Zhou Chaochen, Michael R. Hansen
Duration Calculus: A Formal Approach to Real-Time Systems
With 20 Figures
Springer: Berlin, Heidelberg, New York, Hong Kong, London, Milan, Paris
Authors

Prof. Zhou Chaochen
Chinese Academy of Sciences, Institute of Software, South Fourth Street 4, Zhong Guan Cun, 100080 Beijing, China
[email protected]

Assoc. Prof. Dr. Michael R. Hansen
Informatics and Mathematical Modelling, Technical University of Denmark, Building 321, 2800 Lyngby, Denmark
[email protected]

Series Editors

Prof. Dr. Wilfried Brauer
Institut für Informatik der TUM, Boltzmannstr. 3, 85748 Garching, Germany
[email protected]

Prof. Dr. Grzegorz Rozenberg
Leiden Institute of Advanced Computer Science, University of Leiden, Niels Bohrweg 1, 2333 CA Leiden, The Netherlands
[email protected]

Prof. Dr. Arto Salomaa
Turku Centre for Computer Science, Lemminkäisenkatu 14A, 20520 Turku, Finland
[email protected]

Library of Congress Cataloging-in-Publication Data
Zhou Chaochen, 1937-
Duration calculus: a formal approach to real-time systems / Zhou Chaochen, M. R. Hansen.
p. cm. - (EATCS monographs on theoretical computer science)
Includes bibliographical references and index.
ISBN 3-540-40823-1 (acid-free paper)
1. Real-time data processing. 2. Formal methods (Computer science) 3. Mathematics-Data processing.
I. Hansen, Michael R., 1956- II. Title. III. Series.
QA76.54.H37 2004 005.2'73-dc22 2003066406

Preface
Duration calculus (abbreviated to DC) represents a logical approach to the formal design of real-time systems. In DC, real numbers are used to model time, and Boolean-valued (i.e. {0, 1}-valued) functions over time are used to model states of real-time systems. The duration of a state in a time interval is the accumulated presence time of the state in the interval. DC extends interval logic to a calculus that can be used to specify and reason about properties of state durations. Research on DC began during the ProCoS project (ESPRIT BRA 3104), when the project was investigating formal techniques for designing safety-critical real-time systems. In a project case study of a gas burner system, it was realized that state duration was useful for specifying the real-time behavior of computing systems. A research program on state duration was therefore initiated by the project in 1990. The first paper on DC was published in 1991. Since then, research on DC has covered the development of logical calculi, their applications and mechanical support tools. The success of DC has also stimulated similar research on other formal approaches. The aim of this book is to present DC in a systematic and coherent way.
$GbReq \triangleq (\ell \geq 60) \Rightarrow (20\int Leak \leq \ell)$,

where 60 stands for 60 seconds. (Henceforth we choose the second as the time

1.2.2 Interval Modalities

The set of intervals Intv is the semantic domain of interval logic.

The dual of $\Diamond$ is $\Box$, which is defined as

$\Box\varphi \triangleq \neg\Diamond\neg\varphi$.

$[b, e]$ satisfies $\Box\varphi$ iff any subinterval of $[b, e]$ satisfies $\varphi$. With $\Box$, one can formulate the first design decision for the gas burner, that any leak in the guarantee period of the gas burner must be stoppable

Hence,

To prove the correctness of the two design decisions is therefore to prove the validity of the formula

$(Des_1 \wedge Des_2) \Rightarrow GbReq$.

In fact, the subinterval modality $\Diamond$ can be derived from the chop modality, since

With $\Diamond_r$, one can specify properties related to future time, such as liveness and fairness properties of computing systems. That is, an interval satisfies $\Diamond_r\varphi$ iff any right neighborhood of the ending point of the interval satisfies $\varphi$. Consider the example of the gas burner. Let HeatReq be a state to characterize a request for heat from the gas burner. The formula
2. Interval Logic

Abbreviations and Conventions

The following abbreviations will be used:

$\Diamond\varphi \triangleq true \frown (\varphi \frown true)$,
$\Box\varphi \triangleq \neg\Diamond(\neg\varphi)$.

The following conventions for quantifiers will be used:

$\exists x > 0.\varphi \triangleq (\exists x)(x > 0 \wedge \varphi)$, and similarly for the other relation symbols,
$\forall x > 0.\varphi \triangleq (\forall x)(x > 0 \Rightarrow \varphi)$, and similarly for the other relation symbols,
$\forall x_1, x_2, \ldots, x_n.\varphi \triangleq (\forall x_1)(\forall x_2) \cdots (\forall x_n)\varphi$,
$\exists x_1, x_2, \ldots, x_n.\varphi \triangleq (\exists x_1)(\exists x_2) \cdots (\exists x_n)\varphi$.

