Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time Jean-Francois Raskin and Pierre-Yves Schobbens Computer

Transcription

1 Facultes Universitaires Notre-Dame de la Paix Namur, Belgium Institut d'informatique Rue Grandgagnage, 21 B-5000 Namur BELGIUM Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time Jean-Francois Raskin and Pierre-Yves Schobbens RP December 1996 Phone: Fax:

2 Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time Jean-Francois Raskin and Pierre-Yves Schobbens Computer Science Institute, University of Namur Rue Grandgagnage 21, 5000 Namur, Belgium Tel: Fax: Abstract. In this paper we study two possible semantics for the realtime logic MTL (Metric Temporal Logic). In the rst semantics, called dense time semantics, time is modeled by the positive real numbers. In the second one, called ctitious clock semantics, real-time information is delivered by a global ctitious clock. We show that the ctitious clock semantics can be viewed as an abstraction of the dense time semantics. This abstraction relation is formalized by a parametric conservative connection. This formalization can be used to partially decide undecidable problems in the dense time semantics by reasoning on the ctitious clock semantics. 1 Introduction It is now widely recognized that the use of formal methods is very useful (and often necessary) for developing correct concurrent and reactive systems. This observation is still clearer when dealing with real-time and hybrid systems. One of the favorite formalisms to specify and verify concurrent systems are temporal logics. Temporal logics [10, 17] are modal logics that enable the expression of properties about a.o. the ordering of events in executions of concurrent programs [14]. These logics are more and more used as tools for the verication of concurrent nite state programs [11, 6]. The properties that can be expressed in temporal logics are qualitative constraints about the ordering of events; quantitative timing constraints cannot be expressed. Logics that are able to express quantitative requirements are called real-time logics [5, 4]. Real-time logics have received a lot of attention from the research community since the early 90s [13, 4, 5, 2, 3]. The formulae of a linear real-time logic are evaluated in timed sequences of states. There are two main ways to introduce real-time information in sequences of states, giving two dierent semantics for real-time: { dense time semantics: in this framework an interval of the positive real numbers is associated to each state of the sequence; { ctitious clock semantics: a global ctitious clock generates special events, called ticks, at a xed rate. The granularity of the real-time information depends upon the rate of the clock.

3 Intuitively the ctitious clock semantics is a kind of abstraction of the dense time semantics: roughly, the dense real-time information is rounded by the clock rate. This paper is devoted to the study and the formalization of this relation between the two semantics. An appropriate mathematical framework to relate semantic domains is abstract interpretation [7, 8]. In abstract interpretation an abstract domain is related to a concrete domain by a Galois connection [9]. Properties of Galois connections are used to conduct analysis in the concrete domain by computing in the abstract domain. To formalize the relation between the dense time and the ctitious clock semantics, we use a variant of a Galois connection. By similar principles we show that it is possible to partially decide the model-checking and satisability problems in dense time semantics by computing in the ctitious clock semantics. Dense time logic is an adequate formalism at the specication stage, while ctitious clock logic deals easily with implementations. The formalization of the relation between the two semantics is thus also useful to ensure a proper transition. The rest of this paper is organized as follows: section 2 introduces the two semantics of real-time and their respective logics: MTL DT for the dense time and MTL FC for the ctitious clock. Section 3 develops some denitions of the theory of abstract interpretation and applies it to formalize the relation between the two semantics. Section 4 shows how to partially decide whether a given dense time formula f is satisable by deciding the satisability of a related ctitious clock formulae # f or " f. Section 5 extends the approach to partially decide the model-checking in the dense time semantics. Due to the lack of space, the proofs are not presented in this paper, the interested reader can nd them in [16]. 2 The two semantics and their logics 2.1 The dense time semantics In the dense time semantics, time is modeled by the real numbers 1. State evolves with time: we represent this by a function from instants, i.e. real numbers, to states. As we are interested in discrete event systems, i.e. systems that evolve from state to state by non continuous changes, we can pair each state s of the system with the interval of time during which the system remains in this state s. A model of a system execution is an innite sequence of couples (s i ; I i ) where s i is a description of the system state and I i is the interval of real time during which the system remains in the i th state of the system. It is clear that this numbering is only conventional, hence repetition (stuttering) of states is irrelevant. Notation. Let I be an interval, i.e. a non-empty convex subset of the positive real numbers R + : l(i), respectively r(i), denotes the left, respectively the right, end bound of the interval I. 1 Note that the rational numbers can also be used; the property needed is the denseness of the domain, i.e. between two time points there is always a third point.

