Duration Calculus

Duration Calculus 

A formal approach to real-time systems 

Lecture 1: Introduction 

Michael R. Hansen 

mrh@imm.dtu.dk 

Informatics and Mathematical Modelling 

Technical University of Denmark 

Tallinn, November 17- 21, Michael R. Hansen – p.1/29

Plan for this week 

Monday: Introduction to Interval Logic and Duration Calculus. 

Overview. 

Tuesday: Duration Calculus: Discrete and Continuous time. 

Decidability and undecidability results. Modelchecking. 

Wednesday: Deadline-Driven Scheduling. 

Modelling and Correctness. 

Thursday: Neighbourhood Logic. 

Security Protocols. Availability. 


Overview: Today 

• Basic Duration Calculus 

• Extensions 

• An Application: Security 




• Background 

• Introduction 

• Decidability, Undecidability, Model-checking 







• Mean Value Calculus 

• Real-state model 

• Super-dense computations 

• Expanding modalities 







• Availability 

• Multi-threaded servers 

• Security Protocols 


Background 

• Provable Correct Systems (ProCoS, ESPRIT BRA 3104) 

Bjørner Langmaack Hoare Olderog 

• Project case study: Gas Burner Sørensen Ravn Rischel 


Background 




Intervals properties 

Timed Automata, Real-time Logic, Metric Temporal Logic, 

Explicit Clock Temporal, . . ., Alur, Dill, Jahanian, Mok, 

Koymans, Harel, Lichtenstein, Pnueli, . . . 


Background 








Duration of states 

Duration Calculus Zhou Hoare Ravn 91 


Background 










— an Interval Temporal Logic Halpern Moszkowski Manna 


Background 










— an Interval Temporal Logic Halpern Moszkowski Manna 

• Logical Calculi, Applications, Mechanical Support 

• Duration Calculus: A formal approach to real-time systems 

Zhou Chaochen and Michael R. Hansen 

Springer. To appear one of these days 


Gas Burner example 

State variables G, F : Time → {0, 1} state expression L = G ∧ ¬F 

Requirement Gas must at most be leaking 1/20 of the elabsed time 

Design decisions 

(e − b) ≥ 60 s ⇒ 20 e L(t)dt ≤ (e − b) 

b 

Leaks are detectable and stoppable within 1s: 

∀c, d : b ≤ c < d ≤ e.(L[c, d] ⇒ (d − c) ≤ 1 s) 

At least 30s between leaks: 

∀c, d, r, s : b ≤ c < r < s < d ≤ e. 

(L[c, r] ∧ ¬L[r, s] ∧ L[s, d]) ⇒ (s − r) ≥ 30 s 

where P [c, d] = d P (t) = (d − c) > 0 “P holds throughout [c, d]” 

c 


Interval Logic [Halpern Moszkowski Manna 83] 

Terms: θ ::= x | v | θ1 + θn | . . . Temporal Variable 

Formulas: φ ::= θ1 = θn | ¬φ | φ ∨ ψ | φ ⌢ ψ | (∃x)φ | . . . chop 




v : Intv → R 


φ : Intv → {tt,ff} 






Chop: 

φ ⌢ ψ 

 

b m e 

 

φ 

 

ψ 


for some m : b ≤ m ≤ e 






Chop: 

φ ⌢ ψ 

 

b m e 

 

φ 

 

ψ 


for some m : b ≤ m ≤ e 

In DC: Intv = { [a, b] | a, b ∈ R ∧ a ≤ b} 


Duration Calculus [Zhou Hoare Ravn 91] 

State variables P : Time → {0, 1} Finite Variablilty 

State expressions S ::= 0 | 1 | P | ¬S | S1 ∨ S2 





S : Time → {0, 1} pointwise defined from P 





S : Time → {0, 1} pointwise defined from P 

Durations S : Intv → R defined on [b, e] by 

e 

b 

S(t)dt 

– Temporal variables with a structure 


Example: Gas Burner 

Requirement 


ℓ ≥ 60 ⇒ 20 L ≤ ℓ 

( ⌈L ⌉ ⇒ ℓ ≤ 1) 

(( ⌈L ⌉ ⌢ ⌈¬L ⌉ ⌢ ⌈L ⌉) ⇒ ℓ ≥ 30) 

where ℓ denotes the length of the interval, and 

♦φ = true ⌢ φ ⌢ true “for some sub-interval: φ” 

φ = ¬♦¬φ “for all sub-intervals: φ” 