2.2 Semantics

The meanings of terms and formulas are explained in this section. The propositional connectives are assumed to have their standard meanings. In particular, tt and ff are associated with "true" and "false", respectively, i.e. $true \triangleq tt$ and $false \triangleq ff$. We assume that a total function $f^n \in \mathbb{R}^n \to \mathbb{R}$ is associated with each n-ary function symbol $f^n$, and a total function $G^n \in \mathbb{R}^n \to \{tt, ff\}$ with each n-ary relation symbol $G^n$. The meanings of global variables are given by a value assignment $\mathcal{V}$, which is a function associating a real number with each global variable:

$\mathcal{V} \in GVar \to \mathbb{R}$.

Two value assignments $\mathcal{V}, \mathcal{V}' \in Val$ are called x-equivalent if $\mathcal{V}(y) = \mathcal{V}'(y)$ for every global variable y which is different from x. Remember that Intv stands for the set of all bounded and closed intervals of real numbers:

$Intv \triangleq \{[b, e] \mid b, e \in \mathbb{R} \wedge b \leq e\}$.

The meanings of temporal variables and propositional letters, i.e. the "interval-dependent symbols", are given by an interpretation $\mathcal{J}$, where $\mathcal{J}(v) \in Intv \to \mathbb{R}$ for each temporal variable v and $\mathcal{J}(X) \in Intv \to \{tt, ff\}$ for each propositional letter X.

The meaning of a term $\theta$ is a function

$\mathcal{J}\llbracket\theta\rrbracket \in (Val \times Intv) \to \mathbb{R}$,

defined inductively on the structure of terms, and the meaning of a formula $\varphi$ is a function

$\mathcal{J}\llbracket\varphi\rrbracket \in (Val \times Intv) \to \{tt, ff\}$.

2.3 Proof System

The proof system of IL that we adopt here is called S' in [28]. To formulate the axioms and inference rules, we need the standard notions of free (global) variables. A term or formula is called flexible if a temporal variable including the symbol $\ell$ or a propositional letter occurs in the term or formula. A term or formula which is not flexible is called rigid. Note that a rigid formula may include the chop modality. For example, the formula $((x > 0) \frown true)$ is rigid. The axioms of IL are:

A0 $\ell \geq 0$.
A1 $((\varphi \frown \psi) \wedge \neg(\varphi \frown \chi)) \Rightarrow (\varphi \frown (\psi \wedge \neg\chi))$,
   $((\varphi \frown \psi) \wedge \neg(\chi \frown \psi)) \Rightarrow ((\varphi \wedge \neg\chi) \frown \psi)$.
A2 $((\varphi \frown \psi) \frown \chi) \Leftrightarrow (\varphi \frown (\psi \frown \chi))$.
E $((\exists x.\varphi) \frown \psi) \Rightarrow \exists x.(\varphi \frown \psi)$, if x is not free in $\psi$,
   $(\varphi \frown (\exists x.\psi)) \Rightarrow \exists x.(\varphi \frown \psi)$, if x is not free in $\varphi$.

The inference rules of IL are:

MP if $\varphi$ and $\varphi \Rightarrow \psi$ then $\psi$.
G if $\varphi$ then $(\forall x)\varphi$.
N if $\varphi$ then $\neg(\neg\varphi \frown \psi)$ and $\neg(\psi \frown \neg\varphi)$.
M if $\varphi \Rightarrow \psi$ then $(\varphi \frown \chi) \Rightarrow (\psi \frown \chi)$ and $(\chi \frown \varphi) \Rightarrow (\chi \frown \psi)$.

The inference rule MP is called "modus ponens". The inference rule G is taken from first-order logic and is called "generalization". The inference rules N and M are the necessity and monotonicity rules for chop.

Predicate Logic. The proof system also contains axioms of first-order predicate logic with equality. Any axiomatic basis can be chosen. Special care must, however, be taken when universally quantified formulas are instantiated and when an existential quantifier is introduced. A term $\theta$ is called free for x in $\varphi$ if x does not occur freely in $\varphi$ within the scope of $\exists y$ or $\forall y$, where y is any variable occurring in $\theta$. Furthermore, a formula is called chop free if $\frown$ does not occur in the formula. We first illustrate by simple examples why side-conditions are needed in the axiom schemas for the quantifiers. For example, the term y is free for x in $(\exists z)(z > x)$, whereas y is not free for x in $(\exists y)(y > x)$. These two formulas are both valid. Instantiation of x with y in the first formula yields $(\exists z)(z > y)$, which is a valid formula. However, instantiation of x with y in the second formula yields $(\exists y)(y > y)$, which is not valid. Furthermore, consider the following universally quantified and valid formula:

$(\forall x)(((\ell = x) \frown (\ell = x)) \Rightarrow (\ell = 2x))$

Instantiation of x with $\ell$ yields

$((\ell = \ell) \frown (\ell = \ell)) \Rightarrow (\ell = 2\ell)$,

which is not valid.

