Document: Real-Time Systems, Part 2 (doc)

CHAPTER 2
ANALYSIS AND VERIFICATION OF NON-REAL-TIME SYSTEMS

A great collection of techniques and tools are available for the reasoning, analysis, and verification of non-real-time systems. This chapter explores the basic foundations of these techniques, which include symbolic logic, automata, formal languages, and state transition systems. Many analysis and verification techniques for real-time systems are based on these untimed approaches, as we will see in later chapters. Here, we give a condensed introduction to some of these untimed approaches without providing mathematically involved proofs, and describe their applications to untimed versions of several simple real-time systems.

2.1 SYMBOLIC LOGIC

Symbolic logic is a collection of languages that use symbols to represent facts, events, and actions, and provide rules to symbolize reasoning. Given the specification of a system and a collection of desirable properties, both written in logic formulas, we can attempt to prove that these desirable properties are logical consequences of the specification. In this section, we introduce the propositional logic (also called propositional calculus, zero-order logic, digital logic, or Boolean logic; the simplest symbolic logic), the predicate logic (also called predicate calculus or first-order logic), and several proof techniques.

2.1.1 Propositional Logic

Using propositional logic, we can write declarative sentences called propositions that can be either true (denoted by T) or false (denoted by F) but not both. We use an uppercase letter or a string of uppercase letters to denote a proposition.

Real-Time Systems: Scheduling, Analysis, and Verification. Albert M. K. Cheng. Copyright 2002 John Wiley & Sons, Inc. ISBN: 0-471-18406-3

Example
P denotes "car brake pedal is pressed"
Q denotes "car stops within five seconds"
R denotes "car avoids a collision"

These symbols P, Q, and R, used to represent propositions, are called atomic formulas, or simply atoms. To express more complex propositions such as the following compound proposition, we use logical connectives such as → (if-then or imply): "if car brake pedal is pressed, then car stops within five seconds." This compound proposition is expressed in propositional logic as:

P → Q

Similarly, the following statement "if car stops within five seconds, then car avoids a collision" is expressed as:

Q → R

Given these two propositions, we can easily show that P → R, that is, "if car brake pedal is pressed, then car avoids a collision."

We can combine propositions and logical connectives to form complicated formulas. A well-formed formula is either a proposition or a compound proposition formed according to the following rules.

Well-Formed Formulas: Well-formed formulas in propositional logic are defined recursively as follows:
1. An atom is a formula.
2. If F is a formula, then (¬F) is a formula, where ¬ is the not operator.
3. If F and G are formulas, then (F ∧ G), (F ∨ G), (F → G), and (F ↔ G) are formulas. (∧ is the and operator, ∨ is the or operator, ↔ stands for if and only if or iff.)
4. All formulas are generated using the above rules.

Some parentheses in a formula can be omitted for conciseness if there is no ambiguity.

P  Q  P → Q
F  F  T
F  T  T
T  F  F
T  T  T
Figure 2.1 Truth table of P → R.

P  Q  ¬P  P ∨ Q  P ∧ Q  P → Q  P ↔ Q
F  F  T   F      F      T      T
F  T  T   T      F      T      F
T  F  F   T      F      F      F
T  T  F   T      T      T      T
Figure 2.2 Truth table for simple formulas.

Interpretation: An interpretation of a propositional formula G is an assignment of truth values to the atoms A1, ..., An in G in which every Ai is assigned either T or F, but not both.
Then a formula G is said to be true in an interpretation iff G is evaluated to be true in the interpretation; otherwise, G is said to be false in the interpretation. A truth table displays the truth values of a formula G for all possible interpretations of G. For a formula G with n distinct atoms, there will be 2^n distinct interpretations for G. Figure 2.1 shows the truth table for P → R. Figure 2.2 shows the truth table for several simple formulas.

A formula is valid iff it is true under all its interpretations. A formula is invalid iff it is not valid. A formula is unsatisfiable (inconsistent) iff it is false under all its interpretations. A formula is satisfiable (consistent) iff it is not unsatisfiable. A literal is an atomic formula or the negation of an atomic formula.

A formula is in conjunctive normal form (CNF) if it is a conjunction of disjunctions of literals and can be written as (∧_{i=1}^{n} (∨_{j=1}^{m_i} L_{i,j})) where n ≥ 1; m_1, ..., m_n ≥ 1; and each L_{i,j} is a literal. A formula is in disjunctive normal form (DNF) if it is a disjunction of conjunctions of literals and can be written as (∨_{i=1}^{n} (∧_{j=1}^{m_i} L_{i,j})) where n ≥ 1; m_1, ..., m_n ≥ 1; and each L_{i,j} is a literal. These two normal forms make it easier for proof procedures to manipulate and analyze logic formulas. Figure 2.3 lists the laws stating which formulas are equivalent. These laws are useful for transforming and manipulating formulas.

Idempotency: (P ∨ P) = P; (P ∧ P) = P
Implication: P → Q = ¬P ∨ Q
Commutativity: (P ∨ Q) = (Q ∨ P); (P ∧ Q) = (Q ∧ P); (P ↔ Q) = (Q ↔ P)
Associativity: ((P ∨ Q) ∨ R) = (P ∨ (Q ∨ R)); ((P ∧ Q) ∧ R) = (P ∧ (Q ∧ R))
Absorption: (P ∨ (P ∧ Q)) = P; (P ∧ (P ∨ Q)) = P
Distributivity: (P ∨ (Q ∧ R)) = ((P ∨ Q) ∧ (P ∨ R)); (P ∧ (Q ∨ R)) = ((P ∧ Q) ∨ (P ∧ R))
Double Negation: ¬¬P = P
DeMorgan: ¬(P ∨ Q) = (¬P ∧ ¬Q); ¬(P ∧ Q) = (¬P ∨ ¬Q)
Tautology: (P ∨ Q) = P if P is a tautology (true); (P ∧ Q) = Q if P is a tautology (true)
Unsatisfiability: (P ∨ Q) = Q if P is unsatisfiable (false); (P ∧ Q) = P if P is unsatisfiable (false)
Figure 2.3 Equivalent formulas.

To show that a statement logically follows from another statement, we first define the meaning of logical consequence. A formula G is a logical consequence of formulas F1, ..., Fn (i.e., (F1 ∧ ... ∧ Fn → G)) iff for every interpretation in which F1 ∧ ... ∧ Fn is true, G is also true. Then (F1 ∧ ... ∧ Fn → G) is a valid formula.

We can use the resolution principle to establish logical consequences, and this principle can be stated as follows. First, we define a clause as a finite set, possibly empty, of literals. A clause can also be defined as a finite disjunction of zero or more literals. The empty clause is indicated by □. A clause set is a set of clauses. A unit clause contains one literal.

Resolution Principle: For any two clauses C1 and C2, if there is a literal L1 in C1 and there is a literal L2 in C2 such that L1 ∧ L2 is false, then the resolvent of C1 and C2 is the clause consisting of the disjunction of the remaining literals in C1 and C2 after removing L1 and L2 from C1 and C2, respectively. It can be easily proved that a resolvent of two clauses is a logical consequence of these two clauses.

Example. Suppose we have two clauses C1 and C2:
C1: P ∨ Q
C2: ¬Q ∨ R ∨ ¬S
Because literal Q in C1 and ¬Q in C2 are complementary (their conjunction is false), we remove these two literals from their respective clauses and construct the resolvent by forming the disjunction of the remaining literals: P ∨ R ∨ ¬S.

The resolvent, if it exists, of two unit clauses is the empty clause □. If a set S of clauses is unsatisfiable, then we can use the resolution principle to generate □ from S.

Example. Consider the following simplified automatic climate control (air conditioning and heating) system.
The room temperature can be in one of the following three ranges:
comfortable: thermostat sensor detects the room temperature is within the comfort range, that is, between 68 and 78 degrees F.
hot: thermostat sensor detects the room temperature is above 78 degrees F.
cold: thermostat sensor detects the room temperature is below 68 degrees F.

Let
H = the room temperature is hot
C = the room temperature is cold
M = the room temperature is comfortable
A = the air conditioner is on
G = the heater is on.

We now specify the climate control system in English.
If the room temperature is hot, then the air conditioner is on.
If the room temperature is cold, then the heater is on.
If the room temperature is neither hot nor cold, then the room temperature is comfortable.

Can we prove the following?
If neither the air conditioner nor the heater is on, then the room temperature is comfortable.

This English specification of the climate control system and the requirement to be proved can be expressed in propositional logic formulas as follows.
F1 = H → A
F2 = C → G
F3 = ¬(H ∨ C) → M
Prove: F4 = ¬(A ∨ G) → M.

We first prove this proposition with the truth-table technique, shown in Figure 2.4. This technique exhaustively checks, for every interpretation, whether (F1 ∧ F2 ∧ F3) → F4 evaluates to T.

H  A  C  G  M  F1  F2  F3  F4  (F1 ∧ F2 ∧ F3) → F4
F  F  F  F  F  T   T   F   F   T
F  F  F  F  T  T   T   T   T   T
F  F  F  T  F  T   T   F   T   T
F  F  F  T  T  T   T   T   T   T
F  F  T  F  F  T   F   T   F   T
F  F  T  F  T  T   F   T   T   T
F  F  T  T  F  T   T   T   T   T
F  F  T  T  T  T   T   T   T   T
F  T  F  F  F  T   T   F   T   T
F  T  F  F  T  T   T   T   T   T
F  T  F  T  F  T   T   F   T   T
F  T  F  T  T  T   T   T   T   T
F  T  T  F  F  T   F   T   T   T
F  T  T  F  T  T   F   T   T   T
F  T  T  T  F  T   T   T   T   T
F  T  T  T  T  T   T   T   T   T
T  F  F  F  F  F   T   T   F   T
T  F  F  F  T  F   T   T   T   T
T  F  F  T  F  F   T   T   T   T
T  F  F  T  T  F   T   T   T   T
T  F  T  F  F  F   F   T   F   T
T  F  T  F  T  F   F   T   T   T
T  F  T  T  F  F   T   T   T   T
T  F  T  T  T  F   T   T   T   T
T  T  F  F  F  T   T   T   T   T
T  T  F  F  T  T   T   T   T   T
T  T  F  T  F  T   T   T   T   T
T  T  F  T  T  T   T   T   T   T
T  T  T  F  F  T   F   T   T   T
T  T  T  F  T  T   F   T   T   T
T  T  T  T  F  T   T   T   T   T
T  T  T  T  T  T   T   T   T   T
Figure 2.4 Truth table for proving F4.

The truth table shows that (F1 ∧ F2 ∧ F3) → F4 evaluates to T in every interpretation; thus F4 is a logical consequence of the specification.

Next we prove this proposition using the equivalency laws. Prove: ¬(A ∨ G) → M. The premise is F1 ∧ F2 ∧ F3, which is
(H → A) ∧ (C → G) ∧ (¬(H ∨ C) → M)
= (¬H ∨ A) ∧ (¬C ∨ G) ∧ (¬¬(H ∨ C) ∨ M)   (Implication)
= (¬H ∨ A) ∧ (¬C ∨ G) ∧ ((H ∨ C) ∨ M)   (Double negation)
= A ∨ G ∨ M   (Resolution twice)
= (A ∨ G) ∨ M   (Associativity)
= ¬(A ∨ G) → M   (Implication)

Therefore, we have shown that the following is valid: If neither the air conditioner nor the heater is on, then the room temperature is comfortable. However, we cannot conclude the following from the specification: If the room temperature is comfortable, then neither the air conditioner nor the heater is on, that is, M → ¬(A ∨ G).

Proving Satisfiability Using the Resolution Procedure

Now we describe in detail the approach using the resolution principle to establish validity. Once a propositional formula is transformed into conjunctive normal form, the order of the subformulas joined by ∧ and ∨ can be changed without altering the meaning of the formula. Two clause sets are equivalent if any truth-value assignment assigns the same truth value to both. Let S be a clause set. We define
R(S) = S ∪ {T : T is a resolvent of two clauses in S}.
The procedure using resolution to determine the satisfiability of individual propositional formulas consists of the steps shown in Figure 2.5. This algorithm is an exhaustive approach to resolution since it forms all possible resolvents even though only a subset of these resolvents is needed to derive the empty clause.

Resolution procedure:
(1) Transform the given formula into conjunctive normal form (CNF).
(2) Write this CNF formula in clausal form: a set S of clauses each of which is a disjunction of literals.
(3) Compute R(S), R^2(S), ... until R^i(S) = R^{i+1}(S) for some i.
(4) If □ ∈ R^i(S), then S is unsatisfiable; else S is satisfiable.
Figure 2.5 Resolution procedure for propositional logic.
Hence, its complexity is exponential in the original size of the clause set S. To attempt to form only the needed resolvents, we define the concept of deduction. Given a clause set S, a deduction from S consists of a sequence of clauses C1, ..., Cn where either each Ci ∈ S or, for some a, b < i, Ci is a resolvent of Ca and Cb.

Resolution Theorem: A clause set S is unsatisfiable iff there is a deduction of the empty clause from S.

Example. Consider again the simplified automatic climate control example. Now we prove (F1 ∧ F2 ∧ F3) → F4 using this resolution theorem. We show that the negation of this formula is unsatisfiable. The negated formula is
¬((F1 ∧ F2 ∧ F3) → F4) = ¬(¬(F1 ∧ F2 ∧ F3) ∨ F4) = (F1 ∧ F2 ∧ F3) ∧ ¬F4.
Replacing F1, F2, F3, F4 with the original symbols, we convert this formula into CNF:
(¬H ∨ A) ∧ (¬C ∨ G) ∧ (H ∨ C ∨ M) ∧ ¬A ∧ ¬G ∧ ¬M.
Then we convert this CNF formula into clausal form:
S = {{¬H, A}, {¬C, G}, {H, C, M}, {¬A}, {¬G}, {¬M}}.
We are ready to derive a deduction of □ from S:
C1 = {¬H, A}   member of S
C2 = {¬C, G}   member of S
C3 = {H, C, M}   member of S
C4 = {¬A}   member of S
C5 = {¬G}   member of S
C6 = {¬M}   member of S
C7 = {¬H}   resolvent of C1 and C4
C8 = {¬C}   resolvent of C2 and C5
C9 = {H, C}   resolvent of C3 and C6
C10 = {H}   resolvent of C8 and C9
C11 = □   resolvent of C7 and C10.

Figure 2.6 Deduction tree 1.

Figure 2.7 Deduction tree 2.

Therefore, the clause set is unsatisfiable. Hence the original (unnegated) formula is valid. Figures 2.6 and 2.7 show two versions of a deduction tree corresponding to this deduction. This resolution theorem forms the basis of most software tools for determining satisfiability of propositional logic formulas.
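The three proofs of the climate-control requirement above (truth table, Figure 2.5 saturation, and a deduction of the empty clause) can be checked mechanically. The following Python is an added example, not code from the book: the atoms H, A, C, G, M, the formulas F1 to F4 and the clause set S are the text's, while every function name (interpretations, counterexamples, is_consequence, resolvents, resolution_procedure, deduction_of_empty_clause) is this example's own. It also shows why the converse M → ¬(A ∨ G) does not follow, by exhibiting the interpretation that refutes it.

```python
from itertools import product

# Added example: truth-table validity check and the resolution procedure of
# Figure 2.5 applied to the climate-control specification.  Atoms and
# formulas F1..F4 are the text's; all function names are this example's own.
ATOMS = ["H", "A", "C", "G", "M"]

def implies(p, q):
    return (not p) or q

F1 = lambda v: implies(v["H"], v["A"])                        # H -> A
F2 = lambda v: implies(v["C"], v["G"])                        # C -> G
F3 = lambda v: implies(not (v["H"] or v["C"]), v["M"])        # not(H or C) -> M
F4 = lambda v: implies(not (v["A"] or v["G"]), v["M"])        # not(A or G) -> M
SPEC = lambda v: F1(v) and F2(v) and F3(v)                    # F1 and F2 and F3
CONVERSE = lambda v: implies(v["M"], not (v["A"] or v["G"]))  # M -> not(A or G)

def interpretations(atoms):
    """All 2^n assignments of T/F to the atoms: the rows of a truth table."""
    for values in product([False, True], repeat=len(atoms)):
        yield dict(zip(atoms, values))

def counterexamples(premise, conclusion, atoms=ATOMS):
    """Rows in which the premise is true but the conclusion is false."""
    return [v for v in interpretations(atoms) if premise(v) and not conclusion(v)]

def is_consequence(premise, conclusion, atoms=ATOMS):
    """True iff premise -> conclusion is valid (true in every row)."""
    return not counterexamples(premise, conclusion, atoms)

# --- Resolution on clause sets (Figure 2.5) --------------------------------
# A literal is (name, True) for P or (name, False) for not-P; a clause is a
# frozenset of literals; frozenset() is the empty clause.
def clause(*literals):
    """clause("P", "~Q") builds {P, not-Q}; a leading '~' negates."""
    return frozenset((l.lstrip("~"), not l.startswith("~")) for l in literals)

def resolvents(c1, c2):
    """Every resolvent of c1 and c2: drop one complementary pair L, not-L and
    take the disjunction (union) of the remaining literals."""
    out = set()
    for name, pos in c1:
        if (name, not pos) in c2:
            out.add((c1 - {(name, pos)}) | (c2 - {(name, not pos)}))
    return out

def resolution_procedure(clauses):
    """Compute R(S), R^2(S), ... until R^i(S) == R^(i+1)(S); S is
    unsatisfiable iff the empty clause is in the fixpoint."""
    s = frozenset(clauses)
    while True:
        new = {r for c1 in s for c2 in s if c1 != c2 for r in resolvents(c1, c2)}
        r = s | new
        if r == s:
            return frozenset() in s, s
        s = r

def deduction_of_empty_clause(clauses):
    """Search for a deduction C1, ..., Cn ending in the empty clause.  Returns
    the steps as (clause, parents), parents being None for a member of S and
    (a, b) zero-based indices of earlier steps otherwise; None if none exists."""
    steps = [(c, None) for c in clauses]
    seen = {c for c, _ in steps}
    i = 0
    while i < len(steps):             # pair step i with every earlier step
        for j in range(i):
            for r in resolvents(steps[j][0], steps[i][0]):
                if r not in seen:
                    seen.add(r)
                    steps.append((r, (j, i)))
                    if not r:
                        return steps
        i += 1
    return None

# Clausal form of (F1 and F2 and F3) and not F4, exactly as in the text.
CLIMATE_S = [clause("~H", "A"), clause("~C", "G"), clause("H", "C", "M"),
             clause("~A"), clause("~G"), clause("~M")]

if __name__ == "__main__":
    print("spec -> F4 valid:", is_consequence(SPEC, F4))
    print("spec -> (M -> not(A or G)) valid:", is_consequence(SPEC, CONVERSE),
          "refuted by", counterexamples(SPEC, CONVERSE)[0])
    print("S unsatisfiable by saturation:", resolution_procedure(CLIMATE_S)[0])
    for k, (c, parents) in enumerate(deduction_of_empty_clause(CLIMATE_S), 1):
        print(f"C{k} = {sorted(c)} " + ("member of S" if parents is None else
              f"resolvent of C{parents[0] + 1} and C{parents[1] + 1}"))
```

The saturation in resolution_procedure is the exponential Figure 2.5 algorithm; deduction_of_empty_clause stops as soon as □ appears, which is the point of the Resolution Theorem. Dropping {¬M} from S (CLIMATE_S[:-1]) gives a satisfiable set, and both functions report that correctly because every resolvent is a logical consequence of its parents.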
However, the complexity of these tools remains exponential in the original size of the clause set. Chapter 4 presents more efficient representations of Boolean formulas using binary decision diagrams (BDDs) that allow faster manipulation of formulas in a number of practical cases. Chapter 6 discusses heuristics for reordering clauses in the decision tree to reduce the search time for determining unsatisfiability.

2.1.2 Predicate Logic

Propositional logic can express simple ideas with no quantitative notions or qualifications, and is also good enough for describing digital logic circuits. For more complex ideas, propositional logic is not sufficient, as shown in the following example.

Example. Consider the following statements: Every time the car brake pedal is pressed by the driver of the car, the car stops within 8 seconds. Because Mercedes Benz E320 is a car, whenever the driver of the Mercedes Benz E320 presses its brake pedal, the Mercedes Benz E320 stops within 8 seconds.
P denotes "Every time the car brake pedal is pressed by the driver of the car, the car stops within 8 seconds."
Q denotes "Mercedes Benz E320 is a car."
R denotes "Whenever the driver of the Mercedes Benz E320 presses its brake pedal, the Mercedes Benz E320 stops within 8 seconds."
However, R is not a logical consequence of P and Q in the framework of propositional logic.

To handle these statements, we introduce predicate logic, which has the concepts of terms, predicates, and quantifiers. First, we define functions and terms.

Function: A function is a mapping from a list of constants to a constant.

Terms: Terms are defined inductively as follows:
1. Every constant or variable is a term.
2. If f is an n-place function symbol and x1, ..., xn are terms, then f(x1, ..., xn) is a term.
3. All terms are generated using the above rules.

Next, we define predicates and atoms.

Predicate: A predicate is a mapping from a list of constants to either T or F.
Atoms or Atomic Formulas: If P is an n-place predicate symbol and x1, ..., xn are terms, then P(x1, ..., xn) is an atom or atomic formula.

The special symbol ∀ is the universal quantifier, and the special symbol ∃ is the existential quantifier. If x is a variable, then ∀x means "for all x" (or "for every x") and ∃x means "there exists an x." We also need to define the notions of bound and free variables and variable occurrences.

Bound and Free Variable Occurrences: Given a formula, an occurrence of a variable x is a bound occurrence iff the occurrence is within the scope of a quantifier over this variable or the occurrence immediately follows this quantifier, that is, x appears in a subformula of the form (∀x)F or (∃x)F. Given a formula, an occurrence of a variable is a free occurrence iff this occurrence is not bound.

[...]

... control system in propositional logic formulas. Automobile automatic cruise system: If the "auto-cruise on" button is lighted, the automatic cruise system is turned on; otherwise, it is turned off. Pressing the "auto-cruise on" button once turns its light on. Pressing the "auto-cruise off" button once turns the "auto-cruise on" button's light off. If the ...

... rate-monotonic scheduler" and E(x) represents "task x is schedulable by the earliest-deadline scheduler." Specify the following English statements in predicate logic formulas: (a) Every task schedulable by the rate-monotonic scheduler is schedulable by the earliest-deadline scheduler. (b) Not every task is schedulable by the earliest-deadline scheduler. (c) Some tasks not schedulable by the rate-monotonic ...
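The definition of bound and free occurrences above is easy to get wrong when the same variable appears both inside and outside a quantifier's scope. The following Python is an added example, not the book's code: it encodes predicate-logic formulas as nested tuples (an encoding chosen here, not the text's notation) and classifies every variable occurrence exactly as the definition states, treating the occurrence immediately after a quantifier as bound. The function names occurrences, bound_variables, free_variables and is_closed are this example's own.

```python
# Added example: bound/free variable occurrences in predicate-logic formulas.
# Encoding (this example's own):
#   ("atom", "P", ["x", "y"])            the atom P(x, y); arguments are variables
#   ("not", F)  ("and", F, G)  ("or", F, G)  ("imp", F, G)
#   ("forall", "x", F)  ("exists", "x", F)   (forall x)F and (exists x)F
def occurrences(formula, scope=()):
    """Yield (variable, "bound" | "free") for each occurrence, left to right.
    `scope` lists the variables quantified over the current subformula; an
    occurrence is bound iff it lies in the scope of a quantifier over that
    variable or is the occurrence immediately following such a quantifier."""
    kind = formula[0]
    if kind == "atom":
        for v in formula[2]:
            yield (v, "bound" if v in scope else "free")
    elif kind == "not":
        yield from occurrences(formula[1], scope)
    elif kind in ("and", "or", "imp"):
        yield from occurrences(formula[1], scope)
        yield from occurrences(formula[2], scope)
    elif kind in ("forall", "exists"):
        v = formula[1]
        yield (v, "bound")                       # the occurrence after the quantifier
        yield from occurrences(formula[2], scope + (v,))
    else:
        raise ValueError(f"unknown node kind {kind!r}")

def bound_variables(formula):
    """Variables with at least one bound occurrence."""
    return {v for v, k in occurrences(formula) if k == "bound"}

def free_variables(formula):
    """Variables with at least one free occurrence."""
    return {v for v, k in occurrences(formula) if k == "free"}

def is_closed(formula):
    """A closed formula (sentence) has no free occurrence at all."""
    return not free_variables(formula)

# Constructed example: ((forall x)(P(x) -> Q(x, y))) and R(x).  The x in R(x)
# is outside the quantifier's scope, so x is both bound and free here.
EXAMPLE = ("and",
           ("forall", "x", ("imp", ("atom", "P", ["x"]), ("atom", "Q", ["x", "y"]))),
           ("atom", "R", ["x"]))

if __name__ == "__main__":
    print(list(occurrences(EXAMPLE)))
    print("bound:", bound_variables(EXAMPLE), "free:", free_variables(EXAMPLE))
```

Under the definitions that follow in the text, a variable is bound iff at least one of its occurrences is bound and free iff at least one is free, so EXAMPLE reports x as both; only a formula with no free occurrences is closed.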
... every n-place predicate in S. H-Interpretation: An H-interpretation of a set S of clauses is one that satisfies the following conditions: 1. Every constant in S maps to itself. 2. Each n-place function symbol f is assigned a function mapping an element of H^n to an element in H, that is, a mapping from (h1, ..., hn) to f(h1, ..., hn). Let the atom set A of S be {A1, ..., An, ...}. An H-interpretation ...

... of a clause C is any clause obtained from C by a one-to-one replacement of variables specified by the substitution θ. In other words, a variant of C can be either C itself or C with its variables renamed. Example. Continuing the above example, let C = (¬(R(x) ∧ O(y)) ∨ D(x, y)). Then Cθ1 = ¬(R(x) ∧ O(a)) ∨ D(x, a). Unification Algorithm: (1) i := 0, ρi := ...

... form f_n(x1, ..., xn), each x_j ∈ H_i, for all n-place functions f_n in S. H_i is the i-level constant set of S, and H_∞ is the Herbrand universe of S. Example. S = {P(x) ∨ Q(x), ¬R(y) ∨ T(y) ∨ ¬T(y)}. Since there is no constant in S, H0 = {a}. Since there is no function symbol in S, H = H0 = H1 = ··· = {a}. Ground Instance: Given a set S of clauses, ...

... Often we omit the parentheses surrounding the quantifier and the quantified variable. Bound and Free Variables: Given a formula, a variable is bound iff at least one occurrence of this variable is bound. Given a formula, a variable is free iff at least one occurrence of this variable is free. Now we are ready to define formulas in predicate logic. Well-Formed Formulas: Well-formed ...
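The level-by-level construction of the Herbrand universe in the fragment above (H0 is the constant set of S, or {a} if S has none; H_{i+1} adds f(x1, ..., xn) for every n-place function symbol and x_j ∈ H_i) is short enough to run. The following Python is an added example, not the book's code: herbrand_levels and universe_is_finite are this example's own names, the signature is passed in as a constant list plus a function-symbol/arity mapping (an input format chosen here), and the first call reproduces the text's example S, where no constants and no function symbols give H = {a}. The second call, with a constructed signature that has a one-place function symbol, goes beyond the text to show the universe growing without bound.

```python
from itertools import product

# Added example: i-level constant sets H_0, H_1, ... of a clause set S, built
# from its signature.  Terms are plain strings such as "a" or "f(f(a))".
def herbrand_levels(constants, functions, max_level):
    """Return [H_0, H_1, ..., H_max_level] as frozensets of ground terms.
    H_0 is the set of constants in S, or {"a"} if S has no constant;
    H_{i+1} = H_i plus f(t1, ..., tn) for each n-place f and t_j in H_i."""
    h = set(constants) if constants else {"a"}
    levels = [frozenset(h)]
    for _ in range(max_level):
        nxt = set(h)
        for f, arity in functions.items():
            for args in product(sorted(h), repeat=arity):
                nxt.add(f"{f}({','.join(args)})")
        h = nxt
        levels.append(frozenset(h))
    return levels

def universe_is_finite(constants, functions):
    """H_infinity is finite exactly when the levels stop growing at once,
    i.e. when S has no function symbol (H_1 == H_0)."""
    h0, h1 = herbrand_levels(constants, functions, 1)
    return h0 == h1

if __name__ == "__main__":
    # The text's S = {P(x) v Q(x), ~R(y) v T(y) v ~T(y)}: no constants, no functions.
    print("text example:", herbrand_levels([], {}, 3))
    # Constructed signature: constants a, b and a one-place function f.
    for i, level in enumerate(herbrand_levels(["a", "b"], {"f": 1}, 3)):
        print(f"H_{i} ({len(level)} terms):", sorted(level))
    print("finite?", universe_is_finite([], {}), universe_is_finite(["a"], {"f": 1}))
```

Because a single function symbol already makes the Herbrand universe infinite, a ground-instance based procedure cannot simply enumerate it; this is the reason the later material on unification and Skolem standard forms works with variables symbolically rather than by grounding.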
... introducing the resolution principle. Several refinements of resolution were introduced in the following years. Slagle [Slagle, 1967] proposed semantic resolution, which unifies hyper-resolution, renamable resolution, and the set-of-support strategy. Boyer [Boyer, 1971] introduced a very efficient lock resolution. Loveland [Loveland, 1970] and Luckham [Luckham, 1970] independently developed linear resolution ...

... foundations of symbolic logic, automata, formal languages, and state transition systems. These concepts can be used to reason about, analyze, and verify the correctness of non-real-time systems. Many analysis and verification techniques for real-time systems are based on these untimed approaches. Symbolic logic is a collection of languages that use symbols to represent facts, events, and actions, and provide rules ...

... first-order logic formulas, we first convert these formulas to standard forms discussed next. Prenex Normal Forms and Skolem Standard Forms. We now present a standard form introduced in [Davis and Putnam, 1960] for first-order logic formulas using prenex normal form, conjunctive normal form, and Skolem functions. This form will make it easier to mechanically manipulate and analyze logic formulas. A first-order ...

... states and transitions. Hence, nondeterministic finite automata can often simplify the description of language recognizers. Nondeterministic Finite Automaton: A nondeterministic finite automaton A is a 5-tuple , S, S0, F, , in which is a finite alphabet, S is a finite set of states, S0 ∈ S is the initial state, F ⊆ S is the set of final states, and , the ...

Posted: 26/01/2014, 16:20
