Timed CTL Model Checking in Real-Time Maude

Size: px

Start display at page:

Download "Timed CTL Model Checking in Real-Time Maude"

Augusta Copeland
6 years ago
Views:

1 Timed CTL Mode Checing in Rea-Time Maude (Extended Version) Daniea Lepri 1, Eria Ábrahám2, and Peter Csaba Öveczy1,3 1 University of Oso, Norway 2 RWTH Aachen University, Germany 3 University of Iinois at Urbana-Champaign, USA Abstract. This paper presents a timed CTL mode checer for Rea- Time Maude and its semantic foundations. In particuar, we give a timed CTL mode checing procedure for that is sound and compete for cosedbound formuas under a continuous semantics for a fairy arge cass of systems. An important benefit of our mode checer is that it aso automaticay provides a timed CTL mode checer for subsets of modeing anguages, ie Ptoemy II and (Synchronous) AADL, which have Rea- Time Maude mode checing integrated into their too environments. 1 Introduction Rea-Time Maude [31] extends Maude [15] to support the forma modeing and anaysis of rea-time systems in rewriting ogic. Rea-Time Maude is characterized by its expressiveness and generaity, natura mode of object-based distributed rea-time systems, that supports mutipe inheritance as we as dynamic creation and deetion of both objects and messages, the possibiity to define any computabe data type, and a range of automated forma anaysis such as simuation, reachabiity and tempora ogic mode checing. This has made it possibe to successfuy appy the too to a wide range of rea-time systems, incuding advanced state-of-the-art wireess sensor networ agorithms [18, 33], muticast protocos [32, 21], scheduing agorithms requiring unbounded queues [27], and routing protocos [34]. Rea-Time Maude s expressiveness and generaity aso mae it a suitabe semantic framewor and anaysis too for modeing anguages for rea-time systems [25]. For exampe, the too has been used to formaize (subsets of) the This paper is the extended version of a wor submitted for pubication. In particuar, more detais about the mode checer impementation and optimizations are given in Section 5, and Section 6 contains two further case studies, about mode checing, respectivey, a simpe networ of embedded medica devices, and the Ptoemy II raioroad crossing benchmar. This wor was partiay supported by the Research Counci of Norway through the Rhytm project, by the DAADppp HySmart project, and by AFOSR Grant FA

2 2 D. Lepri, E. Ábrahám, and P. Cs. Öveczy industria avionics modeing standard AADL [26], a synchronous version of AADL [6], Ptoemy II discrete-event (DE) modes [7], the web orchestration anguage Orc [2], different EMF-based timed mode transformation framewors [35, 10], etc. Rea-Time Maude forma anaysis has been integrated into the too environment of some of these anguages, enabing a mode engineering process that combines the convenience of an intuitive modeing anguage with forma anaysis. In Rea-Time Maude, the data types of the system are defined by an agebraic equationa specification, and the system s instantaneous transitions are modeed by (instantaneous) rewrite rues. Time advance is modeed expicity by so-caed tic (rewrite) rues of the form {t} => {t } in time u if cond, where {_} is an operator that encoses the entire goba state, and the term u denotes the duration of the rewrite. Rea-Time Maude is parametric in the time domain, which may be discrete or dense. For dense time (in particuar), tic rues typicay have the form {t} => {t } in time x if x <= d /\ cond, where x is a new variabe not occurring in t, d, or cond. This form of the tic rues ensures that any moment in time (within time d) can be visited, aso for a dense time domain. Rea-Time Maude extends Maude s rewriting, search, and inear tempora ogic mode checing features to the timed case. For dense time, it is of course not possibe to execute a possibe rewrite sequences. The fairy restrictive timed automaton formaism [3] trades expressiveness for decidabiity of ey properties for dense/continuous time, since the state space can be divided into a finite number of coc regions so that any two states in the same region satisfy the same properties. Such a quotient seems hard to achieve for the much more expressive rea-time rewrite theories. Instead, the genera approach taen in Rea- Time Maude is to use time samping strategies to instantiate the new variabe x in the tic rues, and to anayze the resuting specification instead of the origina one. One such strategy advances time by a fixed amount in each appication of any tic rue. The maxima time samping strategy advances time as much as possibe in each appication of a tic rue. Athough the fixed-increment strategy can cover a possibe behaviors in the origina system when the time domain is discrete, the maxima time samping typicay ony anayzes a subset of a the possibe behaviors. However, in [29], it is shown that for a fairy arge set of reatime systems appearing in practice, the maxima time samping strategy yieds sound and compete anayses for untimed LTL properties. For exampe, systems where events are triggered by the arriva of messages or by the expiration of some timer, and where time eapse does not change the vauation of the atomic propositions (this requirement amost aways hods, since time eapse typicay ony changes timers and cocs, whose vaues are rarey reevant for tempora ogic properties) satisfy the requirements for maxima time samping anayses to be sound and compete. Unti recenty, Rea-Time Maude coud ony anayze untimed tempora ogic properties, but not quantitative properties such as the airbag must depoy within 5 ms of a crash, or the ventiator machine cannot be turned off more than once every 10 minutes. This paper presents a mode checer for Rea- Time Maude for the timed tempora ogic TCTL [5], which is an extension of

3 Timed CTL Mode Checing in Rea-Time Maude 3 the branching time ogic CTL in which the tempora operators are annotated with a time interva, so that, for exampe, the formua E ϕ 1 U [2,4] ϕ 2 hods if there is a path in which ϕ 2 hods after some time 2 r 4 and where ϕ 1 hods in a states unti then. Going from untimed tempora ogic to a timed tempora ogic presents at east two significant chaenges for Rea-Time Maude: 1. What is the intended semantics of a Rea-Time Maude specification with the above tic rue w.r.t. timed tempora ogic properties? For exampe, given a tic rue {f(y)} => {f(y + x)} in time x if x <= 3 y, shoud the property AF [1,2] true (in a paths, a state satisfying true wi be reached in some time between 1 and 2) hod for initia state {f(0)}? There are paths (e.g., jumping directy from {f(0)} to {f(3)}) where no state is visited in the desired time interva. On the other hand, the above rue coud be seen as a natura way to specify a continuous process from {f(0)} to {f(3)} in Rea-Time Maude, so that the intended semantics shoud satisfy the above property. We address this probem by presenting two different semantics for the satisfaction of a TCTL formua in Rea-Time Maude: the pointwise semantics taes a paths into account, incuding the one where we jump directy from time 0 to time 3, whereas the continuous semantics aows us to brea up onger tics in smaer steps. 2. The previous soundness and competeness resuts for maxima time samping anayses no onger hod. In the exampe above, maxima time samping woud not satisfy the existentia formua E F [1,2] true, athough the origina mode satisfies it in both the continuous and the pointwise semantics. Simiar exampes can be given for timed inear tempora ogic. For an exampe that ony uses ower bounds, consider the TCTL property ϕ = E F 1 (E p U 2 q). Then, we can have a sequence of ony maxima tic steps (where we ony show the atomic properties vaid in the corresponding states) p p inst q ( p q forever) that does not satisfy 3 ϕ, whereas if we can spit up the maxima tic step, we get a behavior p 1 p 1 p 1 p inst q which maes ϕ hod. To achieve sound and compete time samping anayses for the continuous semantics and dense time, we aways advance time by a time vaue r 2, where r is the greatest common divisor (as axiomatized in Section 4) of a the (non-zero) time vaues appearing in the annotations in the TCTL formua, as we as a the time vaues of the maxima tic steps reached from the initia state. We have ony impemented our mode checer and proved its competeness for the continuous semantics; however, we conjecture that for the pointwise semantics, we shoud use this time increment, as we as any mutipe of it. This paper describes our mode checer, its semantic foundations, and its impementation in Maude. Most importanty, we prove that our mode checer provides sound and compete mode checing under the continuous semantics for TCTL formuas where the intervas are cosed intervas; i.e., have the forms [r 1, r 2 ] and [r 1, ). We iustrate the use of the mode checer on three case

4 4 D. Lepri, E. Ábrahám, and P. Cs. Öveczy studies: a Rea-Time Maude mode of a simpe networ of embedded medica devices, a Ptoemy II mode of a rairoad crossing system, and a Ptoemy II mode of a faut-toerant traffic ight system. An important benefit of our wor is that a TCTL mode checer for Rea- Time Maude aso gives us a TCTL mode checer for free for Ptoemy II DE modes, synchronous AADL modes, and other modeing anguages for which Rea-Time Maude modes can be generated. As shown in Section 6, our mode checer has aready been integrated into the Ptoemy II too, aowing the user to mode chec TCTL properties of Ptoemy II modes from within Ptoemy II. Reated Wor. The toos Kronos [39], Redib [37], and TSMV [22] impement TCTL mode checers for, respectivey, timed automata, inear hybrid automata, and timed Kripe structures. The too Uppaa [9] provides an efficient symboic mode checing procedure for timed automata for a subset of non-nested TCTL properties. The Roméo too [17, 11], based on a timed extension of Petri nets [1, 23], has an integrated timed mode checer for some non-nested TCTL modaities, with the addition of bounded response properties. These formaisms are significanty ess expressive than rea-time rewrite theories [28], which maes their mode checing probems decidabe. The first approaches to mode checing timed tempora properties for Rea-Time Maude are described in [20, 38] and anayze important specific casses of timed tempora ogic formuas (timebounded response, time-bounded safety, and minimum separation), but ony for fat object-based specifications. Unie in [20, 38], our new mode checer is not imited to specific casses of tempora ogic properties, but offers the fu TCTL. The new mode checer is aso not imited to fat object-oriented systems, but can aso anayze any (sensibe) Rea-Time Maude mode, incuding hierarchica object-oriented specifications, which is crucia, since both AADL and Ptoemy II modes are hierarchica. Paper Structure. Section 2 introduces rea-time rewrite theories and Rea-Time Maude. Section 3 describes our mode checer and its semantics. Section 4 presents our soundness and competeness resuts. We discuss our mode checer impementation in Section 5, and demonstrate its appicabiity on three case studies in Section 6. Finay, concuding remars are given in Section 7. 2 Rea-Time Rewrite Theories and Rea-Time Maude A rewrite theory is a tupe (Σ, E, R), where (Σ, E) is a membership equationa ogic theory [15] that defines the state space of a system as an agebraic data type, with Σ a signature decaring sorts, subsorts, and function symbos, and E a set of conditiona equations and membership axioms, and where R is a set of abeed conditiona rewrite rues of the form [] : t t if cond, where is a abe, t, t are Σ-terms, and cond is a conjunction of rewrite conditions u u, equationa conditions v = v, and membership conditions w : s, where u, u, v, v, w are Σ-terms and s is a sort in Σ. A rue is impicity universay