We write

to denote that there exists a proof of $\varphi$ in IL, and we call $\varphi$ a theorem of IL in this case. A deduction of $\varphi$ in IL from a set of formulas $\Gamma$ is a sequence of formulas $\varphi_1 \ldots \varphi_n$, where $\varphi_n$ is $\varphi$, and each $\varphi_i$ is either a member of $\Gamma$, an instance of one of the above axiom schemas or obtained by applying one of the above inference rules to previous members of the sequence. We write
By the induction hypothesis, there is a deduction of $\Box\varphi \Rightarrow \psi_1$ from $\Gamma$. A deduction of $\Box\varphi \Rightarrow \neg(\neg\psi_1 \frown \chi)$ from $\Gamma$ can be given as follows:

Case G: $\varphi$ has the form $(\forall x)\psi_1$, and the deduction from $\Gamma \cup \{\varphi\}$ has the form

where x does not occur freely in

Case M: We give only a proof of the first rule of M. The second rule can be derived similarly. Let $\varphi$ have the form $(\psi_1 \frown \chi) \Rightarrow (\psi_2 \frown \chi)$, and the deduction from $\Gamma \cup \{\varphi\}$ have the form

By the induction hypothesis, there is a deduction of $\Box\varphi \Rightarrow (\psi_1 \Rightarrow \psi_2)$ from $\Gamma$. A deduction
Having introduced the variables $(x_i, y_i, z_1, z_2)$ for durations and lengths, we can write the main part of the proof as

The introduction and elimination of variables, as done in the steps 1., 2., 3. and 5. above, have an archetypical form. Usually, we shall omit these steps in proofs and thereby just focus on the main part. □

Proof. From DCA4 and DCA3, we derive

Proof. The direction $\int(S_1 \wedge S_2)$

using DCA4, DC6 and the definition of $\lceil\,\rceil$. For the other direction, using L2 we can chop the interval into two subintervals. Assuming arbitrary values for $\int S$ over the two subintervals, we can apply DCA5 and DC6 to conclude the result. Therefore we complete the proof. □

As a corollary of DC16, we can establish

DC17

With DC29, we can establish DC30 and DC31 by the reversal of DC5 and then the generalization of DC15, where z will be the only possible case.

DC30

DC31
The formulas $Sch_1$ and $Sch_2$ together specify that at any time, one of the most urgent processes with a standing request must be running. Therefore, the deadline-driven scheduler can be specified as follows:

$Sch \triangleq Urgent \wedge Sch_1 \wedge Sch_2$.

4.2 Liu and Layland's Theorem

The theorem of Liu and Layland has two parts. One part is the necessity of the condition $(\sum_{i=1}^{n} C_i/T_i \leq 1)$ for the correctness of the scheduler. The other part is the sufficiency of this condition for the correctness.

Necessity

Consider the formula

$(ShP \wedge PrR \wedge Sch \wedge Run) \Rightarrow (\sum_{i=1}^{n} C_i/T_i \leq 1)$

Sufficiency

This part is the difficult part of the proof of Liu and Layland's theorem. Before giving this proof, we establish some further lemmas. The first lemma expresses the fact that, for a given subset $B \subseteq \alpha$, if an interval can be chopped into two parts such that

1. the run time of any process $p_i$ with $i \in B$ reaches $\lceil \ell/T_i \rceil \cdot C_i$ in the first interval, and
2. the accumulated run time of processes in B in the second interval equals the length of the interval,

then the sum of the accumulated run time for the processes in B will be no less than $\sum_{i \in B} \lceil \ell/T_i \rceil \cdot C_i$, provided $(\sum_{i \in B} C_i/T_i \leq 1)$.

Lemma 4.11

Lemma 4.12 For any $B \subseteq \alpha$:
The encoding of M uses the following state variables:

• one state variable $Q_i$ for each label $q_i$,
• two state variables $C_1$ and $C_2$ to represent the counter values, and
• two auxiliary state variables B and L, used as delimiters.