⌈P ⌉ = P = ℓ ∧ ℓ > 0 “P holds throughout a non-point interval” 


Example: Gas Burner 

Requirement 


ℓ ≥ 60 ⇒ 20 L ≤ ℓ 

( ⌈L ⌉ ⇒ ℓ ≤ 1) 

(( ⌈L ⌉ ⌢ ⌈¬L ⌉ ⌢ ⌈L ⌉) ⇒ ℓ ≥ 30) 

where ℓ denotes the length of the interval, and 

♦φ = true ⌢ φ ⌢ true “for some sub-interval: φ” 

φ = ¬♦¬φ “for all sub-intervals: φ” 

⌈P ⌉ = P = ℓ ∧ ℓ > 0 “P holds throughout a non-point interval” 

succinct formulation — no interval endpoints 


Interval Logic: Proof System 1 [Dutertre 1995] 

The axioms of IL are: 

A0 ℓ ≥ 0 

A1 ((φ ⌢ ψ) ∧ ¬(φ ⌢ ϕ)) ⇒ (φ ⌢ (ψ ∧ ¬ϕ)) 

A2 ((φ ⌢ ψ) ⌢ ϕ) ⇐⇒ (φ ⌢ (ψ ⌢ ϕ)) 

R (φ ⌢ ψ) ⇒ φ if φ is a rigid formula 

E (∃x.φ ⌢ ψ) ⇒ ∃x.(φ ⌢ ψ) if x is not free in ψ. 

L1 ((ℓ = x) ⌢ φ) ⇒ ¬((ℓ = x) ⌢ ¬φ) 

L2 (x ≥ 0 ∧ y ≥ 0) ⇒ ((ℓ = x + y) ⇐⇒ ((ℓ = x) ⌢ (ℓ = y))) 

L3 φ ⇒ (φ ⌢ (ℓ = 0)) 



The inference rules of IL are: 

MP if φ and φ ⇒ ψ then ψ modus ponens 

G if φ then (∀x)φ generalisation 

N 

M 

if φ then ¬(¬φ ⌢ ψ) 

if φ then ¬(ψ ⌢ ¬φ) 

if φ ⇒ ψ then (φ ⌢ ϕ) ⇒ (ψ ⌢ ϕ) 

if φ ⇒ ψ then (ϕ ⌢ φ) ⇒ (ϕ ⌢ ψ) 

Necessity 

Monotonicity 



The inference rules of IL are: 

MP if φ and φ ⇒ ψ then ψ modus ponens 

G if φ then (∀x)φ generalisation 

N 

M 

if φ then ¬(¬φ ⌢ ψ) 

if φ then ¬(ψ ⌢ ¬φ) 

if φ ⇒ ψ then (φ ⌢ ϕ) ⇒ (ψ ⌢ ϕ) 

if φ ⇒ ψ then (ϕ ⌢ φ) ⇒ (ϕ ⌢ ψ) 

Complete wrt abstract value and time domain 

Necessity 

Monotonicity 


Duration Calculus: Proof System [ZHR 1991] 

Axioms reflecting the structure of temporal variables: 

DCA1 

DCA2 

DCA3 

DCA4 

 

0 = 0 

 

1 = ℓ 

 

S ≥ 0 

 

S1 + S2 = (S1 ∨ S2) + (S1 ∧ S2) 

DCA5 (( S = x) ⌢ ( S = y)) ⇒ ( S = x + y) 

DCA6 

S1 = S2 if S1 ⇐⇒ S2 in propositional logic 


Duration Calculus: Induction Rules 

Formalize Finite Variability of States 

IR1 If H( ⌈ ⌉) and H(X) ⇒ H(X ∨ n 

i=1 (X ⌢ ⌈Si ⌉)) 

then H(true) 

• H( ⌈ ⌉) – the base case 

• H(X) – the induction hypothesis 

• S1, S2, ..., Sn — a complete collection of state expressions 

( 

n 

i=1 

Si) ⇐⇒ 1 


Duration Calculus: Induction Rules 

Formalize Finite Variability of States 

IR1 If H( ⌈ ⌉) and H(X) ⇒ H(X ∨ n 

i=1 (X ⌢ ⌈Si ⌉)) 

then H(true) 

• H( ⌈ ⌉) – the base case 

• H(X) – the induction hypothesis 

• S1, S2, ..., Sn — a complete collection of state expressions 

( 

n 

i=1 

Si) ⇐⇒ 1 

DC is relative complete wrt Interval Logic [Hansen Zhou 92] 

DC is complete wrt abstract domain [Guelev 98] 


