Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download A really temporal logic
Document related concepts
Modal logic wikipedia , lookup
Law of thought wikipedia , lookup
Mathematical logic wikipedia , lookup
Model theory wikipedia , lookup
Propositional formula wikipedia , lookup
Quantum logic wikipedia , lookup
Interpretation (logic) wikipedia , lookup
Curry–Howard correspondence wikipedia , lookup
Quasi-set theory wikipedia , lookup
Structure (mathematical logic) wikipedia , lookup
Sequent calculus wikipedia , lookup
Intuitionistic logic wikipedia , lookup
First-order logic wikipedia , lookup
Transcript
A Really
RAJEEV
Stanford
Temporal
ALUR
Unit ersiV,
AND
Logic
THOMAS
Stanford,
A. HENZINGER
California
Abstract. We introduce a temporal logic for the specification of real-time systems. Our logic,
binds a
TPTL, employs a novel quantifier construct for referencing time: the freeze quantifier
variable to the time of the local temporal context.
TPTL is both a natural language for specification
and a suitable
present a tableau-based decision procedure and a model-checking
genemlizations
of TPTL are shown to be highly undecidable.
formalism for verification.
We
algorithm for TPTL. Several
Categories and Subject Descriptors: C.3 [Special-Purpose
and Application-Based
Systems] —realD.2.1 [Software
Engineering]:
Requirements/Specifications-kmgaages;
D.2.4
tvne systems:
[Software
Engineering]:
Program Verification-correctness
proofs;
F.2.2 [Analysis of Algorithms
of proof proceand Problem Complexity]:
Nonnumerical
Algorithms
and Problems—cornplezity
dures: F.3. 1 [Logics and Meanings of Programs]:
Specifying and Verifying
and Reasoning about
of programs;
rnecha~ziccd ~erification:
specification
techniques;
F.4.1 [MathematiPrograms—logic~
cal Logic and Formal Languages]: Mathematical
Logic—model
theory; F.4.2 [Mathematical
Logic
problems;
1.2.2 [Artificial
Intelligence]:
and Formal Languages]:
Formal Languages—deciston
[edification;
J.7 [Compnters
in Other Systems]—real time
Automatic
Programming—program
General Terms: Theory, Verificatmrr
Additional Key Words and Phrases: Dense time, discrete time, EXPSPACE-completeness,
linear-time temporal logic, model checking, real-time requirements, If ~-completeness
1. Introduction
Linear temporal
reactive systems
logic is a widely accepted language for specifying
and their behavior
over time [Manna
and Pnueli,
and Lamport,
1982; Pnueli, 1977]. The tableau-based
its propositional
version,
PTL, forms the basis for
and synthesis
of finite-state
Wolper,
1984].
PTL is interpreted
which
events
over
occur,
systems
models
retaining
only
[Liechtenstein
that
abstract
temporal
properties
of
1992; Owicki
satisfiability
algorithm
for
the automatic
verification
and Pnueli,
away from
ordering
1985; Manna
the actual
information
and
times
about
at
the
This research was supported in part by an IBM graduate fellowship to T. A. Henzinger, by the
National Science Foundation
under Grants CCR 88-12595 and CCR 92-00794, by the Defense
Advanced Research Projects Agency under contract NOO039-84-C-0211, and by the United States
Air Force Office of Scientific Research under contracts AFOSR-88-0281
and F49620-93-1-O056.
A preliminary
Foundations
version
of Computer
of the 3(Mz Annual SYmposum~ on
of this paper appeared in Proceedings
Science. IEEE Computer
Society Press, New York, 1989, pp. 164-169.
Authors’ current addresses: R. Alur, AT&T
Bell Laboratories,
Henzinger, Department
of Computer Science, Cornell University,
Murray Hill, NJ 07974; T. A.
Ithaca, NY 14853.
Permission to copy wdhout fee all or part of this material is granted provided that the copies are
not made or distributed for direct commercial advantage, the ACM copyright notice and the title
of the publication
and its date appear, and notice is given that copying is by permission of the
Association for Computmg Machinery. To copy othervme, or to republish, requires a fee and/or
specific permission.
01994 ACM 0004-5411 /94/0100-0181
$03.50
Journal
LIt the A.>ockitmn
for Computing
Machmcv,
Vol
41, No
1, J.inuary
1994. pp
181-204
182
R. ALUR AND T. A. HENZINGER
states of a system. The analysis of systems with hard real-time
requirements,
such as bounded
response
time, calls, however,
for the development
of formalisms with explicit time. Several attempts
have been made to introduce
time
explicitly
in PTL, and to interpret
it over models that associate
a time with
every system state [Bernstein
and Harter,
1981; Koymans,
1990; Ostroff,
1990;
Pnueli and Harel, 1988]. Although
real-time
requirements,
most of
questions
which
have
timing
decidability
not
answered.
constraints
may
system
extension
states.
it has not
in
PTL
of typical
complexity
been
without
understood
sacrificing
the
problem.
is the development
of the PTL-based
a notational
different
In particular,
be permitted
of the verification
Our objective
a generalization
with,
been
these logics allow the specification
the important
decidability
and
of a real-time
extension
of PTL
tools for algorithmic
verification.
of PTL
One
must
commonly
be capable
proposed
of relating
method
that admits
To begin
the times
employs
of
first-order
temporal
logic, with one of the state variables
representing
time [Abadi
and
Lamport,
1992; Ostroff,
1990; Pnueli
and Harel,
1988]. We claim that the
unconstrained
quantification
of time variables
allowed
by this approach
does
not restrict
Instead,
freeze
the user to reasonable
and readable
specifications.
we propose
a novel, restricted,
form of quantification—we
quarztficatio~l-in
particular
subclass
state.
which
Freeze
of “intended”
notation.
For
every request
asserted
every
quantification
is
identifies,
specifications,
instance,
the
p is followed
variable
and
bound
so we
it leads
to
the
argue,
to a concise
call
time
it
of
precisely
a
the
and readable
typical
time-bounded
response
requirement
that
by a response
q within
10 time units, can be
by the formula
Ux.(p
+
Oy.(q
(read “whenever
there is a request
current
time, the request is followed
at most x + 10”).
Secondly,
we need to identify
Ay
<x
+ lo))
p, and the variable
x
by a response q, at time
how expressive
a theory
is frozen
to the
y, such that y is
of time
maybe
added,
in this fashion, to PTL without
sacrificing
its elementary
complexity.
Our main
results
are twofold:
we develop
a near-optimal
decision
procedure
and a
model-checking
algorithm
for real-time
PTL by restricting
both the syntax of
the timing
constraints
and the precision
of the time
model,
and we show
that
these restrictions
cannot be relaxed without
losing decidability.
In particular,
adding to PTL the theory of the natural
numbers with successor, ordering,
and
congruence
operations,
yields the EXPSPACE-complete
real-time
temporal
logic TPTL.
The tableau
method
for PTL
can be generalized
to TPTL.
However,
allowing
either addition
over time or a dense time domain results in
highly undecidable
(11~-complete)
logics.
Thus, we lay out a theoretical
basis for
state real-time
systems and, simultaneously,
decidability
Alternative
using
and undecidability
of finite-state
approaches
to the automatic
temporal
logic
include
work
on
the automatic
verification
of finiteidentify
a boundary
between
the
formalisms
verification
the
with explicit
of real-time
branching-time
logic
time.
systems
RTCTL
[Emerson
et al., 1990] and the explicit-clock
logic XCTL
[Harel
et al., 1990].
RTCTL
makes the simplifying
assumption
of modeling
synchronous
real-time
systems,
all of whose
events
occur with
the ticks of a global
clock.
In the case of
A Really
XCTL,
Temporal
all formulas
sally quantified,
ing that
tions
183
Logic
are quantifier-free
which
makes
an implementation
and their
it difficult
implies
variables
to compose
are implicitly
requirements,
a specification.
We will
find
1989],
an earlier
many
obtained
new
[Alur
version
of this
results
concerning
paper
was published
real-time
et al., 1990, 1991; Alur
[Alur
temporal
restric-
and Henzinger,
and Henzinger,
logics
2. Timed
We
Temporal
define
Timed
adequacy
Propositional
Temporal
specification
STATE SEQUENCES.
state sequences.
N be the
Definition
Let
Logic
1 (Timed
Monotonicity.
The
formulas
integers.
state seque?zce).
of states
of times
and
A timed
of TPTL
are interpreted
A state
A state
r, s ~1+ ~ for all i >0,
state sequence
sequence
demonstrate
its
symbols
(p,
over
q, r, . . .) and
is an interpretation
for
the
state sequence
is an infinite
a time from the discrete time
sequence
~ = PII PI V? “”” $ an
m, c P, i > 0. A time sequence ~ = ~o~l~z “o” is an
~, = T, i > 0, that satisfies the following
two condi-
(2) Progress. For all t E T, there
and a time
and to
(TPTL)
P be a set of proposition
set of nonnegative
sequence
sequence
of TPTL
language.
propositions
in P (i.e., a subset of P). A timed
sequence of states, each of which is labeled with
domain T = N.
infinite
infinite
tions:
been
et al., 1992].
Logic
as a real-time
2.1. TIMED
timed
have
1990; Wang
We refer to Henzinger
[1990] for a complete
axiomatization
Alur and Henzinger
[1992] for a survey of recent results.
(1)
assert-
both
unnecessary.
Since
let
univer-
like
and
is some
p = (u,
i >0
~) is a pair
such that
~, > t.
consisting
of a state sequence
ff
r.
By O=‘(~z) we denote
the
state
(time)
sequence
that
sequence
o (time
sequence
r) by deleting
the
p’ = ( u‘, T‘) and use the convention
that n ~ = O.
results
first
i
from
the
elements.
state
We
let
At this point,
a few words about our model of time are in order. Time is
discrete but not a state counter;
rather, the time between successive states of a
timed state sequence may remain
amount. Although
a state counter
systems,
the
events
of
the same, or it may increase by an arbitrary
would suffice to model synchronous
real-time
asynchronous
processes
take
place
in
a dense
time
domain.
