for Case 1 is now completed. Case 2: Process pj. has one deadline in the last left open interval in which is rrrrrrring, i.
/ ,9..tu. I n jt,,, (flltrrrr;,, ll I ^ \ n 1r//,rn r'.,,, (( .' lt)) lirt rll rr rv.

\

til | .+ ttur, I

.

it

84

4. Deadline-Driven

4.2 Lfu and Layland's

Scheduler

Suppose p7o has one deadline (at time b) in the last left open interval of length y, i.e. we have the situation

|: r

Req

P7o has no deadline

in

holds on f0,b] (by Lemma4.3 and since l!.lTiol: llllTi,l when therefore jo € a.. Hence we have the following situation:

0abe

the interval [0,b] (for all r' e a), then we have finished, because the proof of case 1 implies that Req6 (for all z e a) holds on [0, e] also. Thus, to finish the proof we must establish

/ Spec \ I t lArq^(fRunrol n( : t)) I + nrq,, I n d,Line,o \n -(rlLineio (0 < / < r)) / forallz€4. suffices

/ Spec ^(fRunrolnl:r)) \

I n1I""q I n dLineio \n -( dLinclo

(0

I

< I < r)) /

*,.n

I

To prove this for an interval [0,b], we partition the processes into two gro.rp, u..ording to whether they have used the processol in their last unfinished period in [0, b]. To express this precisely, let a< and a;' be two sets such that

:

Q.<

l) a;., (t<

) a> -

(rrue -

0

llV,... Run,l)<+ ("

\v

in

(a, b)

lYrtt'lll,.:L-,,,il [v,,". nun,11) (true- ||V*.o, Runpl

[Vr,".

Run;l)r/

to split the proof into three cases. Case 2a: The interva,l

10,

bl satisfier

[Vi.o. Run7l

.

Since

t.:0 => A /R""i : j€a<

to prove

foralliea.

e.

liRunyol

p7o has no deadline

We use DC24, i.e.

,Req, holds on

it

and

0

lfRuni"l

According to Lemma 4'I4,

Qoll),

85

(b' e]

Req

If we can prove that

Theorem

we can establish

l(.lTjl .c j

Aj.o= req, by Lemma

,

4.13.

Case 2b: The interval satisfies true ^ [f[i.o -Runnl ^ llVr.,. Run7l. In the diagram below, we know that c must be smaller than or equal to o and, furthermore, we have exploited the fact that if the requirement Req holds on an interval ([0,o]), then Req holds on all prefix intervals also (i.e.

for

10,

d] in the diagram).

Req

[f[o.o

llVi.". Runil

-Runil

0d,cb

and, for the interval [0, b], we have the following:

1. For j € a<; JRmi < V.lri) ' Ci. 2. For k e a;.: JRtt* > Ll'11:k) ' Ch. Since

JRrr, >L(.lrn)'Cp

*

reqi,

we onlv ncc<.I t
./ll

rrrr,,,, ll f'l't,,1

'(

1

t,,

On an interval where no process is running, no process can have (by Sch) a rcqrrcst standing, and we can use Lemma 4.7 to show that

[

i(

./1t,,',,

: llltt'i].Oi

rr

lrolrls rrn l0,r'1. Wc

r';r,rr

rrsl,;rlrlisl'

Ai,,,.

rt.q.,

lw l,rrrrrrrrir,4.lii.

4. Deadline-Driven

4.2 Liv and Layland's

Scheduler

Case 2c: The interval satisfies true

^ liVo.o, Runel ^ llViu.. Runil '

In the diagram below, we know that c must be smaller than or equal to a and therefore Req holds on [0,c].

[V*..,

87

c where any pj is more urgent than any px.Tn this neighborhood pi has no request standing, because processes from o;, are running in that neighborhood.

Using Lemma 4.7, we obtain the result that

/\ ,l'R"", : lllTj].Cj

IVi.o. Run;l

Runpl

Theorem

j€t3

holds on [0, c], and, furthermore, by Lemrna 4.13, that req, holdson [0, b] for

alljeB.

Req

A process pr where i ( B has no deadline in (c,b]. Since Reqn holds on c], we have, by Lemma 4.6, the result that Reqo holds on [0, b] also. [0,

We have lhe following:

1. A process prr, k e a;,, has no deadline in [c,b], as ./Runp > l(.lTk) .Ck holds on [0, b] and pp is not running in fc, b]. 2. If a process pi, for j € a<, has no deadline in (c, b], then we have the situation

pi

has no deadline

fRr': > l(.lrj)'C j

in

(c,

b]

[-Runil

.fRmi < V.lrj)'C

j

where we have exploited the fact that /?eq holds on l0,c]. We have that ll-Runil holds on [c,b], becauseif pi were running somewhere in [c,b] then ./Run7 > LllTil' C7 would hold on [0, b], as l!'lT1) does not change

in

(c, bl.

Let B : {i e *t I pi has a deadline in (c, b]}. By 2. above, o.ly pto""sses pj, with j € B, can be running in [c,b], and we have the situation

llVr.o'

Run7,l

IIV:.8 Runil

0dcb A*eo,,ie a (true A769 (t.,te

^ fiUteiol ^ [-Stdjl

) )

ir rlrrnrllirrt'irr (r',[] , wlrik'rro l)r(]('('r{r{ I)At A: ( (t , lrir,s 1. r[,ir,rllirrc irr lr,,/r], llcrrcr', l)y l,('tuurrl ,[], I'lrlrl is rr h'f'|, trliplltlrnrltoorl ol'

Ev
f

//,

1rrrs

The proof is thereby

completed.

n

5. Relative Completeness

In this chapter, we consider the question of whether there is a proof for every valid formula of DC, i.e. whether the proof system of DC is complete. when using DC formulas in specifications, we want /s to be the integral of a Boolean-valued function. Therefore, to show the completeness of DC, it must be shown that the axioms DCA1 DCA6, together with the rules IR1 and IR2 and the axioms and rules of IL, are enough to ensure that temporal variables of the form /,S are definable by integrals. In so doing, functions and constants, e.g. f and 0, must be interpreted as real functions and constants, and the chop modality ^ occurring in the axioms must be interpreted as a modality that chops intervals of real numbers. Since we shall avoid the issue of formalization of real arithmetic in this book, the completeness result for DC presented here is a relatiue-completeness result, where valid IL formulas (with respect to a model based on real numbers) are taken as provable formulas. To formalize this notion, let TL be the set of all valid IL formuras, and we define Tf'a" to be the set of all DC instances of formulas of TL, i.e. a formula gac €TLa. is obtained from a formula ,g e TL as follows: let o1 , ...,r.tnbe the temporal variables occurring in rp; then 94" is obtained by replacing every occurrence of r-'1 with [56, for some state expression Si and for 1 { ,i 4 n. Each formula 96" is a valid DC formula, since ip is a valid IL formula, and we shall take I.La" as the provable formula set of DC provided by IL. The theorem of relative completeness is that

p/implies TLa"lg, for every formula / of DC. we first sketch the main ideas behind the proof of this theorem. The proof then follows.

5.1 Ideas Behind the Proof l'irr rrvcrv va,lirl l)Cj [irrrrnrlir, /, i.c. l- ry', wc rrurst slxrw l,h
rltrrlttr:t,iorr'1.t.,1,. 1

90

5. Relative

5.2 Proof of Relative

ComPleteness

the axioms of DC together with DC1 and DC2, but not the induction rules IR1 and IR2. This deduction of ILa, I S can be considered to be an IL deduction:

ILa", DCRI

rf

,

where DCR denotes the infinite set of all instances of DCA1 DCA6, DC1 and DC2, and temporal variables have the form of durations' However, for the given @, we construct an IL formula, H4,havrn$1')1,u2, ' ' ' as temporal variables, with the property that a deduction

ILa", DCR

I

'11t

= {up1:0} ? 172 {u11: l.}

IL deduction

Oh itr

'11+

IL I nHo +

dn

.

The main part of the proof is to show thai JH6 + $7 is a valid IL formula, i.e. an elernent of IL, if @ is a valid DC formula' Therefore, if ts d, we have the result that (nH4 + dn) €IL, andthat the DC formula JH + /, obtained from tr114 + dn by "properly" replacing temporal variables uz with durations /,54, is a member of ILa"'Thts,

TLa"l sH + 6.

115

=

r

.\.

[irr' ,5

;

{(Yr)(Vs)(((t'gs1

where we define We define

[ups1-11

by

?rl,s1v,s2l

:

*

r) ^(?,tsl

(tr1s1

I [Sr], [Sr] € S=]

o1^s,nszl

:

a)) =+ (rtsl

: r + y)) | l,Sl e S=},

(true^[u1_s1.Tl) | [s] e ([u1-s1-11^true) | [S] e

:

()

A(l>

,

S=], S=],

0).

o H4 to be the conjunction of all the IL formulas in 111 to Hz, and t $1 to be the IL formula obtained from / by replacing each /S by ,u1s1. The definition and lemmas below are convenient for use in the completeness proof.

J,V,lb,e)l =H,

5

as foll
,S ++ ,cit i,rr, ,,t.ntTtrts/,l,itrrt'rt'l

ltxfit' |

if for

,

any subinterval

semantics of IL.

Let an arbitrary duration calculus formula / be given. We now construct the IL formula H p. Let Pt , . . . , P1 be the state va,riables occurring in /, and let 5 be the set ofstate expressions which can be gcncrated from these I state variables.

SI

{uW,) + ?,[s,]

Definition. We cail a triple (J,V,[b,e)) at H-tri,ple tf

5.2 Proof of Relative Completeness

{,S' €

:

?

= {[f l v (true^lfu1s1-11)V ^true)v 11r = {pl v (lfu1s1'11

i.e.

[^9]

,

Ha

The formula 11 is a conjunction of a finite number of instances of DC axioms and Dc1 and Dc2, and a deduction of TLa. I / is then easily achieved.

We consider equivalelrce clilsstrs of

,

'tfi={uysl>0llsl €5=},

where @;, is obtained from @ by "properly" replacing durations /Si with temporal variables o1, and the formula 114 provides a finite encoding in IL of an essential part of DCR. Using the deducticln theorem of IL, we have the result that

H4l

be the set of equivalence classes:

The size k of 5= is the number of Boolean functions in / variables , i.e. k : 22' . We select k temporal variables ,ut,...,u6 and put them in one-to-one correspondence with the equivalence classes. We can therefore index the selected temporal variables with equivalence classes. For the axioms DCA1 * DCA5 and for the two theorems DC1 and DC2. we construct seven finite sets of IL formulas:

TL,H4l $1,

TL,

91

s=={[s] lses].

rb

can be constructed from an

5;

Furthermore, let

Completeness

,

[c,

fl

of [b,e]: J,V,[",d]

IVotation: When an interpretation present context, we write pfor !/(u).

Lemma 5.1

G,iuen an H-tri12l,e

F

[f to temporal variables

(J,V,lb,e]),

then

- r:)* * 121_s1lc,Q, (i,'i) 0 S :p1s1k:,ll { tl, r:, (t)

,u;51[c,

(riil)

r1,s,11r,, r/J

(iu) il

d]

=

(rl

S

t)1,s,v,s,,1[r., 14

'r,1.s1[1,,,,1

fin'tr,rt,11 ,\',,5't ,,5'..,

(,,

lt),

,

t,lt,t:,rt,

114 according

rr1,slfr,rl]

- ll, - r.),

r .\ arrrl rt,rt41 nr,lt'i,rt,l,t,rtuill',tll utlt4rl,

to the

is given in the

5. Relative

5.2 Proof of Relative

ComPleteness

Proof. (i,) and (?i) are trivial, and (zu) can be proved through ?15' We give

t""rT":"t:?'irilfl?

is a tautologv, we have rrom']7zthe result that

ugllc,d) -- ((1- c)

"l: u;-srv(s1vs,)l[c,

d]

.

From 11a, we have

so we have an infinite collection of open intervals covering the crosed and bounded interval [b,e]. Then, by the Heine-Borel theorern, there is a finite sub-collection C : {1t,...,1^} of the open intervals covering [b,e], where any | (1 < i < has the property (5.1), (5.2) or (5.3). ^)out the following steps we now carry in order to find the finite partition.

Step 1: Select the open interval

J ,V,[b,bi]

Using (?) and'112, we obtain

-

c)

?1s,1[c, d]

-

*

u1s,vs,J 1",'lf

:

(d

-

")

*

9l-s' n(s'v s,yl"'

d)

1

'aq,u

s,llc, dl

since t';-srur(srvs:)l [c,,r]

> 0 by

n

?72'

that

4.

f

:b


lfo1s1ll

or J,V,lto-r,ii] [

e, there are (by

b
land)

It.r.[r.t"] !

lful-s1-ll

I

'lla and'Hr) t' pq

s-11

or J-v-U.t"); flul is an open interval (f',f") covering f, [u1s,-ll

lfu1s1-|l

or

s1-11

l

and

f"

such that

{l,V,lb,t")=

lful-q-ll

f

lfogslll

or J,V,lt',el p

rrrv
|,

arrrl

[op-.s1-11

'

(53)

lt > t'.'l'lrrrs, t,ltcttr is ittt optrtt irrl,rrlv;rl (l/, i/') l,lrc clost'tl iill,t'r'v;rl ll"r'l lr;rs llrr';t,lrrtvt'ptttpt'tlv (5.;t)'

We can select an a,rJlitra,ry

?

lfup-s1-11

.

I

lft'1q-ll and ./,V,lm,,bil

I

[u1-s1-11,

,

J,V,lbr.,m]l [ut-"tl and !/,V,lm,bi] p { m z-bi.

[u1s11,

Repeat step 2 until a partition of [b, e] is achieved. This terminates, since there is only a finite number of open intervals in C. n

Lemma 5.3 An H -triple (J,V,[b,e]), where b < e,,induces a DC,interpretat'ion I such that for euery S e S and t e lb,e),

_ ,, ,t t € lti 1,t) *r \" ^q-{/) ' [| 0, ,/ t e lti-1,t1)

J

(5.2 )

'

J,V,[b7,m]

forsomern:bi{mIb11

(5-1)

We can select an arbitrary | < b. Thus, there is an open interval (it,l") covering b. and the closed interval [b.t"] has the above property (j'2)' ( Similarly, for e, there is,by 176, a l' such that b l/ < e and

J,v,lt',el

or .f ,)),lb,bol

,

and the closed interval Thus, there above ProPertY (5.1). [l', ' t"] has the Fo, the left end point b, there is,by 117, a f/r such that b
J,v,lb,t"l $

lfo1s1-ll

for some ,m : bi

for i, = I,. . .,tu. Proof. For any

f

J,V,[bn,bi]F firtql , 2. J,v,lbo,bil I lfup_s1-ll , 3.

J,V,lti-t,ti] [

b. Then the

7.

,

Lemrna 5.2 Gi,uen an arbi'trary H -tri'ple (J ,V ,lb, e)) , where b < e, then f or : any S e S, there i's a fi'ni,te partition b : to I h I "' I tn e of lb'el such' e'ither

Ii - (ot,b) from C covering

Step 2: Stop if bt : Otherwise, b6 I e. Select an open interval Ii : Qti,bi) ". from C covering ba. Since bi { e, the closed interval lb.;,bi] will (by (5.1) and (iu) of Lemma 5.1) satisfy one of

'

which gives u;s,1[c, d]

93

closed interval [b,b,] satisfies (5.2):

q-s,1[c,d] *tr;s,vsz1 1",4:?l-s,v(,s,vs,;1 [c,d1 +91-s,,r1.s1vs2;1 [c'dJ '

(.d,

Completeness

b:

( tr (

and, and,

J,V,fti_t,r6] ! J,V,lt,i,_r,t;] I

lftrlsl-ll

[ol_s1]l,

t, - e i,s a part'ition of lb,e] sati,sfyi,ng J,V,[t;t,ti] ! lftrpsll or J,V,ltr-r,fn] F firt-ql

where

fo

.. . 4

,

fori,:7,...,1t. Proof. Define an interpretation 7 as follows. For any state variable e / S t € Time, let Qt(t) :0. Furthermore, for any state variable P € ,5, let b : to 1 tt .--'.. I t,,, :e bc a partition of [b,e] for P given by Lemma 5.2. and

5. Relative

5.2 Proof of Relative Completeness

ComPleteness

Using the definition of lfups,vs,,11, we have the result that

We define

( t, tf tn-,'. 1t :-tiand !/,l,lttt,ti] P.(t\=1^'U, .' otnerwlse.

I

lfu;r1'll for

\1i1n'

J,Y,lk-t, ti] f

I

For case (zi), we must prove that J,V,[to_r,ti]

Each such function has only a finite number of discontinuity points in any interval, so 7 is indeed an interpretation in DC. we prove the remaining parts of the lemma by structural induction on ,5. Assume S e 5. The cases where ,9 is 0, 1 or P are trivial, so consider the

following

cases:

Case: S has the

It

follows fromHq that u;s,vsr,, 0i-1s,vs,,;1

Si(t)' Consider an arbitrary t (b
If J,V,ltrr,ti) F llrt-",t], then si(l) But then (-S')z(t) : 1 as required.

0 by the induction hypothesis.

S'V,5". We combine the two partitions of fb,e], for S'and 'S", given by the induction hypothesis to obtain a finite partition b : to ( Ji ( "' I tn : s, one of the four formulas [r.'1s,1-11 n [u;s,,1-ll. [fu1-s'1-ll n lf'u1-s''1-11, *h"re ""a.1ly or [u1-s,1ll n lf'u1s,,1-ll will hold in each section lk-t,tt]' [tr1s,1-11 n lfup-s,,1'll, 'Therefore, using the"induction'hypotheses for ,5' and S", each section lk-t,til of the partition will fulfill one of the following cases:

J,V,lti-r, tll I

- t;t

and

Si(l) : Si(t):

1,

i'e' ('5'v S")7(t) :

1'

forfz-r 1t1tt. (:ii) ?[-s,] = ?;-s,,1 : tt-k-r and Si(t) : Si(t):0, i.e' (S'vS")7(t) :0, for/i-1 (f (t1. g, 1'"' liii) u15,1 - ti - t;t, !!l-s,,1 - tt. - ti r, SL(t) : 1 and Sf(f) : (S' VS";7(f) = l. for l; t I t I I i' (iu) ut-s,t - ti - ti-1, uysrrl - tt - ti 1, SL(t) : 0 and Sl(t) : l' i'e' (S'VS")z(/): l. for /i-r ( I 1ti. For case (z), we must prove that

J,V,lti-r)tif F

[fu1s'vs"1-Tl

'

u1s,1ltr t,tr.7

Therefore, by Lemma 5.1,

0(?[s,vs,,] lti-r,tl 1t,i-t,i,-t

J,V,lt,-t,fl] I

so it f
0(rr1,s,ns,,1[f,-r,tt.)1t'i,-ti,'t,

J,V,ltr_r,t;] |

[f,u1s,vs,,1-ll

t6

-

[fo1s,vs,,1l. Since, by

,

ti_1, i.e.

.

For case (ztr), the proof is similar to that for the case (zzz).

fl

Lemma 5.4 For a giuen H-tri,ple (J,V,[b,e]), let T. be an interpretation giuerr, by Lemma 5.3. Then for euery S eS and'interuallc,QClb,e], T[[S\[c, d] : 721s11c, dl . Proof. Suppose c: d. Then Tffjsllc,d] :0, and oJql",4:0, since we have from Lemma 5.1 the result that 0 ( qlfl[", 4 < d * ,. Now suppose that c < d. Since (J ,V,lb, e]) is an /J-triple, so is (/, V ,lr, rI). Let c: t0 I t1 pretation T given by Lemma 5.3 satisfies the condition that for t €fc,d), ,s_r r\t ut\L

:- ! 1, tt t e [ti_1, ti) and J ,V,lt;t,ti] ! \ o, if t e lti_1, l1) and J,V,ltu_r,r1] I

[t

1s1-ll

[t'i_s1"11.

Thus,

f,' ,sr\) clt : u61[ttt,td, fot

arr
.

4 u1s,v5,,1[k-t,tr) { ti - ti*1

it follows that u1s,vs,, 1lk-r,tt) -

From

Lemma 5.1,

[o1-1s,rrs,';1-ll

For case (iii),we must prove that Lemma 5.1, we have

Case: S has the form

t2ls,l:9-1s,,1: tt

lt*t,ttl:

1[k_t,tt):0. t'i - tt-t

and, hence,

--,5r 9,S/.

(i)

lfol_1s,vs,,)l-ll. From

ups,vs,'1[fr-r,to] ) 0 and o;s,ns,,1[h-t,ti)> 0 uys1lh-r,1,;] : 0 and o1s,,1lt,;-1,t1] : Q.

form -S'.

Letb:to,-1,l

I

Lemma 5.1,

the induction hypothesis. This can also be regarded as a partition for -,5', as

.

[tr1s,vs,,1-ll

i, '/

:

7,.

[,/,5'l|

..

,n,, arrd by 715,

lr,,,t1

--

.l,t,S

r

(t),tt = itrls1 [rr- r, r,:] :,ir1s1 [r:, r4 . it

t'l

96

5.2 Proof of Relative

5. Relative Completeness Let dn be the IL formula obtained from

of /,S in t' with

/

by replacing every occurrence

Lemrna 5.5

means the validity of (nHa) + dn in IL. We first prove that I { implies F (nIlo)

* (aHi )

+

(|Hil + =

dh

dr,. Suppose that

Qn,

f

d]

:

Since "7,V,lb,el

*6-

u6{c,4-

V

Qn, we have the result

To prove the other direction, i.e. that

I

tha| r,V,lb,e]

(n11p)

+

@7,

f

implies

@,

and hence

I

@, suppose

trd, Dc interpretation z, value assignment v and interval such that L,V,lb,")V O. Let us construct an IL interpretation "7:

i.e. there are a u;s1lc, d1

:

[b, e]

TWSlLc. d)

:.[:sr$)dt

.

for all ,S e 5 and any interval [c, d]. By construction, we have from T,V,lb,"]F

J,v.lb.,ll*

4t

the result that

on

and, from Theorem 3.2 (soundness),

J,V,lb,ellrHo.

So

P (nHa)

+

4n'

n

The relative-completeness theorem can now be proved.

Theorem 5.1 (Relati'ue completeness) For euery formula $ of DC,

TLd"lO.

l$

impli,es

TLa"

I ttH =+ O

Prool. Suppose ! 4. By Lemma 5.5, we obtain ? (aHil + dn'Let fI be obtained from H6 by replacing each u1s1 by /S. Then (n11 '+ il e TLa" and .

We have the result lhat

H is a conjunction of a finite mrmber of insta,rtccs of

DC axioms and DC1 and DC2, and, bv PL and IL4,

w
F NH.

A rlrrrlrtr:l,iorr

ril"1 f.,t,.

I

ry'

[irlktws lrv

rr,1rplyitt1"';

Ml',

Remark.

conducting proofs.

dn. By Lemma 5.4, i.e. there is an //-tripl e (J,V, [b, e] ) such that !1, V, lb, el S and for any S e 7 such that interpretation there is a DC [c,d)C[b,e),

I[[Sllc,

97

1. Note that the relative-completeness result was achieved using the theorems DC1 and DC2 instead of the two induction rules IRl and IR2. It is, however, convenient to have the two induction rules available when

ugs1.

itr F(nno) +dn. =d Proqf. Note that $ / means the validity of $ in DC, and

Completeness

ll

2. Reference [38] presents another completeness result of DC. It replaces IR1 and IR2 by an c,.'-rule to axiomatize the finite variability of states, and proves the completeness of the revised DC for an abstract domai,n. See Sect. 11.5 for more explanation of this completeness. tr

6. Decidability

In this chapter we consider a subset of formulas of DC for which the satisfiability of a formula is decidable. Since a formula / is valid iff the formula -d is not satisfiable, we can decide whether a formula in the subset is valid as well. The decidability results presented here are based on [167]. We investigate now the set RDC (resfticted duration calculus) of formulas generated by f . if ^9 is a state expression, then [Sl e RDC, and 2. lf 4,(t e RDC, then -d, OV $,4^$ e RDC. We first present a discrete-tizne interpretation of RDC together with decidability results for the satisfiability of formulas for discrete time. It is also shown that RDC is expressive enough to formalize an interesting case study

under the discrete-time interpretation. We then present a decidability result for RDC with regard to contimrous time, which involves more complication.

6.1 Discrete-Time Duration Calculus What shall we consider to be a discrete-time duration calculus? Even when the set of natural numbers N : {0, 1,2,. . .} is chosen as the discrete structure of the time, questions remain concerning restrictions on interpretations, intervals, and the truth of formulas. First of all,.we require, for every interpretation

T:

SVar -+ (llime -+ {0,1})

,

that the set of discontinuity points of each Pt (P € SVar) must be a subset of N. An irrterpretation satisfying this property is called a discrete interpretati,on. [,ik
only discrete i,nteruals

lb.r'l c llrrl,v.

wlrclr'/r,r'(

N.

l,'irr;rllv, lirl ir llivur /i/)(.'lirlrrrrrlir ,y', wc corrsirlt'r'i1,s Irul,lr vir,lrrc liu itrl.r,t v;rls lrtrrI tlislt'r'1,r, itrlr,t 1rtll;rl,iotrs otrly.


100

As a consequence of this, the definition of chop (d^rh) is different from that given in chap. 2 for continuous time. Assuming thal T is a discrete interpretation and [b, e] is a discrete interval, we define ( T.lb. mlL- 4, and T.frt.el I tr. \ L.lb.ell a- 'b itr m *h"r" m e NJ ro-" elb."] lfor Here we leave out value assignments (v) from the definition, since we have no global variables in formulas of RDC. The other semantic clauses are not given, as they remain as they were in Chap. 3. However, from the semantics, we can derive T.,lb,e)

F [Sl

itr (e - b) > 0 and for any t, b I t I e arLd t /N: /[.9](t) : f. Ln RDC formula Q is uali'd for d'iscrete time Itr I,lb,el I @ for every

discrete interpretationT and every discrete interval lb,e], and $is satisfi,able for d,'iscrete time rfi T,lb,e) I @ for some discrete interpretation 7 and some discrete interval fb, e].

6.1.1 Discrete Tirne Versus Continuous Time One can ask the question of what difference it makes to consider a discretetime domain instead of a continuous-time dornain. For discrete time, we can define l: I in RDC as follows:

|

6.1 Discrete-Time Duration

6. Decidability

: t ? lf1-Jl -([1] ^[1]). ^

We can do this since I : 1 is the unit of time in the discrete-time domain; it is not a time point, and cannclt be divided further into smaller time periods either. However, I : 1 cannot be defined in continuous-time RDC where I is syntactically excluded, as we shall prove in Sect. 6.2 that continuous-time RDC is decidable, whereas continuous-time RDC extended with I : 1 is undecidable, as we shall see in Sect. 7.2. There are also formulas of RDC which are valid for continuous tirne, but no{ valid for discrete 1ime. e.g.

llsl + (llsl ^[sl). This formula is not true for a rliscrete interpretation ovel a rrnit interval, where S has value 1 throughout the interval. In the following sections we shall present algorithms to identify tlte forrnulas of R.DC which are valid for discrete time and ihc, R,Dc forrnula,s whir:h are valid for continuous tirrc, sinr:c the vzrlidil,ics of fottnttlas ttt .R,DC a.r<'. decidable for both rlisr:r'
Calculus

101

6.1.2 Expressiveness of Discrete-Tirne RDC From the proof of the decidability result for discrete-time RDC given in Sect. 6.2, it is not difficult to conclude that discrete-time RDC has the same expressiveness as a formulation in terms of simple timed automata, where each transition takes place at a discrete time point and consumes one time unit. This generalizes to the case where the time consumed by a transition is within specified upper and lower bounds, including infinity and zero. This generalization follows from the following equivalences, which imply that 0 < fP n.fp
[:0

<+

fe:o

<+

-lill

[-Pl Y l!:0 (+ llll -([1] ^ llll ) ^

(,:l

:t e (lp:o)^([l)l t:\^(lp :o) ^ ,fP : tt+1 <+ Up : k)- (lp :r) <+ UP: k)^true IP > k lP>k +, UP >k)^-(lP:k) a+ -(.fP > k) fP S t' ,l'P
where k € N and true can be defined, say, as

lllll

V

-

[1-|.

Remark. Of the above definitions, only the first two are correct for continuoustime R.DC, but the rest of them are not. The expressiveness of continuoustime RDC is, unfortunately, equivalent to that of untimed automata. See the proof in Sect. 6.3 for details. Regarding the gas burner example, it is obvious that the two design decisions (Des1 and Des2) can be expressed in discrete-time RDC. However, the requirement GbReq involves inequalitv between state durations, 20 fLeak

<

!.

.

In the next chapter, it is proved that after [St : /S2 is added to RDC the satisfizr,hility problcm of this extended subset becornes undecidable for both
6.2 Decidability for Discrete

L02 6. Decidability Fortunately, in Sect. 3.5, be refined into

z(1.<30

+

it

was shown

that the requirement GbReq can

where concatenation is defined by:

L1L2

+ D(l < 30 + peak < 1),

for discrete time (see Lemma 3.5), following the decision algorithm developed in the next section.

? {uulu €-L1 and u e L2}.

Since (DNF(S))+ is a regular language, and the family of regular languages is closed under union, complement and concatenation [65], every formula can be denoted by a regular language. More precisely,

r,([sl) : 6.2 Decidability for Discrete Time

L\(il

is nonempty.

Let 5 be the (finite) set of all state variables occurring in alphabet X of the language fi($) is the set

/.

Then the

,b)

Lt(P^rl') :

h(rl'). We define the string 'u : a!...arr € I* to correspond to a discrete interpretationL of Qtf T[a1\(t): l for t € (i-l,i),i € {1,...,,^\r}. (If N : 0, Lr(P)

then o is the empty string which corresponds to any discrete interpretation on the point interval [0,0].)

Lemma 6.1 Let a formula $ e RDC, a di:screte i:nterpreto,ti,onT of $, its correspo'ndi,ng string n : et. . .ay be giuen. Then

t:P(S) of subsets of 5. A letter a € X can denote the state expression (called the basic conjuncf) of S

Arn A

Pea

(rllr(.s))+

: L'(P) o hQh) h(-v) : z.\h(p) h(vv

We show that the satisfiability of a formula O e RDC for discrete time is decidable by defining a regular language 11(/) such that is satisfiable for discrete time Ifr

l1(/) is quite straightforward. Let every letter of I

remains for an arbitrary positive number of time units. Disjunction V is denoted by union, negation - by complement, and chop ^ by concatenat'ion,

which can be expressed in discrete-time RDC. Thus, we can mechanically check the validity of

@

103

correspond to a unit interval. Therefore, the formula [Sl is associated with the positive closure (rl'/F(S))+, which means that the presence of state S

peak<1),

(Des1A Des2)

The definition of

Time

-e,

Q€(S\a)

Z, [0,N]

?

d fo, d'iscrete

time itr u belongs

to Lt(d).

Proof. By induction on the structure of /. The "if" and "only must be proved jointly because of the complement (-) case. Base case:

and,

if"

directions

/ is lfSl.

which asserts that all state variables in a have value one, while those of s not in a have value zero. Flom now on, we shall use a to stand for both a letter of f and the basic conjunct of 5 denoted by that letter. A state expression s of / can be transformed into a disjunctive normal form of state variables of S. Suppose S <+ VLr oi, where n > 0 (when S is 0, n :0). Then ,S can be denoted by a subset of letters of E, {a1,-..,en},

1. "Only if": Suppose [,5] holds on [0,N] for Z. We have ly' ) 0, and for every z € {1,...,N}, Z[Sn(t) : l for t € (i- 1,2). Since u: ar"'aN corresponds toT,for every z € {1,...,,4'/} and I e (i,-l,z), we have the result that T[a1!(t) : t. So rzi e DNf (S) by S <+ Voe ar,,r1s;o. Tlrerefore u e DNF(S)+. That is, o € Ar([Sl).

abbreviated to

2. "If:

Dlff

(.9).

With each formula { we associate a regular language Lt(il e X*, such that 6 holds on a discrete interval lb,el fot a discrete interpretation I itr there is a string u € Lt(/) which corresponds to the interpretatir>t T on for discretc timc iff thc langua,lic fb, e]. Thus, the formula / is satisfiilblc

Q($)

is rtoncrrtptY. Sirr<:
Suppose u € L1(llSl).Then u e ,I'ry(.g)+, and hence l'/ > 0. Sirrcc u corresponds to I, we have T[a,1](t) : 1 for i, e {1,. . . ,l[] and

t e (,i, -1,2). So 7[S](r) : 1 for t € (i -1,2) and i € {7,...,N}, because u,; € DIVF(S) frx r, e {1,...,ly'}. T}rus, we can concludeT,[0,,^/] F [Sl [i:orr

r lro 1,

s
r:


irrit,ion.

104 6. Decidabilitv Indu,ctiue case:

(b

6.2 Decidability for Discrete

is -tb.

1. "Only if":

Suppose -{ holds on [0,]/] forZ. We have the result that'ry' does not hold on [0,]/] for T.By the induction hypothesis, u / h(4'). Therefore u € (t* \ lr(,ry')). Hence u € Lr(-Ib), because we have that

:

([Pl ^[rl)+

Inductiue case: S is rb^p.

1. "Only if": Suppose r/.' ^g holds on [0, ,A/] for Z. We have M € {0, . . . , I'r} such that ql holds on [0,M] for T, and rp holds onlM,l/] for Z. Since u corresponds to I on [0, l/], u7 : at ' ' ' &M corresponds to T on 10, M] and u2 : aM+r '' 'o,1,r corr€sponds to Ixa on [0, N - M], where the definition of Ty1 refers to Lemma 3.1, i.e.

: r[Pl(t+M),

Lt(r/t^g).There must be o1 :

\ t{P}, I i > 1}) : t}. The last equality holds. Therefore, the formula ([P-ll^[pl) + [Pl is valid n for discrete time. Question 2: Is the formula llPl + (liPl ^ [fPl ) valid for discrete time? Again, the alphabet is I : {{P}, {}}. We have itr ttPJ,

(/

&t

vrp). This case is left for those readers who are inter-

ested in the details of the proof.

is obvious that for every string o of length ly' in I* there is an interpretation T of $ such that u corresponds to T and, conversely, for every interpretationl of @ and interval 10, l/] there is a string u of length l[ in f* which corresponds to Z. By Theorem 3.1 and Lemma 6.1, we have:

It

Lemrna 6.2 A formula d e RDC is ular language h(d) is nonempty.

sati:sfi,able

for discrete ti,nr,e i,ff the reg-

Theorern 6.1 The sati,sfi,ability of RDC formulas for discrete t'ime is

dec'id-

able.

We now show how to lurcha,nir:a,ll.y rlr
of

l?,DC [irrrrnrlin

li>2jn(r-

[Pl + (llPl ^lfPl) is valid iff [Pl n -([Pl ^ llPl) is not satisfiable Ifr Lr|lpl)nf,(-ffiPl ^[Pl)) : {} Lr([Pl) n (t. \ 41(llPl ^[Pl])) ffi 11([P-ll) e ar ([Pl ^ llP]l) itr {{P}' l, > 1} q {{P}' I i,>2}. Ifr

"'

aM e 41(r/) and 'uz : aM+t '' 'a.nr € 41 (cp) such that r., : 'u{uz.Then u1 corresponds to Z on [0,M] and o2 tolxa on [0,,V - M]. By the induction hypothesis, f holds on [0,M] for T and tp holds on [0,-Atr - MlforInr.By Lernma 3.1, rp also holds on lM, Nl for Z. Therefore we can conclude fhat $ holds on [0,,n/] for 7.

Inductiue case: $ is

is valid

-((llPl ^ llPll) + [Pl) is not satisfiable iff (llP]l ^ [Pl) n -llPl is not satisfiable iff c1$pl ^ [pl ) n t1(- lf.P-ll) : {}

for any P e SVar. By Lemma 3.1, rp holds on [0, ,A[ - M) for T.p1 . Thercfore, by the induction hypothesis, u1 € h(th) and u2 € L1(9). Thus, u :'uru2 e hQ!)Lz(v) : Lt({t^q). Suppose u €

lfPl

itr

u / Lr(rh). By the induction hypothesis, ry' does not hold on [0,,A/] for Z. Thus -Ty' holds on [0, ]/] for 7.

