t- 21,.25 zohar manna · final techt-nical report sponisored by defense advanced research projects...
TRANSCRIPT
Form Approved
REPORTDOCL AD-A236 001 oM NO. 7oo0o88
"on I nfollmalio li Il U l m ln Ci vewng gntuooo. (3418 s.cs.gathernq and maintaimnng tme iata neeced. And cnorroe frain thi buden estmate or any other asoect of tn$scollectio t of :ntormatlon, nctualng uggeiton -or reat -fnfOrmvation Ooerat On$ and P ior, T21s etfersonOavls HIII.wav. S u,te 1204 At rigton. , A2 2202-4302. a eCt 0704-0188). VaSthngtcn. --,C 20503
1. AGENCY USE ONLY (Leave blank) 2 REPORT DATE 3. REPORT TYPE AND DATES COVEREDFeb. 1991 Final Scientific Report; 11/10/88-12/31 9
4. TITLE AND SUBTITLE S. FUNDING NUMBERS
Deductive Programming Synthesis C: N00039-84-C-0211
6. AUTHOR(S) T- 21,.25
Zohar Manna ' ,...0.
7. PERFORMING ORGANIZATION NAME(S) AND ADDR* ) __ 8. PERFORMING ORGANIZATION" ' ' ' REPORT NUMBER
Computer Science Department RStanford UniversityStanford, CA 94305
9. SPONSORING. MONITORING AGENCY NAME(S) AND ADDRESSiES) 10. SPONSORING, MONITORING
sponsoring agency: monitoring agency: AGENCY REPORT NUMBER
SPAWAR 3241C2 ONR Resident Representati eSpace & Naval Warfare Systems Mr. Paul Biddle f_
Command Stanford Univ., 202 McCul oughWashington, D.C. 20363-5100 Stanford, CA 94305 ,11. SUPPLEMENTARY NOTES
12a. OISTRIBUTION AVAILABILITY STATEMENT 12b. DISTRIBUTION CODEApproved for public release: distribution unlimited
113. ABSTRACT ,0aximum ,20wora
See page 1 of report. .
Dis t ri:* jr~A-Nllnbklty CoesT
14 ;UBJECT ERMS 15. NUMBER OF PAGES
SCODE
17. SECURITY CLASSIFICATION 18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF ABSTRACT '
OF REPORT OF THIS PAGE OF ABSTRACT
T UL U UL
9 A9
FINAL TECHT-NICAL REPORT
Sponisored byDefense Advanced Research Projects Ageiicv, DoD
1400 Wilson BoulevardArlington. Virgirnia 22209-2389
"Deductive Prograni-ming S-,.n thesis*'DARPA Order No. 6177
Issued by Space and Naval W-arfaeyt-emCo anUnder Contract # NOO039-84-C-0O21 I
Task 21: 11/10/38 - 2/23/90Task 25: 3/11/90 -12/31/90
Zohar -Manna. ProfessorComputer Science Department
Stanford Univer'sitvStanford. C'alifornia 04305-2140
M4AR 28 199,
Tlevieiwc and coliciusions contained In this document are those of theauthors and should not be interpreted as representing the official poli-cies, either expressed or implied, of the Defenlse Adv-anced ResearchProjects Agency or the U.S. Governmnt."j
FINAL TECHNICAL REPORT
Sponsored byDefense Advanced Research Projects Agencv (DoD)
1400 Wilson BoulevardArlington. Virginia 22209-2389
"Deductive Programming Synthesis"DARPA Order No. 6177
Issued by Space and Naval Warfare Systems CommandUnder Contract # N00039-84-C-0211
Task 21: 11/10/88 - 2/28/90
Task 25: 3/1/90 - 12/31/90
Zohar Manna, ProfessorComputer Science Department
Stanford UniversityStanford, California 94305-2140
'The views ano conclusions contained in this document are those of the
authors and should not be interpreted as representing the official poli-cies, either expressed or implied, of the Defense Advanced ResearchProjects Agency or the U.S. Goverl111,'t."