The main idea is that a machine configuration $(q_i, n_1, n_2)$ is encoded on an interval of length 4r as follows:

[figure: the configuration is laid out on an interval of length 4r, with sections for $Q_i$, the delimiter L and the counter values $val_1$ and $val_2$]

where $val_j$ represents the value of counter $c_j$. This is done so that the nth configuration of a computation occupies the interval $[4nr, 4(n+1)r]$, $n \geq 0$. The value $val_j$ is represented by

$\lceil B\rceil \frown \lceil C_j\rceil \frown \lceil B\rceil \frown \cdots \frown \lceil B\rceil \frown \lceil C_j\rceil \frown \lceil B\rceil$

with $n_j$ sections of $C_j$ separated by B. Since this interval is required to have a length r, and since there is no bound on the counter value, the time length of each $C_j$ (and B) section must be arbitrarily small. The denseness of the time domain makes this representation possible. This representation was inspired by [3]. The reduction must formalize the computation of M as a formula in RDC1(r). In particular, we must construct a formula representing the initial configuration and a formula expressing how the (n + 1)th configuration relates to the nth configuration in the computation. To do so, the following abbreviations of formulas in RDC1(r) are useful:
Fig. 8.3. Linear programming problem (constraints include $(t_1 + t_2 + t_3) \geq 60$)

• If the maximal value of the objective function is less than or equal to 0, then the sequence satisfies the linear duration invariant.
• If the maximal value of the objective function is positive, then the linear duration invariant is violated by the sequence.

In the following, we investigate how to check the truth of the linear duration invariant representing the simplified requirement of the gas burner,

$60 \leq \ell \Rightarrow (19\int Leak - \int NonLeak \leq 0)$,

with respect to all timed sequences of transitions of the gas burner automaton. First, let us fix an untimed transition sequence. Note that infinitely many timed sequences may be obtained from a given untimed sequence. An untimed sequence of transitions of a real-time automaton satisfies a linear duration invariant iff all timed sequences of the automaton obtained from the untimed sequence satisfy the invariant. Consider the problem in Fig. 8.2. Is the linear duration invariant

$60 \leq \ell \Rightarrow (19\int Leak - \int NonLeak \leq 0)$
Theorem 8.4 If $low(p_1) = 0$ and

Corollary 8.1 If $low(p_i) = 0$ $(i = 1, 2, \ldots$

be a timed sequence of $p_1 p_1$. According to the definition of a real-time automaton given in Sect. 8.2, $up(p_1) > 0$. We define

where $k \triangleq \lfloor t_2 / up(p_1) \rfloor$ and $\delta \triangleq t_2 - k \cdot up(p_1)$,

to demonstrate a proof of the other half of the equivalence. Let

$\ell_{min} \triangleq \sum_i low(p_i)$

be the shortest time period which Seq covers. We can also obtain from Seq a timed sequence

$TSeq_{max} \triangleq (p_1, t_1)(p_2, t_2) \cdots (p_m, t_m)$,

where

$t_i \triangleq up(p_i)$ if $c_i > 0$, and $t_i \triangleq low(p_i)$ otherwise.

Theorem 8.5 If $\ell_{min} > 0$ and $TSeq_{max}(LF) > 0$, then for any regular context C(X) containing an occurrence of X, $C(Seq^*)$ violates LDI.

Proof. Since X occurs in C(X), there is an untimed sequence

$p_{j_1} \cdots p_{j_k}\; Seq^i\; p_{l_1} \cdots p_{l_m}$

in $C(Seq^i)$, for any $i \geq 0$, with a corresponding timed sequence $TSeq_C(i)$ of the form

$TSeq_1\; TSeq_{max}^i\; TSeq_2$,

where $TSeq_1$ is a timed sequence for $p_{j_1} \cdots p_{j_k}$ and $TSeq_2$ is a timed sequence for $p_{l_1} \cdots p_{l_m}$. The value of the linear function for $TSeq_C(i)$ is

$TSeq_1(LF) + i \cdot TSeq_{max}(LF) + TSeq_2(LF)$.

Since $TSeq_{max}(LF) > 0$, the value of $TSeq_C(i)(LF)$ is a strictly monotonically increasing function of i. Let

8.4.2 Closure Properties of Normal Forms

We now investigate closure properties of normal forms with respect to a given linear duration invariant LDI. The proofs of the closure properties are constructive, and they constitute the main parts of the algorithm for the derivation of a normal form for a regular expression over the alphabet T.

Theorem 8.7 The regular expressions $\emptyset$, $\varepsilon$ and $p \in T$ are in normal form.

Proof. This follows directly from the definition of a normal form. □

Theorem 8.8 Normal forms are

Theorem 8.9 If $L_1, L_2 \in T^*$ are in normal form, then there is a normal form equivalent to $L_1 L_2$.