5 Timed CTL Mode Checing in Rea-Time Maude 5 quantified by the variabes appearing in t, t and cond, and specifies a set of oca one-step transitions in the system. Rues are appied moduo the equations E. The set T Σ/E,s of states of sort s is defined by the E-equivaence casses of ground terms of sort s. Rea-time rewrite theories [28] are used to specify rea-time systems in rewriting ogic. Rues are divided into tic rues, that mode time eapse in a system, and instantaneous rues, that mode instantaneous change. Formay a rea-time rewrite theory R is a tupe (Σ, E, R, φ, τ) such that (Σ, E, R) is a rewrite theory, with a sort System and a sort GobaSystem with no subsorts or supersorts and with ony one operator {_} : System GobaSystem which satisfies no non-trivia equations; furthermore, for any f : s 1... s n s in Σ, the sort GobaSystem does not appear in s 1... s n. φ : TIME (Σ, E) is an equationa theory morphism which interprets TIME in R; the theory TIME [28] defines time abstracty as an ordered commutative monoid (Time, 0, +, <). We write 0, +,... instead of φ(0), φ(+),... and use Time for φ(time). τ is an assignment of a term τ of sort Time to each rewrite rue in R of the form [] : {t} {t } if cond. Such a rue is caed a tic rue if τ 0; in this case τ denotes the duration of the step. Rues that are not tic rues are caed instantaneous rues and are assumed to tae zero time. Since the initia state has the form {t}, the form of the tic rues ensures that time advances uniformy in the whoe system. r We write t t when t can be rewritten into t in time r by a one-step rewrite, and aso write t inst t for one-step rewrites appying an instantaneous rue. r A tic step t t is maxima if there is no r > r with t t for some t r. A timed path in R is an infinite sequence π = t 0 r 0 1 r t1 2 t2 such that r for a i N, t i i ti+1 is a one-step rewrite in R; or r there exists a N such that t i i ti+1 is a one-step rewrite in R for a 0 i <, there is no one-step rewrite from t in R, and t j = t and r j = 0 for each j. For paths π of the above form we define d π m = m 1 i=0 r i, t π m = t m and rm π = r m. r We ca the timed path π = t 0 r 0 1 r t1 2 t2 a timed fair path if for any ground term of sort Time, if there is a such that for each j > r there is a one-step tic rewrite t j t with d π j + r then there is an with d π, and for each, if for each j > both a maxima tic step with duration 0 and an inst instantaneous rue can be appied in t j then t t +1 is a one-step rewrite appying an instantaneous rue for some >. We denote the set of a timed fair paths of R starting in t 0 by tfpaths R (t 0 ). A term t is reachabe from t 0 in R in time r iff there is a path π tfpaths R (t 0 ) with t π = t and dπ = r for some. A path π is time-divergent iff for each time vaue r Time there is an i N such that d π i > r. r

6 6 D. Lepri, E. Ábrahám, and P. Cs. Öveczy The Rea-Time Maude too [30] extends the Maude system [15] to support the specification, simuation, and anaysis of rea-time rewrite theories. Rea- Time Maude is parametric in the time domain, which may be discrete or dense, and defines a supersort TimeInf of Time which adds the infinity eement INF. To cover a time instances in a dense time domain, tic rues often have one of the forms cr [tic] : {t} => {t } in time x if x <= u /\ cond [nonexec]. ( ), cr [tic] : {t} => {t } in time x if cond [nonexec]. ( ), or r [tic] : {t} => {t } in time x [nonexec]. ( ). where x is a new variabe of sort Time not occurring in {t} and cond. This ensures that the tic rues can advance time by any amount in rues of the form ( ) or ( ) and any amount ess than or equa to u in rues of the form ( ). Rues of these forms are caed time-nondeterministic and are not directy executabe in genera, since many choices are possibe for instantiating the new variabe x. In contrast to, e.g., timed automata, where the restrictions in the formaism aow the abstraction of the dense time domain by coc regions containing bisimiar states [3], for the more compex systems expressibe in Rea-Time Maude there is not such a discrete quotient. Instead, Rea-Time Maude executes time-nondeterministic tic rues by offering a choice of different time samping strategies [30], so that ony some moments in the time domain are visited. For exampe, the maxima time samping strategy advances time by the maximum possibe time eapse u in rues of the form ( ) (uness u equas INF), and tries to advance time by a user-given time vaue r in tic rues having other forms. In the defaut mode each appication of a time-nondeterministic tic rue wi try to advance time by a given time vaue r. The paper [30] expains the semantics of Rea-Time Maude in more detai. In particuar, given a rea-time rewrite theory R and a time samping strategy σ, there is a rea-time rewrite theory R σ that has been obtained from R by appying a theory transformation corresponding to using the time samping strategy σ when executing the tic rues. In particuar, the rea-time rewrite theory R maxdef (r) denotes the rea-time rewrite theory R where the tic rues are appied according to the maxima time samping strategy, whie R def(r) denotes R where the tic rues are appied according to the defaut time samping strategy (tic steps which advance time by 0 are not appied). A rea-time rewrite theory R is time-robust if the foowing hod for a ground terms t, t, t of sort GobaSystem and a ground terms r, r, of sort Time: t = t hods in the underying equationa theory for any 0-time tic step 0 t t. t r+r t if and ony if there is a t r of sort Time such that t t and t. r If t t is a tic step with r > 0, and t inst t is an instantaneous one-step r rewrite, then t t is a maxima tic step. for M = {r t r. t t } we have that either there is a maxima eement in M or M is the whoe domain of Time. t r

7 Timed CTL Mode Checing in Rea-Time Maude 7 Rea-Time Maude extends Maude s inear tempora ogic mode checer to chec whether each behavior, possiby up to a certain time bound, satisfies an (untimed) LTL formua. State propositions are terms of sort Prop. The abeing of states with propositions can be specified by (possiby conditiona) equations of the form {statep attern} = prop = b for b a term of sort Boo, which defines the state proposition prop to evauate to b in a states matching the given pattern. We say that a set of atomic propositions is tic-invariant in R if tic rues do not change their vaues. Since the mode checing commands execute time-nondeterministic tic rues according to a time samping strategy, ony a subset of a possibe behaviors is anayzed. Therefore, Rea-Time Maude anaysis is in genera not sound and compete. However, the reference [29] gives easiy checabe sufficient conditions for soundness and competeness, which are satisfied by many arge Rea-Time Maude appications. 3 Timed CTL Mode Checing for Rea-Time Maude In untimed tempora ogics it is not possibe to reason about the duration of/between events. There are many timed extensions of tempora ogics: both point-based and interva-based, inear-time and branching-time, with discrete or dense time, based on pointwise or continuous semantics, etc. (see [4, 36, 12] for an overview). In this paper we consider TCTL [5] with interva time constraints on tempora operators. 3.1 Timed CTL In computation tree ogic (CTL) [5], a state formua specifies a property over the computation tree corresponding to the system behavior rooted in a given state. State formuae are constructed by adding universa (A ) and existentia (E ) path quantifiers in front of path formuae to specify whether the path formua must hod, respectivey, on each path starting in the given state, or just on some path. Path formuae are buit from state formuae using the tempora operators X ( next ) and U ( unti ). Intuitivey, the path formua p U q ( p unti q ) is satisfied by a path if the property q becomes vaid within a finite number of steps and the property p constanty hods on the path before. As syntactic sugar we use the common abbreviations: E F ϕ is defined as E true U ϕ; A F ϕ is defined as A true U ϕ; E G ϕ is defined as A F ϕ and A G ϕ is defined as E F ϕ. Timed CTL (TCTL) is a quantitative extension of CTL [5], where the scope of the tempora operators can be imited in time by subscripting them with time constraints. In this paper we consider an interva-bound version of TCTL where the tempora operators are subscripted with a time interva. A time interva I is an interva of the form [a, b], (a, b], [a, b ) or (a, b ), where a and b are vaues of sort Time and b is a vaue of sort TimeInf.

8 8 D. Lepri, E. Ábrahám, and P. Cs. Öveczy Definition 1. Given a set Π of atomic propositions, TCTL formuae are buit using the foowing abstract syntax: ϕ ::= true p ϕ ϕ ϕ E ϕ U I ϕ A ϕ U I ϕ where p Π and I is a time interva. We omit the bound [0, ) as subscript and we write b, < b, a and > a for [0, b], [0, b), [a, ) and (a, ), respectivey. We denote by TCTL cb the fragment of TCTL where a time bounds are of the form [a, b] with a < b, or [a, ). 3.2 Timed Kripe Structures and TCTL Semantics The semantics of TCTL formuae is defined on Kripe structures. A Kripe structure is a transition system with an associated abeing function, which maps each state in the transition system to the set of atomic propositions that hod in that state. A timed Kripe structure is a Kripe structure where each transition has the form s r s, where r denotes the duration of the transition step. Definition 2. Given a set of atomic propositions Π and a time domain T, a T timed Kripe structure is a tripe T K = (S,, L) where S is a set of states, T S T S is a transition reation with duration, and L is a abeing function L : S P(Π). The transition reation T is tota, 4 i.e., for each s S there exist r T, s S such that (s, r, s ). T We write s r s if (s, r, s ). T We use a simiar notation for timed paths in a timed Kripe structure T K as for r rea-time rewrite theories. Thus, a timed path is written π = t 0 r 0 1 t1..., we define d π m = m 1 i=0 r i, t π m = t m and rm π = r m, and the set of a timed fair paths originating in state t is denoted by tfpaths T K (t). The semantics of TCTL formuae is defined as foows: Definition 3. For timed Kripe structures T K = (S,, L), states t S, and TCTL formuae ϕ, the pointwise satisfaction reation T K, t = p ϕ is defined inductivey as foows: T K, t = p true aways. T K, t = p p iff p L(t). T K, t = p ϕ 1 iff T K, t = p ϕ 1. T K, t = p ϕ 1 ϕ 2 iff T K, t = p ϕ 1 and T K, t = p ϕ 2. T K, t = p E ϕ 1 U I ϕ 2 iff there exists π tfpaths T K (t) and an index s.t. d π I, T K, tπ = p ϕ 2, and T K, t π = p ϕ 1 for a 0 <. T K, t = p A ϕ 1 U I ϕ 2 iff for each π tfpaths T K (t) there is an index s.t. d π I, T K, tπ = p ϕ 2, and T K, t π = p ϕ 1 for a 0 <. 4 A transition reation T can be made tota by defining ( ) T = T {(s, 0, s) S T S s S, r T s.t. (s, r, s ) }. T T