4 Denition 1. I m 0 ; Im 1 ; : : : ; Im n ; : : : is a sequence of intervals that partitions R + i: 1. 8i 0 r(i i ) = l(i i+1 ) and I i T Ii+1 = ;; 2. S i I i = R +. The second point of the denition ensures that the time has no bound. It excludes executions where the system executes an innite number of changes in a nite amount of time. This is called \non-zenoness" property [1]. Denition 2. A dense time model m is an innite timed sequence of states m = (s m 0 ; Im 0 ); (s m 1 ; Im 1 ); : : : ; (s m n ; Im n ); : : : where s m i is a subset of the propositions (P), i.e. s m i P, that are true in the i th state of the model m and Ii m the interval of real time during which the model m stays in the i th state. Furthermore, I m 0 ; Im 1 ; : : : ; Im n ; : : : forms a sequence of intervals that partition R +. Let us note that a dense time model can also be viewed as a function from R + to 2 P. We have dened the models of the dense time semantics. We can now dene the logic MTL DT [5, 13]. Denition 3 MTL DT syntax. A formula of MTL DT is composed of propositional symbols p; p 1 ; p 2 ; : : : ; q; : : :, the usual boolean connectives _ and :, the qualitative temporal operator \Until" (U) and the quantitative temporal operators \bounded Until" (U c ). A well-formed formula of MTL DT satises the following syntactical rule: F ormula DT ::= p j f 1 _ f 2 j :fjf 1 Uf 2 j f 1 U c f 2 Where 2 f<; ; =; ; >g, p 2 P, f; f 1 ; f 2 are well-formed formulae of MTL DT and c 2 Q + To dene the semantics of the MTL DT logic elegantly, we dene the notion of f F ine model, adapted from [1]. In the following denitions, we note m j= DT f to express that m is a model of the SC formula f, (m; i) j= DT f to express that f is veried in all points of interval I m i, (m; i; t) j= DT f to express that f is veried at time t 2 I m i of m. Denition 4 f Fine models. For a MTL DT formula f, a timed state sequence m = (s; I) is called f F ine i for all i 0, for all sub-formulae f 1 of f, for all t; t 0 2 Ii m : (m; i; t) j= DT f 1 i (m; i; t 0 ) j= DT f 1. It is important to note that every model m can be rened in a f F ine model. It can be shown that a MTL DT formula is satisable i it has a f F ine model. The model m in the following denition, without loss of generality, is considered to be f1 F ine and f2 F ine 2. The semantics that we give to MTL DT presents some 2 Let us note that denition 4 and 5 are not cyclic since every timed sequence of state is propositions-fine.

5 subtle dierences from the usual semantics as given in [5]. Our semantics of the U operator is invariant to the fact that intervals are open or closed, see [16] for details. Here is our semantics: Denition 5 MTL DT semantics. A MTL DT formula f holds in a dense time model m at real-time t 2 I m i, noted (m; i; t) j= DT f, i (by recursion) : { (m; i; t) j= DT p i p 2 s m i for p 2 P; { (m; i; t) j= DT f 1 _ f 2 i (m; i; t) j= DT f 1 or (m; i; t) j= DT f 2 ; { (m; i; t) j= DT :f i (m; i; t) 6j= DT f; { (m; i; t) j= DT f 1 Uf 2 i 9j i such that 1. (m; j) j= DT f k : i k < j : (m; k) j= DT f 1 { (m; i; t) j= DT f 1 U c f 2, with 2 f<; g, i 9j i such that 1. (m; j) j= DT f k : i k < j : (m; k) j= DT f t 0 2 I m j : t 0? t c; { (m; i; t) j= DT f 1 U =c f 2, i 9j i such that 1. (m; j) j= DT f k : i k < j : (m; k) j= DT f 1 3. either : 9t 0 2 I m j : t 0? t = c and (m; j) j= DT f 1 ; or l(i m j )? t = c and l(im j ) 2 Im j. { (m; i; t) j= DT f 1 U c f 2, with 2 f>; g, i 9j i such that 1. (m; j) j= DT f k : i k < j : (m; k) j= DT f 1 3. either : 9t 0 2 I m j : t 0? t c and (m; j) j= DT f 1 ; or 8t 0 2 I m j : t 0? t c. A formula f holds in a model m, noted m j= DT f i (m; 0; 0) j= DT f; this is the anchored interpretation [1]. As usual we can dene abbreviations: f 1 ^ f 2 :(:f 1 _ :f 2 ), > :f _ f,? :>, f >Uf, f ::f, cf >U c f, cf :c:f. Example 1 Some MTL DT formulae. In the intuitive readings below, we consider that p and q are state formulae and that the time unit is seconds : { (p! 2q). A p state is always followed by a q state within two seconds (bounded response time). { (:2q). q is never true during two seconds consecutively. { (p! =3 q). A p state is always followed by a q state exactly 3 seconds later (exact response time).