Proof. Since $L_1$ and $L_2$ are in normal form, we have

$L_i = \bigcup_{j=1}^{m_i} L_{ij}$ $(i = 1, 2)$,

where each $L_{ij}$ is either a finite term or an infinite term. By distributing the concatenation over the union, we can transform $L_1 L_2$ to an equivalent regular expression

$\bigcup_{j=1}^{m_1} \bigcup_{k=1}^{m_2} L_{1j} L_{2k}$,

where $L_{ij}$ (for $1 \leq$

Case a: (for some

$\ell_{min} > 0$ and $TSeq_{max}(LF) > 0$. By Theorem 8.5, for any regular context C(X), $C(L_i)$ violates LDI. So does $L^*$.

Case c: $\ell_{min} > 0$ and $TSeq_{max}(LF) \leq 0$. By Theorem 8.6, we can transform $L_i$ into an equivalent concatenation of finite terms.

2. $L_i = p_1 p_2 \cdots p_m\, p^*$ is an infinite term. Let $Seq \triangleq p_1 p_2 \cdots$ be a finite term. By Theorem 8.2(3),

Theorem 8.1 demonstrates how to transform the satisfaction of LDI for a finite term into a linear programming problem. Here we show how to transform the satisfaction problem for an infinite term into a linear programming problem.
specifies an inertial delay $\delta > 0$ of the output rising signal of the NOR circuit. Namely, an input rising signal will not be propagated to the output wire unless the inputs are stable for $\delta$ time units. Similarly, we can specify the transmission and inertial delays of the falling signals of the circuit by the formulas

The interval modalities can be expressed with the neighborhood modalities as follows:

1. $\langle A\rangle\varphi \Leftrightarrow \Diamond_r((\ell > 0) \wedge \varphi)$, where $(\ell > 0)$ guarantees that the right expansion is a nonpoint interval.
2. $\langle \bar{A}\rangle\varphi \Leftrightarrow \Diamond_l((\ell > 0) \wedge \varphi)$, where $(\ell > 0)$ guarantees that the left expansion is a nonpoint interval.
3. $\langle B\rangle\varphi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l\Diamond_r((\ell < x) \wedge \varphi))$, where $\Diamond_l\Diamond_r$ defines an interval that has the same beginning point as the original interval, and $(\ell < x)$ stipulates that the defined interval is a strict subinterval of the original interval.
4. $\langle \bar{B}\rangle\varphi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l\Diamond_r((\ell > x) \wedge \varphi))$. This equivalence is similar to that for $\langle B\rangle\varphi$, except that $(\ell > x)$ is used to stipulate a strict superinterval of the original interval.
5. $\langle E\rangle\varphi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r\Diamond_l((\ell < x) \wedge \varphi))$. This equivalence is similar to that for $\langle B\rangle\varphi$, except that here $\Diamond_r\Diamond_l$ defines an interval that has the same ending point as the original interval.
6. $\langle \bar{E}\rangle\varphi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r\Diamond_l((\ell > x) \wedge \varphi))$. This equivalence is similar to that for $\langle E\rangle\varphi$, except that $(\ell > x)$ is used to stipulate a strict superinterval of the original interval.
7. $(\varphi \frown \psi) \Leftrightarrow \exists x, y.((\ell = x + y) \wedge \Diamond_l\Diamond_r((\ell = x) \wedge \varphi \wedge \Diamond_r((\ell = y) \wedge \psi)))$, where $(\ell = x + y)$ stipulates that the two consecutive right expansions of lengths x and y exactly cover the original interval.
8. $(\varphi\,T\,\psi) \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_l((\ell = y) \wedge \varphi \wedge \Diamond_l\Diamond_r((\ell = x + y) \wedge \psi)))$, where $(\ell = x + y)$ guarantees that the left expansion exactly covers the original interval and its left expansion.
9. $(\varphi\,D\,\psi) \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_r((\ell = y) \wedge \varphi \wedge \Diamond_r\Diamond_l((\ell = x + y) \wedge \psi)))$, where $(\ell = x + y)$ guarantees that the right expansion exactly covers the original interval and its right expansion.

11.4 Proof System

11.4.1 Axioms and Rules

To formulate the axioms and inference rules, we need the notions of flexible and rigid terms and formulas, as introduced for IL. A term is called "flexible" if it contains temporal variables or $\ell$. A formula is called "flexible" if it contains flexible terms or propositional letters. A term or formula is called "rigid" if it is not flexible. The axiom schemas of NL are (where $\Diamond$ stands for either $\Diamond_l$ or $\Diamond_r$):

NLA1

• Rigid formulas are not connected to intervals:
NLA2 $\Diamond\varphi \Rightarrow \varphi$, provided $\varphi$ is rigid.