91 91 2 20 024
SUMMARY OF COMPLETED PROJECT
Prograin synthesis is the systematic drivation of a computer prograin to meet a given speci-fication. h'lie specification is a general description of the purpose of the desired program, while theprogram is a detailed description of a met hod for achieving that purpose.
Fhe iet hod is based on a deductive ;ipproach. in which the problem of deiving a programis regarded as me of proving a mathematical theorem. The theorem expresses the existence of anobject ineetiuii the specified conditions. The proof is restricted to be sufficiently constructive toindicate a me thod foi finding the desired output. That method becomes the basis for a program.which is extracted from the proof.
[he oiiliasis of the work has been on automatinig as much as possible of the program derivationprocess. 'ieorem-proving methods particularly well-suited to the program synthesis applicationhavo beeni (ew0)ped. An interactive program-derivation system has been implemented. Applica-tions to database management and plann ing have been investigated.
Reactive programs are programs whose role is to maintain an on-going interaction with theirenvi ronment , rather than to produce a coinl)Lut ational final result on termination. Programs belong-ing to this clas are usually described by some of tie attributes: concurrent. distributed, real-time.and tYpical examples of such programs are: embedded programs. communication networks, controlprogranis of nijndustrial plants, operating systems, real-time programs, etc. Clearly, the correct andrelliible construct ion of such programs is ne of the most challenging programming tasks existingtoda.v.
Due to tlie special character of these prograis. the formal approach to their specification andlevelopment in .t be based on the study of their bdrtvior, rather than on the function or relationtey coiipite, an approach which is adequate for computational and sequential programs.
IForuial methiods were developed for the specification, verification and development of reactivepro2raiis. based oik the formalism of temporal logic that has been specifically designed to reason
Ahomit beliaviors of reactive programs.
TECHNICAL INFORMATION
REACTIVE SYSTEMS
Temporal Proof Methodology for Reactive Systems ([MP2],[MP5],[MP6])
n ,;iolied in, detail the proof metliodologies for verifying temporal properties of concurrentpjrorais. ('orre-ponding to the main classi fication c'f toeporal prop,-rties into the crasses of saj" ty,Mui Ib,,,...... pioperties. appropriate proof principles were presented for each of the classes.
We devoloped proof principles for the establishiniet of safety properties. We showed that,..i, r ially t here is only one such principle for safety proofs. the invariance principle, which is a
generalization of the method of intermediate asserlioii-. We also indicated special cases under
whici tlhmse as,'rtiowi can be found algoritlhmicalll.
Trhe proof principle that we developed for pi'~~sIroperties is based on the notion of well-fotuded descent of ranking functions. However, because of thle niondeterminancv inherent iin conicur-rent ('ouputations, the well-founided principle muiist be miodified lin a way that is strongly dependentonl thle uotion of fairness that Is assuiuned ii the coin pittat ioui. Consequently, thireo versions of t hewell-founded principle were preseuted. each correspoudinig to a different definition of fairness.
We illustrate the applicatiou of these rules on several Oxamples. We suggest concise presenita-tionls of coinplex proofs uising tHie dlevices of transition tabh(. and proof diagramns.
*Formal Approaches to the Construction of Correct Reactive Programs ([MP-ij)
Ue'active prograins are p)rograis wlio.,e role is to niaintaini an oni-going interaction with theireni rouii nt. rat her than to produice a coiputational finial result onl termination. Programs belong-iug to this class are usualtv (described bY somie of the attributes: concurrent. distributed. real-time.aud( I vli)ical exa inilles of such p~rograms are: emibedded pro-ra ins, comm iuni cation nietworks, controlproura iis of mudumstrial p laniits. operatingy systeniis. real-time l)rogramns, etc. Clearly, the correct anidreliable construction of suich Iprograis is oime of the miost chlenging programming tasks existing-,t o(I a.-
IOii to the special character of these programns, the formnal approach t~o their specification and(levelolpiieiit miust, be based ont the study of their behavior. rather than on the function or relationhe.% coiimpite. ali approach wiIch is adequate for comiputational and sequential programis.