Reasoning
about dense time, on the other hand, maybe
prohibitively
difficult
(see Section 4). As a compromise,
the fictitious-clock
(or digital-clock)
assumption
for real-time
systems has enjoyed increasing
popularity
[Alur
and
Henzinger,
1992; Henzinger
et al., 1992]: The true, dense times of events are
recorded
state
with
the finite
sequences
clock assumption
identical
times).
precision
is chosen
(states
of a discrete
sufficiently
between
successive
2.2. SYNTAX AND SEMANTICS OF TPTL.
of variables
(x, y, z, . . . ). The
symbols and timing
constraints
and freeze quantifiers.
clock.
general
Our
definition
to accommodate
clock
We
ticks
are given
the
of timed
fictitious-
can be labeled
an infinite
formulas
of TPTL
are built from
by Boolean
connective,
temporal
with
supply
proposition
operators,
1’
R. ALUR AND T. A. HENZINGER
184
Definition
2 (Syntax
inductively
defined
of TPTL).
The
terms
m and formulas
@ of TPTL
are
as follows:
for x = V, p = P, and nonnegative
2.2.1. The Timing
integer
Constraints.
The
constants
timing
c, d G N, d # O.
constraints
of TPTL
are of the
form TI s nz and ml =d rrz (“time
T1 is congruent
to time nz modulo
the
constant
d“). The abbreviations
x (for x + O), = , < , > , > , true, n, A, and
V are defined as usual. If each term of a formula
~ contains a variable, we say
that
@ contains
formula
may
Izo absolute
contain
time references.
at most
On the other
one variable.
Although
hand,
from
each term
a logical
of a
point
of
view, this restriction
confines TPTL to the successor operation
on time, we do
not define terms using a unary successor operator;
rather, for determining
the
length
of a formula,
we assume that all constants
are given in a reasonably
succinct (e.g., binary)
encoding.
The size of a formula
will be important
for
locating
the computational
complexity
of problems
whose input includes
formulas
of TPTL.
2.2.2. The Temporal
tors of PTL
state sequence that
p. The until formula
state
satisfying
proposition
Additional
Operators.
[Gabbay
is based
on the two
next formula
Op
temporal
asserts
opera-
about
a timed
the second state in the sequence satisfies the proposition
p &q asserts about a timed state sequence that there is a
the proposition
p.
temporal
ally operator
TPTL
et al., 1980]. The
q, and all states
operators
O@ stands
for
are defined
true YO,
before
as usual.
and the
always
this
q-state
In particular,
satisfy
the
the ez,entu-
❑ @ stands
operator
for
7074.
2.2.3. The Freeze Quantifier.
fier
“x,”,
which
be a formula
“freezes”
in which
x to the time
the variable
the timed state sequence
formula
@(~O) is obtained
variable
x with
A variable
x is bound
To. For
to the
time
it asserts that
❑x.(p
temporal
freely.
Then
example,
intuition
Definition
and let
is captured
3 (Semantics
%: V -
context.
x. ~(x)
quantiLet
asserts
~(x)
about
AX
<
in the formula
10),
of a state
in which
p is satisfied
+x
formally
of TPTL).
T be an interpretation
is
p
time
10.
< 10)
in a state,
by the following
Let
the proposition
in some state before
asserts that whenever
the proposition
p is satisfied
at most 10 (i.e., p is not satisfied
after time 10).
This
by a freeze
p = (CT, ~) that @(~O) is satisfied
by p, where the
from
~(x) by replacing
all free occurrences
of the
the constant
“eventually”
satisfied;
Similarly,
the formula
of the local
x occurs
Ox.(p
the variable
x can be bound
p = (o,
the time
is
definition.
r) be a timed
(environment)
then
for
the
state sequence
variables.
The
A Really
Temporal
Logic
pair (p, %) satisfies the
relation
R is inductively
Here
%(x
185
TPTL-formula
@ iff
defined
as follows:
+ c) = %(x)
+ c and
environment
that agrees with
maps .x to t G T.
A TPTL-formula
is closed
5cope of a freeze
formulas
of TPTL.
The
truth
= c. Moreover,
the environment
if every
quantifier
value
%(c)
p ~% ~, where
“x.”.
of a closed
shall
formula
of a variable
henceforth
is completely
satisfaction
:= t] denotes
% on all variables
occurrence
We
%[x
the
except
x is within
consider
only
determined
the
x, and
the
closed
by a timed
state sequence
alone. The timed state sequence
p is a model of the (closed)
TPTL-formula
@, denoted
by p I= ~, if the pair (p, 8) satisfies
@ for any
environment
%. The formula
~ is satisfiable ( ualid) if p K ~ for some (every)
timed state
models.
sequence
2.3. TPTL
freeze
formulas
AS A SPECIFICATION
tive extensions
of PTL with
quantification
universal
p. Two
2.3.1. TPTL
equit)alerzt
LANGUAGE.
explicit
time
can be viewed
and existential)
are
if they
We compare
references.
have
TPTL
In particular,
as a constrained
form
the
same
to alternawe show that
of classical
(i.e.,
quantification.
versus First-Order
Temporal
Logic.
The freeze
quantifier
allows
us to relate the times of different
states. A typical real-time
requirement
for a
reactive system is that a multi-valued
switch must be turned from position
p to
position
q within
10 time units. In TPTL,
this condition
can be expressed by
the formula
❑x.(p
Using
assumes
standard
first-order
the value
of the current
the condition
temporal
time
<x
logic
+ 10)).
with
in every
(1)
a state
variable
now
state, we may attempt
that
to write
(1) as
El((p
or, in closer
Ay
-+pZy.(q
resemblance
❑((p
Arzow
‘X)
-+p%(q
ArZOW
to the TPTL-formula
Anow=x)~pZ(q
<X
+
10))
(l),
Anow=y
Ay<x+lO)).
(2)
The meaning
of these formulas
(i.e., their
truth
values over timed
state
sequences) depends on the interpretation
of the variables
.x and y. The explicit
quantification
of variables,
however,
is typically
omitted
from first-order
temporal specifications
[Ostroff,
1990; Pnueli and Harel, 1988]. Moreover,
specification
languages
quantifier
prefwes
are often
restricted
[Harel,
1988; Harel
to formulas
et al., 1990].
with
implicit
or
explicit
186
R. ALUR AND
The
condition
the intended
(2) is an example
meaning
any prefix.
In particular,
that is equivalent
to (1):
A now
Elvx.((p
that
the choice
may not be obvious
the
following
=x)
of quantifiers
and, indeed,
(q A now
HENZINGER
that
provides
may not correspond
quantification
+p$?l~y.
T. A.
of (2) yields
=y
Ay
s~
+ 10))
(3)
(to be precise,
a timed state sequence
p and an environment
Z satisfy
formula
3x. @ iff p *%,X .,] ~ for some t e T).
On the other hand, no quantifier
prefix makes the formula
(2) equivalent
(l).
For example,
(1) does not imply
~x.~y.El((p
The difference
A now
is subtle:
‘X)
while
the stronger
+~%(~
‘Y
AY
(1) asserts that
x is followed
by p-states
and, eventually,
a q-state
formula
(4) demands more; that if there is a p-state
o) + ({q}, o) + ({p}>o)
+ ({q},l)
to
10)).
(4)
every p-state
of time
<X
+
of time y s x + 10, the
of time x, then there is a
time y s x + 10 such that every p-state of time x is followed
by p-states
eventually,
a q-state of time y. For instance, the timed state sequence
({p},
the
condition
A I1OW
the formula
to
a formula
+ ({},2)
+ ({},3)
+
and,
““”
(presented
as a sequence of state-time
pairs) satisfies (1) but not (4).
In general, TPTL identifies
a fragment
of the first-order
temporal
logic with
the
state
variable
formulas
now.
in which
to the time
TPTL-formula
includes
precisely
in V is, immediately
Vx.(x
= now
+
=x.(x
= now
A
words,
TPTL
restricts
quantification
allows (and
all time
over
limits)
to
temporal
introduction,
frozen
now):
the
())
+).
references
uersus Bounded
add
an
Tenlporal
infinite
to times
of states,
rather
(compare
(1) with (3)). It is also
of the PTL-based
tableau
algofor TPTL
will be developed
in
Section 3; the validity
problem
for TPTL with
cation was recently shown to be nonelementary
TPTL
first-order
the entire time domain.
It is precisely this
us to express timing
constraints
between
states by concise and readable
specifications
this restriction
that leads to a generalization
rithms
for verification:
the tableau
method
2.3.2.
upon
to the formula
than permitting
restriction
that
proposed
those
of the local
temporal
context
(i.e., the value
of
x.@ is equivalent
to the first-order
temporal
formula
or, equivalently,
In other
TPTL
each variable
supply
of
unconstrained
classical
[Alur and Henzinger,
quantifi19aO].
Operators.
Several
researchers
real-time
modalities
such
have
as 0< ~
(“eventually
within
8 time units”)
to PTL [Koymans,
1990; Pnueli and EIarel,
1988], or branching-time
logics [Emerson
et al., 1990]. These bounded
temporal
operators
are definable
in TPTL.
tor O. ~ @ can be expressed
For instance,
I.oy. (y
Although
temporal
bounded
contexts,
the bounded-eventu~lity
opera-
by the TPTL-formula
<x
+ 8/7
(b).
temporal
operators
always relate
TPTL
admits
constraints
between
the times of adjacent
distant
contexts.
For
A Real~
Temporal
Logic
example,
the formula
187
❑ x.(p
asserts that
the
time
most
~
every p-state
difference
A Oy.(r
O(q
is followed
between
the
reasoning
identified
with
about
“next
tions
for nested
synchronous
by an r-state,
corresponding
r-state
and
is at
3. Timed
[Emerson
a tableau-based
doubly-exponential-time
problem
how the
real-time
tableau
systems.
