UNU/IIST Report No. 163 (R)

Completeness and Decidability of a Fragment of Duration Calculus with Iteration

Dang Van Hung and Dimitar P. Guelev

April 1999

UNU/IIST and UNU/IIST Reports

UNU/IIST is a Research and Training Center of the United Nations University. It was founded in 1992 and is located in Macau. UNU/IIST is jointly funded by the Governor of Macau and the Governments of China and Portugal through contributions to the UNU Endowment Fund.

The mission of UNU/IIST is to assist developing countries in the application and development of software technology. UNU/IIST contributes through its programmatic activities:

1. advanced development projects, in which software techniques supported by tools are applied,
2. research projects, in which new techniques for software development are investigated,
3. curriculum development projects, in which courses on software technology for universities in developing countries are developed,
4. courses, which typically teach advanced software development techniques,
5. events, in which conferences and workshops are organised or supported by UNU/IIST, and
6. dissemination, in which UNU/IIST regularly distributes to developing countries information on international progress in software technology.

Fellows, who are young scientists and engineers from developing countries, are invited to actively participate in all these projects. By doing the projects they are trained. At present, the technical focus of UNU/IIST is on formal methods for software development. UNU/IIST is an internationally recognised center in the area of formal methods. However, no software technique is universally applicable. We are prepared to choose complementary techniques for our projects, if necessary.

UNU/IIST produces a report series. Reports are either Research (R), Technical (T), Compendia (C) or Administrative (A). They are records of UNU/IIST activities and research and development achievements. Many of the reports are also published in conference proceedings and journals.

Please write to UNU/IIST or visit the UNU/IIST home page, http://www.iist.unu.edu, if you would like to know more about UNU/IIST and its report series.

Zhou Chaochen, Director, 01.8.1997 to 31.7.2001

UNU/IIST International Institute for Software Technology

P.O. Box 3058 Macau

Completeness and Decidability of a Fragment of Duration Calculus with Iteration

Dang Van Hung and Dimitar P. Guelev

Abstract. Duration Calculus with Iteration (DC*) has been used as an interface between the original Duration Calculus and real-time automata, but it has not been studied rigorously. In this paper we study a subset of DC* formulas, consisting of so-called simple ones, which corresponds precisely to the class of timed automata. We give a complete proof system and decidability results for this subset.

Keywords: Real-Time system, formal methods, Duration Calculus, completeness, decidability.

Dang Van Hung is a researcher at the Institute of Information Technology of the National Center for Natural Science and Technology of Vietnam. He was a Fellow of UNU/IIST from April 1994 till July 1995, and has been a Research Fellow of UNU/IIST since October 1995. His research interests include formal techniques of programming, and concurrent and distributed systems. E-mail: [email protected]

Dimitar P. Guelev is a Ph.D. student of logic at the Department of Mathematical Logic and Its Applications, Faculty of Mathematics and Informatics, Sofia University "St. Kliment Ohridski". He has been a fellow of UNU/IIST since March 1998. His research interests are in modal logic, temporal logic and probability logic. E-mail: [email protected], [email protected]

Copyright c 1999 by UNU/IIST, Dang Van Hung and Dimitar P. Guelev

Contents

1 Introduction
2 Duration Calculus with Iteration
  2.1 Language
  2.2 Semantics
3 A Proof System for DC*
4 Completeness of the DC* proof system for iteration of simple formulas
  4.1 From the propositional dynamic logic to DC*
  4.2 Local elimination of iteration from simple DC* formulas
  4.3 Completeness of DC*1-DC*3 for iteration of simple DC* formulas
5 Decidability Results for Simple DC* and Discussion
A Proof of Theorem 2

Report No. 163, April 1999. UNU/IIST, P.O. Box 3058, Macau

1 Introduction

Duration Calculus (DC) was introduced by Zhou, Hoare and Ravn in 1991 as a logic for specifying the requirements of real-time systems. DC has been used successfully in many case studies, see e.g. [ZZ94, YWZP94, HZ94, DW94, BHCZ94, XH95, Dan98, ED99]. In [DW94] we developed a method for designing a real-time hybrid system from its specification in DC. In that paper we introduced a class of so-called simple Duration Calculus formulas with iteration, which corresponds precisely to the class of real-time automata, to express the design of real-time hybrid systems, and showed how to derive a design in this language from a specification in the original Duration Calculus. We used the definition of the semantics of our design language to reason about the correctness of a design. However, it would be more practical and interesting if the correctness of a design could be proved syntactically, with a tool. Developing a proof system to assist the formal verification of designs therefore plays an important role in making formal methods usable in the design process for real-time systems. This is our aim in this paper.

We achieve it in the following way. First we extend DC with the iteration operator (*) to obtain a logic called DC*, and define a subclass of DC* formulas, called simple DC* formulas, to express designs. Secondly we develop a proof system that is complete for proving that a simple DC* formula D implies a DC formula S, meaning that any implication of this form can be proved in our proof system.

To illustrate the idea, consider the classical Gas Burner example from [ZHR91]. The time-critical requirement of a gas burner is specified by a DC formula, denoted by S and defined as

$$S \;\triangleq\; \Box\big(\ell \ge 60\,\mathrm{s} \Rightarrow 20\textstyle\int leak \le \ell\big),$$

which says that, whenever the system is observed over an interval of at least one minute, the proportion of time spent in the leak state is at most one-twentieth of the elapsed time.
One can design the gas burner as the real-time automaton depicted in Fig. 1, which expresses that any leak must be detected and stopped within one second, and that leaks must be separated by at least 30 s. A natural way to express the behaviour of the automaton is a regular-expression-like notation:

$$D \;\triangleq\; \big((\lceil leak\rceil \land \ell \le 1)\frown(\lceil nonleak\rceil \land \ell \ge 30)\big)^*$$

Here we assume that the gas burner starts from the leak state. We will see later that D is a DC formula with iteration. It expresses not only the temporal order of the states but also the time constraints on the state periods. Using our complete proof system we can formally prove the implication $D \Rightarrow S$, which expresses the correctness of the design. The class of simple DC* formulas has the interesting property of being decidable, which means that we can decide whether a design is implementable. Furthermore, for some classes of DC formulas, such as linear duration invariants (see [ZZY94, LDZ97, DP97]), the implication from a simple DC* formula to a formula in the class can be checked by a simple algorithm.

Figure 1: Simple design of the gas burner: a two-state automaton with state leak (sojourn time in [0,1]) and state nonleak (sojourn time in [30,∞)).

The paper is organised as follows. In the next section we give the syntax and semantics of our Duration Calculus with Iteration. In the third section we give a proof system for the calculus. We prove the completeness of the proof system for the class of simple DC* formulas in Section 4. The decidability of the class is discussed in the last section.
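As an added example (not part of the paper, and not the authors' tooling), the following Python script checks both sides of the implication $D \Rightarrow S$ semantically on a concrete finite-variability trace: whether the trace is a model of the design $D$ on its whole duration, and whether it satisfies the requirement $S$ on every subinterval. The encoding of a trace as (state, duration) segments, the function names and the sample traces are constructed for this example. The only fact it uses beyond the definitions in the paper is that $20\int leak - \ell$ is affine in the two endpoints as long as neither crosses a state change, so the maximum over all subintervals of length at least 60 is attained with both endpoints in the finite set of change points shifted by 0 or ±60; enumerating those pairs is therefore an exhaustive check of $S$.

```python
"""Added example (not from the paper): semantic checks for the gas-burner design D
and requirement S of the introduction, on a finite-variability trace.

A trace is a list of (state, duration) segments starting at time 0, for example
[("leak", 1), ("nonleak", 30)].  Durations and times are Fractions, so the DC
integrals are exact.
"""
from fractions import Fraction
from itertools import product

# D = ((⌈leak⌉ ∧ ℓ ≤ 1) ⌢ (⌈nonleak⌉ ∧ ℓ ≥ 30))*, written as a cycle of phases
# (state, lower bound, upper bound); None means "no bound".  Assumption made here:
# consecutive phases have different states, so matching a merged trace is forced.
GAS_BURNER_DESIGN = [("leak", None, 1), ("nonleak", 30, None)]


def normalize(trace):
    """Merge adjacent segments with equal state and drop zero-length segments."""
    segs = []
    for state, dur in trace:
        dur = Fraction(dur)
        if dur < 0:
            raise ValueError("negative duration")
        if dur == 0:
            continue
        if segs and segs[-1][0] == state:
            segs[-1] = (state, segs[-1][1] + dur)
        else:
            segs.append((state, dur))
    return segs


def satisfies_design(trace, design=GAS_BURNER_DESIGN):
    """True iff the whole trace is a finite (possibly empty) iteration of the phases,
    i.e. iff it satisfies the iteration formula D on [0, end of trace]."""
    segs = normalize(trace)
    if len(segs) % len(design) != 0:
        return False
    for i, (state, dur) in enumerate(segs):
        want, lo, hi = design[i % len(design)]
        if state != want or (lo is not None and dur < lo) or (hi is not None and dur > hi):
            return False
    return True


def change_points(segs):
    """Time points at which the trace may change state, including 0 and the end."""
    pts = [Fraction(0)]
    for _, dur in segs:
        pts.append(pts[-1] + dur)
    return pts


def integral(segs, state, a, b):
    """The DC duration ∫state over [a, b]: total time spent in `state` there."""
    total, t = Fraction(0), Fraction(0)
    for s, dur in segs:
        lo, hi = max(a, t), min(b, t + dur)
        if s == state and hi > lo:
            total += hi - lo
        t += dur
    return total


def check_requirement(trace, state="leak", min_len=60, ratio=20):
    """Check S = □(ℓ ≥ min_len ⇒ ratio·∫state ≤ ℓ) over every subinterval.

    Returns None if S holds, otherwise the worst-case witness (a, b).
    ratio·∫state − ℓ is affine in (a, b) on each cell of the change-point grid, so
    its maximum over {b − a ≥ min_len} is attained at a vertex, where both endpoints
    lie in C ∪ (C + min_len) ∪ (C − min_len) for C the set of change points.
    """
    segs = normalize(trace)
    cps = change_points(segs)
    end = cps[-1]
    cand = sorted({p for c in cps for p in (c, c + min_len, c - min_len) if 0 <= p <= end})
    worst = None
    for a, b in product(cand, repeat=2):
        if b - a < min_len:
            continue
        excess = ratio * integral(segs, state, a, b) - (b - a)
        if excess > 0 and (worst is None or excess > worst[0]):
            worst = (excess, a, b)
    return None if worst is None else (worst[1], worst[2])


# Constructed sample traces (not from the paper).
GOOD_TRACE = [("leak", 1), ("nonleak", 30)] * 4   # conforms to D: 1 s leaks, 30 s gaps
BAD_TRACE = [("leak", 1), ("nonleak", 10)] * 6    # violates D: gaps shorter than 30 s

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, "satisfies D:", satisfies_design(trace),
              "S violated on:", check_requirement(trace))
```

On the conforming trace no subinterval of length at least 60 contains more than two seconds of leak, so `check_requirement` returns `None`, as Theorem 2 and the derivation in Section 3 predict for every model of $D$; on the trace with 10 s gaps it reports the window $[0,60]$, which contains six seconds of leak. The design check is deliberately specific to phase cycles with alternating states, which is exactly the shape of $D$; general simple formulas would need the chop-point analysis of Section 4.2.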

2 Duration Calculus with Iteration

This section presents the formal definition of Duration Calculus with Iteration (DC*), which is a conservative extension of Duration Calculus [ZHR91].

2.1 Language

A language for DC* is built from the following sets of symbols: a set of constant symbols $\{a,b,c,\ldots\}$, a set of individual variables $\{x,y,z,\ldots\}$, a set of state variables $\{P,Q,\ldots\}$, a set of temporal variables $\{u,v,\ldots\}$, a set of function symbols $\{f,g,\ldots\}$, a set of relation symbols $\{R,U,\ldots\}$, and a set of propositional temporal letters $\{A,B,\ldots\}$. These sets are required to be pairwise disjoint and disjoint from the set $\{0,\bot,\lnot,\lor,\frown,{}^*,\exists,\int,(,)\}$. Besides, $0$ should be one of the constant symbols, $+$ should be a binary function symbol, and $=$ and $\le$ should be binary relation symbols. Given the sets of symbols, the definition of a DC* language is essentially that of the sets of state expressions $S$, terms $t$ and formulas $\varphi$ of the language, given by the following BNFs:

$$S ::= 0 \mid P \mid \lnot S \mid S \lor S$$
$$t ::= c \mid x \mid u \mid \textstyle\int S \mid f(t,\ldots,t)$$
$$\varphi ::= A \mid R(t,\ldots,t) \mid \lnot\varphi \mid (\varphi\lor\varphi) \mid (\varphi\frown\varphi) \mid (\varphi^*) \mid \exists x\,\varphi$$

Terms and formulas that have no occurrences of $\frown$ (chop), of temporal variables, or of $\int$ are called rigid.

2.2 Semantics

The linearly ordered field of the real numbers,
$$\langle \mathbb{R}, 0_{\mathbb{R}}, 1_{\mathbb{R}}, +_{\mathbb{R}}, -_{\mathbb{R}}, \cdot_{\mathbb{R}}, =_{\mathbb{R}}, \le_{\mathbb{R}}\rangle,$$
is the most important component of DC semantics. In this section we denote by $\mathbb{I}$ the set of bounded intervals over $\mathbb{R}$, $\{[\tau_1,\tau_2] \mid \tau_1,\tau_2\in\mathbb{R},\ \tau_1\le_{\mathbb{R}}\tau_2\}$. For a set $A\subseteq\mathbb{R}$ we denote by $\mathbb{I}(A)$ the set $\{[\tau_1,\tau_2]\in\mathbb{I} \mid \tau_1,\tau_2\in A\}$ of intervals with end-points in $A$.

Given a DC* language $L$, a model for $L$ is an interpretation $I$ of the symbols of $L$ that satisfies the following conditions: $I(c),I(x)\in\mathbb{R}$ for constant symbols $c$ and individual variables $x$; $I(f):\mathbb{R}^n\to\mathbb{R}$ for $n$-place function symbols $f$; $I(v):\mathbb{I}\to\mathbb{R}$ for temporal variables $v$; $I(R):\mathbb{R}^n\to\{0,1\}$ for $n$-place relation symbols $R$; $I(P):\mathbb{R}\to\{0,1\}$ for state variables $P$; and $I(A):\mathbb{I}\to\{0,1\}$ for temporal propositional letters $A$. Besides, $I(0)=0_{\mathbb{R}}$, $I(+)=+_{\mathbb{R}}$, $I(=)$ is $=_{\mathbb{R}}$, and $I(\le)$ is $\le_{\mathbb{R}}$. The following condition, known as finite variability of state, is imposed on interpretations: for every $[\tau_1,\tau_2]\in\mathbb{I}$ with $\tau_1<\tau_2$ and every state variable $P$ there exist $\tau'_1,\ldots,\tau'_n\in\mathbb{R}$ such that $\tau_1=\tau'_1<\ldots<\tau'_n=\tau_2$ and $I(P)$ is constant on each open interval $(\tau'_i,\tau'_{i+1})$, $i=1,\ldots,n-1$.

For the rest of the paper we omit the index $\cdot_{\mathbb{R}}$ that distinguishes operations on reals from the corresponding symbols.

Definition 1 Given a DC* interpretation $I$ for the DC* language $L$, the meaning of a state expression $S$ in $L$ under $I$, $S_I:\mathbb{R}\to\{0,1\}$, is defined inductively as follows: for all $\tau\in\mathbb{R}$,
$$0_I(\tau) \triangleq 0,\qquad P_I(\tau) \triangleq I(P)(\tau)\ \text{for state variables } P,$$
$$(\lnot S)_I(\tau) \triangleq 1 - S_I(\tau),\qquad (S_1\lor S_2)_I(\tau) \triangleq \max((S_1)_I(\tau),(S_2)_I(\tau)).$$

Given an interval $[\tau_1,\tau_2]\in\mathbb{I}$, the meaning of a term $t$ in $L$ under $I$ is a number $I_{\tau_1}^{\tau_2}(t)\in\mathbb{R}$ defined inductively as follows:

$$I_{\tau_1}^{\tau_2}(c) \triangleq I(c)\quad\text{for constant symbols } c;$$
$$I_{\tau_1}^{\tau_2}(x) \triangleq I(x)\quad\text{for individual variables } x;$$
$$I_{\tau_1}^{\tau_2}(v) \triangleq I(v)([\tau_1,\tau_2])\quad\text{for temporal variables } v;$$
$$I_{\tau_1}^{\tau_2}(\textstyle\int S) \triangleq \int_{\tau_1}^{\tau_2} S_I(\tau)\,d\tau\quad\text{for state expressions } S;$$
$$I_{\tau_1}^{\tau_2}(f(t_1,\ldots,t_n)) \triangleq I(f)(I_{\tau_1}^{\tau_2}(t_1),\ldots,I_{\tau_1}^{\tau_2}(t_n))\quad\text{for } n\text{-place function symbols } f.$$

The definitions given so far are relevant to the semantics of DC in general. The extension of the semantics that comes with DC* appears in the definition of the $\models$ relation below. Let us first recall the following traditional relation on interpretations.

Definition 2 Let $I$, $J$ be interpretations of the symbols of the same DC* language $L$, and let $x$ be a symbol of $L$. The interpretation $I$ $x$-agrees with the interpretation $J$ iff $I(s)=J(s)$ for all symbols $s$ of $L$ other than possibly $x$.

Definition 3 Given a DC* language $L$ and an interpretation $I$ of the symbols of $L$, the relation $I,[\tau_1,\tau_2]\models\varphi$ for $[\tau_1,\tau_2]\in\mathbb{I}$ and formulas $\varphi$ of $L$ is defined by induction on the construction of $\varphi$ as follows:

$I,[\tau_1,\tau_2]\not\models\bot$;
$I,[\tau_1,\tau_2]\models A$ iff $I(A)([\tau_1,\tau_2])=1$, for temporal propositional letters $A$;
$I,[\tau_1,\tau_2]\models R(t_1,\ldots,t_n)$ iff $I(R)(I_{\tau_1}^{\tau_2}(t_1),\ldots,I_{\tau_1}^{\tau_2}(t_n))=1$;
$I,[\tau_1,\tau_2]\models\lnot\varphi$ iff $I,[\tau_1,\tau_2]\not\models\varphi$;
$I,[\tau_1,\tau_2]\models(\varphi\lor\psi)$ iff either $I,[\tau_1,\tau_2]\models\varphi$ or $I,[\tau_1,\tau_2]\models\psi$;
$I,[\tau_1,\tau_2]\models(\varphi\frown\psi)$ iff $I,[\tau_1,\tau]\models\varphi$ and $I,[\tau,\tau_2]\models\psi$ for some $\tau\in[\tau_1,\tau_2]$;
$I,[\tau_1,\tau_2]\models(\varphi^*)$ iff either $\tau_1=\tau_2$, or there exist $\tau'_1,\ldots,\tau'_n\in\mathbb{R}$ such that $\tau_1=\tau'_1<\ldots<\tau'_n=\tau_2$ and $I,[\tau'_i,\tau'_{i+1}]\models\varphi$ for $i=1,\ldots,n-1$;
$I,[\tau_1,\tau_2]\models\exists x\,\varphi$ iff $J,[\tau_1,\tau_2]\models\varphi$ for some $J$ that $x$-agrees with $I$.

Note that only the modelling relation $\models$, and not the interpretations $I$, makes the difference between DC* and DC. Besides, the clauses that define the interpretation of the constructs other than $*$ in DC* are the same as in DC. This entails that DC* is a conservative extension of DC.

For convenience we introduce the following notations. Let $I$ be a DC* interpretation, $\varphi$ a DC* formula, and $J_1,J_2,J\subseteq\mathbb{I}$ sets of intervals. Let $k<\omega$. We define

$$\tilde I(\varphi) \triangleq \{[\tau_1,\tau_2]\in\mathbb{I} \mid I,[\tau_1,\tau_2]\models\varphi\}$$
$$J_1\frown J_2 \triangleq \{[\tau_1,\tau_2]\in\mathbb{I} \mid (\exists\tau\in\mathbb{R})([\tau_1,\tau]\in J_1 \land [\tau,\tau_2]\in J_2)\}$$
$$J^0 \triangleq \{[\tau,\tau] \mid \tau\in\mathbb{R}\},\qquad J^k \triangleq \underbrace{J\frown\ldots\frown J}_{k\ \text{times}}\ \text{for } k>0,\qquad J^* \triangleq \bigcup_{k<\omega} J^k$$

In words, $\tilde I(\varphi)$ is the set of intervals that satisfy $\varphi$ under $I$, $J_1\frown J_2$ is the set of intervals that are the concatenation of an interval in $J_1$ and an interval in $J_2$, and $J^*$ is the iteration of $J$ corresponding to the operation $\frown$.

The language definition in Section 2.1 introduces a minimal set of DC* syntactic elements, just in order to enable the concise definition of DC* semantics in Section 2.2. In fact, a richer set is employed in the rest of the paper for readability. We use the customary infix notation for terms with $+$ and formulas with $\le$ and $=$ occurring in them. We introduce the constant $\top$, the boolean connectives $\land$, $\Rightarrow$ and $\Leftrightarrow$, the relation symbols $\ne$, $\ge$, $<$ and $>$, and the $\forall$ quantifier as abbreviations in the usual way. We assume that boolean connectives bind more tightly than $\frown$. Since $\frown$ is associative, we omit parentheses in formulas that contain consecutive occurrences of $\frown$. Besides, we use the following abbreviations, which are generally accepted in Duration Calculus:

$$1 \triangleq \lnot 0,\qquad \ell \triangleq \textstyle\int 1,\qquad \lceil S\rceil \triangleq \textstyle\int S = \ell \land \ell\ne 0,$$
$$\Diamond\varphi \triangleq \top\frown\varphi\frown\top,\qquad \Box\varphi \triangleq \lnot\Diamond\lnot\varphi,\qquad \varphi^+ \triangleq \varphi\frown(\varphi^*),$$
$$\varphi^0 \triangleq \ell=0,\qquad \varphi^k \triangleq \underbrace{\varphi\frown\ldots\frown\varphi}_{k\ \text{times}}\ \text{for } k>0.$$

3 A Proof System for DC*

In this section we propose a proof system for DC*, which consists of a complete Hilbert-style proof system for first-order logic (cf. e.g. [Sho67]), axioms and rules for interval logic (cf. e.g. [Dut95]), Duration Calculus axioms and rules ([HZ92]), and axioms about iteration ([Gue98b]). We assume that readers are familiar with Hilbert-style proof systems for first-order logic and do not give one here. The interval logic and DC-specific axioms and rules follow.

Axioms and rules for Interval Logic

(A1$_l$) $(\varphi\frown\psi)\land\lnot(\chi\frown\psi) \Rightarrow ((\varphi\land\lnot\chi)\frown\psi)$
(A1$_r$) $(\varphi\frown\psi)\land\lnot(\varphi\frown\chi) \Rightarrow (\varphi\frown(\psi\land\lnot\chi))$
(A2) $((\varphi\frown\psi)\frown\chi) \Leftrightarrow (\varphi\frown(\psi\frown\chi))$
(R$_l$) $(\varphi\frown\psi) \Rightarrow \varphi$ if $\varphi$ is rigid
(R$_r$) $(\varphi\frown\psi) \Rightarrow \psi$ if $\psi$ is rigid
(B$_l$) $(\exists x\,\varphi\frown\psi) \Rightarrow \exists x(\varphi\frown\psi)$ if $x$ is not free in $\psi$
(B$_r$) $(\varphi\frown\exists x\,\psi) \Rightarrow \exists x(\varphi\frown\psi)$ if $x$ is not free in $\varphi$
(L1$_l$) $(\ell=x\frown\varphi) \Rightarrow \lnot(\ell=x\frown\lnot\varphi)$
(L1$_r$) $(\varphi\frown\ell=x) \Rightarrow \lnot(\lnot\varphi\frown\ell=x)$
(L2) $\ell=x+y \Leftrightarrow (\ell=x\frown\ell=y)$
(L3$_l$) $\varphi \Rightarrow (\ell=0\frown\varphi)$
(L3$_r$) $\varphi \Rightarrow (\varphi\frown\ell=0)$
(N$_l$) from $\varphi$ infer $\lnot(\lnot\varphi\frown\psi)$
(N$_r$) from $\varphi$ infer $\lnot(\psi\frown\lnot\varphi)$
(Mono$_l$) from $\varphi\Rightarrow\psi$ infer $(\varphi\frown\chi)\Rightarrow(\psi\frown\chi)$
(Mono$_r$) from $\varphi\Rightarrow\psi$ infer $(\chi\frown\varphi)\Rightarrow(\chi\frown\psi)$

Duration Calculus axioms and rules

(DC1) $\int 0 = 0$
(DC2) $\int 1 = \ell$
(DC3) $\int S \ge 0$
(DC4) $\int S_1 + \int S_2 = \int(S_1\lor S_2) + \int(S_1\land S_2)$
(DC5) $(\int S = x\frown\int S = y) \Rightarrow \int S = x+y$
(DC6) $\int S_1 = \int S_2$ if $S_1\Leftrightarrow S_2$ in propositional calculus

(IR1) from $[\ell=0/A]\varphi$, $\varphi\Rightarrow[A\frown\lceil S\rceil/A]\varphi$ and $\varphi\Rightarrow[A\frown\lceil\lnot S\rceil/A]\varphi$ infer $[\top/A]\varphi$
(IR2) from $[\ell=0/A]\varphi$, $\varphi\Rightarrow[\lceil S\rceil\frown A/A]\varphi$ and $\varphi\Rightarrow[\lceil\lnot S\rceil\frown A/A]\varphi$ infer $[\top/A]\varphi$
($\omega$) from $[(\lceil S\rceil\lor\lceil\lnot S\rceil)^k/A]\varphi$ for all $k<\omega$ infer $[\top/A]\varphi$

Axioms about iteration

(DC*1) $\ell=0 \Rightarrow \varphi^*$
(DC*2) $(\varphi^*\frown\varphi) \Rightarrow \varphi^*$
(DC*3) $(\varphi^*\land\psi\frown\top) \Rightarrow (\psi\land\ell=0\frown\top) \lor (((\varphi^*\land\lnot\psi\frown\varphi)\land\psi)\frown\top)$

The meaning of DC*1 and DC*2 is quite straightforward. DC*3 says the following. Assume that some initial subinterval of a given interval satisfies $\psi$ and can be chopped into finitely many parts, each satisfying $\varphi$. Then the smallest initial subinterval of the given one that is formed by these parts and makes $\psi$ hold exists, and it is either the 0-length initial subinterval, or it is obtained by appending one part to an initial subinterval that does not satisfy $\psi$.

A restriction is made on the application of the first-order logic rules and axioms that involve substitution: $[t/x]\varphi$ is defined if no variable in $t$ becomes bound due to the substitution, and either $t$ is rigid or $\frown$ does not occur in $\varphi$.

It is known that the above proof system for interval logic is complete with respect to an abstract class of time domains in place of $\mathbb{R}$ [Dut95]. The proof system for interval logic extended with the axioms DC1-DC6 and the rules IR1, IR2 is complete relative to the class of interval logic sentences that are valid on its real-time frame [HZ92]. Taking the infinitary rule $\omega$ instead of IR1 and IR2 yields an $\omega$-complete system for DC with respect to an abstract class of time domains, like that of interval logic [Gue98a]. Adding appropriate axioms about the reals and a rule like, e.g.,

from $kx\le 1$ for all $k<\omega$ infer $x\le 0$, where $k$ stands for $\underbrace{1+\ldots+1}_{k\ \text{times}}$,

extends this system to one that is $\omega$-complete with respect to the real-time based semantics of DC given above. In the rest of this section we show that adding DC*1-DC*3 to the proof system of DC makes it complete for sentences where iteration is allowed only for a restricted class of formulas that we call simple. The following theorem gives the soundness of these axioms.

Theorem 1 Let $I$ be a Duration Calculus interpretation. Then $I$ validates DC*1-DC*3.

Proof: The proof for DC*1 and DC*2 is trivial and we omit it. Now consider DC*3. Let $[\tau_1,\tau_2]\in\mathbb{I}$ be such that $I,[\tau_1,\tau_2]\models(\varphi^*\land\psi\frown\top)$ and $I,[\tau_1,\tau_2]\models\lnot(\psi\land\ell=0\frown\top)$. We shall prove that $I,[\tau_1,\tau_2]\models((\varphi^*\land\lnot\psi\frown\varphi)\land\psi)\frown\top$. We have that $[\tau_1,\tau_1]\notin\tilde I(\psi)$, and $[\tau_1,\tau]\in\tilde I(\varphi)^k\cap\tilde I(\psi)$ for some $k<\omega$ and some $\tau\in[\tau_1,\tau_2]$. Then there exist $\tau'_1,\ldots,\tau'_{k+1}$ such that $\tau_1=\tau'_1<\ldots<\tau'_{k+1}=\tau$ and $I,[\tau'_i,\tau'_{i+1}]\models\varphi$ for $i=1,\ldots,k$. Since $[\tau_1,\tau'_{k+1}]\models\psi$ and $[\tau_1,\tau'_1]\not\models\psi$, there must be an $i\le k$ for which $[\tau_1,\tau'_i]\not\models\psi$ and $[\tau_1,\tau'_{i+1}]\models\psi$. Therefore $I,[\tau_1,\tau'_{i+1}]\models(\varphi^*\land\lnot\psi\frown\varphi)\land\psi$, which implies that $I,[\tau_1,\tau_2]\models((\varphi^*\land\lnot\psi\frown\varphi)\land\psi)\frown\top$. $\Box$

Note that the proof of the above theorem shows that DC*1-DC*3 are in fact sound over interval logic in general, not only over DC.

Let us derive the monotonicity of $*$ from these axioms. Let $\vdash\varphi\Rightarrow\psi$. We prove that $\vdash\varphi^*\Rightarrow\psi^*$:

$\varphi^*\land\lnot\psi^*$
$\Rightarrow (\lnot\psi^*\land\ell=0\frown\top) \lor (((\varphi^*\land\psi^*\frown\varphi)\land\lnot\psi^*)\frown\top)$  by DC*3 (with $\lnot\psi^*$ in place of $\psi$)
$\Rightarrow (((\psi^*\frown\varphi)\land\lnot\psi^*)\frown\top)$  by DC*1
$\Rightarrow (\lnot\psi^*\land\psi^*)\frown\top$  by DC*2 and $\varphi\Rightarrow\psi$
$\Rightarrow \bot$

The following theorem, a proof of which is given in the Appendix, is useful in practice.

Theorem 2
$$\vdash_{DC^*}\ \Box\big(\varphi\Rightarrow\lnot(\top\frown\lnot\psi)\land\lnot(\lnot\chi\frown\top)\big)\land\Box(\ell=0\Rightarrow\psi\land\chi)\ \Rightarrow\ \big(\varphi^*\Rightarrow\Box(\psi\frown\varphi^*\frown\chi)\big).$$

As an example of the use of the proof system, let us prove the implication expressing the correctness of the simple gas burner mentioned in the introduction. We have to prove that
$$\big((\lceil leak\rceil\land\ell\le 1)\frown(\lceil nonleak\rceil\land\ell\ge 30)\big)^* \Rightarrow \Box\big(\ell\ge 60\Rightarrow\textstyle\int leak\le(1/20)\ell\big).$$
Writing $\lceil\lnot leak\rceil$ for $\lceil nonleak\rceil$, let us denote
$$\varphi \triangleq \lceil leak\rceil\land\ell\le 1\frown\lceil\lnot leak\rceil\land\ell\ge 30,$$
$$\psi \triangleq \ell=0 \lor \lceil\lnot leak\rceil \lor (\lceil leak\rceil\land\ell\le 1\frown\lceil\lnot leak\rceil\land\ell\ge 30),$$
$$\chi \triangleq \ell=0 \lor (\ell\le 1\land\lceil leak\rceil\frown\ell=0\lor\lceil\lnot leak\rceil).$$
From the DC axioms it can easily be proved that $\vdash_{DC}\Box(\varphi\Rightarrow\lnot(\top\frown\lnot\psi)\land\lnot(\lnot\chi\frown\top))$ and $\vdash_{DC}\Box(\ell=0\Rightarrow\psi\land\chi)$. Therefore, by Theorem 2, we can complete the proof if we can derive $((\psi\frown\varphi^*)\frown\chi)\Rightarrow 20\int leak\le\ell$. This is done as follows.

1. $\psi \Rightarrow 31\int leak\le\ell$  (DC)
2. $\varphi^*\land 31\int leak>\ell \Rightarrow (\varphi^*\land 31\int leak>\ell\frown\top)$  (DC)
3. $\varphi \Rightarrow 31\int leak\le\ell$  (DC)
4. $(\varphi^*\land 31\int leak>\ell\frown\top) \Rightarrow (\ell=0\land 31\int leak>\ell\frown\top) \lor (((\varphi^*\land 31\int leak\le\ell\frown\varphi)\land 31\int leak>\ell)\frown\top)$  (by DC*3)
5. $\ell=0 \Rightarrow 31\int leak\le\ell$  (DC)
6. $(\varphi^*\land 31\int leak>\ell\frown\top) \Rightarrow (((\varphi^*\land 31\int leak\le\ell\frown\varphi)\land 31\int leak>\ell)\frown\top)$  (by 4, 5, Mono$_r$)
7. $(\varphi^*\land 31\int leak\le\ell\frown\varphi) \Rightarrow 31\int leak\le\ell$  (by 2, 3, DC)
8. $\varphi^* \Rightarrow 31\int leak\le\ell$  (by 6, 7, Mono$_r$)
9. $(\psi\frown\varphi^*) \Rightarrow 31\int leak\le\ell$  (by 1, 8, DC)
10. $\chi \Rightarrow \int leak\le 1$  (DC)
11. $((\psi\frown\varphi^*)\frown\chi)\land\ell\ge 60 \Rightarrow 20\int leak\le\ell$  (by 9, 10, DC, arithmetic)

4 Completeness of the DC* proof system for iteration of simple formulas

As said in the introduction, our purpose is to give a rigorous study of a class of DC* formulas that play an important role in practice. The formulas in the class are called simple formulas and are considered to be executable. In this section we extend the class of simple formulas originally introduced in [DW94] so that conjunction is freely allowed in simple formulas. We give a rigorous proof of the completeness of the axiom system from the previous section for this class of formulas.

Definition 4 Simple DC* formulas are defined by the following BNF:
$$\varphi ::= \ell=0 \mid \lceil S\rceil \mid a\le\ell \mid \ell\le a \mid (\varphi\lor\varphi) \mid (\varphi\land\varphi) \mid (\varphi\frown\varphi) \mid \varphi^*$$

Before giving our main result on completeness, we first explain where and how we obtained our axioms DC*1-DC*3 about DC* iteration (Subsection 4.1). Then we show that, given a simple formula $\varphi$ and a DC* formula $\psi$, DC* interpretations $I$ that validate

(DC*$_{1,\varphi,\psi}$) $\ell=0 \Rightarrow \psi$
(DC*$_{2,\varphi,\psi}$) $(\psi\frown\varphi) \Rightarrow \psi$
(DC*$_{3,\varphi,\psi,\chi}$) $(\psi\land\chi\frown\top) \Rightarrow (\chi\land\ell=0\frown\top) \lor (((\psi\land\lnot\chi\frown\varphi)\land\chi)\frown\top)$

for all DC* formulas $\chi$ must satisfy the equality $\tilde I(\psi)=\tilde I(\varphi)^*$. This means that the axioms DC*1-DC*3 enforce the clause about iteration in the DC* definition of $\models$ (Definition 3) for simple formulas $\varphi$. We do this in the following way: under the assumption that $\tilde I(\psi)\ne\tilde I(\varphi)^*$, we find an interval $[\tau_1,\tau_2]$ and a formula $\chi$ that refute one of DC*$_{1,\varphi,\psi}$-DC*$_{3,\varphi,\psi,\chi}$ under $I$. Having found an appropriate interval $[\tau_1,\tau_2]$, the formula $\chi$ we need is a $*$-free one that satisfies $\tilde I(\lnot\chi)\cap\mathbb{I}([\tau_1,\tau_2])=\tilde I(\varphi)^*\cap\mathbb{I}([\tau_1,\tau_2])$.

4.1 From the propositional dynamic logic to DC*

In this subsection we point to a certain degree of semantic compatibility between interval logic frames and propositional dynamic logic (PDL) frames. We give a truth-preserving translation of PDL formulas into interval logic ones that is based on this semantic correspondence, and apply it to obtain our axioms for iteration from the corresponding axioms of PDL. Readers who are not familiar with PDL can skip this subsection. Basic definitions about PDL can be found in, e.g., [AGM92].

Let $F=\langle\langle T,\le\rangle,\langle D,+,0\rangle,m\rangle$ be an interval logic frame with time domain $\langle T,\le\rangle$, duration domain $\langle D,+,0\rangle$, and measure function $m:\mathbb{I}(T)\to D$, where $\mathbb{I}(T)=\{[\tau_1,\tau_2]\mid\tau_1,\tau_2\in T,\ \tau_1\le\tau_2\}$ (cf. [Dut95] for interval logic terminology). The set of time points $T$ can be taken as the set of possible worlds of a PDL frame. Let $v$ be a valuation of the propositional letters $p\in P$ and the relation letters $r\in R$ of a PDL language $L_{PDL}$ into such a frame, i.e. $v$ assigns a set of possible worlds to a propositional letter and a set of pairs of possible worlds to a relation letter. Let $v(r)\subseteq{\le}$ for every relation letter $r$ of this language. Since $\mathrm{Id}_T\subseteq{\le}$, and $R,S\subseteq{\le}$ implies $R\cup S,\ R\circ S,\ R^*\subseteq{\le}$, we can assume that the standard extension $\tilde v$ of $v$ to relation terms also yields only subrelations of $\le$. Assume that $T$ has a least and a greatest time point, i.e. $T=[\min T,\max T]$. Let us build a language for interval logic with iteration, $L_{IL}$, with $P\cup R$ as its set of temporal propositional letters, and define an interpretation $I$ of the temporal propositional letters of $L_{IL}$ on $F$ as follows:

$I(p)([\tau_1,\tau_2])=1$ iff $\tau_1\in v(p)$ and $\tau_2=\max T$, for $p\in P$;
$I(r)([\tau_1,\tau_2])=1$ iff $\langle\tau_1,\tau_2\rangle\in v(r)$, for $r\in R$.

Now consider the translation $t$ of $L_{PDL}$ into $L_{IL}$ defined inductively by the following clauses:

$t(\bot)\triangleq\bot$, $\quad t(q)\triangleq q$ for $q\in P\cup R$, $\quad t(\varphi\lor\psi)\triangleq t(\varphi)\lor t(\psi)$, $\quad t(\lnot\varphi)\triangleq\lnot t(\varphi)$,
$t(\mathrm{Id})\triangleq\ell=0$, $\quad t(\alpha\cup\beta)\triangleq t(\alpha)\lor t(\beta)$, $\quad t(\alpha;\beta)\triangleq(t(\alpha)\frown t(\beta))$, $\quad t(\alpha^*)\triangleq(t(\alpha))^*$,
$t(\langle\alpha\rangle\varphi)\triangleq(t(\alpha)\frown t(\varphi))$.

The relationship between the PDL model based on $T$ and $v$ described above and the interval logic model $\langle F,I\rangle$ can be expressed using $t$ by the following proposition.

Proposition 1 Let $\varphi\in L_{PDL}$. Then $T,v,\min T\models\varphi$ iff $\langle F,I\rangle,[\min T,\max T]\models t(\varphi)$.

Proof: Direct check by induction on the construction of $\varphi$. $\Box$

PDL has the following axioms for iteration in its proof system ([AGM92]):

($*_1$) $[\alpha^*]\varphi \Rightarrow (\varphi\land[\alpha][\alpha^*]\varphi)$
($*_2$) $[\alpha^*](\varphi\Rightarrow[\alpha]\varphi) \Rightarrow (\varphi\Rightarrow[\alpha^*]\varphi)$

The $t$-translations of these axioms are equivalent to

(I$_1$) $\psi\lor((\alpha\frown\alpha^*)\frown\psi) \Rightarrow (\alpha^*\frown\psi)$
(I$_2$) $(\alpha^*\frown((\alpha\frown\psi)\land\lnot\psi)) \lor ((\alpha^*\frown\psi)\Rightarrow\psi)$

where $\psi\triangleq\lnot\varphi$ for short, and $\alpha$ stands for $t(\alpha)$. The validity of $*_1$ for a given PDL relation term $\alpha$ and all possible values $\tilde v(\alpha)\subseteq{\le}$ enforces $(\tilde v(\alpha))^*\subseteq\tilde v(\alpha^*)$. The corresponding inclusion for interval logic iteration can be enforced by two simpler axioms, namely DC*1 and DC*2 of our proof system. Similarly, the validity of $*_2$ enforces $\tilde v(\alpha^*)\subseteq(\tilde v(\alpha))^*$, and the corresponding inclusion is enforced by DC*3 in our system. Now notice that DC*3 can be obtained from the translation I$_2$ of $*_2$ by replacing subformulas of the kind $(\,\cdot\,\frown\psi_1\land\psi_2)$ by $(\psi_1\land\,\cdot\,\frown\psi_2)$, together with some simple interval logic transformations. See [Gue98a] for details on the kind of convenience that this last transformation provides. Note that, although I$_1$ and I$_2$ are not part of our proof system for DC*, they are valid DC* formulas, which possibly have the same expressive power as DC*1-DC*3 in DC*.

4.2 Local elimination of iteration from simple DC* formulas

Elimination of iteration from timed regular expressions, which are closely related to simple DC* formulas, has been employed earlier, under various other conditions, as part of model-checking algorithms by Dang and Pham [DP97] and by Li, Dang and Zheng [LDZ97]. The contents of Lemma 1, Lemma 2 and Proposition 2 give a slightly stronger form of Lemma 3.6 from [LD96].

Iteration can be locally eliminated from a formula $\varphi$ if, for every DC* interpretation $I$ and every interval $[\tau_1,\tau_2]\in\mathbb{I}$, there exists a $*$-free formula $\varphi'$ such that $I,[\tau_1,\tau_2]\models\Box(\varphi\Leftrightarrow\varphi')$. Due to the distributivity of conjunction and chop ($\frown$) over disjunction, simple formulas that have no occurrences of $*$ are equivalent to disjunctions of very simple formulas, which are defined as follows.

Definition 5 Very simple formulas are defined by the following BNF:
$$\varphi ::= \ell=0 \mid \lceil S\rceil \mid a\le\ell \mid \ell\le a \mid (\varphi\land\varphi) \mid (\varphi\frown\varphi)$$

Lemma 1 Let $I$ be a DC interpretation and $[\tau_1,\tau_2]\in\mathbb{I}$. Let $\varphi$ be a disjunction of very simple formulas that contain no subformulas of the kind $a\le\ell$ with $a\ne 0$. Then there exists $k<\omega$ such that $I,[\tau_1,\tau_2]\models\Box(\varphi^*\Leftrightarrow\bigvee_{j=0}^{k}\varphi^j)$.

Proof: For $[\tau'_1,\tau'_2]\subseteq[\tau_1,\tau_2]$, by the definition of the semantics of $\varphi^*$, we have that $I,[\tau'_1,\tau'_2]\models\varphi^*$ iff there exists $n<\omega$ such that $I,[\tau'_1,\tau'_2]\models\varphi^n$. We shall prove that there exists $k$ such that for all $[\tau'_1,\tau'_2]\subseteq[\tau_1,\tau_2]$ and all $m$ we have $I,[\tau'_1,\tau'_2]\models\varphi^m\Rightarrow\bigvee_{j=0}^{k}\varphi^j$.

Let $\varphi\triangleq\bigvee_{i=1}^{p}\psi_i$, where the $\psi_i$ are very simple formulas. By finite variability there exist $\sigma_1,\ldots,\sigma_r\in[\tau_1,\tau_2]$ such that $\tau_1=\sigma_1<\ldots<\sigma_r=\tau_2$ and, for every $i=1,\ldots,r-1$ and every state expression $S$ that occurs in $\varphi$, either $I,[\sigma_i,\sigma_{i+1}]\models\lceil S\rceil$ or $I,[\sigma_i,\sigma_{i+1}]\models\lceil\lnot S\rceil$. Let $b_0=\min(\{b\mid\ell\le b\text{ occurs in }\varphi\text{ and }b>0\}\cup\{1\})$. Let $d=\lceil(\tau_2-\tau_1)/b_0\rceil+1$. Let $I,[\tau'_1,\tau'_2]\models\varphi^m$ for some $m$ with $0<m<\omega$ and $\tau'_1<\tau'_2$. This implies that there exist $\rho_1,\ldots,\rho_{n+1}\in[\tau_1,\tau_2]$ and $\chi_1,\ldots,\chi_n\in\{\psi_1,\ldots,\psi_p\}$ such that $n\le m$, $\tau'_1=\rho_1<\ldots<\rho_{n+1}=\tau'_2$ and $I,[\rho_i,\rho_{i+1}]\models\chi_i$ for $i=1,\ldots,n$. There are at most $r-1$ indices $i$ for which there exists $j\le r-1$ satisfying $\rho_i<\sigma_j<\rho_{i+1}$. For all other values of $i$ there exists $j\le r-1$ such that $[\rho_i,\rho_{i+1}]\subseteq[\sigma_j,\sigma_{j+1}]$. Therefore we can find $l$ indices $1=i_1<\ldots<i_l=n$, $l\le 2r$, such that for $1\le s\le l-1$ either $i_{s+1}=i_s+1$ or $[\rho_{i_s},\rho_{i_{s+1}}]\subseteq[\sigma_j,\sigma_{j+1}]$ for some $j\le r$. In the former case $I,[\rho_{i_s},\rho_{i_{s+1}}]\models\chi_{i_s}$ holds. Consider the latter case, i.e. $[\rho_{i_s},\rho_{i_{s+1}}]\subseteq[\sigma_j,\sigma_{j+1}]$. Let $\chi_{i_s}$ contain subformulas of the kind $\ell\le b$. Since $b\ge b_0$, since for every state expression $S$ that occurs in $\chi_{i_s}$ either $\lceil S\rceil$ or $\lceil\lnot S\rceil$ holds in all non-point subintervals of $[\sigma_j,\sigma_{j+1}]$, since there is no subformula of the form $a\le\ell$ with $a>0$ in $\chi_{i_s}$, and since $I,[\rho_{i_s},\rho_{i_{s+1}}]\models\chi_{i_s}$, any non-point subinterval of $[\sigma_j,\sigma_{j+1}]$ of length at most $b_0$ satisfies $\chi_{i_s}$. Hence, because $\sigma_{j+1}-\sigma_j\le\tau_2-\tau_1$, for every $[\sigma,\sigma']\subseteq[\sigma_j,\sigma_{j+1}]$ with $\sigma\ne\sigma'$ we have $I,[\sigma,\sigma']\models\chi_{i_s}^{m'}$ for some $m'\le\lceil(\tau_2-\tau_1)/b_0\rceil+1=d$. In case no formula of the kind $\ell\le b$ occurs in $\chi_{i_s}$, the same holds trivially.

Consequently, for all $1\le s\le l-1$ either $I,[\rho_{i_s},\rho_{i_{s+1}}]\models\varphi$ or $I,[\rho_{i_s},\rho_{i_{s+1}}]\models\varphi^{m'}$ for some $m'\le d$. Therefore, for $k=(2r-1)d$, we have $I,[\tau'_1,\tau'_2]\models\bigvee_{j=0}^{k}\varphi^j$.

Now obviously the existence of an $n$ such that $I,[\tau'_1,\tau'_2]\models\varphi^n$ entails $I,[\tau'_1,\tau'_2]\models\bigvee_{i=0}^{k}\varphi^i$, and the lemma follows immediately. $\Box$

Lemma 2 Let $I$ be a DC interpretation and $[\tau_1,\tau_2]\in\mathbb{I}$. Let $\varphi$ be a disjunction of very simple formulas. Then there exists a $*$-free simple formula $\varphi'$ such that $I,[\tau_1,\tau_2]\models\Box(\varphi^*\Leftrightarrow\varphi')$.

Proof: Let $\varphi\triangleq\bigvee_{i=1}^{p}\psi_i\lor\bigvee_{j=1}^{q}\chi_j$, where the $\psi_i$, $i=1,\ldots,p$, contain no subformulas of the kind $a\le\ell$ with $a\ne 0$, and every $\chi_j$, $j=1,\ldots,q$, does contain such an occurrence. The case in which there are no $\chi$'s has been dealt with in Lemma 1. Let $A\triangleq\bigvee_{i=1}^{p}\psi_i$, $B\triangleq\bigvee_{j=1}^{q}\chi_j$ and $a_0=\min\{a\mid a\le\ell\text{ occurs in }B\text{ and }a>0\}$. By the property of the $\chi_j$'s it must be that $a_0>0$. Then obviously no subinterval of $[\tau_1,\tau_2]$ satisfies $B^k$ for $k>\lceil(\tau_2-\tau_1)/a_0\rceil$. Hence
$$I,[\tau_1,\tau_2]\models\Box\Big(\varphi^*\Leftrightarrow\bigvee_{i=0}^{\lceil(\tau_2-\tau_1)/a_0\rceil}\big(A^*\frown(B\frown A^*)^i\big)\Big).$$
By Lemma 1 there exists a simple formula $A'$ with no occurrences of $*$ such that $I,[\tau_1,\tau_2]\models\Box(A^*\Leftrightarrow A')$. Hence
$$I,[\tau_1,\tau_2]\models\Box\Big(\varphi^*\Leftrightarrow\bigvee_{i=0}^{\lceil(\tau_2-\tau_1)/a_0\rceil}\big(A'\frown(B\frown A')^i\big)\Big),$$
which completes the proof. $\Box$

Lemma 3 Let $\varphi$ be a $*$-free simple formula. Then there exists a formula $\varphi'$ which is a disjunction of very simple formulas such that $\vdash_{DC}\varphi\Leftrightarrow\varphi'$.

Proof: The lemma follows trivially from the distributivity of the operators $\frown$ and $\land$ over the operator $\lor$. $\Box$

Proposition 2 Let $I$ be a DC interpretation and $[\tau_1,\tau_2]\in\mathbb{I}$. Then for every simple formula $\varphi$ there exists a $*$-free simple formula $\varphi'$ such that $I,[\tau_1,\tau_2]\models\Box(\varphi\Leftrightarrow\varphi')$.

Proof: By induction on the number of occurrences of $*$ in $\varphi$. Let $\psi^*$ be a subformula of $\varphi$ with $\psi$ $*$-free. By Lemma 3, $\vdash_{DC}\psi\Leftrightarrow\psi'$ for some disjunction of very simple formulas $\psi'$. Now $I,[\tau_1,\tau_2]\models\Box((\psi')^*\Leftrightarrow\psi'')$ for some $*$-free simple formula $\psi''$ by Lemma 2. Hence $I,[\tau_1,\tau_2]\models\Box(\varphi\Leftrightarrow\varphi')$, where $\varphi'$ is obtained by replacing the occurrence of $\psi^*$ in $\varphi$ by $\psi''$. Thus the number of occurrences of $*$ in $\varphi$ is reduced by at least one. $\Box$

Report No. 163, April 1999

UNU/IIST, P.O. Box 3058, Macau

Decidability Results for Simple DC and Discussion

14

4.3 Completeness of DC1-DC3 for iteration of simple DC formulas In this section, we show our main result about the completeness. Namely, we prove that a formula is the iteration of a simple formula ' if and only if it satis es the axioms DC1 , DC2 and DC3 for all DC formulas. The following proposition has a key role in our proof.

Proposition 3 Let $I$ be a DC model that validates $DC1_{\varphi,\psi,\chi}$, $DC2_{\varphi,\psi,\chi}$ and $DC3_{\varphi,\psi,\chi}$ for some simple DC formula $\varphi$, some arbitrary DC formula $\psi$, and all DC formulas $\chi$. Then $\tilde I(\psi) = (\tilde I(\varphi))^*$.

Proof: The validity of DC1 and DC2 entails that $\tilde I(\psi) \supseteq (\tilde I(\varphi))^*$. The proof of this is trivial and we omit it. For the sake of contradiction, assume that $[\tau_1, \tau_2] \in \tilde I(\psi) \setminus (\tilde I(\varphi))^*$. By Proposition 2 there exists a $^*$-free simple formula $\varphi'$ such that $\tilde I(\varphi') \cap \mathbf{I}([\tau_1, \tau_2]) = (\tilde I(\varphi))^* \cap \mathbf{I}([\tau_1, \tau_2])$. Let $\chi \mathrel{\hat=} \neg\varphi'$. Since $I, [\tau_1, \tau_2] \models \psi$ and $[\tau_1, \tau_2] \notin (\tilde I(\varphi))^*$, we have $I, [\tau_1, \tau_2] \models \psi \wedge \chi$, and hence $I, [\tau_1, \tau_2] \models (\psi \wedge \chi) \frown \top$. Since $[\tau_1, \tau_1] \in (\tilde I(\varphi))^*$, $I, [\tau_1, \tau_2] \not\models (\psi \wedge \chi \wedge \ell = 0) \frown \top$. Now assume that $I, [\tau_1, \tau_2] \models (((\psi \wedge \neg\chi) \frown \varphi) \wedge \chi) \frown \top$. This entails that for some $\tau', \tau'' \in [\tau_1, \tau_2]$, $I, [\tau_1, \tau'] \models \neg\chi$ and $I, [\tau', \tau''] \models \varphi$. Then for some $k < \omega$ there exist $\tau'_1, \ldots, \tau'_{k+1}$ such that $\tau_1 = \tau'_1 < \ldots < \tau'_{k+1} = \tau''$ and $I, [\tau'_i, \tau'_{i+1}] \models \varphi$ for $i = 1, \ldots, k$, and besides $I, [\tau'_1, \tau'_{k+1}] \models \chi$. This implies that $[\tau_1, \tau'_{k+1}] \in (\tilde I(\varphi))^k \subseteq (\tilde I(\varphi))^*$ and $[\tau_1, \tau'_{k+1}] \in \tilde I(\chi) \subseteq \mathbf{I} \setminus (\tilde I(\varphi))^*$, which is a contradiction. $\square$

Now let us state the completeness theorem for DC with iteration of simple formulas.

Theorem 3 Let $\varphi$ be a DC formula all of whose $^*$-subformulas are simple. Then either $\varphi$ is satisfiable by some DC interpretation, or $\neg\varphi$ is derivable in our proof system.

Proof: Assume that $\neg\varphi$ is not derivable. Let $\Gamma$ be the set of all the instances of DC1-DC3. Then $\Gamma \cup \{\varphi\}$ is consistent, and, by the $\omega$-completeness of DC, there exist an interpretation $I$ and an interval $[\tau_1, \tau_2]$ such that $I, [\tau_1, \tau_2] \models \Gamma, \varphi$. Now Proposition 3 entails that $\tilde I(\psi^*) = (\tilde I(\psi))^*$ for all $\psi$ such that $\psi^*$ occurs in $\varphi$, whence the modelling relation $I \models \varphi$ is as required for a DC interpretation. $\square$

5 Decidability Results for Simple DC and Discussion

In this section we discuss the decidability of the satisfiability of simple DC formulas, and related work.


One of the notions in the literature that is close to our notion of simple DC is the notion of timed regular expressions introduced by Asarin et al. in [EPO97], a subset of which had been introduced by us earlier in [LD96]. Each simple DC formula corresponds syntactically to exactly one timed regular expression, and their semantics coincide. Therefore a simple DC formula can be viewed as a timed regular expression. In [EPO97] it is proved that from a timed regular expression $E$ one can build a timed automaton $A$ that recognises exactly the models of $E$, in which the constants occurring in the constraints on the clock variables (guards, tests and invariants) are taken from the expression $E$. Since it is well known [AD94] that emptiness of timed automata is decidable when the constants occurring in the guards and tests are integers, we can conclude that if only integer constants are allowed in the inequalities in the definition of simple DC formulas, then the satisfiability of a simple DC formula is decidable.

Theorem 4 Let $\varphi$ be a simple DC formula in which all the constants occurring in the inequalities are integers. Then the satisfiability of $\varphi$ is decidable.

The complexity of the decision procedure, however, is exponential in the size of the constants occurring in the clock constraints (see, e.g., [AD94]). In [EPO97] it is also shown that from a timed automaton one can build a timed regular expression and a renaming of the automaton states such that each model of the timed regular expression is the renaming of a behaviour of the automaton. In this sense, we can say that the expressive power of simple DC formulas is the same as the expressive power of timed automata. If we restrict ourselves to the class of sequential simple DC formulas, then we obtain a very simple decision procedure for satisfiability, and some interesting results. The sequential simple DC formulas are defined by the following BNF:

$$\varphi \mathrel{\hat=} \ell = 0 \mid \lceil S \rceil \mid \varphi \vee \varphi \mid (\varphi \frown \varphi) \mid \varphi^* \mid \varphi \wedge a \le \ell \mid \varphi \wedge \ell \le a$$

Because the operators $\frown$ and $\wedge$ distribute over $\vee$, and because of the equivalence $(\varphi \vee \psi)^* \Leftrightarrow (\varphi^* \frown \psi^*)^*$, each sequential simple DC formula $\varphi$ is equivalent to a disjunction of simple formulas having no occurrences of $\vee$. Therefore $\varphi$ is satisfiable iff at least one of the components of the disjunction is satisfiable. The satisfiability of sequential simple DC formulas having no occurrence of $\vee$ is easy to decide. To each simple DC formula $\varphi$ having no occurrence of $\vee$ we associate numbers $\min(\varphi), \max(\varphi) \in \mathbb{R} \cup \{\infty\}$ as follows.

$$\begin{aligned}
\min(\ell = 0) &\mathrel{\hat=} 0 & \max(\ell = 0) &\mathrel{\hat=} 0 \\
\min(\lceil S \rceil) &\mathrel{\hat=} 0 & \max(\lceil S \rceil) &\mathrel{\hat=} \infty \\
\min(\varphi_1 \frown \varphi_2) &\mathrel{\hat=} \min(\varphi_1) + \min(\varphi_2) & \max(\varphi_1 \frown \varphi_2) &\mathrel{\hat=} \max(\varphi_1) + \max(\varphi_2)
\end{aligned}$$


$$\begin{aligned}
\min(\varphi^*) &\mathrel{\hat=} 0 & \max(\varphi^*) &\mathrel{\hat=} \infty \text{ if } \max(\varphi) > 0, \text{ otherwise } 0 \\
\min(\varphi \wedge a \le \ell) &\mathrel{\hat=} \max\{\min(\varphi), a\} & \max(\varphi \wedge a \le \ell) &\mathrel{\hat=} \max(\varphi) \\
\min(\varphi \wedge \ell \le a) &\mathrel{\hat=} \min(\varphi) & \max(\varphi \wedge \ell \le a) &\mathrel{\hat=} \min\{\max(\varphi), a\}
\end{aligned}$$

It is obvious that $\varphi$ is satisfiable iff $\min(\varphi) \le \max(\varphi)$.

In [LD96, LDZ97] we developed simple algorithms for checking a real-time system whose behaviour is described by a "sequential" timed regular expression against linear duration invariants of the form $\Box(a \le \ell \le b \Rightarrow \sum_{s \in S} c_s \int s \le M)$. Because of the obvious correspondence between sequential simple DC formulas and sequential timed regular expressions, these algorithms can be used to prove automatically the implication from a sequential simple DC formula to a linear duration invariant. An advantage of the method is that it reduces the problem to a number of linear programming problems, which are well understood. Because of this advantage, in [DP97] we tried to generalise the method to general simple DC formulas, and showed that in most cases the method can still be used for checking the implication from a simple DC formula to a linear duration invariant. Together with the proof system presented in the previous sections, these decision procedures will help to develop a tool to assist the design and verification of real-time systems.

It seems that with the extension of DC with the operator $^*$ we can only capture the "regular" behaviour of real-time systems. In order to capture their full behaviour we have to use the extension of DC with recursion. However, we believe that in this case the proof system would be more complicated, and would be far from complete.
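As an added example, not taken from the paper, the following Python implements the decision procedure for sequential simple DC formulas just described: it rewrites a formula into disjunction-free components and computes min and max by the rules above. The tagged-tuple encoding of the BNF and the function names are this example's own, and rewriting the iteration of a disjunction uses the Kleene identity (φ ∨ ψ)* ⇔ (φ*⌢ψ*)*.

```python
from itertools import product
from math import inf

# Sequential simple DC formulas (BNF of Section 5) as tagged tuples; the
# encoding is this example's own: ("len0",) for l = 0, ("state", S) for ⌈S⌉,
# ("or", p, q), ("chop", p, q), ("star", p), ("ge", p, a) for p ∧ a ≤ l,
# and ("le", p, a) for p ∧ l ≤ a.

def disjuncts(phi):
    """Equivalent list of ∨-free formulas: chop and ∧ are distributed over ∨,
    and iteration uses the Kleene identity (p ∨ q)* <=> (p* chop q*)*."""
    tag = phi[0]
    if tag == "or":
        return disjuncts(phi[1]) + disjuncts(phi[2])
    if tag == "chop":
        return [("chop", a, b) for a, b in product(disjuncts(phi[1]), disjuncts(phi[2]))]
    if tag == "star":
        ds = disjuncts(phi[1])
        out = ("star", ds[0])
        for d in ds[1:]:
            out = ("star", ("chop", out, ("star", d)))
        return [out]
    if tag in ("ge", "le"):
        return [(tag, d, phi[2]) for d in disjuncts(phi[1])]
    return [phi]                       # l = 0 or ⌈S⌉: already ∨-free

def bounds(phi):
    """(min, max) of a ∨-free formula, by the rules of Section 5."""
    tag = phi[0]
    if tag == "len0":
        return 0, 0
    if tag == "state":
        return 0, inf
    if tag == "chop":
        (l1, h1), (l2, h2) = bounds(phi[1]), bounds(phi[2])
        return l1 + l2, h1 + h2
    if tag == "star":
        return 0, (inf if bounds(phi[1])[1] > 0 else 0)
    lo, hi = bounds(phi[1])            # "ge" or "le"
    return (max(lo, phi[2]), hi) if tag == "ge" else (lo, min(hi, phi[2]))

def satisfiable(phi):
    """Decision procedure: phi is satisfiable iff some disjunct has min <= max."""
    return any(lo <= hi for lo, hi in map(bounds, disjuncts(phi)))

# Constructed sample: ((⌈S⌉ ∧ 3 ≤ l) chop (⌈T⌉ ∧ 2 ≤ l)) ∧ l ≤ 4 is not
# satisfiable (min 5 > max 4), but disjoining ⌈S⌉* ∧ 10 ≤ l makes it so.
UNSAT = ("le", ("chop", ("ge", ("state", "S"), 3), ("ge", ("state", "T"), 2)), 4)
SAT = ("or", UNSAT, ("ge", ("star", ("state", "S")), 10))
```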

References

[AGM92] S. Abramsky, D. Gabbay and T.S.E. Maibaum, eds. Handbook of Logic in Computer Science. Clarendon Press, Oxford, 1992.

[AD94] R. Alur and D.L. Dill. A Theory of Timed Automata. Theoretical Computer Science 126, pp. 183-235, 1994.

[EPO97] E. Asarin, P. Caspi and O. Maler. A Kleene Theorem for Timed Automata. In G. Winskel (ed.), Proceedings of the IEEE International Symposium on Logics in Computer Science LICS'97, 1997, pp. 160-171.

[DW94] Dang Van Hung and Wang Ji. On The Design of Hybrid Control Systems Using Automata Models. In V. Chandru and V. Vinay (eds.), Foundations of Software Technology and Theoretical Computer Science, 16th Conference, Hyderabad, India, December 1996, LNCS 1180, Springer, 1996.

[Dan98] Dang Van Hung. Modelling and Verification of Biphase Mark Protocols in Duration Calculus Using PVS/DC−. Presented at and published in the Proceedings of the 1998 International Conference on Application of Concurrency to System Design (CSD'98), 23-26 March 1998, Aizu-wakamatsu, Fukushima, Japan, IEEE Computer Society Press, 1998, pp. 88-98.

[DP97] Dang Van Hung and Pham Hong Thai. On Checking Parallel Real-Time Systems for Linear Duration Invariants. In Bernd Kramer, Naoshi Uchihita, Peter Croll and Stefano Russo (eds.), Proceedings of the International Symposium on Software Engineering for Parallel and Distributed Systems (PDSE'98), 20-21 April 1998, Kyoto, Japan, IEEE Computer Society Press, 1998, pp. 61-71.

[Dut95] B. Dutertre. On First Order Interval Temporal Logic. Report no. CSD-TR-94-3, Department of Computer Science, Royal Holloway, University of London, Egham, Surrey TW20 0EX, England, 1995.

[Gue98a] Dimitar P. Guelev. A Calculus of Durations on Abstract Domains: Completeness and Extensions. Technical Report 139, UNU/IIST, P.O. Box 3058, Macau, May 1998.

[Gue98b] Dimitar P. Guelev. Iteration of Simple Formulas in Duration Calculus. Technical Report 141, UNU/IIST, P.O. Box 3058, Macau, June 1998.

[HZ92] M.R. Hansen and Zhou Chaochen. Semantics and Completeness of Duration Calculus. In: Real-Time: Theory and Practice, LNCS 600, Springer-Verlag, 1992, pp. 209-225.

[HZ97] Michael R. Hansen and Zhou Chaochen. Duration Calculus: Logical Foundations. Formal Aspects of Computing, 9, pp. 283-330, 1997.

[HZ94] He Weidong and Zhou Chaochen. A Case Study of Optimization. The Computer Journal, Vol. 38, No. 9, pp. 734-746, 1995.

[LD96] Li Xuan Dong and Dang Van Hung. Checking Linear Duration Invariants by Linear Programming. In Joxan Jaffar and Roland H.C. Yap (eds.), Concurrency and Parallelism, Programming, Networking, and Security, LNCS 1179, Springer-Verlag, December 1996, pp. 321-332.

[LDZ97] Li Xuan Dong, Dang Van Hung and Zheng Tao. Checking Hybrid Automata for Linear Duration Invariants. In R.K. Shamasundar and K. Ueda (eds.), Advances in Computing Science, LNCS 1345, Springer-Verlag, 1997, pp. 166-180.

[ED99] E. Pavlova and Dang Van Hung. A Formal Specification of the Concurrency Control in Real-Time Databases. Technical Report 152, UNU/IIST, P.O. Box 3058, Macau, January 1999.

[Sho67] J. Shoenfield. Mathematical Logic. Addison-Wesley, Reading, Massachusetts, 1967.

[BHCZ94] Belawati H. Widjaja, He Weidong, Chen Zongji and Zhou Chaochen. A Cooperative Design for Hybrid Systems. In A. Pnueli and H. Lin (eds.), Logic and Software Engineering: International Workshop in Honor of Chih-Sung Tang, World Scientific, 1996, pp. 127-150.

[XH95] Xu Qiwen and He Weidong. Hierarchical Design of a Chemical Concentration Control System. Proceedings of Hybrid Systems III: Verification and Control, U.S.A., LNCS 1066, Springer-Verlag, 1995, pp. 270-281.

[YWZP94] Yu Xinyao, Wang Ji, Zhou Chaochen and Paritosh K. Pandya. Specification of an Adaptive Control System. Research Report 19, UNU/IIST, P.O. Box 3058, Macau, 1 April 1994. Published in: Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, 1994, pp. 738-755.

[ZZ94] Zheng Yuhua and Zhou Chaochen. A Formal Proof of a Deadline Driven Scheduler. Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, 1994, pp. 756-775.

[ZHR91] Zhou Chaochen, C.A.R. Hoare and A.P. Ravn. A Calculus of Durations. Information Processing Letters, 40(5):269-276, 1991.

[ZZY94] Zhou Chaochen, Zhang Jingzhong, Yang Lu and Li Xiaoshan. Linear Duration Invariants. Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, 1994.

A Proof of Theorem 2

We shall prove that

' ) :(>_: ); ' ) :(: _>); ` = 0 ) ; ` = 0 ) `DC ' ) 2( _' _ ):

Then the theorem will follow by the deduction theorem for DC [HZ97]. The derivation is numbered 1-34 below; the justification of each step follows it in parentheses.

1. ' ) :(>_: )  (assumption)
2. ' ) :(>_:( _` = 0))  (by 1)
3. ` = 0 ) '  (by DC1)
4. ' ) :(>_:( _' ))  (by 2, 3, Mono_r)
5. ` = 0 )  (assumption)
6. ` = 0 ) (` = 0_` = 0)  (L2)
7. ` = 0 ) ( _' ))  (by 5, 6, DC1, Mono_l, Mono_r)
8. (>_:( _' )) ) :` = 0  (by 7, DC)
9. :((>_:( _' )) ^ ` = 0_>)  (by 8, N_l)
10. (' ^ (>_:( _' ))) ) ((>_:( _' )) ^ ` = 0_>)_ ((' ^ :(>_:( _' ))_')^ (>_:( _' ))_>)  (by DC3)
11. (' ^ :(>_:( _' ))_')^ (>_:( _' )) ) _ _ (> ( ' _') ^ :( _' ))_ (' ^ (>_:( _' )))) _  (DC)
12. ( ' _') ) ( _' )  (by DC2, Mono_r)
13. :(( _' _') ^ :( _' )) _(' ^ (>_:( _' ))) _  (by 4, Mono_r, 14)
14. :(> (( _' _') ^ :( _' )) _(' ^ (>_:( _' ))))  (by 13, N_r)
15. :((' ^ :(>_:( _' ))_')^ (>_:( _' )))  (by 11, 14)
16. ' ) :(>_:( _' )))  (by 9, 10, 15, Mono_l)
17. ( _' ) ^ (:( _' _ )_>) ) ( ^ (:( _' _ )_>)_>)_ ( _(' ^ (:(' _ )_>)))  (DC)
18. ` = 0 )  (assumption)
19. ` = 0 ) ((' _ )_>)  (by 6, DC1, 18, Mono_l, Mono_r)
20. ) ( _` = 0)  (by L3r)
21. ) (( _' _ )_>)  (by 19, 20, Mono_r)
22. ( _' ) ^ (:( _' _ )_>) ) ( _(' ^ (:(' _ )_>)))  (by 17, 21, Mono_l)
23. ' ^ (:(' _ )_>) ) (' ^ (:(' _ )_>)_>)  (by Mono_r)
24. ' ^ (:(' _ )_>) ) (` = 0 ^ (:(' _ )_>)_>)_ (((' ^ :(:(' _ )_>))_')^ (:(' _ )_>)_>)  (by DC3)
25. ` = 0 ) (' _ )  (by 6, DC1, 18, Mono_l, Mono_r)
26. (:(' _ )_>) ) ` 6= 0  (by 25, Mono_l)
27. ((' ^ :(:(' _ )_>))_') ^(:(' _ )_>) ) _ (' ' ^ (: _>))  (DC)
28. ' ) :(: _>)  (assumption)
29. :(' _' ^ (: _>))  (by 28, N_r)
30. :(((' ^ :(:(' _ )_>))_')^ (:(' _ )_>)_>)  (by 29, N_l)
31. ' ) :(:(' _ )_>)  (by 23, 24, 26, 30)
32. :( _(' ^ (:(' _ )_>)))  (by 31, N_r)
33. ( _' ) ) :(:( _(' _ ))_>)  (by 22, 32)
34. ' ) :((>_:( _(' _ )))_>)  (by 16, 33, Mono_l, Mono_r)