6 We will now study \stuttering". It allows a simplication of the formalization of the relation between the dense time and the ctitious clock semantics. A step is a stuttering step if it links two successive identical states. Two models are stuttering equivalent, noted Stutt DT(m 1 ; m 2 ), if m 1 can be obtained from m 2 by deleting and adding stuttering steps. Stutt DT is an equivalence relation and denes classes of equivalent models. Theorem 6. MTL DT is invariant to stuttering: Stutt DT(m 1 ; m 2 ) ) 8t 0 ((m 1 ; t) j= DT f, (m 2 ; t) j= DT f) MTL DT is undecidable [4]. 2.2 The ctitious clock semantics Fictitious clock models are innite sequences of states, where each state has a time-stamp which is a natural number. A global clock generates special periodic events called ticks. Those ticks indicate that time has increased of one time unit. Example 2. To illustrate the notion of ctitious clock model, let consider the following sequence of states:! fpg 3! fp; qg 3! tick fp; qg 4! fpg 4! tick fp; qg 5! In this example the rst two states are labeled by the time-stamp 3. When the system is in the second, a tick takes place, time has increased of 1 time unit i.e. the time-stamp of the third state is 4. We avoid the introduction of events in the models for simplicity and adopt the following convention: if the time stamp of two adjacent states are dierent, then the special proposition tick is true in the rst state. With our convention, the sequence of example 2 is represented by:! fpg! fp; q; tickg! fp; qg! fp; tickg! fp; qg! Denition 7 Fictitious-clock model. A ctitious clock model h is a innite sequence of states h = h 0 ; h 1 ; : : : ; h n ; : : : where h i is the subset of the propositions that are true in the i th state of h and contains the special proposition tick if the global clock produces the special event tick just after the i th state. Furthermore there are innitely many h i such that tick 2 h i. (non-zenoness). Denition 8. The time dierence function between the i th state and the j th state of a ctitious clock model h is:td(h; i; j) = ]fk j i k < j : tick 2 h k g. The syntax of MTL FC is as for MTL DT. Nevertheless, to show the intended meaning, we use in MTL FC temporal operators decorated with : U; e U e c ; ; e. e Denition 9 MTL FC semantics. A MTL FC formula f holds in a ctitious-clock model h at state i 2 N, noted (h; i) j= FC f, i (by recursion) :

7 { (h; i) j= FC p i p 2 h i for p 2 P; { (h; i) j= FC f 1 _ f 2 i (h; i) j= FC f 1 or (h; i) j= FC f 2 ; { (h; i) j= FC :f i (h; i) 6j= FC f; { (h; i) j= FC f 1 e Uf 2 i 9j i such that: 1. (h; j) j= FC f k i k < j : (h; k) j= FC f 1 ; { (h; i) j= FC f 1 e U c f 2 i 9j i such that: 1. (h; j) j= FC f k i k < j : (h; k) j= FC f 1 3. TD(h; i; j) c; A formula f holds in a model h, noted h j= FC f, i (h; 0) j= FC f; this is the \anchored interpretation". Denition 10. A step h i ; h i+1 in a ctitious clock model h is a stuttering step i tick 62 h i and h i = h i+1 r ftickg. Two ctitious clock models are stuttering equivalent, noted Stutt FC(h 1 ; h 2 ), if they only dier by stuttering steps. Theorem 11. MTL FC is invariant to stuttering: Stutt FC(h 1 ; h 2 ) ) ((h 1 ; 0) j= FC f, (h 2 ; 0) j= FC f) Example 3 Some MTL FC formulae. The formulae of example 1 have now a different meaning: { e (p! e 2q). A p state is always followed by a q state before the clock ticks 3 times. Thus this constraint is weaker than the corresponding dense time constraint. { e (: e 2q). At every instant, q will become false before the clock ticks 3 times. { e (p! e =3 q). A p state is always followed by a q state between the 3 rd and the 4 th tick of the clock following the p state. The satisability and model-checking problems of MTL FC are decidable. 3 Fictitious clock as an abstraction of dense time 3.1 Introduction A general and elegant framework to relate semantic domains is abstract interpretation. In abstract interpretation terminology, the values of a concrete domain C are related to the values of an abstract domain A. This relation is formalized by two functions: { the abstraction function that associates to each concrete value c its best approximation (c) in the abstract domain;

8 { the concretization function which maps each abstract value a to its concretization (a) in the concrete domain. Here the concrete values will be sets of dense time models and the abstract values will be sets of ctitious clock models. We concentrate now on the mathematical background underlying abstract interpretation. To be useful, the functions and must have particular properties: Denition 12 Conservative Connection. R = hc ; vc ; A ; va ; ; i is called a conservative connection if the following conditions are satised: 1. The pairs hc ; vc i and ha ; va i are partially ordered sets; 2. The functions : C! A and : A! C are monotone; 3. For every c 2 C, c vc ((c)); In abstract interpretation Galois insertions are usually used instead of conservative connections. Galois insertions have the additional property that ((a)) = a, which intuitively means that the abstract domain is in some sense minimal. We do not have this property in our framework because the abstract domain is imposed. Theorem 13. If R = hc ; vc ; A ; va ; ; i is a conservative connection then (c) va a ) c vc (a) Usually, the concrete and abstract domains are sets of sets of concrete and abstract values. In this context, each element of 2 C represents a concrete property and each element of 2 A an abstract property. 3.2 Formalizing the abstraction relation In this subsection we dene formally the relation between the dense time and the ctitious clock semantics. We use an abstraction and a concretization function. Denition 14. The concrete domain is the set of sets of dense time models (2 M DT); on this domain the relation v DT is dened as follows: C 1 v DT C 2, 8c 1 2 C 1 9c 2 2 C 2 : Stutt DT(c 1 ; c 2 ) Denition 15. the abstract domain is the set of sets of ctitious clock models (2 M FC ); on this domain the relation vfc is dened as follows: A 1 v FC A 2, 8a 1 2 A 1 9a 2 2 A 2 : Stutt FC(a 1 ; a 2 ) Before going into details, let us precise the intuition behind this relation. In the ctitious clock semantics, a global clock delivers information through ticks. The rate of this clock, noted, is the real amount of time that separates two ticks. gives the granularity of time in ctitious clock models: the dierence between two instants is rounded by the rate of the clock. Between two ticks we only know the ordering of states in the sequence and that the dierence between two instants in that interval is inferior to the rate of the clock.