Induction rule: Intuition 

• H( ⌈ ⌉) H holds on point intervals 




• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉) 

H holds on intervals with at most 0 state changes 




• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉) 

• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉ ∨ n 

i=1 


n 

j=1 ⌈Si ⌉ ⌢ ⌈Sj ⌉) 

H holds on intervals with at most 1 state change 




• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉) 

• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉ ∨ n 

i=1 


n 

j=1 ⌈Si ⌉ ⌢ ⌈Sj ⌉) 


• ... H holds on intervals with at most n state change 




• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉) 

• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉ ∨ n 

i=1 


n 

j=1 ⌈Si ⌉ ⌢ ⌈Sj ⌉) 



H(true) H holds on any interval 




• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉) 

• H( ⌈ ⌉ ∨ n 

i=1 ⌈Si ⌉ ∨ n 

i=1 


n 

j=1 ⌈Si ⌉ ⌢ ⌈Sj ⌉) 



H(true) H holds on any interval 

S 

 

rejects Zeno behaviour like: 

¬S 

 

S 

¬S 

 

0 4 6 7 8 


Decidability [Zhou Hansen Sestoft 93] 

Restricted Duration Calculus : 

• ⌈S ⌉ 

• ¬φ, φ ∨ ψ, φ ⌢ ψ 




• ⌈S ⌉ 

• ¬φ, φ ∨ ψ, φ ⌢ ψ 

Satisfiability is reduced to emptiness of regular languages 

Idea: a ∈ Σ describes a piece of an interpretation, e.g. P1 ∧ ¬P2 ∧ P3 




• ⌈S ⌉ 

• ¬φ, φ ∨ ψ, φ ⌢ ψ 



Discrete time — one letter corresponds to one time unit 

L( ⌈S ⌉) = (DNF (S)) + 

L(ϕ ∨ ψ) = L(ϕ) ∪ L(ψ) 

L(¬ϕ) = Σ ∗ \ L(ϕ) 

L(ϕ ⌢ ψ) = L(ϕ) L(ψ) 




• ⌈S ⌉ 

• ¬φ, φ ∨ ψ, φ ⌢ ψ 




L( ⌈S ⌉) = (DNF (S)) + 

L(ϕ ∨ ψ) = L(ϕ) ∪ L(ψ) 

L(¬ϕ) = Σ ∗ \ L(ϕ) 

L(ϕ ⌢ ψ) = L(ϕ) L(ψ) 

Continuous time — Closure property 




• ⌈S ⌉ 

• ¬φ, φ ∨ ψ, φ ⌢ ψ 




L( ⌈S ⌉) = (DNF (S)) + 

L(ϕ ∨ ψ) = L(ϕ) ∪ L(ψ) 

L(¬ϕ) = Σ ∗ \ L(ϕ) 

L(ϕ ⌢ ψ) = L(ϕ) L(ψ) 

Continuous time — Closure property 

Skakkebæk Sestoft 94, Pandya 01, Fränzle 02, Gomez Bowman 03 


Undecidability 

Even small extensions give undecidable subsets 

RDC1 cont. time RDC2 RDC3 

• ℓ = r, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• S1 = S2 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• ℓ = x, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ, (∃x)φ 

Reduce halting problem (2-counter machines) to satisfiability 





• ℓ = r, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• S1 = S2 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• ℓ = x, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ, (∃x)φ 


RDC 2: c1 encoded by C + 1 − C − 1 , where C+ 1 , C − 1 : Time → {0, 1} 

In qi decrement c1 (if c1 > 0) and go to qj: 





• ℓ = r, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• S1 = S2 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• ℓ = x, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ, (∃x)φ 




current state qi 

true ⌢ ⌈qi ⌉ 





• ℓ = r, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• S1 = S2 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• ℓ = x, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ, (∃x)φ 




current state qi 

c1 > 0 

true ⌢ ⌈qi ⌉ 

C + 1 = C − 1 





• ℓ = r, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• S1 = S2 

• ¬φ, φ∨ψ, φ ⌢ ψ 

• ℓ = x, ⌈S ⌉ 

• ¬φ, φ∨ψ, φ ⌢ ψ, (∃x)φ 




current state qi true ⌢ ⌈qi ⌉ ⌢ true 

c1 > 0 ∧ C + 1 = C − 1 ⌢ true 

next state qj, decrement c1 ⇒ true ⌢ ⌈qj ∧ C − 1 ⌉ 


Model-checking [Zhou Zhang Lu Li 94] 

Linear Duration Invariants cmin ≤ ℓ ⇒ n i=1 ci 

 

Pi ≤ c 

are checked with respect to real-time automata. 

