Efficient Verification and Optimization of Real-Time Logic-Specified Systems

Efficient Verification and Optimization ofReal-Time Logic-Specified Systems

Stefan Andrei, Member, IEEE, and Albert Mo Kim Cheng, Senior Member, IEEE

Abstract—Embedded and real-time systems are increasingly common and complex, requiring formal specification and verification in

order to guarantee their satisfaction of desirable safety and timing requirements. Real-Time Logic (RTL) has been used to capture both

the specification (denoted by SP ) of a real-time system and the desirable safety assertions (denoted by SA) with respect to this system

specification. A verification procedure then determines whether the safety assertions hold with respect to the system specification.

However, the satisfiability problem for RTL (i.e., “Can SP ! SA hold?”), as well as for other first order logics, is undecidable.

Consequently, efforts have been focused on identifying nontrivial classes of formulas sufficiently practical for describing industrial real-

time systems for which the verification and debugging can be done via efficient heuristics. One such class of formulas is the so-called

path RTL. The first contribution of this paper is to extend the existing path RTL class without sacrificing the time complexity of the

traditional path RTL heuristic for verification. This implies that we can specify and verify real-time systems, which we were unable to do

using the existing path RTL, in the extended path RTL. For real-time systems with large specifications, there is a lot of room for

improvement in the algorithms used for verification and debugging. The second contribution of this paper is an efficient method to

perform verification and debugging of real-time systems specifications using decomposition techniques. Our idea is to decompose the

constraint graph, used in existing approaches, into independent subgraphs so that it is no longer necessary to analyze the entire

specification at once, but rather its individual and smaller components. However, none of the above heuristics necessarily finds an

“optimal implication.” After verifying SP ! SA and deploying the system implementing SP , performance changes as a result of power

saving, faulty components, and cost saving in the processing platform for the tasks specified in SP affect the computation times of the

specified tasks. This leads to a different but related SP , which would violate the original SP ! SA theorem if SA remains the same. It

is desirable, therefore, to determine an optimal SP with the slowest possible computation times for its tasks such that the SA is still

guaranteed. This is clearly a fundamental issue in the design and implementation of highly dependable real-time/embedded systems.

The third contribution of this paper tackles this fundamental issue by describing a new method for relaxing SP and tightening SA such

that SP ! SA is still a theorem. We have implemented this method in the Java-based DEVO-RTL tool and tested it on several

industrial real-time systems. Experimental results show that only about 10 percent of the running time of the heuristic for the verification

of SP ! SA is needed to find an optimal theorem.

Index Terms—Real-time system, system development tool, automatic debugging, timing constraint, counting SAT problem,

incremental computation, optimization.

Ç

1 INTRODUCTION

REAL-TIME systems can be defined by either a structuralspecification (how their components work) or a

behavioral specification (showing the reaction of eachcomponent in response to an internal or external event). Abehavioral specification often suffices for verifying thetiming properties of the system. Given the behavioralspecification of a system (denoted by SP ) and a safetyassertion (denoted by SA) to be analyzed, the verificationgoal is to relate a given safety assertion with the systemspecification [3], [4]. One such logic for describing thespecification and the safety assertion is Real-Time Logic(RTL). However, the satisfiability problem for RTL, as well

as for other first order logics, is undecidable [5]. In an effortto find nontrivial subclasses of RTL with efficient heuristicsfor verification problem, the path real-time logic (path RTL)was described in [4], [5], [6]. A typical timing constraintexpressed in path RTL is a disjunction of inequalities like8i @ðe1; iÞ � @ðe2; iÞ � k, which has the meaning: the differ-ence between the time of the ith occurrence of event e1 andthe time of the ith occurrence of event e2 is at most k, wherei and k are the positive integers. Heuristics that deal withverification of SP ! SA were described in [4] and morerecently in [7]. The class of path RTL formulas wassuccessfully used to specify standard academic or industrialreal-time systems, e.g., railroad crossing [4], [6], [8], themoveable control rods in a reactor [4], the Boeing 777Integrated Airplane Information Management System [9],and the X_38, an autonomous spacecraft designed and builtby NASA as a prototype of the International Space StationCrew Return Vehicle [8], [10].

However, the path RTL subclass has some limitations. Toillustrate this, let us consider the specification of an airportradar station. As described in [8], an airport radar stationspecification has two parts: the sensing part and thetracking/computation part. Let us consider here as amotivating example of path RTL limitation (the other partbeing specified in Section 3) the specification of the sensing

1640 IEEE TRANSACTIONS ON COMPUTERS, VOL. 58, NO. 12, DECEMBER 2009

. S. Andrei is with the Computer Science Department, Lamar University,211 Red Bird Lane, Box 10056, Beaumont, TX 77710.E-mail: [email protected].

. A.M.K. Cheng is with the Department of Computer Science, University ofHouston, 534 Philip G. Hoffman (PGH), Houston, TX 77204-3010.E-mail: [email protected].

Manuscript received 24 May 2007; revised 6 Jan. 2009; accepted 12 Mar.2009; published online 29 May 2009.Recommended for acceptance by J. Antonio.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TC-2007-05-0183.Digital Object Identifier no. 10.1109/TC.2009.79.