9 Timed CTL Mode Checing in Rea-Time Maude 9 For a timed Kripe structure T K = (S,, L), a state t S and paths π, π tfpaths T K (t) we say that π is a simpe time refinement of π if either π = π or π r can be obtained from π by repacing a transition t t+1, r r > 0, by a sequence t t r t +1 of transitions for some t S and time vaues r, r > 0 with r + r = r. A path π is a time refinement of another path π if π can be obtained from π by appying a (possiby infinite) number of time refinements. We aso say that π is a time abstraction of π. Definition 4. The continuous-time satisfaction reation T K, t = c ϕ is defined inductivey as foows: T K, t = c true aways. T K, t = c p iff p L(t). T K, t = c ϕ 1 iff T K, t = c ϕ 1. T K, t = c ϕ 1 ϕ 2 iff T K, t = c ϕ 1 and T K, t = c ϕ 2. T K, t = c E ϕ 1 U I ϕ 2 iff there is a path π tfpaths T K (t) such that for each time refinement π tfpaths T K (t) of π there is an index s.t. d π I, T K, tπ = c ϕ 2, and T K, t π = c ϕ 1 for a 0 <. T K, t = c A ϕ 1 U I ϕ 2 iff for each path π tfpaths T K (t) there is a time refinement π tfpaths T K (t) of π and an index s.t. d π I, T K, tπ = c ϕ 2, and T K, t π = c ϕ 1 for a 0 <. T 3.3 Associating Timed Kripe Structures to Rea-Time Rewrite Theories To each rea-time rewrite theory we associate a timed Kripe structure as foows: Definition 5. Given a rea-time rewrite theory R = (Σ, E, R, φ, τ), a set of atomic propositions Π and a protecting extension (Σ Π, E D) (Σ, E), we define the associated timed Kripe structure T K(R) Π = (T Σ/E,GobaSystem, ( T R ), L Π ), where ( T R ) T Σ/E,GobaSystem T Σ/E,φ(Time) T Σ/E,GobaSystem contains r a transitions of the ind t t which are aso one-step rewrites in R and 0 a transitions of the ind t t for a those states t that cannot be further rewritten in R, and for L Π : T Σ/E,GobaSystem P(Π) we have that p L Π (t) if and ony if E D (t = p) = true. We use this transformation to define R, L Π, t 0 = c ϕ as T K(R) Π, t 0 = c ϕ, and simiary for the pointwise semantics. The mode checing probems T K(R) Π, t 0 = p ϕ and T K(R) Π, t 0 = c ϕ are decidabe if the equationa specification in R is Church-Rosser and terminating,

10 10 D. Lepri, E. Ábrahám, and P. Cs. Öveczy the set of states reachabe from t 0 in the rewrite theory R is finite, and given a pair of reachabe states t and t, the number of one-step rewrites of r the ind t t in R is finite. As mentioned above, rea-time rewrite theories generay contain a time-nondeterministic tic rue, but since Rea-Time Maude executes such theories by appying a time samping strategy σ, our mode checer does not anayze R but the executabe theory R σ in which the time samping strategy transformation has been appied. Thus, we associate a timed Kripe structure not to R, but to R σ, and hence the third requirement is satisfied by a but the most esoteric cases; indeed, the tic rues in a Rea-Time Maude appications we have seen are deterministic, in the sense that there is at most one one-step tic rewrite t r t from any state, when the time samping strategy is taen into account. We denote by T K(R, t 0 ) Π the timed Kripe structure associated to R which is restricted to states reachabe from t 0, and for states t reachabe from t 0 we write R, L Π, t = ϕ for T K(R, t 0 ) Π, t = ϕ. 4 Sound and Compete TCTL Mode Checing for Rea-Time Maude As mentioned above, for dense time domains, Rea-Time Maude ony anayzes those behaviors obtained by appying the tic rues according to a seected time samping strategy. The paper [29] specifies some conditions on a rea-time rewrite theory R and on the atomic propositions that ensure that mode checing R maxdef (r), i.e., using the maxima time samping strategy, is a sound and compete mode checing procedure to chec whether a behaviors in the origina mode R satisfy an untimed LTL formua without the next operator. For exampe, if no appication of a tic rue changes the vauation of the atomic propositions in a formua (this requirement amost aways hods in rea appications, since the ony vaues changed by tics are coc and timer vaues that usuay do not appear in the formua); instantaneous rewrite rues can ony be appied after maxima tic steps or after appying an instantaneous rue, then mode checing R maxdef (r) gives a sound and compete mode checing procedure for R. 5 This resut yieds a feasibe sound and compete mode checing procedure for many usefu (dense-time) systems, that incude many systems that cannot be modeed as, e.g., timed automata. Unfortunatey, this competeness resut does not carry over to timed tempora ogic properties. Consider for exampe the TCTL formua ϕ = E F 1 (E p U 2 q). 5 The requirements in [29] are weaer than described here; e.g., the vauation of the atomic propositions may change once in a sequence of maxima tic rewrites.

11 Timed CTL Mode Checing in Rea-Time Maude 11 Then, we can have a sequence of ony maxima tic steps (where we ony show the atomic properties vaid in the corresponding states) p 3 p inst q ( p q forever) that does not satisfy the formua ϕ, whereas if we can spit up the maxima tic step into three non-maxima tic steps, where time eapses by one time unit in each tic step, we get a behavior p 1 p 1 p 1 p inst q ( p q forever) which maes ϕ hod for the system. Notice that the system satisfies the two strong criteria suggested above. It is aso worth mentioning that this probem aso appies to timed inear ogics. For the system R indicated in the exampe, the timed LTL formua ( 1 (p U 2 q)) is satisfied by R maxdef (r) but not by R. In the foowing we focus on dense time, since we can achieve sound and compete mode checing for discrete time by exporing a possibe tic steps in the pointwise semantics, and by advancing time by the smaest possibe nonzero duration in the continuous semantics. Furthermore, as aready mentioned, in this paper we restrict our treatment to TCTL cb formuas under the continuous semantics. 6 Our goa is therefore to find a discrete abstraction of a rea-time rewrite theory R, so that mode checing the abstraction (under the pointwise semantics) is equivaent to mode checing R under the continuous semantics. One part of our soution is to mae sure that time progress stops at any time point when a time bound in the formua coud be reached. This can be achieved if we spit any tic step by an amount that divides a possibe maxima tic durations and a possibe finite non-zero time bounds in the formua. Let r be the greatest common divisor of the durations of a maxima tic steps in R maxdef (r) reachabe from the initia state and each finite non-zero time bound in the formua; then stopping at each interesting time point shoud be acheieved if we divide each maxima tic step into smaer steps of duration r. However, the foowing exampe shows that it is not sufficient to aways advance time by this greatest common divisor r to obtain a sound and compete abstraction under the continuous semantics. Consider a (dense-time) theory R that has ony one behavior in terms of maxima tic steps, which we show here in terms of vaidity of the atomic proposition p in the corresponding states: π = p 1 p inst p inst p 1 ( p forever) That is, a p-state is reachabe in exacty time 1, and tics do not change the vauations of the atomic propositions. In this mode a maxima tic steps have 6 We are currenty woring on reeasing the restriction to cosed bounds. However, our proof for the competeness resut cannot be directy extended to TCTL formuas with open bounds.

12 12 D. Lepri, E. Ábrahám, and P. Cs. Öveczy duration 1. Let s consider the formua ϕ = E ϕ 1 U [1,1] true, where ϕ 1 is the formua E F [1,1] p. The formua ϕ says that ϕ 1 must hod a the way unti we reach time 1. The greatest common divisor of a maxima time increments and a time vaues in ϕ is sti 1, so the greatest common divisor abstraction is equivaent to R maxdef (r). In particuar, this abstraction (i.e., the above behavior) satisfies ϕ w.r.t. the initia state π(0). However, R, L {p}, π(0) = c ϕ does not hod, since ϕ does not hod in the timed refinement (where the first tic has been spit into two smaer ones) π = p 1 /2 p 1 /2 p inst p inst p 1 ( p forever) because ϕ 1 does not hod in the second state in the refinement. Our approach is therefore to capture a these intermediate states by further spitting the gcd tic steps into two smaer tic steps. In essence, we advance time not by r, but by haf the gcd r in each tic step. To formaize this notion, et us first consider the time domain. Rea-time rewrite theories are parametric in their time domain; the time domain must ony satisfy some abstract properties given in some functiona theory defined in [28] that defines the time domain abstracty as a commutative monoid (0,, T ime) with some additiona operators, such as monus, where x monus y denotes x y if y < x, and 0 otherwise. The foowing theory states that there exist functions gcd and haf on the non-zero time vaues with the expected properties. fth GCD-TIME-DOMAIN is incuding LTIME-INF. sort NzTime. subsort NzTime < Time. cmb T:Time : NzTime if T:Time =/= 0. op gcd : NzTime NzTime -> NzTime [assoc comm]. op _divides_ : NzTime NzTime -> Boo. op haf : NzTime -> NzTime. vars T1 T2 T3 : NzTime. vars T T : Time. eq T1 divides T1 = true. ceq T1 divides T2 = fase if T2 < T1. eq T1 divides (T1 + T2) = T1 divides T2. eq gcd(t1, T2) divides T1 = true. ceq gcd(t1, T2) >= T3 if T3 divides T1 /\ T3 divides T2. eq haf(nzt) + haf(nzt) = NZT. endfth In the foowing we assume that a considered time domains satisfy the theory GCD-TIME-DOMAIN, and write gcd and haf for the interpretation of gcd and haf, respectivey. Note that the usua dense time domains, such as the nonnegative rationas, satisfy this theory with the standard interpretation of division and the gcd operator.