2. "If:

105

Quest'ion 7: Is the formula (llP-ll^llpl)=+ lfPl valid for discrete time? Since P is the only state variable occurring in the formula, the alpha,bet E {{P}, {i}. We have

Lr(-t): (r* \ t1(?/)). 2. "If : Suppose u € Lr(-1r),i.e.

rM[P\(t)

Time

:

{}

The last inclusion is false, as the letter {P} belongs to {{P}i I , > 1}, but not {{P}t I i, >_ 2} Namely, for a discrete interpretation and a unit interval over which P has value 1 under the interpretation, the truth value of the formula [Pll =+ (llPl ^lfPl) is false. Thus, the formula [Pl + ([Pl ^lfPl) is not valid for discrete time.

to

Using this technique, we can decide that the formula (Des1 A Des2) =+

n(l < 30 + peak < 1)

is valid.

It is, however, more interesting that the phase automatonof a more "realistic" gas burner specification considered in 1127] can be expressed in discreteLi:nr', R.DC a,s wcll. This phase automaton represents an implementation of a sct of rrrryuir
106 6. Decidability

6.3 Decidability for Continuous

4r([Sl) : ('lrF(S))+ Lz(P v ,lt) : Lr(P) tt Lz({) Lz(-p) :8.\Lz(p) Lt(p-'rb) : 1(Lz(w) L"(rl'))

6.3 Decidability for Continuous Time Consider the formula [Pl + (llPl ^[fPl), which is valid for continuous time, but not for discrete time. Recalling the answer to the question of its validity for discrete time given

in Sect. 6.2, we have

[P] + ([Pl ^[Pl) i'valid iff ar([pl) c 41(llPl ^llPl) Because {P} € lt(llP-ll) and {P} / L1(trPl^[Pl), the inclusion property

is not satisfied. In the discrete-time domain, the intuitive interpretation of {P} is that state P lasts for one time unit. However, a letter, say {P}, cannot be interpreted as lasting one time unit in a continuous-time domain. But with a closure property, it is possible to reuse ideas from the discrete-time construction to achieve a decidability result for continuous time. A language ,L over the alphabet X is called contract'ion closed 1f ur,tcnt

€ tr irrrplies

uanu

€

for any u,w € E* and a € f. The language A1([Pl ^ IIPII) - {{P}tli > 2} is not contraction ciosed, since {P}{P} belongs to the language and {P} does not belong to the language.

denote the contraction closure of L, i.e. the smallest contractionclosed set containing I. By a simple construction on finite automata, we can establish the following lemma.

Let

tL

Lernrna 6.3 If

L 'is regular, then so is tL.

A. The transition relation of and any letter n,

A'

rs defined as follows. For any states q and q'

there is a transition from q to q/ on

o"

q1

11

:

Qrt

Qn:

to q,+r on n, in A, for 1 f i

I

q/ and

n,.

Orr l,lrc llasis of Irolnrnil (i.l], wc (fir]l now corrsl,t'ucl ir tr'llttlirt

t lil)(l in;r

lirtrp;ttit,grr

w;rv sitrril;tt

Q

€ RDC, L2(0) is contract'ion

closed.

Proof. We prove the lemma by induction on the structure of /. However, set subtraction does not preserve the contraction closure property. For example, t. \ {o} is not contraction closed for any a of E. We therefore introduce the auxiliary notions of erpans'ion closed and fully closed. A language Z is expansion closed if

uaw € tr implies uaaw €

J*

and a

L,

€ E. tr is fully

closed

if tr is both contraction

and

expansion closed.

It

can easily be proved that (D,nff'(S))+ is fully closed, and the operators { preserve the full-closure property. Thus, Lz(6) is fully closed for

\ any$eRDC. U,

and

tr

L1 and L2 be contraction-closed languages over

Let,

f

and o €

IQrLr).

The following lemma is easily established.

Lemrna 6.5 Ei,ther there are ut € Lr and u2 € L2 such that u :1)1'D2, or there are u1 € L1, uz € Lz and cr, € E su,ch that u : u'rau'2, where u1 : u\o'

-

aut.

/

€ RDC is satisfiable for continuous time Itr Lr(O)

between an interpretation

T and a string u. Since a letter of o no longer

In order to prove that

is not empty, in the continuous-time domain, we introduce the correspondence

represents a unit of time, the correspondence depends on a partition of the interval considered, which is derived from the finite variability of Z. Given a fcirmula Q, a partition of an interpretation T. over an interval [0, e]

b, e N.)

! [.,2Qlt) l\n'rttt iltlrilt;rrily 1,;ivcrr lirlrtrrtl;r ry' 1rlot r,rltrtr, trit',I lirt rlisltr'lc I itttr':

.

is a collection of reals 0 : bo ( br ( "' ( b.nr : e such that Z[P](l) is constant on (b; 1 ,b1) for every state variable P of $. From the assurnption of tlre finitc va,rizr,bility of states, it is obvious that for any d,7 and [0,e] there cxists a, partition. (Notc that in the special case of discrete time we have

in A' ,

if and only if there exist states Q\,...,q, such tlnt there is a transition from

Lemma 6.4 For anE

anrl u2

Proof. Let "4 be a finite autornaton accepting tr. We give here the main ideas behind a construction of an automaton ,4' accepting +L. A' has the same states (including the same initial and final states) and the same alphabet as

L07

We prove in the following lemma that the above regular languages are contra,ction closed.

for any 1))u €

L,

Time

lo lltt'

'l'lrcsl lirrgrr- u,t-.-u,N € J*rrxrcsllortrlstothcrintcrpretalionl on[0,e] wil,lr 1rir,r'l,it,iotr 0 L1y <.b1 <. "'( b1y:r,if 7[rll](f) -1forf € (bi 1,bi) ;rrrrl rl r { 1,. ..,,ry }. ll ,ry 0, llrcrr rr is I'lrc trtttpl'.y sl,r'ittg iuttl r' : ()lly ;rn irrrlrrcl iorr pt ool'orr Llrl sl lrrcltttc ol',y', wc t';tn t'sl ;rlrlislr Ilrtr firllowirrg It,r trtr

lr,

108 6. Decidability

6.4 Complexity, Tools and Other Decidable Subclasses

Lernma 6.6 Let a formula $ e RDC , an interual l},e], an i'nterpretati'on T of $ with partition 0 : bo t h <. "' ( b.rr : e, o'nd cr' corresponding string r) : ar- . . aN be gi,uen. Then T,10, e] O itr u belongs to Lz(d).

=

Proof. We can present a proof similar to that of Lemma 6.1 by induction on the structure of /. The important changes are in the inductive case: @ is ,b -'p.We now present the details of the proof for this case. There must be an m € [0,e] r/ holds on 10, m] for 7 and rp holds on lm,e] fctr T. First, the cases m : 0 and rn: e are straightforward: they can be dealt with by using the induction hypothesis for rp and 'ry', respectively. The case where 0 < 'm < e is divided into two subcases: such that

Subcase: there is an Ai[

€ {1,

such that rn : bru. to that used in Lemma 6.1, we obtain the corresponds t'o T on the interval l0,rn] with

...,

l/}

By applying similar reasoning

ar"'aM partition 0: bo th 1"'.--bnr:mtthe string a1a41 "'o'tr corresponds to I^ onthe interval l},e-m] with partition 0 ( brrz -m 1"'( b,nr -m, and then u e Lz(rl,)Lz(p). Since Lz(rb)Lr(p) e l@z(tb)Lr(p)) by the definition of .f, we have the result that u €IG2(rh)Lr(p)): Lz(rh ^p), and thus the result that the string

proof for this subcase is completed.

M € {1,...,1[] such thatbm_t 1m1b1ya. Then, by the induction hypothesis t Dr : ar'''aM-raM e L2Qlt), because

Subcase: there is an

?,1correSpondstoIon|0,m]withpartition0:bo1bt<...< and u2 : aMaM+r "'a.nr € Lr(p), because u2 corr€sponds to T- on interval [0, e - m) with partition 0 < bnr - m have u1tr2 - a1 "aM-raMar/raM+r"'orr € Lt(rl')Lr(p), and therefore 1) : ar "'aM-raM&M+r " 'o.nr € J @z(t)Lz@)) : Lz({t^p)"If": Suppose u e Lz1b^p) : t@z(t)Lr(p)). By Lemmas 6.4 and 6.5, there are two subcases. First, consider the subcase

't)t:c4'''aM Then,

if

e Lz(b)

we choose 7n

0(br 0 l bxaa1 -

1 "' (

:

?,r

:

1r112)

where

andu2:aM+r '''arr € Lr(p).

bM, u1 corr€sponds to

*

:

Z on [0,m] with partition

- rn. By the induction hypothesis and Lemma 3.1, ql holds on [O,rn] for T, and p holds on [m, e) for I, so {^p holds ori 10, el for L. Second, consider the subcase p : 71tr71,7r4p!r, wltara 'tt1

;t,ttrl tr2

m,

b,nr

trL

e

- 'tt\(t'1,1 = 11', "'tt X1 (:, ["2(tft) : (t Ittllt (t t(t,It I t " ' rr,,ry [ (i'' (rt') 1

we now choose m: (btr-r +bM)12, u1 corresponds to Z on [0,rn] with partition 0 < br with partition 0 < bur -m, hypothesis and Lemma 3.1, ry' holds on [0,m] forZ and cp holds on lTn,e] for n I, so tfi ^rp holds on 10, e] for Z.

If

It is trivial to show that for any string u of length ly', given an interval partition of [0, e] with l/ sections, there is an interpretation Z such that u corresponds to I on [0, e] with the given partition. Conversely, for any 10,

Lei6berb^p: "Only if": Suppose r!^gholds on [0,e] forZ.

.

109

e] and a

interpretation 7, given an interval [0,e] and a partition of [0,e], there is a unique corresponding string u € t* . Hence, by Lemma 6.6 and Theorem 3.1, we can prove:

Lernrna 6.7 A formula 6 e RDC language L2(Q) is not emptE. Since

42(/) is a regular

i,s sati,sfiable

for

con,tinuous ttme i,ff the

language, we have:

Theorem 6.2 The sati,sfi,abili,ty of RDC

form,u,lo,s

for

conti,nuou,s t'im,e 'is

decidable.

6.4 Complexity, Tools and Other Decidable Subclasses The efficiency of the above decision procedure depends not only on the decision algorithm for the emptiness problem of a regular language, but also on the constructions of the regular language. trach negation occurring in the formula may cause an exponent expansion of the construction. The authors ofl7a2l have proved that the complexity ofthis decision procedure is nonelementary. So the worst case is very poclr indeed.

In [142], the decision procedure was implemented and used to prove the correctness of Fischer's mutual exclusion protocol. The results were not too bad. It took, for example, approximately 12 minutes to verify a formula consisting of 3775 characters on a DECStation 5000-240 with 128 MB of memory. The proof assistant tool for DC described in [1a3] also supports the use of this decision procedure. In the literature, the decidability issue of DC has been investigated further. In [105], after quantifications over states are introduced into.RDC (the result is called qualified discrete-time duration calculus, QDDC, in [103]), the satisfiability of formulas is still decidable. This decision algorithm was implcrnontc
110 6. Decidabilitv that the number of discontinuous points of any state in any unit interval has

7. Undecidability

a fixed upper bound.

In [41], a decidability result was presented for a variant of DC where negation is removed from RDC but an iteration operator is introduced together with the inequalities !. ) k and l. 4 k, whete k e N. In [104], CTL. ([29]) was extended with QDDC, and it was shown how the extension could be reduced to CTL*. On the basis of this reduction, another model-checking tool, CTLDC, was implemented. In 113, 106], the digitization of the validity problem of DC formulas and its reduction to QDDC were investigated, and results were obtained concerning how to check the validity of DC formulas (for continuous time) by using DCVALID.

All the disappointing news

comes in this chapter: even for a very restricted subset of DC formulas, it is undecidable whether a formula in the subset is satisfiable. The general technique used to show these results is to reduce the halting problem of a two-counter rnachine to the satisfiability of formulas belonging to the subset under consideration. The main results are taken frqm [167].

7.1 Extensions of RDC Below we define three different extensions of RDC, cal\ed RDCr(r), RDCz and RDC3. The extensions seem small, but in later sections we shall establish undecidability results (of satisfiability and validity problems) for each of the corresponding subsets. Hence, each of these extensions marks a border between decidability and undecidability.

7.1.1 RDCl(r) In this extension, we add to RDC the atomic formula

!.:r, r is a real number. Hence, the set of formulas RDC1 (r), where the subset of DC generated as follows: where

r € IR is a fixed constant,

is

1. the formula l: r belongs to RDCl(r), 2. if S is a state expression, then lfSl belongs to RDCl(r), and 3. if (b irrrd'/ bclong,to R,DC1(r), then so do -d, Ov 1b, and $-t1,.

r

na,trrr:ill urrrnll<:r, we have previously seen from Sects. 6.1.2 lilr
is

a,

irrr
7I2

7.1 Extensions of

7. Undecidabilitv

RDC1(O) is decidable for continuous time. If r ( 0 \hen (.: r is false, which is expressible in RDC as well. Therefore, the continuous-time domain and r ) 0 are assumed in the undecidability proof for RDCl(r) given in Sect 7.2. This undecidability result illustrates the strength of imposing the precision | : r on the length of an interval for continuous time.

7.1.2 RDC2 In this extension, we allow atomic formulas of the form

T&:

TS2

only, where Sr and ,52 are state expressions. In the case we can still express the formulas of RDC as

fisl <+ (/s : I) ^ -(F : "[o). Hence, the set of formulas RDC 2 is the subset of DC generated as follows: f

. if 51 and Sz are state expressions, then /S1 :

2. it 6 and

/

belong,to RDC2, then so do

-d,

/,92 belon gsto RDC2, and $v (t and rh^rb.

The undecidability results for this case illustrate the strength ofthe notion of duration for both discrete and continuous time.

7.1.3 RDCs In this extension, we add to RDC atomic formulas of the form

r

7.1.4 Two-Counter Machines The main technique used to obtain these undecidability results is to reduce the undecidable halting problem of a counter machine the to satisfiability of formulas belonging to the subsets. In this section, we give a brief and rather informal introduction to two-counter machines. For a more careful treatment, see [11, 65, 96], for example. A. two-counter m,ach'ine has an i'ni'ti,al label q6, two counters Q and c2 which can hold arbitrary natural numbers from N : {0, 1, 2,- - '}, and a finite set of labeled inslruct'ions mi. The only instructions of two-counter machines are to "increase c1 by one" (cf) and "test c1 and decrease it by one if c1 is not zero" (cf ), and similarly for c2. For example, !

Qiicl')Q.i

Qr: ct ) Qj,q*,

which is also an instruction labeled q6. It tests whether the value of c1 is zero; if so, the machine proceeds to the instruction labeled 47; otherwise, the machine decreases c1 by one and proceeds to the instruction labeled qp. A configuration s of a two-counter machine is a triple t: (q,n1,n2) of the current label q and the values IL1,TL2 e N of the two counters c1 &nd c2. The configuration (q,nr,nz) is fi,nal if there is no instruction labeled q in the computati,on ste'p of a two-counter machine, s ::-> s', transforms a nonfinal configuration s into a configuration s' by means of an instruction of the machine as follows (and similarly for c2):

L

,

is a global variable, and we allow quantification over global variables:

lnstruction

Hence, the set of formulas RDC B is the subset of DC generated as follows: f . if S is a state expression, then lf.9l belongs f,o RDC3, 2. if r is a global variable, then !.: r belongs to RDC3, and 3. It d and t! belong to RDC3, then so do -6, Ov $, Q^{ and (1")6,

where

r

is any global variable.

The undecidability results for this case illustrate tlrc strength of cation in an interval klgi<: f
irrrrl

,

is an instruction labeled qi. It increases c1 by one and proceeds to the instruction labeled q7. Another kind of instruction for cr is

F")d.

-)

113

machine.

l::x where

RDC

f)

<1rran1,ifi-

I,irr illl ol l,lrc l,lrrrrc srrlrscl,s, wt'slrir,ll ttst'sl,it,tttlirr
IIrrrrrl O liorrr ll,.

il

A

qici q:ct

_+

q:c1

)

ej -+ qj,

.^f

5-

qk

Qi,qn

(q,nt,nz) :+ (q,o,nz) (q,rrt +7,n2) -4 ---?

D

(rli,nr + I,n2) (ei,o,nz) (qn,u,nz)

com,putati,on of a two-counter machine is a (finite or

infinite) sequence

of armputal,ions (7

:

so.9 I .s2

..'

I

t:tltttllttt'il,l,itlll, s,, =-:) r-, I I lly llt
wllcl'c, lirr irtry s,, itrrrl s,, I I itt

l,lt
LI4

7.2 Undecidability of

7. Undecidability

We call so

:

(q0,0, 0) the 'init'ial configuration, where q6 is the initial label.

A two-counter rnachine starting with the initial configuration halts if all its computations starting with (96, 0, 0) terminate. We shall make use of the fact that the halting problem for a two-counter machine starting with the initial configuration is undecidable [11, p. 78]. This result also holds if we assume that the two-counter machine is determini;st'ic. That, is, every two instructions of the machine are labeled differently, and hence the computation of the machine starting with the initial configuration is determined. This result still holds even if we assume further that the two-counter machine cclntains precisely one final label qpr, i.e. q1n is the only label which no instruction has as its label. In the foliowing, we consider an arbitrary deterministic two-counter machine M with the initial configuration (q6,0,0), where 1. qo,. ..,Qfi, are the labels of M, where q6 is the initial label and qp,

is

the only final label, 2. c1 and c2 are the two counters, and 3. rn1,. . . ,'trlt are the instructions of M.

We reduce the haltirrg problem fctr M to the satisfiability of a formula in RDC1 (r) (for r > 0).The encodingof M uses the following state variables:

r

Qi for each label 91, o two state variables Cr and C2 to represent the counter values, and o two auxiliary state variables B and ,L, used as delimiters. one state variable

Let

lBlctlBl. . .lBlc,lBl

in the follou'ing. The mairr idea is that a machine configuration (rl,nt,n2) is encoded on an interval of length 4r as follows:

I'\2O lVul,l\,/L lVal,l \2 '\"j' TrTr

where val; represents the value of counter c7. This is done so that the rr,th configuratkxr of a cornputaticln ocr:trpies t,hc interval l4nr,4(n * 1)r],'n, ) 0.

,

with rzi sections of C, separated by B. Since this interval is required to have a length r, and since there is no bound on the counter value, the time length of each Ci (and B) section must be arbitrary small. The denseness of the time domain makes this representation possible. This representation was inspired by [3]. The reduction must formalize the computation of M as a formula in RDC1 (r). In particular, we must construct a formula representing the initial configuration and a formula expressing how the (n + 1)th configuration relates to the nth configuration in the computation. To do so, the following alrbreviations of formulas in RDCI (r) are useful: [.il

' :

-ll1l

lll v [tl

l.
r')

^true)

- (l!:r)-(1.:r) t ((:2r) -tlue = -((t - 2r) ^ ((.: t (,1:2r)^(l:2r) - ((.:4r)^((.:r)

[,Sl' ':

Q: {Qo,...,Qn"}

115

The representation, Vah and Val2, of the counter values is the following. Let the value of counter c; be ni ) 0. Then the interval describing Vali has the following form:

true

7.2 Undecidability of RDCl(r)

ADCt(r)

lf.9l

^

(l

r) ^true)

: r)

4*4'a -(d^-(mv,i/)). The formula [f Sl' reads ",9 has value one for a duration of r", and the formula d*',! reads "if the interval starts with @, it must end immediately with [l

or with ty'". The initial configuration is (96,0,0), which is represented by the formula

Initl :

[Qul '' ^

Sl,a,t,c varialll
M'ul,t:t:1

:,

[Bl' ^ [ Ll' - [fBl' ^true

rrurst be rmrtually exclusive:

A t-, llti

A

1'z-Tl

,

l't / IIl

rvlrr,r'r' /'1, /1, r'rrrrl',r' ov|r'

!)

IJ

{('t,

('..,. ll,

l,\.

.

7.2 Undecidability of

116 7. Undecidability certain state expressions have a periodic appearance, since configurations are represented on intervals of length 4r. Lei

Per(fi = n((d

^(t:

ar))

+ (([.: ar)^0D

Machine labels, counter values and the separator tr have a periodic appearance. Let

j

Period'ic

Per(\f n

,nfiQll')

A

Per([Q v Bl')

A

Per([r]l')

A Per([C2

v

Bl')

For each instruction m of M we give a formula F(rn'), encoding the computation steps perforrned by rn. Suppose the machine instruction mis qi,cf -+ 4;. The possible computation steps allowed by m are described by a formula

F(^) -

F1

A F2A F3 A Fa A F5 A F6,

where each 4; is defined below. From the determinism of M, qi is the only label of the succeeding configuration that is reached when m is performed. The formula F1 expresses this:

r' = (llQnl'^(t:

ar)) + ((t,:4r) ^llQil')

The formula f-2 copies the Cr sections to the same place in the next configuration. To encode this process, we use formulas of the form $ "> t!. Here 4! characterizes certain configurations whose label is Q.;, and ry' fixes part of the next configuration. The formula is given by - tnre\ \ / [Crl] "'"n' -[Crl Fzz InO,l'^((
/

\

\

l/

*

(ilcrl -true).

We can copy the B sections before a C1 section in Vah to the same place in the next configuration using the same technique:

/ /[Bl [Crl-rrue\\ n Fr+ {[Q,ll''((
\

\

- -^ ((liQil"-ilBil'^(:4r)) \* (true -(((- r)^(lTBil -lTC' Il

ll

The formulas F+ and F5 increase the value of C1 by replacing thc last B section tf Valy with lBlCl lBl in the next configrtratiort.

)

The formula F5 handles the case nL

\

[B])))/

0:

-'*"))) (t
.

lI7

The formula Jr+ handles the case ??r : 0:

'o

.

RDCt(r)

(true (((: r)

^

([Bl llc,l [Bl

/

Note that the beginnings of successive tr sections are exactly 4r apart, and therefore the length of the lfBl ^pcr-li^[Bl section in the consequent in 'F'5 is precisely as long as the last [fBl section in the antecedent. Thus, Fa A -F5 models the condition that the number of C1 sections is increased by one, as desired. The formula f'6 copies the value of c2 to the next configuration using the same technique as used above:

/

{[q,l''((
\ Fo=n /

-[cz]l

/ [C"l - true\ \

-{

\

n

(:4r

ll-(llGii

Lruc)

//

/ [Bl -rrrre\\ ^(2r<( <Jr)- [Bl { n I I { no,-1' \ \ (:4r //

({lal -rrue).

-

The formula Peri'odic takes care of copying the Z section to the next configuration.

Every instruction rn6 can be encoded as formulas F(^r) by techniques similar to those used above. If this is done" the entire machine is encoded as follows: Machi'ne1

? Muteu A In'it1 A

Pe,iod,ic

n f1 of i-7

1-o;

.

By the construction of the formula Machinel, we know that the computation of M terminates (i.e. the computation is a finite sequence of configurations ending up with a final one) if and only if (Machinel n O[Qn"l) is satisfiable.

Theorerrr 7.1 Tlt,r: sotisfiubi,l,it'y problem of formulas i,n RDCl(r) (r > 0) u,rr,du:i,d,tr,b Lc .fu' utn,ti,rt,rt,otls ti,rn,e.

zs

lltrrt,tu'k:. 'l'lris lcsrrll, rl<'pcrrrls on l,irc a,lrilit,y 1,o
irrl,<,r'v;rls ;rs

lollowr:

7.3 Undecidability of

118 7. Undecidability

l:

r 1 -((1.< r) v (lf1l ^-(l < r)))

expressions:

We reduce the halting problem for M to the satisfiability of a formula in RDC2. We give a reduction which works for both the discrete- and the continuous-time domain. The following state variables are used in this reduction:

1. two state variables Cu+ and C; fot each countet ci,'i : I,2, and 2. state variables Q: {Qo,. . .,Qn,} corresponding to the labels of M. The intension behind using the state variables for counter ci, fori : L,2, is that the value of cl is represented by the value of

Ic; In the reduction, it is only

necessary to

on a suitable interval test whether the value of c; is 0, and this is expressed by the formula

Ic{ : Ico

.

C.f (and C, ), the value of ci can be increased (and Tlre main idea is to encode in RDCz the computation

Hence, using

decreased).

M by a sequence of sections lQEolcolQg rlc'lQE

rlcrl.

of the form

.,

where QEp is a state expression of Q, and C7, is a state expression of

{c{,c{,ct,cz}. If sp :

where Cv describes a possible change of the value of c1 and c2, and C^ actually maintains the value of the counters. Concerning counter values, we introduce the following abbreviations for formrrlas in RDC2:

[s] = (/s:F)^-U0:I)

Incrl Decrl = Incr2 ' Dem2 ? Const ?

(qn,ntr,'np"), then QEu is a state expression representing the label q6, and the values n,k)nk2 of the two counters in the kth configuration are represented by the vaiues of !C{ - [C;, for i : 1,2, ovet the interval covering the sections Co,Ct,Cz,...,Cp. For this idea to work, it mrrst be specifiecl that all sections have the same length and that t,Irc: QE p, art
[C,+ A

-(Ci v C{ v C;)n

llci A-(C1+ v C{ v C;)n [C{ n-(C; v C1+ vCi)l [C; A -(C{ v Cl+ v C1 )l [Cnl

.

The formula 1ncr1 expresses the fact that the value of counter cr is inletting Cr+ be one throughout one section, while the other counter state variables are zero. The formulas Decr1,Incr2, Decr2 have similar explanations. Const is used to keep the counter values constant from one configuration to the next (by increasing [Cd as much as /Cu ). The following abbreviations will also be used for formulas in RDCz: creased by one by

il ' true ' d*,,1' . Js>o

56 51 52 "'

of

cv " cfvcrvC{vC; c^ = cl t c; Aci, AC; Q" = QoV...yQ1n,

7.3 Undecidability of RDCz

(see below).

119

To formalize this idea, we introduce the following abbreviations for state

.

Thus, we cannot achieve a decidable subset by "relaxing the punctuality" ftom l.: r to !. .-r, analogously to the result discussed in [7]. We do not know whether this is possible when I ) r is considered instead of l: r. tr

fcd -

/iDCz

arf zrd Let

.I?

o[sl -[1]l

ffivll1l

-(d^-(lll

reads: "for some prefix interval: reads: "for all prefix intervals:

/"

@"-

ilrrcl S be two exclusive and complete state expressions. Let

l/i l,slnl,sl Irrr ;r

v.t/r))

: @^true ' -(Op(-d)) Rl

(lirril,r'ol irrIirril,rr) so(luon(:c o['ir,lt,
srrr'{,iorrs t'xcr'1r1, k,rr11l,lr.

120 7. Undecidability

7.3 Undecidabilitv of

Below, we construct a formula EqSi'ze(R, S) in RDC 2 which describes the

n

,golcol

'

ffir? <+

-sl v ill)

/

(u)

/(true-([S:.[R>0))\\

+| ((/s

n

ll - J'R > ol ff \ / /(true-t[R-.[S >0))\\ -[s-ll) n + ll -' -il/ | ^trl([sl-il,Bil

^nl([Rl-fisl-llRil) \ \"-'

of the sequence is expanded to

(b)

truel

ilclQ olcf lQ' where only one expansion is possible, owing to the determinism of M. lQ

I

M

.',,) ( l;]t;'' ))l

(c)

G(q1 : cl

-+

qn)

? 'ln',r',rr'

ile"r

are mutually exclusive:

A n-[AA&l Pt#Pz

Muter2?

,

zero. \Me obtain

((*'""t"*;ff,[:"))

sections defined by the formula I

Muterz A EqSize(Qv,

Ct) n Initz A I loG(znr) ,

'

where Init2encodes the initial configuration and ,lf*rlencodes a transition from one configuration to the next caused by the instruction m,;. These formulas are defined below. The initial configuration is (96,0,0):

llQol

-,,r",) i

it'alr.d lor the insl ruction ci -+ qp.qr. of whether the value of counter c1 is

The situation is slight as we must tahe care of

where P1 and P2 range over Q. The computation of M is encoded by a sequence of alternating Q and C

=

Iuil'J.),',,,,'r0", G(q1 : co --r rln,e,)

The formula Init2 tequires that the sequence will start at'Qo, ancl continue with C^. Thts, Init2AEqSize(Qv, Cv) can guarantee that all C sccticins will have the same length, provided C does not appear at the end of tlttl stlqtt
.,,",)

2

^ Const-'true.

The formulas G(rn;) (for ri : 1,...,1), wltit:lt
We

have

\tt1o:-[s>o)^rruel)f

to the labels of

Initz'

qj : c[ --] Q6, w€ must formalize the condition that

"'lQilcl

p,lcol'''

where (a) requires that the state expressions rR and S are complete and mutually exclusive, and (b) and (c) require that the length of each middle section is greater than or equal to the length of its neighboring section. Therefore all the middle sections have the same length. The following property expresses the fact that the states corresponding

Machi'ne2

127

any initial segment

above scquence. EqSize(R, S)

For the instruction

RDCz

11.",,) ( ',111:.:')) (("'""

n: -( /c,F

[C,

,

)

1,hirl, l,lrc rrrtt:otlitrg

(ll:rr

I

)rt'r i)

I

)t'r'r',

ll

(,)u

ll

,

)

122

7.4 Undecidability of .BDC3

7. Undecidability

Tlre first conjunct of G(q1 : cn -+ Qn,Qu) describes the case where the value of counter c.i is zeto) and the second conjunct describes the case of a positive value of counter c;. It can be proved that

if Machine2 n O [Qn"l is satisfiable, then a terof M can be constructed, and vice versa. Thus, the

mirrating computation halting problem for a two-counter machine can be reduced to the satisfiabilitv of formulas in RDCz.

Theorem 7.2 The satisfi,abili,ty problem of formulas for both d'iscrete ti"rne and co'nt'inuous t'im'e.

i,n

RDcz

'is

undecidable

123

where z ranges over real numbers. An instruction ei i .[ + qn transforms configurations as follows:

lQilcl...lc lL'l cl ... lc lL'l n1

-

lQxlclcl.

-.

lc lL'l cl

nr-l-I

. . lc lr,l. n2

Taking into account the determinism of M, we can encode this transformation by means of the formula

H(qi t cf -+

sk)

-

Yn,y, z.

(([QjIl'- llcil, - llz'1" -[cl'- [Lrl'^((:4r t y*z)) \ \+ ttr:3r* a+z) flQi"l"- [Cl'- llc-ll, llZ,li"- [Cl. -[Lrl,))

7.4 Undecidability of RDCB

Vr is the dual of lr and can be expressed in R,DC3, and the for(l :3r i y + z) is an abbreviation of the following formula of RDCy:

where

The halting problem for M can be reduced to the satisfiability of a formula in RDC|. We give a reduction which works for both the discrete- and the

mula

continuous-l ime domain.

ists for

The encodingof hI uses state variables Lt,Lz,C and Qo,...,Q5n,whete tr1 and tr2 delirnit machine configurations, C is used to represent the counter values and the Qs correspond to the labels of the counter machine. All these state variables must be mutually exclusive:

Mu,ters?

A

n-Jf&A&l

Here Q is the label of the configuration of M, n1 is the

r))^([r'l n (!:r))^([rr]l

-\,-

rLI --\-'-

n2

M, these computation

Hkli , ct value of the first

^(t:

z))^true'

ration. We shall 1se th
steps can be encoded

-+ qn,qu) 4

z)) \ [l'1" -[Cl' - ^[Lrl" - -l!:3r*-[Lrn,) -vr'''^ ( (ilQr]':3r I z) fierl, llL,Tl" llCl, \ > ((( ) Yr,y,

z.

( tlQtll" - llcl,

[cl, - [L,l]" {lcl. ILrn, - (:Jr +s + z))\ \+ ttr - 4.r | lt+z)'fl8,[|'- ilCll, llt,l"- [C]l'- lltrll') )

lllrc

^

irrsl,r'rrr:tirin r1i : r:., -+ t11,.,q, calt br: encodcd similarly, and the encod-

irrg of' ,4,/ is givrrrr lry A4tr,t'lt,'irt,t'3 Mul.t,t:11 A lrt,,i,l,,n

/\

it .r'),

n2

as the formula

Each instruc Lion rni of the counter machine is encoded as a formllla H (-,t) R,DCz, which relates a configuration of the machine to the lcxt t:tltlfigtr-

ll,sll)^(/

lQilcl...lc lrrlcl...lc \.-,- lLrl ===a lQ"lcl...lc lLrlcl...lc lLrl. Because of the determinism of

counter c1, &nd nz is the value ofthe second counter cz. The lengtlis ofthe Q, C and I sections must be the same. The initial configuration, (40,0,0), is represented by lQslLllL2l:

(ll ll v

n2

and when the first counter vahre is nonzero,

wlcl. . lc lL'lcl. - - lc lL,l. -,- n2 -- nI

ll,sll'

lQilLrlcl...lc lLrl + lQnlLrlcl...lc lLrl, n2

where Pr and Pz range over {Qo,...,Q5n,C,Ll,L2}. A configuration of the machine is represented by a sequence of sections Q, L and C, ail of the same length:

in

the first counter value is zero,

,

Pt*Pz

Inits-:r.(llQo-ll A((.:

r)^((.: r)''(l: y)^(!,: z). A similar formula of RDCs ex(!: 4r t y -l z). Tlre formula H(qi , -+ qp) can be constructed similarly. An instructiorr qj : ct"[-+ qn, q, transforms configurations as follows. When

(1.: r)-'(l:

I r1t1,,,,1

.

'

124 7. Undecidability The formula M achin4 Ao and hence:

IQ

n"]

is satisfiable if and only if

Theorern 7.3 The satisfi,abi,li,ty problem, of formulas for both d,iscrete time and conti'nuous time'

i,n

M terminates,

8. Model Checking: Linear Duration Invariants

RDcs is undeci'dable

In Chap. 7, it

was proved that the satisfiability (and validity) of simple subclasses of DC formulas is undecidable for both the continuous- and the discrete-time domains. In Chap. 6, decidable subclasses of DC formulas were identified. Some are decidable for both the continuous- and the discrete-time domains, while others are decidable for discrete time only. In the discrete-time domain, interpretations of DC are restricted to those Boolean-valued functions which change their values at integer points only. The research on decidability and undecidability often imposes restriction on syntax and/or on interpretation when exploring this topic. In this chapter, we consider continuous time only, and confine ourselves to interpretations which are generated from a real-ti,me automaton with upperand lower-bound timing constraints on its transitions. F\rrthermore, we syntactically confine ourselves to the subclass of DC formulas which have the

form n

cpin 1l

f",[R<", u'r

)

for 1 1i 1n are real numbers, and fl for 1 ( 'i 1n are state variables. We call a formula of this form a linear durat'i,on inuariant. For example, if we ignore the modality o in GbReq, the simpli,fied requ'irement of the gas burner is a linear duration invariant, since where

c*in, c, and

60<(.

+

ca

2}JLeak<(.

can be reformulated

60
+

as

(20.peak-l)<0

1:

i fNonleak), it can be further reformulated 60
and, by rrsc of

(fi,eak

as

wlrirfi is ir lirurirr rlrrra,l,ion inva,ria,nt with stittc va,r'iablcs Leak and Nonl,eak. (ll,rrtrrrrrrrlrrrr l,lrirl, Norrl,tr;1,11

'l'lrir rk'r'irk'

6

.l,cir,l<.)

clrn,pl,r'r' givcs ;r, posil,ivc ilnsw(rr l,o l,lrc rlrcsl,iorr ol' wlrcl,lr
/]

L26

8.1 Example

B. Model Checking: Linear Duration lnva.riants

127

for 1 ( ,i 1n as its states satisfies a linear duration invariant, and describes how this can be done. An algorithm is pr.esented in this chapter which reduces the problem to a finite number of linear programming problems. Therefore, algorithms for solving linear programming problems can, in combination with this reduction, be used to check the truth of a linear duration invariant with respect to any interpretations generated by a real-time automaton. It is easy to apply this algorithm to check the truth of a conjunction of linear duration invariants and to generalize the algorithm to formulas of the form I

c^in 4 l. 1c-o,

+ t ci' [Si 4 c, i-I

where c-o, is either a real number or oo, and each ,9i is constructed from the states of the real-time automaton using the Boolean connectives. In this chapter, we first use the gas burner example to explain the main ideas of the algorithm and to explain how it can check the correctness of a gas burner design with respect to the requirement, although a formal proof through Dc deduction was given in sect. 3.5. After the example, the reduction is formalized and proved correct. The work presented in this chapter is based on [172].