0018-9340/09/$25.00 � 2009 IEEE Published by the IEEE Computer Society

part of the radar station (adapted from [8]): “Suppose there isa radar station having two radar sensors for detecting actions. Theradar station is turned on at time 0. In order to allow time for theinitialization routine, the sum of times when both sensors initiallystart sensing must be at least 5 seconds. If the first sensor startsearly, the second sensor must start later, and vice versa. Bothsensors may start at the same time but only after 5 seconds.Moreover, at most 11 seconds may elapse between the starts ofboth sensors.” We get the following RTL specification:

8i @ðRadarSensor1; iÞ þ @ðRadarSensor2; iÞ � 5

^ @ðRadarSensor1; iÞ � @ðRadarSensor2; iÞ � 10

^ @ðRadarSensor2; iÞ � @ðRadarSensor1; iÞ � 10:

This specification involves inequalities that cannot beexpressed in the path RTL. To check that let us consider theabstracted version of the above specification, i.e., f1ðxÞ þf2ðxÞ � 5 ^ f1ðxÞ � f2ðxÞ � 10 ^ f2ðxÞ � f1ðxÞ � 10. One canthink that we can do some transformations and still reduceit to the path RTL. Any direct transformation would fail asthe above inequalities contain both “þ” and “�” operators.In the following sections of this paper, we shall present anextension of the path RTL class by allowing inequalitieslike f1ðxÞ þ f2ðxÞ � k and f1ðxÞ þ f2ðxÞ � k to be part of thespecification. Then, a new and fast algorithm based on atranslation to an extended constraint graph is described.

To describe the second contribution of this paper, werecall that the important key point in verification of asafety assertion with respect to the specification of a real-time system is the constraint graph [4]. This is anintermediate data structure useful for the translation ofthe negation of the formula SP ! SA to a propositionalformula PF . If PF is unsatisfiable, then SP ! SA is atheorem. In case that SP ! SA is not yet a theorem, thedebugging problem is obviously an important task, that is,to identify some changes in the specification such that thenew SP ! SA becomes a theorem. There exist alreadyefforts dealing with the debugging problem for some RTLsubclasses, in a manual way [7] and a systematic way [11].However, for real-time systems having large specifica-tions, the algorithms used for verification and debuggingcan be further improved. This is because the intermediateconstraint graph may have a large size, so the satisfiabilityof the corresponding propositional formula may need animpractical amount of time to be established. All knownreal-time systems specified in path RTL have more thanone (independent) subcomponent, so the divide-and-conquer strategy can be successfully applied. Amongthem, X_38 represents the real-time system having thelargest RTL specification (i.e., the case study of Section 4).As mentioned in [10], the constraint graph for the X_38specification of the negation of SP ! SA has 26 nodesand 74 arcs. This leads to a propositional formula whichtakes a long time to check for satisfiability. In general,industrial examples have many components that are nottime-related or are loosely time-related. For example, thetiming constraints of the braking component of a car arenot necessarily related to the front headlights componentof a car. Similarly, the flight-critical loop of the X_38 is nottime-related with the nonflight-critical loop of the X_38. Byexploiting this issue, we provide an efficient method tosolve the verification and debugging of large real-timesystems specifications using decomposition techniques.

We describe a way to decompose the constraint graph intoindependent subgraphs so that it does not have to analyzethe entire specification at once, but only the smallercomponents.

Usually, the verification of the specification of a real-timesystem against the safety assertion is the main objective,that is, to check whether SP ! SA is a tautology or not. Thefirst algorithm to do this was based on propositionalformulas written in the disjunctive normal form [4]. Anincremental approach was recently described in [7] as a wayto do the verification only of a newly added specification.All these approaches are focused on the verification and/ordebugging of SP ! SA, and not the optimization of thistautology. However, it may happen that SP contains overly“strong” timing constraints or SA can be improved by“stronger” timing constraints. These issues lead us to thechallenging question: “Can we provide a most relaxedspecification SP and/or a most tight safety assertion SAsuch that SP ! SA is a theorem?” This question representsan optimization problem, which is the subject of this paper.

Consider the following motivation for addressing thisproblem. Following the verification of SP ! SA and thedeployment of the system implementing SP , performancechanges in the processing platform for the tasks specified inSP affect the computation times of the specified tasks. Thisleads to a different but related SP , which could violate theoriginal SP ! SA theorem if SA remains the same. Forinstance, a slower processing platform leads to longer tasks’computation times. Performance changes in the processingplatform can be the result of power saving (a voltage-scalableCPU running at a slower speed), faulty components (one oftwo motors moving a railroad crossing gate malfunctions),cost saving (a subset of the water pumps in a process controlsystem is shutdown), and other unexpected reasons. Deriv-ing optimal theorems (or quantifying tolerances), therefore,will allow the system designer to determine how far theperformance of the processing platform can drift from thenorm without violating the SA. This is clearly a fundamentalissue in the design and implementation of highly depend-able real-time/embedded systems.