13 Timed CTL Mode Checing in Rea-Time Maude 13 The rea-time rewrite theory R gcd(t0,r,ϕ) is obtained from the tic-robust reatime rewrite theory R, a state t 0 in R, and a TCTL formua ϕ, by advancing time by haf the greatest common divisor of a the foowing vaues: a tic step durations appearing in paths from tfpaths R maxdef (r)(t 0 ) and a finite non-zero ower and upper bounds of a tempora operators in ϕ. Definition 6. For a rea-time rewrite theory R whose time domain satisfies the theory GCD-TIME-DOMAIN, a non-zero time vaue r, a TCTL formua ϕ and a state t 0 of R we define T 1 (R, t 0, r) = {r NzTime π tfpaths R maxdef (r)(t 0 ). i 0. r = r π i } T 2 (ϕ) = {r NzTime there exists a subformua E ϕ 1 U I ϕ 2 or GCD(R, r, ϕ, t 0 ) = gcd(t 1 (R, t 0, r) T 2 (ϕ)). A ϕ 1 U I ϕ 2 of ϕ with r a non-zero finite ower or upper bound in I} If T 1 (R, t 0, r) and T 2 (ϕ) are finite then the GCD vaue is we-defined and we can define the rea-time rewrite theory R gcd(t0,r,ϕ) as foows: Definition 7. Given a rea-time rewrite theory R whose time domain satisfies the theory GCD-TIME-DOMAIN, a non-zero time vaue r, a TCTL formua ϕ, a state t 0 of R, and assume that r = GCD(R, t 0, r, ϕ) is a defined non-zero time vaue. Then R gcd(t0,r,ϕ) is defined as R but where each tic rue of the forms ( ), ( ), and ( ) is repaced by the respective tic rue: cr [tic] : {t} => {t } in time x if x := haf ( r) /\ cond [nonexec]. cr [tic] : {t} => {t } in time x if x := haf ( r) /\ cond [nonexec]. cr [tic] : {t} => {t } in time x if x := haf ( r) [nonexec]. The foowing emma states that the evauation of the formua ϕ and its subformuas does not change inside tic steps of R gcd(t0,r,ϕ). Lemma 1. Assume a time-robust rea-time rewrite theory R whose time domain satisfies the theory GCD-TIME-DOMAIN. Let Π be a set of tic-invariant atomic propositions, and assume a protecting extension of R defining the atomic propositions in Π and inducing a abeing function L Π. Let t 0 be a state of R, r a non-zero time vaue of sort Time, ϕ a TCTL cb formua over Π, and assume that r = GCD(R, t 0, r, ϕ) is a defined non-zero time vaue. Then for each subformua ϕ of ϕ, each time-divergent path π tfpaths R (t 0 ) r π i and for a tic step sequences t π i... rπ j 1 t π j in π satisfying n r < dπ i < dπ j < (n + 1) r for some n we have that R, L Π, t π i = c ϕ iff R, L Π, t π j = c ϕ. Proof. In the foowing we use N 0 and N for the set of a natura numbers incuding resp. excuding 0. The proof is by induction on the structure of ϕ. Base cases:

14 14 D. Lepri, E. Ábrahám, and P. Cs. Öveczy ϕ = true: R, t = c true for a t by the definition of = c. ϕ = p: Since a steps between t π i and t π j are tic steps, the property foows from the tic-invariance of p. Assume now that the emma hods for the subformuae ϕ 1 and ϕ 2. ϕ = ϕ 1 : ϕ = ϕ 1 ϕ 2 : R, t π i = c ϕ 1 not (R, t π i = c ϕ 1 ) induction not (R, t π j = c ϕ 1 ) R, t π j = c ϕ 1. ϕ = E ϕ 1 U I ϕ 2 : R, t π i = c ϕ 1 ϕ 2 R, t π i = c ϕ 1 and R, t π i = c ϕ 2 induction R, t π j = c ϕ 1 and R, t π j = c ϕ 2 R, t π j = c ϕ 1 ϕ 2. We define d 1 = d π i n r, d 2 = d π j dπ i and d 3 = (n+1) r d π j. Let furthermore π pre denote the prefix of π ending at t π i and et πpre i denote the tic sequence t π r i r j 1 i... t π j. Let m r be the ower bound of I. The upper bound of I is either INF or a finite bound m u r. : The proof structure is iustrated on Figure 1. Assume that R, t π i = c E ϕ 1 U I ϕ 2 hods. Then by definition there is a path π i tfpaths T K (t π i ) such that for each time refinement π i tfpaths T K(t π i ) of π i there is an index s.t. d π i I, T K, tπ i = c ϕ 2, and T K, t π i = c ϕ 1 for a 0 <. Let π i be such a path. Due to time robustness, π i has a time refinement π i tfpaths T K(t π i ) which contains the state tπ j at time point d 2, a state t at time point 7 m r d 1 /2 in case m > 0, and a state t at time point m r + d 2 (which is t π j in case m = 0). Note that time robustness assures that the state in π i at time point d 2 is t π j. Let π i be such a path. Let πpre i and π j be the prefix resp. suffix of π i ending resp. starting at t π j at the time point d 2. We show that π j satisfies the conditions for R, t π j = c E ϕ 1 U I ϕ 2. Let π j be a time refinement of π j. Then the concatenation π i of π pre i π j is a time refinement of π i. By assumption there is an index s.t. d π i I, T K, t π i = c ϕ 2, and T K, t π i = c ϕ 1 for a 0 <. Let be such an index and et π be the concatenation of π pre and π i. Remember that m r is the ower bound of I. We distinguish between (i) d π i I 1 = [m r, m r + d 2 + d 3 ) and (ii) d π i I 2 = I\I 1. 7 For intuition we sampe the midde point between m r d 1 and m r. However, any time point in the interva (m r d 1, m r) woud fit for our purpose. and

15 Timed CTL Mode Checing in Rea-Time Maude 15 π : 0 r 2 r 3 r 4 r 5 r t π i t π j n r d 1 d 2 d 3 π pre π pre i π i : t π i π i : t π i π pre i I d 2 m r d 1 2 m r+d 2 t π j t t π j π j : π j : t π j t t t π j t t I π i : π pre i I 1 I 2 I t π i t π j t t π j π : t π i t π j t t π pre π i Fig. 1: Lemma 1: Proof structure for the direction of existentiay quantified bounded unti

16 16 D. Lepri, E. Ábrahám, and P. Cs. Öveczy (i) Assume first that d π i I 1 = [m r, m r + d 2 + d 3 ). We observe that π i contains the state t at time point m r + d 2 (we added this sampe point when refining π i to π i ), thus t appears in π at time point (n + m ) r + d 1 + d 2. Furthermore, we assumed that d π i d π i < m r + d 2 + d 3, impying that t π i I 1, i.e., m r appears in π at a time point in [(n + m ) r + d 1, (n + m + 1) r). Thus both t and t π i appear in π in the interva ((n + m ) r, (n + m + 1) r), and from T K, t π i = c ϕ 2 we get by induction that T K, t = c ϕ 2. Note that t aso appears in π j. We want to show that the index of t in π j satisfies the conditions for the satisfaction of the unti formua by π j. We aready have shown that T K, t = c ϕ 2. Additionay, t appears in π i at time point m r + d 2, therefore it appears in π j at time point m r, which is the eft end point of the interva I. In case m = 0 we are done, because t π j satisfies ϕ 2 and there are no states prior to t π j in π j. Otherwise, if m > 0, it remains to show that a states prior to t in π j satisfy ϕ 1. There are two cases. We now that a states t π i with < (especiay a states at time points ess than m r) satisfy ϕ 1. We concude that the states in π j at time points ess than m r d 2, buiding a subset of the above states, a satisfy ϕ 1. It remains to show that a states at time points from [m r d 2, m r) in π j aso satisfy ϕ 1. Notice that π i contains the state t at time point m r d 1 /2. Since this time point is beow the ower bound of I we have T K, t = c ϕ 1. This state t appears in π at time point (n r + d 1 ) + (m r d 1 /2) = (n + m ) r + d 1 /2. By induction we get that a states appearing in π at time points from the interva ((n + m ) r, (n + m + 1) r) satisfy ϕ 1. I.e., a states in π j at time points from ((n + m ) r (n r + d 1 + d 2 ), (n + m + 1) r (n r + d 1 + d 2 )) = (m r d 1 d 2, (m + 1) r d 1 d 2 ) [m r d 2, m r) satisfy ϕ 1. (ii) For the case d π i I 2 = I\I 1 et v be the number of states in π pre i. We show that v is a proper index for the satisfaction of the bounded unti aong π j. We observe that t π j = t π i +v T K, t π j v = c ϕ 2. Since d π i i for a. Therefore, T K, tπ I 2 we have d π i = c ϕ 2 impies m r + d 2 + d 3 and thus d π j v = dπ i d 2 m r + d 3, i.e., the duration of π j unti the ( v)-th state is above the ower bound of I. It is easy to see that this

17 Timed CTL Mode Checing in Rea-Time Maude 17 duration is aso beow the upper bound (d π i and d π j v = dπ i d 2 < d π i ). is beow the upper bound Finay, T K, t π i +v = c ϕ 1 impies T K, t π j = c ϕ 1 for a < v Therefore, the index ( v) is appropriate to show that the path π j satisfies the bounded unti property. : The proof structure is iustrated in Figure 2. Assume that R, t π j = c E ϕ 1 U I ϕ 2 hods. Then by definition there is a path π j tfpaths T K (t π j ) such that for each time refinement π j tfpaths T K(t π j ) of π j there is an index s.t. d π j I, T K, tπ j = c ϕ 2, and T K, t π j = c ϕ 1 for a 0 <. Let π j be such a path. Remember that m u r denotes the upper bound of I in case it is finite. Let π j be π j if the upper bound of I is INF or 0 and a time refinement of π j which contains the state t at the time point m u r d 2 otherwise. Then the above properties hod aso for π j. Let π i be the concatenation of π pre i (appearing in π) and π j. We show that π i satisfies the requirements for R, t π i = c E ϕ 1 U I ϕ 2. Let π i be a time refinement of π i. Then t π j appears in π i at time point d 2 at some position v. Let π j be the suffix of π i starting at position v. Then π j is a time refinement of π j j. Therefore there must be an index s.t. dπ I, T K, t π j = c ϕ 2, and T K, t π j = c ϕ 1 for a 0 <. We distinguish between = 0 and > 0. = 0 For the case = 0 notice that t π j 0 = t π j and thus T K, tπ j = c ϕ 2. By induction we get T K, t π i = c ϕ 2. Furthermore, since d π j 0 = 0 and d π j 0 I, the ower bound of I must be 0. I.e., the index 0 satisfies the condition for the bounded unti on the path π i. > 0 Otherwise, if > 0 then, since t π j 0 = t π j we get T K, tπ j = c ϕ 1 and by induction T K, t π i = c ϕ 1 for a < v (i.e., a states in the prefix π pre i of π i ending at tπ j at time point d 2 satisfy ϕ 1 ). (i) If the upper bound of I is INF then we show that +v is an appropriate index to satisfy the bounded unti aong π i j. From T K, tπ = c ϕ 2 and t π j = t π i +v we concude that T K, tπ i +v = c ϕ 2. Furthermore, d π j is above the ower bound of I and d π i +v = dπ j + d 2, i.e., d π i +v I. Finay, a states with indices from v to ( + v 1) in π i satisfy ϕ 1, since they aso appear in π j before the index. We have aready shown above that the states with indices up to v aso satisfy ϕ 1, therefore the bounded unti is satisfied aong the path π i. (ii) Assume next that the upper bound m u r of I is finite. Note that > 0 impies m u > 0. We first assume d π j and consider d π j I 1 = I\I 2 in case (iii). I 2 = (m u r d 2, m u r],

18 18 D. Lepri, E. Ábrahám, and P. Cs. Öveczy π : 0 r 2 r 3 r 4 r 5 r t π i t π j π j : π j : n r d 1 d 2 d 3 π pre π pre i t π j t π j I m u r d 2 t π i : t π i π pre i t π j π j t π i : π j : t π i π pre i t π j t π j I π j t I 1 I 2 I t π : π pre t π i t π j t π i Fig. 2: Lemma 1: Proof structure for the direction of existentiay quantified bounded unti

