Results 1 - 10 of 59

Compositional Model Checking, 1999
Cited by 2026 (60 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
What Good Are Digital Clocks?, 1992
Cited by 95 (14 self)
Real-time systems operate in "real," continuous time and state changes may occur at any real-numbered time point. Yet many verification methods are based on the assumption that states are observed at integer time points only. What can we conclude if a real-time system has been shown "correct" for integral observations? Integer time verification techniques suffice if the problem of whether all real-numbered behaviors of a system satisfy a property can be reduced to the question of whether the integral observations satisfy a (possibly modified) property. We show that this reduction is possible for a large and important class of systems and properties: the class of systems includes all systems that can be modeled as timed transition systems; the class of properties includes time-bounded invariance and time-bounded response. 1 Introduction Over the past few years, we have seen a proliferation of formal methodologies for software and hardware design that emphasize the treatm...
Rewriting Logic as a Semantic Framework for Concurrency: a Progress Report, 1996
Cited by 78 (22 self)
This paper surveys the work of many researchers on rewriting logic since it was first introduced in 1990. The main emphasis is on the use of rewriting logic as a semantic framework for concurrency. The goal in this regard is to express as faithfully as possible a very wide range of concurrency models, each on its own terms, avoiding any encodings or translations. Bringing very different models under a common semantic framework makes it easier to understand what different models have in common and how they differ, to find deep connections between them, and to reason across their different formalisms. It also becomes much easier to achieve in a rigorous way the integration and interoperation of different models and languages whose combination offers attractive advantages. The logic and model theory of rewriting logic are also summarized, a number of current research directions are surveyed, and some concluding remarks about future directions are made. Table of Contents 1 In...
Forward and Backward Simulations - Part II: Timing-Based Systems - Information and Computation, 1995
Cited by 77 (26 self)
A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. These techniques include (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. These results are (with one exception) analogous to the results for untimed systems in Part I of this paper. In fact, many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.
An Approach to the Description and Analysis of Hybrid Systems
Cited by 74 (3 self)
Introduction The paper presents a model for hybrid systems, that is, systems that combine discrete and continuous components. Such systems are usually reactive real-time systems used to control an environment evolving over time. A main assumption is that a run of a hybrid system is a sequence of two-phase steps. The first phase of a step corresponds to a continuous state transformation usually described in terms of some parameter representing the time elapsed during this phase. In the second phase the state is submitted to a discrete change taking zero time. To illustrate this assumption, consider a temperature regulator commanding a heater so as to maintain the temperature θ of a room between two given bounds θ_min and θ_max. A run of such a system is a sequence of steps determined by the alternating state changes of the heater from ON to OFF...
Specifying Timed State Sequences in Powerful Decidable Logics and Timed Automata (Extended Abstract) - LNCS 863, 1994
Cited by 46 (0 self)
Thomas Wilke, Christian-Albrechts-Universität zu Kiel, Institut für Informatik und Praktische Mathematik, D-24098 Kiel, Germany. Abstract. A monadic second-order language, denoted by Ld, is introduced for the specification of sets of timed state sequences. A fragment of Ld, denoted by L $ d, is proved to be expressively complete for timed automata (Alur and Dill), i. e., every timed regular language is definable by a L $ d-formula and every L $ d-formula defines a timed regular language. As a consequence the satisfiability problem for L $ d is decidable. Timed temporal logics are shown to be effectively embeddable into L $ d and hence turn out to have a decidable theory. This applies to TL Γ (Manna and Pnueli) and EMITLp, which is obtained by extending the logic MITLp (Alur and Henzinger) by automata operators (Sistla, Vardi, and Wolper). For every positive natural number k the full monadic second-order logic Ld and L $ d are equally expressive modulo the set of timed...
Temporal Proof Methodologies for Timed Transition Systems - INFORMATION AND COMPUTATION, 1994
Cited by 41 (8 self)
We extend the specification language of temporal logic, the corresponding verification framework, and the underlying computational model to deal with real-time properties of reactive systems. The abstract notion of timed transition systems generalizes traditional transition systems conservatively: qualitative fairness requirements are replaced (and superseded) by quantitative lower-bound and upper-bound timing constraints on transitions. This framework can model real-time systems that communicate either through shared variables or by message passing and real-time issues such as timeouts, process priorities (interrupts), and process scheduling. We exhibit two styles for the specification of real-time systems. While the first approach uses time-bounded versions of the temporal operators, the second approach allows explicit references to time through a special clock variable. Corresponding to the two styles of specification, we present and compare two different proof methodologies for t...
Some progress in the symbolic verification of timed automata - IN PROC. OF THE 8TH CONFERENCE ON COMPUTER-AIDED VERIFICATION, 1997
Cited by 40 (4 self)
In this paper we discuss the practical difficulty of analyzing the behavior of timed automata and report some results obtained using an experimental BDD-based extension of Kronos. We have treated examples originating from timing analysis of asynchronous boolean networks and CMOS circuits with delay uncertainties, and the results outperform those obtained by previous implementations of timed automata verification tools.
Verification of Real-Time Systems Using PVS, 1993
Cited by 27 (2 self)
We present an approach to the verification of the real-time behavior of concurrent programs and describe its mechanization using the PVS proof checker. Our approach to real-time behavior extends previous verification techniques for concurrent programs by proposing a simple model for real-time computation and introducing a new operator for reasoning about absolute time. This model is formalized and mechanized within the higher-order logic of PVS. The interactive proof checker of PVS is used to develop the proofs of two illustrative examples: Fischer's real-time mutual exclusion protocol and a railroad crossing controller. This work was supported by National Aeronautics and Space Administration Langley Research Center and the US Naval Research Laboratory under contract NAS1-18969 and by the US Naval Research Laboratory contract N00015-92-C-2177. Connie Heitmeyer (NRL) suggested the railroad crossing example. Sam Owre (SRI) assisted with the use of PVS. The helpful comments of John Rush...
Towards refining temporal specifications into hybrid systems - HYBRID SYSTEMS, LECTURE NOTES IN COMPUTER SCIENCE 736, 1993
Cited by 17 (2 self)
We propose a formal framework for designing hybrid systems by stepwise refinement. Starting with a specification in hybrid temporal logic, we make successively more transitions explicit until we obtain an executable system.