Throughout
if
of
first
tion
in the
for
It
the
constructing
the
reduced
initial
to
paths.
with
as the
3.1.1. Preliminary
the
be
TPTL
to
1981,
tableau
if
the
special
case
timing
constraints
in
~
@ of
and
[Smullyan,
the
wish
to
for
1968],
logic
a
and
of computa-
of
integers
decision
Wolper,
tableau
PTL
1984]
satisfiability
is,
@ contains
procedure
and
of
begin
@ can
for
@ contains
in
fact,
subsumed
no
timing
For the moment,
are
TPTL
a modal
the
initial
for
in which
y + c, for nonnegative
solve
is satisfiable.
systematically
tableau-based
and
@ Checking
finite
Assumptions.
to
of
1980].
of the
method
that
negation
searches
for
the
TPTL-properties
calculus
procedure
the
that
we demonstrate
observe
if its
a formula
Manna
for
tableau
we
method
[Pratt,
presentation
al.,
First,
given
We then justify
verify
to check
@ contains no absolute time references;
variable.
Thus, we may perform
simple
x -~
can
by showing
Finally,
to
propositional
logic
checking
The
procedure
applied
tableau
a decision
standard
et
be
are
The
dynamic
[Ben-Ari
for TPTL.
decision
it suffices
we
to obtain
of
procedure
FOR TPTL.
a formula,
originated
case
follow
procedure
can
subsection,
applied
PTL
infinite
state”
1.
is EXPSPACE-complete.
@ is satisfiable.
+.
was
TPTL
techniques
this
determine
We
=x+
of the
PROCEDURE
problem
model
“next
et al., 1990]. We can restrict
oy.y
decision
cost
for
3.1. DECISION
validity
systems,
Tableaux
We present
validity
real-time
case by postulating
Elx.
(2)
and, later,
the
and timing
constraints
may be expressed in PTL
In this case, bounded
temporal
operators
are abbrevia-
next formulas
the synchronous
(1)
and
time,”
using the next operator.
be
by a q-state
p-state
+ 10)))
10.
For
for
A y <x
by
then
certain
by
our
constraints.
we assume
that
that is, every time in ~ contains a
arithmetic
manipulations
so that all
the
form
x s y + c
or
x + c s y
or
d > c > 0.
~ contains
only the temporal
operators
argument
of every occurrence
of the until
O and ❑ ; that is, the
operator
% in @ is true.
first
Although
neither
of the two restrictions
is essential,
they simplify
the
exposition
of the decision
procedure.
Later, we accommodate
both absolute
time references
and until operators.
We also assume that @ is of the form
z. @‘; this can be easily achieved, if necessary, by prefming
@ with any variable
z that does not occur freely in @
A timed state sequence
p = (CT, t-) is A-bounded,
~1 s ~,_ ~ + A for all i > O; that
is, the time
for
of the initial
a constant
A G N, if
state of a A-bounded
R. ALUR AND T. A. HENZINGER
188
timed
state
sequence
is at most
A and the time
successor state by no more than A.
To begin with, we restrict
ourselves
satisfiability.
This case has finite-state
with states can be modeled
by finitely
PreL18, O <8<
A, that represent
to
increases
A-bounded
from
a state
models
for
character:
the times that
many (new) time-difference
in the initial
state, the initial
to its
checking
are associated
propositions
time
8, and in all
other states, the time increase
8 from the predecessor
state. Formally,
we can
capture the (state and) time information
in a timed state sequence
p = (u, ~)
by a state sequence
& with
for all i >0.
us to adopt
This reduction
the tableau
of timed
techniques
we show how we can find
3.1.2.
Updating
requirement
the eventuality
the initial
in
this
state
way
Constraints.
demands
The
to state sequences
the conclusion
key
observation
can be split into
the initial
state
checking
for
more
care;
Since
the number
satisfiability
to
obtain
the
formula
underlying
~.
the
two conditions:
a
and a temporal
the successor state). For
* or O O* being true in
of conditions
is reducible
the initial
tableau.
into a present
allows
of this section,
A for the given
on the rest of a model (i.e.,
V+ can be satisfied by either
satisfiability
in a finite structure,
The splitting
of TPTL-formulas
condition
At
constant
is that any formula
requirement
on
of a state sequence.
is finite,
PTL.
an appropriate
Timing
tableau method for PTL
nontemporal
(“present”)
(“future”)
example,
state sequences
for
and
to
generated
checking
a future
requirement
on
for
(next-state)
the
successor
state, all timing constraints
need to be updated appropriately
to account for the
time increase
8 from the initial
state to its successor. Consider,
for example,
the formula
x.Oy. @( x, y), and recall that the free occurrences
of x in + are
references
the initial
to the initial time. This eventuality
can be satisfied either by having
state satisfy y. @( y, y), with all free occurrences
of x in @ replaced
by y, or by having
8, y).”
For
8>0,
the next
a naive
sively generate
infinitely
of time can be exploited
state
satisfy
replacement
the updated
eventuality
of x by x – 8 would,
“x.Oy.
however,
~(.x
–
succes-
many new conditions.
Fortunately,
the monotonicity
to keep the tableau
finite;
the observation
that y is
always instantiated,
in the “future,”
to a value greater
than or equal to the
initial time x, allows us to simplify
timing assertions of the form x s y + c and
y + (c + 1) < x to true and false, respectively.
We define,
therefore,
the
references
in @ on the initial
x.@ is the formula
formula
x. ~(x)a
that results
time x by the time difference
X.uy.(p
then
X.41,
X.*5,
and
x.*
+y.y
G are the following
X.ny.(p
x. ❑ y.(p
x. ❑ y.(p
<x
+ 5),
formulas:
+y.y
<x + 4),
+ y.y < x),
~ false).
from updating
all
8. For instance, if
A Really
Temporal
In general,
is defined
—x. +”
given
a TPTL-formula
inductively
equals
189
Logic
x. ~ and
8 c N, the TPTL-formula
x. ~ 8
as follows:
x. ~.
results from x. ~ a by replacing
every term of the form x + (c + 1)
—X.$6+1
with x + c, and every subformula
of the form x s y + c, y + (c + 1) s x,
and x -~ y + c with true, false, and x =~ y + ((c -t 1) mod d), respectively,
provided
that the occurrence
of x in the specified terms and formulas
is free
in @a.
The
following
lemma
confirms
that
this
effect and updates all time references
expresses the condition
“x. +(x – 8).”
transformation
correctly;
that
has the
intended
formula
x.+(x)8
is, the
LEMMA 1 (TIME STEP).
Let p = (u, r) be a timed state sequence, let & be an
environment,
and let 6 = N such that 6< To. Then p R= X. *s iff p ~z[. .,,]. 81 +
for et’ery TPTL-formula
PROOF
the
OF LEMMA
structure
of
3.1.3. Closure
by recursively
closure
of
symbol
mula
x. ~.
1.
The
proceeds
is a freeze
the formula
quantifier.
z. @‘ is the smallest
operation
@ into
to define
the
The
closure
symbol
closure
cllj)
@[x := z] results
that occur
kx+.
LEMMA
and freeze
constants
z. ~‘
may arise
parts
whose
in the
outermost
of the TPTL-for-
that
is closed
under
+)
Z.00
= {Z. *[X
from
@},
= z]},
Y by replacing
all free
occurrences
set are of the form z. ~.
@ if @ contains a subformula
the predicate
that occurs in the formula
6> C and for all formulas
& The
z.+ in
2.+ a is Z.*C.
in the TPTL-formula
where
formulas
x s y + (c – 1) or x + (c – 1) s y, or @ contains
The size of the closure
constants
that
and future
set Closure( z. +‘)
= {Z.*,
=C. Let C be the largest constant
set of @ is finite,
because for all
Closure(o),
for
containing
of x with z. Note that all formulas
in a closure
A constant
c >0 occurs in the TPTL-formula
of the form
on
Sub:
Sub(z.x.
the formula
induction
all conditions
its present
closure
set of formulas
Sub(z.
where
by a straightforward
We collect
of a TPTL-Formula.
splitting
~. It suffices
the following
proof
❑
+.
set of @ depends
in @. We define
~, inductively
k.,
on both
the product
the structure
of @ and the
of all constants
that occur
as follows:
= c+landkc=c+l.
2 (SIZE
Let n – 1 be the number of boolean, temporal,
TPTL-fonruda
~, and let k be the product
of all
OF CLOSURE).
operators
that occur
in the
in &
Then
lClosure(
+)1 < 2nk.
190
R. ALUR
OF LEMMA
2.
Given
structure
PROOF
of
set
D ~
updating
of
@‘,
the
timing
a formula
of
z. @‘, we
formulas
the
constraints;
that
set
AND
define,
contains
Cd
is,
HENZINGER
by induction
~’
in
T. A.
on
and
is closed
addition,
closed
the
under
under
subformulas:
C’P=DP=
c
{p},
=D,
,<L+C
<V+C ={x<y+c,
C,=,,~C=D,=~jh,=
{x-~y+(d
c *I + *2 == C@, UCJ,
Cob
x<y+(c–
1),...,
-l),
UD@, +O,,
= C* u DO*,
xsy},
x-,y+(d
Dt, +t,
=Di,
D .$=
OD$,
-2),...,
x=,y},
+D$,,
Here x.E = {x.1171* e E} for any set E of formulas;
the other operators
are
applied
to sets in an analogous
fashion.
The case of formulas
of the form
x + c s -Y is treated similarly
to the timing constraints
x s y + c. Furthermore,
let
E+= E U {true, false].
Observe
that Dv s Ct.
structure
(1)
~’
(2)
For all
= Do
(3) z.C~i
From
that
and, hence,
8>0,
is straightforward
~’
to show
by induction
on the
is closed
under
sequence,
tableau
graphs
which
that
lC@ I <2
Tableau
state
z. @‘8 G z.C~.
Ckmwe(
z. @‘) c z.CJ.
~zk, which
may again
Thus,
be done
it suffices
to show
by induction
on the
❑
of @‘.