8.1 Example

Fig. 8.1. Real-time automaton for the

a transition to the Leak state can take place, and it can even stay in the Nonleak slate foreverSuppose for the moment that Nonleak is the i,n'itial state of the automaton. A finite sequence of transitions represents an untimed behavior of the automaton, e.g. an untimed sequence of transitions f

The main ideas and concepts of this chapter will be introduced here using the gas burner example. Consider the formula's

n(fl,eakl

+ !.
r((lf[,eakl ^flNonl,eakl ^lfleakl)

+

I > 30),

which model a design for the gas burner. This design can be represented by the real-time automaton in Fig. 8.1' whiclr has lwo states, Leak and Nonleak. The two edges of the automaton are called transi,tions, and are labeled f (for failure) and r (for recovery). The state Nonleak is called the pre-state of f and Leak is called the Ttost-state of f, and similarly for the transition labeled r. The transitions are also labeled with timi,ng constraints. The timing ctnrstraint on transition r is a boundexl anci closecl int
gas burner

rf

,

which starts with an f (failure) transition since Nonleak is the initial state, and then an r (recovery) transition followed by another failure transition. L timed behavior of the automaton is obtained from an untimed transition sequence by marking each transition with the number of time units the automaton spends in the pre-state of the transition, e.g. (f,31) (r,0.5) (f,50)

is a timed sequence of transitions describing a timed behavior of an automaton which spends 31 tirne units in the Nonleak state before a failure transition to the Leak state occurs. It then stays for 0.5 time units in the Leak statc bcfore a relcovery transition to the Nonleak state occurs. Finally, th
faihrrc

l,r':r,rrsil,iorr 1,o 1,]rc [,cak sl,a,{,
A

(l', / r ) (r', /:t) (l.,

/r)

the tirnirrg constrains

II 728 8. Model Checking:

8.1 Example

Linear Duration Invariants

must satisfy

Constraints:

t1 ) 30, 0 ( lz ( 1 andt3 > 30.

f1

)

30, 0 (

For this timed sequence) the total acr:urnulated time the automaton spcrrds

in the Nonleak state is f r f,lonl,eak

: tr I

t:t

*

l: ( I, Ob.jelt

f.;:

19tz

.

r If the maximal value

Sirnilarly, the (accumulated) time spent in the Leak state is 12 and thc length of tlre total time period covered by this timecl sequence is f1 -ft'z I f3, i.e.

peak:

129

t3>. 30 and

ile

(tr+tz *r.:) > 60.

funcr,ion:

- (tr + tu)

.

of the obiective function is positivc, thcn the linear

rf. e If the maximal r':r,lue of the objectivc {unction is less than or equal to dura.tion invariant is violatcd by f

then f rf sa,tisfies the linea,r drrr:r,tion invariant.

0,

12

Fig. 8.3. Linear programming problem

and

1!: ff eak *./Nonl,eak : tt I

tz

I h.

In thc following, we investigatc how to check the truth of the linear duraticin invariant representing the simplified requirement of the gas burner 60

< {.

+ (19peak fionleak) (

0,

regular language

with respect to all tinied sequences of transitions of the gas burner automaton. First, Iet us fix an untimed transitiorr sequence. Note that infinitely nrany timed sequences may be obtained frorn a given untimed sequence. An untimed scquence of transitions of a real-tirne automaton satisfies a lincar duratiorr invariant iff ail tirned scquences of the automaton obtained frorn the untirred

thc invariant. Considcr the problem in Fig. 8.2.

sequence satisfy

Is the linea.r duration invari:rnt 60 <

| +

19peak

-

Thus, if the gas burner automaton has only finitely many untirned transi tion sequences, then the satisfaction probiem of the linear duration invariant can be transforried into a finite mrmber of linear prograrrrming problems, and solved erffcctivcly. Unfortunately, this automaton carr producc infinitcly many untimed transition sequerrces) and they can be expressed in terms o{

JNonleak

(

0

satisficd by the untimcd sequence of transitions f r f of the gas burner

as

(fr)- U (fr)*f, where * stan
automaton?

Fig. 8.2. Satisfaction problem for an untimed

Is the linear dur:r,tion invariant

sequence 60

Fortunately, this problem can bc formulated and solvecl by usitrg iinr:ar prograrnming (see Fig. 8.3). Therefore, the problern of wlietlxlr att ttttl,itttt:rl sequence satisfies a linear duration invarianl, is rltt<:i
< 1 + 19./Lcak ./Nonleak < 0

sa,iisficrl lry cvrrry rrrrl,irn
(lr)-'/

130 8. Model Checking:

8.2 Real-Time

Linear Duration Invariants

Interestingly, any timed sequence obtained from a pair of transitions f r decreases the value of (19peak - JNonleak) by at least 11, since the automaton can stay in the state Nonleak for at least 30 time units and in the state Leak for at most 1 time unit. Thus, if the timed sequences obtained from repetition of f r k times, (f r)k, always cover a time interval which is not less than 60 time units and the values of (19peak - /Nonleak) given by them are not greater than 0, then repetition m times to give (f r)- (for arly tn ) k) satisfies the linear duration The above reasoning implies that if the timed sequences obtained from r)k always cover atime period not less than 60 time units, then the satisfaction problem for (f r)* can be reduced to a similar problem for

131

!{t';ut.

z-0

Therefore we can reduce the satisfaction problem of the linear duration invariant for the gas burner automaton to a finite number of linear programming problems. In fact, it can be reduced to four linear programming problems, which correspond to the untimed behaviors

invariant. (f

Automata

f, fr,

if

frf

and

frfr,

we exclude the plain behavior for the empty sequence. Their objective

functions have maximum values

k

-60, -40,

[J{r')0,

i,-o

which produces only finitely many untimed transition sequences. Flom the timing constraint that the automaton has to stay in Nonleak for at least 30 time units, it can be proved that the timed behavior obtained from (f r)2 always covers a time period not less than 60 time units. See Fig. 8.5.

If the linear duration invariant 60 <

| + 19Peak-

-fNonleak <

included in 2

I rf.t' I

Y'

it is also satisfied by every untimed transition

sequence of the

automaton included in

(f.).

and

-22,

respectively, and the answers are all positive. So we can prove the correctness of the design of the gas burner with respect to the simplified requirement by model checking. The observations in the above example can be easily generalized to cover other cases. For example, if there exists a timed sequence obtained from f r which increases the value of (tgpeak-/\onleak) by a positive amount, then the linear duration invariant will be violated eventually, since the repetition of f r wili eventually cover a time period not less than 60, and increase the value of (19peak - JNonleak) to go beyond any given bound.

In the following we elaborate and formalize the

0

is satisfied by every untimed transition sequence of the gas burner automaton

then

-4I

above observations,

and develop systematically an algorithm to check linear duration invariants against real-time automata. The notion of a real-time automaton is formalized in Sect. 8.2, and Sect. 8.3 formalizes the notion of a linear duration invariant. In Sect. 8.4 an algorithm is developed to reduce the satisfaction of a linear duration invariant for a (possibly infinite) regular language of untimed sequences into a finite set of linear programming problems. Section 8.5 briefly discusses possible generalizations of the algorithm.

.

8.2 Real-Time Automata Fig. 8,5. Reduction of a satisfaction problem Similarly, any timed sequence obtained frorn a pair of transitions r f also decreases the value of (igpeak-.fl\onleak) by at least 11, and tlre timed sequences obtained from f r f always cover a timer period not l
The n
1,32 8. Model Checking:

8.3 Linear Duration

Linear Duration Invariants

A. real-time automaton following conditions:

14.

is a tuple

(V,

T,low,zp) which satisfies the

1. V is a finite set of sfafes {P1,.. ., Pn},where the states are erclusi'ue and complete.

2.

T C V x V is a finite sel of transitions. If P : (Pt,Pi) is a transition, then P, is called the pre-state of p and P7 is called lhe post-state of p. We denote the indices of pre- and post-states by I and p', i.e. f, : i 6n6

i:

j.

8.3 Linear Duration Invariants A

LDI = c-in4l + Dl:rci.{Pi1c, where

The ualue of

denote the lower- and upper-bound timing constraints on the transitions, and we require, for any P €T,

00, where we accept r < oo for r € IR, and oo )

TSeq

A is a finite sequence of transitions of

:

-'{,

- PtPz"'Pn, where rn t 0, pt eT (I ( i (

rn) and

By i o:F o+, we express the fact that pi and pr+r are two consecutive transitions, which are linked to each other at state Pr*. The empty sequence (rn : 0) is written as e. Let Ln denote the set of untimed sequences of A- La is a regular language over the alphabet T, as il is accepted by a finite automaton (where every state is both an initial and an accepting state). A timed sequence of A is a finite sequence ,

1i

ff:'iy.

- L'j'-rti

.

The value of the linear function LF for a timed sequence TSeq is

rseq(LF) : D\-rci' Lemma 8.1 For any

ti,med sequences TSeqr, TSeq, and a state P,

(TSeqt^ rseqr)([P)

(-^-)

stands

TSeq([P1).

:

(TSeq2^ TSeqt)(JP)

for the concatenati,on

is

L'a'

I t; I up(p;) (1 < i < m).

Flom now on we assume thnt a (V,T,l,orn, tlJr), wlttrttr V

and the fact that addition

I

o[ Llul iutl,orrtiltort. Howervor, the value of IP (P e V) cirrr lrrr r:orrrprrl,trrl Irll ir,ny l,irnrx[ (or rtnl,irrr
r
= ll'r,.",

[P)

for ti'med sequences.

Rern,o,r'k. Ca,refirl readers may notice that a reordered timed sequence may viola,i,
and

Lowlp;)

commutative.

,

operator

Proof . This follows from the definition of TSeq(

PrPz"'P*

is givcrt.

,

LF ; D?:r"o.lPn

where

where

A:

:Diqoott

The l'inear functionin LDI is denoted by

d:Fo*, g
€

A

<m,an
: (pr,tt) (p",tt) "' (p^,t,n)

sequence of

- (pt,tr) Q",tt) "' (p^,t*)

TSeq([P1) 0.

[Pi (I < i < n) for a timed

is

seq

TSeq

l'inear duration i,nuariant for the real-time automaton ,4 is a DC formula

of the form

up:7-+(Ru{-})

sequence of

133

o cm1nt ci (1 1i < ,) and c are real numbers, and o Pi (1 < i < ,) are states of A.

3. The functions low:T -+R

An untimed,

Invariants

/1,,

)

,

134 8. Model Checking:

8.4

Linear Duration Inva,riants

(: DL, c,li6^uti), where ai : U I 1 < i I m ancl ff:'i1. TSeq(LF)

cminl( + L]:rc;'[P;1c is sati,sfied by the ti'med sequence TSeq of A if

4 f setl@) implies

If the maximal value of the objective function exceeds c, the linear duran tion invariant is violated by Seq. Otherwise, it is satisfied by Seq.

TSeq(LF) < c.

Otherwise, we say that the linear duration invariant is uiolatedby

TSer1.

I

=+ DT:t ci ' [Pi <

is sat'isf,ed by the unt'imed

A linear duration invariant LDI is satisfied by a set L c T* of untimed written L I LDI , it Seq I LDI fot every ,9eq € tr. Furthermore, a linear duration invariant LDI is satisfied by a real-time automaton A if it is satisfied by all untimed (and hence all timed) sequences of A, i.e. iff sequences,

The linear duration invariant ("*nn 4

135

The objective function of the linear programming problem is

The linear duration invariant

c,min

Reduction

c)

seEt"ence

Ln l: LDI

of A

.

S"'l:PtPr"'Pn, written

8.4 Reduction

as

Seq

I LDI

In this section we formalize the algorithm sketched in sect. 8.1, in order to

,

reduce

if it is satisfied by every timed sequence obtained from seq. otherwise, we say tlrat LDI is uiolatedby Ser1.

to a finite set of linear programming problems. In the following, we identify a regular expression with the language it

Theorem 8,1 The problem Seq

I LDI

is soluable using

denotes.

Li'near programming.

Proof. Let S"q : PtPz' ' ' P*Consider the timed sequence TSeq

LA ts LDI

: (pt,tt) (p",tr) "' (P-,t,

)

,

and consider each tr as a real variable. The constraints of the linear programminS; problem are obtained from the timing constraints of ,4,

A regular expression C(,1) constructed from the transitions of 7, the empty sequence e and the letter ,{, using union, concatenation and repetition, is called a regular contert. For a given regular language L I T* , C ('L) denotes the regular language obtained from C(/) by replacing every occurrence of l[ in C(X) with tr. Two regular languages -Lr and Lz of T are called congruently equi:ualent or simply equiualent with respect t'o LDI , written L1 :r,p17 L,2,

if for any regular context C(X),

low(p1)4ti1up(pi), for 1 ( of LDI

i 1m,

c(L,) l: LDr

and from the left-hand side of the implication in the definition

,

c^i,n

iff c(L')

LDI

.

=

Giverr .LD1, for sirnplir:ity we shall often drop the index LDI , and simply use lllSt(ril(l t)l :t,t)t. Irr l,lrrr lcsl, of'l,lris
=

1

TSeq(!)

G D[, t)

.

'l',\t't1,_,((')'l'5u11(() ;tnrl'1"\t't1,;(1,1")

'l',lrt1,(

l,lt)

136 8. Model Checking:

8.4

Linear Duration Invariants

and vice versa. In most case, we even prove

TSeq2(LF): TSeqt(LF),by

Theorem 8.2 For languages Lr, Lz C T*

137

:

: (LzLt). 2.(LtsLz)* : (LiL;). 3. (Lt(L;)). = ({.} u (r1(ri)(r;))).

showing

1. (LrLz)

TSeqr([P)

: TSeqt(fP),

for anv state P €

v.

A proof of equivalence can also be conducted at the level of untimed if we can find a correspondence between untimed sequences of and L2 which can be carried over to timed sequences.

sequences,

-L1

The problem

LA

Proof. A proof can be given by showing that each untimed sequence of an original language has a corresponding sequence in the equivalent language which contains the same letters but may have a different order among the letters, and vice versa. For example, for the second equivalence, it is obvious that

LDI

(Lru L2)* ) (LiL;)

=

is reduced to a finite set of linear programming problems in two steps. In the first step, we derive from L a an equivalent norm,al form,, and in the second step, we reduce the satisfaction problem of LDI for a normal form to a finite set of linear programming problems. In order to deflne the normal form, we need the following concepts:

1. An untimed sequence hpz...p^ of y' is called a finite terrn. Note that the empty sequence e is a finite term. 2. An i,nfi,nite term is an untimed sequence of A followed by a repetition of a single transition with zero as its lower-bound timing constraint, i.e. an infinite term has the form

PrPz"'P^P*, where /oto(p)

:

0.

3. A. normal form is a regular expression over the alphabet 7 of the form k

U to'

i:t

where -Li is either a fini,te term or an 'infi,ni:te term. Ls a special case 0, a regular expression for the empty language, is in normal form, as a

R,eduction

: l)?:, Lo.

Note that it is decidable whether a finite term satisfies .LD1 (Theorem 8.1). Therefore, the main part of the second step is to solve the problem of whether an infinite term satisfies LDL

8.4.1 Congruent Equivalence Reordering the elements of a timed scqllonco docs not charrgc th
and that by reordering the letters of an arbitrary string of (Lv U tr2)* into SeqySeq", where Seq, is a string containing only letters in -L1 and Seq2is a string containing only letters in L2, we can obtain the corresponding string

in

!

(LiL\).

By Theorem 8.2, the distribution law for the concatenation over the union and the idempotent law for the repetition in a regular language, we can transform any regular language into an equivalent finite union of regular expressions of the form

pt-..p^Seqi...S"qI. For example,

(np$ u (pzpn).)* pu TH8.2(2) = (np$). (pspq)** ps ps Idempotent ({.} U npip$)(pzp+)* = (pzp+)* psu ptpipi?sp+)*ps TH8.2(3), Distribution

= pb(psp4)* =

U

nprpip\Q3pa).

TH8.2(1).

(In the above equations, "TM" means "Theorem".) We now prove the following four theorems in order to reduce a regular expression of the form

pt...p-SeQi...S"si" to normal form. The first two theorerns are concerned with the equivalence between untirned sequences having 0 as the lower bound of the timing constraints. Tlr
8.3 #

(1,t1,2...

knn(p;,)

l),,,)* -

=0

Itip!,

"'

(rl

= 1,2,...,rrr,),

l)1,,.

tlr,cp'

138 8. Model Checking: Proof.

It

(prpr

8.4

Linear Duration Invariants

TSeqr(l)

is obvious that the right-hand side includes the left-hand side:

"'

P-)*

e pIpi " ' p;-.

For example,le\

: rseqr(fP). m:

'(fr I /2) TSeq2(LF):r" pL >cPr 't, lc*P2 'lt - TSeq''(LF), Sect.

2 and let

:

Theorem 8.4 If low(p1)

0 and

,i ,2 ,r,,

Corollary 8.1 # low(p6): 0 (i : 1,2,.

, \* \PrPz"'Pm) -

S"q

to

demonstrate a proof of the other half of the

equivalence. Let

l*in

: hPr "'

be the shortest time period which ,9eq covers, i.e. n

lnin : ltow(p). We can also obtain from Seq a timed sequence

be a timed sequence of pipi.According to the definition of a real-time automaton given in Sect. 8.2, up(pr) ) 0. We define

TSecl-o,

: (h,tt) (pz,tz) ''' (p-,t*)

,

where

k: lt2lup(pr)J and 6 : tz - k. 'up(n) ,

t;

i.e. we have

t[c*> o - ["p(p,) I low(p;) otherwise

,o, t
This seqllcncc has thc ntaximal vtrlue of -Lf' among all timed sequences of

tz:k'up(p1)+6.

Seq,

Then the following timed sequencc for pf

,

'l',9tr1 (1t1

Pm,

i:7

: (h,tr),(pr,tr)

collcsporrtls

*

P1'

The following two theorems are concerned with the equivalence of untimed with a positive lower bound on the timing constraints.

let

We shall use an example

=

and

Given an untimed sequence

pi.

(p, , t,,)

,m)

sequences

is trivial to show that

TSeq,

..

then

th"n

/ * *\ * \PtPz) : Pr'

TSeq,

n

c* : man{"F, I i : \,2, "',m},

is the corresponding timed sequence on the left-hand side. We omit further details of the proof.

)

in the introduction to

8.4.

corollary.

(pr,tr) (pz,ts) (pr,tr) (pr,o)

@Ipil

(asr'Pt- )r:-Pz )

By use of Theorems 8.3 and 8.4, we can directly derive the following

be a timed sequence on the right-hand side. Then

It

: TSeqt(l) : ttttz

where we have used the proof technique discussed

bt,tt) bt,tr) (p",ts)

Proof.

139

and

We can also prove that for any timed sequence TSeqt on the right-hand side there exists a timed sequence TSeq, on the left-hand side such that, for any state P,

TSeqr([P)

Reduction

,

rt,yt(1t1))u

to 7l9r'q,, sittt't'

w('

(p, , ,i)

('illt l)tov{'

,,,,,.,.(l,l|) l,',;,

.

t,

,

it

,

wlr('r'(, wt,

lll, '/15r11,,,,,,.(/,/") ,x, il'Holttt'/; il

,r,.

I40

8.4 Reduction

8. Model Checking: Linear Duration Invariants

l*m ) 0 and, TSeq*o,(LF) > 0, then for

any re4ular contert C(X) containi,ng o'n occurrence of X, C(Seq*) uiolates LDL

Theorern 8.5 A Proof . Since

Pj'Pj"

.t occurs in C (X), there is an untimed sequence

"'

Pj-S"qi firPt2

"

' Pt-

in C(Seqi), for any z ) 0, with a corresponding timed

^

TSeq"(i)

of the form

Proof. This follows directly from the definition of a normal

where TSeql is a timed sequence for pirpir''' pi- and TSeqt is a timecl quence for pr, prr "' Pt.The value of the linear function for TSeq6(i') is

:

Since

TSeqi(LF) +

)

TSeq-,,(LF)

i'

0 the value

TSeq*o,(LF) + TSeq(LF)

se-

.

of TSeqg(i)(LF) is a strictly monoton-

ically increasing function of z. Let

m

: L+ L(1" -

TSeqlQF)

-

respect to a given linear duration invariant LDI .The proofs of the closure properties are constructive, and they constitute the main parts of the algorithm for the clerivation of a normal form for a regular expression over the alphabet 7.

we now investigate closure properties of normal forms with

Theorem 8.7 The regular erpressions 0,e and p eT are'in normal form.

sequence

TSeqi TSeqi*o,TSeq,.

TSeqs(i)(LF)

8.4.2 Closure Properties of Normal Forms

Theorem 8.8 Normal forms are

i,

)

Since

k:

Theorem 8.9 If Lr,Lz e form equi,ualent to L1L2.

T* are in norrnal

fornr,, then there is a norrnal

Proof. Since -L1 and L2 are in normal form, we have TSeql(LF)l) I TSeq*",(LF))

.

mi

Lr

: U Lu (i:1,2)

,

where each tri1 is either a finite term or an infinite term. By distributing the concatenation over the union, we can transform to an equivalent regular expression

c

m.

l^,io

)

0, by using ft repetitions of Seq, where

l"^onl(.*tn1

Theorern 5.6 U l,-,1, ^*ak ' Deq

k:

DeQ

m2

j:t k:L

)

0 and TSeq-",(LF) <-0, then

,

lc*mll*tnl

n1

-L1-L2

U U LuL'n '

,

we obtain f seqs(k)(l) ) c^'i,, thereby making the left-hand side of LDI true. Therefore, folio: mar{k,m}, we have the result that TSeqs(i's) vio' ! lates LDI , and so does C(,Seq*).

.

Proof. Ln argument concerning this theorem was given in Sect. 8.1 when we derived the conclusion shown in Fig. 8.5; we shall not repeat this argument here.

closed wi'th respect to uni'on.

J:L

TSeqs(i)(LF) >

where

n

Proof. For any normal forms, trr and L2,the regular expression L1 U L2 is, n by definition, in normal form.

Then

for all

form.

We can show that for each

LtjLzx there is an equivalent normal form, by

considering the following three

cases:

t. LU and L2p are finite terms. By definition, so is L1iL2p. 2. One of L11 and L2p is a finite term and the other is infinite. By Theorem 8.2(1), the necessary permutations can be applied in order to obtain an equivalent infinite term for LtjL"n. 3. Both Ly and L2p ateinfinite terms, i.e. Lq - Seqrpi, with low(p1) : 0, and. L21, - S"qrpi, with low(p2) : 0. By Theorem 8'2(1), we obtain Lt jLzr,,

-

SeQt"

S"q, Pi Pi'.

a,lrlrlving Tlrcor
Ilv ltt

L1.i I',2tr',

L42 8. Model Checking:

8.5 Generalization I43

Linear Duration Invariants

Theorern 8.10 # L C T* is 'in normal form, then either there is a normal frtrrn for L* or the li,'near duration inuar'io,nt LDI i,s uiolated, bll L*. -Li is the normal form for tr. By Theorem 8.2(2),

lJ[, L* : LiL;.. . L;

Prool. Suppose

i < -,) is either a finite or an infinite term. We show that every tri has an equivalent normal form, unless it (and also ,L*) violates lDI. When we have done this, the proof is completed because (by Theorem 8.9) normal forms are closed with respect to concatenation. We consider the following cases: Srq

- hpz...p^is

a finite term. This part is split further into

three cases:

l^in:0 (for .9eq). By Corollary 8.1, Seq* is equivalent to a pj j, where 1< j < m) which is an infinite term. !-,1n Case b: ) 0 and TSeq^rr(LF) > 0. By Theorem 8.5, for any regu-

Case a:

(for some

lar context C (X), C (L;) violates LD I . So does tr*. Case c: l*tn ) 0 and TSeqn,*r(LF) < 0. By Theorem 8.6, we can transform Li into an equivalent concatenation of finite terms.

2. Lt - ptpz. .- p^p* is an infinite term. Let S"q : ptp"' finite term. By Theorem 8.2(3),

LI : (rj l

Theorem 8.1 demonstrates how to transform the satisfaction of LDI for a finite term into a linear programming problem. Here we show how to transform the satisfaction problem for an infinite term into a linear programming problem.

.

where ,L; (for 1 <

I. Lt -

8.4.4 Infinite Term

Seq Seq. p*)

..

P^, which is a

Let tr be an infinite term

L : prp""'p*p* where low(p) where

:

,

0. We introduce an extra state

<

p' : n-l 7, low(p'):0

and

Pral

and a new transition p/,

up(p'): cn,

and introduce a new linear invariant such that

LDI| derived

fuom

LDI by changing,L,F

LF, ; LF+cF[Pn+r. In other words, we simulate p* by ptpz-

..

p'

, and we have the result that

p^p* | LDI iff hpz. . . p^p' I LDI'

By transforming the satisfaction problem of

.

LDIt for

the finite term

.

PtPz

"'

PrrPl

There is an equivalent normal form for Seq* ,by Case 1, unless trDl is violated. Since e , Seq and p* are normal forms, and normal forms are closed with respect to union and concatenation (Theorems 8.7, 8.8 and 8.9), there is a normal form equivalent to ,Lf , unless LDI is violated.

into a linear programming problem, we can solve the satisfaction problem of LDI for the infinite term p1p2." g^p*.

tr A simple consequence of the closure properties is expressed in the follow-

8.5 Generalization

ing theorem.

Theorern 8.ll A'ny regular language ouer the alphabet T has an equiualent normal form, unless the li,near duration i:nuariant LDI is u'iolated. 8.4.3 An Algorithm Deriving Norrnal Forrns Since the proofs of the closure properties given in the previous scction are all constructive, it is easy to construct a recursivc algoritirrn wiri<:h r:a,n titke a regular expression over arr alphabct 7 as inprrt, anrl llnlrhr<:c a,rr
An easy generalization is to introduce an upper bound c^o, for duration invariant:

I in the linear

LDI - (ryi,n11.{c*n, * i cifPi?c. i:7

Tlur
*l

L44 8. Nlodel

Checking: Linear Duration Inveuiants

-P1 e

"'V P1, ancl Pl n P3 <+ 0,

P2Y

and therefore the duration of a disjunction of states (4) is equal to the sunl of the durations of the individual states. By Theorem 8.11, we Carr transform any regular language ovet T to a normal form unless thc linear cluration invariant is violated. Hence, the definitiorr of il real-time automaton (in Sect. 8.2) can be generalized in any possible way, as long as tire set of untimed sequences of the autornaton is regular. It is also not a difficult generalization to allow several states of the autornaton to be labeied with the same DC state variable, as the algcirithrn presentecl herc reqqires only that the DC state variables are complete and exclusive.

it

is possible to check whether a linear driration invariant holds for all subirrtervals with respcct to the timed sequences gerrerated by a real-time autornaton A, as one can add extra states a,nd transitions (with new upper and lower bounds) to A to sirnulate this. with this techrrique it can, for example, be checked whether

with

these gencralizations,

n(60 <

t! .+

20 fLeak

< l)

holcls for the the gas burner autornaton. Details are left for the rea,der.

In tlie literature, there are othcr interesting algorithms to check a li1-

ear cluration invariant against an automaton. For example, [70] rcdrrces the satisfaction problem of linear duration invariants with respect to tim,ed autom,ata ([6]) to tlte rnired i,nteger prograrnm,ino probleln) and 112] redrtces it to the linear programming probiern. Ref'erences [80, 81] solve this problenl for a subset ctf hybri,d auto'mata ([4, 99]), restrictions t-in linear cluration invariants to reduce the complexity of model checking are r:onsidered in [84, 159], and automata' [158] establishes a reduction for a network of real-time

9. State Tlansitions and Events

9.1 Introduction A real-time systern may comprise both states and events. A statc of a system characterizes a stable aspect of the systeln behavior. By sto,bl,c, we rlean that oncc the system entcrs a state, it will stay in that state throughout a period. An event of a systcm characterizes an in,sta'ntinterilction of the system with its environrnent. This can drive both the s}'stcrn and its environment to change their behavior dramatically. For example, in the casc of the gas burner, a flame failure causecl by the environment can bc taken as an event sent to the gas burner from the environment, which drives the gas burner to change its behavior from the norrnal (Nonl,eak) state to an abnormal (Lcak) state. Two a,pproaches to exten
Let ,9r and 52 be two different Boolean states of a rcal-time system. They characterize two distinct aspects of the system beliavior. ^9;(t) : 1, got i : I,2, rnea,ns that the system stays in Si at, t. We say that the systeill satisfns S,. at t when S;(t) - t. A, state. trtlls//i,on, of the sr-stem frorn 51 to 52 occtrrs at time f iff imrnerlia,t,
il 146 9. State Thansitions

9.1

I

and Events

Fig. 9.1. Automaton for refined design of the gas burner

This automaton has five states: Idle, Purge, Ignite, Burn and Failure, which rrake up a lefined Boolean state model of the gas burner. These five states characterize five erclu,s'iue aspects of the behavior of the gas burner, and form a completc characterization of the behavior of the gas burner. That is, at any time, the Bas burner is in one and only one of these states. This automaton responds to four events frorn its ent'ironrnent: HeatOn, Heatoff, DeFail and out30. Tire behavior of the automaton can be explained iriformally as follows, and a formal specification of the autrlmaton can be

found in Sect. 9.4. Idie: When the gas burner is in the Idle state, the gas is turned off, and thc gas burner awaits a hcat request. The burner will transfer to the Purge state on receiving a heat rcquest from its erivironment. In the atrtomaton, a hea,t requcst is denoted by the event HeatOn. Purge: 11 this state, the gas is still turned off, ancl the gas brrrrrcr pzluses for 30 seconds by first setting a tirnerr, and thcrr trarrslilrirrg 1,o t,lrc lgrritr-' state on recciving a tirnc-out sigrral rr,11r:r 30 s
liy

l,lrrr rrvrrrrl Ortl,ll0.l

lrt'lltt';tttlottt;t llris:rrtl,orrr;tlrtttl;t.lit'rtittl.o;tttrtttltl oltlYcvcttlstrrlivt'rl 'N*'tl'"f lrt lltr';rttlottt;tlolt"l;ttllt Iorr,srrllr;lrllr,;rl()rr;rrrrl()rrlil(1,;trr,li1',tr,'tlr;r'tlttlr;rtlttl :l r rrcl I in 1', I lrl I it tt,'r

147

Ignite: In the Ignite state, gas is supplied, and igniticin is performed rvith a pilot flarne. If the ignition succeeds, the gtrs burner trarrsfers to the Burn state. Otherwise, it transfers to the Failure state upon receiving an ignition failure signal, which is presumably detected as soon as the gas supply reaches a leak threshold. The detected failure is denotecl by the

For exattple, an event of flame failure in the gas burner can be identified by a state transition from Nonleak to Leak, if flame failure is the only cause of gas leakage in the gas burner. Let us considcr the gas burrrer exarrple again. A refirrement of the two design clecisions ofthe gas burner is given in [127]. A revised version ofthis refinement is shown as an autolnaton in Fig. 9.1.

Ignite

Introduction

event DeFail.

Burn: When the gas burner is in the Burn state, the flame is on. Thc gas burncr will remain in the Burn state until the heat lequest is cancclled (denoted by the everrt HeatOff) or a flame faihire is detected (denoted by the event DeFail). When the heat rcquest is cancelled, the gas is thcrr turrred off and the ldle state is entcrcd. Wherr a flarne failure occurs, the gas burner immediately transf'cls to the Failure state. Failure: In the Failure state, ignition failure and flame failurc are treated urgcrrtly. The gas valve is closed rvithin onc second, and tlien thc gas burncr transfers to the Idle state. (In the automaton, by assigning to thc transition from Failure to Idle a real-tirrrc constraint written as 1. 1, wc rnean that the transition from Failure to Idle must take place within one second iifter thc gas bur:ner enters the Failure state.) In the Failure state, i.e. during the treatment clf failures, it is assurned that gas is leaking. From thc above description, one can see that the automaton will not to the event HeatOrr unlcss it is in ldle, and it will transfer from Irllc to Purge when it responds to the cverrt HeatOn. Hence, as far as the behavior of the automaton is concerned. HeatOn can bc iderrtificd as the state transition of the autclmertorr from ldle to Purge. Similarly, Out30 can be identified as the statc transition from Purge to Ignite, and HeatOff as the state transition from Burrr to ldle. However, DeFail denotes Lwo causes of gas leaka,ge, namely ignition failure and flarne failure. When DeFail happens, the gas burner rnay bc in either the Ignite cir the Brirn statc, arid n'ill be driven to the Failure state by DeFail. The event DcFaii can therefore be identified as a forrnula (i.e. a disjunctiorr) of these two state transitions. State transitions are instarrt actions. Hence, they can be expressed as formulas that are true in point intervals. A formula expressing a statc transition from Sl to 52 rnust have a syntactic structure to indicate the source state ,S1 and the destirration state ,52 of the state transition. Howerver, in DC there is rro such folmula. Trvo kinds of atomic fcirmul:rs c:orrstnrr:tcrl frorn st,ates to cxllcss state transitions are intrciduced in S
l

i rolr,;rrr r;l ;rl l

trr,,r

li'l

148 9. State Ttansitions

9.2 Tlansition Formulas

and Events

s:1

The syntax and semantics of transition formulas are given in sect. 9.2, and extra axioms for transition formulas are given in Sect. 9.3. The extra axioms, together with the axioms and rules of Dc, make up a calculus to describe r.rd ,"uron about real-time systems in terms of both states and events. This ca,lcrrlus is called state transiti,on calculus. State transition calculus retains the result of relative completeness of DC. A formal description and verification of the refinement of the gas burner shown in Fig. 9.1 are presented in Sect. 9.4.

,9:0

\s

b-6

9.2 TYansition Formulas

,9:1

This section introduces transition formulas, and also demonstrates by examples how to use transition formulas to specify the behavior of real-time ,yrl"-, in terms of both states and events. Among the examples is a NOR

,9:0

blSe

circuit.

Fig. 9.2. Meaning

\ S, I S, \S and lS

9.2.1 Forrnulas

To the syntax of DC, we add the following two special symbols, and the following rule for building formulas:

r If

,5 is a state expression, then

\ s

and

/ s

\and Z

T,V,lb

- 6,bl F lfSl,

\S1^ lS2

for some d > 0,

\Idle

I .75 iff

T,V,le,e +

dl

F

lf,Sl, for some d > 0,

where the interpretatiot I and the talue assignment v are defined as in Chap. 3. Thus, \,5 or lS holds for an interval iff,5 has a constant presence in a left or right neighborhood of the beg'inn'ing or ending point, respectively,

\s

= \,s

(l:

S and

I S define a constant

tu

presence
rrsc
lPurge

A

/Purga.

The ev
o)

in a, Ieft aild a ilold l,Y1ltr, \ a,rltl irr ytoi,n,t. syrnllols <'t! ix rcslu:r:tivcly, right neighborhood,

\

A

sition formulas. For examples, the everrt HeatOn can be identified with a state transition from Idle to Purge, and hence HeatOn can be expressed as

\Idle

/S = 7S ^^(l:0).

The formula

,Sr is constantly present

describes a state transition of the automaton from Idle to Purge. Events identified with state transitions can be expressed in terms of tran-

of the interval. See Fig. 9.2. Two abbreviations are introduced here:

f

that

in a left neighborhood of a point and ,52 present in neighborhood is constantly a right of this point. Hence, when ,51 and 52 are distinct states, (\Srn /52) describes a state transition of the system from ,5r to Sz at a point. For example, means

and

T,V,lb,"l

of\S andlS on the interval fb,e]

are formulas, also called

The semantics of \ s and 7 S are defined in terms of lfsl as follows. Given an interpretationT, avalue assignment 7 and an interval [b,e],

ifi

et6

We can express instant state transitions in terms of \ ,5 and / S with propositional connectives. Let ,91 and 52 be states of a system. The formula

transition formrtlas.