W\e developed fornial miethods for the specification. verification and developmient of reactiveprorains, based onl the forinalsimi of tinporal logic that lias been specifically developed to reasona bout b~ehaviors of reactive lprogranis.
Ammmg thle topics we inetgtdare:
* \ odel hgreactive lprogra inls as faii, t ra usit ionl svstellis.
* Iie aiiiige of te-iiporal logic anid its usalge for thme specification of programn propertiesamid~ sYstemn requiiroemenlts.
* classificat ion of specifications into thle classes of' *afetiy properties, -c-sponsiven~ss p~rop-it 1 '5 (s.eI c.
* liliodologies for- forial verification of the safety p~rop~erties of a reactive program,. anuldevlopiimit approaches derived fromn themi.
" Nli liodologies for formial verification ofzlhe respoiisivoeSS, properties of a. reactive program.i,11d derived developmient al1)lproac les.
" I ie case of finite-state programns and automiatic verification tools for this case.
0 Tools and Ruiles for the Practicing Verifier ([\1P3].[NMP4])
We~ developed a iii nial proof thleorv which is adequia te for provinig thle niaiin imiportant tenipo-ral j'roprrtios of' reactive programs. The properties wve consider consist of the classes of invariance,rf yi,. aiii pre(-Kh itce properties. For each of' these classes we present a smiall set of rules tma~tis (compljete for verifying Properties belonging to this (-lass. We illustrate the application of these1.1lc, b)Y auizi i h a tid veii fyi ug the p~ropert ies of a mew a Igori thin for rn utual exclusion.
AUTOMATED DEDUCTION
*TABLEAU, An Interactive Graphic Deductive System (r13.IW])
'Xe liave Collab~oralted with a. team In developing an Interactive t lieorein prover. TABL1EAUI,based onl the deductive-t ablean framiework. Inmplementedl on anl Apple Maci itosli comput or. thesy stem exploit., the gra p ilcal interface of that iiacihie Ii communicating w ith thle uiser. Ratherthan rel,%in- on -he kc: hoard. the user nay , select with a miouse whiichi step i hie proof to attemptnext. Although direct hg-Y the proof is the responiility, of the user, the s,,stemi Intervenes if the
use aten)tsam lleal t ep. Tlie ;vstoin can Construct proofs in propositionail and predicate logic,in theories of t lie lominegative Integers. trees. anid tuiples. and in new thieories introduiced bY theuiser.
'lie svsrei ia. a~ cobliihiia tioni of featutres lacking elsewlhere. In pa rticul Iat.
" It call Ililtde Ic llmjils wit Ii both universa I and existenitial quantifiers.
" It Cani produice prol f, by miat iemiatical induct ion, including well- fou nded iductionl
" It hias special prm iiouis for reasoning about equalty. Furthermore, the convenient Interfaceof the -syvstem jiake., It far easier to use in constructing a detailed proof than it is to provethle sanie eltl IbY hia id. a. featutre unfortunately, not shared with many sy~vstems.
T lie yte Ila.-, bevmi a liiliinientedl iii several directions:
" 111it de I 1ew lp ih of addxnfg niew deuh niles. TIs* would fatclii ate the applica-tlii of t lie v to n I)iew t ieories.
" Introduce al facilitY 1v 1 extracting inforniatioii fron proofs. This information could be a
progiail. a lilaii ()I a (databiase transaction.
" .\ ilow% ilie _,radilaI a ito011at ion of lie sYstemi. In p~articular. we would like to aim tornatecert a i roi ie d 4 repet itiye aspects of thle proof process.
We ar il alo III 11wn process of developing aii interactive program sviitlhesis systemi, based on oui(Icdlictiye ec i le iir p)roaiaiii synthiesis.
A Resolution Approach to Temporal Proofs ([jA.%21)
.\ ovel proof st ''lIll for temporal logic was dleveloped. The systemi is based onl the classi-Call lion- cla li i re'sol litluoll mletl110(1 an In1 volves a special treatment of q iianmt ifiers anmd telimiporal
epra tor ;.
