. We introduce a temporal logic for the specification of real-time systems. Our logic, TPTL, employs a novel quantifier construct for referencing time: the freeze quantifier binds a variable to the time of the local temporal context. TPTL is both a natural language for specification and a suitable formalism for verification. We present a tableau-based decision procedure and a model checking algorithm for TPTL. Several generalizations of TPTL are shown to be highly undecidable. 1 Introduction Linear temporal logic is a widely accepted language for specifying properties of reactive systems and their behavior over time [Pnu77, OL82, MP92]. The tableau-based satisfiability algorithm for its propositional version, PTL, forms the basis for the automatic verification and synthesis of finite-state systems [LP84, MW84]. PTL is interpreted over models that abstract away from the actual times at which events occur, retaining only temporal ordering information about the states of a system. The a...

The theory of the natural numbers with linear order and monadic predicates underlies propositional linear temporal logic. To study temporal logics that are suitable for reasoning about real-time systems, we combine this classical theory of in nite state sequences with a theory of discrete time, via a monotonic function that maps every state to its time. The resulting theory of timed state sequences is shown to be decidable, albeit nonelementary, and its expressive power is characterized by! -regular sets. Several more expressive variants are proved to be highly undecidable. This framework allows us to classify a wide variety of real-time logics according to their complexity and expressiveness. Indeed, it follows that most formalisms proposed in the literature cannot be decided. We are, however, able to identify two elementary real-time temporal logics as expressively complete fragments of the theory of timed state sequences, and we present tableau-based decision procedures for checking validity. Consequently, these two formalisms are well-suited for the speci cation and veri cation of real-time systems.

We survey logic-based and automata-based languages and techniques for the specification and verification of real-time systems. In particular, we discuss three syntactic extensions of temporal logic: time-bounded operators, freeze quantification, and time variables. We also discuss the extension of finite-state machines with clocks and the extension of transition systems with time bounds on the transitions. All of the resulting notations can be interpreted over a variety of different models of time and computation, including linear and branching time, interleaving and true concurrency, discrete and continuous time. For each choice of syntax and semantics, we summarize the results that are known about expressive power, algorithmic finite-state verification, and deductive verification.

We propose a framework for the formal speci cation and veri cation of timed and hybrid systems. For timed systems we propose a speci cation language that refers to time only through age functions which measure the length of the most recent timeinterval in which agiven formula has been continuously true. We then consider hybrid systems, which are systems consisting of a non-trivial mixture of discrete and continuous components, such as a digital controller that controls acontinuous environment. The proposed framework extends the temporal logic approach which has proven useful for the formal analysis of discrete systems such as reactive programs. The new framework consists of a semantic model for hybrid time, the notion of phase transition systems, which extends the formalism of discrete transition systems, an extended version of Statecharts for the speci cation of hybrid behaviors, and an extended version of temporal logic that enables reasoning about continuous change.

. Real-time systems operate in "real," continuous time and state changes may occur at any real-numbered time point. Yet many verification methods are based on the assumption that states are observed at integer time points only. What can we conclude if a real-time system has been shown "correct" for integral observations? Integer time verification techniques suffice if the problem of whether all real-numbered behaviors of a system satisfy a property can be reduced to the question of whether the integral observations satisfy a (possibly modified) property. We show that this reduction is possible for a large and important class of systems and properties: the class of systems includes all systems that can be modeled as timed transition systems; the class of properties includes time-bounded invariance and time-bounded response. 1 Introduction Over the past few years, we have seen a proliferation of formal methodologies for software and hardware design that emphasize the treatm...

We introduce a novel extension of propositional modal logic that is interpreted over Kripke structures in which a value is associated with every possible world. These values are, however, not treated as full first-order objects; they can be accessed only by a very restricted form of quantification: the "freeze" quantifier binds a variable to the value of the current world. We present a complete proof system for this ("half-order") modal logic. As a special case, we obtain the real-time temporal logic TPTL of [AH89]: the models are restricted to infinite sequences of states, whose values are monotonically increasing natural numbers. The ordering relation between states is interpreted as temporal precedence, while the value associated with a state is interpreted as its "real" time. We extend our proof system to be complete for TPTL, and demonstrate how it can be used to derive real-time properties.

Bounded fairness, a stronger notion than the usual fairness based on eventuality, can be used, for example, to relate the frequency of shared resource access of a particular process with regard to other processes that access the resource with mutual exclusion. We formalize bounded fairness byintroducing a new binary operator into temporal logic. One main di#erence between this logic and explicit-time logics, one whichwe consider to be an advantage in many cases, is that time does not appear explicitly as a parameter. The syntax and semantics for this new logic,kTL,aregiven. This logic is shown to be more powerful than temporal logic with the eventualityoperator and as powerful as the logic with the until operator. We argue that kTL can be used to specify bounded fairness requirements in a more natural manner than is possible with until; in particular, we show properties that can be expressed more succinctly in kTL. We also give a procedure for testing satis#abilityofkTL formulas. A...

There have been a number of successes in the past few years in use of formal methods for verification of real-time systems, and also in source-to-source transformation of these systems for improved analysis, performance, and schedulability. What has been lacking are formal proofs that these transformations preserve, or establish program properties. We have previously developed a set of compiler transformation rules for safe and pro table speculative execution in real-time systems. In this paper, we present formal proofs that our transformations preserve both the semantic and the timeliness properties of programs. Our approach uses temporal logic, enhanced with a denotational-semantics-like representation of program stores. While the paper focuses on the speculative execution transformations, the approach is applicable to other real-time compiler-based transformations and code optimization.