T,V,lb,€l F\S

149

lr,,

\

(lgrril,c V Ilrrrrr) A

sirrr:r'i1, r'ir.tr

l,o ll;rilrttr'.

f

Fir,ilrrrrr,

lrr,irlr,rt,ilicrl wil,lr

l,wo sl,itlc l,t';t.lrsiliotrs: [j'otn rril,lr
ot'Burrr

150 9. State Tlansitions 9.2.2 Formulas

9.2 Ttansition

and Events

IS, tS' 6 and TS

J.91A tS2

\sn rz-s

is equivalent to

is true at a point iff the value of s changes from 1 to 0 at a point. That is, the systern leaves ,5 at that point' Similarly, \ -S n I S is true at a point iff the value of S changes from 0 to 1 at that poirrt. That is, the system enters state ,5 at the point. For these formulas, rn'e introduce the abbreviations

A /2,52

under the condition that 51 =* -,Sz is true. For the case of the automaton in Fig. 9.1, the formula

|Idle

A

f Purge to Purge. Moreover,

the formula

\-SAlS. |S

\,Si

describes a state transition of the automaton from Idle

JS = \S A.7-S I The meanings of

151

mearringful, and forms another description of a state transition of the system from,51 to 52. In fact, we prove in the next sectiorr that

For a state S of a system, the formula

ts

Formulas

{Idle + f Purge

and f S are illustrated in Fig' 9'3'

defines Purge as the only transition destination of Idle, and can form part of a formal specification of the automaton. Similarly, the formulas

{Purge + flgnite

S:1 and

jlgnite + t(Burn

.9:0 +s

s:1

V Failure),

can also become a part of a formal specification for the automaton, to define the condition that from Purge, the automaton can transfer only to Ignite, and from Ignite it can transfer either to Burn or to Failure. In circuit design, a Boolean-valued function ,9 over time can be used to model the voltage of a wire, where ,5(f) : 1 means that the wire ,S is connected to a power source (i.e. it is at a high voltage) at time l, while S(t) : 0 means a connection of the wire ,5 to ground (i.e. low voltage) at f The formula I S describes a falling edge of the wire voltage which represents an instant fall of the wire voltage from high to low. Similarly, f ,S describes a ri,si,ng ed,ge of the wire voltage, which represents an instant rise of the wire voltage from low to high. Circuit designers also use formulas to express the stability of a voltage. For cxample, -J-S is used to mean that the wire represented by S remains connected to ground at some time, and TS means a continuous connection of the wire to pclwer at sorne time. Thcse two frrrmulas can also be defined by the transition formulas .

s:0 ts Fig. 9.3. Meanings of {S and f S one can also describe state transitions in terms of I and ,52 be two states of a system. Consider the formula J.91 A

s

and

f s. Let st

tS2.

This formula holds at a point iff the systern lezrves St arr
-[q:= \-SA \,9A 1.9

l-S /.x.9.

Ifrorrr l,lrc rlcfirril,i<;,rrs, 1,5'irrr
9.3 Calculus for State Transitions

9. State Tlansitions and Events

t52

153

NoR circuit iff at that time both the inputs receive a falling signal, or one of the inputs receives a falling signal while the other is at low voltage. with

,9:1

the transition formulas, this statement can be formally expressed

s:0

f -(Inr V In2) L9

e

((JIn1A |In2) V (|In1 A IIn2) v (IIn1A

V

TS

consider a NoR circuit with one output wire and two input wires as shown in Fig. 9.5.

A

the proved. be can statements next section, these two one can also apply DC to specify and reason about the real-time behavior of combinational and sequential circuits [52]. Although we do not elaborate on r.eal-time issues of circuit design in this book, we indicate here how a transmission clelay ancl an i,nertio,l delay in a rising signal Out can be expressed in DC extended with transition formulas. For example,

Fig. 9.4. Meanings of L9 and TS

9.2.3 Example: NOR Circuit

IIn2) V (IIn1A tln2))' for the transition formulas in

In2) e ((f InlA f In2) v (f In1

After we have established a calculus

.9:0

+I"r))'

symmetrically, we can express a corresponding statement for a falling signal:

j-(Inr S:1

as

(f -(Inr v In2)^(l

: d)) <+ ((l:

d)

^ f Out)

specifies a transmission delay of d > 0 in the output rising signal of the NoR circuit, such that the time difference between an input rising signal and its corresponding output rising signal is d, and the formula

(f -(Inr v In2)^(lf-(In1 v In2)l

a))) e (((':

^(':

d)

^ f Out)

of d > 0 of the output rising signal of the NoR circuit. Namely, an input rising signal will not be propagated to the output wire unless the inputs are stable for d time units. similarly, we can specify the transmission and inertial delavs of the falling signals of the circuit by the specifies an inertial delay

Inr

formulas

Inz

({-(inr v In2)^(l = d)) <+ ((!':

Fig. 9.5. NOR circuit

d)

^

JOut)

and

Let Out, In1 and Inz be three Boolean-valued furrctions (i.e. Boolean

states), which denote the voltages ofthe output and input wires ofthe circuit. Thus, f out and.f out represent output signals of the circuit. If we neglect the propagation delay of signals in the circuit, then the functionality of the

circuit is specified by

f Out

<+

f -(In1 V In2)

({-(Inr v In2)^(lfln1

V

In2l A ((': a))) <+

((l:

d)

^ {Out),

respecitvely.

9.3 Catculus for State Tbansitions Tlur sl,irl,c l,r'ir,rrsilion t'trlcrrlrrs tlt'sclilrcrl lrt'r
and

{Out

<+

J-(Inr

V Irr2).

will lrt'itttrttttcrl l,o Llrc orrllrrtl, witt'. ltt lltt't'ottvltrl'iotrir,l l,ltt'oty ol't'otttlri tt;tlirttt;t.l t'itlrtils, il is rlillt'rl llllrl ;r tiriitrlt, riiP',lt;tl lr1rl'r';ttri ltl lltc ottl'pttl ol';r

Ilprrt

rliirl,llv

sigrrals wlrir:lr r:irrrsc lisirrg;r,rrrl ftr,llirrg o['l,lttr ottllrrrl,

propir,11;r,l

llorrp lrrovirlcs ptoposil,irtttitl ;t,xiottts [irr"1,lr
Lwp p,r.errps.'l'lrr, lirsl,

154 9. State Tlansitions

and Events

9.3.1 Proof Systern: Part

9.3 Calculus for State Tlansitions

I

Proof . We present proofs of two of these assertions only.

The formula

The first group of axioms provides a propositional calculus of the transitiorr formulas:

STI \1 and 71. ST2 \(,Sr v,9z) e 5.,5rv\Sz) and /(Stv,5r) e ?Stv 75). ST3 \-,S <+ -\.9 and 7-S c - 75 ST4 If Sr +,52, then\Sr =)\,Sz and 7St + 7Sz. .

The axiom ST1 formalizes the constant presence of 1 in terms of the transition formulas. sT2 and sT3 certify the distributivity of \and /over disjunction and negation. ST4 defines the monotonicity of \and / With this group of axioms, we can prove the following theorem.

(Sr V 5z)

c (\^9rV \,52) is proved as follows:

\ (,S1 v,92) c ((. :0)^ \(sl v &) Def(\ c ((.:0) N"91v\.9r) ST2 ^ <+ \ SlV \,S2 Def(\ The formula \ -,9 <+ ((l : 0) A - \.9)

.

is proved as follows:

\-,5 e (1.:0)A\-S Def(\ c (1.:0) A -\.9 ST3 e (!. :0) A (-(l = 0) v - \s) PL e (l:0) -((l:0)A\s) PL e (!.:0) ^A - \S Def(\.

Theorern 9.1

1. -\0 and -70. 2. \(Sr nSr) c KSrn\Sz) and 76tA,9r) e TStAlSr)' Proof. We present here proofs of - \ 0 and of the distributivity of \ over

We can also derive a propositional calculus for

conjunction only. A proof of the first case is

{S,

1,9, _tS and

Theorern 9.3

-\0 {+ -\-1 s --\1 <+ \1 € true

1.

ST4 ST3

Com,pleteness and Erclus'iueness

(tsv Js v Ts v.].s) e ((.:0) and -(xSA*tS), for x,x'€{t,+,T,1} and*f

PL ST1,

and a proof of the second case is

\(51 A 52) <+ \-(-SI1 V -,92) <+ -\(-,Sr V -,Sz) {} -5.-SrV\-,9r) s -(-\,51V -\.92) ++\,5r4\Sz

o

ST4 ST3 ST2 ST3 PL.

A similar propositional calculus for STl - ST4.

t(sr v,5r) tr(Sr v Sr)

\

S and ,v S can be derived from

\1++((.=0) and l1++((.:0). - \0 and - ,V0. \(,SrvSr) e(\.S1v\.9r) rt,ntl ,/(Srv Sr) e (lStv lSz)' an,d, l-S c((l=0) A-' lS). 1,. \-S<+((l:0)n-\S) 5. \ (,9r A ,92) e (\ o-A \,9r) tt,rt,il, / ('\r n,9':) <+ (l'9t A ,/ S')

.

I'ltt'tt'

-11, n<+(l:0)

Constant Zero

and -ll.

- 10, - J0, -T0 and f0 <+ (/:0).

1. 2. 3.

> ,\'2,

-fl,

4. Disjunct'ion

Theorem 9.2

^5'r

*t.

Constant One

n

(;. ll ,'ir

\

,5t )'f'' ,5;q n,rr,tl' ..'n ,\t

>'

l,\'t

.

c c

((tsrn t,sz)v (tsr n lsr) v (ljr^ f sr)), ((lsrn JSz) v (J,Sr n l5z) v (l,5,^ J,9r))

T(.91 v S') <+ (TS1 v TS2 v (+^914 r(^91 v,sz) (Is1 A 1,92).

e

,

tSz) v (t,9rn {52)) and

5. Negation f S <+J-S, JS <+t-S, T,5 e r-S and 1,5 <+ T-S. 6. Conju,nr:tion, t(^Sr n Sz) e ((tSrn t,9z) v (f Sr TS2) v (T,S1^ t,9z)) , n TS2) v (T,S1^ .l.,Sz)) , l(,Sr ,9r) e ((lSrn JSr) v (.1.S, ^ ^ 11.51 A,9r) c (1,9r A 'l'52) u,rr,d, l(,Sr A,5?) <) (1,5r V 1,9.j V (t,grA.l",9z)v (J,9rn t,gr)). 7. ( lott,tlrtt,rtt,r'r' ll ,\t.:'t,\"1., I.lt,t'rr, +,{1 .l) +,\,;,ruln'tt, +. {l,L f, l}

T,S.

155

156 9. State Ttansitions

9.3 Calculus for State Tlansitions

and Events

The statement

Proof . We present only the following proofs'

Proof of

-(f sA |s):

if Sr * -52, then

fs^ +s + \-,5n /zSA \ SA /-S + \ (-S A S)A /v (S A -S) =+ \oA lo + false prool sf

e

true

To prove

f0

<+

TH9.2(5) TH9.2(6)

J,51^ t,S2 <+ <+

TH9'2(2)'

(S1

Defo

f -(Inr

PL THe.2(2). we use the definition of

Iand

Theorem 9'2(1): <+

e

e ((tSlA tSz) v (t'9t n T'S2) v (TS1A f Sz))'

ts

rHe.2(5) TH9.2(6), (S1 + -Sr).

V

In2) e ((JIn1A.f In2)

V (JIn1 A

IIn2) V (-lln1A +Inr))

rHe.3(5)

{Inr)

TH9.3(a).

The formula

{-(In1

V In2)

THe.3(5) <+f(In1 VIn2) (f (IIn1A In2) THe.3(4). (f In1 IIn2) InlA In2) v A V e f f

9.3.2 Proof System: Part

II

The second group of axioms consists of two axioms to reason about the transition formulas with respect to the chop modality:

Nl \.9 <+ (\S^true) and 73 <+ (true^ lS). N2 ((l> 0)^ \S) <+ (true^lfSl)and (lS^Q >0))

<+ (lf,Sl^true).

Thc a,xionr Nl expresses the assertion that the truth of \ ^9 over an intcrva,l is rkrt
Defo TH9.2(6)

Dt'f(j).

Wr':rrr,r'r';rrlv lo tttrtvt'l,ltt't'r'ol'l,lrc ll'itlltttl'ttlri tttittlt'irr Slcl''

f -(In1 V In2) |(In1 V In2) (llnrn f In2) v (|In1 A IIn2)V (IIn1A

is proved by

e,L-S:

e \-SA /zS e \-,SA l--S e J-S

Def(|f)

|-(Inr V In2) <+ ((flnl A f In2) v (flnl A IIn2) v (-lln1A tln2))

,9r)

Defo \-(Sr^ n Sz)A /(51 n Sz) rHe.2(6) Sz) n (-,Sr v -,52)A /(Sr \ rHe.2(3)(5) (\-Sr V <+ \-S2)A /SA lSz (\-SrA <+ /Stn /Sz) PL V(\-szA /sr\ /s2) Def(f) (I52^ (t^9r^ lSr) <+ lSz)v v (1,914 SzA <+ 1(S2 -Sz)) / rHe.2(6)(1) v(t,924 l&A\(S1v-S1)) (\szv A (t,s1A \-sr)) <+ lsz rHe.2(3) v(tsz^ l& (\,Srv \-Sr)) ^ (,/Szn \-Sz))) (tSr e v(f ,sz^((/52^\^92)v \Sr)v (lst^ \-sr))) Pt (TS2v tsz)) v (tSz n (TS1v f ,S1)) Def(fi r) c (lSr ^((/Sr^ e (ts1^^ tsr)v (1,9r n -rS2)v (TS1^ ts2) PL. ,5

n ,zSz)

is proved by

<+ <+

Proof of f

\sr A l-st A \-sz A ,r'sz \ (,5r A -Sz)A lFSr A Sz)

a)\sr Alsz

r0 e (\1411) € (:0. t

(\Sr

The formula

(l:0),

Proof of t(,Sr n Sr)

(J,Sr n t,Sz) <+

is proved as follows:

Def('1,{)

- f1:

- t1 e -(\0A /1) <+-\0 Y -/7

r57

1)'2'

158 9. State Ttansitions

9.3 Calculus for State

and Events

Theorern 9.4 7.

or /S holds in, a prefir or suffir, respecti'uelA, of an i'nterual''it will hold,'in the i'nterual:

#\S

\,S^true) +\.9

2#\

and' (true^ ,ZS)

=+

,VS

'

S or / S hold's in an 'interual, it wi'll hold in any prefir or sffir, -(true ^

l-S) \S + -(\ -S lrue) and, 7S + 3. \S o'r I S holds in an 'interual iff there erists a left or ri'ght neighborhood of the begi,nni,ng or ending point, respect'iuely, of the interual where S takes the ual'ue 1 constarr'tly. That is, for any r ) 0, (({. = r) ^ \S) <+ (((l : r) n (true ^ lfSl)) ^true) <+

^true \.9 ^true ^true

N1

+

\s

N1.

9.3.3 Soundness and Relative Cornpleteness The proof systert of DC, together with

ST1

ST4, l{1 and N2, forms the

sound.

Proof . The reasoning used in the proof of the soundness of DC (Theorem 3.2) can also be applied to the proof of this theorem, provided we can first prove that the additional axioms, ST1 - ST4, N1 and N2, are sound. The soundness of any axiom (designated /) of ST1 - ST3, Nl and N2 can be formulated as the validity of /. That is, for any interpretation Z, value assignment V and

M

interval

* -5.-S^true): \S A (\-S ^true) ^ + (\ S ^true) A (( -.9 true ^ tnre) N1 IL17 + (\SA \-,S)^true ^true ST3 =+ false IL13. + false Proof of ((L:r)^\S) <+ (((l:r)n (true^lfSl))^true):

Proof of \S

[b, e],

T,V,lb,e) ts

O.

The soundness of ST4 is formulated as follows: if 51 ? Sz is valid in propositional logic, then for any interpretaLion T, value assignment V and interval [b, e],

I,V,lb,"l

F \,Sr +\,52

T,V,lb,el

I l&

and

(l=r)^\S N1 <+ (L : r) ^ \,9 ^true ^true : ^ N2. e (((. r) A true llSl )

+752.

Thtr pro
cv
! Flom N2, wo (jiur
n

Theorem 9.6 The state transition cak:ulus is

\.9 ^true) + \S:

\S

+ + \,g^true

(1.: r) ^ tS^(l > 0) Defo e (1. : ") ^ (\ -,9n ,v S) ^ (l > 0) ^true ^ : ^ (true N2. ((l r) n <+ li-Sl )) [,Sl

state transition calculus considered here. We formulate here the theorems of the soundness and relative completeness of the state transition calculus, and sketch their proofs.

(true^((l: r)n (lfsl ^true))).

Proof . We sketch proofs below. Proof of

.

Proof . We sketch a proof of the first assertion only, as the rest can be proved similarly.

.

und

(75^(l: r))

159

Theorem 9.5 For any r > 0: 1. (((.:r)^ IS^(!, > 0)) e (((t:r) A (true^ll-sl))^lfSl ^true). 2. ((!. : r)^ IS^(t,> 0)) <+ (((1, : r)A (true^llsl)) ^[-Sl ^true). s. ((!.: r)^TS^(L > 0)) <+ (((1.: r) A (true^[Sl))^l[.,5] ^true). 4. ((1.: r)^ )S^((. > 0)) <+ (((L: r) A (true^[-Sl))^ll-Sl ^true)

respecti,uely, of the i'nterual:

^

Tlansitions

lrtrl'w
Irir,s

ir virlrrr,rrl'r,il,lrr,r' I or' 0. Wr, slrirll rrol, ptt'sr.trl,

rlrrl,;r,ils

o['lltc lrroo['ltct'tr.

ll

160 9. State Transitions

9.4 Example:

and Events

Theorem 9.7 The state trans'it'ion calculus is relatiuely

o select k temporal variables, where k :22t , and o select 2k temporal propositional letters Xt,Xz,.-.,Xp and Y1 ,Y2,"',Yk' We index these temporal propositional letters with the k equivalence classes of the state expressions of the I state variables appearingin d. Let S be a state expression of the I state variables of /. Then

properA formal specification of the automaton can be given by formulating calculus' transition state the in events and ties of its states, state transitions Boolean The resulting formulas are considered nonlogical axioms to define Let automaton' the of state models of the behavior

Idle, Purge, Ignite, Burn and Failure

of the be the five state variables used to denote the corresponding states the are 9.4.2) in sect' etc. Autol(a), automaton. The formulas (referred to as following. 1.. State Completeness and Erclusiueness

(a) At any time, the automaton is in one of its five states:

o the formula\S is transformed to Xpsl , and r the formula /S is transformed to {s1 .

- ST4, N1 and N2 are transformed accordingly' For example, ST1 is transformed into The axioms ST1

lf

I v lfldleV

ll-ll

N1 is transformed into a set of formulas of the form

^true) and tq c

(true

^ ((l :

PurgeV lgnite V Burn V Failurel'

(b) At any time, the automaton is in at most

Xlrl and Yltl, 0) n X1s1)

161

9.4.1 Specification

complete.

Proof . we apply the same technique that was used in the proof of the relative completeness of DC (Theorem 5.1). To transform a formula / of I state variables ofthe state transition calculus into a formula of IL, we do the following:

X1s1 <+ (((l :

Automaton

(s, + -sz)l A St*Sz

v ll

one of the five states:

,

where,SrandSzrangeoverthesetofthefivestatevariables. 0) A

tq))

,

and ST4 is transformed into a set of formulas of the form

2. Euents and State Transiti'ons (a) Four events:

: (|Idle A fPurge) Out30' (|PurgeAflgnite) DeFail' ({(IgniteV Burn) A fFailure)

HeatOn X1sr1 =+

X;s,1 and {s,1 } }is,1'

where ,Sr and Sz range over the state expressions of the / state variables of S, and Sr + Sz holds in propositional logic. In order to follow the proof of Theorem 5.1, all lemmas and theorems established for Theorem 5.1 must be revised to conclude the necessary properties ofnot only the selected temporal variables, but also the selected propositional letters. We can therefore prove the relative completeness of the state transition calculus. However, the details of the proof are left to readers as an

exercise.

HeatOff' ({Burn

(b)

Seven state transitions:

Jldle + f Purge |Purge + flgnite jlgnite + f (BurnVFailure) |Burn + f(IdleVFailure) |Failure+fldle'

n

9.4 Example: Automaton

A f Idle) '

3. Real-ti'rn'e C orr'stru,i,n'ts (a) Th
s
ilfttl'

l,h
Pttt gr':

This section presents, in the state transition calculus, a formal specification and verification of the refinement of the gas burner example shown as an automaton in Fig. 9.1.

(f I'rrlgc " (/ = ;]0))

(lr)

'l\.r,1,1,rrrr,rrl,

f)

(f l'rrlgc

-

* lfl'rrrg
Orrt:|0)'

1f'rr tirilrrlr, tttttsl lrt' lirrislrtrrl wil,lril 6ltt'

ll'l"n,ilrrrr'fl

) (/':

l)

'

H1t'9ltrl:

762 9. State Tlansitions

and Events

9.4 Example: Automaton

The above three groups of formulas constitute a specification of the automaton. Let Auto denote the set of all formulas in these three groups. To verify the refinement, a deduction

1.

2.

Auto F DesrADesz must be established in the state transition calculus. This is done in the following subsection.

fi(X) F ft(ll l),this is covered by the base case F i?([ l). n(x) r fi(lfsl ^x): llsl ^fisl ^x^ll-sl ^ ll-sl DC17 =+ llsl ^x ^ ^true ^ |S ll-Sl /?(x). lls-ll

3. .R(x)

Failure is the only state of the automaton in which gas is leaking. Thus, we can introduce Leak as corresponding to Failure:

Leak

With this lemma, we can prove the following theorem. Theorem 9.8

Lemma 9.1 For any state erpressi,on S,

Auto F

([Sl ^true^ll-Sl) + ([s'| ^ .f,S^t.re^[-sl).

The base case l-

^x^[-sl) +

([s]l ^ JS^true^ll-s]).

Desl'l(fl,eakl .+ l.<1) and - l((lfl,eakl^[-Leakl^lfl,eakl) + l>30).

Proof. The case Auto

Auto l-

IL18

)

Des2

^ lf-Leakl ^ lfl,eakl ^ ]Leak^lf-Leakl ^lfl-eakl + ^ f Idle^[-Leakl ^flLeakl + ^ + (!,> 0) flIdlel ^true ^ lfl,eakl =+ (l > 0) ^ lfldlel ^true ^ ffl,eak 4 -Idlel + (t! > 0) ^ {Idle ^tme ^ lfl,eakl + (l > 0) ^ f Purge ^true ^ fl,eakl * true ^ fPurge ^ fPurgel ^true ^ fl,eakl * true^ f Purgc^ ffPurgel ^ l,rrur ^ [flca,k A -Prrrl4
THe.5(2) L3.

^x)v ([-sl ^x)), where the formula fi([ I v (llsl ^x)v (ll-.91 ^X)) fisl ^([ I v (fisl ^x) v (ll-sl ^x))^ [-sl F

Desl is established by using Auto3(b) and IL4.

in the following.

fisl

The inductive step is

R(x)

I

We sketch a deduction of

R([ l) is established as follows: ^ [-sl Def(

,

Des2

'l]

[sl ^ ll + [sl ^ [-S-ll 4 ar ) 0.((!. : r) n fsl ) ^ ll-Sl =+ 1r.(((. : r) n fisl) ^ JS^ [-S]l + [S]l ^ [S ^true ^ ll-,Sl

Desy A Des2

uh,ere

Proof. The proof is by induction using Theorem 3.5, and the induction hypothesis is

([sl

n([-Sl ^x)'

tr

Failure.

We present a lemma first.

/i(x)'

I-

[sl ^ [-sl ^x ^ [-sl ]S ^true ^ [-Sl ^x ^ [-,91 R([ ll) -''.? [Sl ^^.fS^true^[-Sl M. [Sl

9.4.2 Verification

i

163

a([-ll v (llsl

is:

([Sl ^ [,5^true^ll-Sl). Since lfSl ^ ([ I v ([Sl ^x) v ( [-Sl ^x)) ^ [-.91

+

* tttttt[fPrrrg
implies, by IL14,

trsl^lll^[-sl

v illsl ^([sl ^x)^ [-sl) v 0lsl ^([-sl] ^x) ^[-sl), it, srr[Tir:cs (lr.y l'1,) Lo lrtovrr Llrc [ollowirrg lltt<,t'r'it,st's itr ot rlct l,o csl,;rlrlisll irrrlrrt'l,ivo slr'p:

-' { I'rtrg
f Prrrg
)./.;10

1,lrc

liv ir

irrl lorlrtlitrp, I I rrri lrovr,,

itr ll,

I

w{, (';rn

t,r'rttr

THe.5(2)

Auto2(b)

rHe.5(i) Autol(b) LMg.1

Auto2(b) THe.5(1)

Autol(b) LMg.1 A rrt,o2(lr)

l,r'urr

l,o2 (i

A

rr

A

rrl,ol|(l

r,) )

tllt ivt' /)r',r', ll otrr I ltt' r'ottllrtsiott

oIrl it.ittt'rI

I

10. Superdense State Tlansitions

10.1 Introduction In the Boolean state model) we assume stat,e stabil'ity. That is, whenever a system enters a state, it will stay in the state throughout some period,

although the length of the period can be arbitrarily small. Therefore, a state transition is a transition of a system from one stable state to another, and two consecutive state transitions must pass through an intermediate stable state which separates these two state transitions from each other. For example, let

\Sr

A

zzsz and \S2

A

lS3

be two consecutive state transitions of a system as shown in Fig. 10.1. The transition \Sr A /Sz occurs at time C, and \S2 A lSz occurs at (t+d)' They are separated by a period of presence of the intermediate state sz. The distance between them (i.e. the length of the presence period of s2) is 6 > 0. Sz

,9r

\SrAlSz Fig. 10.1. Two transitions

d

t+6

Ss

\s, AlSz

sepa,rated by a stable state

As d can be arbitrarily small, one can ask the question of what coulta,in il situatirlrt with a, statcl trattsition from ,9r t
166

1

10. Superdense State Transitions Sr

I

Fig. 10.2. trffect of a superdense transition

\Sr

A

it

is interesting to allow the two corrsecutive state transitions

l,9z and \S:

A zz^9r

to happel irrstantaleously by assurling that the interme{iate statc

,S1 is

unstable and invisible, the result beeing the state transition

\,9r

A ,'2,9s

Introduction

167

consurnes rro time, tliey r:an also happen consecutively an
cAL(x,u)

5s

\Sr ^ l'5:

Thcrefore,

10.1

comilrunicate. A computation of a sequence of operations which is assunrecl to be tirntrlcss is called a su'perdense c.om'putati'on,. A super{ense computation is in fact an abstraction of a real-tirrlo (:()lrr putatiorr within a context with a grand time granularity. For instanctl, in Ilrt' digital control system, the cycle tirne of the computer may be nanostr<:otrtls, w-hilc the sampling period of the plant may be seconds. In other wor'
the Zeno phen'om'enon ()t fin,ite di'uergen'r:e 148]Superclense cornput:rtion also arises in the area of prograln rtlfitttlltrt'ltl O1e of the wcli-k1own algebraic laws for untirned programs is tlt
knorn'n as

.

.

These twcl consecutivc and instanttrneous state trarrsitions arc called .s?,Tterdense trans,iti,orts. In general, a finite Sequencle clf state tra,nsitions which takes place instantaneously will be callc
.superdensq we mean that cven a tirle point has a del]se structure, so that it carr host .i series of state transitiorrs. Thc superdcnse state transition is not only a corrceptual gcnerzr,lizatiorr of

an ordinary state transitiorr. It also has irnportant applications to real-tirne systems. We present in the followirrg subsection an application that motivatcs the introcluction of superdense state transitions.

10.1.1 Superdense Computation

In a digital control system, there is always a picce of prograrn, hostcd in a computer', that acts as a controller. The pl'ogram can periodically receive sarnpled outputs fiorn a plant, an
u); actuatorlu; wait 7,

where CAL(X,u) stands for a prograrn segment, rn'hich decides the current control signal from the current sampled data x ancl the previous control signal u. 7 is thc samplirrg period. Typically, the time spent in the calculation of control signals is negligible comparecl with the santpling pcriod T. So contrtil crrgin
T|1s, CAL(x,rr) lrc<:orrr<)s il sc(luolr(:r.o1's1;tl,crtt<'ttls wlritlt lttt't'xt't ttlt'tl ottt' lry 11r', l;r1, r'orrsrrrrrc rro lirrrt,.'l'lrc rcccivirrl,,;tttrl llx'scrrrlirryl (i.r'. st'rrsot/x ;tttrl;t.r'ltt;tlotltt) irr llri'l)l{)Jr,l'llll;ll. ri{'lr;tt;rllrl ll'rlrr (1,\l'(r,tt)';rtlrl,:;ittcc

Y': .r | 1:x:= X t2 are r:quivalent to the sirrgle assignmtlnt

x:=x+3. In older to retain the cornbine law for real-time progriillls, ollo lllily lrssllrr r(' tlat the execution of ari assignmcnt takes no timc. Ot,lrtlwis
x:-x*llx:-x*2. 1e1,i6rr r.rf sqlrrrrrlcrrsc r:orrrlrttlitl,iott is :trlolrlr:rl irr l'ls(t'r'r'l l l{)l ;rrrrl sl;rlt' <:hit,r'l,s fllll], ;rrrrl scrrr;rrrl i<' rrrorlcls ol'srtp<'trlt'ttsc t'rttttlrtt(:ll iott tr,rtrtt' itrl torlttccrl

A

itr f67,7:i,1)ll. ln llris r:lr;r1rit:r', w('('xl)l('sr-j supclrlt'ttst't'ttttt;rttl;t{iotr itt l)(l l,t' ttsitrg sttl rlt rl('lts(' sl -rl r' I l ;r ll\il i( )ll\. A sirrg,lt'slr'p ol-;r corrrprrl;rliotr r';ttt lrt't'x;rtt':l:;t'rl;ts;t rrl;llc ll;tttrlililrtt,;lttrl lrctrcr';t su1rr,r'rlr,tr:ic cottrpill;rlion r';ttt lrr','x;rt,'slt,',1;tll;r li,ttttttl;t ol :itt1t,'t,llttrl'' sl;rlt.l,r';trrsiliorr:;.'l'1r,,t{';lii()l il llr;rl llrl r;rlttc ol;t 1ttol',t;tttt t';rti;rlrlr',;ttt lrt' irrit.tp|r,1,',1;ilt:t r;l;rlr'. .\ tr';tl Vltltt,',1 r';rti;rlrl| x,rl ;t 1tl{,J',1:rlrl r';ttt Ilt:ttt1',r'tlr' ( r.;tlrtr,,lttt.itr1,, ll1,r,r:r,r'ttlt,,tr ,,l l lr,, ;,r,,1,,t;rttt lttc r:ttt lttlll lrll'l \ ;t:; ;t ltttl, li,'tt ol littr'. i

'll'ttrr,' t

Lll

168

10.1

10. Superdense State Tlansitions

For v € IR, the property

becomes a time-dependent property of x. It is reasonable to assume that the program is t'imely progressi'ue, and hence a program variable can only change its value finitely many times in

any finite period. Thus, the property x : v is f'ni'tely uariable, and can be taken as a Boolean state of the program. Let us use x : v as an overloaded notation to designate the program state which characterizes the property x : v. The assignment -- r 1I Af

can then be expressed as a formula of state transitions

\(*:v)A,7(x:v*1), where we assume that the initial value of x before the assignment is v. This formula defines the condition that the assignment first inherits a value (v) of x from its predecessor in the left neighborhood, and then passes the new value (v + 1) to its successor in the right neighborhood. Similarly, the assignment r

--.--.

O

can be expressed

\(*:v+1)

as

A7z(x:v*3)

if we assume that the initial value of x before the assignment is (v* 1). A superdense computation of the two consecutive assignments

x::xi1;x::xf2 :: x* 1) to (x :: x* 2) takes : (x v 1) f of the program is unstable no time. Thus, the intermediate state expressed as a superdense state and invisible. The computation can then be transition assumes that the passing of a value of x from (x

The chop moclality can chop a nonpoint interval into subintervals, but cannot chop a point. At a point, the chop modality degenerates into the conjunction connective. For example,

((\s' n ,r'l)^(\S,

n

lSz)) c ((\S'

^,vSz) ^

(\,5r

A ,V Sz)

. (\

Sz

n ,v

St)

that an interpretat'ion of states, 7, is given. Then we define the by stipulating that this formula is satisfied by T al a point t meaning i{I there exists a ref'necl interpretation of states (designated T')' In L', the point t of I rsexpanded into an interval lt,t + 5) of I' (for some d ) 0), such thatT'satisfies (\,Sr A /Sz) at time t and (\ Sz n /Sz) at time f *6, and the intermediate state sz holds stably throughout the interval (t, f + d), which links the two transitions in z/. This situation is sketched in Fig. 10.3. of .

,9,

Ss

v*3).

The result of these superdense state transitions is

\(*:r)A,V(x=vf3). I'

which expresses the assignmerrt r,-xfd -- r t

rrrtrlcr'llrc

ir,ssrrrrrlrl,iorr

lrig. lO.:|, llrirl, t,lrc irril,irr.l virlttc ol'x lrclirtc l,lrl

rt,stip,;tttttcttl, is v.

n ,zss))'

.

Suppose

followed by

l$=

(\S,

Thus, with the chop modality, one can express two simultaneous state transitions at a time point, but cannot express two consecutive state transitions at a time point. In order. to express superdense state transitions in Dc, we need a new modality to introduce a dense structure into a point. The new rnodality is called the superdense chop and is denoted by o. It can map a time instant \n a granrl,time space (called rnacro time in [73]) into anonpoint interval in a fi,nelime space (called mi,crotime in [73]), so that an instant action (such as the value passing of x) in a grand time space can take some time in a fine tirne space, and hence an unstable intermediate state (such as x : v * 1) of a superdense state transition in the grand time space can become stable in the fine lime space. To explain the meaning of the superdense chop, let us consider two state trarrsitions: (\,9r n I Sz) and (\,Sz n ,V Sz).Combining them with the superdense chop, we obtain the formula

\(*:v)Al(x:vf1). \(*:v*1)A

169

10.1.2 Superdense Chop

x:v

-- .I.

Introduction

5r

< / +d

llr'lirrr,rl ittllt';rrt'lirl.iott lirl l,lrl rittlrt't rlt'ttst' r'ltolt

,5s

170

10.2 Calculus for Superdense State

10. Superdense State Tbansitions

In the above explanation, both Z andT' are interpretations of states, and the relation between these two interpretations is quite similar to the relation between the value assignments )l and V' with which we introduce semantics for quantification over a global variable. In [60] and [163], it is indicated that the superdense chop can be defined by the original chop if we allow quantification over a state variable. A formal calculus for superdense state transitions, called superdense state trans'ition calculus, is presented in Sect. 10.2. Using this calculus, we define in Sect. 10.3 a real-time semantics for an OCCAM-like language with superdense computations.

Tlansitions I7I

In the semantic definition,

Pa,(t): Pr,(m+612)

(m


expresses the condition that every state variable

P (and

hence every statc) h;r,s

interval (m,m*6). The intermediate, invisilrkr value of P in a superdense state transition expressed by the superdensc
lSe\.9

10.2 Calculus for Superdense State TYansitions lO.z.L Syntax The superdense state transition calculus contains durations of states, i.e. /S, as terms, and transition formulas, i.e. \S and /5, as atom'ic formulas. The conventional connectives and quantifiers are also adopted. However, this calculus contains the superdense chop modality, o, instead of the original chop modality, ^.In other words, formulas of the superdense state transition calculus can be obtained from formulas ofthe state transition calculus presented in Chap. 9 by replacing ^ rvith o and vice versa. In this section we shall use the fact that if / is a formula of the superdense state transition calculus, and rfl^lol is obtained from / by replacing r with ^, then O[^1.] is a formula of the state transition calculus. Furthermore,

if /

does not contain any transition formulas becomes a formula of DC.

is valid for any consistent state,g (i.e. S is not equivalent to 0). Let T, V and [b, e] be an arbitrarily given interpretation, value assigrtrtrurl, and interval. We establish

I,V,lb,el f /So \S by letting m be an arbitrary point in lb,e),5 be an arbitrary positivrr |c;r,l number andT' be an interpretation obtained fronl by inserting an irit
:1

for

m

1t 1(m + d)

.