Som mlness, an com (~ipleteniess issuies of resolution and other related systemis were inivestigate([.W'A l hi io Ol eo livv p roo m1liet 110(1 for temiporal logic Cani he comnplete. we established tlha~t a smloxteilsioil of t lle ie'oluiol l .stein is as p~owerfuil as Peano Arithmetic.
'Achav ilvctiglfdth us ofthesytemforveIfyng concurrent programls. We also provideda milogous ('501 lit loll *~~'Ills, f0r othler utseful modal logics. such as certain mio(al logics of knowledgeall be(1l~ief.
31
e Logic: The Calculus of Computer Science (~W~
The research papers in which we have Jpresented tile deduictive a pproach to program svnithleishas been addressed to the usual academic reader" oftihe scoal oin .In anI effort to mnake r hiswvork accessible to a wider audience. incidiig coipuiter q-ieiico miider,,rad tiatvs and programmersIl".we have developed a more Plemnentary' treatment Ii the forin of al book. The Loqical Basis forComnputer Proyrmming. Addison i-WesleY.
This hook requires no coiputer prograi iing aii ii1 o mat heiimatics other than anl iitt iiv e
understanding of sets, relations. finiciions, and~ nnniiber.-;t ilie level ofA exposition is elemlent ari.N1evertheless, the text presents somie novel research result,. includinig
" theories of strings, trees. lists. fittlit sets andl bags. whlich are lparticnilarlv well sitedl totheorem-i-proving and progra iii-sv iiille is a pplica tions:
" formializations of parsiiig,. liifii lute -- yWIies. expressions. stthst ittutions. and unification:
* a 1oniclausal versionl of oeniatin
" a t reatment of mathematical iicili on i thle (leduct ive-tablea ii framiework.
DEDUCTIVE SYNTHESIS
o The Deductive Synthesis of Computer Program-s ([NL1Wtfl
Program sYnthesis is the sYsteniat ic derivation of a comiputer program to meet a given spec-ification. 1-lere the specification is a geiicral descriptioni of the puripose of the desired progra in.whlille the programi is a ([etailedl descri p1ioni of a [uet hoid for achieving that purpose. The partictilarem phasis of tis project is oil t lie dlevelopmiienit of' deduictilve techiqu~es. i.e., techniques based -onheorem proving, for programn synthlesis. Thiese techiqut(tes are amenable to automatic impleiiucita-ioni. btit miay lbe uised interact ivl or Ihr thle lprvcise coin itinilcatioii of dlerivations discovered by
ha ild
S~ome ac hievements of the p~roject are ais follows:
" Svnotliesis of a class of recursi v miific;oi o al!goritlitiis algorithmis for finding a commnoninistanice of two expressioins).
" I )rvelopnuen t of a sittiatioiia I logic fo r I lie -sv itlies"is of' nlonapplicative programs (programsw~ith side effects).
Si trod uict ionl of (ledl ctionl rulles giving-. acceleratedl performance for relations of special in1-portami (' to progra in -sviithesis ( 511(11&a, eqiialit v aitul ordering rela tioins)
" 's v nhesis of' a class of rca I-n till n er a Igori t Ii ins erit loviiig the binar-y-search technique (suichas bnarysea r hsquare- rool algorit Ii iii.
* ( oiiiplet ionl of a surlvey sitilliiiiariziii-, mi a Jpopu.i vii the deduictive approach t~o program
REAL-TIME SYSTEMS
* Real-Time Reasoning in Temporal Logic ([AH 1])
We introduce a real-time temporal logic for the specification of reactive systems. The novelfeature of our logic, TPTL (Time Propositional Temporal Logic), is the adoption of temporaloperators as quantifiers over time variables: every modality b inds a variable to the time(s) it refersto.
TPTL is demonstrated to be both a natural specification language as well as a suitable for-malism for verification and synthesis. We present a tableau-based decision procedure aud niodel-checking algorithm for TPTL. Several generalizations of 'l'l,TI are shown to be highly undecidable.