19 Timed CTL Mode Checing in Rea-Time Maude 19 Assume that d π j I 2 and et π be the concatenation π pre and π i. The state t π j appears in π j by assumption at a time point in (m u r d 2, m u r], and therefore aso in π i at a time point in (m u r, m u r + d 2 ] and in π at a time point in ((n + m u ) r + d 1, (n + m u ) r + d 1 + d 2 ]. By construction π j contains the state t at time point m u r d 2. Again by construction, aso π i contains t at time point m u r d 2 + d 2 = m u r. Therefore, the state t appears aso in π at time point (n + m u ) r + d 1. We concude that both t π j and t appear in π within the time interva ((n + m u ) r, (n + m u + 1) r). From T K, t π j = c ϕ 2 we get therefore by induction T K, t = c ϕ 2. Since t appears in π i at time point m u r being the upper bound of I, aso the time bound of the unti is satisfied for t on π i. Finay, we have aready shown that a states up to index v in π i satisfy ϕ 1. This hods aso for a remaining states preceeding t in π i, since they aso appear in π j before the index. Thus the index of t in π i satisfies the condition of the bounded unti on π i. (iii) For the case d π j I 1 = I\I 2 we observe that t π i Therefore, T K, t π j = c ϕ 2 impies T K, t π i we have d π j m u r d 2 and thus d π i +v = dπ j duration of π i = t π j v for a v. +v = c ϕ 2. Since d π j I 2 + d 2 m u r, i.e., the unti the ( + v)-th state is beow the upper bound of I. It is easy to see that this duration is aso above the ower bound (d π j is above the ower bound and d π i +v = dπ j + d 2 > d π j ). We have aready shown above that the states with indices up to v satisfy ϕ 1. Furthermore, T K, t π j = c ϕ 1 impies T K, t π i +v = c ϕ 1 for a < Therefore, the index ( + v) is appropriate to show that the path π i satisfies the bounded unti property. ϕ = A ϕ 1 U I ϕ 2, : This proof case it quite anaogous to the direction of the existentiay quantified bounded unti case. The proof structure is iustrated in Figure 3. Assume that R, t π i = c A ϕ 1 U I ϕ 2 hods. Then by definition each path π i tfpaths T K (t π i ) has a time refinement π i tfpaths T K(t π i ) such that for some index with d π i 0 <. I we have T K, tπ i = c ϕ 2, and T K, t π i = c ϕ 1 for a We show that R, t π j = c A ϕ 1 U I ϕ 2 hods. Let π j tfpaths T K (t π j ) be a path. Due to time robustness, π j has a time refinement π j tfpaths T K(t π j ) which contains a state t at time point m r (which is t π j in case m = 0) and a state t at time point m r d 2 d 1 /2 in case m > 0. Let π j be such a time refinement and et π i be the concatenation of π pre i and π j. From R, tπ i = c A ϕ 1 U I ϕ 2 we concude that there is a time refinement

20 20 D. Lepri, E. Ábrahám, and P. Cs. Öveczy π : 0 r 2 r 3 r 4 r 5 r t π i t π j π j : π j : n r d 1 d 2 d 3 π pre π pre i t π j m r d 2 d 1 2 m r t π j t t I π i : π i : t π i t π j t t π pre i π pre i π j I 1 I 2 I t π i t π j t t π j π j : t π j t t I π : π pre t π i t π j t t π i Fig. 3: Lemma 1: Proof structure for the direction of universay quantified bounded unti

21 Timed CTL Mode Checing in Rea-Time Maude 21 π i of π i and an index s.t. d π i I, T K, tπ i = c ϕ 2, and T K, t π i = c ϕ 1 for a 0 <. Let π i be such a path and such an index. Note that π i contains the state tπ j at time point d 2. Let π pre i and π j be the prefix resp. suffix of π i ending resp. starting at that state. Let v be the number of states in π pre i and et π be the concatenation of π pre and π i. We show that the bounded unti is satisfied aong π j, being a time refinement of π j. Remember that m r is the ower bound of I. We distinguish between (i) d π i I 1 = [m r, m r + d 2 + d 3 ) and (ii) d π i I 2 = I\I 1. (i) Assume first that d π i I 1 = [m r, m r + d 2 + d 3 ). We observe that π i contains the state t at time point m r + d 2 (we added this sampe point when refining π j to π j ), thus t appears in π at time point (n + m ) r + d 1 + d 2. Furthermore, we assumed that d π i d π i < m r + d 2 + d 3, impying that t π i I 1, i.e., m r appears in π at a time point in [(n + m ) r + d 1, (n + m + 1) r). Thus both t and t π i appear in π in the interva ((n + m ) r, (n + m + 1) r), and from T K, t π i = c ϕ 2 we get by induction that T K, t = c ϕ 2. Note that t aso appears in π j. We want to show that the index of t in π j satisfies the conditions for the satisfaction of the unti formua by π j. We aready have shown that T K, t = c ϕ 2. Additionay, t appears in π j at time point m r, which is the eft end point of the interva I. In case m = 0 we are done, because there are no states prior to t in π j. Otherwise, if m > 0, it remains to show that a states prior to t in π j satisfy ϕ 1. There are two cases. We now that a states t π i with < (especiay a states at time points ess than m r) satisfy ϕ 1. We concude that the states in π j at time points ess than m r d 2, buiding a subset of the above states, a satisfy ϕ 1. It remains to show that a states at time points from [m r d 2, m r) in π j aso satisfy ϕ 1. Notice that π i contains the state t at time point m r d 1 /2. Since this time point is beow the ower bound of I we have T K, t = c ϕ 1. This state t appears in π is at time point (n r + d 1 ) + (m r d 1 /2) = (n + m ) r + d 1 /2. By induction we get that a states appearing in π at time points from the interva ((n + m ) r, (n + m + 1) r) satisfy ϕ 1. I.e., a states in π j at time points from ((n + m ) r (n r + d 1 + d 2 ), (n + m + 1) r (n r + d 1 + d 2 )) = (m r d 1 d 2, (m + 1) r d 1 d 2 ) [m r d 2, m r) satisfy ϕ 1.

22 22 D. Lepri, E. Ábrahám, and P. Cs. Öveczy (ii) For the case d π i I 2 = I\I 1 et v be the number of states in π pre i. We show that v is a proper index for the satisfaction of the bounded unti aong π j. We observe that t π j = t π i +v for a. Therefore, T K, tπ i = c ϕ 2 impies T K, t π j v = c ϕ 2. Since d π i I 2 we have d π i m r + d 2 + d 3 and thus d π j v = dπ i d 2 m r + d 3, i.e., the duration of π j unti the ( v)-th state is above the ower bound of I. It is easy to see that this duration is aso beow the upper bound (d π i and d π j v = dπ i d 2 < d π i ). is beow the upper bound Finay, T K, t π i +v = c ϕ 1 impies T K, t π j = c ϕ 1 for a < v Therefore, the index ( v) is appropriate to show that the path π j satisfies the bounded unti property. : This proof case is quite anaogous to the case of the existentiay quantified bounded unti. The proof structure is iustrated in Figure 4. Assume that R, t π j = c A ϕ 1 U I ϕ 2 hods. Then by definition for a paths π j tfpaths T K (t π j ) there is a time refinement π j tfpaths T K(t π j ) of π j and an index s.t. d π j I, T K, tπ j = c ϕ 2, and T K, t π j = c ϕ 1 for a 0 <. We show that R, t π i = c A ϕ 1 U I ϕ 2 hods. Let π i tfpaths T K (t π i ) be a path. Due to time robustness, π i has a time refinement π i tfpaths T K(t π i ) which contains the state t π j at time point d 2, and in case the upper bound of I is finite aso a state t at time point m u r. Note that time robustness assures that the state at time point d 2 is t π j. Let π pre i and π j be the prefix resp. suffix of π i ending resp. starting at time point d 2, i.e., at the state t π j. From R, tπ j = c A ϕ 1 U I ϕ 2 we concude that there is a time refinement π j of π j and an index such that d π j I, T K, t π j = c ϕ 2, and T K, t π j = c ϕ 1 for a 0 <. be the concatenation of π pre i and π j Let π i. Note that π i is a time refinement of π i. We show that the bounded unti hods aong π i. We distinguish between = 0 and > 0. = 0 For the case = 0 notice that t π j 0 = tπ j and thus T K, tπ j = c ϕ 2. Using the path π, by induction we get T K, t π i = c ϕ 2. Furthermore, since d π j 0 = 0 and d π j 0 I, the ower bound of I must be 0. I.e., the index 0 satisfies the condition for the bounded unti on the path π i. > 0 Otherwise, if > 0 then T K, t π j = c ϕ 1 and we get by induction that T K, t π i = c ϕ 1 for a < v (i.e., a states in the prefix π pre i of π i ending at t π j at time point d 2 satisfy ϕ 1 ). (i) If the upper bound of I is INF then from T K, t π j t π i +v we concude that T K, tπ i +v = c ϕ 2. Furthermore, d π j the ower bound of I and d π i +v = dπ j + d 2, i.e., d π i +v I. = c ϕ 2 and t π j = is above

23 Timed CTL Mode Checing in Rea-Time Maude 23 π : 0 r 2 r 3 r 4 r 5 r t π i t π j n r d 1 d 2 d 3 π pre π pre i π i : t π i π i : t π i d 2 t π j I m u r t π pre i π j π j : t π j t π j : t π j I 1 I 2 I t π i : t π i t π j t π pre i I π j π : t π i t π j t π pre π i Fig. 4: Lemma 1: Proof structure for the direction of universay quantified bounded unti