9 Example 4. Let us consider this fragment of a ctitious clock model h =! tick fpg! fqg! tick between the two ticks we have no information about the real-time. We do not know how long the system remains in state fpg, we only know that it evolves to state fqg before the following tick of the global clock. Furthermore, when the system is in a given state, we do not know the exact amount of time it will take for the next tick to be produced. It is only known that this delay, noted d in the sequel, is strictly inferior to the rate of the clock (0 d < ). To relate the two semantics, we will dene the behavior of a ctitious clock in the dense time semantics. If we consider a model m at time t the behavior of a particular clock is determined by the delay that separates t of the following tick of the clock and the rate of the clock. The behavior of the clock is determined in the sense that with d and we can predict the exact time of all the following ticks. We can now dene a function which, given a dense time model m (concrete model), returns the ctitious model that is its abstraction for a given global clock of delay d and rate. To dene the function in an elegant way, we rst put the model in \sliced" form: Denition 16 S d;. A dense time model m respects the slicing induced by the clock of parameters (; d), noted S d; (m) i the following is veried: 8n 0 9i 0 : r(i m i ) = n + d Theorem 17. 8m 2 M DT 8d0 d < 9m 0 2 M DT : S d; (m 0 )^Stutt DT(m; m 0 ) As stated by the theorem 17 every dense time model m has a stuttering equivalent model m 0 which respects the special form imposed by a particular clock (d; ). We can now dene the function that abstracts a given dense time model for a particular clock: Denition 18 TickIn d;. The predicate TickIn d; has the following denition: TickIn d; (I m i ), 9n 0 r(i m i ) = n + d Denition 19 Function f d; DT!FC. The function f d; DT!FC : M DT 6! M FC is a partial function which maps a dense time model m to its abstraction, a ctitious model h. The partial function is dened as follows: 8m 2 M DT S d; (m) : h = f d; (m) DT!FC, 8i i 0 : (TickIn d; (Ii m )! h i = s m i [ ftickg ^ :TickIn d; (Ii m )! h i = s m i ) We can also dene the relation which exists between a ctitious clock model h and its possible concretizations for a particular clock:

10 Denition 20 Relation R d;. The relation Rd; : M FC!DT FC!DT FC M DT relates a ctitious clock model h to its corresponding dense time models for a given clock (d; ): 8m 2 M DT S d; (m) 8h 2 M FC : R d; d; (h; m), h = f (m) FC!DT DT!FC We can now dene the abstraction and concretization functions. Those functions are extensions of f d; and Rd; to sets of models. They will be DT!FC FC!DT parameterized by the clock rate, but the parameter d of the clock will be considered as unknown to t with the semantics of formulae, we only can state that 0 d < : Denition 21. The abstraction function is a function which maps a set of dense time models C to its best approximation A, a set of ctitious clock models, for a given clock rate. a 2 (C) i 9c 2 C 9d 0 d < 9c 0 2 M DT S d; (c 0 ) ^ Stutt DT(c; c 0 ) ^ a = f d; DT!FC (c0 ) Denition 22. The concretization function is a function which maps a set of ctitious clock models A to its corresponding set of dense time models C for a given clock rate. More formally : : 2 M FC! 2M DT and c 2 (A), 9a 2 A 9d 0 d < : R d; (a; c) FC!DT Theorem 23. The concrete domain 2 M DT is pre-ordered by v DT and the abstract domain 2 M FC is pre-ordered by v FC. h2 M DT ; v DTi and h2 M FC ; v FCi are pre-ordered sets, they are not partially ordered as it is required by the theorem 3 to obtain a conservative connection. However the preorders v DT and v FC are constructed with equivalence relations Stutt DT and Stutt FC. Those two relations induce the denition of equivalent classes of models in the two semantics. Sets of those classes are partially ordered by the set inclusion relation. It can easily be shown that monotonicity of and on those preorders induce monotonicity of and on the partially ordered sets (A ; C ) of sets of classes induced by the relations Stutt DT and Stutt FC. In the sequel, for simplicity, we will work directly on the preorder instead of on the partially ordered sets of classes. This is equivalent as the two logics are invariant to stuttering. Theorem 24. The structure R = h2 M DT ; v DT; 2 M FC ; v FC; ; i is a conservative connection. Corollary 25. As the structure R = h2 M DT ; v DT; 2 M FC ; v FC; ; i is a conservative connection, we have that: 8 > 0 8C 2 2 M DT ; A 2 2M FC : (C) v FC A ) C v DT (A)