The processing platform (PP ) for the tasks specified inSP is the collection of processors or executors whichactually perform these specified tasks. For example, aspecified task for execution on a processor (CPU) operatingat 2 GHz clock speed requires 5 ms of computation time. Tosave power at runtime because the processor runs on aportable battery, the processor reduces its clock speed to1 GHz. This would increase the computation time of thistask to 10 ms. Although the SA remains the same, the SP ofthe implemented system changes as a result of thisperformance change in the processing platform (CPU). Asanother example, consider a railroad crossing system. Inresponse to a sensor detecting the approach of a train to acrossing, SP states that the gate is lowered in 10 seconds.The processing platform for this task consists of two motors.If one motor malfunctions, then the processing time for thistask is increased to 20 seconds, which may violate SA.

Briefly, the general idea is to start with an SP ! SAtautology and to relax SP and/or tighten SA as long asSP ! SA remains a tautology. For instance, considering the(abstract) example of SP ¼ fxþ 10 � y; y� 20 � zg andSA ¼ fx� 15 � zg, it is obvious that SP ! SA is a

ANDREI AND CHENG: EFFICIENT VERIFICATION AND OPTIMIZATION OF REAL-TIME LOGIC-SPECIFIED SYSTEMS 1641

tautology. If we relax SP to fxþ 5 � y; y� 20 � zg, thenSP ! SA is still a tautology (details in Section 5).

The contribution of this paper is three-fold:

1. rigorous proofs for a nontrivial extension of theexisting path RTL by allowing inequalities likef1ðxÞ þ f2ðyÞ � k and f1ðxÞ þ f2ðyÞ � k to be alsopart of the specification and safety assertion;

2. rigorous proofs for an efficient divide-and-conquermethod to solve the verification and debuggingproblem of large real-time systems specificationsusing decomposition techniques;

3. rigorous proofs for optimizing the implicationSP ! SA, without repeating the verification anddebugging steps.

Experimental results show that our method of automaticmodular verification and debugging of real-time systemsspecification is very practical, as we evaluated it on severalexisting industrial-based applications. Only about 10 percentof the running time of the heuristic for the verification ofSP ! SA is needed to find an optimal theorem.

The structure of this paper. Section 2 presents thebackground of real-time logic (adapted from [3], [4], [5], [6],[7], [8], [11]). Section 3 describes the extended path RTL, as anew and larger class of formulas that can be used to specifynew real-time systems (e.g., airport radar station). Section 4presents a motivating example specified in path RTL,namely, the X_38 spacecraft, and our decompositiontechnique. Section 5 describes our technique to optimizethe SP ! SA theorem. Section 7 demonstrates how experi-mental results were applied for several existing industrial-based applications. The last two sections present relatedwork and conclusions.

2 THE REAL-TIME LOGIC BACKGROUND

RTL, which is based on a first order logic with restrictedfeatures, was introduced in [3] to capture the timingrequirements of real-time systems. Real-time logic providesa uniform way to specify the relative and uniform timing ofevents. It is an extension of integer arithmetic withoutmultiplication between variables (Presburger arithmetic)that adds a single uninterpreted binary occurrence function,denoted by @, to represent the relationship between events ofa system and their times of occurrence. The equation@ðe; iÞ ¼ t states that the time of the ith occurrence of evente is t. Let us denote with ZZ; IN and INþ the set of integers,positive integers, and strictly positive integers, respectively.The time occurrence function is a mapping @: E � INþ ! IN,where E is a domain of events, and such that @ is strictlymonotonically increasing in its second argument, i.e.,@ðE; iÞ < @ðE; iþ 1Þ, for any i 2 INþ. There are no eventvariables, or uninterpreted predicate symbols. So, RTLformulas are Boolean combinations of equality and inequal-ity predicates of standard integer arithmetic, where thearguments of the relations are integer-valued expressionsinvolving variables, constants, and applications of thefunction symbol @. Usually, there are four classes of events,namely: stop and start events (" A and # A denote the startand stop events of the action A), transition events, andexternal events. The correctness of a real-time systemspecification can be achieved by computing the satisfiabilityof an associated propositional formula. A particular subclass

of practical RTL formulas (i.e., efficient heuristics exist forthis) is the so-called path RTL [4], [5] and it has tworestrictions.

1. Each arithmetic inequality may involve only twoterms and an integer constant, where a term is eithera variable or a function.

2. No arithmetic expressions with a function may takean instance of itself as an argument.

Despite their restrictions, the satisfiability of path RTL isundecidable [5]. This fact makes the automatic debuggingof timing constraints an extremely hard problem. The pathRTL formulas exploit efficiently the constraint-graphtechnique in integer programming (also called refutation bypositive cycles) [4]. Moreover, in [5], it is proved that therefutation by positive cycles is incomplete for path RTL(that is, even if the constraint graph attached to the formulahas no cycles, it may happen that the formula is stillunsatisfiable). Despite this, Wang and Mok mentioned thatthe refutation by positive cycles method is a naturalreasoning technique.