3.1.4. Initial
and, therefore,
Sub.
(1) and (3) it follows
directed
= C@.
z. @’$ = z.D$
ID+ I s k and
structure
vertex
It
of @‘ that
of a TPTL-Fomwda.
(Kripke
determine
are labeled
of a tableau
with
structures).
the truth
arbitrary
express
values
formulas
conditions
Tableaux
Unlike
the
for
states
TPTL
of all propositions,
of TPTL.
state
finite,
state
the vertices
The formulas
on the annotated
are
of a timed
that
of a
label
a
and its successor
states. In addition,
every vertex is labeled
with a time-difference
proposition
states.
PreLa, O < 8< A, that denotes the time increase from the predecessor
Formally,
the vertices of a tableau for @ are the maximally
consistent
subsets
of the finite
universe
Closure’(+)
= Closure(d)
u {PreZ’81 O <8<
A]
consistent
if it
of TPTL-formulas.
A subset @ of Closzu-e*( +) is (maximally)
satisfies the following
conditions,
where all formulas
range only over the finite
set Closure*(~):
—PreLla
—z.(z
is in
@ for
precisely
one O s 8 s A; this
w z + c) is in @ iff O = c holds
in N (for
8 = N is referred
-
being
one of
=,).
—z.false
is not in 0.
—Z.(y!Jl ~ *Z) is in @ iff either z.~l
is not in @ or z. jbz is in 0.
—z. ❑ ql is in @ iff both z.* and z.O R ~ are in 0.
—z. x.* is in @ iff z.*[x
:= z] is in 0.
to as 80.
s , > , and
A Really
The
Temporal
initial
vertices
from
191
Logic
tableau
T(+)
for the TPTL-formula
are the consistent
@ to T
This
subsets
iff, for all formulas
definition
ensures
z. Otj
the global
constraints
in the initial
tableau.
T(~)
for the formula
@ is that
path through
T(~)
versa. This implies
along which
a finite-model
@ is a directed
of Closure*(+),
and which
graph
contains
in Closure*(0),
consistency
The significance
every model of
all eventualities
property
for
of all temporal
and real-time
of the (finite)
# corresponds
initial
tableau
to an infinite
are satisfied
in time, and vice
TPTL,
in the sense that every
satisfiable
TPTL-formula
@ is satisfied by a model whose state part,
by the time-difference
propositions
Preva, is eventually
periodic.
To be precise, an infinite
path
through
(1)
(2)
a tableau
Initiality.
Fairness.
all
is a +-path
if it satisfies
~ = ~,.
All eventualities
missing
invariance
violated
z. ❑ ~ = Closure*(~)
and i >0,
j>
i with i3=Z,<~~~i3@K.
Progress.
t5@,>0 for infinitely
(3)
Every
~-path
eventually
following
in the
z. ❑ $ 6Z 0,
many
for
~
a ~-path
OF @PATHS).
consists
of m
implies
time;
Z.+6
or, equivalently,
that
is, for
@ @j for
all
some
i >0.
@ can be reduced
to a +-path
Suppose that the initial tableau T(~)
vertices. If T(~)
contains
a @path,
that
is
OF
for the
then it
of the form
for 1 s (2nk + l)m, where n is the number
product of all constants that occur in ~.
PROOF
@ in time
@ in
conditions:
of TPTL.
3 (LENGTH
TPTL-formula
contains
tableau
along
along
three
extended
periodic.
Moreover,
the length
of the period
is bounded
by the
lemma. This will prove to be important
for obtaining
an upper bound
on the complexity
LEMMA
initial
the following
are satisfied
are
WhOSe
an edge
LEMMA
3.
Consider
the
of temporal
infinite
operators
+-path
@ =
in + and k is the
@o@ ~ “”. ,
and
choose i to be the smallest j such that 0, occurs infinitely
often in cD. There
are no more than nk invariance
in Closure *( ~); hence O, lacks at most nk
invariance
z. R *I, each one of which is violated
by some vertex
~~ of the
infinite
suffix
0,0,+1
““. of @. Let @o = @O .“” ~,, @z~-l = @, ‘“” ~~~ and
~zl = lpl . . . 0,, for all 1 s 1< nk, be finite
segments of @ that contain
no
other (i.e., inner) occurrences
o! 0,. Delete all loops in every segment @J, thus
obtaining
the finite sequences O], O s j s 2nk, each of length at most m + 1.
It is not hard to see that the result of deleting
duplicated
vertices (i.e., @,) from
is a @-path of the desired
form.
❑
192
R. ALUR AND T. A. HENZINGER
3.1.5.
decision
The
Tableau Decision
Procedure.
procedure
for TPTL:
to determine
able, construct
LEMMA
(1)
the initial
4 (INITIAL
tableau
TABLEAU
[Correctness].
If the initial
T(@)
FOR
4.
The
progress
~, that
follows
suggests
a
~ is satisfi-
if it contains
any @paths.
tableau
T(~)
for the TPTL-formula
@ contains
proof
model,
makes
then T(~)
essential
through
contcuns
use of both
the initial
tableau
a
a ~-path.
directions
T( ~),
of
define
state sequence
p = (o-, ~) such that, for all i ~ O, p = o, iff
~ satisfies
the
and ~, = ~,_l + 8.,. Note that the time sequence
condition
because
@ does. We show, by induction
for all i >0 and 4 ● Closure*,
that p is a model of ~.
For a proposition
p’ % z.p. Let
*be
0,,
lemma
TPTL)
Lemma
1. Let % be any environment.
(1) Given a ~-path
@ = @O@, ““
the timed
z.p e 0,,
main
if the TPTL-formula
and check
+-path, then ~ is satisfiable.
(2) [Completeness].
If 4 has a A-bounded
PROOF OF LEMMA
following
By the induction
the case iff
of
@ = @O, it
of 0,, z.( +1 ~
hypothesis,
p’ R Z.(Z N z + c). This completes
#z) G @, iff either
this is the case iff either
that is, iff p’ != Z.(l/J1 - ~z).
Now assume that z. O+ e Closure*(~)
-r, -t- 8. Then
on the structure
p’ + *. Since
z.p = Closure*( ~), we have z.p 60,
iff p c m,
one of<,>,
- ~, or its negation.
By the consistency
Z.(z - z + c) E @, iff O * c iff
cases.
By the consistency
(~)~ G @l iff
z. O ~ ● 0,
p’+ 1 & Z.+a.
iff
and
let
the base
z. VI E @l or z.~z
G @t.
p’ k Z. 41
Z. h;
8 = tire,,;
z. +s = 0,+ ~. By the induction
By Lemma
iff
of
1, this is the case iff
or
that
P’ *
is, ~,+ ~ =
hypothesis,
this
p’+ 1 %&[Z = ,,1 r;
is
that
is, iff p’ 1= z.0~.
For the case that z. ❑ @ G Closure”( q5), we first prove that z. ❑ ~ = @, iff
Z.@ ’j–’I = 0, for all ]“ > i. Let 8, = ~, — ~1 and note that 8, = ~l<~~,~o~
by
our choice
of ~,
We use induction
j z i. Suppose that
0,,
also
z. O ❑ ~ a e 0,
consistency
On
some
By
j > i.
the
j >
the
By
on j to show that z. ❑ * = 0, implies
z. ❑ @‘ = 0, for all
❑ # a E cD, for an arbitrary
j > i. By the consistency
of
Z.
and
of @,, we conclude
therefore
that
z. ❑ ~ a+’ G 0,+ ~. Invoking
z. # $ E 0,
again
the
for all j > i.
other hand, suppose that z. ❑ ~ @ 0,. Since @ is a +-path,
there is
i such that z.* $ @ ~,.
induction
hypothesis,
It follows that z. ❑ ~ G @, iff p~ 1= z. ~‘
for all
Lemma
1, this is the case iff p] R&[z = ,,1 v for all j > i; that is, iff
p’i==z. n~.
Finally,
consider the case that z.-x. ~ = Closure*(~).
iff z. ~[.x := z] G 0,. By the induction
hypothesis,
z.~[x
:= z]; that is, iff p’ R Z.X. V.
In this case, Z.X. ~ G @l
this is the case iff p’ R
(2) Let P = (o, ~) be a A-bounded
model of ~. The subsets
Closure*(~)
are defined
as follows:
Preu,, _,, _, = ~,, and
@ ● Closure”(
~), iff
p’ i= (j. We show that
@ = O.O,
the initial
tableau
T( ~).
By inspecting
the consistency
rules, it is evident
To prove that @ is an infinite
path through
T(~),
for all i >0,
there
Closure*(~)
and let
is an edge from
0, to
8 = r,+, – ~l. Then
z.0+
0,, for i >0,
~ = 0,, for
. . . is a +-path
of
all
through
that every @, is consistent.
we also have to show that,
0,.
~. Suppose
c 0,
iff
that
p’ + z.0*
z. 0+
iff
=
p’+l
A Really
Temporal
Lo@”c
+ ~[z = ,,] ~. By Lemma
@1+1. Since
193
1, this
is the case iff
also PreL]8 E Q,. ~, the initial
p’+’
tableau
I= z.~a;
for
that
is, iff
@ contains
z.~’
●
an edge from
m, to @t+l.
We
now
show
progress
condition
observe
that
that
the
infinite
because
p
is
a model
eventualities
in @ are satisfied
z. ❑ * @ 0,;
that
j >i.
which
time
of
@ is indeed
sequence
@. It
in time.
p’ ~ z.O 1 *
remains
After
constructing
path
1984]. The
follows
that
tableau
the
@ c @O,
established
that
p] >%[Z .7,1 m +
Then
T(+)
be
It satisfies
see that
all
z. ❑ Y = Closure*(~)
that
therefore
To
p] kz.~a
for the formula
and
for
some
by Lemma
1,
@, we delete
all
are not on a @-path. This can be achieved by a straightforward
of the standard techniques
for marking
all vertices of a graph that
lie on an infinite
Wolper,
the initial
to
Suppose
and
a ~-path.