24 24 D. Lepri, E. Ábrahám, and P. Cs. Öveczy Finay, a states with indices from v to ( + v 1) in π i satisfy ϕ 1, since they aso appear in π j before the index. We have aready shown above that the states with indices up to v aso satisfy ϕ 1, therefore the bounded unti is satisfied aong the path π i. (ii) Otherwise m u r is the finite upper bound of I. Note that > 0 impies m u > 0. We assume first d π j cover d π j I 1 = I\I 2 in case (iii). I 2 = (m u r d 2, m u r] and Let π be the concatenation π pre and π j. The state tπ j appears in π j by assumption at a time point in (m u r d 2, m u r], and therefore aso in π i at a time point in (m u r, m u r + d 2 ] and in π at time point ((n + m u ) r + d 1, (n + m u ) r + d 1 + d 2 ]. By construction π j contains the state t at time point m u r d 2. Again by construction, aso π i contains t at time point m u r d 2 + d 2 = m u r. Therefore, the state t appears aso in π at time point (n + m u ) r + d 1. We concude that both t π j and t appear in π within the time interva ((n + m u ) r, (n + m u + 1) r). From T K, t π j = c ϕ 2 we get therefore by induction T K, t = c ϕ 2. Since t appears in π i at time point m u r being the upper bound of I, aso the time bound of the unti is satisfied for t on π i. We have shown above that a states with indices up to v in π i ϕ 1. The remaining states preceeding t in π i aso satisfy ϕ 1, since they appear in π j before the index. Thus the index of t in π i satisfies the condition of the bounded unti on π i. (iii) For the case d π j Therefore, T K, t π j I 1 = I\I 2 we observe that t π i = t π j v for a v. = c ϕ 2 impies T K, t π i +v = c ϕ 2. Since d π j I 2 we have d π j m u r d 2 and thus d π i +v = dπ j + d 2 m u r, i.e., the duration of π i unti the ( + v)-th state is beow the upper bound of I. It is easy to see that this duration is aso above the ower bound (d π j is above the ower bound and dπ +v i = dπ j + d 2 > d π j ). We have shown above that a states with indices up to v satisfy ϕ 1. Furthermore, T K, t π j = c ϕ 1 impies T K, t π i +v = c ϕ 1 for a <. Therefore, the index ( + v) is appropriate to show that the path π i satisfies the bounded unti property. Based on the above emma we gain our competeness resut: Theorem 1. Assume a time-robust rea-time rewrite theory R whose time domain satisfies the theory GCD-TIME-DOMAIN. Let Π be a set of tic-invariant atomic propositions, and assume a protecting extension of R defining the atomic propositions in Π and inducing a abeing function L Π. Let t 0 be a state of R, r a non-zero time vaue of sort Time, ϕ a TCTL cb formua over Π, and assume

25 Timed CTL Mode Checing in Rea-Time Maude 25 that r = GCD(R, t 0, r, ϕ) is a defined non-zero time vaue. Then R, L Π, t = c ϕ R gcd(t0,r,ϕ), L Π, t = p ϕ for a states t reachabe in R gcd(t0,r,ϕ) from t 0. Proof. Notice that t 0 is aso a state of R gcd(t0,r,ϕ). Furthermore, a states t reachabe in the abstraction R gcd(t0,r,ϕ) from t 0 are aso states reachabe in R from t 0. Since t is reachabe in T K gcd, there is a path π pre tfpaths T K gcd(t 0 ) eading from t 0 to t. Let π pre be such a path and et n 0 be the number of states in π pre. Note that π pre has tic steps of ength r/2 and aso that π pre tfpaths T K (t 0 ). We denote by T K the timed Kripe structure associated to R, by T K gcd the timed Kripe structure associated to R gcd(t0,r,ϕ). By definition R, L P, t = c ϕ T K, t = c ϕ, R gcd(t0,r,ϕ), L P, t = p ϕ T K gcd, t = p ϕ. Thus the theorem is equivaenty proved, if we show that T K, t = c ϕ T K gcd, t = p ϕ. Given a TCTL cb formua of the ind E ϕ 1 U I ϕ 2 or A ϕ 1 U I ϕ 2, we refer to the path formua ϕ 1 U I ϕ 2 as the unti path formua. The proof is done by induction on the structure of ϕ. Base cases: ϕ = true: We have R, L P, t = c true and R gcd(t0,r,ϕ), L P, t = p true for a t by definition of, respectivey, = c and = p. ϕ = p: We have R, L P, t = c p iff p L P (t) iff R gcd(t0,r,ϕ), L P, t = p p, by definition of = c and = p. Assume now that the theorem hods by induction hypothesis for ϕ 1 and ϕ 2 that is, respectivey, R, L P, t = c ϕ 1 R gcd(t0,r,ϕ), L P, t = p ϕ 1, R, L P, t = c ϕ 2 R gcd(t0,r,ϕ), L P, t = p ϕ 2, for a states t reachabe in the abstraction R gcd(t0,r,ϕ) from t 0. ϕ = ϕ 1 : ϕ = ϕ 1 ϕ 2 : T K, t = c ϕ 1 not (T K, t = c ϕ 1) (by def. of = c) not (T K gcd, t = p ϕ 1) (by ind. on ϕ 1) T K gcd, t = p ϕ 1. (by def. of = p) T K, t = c ϕ 1 ϕ 2 T K, t = c ϕ 1 and T K, t = c ϕ 2 (by def. of = c) T K gcd, t = p ϕ 1 and T K gcd, t = p ϕ 2 (by ind. on ϕ 1 and ϕ 2) T K gcd, t = p ϕ 1 ϕ 2. (by def. of = p)

26 26 D. Lepri, E. Ábrahám, and P. Cs. Öveczy ϕ = E ϕ 1 U I ϕ 2 : We need to show both impication directions. : Assume T K gcd, t = p ϕ. By definition T K gcd, t = p ϕ iff there exists π tfpaths T K gcd(t) and an index j s.t. d π j I, T K gcd, t π j = p ϕ 2, and 0 i < j T K gcd, t π i = p ϕ 1. Let π be such a path and j such an index. Note that a tic steps in π have duration r/2. This path π is aso in tfpaths T K (t). We show that for each time refinement π tfpaths T K (t) of π there is an index j s.t. d π j I, T K, tπ T K, t π i = c ϕ 1 for a 0 i < j. Let π tfpaths T K (t) be a time refinement of π. Then t π j π at the same time point d π j at some index j, i.e., d π j T K, t π j = c ϕ 2 and from t π j = tπ j we get T K, tπ j d π j is a mutipe of r/2 we have that dπ j = dπ j Let π 0 be the concatenation of π pre and π. Then t π j n 0 + j and time point d π0. If dπ0 n 0+j j = c ϕ 2, and aso appears in I. By induction = c ϕ 2. Furthermore, since is aso a mutipe of r/2. appears in π 0 at position n 0+j is a mutipe of r then we define be in the time interva (n r, (n + 1) r) for some (n r, (n + 1) r). Then j = j. Otherwise et d π0 n 0+j n N 0. Let j be the smaest index such that d π0 n 0+j by Lemma 1 we concude from T K, t π j = c ϕ 2 and t π j T K, t π0 n 0+j = c ϕ 2, i.e., T K, t π j = c ϕ 2. = tπ0 n 0+j that aso Simiary, by induction we get that T K, t π i = c ϕ 1 for a i < j in case d π i is a mutipe of r/2, since these states aso appear in π at the same time points and they satisfy ϕ 1 in the pointwise semantics by assumption. For the other states t π i in π appearing before the index j we use the concatenation π 0 of π pre and π to show that they satisfy ϕ 1 using Lemma 1. Note that those states t π i a appear in π 0 in some time interva (n r, (n+1) r). Furthermore, in this interva there is aso a state t mid at the time point n r + r/2, for which we have aready shown that T K, t mid = c ϕ 1. Thus by Lemma 1 and using the path π 0, aso t π i satisfies ϕ 1. : Assume T K, t = c E ϕ 1 U I ϕ 2. By definition T K, t = c E ϕ 1 U I ϕ 2 iff there is a path π tfpaths T K (t) s. t. for each time refinement π tfpaths T K (t) of π there is an index j s.t. d π j I, T K, tπ j = c ϕ 2, and 0 i < j T K, t π i = c ϕ 1. Let π be such a path. Let π be a time refinement of π in which a state appears at a time points n r/2 for n N 0. By the above definition we concude that there is an index j such that d π j I, T K, tπ j = c ϕ 2, and T K, t π i = c ϕ 1 for a 0 i < j. Next we define an index j satisfying the same conditions as j but additionay such that d π j is a mutipe of r/2. If dπ j is aready a mutipe of r/2 then et j = j. Otherwise et again π 0 be the concatenation of π pre and π.

27 Timed CTL Mode Checing in Rea-Time Maude 27 Then d π j is in π 0 in an interva (n r, (n + 1) r) for some n N 0. Furthermore there is another state t mid at time point n r + r/2 and index n 0 + j in π 0. Again by Lemma 1 we have T K, t π j = c ϕ 2. Now we can buid a time abstraction of π which we obtain by repacing each r tic step sequence t r +i 1... t+i with d π = n r/2 and d π +i = (n+1) r/2 r for some n N 0 by t t +i with r = +i 1 i= r i. This time abstraction π is a path of T K gcd, and the states of π appear at the same time points aso in π. Furthermore, since d π j is a mutipe of r/2, it aso appears in π at some position j. Finay, since a states in π with index ess that j satisfy ϕ 1, aso a states in π with index ess that j, buiding a subset of the previous ones, satisfy ϕ 1. Thus π satisfies the bounded unti path formua, i.e., T K gcd, t = p E ϕ 1 U I ϕ 2. ϕ = A ϕ 1 U I ϕ 2 : We need to show both impication directions. : Assume that T K gcd, t = p A ϕ 1 U I ϕ 2. By definition T K gcd, t = p A ϕ 1 U I ϕ 2 iff for each π tfpaths T K gcd(t) there is an index j s.t. d π j I, T K gcd, t π j = p ϕ 2 and 0 i < j T K gcd, t π i = p ϕ 1. In order to prove that T K, t = c A ϕ 1 U I ϕ 2, we have to show that for each path π tfpaths T K (t) there exists a time refinement π tfpaths T K (t) of π and an index j s.t. d π j I, T K, t π j = c ϕ 2, and 0 i < j T K, t π i = c ϕ 1. Let π tfpaths T K (t) and et π tfpaths T K (t) be a refinement of π containing a state at each time point n r/2, n N 0. We obtain π from π r +i 1 by repacing each tic step sequence t... t +i with d π = n r/2 and d π +i = (n + 1) r/2 for some n N r 0 by t t +i with r = +i 1 i= r i. Note that π is in tfpaths T K gcd(t) and thus by assumption there is an index j such that d π j I, T Kgcd, t π j = p ϕ 2 and T K gcd, t π i = p ϕ 1 for a 0 i < j. Let j be such an index. Then by construction and induction there exists an index j such that d π j is a mutipe of r/2, d π j I, T K, tπ j = c ϕ 2 and T K, t π i = c ϕ 1 for a 0 i < j with d π i being a mutipe of r/2. For the other states prior to the index j we construct π 0 as the composition of π pre and π. Note that in each interva (n r, (n + 1) r) with (n + 1) r < t π j there is a point at n r + r/2, for which we have aready shown to satisfy ϕ 1. Thus by Lemma 1 aso the states that are prior to the index j and are not at mutipes of r/2 satisfy ϕ 1. Hence π = c ϕ. : Assume T K, t = c A ϕ 1 U I ϕ 2. T K, t = c A ϕ 1 U I ϕ 2 iff for each path π tfpaths T K (t) there is a time refinement π tfpaths T K (t) of π and an index j s.t. d π j I, T K, t π j = c ϕ 2, and 0 i < j T K, t π i = c ϕ 1. r