Let LP be the propositional logic over the finite set of atomicformulas (variables) V ¼ fA1; . . . ; Ang. A literal L is an atomicformula A (positive literal) or its negation :A (negativeliteral), that is, VðLÞ ¼ Vð:LÞ ¼ A, where V : V [ :V ! V isthe variable extractor (:V is the set of negative literalscorresponding to set V ). Any function S : V ! f0; 1g is anassignment that can be uniquely extended in LP to apropositional formula F . The binary vector ðy1; . . . ; ynÞ is atruth assignment for F over V ¼ fA1; . . . ; Ang if and only ifSðF Þ ¼ 1 such that SðAiÞ ¼ yi; 8i 2 f1; . . . ; ng. A formula Fis called satisfiable if and only if there exists an assignment Sfor which SðF Þ ¼ 1; otherwise, F is called unsatisfiable. Anyfinite disjunction of literals is a clause. The set of atomicformulas whose literals belong to clause C and formula Fare denoted by VðCÞ and VðF Þ, respectively. Any proposi-tional formula F 2 LP having l clauses can be translatedinto the conjunctive normal form (CNF): F ¼ ðL1;1 _ . . . _L1;n1Þ ^ . . . ^ ðLl;1 _ . . . _ Ll;nlÞ; where Li;js are the literals.

We can denote the above F using the set representationF ¼ ffL1;1; . . . ; L1;n1

g; . . . ; fLl;1; . . . ; Ll;nlgg, or simply F ¼fC1; . . . ; Clg, where Ci ¼ fLi;1; . . . ; Li;nig. We denote theempty clause, the one without any literal, by ut. A clause Cis called positive (or negative) if and only if C contains onlypositive (or negative) literals.

In [7], the notion of determinant was introduced.Let C1; . . . ; Cs be clauses over V (s � 1). We denotemV ðC1; . . . ; CsÞ ¼ jV j � jVðC1 [ . . . [ CsÞgj and difV ðC1; . . . ;CsÞ ¼ 0 if either (9i; j 2 f1; . . . ; sg; i 6¼ j; such that 9L 2 Ciand :L 2 Cj) or (9i 2 f1; . . . ; sg; such that Ci ¼ ut); Other-wise, difV ðC1; . . . ; CsÞ ¼ 2mV ðC1;...;CsÞ. Given a set of clausesF ¼ fC1; . . . ; Csg, its determinant is detV ðF Þ ¼ detV ðC1; . . . ;CsÞ ¼ 2jV j �

Psj¼1ð�1Þjþ1 �

P1�i1<��<ij�s difV ðCi1 ; . . . ; CijÞ. The

determinant is a positive integer representing the number oftruth assignments of the given clausal formula [7]. A usefulimplication of this fact is that detV ðF Þ ¼ 0 if and only if F isunsatisfiable. GivenF1 ¼ ffp; q; rg; f:p;:qg; f:q; rg; fp;:rggover V ¼ fp; q; rg; we get detV ðF1Þ ¼ 23 � ð1þ 2þ 2þ 2Þ þ1 ¼ 2; that is, F1 has two truth assignments over V . Anefficient incremental algorithm for computing the determi-nant was presented in [7].

The main approach for timing constraints verification of areal-time system specification is to express the specification


and safety assertion in terms of path RTL. Then, in order totranslate these into an equivalent Presburger arithmeticformula, each @ðE; iÞ is replaced by a function fEðiÞ. Thistranslation is denoted by Presb(). For converting an RTLformula to a propositional formula, an intermediate datastructure is needed, that is, the constraint graph. We say thatG ¼ ðV; E;WÞ is a cost graph if V is a nonempty set of nodes,W is a nonempty set of weights, and E is a nonempty set ofarcs over V, that is, E � V � V �W . An arc e from v to v0 ofcost w is denoted as e ¼ ðv; v0; wÞ or equivalently e ¼ v!w v0.Thus, an arc e can be denoted as e ¼ ðv; v0Þ or e ¼ v! v0. Apath of length n in G from v to v0 is a word p 2 En, that is,p ¼ e1 e2 . . . en; n � 1, w h e r e e1 ¼v0 !

w1v1, e2 ¼ v1 !

w2v2,

. . . ,en ¼ vn�1 !wnvn. If v0 ¼ vn, then the above path is called

a cycle. The number w1 þ � � � þ wn is called the total weight ofthe cycle. We say that G0 ¼ ðV0; E0Þ is a subgraph of G ¼ðV; EÞ if and only if V0 � V and E0 � E. A strongly connectedcomponent, denoted as SCC, is a set of nodes such that anytwo nodes v and v0 of SCC are connected through a pathfrom v to v0, as well as a path from v0 to v. Every finite graphcan be decomposed into a finite number of stronglyconnected components. Traditionally, the constraint graphis a cost graph constructed as follows [4]: for each inequalityv1 � v2 � I, two nodes labeled with v1 and v2 are linked byan arc ðv1; v2Þ of weight I. The nodes should be joint togetherif a substitution can bind them, e.g., given the inequalitiesfðxÞ � gðxÞ � 10 and gðT Þ � hðUÞ � 3, then gðxÞ and gðT Þwill be viewed as a single node (because of the substitutionof variable x by constant T ). A set of inequalities representedby the constraint graph is unsatisfiable if and only if a cycleis present in the graph with a positive total weight on it [4].