Gas Burner requirement 60 ≤ ℓ ⇒ (19 Leak − NonLeak) ≤ 0 

Gas Burner design 

f 

[30, ∞) 

NonLeak Leak 

❨ 

[0, 1] 

r 

❥ 


Model-checking 2 

• Each run is reduced to a linear programming problem. 

Constraints for run: f r f (t1 NonLeak, t2 Leak, t3 NonLeak) 

t1 ≥ 30, 0 ≤ t2 ≤ 1, t3 ≥ 30 and (t1 + t2 + t3) ≥ 60 

Objective function: 19t2 − (t1 + t3) 

The linear duration invariant is satisfied 

iff the maximal value of the objective function is ≤ 0. 


Model-checking 2 

• Each run is reduced to a linear programming problem. 

Constraints for run: f r f (t1 NonLeak, t2 Leak, t3 NonLeak) 

t1 ≥ 30, 0 ≤ t2 ≤ 1, t3 ≥ 30 and (t1 + t2 + t3) ≥ 60 

Objective function: 19t2 − (t1 + t3) 

The linear duration invariant is satisfied 

iff the maximal value of the objective function is ≤ 0. 

• An infinite set of runs can be reduced to a finite set 

– timing constraints and coefficients of durations 

Implemented by Li, Tao, Dang ... 


Some Extensions – a brief survey 

• Mean Value Calculus 

• Real State Model 

• Super-dense computations 

• Expanding Modalities 

• Some other work 


Mean Value Calculus [Zhou Li 94] 

Captures point properties 

Use mean values rather than durations 

where 

Extends DC 

P ([b, e]) = 

P : Intv → [0, 1] 

e P (t)dt/(e − b) b if e > b 

P (e) if e = b 

P = P · ℓ 


Real State Model [Zhou Ravn Hansen 93] 

Hybrid Systems: Discrete and continuous components 

Predicates like 

g, ˙ 

f : Time → R 

⌈P(g, ˙ 

f) ⌉ control law P holds on an interval 

e.f = v ⌢ b.g = v + 1 

Case studies 

Auto pilot, water level monitor, hydraulic actuator system, inverted 

pendulum, ... 

Ravn, Engel, Dang, Widjaja, He, Chen Zhou, ... 


Super-dense computations 

Program semantics: Time and Timeless actions 

. . . ; x:= 3 ; y := f(x,y) ; wait 7 ; . . . 

• Super-dense chop Zhou Hansen 96 

• Combination of Linear Time Temporal Logic and Interval Logic 

Barua, Qui, Zhou, Pandya, Dang, Liu, Ravn, Li 1998 

• Visible and invisible states Guelev Dang 02 

Generalizes of the projection operator of ITL Moszkowski 95 

• Temporal logic for ordered trees ? Endriss Gabbay 03 


Expanding Modalities 1 

To capture (abstract) liveness properties 

Venema’s propositional modal logic with modalities ⌢ , T and D 

φTψ 

 

 

b e c 

 

ψ 

φ 

 

 

φ 

φDψ 

a b e 

 

ψ 

for some c ≥ e 

for some a ≤ b 

Completeness, Venema 90 

Railway crossing, Skakkebæk 94 


Expanding Modalities 2 

Neighbourhood Logic Zhou Hansen 98 

A first order logic with two modalities 

φ 

♦lφ 

 

 

a b e 

♦rφ 

 

 

b e c 

φ 

for some a ≤ b 

for some c ≥ e 

Completeness Barua Roy Zhou 2000 


Signed Interval Logic [Engel Rischel 94] 

Intervals with a direction 

i 

φ ⌢ ψ 

> j 




i 

i 

φ ⌢ 

ψ 

 

> j 

 

φ 

 

> k for some k 

< 

ψ 




i 

i 

φ ⌢ 

ψ 

 

> j 

 

φ 

 

> k for some k 

< 

ψ 

Proof theory and Theorem Proving Rasmussen 02 

• Proof systems encoded in Isabelle/HOL 

• Encoding of Neighbourhood Logic (+ DC) 

• Example: Gas burner, Scheduling, Availability Pilegaard 02 


Some other work 

• Probabilistic Duration Calculus Liu Ravn Sørensen Zhou 93, 

Dang Zhou 99, Guelev 00 

• Circuits and controllers Hansen Zhou Staunstrup 92, 

Kääramees 95, Fränzle 96, Dierks 98 

• Program Semantics: SDL, OCCAM, Esterel, Constraint 

Diagrams, ... 