11 3.3 Order of approximations In abstract interpretation, a value a of an abstract domain A is an approximation of a value c of an concrete domain C i c vc (a). A notion of order of approximation can be dened as follows: Denition 26 Order of approximations. An abstract value a 1 is a better approximation for the value c that the abstract value a 2 in the connection induced by (; ) i: 1. c vc (a 1 ) and c vc (a 2 ) 2. (a 1 ) vc (a 2 ) This order can be directly applied to our parameterized connection ( ; ). More interesting is the notion of precision induced by the parameter of the connection. It seems intuitive to assert that if an abstraction is obtained by a more precise clock ( 1 < 2 ) then this abstraction is more accurate. Formally, this is stated by 1 < 2 ) 1 ( 1 (c)) v DT 2 ( 2 (c)). But this assertion is not valid. Let us consider the following counter example: Example 5. Let m be the following model: m = (fg; [0; 8))(fpg; [8; 8])(fg; (8; 16))(fpg; [16; 16]) In m, the proposition p is true at each multiple of 8. Let C be the singleton fmg. If we choose 1 = 7 and 2 = 9 ( 1 < 2 ) we have that: { 2 (C) j= FC e e 1p. In fact, as in m there is a p at each multiple of 8, two consecutive p states are at most separated by 1 tick. This implies that 2 ( 2 (C)) j= DT <18p. { 1 (C) j= FC e e 2p. Furthermore, as in m p is true at each multiple of 8, there is a clock (d 1 ; ) such that h = f d; (m), with: DT!FC h = fg! tick fg! tick fpg! fg! tick fg! fpg! fg! tick this model is obtained by the clock d = 0 and = 7. Now we can easily see that the model m 0 m 0 = (fg; [0; 6))(fg; [6; 13])(fg; (13; 20))(fpg; [20; 20])(fg; (20; 27]) can be obtained by concretizing the model h with a clock d = 6, = 7. Thus m 0 belongs to 1 ( 1 (C)). Clearly there is no model m 00 equivalent to m 0 modulo stuttering steps that belongs to 2 ( 2 (C)), as in this set all models respect <18p, which is not the case of m 0. Thus, we have that 1 ( 1 (C)) 6v DT 2 ( 2 (C)). To rene the approximation we must strengthen the requirement. The following theorem establishes that we obtain a renement if 2 = 1 n, for n > 0. Theorem 27. If we have that 1 = 2 n, with n 2 N+ then we have that:

12 1 ( 1 (C)) v DT 2 ( 2 (C)) In [12] Henzinger et al have studied how to use digital techniques to decide problems in the dense time semantics. Their work is not easily comparable to our because of the rather dierent semantical models used in the two works. Nevertheless we can assert that we propose a more general approach while in [12] they propose more preservation for restricted properties, i.e. digitizable properties, see the paper for details. 4 The satisability problem In this section we apply the development of previous sections. We show that it is possible to reason on the satisability of MTL DT formulae by deciding the satisability of related MTL FC formulae. The satisability problem of a formula f is to decide whether there exists a model that satises f. The satisability problem is undecidable for MTL DT but decidable for MTL FC [4]. As we have dened a formal link between the two semantics, we can use this link to infer satisability of MTL DT formulae by computing satisability of related MTL FC formulae: Theorem 28. Let f 1 be an MTL DT formula and f 2 an MTL FC formula: 1. if (Mod FC (f 2 )) v DT Mod DT (f 1 ) 3 and Mod FC (f 2 ) 6= ; then Mod DT (f 1 ) 6= ; and f 1 is satisable. 2. if (Mod DT (f 1 )) v FC Mod F C (f 2 ) and Mod FC (f 2 ) = ; then Mod DT (f 1 ) = ; and f 1 is not satisable. The theorem 28 gives us the basis for a partial automatic treatment of the satisability problem in MTL DT, provided we dene which formulae of MTL FC must be used for a given MTL DT formulae. In the point 1 of theorem 28 the formulae f 2 is a kind of under-approximation of f 1. On the other hand, in the point 2, f 2 is an over-approximation of f 1. We dene now two constructive functions: one noted ", which maps a MTL DT formula to its over-approximation in MTL FC, the other noted #, which maps a MTL DT formula to its under-approximation. Denition 29. The over-approximation " and the under-approximation # are dened inductively as follows: { " (p) = p if p 2 P; { " (f 1 _ f 2 ) =" f 1 _ " f 2 { " (:f 1 ) = : # f 1 { " (f 1 Uf 2 ) =" f 1 e U " f 2 { " (f 1 U c f 2 ) =" f 1 e U d c e " f 2 { " (f 1 U <c f 2 ) =" f 1 e U d c e " f 2 3 ModFC (f) = fm j (m; 0) j= FC fg and Mod DT (f) = fm j (m; 0; 0) j= DT fg.