* Real-time Logics: Complexity and Expressiveness ([AH2])
The theory of the natural numbers with linear order ad ni monadic predicates underlies propo-sitional linear temporal logic. To study temporal logic- for real-time systems, we combine thisclassical theory of infinite state sequences with a theory o f time, via a monotonic function thatmaps everY" state to its time. The resulting theory of timed state sequences is shown to be decid-able. albeit nonelementary, and its expressive power is characterized by Omega-regular sets. Severalmore expressive variants are proved to be highly undecidable.
This framework dllovW us to classify a wide variety of real-time logics according to their com-plexity and expressiveness. In fact, it follows that most formalisms proposed in the literaturecannot be decided. We are, however, able to identify two elementary real-time temporal logicsas expressively complete fragments of the theory of timed state sequences. and give tableau-baseddecision procedures. Consequently. these two formalisms are well-suited for the specification andverification of real-time systems.
* Proving Properties of Real-Time Systems ([I1l])
We introduced a novel extension of propositional inodal logic that is interpreted over Iripkestructures in which a value is associated witi every po.,.ihle world. These values are. however.not treated as full first-order objects; they cai be ai(('ssd only bv a very restricted form of
(puantification: the 'freeze" quantifier binds a variale i, the value of the current world. Wepresent a complete proof system for this ("half-ord r") idal logic.
As a special case. we obtain the real-tiue temporal lhic TPTL of [AHI]: The models arerestricted to infinite sequences of states. whose values are nimootonicaly increasing natural in -
bers. The ordering relation between states is interpreted ; fTemporal precedence. while the value
associated with a state is interpreted as its *'real'" time. \Vc extend our proof system to be colpl, tfor TPTL, and demonstrate how it can l)e used to derive real-time l)roperties of reactive svstemls.
Other applications of the frefze rquantifier are in dviamiic logic and epistemic logics.
* Temporal Proof Methodologies for Real-time Systems ([HMP])
We extend t he specification language of temporai logic. lie verification framework. and the ii-
derlying computational niodel to deal with real-tinre piropen iis of concurrent and reactive systei.
A global, discrete, and asynchronous clock is i corporatd Iiw1o thle lnodel by defining the abstracl
notion of a real-time transition svsl.eni as a coxsrvative exl rion of traditional transition systeini:
qualitative fairness requirements are replaced (.iiud 'F,,r,'ddl) by quantitative lower-bound aui
upper-borid real-tinre requirements for trainsitioni.
We show how to model programs that communicate either through shared variables or byvmessage passing, and how to represent the important real-time construicts of priorities (iinterrlipt.s)scheduling, and timeouts in this framework.
Two sty' les for the specification of real-time properties are presenitedI. The first sty' lo uses
bounded versions of the temipirai operators: the real-time requiremnts expressed ili this styvle areclassified into bouinded- in varianTce and bounded- response properties. T li secouil( specification st vieallows exp~licit referentces to thle current time through a special clock va-rialble.
Correspondlinga to the two styles of specification. we present two very iliffere it proof niet hodlo-
,gies for the verification of real-time ploperties expressed in these sty*lves. For Ilie boiukd-opt rttors
style. wte provide proof rules to establish lower and upper real-time bounds for' response propertiesof real-timie transition systemus. For the explicit-clock style, we exploit the olh'ervat ioni that when
Pvenl access ito The clock, every real-time property can be refornmulat ed ats a safety property. andl
use the statidard temporal rules for establ-ishing safety properties.