That is, state S can be taken as the intermediate state of the sull
(i.".\,,/ / $), then dl^l.l

/,sr \-$ is never satisfiable, since for any m and d, one cannot firrrl a valtttl

1O.2.2 Semantics The calcuhrs retains the Boolean state model. Only the semantics of o need to be explained, as all the other semantic definitions remain as in Chap. 9. The semantics of / o ty' is as follows. Given an interpretation Z, a value assignment V and an interval [b, e],

T,,V,lb,")

?

d.

=

4 and I',V,lm*d,e*d] F,r/,,

and for every state variable P, Itn' l,

t\,(t)

I constant and equal t<-i /S , is violated bv T' .Itt othrtr wor
\-S

10.2.3 Proof Systcrrr

rlt

iff there exist m € [b,e], d > 0 and Z/ such that

T',V,lb,"r)

tf 5' ir l l lll

interval (m,ml d) inserted to obtain I' sucb.that /S is satisfictl itr l/r,rrr,l and at the sarre time\-$ is satisfie
I

rtt,

,t) d) [irr'/ tt t ,\f')) lirl rrr - /- (rrr I ,l). :, (rrr, I

Irr t,his s
Sl)(ll

(r[1

tlrfr; r/r'1))

.i

] ((/,r trft;lr ltt).

I72

10.2 Calculus for Superdense State

10. Superdense State Transitions

SDC2 Suppose z is not free in

since the above three formulas contain no occurrences of

Ty'.

dz) e ((d' . da) v (dz. dz)) (Qz. (hv dz)) e ((dr . dr) v (,bz.,bz)) ((lr.d) . Q) c 1t.(qo tP)

(@'v

.

6z)

(true

.

Q!.1r.0 c =r.(t[ofi.

(6t .

d)

([sll^lfsl)

@3), then

(h . dz) and (62. dr) +

=>

(6s

.

Qt)

.

state ,s can become an intermediate state to link the two formulas on the intermediate @ A 75) and (\,s A d) if $ and 1., place no demands and link can states intermediate \ -S' Hence, we no /,5 state. However, axioms. the following introduce ,5 is cr.tnsistent,

(O

^,VS).

7/

(\S

^

4 and

4,))

e

\ / (O.

t!, rh)

173

and

,

and

<+ flsl

are provable in DC. The semantics of the transition

A

SDC4 If

true

\or I

(US:")^(/S:a)) # lS:(r+y) (n,y)0),

.

-

SDC3 It (62 =>

^true) I

Tbansitions

t'hen .

formulas\,5 and /S is as given in the state transition calculus described in Chap. 9. Therefore, the axioms ST1 ST4 can also be adopted here. However, axioms N1 and N2 cannot be used in the superdense state transition calculus, since they are expressed in terms of the original chop, ^. In fact, SDC4 SDC6 replace N1 and N2 in the context of

o.

We have the result that SDC1 - SDC7, together with tute the superdense state transition calculus.

ST1 ST4, consti-

1O.2.4 Theorems

SDC5

We prove the fbllowing theorems. In the proofs, predicate calculus is tacitly

('75 ' When

\-'9)

<+ false

assumed.

'

$ /, the formula \,S A /) merely places on a left neighborhood (\S o

the requirement that S holds. The same requirement is placed by

/)'

Theorem 10.1 (false.

Thus, we have:

sDc6 If \/

false

(\s . d) <+ 5.s ^d). @.lS) \,.7//,

/ /

@,

then

(O^/S). between . and ^ <+

and

dl^l.lis

provable in DC, then @ is provable in the

With SDCT we can, for examPle, Prove (true. true) <+ true,

((./S:r).(./,S:u)) tr .ll,sll) (>

false.

ll,cll

,

.l',9-

SDC3 SDC7.

Theorern 10'2 disappears if we are not concerned with

superdense state transition calculus.

([,sll

+

.d

* false r true * false

The difference the transition formulas.

SDCZ If

r false)

Proof . We present a proof for the first case.

/, then

Symmetrically, If

/) + false and (/

(r rq) (:r:,ir)0), a,rrrl

NSr.lSt)

c \Sr

^,7Sz).

Proof.

\.91r lS2

<+ (\,91 r l,r'rur) r (trtt (\,9r A (llrrc r l,r'rtt')) A 1,52 Sl)Cl6

{) \,sr A/,\,.r

slx17.

I

174

10. Superdense State Tlansitions

10.3 Real-Time

Corollary 10.1

Semantics

175

10.3 Real-Time Semantics

(\,S.true) <+\,S

In this section, an OCCAM-like notation and a real-time semantics of the notation are presented, where assignment statements and message passing of

and

(true.

communications are assumed to be timeless actions.

/S) c 75.

Proof. The first part of the corollary can be derived by letting ,91 be ,S and I Sz be 1 in Theorem 10.2. The second part can be derived similarly.

Theorem lO.3 If ((d n 7Sr).

(Sr n Sz) 'is consistent,

(\S'

^

?i)) <+ @.,,h)

l/

O

and\/ {,

then

delay, x,

y for

program uariables,

c,

d for

for arithmet'ical

by the following grammar:

5::: x,:

ST4, SDC3

n/)

ST2, SDC2 sT4, SDC3, SDCS ST4, SDC3 ST2, SDC2 sT4, SDC3, SDC5 SDC4.

r\,53) is consistent, then

((\S' nlSz).(\Ss nlS+)) e \S' nlSa,). Proof. From Theorem 10.3, we can derive

n,7S+))

(E) | c!(E) | c?x lwait I S;S I B -+ S S) I (c?x "-r Sflwait 7 -+ 5) I pY.S P :::3 1@ llP), where ,S stands for sequentiol processes, and P for parallel processes. The informal meanings of the statements can be given as follows. | (c?x -+ S[d?y -+

n

((\St ATSz).NSs

T € (0, oo) stand for a time

erpressi,ons of program variables, and B for Boolean erpress'ions of program variables. The syntax of the notation is given

.

($ n 7Sr). SS2 qr) <+ (d /((S1 ,S2) v ^(S1 -S2))) . N.92 d) ^ A i/) ^ <+ (d ^n 7(Sr, n^Sz)) r \,52 v ((d n 7(St n -Sz)) . (\S, /)) <+ (d n 7(& n Sr)) o \S2 nTl) ^ <+ (d n ./(& nsr)). (\((Sz ASr) v (,52 -Sr)) ^ <+ (d n /(St n sr)) o \(S2 51) ^ n -,51) ^1r) n /)) v ((d n 7(St n Sz)) . (\(S, <+ (d .7(Sr rt Sr)) . (\(S2 ^91) 4) ^ ^ + d.rh^

(,Sz

Let

channels, (E)

Proof.

Corollary 10.2 If

10.3.1 Program Notation

e \Sr.7S+).

Therefore, by Theorem 10.2, we can obtain the required

conclusion.

tr

* ,: (E) assigns

the value of (E) to x.

c!(E) sends the value of (E) on channel c. c?x receives a message from channel c, and assigns wait

7

delays the program for

T (T > 0) time

it to x.

units.

Sr;52 is the sequential composition of 51 and 52. (B -+ S) behaves like S if the values of the program variables satisfy B. Otherwise, B is false, and the process terminates imrnediately. (c?x -+ 51 [d?y -+ 52) is a choice. If a communication on c can be completed earlier than one on d, the first branch 5r is chosen; similarly, if a communication on d can be completed earlier than one on c, then the second branch 52 is chosen. If these two communications can be completed at the same time, the choice is random. (c?x *+ 51 fiwait T -+ 52) is also a choice. If a communication on c can be completed within 7 time units, the first branch is chosen. Otherwise, the second branch is chosen.

pY.S is a conventional recursion, where Y is the name of the recursion process and Y may occur in 5.1 We exclude finite divergent behavior of processes by assuming that any occurrence of Y in 5 is guarded by a wait statement, so that a process will not be engaged in infinitely many assignrnents or communications in a finite period. 2 allows a pa,rilllcl svstcm constructed from sequential processes. Shared verriirtrl
\/dr, $2 andl/rh,('2, then ((\s,.dr) (\,sr.dz))+ (\(srAs2) r(d1ndz)). ^ (rhr.,vS)) ((rltt ((th. /St) A At/z) . 16r ASr)). e

Theorem LO.4 U

Proof. We prove the first equivalence only.

(\Sr.dt) n (\Sz.dz) c (\,9' dr)^ \sz n dz) sDC6 TH9.1(2) <+ \(sr ^ ,52) A (h n dr) ^ r (r[1 (Sr tlt'2) A ,52) A SDC6. <+ \

twrxrrr s
tr

I Wr rlrn,ll roltttxiott,

ouc

rt,l, t,tt,t,lt

rrrrl, t,lnlrornt.r,

trttrl.

Iss,11, 1111

Llrr, rL,l,nils ol' Llrr, svtrl,ilx rt'rlttirtrrl l,o

lruilrl

a

L76

10.3 Real-Time

10. Superdense State Transitions

state uariables

10.3.2 Prograrn States

In order to model the behavior of real-time programs, program states

: {x,y,z,c,d,c!,

dl, c?, d?,

..

.}

are

,

where x, y and z, called program uari'ables, record the values of variables of a pro-

gram;

c and d, called trace uar,iables,2 record communication histories over individual channels; c! and cl! record readiness to send messages over channels; and c? and d? record readiness to receive messages over channels. The variables c!, dl, c? and d? are called readiness aariables. Let the real numbers IR be the value domain of the program variables. The domain of the communication traces of channels is the set of the finite sequence of the real numbers Trace

When

Let us extend the set of qlobal aariables) 8V, so that we have

1. v, v1, v2, . . . &s global variables to range over IR, and 2. h,h1,h2, . . . &s global vaiables to range over Trace. Accordingly, we extend the set of function symbols to include the concatenat'ion operator

x

Trace

-+

1. 0, 1 and every state variable are states. 2. If S and ,9t are states, so are -,S' S V S', lv.S and lh.S. By the definition above, a state is in fact a forrnula ofthe program and channel variables and of the global variables such as v and h, in a first-order logic with equality. In a formula, quantifiers are applied only to global variables. We shall use

\ar,or,. .. ,a^)^\br,b2, - . . ,bn) ) (or,o",. . . ,a^,bt,bz, "' ,b^) ' The operator

^ is assoc'iat'iue,

and has the empty sequence,

represent a state S which contains the program and channel va'ria,bles x, c, c! and c?, and free occurrences of v and h. An interpretation of a state is determined by an interpretation of the program and channel variables and a value assignment for those global variables which occur (freely) in the state. we also use 7 to stand for an interpretation of the program and channel variables, and use xTt cT, c!7 and c?a for the interpretations assigned by Z to x, c, c! and c?. We assume that

to

xr :lfime -+ R cl : 'lfime -+ Trace clz : llime -+ {0, 1} c?z : lfime -+ {0, 1}

Trace,

with the definition

0,

as

the left and

also the ri,qht :unit.

'

State erpressions (also simply called states) are generated from state variabies by the propositional connectives - and V, and also the quantifier l, since state expressions may contain global variables (".g. u and h). We can say the following:

,5(x, c, c!, c?, v, h)

truth values {0,1}

Trace

are generated from the program and channel variables

1. If x is a program variable, and (E) is an arithmetical expression of global variables v,v1)v2,... , then (x: (tr)) is a state variable. 2. If c is a trace variable and tr is a trace expression constructed, by using ^, from global variables h,h1 ,h2,... and arithmetical expressions of v, v1, v2, . . . , then (c : tr) is a state variable. 3. Any readiness variable is a state variable.

? lJ m'. n)0

n:0, IR' = {0}, where 0 stands for the empty sequence. Let the be the domain of channel readiness.

^:

177

PV by the following rules:

introduced into the superdense state transition calculus as state variables. We consider the following sel of prograrn and channel uariables:

PY

sv

Semantics

We car. introduce a trace variable to record the communir:ation historics of all channels of a process, if ordering among <:omnruni<:ittions over'
,

and that they are ,fi,nitely uariable for any interpretation T- That is, they cannot changc thcir values infinitely often in a finite period. 7 also assigns irrtcrpr<:ta,l,ions t
V(v)

<-

llli ;lnrl

V(lr)

r

'l\n,u:.

is interesting.

Of'r'lrtt'rit', V irlse;rsl'i11ttx vitlttlri I'o ollrt't 1';lolxrl v;l,ti;tlrlts,;ts trxlrlil,irrctl itt (llrrlrH. 2 rrrrtl il,

I7B

10.3 Real-Time

10. Superdense State Tlansitions

Given Z and y, the value of a state at any time is determined. Let ,9 be a state written as,S(x,c,c!,c?,v,h), and let I € lfirrre. We define,5 to have value 1 at I under I andV, ifr S (xa(t), ca(t), cl7(t),

7(t), V(v), U(h))

c?

Theorern 10.6

\(" : vr) n ./(*: v2))) <+ \(* : ((\(" : v1) n 7(*: v2)) o Cnt(x)) <+ f\(" : (Cnt(x)r [fx: <+ [x: vl "l) ([fx: vl r Cnt(x)) <+ [fx: vl (Cnt(x) .

3,

lV(v).

that

Proof.We merely sketch the proofs here. Observe first that

(\ (" : v) A ,7 (x : v)) . N(" <+ (\ (x : v) n 7(": v)) o \(*: <+ \ (x : v) o /(x: v2) c \(x : v)n /(x: v2) Observe next that rt (v

xr(t)

:

v'(")

((\(":

.

In fact, the state lv.(x: v) has value 1 at any time under any interpretation and value assignment, since for any interpretation Z, value assignment V and time f one can always find a value assignment V' which is v-equivalent to V and has V'(v)

As we have introduced first-order quantifications in state expressions, we need an additional axiom concerning the distributivity of \and,Zover the

existential quantifier: ST5

where

r

<+

lr.\S

and l1r.S <+ )r.lS,

stands for any global variable.

Vr.\S

' :n.(\

v) n

I

:

vr)A /(x: v) n l(x:

if (v:

.

\(x:

v1), then

v2))

,rr)) Def(\rl SDC4 SDC6.

v1), then by SDC5, the definition of

v)) r

l(*:

v1) n

l(*:

I

and SDC3,

v2))) e false.

The first two parts of Theorem 10.6 follow from the above two observations. A proof of the last two parts can be given as follows:

Cnt(x)olfx=vl

3v'.\(x : v') n (1. :0) A l(x : v/)) o\1 A [x: vl) Def(l),STl <+ fv'.(\(x : v') A ((. :0)A /(x : v/)) .N1 A [x: vl)) SDC2 e 3v/.(\(x : v') A ((.:0)) r lfx: vl) TH10.3 SDC2 <+ lv.\(x : v) n ((. :0)) o ffx : vl ST5 <+ \3v.(x : v) n (!. : 0)) o ffx : vl (lv.(x : v)) <+ 1 <+ \1 A (!. :0)) o lfx : vl ST1 + ((. :0) r [x : vl SDC7. <+ [x: vl define Cnt(c) ' :n.(\

and /Yr.S

<+

Yr./S.

(x

: v) A ,V (x:

expresses the continrril,y of statcs of x.

x

(c

:

h)A

I

(c

:

h))

similarly and prove the following theorem.

Theorern 10.7

The formula Cnt(x), defined by

Cnt(x)

v2))

We can

Theorem 10.5 <+

.

n

The following theorem is proved using ST5 and ST3.

\Vr.,S

ur))

<+

: v(t).

\12..9

l(x: v1) n /(x: v1) n

.

:

However, the state lv.(x : v) has value 1 at f under T andV, since we can construct a value assignment V' which is v-equivalent to 7 and has V'(v) - 2, so

179

.

is valid in a first-order logic with equality. For example, if, for a given T and V, we have xT(t) : 2 and 1/(v) then the state (x: v) has value 0 at f under 7 and V, since

xa(t)

Semantics

v))

r\(t::hr)A./(r,: hr))) c (\(":hl) Al(c:hz)). (C\.(,' = h1) n/(x - l,.r))o Orrt(r:)) <+ f\(<': hr) A /(c:h2)). (( rrrl (r') r ll c lr ll ) < I ll t' l,ll (Crit,(r:)

,

a,l a, lroiul; arrrl irr:l,s as

it

rt,rt,i,l

ol

r

for l)logrir,ln

(ll,'

lrllr(lrrl(r'))

{r ll,'

I'll.

180

10.3 Real-Time Semantics

10. Superdense State TYansitions

[c?x]r"'' [c?x]'

10.3.3 Program Semantics we shall use a technique given in [56], where the semantics of each process p is simultaneously defined by two formulas, [?]r", and [2]. These formuIas define the terminating behavior and the entire behavior, respectively, of P. The formula [P\ is prefir-closed. By prefir-closed, we mean that for any interpretation Z, value assignment V and interval lb,e), If

T,V,lb,"l

F [2],

F

lhr,h2.Syncr(ht,hr) V [c?x]r"',

where

Syncr(h1,hr)

= (^

Comml(h1,hz,t)

e,

\((c :

h1) A (d

[c? n -d? n

= hz))

-c!n

(c: hL) n (d : hr)l-,/\

t l((" :h1^v)

n (d

:

h2) A (x

In the formula Syncl(h1 ,h2) and henceforth, we

[2].

As indicated before, our aim is to show the expressive power of the superdense state transition calculus, so we shall nof concern ourselves with other details, for example, a proof of the continui,ty of the semantics of all program constructors, and hence the existence of a fixed point of a recursion. Furthermore, for simplicity, we also assume that a process has only one variable, say x or y, and two channels, say c and d, over which the process may communicate. It should not be difficult to generalize the semantics to more realistic cases by introducing process alphabets. For each process considered below, we state its semantics by defining the communications on its channels (c and d) and the evaluation of its variable

(x or y).

Sequential Process:

lh1,h2.(Synct(h1,h2) r lv.Comml(h1,h2,v))

and

then for any c, where b I c I

T,V,lb,"l

181

*,:

(E)

The assignment terminates immediately. neighborhood and passes

It

: v)).

use the abbreviation

[sl.=flv[sl The formula Syncr(h1,h2) therefore defines the behavior of the process while it is waiting to receive a value from channel c. The process first inherits the values (h1 and h2) of the histories of channels c and d, and keeps the readiness variable c? at 1 as long as its partner does not engage in communication (i.e. c! :0). During the waiting period (if any), the process will keep the channel histories of c and d constant, so that no communications over c and d are possible. Note that Synct deliberately avoids specifying the value of x in the waiting period, since it follows the assumption that only the initial and terminating values of a program variable are observable. The following definitions of Sync2, Syncr, Waitr and Wait2 follow the same assumption. The formula Comml(h1,hz,v) describes the time instant when v is received over channel c and assigned to x. Note that the trace of c is changed, while the trace of d is kept constant.

inherits a value of x from its left

the changed value

to its right neighborhood. The

communication histories of c and d do not change:

[x :: (E)]t"" ' :,t.(\ (x : v) n .r'6: (o)(v))) A Cnt(c) A Cnt(d) [x :: (E)] ' [*,: (tr)]t"',

Sequential Process:

c!

(E)

We assume that this process has y as its program variable and that it outputs messages over d. The semantics is described in a way similar to c?x:

: lhr,h2,v. [c!(n)] : lhr,h2,v. fcl(E)]1"'

where (E)(v) is the expression obtained from (E) by replacing x with v'

(Sync2(ht,hr,v)

o Comm2(h1,h2,v))

Sync2(hr,hz,v)

v

flcl(E)]1",,

where

Sequential Process: c?x We assume that this process can input messages from d also. As soon as this process synchronizes with its partner, it will receivc ?I Incssagc) rrpdate the communication history of cha,nncl c and assiglt th
Sync, (lt

1

,

h2,

\ v) : / \((.:hr)A(d=h2)A(y=v)) \n lf,,! A -rl! n -c? A (c : hr) A (d : hz)'ll-/

ilrr
(lrrrrrrr12(1r1,l12,

v) t ,r'(c

hr- (l,l)(v)) A (rl ',, lr,r) A (y

I82

10.3 Real-Time Semantics

10. Superdense State Tbansitions

Sequential Process: wait

?]t"' ' Waitl A ((':

: v * 1, then v-r 1)). (\(x : v/) n,7(*:v' +2))

This formula can be proved by showing that if v'

?

We assume that this process has x as its program variable and can input messages from both c and d. The process aiways terminates, and nothing happens to its program variable and channels until a time T > 0 has elapsed: flwait

183

T)

(\(" : v) n /(x:

coR10.2 \(x:v) n l$:v'+2) v/:v*l, \(x:v)n l$:v-13) and if v' f v i7,then by (x : v+ 1) + -(x : v/) and SDC5, (\(": ") A,r'(x: v+ 1)). (\(": v') A l(x:v'+2)) <+ fa,lsc. <+ <+

(In the above equations, "COR" means "Corollary".) Hence, by SDC2,

:".(\(x:v) A l(x: v* 1)).1v.(\(x: v) A,/(x: v+ 2)) n ,7(*: v'+2))) € 3v,"'.((\(x:v) n,V(x =v+1)).(\(":v/) <+ lv.(\ (x : v) n ,r'6: v + 3))

where

/ \tt":hr)A(d:h2) A(x:v)) \ Waitl3 fhr.h2.v. In [-q:A d?A(c:h1)A(d:hr)1. | \n/((. - hr) A (d: h2) A (x: v)) / When wait T controls y and the outputs of c and d, the semantics of .

wait

T

.

Sequential Process: (B -+ 5) We assume that this process contains x and can input from c and d.

[B -+ 5]t",

can be defined by Wait2 in a similar way:

/ \(t" -hr)A(d:h2,1A(v:v)) \ Wait2 i lh1,h2.v. I n [-c!A-d!A(c:h1)A(cl:hr)l| \n ltt" : hr)A (d : h2)A (y : v)) /

[B '+ .

s]

= NB A [S],",) v ((\-B)A Cnt(c) A Cnt(d) A Cnt(x)) = (\B ^ [S]) v ((\-B) A Cnt(c) n Cnt(d) A Cnt(x)),

where we assume that B can be expressed as a program state, i.e. a first-tlrtlcr formula of the program and channel variables.

* 5z)

Sequential Process: .Sr; 5z

Sequential Process: (c?x --+ 51 [d?x

The prefix of the behavior of Sr;52 consists of the prefix of the behavior of 5r and its terminating part, continued with &:

We assume that this process contains x and can input frclm c arl
[St;Sr]t"' 3 [Stnt.'. [52]t"'

[Sr;&n =

[5r] v ([Srn,"'. [5r]).

[c?x -+ 51[d?x

Now we can prove the combine law introduced in Sect. 10.1.1. Consider,

!h1

[x

:: x* l;x :: x+2] <+ [x :: x*3].

According to the semantic definitions of assignment and sequential composition, the equivalence above can be transformed to the formula

:".(\(x : v) n,V(x: v+ 1)).1v.(\(x : v + 3)) <+ -v.(\ (x : v) n l$:

v) n

l6=

vf

. [.S1]i,,' . [Sz]i"'

-1Srn '

.Svnr:r (h1 , h2 ) V lhr, h2.(Syn<:.,(h1, h2) o 3v.C)orIIlIIt (iI1, lr2, v)) V 3h1, lt2.(Svn
for example,

<1.

, h2 ,

r . r v)) lv.(lorrrrrr;j(h1,1r2, V !h1,lr2.(S.yrrt;,(h1,lr2)

[S1] [S''rll

'

wlterrc

2))

Synt:.,(lr1 , lr2)

.

;t,t tr

lr1)A (tl lr:r)) / \(t, \ \n 11,"lArl'iA 'r'lA 'rllAlr' lrr)A(rl 1",)ll-/

I

( lotrrrrr,r(lrr, lr,r, r,)

'((,'

lrl ) A

(rl l',

v) A

(r

v))

784

10.3 Real-Time

10. Superdense State Ttansitions

Sequential Process: (c?x --+ .S1fiwait

T

[5' ll &n,",

]

=

lhr,frr.((Syncr(trr,hr)A (l
[c?x

rsr

+

V lh1,h2.((Syncr(hr,hz)A ((
that Y may occur in 5. The terminating and complete behaviors of pY.s(Y) can be extracted from iterations of 5. Let 5i(Y) :5(5(...5(Y)...)) denote the zth iteration of 5. We also introduce denote

an auxiliary syntactical entity, called

[M]t", I [M] i

M, with

the definition

szn -

|

\v1[sn^[s,]) I)

We specify here bhe real-time properties of program termination and liveness. As we have discussed in Chap. 1, DC with contracting modalities is not able to formulate and prove unbounded liveness including termination. Only bounded liveness is discussed here. In Chap. 11, two expanding modalities are introduced, and unbounded liveness can therefore be treated there.

Partial Coruectness The partial correctness of a program

false

as

false.

M actsllke a miracle, from which one can derive any conclusion.3 The terminating and nonterminating behaviors of p,Y.s(Y) can be defined, using M and iterations of 5, by [/,Y.S(Y)],", 4 1n 10.[5"(&1)]t"' [pY.s(]')l '- rn ) O.tS"(M)1,

2 with Pre as its pre-condition and Post its post-condition can be formulated as

\Pre A[Pnr",) + /Post, where Pre and Post are first-order formulas of program and trace variables.

Bounded Terrnination The bounded termination of P with the pre-condition Pre holds if there exists

r)0suchthat

means an'i,nfi,ni'te disjunction of dt,dz," ' ' We sliall not discuss here how to define (lr1 > 0.0; in DC. References [39, 41, 60, 108, 110] have introduced an operator p into DC for this purpose'

where

lt

\((" : 0tn 1a = 1;11 \ t[s,]r", A ([Sznr", . WaiL2))\ (^ / (([5r]r." o Wair ,) n[Srn,",) \v )/ \((" : 0)n 1a = 1;11 \ / v ([s'] n ([&nr", . wair.z))\ | (^ I tt[S'jr"".WaiL1)^[Sr]) I I'

10.3.4 Program Specification

Sequential Process: PY-.S(Y)

we write 5(Y) to

185

The semantics o[ (S1 ll Sr) is

--+ E2)

We assume that this process contains x and can input from c and d'

*[c?x -+ S1[wait T -+ 32]1",

Semantics

(lri > 0.0;

[2]) =+ (!. < r) Let 5r (i:7,2) be two sequential processes, \Pre

.

^

51 : wait 2;c?x

Parallel Process: (.Sr ll 5z)

52:waitt:c!y; y':yf1.

We assume that 5r contains the variable x and can input from c and d, and that Sz contains y and can output to c and d. 51 and ,S2 syrlchronize the communication histories of the channels c and d first, by initializirrg them as 0, and then run in parallel. Any terminating process rn:r,intains its status (described by waitl for 51 ancl by wait2 for s:) unl,il th
t I,I,*'.,*" wait

sl;r,l

sirr
ir,

where 51 has the variable x and input c?, and orrtput r:!. L
?1 : 51 ll5'2.

&

has the variable

y and

186

L0.3 Real-Time

10. Superdense State Tlansitions

we can expect Lhat Pr always terminates in two time units, and y holds when

?r

:

1-1-

l

terminates:

\

Since the consequent part of the implication contains no occurrences of Z *e obtain, by replacing o with ^ in the consequent part of the

implication, the following DC formula:

((.:0)^((
v ((1.:0)^(t: v (((. : 0) ^ (l :

and

since\1

is true

(sTl),

: xr

1).

fzrn

+./(v:x*1)'

1 \(tt-0)n(Y:.')) v)A (x

[prnr",

=

ii]

r

. ^

((

<,,t)

'\ I

we do not present the proof of the simplification here, since derive program properties directly from program semantics' With the simplified semantics of Pr, we can prove

it

is tedious

(\Pre

\u tto:

Q)o

A

Consider, for example,

\

(l = 1)o (l < 1)) I (l :!)o((: r)) /

u

+ 1)) SDC6

Def()-

[2n) =1 n"4"Vh1, hr.([(. : hr) A (d : h2)l +

)"a"d ? tr1uso@otrue D"a"d ? -Qra"-d.

follows. By SDC3, we have Q)o

:

(!.

< r))

,

where [sdc is the counterpart of D in the context of the superdense chop, i.e.

Q<2)

+ I u tt,':

v) n (y

A program is not deadlocked if the communication traces of the program are expandable. A bounded liueness can therefore be established by proving an upper bound on the time period in which the communication traces of the program remain constant. Let P be a process which has channels c and d. P has r ) 0 as its upper bound of liveness under the pre-condition Pre, if

I

ri [Pr] tr

:

Bounded Liveness

Iu=,f.h1:;jll,l',l =ii],^(r=r))) \.1ii"ln-c?A(c:0)ll-n1t
/ ((=o).(l<1)

n ("

I

: v)n (Y = v + L)) /

( r" (. hl[ ; lll i',1

+]$:x*1),

* lv. 7((c:0) + 7$:x*1)

\

rv I : [[;.;:;;,iJ:1\?lili;,\,, \. l((":

["r] +

Q<2)

can be derived easily from the simplified [21]1,,, since

of Pt:

<+

+

[Ptnt",

In order to prove the above properties of 2r, we first simplify the semantics

rpn

.

is easily proved using DC. The property

and

r2rl,", <*

1)^(l < 1)) r)^ ((: 1))

Therefore, by use of SDC7, the conclusion

the termination properties can be simplified to:

[Zrn + ( <2)

[Prnt",

187

and

(\1^[2r]) + (52) e\1 A [Pr\t*) + 7(v

Semantics

.

53 = trr,Y.S1;Y .$n

e pY.S2;Y

ilrrrl .S'1

ll

.S,1

,

188

10. Superdense State TYansitions

We can prove that P2 always has 2 as an upper bound of liveness:

(\14 [pzn) +

l"4"Vh1,hz.([(c

11. Neighborhood Logic

: hr)A (d : h2)l + (' S2)) '

The proof from the semantic definition of Pz is too tedious to present here. Verification techniques with DC formulas as specifications have been investigated in 193]. This book will not cover this topic.

11.1 Introduction The chop-based interval temporal logics, such as ITL [43], IL and DC, are useful for the specification and verification of safety properties of real-time systems. In these logics, one can easily express properties such as

. "lf O holds for an interval, then there is a subinterval where iy' holds", and c "lf $ holds for an interval, then { holds for all subintervals". However, these logics cannot express (unbounded) liveness properties such AS

o

"eventually there is an interval where / holds", and r "/ will hold infinitely often in the future". Surprisingly, these logics cannot express even state transitions, and hence we had to introduce extra atomic formulas \,S and /S) in Chap. 9. The reason for this limitation is that the modality chop ^ , is a contracting modality, in the sense that the truth of O^(t on the interval [b,e] depends

only on subintervals of lb,el:

/^r/

holds on

fb, e]

iffthere exists m elb,el such that

/

holds on [b,m] and,ry' holds onfm,e):

oa m

l-l th

Hence, with ^, one cannot access any interval outside a given reference irrterval. Therefore, formulas constructed from the connectives of first-order logic arr
190

11.2 Syntax and

11. Neighborhood Logic

limit at a point must refel to neighborhood properties of the point, i.e. properties over superintervals of the point. To cope with this, an informal mathematical theory of real analysis was assumed in 1170] and also in other languages for specifying hybrid systems, e.g. in hybrid siatecharts [92], hybrid automata [ ] and TLA+ [76]. In order to improve the expressiveness of the chop-based interval temporal logic, people have introduced infinite intervals 197,1621 and erpanding modalities be formalized. The definition of a

[31, 103, 139, 148]. For example, [148] establishes a complete propositional calculus for three binary interval modalities: ^ (denoted by C in [148]), T and D. The last two are expanding in the sense that the truth value of formulas STtl,t and $Dt! on an interval [b, e] depends on intervals "outside" fb, e]:

/TTl holds on

[b, e]

iffthere exists c ) e such that

fTrlt

@

holds on [e,c] and

/

holds on fb,c]:

191

In this chapter, we present a first-order interval logic [165], which has two simple expanding modalities:

. Otd . Ord

reads "for some left neighborhood $", and reads "for some right neighborhood".

They are defined as follows:

r Q/ holds on [b, e] iff there exists d ) 0 such that @ holds on [b - d, b], and . O,Q holds on lb,e]itr there exists d ) 0 such that Q holds on [e,ef d]. With q and Or, one can reach left and right neighborhoods, respectively, of the beginning and ending points of an interval:

ooft abe

a,O

0

Semantics

d

bec 4)

to an expansion of a given interval in future time. Symmetrically, D refers to an expansion in past time:

Hence, T refers

/D{

holds on

iffthere exists n (

[b, e]

b such thal' O holds on [o,b] and

O

r/ holds on [o,e]:

ODrl'

4)

Liveness can be specified using these modalities [139], and there is a com-

When the interval is a point interval (i.e. b: e in the definitions), these neighborhoods can become the conventional left and right neighborhoods of a point, if we assume d > 0. We therefore call Q and O, the left and right neighborhood modalities, respectively. They are expanding modalities, and very similar to (A) and (A) of the six basic modalities of [44]. This first-order interval logic is cal\ed nei,ghborhood logi,c (abbreviated to NL). NL is adequate in the sense that the six basic unary modalities of [44] and the three binary modalities of l7a7l are expressible in NL. Similarly to the axiomatizalion of IL in 1271, we can give a complete proof system for NL. This proof system is much more intuitive than the propositional calculus for the modalities C,T and D given in [147]. On the basis of NL, we can also establish a duration calculus which can express state transitions, and liveness and fairness properties. In [165], notions from real analysis are also expressed in an Nl-based duration calculus.

plete axiomatization of a propositional modal logic of the three modalities C, T and D. Some of the axioms and rules of this logic are, however, complicated.

Interval modalities are not necessarily binary. In [1], there is a list of thirteen possible unary interval modalities, and in [44] it was shown that six of them are basic in the sense that the remainirrg trnary rnodalities carr bc derived from the basic ones in propositional l
47],

11.2 Syntax and Semantics Thcl syntax and scmantics of NL are similar to those of IL given in Chap. 2, cx<xpt that thc <:hop rno
ry'::.- .T l(i"@t,..,,/i,,)

I ,,hl,hVl, l('lr)r/ lq,/ lq,l,

192

11.3 Adequacy of Neighborhood Modalities

11. Neighborhood Logic

The semantics of the formulas Qd and Or$ are given below:

Table 11.1. The six basic modalities listed in

J ,V ,lb, el ? Otd iff there exists d ) 0; J ,V ,lb - 6,bl ts 4t J,V,lb,ell: o,Q iffthere exists d ) 0: J,V,le,e + d] F d,

Modality

where .7 and v are the interpretation and value assignment, as defined in Chap. 2 for IL. The notions of ualid'i'ty and sati'sfi'abil'ity are defined as for IL' We introduce the following abbreviations:

qd = Q,otd q"rl, = og/lJ, The modalities

reads "for some left neighborhood of the end point: /" Ty'" reads ,,for some right neighborhood of the start point:

of and oi

are called the conuerses of the modalities

Q

Or, respectively.

The following semantical calculations show the meaning of

Of

:

J,V,lb,"]? rytO lfr J,V, [b' F O,Orb "] d' ) 0: J,V,le,e + d'] qd iff there exists F iff there exists d ) 0: J,V,le - 6,")? O

144]

Intervals reachable from "reference interval"

(A)

Nonpoint right neighborhoods

(A)

Nonpoint left neighborhoods

(B)

Strict prefix intervals

(B)

Intervals which have the reference interval as a strict prefix

(E)

Strict suffix intervals

(tr)

Intervals which have the reference interval as a strict suffix

and

193

11.3 Adequacy of Neighborhood Modalities In this section, we show that the six basic unary interval modalities of [44] and the three binary interval modalities (i.e. C, T and D) of [1a8] can be defined in NL. The six basic modalities of [44] are denoted by the symbols listed in Table 11.1.

.

The meaning of these six unary modalities and the three binary modalities

^, T and D is given by:

J,V,[b,"] F (A)d itrthere exists &> ei J,V,le,") l,b 2. J ,V,lb,"l I (A)d itr there exists a 1b : J,V,la,bl l: d 3. J,V,[b,e]l @)Q iffthere exists a such that b 1a 1e and {f ,V,lb,a)l Q. 4. J,v,[b,"] F (B)ditrthereexists a>e: J,V,lb,")a6. 5. J,V, [b,e] [ (tr)/ iff there exists n such that b < a 1e and J,l ,la,e)l $. 1.

wherea:e-6. o

A similar calculation for Of establishes that

J ,V ,lb, ? Oi',! iff for some 6 ) 0: J ,V ,lb,b + dl F ti "]

'

6. J,V,[b,u]

wherea:b+6. 6 We use the same conventions for precedence of the morla,lities introduced in this chapter as for IL (see Sect.2.1). Hence, the trrra,rv tnoclalitics hiivtl the same precedence as n and O, ilrr
I

(tr)d itr there exists a 1b: J,V,la,"] ?