A variation of Herbrand’s Theorem for this approachwas presented in [4]. Considering Xi;1,Xi;2,. . . ,Xi;ni as theith positive cycle, the formula Pi ¼ Xi;1 ^Xi;2 ^ � � � ^Xi;ni isunsatisfiable (so, :Pi is a tautology). Therefore, PF issatisfiable if and only if PF ^ f:Pi j for all positive cycle igis satisfiable. The mapping PosCycle() returns the set ofnegative clauses corresponding to the positive cycles of theconstraint graph. The clausal formula PF contains onlypositive clauses corresponding to (disjunctions of) timingconstraints, and only negative clauses corresponding to apositive cycle. In order to get unsatisfiability for PF , it isnecessary that each of the literals from a disjunctioncorresponds to a different positive cycle.

If SA is a theorem derivable from SP , then the system issafe. If SA is unsatisfiable, then the system is inherentlyunsafe. If :SA is satisfiable under certain conditions,additional constraints may be added to SA and/or SP toensure its safety. A systematic incremental approach waspresented in [11] to obtain a modified SA and/or SP so thatSP ! SA is a theorem. This is outlined in Procedure A, ageneral scheme for systematic and automatic debugging(the verification problem can be viewed as a particular caseof the debugging problem, that is, when there are noincorrect constraints). Procedure A is, in fact, equivalentwith the following compact mathematical equation:

AðSP; SAÞ ¼ ðSP; SAÞ; if SP ! SA is a tautology;AðSP 0; SA0Þ; otherwise:

�

Procedure A is expressed below in more details.

Procedure A:

Input: SP; SA such that :SA is satisfiable;

Output: SP 0; SA0 such that the system is safe;

Method:

1. k ¼ 1;SP1 ¼ SP ;SA1 ¼ SA;

2. while (SPk ! SAk is not a tautology) {

3. let SP 0 and SA0 be new constraints;

4. SPkþ1 ¼ SPk � SP 0;5. SAkþ1 ¼ SAk � SA0;6. k ¼ kþ 1; }

7. SP 0 ¼ SPk; SA0 ¼ SAk;

The technique expressed in Procedure A is known in the

literature [4] as the fixed-point approach. This uses an

induction on the number of corrections until a fixed point is

reached. An improvement to the above technique was

described in [7], using a foundation of incremental counting

satisfiability for the verification of timing constraints of a

real-time system. In other words, the satisfiability of the

formula SPkþ1 ! SAkþ1 was expressed incrementally from

the satisfiability of SPk ! SAk. The total cost of each new

method can be more efficiently achieved through comput-

ing the satisfiability of the newly added or subtracted

clauses, according to the operator � (that denotes an

operation on sets similar to the ordinary union). So, there

is no need to consider the satisfiability of the entire new

formula (step 3 of Procedure A). Briefly, the key point in that

technique was computing the determinant of that proposi-

tional formula, instead of traditional Boolean satisfiability

[4]. The determinant can tell us how “far away” is a given

specification from satisfying its safety assertion. In this

paper, we describe two improvements built on top of this

technique [7], namely, an extension of the specification and

a decomposition of the constraint graph.The test condition of the while loop of Procedure A can

be described by putting altogether all the above facts as

follows:

1. consider Fk ¼ :ðSPk ! SAkÞ;2. get the Presburger formula: Fk

Presb ¼ PresbðFkÞ;3. get the Skolem formula: Fk

CNF ¼ SkolemðFkPresbÞ;

4. get the positive clauses: Fkpos ¼ posðFk

CNF Þ;5. construct the constraint graph: CG ¼ graphðFk

CNF Þ;6. get the negative clauses: Fk

neg ¼ PosCycleðCG;FkCNF Þ;

7. get the propositional formula: PFk ¼ Fkpos [ Fk

neq

8. if detðPFkÞ ¼¼ 0, then PFk is unsatisfiable, so SPk !SAk is a tautology.

Due to the Skolemization of the Presburger formula, FkCNF

may become a second order formula. However, converting

FkCNF to a propositional formula is a sound technique [4], but

incomplete [5]. In case when the condition of step 8 above is

evaluated to false, then the while loop of Procedure A has

to be executed. This can be done efficiently by using the #SAT

problem above. That is, detðPFkþ1Þ will be computed by

reusing detðPFkÞ [7].The next section presents our extended path RTL class

of formulas as well as a conversion to the extended

constraint graph.


3 EXTENDED PATH REAL-TIME LOGIC

Similar to the constraint graph construction, the extendedconstraint graph, defined as ECG ¼ ðEN;EA;EWÞ, can begiven. Let � be the set of literals that appear in SP and SA.The set of extended nodes is denoted as EN ¼ fvþ;v� j v 2 �g. We say that a timing difference constraint isin the normal form if it has one of the following formsvi � vj � c; vi þ vj � c;�vi � vj � c; vi � c, and vi � c, wherevi and vj may be the variables or functional symbols of oneargument (e.g., fðxÞ) and c an integer constant. For eachinequality expressed in normal form, we construct the set ofarcs EA such as:

1. for any vi � vj � c; i 6¼ j: add arcs ðv�i ; v�j ;�cÞ and

ðvþj ; vþi ;�cÞ to EA;

2. for any vi þ vj � c; i 6¼ j: add arcs ðv�i ; vþj ;�cÞ and

ðv�j ; vþi ;�cÞ to EA;

3. for any �vi � vj � c; i 6¼ j: add arcs ðvþi ; v�j ;�cÞ and

ðvþj ; v�i ;�cÞ to EA;

4. for any vi � c: add arc ðv�i ; vþi ;�2 � cÞ to EA;5. for any vi � c: add arc ðvþi ; v�i ; 2 � cÞ to EA.

