# Paritosh K. Pandya


Introduction

Paritosh K. Pandya currently works at the School of Technology and Computer Science, Tata Institute of Fundamental Research. Paritosh does research in real-time automata, logics and formal methods. He is also interested in programming languages for embedded systems and component-based design.


Research Items (106)

This paper investigates Kamp-like and Büchi-like theorems for 1-clock Alternating Timed Automata (1-ATA) and its natural subclasses. A notion of 1-ATA with loop-free resets is defined. This automaton class is shown to be expressively equivalent to the temporal logic $\mathsf{RegMTL}$, which is $\mathsf{MTL[F_I]}$ extended with a regular-expression-guarded modality. Moreover, a subclass of future timed MSO with the $k$-variable-connectivity property is introduced as the logic $\mathsf{Q}_k\mathsf{MSO}$. In a Kamp-like result, it is shown that $\mathsf{RegMTL}$ is expressively equivalent to $\mathsf{Q}_k\mathsf{MSO}$. As our second result, we define a notion of conjunctive-disjunctive 1-clock ATA ($\mathsf{wf}$ 1-ATA). We show that $\mathsf{wf}$ 1-ATA with loop-free resets are expressively equivalent to the sublogic $\mathsf{FRegMTL}$ of $\mathsf{RegMTL}$. Moreover, $\mathsf{FRegMTL}$ is expressively equivalent to $\mathsf{Q}_2\mathsf{MSO}$, the two-variable connected fragment of $\mathsf{Q}_k\mathsf{MSO}$. The full class of 1-ATA is shown to be expressively equivalent to $\mathsf{RegMTL}$ extended with fixed-point operators.

DCSYNTH is a tool for the synthesis of controllers from safety and bounded-liveness requirements given in the interval temporal logic QDDC. It investigates the role of soft requirements (with priorities) in obtaining high-quality controllers. A QDDC formula specifies past-time properties. In DCSYNTH synthesis, hard requirements must be invariantly satisfied, whereas soft requirements may be satisfied "as much as possible" in a best-effort manner by the controller. Soft requirements provide an invaluable ability to guide the controller synthesis. In the paper, using DCSYNTH, we show the application of soft requirements in obtaining robust controllers with various specifiable notions of robustness. We also show the use of soft requirements to specify and synthesize efficient runtime enforcement shields which can correct burst errors. Finally, we discuss the use of soft requirements in improving the latency of the controlled system.

- May 2017
- International Conference on Software Engineering and Formal Methods

Several temporal logics have been proposed to formalise timing diagram requirements over hardware and embedded controllers. These include LTL, discrete-time MTL and the recent industry standard PSL. However, the succinctness and visual structure of a timing diagram are not adequately captured by their formulae. The interval temporal logic QDDC is a highly succinct and visual notation for specifying patterns of behaviours. In this paper, we propose a practically useful notation called SeCeCntnl which enhances the negation-free fragment of QDDC with features of nominals and limited liveness. We show that timing diagrams can be naturally (compositionally) and succinctly formalized in SeCeCntnl as compared with PSL and MTL. We give a linear-time translation from timing diagrams to SeCeCntnl. As our second main result, we propose a linear-time translation of SeCeCntnl into QDDC. This allows QDDC tools such as DCVALID and DCSynth to be used for checking consistency of timing diagram requirements as well as for automatic synthesis of property monitors and controllers. We give examples of a minepump controller and a bus arbiter to illustrate our tools. Giving a theoretical analysis, we show that for the proposed SeCeCntnl, satisfiability and model checking have elementary complexity as compared to the non-elementary complexity of the full logic QDDC.

We study an extension of $\mathsf{MTL}$ in pointwise time with a rational-expression-guarded modality $\mathsf{Reg}_I(\mathsf{re})$, where $\mathsf{re}$ is a rational expression over subformulae. We study the decidability and expressiveness of this extension ($\mathsf{MTL} + \varphi\,\mathsf{UReg}_{I,\mathsf{re}}\,\varphi + \mathsf{Reg}_{I,\mathsf{re}}\,\varphi$), called $\mathsf{RegMTL}$, as well as its fragment $\mathsf{SfrMTL}$ where only star-free rational expressions are allowed. Using the technique of temporal projections, we show that $\mathsf{RegMTL}$ has decidable satisfiability by giving an equisatisfiable reduction to $\mathsf{MTL}$. We also identify a subclass $\mathsf{MITL}+\mathsf{UReg}$ of $\mathsf{RegMTL}$ for which our equisatisfiable reduction gives rise to formulae of $\mathsf{MITL}$, yielding elementary decidability. As our second main result, we show a tight automaton-logic connection between $\mathsf{SfrMTL}$ and partially ordered (or very weak) 1-clock alternating timed automata.

In temporal logics, a central question is about the choice of modalities and their relative expressive power, in comparison to the complexity of decision problems such as satisfiability. In this tutorial, we will illustrate the study of such questions over finite word models, first with logics for Unambiguous Star-free Regular Languages (UL), originally defined by Schützenberger, and then for extensions with constraints, which appear in interval logics. We present Deterministic temporal logics, with diverse sets of modalities, which also characterize UL. The tools and techniques used go under the name of "Turtle Programs" or "Rankers". These are simple kinds of automata. We use properties such as Ranker Directionality and Ranker Convexity to show that all these logics have NP satisfiability. A recursive extension of some of these modalities gives us the full power of first-order logic over finite linear orders. We also discuss Interval Constraint modalities extending Deterministic temporal logics, with intermediate expressiveness. These allow counting or simple algebraic operations on paths. The complexity of these extended logics is PSPACE, as for full temporal logic (and EXPSPACE when using binary notation).

- Jul 2016
- the 31st Annual ACM/IEEE Symposium

We study an extension of FO^2[<], first-order logic interpreted in finite words, in which formulas are restricted to use only two variables. We adjoin to this language two-variable atomic formulas that say, 'the letter a appears between positions x and y'. This is, in a sense, the simplest property that is not expressible using only two variables.
We present several logics, both first-order and temporal, that have the same expressive power, and find matching lower and upper bounds for the complexity of satisfiability for each of these formulations. We also give an effective necessary condition, in terms of the syntactic monoid of a regular language, for a property to be expressible in this logic. We show that this condition is also sufficient for words over a two-letter alphabet. This algebraic analysis allows us to prove, among other things, that our new logic has strictly less expressive power than full first-order logic FO[<].

- Apr 2016
- International Conference on Foundations of Software Science and Computation Structures

The ability to count the number of occurrences of events within a specified time interval is very useful in the specification of resource-bounded real-time computation. In this paper, we study an extension of Metric Temporal Logic ($\mathsf{MTL}$) with two different counting modalities called $\mathsf{C}$ and $\mathsf{UT}$ (until with threshold), which enhance the expressive power of $\mathsf{MTL}$ in an orthogonal fashion. We confine ourselves only to the future fragment of $\mathsf{MTL}$ interpreted in a pointwise manner over finite timed words. We provide a comprehensive study of the expressive power of the logic $\mathsf{CTMTL}$ and its fragments using the technique of EF games extended with suitable counting moves. Finally, as our main result, we establish the decidability of $\mathsf{CTMTL}$ by giving an equisatisfiable reduction from $\mathsf{CTMTL}$ to $\mathsf{MTL}$. The reduction provides one more example of the use of temporal projections with oversampling introduced earlier for proving decidability. Our reduction also implies that $\mathsf{MITL}$ extended with the $\mathsf{C}$ and $\mathsf{UT}$ modalities is elementarily decidable.

- Sep 2014
- International Colloquium on Theoretical Aspects of Computing

Real-time logics such as Metric Temporal Logic (MTL) and Timed Propositional Temporal Logic (TPTL) exhibit considerable diversity in expressiveness and decidability properties based on the permitted set of modalities, the nature of time interval constraints and restrictions on models. We study the expressiveness and decidability properties of various unary fragments of MTL incorporating strict as well as non-strict modalities. We show that, from the point of view of expressive power, \(\mathsf{MTL}[\Diamond_I] \subsetneq \mathsf{MTL}[\Diamond^s_I] \subsetneq \mathsf{MTL}[\Diamond_I,\bigcirc] \equiv \mathsf{MTL}[\Diamond^s_I,\bigcirc] \subsetneq \mathsf{MTL}[\mathsf{U}^s_I]\) in pointwise semantics. We also sharpen the decidability results by showing that, in the pointwise semantics, \(\mathsf{MTL}[\Diamond_I]\) (which is the least expressive amongst the unary fragments considered) already has non-primitive-recursive complexity and is \({\bf F}_{\omega^\omega}\)-hard for satisfiability checking over finite timed words, and that \(\mathsf{MTL}[\Diamond_I, \overleftarrow{\Diamond}_I]\) is undecidable and \(\Sigma_1^0\)-hard. Next we explore, in the pointwise models, the decidability of \(\mathsf{TPTL}[\Diamond_I]\) (unary TPTL) and show that 2-variable unary TPTL has undecidable satisfiability, while the single-variable fragment \(\mathsf{TPTL}[\mathsf{U}^s]\), incorporating even the most expressive operator \(\mathsf{U}^s\), is decidable over finite timed words. We provide a comprehensive picture of the decidability and expressiveness properties of unary fragments of TPTL and MTL over pointwise time.

Metric Temporal Logic $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}_I]$ is one of the most studied real-time logics. It exhibits considerable diversity in expressiveness and decidability properties based on the permitted set of modalities and the nature of the time interval constraints $I$. Henzinger et al., in their seminal paper, showed that the non-punctual fragment of $\mathsf{MTL}$ called $\mathsf{MITL}$ is decidable. In this paper, we sharpen this decidability result by showing that the partially punctual fragment of $\mathsf{MTL}$ (denoted $\mathsf{PMTL}$) is decidable over strictly monotonic finite pointwise time. In this fragment, we allow either punctual future modalities or punctual past modalities, but never both together. We give two satisfiability-preserving reductions from $\mathsf{PMTL}$ to the decidable logic $\mathsf{MTL}[\mathsf{U}_I]$. The first reduction uses simple projections, while the second reduction uses a novel technique of temporal projections with oversampling. We study the trade-off between the two reductions: while the second reduction allows the introduction of extra action points in the underlying model, the equisatisfiable $\mathsf{MTL}[\mathsf{U}_I]$ formula obtained is exponentially more succinct than the one obtained via the first reduction, where no oversampling of the underlying model is needed. We also show that $\mathsf{PMTL}$ is strictly more expressive than the fragments $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}]$ and $\mathsf{MTL}[\mathsf{U},\mathsf{S}_I]$.

- Jan 2014
- International Colloquium on Theoretical Aspects of Computing

The class of Unambiguous Star-Free Regular Languages (UL) has been widely studied and variously characterized by logics such as \(\mathrm{TL}[X_a, Y_a]\), UITL, \(\mathrm{TL}[F,P]\), \(FO^2[<]\), the variety DA and partially-ordered two-way DFA. However, explicit reductions from logics to automata are missing. In this paper, we introduce the concept of Deterministic Logics for UL. The formulas of deterministic logics uniquely parse a word in order to evaluate satisfaction. We consider three such deterministic logics with varied modalities, namely \(\mathrm{TL}[X_a, Y_a]\), \(\mathrm{TL}[\tilde{U},\tilde{S}]\) and \(\mathrm{UITL}^{\pm}\). Using effective reductions between them and to po2dfa, we show that they all characterize UL, and have NP-complete satisfiability. The reductions rely on features of deterministic logic such as unique parsability and ranker-directionality.

Metric Temporal Logic, $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}_I]$, is amongst the most studied real-time logics. It exhibits considerable diversity in expressiveness and decidability properties based on the permitted set of modalities and the nature of the time interval constraints $I$. The classical results of Alur and Henzinger showed that $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}_I]$ is undecidable, whereas $\mathsf{MITL}$, which uses only non-singular intervals $NS$, is decidable. In a surprising result, Ouaknine and Worrell showed that the satisfiability of $\mathsf{MTL}[\mathsf{U}_I]$ is decidable over finite pointwise models, albeit with non-primitive-recursive (NPR) decision complexity, whereas it remains undecidable for infinite pointwise models or for continuous time. In this paper, we sharpen the decidability results by showing that the satisfiability of $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}_{NS}]$ (where $NS$ denotes non-singular intervals) is also decidable over finite pointwise strictly monotonic time. We give a satisfiability-preserving reduction from the logic $\mathsf{MTL}[\mathsf{U}_I,\mathsf{S}_{NS}]$ to the decidable logic $\mathsf{MTL}[\mathsf{U}_I]$ of Ouaknine and Worrell using the technique of temporal projections. We also investigate the decidability of the unary fragment $\mathsf{MTL}[\mathsf{F}_I,\mathsf{P}_I]$ (a question posed by A. Rabinovich) and show that $\mathsf{MTL}[\mathsf{F}_I]$ over continuous time as well as $\mathsf{MTL}[\mathsf{F}_I,\mathsf{P}_I]$ over finite pointwise time are both undecidable. Moreover, $\mathsf{MTL}^{pw}[\mathsf{F}_I]$ over finite pointwise models already has an NPR lower bound for satisfiability checking. We also compare the expressive powers of some of these fragments using the technique of EF games for $\mathsf{MTL}$.

- May 2013
- Proceedings of the 10th international conference on Automated Technology for Verification and Analysis

We study two unary fragments of the well-known metric interval temporal logic MITL[U_I,S_I] that was originally proposed by Alur and Henzinger, and we pin down their expressiveness as well as satisfiability complexities. We show that MITL[F_∞,P_∞], which has unary modalities with only lower-bound constraints, is (surprisingly) expressively complete for Partially Ordered 2-Way Deterministic Timed Automata (po2DTA), and the reduction from logic to automaton gives us its NP-complete satisfiability. We also show that the fragment MITL[F_b,P_b], having unary modalities with only bounded intervals, has NEXPTIME-complete satisfiability. But strangely, MITL[F_b,P_b] is strictly less expressive than MITL[F_∞,P_∞]. We provide a comprehensive picture of the decidability and expressiveness of various unary fragments of MITL.

- Jul 2012
- Modern Applications of Automata Theory. IISc research Monographs Series

Discrete Duration Calculus is a succinct and expressive logic for specifying quantitative timing properties of discrete timed behaviors. We present a conditional equational theory for proving equality and implications between DDC* formulae. We also investigate the complexities of several decision problems for DDC*. We introduce a new variant of extended regular expressions called extended chop expressions with tests (ECET) for specifying ε-free regular languages. Language preserving reductions between DDC* and ECET giving only linear blowup in size can be formulated. Moreover, ECET satisfy the axioms of Boolean Algebras as well as Kleene algebras with tests; these can now be applied to DDC*. We investigate the complexities of decision problems such as membership, non-emptiness and non-equivalence for extended chop expressions and its subclasses. The algorithmic complexity of synthesis of NFA from extended chop expressions and its subclasses is also investigated. Finally, we formulate the reductions between extended regular expressions and extended chop expressions. Surprisingly, the extended chop expressions are difficult to reduce to extended regular expressions.

- Jul 2012

Timed automata have emerged as a prominent model for representation and analysis of real-time systems. The study of closure properties and decision problems for timed automata provides key insights into their computational power. The resulting algorithms have influenced the development of automatic analysis tools for model checking real-time systems. In this chapter we provide an introduction to the theory of timed automata.

- Sep 2011
- Proceedings of the 9th international conference on Formal modeling and analysis of timed systems

Construction of automata for Metric Temporal Logics has been an active but challenging area of research. We consider here the continuous-time Metric Temporal Logic \(\mathsf{MTL}[\mathcal{U}_I,\mathcal{S}_I]\) as well as the corresponding signal automata. In previous works by Maler, Nickovic and Pnueli, the signal automaton synthesis has mainly addressed MTL under an assumption of bounded variability. In this paper, we propose a novel technique of "Temporal Projections" that allows easy synthesis of safety signal automata for continuous-time \(\mathsf{MITL}[\mathcal{U}_I,\mathcal{S}_I]\) over finite signals without assuming bounded variability. Using the same technique, we also give synthesis of safety signal automata for \(\mathsf{MITL}[\mathcal{U}_I,\mathcal{S}_I]\) with bounded future operators over infinite signals. For finite signals, the Temporal Projections allow us to syntactically transform an MITL formula \(\varphi(Q)\) over a set of propositions \(Q\) to a pure past-time MITL formula \(\psi(P,Q)\) with an extended set of propositions \((P,Q)\) which is language equivalent "modulo temporal projection", i.e. \(L(\varphi) = L(\exists P.\ \boxdot \psi)\). A similar such transformation over infinite signals is also formulated for \(\mathsf{MITL}[\mathcal{U}_I,\mathcal{S}_I]\) restricted to Bounded Future formulae, where the Until operators use only bounded (i.e. non-infinite) intervals. It is straightforward to construct a safety signal automaton for the transformed formula. We give complexity bounds for the resulting automaton. Our temporal projections are inspired by the use of projections by D'Souza et al. for eliminating past in MTL.

- Feb 2011
- Proceedings of the 22nd international conference on Concurrency theory

Timed temporal logics exhibit a bewildering diversity of operators, and the resulting decidability and expressiveness properties also vary considerably. We study the expressive power of the timed logics TPTL[U,S] and MTL[U,S] as well as of several of their fragments. Extending the LTL EF games of Etessami and Wilke, we define MTL Ehrenfeucht-Fraïssé games on a pair of timed words. Using the associated EF theorem, we show that, expressively, the timed logics BoundedMTL[U,S], MTL[F,P] and MITL[U,S] (respectively incorporating the restrictions of boundedness, unary modalities and non-punctuality) are all pairwise incomparable. As our first main result, we show that MTL[U,S] is strictly contained within the freeze logic TPTL[U,S] for both weakly and strictly monotonic timed words, thereby extending the result of Bouyer et al. and completing the proof of the original conjecture of Alur and Henzinger from 1990. We also relate the expressiveness of a recently proposed deterministic freeze logic TTL[X,Y] (with NP-complete satisfiability) to MTL. As our second main result, we show by an explicit reduction that TTL[X,Y] lies strictly within the unary, non-punctual logic MITL[F,P]. This shows that deterministic freezing with punctuality is expressible in the non-punctual MITL[F,P].

- Jan 2011
- Formal Modeling and Analysis of Timed Systems - 9th International Conference, FORMATS 2011, Aalborg, Denmark, September 21-23, 2011. Proceedings
- International Conference on Formal Modeling and Analysis of Timed Systems

- Dec 2010

Model-based design methodology is increasingly being used in the development of software for embedded controllers for safety-class applications. SCADE Suite is a set of tools that support model-based design of software for embedded systems. The model validation activity in SCADE involves model simulation guided by a set of test cases that are based on system requirements (functional, or black-box) and structural coverage criteria like MC/DC (white-box). However, systematically devising a test case based on such a criterion is not easy, and often the designer is required to analyze the model to design a test sequence which will meet the required criteria. In this paper, we demonstrate the use of a technique based on model checking to automate the generation of such test cases for SCADE models. For automatic test case generation, the tool SAL-ATG was used, which can generate test cases for models developed in the SAL specification language. The MC/DC coverage criterion was adopted for generating the test goals to be covered by the generated test cases.

- Sep 2010
- Formal Modeling and Analysis of Timed Systems - 8th International Conference, FORMATS 2010, Klosterneuburg, Austria, September 8-10, 2010. Proceedings
- International Conference on Formal Modeling and Analysis of Timed Systems

Unambiguous languages (UL), originally defined by Schützenberger using unambiguous polynomials, are a robust subclass of regular languages. They have many diverse characterizations: they are recognized by partially-ordered two-way deterministic automata (po2dfa), and they are definable by Unary Temporal Logic (UTL) as well as by the two-variable first-order logic over words (\(FO^2[<]\)).
In this paper, we consider the timed version of unambiguous languages. A subclass of the two-way deterministic timed automata (2DTA) of Alur and Henzinger, called partially-ordered two-way deterministic automata (po2DTA), is examined and we call the languages accepted by these Timed Unambiguous Languages (TUL). This class has some interesting properties: we show that po2DTA are boolean closed and their non-emptiness is NP-complete. We propose a deterministic and unary variant of MTL called DUMTL and show that DUMTL formulae can be reduced to language-equivalent po2DTA in polynomial time, giving NP-complete satisfiability for the logic. Moreover, DUMTL is shown to be expressively complete for po2DTA. Finally, we consider the unary fragments of the well-known logics MTL and MITL and we show that neither of these is expressively equivalent to po2DTA. Contrast this with the untimed case, where unary temporal logic is equivalent to po2dfa.

- Aug 2010
- Developments in Language Theory, 14th International Conference, DLT 2010, London, ON, Canada, August 17-20, 2010. Proceedings

It is known that the languages definable by formulae of the logics \(FO^{2}[<,S], \Delta_{2}[<,S], LTL[F,P,X,Y]\) are exactly the variety DA*D. Automata for this class are not known, nor is its precise placement within the dot-depth hierarchy of star-free languages. It is easy to argue that \(\Delta_2[<,S]\) is included in \(\Delta_3[<]\); in this paper we show that it is incomparable with \(B(\Sigma_2)[<]\), the boolean combination of \(\Sigma_2[<]\) formulae. Using ideas from Straubing's "delay theorem", we extend our earlier work [LPS08] to propose partially-ordered two-way deterministic finite automata with look-around (po2dla) and a new interval temporal logic called LITL, and show that they also characterize the variety DA*D. We give effective reductions from LITL to equivalent po2dla and from po2dla to equivalent \(FO^2[<,S]\). The po2dla automata admit efficient operations of boolean closure, and the language non-emptiness of po2dla is NP-complete. Using this, we show that satisfiability of LITL remains NP-complete assuming a fixed look-around length. (Recall that for LTL[F,X], it is PSPACE-hard.)

- Apr 2009
- Language and Automata Theory and Applications, Third International Conference, LATA 2009, Tarragona, Spain, April 2-8, 2009. Proceedings

ε-IRTA are a subclass of timed automata with ε moves (ε-TA). They are useful for modelling the global sparse time base used in time-triggered architecture and distributed business processes. In a previous paper [1], the language inclusion problem \(L(\mathcal A) \subseteq L(\mathcal B)\) was shown to be decidable when \(\mathcal A\) is an ε-TA and \(\mathcal B\) is an ε-IRTA. In this paper, we address the determinization, complementation and ε-removal questions for ε-IRTA. We introduce a new variant of timed automata called GRTA. We show that for every ε-IRTA we can effectively construct a language-equivalent 1-clock, deterministic GRTA with periodic time guards (but having no ε moves). The construction gives rise to at most a double exponential blowup in the number of locations. Finally, we show that every GRTA with periodic guards can be reduced to a language-equivalent ε-IRTA with at most double the number of locations. Thus, ε-IRTA, periodic GRTA, and deterministic 1-clock periodic GRTA have the same expressive power, and they are all expressively complete with respect to the regular \(\delta\checkmark\)-languages. Equivalence of deterministic and nondeterministic automata also gives us that these automata are closed under the boolean operations.

- Sep 2008
- Formal Modeling and Analysis of Timed Systems, 6th International Conference, FORMATS 2008, Saint Malo, France, September 15-17, 2008. Proceedings
- International Conference on Formal Modeling and Analysis of Timed Systems

In this paper, we consider a syntactic subset of timed automata called integer reset timed automata (IRTA) where resets are restricted to occur at integral time points. We argue with examples that the notion of global sparse time base used in time triggered architecture and distributed web services can naturally be modelled/specified as IRTA. As our main result, we show that the language inclusion problem \(L(\mathcal A) \subseteq L(\mathcal{B})\) for a timed automaton \(\mathcal A\) and an IRTA \(\mathcal{B}\) is decidable with EXPSPACE complexity. The expressive power and the closure properties of IRTA are also summarized. In particular, the IRTA are (highly succinct but) expressively equivalent to 1-clock deterministic IRTA and they are closed under boolean operations.

Asynchronous systems consist of a set of transitions which are non-deterministically chosen and executed. We present a theory of guiding symbolic reachability in such systems by scheduling clusters of transitions. A theory of reachability expressions which specify the schedules is presented. This theory allows proving equivalence of different schedules which may have radically different performance in BDD-based search. We present experimental evidence to show that optimized reachability expressions give rise to significant performance advantages. The profiling is carried out in the NuSMV framework using examples from discrete timed automata and circuits with delays. A variant tool called NuSMVDP has been developed for interpreting reachability expressions to carry out the experiments.

- Jan 2008
- SYNASC 2008, 10th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, Timisoara, Romania, 26-29 September 2008

Various methodologies to model and analyze timed and hybrid systems using SAL are reported. We assume that the system is specified as a network of timed/hybrid automata with synchronized transitions and urgency. We show how to translate the system into a SAL model with the time domain being either discrete or dense, and the clocks being either saturated or unsaturated. Depending on these choices, various tools provided by SAL to model check reachability properties over the system are used to establish safety properties of timed systems. We profile the performance of these tools with a comparative study.

- Jan 2008
- Proceedings of the 45th Design Automation Conference, DAC 2008, Anaheim, CA, USA, June 8-13, 2008

End-to-end latency of messages is an important design parameter that needs to be within specified bounds for the correct functioning of distributed real-time control systems. In this paper we give a formal definition of end-to-end latency, and use this as the basis for checking whether a stipulated deadline is violated within a bounded time. For unbounded verification, we model the system as a set of communicating timed automata, and perform reachability analysis. The proposed method takes into account the drift of clocks which is shown to affect the latency appreciably. The method has been tested on a medium sized automotive example.

- Jan 2008
- Fifth IFIP International Conference On Theoretical Computer Science - TCS 2008, IFIP 20th World Computer Congress, TC 1, Foundations of Computer Science, September 7-10, 2008, Milano, Italy

Interval Temporal Logic [11, 13] is a highly expressive and succinct logic whose satisfiability over finite words is non-elementary in the number of alternations of chop and negation operators. All the sublogics of ITL with elementary decidability known to us restrict this alternation depth. In this paper, we define a sublogic of Interval Temporal Logic by replacing chops with marked chops but without any restriction on the alternation depth. We show that the resulting logic admits unique parsing of a word matching a formula, with the consequence that membership is in LOGDCFL, and satisfiability is in PSPACE (and NP-complete for a fixed alphabet). As our first result, we give an effective model-preserving reduction from UITL to the partially ordered two-way deterministic finite automata of Schwentick, Thérien and Vollmer [14]. We show that the size of the resulting automaton is quadratic in the size of the formula. We also have an exponential converse reduction from po2dfa to UITL. It follows from the work of Schützenberger [12], Thérien and Wilke [19] that this unambiguous ITL has the same expressive power as first-order logic with two variables [10].

- Aug 2007
- Next Generation Design and Verification Methodologies for Distributed Embedded Control Systems

Duration Calculi are a family of real-time logics incorporating the measurement of the duration of a proposition in an observation interval. The original Duration Calculus (DC) was defined over continuous timed behaviours. But variants of DC with different notions of time, such as sampled time or discrete time, have been investigated and used. Yet another variation is whether the time is taken to be weakly or strictly monotonic. The applicability, expressiveness and decidability of these Duration Calculi vary based upon the underlying nature of time.
In this paper, we propose a generic Duration Calculus GWDC[M] which integrates various Duration Calculi. It has behaviours with continuous, weakly monotonic time, but the logic is parameterised by the set of observable time intervals within each behaviour. By suitably choosing the parameter M, we show that the different Duration Calculi can all be obtained as GWDC[M]. Such a common framework allows investigation of relationships and translations between various Duration Calculi. We provide an overview of the sampling and digitization techniques for abstracting the undecidable continuous timed logics into decidable discrete timed logics.

- Mar 2007
- Tools and Algorithms for the Construction and Analysis of Systems, 13th International Conference, TACAS 2007, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2007 Braga, Portugal, March 24 - April 1, 2007, Proceedings

Duration Calculus (DC) is a real-time logic with measurement of duration of propositions in observation intervals. It is a highly expressive logic with continuous time behaviours (also called signals) as its models. Validity checking of DC is undecidable. We propose a method for validity checking of Duration Calculus by reduction to a sampled time version of this logic called well sampled Interval Duration Logic (WSIDL). This reduction relies on representing a continuous time behaviour by a well-sampled behaviour with 1-oversampling. We provide weak and strong reductions (abstractions) of logic DC to logic WSIDL which respectively preserve the validity and the counter examples. By combining these reductions with previous work on deciding IDL, we implement a tool for validity checking of Duration Calculus. This provides a partial but practical method for validity checking of Duration Calculus. We present some preliminary experimental results to measure the success of this approach.

- Sep 2006
- Formal Modeling and Analysis of Timed Systems, 4th International Conference, FORMATS 2006, Paris, France, September 25-27, 2006, Proceedings
- International Conference on Formal Modeling and Analysis of Timed Systems

We consider interval measurement logic IML, a sublogic of Zhou and Hansen’s interval logic, with measurement functions which provide real-valued measurement of some aspect of system behaviour in a given time interval. We interpret IML over a variety of time domains (continuous, sampled, integer) and show that it can provide a unified treatment of many diverse temporal logics including duration calculus (DC), interval duration logic (IDL) and metric temporal logic (MTL). We introduce a fragment GIML with restricted measurement modalities which subsumes most of the decidable timed logics considered in the literature.
Next, we introduce a guarded first-order logic with measurements MGF. As a generalisation of Kamp’s theorem, we show that over arbitrary time domains, the measurement logic GIML is expressively complete for it. We also show that MGF has the 3-variable property.
In addition, we have a preliminary result showing the decidability of a subset of GIML when interpreted over timed words.

Duration Calculus (or DC in short) presents a formal notation to specify properties of real-time systems and a calculus to formally prove such properties. Decidability is the underlying foundation to automated reasoning. But, excepting some of its simple fragments, DC has been shown to be undecidable.
DC takes the set of real numbers to represent time. The main reason of undecidability comes from the assumption that, in a real-time system, state changes can occur at any time point. But an implementation of a specification (for a class of applications) is ultimately executed on a computer, and there states change according to a system clock. Under such an assumption, it has been shown that the decidability results can be extended to cover relatively richer subsets of DC. In this paper, we extend such decidability results to still richer subsets of DC.

- May 2006
- Availability, Reliability and Security, 2006. ARES 2006. The First International Conference on

In this paper we present an approach for modelling and analyzing time-related properties of Web service compositions defined as a set of BPEL4WS processes. We introduce a formalism, called Web service timed state transition systems (WSTTS), to capture the timed behavior of the composite Web services. We also exploit an interval temporal logic to express complex timed assumptions and requirements on the system's behavior. Building upon this formalization, we provide techniques and tools for model checking BPEL4WS compositions against time-related requirements. We perform a preliminary experimental evaluation of our approach and tools with the help of the e-government case study.

- Apr 2006

The paper presents a practical verification tool that helps in the development of provably correct compilers. The tool is based on the approach of proving termination of PROLOG-like programs using term-rewriting techniques and a technique of testing whether a given PROLOG program can be soundly executed on PROLOG interpreters without the Occur-check test. The tool has been built on top of the theorem prover, RRL (Rewrite Rule Laboratory). The tool is effective for compilers developed using Hoare's refinement algebra approach. The utility of the tool is illustrated through a case study on correctness of a prototype compiler of the ProCoS level 0 language PL0.

- Mar 2006
- Proceedings of the 12th international conference on Tools and Algorithms for the Construction and Analysis of Systems

Asynchronous systems consist of a set of transitions which are non-deterministically chosen and executed. We present a theory of guiding symbolic reachability in such systems by scheduling clusters of transitions. A theory of reachability expressions which specify the schedules is presented. This theory allows proving equivalence of different schedules which may have radically different performance in BDD-based search. We present experimental evidence to show that optimized reachability expressions give rise to significant performance advantages. The profiling is carried out in the NuSMV framework using examples from discrete timed automata and circuits with delays. A variant tool called NuSMV-DP has been developed for interpreting reachability expressions to carry out the experiments.

- Jan 2006
- 2006 IEEE International Conference on Web Services (ICWS 2006), 18-22 September 2006, Chicago, Illinois, USA

In this paper we address the problem of qualitative and quantitative analysis of timing aspects of Web service compositions defined as a set of BPEL4WS processes. We introduce a formalism, called Web service timed state transition systems (WSTTS), to capture the timed behavior of the composite Web services. We also exploit an interval temporal logic to express complex timed assumptions and requirements on the system's behavior. Building on top of this formalization, we provide techniques and tools for model-checking BPEL4WS compositions against time-related requirements. We also present a symbolic algorithm that can be used to compute duration bounds of behavioral intervals that satisfy such requirements. We perform a preliminary experimental evaluation of our approach and tools with the help of an e-Government case study.

- Dec 2005
- FSTTCS 2005: Foundations of Software Technology and Theoretical Computer Science, 25th International Conference, Hyderabad, India, December 15-18, 2005, Proceedings

QDDC is a logic for specifying quantitative timing properties of reactive systems. An automata theoretic decision procedure for QDDC reduces each formula to a finite state automaton accepting precisely the models of the formula. This construction has been implemented into a validity/model checking tool for QDDC called DCVALID. Unfortunately, the size of the final automaton as well as the intermediate automata which are encountered in the construction can sometimes be prohibitively large. In this paper, we present some validity preserving transformations to QDDC formulae which result in more efficient construction of the formula automaton and hence reduce the validity checking time. The transformations can be computed in linear time. We provide a theoretical as well as an experimental analysis of the improvements in the formula automaton size and validity checking time due to our transformations.

QDDC is a logic for specifying quantitative timing aspects of synchronous programs. Properties such as worst-case response time and latency (when known) can be specified elegantly in this logic and model checked. However, computing these values requires finding by trial and error the least/greatest value of a parameter k making a formula D(k) valid for a program. In this paper, we discuss how an automata theoretic decision procedure for QDDC together with symbolic search for shortest/longest path can be used to compute the lengths of extremal (least/greatest length) models of a formula D. These techniques have been implemented into the DCVALID verifier for QDDC formulae. We illustrate the use of this technique by efficiently computing response and dead times of some synchronous bus arbiter circuits.

- Apr 2005
- Tools and Algorithms for the Construction and Analysis of Systems, 11th International Conference, TACAS 2005, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2005, Edinburgh, UK, April 4-8, 2005, Proceedings

A rich dense-time logic called Interval Duration Logic (IDL) is useful for specifying quantitative properties of timed systems. The logic is undecidable in general. However, several approaches can be used for checking validity (and model checking) of IDL formulae in practice. In this paper, we propose bounded validity checking of IDL formulae by polynomially reducing this to finding an unsatisfying assignment of lin-sat formulae. We implement this technique and give some performance results obtained by solving the resulting lin-sat formulae using the ICS solver. We also experimentally compare several approaches for checking validity of IDL formulae including (a) digitization followed by automata theoretic analysis, (b) digitization followed by pure propositional SAT solving, and (c) lin-sat solving as proposed in this paper. The comparison uses a rich set of examples drawn from the Duration Calculus literature.

- Jan 2004
- International Conference on Foundations of Software Technology and Theoretical Computer Science

The Mean-Value Calculus, MVC, of Zhou and Li [19] is extended with the least and the greatest fixed point operators. The resulting logic is called MVC. Timed behaviours with naturally recursive structure can be elegantly specified in this logic. Some examples of such usage are given. The expressive power of the logic is also studied. It is shown that the propositional fragment of the logic, even with discrete time, is powerful enough to encode the computations of nondeterministic Turing machines. Hence, the satisfiability of propositional MVC over both dense and discrete times is undecidable.

- Jul 2003
- Computer Aided Verification, 15th International Conference, CAV 2003, Boulder, CO, USA, July 8-12, 2003, Proceedings
- International Conference on Computer Aided Verification

In this paper, we study the verification of dense time properties by discrete time analysis. Interval Duration Logic, (IDL), is a highly expressive dense time logic for specifying properties of real-time systems. Validity checking of IDL formulae is in general undecidable. A corresponding discrete-time logic QDDC has decidable validity.
In this paper, we consider a reduction of IDL validity question to QDDC validity using notions of digitization. A new notion of Strong Closure under Inverse Digitization, SCID, is proposed. For all SCID formulae, the dense and the discrete-time validity coincide. Moreover, SCID has good algebraic properties which can be used to conveniently prove that many IDL formulae are SCID. We also give some approximation techniques to strengthen/weaken formulae to SCID form. For SCID formulae, the validity of dense-time IDL formulae can be checked using the validity checker for discrete-time logic QDDC.

Quantified Discrete-time Duration Calculus, (QDDC), is a form of interval temporal logic [14]. It is well suited to specify quantitative timing properties of synchronous systems. An automata theoretic decision procedure for QDDC allows converting a QDDC formula into a finite state automaton recognising precisely the models of the formula. The automaton can be used as a synchronous observer for model checking the property of a synchronous program. This theory has been implemented into a tool called DCVALID which permits model checking QDDC properties of synchronous programs written in Esterel, Verilog and SMV notations. In this paper, we consider two well-known synchronous bus arbiter circuits (programs) from the literature. We specify some complex quantitative properties of these arbiters, including their response time and loss time, using QDDC. We show how the tool DCVALID can be used to effectively model check these properties (with some surprising results).

We investigate a variant of dense-time Duration Calculus which permits model checking using timed/hybrid automata. We define a variant of the Duration Calculus, called Interval Duration Logic, (IDL), whose models are timed state sequences [1]. A subset LIDL of IDL consisting only of located time constraints is presented. As our main result, we show that the models of an LIDL formula can be captured as timed state sequences accepted by an event-recording integrator automaton. A tool called IDLVALID for reducing LIDL formulae to integrator automata is briefly described. Finally, it is shown that LIDL has precisely the expressive power of event-recording integrator automata, and that a further subset LIDL- corresponds exactly to event-recording timed automata [2]. This gives us an automata-theoretic decision procedure for the satisfiability of LIDL- formulae.

The notion of timed state sequences has found widespread use for modelling behaviour of real-time systems [1]. In this paper, we define a variant of the Duration Calculus, called Interval Duration Logic, (IDL), whose models are timed state sequences. It is a dense-time interval logic where satisfiability of formulae is undecidable. A subset LIDL of IDL consisting only of located time constraints is presented. A large number of examples of interest from Duration Calculus literature can be expressed within LIDL. As our main result, we show that the models of an LIDL formula can be captured as words accepted by an event-recording integrator automaton. This gives us an automata theoretic decision procedure for the satisfiability of LIDL. Finally, it is shown that LIDL has precisely the expressive power of event-recording automata. A validity checking tool for LIDL based on the above decision procedure is briefly described.

- Mar 2001
- Tools and Algorithms for the Construction and Analysis of Systems, 7th International Conference, TACAS 2001 Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings

We define a logic called CTL*[DC] which extends CTL* with ability to specify past-time and quantitative timing properties using the formulae of Quantified Discrete-time Duration Calculus (QDDC). Alternately, we can consider CTL*[DC] as extending logic QDDC with branching and liveness.
As our main result, we show a reduction of CTL*[DC] model checking problem to model checking of CTL* formulae. The reduction relies upon an automata-theoretic decision procedure for QDDC. Moreover, it preserves the subsets CTL and LTL of CTL*. The reduction is of practical relevance as model checking of CTL* as well as its subsets CTL and LTL are well studied and even implemented into a number of tools. We briefly discuss an implementation of a model checking tool for CTL[DC] called CTLDC, based on the above theory. CTLDC can model check SMV, Verilog and Esterel designs using tools SMV, VIS and Xeve, respectively.

- Nov 2000

Quantified Discrete-time Duration Calculus (QDDC) is a logic for specifying properties of finite sequences of states. It provides novel interval based modalities to specify how a system evolves with time. In this note, we give the syntax and semantics of logic QDDC. We illustrate the ability of QDDC to model complex real-time requirements by an example of a mine pump. As our main result, we show that the class of models of a QDDC formula can be characterised by words accepted a finite state automaton which can be effectively constructed. Satisfiability (validity) of a QDDC formula can be established by searching for an accepting (rejecting) path within the (deterministic) automaton. Moreover, the automaton can be used as synchronous observer (or monitor) for model checking QDDC formulae. We briefly discuss our implementation of this decision procedure for QDDC into a tool called DCVALID. We report some experimental results obtained by using DCVALID.

- Oct 2000

We have recently proposed a simple extension of CTL to logic CTL[DC]. This logic extends CTL with the ability to specify the past of a node in a computation tree as a QDDC formula. Many complex properties can be conveniently specified in the enhanced logic. We have shown a reduction of CTL[DC] model checking problem to CTL model checking problem by a systematic transformation of the system model [8]. This theory has been implemented into a tool called CTLDC. CTLDC enhances the original QDDC validity checker, DCVALID [6], with ability to model check CTL[DC] properties of SMV, Verilog (VIS) and Esterel designs. It also extends the functionality of tools SMV, VIS and Xeve by adding ability to model check properties of the richer logic CTL[DC]. In this paper, we give an overview of the usage and the working of the tool CTLDC. We define the precise syntax of CTLDC specifications and outline its use in checking SMV, Verilog and Esterel designs by some examples.

Duration Calculus (or DC in short) presents a formal notation to specify properties of real-time systems and a calculus to formally prove such properties. Decidability is the underlying foundation to automated reasoning. But, excepting some of its simple fragments, DC has been shown to be undecidable. DC takes the set of real numbers to represent time. The main reason of undecidability comes from the assumption that, in a real-time system, state changes can occur at any time point. But an implementation of a specification is ultimately executed on a computer, and there states change according to a system clock. Under such an assumption, it has been shown that the decidability results can be extended to cover relatively richer subsets of DC. In this paper, we extend such decidability results to still richer subsets of DC. 1 Introduction Duration Calculus (DC) [11] is a logic for reasoning about real-time systems. It presents a formal notation to specify properties of real-time system...

We extend Duration Calculus to a logic which allows description of Discrete Processes where several steps of computation can occur at the same time point. The resulting logic is called Duration Calculus of Weakly Monotonic Time (WDC). It allows effects such as true synchrony and digitisation to be modelled. As an example of this, we formulate a novel semantics of Timed CSP assuming that the communication and computation take no time. 1 Introduction Many real-time systems are designed and analysed under the assumption that computation and communication do not take time. This assumption has been called true synchrony hypothesis [5,2]. Thus, only the waiting for external synchronisation or explicit delay statements take time. Such an abstraction provides an essential simplification in understanding the behaviour of real-time systems. Logics for real-time system must be capable of handling such abstractions. One recent logic for real-time systems is the Duration Calculus (DC) [12]. The...

- Apr 1998

We extend Duration Calculus to a logic which allows description of Discrete Processes where several steps of computation can occur at the same time point. Moreover, the order of occurrence of these steps is relevant. The resulting logic is called Duration Calculus of Weakly Monotonic Time (WDC). It allows effects such as true synchrony and digitisation to be modelled. As an example, we formulate a new semantics of Timed CSP assuming that the communication and computation take no time. We also outline a semantics of shared variable concurrency under similar assumptions. We introduce a notion of deformation of time in WDC. We study the duration calculus properties which remain invariant under such deformation of time.

- Jan 1998
- Programming Concepts and Methods, IFIP TC2/WG2.2,2.3 International Conference on Programming Concepts and Methods (PROCOMET '98) 8-12 June 1998, Shelter Island, New York, USA

A theory of Sequential Hybrid Programs (SHP) is studied. SHP is a programming notation for representing hybrid systems. It contains a phase statement and the normal sequential programming constructs such as assignments, conditionals and iterations. Time dependent dynamical activities of the system are specified by phase statements. Intermixing of these two features leads to programs with a rich diversity of behaviours including super dense computations, infinite executions, finitely divergent executions and instantaneously divergent executions. Duration calculus is extended with super dense states, fixed point operators and infinite intervals to give a logic μSDCI. A compositional semantics of SHP programs is defined using the logic μSDCI. Several high level proof rules are derived for establishing specific kinds of properties of SHP programs such as total correctness and invariance. These high level proof rules provide a modular and syntax directed method for establishing the properties of SHP programs with the program structure guiding the proof of correctness.

- Jan 1998
- Foundations of Software Technology and Theoretical Computer Science, 18th Conference, Chennai, India, December 17-19, 1998, Proceedings

The paper presents a practical verification tool that helps in the development of provably correct compilers. The tool is based on the approach of proving termination of PROLOG-like programs using term-rewriting techniques and a technique of testing whether a given PROLOG program can be soundly executed on PROLOG interpreters without the Occur-check test. The tool has been built on top of the theorem prover, RRL (Rewrite Rule Laboratory). The tool is effective for compilers developed using Hoare's refinement algebra approach. The utility of the tool is illustrated through a case study on correctness of a prototype compiler of the ProCoS level 0 language PL0.

- Sep 1996
- Formal Techniques in Real-Time and Fault-Tolerant Systems, 4th International Symposium, FTRTFT'96, Uppsala, Sweden, September 9-13, 1996, Proceedings
- International Symposium on Formal Techniques in Real-Time and Fault-Tolerant

The Mean-Value Calculus of Zhou and Li [23, 7] is extended with outward looking modalities, $D_1 / D_2$ and $D_1 \backslash D_2$. Liveness properties such as fairness and asymptotic stability can be captured in the extended logic $\mathrm{MVC}^{-1}$. A large number of modalities of interest can be derived from these operators. We show that many existing formalisms for real-time systems such as the Metric Temporal Logic, MTL, the TPTL and the Timed Büchi Automata can be modelled within our logic $\mathrm{MVC}^{-1}$.

- Sep 1995
- Computer Science Logic, 9th International Workshop, CSL '95, Annual Conference of the EACSL, Paderborn, Germany, September 22-29, 1995, Selected Papers

Two extensions to the propositional mean-value calculus of Zhou and Li [27] are given. The first enriches the logic with outward looking modalities $D_1 / D_2$ and $D_1 \backslash D_2$, and the second allows quantification over state variables in formulae. The usefulness of these extensions is demonstrated by some examples. The expressive power and decidability of the resulting logics are analysed. This analysis is achieved by reducing the decidability/expressiveness questions to the corresponding questions in the monadic theory of order [19].

- Feb 1995

Real-time and hybrid systems have been studied so far under the assumption of finite variability. In this paper, we consider models in which systems exhibiting finite divergence can also be analysed. In such systems the state of the system can change infinitely often in a finite time. This kind of behaviour arises in many representations of hybrid systems, and also in theories of nonlinear systems. The aim, here, is to provide a theory where pathological behaviour such as finite divergence can be analysed — if only to prove that it does not occur in systems of interest. Finite divergence is studied using the framework of duration calculus. Axioms and proof rules are given. Patterns of occurrence of divergence are classified into dense divergence, accumulative divergence and discrete divergence by appropriate axioms. Induction rules are given for reasoning about discrete divergence.

- Dec 1994
- Foundations of Software Technology and Theoretical Computer Science, 14th Conference, Madras, India, December 15-17, 1994, Proceedings


- Sep 1994
- Formal Techniques in Real-Time and Fault-Tolerant Systems, Third International Symposium Organized Jointly with the Working Group Provably Correct Systems - ProCoS, Lübeck, Germany, September 19-23, Proceedings

This paper addresses the problem of formally describing hybrid sampled data systems. Using the techniques proposed in Duration Calculus, we first develop a formal calculus, called Accumulation Calculus, for specifying real valued step functions of time. The key idea is that such functions are described using their integrals in bounded closed intervals. The semantics of Accumulation Calculus formulae as well as a relatively complete axiom system are presented.
Sampled data are a particular type of step functions which change at regular periods only. Suitable axioms are introduced to capture this. Special formulae and modalities are introduced to describe such data. Some proof rules are proposed for these modalities and shown to be sound. The resulting system is called a calculus for hybrid sampled data systems. Well established representations of sampled data systems from control theory such as difference equations can be directly translated into such formulae. At the same time the calculus allows reasoning about asynchronous events and their effect on sampled data. A detailed case study of a heating system is given to illustrate the applicability of the calculus to hybrid sampled data systems.

- Sep 1994
- Formal Techniques in Real-Time and Fault-Tolerant Systems, Third International Symposium Organized Jointly with the Working Group Provably Correct Systems - ProCoS, Lübeck, Germany, September 19-23, Proceedings

A hybrid system is a system containing both time-evolving components and event-driven components. A formal approach is explored in this paper, based on Extended Duration Calculus (EDC), for the development of hybrid systems. A typical example of hybrid system from modern control theory, a two-level adaptive control system, is used for illustrating our approach. Its high level consists of an event-driven supervisor which reacts to the change of plant structure, and its time-evolving low level consists of adaptive controllers and other components. Firstly, performance specifications and system specification of the case are formulated in EDC; then they are refined stepwise into specifications of the supervisor and the low level components. Our approach emphasizes the interface between the two kinds of components in the hybrid system.

- Dec 1993
- Foundations of Software Technology and Theoretical Computer Science, 13th Conference, Bombay, India, December 15-17, 1993, Proceedings

A mathematical model for asynchronously communicating processes, called ICSP, is proposed in the style of the failures-divergences model for synchronously communicating processes. It improves on the ACSP model of Josephs, Hoare and He ([5]) by its ability to model infinitary processes while retaining the salient features of ACSP. The model is shown to be a c.p.o. under a natural determinism ordering. A host of operators are defined and proved to be continuous. We show that the ACSP model corresponds to the contextual equivalence on ICSP processes and that ICSP processes are essentially input buffered CSP processes which have only internal choice on output events. A category theoretic formulation of the results is also provided.

- May 1993

The theory of CSP is extended to include an infinitary parallel composition operator. The presence of such an operator allows us to write programs where infinitely many agents compute concurrently. We show that this operator can be modelled within the failures-divergences model of Brookes and Roscoe. The operator is continuous in each of its arguments, and in fact preserves the limits of almost all chains in the infinitary product c.p.o. We also demonstrate that this operator adds to the expressive power of CSP. A comparison of this operator with that defined by Barrett [1] is also provided.

- Jan 1993
- FME '93: Industrial-Strength Formal Methods, First International Symposium of Formal Methods Europe, Odense, Denmark, April 19-23, 1993, Proceedings

- Jun 1992

An algebraic technique for reasoning about recursive programs is proposed. The technique is based on Tarski's axioms of least fixed points of monotonic functions and the existence of weak-op-inverses. The algebraic style gives rise to elegant proofs, although the requirement of existence of weak-op-inverse may limit applicability. When such inverses do exist, the method can be used in the presence of noncontinuous but monotonic operators occurring in languages containing unbounded nondeterminism, fairness constraints and specification statements.

- Jun 1991

This paper describes a compositional proof system called P-A logic for establishing weak total correctness and weak divergence correctness of CSP-like distributed programs with synchronous and asynchronous communication. Each process in a network is specified using logical assertions in terms of a presupposition Pre and an affirmation Aff as a triple {Pre}S{Aff}. For purely sequential programs, these triples reduce to the familiar Hoare triples. In distributed programs, P-A triples allow the behaviour of a process to be specified in the context of assumptions about its communications with the other processes in the network. Safety properties of process communications, and progress properties such as finiteness and freedom from divergence can be proved. An extension of P-A logic allowing proof of deadlock freedom is outlined. Finally, proof rules for deriving some liveness properties of a program from its P-A logic specification are discussed; these properties have the form Q until R, where Q, R are assertions over communication traces. Other liveness properties may be derived from these properties using the rules of temporal logic.

A compiler is specified by a description of how each construct of the source language is translated into a sequence of object code instructions. The meaning of the object code can be defined by an interpreter written in the source language itself. A proof that the compiler is correct must show that interpretation of the object code is at least as good (for any relevant purpose) as the corresponding source program. The proof is conducted using standard techniques of data refinement. All the calculations are based on algebraic laws governing the source language. The theorems are expressed in a form close to a logic program, which may be used as a compiler prototype, or a check on the results of a particular compilation. A subset of the occam programming language and the transputer instruction set are used to illustrate the approach. An advantage of the method is that it is possible to add new programming constructs without affecting existing development work.

- Aug 1990
- Proceedings of the 2nd International Workshop on Programming Language Implementation and Logic Programming (PLILP '90)

A compiler may be specified as a set of theorems, each describing how a construct in the programming language is translated into a sequence of machine instructions. The machine may be specified as an interpreter written in the programming language itself. Using refinement algebra, it can then be verified that interpreting a compiled program is the same as, or better than, executing the original source program. The compiling specification is very similar to a logic program, and thus a prototype compiler (and interpreter) may easily be produced in a language such as Prolog. A subset of the occam programming language and the transputer instruction set are used to illustrate the approach. An advantage of the method is that new programming constructs can be added without necessarily affecting existing development work.
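The two abstracts above describe the same scheme: one translation rule per source construct, a target machine given by an interpreter, and a check that interpreting the compiled program is no worse than running the source. The following is an added illustration written for this page, not the paper's occam/transputer development nor its Prolog prototype. The source language (assignments over +, *), the stack-machine instruction set (PUSH, LOAD, STORE, ADD, MUL) and the sample program are invented for the example; the refinement obligation is tested on a concrete store rather than proved algebraically.

```python
from typing import Dict, List, Tuple, Union

# Source language (invented for this example):
#   expressions: int | variable name | (op, e1, e2) with op in {'+', '*'}
#   statements:  ('assign', name, expr) | ('seq', [stmts])
Expr = Union[int, str, Tuple[str, "Expr", "Expr"]]
Stmt = Tuple

def eval_expr(e: Expr, env: Dict[str, int]) -> int:
    """Source-language meaning of an expression over a store."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return env[e]
    op, a, b = e
    x, y = eval_expr(a, env), eval_expr(b, env)
    return x + y if op == '+' else x * y

def exec_stmt(s: Stmt, env: Dict[str, int]) -> Dict[str, int]:
    """Source-language meaning of a statement: the final store."""
    env = dict(env)
    if s[0] == 'assign':
        env[s[1]] = eval_expr(s[2], env)
    else:
        for sub in s[1]:
            env = exec_stmt(sub, env)
    return env

# Compiling specification: one rule per construct giving the instruction
# sequence it is translated to (the 'theorems' of the abstract, as code).
def compile_expr(e: Expr) -> List[Tuple]:
    if isinstance(e, int):
        return [('PUSH', e)]
    if isinstance(e, str):
        return [('LOAD', e)]
    op, a, b = e
    return compile_expr(a) + compile_expr(b) + [('ADD',) if op == '+' else ('MUL',)]

def compile_stmt(s: Stmt) -> List[Tuple]:
    if s[0] == 'assign':
        return compile_expr(s[2]) + [('STORE', s[1])]
    code: List[Tuple] = []
    for sub in s[1]:
        code += compile_stmt(sub)
    return code

# The target machine, defined as an interpreter (a stack machine, invented here).
def run_machine(code: List[Tuple], env: Dict[str, int]) -> Dict[str, int]:
    env, stack = dict(env), []
    for ins in code:
        if ins[0] == 'PUSH':
            stack.append(ins[1])
        elif ins[0] == 'LOAD':
            stack.append(env[ins[1]])
        elif ins[0] == 'STORE':
            env[ins[1]] = stack.pop()
        elif ins[0] in ('ADD', 'MUL'):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if ins[0] == 'ADD' else a * b)
        else:
            raise ValueError(f"unknown instruction {ins}")
    if stack:
        raise RuntimeError("object code left values on the stack")
    return env

def compilation_agrees(s: Stmt, env: Dict[str, int]) -> bool:
    """Refinement check on one store: interpreting the compiled code must
    yield the same final store as executing the source program."""
    return run_machine(compile_stmt(s), env) == exec_stmt(s, env)

def check_object_code(s: Stmt, code: List[Tuple]) -> bool:
    """Use the specification as a check on the result of a particular compilation."""
    return compile_stmt(s) == code

# Constructed sample program:  y := (x + 1) * 3;  z := y + x
SAMPLE_PROGRAM: Stmt = ('seq', [
    ('assign', 'y', ('*', ('+', 'x', 1), 3)),
    ('assign', 'z', ('+', 'y', 'x')),
])
SAMPLE_STORE = {'x': 4}

if __name__ == '__main__':
    print(compile_stmt(SAMPLE_PROGRAM))
    print(exec_stmt(SAMPLE_PROGRAM, SAMPLE_STORE))
    print(compilation_agrees(SAMPLE_PROGRAM, SAMPLE_STORE))
```

Because each compile rule is a pure function of one construct, a new construct is added by writing one more rule and one more machine case, without touching the existing ones, which is the modularity the abstracts claim for the method.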

- Jan 1990
- Programming Research Group, Oxford University Computing Laboratory, Oxford

- May 1989
- Stepwise Refinement of Distributed Systems, Models, Formalisms, Correctness, REX Workshop, Mook, The Netherlands, May 29 - June 2, 1989, Proceedings

In this paper we investigate the use of assumption-commitment techniques for compositional proofs of safety and liveness properties of networks of processes. An inductive inference strategy to discharge mutually dependent assumptions is investigated. Some existing proof techniques are justified in terms of this framework.

- Jan 1988

Thesis (doctoral)--Tata Institute of Fundamental Research, 1988.

- Dec 1986

In 1977, S. Sokolowski gave a proof rule for the total correctness of recursive procedure calls. Unfortunately, even for simple programs his rule requires the use of complex predicates that encode information about the depth of recursion. Thus the rule can be very difficult to use for practical programs. In this paper we propose a new rule for this purpose. This rule makes use of the structure of the recursion which is discovered by carrying out an interval analysis of the procedure call graph in the proof. Proofs using this rule are simpler to carry out, and it is shown that Sokolowski's rule is in fact a special case of the new rule.

- Oct 1986

There are two major performance issues in a real-time system where a processor has a set of devices connected to it at different priority levels. The first is to prove whether, for a given assignment of devices to priority levels, the system can handle its peak processing load without losing any inputs from the devices. The second is to determine the response time for each device. There may be several ways of assigning the devices to priority levels so that the peak processing load is met, but only some (or perhaps none) of these ways will also meet the response-time requirements for the devices. In this paper, we define a condition that must be met to handle the peak processing load and describe how exact worst-case response times can then be found. When the condition cannot be met, we show how the addition of buffers for inputs can be useful. Finally, we discuss the use of multiple processors in systems for real-time applications.
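A worked example of the two questions in this abstract, added here and not taken from the paper: given devices at fixed priority levels, decide whether the peak processing load can be handled and compute each device's exact worst-case response time. It implements the fixed-priority response-time recurrence usually attributed to this paper, R_i = C_i + sum over higher-priority j of ceil(R_i / T_j) * C_j, iterated from R_i = C_i until it converges. The device sets, names and numbers are constructed for the example.

```python
import math
from typing import Dict, List, Optional, Tuple

# A device is (name, C, T): C is the worst-case processing time of one input
# from the device, T the minimum interval between two of its inputs.
# Lists are ordered from highest to lowest priority level.
Device = Tuple[str, int, int]

# Constructed sample device sets (not from the paper).
FEASIBLE: List[Device] = [("sensor", 1, 4), ("serial", 2, 6), ("disk", 3, 12)]
OVERLOADED: List[Device] = [("sensor", 2, 4), ("serial", 2, 6), ("disk", 3, 12)]

def utilization(devices: List[Device]) -> float:
    """Fraction of processor time demanded at peak load; > 1 can never be met."""
    return sum(c / t for _, c, t in devices)

def response_times(devices: List[Device]) -> Dict[str, Optional[int]]:
    """Exact worst-case response time of each device under fixed priorities.

    Iterates R = C_i + sum_{j higher priority} ceil(R / T_j) * C_j starting
    from R = C_i until it converges. A device gets None when R would exceed
    T_i: a second input could arrive before the first has been processed, so
    the peak-load condition fails and an input may be lost unless it is
    buffered (the case the abstract addresses by adding input buffers).
    """
    result: Dict[str, Optional[int]] = {}
    for i, (name, c_i, t_i) in enumerate(devices):
        higher = devices[:i]
        r = c_i
        while True:
            r_next = c_i + sum(math.ceil(r / t_j) * c_j for _, c_j, t_j in higher)
            if r_next > t_i:
                result[name] = None  # response time exceeds the input interval
                break
            if r_next == r:
                result[name] = r     # fixed point reached: exact worst case
                break
            r = r_next
    return result

def meets_peak_load(devices: List[Device]) -> bool:
    """Peak-load condition: every device's worst-case response time is
    bounded by its minimum input interval, so no input is lost."""
    return all(r is not None for r in response_times(devices).values())

if __name__ == "__main__":
    for devs in (FEASIBLE, OVERLOADED):
        print(f"utilization={utilization(devs):.2f}",
              response_times(devs), meets_peak_load(devs))
```

The iteration is monotone, so it either reaches a fixed point or crosses T_i; stopping at T_i is what makes the check terminate for the overloaded set, whose lowest-priority device would otherwise have an unbounded response time.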

- Jan 1986

The family of languages ℒ(k-E0S) generated by E0S systems under k-level fairness of derivations is defined and shown to be the same for all integers k≥1. ℒ(k-E0S) is proved to be equal to the family of languages generated by E0L systems.

In this paper, we describe the behaviour of Esterel programs in a variant of Duration Calculus referred to as Mean Value Calculus (MVC). The formalization enables the assumptions of the underlying model to be axiomatized precisely. It provides a compositional denotational semantics of Esterel. The algebraic rules of MVC can be used to prove properties of Esterel statements and thus provide a basis for algebraic laws for Esterel. In fact, the setting has enabled us to assess the "expressive" power of the operators in reactive languages. In particular, we show in this paper that the "expressive" power of Esterel is increased by the addition of the suspend operator.

Tanpura sound has a rich harmonic structure, leading to the perception of several notes for which there are no corresponding tuned strings. We analyse the spectrogram of the tanpura to find harmonic partials which correlate well with the perception of these "swayambhu" notes. From this analysis, we determine the exact shrutis of the perceived tanpura notes.

Techniques for modeling the behavior of timed and hybrid systems using SAL are investigated. Input models consist of networks of timed (hybrid) automata, with location invariants as well as synchronized transitions and urgency. Several techniques for model checking the reachability properties of the resulting models are studied and compared.