7. J,V,lb,"lts d^rb iffthere exists m €lb,elt 8.

J,V,lb,^]l

J ,V,lb,el ,bTr, if1 tlrcrc exists = n

) e'. ,/,V,le,ct,] ! /

!). .'I

l:

S and

O.

l/,V,lm,e)1,!.

and

J,V,lb,o,)C4t.

ir,rrrl

!/,V,lrt,,rr]

rltD'lt

'V,lb,t'l ifl'l,lrrrrrr cxisl,s rr z,

lt'. ,'/,V,ltr,,lt) !

ry'

I

i/r.

L94

11.4 Proof

11. Neighborhood Logic

i]..l

Theorern

(Ad,equacy) The aboue nin,e modalities can be erpressed'in

NL. Proof. The following equivalences establish the theorem. The validity of each of them can be easily concluded by using the semantic definitions.

(l )

In the following axiom and rule schemas, O is a parameter, which can be instantiated by either Q or O". As is usual when a schema is instantiated, the instantiation must be consistent for all occurrences of O in the schema. We adopt the abbreviations

0) guarantees that the right expansion is a nonpoin,f interval.

2. \A),b <+ q((l > 0)^,/), where (l > 0) guarantees that the left expansion is a nonpo'inf interval. 3. (B)d c 1r.((!.: r) n €,((l < r) d)), where of clefines an interval that ^has the same beginning point as the original interval, and (l ( r) stipulates that the defined interval is a strict subinterval of the original interval.

4. (Ft)O <+ 1r.((t.: r) n ry,(Q > ") d)). This equivalence is similar to that ^for (B)@, except that (l > r) is used to stipulate a strict superinterval of the original interval' 5. (E)d ++ -r.(((.: r) n q(Q < ") d)). This equivalence is similar to that ^for (B)@, except that here of defines

to stipulate a strict superinterval of the original interval'

7 O^4' Q 2r,y.((!: r *il AqW:,,)n O AO,((l': Y) Alh))), where (l : r -t !)) stipulates that the two consecutive right expansions of lengths r and y exactly cover the original interval' 8. OTrl, Q 1r,y.((L :r) n O'((l : v) A O AOt(Q' : r * U)Atl))), where (l : r * a) guarantees that the left expansion, of, exactly covers where

no1((!.: a) A O Aai(V.: r'r a) A i')))' (l : r ]' a) guarantees that the right expansion, of , exactly

covers

r

secti<11 w
-O-

-

-Ooo.

Interval length is nonnegative:

it

strl, o['

!.> 0.

o Rigid formulas are not connected to intervals:

NLA2 r

Od => /,

provided

/

is rigid.

A neighborhood can be of arbitrary length:

NLAS

r)0

+ 9(1.:r).

o Neighborhood modalities

can be distributed over disjunction and the exis-

tential quantifier:

+ (oo v o,.l)' NLA4 o(ov'l) a1r.$ + 1r.a$. o A neighborhood is determined by its length:

r

NLA5 o((!.: r) il + n((!.: r) + O) ^

.

Left and right neighborhoods of an interval always end and start, respectivelv, at the same point:

NLA6

11.4 Proof System Irr this

LI:

NLA1

the original interval and its left expansion, Q'

n

!o,.tt

To formulate the axioms and inference rules, we need the notions of fl,erible and rigid terms and formulas, as introduced for IL. A term is called "flexible" if it contains temporal variables or !. A formula is called "flexible" if it contains flexible terms or propositional letters. A term or formula is called "rigid" if it is not flexible. The axiom schemas of NL are:

the original interval and its right expansion, O''

9 $D{ € 1r,y.((l: r)

o: e Iq,iro:o"

1\-

-o.

an interval that has the same ending point as the original interval.

6 (tr)d + =r.((t.: r) n oi((l > r) d)) ihis equivalence is similar to that^for (E)/, except that (1. > r) is used

195

11.4.L Axiorns and Rules

1. (A)d <+ o,(((. > 0)^ d), where

System

QOq, -) nad.

196 r

11.4 Proof

11. Neighborhood Logic

NLAT

r) +

(d

e c(((':

We list and sketch proofs of a set of theorems which can help in understanding the calculus.

The first deduction to be derived is the monotonicity of n:

") ^ d)).

NLI

o Two consecutive left or right expansions can be replaced by a single left or right expansion, if the latter expansion has a length equal to the sum of the lengths of the two former expansions:

d =+

,h

I

Zr!

+

Zrlt

.

Proof.

l.

(r>OAy>0) + (o((l : r) no((l : y) Aod)) <+ o((!: r +y)^od)).

NLAS

L97

lL.4.2 Theorerns

Left neighborhoods of the ending point of an interval must be the same interval if they have the same length, and, similarly, right neighborhoods of the beginning point of an interval must be the same interval if they have the same length:

(!.:

System

4

=+

rh

assumption

2. -1b + -d 3. O-t! + O-d

1., 2.,

4. -Q-cb

3., PL.

) -Q-tft

PL NLM

The rule schemas of NL are:

NLM NLN MP G

If

6 .+

If

@ then !@.

/ If / If

and

O$

ry' then

+

Atl:.

(monotonicity) (necessity)

d + ,h then r/.

then (V")d.

(generalization)

1. (0 > 0) + 2. O (!.: 0) 3. O true

logic.

similarly to IL, the proof system also contains axioms of first-order predicate logic with equality, including Q1 and Q2 with side-conditions: e rs lree for r in p(r). and \either d is rigid or d(r) is nrodalitv

(:t

\ free )

Theorem 11.2

(Sound'ness)

,f lOthenlr!.

false.

o(l: 0) NLA3 (0 > 0), 1., MP

NLM.

The second part of NL2 is an instance of

NLA2.

tr

The following theorem proves the truth of the inverse of NLA4. '

where a formula is called modati,ty free if it contains neither Q nor O'. The proof system also has to include a first-order theory for the time and value domain, i.e. a first-order theory of real arithmetic. We shall discuss this issue in Sect. 11.5 with regard to the cornpleteness of IL and NL' The notions of proof, theore'm and deduct'ion are defined as for IL' The soundness of the NL proof system can be established by proving the sounclness of every axiom and rule. In [93], NL is encoded in PVS and the soundness of NL proved.

+

Prool. Note that a reference interval is neither a left nor a right neighborhood of itself when its length is nonzero. That is, Q and O, are not reflexive, and ,h => Od is not valid for an arbitrary formula /. So the proof of the first part is a little tricky:

(rnodus ponens)

The monotonicity and necessity rules are taken from modal logic, and the modus ponens and generalization rules are taken from first-order predicate

Ql Vr.d(r) + A\0) Q2 O@ + lr.d(r)

true. Ofalse O

NT,2

(ofv oID =, o(Ov rb). 1r.Ort' =+ O)n.Q. Proof. Proof of the first part:

NL3

7.d .+ G'v $) Od + O(6v ,h)

PL

2.

1.,

3.

PL

d' + (Ov ,l)) 4. arb =+ o(dv ',b) 5. (od v ori

)+

NLM

3., NLM o(d v 1r) 2.,4.,PL.

Proof of the second part:

+

l. S 2. O(b

1r.$

+

i\. Y.r.(Orf

.+ Q1:r.4t)

4.Yr.(Otlt > l-r.

l:r,.O,/r

PL

O1rll>

i

O'1r.r/) O1:r'.r/

-1 (1r.Qtlt -+ O!r.r/)

1., NLM 2.,G

PL, rr is not frcc in O1r.$ :|.,4., Ml'. t1

198

11.4 Proof

11. Neighborhood Logic

The modalities

NL4

n

.o => ao.

(od A tr?r) + o(d (nd .r',) ++ t(O ^'i)

1. 6'o0 +!aod +!-od 2. O"oq t, -o6

^rlt).

Proof. We present proofs of the first two parts only. Proof of the first part:

.o =+ =+

+

+

o(d v -d) NL2, PL Od v O-d NLA4 Def(!), PL. od

+

o(- o/A o -od) +oo(od A -od) * false

3. -"oq

ni/

o((d 1/) v (o ^-rhD ^ (o(d ^ v o(d^-,i/)) ^1b) Dd,) v (o-/^ (o(d^'/)

+ + + o(O 0 ^ ^

E,l, n{)

PL,NLM

^

Pr, PL, Def(n)'

n

6 + cd. NLs -"o4 e o6.

^

+c4 3.0

that

PL,NLM

r

PL, NL2, NLM

2.,PL.

^

n

From NLA6 and NLA7, we can derive more properties of combinations of

-.

r

is not free in

@:

NL6 a"rd e nO. (oo n o-a) € o(dn-ir). Proof. The proofs of these theorems are similar to those for NL5, and are n omitted here.

NLAT

1.,PL,

l..NL5(part 1).PL NL4 (O" : o a) NL4,NLM

o-O + !!@.

U).

Proof . Proof of the first part, where we assume

1. (L: r) n rf + c((t, : r) d) =, O"d ^ 2. 1r.((L : r) A 6)

NLA6, NL1

oo A 4"4, +od A tra1/NLA6,PL + .(d o ?/) NL4.

O, O and

O'u) <+ o(d^ a

=+ orP

NLA6(O"O:OOO)

Proof of the third part: The direction € follows from PL and NLM. The following proof estabIishes the direclion +:

NLA4

As explained above, O is not reflexive when the length of the reference interval is nonzero. However, O" is reflexive, and the intervals reachable by of and $ have the same ending and beginning points, respectively, as the reference interval. So we can prove the following theorem'

(od

- o@ A a'-op

tr

_}

Proof of the second part:

od A o4)

199

Proof of the second part: The direction + follows from the first part when NLM is applied. The following proof establishes the direction J:

and O have the typical relations of modal logic'

^

System

not free in C$

+ (1r.((.: n)) A d PL =+ 1r.((!.: r) n O) PL,r not free in 2.,3.,PL. 4. ,b =>
In order to understand the application of NLA8, we prove the following theorems. In the formulation of these theorems, we assume that (r > 0) and (v 2 o).

@

11.5 Completeness for an Abstract Domain

11. Neighborhood Logic

1. (!.:

r) + (o((!.: a) A od) <+ c(((.: r + y)

((:r\ NL7

5.

od))

1.."((1.: r) n c((!.:

c 2.

=+

(:,,:;.,o,] ?*a^."(((:y)n d))) ( ottn: r) n o((/: o) n Ol) \

3.

4.

^

\<+ O11f : r

(y>r)

l_U)A Oc((/

: fi

no))

-"11

^

od))

r) n o((1. : y -

r)^

Od)) NL7 (part 1)

:r) no((l :u - r)Aod)) : n) A a"o((|. : y - r) n oo

=+O(((.:y*n)nO$)

3. true + 4. Otrue +

)

+ ( U"rro: r)A o'((( = y)n od)))

(y>r) +

+

O'11t = -"11!.

e)

S.

\o ottl:e-r)^od) ) ( O"rto:r)A o"((( =a) AO)) \ \<+ Ottf : !/ - x)n O"(( ( = sl A il) ) .

Q"(!.: r)

((.

=

r)

o a ((.:

r)

6. o(((.:y*r)Aod)

NLM,PL NL5, PL

PL,l'{LA3 3., NLM 4., NL2, MP

O"(1.: r) n O'O((l : y - r) n a$) 5., NL5, PL y - r) od)) NLs + o(O (!.: r) ^o"(((.: : y - r)^^ od)) NLs + o o ((l : ") ^c((t!. 7. o"(((. : n) A ry((. :s) A od)) <+ o((l : a - r)A od) =+

Proof. Proof of the first part:

!:r

. (oy:il^oil

A

O((/

-

\

y1

n Oil) )

\ + (o(tt=fiAa6) :r*A)nOil) O'ttf \<+

NLA8, NLM, PL.

= Zraratnrll) reads "for all intervals: 'ry'". Theorern ll.3 (Ded,uct'ion) If a deducti,on f,Ol 4,, i,nuolues no appl'icati,on Dolb

of the general'izat'ion rule G i,n whi,ch the quantifi,ed uariable'is free in S, then

(=n

flJaf*Ib.

(otro=y)A6) o11f

:

y)A Oc(((

: il

A o))

\

C"11f

=

r-t !/)A O"((( :

!J) AOD

Prool. See [130].

NLAT

)

('rtn:s)^il

\ )

Nl7(part

1).

We now give a proof of the fourth part, Ieaving the proofs of the third and fifth parts to the reader. Assume y

2.,6.,PL.

A deduction theorem can be proved for NL which is similar to the deduction theorem for IL given in Chap. 2. The following abbreviation is useful for formulating the theorem:

NLAT

Proof of the second part:

\<+

1.,

n

=? <+ O"ttZ : r) \

\<+

201

) r:

11.5 Completeness for an Abstract Domain So far, real numbers (lR) have been used as the time and value domain for IL and NL, and we have indicated that each of the proof systems of IL and NL considered has to include a first-order theory of real arithmetic for its time and value domain. In this section, we discuss the issue of completeness of IL and NL with regard to the first-order theory chosen. Given a first-order theory of the domain of time and value, denoted by ,4, zr forrnula is A-uali,d if it is valid for any time and value domain satisfying

A. '[tr slrow l,lu, r:ttrtt,,,tl,r'l,ttr,r:ss of IL or I'{L 'with rr:spect to A-ualidi,ty, one must slrow llrir,l, ilrry;{ vrrlirl ll, or N[, frlrrrtula is 1lr
lotrrtritr.

202

11.5 Completeness for an Abstract

11. Neighborhood Logic

This completeness is called completeness fo'r an abstract d,ornain.

In this section, we assume that "4 always includes the following axioms. Dl Axioms for :: 1 l-

J, -_^

-

L.

2. (n:A) -+ (Y:r). 3. ((r: Y) n(A: z)) + (r: z). 4. ((rt = yr) n..' A (*,: U,)) ) (f"(*r,...,rn) : f (At,...,un)), where

5. (("r :

where

D2

/"

is an n-ary function symbol.

yr)

G'

A... A(rn : U)) * (G"(r1,...,rn) € Gn(At,...,?ln)),

is an n-ary relation symbol'

Axioms for

):

1.0>0.

2.(("> 0)n(y>0)) + (r+E)>0. 3.(r>a) c )z >0.(":(Y+z)). 4. -(n > ,A) <+ (a > *), where (E > r) = ((a 2

")

n -(Y

:

r)).

e y:(y*z).

The above axioms constitute a minimal first-order theory that can guarantee the completeness of IL and NL with respect to "4,-validity. However, they are far away from the "best" theory to characterize real numbers. For example, a singleton of 0 will satisfy all the above axioms. One may wish to introduce multipl'ication and di'uision, or to have additional axioms and rules that capture more features of real numbers, such as lhe infini,ht,de and the density of the reals, as follows.

D5

Axioms for infinitude:

D6

1:.((:r

If I

Theorem 11.4

(Soundness)

Theorem ll.5

(Completeness)

Q

thenF"q6.

If l"qd thenl

$.

theorem can be given by proving that each

axiom is sound and that each inference rule preserves soundness in the sense that it gives a sound formula when applied to sound formulas. A proof of the completeness theorem for IL can be found in [27]. One can first prove the completeness of the calculus with respect to a kind of Kripke model, and then map the interval models to the Kripke models. Following [27], a completeness proof for NL is given in [9]. Rernark. In [38], there is a similar completeness result for DC for an abstract domain. The main ideas are the following:

1. The induction rules IR1 and IR2 are replaced by an c,-'-rule to axiomatize the finite variability of states. Let us use {S, -,5} as the set of complete state expressions to explain the cu-rule. In Sect. 3.3, we introduced the

[l

rAi+'(s)

FAi(S) v ([Sl^F,40(S)) v

'l'lrc r,r t'ttlc t'ittt lrr' [irrrrrtrlirl'rttl

Axioms for
) u) )

Ln A-model Mn is a pair consisting of an ,4-set, i.e. D, and an interpre-

r-40(s) = :'

(n-rI)>*.

(rr:

r nntvp = {[b,e)lb,e €lDAb(e], . %r : GVar -+ D, . Jm(u) : Ilntvp -+ D, for u € TVar, and . Ju,(X) :llntvp -+ {tt,ff}, for X € PLetter.

abbreviations

1.1>0. 2.

Given ,4, a set lD is called an ,4-set if the function symbols and the relation symbols of IL or NL are defined over D and satisfy "4. When an " -set D is chosen as a time and value domain of IL or NL, we denote the set of time intervals of D by llntvp, denote a value assignment from global variables to D by Vp, and denote an interpretation with respect to ID by "fi1:

A proof of the soundness

D4 Axiom for -:

@-a):z

'. :)

A

(: "

U))

.

203

tation .7n. The truth value of aformula 6 of IL or NL for the.,4-model ,AZp' value assignment vp and interval [b, e] e llntvp is similar to the semantic definitions given in Sect,.2.2 for IL and Sect. 11.2 for NL. We write My1,Yyn,[b'e] fu d to denote that / is true for the given "4-model, value assignment and interval. Formula $ is A-ualid (written 11 il iff @ is true for any "4-model Mn, value assignment V11 and interval lb,el e llntvp. $ is A-satisfiablelff / is true for some ,A-model "Alp;, value assignment Vu and interval [b, e] e llntvpr. The proof systems of IL and NL are sound and complete with respect to the "A-models. For both IL and NL, we have:

Axioms for -l-:

7. (r -l0) : (y+r). 2. (r+y) : ". : (r-ta)+2. r*(:a+z) 3. a. (("+y) : @ +z)) -+ (Y : z).

D3

Domain

lf I

ll(l"A' (,5)), lirl

lrr,rr /l

(|

r'lr,)

,

its

rrrrv i

([-Sl-

F.4'(S)).

-1

204

11.6 NL-Based Duration

11. Neighborhood Logic

basis of the finite variability of states, we can calculate /S over an interval of llntvn, (given an '4-set lD and an interpretation -hr) by stunming the lengths of the subintervals where the valuc of S is the constant 1 rrnder Therefore, we can avoid thc concept of an integral w-hen we define

2. On the

"7p.

the semantics of ./S for an abstract

domain.

n

11.6 NL-Based Duration Calculus

[130] . )

The incluction mles for this Nl,-based Dc are restricted to fonnulas ,I{(x) havirrg a specific form. Let x be a propositional letter and @ be a formula in which X
rRr

Suppose two processes are competing fclr a resource and Si(l) : 1 denotes that process i (i:1,2) iras access to the resourcc at time f. Assume that s1 and Sz are mutually exclusive (i.e. -(S1 n ^92)). w-e can use thc following formula to specify an cqual clistribution of the resource in the sense that the two processes should eventually have the sarne access time

to the resource:

) 0. =:[..il.

where e and

7

>T

+

l/Sr

-

JSrl < .),

are regarded as global variables'

Liveness The following formula specifies that the state,S occurs infinitely often: tnf

(S)'

n'O'O'[Sll

.

For example, an oscillator is spccified for S bv

If H(ffi) and 11(x) =+ H(x vV;'-,(r^[fs;11)) t

205

Equal Distribution

Ve

An Nl,-based duration calculus can be established as an extension of NL irr the same way as DC was established as an extension of IL in Chap. 3' The indlction rules of DC mlst, however, be weakened when t|e DC is based on NL, as it turns out that the origirral induction rules for DC are nrlt sclund when the DC is an extension of NL [130]. (A counterexample is given in

Calculus

inf 15) n,n/(-S).

hen H (t rue)

Strong Fairness

and

IR2

If /1(ffi) and 11(x) .+ H(x vVl'([s,l^x)) then 11(true)

,

,S' are statc expressions which are complete. 11 the Nl,-based Dc, the deduction theorem and relative-r:ornpieteness result can also be proved 1130] in a way similar to the proofs presented in Cliaps. 3 and 5. Completeness {br an abstract dorrrain can aiso be proved if we replace the above IR1 and IR2 by the c"'-r'ule. As a possible applir:ation cif the Nl-bascd DC, we introduce belorv some icleas about liow tr.i ()xpress state transitions, liveness ancl fairness in-ithin this

where

51 , 52, . . . ,

If

,51 clenotes

a request for a resource and ,92 denotes a response from the

resource, then strong fairness requires that if rcquests occur infinitelv often then responses rnust occur infinitely s16.r. This can be formulated as

inf (Sy)

+

inf (Sz).

Weak Fairness The following formula express the condition thal a state

sto.bili,ze(S)

State Tbansitions The atomic fornrulas\S andf S given irr Chiip.9 r:art lrt: rlr:firrtrrl irt llttr Nl-basecl DC. The dcfinitirxis iLrtr

\,s'orll,sll ..',

/,\

ll,\'ll

1

after some tilne:

logical fiamework.

11.6.1 State TYansitions, Liveness and Fairness

s stabilizes to s -

where

- O'n' llSl *

,

[Sl- = [l] v lf,Sl as in Sect. 10.3.3. rc
wcak fair.ncss 1,lrr:r'c will lrc t<'slronsrr flrrm slrt,lt'i.1.'i.,.r'(,\1\

:

1,lie

irt.l (,5'.').

for a lesourcc stabilize, then resoilrce infinitely often:

206

11.6 NL-Ba^sed Duration Calculus

11. Neighborhood Logic

I1.6.2 Example: Delay-Insensitive Circuits A delay-insensitive circuit is a circuit which can behave correctly regardless of the delays in its components. Its components may have unknown delays, which may even vary with time because of, for example, dependences on data or temperature. In [52], there is a DC specification of a delay-insensitive circuit and a proof of its correctness. This specification contains a free (global) variable for each component, denoting a changeable delay. The introduction of these free variables makes the specification and also its correctness proof rather clumsy. However, by applving the Nl-based DC, we can model delay-insensitive circuits succinctly. Let us use an example to explain the main idea. Figure 11.1 shows a delayinsensitive oscillator, which has an input P and an output Q and consists of a C-gate and an inverter with unknown delays.

C-gate

Fig. 11.1. A delay-insensitive oscillator The input P and output Q are modeled by state variables

P and Q, i.e.

P,Q , lfime -+ {0,1}. The behavior of the C-gate is: if -(P ++ Q) then I will take the value of after a delay, and if P <+ Q then Q will retain its value after a delay. This can be specified in the Nl-based DC as CG ; CGL A CG2 A CG3 A CGa,

P

where

CGt

= tr,([Pn-Ql + qo,[Al)

CGz = n.(lf-P^ 0l + o'o,ll-Q]) cG:t = tr,,([P A Ql + q,o,,ll(jl) OG4 e tr,([-/'A ,Q] + O,,O,,l[ .Qll).

207

The behavior of the inverter is: P will take the complementary value of after a delay. This can be specified as 1G I IG1 A IG2, where Q

IGt' n"(llQl + O,o,ll-Pl) IGz = l"(ll-Ql + o,o,[Pl). An oscillator is a circuit whose output cannot be stable:

oC = inf (Q) n tn|1-91

.

The above circuit is an oscillator no matter what the initial values of P and Q are. That is, we can prove

(CG^IC) +

OC.

12. Probabilistic Duration Calculus

12.1 Introduction This chapter provides a DC-based approach to the analysis of the dependability of real-time systems. For a safe gas burner, a flame detector designed to detect failure of the flame of the burner is necessary. However, no flame detector is perfect. That is, no flame detector will always be able to detect a flame failure immediately. The dependability of a flame detector can be described by a probability function that depends on time. Therefore, undesirable behavior of a gas burner with an imperfect flame detector may not be avoidable; the dependability of the gas burner relies on the dependability of the flame detector. In this chapter we shall use a probabilistic automaton to model a faultprone implementation of a system, where transitions are attached to (historyindependent) probabi,lity functions, following an idea presented in [45, 77]. We shall also develop a probabilistic extension of DC. Using this extension, called probabilistic duration calculus (PDC), we can calculate and reason about the system dependability of an imperfect implementation. This chapter is based on 186, 87, 89, 90] and concentrates on discrete time. Transitions of a (discrete-time) probabilistic automaton can take place only at discrete time points. Each transition of a probabilistic automaton is labeled with a constant p (0 < p < l), which is the probability of the transition occurring in one time unit. A continuous-time version is presented in 1221. In Fig. 12.I, a (discrete-time) probabilistic automaton to model an abstract implementation of the gas burner is shown. For the gas burner automaton, we assume that the gas and the ignition are turned on at the start, and that the gas remains on throughout the time period of interest. The ignition is ideal and instant, so that the flame is established whenever ignition is applied. However, the flame may disappear at any discrete time point, and cause a gas lcakag
12.2 Probabilistic

12. Probabilistic Duration Calculus

2t0

Pt

(:

Ptz

1)

Pz

(:

o)

Leak

NonLeak Pzt

Automata

2I1

t2.2 Probabilistic Automata A probo,bilisti,c automaton is a tuple

PA: (V,zs,r),

where

1. V is a finite but nonempty erclusiue and complete set of state variables, i.e.

Prt

Pzz

!ret

F,ig. 12.1-. Probabilistic automaton: abstract implementation of a gas burner

P€V and

In this gas burner automaton, p1 and p2 ate the probabilities of the gas burner starting in Nonleak and Leak, respectively. By assumption, the gas burner always starts in Nonleak, and hence Pt = r and p2: 0'plr is the probability that the flame keeps burning for another time unit, i.e. the probutritity for the gas burner to remain in Nonleak for another time unit. The probability that the flame fails in one time unit is p12, i.e. the probability for lh" gur burner to transit from Nonleak to Leak in one time unit. Therefore, 0

( prr < 1, 0 < Ptz I land

P11

p

2. rs

p"r(

1, 0

I

Pzt

I

1 and Pzr

*

P22

:

thr1sc axi
lo csl,irrrir,l,c l,lrc lrlolrtrlrilil,y I'lrir,1,1'lrc ttrrlttittrtttcttl,s rlf' will lrr,violir.l,r'rl lrv llrc itttl,ottt;tlotr sltowtl irr lfi11. 12.1.

mass functi'on and must

Ep6yrs(P) = 1. Note that rs(P) is the probability that the automaton starts in state P.

3.

r : V xV

-+ [0,1] is called the single-step'p'robabi,lity transiti.on fun'cti'on and must satisfy the condition

Eqqyr(P,Q) :1, forevery

1'

Given this automaton as an implementation of the gas burner, it is interesting to know the satisfaction probability of this implementa,tion with respect to the two design decisions (Des1 A Des2) in a given time period' with PDc, we provide axioms and rules to calculate and reason about such saLisfaction probabilities. The continuous-time probabilistic automaton described in [22] preserves the Markov property (i.e. the property of history independence), but assigns to each transition a probability of choosing this transition and a density function to determine the probability that the automaton performs the chosen transition in any time Period. In Sect. 72.2, we shall present a mathematical definition of a (discretetime) probabilistic automaton, and introduce the satisfaction probability of a Dc formula with respect to a given automaton. In Sect. 12.3, er set of axioms and rules will be established in or
: V -+ [0, 1] is called the ini,ti,al prohab'ili,ty

satisfy the condition

since

04

-e,

forany P,Qe Vand P#Q.

I Pn : I,

in Nonleak the gas burner can, in one time unit, make either an idle transition, thereby staying in the Nonleak state, or make the other possible transition to reach Leak. similarly, the probability that a missing flame remains undetected for another time unit is p22, and.the probability that a missing flame is detected in one time unit is Pzt, and we have

=+

PeV.

The gas burner automaton of Fig. 12.1 is a tuple

V,

r

ze and

PA: (V,r6,r), where

are defined as follows:

1. The set V is given by

-

1z

{Nonleak,

Leak} and

Nonleak <+ -Leak.

2. The initial probability mass function is given by rs(Nonleak)

: Pt:1 and rs(Leak) : Pz:0.

3. The single-step probability transition function is given by r(Nonl
l,
-

= ptt

p12,

r(l,r'irli, l,r';r.li)'l)2.t, r

(l,r,rrh,

Nrrrrl,r'irli)

'l)'tr

.

,

212

12.2 Probabilistic

12. Probabilistic Duration Calcuhrs

L2,2.1 State Sequence The behavior of a probabilistic aritomaton PA c:an be defined by its state seqlrences. Given a positivc integer f, a sequence of states in V

defines a possible bchavior of PA for the first t tirne units. The automatorr starts in P1 and rerna,ins there for one time unit. Then it rnakes a tratrsiticin from Pr to Pz and remains in P2 fcir another one time urrit, and so cln. It cunpletes f - 1 trarrsitions artd sti,rys in P1 for one time unit. For state sequcrlces strch as o, wc also use the notation

\Pt,Pz,..-,Pt).

p,(o)

o 0 < pl(o) 1!, for o EoEy, 1t(o) : l.

:

ro(PL)' r(Pt, Pz)'

"''

r(P7-1, P1)'

o

€Vt,

a'nd

Proof . The first part is obvious frorn the definitions of p,, ro and r. The second part can be proved by inducticin on f using the following facts:

yt-rt - VLV : {rr^o,

I o1

€Vt

Aoz e

V}

p((Ncinl,eak)):pr =1

] state sequen ces of length J" : : p; yr((NonLeak. Norrleak) ) P1 Prr l p((Nonl,eak,Leak)) : py p1,2: pt2 I state sequen ces of length p((Lcak.Nonl-eak)) : Pz' Pzt :0 t p1(Leak. Leak)) : P:' Pz'z: 0 ) yr1(Leak))-Pz:0

Note that the sum of the probabilities of all state sequences of length 1 is 1 and that thc sum of the probabilities of all state sequences of icngth 2 is 1. Irr fact, given anv length I ) 0, the surn of the probabilities of all state sequences of length f is 1, as we shall prove belorv. Given arr arbitrary probabilistic automaton PA: (V,r"0, T) 1 the probability function

I V* -+ [0,1]

P) :

il,' r\l't r./i) il,t

p@)

.

n 12.2.2 Satisfaction ProbabilitY

r r

0

(!'r,/f,,

ry', we

The statement that the forrnula t/ holds for a given state sequence o € V*.

The probability that

/

holds for all state sequences

in v"

rn''here

I is a

ilonnegalive integer'. To this encl, rn'e assume that PA starts at time 0 arrd we consider discrete interpretations over the state variables in V over discrete tirne intervals [0, t] fcir the first I time units. A state sequence o € Vt of PA determines the presence and absence of tiie state variables in L/ in the first f timc units, and thus defines a disr:rete interpreta,tion (see Chap. 6) of the state Variables in V in thc interval [0,1]. For exarnple, the state sequence

(Nonleak, Leak) dcfirrcs a cliscrete irrterprctation inherval [0,2], [
is definctl as follows:

(t 1,,,(/',) r(/i./r,)

Ep6y 1,t(o^

For a given probabilistic automaton PA: (V,r6,r) and DC formula shall define the following concepts in this section:

calculate

lt\(t)

a,rry

and

For example, for the gas burner autolnaton strown in Fig. 12.1, rve cart

lr

Furthermorc, l
for

l:0,

the state scquence is empty (written 0). Tlie probability that PA starts in Pr is defined by the mzrss function as ro(Pr), and the probability that PA makes a transition from fl to P,a1 is defirred by the transition function as r(P,, P,+r). Theteforc, the probabilitv p,(o) that PA follows thc behavior o is

When

21'3

Theorem l2.L For u,n'u PA: (V,ro,r) and non'negat'iue'intetler t,

PrPz"'Pt

o:

Automata

7 for Leak

(anr1 thus

for Nonleak) in thc

/tt li,r o<. l<1 II|orI- l..:'2.

l.'lrr,rr'llr,'r;rlrr,',,1 l,r';rlil ;rl llrr,r'rrrl ;roirrl ol l{l,ll i:l ittlllr':rtrl ;rtrrl tlill rr,rl llrr,lrrrtlr,,l;r l)('l.nultl:r,rvll ltrr.inlltvrrl ltl,:'}1 1,r,,tirllrl llr;rl l,r';rli

;rlli,r.t

,/i)

;rrr,l l\r,trl,,';rl,;tt,'llt,

rrttl\ r,l;tll't;tli;rl,l,'r'

trlti,lt,,,rtlt

tll lllr'lllllllll;t

214

12.3 Probabilistic Duration Calculus: Axioms and

12. Probabilistic Duration Calculus

We say that, T. is cons,isten,t with the above state sequence in the interval This gerreralizes easily to arbitrary state sequences' [0,2]. ' A DC forrmrla ry' is called av-formula if @ contains onlv state variables in v, and does rrot contain temporal propositiorlal letters. The truth of 95 is therefore inclependent of the interpretation of temporal propositional letters and of state variables outside V. Fcir any v-formula @, value assignrnent v aild state sequen(:e o e J,rt, we say

that $

for o

hold,s

r,v,lo,tl

giuen' V,

written

o,V l:

Q,1f

c o,

where Z is any discrete interpretaticin consisterit with o for the state variables

in V in the interval [0,1]. In the follclwing text we shall always refer to an arbitrarily given value assignment, but, for simplicity, we shall not mention it explicitly' ihe probabil'ity tho't PA satisfi'es a V-form'ula $ ouer the i'n'te'rual l],t], denotecl bv p(d)lt], can be defincd as the sum of the probabilities of state

I

and satisfv /' scquences in of state Let Vt(O) be the set

sequences which are of lerrgth

Vi

which satisfy

@;

thcn

consider the probabilistic automaton PA defined in Fig. 12'1- The first design decision (Des1) for the gas burncr,

r(lfleakl

=+ !' < I)

is a V-formula, where J,r

-

{Nonleak,

Leak} and Nonleak g

-Leak

'

The set of state sequences of length 2 satisfying this formula is

:

{(Nonleak, Nonleak), (Nonleah, Leak), (Leak, Nonleak)}, and we have the result that tire satisfaction probability overr the interval [0,2] V2

(nes1)

is

p'(Des1)l2l: p, 'Ptt

*

Pt 'Pt'z

t Pz'pzt : I '

So the gas burner automaton shown in Fig. 12.1 represents a fully depcndable implerncntation of thc gas burner in thc first two time lrnits as far as the first design decision is coricerned. Si'ce (Vi,p) is a probabilistic space (Thec-rrern 12.1), thc following tlrtrrirem follows frcim thc defirrition of ihe satisfiltrti
Theorem 12.2 For rt,rr,'u I'''1 u'rtl' l)'"(l'

t 0 1- 1r(rfilll < l, .litr rr'rtt1 l . yr(lrrrr')l/l I

.[rttttttt'l'rt' 'l'

215

12.3 Probabilistic Duration Calculus: Axioms and Rules In

accordance

with the defirrition of the satisfaction probability given in

Sect. 12.2, this scction proposes a set of axioms and rules to calcula,te and reason about p,(4r)ltl with respect to an arbitrarily given probabilistic automaton

PA and V-formula /. Since il(/)[l] is a real number and J is a nonnegative integer, PDC is an exterrsion of real arithmetic and integer arithmetic. PDC is also an exterrsion of cliscrete-time DC u'hich can derive properties of V-forrnulas. The proof systenr for PDC presented here is not cornplete, but [40] provides a complete calculus for a probabilistic neighbor'hood logic.

12.3.L Syntax Syntacticallv, PDC extends real and integer arithructic with p(/)[t] as the additional terrns, where / ranges over the V-formulas of a given PA.

For exarnple, the following formulas are well-formed formulas of PDC with rcspect to the gas burner autornaton: 1.

tt?Dttl ? Eoev,(ilp(o).

Rules

p(GbR.er1)lt] - p, which expresses the condition that p is the probability that the gas burncr autclmatorr satisfies the requirentent itr the first t tirne

rrnits. ( (- Gb Req)ltl < p (- D e s y)ltl 1' p, (- D e s 2)lt] ), which expresses the condition that tire probability of violation of the requirement of the gas burrrer automaton is not greater than the sum of the probabilities of violation of tlie two clesign decisions. 3. Yt.(p(GbH.eq)ltl : 7 p"(-GbRe(l)ltl), which expresses how to calculate the satisfaction probability of the requirernent frorn its violation proba-

2. Y t.

11,

bility. In these exarnples, I is regarded as a global variable ranging ot'er nonnegative integers.