~ does.
Let 8= ~~ – ~,; thus 8= z,<~<jd~,.
implies that z.+ a @ @,.
❑
-
vertices that
modification
along
which
remaining
tableau,
the final
contains
n – 1 is the number
graph
are satisfied
is called
@ has a A-bounded
for finding
which
all eventualities
state
a TPTL-formula
not empty.
The procedure
initial
is,
path
the
O(A
of operators
tableau
the final
model
in
iff its final
is polynomial
. 2nh ) vertices,
@ and
[Manna
tableau
each
and
for
~. It
tableau
is
in the size of the
of size O(nk),
k is the product
where
of all constants
that occur in ~. Thus, provided
that A is dominated
by 2nk, the initial tableau
T(~)
can be constructed
and checked
for +-paths
in deterministic
time
exponential
in nk. We show next that A can indeed be bounded
by k.
3.1.6. Bounding
determine
the
the
bound
Size of
Time
A on the
Steps.
time
Given
increase
a formula
between
two
~,
such that the satisfiability
of @ is not affected;
that is, we choose
A = N such that @ is satisfiable
iff it has a A-bounded
model.
Let
c be the largest
constant
in ~ that
x<y+(c–l)orx+(c–1)
ence predicates
greater
<y,
that
in
~. If the time
increase
states
the constant
in a subformula
=C, ,.. .,=C
finally
of the form
be all the congru-
8 ~etween
two states
is
than
modulo
correctly.
or equal to c, it obviously
suffices
to know the residues
of 8
to update,
in a tableau,
all timing
constraints
cl, ..., cm in order
Indeed, for checking the satisfiability
of ~, the arbitrary
step-width
8
can be bounded
many congruence
LEMMA
by taking
classes.
5 (BOUNDED
and k is the product
model.
PROOF
occur
occurs
and let
we
successive
OF LEMMA
for the least common
the smallest
TIME
INCREASE).
of all constants
5.
We
multiple
can,
representative
for
each of the finitely
If the TPTL-formula
that
occur
in fact,
derive
k‘ of all cl, 1<
in ~, then
the
tighter
~ is satisfiable
~ has a k-bounded
bound
i < rn. Given
c + k‘
a model
s k,
p = (o, r)
of @, let the time
sequence ~‘ be such that, for all i >0, ~, = ~~_ ~ + (t-, – 7,-~)
otherwise,
choose
~~ to be the smallest
8> t-~ + c with
if 7-, – 71_l <c;
8 -k, I-l. It is easy to see that p’ = (u, ~’) is also a model of ~.
❑
Combining
this result
with
the tableau
method
developed
the conclusion
that the satisfiability
of the TPTL-formula
deterministic
time exponential
in nk. Moreover,
Lemma
satisfiable
mentioned
formula
@ is satisfiable
in
above, exponential
in nk.
a model
whose
above, we arrive
at
@ is decidable
in
3 implies
that every
size
is, in
the
sense
194
R. ALUR
Remember
that
we have
absolute
time
references.
3.1.7.
Until
Operators.
restricted
First,
operators.
We take the closure
under the operation
and add the following
let
the fairness
us
formulas
~ with
until
requirement
either
z. ~z
on a @-path
HENZINGER
operators
assumptions
on the consistency
@ iff
T. A.
no until
both
address
of a formula
condition
formulas:
z.( ~l??~z)
is in
z. O(*l?Z@z)
are in @.
Finally,
~ to contain
We now show that
AND
and no
can be relaxed.
that
include
operators
until
to be closed
of a set @ c Closure”(~)
is
in
@, or
both
of
z. ~1
and
@O@l@z . . . is generalized
to
the condition
that z.( *I 7Z4Z) = O, implies
that, for all i >0,
z. $: G @, for
some j>
i with S= Z,<L ~ ~8.,. It is not hard to check that the Lemmas
2, 3,
4, and 5 allow the addition
of until operators
in this way.
3.1.8.
time
Absolute
references.
Time
References.
Instead
of generalizing
Secondly,
let
the tableau
us accommodate
absolute
method
to constant terms,
which contain
no variable,
we can use a simple observation.
test the formula
~ for satisfiability.
Let x be a variable
that
Suppose that we
does not occur in
@ and replace
every variable-free
term
c in @ with the term
obtaining
the new formula
@R (which may contain free occurrences
following
lemma
satisfiability
allows
problem
us to reduce
for the formula
the
satisfiability
x. O ~‘,
which
problem
contains
x + c, thus
of x). The
for
@ to the
no absolute
time
references.
LEMMA
6 (ABSOLUTE
iff the formula
PROOF OF LEMMA
(1)
TIME
REFERENCES).
x. O+ R is satisfiable,
A TPTL-formula
where x does not occur
~ is satisfiable
in ~.
6
Let p = (m, ~) be a timed
state sequence.
We define
the timed
state
sequence
p‘ = (m’, ~’) such that ~~ = O, and o-,~l = o-l and ~~+1 = ~, for
all i >0. Clearly, if p > ~, then p’ != x.0+.
(2) Let
p = (m, ~) be a timed
state sequence.
We define
the timed
state
sequence
p‘ = (u’, T’) such that
o,’ = 0,+1 and ~~ = ~,+1 – To for all
i >0. Clearly, if p i= x. O@, then p’ + ~.
❑
Note
operators
theorem
that
the transformation
from
@ to @R does not increase
the number
of
in ~ nor the product
of all constants
that occur in ~. The following
summarizes
our results about the tableau method.
THEOREM
1 (DECIDING
TPTL).
The [wlidip
problem
for a (closed)
TPTL-formula ~ can be decided in detemtinistic
time exponential
in nk, where n – 1 is the
number of boolean, temporal,
and freeze operators in ~, and k is the product of all
constants
Note
that occur
that
in ~.
the length
1 of any formula
logarithmic
(e.g., binary)
Thus, we have a decision
encoding,
procedure
~ whose
constants
are presented
in a
is within
a constant
factor
of n + log k.
for TPTL
that is doubly exponential
in 1
part and, therefore,
(although
only singly exponential
in n, the “untimed”
singly exponential
for PTL). The algorithm
we have outlined
can, of course, be
improved
in many ways. In particular,
we may avoid the construction
of the
A Real~
Temporal
Logic
195
entire initial
tableau
by starting
with the initial
state, which contains
successively adding new states only when needed [Manna
and Wolper,
This
stepwise
procedure,
deterministic-time
problem
for TPTL
We
also
point
sequences
on timed
however,
does
not
lower
the
bound; as we show in the following
is EXPSPACE-hard.
out
that
is essential
the
morzotoni.city
the tableau
state sequences
3.2. COMPLEXIm
while
for
(and
method
~-paths)
OF TPTL.
The
doubly
exponential
subsection,
condition
to work,
~, and
1984].
the decision
on
timed
the progress
state
condition
can be omitted.
following
theorem
establishes
TPTL
as
being exponentially
harder to decide than its untimed
base PTL, which has a
PSPACE-complete
decision problem
[Sistla and Clarke, 1985]. The extra exponential
is caused by the succinct representation
of time constants
in TPTL and
is typical
for
many
real-time
specification
languages
[Alur
and
Henzinger,
1990].
THEOREM
2
(COMPLEXITY
EXPSPACE-complete
PROOF OF THEOREM
TPTL
OF
(with
2.
The proof
is in EXPSPACE,
The
TPTL).
ualidi~
respect to polynomial-time
and then
proceeds
that
problem
for
TPTL
is
reduction).
in two parts;
we first
it is EXPSPACE-hard.
show that
The
first
part
follows the argument
that PTL is in PSPACE,
which builds on a nondeterministic version
of the tableau-based
decision
procedure
[Manna
and Wolper,
1984]; the hardness part is patterned
after a proof that the universality
problem
for regular expressions with exponentiation
is EXPSPACE-hard
[Hopcroft
and
Unman,
1979].
[EXPSPACE].
It
checking
the
PSPACE
and, hence,
In particular,
if the initial
trying
suffices
satisfiability
to
of
show
by Savitch’s
theorem,
it can be checked
tableau
to construct
T(+)
such
that
the
complementary
a TPTL-formula
contains
a @-path
is in
in (deterministic)
in nondeterministic
a @path
singly
of the form
nondeterminstically,
problem
of
nondeterministic
EX-
EXPSPACE.
exponential
stated
space
in Lemma
at each stage,
3. In
only
the
current
retained
vertex,
the “loop-back”
vertex,
and a vertex
counter
have to be
in order to construct
a successor vertex, loop back, or, if the vertex
counter
exceeds
each vertex
respectively,
that
the
maximal
length
of the
loop,
and the length
of the loop have,
(singly) exponential
representations
this nondeterministic
procedure
requires
fail.
Since
both
the
size of
by Lemma
2 and Lemma
3,
in the length of ~, it follows
only
exponential
space.
[EXPSPACE-hardness].
Consider
a deterministic
2“-space-bounded
Turing
machine
M. For each input X of length
n, we construct
a TPTL-formula
Ox
of length
O(n
. log n) that
is valid
iff
M accepts
X. By a standard
complexity-
theoretic
argument,
using the hierarchy
theorem
for space, it follows that there
is a constant
c >0
such that every Turing
machine
that solves the validity
problem
for formulas
@ of length 1 takes space S(l) z 2c~110g1 infinitely
often.
Thus,
it suffices
to construct,
given
the initial
tape contents
(1) a sufficiently
X,
succinct formula
+x that describes the (unique)
of M on X as an infinite
sequence of propositions,
and
(2) a sufficiently
succinct formula
of M on X as accepting.
