Really Visual Temporal Reasoning. Y S Ramakrishna, P M Melliar-Smith, L E Moser, L K Dillon, G Kutty


Really Visual Temporal Reasoning

Y. S. Ramakrishna, P. M. Melliar-Smith, L. E. Moser, L. K. Dillon, G. Kutty
Department of Electrical and Computer Engineering and Department of Computer Science, University of California, Santa Barbara, CA 93106
e-mail: {ysr,mms,moser,gk}@nu.ece.ucsb.edu, dillon@cs.ucsb.edu

Abstract

Real-Time Future Interval Logic (RTFIL) is a visual logic with formulae that resemble timing diagrams. It is a dense real-time temporal logic that is based on two simple temporal primitives: interval modalities for the purely qualitative part and duration predicates for the quantitative part. In this paper we present the logic, and illustrate its use in specifying the railroad crossing example and proving some of its properties. The logic in its propositional form is decidable by reduction to the emptiness problem of Timed Büchi Automata. A theorem prover, based on this decision procedure, has been implemented as part of a graphical proof environment. The proofs of the railroad crossing example have been verified using this theorem prover. The combination of an automated theorem prover and a graphical specification language greatly facilitates the task of verifying real-time proofs. This convenience apart, RTFIL is invariant under real-time stuttering and does not admit instantaneous states. These properties are expected to facilitate proof methods based on abstraction and refinement.

1 Introduction

Timing diagrams have traditionally been used with much success as a specification and documentation formalism in industrial practice. An important reason for their popularity is their simple semantics and visual appeal. However, because such notation lacks a rigorous semantics, there is often ambiguity in the timing diagrams drawn by system designers. Thus, such diagrams cannot be used directly in formal specification and verification environments. We present a logic, Real-Time Future Interval Logic (RTFIL), whose formulae resemble timing diagrams, thus giving it an intuitive semantics and a visual representation. RTFIL is an extension with real time of the Future Interval Logic (FIL) of [12, 17, 24].¹ Formulae in the logic explicitly depict a "time line", and intervals demarcated by states on the time line. Such a graphical depiction greatly eases the use of a formal specification language by making it more intuitive than existing logical formalisms, which are based primarily on linear text. This simplicity notwithstanding, the logic has a clear and precise semantics. It thus combines the intuition of pictures with the rigour of a formal mathematical logic.

Interval logics also offer other advantages over traditional temporal logics. They are able to represent the nesting of temporal contexts more naturally and often more succinctly. The ability to limit the "scope" of a property within an arbitrary interval also gives interval logics pleasant temporal composition properties. Unfortunately, most interval logics known until recently were either non-elementary or undecidable [10, 14, 15]. On the other hand, FIL is elementary [24], while still allowing most of the interval constructs one expects of an interval logic. Moreover, it is easily extended to dense real time by adding a single quantitative construct to its vocabulary. The semantics and rules of the original untimed logic extend naturally to this timed logic, much as for Metric Temporal Logic [18] vis-à-vis Propositional Temporal Logic. The resulting real-time logic is decidable in double exponential time [25]. In [17] we presented an example illustrating the use of the untimed logic, FIL. In this paper, we present the real-time logic RTFIL and illustrate its use in specifying a version of the railroad crossing example, and in proving some of its properties.

This work was partially supported by NSF grant CCR-9014382 with cooperation from DARPA.

¹ In previous work [12, 17, 24] on an untimed version of this logic, we have referred to the graphical representation as Graphical Interval Logic (GIL) and the textual representation as Future Interval Logic (FIL). Since the difference between the two is merely representational, and a user of the logic is exposed only to the graphical representation, in this paper we blur that distinction, using RTFIL for both the graphical form used in this paper and the textual form used to define the formal semantics and the decision procedure in [25].

The remainder of this paper is organized as follows. In Section 2 we briefly present RTFIL, and informally describe its semantics. A formal semantics appears in [25]. Section 3 presents a small suite of useful inference schema for the logic. Section 4 briefly recapitulates, within the context of RTFIL, the logical framework of axiomatic verification on which our methodology is based. In Section 5 we present the railroad crossing example to illustrate the use of RTFIL. We first axiomatize the participating processes in RTFIL. We then use our RTFIL theorem prover to show that the system satisfies certain real-time safety and liveness conditions. Section 6 gives a very brief description of our prototype RTFIL theorem prover and the graphical proof environment of which it is a part. Section 7 compares our logic with some other real-time logics. We conclude in Section 8 with some directions for future work.

2 The Logic

RTFIL is a linear-time temporal logic. Thus, a formula is interpreted on a linear trace of states, representing a possible execution of a transition system (or a fragment of such an execution). Every trace has an initial state. Traces may, however, be unbounded and may thus represent nonterminating behaviours. A trace is a model for a formula if it satisfies the formula in the formal sense given in [25]. (Due to space limitations we provide here only an informal semantics, referring the reader to [25] for the formal details.) A transition system satisfies a formula if all of its traces do. We assume that the states of the transition system are continuously observed in real time, so that every trace of the system is, in fact, a dense real-time trace. We impose certain restrictions on the traces on which formulae are interpreted: the traces must be right continuous and finitely variable. Right continuity prevents instantaneous states by requiring that each action of the system takes some measurable amount of time.² Finite variability ensures that in any finite duration the system performs only a finite number of actions.

The key constructs of RTFIL are the interval modality and the duration constraint. Syntactically, an interval modality is constructed by means of searches and other (simpler) RTFIL formulae. Semantically, an interval modality extracts a convex subset (or interval) from a given dense trace. This then specifies the interval over which a property designated by a nested formula holds. The duration constraint is expressed using the special predicate len, and specifies rational lower and upper bounds on the length of an interval. An interval is constructed using a pair of search patterns; searches are shown dashed with arrowheads, and target formulae are left-justified below the arrowheads. The semantics of a search that starts at a point in the trace is that the search locates the earli­est point in the reflexive future where the target formula holds. When such searches are composed sequentially into a search pattern, every subsequent search begins at the state where the previous search ended. In case the target of a search is not satisfied at any point in the future of the current point within the previous outer interval, the formula is assumed to be true by default if the search is "weak" and false if the search is "strong" (see the example below). Intervals are shown solid, with square brackets on the left and parentheses on the right. A formula drawn left-justified below the start of an interval must hold at the first state of that interval, while a formula indented below an interval must hold throughout the interval. We illustrate these ideas by means of a formula from the specification of the railroad crossing example.

In the graphical representation of an RTFIL formula, the horizontal dimension shows progression through the trace (time progresses from left to right) and the vertical dimension describes the composition of formulae from subformulae.

(Figure: the example formula from the railroad crossing specification; its nested duration constraint is len(3.0,5.0].)

Graphical formulae are read from top to bottom and from left to right. The top interval represents an entire behaviour of the system. Since the subformula is indented within the top interval, it represents a temporal invariant for the execution. A single arrowhead in a search indicates a "weak search," in the sense, for example, that the above formula is vacuously satisfied by any execution in which the train never nears the railroad crossing. On the other hand, a double arrowhead indicates a "strong search," which must succeed and requires in the above example that, if the preceding searches succeed, then a state is found (in the reflexive future of the state located thus far) in which the train is in the crossing. It expresses a liveness property that, if a train nears the crossing, it must eventually start crossing. The double solid line for the interval between the two actions, referred to as a "strong interval," indicates that the interval must be non-empty, i.e. that the approach must strictly precede the start of the crossing. The alternative, the "weak interval," is shown by a single solid line, and may be empty, in which case the nested subformula is vacuously satisfied. The nested subformula in this example is a conjunction of two properties: the duration constraint len(3.0,5.0]³ and the invariant. Note that conjunction is the default while using vertical layout, and thus the conjunction symbol is omitted. Any other connective would be explicitly shown. The duration constraint len(3.0,5.0] requires that the length of the interval be more than 3.0 and at most 5.0 minutes. The invariant requires that the predicate stating that the train is near the crossing remains true up to, but not necessarily including, the moment at which the predicate stating that it is in the crossing becomes true. The above formula thus asserts that whenever a train nears the crossing, it must enter the crossing within five minutes but not before three minutes of the approach, and between the approach and the actual crossing it remains near the crossing. Although in the above example the target for each search is a state predicate, in general any RTFIL formula (including a temporal formula) may be the target of a search. The logic also provides a representation for eventualities within bounded or unbounded intervals. This and other constructs will be explained as and when they are encountered in the sequel.

² In concert with the restricted vocabulary of the logic, it also ensures that any formula of RTFIL that is satisfied at a point on the trace is satisfied for some time in the reflexive future of that point. This property of temporal stuttering facilitates refinement proofs, where the refinement mapping may involve an arbitrary RTFIL formula.
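The search, interval and duration semantics just described, as an added example that is not part of the paper or its toolset: a small checker for a fragment of RTFIL, written in Python here. A trace is represented as a list of constant-state segments, which is a finitely variable, right-continuous dense trace whose last state persists for ever; weak and strong searches, weak and strong intervals, len(lo,hi] constraints and invariants are implemented with the default values given above, and the Section 2 formula (it reappears as axiom Train:Near in Section 5.1) is checked on a few constructed traces. The predicate names near and cross, the traces, and the reading of the formula's first search as locating the point at which the train becomes near (a search for "not near" followed by a search for "near") are assumptions of this example, since the formula graphic is not reproduced in this copy.

```python
"""Checker for a fragment of RTFIL on dense, finitely variable, right-continuous
traces. Added example; not the paper's prover. Times are in minutes."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, bool]
Pred = Callable[[State], bool]

@dataclass
class Trace:
    # (start, state) segments sorted by start; a state holds on [start, next start)
    # and the last segment persists for ever (an eventually constant infinite trace).
    segments: List[Tuple[float, State]]

    def state_at(self, t: float) -> State:
        cur = self.segments[0][1]
        for start, st in self.segments:
            if start > t:
                break
            cur = st
        return cur

    def search(self, start: float, target: Pred) -> Optional[float]:
        # Earliest point in the reflexive future of start where target holds, or
        # None. States are constant on segments, so the answer is start itself
        # or a later segment boundary.
        if target(self.state_at(start)):
            return start
        return next((s for s, st in self.segments if s > start and target(st)), None)

    def throughout(self, a: float, b: float, pred: Pred) -> bool:
        # pred holds at every point of the half-open interval [a, b).
        return a >= b or (pred(self.state_at(a)) and
                          all(pred(st) for s, st in self.segments if a < s < b))

@dataclass
class Search:            # dashed arrow: single head = weak, double head = strong
    target: Pred
    strong: bool = False

@dataclass
class Dur:               # len(lo, hi]: left-open, right-closed
    lo: float
    hi: float

@dataclass
class Inv:               # indented below the interval: holds throughout it
    pred: Pred

@dataclass
class IntervalFormula:
    left: List[Search]   # search pattern locating the left endpoint
    right: List[Search]  # pattern run from the left endpoint for the right one
    strong: bool         # double solid line: the interval must be non-empty
    body: list           # vertical layout is conjunction: Dur and Inv constraints

def run_pattern(trace: Trace, start: float, pattern: List[Search]):
    # Compose searches sequentially. If a search fails, the formula's value is
    # True for a weak search and False for a strong one (returned as default).
    p = start
    for s in pattern:
        p = trace.search(p, s.target)
        if p is None:
            return None, not s.strong
    return p, True

def holds_at(trace: Trace, t: float, f: IntervalFormula) -> bool:
    a, default = run_pattern(trace, t, f.left)
    if a is None:
        return default
    b, default = run_pattern(trace, a, f.right)
    if b is None:
        return default
    if a == b:               # empty interval: a strong interval is violated,
        return not f.strong  # the body of a weak one is vacuously satisfied
    for c in f.body:
        if isinstance(c, Dur) and not (c.lo < b - a <= c.hi):
            return False
        if isinstance(c, Inv) and not trace.throughout(a, b, c.pred):
            return False
    return True

def always(trace: Trace, f: IntervalFormula) -> bool:
    # Invariant over the whole behaviour. A search from t lands on t or on a later
    # boundary, so f is constant on each segment: checking segment starts suffices.
    return all(holds_at(trace, s, f) for s, _ in trace.segments)

# State predicates; the names "near" and "cross" are assumptions of this example.
def near(s: State) -> bool: return s["near"]
def not_near(s: State) -> bool: return not s["near"]
def in_crossing(s: State) -> bool: return s["cross"]

# Section 2 formula (Train:Near): whenever a train becomes near the crossing it
# enters it after more than 3 and at most 5 minutes and stays near until then.
# The left pattern finds the next point where near becomes true; the right
# pattern must then find the crossing (strong search), strictly later (strong interval).
TRAIN_NEAR = IntervalFormula(left=[Search(not_near), Search(near)],
                             right=[Search(in_crossing, strong=True)],
                             strong=True, body=[Dur(3.0, 5.0), Inv(near)])

def st(n: bool, c: bool) -> State:
    return {"near": n, "cross": c}

# Constructed traces (not from the paper), one per outcome of the formula.
GOOD = Trace([(0.0, st(False, False)), (1.0, st(True, False)), (5.0, st(True, True)),
              (8.0, st(False, False)), (20.0, st(True, False)), (24.0, st(True, True)),
              (27.0, st(False, False))])
TOO_EARLY = Trace([(0.0, st(False, False)), (1.0, st(True, False)),
                   (3.0, st(True, True)), (6.0, st(False, False))])
LEAVES_EARLY = Trace([(0.0, st(False, False)), (1.0, st(True, False)),
                      (3.0, st(False, False)), (5.0, st(False, True)), (8.0, st(False, False))])
NEVER_CROSSES = Trace([(0.0, st(False, False)), (1.0, st(True, False))])
NO_TRAIN = Trace([(0.0, st(False, False))])
```

Because states are piecewise constant, a search from a point t lands either on t or on a later segment boundary, so the value of the formula is constant within each segment and `always` only has to evaluate it at segment starts. An eventually periodic trace such as the counterexample of Section 5.5 cannot be held constant in its last segment; it would have to be unrolled far enough to cover every search, which is what the automaton-based decision procedure of Section 6 avoids.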
3 Some Useful Inference Rules

To familiarize the reader with the semantics of the logic and to motivate some of the inference steps implicit in our subsequent proofs, we now present a list of sound rules of inference for RTFIL. These rules represent some of the more common reasoning steps we have used in constructing quantitative temporal proofs.⁴ Note that our theorem prover does not explicitly recognize these rules of inference but, for a particular instance of a schema, it can check the correctness at the semantic level. In a more interactive style of theorem proving, it might be a useful feature to have the theorem prover apply these schema explicitly upon request by the user.

In the following, we let the search-pattern meta-variables represent any general search pattern. All searches in a given search pattern so represented have the sense of the given search, i.e. either all are weak or all are strong, depending on whether the given arrowhead is single or double, respectively. The state-predicate meta-variables represent state predicates (primitive propositions or their boolean combinations), and f and h represent any general RTFIL formula. The "inf" in the duration constraints in some of the rules denotes ∞.

The first two rules illustrate how, from the duration bounds of two intervals, the duration bounds on a third interval may be deduced. The two rules that follow describe transitivity properties for bounded safety and liveness, and the two after those are induction rules for the same cases; the rule after that mixes safety and liveness in the antecedent to give a mixed property in the consequent.⁵ The last two rules are useful for manipulating the duration bounds of a specific interval. Note how the alignment of search targets in each rule helps explicate the underlying reasoning.

The first two rules illustrate the use of arithmetic on duration bounds of intervals.

Interval Difference: This rule illustrates the effect of removing an interval from within a larger interval. If the larger interval satisfies len(d1',d2'] and the removed interval satisfies len(d1,d2], where d2 < d1', then the remaining interval satisfies len(d,D] with d = d1' - d2 and D = d2' - d1.

Interval Union: This rule illustrates the effect of concatenating adjacent intervals. If the two intervals satisfy len(d1,d2] and len(d1',d2'], then the interval spanning both satisfies len(d,D] with d = d1 + d1' and D = d2 + d2'.

The next two rules may be regarded as variants of the first two; they illustrate time-bounded safety and liveness.

Transitivity of Time-Bounded Safety: This rule places a lower bound on the duration between the endpoints of chains of events. From len(d1,inf) and len(d2,inf) on two consecutive intervals, the interval spanning both satisfies len(d1+d2,inf).

Transitivity of Time-Bounded Liveness: This rule states a form of time-bounded liveness; it allows one to obtain upper bounds between chains of events. From len(0,d1] and len(0,d2] on two consecutive intervals, the interval spanning both satisfies len(0,d1+d2].

The next two rules allow induction over chains to obtain lower and upper bounds, respectively. In both rules, i > 0 ranges over the naturals, d = d1 + ... + dn, the search patterns are indexed by i, and the intervals in the conclusions are specified by composing the search patterns with indices n, n-1, ..., 0.

Induction Rule for Time-Bounded Safety: If, for every i, the interval between the targets of the patterns with indices i and i-1 satisfies len(di,inf), then the interval between the targets of the patterns with indices n and 0 satisfies len(d,inf).

Induction Rule for Time-Bounded Liveness: If, for every i, the interval between the targets of the patterns with indices i and i-1 satisfies len(0,di], then the interval between the targets of the patterns with indices n and 0 satisfies len(0,d].

Mixing Time-Bounded Liveness and Safety: This rule mixes time-bounded safety and liveness properties in the antecedent to obtain a mixed property as the conclusion. It states that if f does not happen within d1 (the interval up to f satisfies len(d1,inf)), if h happens within d2 (the interval up to h satisfies len(0,d2]) and if d2 < d1, then ¬f ∧ h happens within d2 (len(0,d2]). The invariant over the interval is straightforward.

³ All our duration constraints are left-open and right-closed. This is necessary for maintaining right-continuity of models under extension [25].

⁴ We make no claim of completeness of the rules presented. The decision procedure underlying the proof-checker is, however, complete [25].

⁵ Note how the combination of a strong interval and a weak search is used to specify a time-bounded safety property, and the dual combination of a weak interval and a strong search is used for a time-bounded liveness property.

The following two rules allow one to, respectively, slacken and tighten the bounds on the duration of a particular interval.

Bound Slackening: This may be considered a form of weakening. If d1' ≤ d1 and d2 ≤ d2', then an interval satisfying len(d1,d2] also satisfies len(d1',d2'].

Bound Tightening: This may be considered a form of conjunction. If an interval satisfies both len(d1,d2] and len(d1',d2'], then it satisfies len(d,D] with d = max(d1, d1') and D = min(d2, d2').

The logic also provides purely qualitative rules, for manipulating chains of searches to obtain simpler chains, and for nesting and denesting intervals.

4 The Logical Framework

A process in RTFIL is specified as a collection of "axioms" and can be thought of as a super-theory of RTFIL defined by its axioms (specifications). The set of traces of a process is the set of intended models for this theory. Composition of processes is then the union of the theories of the individual processes. If this union is inconsistent, then there is no execution admitted by this composition. This means that two or more process specifications may be in conflict. When it is consistent, this theory represents precisely the composition of the processes. To prove that this composition satisfies a given "requirements specification," one must show that the requirements specification is in the union of the theories. Since propositional RTFIL is decidable, in principle this check may be done automatically. However, in practice, this might be computationally too expensive. In such a case, the proof must be broken down into simpler steps (by means of intermediate lemmas) that are more tractable to verify.

From a model-theoretic perspective, one may recast the above in terms of traces satisfying a given specification. A process is the set of traces satisfying a specification. For convenience, assume that each of these traces is over a common alphabet consisting of all the state predicates mentioned in any process specification. Since RTFIL is invariant under finite stuttering, these trace sets are maximally closed under real-time stuttering. Composition of processes is now the intersection of the trace sets for each process. If the composition is inconsistent, then there is no trace in the intersection. When this set is not empty, it satisfies a requirements specification precisely if all of its constituent traces do.

Of course, this still leaves unanswered the question of mutual consistency of the specifications. One way of showing their consistency is by exhibiting a model for the conjunction of the individual theories. Once again, since the logic is decidable, the question can in principle be answered. For most systems, however, this approach is computationally infeasible. As a result, methods have been developed to specify processes compositionally, and to require a set of consistency conditions to hold at their interfaces. In the future, we plan to investigate these methods in the context of RTFIL. In addition, there is the important notion of realizability: Is a given specification of a process realizable under all possible behaviours of its environment? Clearly, the answer in general is negative. Thus, a realizable specification usually carries with it an assumption on the behaviour of its environment, and guarantees to satisfy its specification only if the environment satisfies the assumptions.⁶ In this paper we address only the first issue, that of proving that the requirements are implied by the process specifications, and ignore the other two important issues of consistency and realizability. A clear overview of these latter issues appears in [2].

Finally, our approach to proving correctness may be characterized as an exogenous approach. A general deductive system (embodied in this case by our decision procedure) is uniformly used in all proofs. Contrast this with the endogenous approach, which is the style of choice in proving the correctness of a specific implementation, for instance a timed transition system or a program. As for other temporal logics, an endogenous proof system may be constructed for RTFIL. On the other hand, if the implementation is finite-state, model checking may be used; a model-checking algorithm for RTFIL follows in the usual manner from the decision procedure for the logic. We refer the reader to [23] for a detailed discussion of the exogenous and endogenous styles of proof.

⁶ For instance, in the case of the specifications of the gate and the controller given in the next section, the antecedents for the two liveness properties serve this purpose.

5 The Railroad Crossing Example

Informally, the system consists of a train sensor, which warns the gate controller while a train is within a certain distance of the crossing. The controller then signals the gate to close to road traffic. The gate closes within a certain duration of this signal. The train having crossed, the controller is notified and signals the gate to open once again, allowing the road traffic to resume. In the following we give an axiomatic specification of the three "processes": the train, the gate and the controller. The specification of the train makes use of two state predicates: one that is true when a train is within a certain distance of the crossing, and one that is true when it is in the crossing. The controller's specification uses the first of these as an input, and produces the signal to the gate. Finally, the specification for the gate makes use of that signal as input, and of the state predicate which indicates, when true, that the gate is open. The next three subsections give the formal specifications of the processes, and the fourth subsection gives a part of the correctness proof.

5.1 Axiomatizing the Train

1. Train:Init: Initially no train is near or in the crossing.

2. Train:Near: A train takes at least 3 minutes and at most 5 minutes from being first near the crossing to actually entering it (duration constraint len(3.0,5.0]). The second conjunct in the specification ensures that the predicate stating that the train is near the crossing does not go false until the train has finished crossing, and does so precisely when it has finished crossing. The last arrow in this formula does not have a target formula, but rather extends to the end of the enclosing context, and produces an interval that is the suffix of the previous outer interval, starting at the state where the search for the left endpoint ended.

3. Train:Cross: A train takes at least 2 minutes and at most 5 minutes to complete the crossing (len(2.0,5.0]).

4. Train:Sep: The approaches of consecutive trains are separated by at least 15 minutes (len(15.0,inf)).

5.2 Axiomatizing the Controller

1. Ctlr:Init: Initially the controller is not signalling the gate to close.

2. Ctlr:Live: If the signals from the sensors remain steady sufficiently long, the controller signals the gates to close within 30 seconds of the approach of the train and to open within 30 seconds of its exit. The formula carries the duration constraints len(0.5,inf) and len(0.0,0.5] for the close case, and again for the open case.

3. Ctlr:Safe: The controller does not nal the gate to (close) unless it detects the aroach (exit) of a train. 5.4 Secication of the Proerties of the System The above formula shows the reresentation of a bounded eventuality. The diamond 3 on an interval indicates that somewhere in the indicated interval, a state exists at which holds. Recall, however, that the existence of such a state is redicated on the existence of the interval. Thus, in the rst conjunct above, we are not reuired to nd a state if we never nd a state. 5.3 Axiomatizing the ate We rove three roerties, one of which is an untimed safety reuirement, one a timed safety reuirement, and one a mixture of a timed safety and a timed liveness reuirement. 1. Untimed Safety: The gates remain closed whenever a train is in the ing. 2. Timed Safety: Once, the gates remain for at least 3.5 minutes. 1. ate:init: Initially the gates are to the road trac. len(3.5,inf) 2. ate:live: If the nal from the controller remains steady suciently long, the gates close between 1 and 2 minutes of a nal to close, and between 1 and 2 minutes of a nal to. 3. Mixed Reuirement: Once closed, the gates remain closed for at least 3.5 minutes and at most 11.5 minutes. len(3.5,11.5] len(2.0,inf) len(1.0,2.0] len(2.0,inf) len(1.0,2.0] 3. ate:safe: The gates do not (close) unless the controller nals them to do so. 5.5 A Samle Proof Sace does not ermit a comlete account of the roofs as done on our RTIL theorem rover. We shall therefore give here only art of one of the roofs for illustrative uroses. The remaining roof in the form of intermediate lemmas and an annotated roof tree aears in the aendix. These roofs have been veried using our theorem rover. (The user is resonsible for constructing the roofs, our rover merely checks their validity, subject to memory limitations. See [17] for a more detailed discussion.) 
As noted earlier, a major advantage of using a visual roof language, such as RTIL, is that the temoral ow of the argument in a roof can often be

illustrated in the icture reresenting the roof. In RTIL, the grahical notation of the timeline, allows one to align aroriate oints in the antecedents to a roof. This allows the user, as well as a reader of the roof, to see the oints at which an invariant is being instantiated, the intervals being aligned to roduce a reuired bounded liveness condition, the relationshi between secic intervals so that secic real-time delays are achieved, and so on. These visual cues can be extremely helful, not only in constructing roofs, but for discovering otential fallacies. Note, however, that this visual \syntactic sugar" has no semantic content in the roofs below. We are, however, currently investigating a techniue that will rovide semantic content to such alignment by \forcing" states to be identical or ordered in a secic manner uon reuest by the user. Currently, such ordering or identication of states must be exlicitly encoded as an RTIL formula. 7 This alignment and ordering of oints on a timeline has other uses as well. or instance, the toolset rovides a counterexamle generation facility that allows the user to uery the rover for a counterexamle in case of a failed roof. The counterexamle is dislayed in the form of a seuence of states (or alternatively, a timing diagram), with aroriate duration constraints indicated. Aligning the searches in the formul aroriately with this counterexamle can hel the user discover a otential cause of failure of a urorted roof. In the roof given in igure 1 this idea of aligning searches is used to highlight the underlying correctness argument. The deduction reresents the last major ste in the roof of Theorem 3 (Mixed Reuirement). The annotations alongside the icture show the secication formul and intermediate lemmas that are used in the antecedent. The lemmas are stated in the aendix. As shown by the annotations, Theorem 3 is roved from? Lemmas 5 and 6, which state uer and lower bounds on the durations of maximal and : intervals, resectively? 
- Lemmas 7 and 8, which state unconditional liveness properties of the gate during any run of the system;
- the safety condition of the gate; and
- the initial conditions for the gate and controller.

Note that we have ordered the conjunctions in the antecedent (for instance, the three conjunctions in the safety specification of the gate have been split apart) to allow the reader to visually follow the temporal flow of the proof.

[Figure 1: Example of a proof step in RTGIL. Antecedent annotations: Gate:init, Ctlr:Init, Gate:safe.1, Gate:safe.2, Gate:safe.3, Lemma 5, Lemma 6, Lemma 7, Lemma 8; consequent: Theorem 3. Duration bounds shown on the timelines: len(1.0,2.0], len(4.5,10.5], len(1.0,2.0], len(3.5,11.5], len(4.5,inf).]

^7 Of course, such alignment would now generate a set of new proof obligations (what would previously have appeared as RTGIL formulae encoding the alignment and ordering conditions) which must be separately discharged.

The inference hides^8 within it, for instance, an application of the "interval difference" and "interval union" rules that we gave in the last section for arithmetic on bounds. The interval difference rule is applied to Lemma 5 and Gate:safe.3 to deduce the bound len(2.5,9.5] on a maximal [...] to [...] interval. The interval union rule then permits us to deduce, along with Lemma 8, the bound len(3.5,11.5] on a maximal [...] interval, as shown in the consequent.

^8 "Hides", because these rules are not separately or explicitly applied, but may be considered as being implicit in the inference, which is verified as a whole by the decision procedure.

The rule also hides an induction. Although not immediately apparent, the role of the last conjunct, Lemma 6, is crucial for this. It ensures that the induction can be carried through in the "next cycle", by ensuring a state identical with the initial state at the end of the first cycle and, by induction, after the nth cycle. Our initial attempt to prove Theorem 3 without this lemma led to the generation of the counterexample shown in Figure 2. The invariant in the consequent fails in the second cycle, because the

[Figure 2: Counterexample for a failed proof attempt. Timing constraints displayed on the trace: <=2.0, >1.0; <=10.5, >4.5; <=2.0, >1.0; <=10.5, >4.5; <=3.5; <=2.0, >1.0. The state labels of the trace (a sequence of negated propositions) are not recoverable from the extraction.]

stage has not been set for the induction to succeed: [...] is allowed to be asserted before the gates have had a chance to [...]. In the counterexample display, representing an eventually periodic infinite trace, the unshaded part denotes the initial trace and the shaded part the periodic portion. A timing diagram display with timing constraints indicated is also shown.

6 The RTGIL Toolset

In [25] we give a decision procedure for the propositional fragment of RTGIL based on reducing the decision problem for the logic to the emptiness problem for Timed Büchi Automata (TBA) [3]. This procedure is an extension of the decision procedure for the untimed logic GIL [24], since RTGIL is a conservative extension of GIL. To decide the satisfiability of an RTGIL formula, one first constructs an "untimed" Büchi automaton whose states are annotated with duration formulae. A duration formula is one that involves a len predicate nested in a string of interval modalities. The duration formulae provide the means to augment the automaton's states with active clock sets and its edges with clock-setting and comparison actions, required to enforce the timing restrictions. Liveness conditions are treated in the usual manner by encoding them into a set of fair (or accepting) states. The most interesting part of the construction is the manner in which the "correct" instances of interval endpoints are identified for starting clocks and comparing their values against their prescribed upper and lower bounds. The resulting automaton has the property (not true of TBAs in general) that all fair timing-consistent runs are non-zeno.^9 This is a direct consequence of the fact that every timing requirement in RTGIL has an explicit liveness requirement associated with it: the right endpoint of an interval with a timing assertion must eventually be reached.
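The bound arithmetic in the Theorem 3 step above (interval difference on Lemma 5 and Gate:safe.3 yielding len(2.5,9.5], then interval union with Lemma 8 yielding len(3.5,11.5]) and the timing-consistency check on which the emptiness test of this section rests are both instances of one computation: closing a system of difference constraints over the entry times of the states of a trace. The Python below is an added illustration and is not code from the paper or from its Lisp toolset. It assumes a finite trace over dense time, bounds written in the page's len(lo,hi] form, and takes len(1.0,2.0] as the bound that Gate:safe.3 contributes to the prefix of the interval; that value is inferred from the stated result and Figure 1, not given on the page.

```python
"""Difference-bound reasoning over a finite trace of states.

Added example, not the paper's or the toolset's code.  State k of a trace is
entered at time t_k.  A duration bound len(lo,hi] on the interval from state i
to state j is the pair of difference constraints
    t_j - t_i <= hi      (non-strict)
    t_i - t_j <  -lo     (strict)
Closing the difference-bound matrix (Floyd-Warshall) tightens every entry to
the strongest bound the constraints imply and exposes inconsistency as a
negative (or strict zero) cycle.  The "interval difference" and "interval
union" rules of the paper appear as derived bounds between pairs of states.
"""
import math

NO_BOUND = (math.inf, False)   # unconstrained difference
ZERO = (0.0, False)            # t_i - t_i <= 0


def tighter(a, b):
    """True if bound a = (value, strict) is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def add(a, b):
    """Compose two bounds along a path; strictness is contagious."""
    if math.isinf(a[0]) or math.isinf(b[0]):
        return NO_BOUND
    return (a[0] + b[0], a[1] or b[1])


def build_dbm(n_states, durations):
    """m[i][j] bounds t_j - t_i.  durations: (i, j, lo, hi) meaning len(lo,hi]."""
    m = [[NO_BOUND] * n_states for _ in range(n_states)]
    for k in range(n_states):
        m[k][k] = ZERO
        if k + 1 < n_states:
            m[k + 1][k] = ZERO       # t_k <= t_{k+1}: time does not run backwards
    for i, j, lo, hi in durations:
        if not math.isinf(hi) and tighter((hi, False), m[i][j]):
            m[i][j] = (hi, False)
        if tighter((-lo, True), m[j][i]):
            m[j][i] = (-lo, True)
    return m


def close(m):
    """Floyd-Warshall closure: every entry becomes the tightest implied bound."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add(m[i][k], m[k][j])
                if tighter(via, m[i][j]):
                    m[i][j] = via
    return m


def inconsistent(m):
    """A closed matrix is contradictory iff some t_i - t_i is forced below 0."""
    return any(tighter(m[k][k], ZERO) for k in range(len(m)))


def timing_consistent(n_states, durations):
    """Does some assignment of real times to the states satisfy every bound?"""
    return not inconsistent(close(build_dbm(n_states, durations)))


def derived_bound(n_states, durations, i, j):
    """Tightest (lo, hi) implied for the duration from state i to state j,
    or None when the constraints are contradictory."""
    m = close(build_dbm(n_states, durations))
    if inconsistent(m):
        return None
    return (-m[j][i][0], m[i][j][0])


# Constructed constraints shaped like the Theorem 3 step: states 0..2 form the
# maximal interval bounded by Lemma 5 (len(4.5,10.5]); its prefix 0..1 is the
# bound assumed here for Gate:safe.3 (len(1.0,2.0]); the following interval
# 2..3 is bounded by Lemma 8 (len(1.0,2.0]).
THEOREM3_STEP = [(0, 2, 4.5, 10.5), (0, 1, 1.0, 2.0), (2, 3, 1.0, 2.0)]


def theorem3_bounds():
    """Interval difference (states 1..2) and interval union (states 1..3)."""
    return (derived_bound(4, THEOREM3_STEP, 1, 2),
            derived_bound(4, THEOREM3_STEP, 1, 3))


if __name__ == "__main__":
    diff, union = theorem3_bounds()
    print("interval difference gives the range", diff)   # (2.5, 9.5)
    print("interval union gives the range", union)       # (3.5, 11.5)
    # A contradictory trace: the parts force the whole above 5.5, yet the
    # whole is bounded by 5.0.  This is the kind of conflict the emptiness
    # test rejects as timing-inconsistent.
    bad = [(0, 1, 1.0, 2.0), (1, 2, 4.5, 10.5), (0, 2, 3.5, 5.0)]
    print("contradictory trace consistent?", timing_consistent(3, bad))  # False
```

The strictness flag on each entry is what keeps the check sound: a bound such as len(1.0,2.0] contributes a strict lower limit, and the closure tracks that through every sum, so a cycle that forces t_i - t_i < 0 is reported as a contradiction rather than being masked by rounding every bound to a non-strict one. The ranges returned by derived_bound are the exact open lower and closed upper ends; the paper's len(a,b] notation for the same results is the sound over-approximation of them.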
For deciding the emptiness of the TBA constructed in this manner from an RTGIL formula, we use an adaptation of the timing consistency algorithms of Alur and Dill [3, 4, 11] to check if there is a fair run of the automaton that is also timing-consistent. The actual implementation of the theorem prover builds a tableau instead of the complete automaton. This method is essentially similar to the symbolic fixed point techniques used elsewhere in the literature (see for instance [16]). Our prototype implementation of the decision procedure consists of approximately 1500 lines of Lisp code. The procedure is part of a graphical proof environment, which includes a syntax-directed editor^10 for the logic and some proof management functions. More details of an earlier version of the toolset (i.e. without real-time) are given in [17].

^9 A run of a TBA is non-zeno if time always progresses beyond any bound.

^10 All the graphical formulae in this paper were produced with the editor. The counterexample display was automatically generated by the toolset from a countermodel trace generated by the decision procedure for the failed proof attempt for Theorem 3.

7 Related Work

Much work has recently been done in the realm of real-time models of concurrency as well as in real-time temporal and interval logics. Here we mention only some of the work on real-time logics for comparative purposes.

Until a few years ago, the only real-time logics known to be decidable were of the discrete time variety. An example is the Quantitative Temporal Logic of Emerson and Srinivasan [13]. However, a dense notion of time is often preferable, and sometimes unavoidable, in the specification and verification of real-time systems [3, 21]. In [6], Alur and Henzinger characterize the decidability of a range of temporal logics. They show that most of the dense real-time temporal logics in use at that time are undecidable. The satisfiability problem for their recent Timed Computation Tree Logic [16] is also undecidable (over a dense time domain), although the model-checking problem is solvable. The Metric Interval Temporal Logic (MITL) of Alur et al. [5] is a dense real-time temporal logic similar to the Metric Temporal Logic of Koymans [18]. MITL achieves decidability where MTL does not, by restricting the syntax to preclude the statement of absolute punctuality. The satisfiability problems for both MITL and RTGIL are solvable in EXPSPACE. We conjecture that MITL and RTGIL have incomparable expressive power (see [25, 26] for related discussion). However, there may be natural real-time properties which RTGIL can state more succinctly than MITL.

We believe that RTGIL offers several advantages over most other dense time logics. The visual representation of the logic, and its timing-diagram look-and-feel, might make it more readily accepted in industrial practice. The method of placing bounds on the durations of intervals, obtained by chaining states, permits a very natural specification and reasoning style. The interval construct of RTGIL allows a more convenient way of expressing complicated sequencing and nesting behaviour than do, for instance, nested untils (see [24] for some examples).^11

A direct precursor and inspiration of RTGIL is the Real-Time Interval Logic of Melliar-Smith [20].
That logic differs from RTGIL in two major ways: the presence of searches into the past and the construction of modalities that allow a point of reference to be offset by a fixed duration. It is not too difficult to show that the first construct makes RTGIL non-elementary even without real-time, and the second construct makes it undecidable on a dense domain, even without the first construct. While both these constructs might lead to more natural specifications in some cases, in most situations their use can be avoided. The undecidability, over a dense time domain, of the real-time interval logics of Narayana and Aaby [22] and of Razouk and Gorlick [27] can also be proved, by a simple adaptation of the proof of undecidability of MITL with singular intervals [5].

^11 In [24] we argue that this should not mean giving up the familiar constructs of other logics. For instance, the (timeless) until is easily defined in our logic, and so are Propositional TLA's action and priming operators. Further, the enriched logics can be decided with no essential complexity penalty [26].

The Duration Calculus [9] differs from the interval logics noted above in that it treats intervals as primitive. The calculus is well-suited to describing and reasoning about cumulative behaviour, a feature extremely useful for hybrid systems. The integral operator ∫ in that logic, for instance, allows one to bound the duration of a (fragment of a) computation for which a predicate holds. This ability to integrate over nonconvex intervals, combined with the "non-local" character of the logic, makes it very expressive. However, as shown in [10], over dense time the simplest real-time fragment of the calculus is undecidable. RTGIL should be contrasted with the more program-oriented Proof Outline Logic (POL) of Schneider [28] and with the Temporal Logic of Actions (TLA) with an explicit time variable of Lamport and Abadi [1]. These two logics are oriented towards concurrent program code verification and state-machine verification, respectively.
We believe that bounded modal operators, such as those present in RTGIL or MITL, permit more intuitive reasoning, which becomes more apparent at the higher, more abstract levels of a proof hierarchy. At the lower levels, where one is dealing directly with implementations, the TLA, POL and model-checking oriented techniques might be more appropriate. Two other very popular verification styles are based in automata theory and in higher-order logic. These lie at opposite ends of the spectrum. Automata-based specification and verification is probably the most popular "industrial-strength" method; for example, it is the chosen style in the COSPAN system of AT&T [8, 19]. The classical and higher-order logic approach to real-time usually defines a computation as a mapping from time to valuations for state variables. One axiomatizes the underlying theory of time (say dense linear-time or branching-time) in the base logic, and then freely uses quantification over time and all of the standard proof methods available in the base logic. While such an approach is, in principle, the "strongest," it requires a good working knowledge of classical logic; modal logics, on the other hand, have a few simple and "intuitive" constructs, and hide time quantification from the user.

8 Conclusion

We have presented RTGIL, an interval logic of dense real-time, and have given an example of its

use. The logic has a natural graphical representation and sufficient expressive power required for real-time reasoning. The model theory underlying the logic is state-based and the logic is invariant under finite infinitesimal stuttering. These features are expected to facilitate hierarchical abstraction and refinement-based proofs. Although the decision procedure for the logic is relatively expensive, some heuristics recently proposed for deciding the emptiness of TBAs [8] might be applicable to the logic, and may cut down the search space of the satisfiability procedure substantially. Another approach to dealing with the computational intractability of the decision problem for real-time interval logic is to allow user guidance, in the form of invoking specific inference rules at specific points of the proof. This interactive style might turn out to be the more appropriate approach, not only because most real-time logics are provably expensive, but also because, as has been recently shown [7], verification of parametric proofs can quickly become undecidable. To this end, we are currently developing a complete inference system for the logic. One would still expect to use a raw decision procedure for low-level simplification, however. A useful additional feature, which we are currently investigating, is the ability to deal with assertions in specialized decidable (non-temporal) theories and decide their consistency by coupled decision procedures for these theories. This might allow the user to reason, for instance, with functions and equality, or use simple Presburger arithmetic, within correctness proofs using temporal logic.

References

[1] Abadi M, Lamport L, An Old-Fashioned Recipe for Real-Time, Proc REX Workshop "Real-Time: Theory in Practice," 1991, LNCS 600, 1-27.
[2] Abadi M, Lamport L, Wolper P, Realizable and Unrealizable Specifications of Reactive Systems, Proc 16th ICALP, 1989, LNCS 372, 1-17.
[3] Alur R, Dill D, Automata for Modelling Real-Time Systems, Proc 17th ICALP, 1990, LNCS 443, 322-335.
[4] Alur R, Courcoubetis C, Dill D, Halbwachs N, Wong-Toi H, An Implementation of Three Algorithms for Timing Verification Based on Automata Emptiness, Proc 13th RTSS, 1992, 157-166.
[5] Alur R, Feder T, Henzinger T, The Benefits of Relaxing Punctuality, Proc 10th PODC, 1991, 139-152.
[6] Alur R, Henzinger T, Real-Time Logics: Complexity and Expressiveness, Proc 5th LICS, 1990, 390-401.
[7] Alur R, Henzinger T, Vardi M Y, Parametric Real-Time Reasoning, Proc 25th STOC, 1993, ???.
[8] Alur R, Itai A, Kurshan R P, Yannakakis M, Timing Verification by Successive Approximation, Proc 4th CAV, 1992, LNCS ???, ???.
[9] Chaochen Z, Hoare C A R, Ravn A P, A Calculus of Durations, Inf Proc Let 40(5), 1991, 269-276.
[10] Chaochen Z, Hansen M R, Sestoft P, Decidability and Undecidability Results for the Duration Calculus, Proc 10th STACS, 1993.
[11] Dill D L, Timing Assumptions and Verification of Finite-State Concurrent Systems, Proc Workshop on Automatic Verification Methods for Finite State Systems, 1989, LNCS 407, 196-212.
[12] Dillon L K, Kutty G, Moser L E, Melliar-Smith P M, Ramakrishna Y S, Graphical Specifications for Concurrent Software Systems, Proc 14th ICSE, 1992, 214-224.
[13] Emerson E A, Mok A, Sistla A P, Srinivasan J, Quantitative Temporal Reasoning, Proc 1st CAV, 1990, LNCS 531, 136-145.
[14] Halpern J, Manna Z, Moszkowski B, A Hardware Semantics Based on Temporal Intervals, Proc 10th ICALP, 1983, LNCS 154, 278-291.
[15] Halpern J, Shoham Y, A Propositional Modal Logic of Time Intervals, J ACM 38(4), 1991, 935-962.
[16] Henzinger T A, Nicollin X, Sifakis J, Yovine S, Symbolic Model-Checking for Real-Time Systems, Proc 7th LICS, 1992, 394-406.
[17] Kutty G, Ramakrishna Y S, Moser L E, Dillon L K, Melliar-Smith P M, A Graphical Interval Logic Toolset for Verifying Concurrent Systems, Proc 4th CAV, 1993, LNCS ???, ???.
[18] Koymans R, Specifying Real-Time Properties with Metric Temporal Logic, Real-Time Systems 2(4), 1990, 255-299.
[19] Kurshan R, Analysis of Discrete Event Coordination, LNCS 430, 1990, 414-453.
[20] Melliar-Smith P M, Extending Interval Logic to Real-Time Systems, Proc Conf Temporal Logic in Specification, 1987, LNCS 398, 224-242.
[21] Maler O, Manna Z, Pnueli A, From Timed to Hybrid Systems, Proc REX Workshop "Real-Time: Theory in Practice," 1991, LNCS 600, 447-484.
[22] Narayana K T, Aaby A A, Specification of Real-Time Systems in Real-Time Temporal Interval Logic, Proc 9th RTSS, 1988, 86-95.
[23] Pnueli A, In Transition from Global to Modular Reasoning about Concurrent Programs, in Apt K R (ed), Logics and Models of Concurrent Systems, Springer, 1984.
[24] Ramakrishna Y S, Dillon L K, Moser L E, Melliar-Smith P M, Kutty G, An Automata-Theoretic Decision Procedure for Future Interval Logic, Proc 12th FST&TCS, 1992, LNCS 652, 51-67.
[25] Ramakrishna Y S, Dillon L K, Moser L E, Melliar-Smith P M, Kutty G, A Real-Time Interval Logic and Its Decision Procedure, Proc 13th FST&TCS, 1993, LNCS, to appear.

[26] Ramakrishna Y S, Interval Logics for Temporal Specification and Verification, PhD Dissertation, Dept of Electrical and Computer Engineering, University of California, Santa Barbara, 1993, to appear.
[27] Razouk R R, Gorlick M M, A Real-Time Interval Logic for Reasoning About Executions of Real-Time Programs, Proc 3rd TAV, SIGSOFT SE Notes 114 (3), 1989, 10-19.
[28] Schneider B, Bloom B, Marzullo K, Putting Time into Proof Outlines, Proc REX Workshop "Real-Time: Theory in Practice," 1991, LNCS 600, 618-639.

A Proof Structure

The intermediate lemmas used in the proofs of Theorems 2 and 3 are listed below. Also given is a proof tree that represents the use of these lemmas and of the specification axioms for Theorems 2 and 3.

A.1 Lemmas

[The graphical statements of Lemmas 1 to 8 are not recoverable from this extraction. The duration bounds that survive from the figure are len(5.0,10.0], len(5.0,inf), len(0.0,0.5], len(0.0,0.5], len(4.5,10.5], len(4.5,inf), len(1.0,2.0] and len(1.0,2.0].]

A.2 Theorems

Theorem 1: Untimed Safety Theorem (of the main body of the paper).
Theorem 2: Timed Safety Theorem.
Theorem 3: Mixed Requirement Theorem.

[Figure 3: Proof tree for Theorems 2 and 3. Root: Theorems 2 & 3. Internal nodes: Lemmas 5 & 6, Lemmas 7 & 8, Lemmas 3 & 4, Lemma 1, Lemma 2. Leaves (specification axioms): Train.Init, Train.Near, Train.Cross, Train.Sep, Ctlr.Init, Ctlr.Safe, Ctlr.Live, Gate.init, Gate.safe, Gate.live.]

A.3 Proof Tree

Figure 3 shows the proof tree for Theorems 2 and 3. Note that the proofs of Lemmas 3 and 4 are analogous to the proofs of Lemmas 7 and 8, as are the proofs of Lemmas 5 and 6 to the proofs of Theorems 2 and 3. This is not a mere coincidence, but a result of the fact that the specifications of the controller and the gate are analogous modulo timing constants. As we mentioned before, the need for the intermediate lemmas arises in our example due to the memory limitations of the implementation of the theorem prover. Since the specifications and properties are purely propositional, one could, in principle, prove all the theorems in one shot from the conjunction of the specifications appearing in the leaves of the proof tree (the conclusions appear at the root).
The proof of Theorem 1 may be done in a similar fashion, after proving a few preliminary lemmas, but is omitted for lack of space.