By proving the truth of the last tw-o fcrrmulas (2 and 3) above, one can estimate the dependability of the gas burner autornaton through tiie calcuIation of vioi:r,tion probabiiitics of the design decisions. hr the following, we shall use R,(p(il, t'bli)) as trn allbrcviation of Y

t. R

Q

t(

Oltl, 1,(r/) [r] ),

/i is ;r tcl;rliotr o{';ttillttttcl,itr. l,irl r,x;rrrlrl,,. llr,li,rrrrrrlirs 2;rrrrl ll;rlrovc t:;rtt

n,lrt'r'r'

1tl '(iltli,,1)

lrltiltlir,ll

I

1tl'l),;;r) I 7r( l)r';;') 1tl Iiltlitrl)

lrrr

rtlrlrtcviitlt'rl

a,s [trll
216

12.3 Probabilistic Duration Calculus: Axioms and

12. Probabilistic Duration Calculus

The axioms and rules of real arithmetic, integer arithmetic and Dc are taken as axioms and rules of PDC, as PDC extends these logics. In the following sections we list the additional axioms and rules for p, and assume that all formulas appearing in the scope of p' ate V-formulas' The proof system is presented in two parts, where the axioms a,nd rules in the first part are generic, and can be applied to any probabilistic automaton, while the axioms and rules in the second part are specific to a given automaton.

I

P(true)

:

t'@) +

F?6)

PA4

p'(GbReq)

- 1-

hold for the

sequences of length same sequences.

PA5

L'@)ltl

:

p(O

t !. :

l, the formulas / and (O A (. : t)

t)lt).

:

p(true

n(.:t)[t]: pt(L: r)lt] : t.

Furthermore, using PA2, we have

The additivity axiom of probability theory holds for PDC'

t'@v

p(Ir)ltl:a'

p(true)[l]

tt'(-GbRert)'

PA3 p(il + t QD :

p((^: t\t): r '

PDC2

Proof. From PA5, PA1 and PDC1, we have

: t.

From PA2, we can straightforwardly derive

p,Q

I t)ftl : r - p(t : r)[t] : o. n

rl') + P@ n'Q)'

A formula / holds for a state sequence of length i if and only if the formula : d) holds for any extension of the sequence to a length (f + d), where d is a nonnegative integer.

The satisfaction probability is monotone.

(d^ t

If $ =+ Ty', then P(il S tt(l')'

The following theorem can be easily derived from the above a,xioms and rules.

PA6

p(O ^ tl

:

d)

[f +

6]

:

p(illtl

.

Using this axiom, the following theorem can be proved.

: g. 2.0
PDCs

3.t@vjr) < 1t($)+u@).

Proof.

1. p(false)

PDCl

PA4 1 rr(d nth) S pk!) p(il + u(4') : tL(Ov 4') + p@ PA3 t. p(il: 1 * t'@v Ib) < p(d) ^rb) PAl, t1 +. p@) - 1 * p(O > t'(1,) ^$) p\h) 7.,4. 5 p,(d:1 * p(6A$): z.

Using this axiom, the following theorem can be proved.

1.

For any interval, S and -$ form an exclusive partition of all state sequences of any probabilistic automaton.

PA4

Proof. The proofs ofthe first five cases are trivial. The iast case can be proved as follows:

If we consider state

The DC formula "true" holds for state sequences of a1y probabilistic automaton in any interval.

PA2

217

n

12,3.2 Proof Systern: Part

PAf

Rules

4. If -(4) A iy'), then Lt(Ov ',lt) : p@) + lL(|,)5. If O e iy', then p(il : p\b) a. p(il : 1 * p(O A r!) -- t'(Ib) . .

p((O

^

l : t)^t/')lt+ dl <

p,@)ltl.

t'(@ t: t)^$)[t + 6] p(@ ^t (.: t)^1b A !.: t t d)[r + d] PA5 p(@ t, ! : t) ^ (rl,n l : d))[r + d] PDCI PA4 1 t'kh A ( = t) ',-f: d)[r + d]

: :

=1t,(tltn(-t,)ltl ,=

/,(,r)l/l

PA6 ['A]-r. t-J

218

12.4 Example: Gas Burner 2Ig

12. Probabilistic Duration Calculus

L2.3.3 Proof Systern: Part

In [90], PDC is extended with classical probability matrices, and the sat-

II

isfaction probabilities of many useful DC formulas, such as

The axioms and rules in this section refer to an arbitrarily given probabilistic automaton PA. We shall use the abbreviation

llPll' .

[Pl

^

t:7.

p(n_([Pll ^figl)), /,(o([P-ll ^ llQl )) , p(@ (true ^ IlPl )) ^ [8-ll), p(@ ^ (true ^ [P])) ^o [8] ) , ^

P([Pl')[1] : ro(P)'

For the transition probability function

PA8

It 6 =+ (true ^ liPl rhen 1r($^

r

of PA, we have

can be computed using matrix scalar products.

)

[8lt)[t + 1] : r(P,Q) ' tt@)lt).

L2.4 Exarnple: Gas Burner

Using these two axioms, we carl prove the following theorem'

1. re(P) :0 + /r(llPll^d):0. 2. r(P,Q) :0 + P(4^[P'11^[Ql'):0

PDC4

proof. The first part can be proved as follows. Let us assume r6(P)

I)

: [

3n4

1. From PA7, we can derive

pfllPl')[r]

:

p(n-[Pl), p(ollPl),

We refer to Sect. 7.2 fot the definition of lfPl'' For the initial probability mass function ol PA, we have

PA7

p(true^[P-llt),

In this section, we use PDC to give an estimate of the violation probability of GbReq with respect to the probabilistic automaton shown in Fig. 12.1. In obtaining this estimate, we assume that the time unit is one second, and we often reason informally in order to focus on the main ideas. Since

o;

(DeslADes2)

then

+

GbRerl,

we have

/,(llPl ^,il1t)

: /,(llPl'^([ I v [lPl) ^O)lt] PDcl

/r([Pl')[1] -0 When t :0, we have <

-GbReq

PDC3

Then, using PA4 and PDC1, we obtain

PA7.

p,(-GbReq)

/,(llPl ^d)tol = /,(([Pl ^d)^ (l:0))[0]

: p(false)[O] -0

PA5 PDC1

PDCI.

For the second part, let us assume

r(P,Q):0'

When

t)

1, using PAS we

p@^[Pl^[Ql')[t] : :

Therefore, the sum of the violation probabilities of the two design decisions is an upper bound on the violation probability of the requirement. In the next'two subsections, we use the proof system of PDC to derive recursive functions for the computation of the violation probabilities of the design decisions, i.e. we give programs (in terms of recursive functions) for computing pr(-Des1)lt) and p"(-Des2)[t] and prove the correctness of the Hence, using these programs, we can estimate the violation probability of

0.

0, we can follow the same reasoning

p(d,^liPl ^[0]lr)lol

S Lt(-DestV -Desz) I lt(-Dest) -l 1.t(-Des2).

p1'ograms.

can derive

when I

* (-Des1Y -Des2).

a,s

for tile first pil,r:t to llrrlvtr

= o.

the requirements as p(-GbReq)lt) < 1t(-De.s1)[f] + p'(-Des2)ltl. Thc
s l)t't2 l)r':t

|l

ll ", ( < 1) Il((lll,r,;rkfl ll ,l,cll:10). l l( ll l,r';rk

220

12.4 trxample: Gas

12. Probabilistic Duration Calculus

However, for the discrete-time domain, the second design decision, i.e. that the distance between two leaks is not less than 30 seconds' must be reformulated by taking into account the fact that each leak lasts for at least one second:

r((flLeakl ^if-Leakl ^fl,eakl)

+

('

> 32).

p,(-Des1)lt +

tr1(-Desr^

!.: l)lt + 1] :

fi

1)

p((Des1^(.: l) n-Dest)lt*

1], we expand Desl and exploit

the fact that

P]

(Des1- 1.: 1) A -Desr <+ (ffLeakl2 v (Des1^lf-Leakll ^lfl,eakl2)).

can be defined recursively by the program:

/'(o) - o /'(1) - o

From PDC1, we obtain

o

fi (r) ! pn'

Pzz'

and that the auxiliary function

n(t

gr

p,((Desl ^ !. : 1) n -Des1)[t

- L), fot t ) 2,

: p(lfl-eakl')[t + t] t

carr be defined recursively bv the program:

sr(o) - o

gt(1) - 1 gr(2) : Ptr gt(t I !) : pry Sr(t) + Prz' Pzy St(t -

1]

^ [L"uk]l')[t + 1]

,

and from PDC4 and PA8 we obtain

:

1), for I

)

2.

is easy to see that fi and 91 terminate for any natural number We now use PDC to prove that they compute the correct functions' We shall exploit the fact that

where

t)

0.

-Dest e O(lfl,eakl A l>1). The formula Desr is violated in the interval comprising the first I -F 1 time units if and only if Dest is violated in the first f time units or Desr holds for the first I time units but is violated in the full interval comprising the t * 1 time units: <+

+

p,(Des1^ ll-Leakll

p((Des y ^ (. :

It

-DesrAl:t+l

1t(-Des1)[t].

In the rest of this subsection and in the next subsection, we shall often apply the following expansion of J$:

To calculate

fr(2) .h(t +1) :

1],

u@ <+

p(Des1^ [f -Leakl

We show below that

Il

. ( (ll.ll ^@) \ \u iitiO^'lf-Leakl') v (nd-fLeakl'D nnil)'

11,(-Des1)ltl

and

:

The two formulas on the right-hand side above are mutually exclusive.

and from PA6 we have

Here we establish a recursive function to calculate p"(-Desl)lt]' In order to calculate p(-Des1)lt), we shall need an auxiliary function. Let

gr(t)

22L

Frorn PDC1 and PA5, we have

: F(-Desr^l: l)lt + 1] + p,((Des1^1.: l) n -Desr)[t *

12.4.1 Calculation of P'(-Des1)

ft(t) :

Burner

( ((-D"t,-( l)Al:r*1) \ \v 11n,.', ( - l)A .l)r'.sr A( : I I 1) )

l) n -Des1)[t + 1] prz .p22 . 1l(Desr ^ ll-Leakl t)[f

f)

-

1]

,

2.

In order to calculate p,(Des1^ lf-Leakl 1), we establish the expansion

/ lf-Leakl'

(Des1- rf-Leakr

\

lfl;:fi[-fi11]u\" - -Leaklr)/ lf-Leakl' \v

) <+ I v

1.a.r,

^

^

liLeaklr

fl

Using PDCI, we obtain pr(Des1^ lf-Leakl l )[t +

1]

/ t,(lf-Lcaklltlpr t1 t t] I r l,( l)t's1 - Ii-Lcakll'?)[t I ' l,(ll l,t';rli flr - Il-l,t';rkll I )[t + ll \ t1r(/),'s1 ll 'l,t';rliflr ll,r';rlilr

lf .lxraklr)[t

, ,,)

I

222

12. Probabilistic Duration Calculus

12.4 Example: Gas

Furthermore, from PDC2, PA8 and PDC4, we have the result that

yr(Des1^

/ = \* when J ) 2.

f-Leakll)[t + 1] P' ' P'\Des 1 lf -Leakl ' )[/] ' 'P21 ' P\Des, - lf-Leakl')lt 0,,

we ca., now establish the recursive cases for we have the result that p,(-Des1)lt +

1l

fi

Burner

12.4.2 Calculation of p(-Des2) The calculation of p(-Des2) can also be done recursively. To establish this, we show that the functions

\

)

- p,(-Des2)lrl : sz(t) p,(Des2)ltl fr(t)

and

91

, since when

I

)

2,

h2(t) k2(t)

: :

p,(Des2 A

1)) [i] 1))

(Des2^ f-Leakl

1"r\Des2 A (Des2

^

lfl,eakl

[t]

can be defined by mutual recursion as follows:

7l

( 111-Des 1)ltl ^ = \ n O,, ' Pzz' H(Des1 f-Leakl'

)[/

\ - t] /

'

p(Dea^ lf-Leakll)[t + 1] ' 1t(Desr - [-Leak-Jlt)l/] ( = \ * P'" 0,, 'Pzt ' lt(Desl lf-Leakl')lt -

e e

: (lnrt,l + k2(t) ifr:o olherwise I

ifr=o

(o

hr(f) :(1 t)

\ )

'

which establishes the recursive case for 91' In order to establish the base cases for fi and 9r, w€ observe first that 1. (-Desr n (1= 2)) 2. (-Des1 A (l < 1))

fr(t):r-s2(t) 9zu)

which establishes the recursive case for /1, and

ift:l lprt'hr(t * 1) + pzy kz(t - 1) otherwise (O ift:0orf:1 k2ft) : 1 ptr. kz(t -l) + p'rr" - p,., tf 2 < t <32 * ' p?? prr kz(t 1) ' hz(t if 32 < t. 30) + lpzz In this case also, it is not difficult to see that these programs all terminate for any natural number , > 0. We shall now prove that they compute the

lfl-eakl2 false

t) fi-Leak] n l{ :211 \ ^ 11oesr( -Leak .'' ^ t p-Leakll I v [-Leakl2 )/ ll \ <+ l 4. ((Dea ^ f-Leakl l) A (l' :1)) e f-Leakl 5. ((Des1^lf-Leaklt)n (l:0)) <+ false'

(

correct functions. The recursion formula for /2 is easy to justify, since from PA2 we have

lf

p(-Desz) - 1-

p,(Des2).

In order to justify the recursion formula for 92, we expand

Des2:

We can derive the following using PA5:

t.

1,r\-Des1)12]

: :

O

: 0 l) pt,. Z. 1t(Des1^ f-Leakl 12] = 4. p(Desy^lf-Leaklt)[1] :1 5. p'(Des1^lf-Leakll)[0] =O 2. p,(-Desr)lLl

223

1t(-Des1)[0]

PDC4 PDC I PDC1, PDC4, PAS, PA7 PA7 PDC1'

These account for all the base cases of /1 and p1, and we have now shown how to calculate the violation probability of Dest with respect to the imple-

mentation shown in Fig. 12.1.

(Des2

A/ > o) <+

Gi\z::;i"z::

[;"'Jiil,nr,,)

By using PDC1, we obtain 1L\Des2

A (. >

0) :- (

\+

A

(Des2 [-Leakl

' ))

'\Des2 trt(Des2 A(Des2-lfleaklI))

whir:h establishes the recursive case for 92. For the tra,sc r:a,se for 92, we must show

\ )'

that p(Des2)10): t.

224

225

which establishes the recursive case for h2. We leave the base cases for the

Since

reader.

p(l:0)l0l :1

To establish the two recursive cases for k2, we assume lhat expand Des2 as follows:

by PDC2, and

l: 0 + holds in

Burner

12.4 Example: Gas

12. Probabilistic Duration Calculus

Desz A (Des2

Dc, the base case can be established by using PA4 and PDc1,

as

we have

To establish the recursive case for h2, we assume that the length of the interval concerned is not less than 2, i.e. l) 2, and expand Des2 as follows:

l) Desz A (Des2^ ff-Leakl A \De:s2 \Des2

^ lf -Leak ll2 )) \ A(Des2lileaklt - p-t eaklrl)/ 1att,

'' \ v 1l"rr

1)) 1r(Des2 A (Des2^ lf-Leakl P'\Des2 A \Des 2 f-Leakl2

A(Des2- lfLeaklt

))

Desz A (Des2-

lf-Leakll)

)

\

Case: 2

es

:

^ lfl,eakl'?)) [t] p22.pt(Des2 A(Des2^lfleaklt))[,

A(Des2^ f-Leakl2) l t)) ^ (Des2 A (Des2^ f-Leakl fl-Leakl

<

!.

< 32. In this case we have

^ fl,eakl 1 ^ lf -Leakl 1) l (Des2 A (Des2 ^ flLeakl i)) ^ ll-Leakl '

)

(Des2^f-Leakll ^lfteat<11))[l] : pt - plt2

trr(Des2 A (Des2

as

pr

Case: !.

2, we can derive

)

'

[t]

-

1] + pt

:

1. Tiris establishes the first recursive case for 32. In this case we have

c

^ - [-Lt'r'kl')[/]\ : ( pllDcs2 A (Drs2 [l-Lt';'l<-Tlr))- [-l't'lklr;lt] ) \+ 1((Dt:s2A(l)t:s',- lfl,r';rkl')) ll\ ( t,,,' 1r(l)ts'; A(l)r's., ll l,t'rrkllr))lt \ , /,r, ' 1t(l)t's'; A ( /)r"v, ll l,r';rli llr))lt ll )

1))

pzz. 1l(Des2 A (Des2^ ffl,eakll))[t

Des2 A (Des2

)) [t]

^ fleakl

^ -Leakl 1 ^ lfl,eakl [f

((Des2 A (Des2^

.

ptz

r' .pt", k2.

1)

lf-Leaklt)) ^ [-Leakl2e ^ fl,eakll)

;r,rrrl, l,lrtrtrrirt c, a,lso

ltll)t's,; A (l)cs.,

[ .l,rrrlh'llr [lrrahllr))f/l .1r1" 1t,(l)t's,; A (/)r's,, ll l,r'rrkllr))l/ 1rir,'

.

< t < 32, the

and

Des2 A (Des2

l

A(Des2^ff-Leakll ^ lfteaklt)) <+ (f-Leakl ^ lfl,eakll)

pt(Des2 A

:

f

,

1].

result that

and

^ f-Leakl

-

Hence, by PA5, PDC1, PA7 and PA8, we have, when 2

#

p,(Des2 A (Des2

fl,eakll))^lfl,eakll

2 A (D es2

(Des2

Des2,

So, by use of PDC1 and PA8, when

1Det, A(Des2^

CASES:

-1;-teaklr))/'

lf-1,s3t1

c

lfl,eakl\ c

2. If Des2 ends with (fl-Leakl 1 ^ fl,eakl 1), then in order to keep Des2 (i.e. I ((lfl,eakl ^ f-Leakl ^ flLeakl ) + | > 32)) true, we must consider two

since Des2 is a constraint about the distance between two leaks, and the last t is irrelevant to this constraint' Thus, we have occurrence of Des2

\ ^ r - lfleakl'zll li-Leaklr lf t-eakl lt /

since both fl,eakl2 and lileakll are regarded as a single gas leakage and have the same effect on the truth of Des2. Hence, by PDC1 and PA8, we have, when t ) 2, the result that

However, in DC we have the result that

(Des2-'

A (Des2

We consider the two cases in the above disjunction:

p,(D

Hence, by PDC1,

: ( p1l.t, \+

1)

I. If Des2 ends with lfl,eakl 2, then we can prove in DC that

| : rr(l = 0)[0] < pr(Des2)f}l < I.

€. ( [v

lfl,eakl

^ lnesz A(Des2

(

Desz

^

l, ) 2 and

;l()l

12. Probabilistic Duration Calculus

226

References

and trt(Des2 A

=

( \+

(Des2^ lfl,eakl 1 )) [t] pr, ' p(Des2 A (Des2 ^ fleakl t ))[f r?? 'pp'

1t(Des2 A (Des2

- 1] - f-Leakll))[l -

30]

\ )

'

which establishes the second recursive case for kz. We leave the base cases for k2 for lhe reader. In [90], the recursions required to calculate pt(-Dest) and p,(-Desz) were derived in a more direct way by using probability matrices and the satisfaction probabilities of a set of useful DC formulas. The dependability of a communication protocol over an unreliable medium [45] was also calculated

in

feOl.

1. Allen J.F. (1984) Towards a General Theory of Action and Time' Artificial Intelligence 23:123-154

2. Chetcutiserandio N., L.F. del Cerro L.F. (2000) A Mixed Decision Method for Duration Calculus. Journal of Logic and Computation, 10(6):877-895

3. Alur R., Courcoubetis C., Dill D. (1990) Model-Checking for Real-Time 4.

Sys-

tems. In: Fifth Annual IEtrE Symposium on Logic in Computer Science. IEEE Press, Piscatawav, NJ, 414-425 Alur R., Courcoubetis C., Henzinger T.A., Ho P-H. (1993) Hybrid automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems. In: Grossman R.L., Nerode A., Ravn A.P., Rischel H. (Eds.) Hybrid Systems, Lecture Notes in Computer Science 736. Springer, Berlin, Heidel-

bery,209-229

5. Alur R., Dilt D. (1992) The Theory of Timed Automata. In:

de Bakker J.W., Huizing C., de Roever W.P., Rozenberg G. (Eds.) Real-Time: Theory in Practice. Lecture Notes in Computer Science 600. Springer, Berlin, Heidelberg,

45,73

6. Alur R., Dill D. (1994) A Theory of Timed Automata. Theoretical Computer Science 126:45-73

7. Alur R., Feder T., Henzinger T.A. (1991) The Benefits of Relaxing Punctuality. In: Tenth Annual ACM Symposium on Principles of Distributed Computing. ACM Press, New York, t39 152 8. Barua R. (2003) Completeness of a Combination of Neighbourhood Logic and Temporal Logic. Formal Aspects of Computing. To appear

9. Barua R., Roy S., Zhou C.C. (2000) Completeness of Neighbourhood Logic. Journal of Logic and Computation 10(2):27I-295 10. Berry G., Gonthier G. (1992) The Esterel Synchronous Programming Language: Design, Semantics, Implementation. Science of Computer Program-

ming 19:87'152 11. Bird R. (1976) Programs and Machines. Wiley, London 12. Braberma.n V.A., Dang V.H. (1998) On Checking Timed Automata for Linear Duration Invariants. In: Proceedings of the 19th IEEE Real-Time Systems Symposium. IEEE Press, Piscataway, NJ,264 273 13. Chakravorty G.,Pandya P.K. (2003) Digiiizing Interval Duration Logic. In: Hunt Jr., Warren A., Somenzi F. (Eds.) Computer Aided Verification (CAV 2003), Lecture Notes in Computer Science 2725. Springer, Berlin, Heidelberg,

167 179

14. Chan P., Dang V.H. (1995) Duration Calculus Specification of Scheduling for Ta"cks with Shared Resources. In: Kanchanasut K., Levv J.-J. (Eds.) Asian Computing Scicnce Conference 1995, Lecture Notes in Computer Science 1023. Springer, Borlin, Htri
228

R,eferences

229

Relerences

15. chellas B.F. (1980) Modal Logic: An Introrluction. cambridge tlniversitv Press, Carnbriclge

16. chcn 2.J., wang

J., Zhot c.c. (1995) An Abstraction of Hybrid control

Systcms. In: IEtrE Singapore International Conference on Intelligent Clontrol

and Instrumentation. IEEE Press, Piscatarvzry, NJ, 1 6 17. Dang V.H. (1998) Modelling and verification of Bipha,se lVl:r,rk Protocols in Durition Caicul's using PVS/DC-. In: Application of Concurrcncy to Systcm Design (CSD'98). IEEE Press, Piscatar'-ay, NJ, BB 98 1g. Dan[ V.H., Guclev D.P. (1999) Completencss and Decidability of a Fragmeni of Duration Calculus rvith ltcration. In: Thi:rgarajan P'S', Yap R" (Eds') A
IEtrE Press, Piscata;u'ay, NJ, 4 15 20. Dang V.H., Phan H.G. (1996) A Sarnpling Semantics of Duration calculus.

J"onsson 8., Pa,rrow J. (trds.) Formal Techniques in Real-Time and Fault Tolerant Syste[ts, Lccture Notes in Computcr Science 1135. Springer, Bcrlin, Hcidelberg, 188 207 21. Dang V.fi., $ru"g J. (1996) On f)esigt of Hybrid Control Systcrns usiilg I/O AutJrnata Model.i. In: Chandru V., Vinay V. (trds.) Foundations of Software Technology and Thcoretica,l cornputcr Science, Lecture Notes in computer Science 1180. Springcr, Berlin, Hcidelberg, 156 167 22. Dang V.H., Zhou c.c. (1999) Probabilistic suration calculus lbr continuous Timc. Forrnal Aspects of Comprrting l1(L):21 44 23. f)ierks H. (2003) cornpa,ring N{orlel-checking and Logic:rl Rea,soning for Rea'lTime Systerrs. Formal Aspccts of Cornputing. To appear 24. Dierks H., FehnLer A., Nlader A., Vaandragcr F.W. (1998) operational and Logical Sernantics for Polling Real-Timc systems. In: R.avn-A.P., R.is
In:

2g. Emer.son E.A., Lci c.-L.(1985) \,{od:r,lities for Model checking: Branching Tinre strikes Back. In: 12th symposium on Principles of Programrning Langu?iges. ACM Prcss, New York, 8'1 96 30. Eng"el M., Kubica M., \,{aclev J., Par'as D.L., R.av' A'P , v^n Sr:h.rrwc' A"J' (1g'g3) A Formal Approach to Computer Systcrns R.ccptit
Engel N{., Rischel H. (1994) D:rgstuhl-Seminar Specification Problem -'a, Dtrration Calculus Solution. Technical report, Derpartment of Computer Scierce, Technical Univcrsity of Denmark, Lyngbv Frdnzle M. (1996) Svnthesizing controllers from Duration calculus. In: ,Jonsson B., Parrorn J. (Eds.) Formal Techniques in R.eal-Time and Fault-Tolcrant Systems, Lecture Notes iil Computer Scicnce 1135. Springer, Berlin, Heidelberg, 168 187 Frtnzle M. (1997) controller Design fiom Temporal Logic: Undecidability Need Not Matter. PhD thesis, Institut fiir Informatik und Praktische IVIathematik der Christian-Albrechts-Universitet Kiel, Germany 31 Frrinzle M. (2002) Take it NP-Easy: Bounded Nlodel constnrction for Drrration Calculus. In: Damrn W., Olderog E.-R.. (trds.) Forrnal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Sr:ience 2,169. Springer, Berlin, Heidelbcrg, 245 264 .)J. FYdnzle \,'I. (2003) Nlodel-Checking Dense-Time Duration Calculus. Formal Aspects of Computing. To appeiu 36 Gao J.P., Xu Q.W. (1999) R,igorous Design of a Fault Diagrrosis and Isola,tion Algorithm. In: Antsaklis P.J., Kohn W., Lemmon M., Nerodc A., Sastrv S. (trcfs.) Hybrid Systerns V, Lecture Notcs in Cornputer Science 1567. Springcr, Berlin, Heideiberg, 100-121 George C., Xia Y. (1999) An Operational Semantics for Timed RAISE' In: Wing J., Woodcock J., Davies J. (Eds.) World Congress on Formal Methods (FM '99), Lecture Notes in Computer Scicrce 1709. Springcr, Berlin, Heidelberg, 1008 1027 3B Guclev D.P. (1998) A Calculus of Durations on Abstract Dornains: complete-

31.

ncss ancl Extensions. UNU/IIST R.eport No. 139, Ilternational Institute {br Software Technology, Macau 39. Guelev D.P. (2000) A Complete Fbagrnent of Higher-Order Duration g,calculus. In: Kapoor s., Prasad S. (trds.) Foundations of Software Technologv ancl Thcoretical comp[ter Scicnce, Lecture Notes in computer sr:ience 1974.

Springer, Berlin, Hcideiberg, 264 276 Guelc" D.P. (2000) Probabilistic Neighbourhood Logic. In: Joseph M. (Ed.) Formal Techniqucs in Real-Time and Fault-Tolerant systcms, Lecture Notes in Computer Science 1926. Springer, Berlin, Heidelberg, 264 275 47. Guclev D.P., Dang V.H. (1999) On the Compietcness and Decidability of Duration Calculus with Iteration. In: Thiagzr.rajan S.' Yap R,. (Eds.) Advanccs in Computing Science, Lecture Notes in Computer Science 1742. Springer, Berlin, Hcidelberg, 139 150 42. Guelcv D.P., Dang V.H. (2002) Prefix and Projection onto State in Drrra'tion Calculus. In: Asarin E., Maler O., Yovine S. (trds.) Electronic Notes in Theoretica,l Computer Science 65:6. Elsevier, Amsterdam 43 Halpern J., Moszkou,ski B., Nianna Z. (1983) A Hzrrd.nare Semantir:s bascrl on Temporal Intervals. In: Di:r,z J. (trd.) ICALP'83, Lecturc Notes in Cornpulcr Scicnce 154. Springer, Berlin, Heideiberg, 278 291 ,1,1. H:r,lpcrn J.Y., Shoham Y. (198G) A Propositional Nlodal Logic of Time Intervals. In: Proceedings of the First ItrEE Syrnposium on Logic in Computer Sciencc. IEEE Press, Piscatawav, NJ, 279 292 .15 FJa,rrscn H., .lonsson B. (1994) A Logic fbr R.easoning :rborr.t Time anrl R,eliaIrililv. l,'orrrr;rl Asp
40.

230

References

References

M.R. (1994) Nlodel-Checking Discrete Duration Calculus. Formal Aspects of Computing 64:826 845 48. Hansen \4.R.., Pandya P.K., Zhou C.C. (1995) Finite Divergence. Theoretical Computer Science 138:113 139 49. Hansen M.R., Sharp R. (2003) Using Interval Logics for Temporal Analysis of Securitv Protocols. In First ACM Workshop on Formal Methods in Security Engineering (FN{SE'03). ACNI Prcss, New York, 24 31 50. Hansen M.R.., Zhou C.C. (1992) Semantics and Completeness of Duration Caiculus. In: de Bakker J. W, Huizing C., de Roever W.-P., Rozenberg G.

47. Hansen

(Eds) Real-Time: Theory

in Practice, Lecturc

Notes

in Computer Sc:icnce

600. Sprirrger, Berlin, Heidclberg, 209 225 51. Hansen NI.R., Zhou C.C. (i997) Duration Calculus: Logical Foundations. Forrnal Aspects of Computing 9:283 330

J. (1992) A Real-Time Duration Sernantics for Circuits. In: TAU'92: 1992 Workshop on Timirrg Issues in the Specification nnd Synthesis of Digital Systems, Princeton Univcrsitv, Princt'-

65

Hopcroft J.E., Uilman J.D. (1979) Introduction to Automata Theory, Lan-

66.

gtages, and Computzrtion. Addison-Weslev, R,eading, Massachusetts Hughcs G.E., Crestwell M.,I. (1968) An Introduction to Modal Logic. R,outledge, London

67. Huizing

i).1.

54.

55.

56.

57.

58.

59.

60.

Harel D. (1987) Statesharts: A Visual Formalism for Complex Systerns. Science of Computer Programming 8:23L 274 Harel E., Lichtenstein O., Pnueli A. (1990) Explicit Clock Temporal Logic. In: 5th IEEE Symposirim on Logic in Computer Science. IEEE Press, Piscataway, NJ, 402 413 He J.F. (1994) Ilom CSP to Hybrid Systems. In: Roscoe A.W. (Ed.) A Classicai Mind: Ess:tys in H6nour of C.A.R. Hoare. Prentice Hall Intern:rtional, London, L77 790 He J.F. (1995) Provably Correct Systems: Modelling of Communication Languages and Design of Optimized Compilers. McGraw-Hill, New lbrk He J.F. (2000) An Integrated Approach to Hardware/Softrn'are Co-design. In: Yulin Feng, Notkin D., Gaudel NI.-C. (trds.) ICS 2000, 16th IFIP World Cornputer Congress 2000. Publishing House of Elcctronics Industry, Beijing, 11 16 He J.F., Bowen J. (1992) Time Interval Semantics and Implementtr,tion of a Real-Time Progr:rmming Langrrage. In: 1992 Euromicro Workshop on RealTime Systems. TEEE Press, Piscataway, N'I, 110 115 He .1.F., Verbovsky V. (2002) Integrating CSP and DC. In: Proceedings of the Bth IEEE International Conference on Enginecring of Complex Computcr Systems. IEEE Press, Piscatawa5', N,l, 47 54 Hc J.F., Xu Q.W. (2000) Advanced Fcatures of the Duration Calculus. In: Davies J., R.oscoe B., Woodcock J. (Eds.) \.'Iillennial Perspectives in Computer

Science. Palgrave Macmillan, Houndmills, Hampshirc, 133 146 61. He .I.F., Xu Q.W. (2000) An Operational Semantics of a Simulator Algorithm.

In: Arabnia H.R. (Ed.) Prococccdings of thc International Conference on Paral1cl and Distributed Processing Techniques :r,nd Applications. CSR,EA Press, Las Vcgas, 203 208

W.D., Zhou C.C. (1995) A Case Study of Optimization. Thc Computer Journal 38(9):734 746 63. Hoenicke J., Olderog tr.-R. (2002) CSP-OZ-DC: A Combination of Spccific:rtion Tcchniqlcs for Processes, Data ancl Time. Nordic .Jortrnitl of ()ornplrting 9(4):301 33a 64. Hong K.T., Dang V.H. (2001) Forrn:rl D
C., Gerth R., de Roever W.P. (1988) Modelling StateCharts

Be-

h:r,viour in a Fully-Abstract way. In: Dauchet M., Nivat XtI. (Eds.) CAAP'88, Lecture Notes in Computer Science 299. Springer, Berlin, Heidelberg, 271 294 68. Inal R. (1994) Ntlodular Specification of Real-Tirne Systems. In: 1994 Euromicro Workshop on Real-Time Systcns. IEEE Press, Piscataway, NJ, 16 21 69.

Jahanian F., N{ok. A.K.-L. (1986) Saletv Analysis of Timing Properties in Real-Time Systems. IEEE Transactions on Software Engineering 12(9):890

904 70. Kesten

Y., Pnueli A., Sifakis J., Yovine S. (1993) Integration Graphs: A Cla,ss of Decidablc Hybricl Systcms. In: Grossman R.L., Nerode A., Ravn A.P., Rischel H. (Eds.) Hybrid Systems, Lecture Notes in Computer Science 736.

52. Hansen M.R., Zhou C.C., Staunstrup

ton, NJ

237

71

Springer, Berlin, Heidelberg, 179 208 Kleuker C. (2000) Constraint Diagrams. PhD thesis, Oldenburg Universitv, Germany

Koymans R.. (1990) Spccilving Real-Time Properties with \{etric Temporal Logic. Real-Tirne Systems 2(4):255 299 73. Koyrnans R. (1992) Specifying Messagc Passing :r,nd Time-Critical Systems with Temporal Logic, Lecture Notes in Cornputcr Science 651. Springer, Berliri, Heidelberg 74. Kddramccs M. (1995) Transformzrtion of Duration Cak:ulus Specifications to DISCO La.nguage. Master's thesis, Tallinn Te
72.

Academia, Sinica BO

Li X.D.. Dang V.H. (1996) Checking Linear Duratioa Inviuiants bv

Lirrcar

Programming. In: Jaffar J., Roland H., Yap C. (Eds.) Concurrency and Par:rllclism, Programming, Nctworking, :rnd Securitv, Lecture Notes in Compritcr Scicncc 1179. Springer, Berlin, Heidelbcrg, 32L 332 t31 Li X.D., Dang V.H., Zheng T. (1997) Checking Hybricl Automata for Linear Duration Invariants. In: Shy:lmasundar R.K., Ileda K. (Eds.) Arlvances in Computing Science, ASIAN '97, Lecture Notcs irr Computer Science 13'15. Springer, Berlin, Hei
232

R,ef'erences

Refercnces

g4. Li Y., Dang V.H. (2002) checking Temporal Duration Propcrties of Timed Automata. .Journal of Computcr Science and Technology 17(6):689 698 85. Liu c.L., Layland. J.w. (1973) scheduling Algorithm for Multiprogramming in a Harcl R.eal-Time Environment. Journal of the ACI\I 20(i):a6 61 86. Liu Z. (Lgg6) specification and verification in DC. In: Joseph M. (trd.) Mathematics of Dependable systems, International series in computer Science. Prentice Hall, London, 782 228 g7. Liu 2., Nordahl J., sorensen E.v. (1995) composition and Refinement 6f Probabilistic Real-Timc systcrns. In: Mitchcll c., stavridou v. (Eds.) Mzr,thcmatics of Dependable Systems. Oxfbrd University Press, Oxford, 149 163 gB. Liu 2., R.avn A.P., Li X.S. (2003) unifying Proof Methodologies of Duration calculus arrcl Timed Linear Temporal Logic. Formal Aspects of computing. To appear 89. Liu 2., Rurrtr A.p., Sorensen E.V., Zhou C.C. (1993) A Probabilistic Dura,tion Calculus. In: Kopetz H., Kakuda Y. (Eds.) Depcndable Computing and FaultTolerant Svstcms Vol. 7: Responsivc computer systems. springer, Berlin, Hci delberg, 30 52 g0. Liu 2., Ravn A.P.,

Sl,rrensen

E.V., Zhot

c.c.