• A neighborhood can be of arbitrary length:
NLA3 $x \geq 0 \Rightarrow \Diamond(\ell = x)$.

• Neighborhood modalities can be distributed over disjunction and the existential quantifier:
NLA4 $\Diamond(\varphi \vee \psi) \Rightarrow (\Diamond\varphi \vee \Diamond\psi)$,
     $\Diamond\exists x.\varphi \Rightarrow \exists x.\Diamond\varphi$.

• A neighborhood is determined by its length:
NLA5 $\Diamond((\ell = x) \wedge \varphi) \Rightarrow \Box((\ell = x) \Rightarrow \varphi)$.

• Left and right neighborhoods of an interval always end and start, respectively, at the same point:
NLA6

• Two consecutive left or right expansions can be replaced by a single left or right expansion, if the latter expansion has a length equal to the sum of the lengths of the two former expansions:
NLA7 $(x \geq 0 \wedge y \geq 0) \Rightarrow (\Diamond((\ell = x) \wedge \Diamond((\ell = y) \wedge \Diamond\varphi)) \Leftrightarrow \Diamond((\ell = x + y) \wedge \Diamond\varphi))$.

Q1 $\forall x.\varphi(x) \Rightarrow \varphi(\theta)$
Q2 $\varphi(\theta) \Rightarrow \exists x.\varphi(x)$

where a formula is called modality free if it contains neither $\Diamond_l$ nor $\Diamond_r$. The proof system also has to include a first-order theory for the time and value domain, i.e. a first-order theory of real arithmetic. We shall discuss this issue in Sect. 11.5 with regard to the completeness of IL and NL. The notions of proof, theorem and deduction are defined as for IL. The soundness of the NL proof system can be established by proving the soundness of every axiom and rule. In [93], NL is encoded in PVS and the soundness of NL proved.

The inference rules are NLM (monotonicity: if $\varphi \Rightarrow \psi$ then $\Diamond\varphi \Rightarrow \Diamond\psi$), necessity, MP (modus ponens) and G (generalization). The monotonicity and necessity rules are taken from modal logic, and the modus ponens and generalization rules are taken from first-order predicate logic.

We list and sketch proofs of a set of theorems which can help in understanding the calculus.

The first deduction to be derived is the monotonicity of $\Box$:

NL1 If $\varphi \Rightarrow \psi$ then $\Box\varphi \Rightarrow \Box\psi$.

Proof. By NLM and the definition of $\Box$. □

NL2 $\Diamond true$, $\neg\Diamond false$.

Proof. Note that a reference interval is neither a left nor a right neighborhood of itself when its length is nonzero. That is, $\Diamond_l$ and $\Diamond_r$ are not reflexive, and $\varphi \Rightarrow \Diamond\varphi$ is not valid for an arbitrary formula $\varphi$. So the proof of the first part is a little tricky:

1. $0 \geq 0 \Rightarrow \Diamond(\ell = 0)$    NLA3
2. $\Diamond(\ell = 0)$    1., MP
3. $\Diamond true$    2., NLM

The second part of NL2 is an instance of NLA2. □

The following theorem proves the truth of the inverse of NLA4.

NL3 $(\Diamond\varphi \vee \Diamond\psi) \Rightarrow \Diamond(\varphi \vee \psi)$, $\exists x.\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi$.

Proof. Proof of the first part:

1. $\varphi \Rightarrow (\varphi \vee \psi)$    PL
2. $\Diamond\varphi \Rightarrow \Diamond(\varphi \vee \psi)$    1., NLM
3. $\psi \Rightarrow (\varphi \vee \psi)$    PL
4. $\Diamond\psi \Rightarrow \Diamond(\varphi \vee \psi)$    3., NLM
5. $(\Diamond\varphi \vee \Diamond\psi) \Rightarrow \Diamond(\varphi \vee \psi)$    2., 4., PL.

Proof of the second part:

1. $\varphi \Rightarrow \exists x.\varphi$    PL
2. $\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi$    1., NLM
3. $\forall x.(\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi)$    2., G
4. $\forall x.(\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi) \Rightarrow (\exists x.\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi)$    PL, x is not free in $\Diamond\exists x.\varphi$
5. $\exists x.\Diamond\varphi \Rightarrow \Diamond\exists x.\varphi$    3., 4., MP. □

NL4 $\Box\varphi \Rightarrow \Diamond\varphi$, $(\Diamond\varphi \wedge \Box\psi) \Rightarrow \Diamond(\varphi \wedge \psi)$, $(\Box\varphi \wedge \Box\psi) \Leftrightarrow \Box(\varphi \wedge \psi)$.