13 { " (f 1 U =c f 2 ) =" f 1 e U =d c e " f 2 _ " f 1 e U =b c c " f 2 { " (f 1 U c f 2 ) =" f 1 e U b c c " f 2 { " (f 1 U >c f 2 ) =" f 1 e U b c c " f 2 { # (p) = p if p 2 P; { # (f 1 _ f 2 ) =# f 1 _ # f 2 { # (:f 1 ) = : " f 1 { # (f 1 Uf 2 ) =# f 1 e U # f 2 { # (f 1 U c f 2 ) =# f 1 e U b c c?1 # f 2 { # (f 1 U <c f 2 ) =# f 1 e U b c c?1 # f 2 { # (f 1 U =c f 2 ) = e d c e (# f 1 ) ^ e =d c e(# f 2 ) ^ e =b c c(# f 2 ) { # (f 1 U c f 2 ) =# f 1 e U d c e+1 # f 2 { # (f 1 U >c f 2 ) =# f 1 e U d c e+1 # f 2 Theorem 30. For all dense time formula f, we have: { (Mod FC (# f)) v DT Mod DT (f) { (Mod DT (f)) v FC Mod F C (" f) Corollary 31. For all dense time formulae f, we have: { if " f is not satisable then f is also not satisable { if # f is satisable then f is also satisable 4.1 An example To illustrate the applicability of the theory developed so far, we treat here an non-trivial problem which is part of the CSMA/CD protocol. This protocol is used to share an unique communication medium among several computers. The principle of the protocol is illustrated by the following scenario: Example 6 CSMA/CD. When a computer wants to send some message, it tests if the line is busy. If not, it begins to send; on the contrary, if the line is busy, the computer waits. A collision occurs when more than one computer are transmitting at the same time. The delay of propagation plays an important role in the protocol: If one station begins to send, the other stations see that the station is sending, not directly but at most time units after, where is the propagation delay. Consequently, a collision may occur between 0 and time units after a computer has begun to send. The noise of the collision can also take time units to reach the sending computer. A computer is only sure that no collision will occur after 2 time units. A sending which is interrupted by a collision is lost. The sender of such a message must know that the message was lost. We now formalize a part of the protocol in MTL DT. This set of axioms, noted S, describes the behavior of a computer taking part in the network:

14 1. :Sending Initially the computer is not sending. 2. (C! 2SeeC) A collision is always perceived within 2, 2 times the maximal propagation delay. 3. (SeeC! :EndSend) If a collision is detected then the sending is lost. 4. (SeeC _ EndSend! :Sending) If a computer ends sending or detects a collision then it does not send anymore. 5. (BeginT osend! Sending) If a computer begins to send something, Sending becomes true. 6. (Sending! SendingU(EndT osend _ SeeC)) If a computer is sending, it continues to send until it has sent the entire message or it has detected a collision. 7. (:Sending! :SendingUBeginT osend) A computer evolves to state Sending only if it begins the sending of a message. 8. (BeginT osend! :EndT osend) A sending lasts at least. 9. ((Sending ^ :C)! :CUEndSend) If there is no collision after, then no collision occur during this sending. This set of axioms denes a solution for the following requirement R: :((Sending ^ SendingUEndT osend) ^ C) expressing that a computer cannot succeed in sending if a collision has occurred during this sending. This requires that the computer is always aware of the lost of one of its messages due to a collision. In the ethernet protocol the parameters are = 25:6s and = 782s. To show that the solution proposed ensures R, we must prove that S! R is valid. Which is equivalent to show that :(S! R) is not satisable. There does not exist an algorithm to check this in MTL DT but by the corollary 31 if we can establish that " :(S! R) is not satisable for some then :(S! R) is also not satisable. We have tested the satisability of " :(S! R) with the implementation of [15]. For the parameters = 50s and also for = 150s the automatic procedure can establish the non-satisability of " :(S! R) and thus, by corollary 31, that S! R is valid in the dense time semantics. On the other hand, the validity of S! R can not be established with a clock rate = 500s: in this case, the granularity of time is not ne enough. Thus if the non-satisability or satisability of f can not be established by corollary 31 with clock rate 1, we can retry with a more precise clock rate 2 < 1. 5 The model-checking problem The model-checking problem is to decide whether a program P satises a given property expressed in a temporal logic. Here we are interested in verifying that a concurrent program exhibiting real-time behaviors veries some property expressed as a real-time logic formula. A real-time program P can be modeled by a timed automaton which denes a set of timed sequences of states: the models of its possible executions. As for the logic MTL, we can dene the semantics of timed automata in the dense time framework or in the ctitious clock framework.