28 28 D. Lepri, E. Ábrahám, and P. Cs. Öveczy In order to prove that T K gcd, t = p A ϕ 1 U I ϕ 2, we have to show that for each π tfpaths T K gcd(t) there is an index j s.t. d π j I, T Kgcd, t π j = p ϕ 2, and 0 i < j T K gcd, t π i = p ϕ 1. Let π tfpaths T K gcd(t). We now that π is aso a path in T K, thus by assumption there exist a path refinement π of π that satisfies the unti path formua in the continuous semantics in T K. By definition, a tic durations in π are r 2, thus, we can define π to be the same time abstraction of π that we defined in the proof for the ( ) of the existentia unti, where we removed a states at time points non-mutipe of r 2. We have aready shown how this path aso satisfies the unti path formua in T K, thans to Lemma 1. In particuar, we have that π = π and, by using the induction hypotesis on ϕ 1 and ϕ 2 as we did for the proof, we now that π satisfies the unti path formua in the pointwise semantics in T K gcd, and hence T K gcd = p ϕ. 4.1 Soundness and competeness for TACLT and TECLT Since it is the theory R σ that is mode checed, not a behaviors in the theory R are anayzed. Therefore, R σ, L Π, s = ϕ does not necessariy impy R, L Π, s = ϕ. However, for the universa fragment TACTL 8, in the pointwise semantics, if a counter-exampe exists in the mode checing of R σ, then this is aso a counterexampe in R; that is, for ϕ A a TACTL formua, we have R σ, L Π, s = p ϕ A = R, L Π, s = p ϕ A. Thus, R σ is a compete abstraction of R for TACTL. However, if a counter-exampe does not exist in R σ, then this does not excude the existence of a counter-exampe in R. Conversey, in the existentia fragment, if the given state satisfies the TECTL formua in R σ in the pointwise semantics, meaning that there exists a path π satisfying the given formua, then this hods aso for R, since π is aso a path in R; that is, for ϕ E a TECTL formua, we have R σ, L Π, s = p ϕ E = R, L Π, s = p ϕ E. Thus, R σ is a sound abstraction of R for TECTL. 5 Impementation Our mode checer maes the natura and reasonabe assumption that given a rea-time rewrite theory R, and an initia state t 0 on which we woud ie to chec some TCTL formua ϕ, a behaviors starting from t 0 are time-diverging 8 The universa and the existentia fragments [13] of TCTL are defined by aowing negation ony in front of propositions and by restricting quantification to the universa quantifier TACTL, and to the existentia quantifier in TECTL.

29 Timed CTL Mode Checing in Rea-Time Maude 29 w.r.t. the seected time samping strategy σ. This assumption aso impies that the transition reation T R σ in the timed Kripe structure T K(R σ, t 0 ) Π is tota. The current impementation of the mode checer assumes that time vaues are either in NAT-TIME-DOMAIN-WITH-INF or POSRAT-TIME-DOMAIN-WITH-INF, and provides the user with two possibe mode-checing strategies: (i) The basic strategy, which performs the mode checing on the mode obtained by appying the user-defined time samping strategy on the origina mode. As we expained in section 4.1, this strategy provides a sound anaysis for TETCL and a compete anaysis for TATCL. (ii) The gcd strategy, which extends the maxima time samping strategy with the gcd transformation to perform the mode checing for the satisfaction probem R gcd(t0,r,ϕ), L Π, t 0 = p ϕ. Soundness and competeness of the gcd strategy might come at the cost of a arger state space due to the appication of the gcd transformation. When the gcd strategy is impractica, the user can sti perform mode checing with the generay faster basic strategy, which does not increase the system state space and can sti be very usefu to discover potentia bugs, as iustrated beow. Rea-Time Maude, and hence our mode checer, is impemented in Maude, maing extensive use of Maude s meta-programming capabiities. Therefore, our mode checer gets as input the meta-representation R of the Rea-Time Maude mode R to anayze, as we as the meta-representations t 0 and ϕ of, respectivey, the initia state t 0 and the TCTL formua ϕ to chec. The agorithm first appies the user seected time samping strategy to R, and then expores the reachabe state space to incrementay construct the timed Kripe structure T K(R σ, t 0 ) Π, which is subsequenty mode checed (directy as it is in the defaut strategy, whie, in the gcd strategy, it is further refined by spitting the transitions into smaer ones of duration equa to the computed greatest common divisor in the gcd strategy and then mode checed). This is done by repeatedy using Maude s meta-eve descent functions metasearch, to find a states reachabe from a state in one rewrite step, and metareduce, to chec whether an atomic proposition hods in a state. Since the meta-representation of the states can be fairy arge 9, performing the rest of the mode checing procedure on the generated timed Kripe structure is fairy inefficient. In our current impementation, we assign a unique natura number to each (meta-represented) state in the generated timed Kripe structure, and construct a more compact timed Kripe structure, where a the occurrences of these meta-represented states are repaced by their respective identifiers. We then perform the main part of the mode checing procedure, namey, the recursive computation of the satisfaction set of ϕ on this compact representation. This optimization ed to a arge performance improvement and made it feasibe to appy our mode checer to a number of case studies in reasonabe time, whereas woring directy on meta-represented terms made mode checing unfeasibe even for simpe case studies. 9 For exampe, each state in the Maude representation of the Ptoemy II mode in Section 6 contains the entire Ptoemy II mode.

30 30 D. Lepri, E. Ábrahám, and P. Cs. Öveczy Our impementation of the TCTL mode checer is based on the expicit-state CTL mode checing approach [8] that, starting with the atomic propositions, recursivey computes for each subformua of the desired TCTL formua the set of satisfying reachabe states. We impemented specific procedures for a basic set of tempora moda operators and we expressed other formuas into this canonica form. The basic set consists of the CTL moda operators E ϕ 1 U ϕ 2, E G ϕ, the TCTL 10 moda operators E ϕ 1 U r ϕ 2 with {>, }, E ϕ 1 U r ϕ 2 with {<, }, A ϕ 1 U >0 ϕ 2 and the TCTL cb moda operator E ϕ 1 U [a,b] ϕ 2. The procedures for CTL modaities foow the standard expicit agorithm [8]. For TCTL modaities, our impementation adapts the TCTL mode checing procedure defined in [19] for time-interva structures and to timed Kripe structures with time-diverging paths. We briefy expain the mode checing procedure for ϕ = E ϕ 1 U [a,b] ϕ 2. We first compute the satisfacton set for the CTL formua ˆϕ = E ϕ 1 U ϕ 2, then we restrict the transition reation (which we here denote by tr) in the timed Kripe structure, to those transitions between states satisfying ˆϕ except transitions from ϕ 1 -states, obtaining tr. We then recursivey compute a the time distances from any state to some ϕ 2 state up to b time units. This is computed by the operator computedistances. The first two arguments of this operator are set of pairs of the ind < r, s > with r a time vaue and s a state (represented by a natura number in the current impementation), where each pair means that it is possibe to reach some ϕ 2 -state from state s in time r b. The first set of such pairs is the set of time distances that sti have to be visited, that is the predecessors of s sti have to be visited with the given time stamp r. The second of such sets contains time distances that have aready been visited. The third argument is the time bound b and the fourth argument is the restricted transition reation tr. The operator is initiay caed with computedistances({< 0, ϕ 2 -state >},emptyratnatpairset,b, tr), since each ϕ 2 -state can obviousy be reached in zero time. vars RNPS0 RNPS1 RNPS RNPS : RatNatPairSet. vars TIME0 TIME : Rat. var TRTKS : TransReTKS. var N0 : Nat. op computedistances : RatNatPairSet RatNatPairSet Rat TransReTKS -> RatNatPairSet. ceq computedistances(( < TIME0, N0 > RNPS), RNPS, TIME, TRTKS) = computedistances((rnps1 RNPS), (< TIME0, N0 > RNPS ), TIME, TRTKS) if RNPS0 := atimedpredecessors(trtks,n0) /\ RNPS1 := addtimeandfiter(rnps0, TIME0, TIME). eq computedistances(emptyratnatpairset, RNPS, TIME, TRTKS) = RNPS. 10 We denote by TCTL the restricted TCTL ogic with time constraints on the tempora modaities of the form r, where {<,,, >},

31 Timed CTL Mode Checing in Rea-Time Maude 31 The operator atimedpredecessors computes the set of < r, s > pairs where s is a predecessor of N0 that can reach N0 in r time in the given transition reation, for each pair of time distances that sti have to be visited. Then addtimeandfiter seects a pairs such that TIME0 + r b, which are then recursivey added to the set of pairs to be visited, whie < TIME0, N0 > is moved to the visited pairs. The computation terminates by returning a the visited pairs when a possibe pairs have been visited. The satisfaction set of ϕ consists of a states that can reach a ϕ 2 -state in a time within the interva [a, b]. Notice that this procedure wors aso for open bounded intervas, and indeed our impementation covers aso open bounded intervas, however, the mode checed ogic is cosed under negation ony for cose bounded intervas. In particuar, for modaities with cose bounded intervas, we transform each formua of the ind A ϕ 1 U [a,b] ϕ 2, with a 0, into its equivaent one A G <a ϕ 1 E F [a,a] (A ϕ 1 U (b a) ϕ 2 ), whose canonica form in terms of basic tempora moda operators is: (E true U <a ϕ 1 ) (E true U [a,a] (E ϕ 2 U >(b a) true) (E ϕ 2 U ( ϕ 1 ϕ 2 )). The ease and fexibiity of the Maude meta-eve aowed us to impement the mode checer reasonaby quicy and easiy. However, the convenience of operating at the meta-eve comes at a certain cost in terms of computationa efficiency, even with our optimizations. Therefore, the current Rea-Time Maude mode checer shoud be regarded as a woring prototype for a C++ impementation that we pan to impement in the future. Our mode checer is avaiabe at together with the specifications and anaysis commands of the case studies in this paper. 5.1 Using the Mode Checer To run the TCTL mode checing commands, the user needs to incude the modue TCTL-MODEL-CHECKER into his/her Rea-Time Maude specification. In this modue, we can aso find the definition of the syntax of the possibe TCTL formuas. In Rea-Time Maude, the user is provided with two TCTL mode checing commands, corresponding respectivey to the basic and the gcd strategy, with syntax (mc-tct t = ϕ.) and (mc-tct-gcd t = ϕ.) for t the initia state and ϕ a TCTL formua. The syntax of TCTL formuas is fairy intuitive, with syntactic sugar for (untimed) CTL formuas, common abbreviations and booean connectors such as AF, EF, AG, EG, iff and impies, etc. For exampe, E true U r ( ϕ A G (E F [a,b] ϕ )) is written The mode checer syntax for TCTL formuas supports aso open bounds, e.g. the user coud write [c 0, b o] for [0, b), which woud be internay reduced to [< than b].