THEORY OF PROGRAMMING
* Logic Programming Semantics: Techniques and Applications ([II1-[1331)
[t is generally affreed that providing a precise formal semantics for a programming langiiage ishielpful itt fully understanding the language. This is especially trite in the case of logic-programiminlg-like languages For which the underlying logic provides a well-defined but instifficieuit semantic basis.Indeed. ili adlditiont to the usual model-theoretic semantics of the logic. proof-theoretir deduiction
plays, a crucial role inl mnderstanding logic programis. Moreover, for specific implementations of
logic prog-rammiling. ,g PRLoG.c, the notion of deduction statelgv 'is also imtportant.We provided semantics for two types of logic programming lantguages aii d11(evelolp applicationts
of these semiantics. First. we propose a semantics of PROLOG prograiiis thi we use as the basis of
a. proof inethod for termination properties of PROLOG programs. Secorid. we tuirn to the temporal
logic prograiiimiig language TEM PLOG of Abadi and Mvannia. (develop) its declaiitive semiantics. aitlhheni use this semiantics to prove a completeness result for- a fragmnent of I etti l1ral logic anmd to studly
[EM tPLO(_; exp~ressiventess.Itt our iP RoiOG semantics, a program is viewed as a fnnictioit iia ppiiiug a goal to a flitite or,
iinfitite sequenice of answer substitutions. The mea~iing of a programt Is Ilien given by the least
sohloito of a s , stein of functional equations associated with the progra iii. [These equtatiomis are
akenl as NIiolfis inl a Ii rst-order theory in which various progra in lprop)(riies. especId llv termuinationl
or noni-torniiination p~roperties, can be proved. The methodl extends to ri' U ( ) l programis withI
extral-logicalh features such as cut.
For tEMNIP LOG, we provide two equivalent fori-mnuatioris of the declarntlilve svilna ittics: Itl t erimis
of' i iiii nab temporal Herbrand model and ill terms of a lea-st fixpoii i. LI miig the least fixpoii
leoina ittics. we are able to prove that TENt PLOG is a fragutent. of tinlorth logic that, admits a
omit ete proof system. This semantics also enables us to study* TEMPLO(; s expressiveness. For
tis, wev lbcuis oil the propositional fragment of TEM PLOC; and prv hlal Ihie expressivettess of
prolpositota mint1 F\i Pi~c (LOGqeries essentially correspoi(15 to that of Finite ant nlia a.
Temporal Logic Programming ([AVt 1])
Temli vral log-ic is a. formalism for reasotning a bout a. chtangintg world. lleca use the concept of
itei is direct lv 61ilt i itto thle form11alism . tentporalI logic Itas been widly w d as a specificat ion
ban guma, go for p)rogramis where the notion of tlime is coiti a I. For the SiiOreason - it Is tia tni I
6
to write such programs directly in temporal logic. We developed a temporal logic programminglanguage, TEMPLOG, which extends classical iogic programming languages, such as PROLO(;. toinclude programs with temporal constructs. A PROLOG program is a collection of classical flor,lauses. A TEMPLOG program is a collection of temporal Horn clau.,es. that is, Horn clauses %%it hcertain temporal operators. Al efficient interpreter for PROLOG is based on SLD-resolutioti. Webase an interpeter for TEMPLOG on a restricted form of our temporal resolution system, tf mporal
qL D-resolution.
0 A Hierarchy of Temporal Properties (MPI)
We proposed a classification of temporal properties into a hierarchy which refines the known.afety-liienes.s classification of properties. The classification is based on the different ways a prop-,,rtv of finite computations can be extended into a property of infinite computations.
This hierarchy was studied from three different perspectives, which were shown to agree. Ie-,pectivelv. we examined the cases in which the finitary properties, and the infinitarv roperlies,xtending them, are unrestricted. spe.ifable by temporal logic, and specifiable bY predicat, al-iomata. The unrestricted view leads also to a topological characterization of the hierarchy as,,c'ipyin- the lowest two levels in the Borel hierarchy.
For properties that are expressible by temporal logic and predicate automata. we provide a . .vn-tact ic characterization of the formulae and automata that specify properties of the different classes.lie temporal logic characterization strongly relies on the use of the past temporal operators.
Cotresponding to each class of properties. we presented a proof principle that is adequate forproving tile validity of properties in that class.
PH.D. THESES
M The Temporal Specifications and Verifications of Real-Time Systems ;[H2])
We generalize the temporal-logic approach to the analysis of reactive svstenis to real-limevstemns. The complete methodology includes the following four components:
" an abstract comp./utational model for real-time systems. We add a global. discrete. and a.,v-chronous clock to the interleaving model of concurrency. Traditional transition systevti areextended to real-time transition systems by including lower-bound and u:pper-bound real-ii mecoi traints for transitions. We show how to model both communication by shared variahl's
and by message passing.