15 - - l 0 l 1 l 2 x 2 x 1 ^ x 5 x := 0 fpg fqg fg I Fig. 1. Timed automaton A. A timed automata is a nite state machine augmented with clocks and clock constraints. A clock can be reset simultaneously with any transition. For instance, in the timed automaton of gure 1 the clock x is reset each time the automaton evolves from location l 0 to location l 1. In the dense time semantics, at any time t 2 R + the value of a clock is the time elapsed since the last time it was reset. In the ctitious clock semantics, the value of the clock is the number of ticks since the clock was reset. In an timed automaton, locations are decorated by: { propositions: a location l is labelled by the propositions that are true when the automaton stays in l. For instance, in location l 1 of the automaton of gure 1, the proposition q is true. { clock constraints: those constraints impose real-time requirements on the behavior of the automaton. In our example, the automaton can stay in location l 2 only if it has crossed the edge from l 0 to l 1 at most 5 time units and at least 1 time unit earlier. In the ctitious clock semantics, the interpretation is dierent: the automaton can stay in location l 2 only if the clock has produced at least 1 tick and at most 5 ticks since the automaton has crossed the edge from l 0 to l 1 for the last time. Having the intuition of what a timed automaton is, we can dene it formally: Denition 32 Clock constraints. For a set of clocks C, the set of timing constraints is dened inductively as follows: ::= x c j 1 _ 2 j 1 ^ 2, 2 f<; ; =; ; >g, 1 and 2 are well-formed timing constraints, c is a rational number. The set of constraints is noted Q+ (C). Denition 33. A Timed Automata A is a tuple hl; L 0 ; C; E; L P ; L C ; Fi where: { L is a nite set of locations; { L 0 L is the subset of initial locations; { C is a nite set of clocks; { E L 2 C L a set of edges. An edge (l 1 ; ; l 2 ) represents a transition from location l 1 to location l 2, is the subset of clocks that are reset when crossing the edge;

16 { L P : L! 2 P is a labelling function which labels a location with the set of atomic propositions that are true in that location; { L C : L! Q+ is a labelling function which assigns to each location a constraint of Q+ on the value of clocks that should be veried when staying in that location; { F is a set of sets of accepting locations. Timed automata also admit two semantics: in the dense time semantics clocks are of type real whereas in the ctitious clock semantics they are of type natural. The evolution of their value along time in a run of a timed automaton is formally described by the two functions DT and FC, one for each semantics. 4 But before dening them let us precise the notion of run: Denition 34. A Dense Time Run is an innite sequence r = (l r 0 ; Ir 0 )! 0 (l r 1 ; Ir 1 )! 1 (l r n ; Ir n)! n { l i are locations; { I 0 I 1 I n is a sequence of intervals that partition R + ; { i are sets of clocks to reset. Denition 35. A Fictitious Clock Run is an innite sequence r = l 0! 0 t 0 l 1! 1 t 1 l n! n tn { l i are locations; { t i = tick if there is a tick during the transition from l i to l i+1 otherwise l i = :tick; { i are sets of clocks to be reset. Denition 36 Clock Interpretation. The clock interpretation is dened as follows: { in the dense time semantics: the clock interpretation in time t 2 I r i, noted DT r t, along a run r respects the following denition: 8x 2 C : DT t r t? r(i r (x) = j ) if x 2 j and 8k j < k < i : x 62 k (t 2 Ii r) t if 8j : 0 j < i : x 62 j { in the ctitious clock semantics: the clock interpretation in state r i of a ctitious clock run r respects the following denition: 8x 2 C : FC i r (x) = TD(j; i; r) where 0 if 8k 0 k < i : x 62 k j = l + 1 if x 2 l ^ 8k l < k < i : x 62 k 4 In the following we use f d; DT!FC, Sd;,... on runs instead of models, their extension to runs is obvious.

17 Denition 37. A dense time run r is accepted by A i it respects the following requirements: { Initiality: l r 0 2 L 0; { Consecution: 8i 0 : (l r i ; i; l r i+1) 2 E or l r i = l r i+1 and i = ; (stuttering); { Timing constraints: 8i 0 8t 2 I i : DT r t j= L C(l r i ); { Acceptance: for all F i 2 F, there exists a location l i 2 F i which appears innitely often along r (Buchi condition). The timed sequence of states (dense time model) m corresponding to an run r is dened as follows: { Interval: 8i 0 : I m i = I r i ; { Adequation: 8i 0 : s m i = L P (l r i ); The set of dense time runs of A is noted Run DT (A) and the set of corresponding dense time models Exec DT (A). Denition 38. A ctitious clock run r is accepted by A if it respects the following requirements: { Timing constraints: 8i 0 : FC r i j= L C(l i ); { Initiality, consecution and acceptance are the same as in denition 37. The ctitious clock model h = h 0 ; h 1 ; ; h n ; corresponding to an run r is dened as follows: { Timing: 8i 0 : tick 2 h i, t i = tick; { Adequation: 8i 0 : h i nftickg = L P (l i ); The set of ctitious clock runs of an automaton A is noted Run FC (A) and the set of corresponding models Exec FC (A). As we already said, the model-checking problem is undecidable in the dense time semantics. But as for the satisability problem of MTL DT, we claim that the dense time model-checking problem can often be decided by deciding a related problem in the ctitious clock semantics. The following theorem is the basis for a partial decision procedure for the model-checking problem in the dense time semantics: Theorem 39. The automaton A veries the dense time property f if: 1. Exec DT (A) v DT (Exec FC (* A)) 2. (Mod FC (# f)) v DT Mod DT (f) 3. Exec FC (* A) v FC Mod FC (# f) This theorem is of practical interest because exact real-time information is often not necessary to prove interesting properties of real-time systems. It remains us to dene formally the function * which must return a ctitious clock over-approximation of a given dense time automaton:

18 Denition 40. The function * maps a dense time automata A to its ctitious clock over-approximation A 0 : { L = L 0 ; L 0 = L 0 0 ; C = C0 ; E = E 0 ; L P = L 0 P ; F = F0 ; { For all the locations l 2 L, we dene the function % as follows: induction cases: L C (l) = 1 _ 2 ) L 0 C (l) =% 1 _ % 2 ; L C (l) = 1 ^ 2 ) L 0 C (l) =% 1^ % 2 ; base cases: % (x c) = (x d c e) % (x < c) = (x d c e) % (x = c) = (x = d c e _ x = b c c) % (x c) = (x b c c) % (x > c) = (x b c c) This function relaxes the constraints in the ctitious clock automaton. Theorem 41. Exec DT (A) v DT (Exec FC (* A)) 6 Conclusion The formalization presented in this paper claries the common intuition according to which the ctitious clock semantics can be seen as an abstraction of the dense time semantics. A conservative connection between the two semantics has been dened. We have presented a method to partially decide the logic MTL DT. Another way to obtain an algorithmic approach to dense time is to dene a decidable subset of MTL DT, for instance: MITL [1]. The postulate on which our approach is based, which is also a postulate of abstract interpretation in general, is that the exact real-time information is seldom necessary to prove interesting properties of systems. On the other hand the approach of MITL is to restrict the logic but all the exact real-time information is preserved during verication. It would be interesting to compare pragmatically the applicability of the two approaches. To our knowledge there is no implementation of satisability and model-checking of MITL formulae. An important problem to implement eciently decision procedures in dense time is the absence of a good data structure which would allow combining discrete information (system state) and continuous information (dense time). In our proposal this problem disappears and symbolic data structures as Sharing Trees or BDDs can be used. This has already given good results for a satisability checking procedure [15]. Some designs or implementations use a global clock to rule their real-time behavior. The ctitious clock semantics is well-suited to study those systems. On the other hand, the dense time semantics is natural in early phases of program development and should be preferred to ctitious clock in this context. If the two semantics are used in the development of a same program, it is important to have a formal link between the two semantics. Our parameterized connection is such a formal link.

19 References 1. R. Alur. Techniques for Automatic Verication of Real-Time Systems. PhD thesis, Stanford University, R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proceedings of the 5th Symposium on Logic in Computer Science, pages 414{425, Philadelphia, June R. Alur and T.A. Henzinger. Logics and models of real time: a survey. In J.W. de Bakker, K. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Real Time: Theory in Practice, Lecture Notes in Computer Science 600, pages 74{106. Springer-Verlag, R. Alur and T.A. Henzinger. Real-time logics: complexity and expressiveness. Information and Computation, 104(1):35{77, Preliminary version appears in the Proc. of 5th LICS, R. Alur and T.A. Henzinger. A really temporal logic. Journal of the ACM, 41(1):181{204, Preliminary version appears in Proc. 30th FOCS, J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: states and beyond. In Proceedings of the 5th Symposium on Logic in Computer Science, pages 428{439, Philadelphia, June P. Cousot and R. Cousot. Abstract interpretation: A unied lattice model for static analysis of programs by construction or approximation of xpoints. In Conference Record of Fourth ACM Symposium on Programming Languages (POPL'77), pages 238{252, Los Angeles, California, January P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of Logic and Computation, 2(4):511{547, P. Cousot and R. Cousot. Comparison of the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation (Invited Paper). In M. Bruynooghe and M. Wirsing, editors, Proceedings of the Fourth International Workshop on Programming Language Implementation and Logic Programming (PLILP'92), Lecture Notes in Computer Science, Leuven, August Springer- Verlag. 10. E.A. Emerson. Handbook in Theoretical Computer Science, Formal Models and Semantics, chapter Temporal and Modal Logic, pages 995{1072. Elsevier, R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-y automatic verication of linear temporal logic. In Proc. 15th Work. Protocol Specication, Testing, and Verication, Warsaw, June North-Holland. 12. T.A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In W. Kuich, editor, ICALP 92: Automata, Languages, and Programming, Lecture Notes in Computer Science 623, pages 545{558. Springer-Verlag, Ron Koymans. Specifying message passing and time-critical systems with temporal logic. LNCS 651, Springer-Verlag, A. Pnueli. The temporal logic of programs. In Proc. 18th IEEE Symposium on Foundation of Computer Science, pages 46{57, J.-F. Raskin. Model-Generation of a Fictitious Clock Real-Time Logic: A Symbolic Decision Procedure Using Sharing-Trees. Research Paper RP-09-96, Computer Science Department, FUNDP, Namur (Belgium), March J.-F. Raskin and P.-Y. Schobbens. Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time. Research Paper RP-17-96, Computer Science Department, FUNDP, Namur (Belgium), September 1996.

20 17. C. Stirling. Comparing linear and branching time temporal logics. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal Logic in Specication, volume 398, pages 1{20. Lecture Notes in Computer Science, Springer-Verlag, This article was processed using the LATEX macro package with LLNCS style