(1994) Towards a calculus of

Systems Dependability. High lntegritv Systems 1(1):49 75 91. Malcr O., Manna 2., Pnueli A. (1992) From Timed to Hybrid Systerns. In: de Bakker J.W., Huizing C., de R,oever W.P., Rozcnberg G. (Eds') R'eal-Titre: Theory in Practice, Lecture Notes in computer science 600. springcr, Berlin, Heidelberg, 147 184 g2. Manna 2., Pmreli A. (1993) Verifyirrg Hybrid systems. In: Grossman R.L., Nerode A., Ravn A.P., R.ischel H. (Eds.) Hybrid Systcms, Lecture Notcs in Computer Science 736. Springer, Berlin, Heidclberg, 4 35 g3. Mao X.G., Xu Q.W., Dang V.H., Wang J. (1996) Towards a Proof Assistant {br Interval Logics. UNII/IIST Report No. 77, International Institute fcrr Software Tcchnology, Macau 94. P.C. Nlasicro, A.P. R.avn, and H. Rischcl. (1993) Refincment of real-tirne specifications. ProCoS Technical R.eport ID/DTH PCNI 1/1, Departrnent of computer Science, Technical University of Denmark, Lyngbv

95. Midclelburg

c.A. (1998) Truth of Duration calculus Formulae in

Timed

Ftames. Fundamenta Informaticae,Journal 36(2 l3):235 263 96. Minsky \,{.L. (1967) Computation: Finite and Infinite Machines. Prentice Hall, Englewood Cliffs, NJ g7. Moizkorn'ski B. (1995) compositional Reasoning about Projected and Infinite Time. In: First International confcrence on Engineering of complex computer Systems. IEEE Press, Piscataway, NJ, 238 245 gB. MOrk S., Goclskesen J.C., Hansen M.R., Sharp R. (1996) A Timed Semarrtir:s for sDL. In: Gotzhein R., Bredereke J. (Eds.) Formal Description Techniques IX: Theory, Application and Tools. Chapman & Hall, London, 295 309 99. Nicollin X., Olivero A., Sifakis J., Yovine S. (1993) An Approach to the Description ancl Analysis of Hybrid Systems. In: Grossman R,'L', Nerocie A', R.avn A.P., R.ischel H. (trds.) Hybrid Systerns, Lecture Notes in Computer Science 736. Springer, Berlin, Heidelberg, 149 178 100. olderog E.-R.., Ravn A.P.. Skakkebak.I.u. (1996) R,cfining systc[r R.cqtrirtrrnents io progra,m Specifications. In: Hcitmcyu'O., \.tl'rr
London, 107 134

R.rrslrlry.1. (11)1):t) (Jscrs

(lrrirlc

liil llrc l'\"S S;ilt ilir';rliorr

101. Orvrc S., Slra,rrl<:rr N., irrrrl \,i'rilir';rliorr Syslcrn. l,:rrrl1rr;r1,,r'.;rttrl I'trtol ('ltcclicr'(lrll;t

rclr';rrrr') (llrtcr

233

volurnss). lllrr:hnical report, Computer Scicnce Lzrboratory, SRI International, I\tlenlo P:rrk, CA 102. Pandya P.K. (1996) some Extcnsions to Propositional \,{ean va,hrc calculus: ExpressiveDess arrtl Decidability. In: Kleinc Buening H. (Ed.) CSL'95, Lecture Notcs in Cornputer Science 1092. Springer, Bcrlin, Heidclberg, 434 451 103. Pandya P.K. (1996) Weak Chop Inverses and Liveness in Duration Calculus. In: Jonsson I]., Parrow J. (Eds.) Forrnal Techniques in Real-Time and FaultTolerant Systcurs, Lecture Notcs in Computer Scicnce 1135. Springcr, Berlin,

Heidelberg, 148 167 104. Pandya P.I{. (2001) Nlodel Checking CTL-lDC]' In: Margari:r T., Wang Yi (Eds.) Tools and Aigorithms lbr the Construction :r,nd Analysis of Systems, Lecture Notes in Computcr Science 2031. Springer, Berlin, Hcidelberg, 559 i)/J

105. P:r,ndya P.K. (2001) Spccifving and Deciding Quantified Discrete-Time Duration calculus Formulae using DC\ALID: An automata theoretical approach. In: Workshop on R.eal-Time Tools (RITOOLS'2001), Aalborg 106. Pandya P.K. (2002) Interval Duration Calculus: Exprcssiveness arrd Decidability. In: Asarin E., Maler O., Yovinc S. (Eds.) Electronic Notes in Theord,ical Computer Science 65:6. Elsevicr, Amsterdam 107. Pandya P.K., Dang V.H. (1998) Duration C:r,lculus with \Vcakly Monotonic: Time. In: Ravn A.P., R.ischcl H. (Eds.) Formal Techniques in Real-Time and F:rult-Tolera,nt Systems, Lecturc Notes in Computer Science 1486. Springer, Berlin, Heidelberg, 55 6,{ 108. Pandya P.K., Ramnkrishna Y.s. (1998) A R,ecursive Mean Value Calculus. In: Arvincl V., R.amanujalr R. (Eds.) FSTTCS 1998, Lecturc Notes in Computcr Science 1530. Springer, Bcrlin, Heidelberg, 257 268 109. Pancly:r, P.K., R.a,rnakrishna Y.S., Shyarnasundar R.K. (1995) A Compositiontrl sern:rntir:s of Estcrel in Duration calculus. Tcchnical rcport, cornputer scicnce Group, TIFR, Bombay 110. Pandya P.K., Wang H.P., Xu Q.W. (1998) Towar
l!i.

rrr;rl

i.rr ;rtrrl ('ottt;rttl;rtiorr, 156(1-2):320

344

li;rl,irr,,r.i, lr ,\ (:ll)(lll) Srrccirr'l rrcss (l;rp lrci u'ccrt Nrlorra,rlit'T,ogit: antl Dttr:zrtitlrt ('.r1, rrlrr', l'rrrrrl.rrrlrrl;r lrrlirt ttt;rlir';rr'. 'l l: I l0

231

Ref'crcnces

Rclcrcrrr:cs

119. Rabinovich t\. (2002) Finite Variabilitv Interpretation of Monadic Logic of Order. Tlreoretical Computcr Scicn<:r:, 275(1 2):III 725 120. R.asmussen T.M. (1999) Signed Interval Logic. In: Flum J., RodriguezArtalcjo M. (Eds.) Computer Science Logic, CSL'99, Lecture Notes in Cornpnter Science 1683. Springcr, Berlin, Heidelberg, 157 171 121. Rasmusscn T.M. (2001) Automa,ted Proof Support for Interval Logics. In: Nietwenhuis R,., Voronkov A. (Eds.) LPAR. 2001, Lccture Notes in Artificia,l Intelligence 2250. Springer, Berlin, Heidelberg, 3I7 326 122. Rasmussen T.M. (2001) Labelled Natural Deduction lbr Interva,l Logics. In: Fribourg L. (Ed.) Computer Scicncc Logic, CSL'01, Lecture Notes irr Computer Science 2142. Springcr, Berlin, Heideiberg, 308 323 123. R,asmusscn T.M. (2002) Interval Logic: Proof Theory and Theorern Proving. PhD thesis, Technical University of Denmark, Lyngby 124. Ravn A.P. (1995) Dcsign of Embedded Real-Time Computing Systems. Doctoral disserta,tion, Technical Univcrsity of Denmark, Lyngby 125. Ravn A.P., Erikscn T.J., Holdgaard M., Rischel H. (1998) Engineering of Rcal-Time Systems with zrn Experimcnt in Hybrid Control. In: Rozenbcrg G., Vaandragcr F.W. (Eds.) Embedded Systcms, Ler:ture Notcs in Computer Science 1494. Springer, Berlin, Hcidelberg, 316 352 126. R,avn A.P., Rischcl H. (1991) R.equiremcnts Capture lbr Embcdded R.ealTime Systerns. In: Proceedings of IMACS-MCTS'91 Symposium on Modclling and Control of Tcchnological Systerns, Villencuve d'Ascq, Francc, voiurne 2. IMACS, Paris, 147 152 127. R.avn A.P., R,ischel H., Hansen K.M. (1993) Spccifying and Verilying Requiremcnts of Real-Time Systems. IEEE Transactions on Software Engineering

t9(1):a1

55

128. Rischel H. (i992) A Duration Calculus Proof of Fischer's Mutual Exchrsion Protocol. ProCoS II, ESPR.IT BR,A 7071, Report No. DTH I{P., 111,, Department of Computer Science, Techrrical University of Dcnmark, Lyngby 129. R,oscoe A.W., Hoarc C.A.R.. (1988) The Lau's of OCCAN{ Programming. Theoretical Computer Science 60:177 229 130. Roy S., Zhou C.C. (1997) Notes on Neighbourhood Logic. UNII/IIST Rcport No. 97, International Instittte for Softwarc Technology, \,,Iacau 131 . Satpathy M., Dang V.I{., Pandva P.K. (1998) Some R.esults on the Der:idability of Duration Calculus under Synchronous Interpretation. In: R.avn A.P., R,ischel H. (Eds.) Formal Techniques in R,eal-Tirne and Fault-Tolcrant Systems, Lecture Notes in Computcr Science 1486. Springcr, Berlin, Heidclbcrg, 186 197 132. Schenke M. (1994) Specification and Tbansformation of Reactive Systerns with Timc Restrictions and Concurrency. In: Langmack H., dc Roever W.-P., Vytopil J. (Eds.) Formal Techniques in Rcal-Time and Fault-Tolerant Systems, Lecture Notes in Computer Scicnce 863. Springer, Bcrlin, Heidelberg, 605 620 133. Schenke M. (1995) Roquirements to Prograrns: A Developmcnt Mothodologv for Real Time Systems, Part 2. Tcchnical report, Fachbereich lnfcrrmatik, Universitiit Oldenburg, Gerrnany 134. Schenke M., Olderog E.-R.. (1995) Rcquirements to Progr;rms: A Dcveloprncnt Methodology for Real Time Systems, P:rrt l. Tc<:hni<::rl rcpott, Fa,r:lrb
2illr

136. Schnrrirlcr ( I . \rr ( ) \\i. (191)8) Towards a Forma'l Semantics of Vcrilog rrsirrt', Dur:rtiorr (l;rl, ulrrr. lrr: ll:tvtt A.P., R,ischel H. (Eds.) Fornal Te<:Iurirltrcs irr Real-'I.'irrrr' ;rrr,l l";rttll 'l'olr:t:rnt SYstems, Lecture Notes in Computelr St ictrr '' 1486. Slrrirrllr'r . li'r lirr. llrrirlrlberg, 282 293 137. Siewe F., l)rrrrli \'ll. (2(XX)) Ilrom Continuous Specification to Dis
Ii'rlirr. llcitllllrtrg, 92 97 .l.U (11)1) l) l,ir,<:rrcss and Fairness in Duration

139. Skakkebarl<

Calt:trlus. Itt: .l,,tr

Concurrcncy Theory, Ler:tult' N.l.r. in Computtt St it'ttt t' 8il(i. Springer Verlag, 283 298 1.40. Skakkebir:k.I.tl. (lf){) l) r\ \hrification Assistant lbr a Real-Timc Logir'. I'lrlr thesis, Tet:lirri<:rr,l I Jlrivclsilv of Dcnma,rk, Lyngbv 141. skakkcba:k.I.II., ll;rvrr i\.1)., R,ischel II., Zhou c.c. (1992) sp
8.,

P1rr.orv

.l.

(1,)rls.) (]ONC]UR.'94:

I

1'.

236

Relerenccs

References

152. Xu Q.W. (1997) Semantics and Verification of the Extended Phase TYansition Systems in the Duration Calculus. In: \tlaler O. (Ed.) Proceedings of International Workshop on Hybrid and Real-Time Systems, Lecture Notes in Computcr Scicncc 1201. Springer, Berlin, Heidelberg, 301 315 153. Xu Q.W., He W.D. (1996) Hierarchical Dcsign of a Chemical Concentration Control System. In: Alur R., Henzinger T.A., Sontag D.tr. (trds.) Hvbrid Svsterns III: Verification and Control, Lecturc Notcs in Computer Science 1066. Springer, Berlin, Heidelberg, 270 281 154. Xu Q.W., Swamp l{. (1998) Compositional Reasoning using AssumptionCommitment Paradigm. In: Languraack H., Pmreli A., dc R,ocver W.-P. (Eds.) Compositionality The Significant Differcnce, Lecture Notes in Computer Science 1536. Springer, Berlin, Heidelberg, 565 583 155. Xu Q.W., Y;r,ng Z.Y. (1996) Derivation of Control Programs: a Fleating Svstem. UNU/IIST Report No. 73, International Institute for Softr,vare Technology, N{a,cau

156. Yu H.Q., Pandya P.K., Sun Y.Q. (1994) A Calculus for Hybrid Sa,mpled Data Systems. In Langmack H., de Roever W.-P., Vvtopil J. (trds.) Forrlal Techniques in R,eal-Time and Fault-Toierant Systems, Lecture Notes in Computer Sr:icnce 863. Springer, Berlin, Heidelberg, 716 737 157. Yu X.Y., \Vang J.,Zhott C.C., Pandy:r P.K. (1994) Form:rl Design of Hvbrid Systems. In: Langmack H., de Roever W.-P., Vytopil J. (Eds) Formal Techniqucs in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science 863. Springer, Berlirr, Heidelberg, 738 755 158. Zhao J.H., Dang V.H. (1998) On Checking Real-Time Parallel Systems for Linear Duration Propcrtics. In: Ravn A.P., Rischel H. (Eds.) Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computcr Science 1486. Springer, Berlin, Hciclclbcrg, 24I 250 L59. Zltao J.H., Dang V.H. (2000) Checking Timed Automata for some Discretisable Duration Propcrtics. Journal of Corrrputcr Sciencc and Tcchnology, 15(5):423 429

160. Zlreng Y.H., Zhon C.C. (1994) A Formal Proof of the Deadline Driven Schedulcr. In: Langmack H., de Roever W.-P., Vytopil J.(Eds.) Formal Techniques in Reai-Time and Fault-Tolerant Systems, Lecture Notes in Computer Scicncc 863. Springer, Bcrlin, Heidellierg, 756 775 16l. Zhon C.C. (1993) Duration Calculi: An Ovcrview. In: Bjorner D., Broy M., Pottosin I.V. (trds.) Proceedings of Formal Methods in Progrnmming and Their Applications, Lecture Notes in Cornprrtcr Science 735. Springer, Berlin, Heidelberg, 256 266 162. Zhor C.C., Dang V.H., Li X.S. (1995) A Duration Calculus with Infinite Intervals. In: Reichel H. (Ed.) Fundamentais of Computation Theory, Lecture Notes in Cornputer Scir:ncc 965. Springer, Berlin, Hciddbcrg, 16 41 163. Zhou C.C., Guelev D.P., Zhan N. (2000) A Higher-Order Duration Calculus. In: Davies J., Roscoe 8., Woodcock,I. (Eds.) N{illennial Perspectives in Computer Science. Palgrave Macmillan, Houndmills, Hampshire, 407 416 1,64. Zhon C.C., Hansen M.R. (1996) Chopping a Point. In: Cooke J., He Jifeng, Wallis, P. (Eds.) BCS FACS 7th Refinement Workshop, Elcr:tronic Workshops in Computing. Springer, Berlin, Heidelberg 165. Zhou C.C., Hansen M.R. (i998) An Adeqtate First Orrl<:r T,ogir: of Trrtcrvals. In: Langmaack H., dc Roevcr W.-P., Prnrrli A. (Il
Bcrlin,

H
166. Zlrorr(j.(1., IIirrrsr,nN4.ll..,ll;rvrr A.l'., llisclrr,l ll.(11)l)l)l)rrr';rliorrSlrccilicirliorrs lirl Slr;r.r'r,rl l)roccrisors. lrr: \'tlopil .1. (l), 1.)lilrrrIosiurrr orr l,irrrr;rl 'l'r,r'lrrrrlrrls

'2:l'i

in R.ea,l-'l'irrrr';rn,l I,:rrrll 'lirlrrr':rrrt Systems, Lecture Notes in Computot St ictt, r' 571. Sprirrllr'r'. li'r lirr, l l,'irlr:llrrrrg, 21 32 167. Zhott (1.(l , ll;rrr:rcrr Nl.lt., Strstoft P. (1993) Decidability and f.lrrtlx:irl;rl'il ity Rtrsults lirr l)rrr;rli,,tr ( jrrlt:ultrs. In: Enjalbert P., Finkel A', \Va'gnrrl K \\1 (Eds.) S'l'Af lS'1):t, l,r.r'trrlc Notcs in Computer Scicnce 665. Sprirrgrrr', li'r'lirr, Heidelb
(iN

11.. [i,in'n A.P. (1991) ma,tion Pror:t'ssirrl', l,r'l lcrs tt0(5):269 276

168. Zhou

c.(i., llol.r'r,(l.i\

A Calculus of Duratiorrs.

lrrlirr

l,i \ S (199,1) A Nlcan Value Calculus of Durztt,iotrs. lrr A.W. (l'),1.) A (lll,ssica,l N{ind: Essays in Honour of C'A'll llr';rr'' Prentice IIall Irrl,r'r'rr;rliotral, Ltxrdol, 431 451 (l;tlt rrlrtr; 170. Zyott C.C., Ililvrr A.l'., IIarrs
169. Zhou C.(1., Roscoe

530

772. Zhort c.c., Zharrg.1.2., Y:rng L., Li X.S. (1994) Linear Duraliort Ittr';tti;tttl:;. In: Langmack tI., rkr R.oer.er w.-P., vvtopil J. (Eds.) Formal 1i{lrrrirlrr|s irr Real-Time a1d Finrlt-Tolerant Systems, Lecturc Notes in C)orttlrrtlcl St i,'tt,,' 863. Springer, Bcrlin, Heidelberg, 86 109

173. Zhn H.8., I-Ic J.F. (2000) A DC-based semantics for verilog. Irr: Nol,liirr l). Y1lin Feng, Gnudel N4.-C. (Eds.) Proceedings of International (lottli'tt'ttcc orr Software: Theory-:r,ndPractice. PublishingHouseof Electrrxri<:s lrrtlttsl tt.ll'r jing, 421 432

Abbreviations

- A2: axioms of lL,

A0

27

Autol(a) Auto3(b): specification of an automaton for the gas burner,

Nl, N2: axioms of state transition calculus, 157 N: necessity, inference rule of IL, 27 nert(X,S): the formula

processes, 9

-D6:

rL,27

161

COR: Corollary, 183 CSP: communicating sequential D1

MP: modus ponens, inference rule of

axioms for abstract domain,

202

DC: duration calculus, 14, 41 DCA1 DCA6: axioms of DC, 45 Desl: design decision 1 (gas burner), 11, 60

Des2: design decision 2 (gas burner),

xv(x^fisl)v(x^ll-sl), 49

NL: neighborhood logic,

NLA1 NLAS:

191

axioms of neighborhood

logic, 195 NLNI, NLN, MP, G: inference rules of

NL,

196

12, 60

d,Liner: deadline of p;, 69

PAl-PAB: axioms of PDC,

DNF(S): dis.junctive normal form for

PDC: probabilistic duration calculus,

s, lo2

216

209

PLC: programmable logic controller, 19 ProCoS: provable correct systems (ESPRIT BRA 3104, 7071), t4 Pr.R: periodic request, 71

E: axiom of IL,27 FAi (S)t finite alternation, 46

G: generalization, inference rule of IL, 27

Ql, Q2: axioms of IL,

28

Gbfueq: requirement (gas burner), 10, 60

H6: IL encoding of DC axioms for Q,9l

IR1, IR2: induction rules of DC, 45

- L3: axioms of IL, 27 LDI: linear duration invariant, 133 ,LF: lirrrrar firnction (in LDI), L33

L1

M:

rrronol

6l'r

otrililt,

irrli'r'cncc rrrlc

software engineering, 19

RDC: resfticted duration calculus, 99 RDCt(r), RDCz, RDCs: subsets of

TL: sel of valid IL formulas, 89 ILa.: DC instances of LL, 89 IL: interval logic, 23

J,M: Lcrrrrrnir,

R: axiom of [L,27 RAIStr: rigorous approach to industrial

DC formulas, 111 requirement of every process on every prefix interval, 73 reqr: requirement ofp; on an interval, -Req:

iJ

requirement of pr on all prefix intervals, 73 Il,urri: 2r is nrnning, 68 -Reqo:

ol ll,, ,9,'/i,:

sllrr',Irrlrrr sptx'ifir';r,l iorr, 7(i

240 SDC1

Abbreviations

- SDCT:

axioms for suPerdense

state transitions,

171

TLA: temporal logic of actions, TM: Theorem, 137

Symbol Index

9

ShP: shared processor, 68

SIL: signed interval logic, 17 Spec: assumptions in Liu and Layland's theorem, 78 ST1 ST4: axioms of state transition calculus, 154 Stdl: pr; has a standing request, 68

Urg,,: p; is more urgent than P;, Urgi,nt: urgency of processes. 74 $7,:

IL encoding of

68

@, 91

[-]r.., [-n:

/': meaning of n-ary function symbol, -25

Program semantics, 180

fl-l: point interval, 44 [.9]: .9 holds throughout nonpoint

FSymb: set of global function symbols,

interval, 44 [Sl': ,5 holds for interval of length

r)0,115 [Sl': S holds

for interva] of length r,

23

G": n-ary relation symbol, 23 G": meaning of n-ary relation symbol, 25

L23

ihe smallest integer greater than or equal to r,7l lrl: the la.rgest integer not exceeding $, 7L n: for all subintervals, 24 !o: for all prefix intervals, 39 O: for some subinterval, 24 Oo: for some prefix interval, 39 Q: for some left neighborhood, 191 Oi: for some left neighborhood of the end point, 192 O,: for some right neighborhood, 191 Of : for some right neighborhood of the sta,rt point, 192 r: superdense chop modality, 169

frl:

-:

chop,24 ^: concatenation of sequences, 133, 176 { -L: contraction closure of -L, 106 { S, t S, J5, T,9: transition formulas, 150 \S,lS, \ S, I S: transition formulas,

GVar: set of global variables,

23

Z: interpretation (duration calculus), 42

I,V,lb, e] I 6: semantics of formula,

43

Z[@]: semantics of formula, 43 Ilntv: set of all intervals, 25

.7: interpretation (interval logic), 25 J ,V,lb, I Q, semantics of a formula, 26

"]

.7[/]: semantics of a formula, ./[d]: semantics of a term, 25

26

.72: induced interpretation, 43

,La: regular language of A, 132 l: interval length. 23. 25 lotu: lower-bound timing constraint,

r32

M: two-counter machine,

114

N: set of natural numbers,

61

148

/5: state duration, 41 0: empty sequence, 176

:irl:

equivalence with respect

to

a

linear duration invariant, 135

I I

Qt d is valid, 26 Q: $ is provable, 29. 46

A: real-timc automaton,

132

C,

T, D: tttorlnlil,ics,

!"

rg" r,, ,i tf-Rt'y l\tttt'l,iott nytrtlrols, 2ll

190

P,Q, R,. . .: state variables,

?: parallel

41

process, 175

PA: probabilistic automaton, 210 PLetter: set of temporal propositional Ietters, 23 IR: real numbers, 24 R,Sym,h: sct of global

relation symbols,

23

,9: rrl,trl,e (rxl)r(!HHiolr

4l

242

Symbol Index

X,Y,. ..: temporal propositional letters,

,92: meaning of state exPression, 42

5: sequential process, ,Seq:

Index

175

untimed sequence of transitions'

fr ,.U,

z,...:

(global) variables, 23

132

SVar: set of state variables, 41

7:

f

set of transitions, 132

e:

lfime: time dornain, 4, 42 Trace: set of traces, 176 ?Seg: timed sequence of transitions,

r32 132

V: exclusive and complete set of state variables,211 Vt: set of all state sequences of length

t,2I3

V: value assignment, 25 u,u' ,, ..: temporal variables, 23 Val: set of all value assignments, 25 tr7: meaning of temporal variable, 25 XJr: meaning of temporal propositional letter, 25

f,29,

16

0: term,23 ttGt)lt], satisfaction probability of Q at

tine t,2t4

TVar: se| of temporal variables, 23 zp: upper-bound timing constraint,

F @: deduction of / from empty sequence, 132

p

:

(Pt., P1):

transition of real-time

automaton, 132 |-: pre-state of transition, 132 p-: post-state of transition, 132 o: computation of two-counter machine,

abstract doma,itt, 20, 20i|

completeness for abstract domain, 20

- semantics tlf rlur;rl ions, 203 adequacy of rruigltlrollrro
-

193

assumption-txlrrttttil,ttttrttt logic, 20 automaton, 9, 2(), l{)1, 146, 160

continuous tirtur lrrolrabilistic, 210 hybrid, 20, 144, l1)0

113

o: state sequence of probabilistic automaton, 212

r:

phase,105

probabilistit:, 16, 209

single-step probability transition

tion, 211 re: initial probability mass, fun<

211

211

constraint diagram,

19

19

continuity, l80 continuous time, 3,

100

axioms

-

duration ca,kltlus, interval logic, 27

neighborhoorl logi<:, 195 probabilistir:
2t6,2L8

basic coniunct, 102 Boolean state, see state bounded liveness, 187 bounded termination, 185 calculus

duration,

duration calculus, 40 probabilistic duration, 215 state transition, 1,47, 153, 157, L70 - superdense state transition, 170, 173 channel, I 75 see

channel variables, 176 chop, see modality, chop chop free, 28, 34 combine law, 167 cornrmrnicating sequential processes, 9,

l0 r:otn plr,l

4t

t'

contraction closure, see language contraction-closed language, see language

45

state transition <:illculus, 153, 157 superdense statc transitions, 171

-

languages),135 consistent state, see state

programma,blrr logi<: trtrrtroller (PLC),

real-time, 21., l2l-r, 131 timed, 7, 20, 131 , l,44

6,4,, q,. . .: formulas, 23

duration calculus, 20,97,204 interval logic, 20, 34,203 - neighborhood logic, 20,20L,203 complexity, 109 concatenation, 176 - of languages, 103 congruent equivalence (of regula,r

r'oI lt.r:l,iorr o{t st;a,tc
counter machine, 113 CSP, see communicating sequential processes

DC,

see duration calculus deadline, 69 deadline-driven scheduler, L, 4, 6, 67

decidability (of duration calculus),

99,

109

continuous time, 106 discrete time, 102, 106 decision procedure, 20

deduction duration calculus, 46, 48,90 interval logic, 28, 90 - neighborhood logic, 196 deduction theorem, 48 - duration calculus, 204 interval logic, 31 - neighborhood logic, 201

-

neighborhood-logic-based D C, 204 delay

inertial,153

- transmission,

153

clcliw-inscnsitivc <;irr:rrits, 206

d-firnr:tirttt, Il'r,

I4l-r

244

Index

Index free

density, 202

density funt:tion, 210 dependability, 16, 209, 226 discrete time, 3, 100

duration,

'

implementables, 20 probabilisttt'., 22, 209 RDC r(r), lll RDC z, Itl 111

variable, 23 25,176 113

Esterel, 1.9, 167 event, 4, 14,145 expansion-closed language, see language see

expressiveness

189

97, 110, 159, 168, 203 Fischer's mutual exclusion protocol, 19'

interpretation

-

integer programming, 20, 144

109 180

flexible {brmula, 27 terrr.,27 formula duration calculus, 43 interval logtc,23,26

-

neighborhood logic' 191 probabilistic duration calculus, 215 state transition calctrltrs, 118' 150, 170 sttpct rltrttsrr sl it,l't' I

i'l)

It

ilrlsil iott t:;ll< ttltts'

'

Liu and Layland's Theorem, 76

logic

mixed integer programming problem,

t44 modal logic, 10,

modality,

partition,

closed, 70 discrete, 99, 102, 213 infinite, 18, 190 left open, 70 lr:ngth, 70, 77, 23 l
opctt, 7{l lrlllix, lll). l:t, ll):l

29

10

chop, 11, 12, 17,24,26,157, 169, 170, 189, 190, 193

107

9

-

chop (discrete time), 99 contracting, 12, 17, L89 expanding, 12,17, I90 191

superdense chop, 17, 18, 169, 170 moda,lity licc, 196 rrrr,,lcl clrcr'ltitrg, 2(1. I25

;r olrct;tl.ot, lll rr:rl

rtr;rl tttttrrl'r'lr. (il

semantics, 19, 180

.. specification, 19, 185 states,176 variables, 175 verification, 19, 188 proof, 34 duration calculus, 46 interval logic, 28 neighborhood logic, 196 proof assistant, 20, 109 proof system duration calculus, 45 interval logic, 27 neighborhood logic, 194 neighborhood-logic-based DC, 204 probabilistic duration calculus, 216,

interval, 10, 190, 193 neighborhood, 13, 16, 17, 190, subinterval, ll,12,24

probability function, 212 probability matrix, 219 refinement, 19, L67

Markov property, 210 matrix scalar product, 219 mean value, 15, 745 metric temporal logic, iee temporal

211

predicate logic, 28, 34, 196 prefix interval, see interval probabilistic automaton, see automaton probabilistic duration calculus, 22, 215 probabilistic space, 213 program

liveness, 12, L3, 185, 204

discrete, 99, 102, 213 duration calculus, 42, 93, 96 interval logic, 25, 96

interval,

1"34,

143

2L6, 2t8 superdense state transitions, 171

periodic request, 69 phase automaton, 105 PLC automaton, 19 post-state, 126, I32 pre-state, 126,132 precedence, 24

sequence,134

neighborhood logic, 195 probabilistic duration calculus, 210,

infinite terrr, 136 infinitude, 202 initial probability mass function,

10

linear programming, 20, 126, I28,

45

175

partial correctness (of program), 185 pzutition of an interpretation, 107

135

hypothesis,45

L42

parallel processes,

satisfied or violated by arr untimed

base case, 45

l4l,

occAM, 19, t75 o'-rrrle, 20, 97, 203, 201

satisfied or violated by an automaton,

mles, 45, 90, 97, 203

weak, 205

203

language contraction-t:los
induction

fault tree, 19 finite alternation, 46 finite divergence, 77, 167 finite terrn, 136 finite variabiiitv, 15, t7, 42, 44, 45, 50,

fi.xed point,

136,

Kripke model,

implementables, 20

-

NOR circuit, 152 normal fbrm (of regular expression),

iteration operator, l8

sequence, 134

153 inference rules, 27

strong, 205

non-Zeno phenomenon, 15 nonelementary complexity, 109

.- satisfied or viol:r,ted by a timed

inertial delay, fairness, 12, I3r 201

variable,9

135

hybrid automaton, see automaton hvbrid statecharts, see statecharts hybrid system, 3, 9, 16 19, 190

letter,

neighborhood logic, 13, 189

linea,r duration inv:rriant, 125, 133 satisfied or violatcd by a language,

16

Hoare logic, 20

-

168, 190

suffix, 193

length,

Heine Borel theorem, 93

embedded systern, see hybrid svstem equivalence of DC formulas, 46

.- of chop-based interval logic, of discrerc RDC, 101

91

history independence,

neighborhood, 148, 151, 157, 159, 165,

70

signed int
Isabelle, 20

gas burner, 2,5,7, B, 10, 13, 44, 60, 101, 105, 1.25,146,160, 209, 2lL,219 global - function, 23, 24 relation, 23, 24

I{-triple,

explicit clock temPoral logic, temporal logic

see global

halting problem,

right opcn,

interval logic, sr:c irttclva,l

closed language, see language

function,

-

RDCs' 1I1 restricted (R.DC)' 99, toois, 20

-

r in 0,28, 34 X in $(X), 47

variable, 27

fully

see state

duration calculus, 3, t4,40 " applications, 18 - based on neighborhood logic, 204 discrete time,99 ' higher-order, 18, 20

*

for for

245

218

state transition calculus, 154, I57 superdense transitions, 171 punctuality) relaxing the, 118 PVS, 20 rlrr;r.rrl,ililr, 2ll, l|,1 lrisl ( l), ll l

246

Irrdcx

Index

for all (V),

24

global variable, 28 state variables, 177

RAISE,

-

superdense chop, 170 superdense state transition calculus,

19

readiness variable, 176 real analysis, 6, 16, 190, 191 real arithmetic, 24, 28, 34, 89, 196, 207

real time, 3 real-time automaton, see automaton real-time logic, 7 real-time prograrlming, 18, 167 real-time scheduler, 19 real-time semantics, 19 real-time specification, 19 real-time system, 1, 14, 18, 145, 148,

170

temporal propositional letter, 25 -- temporal variable, 25, 4I, 42

-

saquential processes. I 75 shared processor, 68 signed interval logic (SIL), see interval, signed interval logic single-step probability transition

function, soundness

state transition calculus, 159 restricted duration calculus (RDC), duration calculus

Boolean,4,

formula, 27, 35

-. tetm,27

stablility, 14, 165, 169 - superdense transition, 165, 170 -- transition, L4, 16, 1,32, 1.45, 149, 165, 189, 204

safety, 12, 189 satisfzr,ction probability,

2

-

13

satisfiability discrete time, 100

duration calculus, 43, 44,69,

111,

114, 118, 122, 125

interval logic, 26 neighborhood logic, 192 prefix intervals, 43 state transition calculus, 148 SDL, 19 semantics chop, 26

duration calculus, 41 formula (duration calculus), 43 interval logic, 24 inttrrva,l logi<:, t
l1) l

sl;tlc rlttt;rl.iorr. lll, il{lil

variable, 41, 43,68, L77 state transition, see state state transition calculus, 117, L53,157 state variable, 93 statecharts, 9, 167

hybrid, 190 structural induction,

94

srrperdense chop, see modality

superdense r:omputation, 17, 19, 166 superdcnse state transition, 165, 170 calculus, 170, 173 synchrony hypothesis, 17 syrrtax

dttration

<:a,l<:trhrs,

4.1

irrtcrval logi<:, 2li ttcigltlrorlrrtotl lol1ir:, ll)l plol,;rlrilisl ic rlrtt irl iorr r';tL ttlrts, sl;rll lr;rrlrili,rtr r'ltI ttltl;, I IX

170

temporal logic

explicit <:locli, i -. metric, 7 of actirirrs, f), ll){)

machine

temporal lxoposililrr;rl lcl lr,r, 23 temporal vari:rlr[,, :l:t, :1.1. ll, .,12, 89, term interval logir', 2ll, 2 l, 23

undecidability, Il7, 125 continuous time, 112 discrete time, 112

91

superderrsrr Lr';r,rrsil iorr cirlt:rrhrs, 170

untimed sequence,

validity

terminatiorr, llllr

-

theorem

duration r:alr:rrlrrs, .l(i, 5l -- interval lotl lo11ir',

I

132

{Xi

41

-

continuorrs time, 106 discrete time, 100, 106 duration calculus, 43, 44,69, 111, 114, 118, 122, 1.25

interval logic, 26 neighborhood logic, prefix intervals, 43

192

RDC,IO4 state transition calculus, 148 value assignment, 25, 170

z-equivalent, 25 variable, see global Verilog, 19

upper bourr<1, lil2

sequence, 212

,27

transition, see state, transition transition formula, 147, 1,48, 150, transmission delay, 153 two-counter machine, see counter

lower bourrl, li12

14

-

s4,29

;rrrsil iorr r:alculus,

timed sequ
distance between, 7 duration, 6, 10, 17, 41, 42, L70,203 expression, 41, 42, !77 real, 5, 14, 16

rigid

r

timed

consistent, 1,71, L72, 174 see

I

time (in rela,tiorr l,o sl,;rlc va,ria,bhs), time unit, 100, 102 timed autolt:rton, sr r' :r.rrl,otraton,

duration calculus, 45 47 interval logic, 29 neighborhood logic, 196, 203 - state transition calculus, 159 stability of state, 14, 165, 169 stable, 169 state, 4

19

regulir,r language, L02, 129, 131, 132 relation, see global relative completeness, 20, 204 duration calculus, 45, 89, 96, 97

S'

211

software-embedded system, see hybrid system

166, 209

real-time verification, reduction, 135 refinement, 20 regular context, 135

superclctrsc sl ;rl.r' L70

state expressir:n, 42 state transition calculus, 148 state variable, 41

217

12

I

5

TLA,

see

tcrrlrourl logir:, of actions

tools, 20 trace variabl
176

r-equivalence of value assignment, 25 Zeno phenomerot, L7, 167