The idea of considering the negative and positive “faces”of vertex v is motivated by the need to unify all the timingconstraints from the normal form. For example, the timingconstraint vi � c can be equivalently written as vi þvi � 2 � c, which corresponds to the arc ðv�i ; vþi ;�2 � cÞ toEA (case 4 above). We generalize the path RTL to theextended path RTL by simply allowing a timing constraint tohave any of the above five forms described in the normalform. Unlike the traditional construction of the constraintgraph where one inequality generates two nodes and onearc, in the case of the extended constraint graph, aninequality will generate four nodes and two arcs (e.g., theabove first three cases). This implies that the propositionalformula corresponding to real-time systems specified inextended path RTL tends to have twice as many proposi-tional variables and clauses as the propositional formula ofthe same system specified in traditional path RTL. Equalitieslike vi þ vj ¼ c may also be part of the extended path RTLspecification, as they can be easily converted into the twoextended path-RTL normal form inequalities: vi þ vj � cand �vi � vj � �c.

The following result establishes the soundness of ourtechnique, namely, how the extended constraint graph canbe used for checking satisfiability of an extended pathRTL formula.

Theorem 3.1. Let ECG be the extended constraint graphconstructed from a Presburger formula F 0 using the abovealgorithm. If a cycle with strictly positive weight exists inECG; the propositional formula PF consisting of theconjunction of literals corresponding to the arcs involved inthe cycle is unsatisfiable.

Proof. Let the following sequence of arcs denote a positivecycle in ECG: ðv0; v1; c1Þ; ðv01; v2; c2Þ; . . . ; ðv0n�2; vn�1; cn�1Þ;ðv0n�1; vn; cnÞ. Of course, we know that c1 þ c2 þ � � �þ cn > 0. We suppose that the propositional formulainvolved in the cycle is satisfiable. From the cycledefinition, there is a substitution � such that vi� ¼v0i�; 8i 2 f1; . . . ; n� 1g and v0� ¼ vn�. The inverse

correspondence from ECG to all the above five kindsof inequalities can be unified like this (according to thefive types of constraints from normal form):

1. for the arc ðv�i ; v�j ; cÞ or ðvþj ; vþi ; cÞ; i 6¼ j, thereexists the inequality vi � vj � �c;

2. for the arc ðv�i ; vþj ; cÞ or ðv�j ; vþi ; cÞ; i 6¼ j, thereexists the inequality vi þ vj � �c;

3. for the arc ðvþi ; v�j ; cÞ or ðvþj ; v�i ; cÞ; i 6¼ j, thereexists the inequality �vi � vj � �c;

4. for the arc ðv�i ; vþi ; cÞ, there exists the inequalityvi � �c=2; or equivalently vi þ vi � �c;

5. for the arc ðvþi ; v�i ; cÞ, there exists the inequalityvi � c=2; or equivalently �vi � vi � �c.

The key point of the above five cases is that foreach arc, there exists a corresponding inequality withtwo variables, say vi�þvj� � �cj. One can con-struct an instance of the conjunction of Lis by applying� to each Li : v0�� v1� � �c1; v

01�� v2� � �c2; . . . ;

v0n�1�� vn� � �cn. By summing all the above inequal-ities, we get the inequality 0 � �ðc1 þ � � � þ cnÞ, contra-dicting the fact that the cycle above has a strictlypositive weight. We proved that an instance of theconjunction of the inequalities corresponding to thepositive cycle is unsatisfiable; thus, we conclude thatthe original set of inequalities is unsatisfiable. tu

We have presented in Section 1 a small part of thesensing part specification of an airport radar station. In thefollowing, we describe the tracking/computation partspecification of the radar station (adapted from [8]): “A

radar system searches objects of interest in the desired coverage

area by repeatedly executing the following steps: 1) scanning/

radio signal processing; 2) tracking; and 3) data association/

classification. Here, we specify a simplified version of the

specification of the tracking step for four objects. The safety

assertion states that the computing resources (2 CPUs) can

feasibly schedule the four object-tracking tasks, each tracking a

distinct object of interest. Each task is fully parallelizable, and

thus, can execute on two CPUs if needed to speed up its

execution by a factor of 2. Tasks T1; T2; T3, and T4 have,

respectively, computation times c1; c2; c3, and c4, all with the

same period of p.” In order to translate the above naturallanguage specification to an extended path RTL formula,we denote by Tj CPUk the fact that task j is executing inCPUk. For any j 2 f1; . . . ; 4g and k 2 f1; 2g, we denote by@ð" Tj CPUk; iÞ and @ð# Tj CPUk; iÞ the ith occurrence ofthe starting and the ending time of task Tj CPUk,respectively. For simplicity, we describe only the specifica-tion for single instance tasks executed in the first period.The general case can be extended by considering anarbitrary period and the number of instances of the tasksset. The above specification can be written in the extendedpath RTL as SP :

@ð# T1 CPU1; iÞ þ @ð# T1 CPU2; iÞ � c1 þ c2 þ c3 þ c4;

