Model Checking for Extended Timed Temporal Logics (extended abstract)

Ahmed Bouajjani, Yassine Lakhnech, Sergio Yovine

Abstract

We introduce the real-time temporal logic BTATLp, which is obtained by extending CTL with both past operators and timed automata constraints. These operators allow expressing that, given a run of the system, the finite segment between the current state and some designated previous or future state of the run is accepted by a given timed automaton. Considering past operators and automata constraints together allows timing requirements to be expressed in a simple and natural way. Model checking for full BTATLp is undecidable. Fortunately, there exist significant (both linear-time and branching-time) fragments for which the verification problem is decidable. In particular, we identify a sublogic of BTATLp which is more expressive than TCTL, and for which model checking can be effectively done. The practical interest of this logic is illustrated through the example of the Philips audio protocol.

To appear in FTRTFT'96, Uppsala, Sweden, Sep 11-13, 1996.

Verimag, Miniparc-Zirst, Rue Lavoisier, 38330 Montbonnot St-Martin, France.

Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität zu Kiel, Preußerstr. 1-9, D-24105 Kiel, Germany.

[email protected], [email protected], [email protected]

1 Introduction

One of the major approaches for specifying and verifying (reactive) systems consists in using ω-automata and/or temporal logics as specification formalisms with model checking algorithms for automatic verification [Pnu77, QS82, CES83, EL86, VW86]. This framework has been extended to the case of real-time systems by adapting the existing specification formalisms and verification techniques in order to take into account hard timing constraints [AH89, ACD90, AFH91, HNSY92]. Timed ω-automata and timed temporal logics have been defined by adding the ability of resetting and testing clocks, which allows expressing upper and lower bounds on the time distances between events. For instance, this extension allows expressing in the logic TPTL (timed PTL) [AH89] properties like "whenever P occurs, eventually Q will be observed within 5 time units". Unfortunately, this natural extension of the usual specification formalisms does not in general preserve the decidability of their verification problem. Indeed, this problem is undecidable for (dense-time) TPTL [AH89]. Moreover, while the emptiness problem of timed ω-automata is decidable, their universality problem is undecidable [AD94], and hence verifying a property expressed by timed ω-automata is in general undecidable. Nevertheless, model checking algorithms have been proposed for timed logics like the branching-time logic TCTL [ACD90, HNSY92] and the linear-time logic MITL [AFH91]. However, in many practical cases we have considered, specifications are either not expressible in these logics or expressible only in a cumbersome and unnatural way. It is indeed possible to make the following observations. First, as is well known, many properties are more simply expressed using past operators. It has also been shown in [AH92] that adding past operators enhances the expressiveness of timed logics like MITL.
Second, it is often convenient and sometimes necessary to express parts of the specification using automata, especially those involving complex timing dependencies between events. Third, it is often the case that we need to express branching-time properties (i.e., requiring nested alternation of universal and existential path quantifiers) involving nontrivial path constraints (i.e., linear-time properties). The aim of this paper is to propose a formalism which is powerful enough to express all the kinds of properties mentioned above and for which model checking can be effectively done. We start by defining as a general specification framework a logic called BTATLp, which is a branching-time temporal logic with past operators where timed automata are used as constraints. Automata constraints allow saying that the computation from some designated position to the current one is accepted by some given automaton on finite timed sequences. In particular, this automaton can simply check that the time length of the considered computation segment satisfies some upper or lower bound constraint, and hence the use of automata as constraints generalizes the way of expressing constraints in timed logics like TPTL. Clearly, the verification problem for BTATLp is undecidable. Indeed, the language of its path formulas, called TATLp, subsumes the logic TPTL. Therefore, we introduce a sublogic called BTATLp for which we provide a model checking algorithm. To define the logic BTATLp we consider two different fragments of TATLp for describing path formulas, called TATL+p and TATL−p. These fragments are dual in the sense that negations of TATL+p formulas are equivalent to TATL−p formulas and conversely. BTATLp is defined by allowing TATL+p formulas under universal path quantification and TATL−p formulas under existential path quantification. BTATLp allows expressing all the useful properties like invariants and response properties.
In particular, we use it to describe properties of the Philips audio protocol [BPV94]. This experience shows that BTATLp allows a natural expression of properties that are in general not expressible in the other existing logics for which the verification problem is decidable. Our model checking algorithm for BTATLp is based on the fact that we can translate each path formula in TATL−p into a timed Muller ω-automaton. Hence, since existentially quantified path formulas are in TATL−p and universally quantified ones are in the dual fragment

TATL+p, the model checking algorithm consists, roughly speaking, in solving nested emptiness problems for timed ω-automata (which is decidable). To prove that TATL−p formulas can be characterized by timed ω-automata, we give a construction which associates with every formula a 2-way timed ω-automaton with a bounded number of reversals, and then use the fact that this kind of 2-way automata can be converted into 1-way automata [AH92]. Moreover, we show that direct constructions of 1-way automata, without resorting to 2-way automata, are possible for significant fragments of TATL−p, in particular for TPTL−p, which consists of the formulas that are in both TATL−p and TPTLp. The remainder of this paper is organized as follows. In Section 2, we define 2-way timed automata and timed systems. The logic BTATLp is introduced in Section 3, and its sublogic BTATLp is defined in Section 4. In Section 5, we use BTATLp to specify requirements of the Philips audio protocol. In Section 6, we give the constructions of timed ω-automata for TATL−p and TPTL−p formulas. Then, in Sections 7 and 8, we present the model checking procedures for the linear-time logic TATL+p and the branching-time logic BTATLp. Concluding remarks are given in Section 9.

2 Timed automata and timed systems

We give hereafter the definitions of 2-way timed graphs and (ω-)automata, and introduce the notion of timed systems. These definitions are inspired by those introduced in [AH92] and [AD94].

2.1 Two-way timed graphs

Given a finite alphabet, we call timed sequence over it any finite or infinite sequence ⟨1, 1⟩ ⋯ ⟨i, i⟩ ⋯ whose first components are symbols of the alphabet and whose second components are positive real numbers that strictly increase with i and tend to ∞. Two-way timed graphs are finite control machines running back and forth over timed sequences. They consist of finite transition systems supplied with a finite set of variables called clocks. Transitions of these graphs correspond to moves on the input timed sequence that can be either to the left or to the right of the current position. These transitions are conditioned by constraints on the time distances between the current position and some other designated positions on the input timed sequence. For that, a special variable T is used to represent permanently the time at the current position, and the other clocks are used to memorize the time values at different positions in the sequence. Let us give the formal definitions. Given a set of clocks, a clock constraint is a boolean combination of atomic formulas of the form |T − x| ≤ c where x is a clock and ≤ stands for either < or ≤, […] and ℓ' = ℓ − 1.

Let ⟨q, , t⟩ be a configuration of G. Then, a run of G over a timed sequence starting from this configuration is a sequence of situations ⟨q1, 1, t1, ℓ1⟩ ⋯ ⟨qi, i, ti, ℓi⟩ ⋯ such that

- ⟨q1, 1, t1⟩ is the starting configuration and ℓ1 = 1,
- for every i with 1 ≤ i ≤ |run|: the label of qi is the symbol at position ℓi of the sequence, and ti is the time at position ℓi,
- for every i with 1 ≤ i < |run|: there is an edge e ∈ E with ⟨qi, i, ti, ℓi⟩ →e ⟨qi+1, i+1, ti+1, ℓi+1⟩,
- for every position i of the sequence, 1 ≤ i ≤ |sequence|: there is a j, 1 ≤ j ≤ |run|, with ℓj = i.

For every nonnegative number k, the 2-way timed graph G is k-bounded if for every timed sequence, every run of G over it, and every i ≥ 1, the number of position indices ℓj that are equal to i is less than or equal to 2k + 1. When for every edge of G the direction indicator is "+" (i.e., G is 0-bounded), we say that G is a 1-way timed graph, or simply a timed graph. To simplify the description of timed graphs, we sometimes omit the direction indicators of their edges and write their clock constraints as T − x ≤ c instead of |T − x| ≤ c. We also write X := T for the set of reset clocks X. Given a timed graph G, a run of G over a timed sequence can be considered as a sequence of configurations instead of situations, since the indices ℓi are not relevant. In this case, the timed sequence coincides with the sequence ⟨label(q1), t1⟩ ⋯ ⟨label(qi), ti⟩ ⋯ obtained from the run and denoted by Trail(run). We can also interpret timed graphs as generators of timed sequences, and hence we say that the run generates the timed sequence Trail(run).

2.2 Two-way timed automata on nite sequences

A 2-way timed automaton on finite timed sequences over the alphabet is a triplet A = (G, I, F) where G = (Q, , X, E) is a 2-way timed graph over the alphabet, I ⊆ Q is a set of initial control locations, and F ⊆ Q is a set of final control locations. We say that A is a 1-way timed automaton if G is a 1-way timed graph. Let ⟨1, 1⟩ ⋯ ⟨n, n⟩ be a finite timed sequence over the alphabet. We say that A accepts it if there exists a run ⟨q1, 1, t1, ℓ1⟩ ⋯ ⟨qn, n, tn, ℓn⟩ of G over it such that q1 ∈ I, every clock x ∈ X ∖ {T} has the value t1 in the first situation, and qn ∈ F. We denote by L(A) the set of finite timed sequences accepted by A. Deterministic (2-way) timed automata can be defined as in [AH92]. They have at most one run over every finite timed sequence and they are closed under all boolean operations, whereas nondeterministic timed automata are not closed under complementation [AD94]. We omit their formal definition since it is not necessary for the understanding of the paper.

2.3 Two-way timed !-automata on in nite sequences

A 2-way timed Büchi (resp. Muller) ω-automaton over the alphabet is a triplet A = (G, I, Acc) where G = (Q, , X, E) is a 2-way timed graph over the alphabet, I ⊆ Q is a set of initial control locations, and Acc is a set F ⊆ Q (resp. a set of subsets of Q) called the Büchi (resp. Muller) acceptance condition. We say that A is a 1-way timed Büchi (resp. Muller) ω-automaton, or simply a timed Büchi (resp. Muller) ω-automaton, if G is a 1-way timed graph.

Let ⟨1, 1⟩ ⋯ ⟨i, i⟩ ⋯ be an infinite timed sequence over the alphabet. Then, given a run ⟨q1, 1, t1, ℓ1⟩ ⋯ ⟨qi, i, ti, ℓi⟩ ⋯ of G over it, we denote by Inf(run) the set of control locations q such that q = qi for infinitely many i ≥ 1. Then, we say that the run is an accepting run of the timed Büchi (resp. Muller) ω-automaton A = (G, I, Acc) over the timed sequence if q1 ∈ I, every clock x ∈ X ∖ {T} has the value t1 in the first situation, and Inf(run) ∩ F ≠ ∅ (resp. Inf(run) belongs to the Muller condition). We denote by L(A) the set of infinite timed sequences having accepting runs of A.

As in the case of automata on finite timed sequences, deterministic (2-way) timed ω-automata can be defined. We recall that deterministic timed Muller ω-automata are closed under all boolean operations, whereas deterministic and nondeterministic Büchi and nondeterministic Muller timed ω-automata are not closed under complementation [AD94].

2.4 Timed systems

We call timed system a timed graph with self-loops on all the control locations and a fairness constraint on the edges. Self-loops allow making several successive observations at the same location (with strictly increasing times), whereas the fairness constraint prevents staying at the same location forever. Formally, a timed system over the alphabet is a pair T = (G, Fair) where G = (Q, , X, E) is a timed graph over the alphabet such that ∀q ∈ Q: (q, true, ∅, q) ∈ E, and Fair ⊆ E is a set of fair edges. Given a configuration of T, a sequence of configurations 1 ⋯ i ⋯ is a computation of T starting from that configuration if it is an infinite run of G starting from it on the timed sequence it generates (its Trail), such that some fair edge e ∈ Fair is taken infinitely often (for infinitely many i, the move from the i-th to the (i+1)-th configuration is by e). We denote by C(T, κ) the set of computations of T starting from the configuration κ.

3 Branching-time TATLp

3.1 De nition

Let P be a finite set of atomic propositions, and let the alphabet be 2^P. We use letters P, Q, … to range over elements of P. Let us introduce a set W of position variables and use letters u, v, … to range over W. We use letters A, B, … to range over (1-way) timed automata on finite timed sequences. The set of state (resp. path) BTATLp formulas is the set of formulas φ (resp. ) defined by the following grammar:

φ ::= P | ¬φ | φ ∨ φ | ∃
 ::= φ | u. | Au | ¬ |  ∨  |  U  |  S 

In addition, we introduce as abbreviations the usual boolean connectives ∧ and ⇒, the temporal operators ◇ = true U , ◇p = true S , □ = ¬◇¬, and □p = ¬◇p¬, and universal path quantification ∀ = ¬∃¬. Given a timed system T over the alphabet, state formulas are interpreted as sets of configurations of T, whereas path formulas are interpreted as sets of computations of T. The operators U, S, ◇, ◇p, □, and □p are the classical until, since, eventually in the future, sometime in the past, always in the future, and always in the past operators of the linear-time propositional temporal logic PTLp [LPZ85]. The state formula ∃ means that there exists a computation starting from the current configuration which satisfies the path formula. Hence, when interpreting it the past cannot go beyond the current configuration. This way of introducing past modalities in branching-time logics corresponds to the interpretation adopted in [HT87]. The construction "u." associates the current position (index) on the computation with the position variable u. Then, u can be used as a label allowing to refer to the position associated with it. The formula Au, when interpreted at some position i, means that the automaton A accepts the timed sequence generated by the finite subcomputation starting at u and ending at i, by running

either forward or backward on the computation according to whether i is greater or smaller than the position of u. We call formulas of the form Au automata constraints. For example, let T≤5 be the automaton represented by the following picture:

[Figure: the automaton T≤5; its edges are labeled x := T, |T − x| ≤ 5 and |T − x| > 5, and its locations carry the letters P and Q.]

Then, the property that "whenever P holds, Q will eventually be true within 5 time units" is expressed by the formula

□(P ⇒ u.◇(Q ∧ T≤5u))   (1)

and the property that "whenever Q holds, P was necessarily true no longer than 5 time units ago" is expressed by the formula

□(Q ⇒ u.◇p(P ∧ T≤5u))   (2)

In the formula u., the construction "u." binds the position variable u in the subformula. We call the construction "u." position quantification. We suppose without loss of generality that in every formula each position variable is bound at most once. Then, every variable appearing in some formula is either bound or free. A formula is closed if all the variables occurring in it are bound; otherwise it is open. For the sake of simplicity, we suppose from now on that all state formulas are closed, i.e., each automata constraint refers to some position introduced within the scope of the innermost path quantifier under which the constraint occurs. Path formulas, however, may be open. The formal semantics of BTATLp is given by means of two satisfaction relations, namely ⊨T, defined between configurations and state formulas, and ⊫T, defined between computations and path formulas. The relation ⊫T is parametrized by a position association E that associates with each position variable the position (index) on the computation where it has been introduced. We denote the parametrized satisfaction relation by ⊫T,E. The definition of ⊫T,E depends on the current position on the computation. Hence, we write (, i) ⊫T,E  to say that the computation satisfies the path formula at position i w.r.t. E. In the definition of ⊫T,E, the position association E is updated when new position variables are introduced. We denote by ∅ the position association whose domain is empty, and by E[u ↦ i] the position association whose domain is the domain of E extended by u, which associates with u the position i and coincides with E on all the other variables. We denote simply by ⊫T the relation ⊫T,∅, and write  ⊫T  for (, 1) ⊫T . Let T be a timed system over the alphabet.
Then, for every configuration ⟨q, , t⟩ of T and every state formula φ, the meaning of ⟨q, , t⟩ ⊨T φ is inductively defined by:

⟨q, , t⟩ ⊨T P iff P belongs to the label of q
⟨q, , t⟩ ⊨T ¬φ iff ⟨q, , t⟩ ⊭T φ
⟨q, , t⟩ ⊨T φ1 ∨ φ2 iff ⟨q, , t⟩ ⊨T φ1 or ⟨q, , t⟩ ⊨T φ2
⟨q, , t⟩ ⊨T ∃ iff some computation in C(T, ⟨q, , t⟩) satisfies the path formula under ⊫T

where, for every computation of T, every i ≥ 1, and every position association E, the meaning of (, i) ⊫T,E  is inductively defined by:

(, i) ⊫T,E φ iff [i, i] ⊨T φ
(, i) ⊫T,E u. iff (, i) ⊫T,E[u↦i] 
(, i) ⊫T,E Au iff Trail([E(u), i]) ∈ L(A)
(, i) ⊫T,E ¬ iff (, i) ⊯T,E 
(, i) ⊫T,E 1 ∨ 2 iff (, i) ⊫T,E 1 or (, i) ⊫T,E 2
(, i) ⊫T,E 1 U 2 iff ∃j ≥ i: (, j) ⊫T,E 2 and ∀k, i ≤ k < j: (, k) ⊫T,E 1
(, i) ⊫T,E 1 S 2 iff ∃j, 1 ≤ j ≤ i: (, j) ⊫T,E 2 and ∀k, j < k ≤ i: (, k) ⊫T,E 1

where, for every computation 0 ⋯ i ⋯, [j, i] denotes the finite subcomputation j0 ⋯ jn where n = |j − i| and, for all 0 ≤ k ≤ n, jk is j + k if j ≤ i, or j − k otherwise. Given a closed state formula φ, [[φ]]T is the set of configurations κ such that κ ⊨T φ.
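The semantics above is easiest to see on a concrete prefix of a computation. The following Python program is an added example, not code from the paper: it interprets deterministic 1-way timed automata on finite timed sequences (Section 2.2), builds the automaton T≤c of the figure, and evaluates path formulas by the satisfaction clauses of Section 3.1 over a finite prefix, including the position association E and the forward/backward segment σ[E(u), i] that an automata constraint Au runs over. The trace, the edge encoding (a guard evaluated on the position being entered, a reset set applied afterwards) and the two-location shape of T≤c are this example's assumptions; formulas (1) and (2) are the paper's.

```python
# Added example (not from the paper): interpreter for deterministic 1-way timed automata on
# finite timed sequences plus an evaluator for TATLp path formulas on a finite prefix.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Letter = FrozenSet[str]                 # an element of 2^P: the propositions true at a position
TimedSeq = List[Tuple[Letter, float]]   # <a_1, tau_1> ... <a_n, tau_n>
Guard = Callable[[Letter, float, Dict[str, float]], bool]   # (letter read, T, clock values)


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    guard: Guard                          # clock constraint (and letter test) of the edge
    reset: FrozenSet[str] = frozenset()   # clocks x with x := T once the edge is taken


@dataclass(frozen=True)
class TimedAutomaton:
    initial: str
    final: FrozenSet[str]
    clocks: FrozenSet[str]
    edges: Tuple[Edge, ...]

    def accepts(self, seq: TimedSeq) -> bool:
        """The run starts in `initial` with every clock equal to t_1, takes one edge per
        further position (modelling choice: the guard is evaluated on the position being
        entered) and must end in a final location.  Nondeterminism is reported, not explored."""
        if not seq:
            return False
        q = self.initial
        clocks = {x: seq[0][1] for x in self.clocks}   # nu_1(x) = t_1 for every clock x
        for letter, t in seq[1:]:
            enabled = [e for e in self.edges if e.src == q and e.guard(letter, t, clocks)]
            if len(enabled) > 1:
                raise ValueError(f"automaton is not deterministic at location {q!r}")
            if not enabled:
                return False
            q = enabled[0].dst
            for x in enabled[0].reset:
                clocks[x] = t
        return q in self.final


def within(c: float) -> TimedAutomaton:
    """T^{<=c}: x holds the time of the first position; the run stays in the final location
    `ok` while |T - x| <= c and falls into the sink `bad` as soon as the distance exceeds c."""
    return TimedAutomaton(
        initial="ok", final=frozenset({"ok"}), clocks=frozenset({"x"}),
        edges=(Edge("ok", "ok", lambda a, T, v: abs(T - v["x"]) <= c),
               Edge("ok", "bad", lambda a, T, v: abs(T - v["x"]) > c),
               Edge("bad", "bad", lambda a, T, v: True)))


def segment(seq: TimedSeq, u: int, i: int) -> TimedSeq:
    """Trail(sigma[u, i]): positions u..i, walked backward when u > i.  Times then decrease,
    which is why clock constraints are written with |T - x|."""
    step = 1 if u <= i else -1
    return [seq[k] for k in range(u, i + step, step)]


# Path formulas as tuples: ("prop", P), ("true",), ("not", f), ("or", f, g),
# ("bind", u, f) for u.f, ("auto", A, u) for A_u, ("until", f, g), ("since", f, g).
def sat(seq: TimedSeq, i: int, E: Dict[str, int], f: tuple) -> bool:
    """(sigma, i) satisfies f w.r.t. the position association E, on the finite prefix seq."""
    op = f[0]
    if op == "true":
        return True
    if op == "prop":
        return f[1] in seq[i][0]
    if op == "not":
        return not sat(seq, i, E, f[1])
    if op == "or":
        return sat(seq, i, E, f[1]) or sat(seq, i, E, f[2])
    if op == "bind":                                   # evaluate under E[u -> i]
        return sat(seq, i, {**E, f[1]: i}, f[2])
    if op == "auto":                                   # Trail(sigma[E(u), i]) in L(A)
        return f[1].accepts(segment(seq, E[f[2]], i))
    if op == "until":
        return any(sat(seq, j, E, f[2]) and all(sat(seq, k, E, f[1]) for k in range(i, j))
                   for j in range(i, len(seq)))
    if op == "since":
        return any(sat(seq, j, E, f[2]) and all(sat(seq, k, E, f[1]) for k in range(j + 1, i + 1))
                   for j in range(0, i + 1))
    raise ValueError(f"unknown operator {op!r}")


def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def And(f, g): return Not(Or(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def Eventually(f): return ("until", ("true",), f)      # <> f   = true U f
def Once(f): return ("since", ("true",), f)            # <>_p f = true S f
def Always(f): return Not(Eventually(Not(f)))          # [] f   = not <> not f

P, Q = ("prop", "P"), ("prop", "Q")
BODY_1 = Implies(P, ("bind", "u", Eventually(And(Q, ("auto", within(5), "u")))))   # (1) under []
BODY_2 = Implies(Q, ("bind", "u", Once(And(P, ("auto", within(5), "u")))))         # (2) under []
FORMULA_1, FORMULA_2 = Always(BODY_1), Always(BODY_2)


def violations(seq: TimedSeq, body: tuple) -> List[int]:
    """Positions of the prefix where the body of an outermost [] fails.  Caveat: on a finite
    prefix the witness may lie beyond the end, so a late P with no Q yet counts as a violation."""
    return [i for i in range(len(seq)) if not sat(seq, i, {}, body)]


def props(*names: str) -> Letter:
    return frozenset(names)

# Constructed trace: P at 1.0 is answered by Q at 4.0, but P at 7.0 is not answered within 5.
TRACE: TimedSeq = [(props("P"), 1.0), (props(), 2.5), (props("Q"), 4.0), (props("P"), 7.0),
                   (props(), 9.0), (props("Q"), 13.5), (props("Q"), 20.0)]

if __name__ == "__main__":
    print("(1) fails at positions", violations(TRACE, BODY_1))   # [3]
    print("(2) fails at positions", violations(TRACE, BODY_2))   # [5, 6]
```

Because the within-5 check runs T≤5 over σ[E(u), i] in whichever direction the positions lie, the same automaton serves the future-looking formula (1) and the past-looking formula (2); only the direction of the segment changes.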

3.2 Sublogics

Several sublogics of BTATLp can be considered. We define the linear-time logic TATLp as the set of BTATLp path formulas without any occurrence of path quantifiers (formulas where the φ's can only be atomic propositions). The semantics of TATLp formulas can actually be given in terms of sets of timed sequences instead of computations of a fixed timed system T. Given a closed TATLp formula, we denote by [[ ]] the set of timed sequences satisfying it. Then, the logics TATL [BL95] and BTATL are the "future" fragments of TATLp and BTATLp, i.e., they correspond respectively to the sets of TATLp and BTATLp formulas without occurrences of past operators. The linear-time temporal logic TPTL [AH89] is the sublogic of TATL where automata constraints can only constrain time distances. Indeed, for every integer constant c, let T<c and T≤c be the automata
[Figure: the automata T<c and T≤c; in each, the initial edge resets x := T and the edge leading to the final location is labeled |T − x| < c, resp. |T − x| ≤ c.]
Notice that the automata above are deterministic, and hence the complements of their languages are recognized respectively by the automata T>c and T≥c obtained by inverting final and non-final locations. Then, the logics TPTL [AH89] and TPTLp are defined as the respective sublogics of TATL and TATLp where automata constraints are only expressed by means of T<c and T≤c (and T>c and T≥c), for any integer constant c. The same restriction applied to BTATL and BTATLp leads to the definitions of the branching-time logics TCTL [ACD90] and TCTLp, respectively. Finally, the branching-time logic TCTL [ACD90] is the fragment of TCTL such that path formulas can only be of the forms u.1 U 2 or ¬u.1 U 2, where the i's are boolean combinations of automata constraints (e.g., Au) and state formulas.

3.3 Veri cation problem

Let T be a timed system and κ be a configuration of T. The verification (model-checking) problem for a state formula φ consists in deciding whether κ ∈ [[φ]]T, whereas for a path formula it consists in deciding whether Trail(C(T, κ)) ⊆ [[ ]], or equivalently, whether κ ∈ [[∀ ]]T. It has been shown that the verification problem of TCTL is decidable [ACD90]. This problem is however undecidable for TPTL [AH89]. Hence, the verification problem is also undecidable for TATL(p), TCTL(p), and BTATL(p), where the subscript (p) means with or without past operators.

4 The logic BTATLp

4.1 De nition

BTATLp is the sublogic of BTATLp whose set of state (resp. path) formulas φ (resp. ) is defined by the following grammar:

φ ::= P | ¬φ | φ ∨ φ | ∃
 ::=  | u. |  ∨  |  ∧  |  U  |  S 
 ::= φ | Au, A is deterministic | ¬ |  ∨  |  U  |  S 

Notice that, while the set of path formulas is closed under negation in BTATLp, negation is not allowed in the path formulas above. It is convenient, however, to have universal path quantification at our disposal. Then, we extend the set of BTATLp formulas by state formulas of the form ∀' and path formulas ' defined by:

' ::=  | u.' | ' ∨ ' | ' ∧ ' | □' | □p' | ' U  | ' Ū  | ' S  | ' S̄ 

where 1 Ū 2 = 1 U (1 ∧ 2) and 1 S̄ 2 = 1 S (1 ∧ 2). We can show that this extension does not enrich the expressiveness of the logic, because path formulas of the first kind are equivalent to negations of ' formulas and conversely (see Proposition 4.1 below). However, this extension allows us to consider two different languages of path formulas, each of them characterizing the class of path properties that are either existentially or universally quantified.

4.2 Linear-time fragments

We introduce two linear-time timed logics TATL−p and TATL+p whose sets of formulas are respectively the sets of path formulas of the first kind and of the ' kind defined above, without occurrences of path quantifiers (where each state formula can only be an atomic proposition). We also introduce the fragments TPTL−p and TPTL+p of TPTL, defined in the obvious way. The denotations of the corresponding fragments without past operators are obtained by removing the subscript p.

Proposition 4.1 For every TATL+(p) (resp. TPTL+(p)) closed formula, there exists a TATL−(p) (resp. TPTL−(p)) closed formula ' such that the timed sequences satisfying the negation of the former are exactly those in [[']], and conversely.

Proof. The proposition follows from the following equivalences:

¬(1 U 2) = (□¬2) ∨ (¬2 Ū ¬1)
¬(1 Ū 2) = (□¬2) ∨ (¬2 U ¬1)
¬(1 S 2) = (□p¬2) ∨ (¬2 S̄ ¬1)
¬(1 S̄ 2) = (□p¬2) ∨ (¬2 S ¬1)

and the fact that position quantification distributes w.r.t. boolean operators, in addition to standard distributivity and duality laws for boolean and temporal operators.

4.3 Expressiveness

Let us discuss briefly the expressiveness of BTATLp and its linear-time sublogics. It can be shown that there is a TATL+ formula (which is actually a TPTL+ formula) whose set of timed sequences is not definable by means of timed ω-automata [BL95]. We show in the next section that, however, every TATL−p formula can be characterized by a timed Muller automaton. Moreover, we can prove that TATL+ as well as TATL− are more expressive than deterministic timed Muller ω-automata. Indeed, if A = (G, {qinit}, Acc) with Acc = {F1, …, Fn}, then the corresponding formula, which is in both TATL+ and TATL−, is given by:

$$u.\ \bigvee_{i=1}^{n} \Big( \big( \bigwedge_{q \in F_i} \Box\Diamond A^{q}_{u} \big) \wedge \big( \bigwedge_{q \notin F_i} \neg\Box\Diamond A^{q}_{u} \big) \Big) \qquad (3)$$

where, for every control location q of A, we denote by A^q the timed automaton (G, {qinit}, {q}) (i.e., the automaton which accepts the set of finite timed sequences reaching q). TATL+p and TPTL+p can express interesting classes of timed properties like time-constrained invariance properties, corresponding to formulas of the form

$$u_0.\,\Box\Big(A^{(0,0)}_{u_0} \Rightarrow \cdots\ u_n.\,\Box_{(p)}\Big(\bigwedge_{i=0}^{n} A^{(i,n)}_{u_i} \Rightarrow v.\,\Box_{(p)}\Big(\bigwedge_{i=0}^{n} B^{i}_{u_i} \wedge C_v\Big)\Big)\cdots\Big) \qquad (4)$$

and the time-constrained response properties, corresponding to formulas of the form

$$u.\,\Box\Big(A_u \Rightarrow v.\,\Diamond_{(p)}\big(B^0_u \wedge C^0_v \wedge \Diamond_{(p)}(B^1_u \wedge C^1_v \wedge \cdots \Diamond_{(p)}(B^n_u \wedge C^n_v))\cdots\big)\Big) \qquad (5)$$

For instance, the two formulas (1) and (2) are TPTL+p formulas expressing time-constrained response properties. As for the fragments TATL−p and TPTL−p, they allow expressing the dual properties, namely time-constrained eventuality and time-constrained persistence properties. The logics TATL+(p) and TATL−(p) are not comparable with TPTL(p). Indeed, TPTL(p) allows expressing properties that are expressible in TATL+(p) but not in TATL−(p), whereas their negations are expressible in TATL−(p) but not in TATL+(p). On the other hand, as we have seen above, both TATL+(p) and TATL−(p) can express all the properties that are expressible by deterministic timed ω-automata, whereas TPTL(p) cannot. For the same reasons, the logic BTATL(p) is not comparable with TCTL(p). We can also show that BTATL(p) subsumes the logic TCTL as defined in [ACD90]. Finally, the logics TATL+p and TATL−p, as well as their fragments TPTL+p and TPTL−p, are incomparable with the linear-time logic MITL [AFH91], its extension with past operators MITLP [AH92], and EMITL [Wil94]. Indeed, all these logics forbid punctual time constraints, whereas TATL+p and TPTL+p do not. Moreover, as mentioned above, each time constraint in these logics is attached to one temporal operator, whereas constraints in TATL+p and TPTL+p are attached to position variables, which allows constraining overlapping computation segments.

5 Example

In this section we show, using the Philips audio control protocol [BPV94], that BTATLp allows naturally expressing the requirements of a realistic case study. The system is composed of a sender and a receiver connected through a wire. The sender sends bit streams using Manchester encoding. A "1" is sent by raising the voltage in the middle of the bit slot, that is, the voltage is low during the first half of the slot and high in the second one. Sending a "0" is just the reverse. When the same bit is sent in two consecutive bit slots, an additional edge is placed in between. The following picture illustrates the encoding of the bit stream "110100".

[Figure: Manchester encoding of the bit stream "110100" over six bit slots; the event in coincides with the first up, the voltage edges are the events up and down, and the transmission ends with the event out.]

The length of the bit slot is 4. The events in and out model respectively the request to transmit a bit stream and the corresponding output. Upgoing and downgoing edges are modeled by the events up and down. The first up occurs concurrently with the input in. The particular hardware used by Philips is such that downgoing edges cannot be reliably detected, and therefore the receiver must decode the binary signal only from the upgoing ones, and the length of the bit slot can only be measured with some known error of at most 1/20. Following [BPV94] we also assume that sender and receiver synchronize on the event up, that is, there is no propagation delay, and that whenever an action in happens before the action out corresponding to the previous message, the protocol moves to a chaotic state where everything is allowed. We do not model here the behavior of the components of the system but concentrate instead on the properties the protocol is required to satisfy. Timed automata based descriptions of the sender and the receiver are given in [HW95, DY95]. The first requirement is that the received bit stream is equal to the one sent, provided the protocol is not in a chaotic state.

That is, whenever the receiver produces an out in a non-chaotic state, then necessarily an in occurred in the past when the sender started transmitting the bit stream, and since this last occurrence of in the system must have transmitted the bit stream correctly according to the Manchester encoding. In order to express this property in BTATLp we need to characterize the set of behaviors leading to non-chaotic out-states, and the ones corresponding to correct transmissions. Non-chaotic states are those satisfying that, everywhere in the past, between any two consecutive occurrences of in there is an out and vice versa. Besides, it must be ensured that no bit has been sent nor received between an out and the next in. This means that the transmission terminates with the out event (i.e., both the sender stopped transmitting and the receiver stopped receiving). Behaviors leading to non-chaotic states where out holds are characterized by the automaton A^out depicted below, where Else stands for the set of events containing neither in nor out.

[Figure: the automaton A^out; its edges are labeled in, out and Else, and its final location is the out location.]

In order to characterize the correct transmissions we have to ensure that the bit stream has been sent using Manchester encoding and that it has been correctly received. For that we construct a timed automaton B as follows. B uses a clock x to measure the time elapsed since the last change in the voltage of the wire. The value of x also allows distinguishing between the first half and the second half of the bit slot. Let x = c stand for c − ε ≤ T − x ≤ c + ε. An occurrence of up when x = 4 corresponds to the emission of a "1", which is modeled by the event sen1. Otherwise, if up occurs when x = 2, then it must be the required upgoing edge between two consecutive "0"s. To send a "0", modeled by the event sen0, the sender produces a down when x = 4. down's occurring when x = 2 correspond to downgoing edges placed between two consecutive "1"s. Besides, up's and down's must alternate. Since the receiver does not see down's, it cannot decode "0"s at the same time they are sent but must wait until the next up, so it may be behind the sender, that is, the received bit stream may be shorter than the one sent. Anyway, the receiver is only allowed to decode at most two bits at a time, namely a single "0" or "1", or a sequence "01", respectively modeled by the events rec0, rec1 and rec01. Thus, proving that the receiver correctly decodes the bit stream comes down to showing that at any time the receiver is at most a "0" behind the sender, and that it eventually adds the missing "0" at the end of the message whenever required. Besides, since the voltage must be low at the end of the transmission, the event out can only occur after a down. The automaton B is depicted in the following picture, where the labeling of a location must be interpreted as a set of events that must occur simultaneously, and the clock x is set to T by every transition (omitted in the figure).
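To make the encoding of the picture above and the receiver's decoding rules concrete, here is an added example in Python (not code from the paper or from [BPV94]). It encodes a bit stream with slot length 4, an up in the middle of the slot for a "1", a down for a "0" and an extra edge at the boundary between two equal bits, and then decodes from the up edges and the final out only, emitting one or two bits per up (rec0, rec1, rec01) and adding a trailing "0" at out when the receiver is still one "0" behind. It goes slightly beyond the page by giving the complete decoding table for both receiver states (last up in the middle of a slot, or at a slot boundary announcing a "0"). The assumptions of the example are that a message starts with "1" (as the stream "110100" does), so that in coincides with the first up, that the line is brought low before out, and that the receiver's measurement error is modeled as a uniform stretch of all timestamps by a factor within 1/20.

```python
# Added example (not from the paper or [BPV94]): Manchester encoding with bit slot 4 on the
# sender side, and a receiver that rebuilds the bit stream from the up edges alone.
from typing import FrozenSet, List, Tuple

SLOT = 4.0          # bit slot length
EPS = 1.0 / 20      # bound on the relative error of the receiver's time measurements
Event = Tuple[FrozenSet[str], float]   # simultaneous events (in, up, down, out) and their time


def encode(bits: str) -> List[Event]:
    """Sender: a "1" is an up in the middle of the slot, a "0" a down; an extra edge is placed
    at the slot boundary when two equal bits follow each other.  Assumption of this example
    (true of "110100"): the message starts with "1", so `in` coincides with the first up."""
    if not bits or bits[0] != "1" or set(bits) - {"0", "1"}:
        raise ValueError("message must be a bit string starting with 1")
    edges: List[Tuple[str, float]] = []
    high = False                                      # voltage level on the wire
    for k, b in enumerate(bits):
        start, mid = k * SLOT, k * SLOT + SLOT / 2
        first_half_high = (b == "0")                  # "1": low then high; "0": high then low
        if high != first_half_high:                   # same bit as before: edge at the boundary
            edges.append(("up" if first_half_high else "down", start))
        edges.append(("up" if b == "1" else "down", mid))   # the edge that carries the bit
        high = (b == "1")
    end = len(bits) * SLOT
    if high:                                          # the line must be low before `out`
        edges.append(("down", end))
        end += 1.0
    events = [(frozenset({"in", edges[0][0]}), edges[0][1])]   # in together with the first up
    events += [(frozenset({e}), t) for e, t in edges[1:]]
    events.append((frozenset({"out"}), end))
    return events


def legal_gap(gap: float) -> float:
    """Snap a measured distance between consecutive ups to 4, 6 or 8 time units, within EPS."""
    n = min((4.0, 6.0, 8.0), key=lambda c: abs(gap - c))
    if abs(gap - n) > EPS * gap:
        raise ValueError(f"distance {gap} between ups is not a legal Manchester distance")
    return n


# (receiver state, distance to the previous up) -> bits decoded at this up, and whether this
# up is a slot-boundary edge announcing a "0" whose down the receiver will never see.
DECODE = {
    (False, 4.0): ("1", False),    # rec1:  previous bit was 1, this up is another 1
    (False, 6.0): ("0", True),     # rec0:  a 0 was sent, and this up announces a second 0
    (False, 8.0): ("01", False),   # rec01: a 0 was sent, this up is a 1
    (True, 4.0): ("0", True),      # rec0:  the announced 0, and yet another 0 announced
    (True, 6.0): ("01", False),    # rec01: the announced 0, then a 1
}


def decode(events: List[Event]) -> str:
    """Receiver: decodes from the up edges and the final out only, at most two bits per up."""
    bits: List[str] = []
    last_up = None
    pending_zero = False
    for names, t in events:
        if "up" in names:
            if last_up is None:                       # first up, together with in: the leading 1
                bits.append("1")
            else:
                key = (pending_zero, legal_gap(t - last_up))
                if key not in DECODE:
                    raise ValueError(f"distance {key[1]} is impossible after a boundary up")
                decoded, pending_zero = DECODE[key]
                bits.append(decoded)
            last_up = t
        elif "out" in names and pending_zero:         # out rec0: the receiver adds the missing 0
            bits.append("0")
            pending_zero = False
    return "".join(bits)


def round_trip(bits: str, scale: float = 1.0) -> str:
    """Encode, stretch every timestamp by `scale` (constructed measurement error), decode."""
    return decode([(names, t * scale) for names, t in encode(bits)])


if __name__ == "__main__":
    for names, t in encode("110100"):
        print(f"{t:5.1f}  {' '.join(sorted(names))}")
    print(round_trip("110100"), round_trip("110100", 1.04))   # 110100 110100
```

The stream "110100" yields ups at times 2, 6, 14 and 20, so the receiver sees distances 4, 8 and 6 and decodes "1", "01" and "0", and only the final out reveals the last "0": exactly the "at most one 0 behind" situation the automaton B has to cover.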

[Figure: the timed automaton B; its transitions are labeled with the simultaneous events up sen1 rec1, down sen0, up (the boundary edge between two "0"s), up sen1 rec01, up rec0, down and out rec0, guarded by the constraints x = 2, x = 3, x = 4 and x = 5.]

Then, the required property can be expressed by the following BTATLp formula:

∀u.□[A^out_u ⇒ ¬in S (in ∧ v.◇Bv)]   (6)

The previous property stated that every non-chaotic out state corresponds to the end of a correct transmission. Now, we also need to express that every non-chaotic in state is the start of a correct transmission. We do not exclude that some behaviors after in correspond to incorrect transmissions leading to chaotic states (if another in occurs before out). However, the protocol must guarantee that whenever the sender starts transmitting a message in a non-chaotic state, there exists at least one behavior leading to a correct transmission. To express this property, we need a universal path quantification over paths leading to non-chaotic in states, and an existential path quantification over paths starting at these states. Non-chaotic in states are characterized by an automaton A^in defined as A^out above, by taking as final control location the in location instead of the out one. Then, the property we are interested in can be expressed by the following BTATLp formula:

∀u.□(A^in_u ⇒ ∃v.◇Bv)   (7)


6 Relating logics to automata

We show in this section that TATL−p closed formulas can be effectively characterized by means of 1-bounded 2-way timed Büchi ω-automata. By transforming these automata into 1-way automata, we get a construction of timed Büchi ω-automata for TATL−p closed formulas. We also give a direct construction of (1-way) timed Büchi ω-automata in the case of TPTL−p closed formulas. First of all, we need to put TATL−p formulas in a special syntactical form. We say that a TATL−p formula is in normal form if it is a disjunction of formulas defined by:

 ::=  | u. |  ∧  |  U  |  S 
 ::= P | ¬P | Au, A is deterministic |  ∨  |  ∧  | □ | □p |  U  |  S 

Lemma 6.1 Every TATL−p formula can be transformed into an equivalent formula in normal form.

Proof. We use the fact that deterministic automata are closed under complementation, distributivity and duality laws as well as the equivalences used for proving Proposition 4.1, and the fact that 0 # (1 ∨ 2) is equivalent to (0 # 1) ∨ (0 # 2), where # stands for either U or S.

Theorem 6.1 For every TATL⁻ₚ closed formula ψ, we can effectively construct a 1-bounded 2-way timed Büchi ω-automaton A_ψ over Σ such that L(A_ψ) = ⟦ψ⟧.

Proof. From Lemma 6.1 we can assume that ψ is in normal form. We show hereafter how to construct a 2-way timed Büchi ω-automaton A_θ for any disjunct θ of ψ that recognizes precisely the set of timed sequences ⟦θ⟧. Then, the theorem follows from the fact that 2-way timed Büchi ω-automata are closed under union.

The construction generalizes the one given in [BL95] for TATL⁻ by taking into account the fact that, due to the combination of future and past operators, automata constraints can now be expressed forward and backward starting from some given position. The basic observation behind our construction is that every TATL⁻ₚ formula allows us to consider only a finite number of positions on timed sequences from which automata constraints can start. This is due to the fact that position quantification can occur neither in the left-hand side of U and S nor in the scope of □ and □_p (see the definition of normal form above). Hence, to each position variable appearing in the formula corresponds one position on the sequence. This fact allows us to decompose the construction of A_θ by considering separately the two following problems:

- checking "propositional consistency", that is, whether a timed sequence satisfies the formula modulo abstraction from automata constraints,
- checking "automata constraints consistency", that is, whether a timed sequence respects the automata constraints imposed by the formula.

To construct the automaton A_θ, we proceed in the following manner. First, we abstract from position quantification and automata constraints and replace them by special atomic propositions; these propositions are used later as markers of the positions where the automata (involved in automata constraints) must start running and where they must accept. So, let us associate with each position variable u (resp. constraint A_u) appearing in θ a new atomic proposition at-u (resp. [A_u]). We denote by θ̂ the formula obtained by substituting in θ each occurrence of a position quantification u. (resp. constraint A_u) by the corresponding proposition at-u (resp. [A_u]). Clearly, the formula θ̂ is syntactically in the propositional temporal logic with past operators PTLₚ. Therefore, we can construct (using [VW86] for instance) a Büchi ω-automaton B which accepts all the infinite sequences satisfying (according to PTLₚ semantics) the PTLₚ formula θ̂. Then, by considering θ̂ as a TPTLₚ formula, a timed ω-automaton Â recognizing the set of timed sequences ⟦θ̂⟧ is straightforwardly obtained from B by adding trivial constraints on its transitions.

Then, we introduce a 1-bounded 2-way timed Büchi ω-automaton A_const which ensures that the timed sequences fulfil the automata constraints, i.e., every proposition at-u occurs at exactly one position, and every subsequence delimited by the propositions at-u and [A_u] is accepted by the automaton A. The construction of A_const is done as follows. The automaton A_const starts with a forward pass in which it looks for the first position of the sequence at which all the propositions at-u have already been encountered. Then, A_const checks the satisfaction of the automata constraints in two independent phases: backward until the initial position is reached, and then forward, forever.
In each phase, whenever A_const encounters a proposition at-u, it starts simulating in parallel all the automata involved in formulas A_u referring to u, together with all the automata already running since previously visited initialization positions. Several propositions of the form at-u can be true at the same position, and hence A_const must consider all their related automata simultaneously. Then, whenever some proposition [A_u] holds, A_const checks that the corresponding automaton A is at some final control location. In the backward pass, A_const simulates the automata involved in automata constraints after reversing the direction indicators of their edges (all of them become equal to −). Moreover, during these two phases, A_const also checks that no proposition at-u occurs twice on the sequence. A special atomic proposition init is introduced to mark the initial position on the sequence. The proposition init is true at the initial location of A_const and false in all the other locations of the first forward pass (the initial location has no self loops). Then, init is used to detect the end of the backward pass and becomes false in all the locations of the last forward pass. The set of repeating control locations of A_const consists of all those corresponding to the last forward pass. Finally, we consider the product automaton Â × A_const, which works in the following manner: first, it simulates A_const during its first forward pass and its backward pass, and then it simulates Â in parallel with A_const in its last forward pass. The repeating control locations of Â × A_const are the pairs of Â and A_const locations whose first components are repeating locations of Â. Clearly, Â × A_const recognizes the intersection of the languages of the two automata Â and A_const. We obtain the automaton A_θ as the projection on P of Â × A_const.

Corollary 6.1 For every TATL⁻ₚ closed formula ψ, we can effectively construct a timed Büchi ω-automaton A_ψ over Σ such that L(A_ψ) = ⟦ψ⟧.

Proof. By Theorem 6.1, we can associate with each TATL⁻ₚ closed formula a 1-bounded 2-way timed ω-automaton. Moreover, it has been shown in [AH92] that, for every integer k ≥ 0, k-bounded 2-way timed automata on finite sequences can be transformed into equivalent 1-way timed automata. Since the 2-way ω-automata we construct for TATL⁻ₚ formulas have only one reversal, it is possible to adapt the transformation of [AH92] to their case and get equivalent 1-way ω-automata.

We present hereafter two subclasses of TATL⁻ₚ for which it is possible to construct a 1-way ω-automaton directly, without resorting to 2-way automata. The first class consists of the formulas in which no past operator occurs between an occurrence of a position variable u and an occurrence of a formula A_u. Indeed, in the proof of Theorem 6.1, reversals of the automaton are only needed to check automata constraints A_u expressed between the position u and some other position in the past of u. For an example of a formula in this class, see formula (6) in Section 5. The second class is the sublogic TPTL⁻ₚ. The following theorem holds.

Theorem 6.2 For every TPTL⁻ₚ closed formula ψ, we can effectively construct a timed Büchi ω-automaton A_ψ over Σ such that L(A_ψ) = ⟦ψ⟧.

Proof. The automaton A_const of the previous construction can be defined as a timed Büchi automaton in the following manner. To check the satisfaction of past time constraints, for each subformula T_u ◁ c (resp. T_u ▷ c) of θ̂, where ◁ (resp. ▷) stands for either < or ≤ (resp. > or ≥), the automaton A_const memorizes the time t of the first (resp. last) occurrence of the proposition [T_u ◁ c] (resp. [T_u ▷ c]) before the position where at-u is true. When A_const reaches this latter position at some time t_u, it checks that t_u − t ◁ c (resp. t_u − t ▷ c) holds. This procedure is possible since only a finite number of clock variables are needed, one for each time constraint appearing in θ̂. Now, in order to check the satisfaction of future time constraints, the automaton A_const memorizes the time t_u associated with each proposition at-u, and then it can check that all the forthcoming occurrences of the propositions [T_u ◁ c] and [T_u ▷ c] are at time distances from t_u that satisfy the corresponding constraints. Again, this procedure is possible since there are only finitely many positions where the propositions at-u occur.

7 Model checking: the linear-time case

In this section, we consider the verification problem of timed systems with respect to the linear-time logic TATL⁺ₚ. We show that this problem is decidable.

Let ψ be a TATL⁺ₚ closed formula. Then, by Proposition 4.1 and Corollary 6.1, we can effectively construct a timed Büchi ω-automaton A_¬ψ which recognizes the set of timed sequences ⟦¬ψ⟧. Hence, given a timed system T and a configuration σ of T, verifying that Trail(C(T, σ)) ⊆ ⟦ψ⟧ (i.e., that σ satisfies ψ) consists in deciding whether Trail(C(T, σ)) ∩ L(A_¬ψ) = ∅.

To do so, we proceed as in [AD94] by introducing a finite partition of the configuration space which preserves the emptiness property above. Given a timed graph G = (Q, π, X, E), for every x ∈ X we denote by m(x, G) the maximal natural number c such that a constraint comparing T − x with c occurs in the clock constraints on the edges in E. Then, given two valuations ν and ν′, and two time values t and t′, we write (ν, t) ≅_G (ν′, t′) if and only if the following assertions are true:

- for every x ∈ X and all natural numbers c, c′ ≤ m(x, G): t − ν(x) = c iff t′ − ν′(x) = c, and c < t − ν(x) < c′ iff c < t′ − ν′(x) < c′,
- for every x, y ∈ X such that t − ν(x) ≤ m(x, G) and t − ν(y) ≤ m(y, G): fract(t − ν(x)) ≤ fract(t − ν(y)) iff fract(t′ − ν′(x)) ≤ fract(t′ − ν′(y)).

It can be verified that ≅_G is a finite-index equivalence between the valuations of the clocks of G. Moreover, it is not difficult to show the following facts:
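The equivalence on clock valuations defined above, as an added Python illustration (this is not code from the paper). It follows the page's conventions: a valuation maps each clock to the time of its last reset, so clock x reads t − (reset time of x) at time t, and m gives the maximal constant m(x, G) of each clock. The function names, the two-clock sample and `region_key` are constructed for this example; `region_key` goes slightly beyond the text by computing a canonical name for each class, which makes the finite index visible, and `reset` mirrors the reset operation used in Lemma 7.1.

```python
"""Region equivalence of Section 7 on clock valuations. Added illustration, not the paper's
code: a valuation maps each clock to its last reset time, so clock x reads t - val[x] at time t."""
from fractions import Fraction
from math import floor

def clock_value(val, t, x):
    return Fraction(t) - Fraction(val[x])

def fract(v):
    return v - floor(v)

def same_integral_class(v1, v2, m):
    """First clause of the definition for one clock with maximal constant m: for all
    naturals c, c' <= m, v1 == c iff v2 == c, and c < v1 < c' iff c < v2 < c'.
    Equivalently: both values exceed m, or they have the same integer part and are
    both integral or both non-integral."""
    if v1 > m or v2 > m:
        return v1 > m and v2 > m
    return floor(v1) == floor(v2) and (fract(v1) == 0) == (fract(v2) == 0)

def region_equivalent(val1, t1, val2, t2, m):
    """Decide whether (val1, t1) and (val2, t2) are equivalent; m maps each clock x to m(x, G)."""
    v1 = {x: clock_value(val1, t1, x) for x in m}
    v2 = {x: clock_value(val2, t2, x) for x in m}
    if not all(same_integral_class(v1[x], v2[x], m[x]) for x in m):
        return False
    # Second clause: the order of fractional parts must agree for every pair of clocks
    # that have not exceeded their maximal constant (the same clocks on both sides,
    # because the first clause already holds).
    bounded = [x for x in m if v1[x] <= m[x]]
    for x in bounded:
        for y in bounded:
            if (fract(v1[x]) <= fract(v1[y])) != (fract(v2[x]) <= fract(v2[y])):
                return False
    return True

def region_key(val, t, m):
    """Canonical name of the class of (val, t): clocks above m(x) collapse to 'above',
    bounded clocks keep integer part and integrality, and bounded clocks are ranked by
    fractional part (ties share a rank). Two configurations are region_equivalent iff
    their keys coincide, so the number of classes is finite."""
    v = {x: clock_value(val, t, x) for x in m}
    parts = tuple(("above",) if v[x] > m[x] else (floor(v[x]), fract(v[x]) == 0)
                  for x in sorted(m))
    bounded = [x for x in sorted(m) if v[x] <= m[x]]
    levels = sorted({fract(v[x]) for x in bounded})
    ranks = tuple((x, levels.index(fract(v[x]))) for x in bounded)
    return parts, ranks

def reset(val, t, clocks):
    """The valuation obtained by resetting every clock in `clocks` at time t (as in Lemma 7.1)."""
    return {**val, **{x: t for x in clocks}}

# Constructed sample: two clocks, both with maximal constant 2 (Fractions keep exactness).
M = {"x": 2, "y": 2}
CONF_A = ({"x": Fraction("4.6"), "y": Fraction("4.2")}, 5)   # clock values x = 0.4, y = 0.8
CONF_B = ({"x": Fraction("9.9"), "y": Fraction("9.5")}, 10)  # x = 0.1, y = 0.5: same class
CONF_C = ({"x": Fraction("9.5"), "y": Fraction("9.9")}, 10)  # x = 0.5, y = 0.1: order flipped
```

`CONF_A` and `CONF_B` are equivalent (same integer parts, and x's fractional part below y's in both), while `CONF_C` is not, because the order of the fractional parts is reversed; a clock that has passed its maximal constant on both sides no longer influences the class.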

Lemma 7.1 If (ν1, t1) ≅_G (ν2, t2) then
1. for every X′ ⊆ X: (ν1[X′ ↦ t1], t1) ≅_G (ν2[X′ ↦ t2], t2),
2. for every t′1 > t1 with (ν1, t′1) ⊨ f, there exists t′2 > t2 such that (ν2, t′2) ⊨ f and (ν1, t′1) ≅_G (ν2, t′2).

Then, given two configurations ⟨q, ν, t⟩ and ⟨q′, ν′, t′⟩ of G, we write ⟨q, ν, t⟩ ≅_G ⟨q′, ν′, t′⟩ if and only if q = q′ and (ν, t) ≅_G (ν′, t′). For every configuration σ of G, we denote by [σ] its equivalence class. Using Lemma 7.1, we can prove the following fact:

Lemma 7.2 Let T be a timed system with timed graph G, let σ and σ′ be two configurations of T such that σ ≅_G σ′, and let A be a timed ω-automaton whose timed graph is G′. If there exist a computation (⟨q_i, ν_i, t_i⟩)_{i≥1} starting from σ and an accepting run (⟨q̃_i, ν̃_i, t_i⟩)_{i≥1} of A over its trail, then there exist a computation (⟨q_i, ν′_i, t′_i⟩)_{i≥1} starting from σ′ and an accepting run (⟨q̃_i, ν̃′_i, t′_i⟩)_{i≥1} of A over its trail such that, for every i ≥ 1, ⟨q_i, ν_i, t_i⟩ ≅_G ⟨q_i, ν′_i, t′_i⟩ and ⟨q̃_i, ν̃_i, t_i⟩ ≅_{G′} ⟨q̃_i, ν̃′_i, t′_i⟩.

As an immediate consequence of Lemma 7.2, we have the following fact:

Lemma 7.3 Let T be a timed system with timed graph G, and let σ and σ′ be two configurations of T such that σ ≅_G σ′. Then, for every timed ω-automaton A, Trail(C(T, σ)) ∩ L(A) = ∅ iff Trail(C(T, σ′)) ∩ L(A) = ∅.

Using Lemma 7.3 we prove:

Lemma 7.4 Given a timed system T, a configuration σ of T and a timed ω-automaton A, the problem whether Trail(C(T, σ)) ∩ L(A) = ∅ is decidable.

Proof. Let T be a timed system with timed graph G, let σ = ⟨q, ν, t⟩ be a configuration of T, and let A = (G_A, I_A, F_A). First, we transform the timed system T in such a way that the fairness condition expressed as a set of fair edges becomes a Büchi-like fairness condition expressed by a set of repeating control locations F. This transformation uses a standard technique which consists in considering a new set of locations obtained as the product of the set of locations of T with its set of edges E, and taking all the edges ((q, e), f, X, (q′, e′)) such that e′ = (q, f, X, q′). The set of clocks is obviously unchanged, and each new location (q, e) inherits the label of q. Let G* be the new timed graph obtained by this transformation. The corresponding set of repeating locations F is the set of locations whose projections on E are fair edges of T.

Then, consider the timed graph G* × G_A obtained as the product of G* and G_A: the control locations of the product are pairs of locations of G* and G_A with the same label, the set of clocks is the union of the two sets of clocks (supposed disjoint without loss of generality), and the edges are parallel compositions of edges of the two graphs (the clock constraints of the paired edges are obtained by conjunction and their sets of reset clocks by union). By Lemma 7.3, we can decide the emptiness of the set Trail(C(T, ⟨q, ν, t⟩)) ∩ L(A) by considering the finite-state region graph defined as the quotient of G* × G_A w.r.t. the equivalence ≅_{G* × G_A}, and by checking on this finite graph that, starting from some vertex ([⟨q, ν, t⟩], [⟨q_init, ν_t, t⟩]) where q_init ∈ I_A and ν_t is the valuation associating t with all the clock variables of A, there exists a path which visits infinitely often locations in F and in F_A. This reasoning can be straightforwardly adapted to the case where A is a timed Muller ω-automaton.
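The finite-graph part of the proof above (fair edges turned into repeating locations, the synchronous product with the automaton, and the search for a path visiting F and F_A infinitely often), as an added Python illustration that is not the paper's code. Time is abstracted away: the graphs below stand in for the region graph the proof quotients by, so the clock constraints and reset sets of the paired edges are omitted. The idle/busy system, the automaton, the single initial automaton state and all function names are constructed for this example, and only the reachable part of the transformed system is built.

```python
"""Finite-graph steps of the Lemma 7.4 proof (added illustration, not the paper's code): edge
fairness to repeating locations, synchronous product with the automaton, emptiness under F and F_A."""
from collections import deque

def fair_edges_to_repeating(init, edges, fair_edges):
    """Locations become (q, e), e the edge just taken to enter q; only pairs reachable from (init, None)."""
    start = (init, None)
    adj = {start: set()}
    todo = deque([start])
    while todo:
        s = todo.popleft()
        for e in (e for e in edges if e[0] == s[0]):   # an edge is (source, name, target)
            tgt = (e[2], e)
            adj[s].add(tgt)
            if tgt not in adj:
                adj[tgt] = set()
                todo.append(tgt)
    repeating = {s for s in adj if s[1] in fair_edges}   # the set F of the proof
    return start, adj, repeating

def synchronous_product(s_start, s_adj, s_label, a_init, a_adj, a_label):
    """Pair states with equal labels and move both sides together; start is None if the initial labels differ."""
    if s_label(s_start) != a_label(a_init):
        return None, {}
    start = (s_start, a_init)
    adj = {start: set()}
    todo = deque([start])
    while todo:
        s, a = todo.popleft()
        for s2 in s_adj[s]:
            for a2 in a_adj[a]:
                if s_label(s2) == a_label(a2):
                    tgt = (s2, a2)
                    adj[(s, a)].add(tgt)
                    if tgt not in adj:
                        adj[tgt] = set()
                        todo.append(tgt)
    return start, adj

def strongly_connected_components(adj):
    """Tarjan's algorithm over an adjacency dict in which every vertex is a key."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:           # v is the root of a component: pop it
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            sccs.append(comp)
    for v in adj:
        if v not in index:
            visit(v)
    return sccs

def has_fair_accepting_run(adj, F, FA):
    """A path visiting F and FA infinitely often exists iff a non-trivial SCC (one with a cycle) meets both."""
    for comp in strongly_connected_components(adj):
        non_trivial = len(comp) > 1 or any(v in adj[v] for v in comp)
        if non_trivial and comp & F and comp & FA:
            return True
    return False

def intersection_nonempty(sys_init, sys_edges, fair_edges, loc_label,
                          aut_init, aut_adj, aut_label, aut_accept):
    """True iff some fair computation of the system has a trail accepted by the automaton."""
    start, s_adj, repeating = fair_edges_to_repeating(sys_init, sys_edges, fair_edges)
    p_start, p_adj = synchronous_product(start, s_adj, lambda s: loc_label[s[0]],
                                         aut_init, aut_adj, lambda a: aut_label[a])
    if p_start is None:
        return False
    F = {p for p in p_adj if p[0] in repeating}
    FA = {p for p in p_adj if p[1] in aut_accept}
    return has_fair_accepting_run(p_adj, F, FA)

# Constructed sample system: two labelled locations, three edges (source, name, target).
E_START, E_DONE, E_RETRY = ("q0", "start", "q1"), ("q1", "done", "q0"), ("q1", "retry", "q1")
SYSTEM_EDGES = [E_START, E_DONE, E_RETRY]
LOC_LABEL = {"q0": "idle", "q1": "busy"}
# Constructed automaton for the negated property "eventually always busy": it accepts
# exactly the label sequences with finitely many "idle" positions.
AUT_ADJ = {"a_idle": {"a_idle", "a_busy", "a_busy_acc"}, "a_busy": {"a_idle", "a_busy", "a_busy_acc"},
           "a_busy_acc": {"a_busy_acc"}}
AUT_LABEL = {"a_idle": "idle", "a_busy": "busy", "a_busy_acc": "busy"}
AUT_ACCEPT = {"a_busy_acc"}

def demo(fair_edges):
    return intersection_nonempty("q0", SYSTEM_EDGES, fair_edges, LOC_LABEL,
                                 "a_idle", AUT_ADJ, AUT_LABEL, AUT_ACCEPT)
```

With the "done" edge fair, every fair computation returns to idle infinitely often, so no trail is accepted and `demo({E_DONE})` is False; with the "retry" edge fair, staying busy forever is a fair computation and `demo({E_RETRY})` is True. In the proof the same check runs on the region graph of G* × G_A, whose vertices are the equivalence classes of the product's configurations.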

Since verifying that a configuration σ satisfies a TATL⁺ₚ closed formula ψ consists in checking whether Trail(C(T, σ)) ∩ L(A_¬ψ) = ∅, we have:

Theorem 7.1 The verification problem of timed systems w.r.t. TATL⁺ₚ is decidable.


8 Model checking: the branching-time case

Let us now address the verification problem of timed systems w.r.t. BTATLₚ. We proceed in the following manner. First, we introduce a logic, called timed-ECTL∃, where path properties are expressed by means of timed Muller automata, in the spirit of [VW86]. We show that it is possible to construct for every BTATLₚ formula an equivalent timed-ECTL∃ formula, and then we give a model checking algorithm for the logic timed-ECTL∃.

8.1 The logic timed-ECTL∃

Timed-ECTL∃ is a timed extension of the logic ECTL [HT87]. The set of timed-ECTL∃ (state) formulas φ is given by:

    φ ::= P | ¬φ | φ ∨ φ | ∃A(φ1, …, φn)

where A is a timed Muller ω-automaton over a finite nonempty alphabet V = {a1, …, an}. In timed-ECTL∃, timed Muller automata on infinite sequences are used to express path properties: the formula ∃A(φ1, …, φn) says that there exist a computation ρ and an infinite timed sequence ⟨a_{j1}, t1⟩⟨a_{j2}, t2⟩⋯ accepted by the automaton A such that, at each position i of ρ, the state formula φ_{ji} is satisfied.

Let us give the formal semantics of timed-ECTL∃ formulas. This semantics is given by means of a satisfaction relation between configurations and formulas. Let T be a timed system over Σ. Then, for every configuration ⟨q, ν, t⟩ and every formula φ, the meaning of ⟨q, ν, t⟩ ⊨_T φ is inductively defined by:

    ⟨q, ν, t⟩ ⊨_T P               iff  P ∈ π(q)
    ⟨q, ν, t⟩ ⊨_T ¬φ              iff  ⟨q, ν, t⟩ ⊭_T φ
    ⟨q, ν, t⟩ ⊨_T φ1 ∨ φ2         iff  ⟨q, ν, t⟩ ⊨_T φ1 or ⟨q, ν, t⟩ ⊨_T φ2
    ⟨q, ν, t⟩ ⊨_T ∃A(φ1, …, φn)   iff  ∃ρ ∈ C(T, ⟨q, ν, t⟩). ∃⟨a_{j1}, t1⟩⟨a_{j2}, t2⟩⋯ ∈ L(A). ∀i ≥ 1. ρ[i, i] ⊨_T φ_{ji}

For every timed-ECTL∃ formula φ, ⟦φ⟧_T denotes the set of configurations σ of T satisfying φ.

Theorem 8.1 Let T be a timed system. Then, for every BTATLₚ state formula φ, we can effectively construct a timed-ECTL∃ formula φ′ such that ⟦φ⟧_T = ⟦φ′⟧_T.

Proof. By induction on the nesting depth of path quantifiers; it is based on the fact that we can associate a timed Büchi ω-automaton with every TATL⁻ₚ closed formula, using Theorem 6.1 and the translation of bounded 2-way timed automata into 1-way timed automata.

8.2 Model checking algorithm

Given a timed system T and a timed-ECTL∃ formula φ, we propose a model-checking algorithm which decides, for each subformula φ′ of φ, which configurations of T satisfy φ′, starting from the innermost subformulas and finishing with the formula φ itself. This algorithm generalizes the one given in [ACD90] for the logic TCTL. We start by proving the following key lemma.

Lemma 8.1 Let T be a timed system with timed graph G and let σ and σ′ be two configurations of T such that σ ≅_G σ′. Then, for every timed-ECTL∃ formula φ, σ ⊨_T φ iff σ′ ⊨_T φ.

Proof. By induction on the structure of the formulas. The cases of atomic propositions and boolean connectives are immediate. The case of a formula of the form ∃A(φ1, …, φn) is tackled using Lemma 7.2 and the induction hypothesis.

Roughly speaking, Lemma 8.1 allows us to reason about classes of configurations instead of configurations. Let us present informally the main steps leading to the definition of the model checking algorithm. Given a timed system T with timed graph G = (Q, π, X, E), the algorithm runs on a region timed system T_R. The control locations of T_R correspond to equivalence classes of configurations of T w.r.t. the equivalence ≅_G, and the edges of this system are compatible with these classes (they ensure that each location can be reached only when the current configuration is in the corresponding class). So, the construction of the timed system T_R can be seen as a duplication of the control locations of T according to the equivalence classes of the possible valuations of the clocks. The system T_R generates the same timed sequences as the original system T. More precisely, we can prove that for every configuration σ = ⟨q, ν, t⟩ of T, we have σ ⊨_T φ iff ⟨[σ], ν, t⟩ ⊨_{T_R} φ. This fact implies, by Lemma 8.1, that given two equivalent configurations σ = ⟨q, ν, t⟩ and σ′ = ⟨q, ν′, t′⟩ of T, and a timed-ECTL∃ formula φ, we have ⟨[σ], ν, t⟩ ⊨_{T_R} φ iff ⟨[σ], ν′, t′⟩ ⊨_{T_R} φ. Hence, the model checking algorithm consists in recursively labelling the control locations of the timed system T_R by the subformulas of φ, such that a control location [⟨q, ν, t⟩] of T_R is labelled by a subformula φ′ iff ⟨[⟨q, ν, t⟩], ν, t⟩ ⊨_{T_R} φ′. Since the number of subformulas is finite, the algorithm terminates, and then we have σ ⊨_T φ if and only if the location [σ] of T_R is labelled by φ.

It is worth noting that, in contrast to the algorithm for TCTL in [ACD90], which runs on an untimed region graph, our algorithm labels the locations of a timed system. Indeed, to take into account the time constraints imposed by the formula, the algorithm in [ACD90] extends the system by the clocks used in the formula and then reasons about the region graph of the resulting extended system.

In the case of timed-ECTL∃, taking into account the time constraints imposed by the formula is technically more complicated, and the time constraints on the clocks of T (or equivalently of T_R) must be considered at each step of the algorithm for deciding the satisfaction of nested state formulas involving ω-automata, e.g., ∃A(φ1, …, φn). In fact, at each level of nesting, deciding such a satisfaction problem consists in finding a computation (σ_i)_{i≥1} of T_R and a timed sequence (⟨a_{ji}, t_i⟩)_{i≥1} accepted by A (over some alphabet {a1, …, an}) such that, at each position i, the configuration σ_i satisfies the formula φ_{ji}. Since for each subformula φ_i we already know whether it is satisfied or not at each location of T_R, the problem we have to solve reduces to checking the emptiness of a timed ω-language defined in terms of a product of the timed graphs of T_R (with an updated labelling function) and A. Now, to decide this emptiness problem, we proceed as in the proof of Lemma 7.4 by reasoning about the untimed region graph of the considered product timed graph.

Let us formalize the description of the algorithm. Before giving the definition of the timed system T_R, let us introduce some notations. First of all, it is easy to see that for every equivalence class [σ] with σ = ⟨q, ν, t⟩, there is a clock constraint characterizing [σ], that is, such that for every σ′ = ⟨q, ν′, t′⟩, σ ≅_G σ′ iff (ν′, t′) satisfies it. In fact, this constraint can be written in the form ⋀_{x∈X} a_x ◁¹_x T − x ◁²_x b_x where a_x, b_x ∈ ℕ ∪ {∞} and ◁¹_x, ◁²_x ∈ {