@*ccEP~ that
characterizes
computation
the computation
196
R. ALUR
Then
iff the machine
M accepts
use a proposition
machine
symbol “blank”
for formulas:
HENZINGER
r-state. The computation
two conditions:
(1) it starts
with
conjuncts,
of ~
position
the initial
conditions
from
to
s A
-+ Oy.(y
Here
P,
Q,
and
P, Q, R) refers
R
each
range
to the transition
one by a move
of M.
of ❑ x. Oy. y
@Y to consist
and
the
following
two
(1) and (2), respectively:
~o),
+1
OQA
(PA
by the following
y.(y=x+~+~Y,)A
=x+2”
=x
i and
to the
use the following
determined
counter,
<x+2”+
❑x.(s~Oy.(y
Q, RUX.
symbol
❑
” Ax.~1<,5,1
x. Dy. (x+n<y
AP,
tape
of Lf. We
Take
a state
to the requirements
Or,y,,
every
and qO correspond
and
in TPTL.
resemble
correspond
4hf0vE:
state
the previous
can be expressed
I#INITIAL:
p.
by @state sequences of length 2“ that are
of the read–write
head is marked
by an
configuration,
follows
time
which
q, for
of M on X is completely
(2) every configuration
= x + 1, forcing
X.
In particular,
and the initial
We represent
configurations
separated
by s-states; the
Both
the input
p, and a proposition
state j of M, respectively.
special tape
abbreviations
&(
T. A.
the implication
is valid
We
AND
As))
00R
+ 2“ + 2 A~~(P,
over
the
function
A
Q, R))).
proposition
~1, r, ,, and
of M. For instance,
s, and
if M writes,
in
state j on input i‘, the symbol k onto the tape, moves to the right, and enters
state j’, then &,(~,,
r,,,j,~l)
=~~ and ~.(r,,,.,,~l,,
~,)
= r,,,,.
The computation
of M on X is accepting
lff it contains
the accepting
state
F, which
The
is expressible
lengths
of
in TPTL
@INITI~~,
by the formula
@MOVE,
and
@Acc~pT
are
0(1), respectively
(recall that constants
are represented
ing the desired 0( n . log n )-bound for +x.
EI
~(n
“ log
n),
in binary),
O(n),
and
thus imply-
3.3. REAL-TIME
VERIFICATION.
Researchers
have proposed
a variety
of
different
languages
for defining
real-time
systems [Alur and Henzinger,
1992].
Instead
of siding with a particular
syntax, we represent
finite-state
real-time
systems by abstract
state graphs with timing
information.
Typically,
it is not
difficult
to compile
a given concrete
syntax into timed state graphs (consult,
A Really
Temporal
e.g., [Henzinger,
Logic
1991] for the translation
state graphs).
Model
checking
temporal-logic
system.
197
is an algorithmic
specification
Suppose
that
runs
certain
conditions.
given
fairness
as a formula
of
as a finite
paths
suppose
temporal
that
a state-graph
to infinite
Furthermore,
systems into
technique
against
S is represented
S correspond
@ of a linear
transition
verification
of a system
a system
is, all possible
of timed
logic.
that
problem
for the negated
[Liechtenstein
specification
and Pnueli,
~ ~ captures
compares
description
Ty; that
T~ that
the specification
The verification
meet
of S is
problem
@
used
1984]. The initial
precisely
the
of the
state graph
through
if all possible runs of the system S satisfy the specification
In the case of PTL, the tableau
construction
can be
verification
timed
to
solve
tableau
the models
asks
the
T( ~ ~)
of the formula
= ~. Hence, the system S meets the specification
@ iff there is no infinite
path
that is common
to both finite
state graphs, T$ and T( - ~), and that corresponds both to a possible
run of S and a model
of 7 ~. This question
is
answered
by constructing
and checking
the product
if it contains
an infinite
of the two state
graphs
T~ and
path
certain
fairness
that
meets
T( -
~)
condi-
tions.
We
generalize
the
PTL-algorithm
TPTL-specification.
We then
mula
by all paths
c) is satisfied
and thus, in general,
equally
to check
show that
in a given
hard
if a timed
the problem
structure
as deciding
state
graph
of checking
meets
a
if a TPTL-for-
is EXPSPACE-complete,
if c) is satisfied
by all timed
state
sequences. The practitioner
will note that the complexity
of the model checking problem
is doubly
exponential
only in the size of the formula,
which is
typically
much smaller than the size of the structure.
3.3.1.
finite,
Timed
State
Graphs.
directed
state
graphs
labeled
with
Definition
consists
proposition
from
unspecified,
represent
sets of propositions.
time-difference
difference
We
(Kripke
the
Each
Prev8
or
predecessor
finite-state
structures)
location
is
vertices
is labeled
Prev > ~, which
location
real-time
whose
either
with
indicates
exactly
systems
by
(locations)
a state
that
are
and a
the
8 time
time
units
or
respectively.
4 (Timed
state graph).
A timed
state
graph
2p that labels
every
T = (L,
p, v, LO, Z)
of
—a finite set L of locations;
—a state labeling
function
V: L state pl Q P;
—a time labeling
function
v that labels
ference proposition
Vl, which is either
—a set LO c L of initial
location
1
●
L with
a
every location
1 G L with a time-difPreua for some ?3E N, or Preu ~ ~;
locations;
—a set Y g L2 of transitions.
A timed
state sequence
p = (U, ~) is a computation
of the timed
state graph
T such that for all i >0,
T if there is an infinite
path 10IIIZ .”” through
U, = pl and if vl = Preua, then I-t = ~,_ ~ + 8.
A TPTL-formula
@ is satisfied ( ~~alid) in the timed state graph T if some
(all) computations
of T are models of +. The problem
determine
if a formula
is valid in a timed state graph.
3.3.2. Model
formula
+. Let
Checking.
We
k be the product
are given
a timed
of all constants
state
of model
graph
checking
is to
T~ and a TPTL-
in ~, and recall
that
k is the
R. ALUR AND
198
largest
constant
time-difference
We define
8
for
be a finite,
directed
vertices. Each vertex
of T(~)
which
the
initial
proposition
PreL18.
the Product T = T~ x T(~)
tableau
T(~)
for
HENZINGER
@ contains
of the two structures
a
Ts and T(~)
to
graph whose vertices are pairs of T~-vertices
and T( O)(1, @) of T consists of a location
1 of T~ and a vertex @
such that
—The state information
for all propositions
p
in 1 and @ is compatible;
P.
that
●
—The
in 1 and @ is compatible;
that
time
information
or vl = 60, or 80 = Preuk and
The
T. A.
product
T contains
iff T~ contains
02.
an edge from
an edge from
projection
through
is a +-path
the
through
T(~)
is clearly
k‘
z.p
vl = Prel’ .,],
(1,, @,) to the vertex
linear
(lZ, Oz )
an edge from
in the product
~-path
@ ~ to
of the sizes
is a @path
T( +); it is an initialized
= @
> k.
contains
Ts X T(~)
product
is, either
for some
the vertex
11 to lZ and
Ts x T(~)
The size of the product
of T~ and T(~).
An infinite
path
vl = Preuk,
is, p G W[ iff
if its second
if, in addition,
it
starts at a vertex whose first projection
is an initial vertex of Ts. The following
lemma, which follows immediately
from Lemma 4 and the proof of Theorem
1,
confirms
that
LEMMA
forrnula
This
our product
7 (TABLEAU
construction
PRODUCT).
~ iff the product
lemma
finite-state
state graph
T~ satisfies
contains
an initialized
@path.
a model-checking
system
S satisfy
algorithm.
To
a TPTL-formula
Construct
Construct
(3)
(4)
Construct
the tableau product
T = T~ x T( ~ ~).
Check if T cont~ins
an initialized
~ ~-path.
The
specification
@ ifi this is not the case.
According
untimed
timed
notions
state
case [Liechtenstein
Since a structure
time
state graph Ts for S.
tableau
T( T ~) for the negated
to different
through
of the model
of system
graphs
and Pnueli,
can be checked
checking
fairness,
can be defined,
see if all
runs
of a
formula
~ ~.
system
various
S meets
variants
and checked
the
of compu-
for,
as in the
1985].
for +-paths
algorithm
the TPTL -
~:
(1)
(2)
tations
the timed
the initial
effect.
The timed
Ts X T(~)
suggests
real-time
has the intended
in polynomial
is determined
product
T, which contains
O(lT~ 1. IT( ~)1) vertices.
exponentially
larger than the description
of S itself
seen that the size of T(~) can be two exponential
time,
the running
by the size of the tableau
The size of Ts typically
is
[Henzinger,
1991], we have
larger than o.
THEOREM
3 (MODEL
CHECKING).
The problem
if a TPTL-fomuda
~ is ualid
in a timed state grapil T can be decided in deterministic
time linear in the size of the
T and doubly exponential
in the length of+.
3.3.3. Complexip
THEOREM
4 (COMPLEXITY
a TPTL-formula
PROOF
satisfies
of Model
OF
is valid
THEOREM
the TPTL-formula
Checking
OF MODEL
in a timed
4.
CHECKING).
state graph
[EXPSPACE].
@ iff the product
T)ie problem
of decidi~lg
f
is EXPSPACE-complete.
The
given
timed
state
T x T( T ~) contains
graph
an initial-
T
A Real~
ized
Temporal
n @-path.
Logic
199
It is easy to see that
nondeterministic
singly
exponential
space
suffices to check for the desired
1 ~ path. The EXPSPACE
bound follows.
[EXPSPACE-hardness].
To reduce the validity problem
for TPTL to model
checking,
it suffices
formula
@ is valid
to give a timed
iff @ is valid
state
graph
in T. Simply
T of constant
choose
to be the complete
graph over all subsets of P, and label
time-difference
proposition
Prel) >
El
—~.
4. Undecidable
At
last,
let
Real-Time
us justify
size such
that
T = (2P, K, v, 2P, 2P X 2P)
all locations
with
the
Properties
our
decisions
to restrict
the
semantics
of TPTL
to the
discrete time domain
N and to restrict
the syntax of the timing
constraints
to
successor, ordering,
and congruence
operations.
Indeed,
both decisions
seem
overly
limiting
addition
for
of time
quent p-states
both restrictions
We consider
addition
over
real-time
values
specification
the property
languages.
that
“the
time
For
example,
difference
without
between
subse-
increases forever”
cannot be defined.