32 32 D. Lepri, E. Ábrahám, and P. Cs. Öveczy E tt U[<= than r](not ϕ and AG (EF[c a, b c] ϕ )) Our mode checer can decide whether a TCTL property is satisfied by a rea-time rewrite theory and a given state. We do not support counter-exampe generation, since, in contrast to inear tempora ogics, where counter-exampes are just paths, it is generay more compex to generate counter-exampes in branching-time tempora ogics, where counterexampes are parts of computation trees (see, e.g. [14]). For exampe, a counter-exampe to the vaidity of the formua E F p, for p an atomic proposition, is the entire computation tree (where each state is a p-state). 6 Case Studies In this section we present three case studies that satisfy the requirements for having a sound and compete anaysis when using the gcd strategy. In particuar each of them uses the POSRAT-TIME-DOMAIN-WITH-INF, has time-divergent behaviors, whie the specification is time-robust and the atomic propositions used in the formuae are tic-invariant. The anaysis has been performed on a 2.4GHz Inte R Core 2 Duo processor with 4 GB of RAM. 6.1 A Networ of Medica Devices We have appied our TCTL mode checer on a Rea-Time Maude mode of an interoc protoco for a sma networ of medica devices, integrating an X-ray machine, a ventiator machine, and a controer. The exampe was proposed by Lui Sha, and the Rea-Time Maude mode is expained in detais in [24]. This case study has been anayzed aso using the bounded response and minimum separation mode checing commands in [20]. The ventiator machine heps a sedated patient to breathe during surgery. An X-ray can be taen during the surgery by pushing a button. To aow an X-ray to be taen without burring the picture, the ventiator must be turned off. Within a given time bound, the X-ray must be taen and then the ventiation machine must be restarted. Furthermore, the ventiation machine shoud not be stopped too often. The mode aso addresses nondeterministic message deays and coc drifts. The specification used here is sighty different from the one in [20]. In order to mae the reachabe state space finite, we now reset the controer s coc each time the controer initiates a pause of the ventiation machine (in the previous specification, this coc woud just count the time eapsed, maing the reachabe state space infinite). In the mode, a events tae pace when some timer expires or when a message arrives. Therefore, we use the maxima time samping strategy which advances time unti the next timer expires. One time unit in the specification corresponds to one miisecond in the case study. One requirement is that the ventiation machine shoud not pause for more than two seconds at a time. This can be expressed by the TACTL formua A G ( machine is pausing A F 2sec machine is breathing )

33 Timed CTL Mode Checing in Rea-Time Maude 33 In order to anayze this property, we first define two state propositions, ispausing and isbreathing, in the expected way. The bounded response property is mode checed using the foowing Rea-Time Maude command: Maude> (mc-tct initstate = AG(isPausing impies AF[<= than 2000] isbreathing).) The mode checer says that the property is not satisfied, whie if we set the time bound to 2500 then it says that the property is satisfied. This is due to the fact that the ventiation machine may indeed pause for 2.22 seconds, since its interna coc is a itte sower due to coc drifts (see [24]). The execution time is reativey arge compared to the corresponding bounded response command used in [20] (e.g. it taes about 15 seconds to chec the response property with time bound 2000, and the timed Kripe structure consists of about 1300 states and 1600 transitions, whie the respective bounded response command taes ess than one second), which is expected, since the mode checer for the time-bounded response transforms the mode checing probem into an untimed search probem, that is executed with Maude s efficient buit-in search command. Even though the speciaized commands for mode checing the bounded response and minimum separation run faster than the newy introduced mode checing command, an important achievement is the fact that now we can mode chec the combined property that, once the ventiation machine is paused for no more than 2 seconds, then, before another pause can be taen, the ventiation machine must be breathing for at east 10 minutes: A G ( machine is pausing (A F 2sec (A G 10min machine is breathing )) The property is anayzed using the foowing command in Rea-Time Maude: Maude> (mc-tct initstate = AG(isPausing impies (AF[<= than 2000](AG[<= than ] isbreathing))).) In about 37 secs, Rea-Time Maude dispays that the property is not satisfied. We were aso abe to chec that the property is sti vioated when we reax the response time bound to 2500 instead of Whie, the mode checer says that the property is satisfied when the separation time between two pauses is aso reaxed to be smaer than An important aspect to consider is whether the above anayses are sound and compete. Reca that the the mode-checed anayzes the theory R σ, and hence a subset of a behaviors of the origina theory R. Since both anayzed properties are in the universa fragment TACTL, when the mode checer reports that the property is vioated, then we can concude that the property is aso vioated in the origina theory R (in the pointwise semantics). On the other hand, when the mode checer returns that a property is satisfied, we can not excude the presence of a bad behavior in R. This strategy is particuary usefu for such a system, where the tic step durations under the maxima time samping strategy can easiy vary from an order of 10 to an order of 10 5, and hence the gcd strategy is sti impracticabe in our prototype, since the size of the construction of the refined timed Kripe structure can easiy exhaust the memory.

34 34 D. Lepri, E. Ábrahám, and P. Cs. Öveczy Fig. 5: A Ptoemy II DE mode of the rairoad crossing benchmar. 6.2 Ptoemy II Discrete Event Modes As mentioned, Rea-Time Maude provides a forma anaysis too for a set of modeing anguages for embedded systems, incuding Ptoemy II discrete-event (DE) modes. Ptoemy II [16] is a we-estabished modeing and simuation too used in industry that provides a powerfu yet intuitive graphica modeing anguage. Our mode checer has been integrated into Ptoemy II by Kyungmin Bae, so that we can now mode chec TCTL properties of Ptoemy II DE modes from within Ptoemy 12. We show the TCTL anaysis of the rairoad crossing and the hierarchica traffic ight existing Ptoemy II modes. In this second case study, our mode checing has uncovered a previousy unnown faw in the mode. Rairoad Crossing Mode Figure 5 shows the Ptoemy II mode of the we nown rairoad crossing benchmar. In this mode, a train approaches a rairoad crossing, and a gate shoud be owered when a train is in the intersection. The 12 Rea-Time Maude verification commands can be entered into the diaog box that pops up when the button Doube cic to generate code in Fig. 6 is ciced.

35 Timed CTL Mode Checing in Rea-Time Maude 35 mode contains two finite state machines: one for the train and one for the gate. One transition is taen in each time unit in the state machine Train. We refer to [7] for a thorough expanation of the mode. The Rea-Time Maude specification for Ptoemy II DE modes provides an intuitive syntax for specifying state propositions, so that e.g. the state proposition the train is in state approaching is written RairoadSystem. approaching One important property that the system shoud satisfy is that the gate shoud open within a reasonabe time (here 11 time units) after being owered, which can be mode checed by the foowing Rea-Time Maude command: Maude> (mc-tct {init} = AG(( RairoadSystem. cosed) impies AF[<= than 11] ( RairoadSystem. open)).) Our mode checer finds (in about 1 second 13 ) that the property is satisfied for 11 time units (but not for 10 time units). Another interesting property is that when the gate coses, it stays cosed for at east 2 time units, which can be mode checed (aso in about 1 second) as foows: Maude> (mc-tct {init} = A not ( RairoadSystem. Gate)@ cosed U AG[<= than2] ( RairoadSystem. Gate)@ cosed.) The same consideration about soundness and competeness carried out for the previous case study hods aso in this case, since we are again mode checing properties in TACTL. Hierarchica Traffic Light Mode Figure 6 shows a hierarchica Ptoemy II mode of a faut-toerant traffic ight system at a pedestrian crossing, consisting of one car ight and one pedestrian ight. Each ight is represented by a set of set variabe actors (Pred and Pgrn represent the pedestrian ight, and Cred, Cye and Cgrn represent the car ight). A ight is on iff the corresponding variabe has the vaue 1. Assuming that the coc actor generates an event every time unit, the FSM actor Decision generates faiures and repairs by aternating between staying in ocation Norma for 15 time units and staying in ocation Abnorma for 5 time units. Whenever the mode operates in error mode, a ights are turned off, except for the yeow ight of the car ight, which is bining. We refer to [7] for a thorough expanation of the mode. An important faut toerance property is that the car ight wi turn yeow, and ony yeow, within 1 time unit of a faiure. We can mode chec this bounded response property with the command: 13 The generated timed Kripe structure has 51 states for this case study.

36 36 D. Lepri, E. Ábrahám, and P. Cs. Öveczy HierarchicaTrafficLight Decision TrafficLight TrafficLight Norma Error Fig. 6: A hierarchica faut-toerant traffic ight system in Ptoemy II. (a) Pedestrianight (b) Caright Fig. 7: The FSM actors for pedestrian ights and car ights

Timed CTL Mode Checing in Rea-Time Maude 37 Fig. 8: Diaog window for the hierarchica traffic ight code generation. Maude> (mc-tct {init} = AG(( HierarchicaTrafficLight.

37 Timed CTL Mode Checing in Rea-Time Maude 37 Fig. 8: Diaog window for the hierarchica traffic ight code generation. Maude> (mc-tct {init} = AG(( HierarchicaTrafficLight. Decision (port Error is present)) impies AF[<= than 1] ( HierarchicaTrafficLight ( Cye = # 1, Cgrn = # 0, Cred = # 0)))).) In about 15 secs, the command returns that the property is not satisfied. This mode checing uncovered a previousy unnown scenario, which shows that, after a faiure, the car ight may show red or green in addition to bining yeow. The same property can be aso mode checed in 14 secs using the bounded response command described in [20]. What is interesting to notice is that 11 of the 15 seconds used by the timed CTL mode checer were used to generate the timed Kripe structure. Hence, we can concude that the pure mode checing agorithm too 4 seconds to execute. On the other side, the 14 seconds used by bounded response command were mainy used by the untimed search performed in Maude. This is most probaby due to the fact that a singe state in this case study is represented by a very arge term: we can here appreciate how the timed CTL mode checer taes advantage on the mapping the state space to natura numbers. Because of the arge size of the system states in this case study, it was impossibe to run the same anaysis before impementing the optimization that mapped each state to a unique identifier. The same property can be mode checed with the sound and compete gcd strategy command mc-ts-gcd in about 22 secs. The extra time is due to the greater size of the generated timed Kripe structure in this case.

XSAT of linear CNF formulas

XSAT of linear CNF formulas XSAT of inear CN formuas Bernd R. Schuh Dr. Bernd Schuh, D-50968 Kön, Germany; bernd.schuh@netcoogne.de eywords: compexity, XSAT, exact inear formua, -reguarity, -uniformity, NPcompeteness Abstract. Open