@ð# T2 CPU1; iÞ þ @ð# T2 CPU2; iÞ � c2 þ c3 þ c4;

@ð# T3 CPU1; iÞ þ @ð# T3 CPU2; iÞ � c3 þ c4;

@ð# T4 CPU1; iÞ þ @ð# T4 CPU2; iÞ � c4:


The next eight identities express that the computationtime of each task equals the difference between the endingtime point and the starting time point:

8j 2 f1; . . . ; 4g; ½@ð# Tj CPU1; iÞ � @ð" Tj CPU1; iÞþ½@ð# Tj CPU2; iÞ � @ð" Tj CPU2; iÞ ¼ cj:

Note that task Tj may or may not execute on bothCPU’s. There exists a task priorities sequence: the task T4

is the highest and T1 is the lowest. This implies theextended path RTL formulas: 8j 2 f1; 2; 3g and k 2f1; 2g; @ð" Tj CPUk; iÞ > @ð" Tjþ1 CPUk; iÞ, where the mar-gin cases are @ð" T1 CPUk; iÞ < p and @ð" T4 CPUk; iÞ � 0.

The above SP can be checked now for feasibility (i.e.,there exists a schedule for all tasks in each period) by thefollowing extended path RTL formula, denoted with SA(stands here for the “scheduling assertion”): 8j 2 f1; . . . ; 4g;k 2 f1; 2g; @ð# Tj CPUk; iÞ � p.

Note that the above specification is using the extendedpath RTL formulas. Since it makes use of both arithmeticoperators “þ” and “�”, the specification cannot be doneusing only the traditional path RTL formulas.

The above specification and scheduling assertion con-tain constants c1; c2; c3; c4, and p. To illustrate the verifica-tion and debugging of SA in the context of SP , weconsider a specific system configuration by assigningvalues for the constants that occur in SP . Let these bec1 ¼ 32; c2 ¼ 8; c3 ¼ 28; c4 ¼ 12, and the period p ¼ 40. As inthe traditional approach of [4], we reduce the aboveextended path RTL to a Presburger arithmetic formula. Forsimplicity, we omit the argument i; so we associate to eachtime occurrence function a functional symbol of arity 0,such as: @ð" Tj CPUk; iÞ will be denoted as sj;k (where “s”stands for “start”) and @ð# Tj CPUk; iÞ will be denoted asej;k (where “e” stands for “end”). After substitutingconstants and reducing the formula to its normal form,we get:

Task 1 Task 2 Task 3e1;1 þ e1;2 � 80 e2;1 þ e2;2 � 48 e3;1 þ e3;2 � 40e1;1 � s1;1 � 32 e2;1 � s2;1 � 8 e3;1 � s3;1 � 28s1;1 � e1;1 � �32 s2;1 � e2;1 � �8 s3;1 � e3;1 � �28e1;2 � s1;2 � 32 e2;2 � s2;2 � 8 e3;2 � s3;2 � 28s1;2 � e1;2 � �32 s2;2 � e2;2 � �8 s3;2 � e3;2 � �28s1;1 � 41 s1;2 � 41

Task 4 Start CPU1 Start CPU2

e4;1 þ e4;2 � 12 s2;1 � s1;1 � �1 s2;2 � s1;2 � �1e4;1 � s4;1 � 12 s3;1 � s2;1 � �1 s3;2 � s2;2 � �1s4;1 � e4;1 � �12 s4;1 � s3;1 � �1 s4;2 � s3;2 � �1e4;2 � s4;2 � 12 s4;1 � 0 s4;2 � 0s4;2 � e4;2 � �12

The scheduling assertion SA to be checked is:Vi;j ei;j � 40; 8i 2 f1; . . . ; 4g; j 2 f1; 2g. Thus, the negation

of the scheduling assertion isWi;j ei;j � 41. The extended

constraint graph corresponding to SP ^ :SA is givenbelow. Because of its large size, we split it into fourcomponents, one for each task, and their interconnections.In fact, we limit the extended constraint graph only todescribe the behavior of task 1 (Fig. 1), the rest beingsimilar. The variables si;j and ei;j correspond to the nodes of

the extended constraint graph s�i;j; sþi;j, and e�i;j; e

þi;j. The arcs

are generated according to the steps described at thebeginning of this section. Moreover, there exist 12 morearcs that correspond to the starting times of both CPU1 andCPU2. These arcs link some of the internal nodes of theabove four tasks’ extended constraint graphs, namely,ðs�i;j; s�i�1;j; 1Þ and ðsþi;j; sþi�1;j; 1Þ; 8i 2 f2; 3; 4g; j 2 f1; 2g.

The next step in doing the verification of unsatisfiability

of SP ^ :SA is to construct the corresponding propositional

formula using the above extended constraint graph. As

mentioned in [4] and recalled in Section 2, for each new arc,

there exists a new propositional variable (that may appear in

disjunctions), and for each positive cycle, there exists a

negative clause. The corresponding propositional formula

for the whole extended path RTL formula has 60 variables

and 72 clauses. For example, the arc ðe�1;2; eþ1;1;�80Þcorresponds to a propositional variable denoted as ee�þ1;2;1;1.