We show, however,
that
are necessa~
to obtain verification
algorithms.
two natural
extensions
of TPTL,
a syntactic
one (allowing
time)
and
a semantic
one
(interpreting
TPTL-formulas
over
a
dense time domain).
Both extensions
ing a S ~-hard problem
of 2-counter
are shown to be 11~-complete,
by reducmachines
to the respective
satisfiability
problems.
It follows
even be (recursively)
exposition
of the analytical
4.1. A
they cannot
z ~-COMPLETE
consists
may increment
upon
one
of
instruction,
M
the
hierarchy
C and
proceeds
[Rogers,
one of the counters,
being
zero.
After
nondeterministically
the configurations
n, c > 0, and d > 0 are the current
counters
defined
C and D, respectively.
in the obvious way. A
related
configurations,
starting
axiomatized
(for
an
1967]).
A nondetemtinistic
2-counter
machine
M
and a sequence of n instructions,
each of
D,
or decrement
counters
We represent
consult
PROBLEM.
of two counters
which
tions.
that
the
to one of two
of M
values
by triples
the
a nonjump
specified
counter
instrucO s i <
and the two
relation
on configurations
M is an infinite
sequence
initial
computation
is recum”rzg if it contains
infinitely
value of the location
counter being O.
The problem
of deciding
if a nondeterministic
conditionally
of
(i, c, d), where
of the location
The consecution
computation
of
with
or jump,
execution
configuration
many
(O, O, O).
configurations
Turing
machine
is
of
The
with
the
has, over the
empty tape, a computation
in which the starting state is visited infinitely
often,
has been shown ~~-complete
[Harel
et al., 1983]. Along
the same lines, we
obtain
the following
result.
LEMMA
8 (COMPLEXIm
if a giuen
nondeterministic
OF 2-COUNTER
2-counter
MACHINES).
machine
The problem
has a recurring
of deciding
computation,
is
Z;-hard.
PROOF
the
OF LEMMA
8.
Every
=~.(~(0)
for
~~-formula
is equivalent
to
a ~~-formula
x
of
form
a recursive
construct
putation
predicate
a nondeterministic
iff
x
is true.
=
g
1 A Vx.g(~(x),
[Harel
2-counter
et
al.,
~(x
1983].
machine
+
l))),
For
A4 that
any
such
has
a recurring
X,
we
can
com-
200
R. ALUR
Let
M
start
ministically
and ~(x
by computing
guessing
+ 1) satisfy
the desired
infinite
p for
sets
of
characterizing
numbers
by nondeter-
to instruction
jlx)
O. Such an
being
universal,
compute
the
O infinitely
often iff a function
OF 2-COUNTER
MACHINES.
We
show
that
problem
for several extensions
of TPTL is ~~-complete.
First,
the satisfiability
of a formula
@ can, in all cases, be phrased as
asserting
the existence
of a model
for @. Any timed
state
a Zi-sentence,
sequence
indefinitely,
HENZINGER
❑
exists.
COMPUTATIONS
T. A.
of ~. At each stage, M checks whether
2-counter
machines
can,
g. It executes the instruction
properties
4.2. ENCODING
the satisfiability
we observe that
= 1, and proceed,
g, and if (and only if) so, it jumps
M exists, because
recursive predicate
~ with
~(0)
the next value
AND
@ can be encoded,
in first-order
arithmetic,
natural
say,
each
the
numbers;
states
in which
and associated
times.
one
p holds,
for
and
It is a routine
by finitely
proposition
one to encode
matter
to express,
many
p
pairs
in
as a first-order
predicate,
that @ holds in p. We conclude
that satisfiability
is in Z}.
To show that the satisfiability
problem
of a logic is X ~-hard, it suffices,
a nondeterministic
2-counter
machine
M, to construct
a formula
0,, is satisfiable
iff M has a recurring
computation.
technique
of encoding
recurring
computations
of M
monotonici~
constraint
THEOREM
on time
5 (NONMONOTONIC
is necessary
TIME).
time sequences renders the satisfiability
OF THEOREM
~ such that,
=
n
+
k
for
of TPTL.
the monotonicity
for
TPTL
condition.
~~, that
recurring
configuration,
computation
of M. First,
specify
of m next
❑ -conjunct
instance,
1 that
instruction
nondeterministically,
the initial
to either
operators
by 0’”).
Then,
~, for every instruction
increments
instruction
c),:
❑
the
= 2 Vy
A 0y.04z.
z ‘y
condition
C
a
by
ensure proper
i of M. For
and
proceeds,
the conjunct
= 3)
+ 1
‘y
\ A03y.04z.z=y
can be expressed
4RECLJR:
Clearly, the conjunction
recurring
computation.
~ encodes
x.
A02y.04z.z
recurrence
counter
2 or 3, contributes
Oqy.(y
The
for
= O A Ox. x = n A Ozx. x = n A 03 X.X = n
x.x
(we abbreviate
a sequence
consecution
by adding
a
the
condition
Z ~-complete.
fies the progress condition,
but not the nlonotonicity
It is not difficult
to express, by a TPTL-formula
@INIT:
the
the
5.
We encode
a computation
r of M by the “time”
fOr all k > 0, r~k = i, ~~k+ 1 = n + c, 74A+? =n+d,
and
the k th configuration
(i, c, d) of r. The sequence
~ satis-
PROOF
sequence
74L+3
Relaxing
problem
given
~fif such that
We demonstrate
by showing
that
for the decidability
~,
of state
~~
❑
of these
❑ lox.x
i
+
11
by a ❑ O-formula:
=
o.
n + 2 formulas
is satisfiable
iff
M
has a
A Really
Note
Temporal
that
first-order
Logic
this
proof
temporal
numbers
does not
logic
with
is II ~-complete,
least successor
of
the
Consequently,
TPTL
THEOREM
the
We
timing
with
show
addition
OF THEOREM
...,
The
initial
underlying
that
To
language
time
to
extremely
a highly
problem
encode
modest
configuration
logic
expressed
to specify
computations
real-time
the consecution
of M,
temporal
can be used
(pO)
becomes
is the
logics,
for
With
as the
crucial
relation
ability
of
~,
is extended
we
that
the
use
the
to allow
allows
are associated
with
the set of
of r-states.
a state
of multiplication
of a computation
( ❑ OpO)
a temporal
and thus
number
proposi-
hence we
of M is
condition
that
an arbitrary
availability
configuration
recurrence
property
of configurations,
to copy
the times
copying.
able to have the kth
The
logic.
X ~-complete.
computations
as well
in PTL.
relax-
is undecidable.
P., rl, and rz ~Precisely one of which is true in any state;
may identify
states with propositions.
The configuration
(i, c, d)
represented
by the finite sequence p, r~r~ of states.
can be easily
the
has at
undecidable
If the syntax of TPTL
TPTL).
6.
that
over the natural
assertion
a certain
leads
over
by 2, the satisjiability
tionspl,
It follows
ranging
as a primitive.
constraints
6 (PRESBURGER
multiplication
PROOF
of
any propositions.
state variable
to equality)
TPTL.
syntax
require
a single
provided
(in addition
4.3. PRESBURGER
ation
201
In
sequence
by 2, we are
correspond,
for all k >0,
to the finite sequence of states that is mapped to the time interval
[2~, 2~ + l).
First, we force the time to increase
by a strictly
positive
amount
between
successive
able
by
states ( ❑ x. O y. y > x), to ensure
its
time.
Then,
one-to-one
correspondence
there
enough
are
time
we
can
copy
of r~-states (j
gaps
to
to either
+1:
Oz.(z
+2:
❑yl.0y2.(y2
+3(r):
tly.(y
+4:
❑yl.0y2.(y2
The
first
specified
= 2X A (Pz
conjunct
#1
correspondence
between
Ozl.(zl
identifi-
establishing
a
t and time 2t; clearly,
additional
the counter
r~-state
when
C and proceeds,
2 or 3, can be expressed
-+
ensures
Ozl.(zl
the
3; the
states
= 2yl
A Ozz.zz
=
proper
second
in successive
2y1
A Orl
as follows:
= 2yQ)),
A 00z2.zZ
progression
one
*Z
intervals
to
one
establishes
representing
tions, while
the formula
~~(r) copies
r-states.
The last
finally, an rl-state
at the end of the successor configuration,
increment
operation.
❑
We can modify
x + 1), and letting
states. Thus, the
by
= 2y A r)),
Oz.(z
2X
2 or
r-states
VPS)),
< 2x A r -
instructions,
of
an
increments
instruction
< 2x ~
=
every state is uniquely
= 1,2) at time
accommodate
required
by an increment
instruction.
For instance, the instruction
1 that
nondeterministically,
that
groups
= 2Y2)).
of
the
two
a one-to-one
configura-
conjunct
*4 adds,
as required
by the
this proof by reducing
time to a state counter
( ❑ x. O y. y =
all propositions
be false in the resulting
additional
(padding)
satisfiability
problem
for TPTL
with multiplication
by 2 is
202
R. ALUR
AND
T. A.
HENZINGER
Z;-hard
even if time is replaced by a state counter. As a corollary,
we infer that
the first-order
theory of the natural
numbers with < , multiplication
by 2, and
monadic
predicates
is H ~-complete.
A similar
result has has been obtained
independently
in [Halpern,
becomes II ~-complete
The proof technique
applied
to many
[Jahanian
MTL
is
renders
TPTL.
to
specification
any
the
two
given
logic
THEOREM
them
An
relax
resulting
alternative
points
highly
Presburger
including
arithmetic
the
of
r-states.
can be
logics
RTL
7.
The
of M correspond,
that
to the time
arbitrarily
every state
correspondence
This proof
dense linear
is inte~reted
point.