" a formal specification language. We analyze and conpare the complexity and expressiveiie.,- oftbree extensions of temporal logic. GCTL refers to time through a special clock variable: l 1) 1.replaces the clock variable by the "freeze'" quantifier: MTL expresses timing conslraitw.- )yboun(led temporal operators. It is shown that while all three languages are equally expressivc.ornlY the latter two logics have elementary decision problems.
" a, m,,di-,hecking algorithm for the verification of finite-state systems. We give tableau-decikioiproceditres for both TPTL and MTL, and show how these algorithms can be used to veiil'v
properties of finite-state real-time transition systems. The automatic-verification prol)letm isshown to be unsolvable for more expressive specification languages.
" a (relative) complete proof system. The proof system for the deductive verification of real-i ilie
transition systems consists of two parts. In tile general part, we give a complete proof s \lit1
for t"PT L. In the program part, we present relative complete proof rules for the verilicati, 1
of bounded-invariance and bounded response properties of a given real-time transition system.Two distinct real-time verification styles are contrasted.
Temporal Reasoning for Real-Time Systems ([A])
Various temnporal logics and -- automata have been proposed and extensively studied for formal-pecification and reasoning ,0:out the behavior of reactive systems over time. However, most ofthese methods ar for qualitative temporal reasoning: there is a large class of systems, called reol-time systrins -- systems whose correctness depends on the actual timing of events, that cannotbe handled by these maethods. For example, the standard temporal logics cannot specify the hardreal-time requiriements such as. the systeni responds within 5 seconds. Also, while modeling asystem, there is no way to model the timing delays and constraints of the physical components.With the increa.;ing use of the ( omputers for real-time applications, there is a pressing need fordeveloping fornh. i methods for the analysis of time-dependent systems. In this thesis, we extendthe scope of the' temporal logic and automata based mothods to the real-time systems.
'We consider ways to generalize the -yntax and the semantics of the ti~nporal logics so asto allow expres. on of the real-time constraints. We address quc.tons such as what is the rightnotation. how to model time, and what type of timing constraints should be allowed. We studydifferent theoretical issues sucl, as complexity, and expressiveness, and whenever possible, givedecision proce(lures.
A particularl. interesting case is when time is modeled by a dense linear order. In this frame-work. we consi(ler how to model a real-time system as a finite-state automaton (augmented with amechanism to model delays). We formalize the real-time equivalent of the notion of regular tracesets, and study its language-theoretic properties useful in verification. We also develop model-checking algorit lmus based on oikr modet.
We believe !hat the results of this thesis provide a basis for the future attempts towardsthe formal verification of hard war,. couinninication protocols, control systems, and as.vachronousconcurrent systeims in general.
PUBLICATIONS
Research papers and Ph.D. these,~ partially supported by this contract.
INVITED PAPERS (CONFERENCES)
%I P1] Z. \I lw i and A. Pniieli. -~A hierarch 'y of temporal properties," 9th Syrnposiurn onPrincz pts of Distributed Comnputintg, Qu~bec, Canada. Aug. 1990.
flP21 Z. Nlanina and A. Puelh. -A. temporal proof methodology for reactive systems"' .5th.I'tI OflFin Conference on Inormation Technology, .Jerusalem. Oct. 1990, pp. 757-773.
INVITED PAPERS (SPECIAL EVENTS)
'.\L131 Z. %lannta and A. Piweli. -An exercise in the verification of mutlti-process programs"ini Beatifil i.s our bzv~lness (W.H.J. Feijen, A..] I. Van Gasteren. D. Gries. J. Misra, eds.),Springer- \e ilag. New York. 1990. pp. 289-:301.
.%I141 Z.. %aita, and A. Pniueli. --Tools and rules for the practicing verifier," Caurnegie Melloniui)?piltA vCc: 425-yar C'ommemzoratit'e. ACMI Press and Addison-Wesley, Septem-
ber 1990.