• Integration with other formalism: CSP [He], RAISE [He Li], CSP 

& Object Z [Hoenicke Olderog], ... 

• Refinement Ravn, Olderog, Schenke, ... 

• Theorem Provers: PVS [Skakkebæk], Isabelle [Heilmann] 

• Decision Procedures: DCVALID [Pandya], [Kersten PSY]] 

• Higher-order operators: State quantifiers, µ-operator [Guelev, 

Dang, Pandya, ...] 

• Case Studies: a huge amount 


Availability Pilegaard Hansen Sharp 02 

Clients C1, C2, . . . exchange messages with a server S 

C1 

. 

Cn 

. 

Ci → S : M 

S → Ci : M ′ 

• Good clients i ∈ γ requests δi of the server’s time 

• Bad clients j ∈ β waste the server’s time 

How to formalize requirements about the availability? 

S 


Availability Pilegaard Hansen Sharp 02 

Clients C1, C2, . . . exchange messages with a server S 

C1 

. 

Cn 

. 

Ci → S : M 

S → Ci : M ′ 

• Good clients i ∈ γ requests δi of the server’s time 

• Bad clients j ∈ β waste the server’s time 

How to formalize requirements about the availability? 

• E.g., Available for good clients x% of the time 

Under which assumptions are these requirements to be met? 

• strength of bad clients Operational cost model Meadows 01 

S 


Multi-threaded Server 

Rdy i : Time → {0, 1} 

Runi : Time → {0, 1} 

Only ready processes are running ⌈Runi ⌉ ⇒ ⌈Rdy i ⌉ 

At most one process is running ⌈Runi ⌉ ⇒ 

∧ ⌈Runi ⌉ 

∧ ♦r ⌈¬Runi ∧ Rdy i ⌉ 

i=j ⌈¬Runj ⌉ 

Round-Robin Scheduling with time slice τ 

⎛ 

⎜ 

⎝ 

♦l ⌈¬Runi ⌉ 

⎞ 

⎟ 

⎠ ⇒ ℓ = τ 

Hansen Zhou Ravn Rischel 92 

Yuhua Zhou 94 

Chan Dang 95 


Modelling Availability 

• Normal service for trusted clients x% of the time 

(ℓ > T ⇒ ( 

Runi) ≤ (1 − x) · ℓ) 

i∈γ 

• Request of ci completed within p · ci 

∀i ∈ γ.♦r(ℓ ≤ p · ci ⇒ Runi = ci) 

Assumptions about the strength of bad clients can be modelled 

using similar techniques 

Is availability guaranteed under the assumptions? 

(Scheduler ∧ Ass γ ∧ Assβ ∧ R(¯x)) ⇒ Availability 

a first attemp Hansen Sharp 03 


Events in security protocols A → B : M 

Use traces as functions of time Tr : Time → Event ∗ 

finite variability 

Ravn Rischel Hansen 93 

Occurrence of an event 

Occurs(e) = ℓ = 0 ∧ ∃h ∈ Event ∗ . 

 

♦l ⌈Tr = h ⌉ 

∧ ♦r ⌈Tr = h · e ⌉ 

Link between external actions and the server’s activity 

• Occurs(Ai → S : M) ⇒ ♦r ⌈Rdyi ⌉ 

 

Runi = ci 

• 

∧ true ⌢ 

⌈Rdyi ⌉ 

⇒ true ⌢ Occurs(S → Ai : Ms) 

 


Events in security protocols A → B : M 

Use traces as functions of time Tr : Time → Event ∗ 

finite variability 

Ravn Rischel Hansen 93 

Occurrence of an event 

Occurs(e) = ℓ = 0 ∧ ∃h ∈ Event ∗ . 

 

♦l ⌈Tr = h ⌉ 

∧ ♦r ⌈Tr = h · e ⌉ 

Link between external actions and the server’s activity 

• Occurs(Ai → S : M) ⇒ ♦r ⌈Rdyi ⌉ 

 

Runi = ci 

• 

∧ true ⌢ 

⌈Rdyi ⌉ 

⇒ true ⌢ Occurs(S → Ai : Ms) 

Verification in Isabelle/HOL Pilegaard 02 

— Separation of interval from timeless reasoning Tallinn, November 17- 21, Michael R. Hansen – p.29/29

Duration Calculus

Create successful ePaper yourself

Delete template?

Save as template?