Proof. We present proofs of the first two parts only. Proof of the first part:

$\Box\varphi$
$\Rightarrow \Diamond(\varphi \vee \neg\varphi)$    NL2, PL
$\Rightarrow \Diamond\varphi \vee \Diamond\neg\varphi$    NLA4
$\Rightarrow \Diamond\varphi$    Def($\Box$), PL.

Proof of the second part:

$(\Diamond\varphi \wedge \Box\psi)$
$\Rightarrow \Diamond((\varphi \wedge \psi) \vee (\varphi \wedge \neg\psi)) \wedge \Box\psi$    PL, NLM
$\Rightarrow (\Diamond(\varphi \wedge \psi) \vee \Diamond(\varphi \wedge \neg\psi)) \wedge \Box\psi$    NLA4
$\Rightarrow (\Diamond(\varphi \wedge \psi) \wedge \Box\psi) \vee (\Diamond\neg\psi \wedge \Box\psi)$    PL, NLM
$\Rightarrow \Diamond(\varphi \wedge \psi)$    PL, Def($\Box$). □

NL5

From NLA6 and NLA7, we can derive more properties of combinations of $\Diamond_l$, $\Diamond_r$ and their duals:

NL6

Proof. The proofs of these theorems are similar to those for NL5, and are omitted here. □
Given $\mathcal{A}$, a set $\mathbb{D}$ is called an $\mathcal{A}$-set if the function symbols and the relation symbols of IL or NL are defined over $\mathbb{D}$ and satisfy $\mathcal{A}$. When an $\mathcal{A}$-set $\mathbb{D}$ is chosen as a time and value domain of IL or NL, we denote the set of time intervals of $\mathbb{D}$ by $Intv_{\mathbb{D}}$, denote a value assignment from global variables to $\mathbb{D}$ by $\mathcal{V}_{\mathbb{D}}$, and denote an interpretation with respect to $\mathbb{D}$ by $\mathcal{J}_{\mathbb{D}}$:

• $Intv_{\mathbb{D}} \triangleq \{[b, e] \mid b, e \in \mathbb{D} \wedge b \leq e\}$,
• $\mathcal{V}_{\mathbb{D}} : GVar \to \mathbb{D}$,
• $\mathcal{J}_{\mathbb{D}}(v) : Intv_{\mathbb{D}} \to \mathbb{D}$, for $v \in TVar$, and
• $\mathcal{J}_{\mathbb{D}}(X) : Intv_{\mathbb{D}} \to \{tt, ff\}$, for $X \in PLetter$.

D3 Axioms for +:
1. $(x + 0) = x$.
2. $(x + y) = (y + x)$.
3. $x + (y + z) = (x + y) + z$.
4. $((x + y) = (x + z)) \Rightarrow (y = z)$.

D4 Axiom for −:
$((x - y) = z) \Leftrightarrow (x = y + z)$.

interpretation $\mathcal{J}_{\mathbb{D}}$. The truth value of a formula $\varphi$ of IL or NL for the $\mathcal{A}$-model $\mathcal{M}_{\mathbb{D}}$, value assignment $\mathcal{V}_{\mathbb{D}}$ and interval $[b, e] \in Intv_{\mathbb{D}}$ is similar to the semantic definitions given in Sect. 2.2 for IL and Sect. 11.2 for NL. We write $\mathcal{M}_{\mathbb{D}}, \mathcal{V}_{\mathbb{D}}, [b, e] \models \varphi$ to denote that $\varphi$ is true for the given $\mathcal{A}$-model, value assignment and interval. Formula $\varphi$ is $\mathcal{A}$-valid (written $\models_{\mathcal{A}} \varphi$) iff $\varphi$ is true for any $\mathcal{A}$-model $\mathcal{M}_{\mathbb{D}}$, value assignment $\mathcal{V}_{\mathbb{D}}$ and interval $[b, e] \in Intv_{\mathbb{D}}$. $\varphi$ is $\mathcal{A}$-satisfiable iff $\varphi$ is true for some $\mathcal{A}$-model $\mathcal{M}_{\mathbb{D}}$, value assignment $\mathcal{V}_{\mathbb{D}}$ and interval $[b, e] \in Intv_{\mathbb{D}}$. The proof systems of IL and NL are sound and complete with respect to the $\mathcal{A}$-models. For both IL and NL, we have:

A proof of the soundness

2. On the basis of the finite variability of states, we can calculate $\int S$ over an interval of $Intv_{\mathbb{D}}$ (given an $\mathcal{A}$-set $\mathbb{D}$ and an interpretation $\mathcal{J}_{\mathbb{D}}$) by summing the lengths of the subintervals where the value of S is the constant 1 under $\mathcal{J}_{\mathbb{D}}$. Therefore, we can avoid the concept of an integral when we define the semantics of $\int S$ for an abstract domain. □

11.6 NL-Based Duration Calculus

[130].
The induction rules for this NL-based DC are restricted to formulas H(X) having a specific form. Let X be a propositional letter and $\varphi$ be a formula in which X

12. Probabilistic Duration Calculus

The formula $Des_1$ is violated in the interval comprising the first t + 1 time units if and only if $Des_1$ is violated in the first t time units or $Des_1$ holds for the first t time units but is violated in the full interval comprising the t + 1 time units:

since $Des_2$ is a constraint about the distance between two leaks, and the last t is irrelevant to this constraint. Thus, we have

since both $\lceil Leak\rceil_2$ and $\lceil Leak\rceil_1$ are regarded as a single gas leakage and have the same effect on the truth of $Des_2$. Hence, by PDC1 and PA8, we have, when $t \geq 2$, the result that

However, in DC we have the result that

$1 = \mu(\ell = 0)[0] \leq \mu(Des_2)[0] \leq 1$.

We consider the two cases in the above disjunction:

1. If $Des_2$ ends with $\lceil Leak\rceil_2$, then we can prove in DC that

Hence, by PDC1,

which establishes the second recursive case for $k_2$. We leave the base cases for $k_2$ for the reader. In [90], the recursions required to calculate $\mu(\neg Des_1)$ and $\mu(\neg Des_2)$ were derived in a more direct way by using probability matrices and the satisfaction probabilities of a set of useful DC formulas. The dependability of a communication protocol over an unreliable medium [45] was also calculated in [90].

References
1. Allen J.F. (1984) Towards a General Theory of Action and Time. Artificial Intelligence 23:123-154
2. Chetcuti-Serandio N., Fariñas del Cerro L. (2000) A Mixed Decision Method for Duration Calculus. Journal of Logic and Computation 10(6):877-895
3. Alur R., Courcoubetis C., Dill D. (1990) Model-Checking for Real-Time Systems. In: Fifth Annual IEEE Symposium on Logic in Computer Science. IEEE Press, Piscataway, NJ, 414-425
4. Alur R., Courcoubetis C., Henzinger T.A., Ho P.-H. (1993) Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems. In: Grossman R.L., Nerode A., Ravn A.P., Rischel H. (Eds.) Hybrid Systems, Lecture Notes in Computer Science 736. Springer, Berlin, Heidelberg, 209-229
5. Alur R., Dill D. (1992) The Theory of Timed Automata. In: de Bakker J.W., Huizing C., de Roever W.P., Rozenberg G. (Eds.) Real-Time: Theory in Practice. Lecture Notes in Computer Science 600. Springer, Berlin, Heidelberg, 45-73
6. Alur R., Dill D. (1994) A Theory of Timed Automata. Theoretical Computer Science 126:45-73
7. Alur R., Feder T., Henzinger T.A. (1991) The Benefits of Relaxing Punctuality. In: Tenth Annual ACM Symposium on Principles of Distributed Computing. ACM Press, New York, 139-152
8. Barua R. (2003) Completeness of a Combination of Neighbourhood Logic and Temporal Logic. Formal Aspects of Computing. To appear
9. Barua R., Roy S., Zhou C.C. (2000) Completeness of Neighbourhood Logic. Journal of Logic and Computation 10(2):271-295
10. Berry G., Gonthier G. (1992) The Esterel Synchronous Programming Language: Design, Semantics, Implementation. Science of Computer Programming 19:87-152
11. Bird R. (1976) Programs and Machines. Wiley, London
12. Braberman V.A., Dang V.H. (1998) On Checking Timed Automata for Linear Duration Invariants. In: Proceedings of the 19th IEEE Real-Time Systems Symposium. IEEE Press, Piscataway, NJ, 264-273
13. Chakravorty G., Pandya P.K. (2003) Digitizing Interval Duration Logic. In: Hunt Jr. W.A., Somenzi F. (Eds.) Computer Aided Verification (CAV 2003), Lecture Notes in Computer Science 2725. Springer, Berlin, Heidelberg, 167-179
14. Chan P., Dang V.H. (1995) Duration Calculus Specification of Scheduling for Tasks with Shared Resources. In: Kanchanasut K., Lévy J.-J. (Eds.) Asian Computing Science Conference 1995, Lecture Notes in Computer Science 1023. Springer, Berlin, Hei