[.\l l.71 Z. %Liniia and A. Pniieli. --The anchored version of the temiporal framework," in Linearflute. Hiiicling Timne. and( Partial Order in Logics and Models for Concurrency (J.W.
([v Bakker. W.P. de Roevei-. and G. Rozenberg, eds.), Lectuire Notes in Computer Sci-01l351. 'pr iiger-Verlag. 19S9, pp. 201-284.
[\Ik%'C Z. %Ianina and 1(. WValdinger, "Fundamentals of Deduictive Program S *ynthesis," inL.ogic. Algebra. and Com11putation. NATO ASI Series. Springer-Verlag, 1991.
JOURNAL ARTICLES
~.\NI[2 I.AIadi and Z. Mvannia. "Temnporal logic programining". Journal of Symbolic Comn-ttdtimJi. Vol. . No. 3 (Sept. 1989). pp. 2717-295.
'ANI21 I. Ahathi and Z. %Manna. "Nonclausal deduction in first-order temporal logic", JournalOflthe A(N.Vol. 37. No. 2 (April 1990), pp. 279-317.
ZN C7. lainna and A. Pimeli. '-Completing the temiporal picture". Theoretical Computerclvitcp Jonmal (in press).
PAPERS BY PH.D. STUDENTS
Sit pe'vi,;od bY Lohar \anina
[.\III I? .h -Air aid T.A. llenzinge-. "A RZeally Teniporal Logic", 13th IEEE Symposium onFot tiitiomi, of Coiputer Science. 1989, pp. 16.1-169.
iA\I[21 R. Mwt and T.A. 1iemmtinger. "Real-timenioi~ Coinplexity and Expressi veness,~V~f1 )f)Itttl 1[.gic ill olipiter Science. PhiktdIiphlti, PIA. Junme 1990.
[B11 M. Baudinet, "Proving Termination Properties of PROLOG Programs: A Semantic Ap-p)roach,. 3rd Annuai Symposium on Logi'c it? Computer Science, pp. 336-347. Edinburgh,Scotland, July 1988.
[B21 NM. Baudinet, '*Temporal Logic Programiir'ig is Complete and Expressive," 6th ACMI
Symposium on Principles of Programining Laiiyna es. Austin. Texas. January 1989.
[HMIP] T. lfenzinger. Z. Mlanna, and A. Pnuieli. --An interleaving model for real tim&'. .5th.Ier-usalern C'onference on [nformzation Techiiology, October 1990.
[HI] T. Henzinger, -'Half-order modal logic: How to prove real-time properties," 9th Symposiumon Principle of Distributed Computing, Qti~bec, Canada, August 1990.
SOFTWARE
Project Supervised by Zohiar Manna and Richard WValdinger
[BMW]V R. Burback. Z. Manna, S. A. Fra-ser. 11. McGuire, J. Smith, R. Waldinger, andM. Wiinst andley. Tableau Deductive System, in Macitosh Educational Software Collec-nton, distributed by Chariot Software Group. San Diego, 1990. (The User Manual, "Usingthe Deductive Tableau System," is enclosed.)
Ph.D. THESES
Supervised by Zohar Manna
[A] It. Alur. "Temporal Reasoning for Real-Timie S *ystems." Ph.D. Thesis, Computer ScienceDepartnient, Stanford University (to appear. 1991).
[133] M. l3anidinet, -'Logic Programming Semantics: Techniques and Applications," Ph.D.Thlesis. Computer Science Department, Staniford University (1989).
[112] T. Henzinger, -The Logic of Real-Time Sy' stemis." Phi.D. Thesis, Computer Science De-
p~artmnent. Stanford University (to appear, 1991).
TEXTBOOKS
Time researchi behind these books was partially suipported by this contract.
[%\1W2) Z. N/anna. and R. Waldinger, Logical Basis for ('omiputer Programming, Addison-k\esle' v Pub., Reading, NMA.Vol. 2: Deductive Systems (January 1.990).Trhe Concise Version (to appear, 1991).
[Ni PT] 1Z. \tanna and A. Pnueli. The Temporal Logic- of Reactive Progr-ams, Springer-Verlag,NY (to appear. 1991).