We
(j
goes through
power
of
that
is,
show
that
are
oiler the ratiotlal
once
more,
to have
able
on
the
sequence
dense time
t and time
= 1, 2) at time
of multiplication
computations
for any time
and S is a unary
to
of
of states
allows
us to
1. Again,
we
a one-to-one
t + 1.In fact, we may
by 2 in the Presburger-TPTL
of M, by a successor operation,
formula
domain
function
ability
the k th configuration
[k, k + 1), because
dense-TPTL
tlurnbers
z~-complete.
depends,
we
interval
the desired
order,
two first-order
time
domain;
many states into every interval
of length
with a unique
time, and can then establish
of r,-states
to obtain
expressive
time
for all k > 0, to the finite
simply replace all occurrences
formula
encoding
the recurring
in order
is another
becomes
proof
time,
a computation
is mapped
there
the
a dense
1990]).
undecidable.
problem
This
and Henzinger,
of extending
adopting
[f TPTL
TPTL).
OF THEOREM
[Alur
way
by
in time
is, again,
7 (DENSE
groups
squeeze
identify
languages,
undecidable
semantics
T = Q), the satisfiability
PROOF
copy
that
unary predicate.
TPTL undecidable
19861, GCTL [Harel,
19881, RTTL
[Ostroff,
1990], and
1990]. All of these formalisms
admit addition
over time as a
which
between
(i.e.,
real-time
[Koymans,
4.4. DENSE
the
it is shown
and Md,
primitive,
TPTL
1991], where
with the addition
of a single
we used to show Presburger
❑
+~.
(T, <,
S) such that
over T that
satisfies
(T, + ) is a
the following
axioms:
V.x..x < s(x),
Vx, y.(x
To show that,
for
arbitrary
<y
dense
+
s(x)
time
in Z;, a standard
Lowenheim–Skolem
existence of countable
models.
ACKNOWLEDGMENTS
.
for
their
Moshe
for
refining
guidance.
~~-completeness
our
We
thank
Zohar
Vardi
and
undecidability
of
a problem
domains,
the satisfiability
argument
is necessary
Manna,
Joe
results;
on
+ s(y)).
Turing
Halpern
in particular,
Amir
Pnueli,
gave
they
problem
to
and
infer
David
us very
helpful
pointed
out
is
the
Dill
advice
to us the
machines.
REFERENCES
ABADI, M., AND LAMPORT, L. 1992. An old-fashioned
recipe for real time. In Real Tzme: Theo~
m l%c~zce. J. W. de Bakker, K. Huizing,
W.-P. de Roever, and G. Rozenberg, eds, Lecture
Notes in Computer Science, vol. 600. Springer-Verlag,
New York, pp. 1–27.
ALUR, R., COURCOUBETIS, C., AND DILL, D. L. 1990. Model checking for real-time systems. In
Proceedings
of the 5th Annual
Symposzum on Logtc in Computer
Science, IEEE Computer Society
Press, New York, pp. 414-425.
A Really
Temporal
Logic
203
ALUR, R., FEDER, T., AND HENZINGER,
Proceedings
of the IOth AnnLla[
T. A. 1991.
Symposium
The benefits
on Principles
of relaxing
of Distributed
punctuality.
In
(Montreal,
Computing,
Que., Canada, Aug. 19-21). ACM, New York, pp. 139-152.
T. A. 1989. A really temporal logic. In Proceedings of the 30th
ALUR, R., AND HENZINGER,
Annual Symposium on Fozmdattons of Computer Science. IEEE Computer Society Press, New
York, pp. 164-169.
ALUR,
R.,
AND HENZINGER, T. A. 1990.
Proceedings
of the 5th Annual
Real-time
Symposium
on Logic
logics:
Complexity
in Computer
Science.
and expressiveness.
In
IEEE Computer Society
Press, New York, pp. 390-401.
ALUR, R., AND HENZINGER, T. A., 1992. Logics and models of real time: A survey. In Real Time:
Theory in Practice.
J. W. de Bakker, K. Huizing, W.-P. de Roever, and G. Rozenberg, eds.
Lecture Notes in Computer Science, vol. 600. Springer-Verlag,
New York, pp. 74-106.
BEN-ARI,
M., MANNA,
Z., AND PNUELI, A. 1981.
The temporal
logic of branching
time. In
Proceedings
of the 8th Annual Symposium
on Principles
of Programming
Languages
(Williamsburg,
Vs., Jan. 26-28). ACM, New York, pp. 164-176.
BERNSTEIN, A., AND HARTER, P. K., JR. 1981. Proving real-time properties
of programs with
of the 8th Annual
Symposium
on Operating
System Principles
temporal Ioglc. In Proceedings
(Pacific Grove, Calif., Dec. 14-16). ACM, New York, pp. 1-11.
EMERSON, E. A., MOK, A. K., SISTLA, A. P., AND SRINIVASAN, J. 1990. Quantitative
temporal
Verification.
E. M. Clarke and R. P. Kurshan, eds.
reasoning. In CA V 90: Cor?lputer-aided
Lecture Notes in Computer Science, vol. 531. Springer-Verlag,
New York, pp. 136-145.
GABBAY, D., PNUELI, A., SHELAII, S., AND STAVI, J. 1980. On the temporal analysis of fairness. In
Proceedings
of the 7th Annual
ACM
Symposium
on Principles
of Programming
Languages
(Las
Vegas, Nev., Jan 28-30). ACM, New York, pp. 163-173.
HALPERN, J. Y. 1991. Presburger arithmetic
with unary predicates is fI ~-complete. J. Symb.
Logic
56, 2, 637-642.
HAREL, E. 1988. Temporal
analysis of real-time
Institute of Science, Rehovot, Israel.
HAREL, E., LIECHTENSTEIN,O., AND PNUELI, A. 1990.
of the 5th Annual
Symposmm
on Log~c in Computer
York, pp. 402-413.
HAREL, D., PNUELI, A., AND STAVI) J. 1983.
Comput.
systems.
Master’s
Explicit-clock
Sc~ence. IEEE
Propositional
dynamic
thesis,
The
Weizmann
temporal logic. In Proceedings
Computer Society Press, New
logic of regular
programs.
J.
Syst. SCC., 26, 2, 222–243.
HENZINGER, T. A. 1990.
ings of the 19th Annual
Half-order
ACM
modal logic: How to prove real-time properties. In Proceedon Principles
of Distributed
Computmg
(Quebec City,
Symposium
Que., Canada, Aug. 22-24). ACM, New York, pp. 281-286.
HENZINGER, T. A. 1991. The Temporal
Specification
and Verification
of Real-time
Systems.
Ph.D. dissertation, Stanford Univ., Stanford, Calif.
HENZINGER, T. A., MANNA, Z., AND PNUELI, A. 1992. What good are digital clocks? In ICALP
92: Automata,
Languages,
and Programming.
W. Kuich, ed. Lecture Notes in Computer Science,
vol. 623. Springer-Verlag,
New York, pp. 545–558.
HOPCROFT, J. E., AND ULLMAN,
J. D. 1979. Introduction
to Automata
Theoiy,
Languages,
and
Computation.
Addison-Wesley,
Reading, Mass.
JAHANIAN, F., AND MOK, A. K. 1986. Safety analysis of timing properties
in real-time systems.
IEEE
Trans.
KOYMANS,
Sofiw.
R. 1990.
Eng.
SE-12,
9, 890-904.
Speci@ing real-time
properties
with metric temporal
logic. Real-time
Systems
2, 4, 255-299.
LIECHTENSTEIN, O., AND PNUELI, A. 1985.
Checking that finite state concurrent programs satisfy
of the 12th Annual ACM Symposium
on Prmcip[es
of’
In Proceedings
Programmmg
Languages
(New Orleans, La., Jan. 14-16). ACM, New York, pp. 97-107.
Logic
of Reactile
and Concurrent
Systems:
MANNA, Z., AND PNUELI, A. 1992. The Temporal
Specification.
Springer-Verlag,
New York.
MANNA, Z., AND WOLPER, P. 1984.
Synthesis of communicating
processes from temporal logic
specifications.
ACM Trans. Prog. Lang. Syst. 6, 1, 68–93.
OSTROFF, J. S. 1990.
Temporal
Logic of Real-Time
Systems. Research Studies Press, Taunton,
England.
OWtCKI, S., AND LAMPORT, L. 1982. Proving liveness properties of concurrent programs. ACM
their
Trans.
linear
Prog.
specification.
Lang.
PNUELF, A. 1977.
on Foundations
Syst. 4, 3, 455-495.
The temporal logic of programs. In Proceedings of the 18th xlnnaal Symposwm
of Computer Science. IEEE Computer Society Press, New York, pp. 46–57.
204
R. ALUR
AND
T.
A.
HENZINGER
A., AND HAREL, E. 1988. Applications
of temporal logic to the specification of real-time
and Fcudt-Tolerant
Systems. M. Joseph, ed Lecture
systems. In Formal Techruques m Real-Time
Notes m Computer Science, vol. 331. Springer-Verlag,
New York, pp. 84-93.
PRATT, V. R. 1980. A near-optimal
method for reasomng about action. J. Cornpat, Syst. SC[, 20,
PNUELI,
~, ~3~ _~54.
ROGERS,
H., JR. 1967.
Theoty
of Recursu,e
New York.
SISTLA, A. P., AND CLARKE, E. M. 1985.
J. ACM
SMULLYAN,
WANG,
F.,
FanctLon!
and
The complexity
Effectu,e
Compatabdw.
of propositional
linear
McGraw-Hill,
temporal
log]cs.
32, 3, 733-749.
R. M.
MOK,
In Proceedings
1968.
Fir~t-Order
of the 12th Intematcorud
RECEIVED JANUARY
1990:
J.,urndl
for Cornp”t,”g
of th. A.w.,.
LogLc.
Sprirrger-Verlag,
New York.
1992. Asynchronous
propositional
A. K., AND EMERSON, E. A.
{mn
Conference
of Software
REVISED SEPTEMBER 1992;
Mwh!ncry
\7d
41, No
Engmeenng.
ACCEPTED OCTOBER 1992
1 J,~nuIry
lYW
temporal
loglc.