There are seven distinct cycles in the extended graph of

Fig. 1, but only three of them are positive. For example, the

positive cycle given by the arcs ðe�1;2; eþ1;1;�80Þ; ðeþ1;1; e�1;1; 82Þ;ðe�1;1; eþ1;2;�80Þ; ðeþ1;2; e1

1;2; 82Þ leads to the negative clause

:ee�þ1;2;1;1 _ :eeþ�1;1;1;1 _ :ee�þ1;1;1;2 _ :eeþ�1;2;1;2. When computing

the determinant of the propositional formula, we get the

value 0, which means that SP ^ :SA is unsatisfiable. This

implies that SP ! SA is a theorem, so the airport radar

station is feasible.We have seen that the above extended constraint graph

may be quite large, so its propositional formula is too. Thenext section shows an efficient decomposition technique todeal with large specifications.

4 OUR DECOMPOSITION TECHNIQUE

In order to motivate the decomposition technique, wepresent in this section the X_38 as a useful case study. Thecomplete specification can be found in [10], [8]. Forsimplicity, the presentation will follow the notations ofthe constraint graph, but all the results may be applied tothe extended constraint graph, too. The X_38 is a family ofvehicles built as incremental development prototypes forthe Crew Return Vehicle (CRV) of the International SpaceStation (ISS). Its mission is to automatically and safely bringto earth a crew of seven passengers in the event of anemergency ISS evacuation. The CRV vehicle is designed toautonomously perform all the guidance, navigation, andcontrol functions, the deorbit burn, a parafoil-assisted glidethrough the atmosphere, and to land horizontally at one ofseveral predetermined landing sites.


Fig. 1. The task 1’s extended constraint graph.

The analysis and verification of the X_38 timing propertiesusing RTL was done in [10]. The RTL specification of the X_38avionic system captures the two X_38 flight-critical controlloops, as well as one nonflight-critical control loop and theassociated safety assertion. The task name syntax is such thatthe first three characters define the processor, the nextcharacter designates I-input, P -process, or O-output; thenumber identifies the speed of the process in Hertz or cyclesper second, next is the criticality such as flight critical (FC) ornonflight critical (NFC), and last is any other necessaryinformation such as data type. The variable i represents theloop count or iteration number. For example, the set ofconstraints in the flight-critical 50-Hz control loop are the fivelisted below [10]:

8 i @ð# ICP I50FC SSR; iÞ � @ð" ICP I50FC SSR; iÞ � 2;

8 i @ð# FCP I50FC; iÞ � @ð" FCP I50FC; iÞ � 1;

8 i @ð# FCP P50FC; iÞ � @ð" FCP P50FC; iÞ � 5;

8 i @ð# FCP O50FC; iÞ � @ð" FCP O50FC; iÞ � 1;

8 i @ð# ICP I50FC CMD; iÞ�@ð" ICP I50FC CMD; iÞ � 1:

The workload for the first task, designated “Instrumenta-tion Control Processor (ICP) Input (I) of 50 Hz FC SensorData,” is a maximum of 2 ms. The above group of tasks isrepresentative of the ICP reading all 50 Hz flight-criticalsensors such as flap, rudder positions, and Global Position-ing System (GPS) data; passing that data to the Flight-Critical Processor (FCP) as input, having the guidanceapplication process that data and formulate commandoutput, passing that output to the ICP, and having the ICPactuate the command. This list is the first of two flight-critical timing loops, requiring completion within 10 ms forsafe vehicle control. The 10 Hz flight-critical control loop issimilar, but a loop completion time of 50 ms, rather than10 ms, is required. This completion requirement is repre-sented in the safety assertion formula. The nonflight-criticaltasks receive only sensor input and produce no commandoutput, and are included as a representation of the manynonflight-critical tasks which run in the background butwhose execution is not considered safety-critical.

The safety assertion states that each of the flight-criticalcontrol loops, the 50 and the 10 Hz, from initial sensor readthrough command activation, must execute within 10 and50 ms, respectively [10]:

8 i @ðð# ICP I50FC CMD; iÞ � @ð" ICP I50FC SSR; iÞ�10

^ @ð# ICP I10FC CMD; iÞ � @ð" ICP I10FC SSR; iÞ � 50Þ:

In order to verify the satisfaction of the safety assertion,the formulas are represented using the constraint graphtechnique. The system specification alone produces a graphwith no positive cycles. Negation of the safety assertion,however, yields arcs which produce positive cycles betweenclusters. As mentioned in [10], the constraint graph for theX_38 specification of the negation of SP ! SA has 26 nodesand 74 arcs. This leads to a propositional formula whichtakes quite a long time to check for satisfiability. A practicalidea would be to find a way to decompose the constraintgraph into independent subgraphs so that it does not have toanalyze the entire specification at once, but only the smallercomponents. Next, we introduce a general efficient methodto individually verify and debug each strongly connectedcomponent of the constraint graph. The satisfiability of one

or all strongly connected component(s) can be used todetermine the satisfiability of the entire specification. Weshow how our algorithm uses decomposition techniques tobreak the constraint graph into independent subgraphs sothat it does not have to analyze the entire specification atonce. Given the negation of the path RTL specification F , wedenote by CGF the constraints graph associated with F .Given the constraints subgraph CG0F � CGF , we denote byPFG0 the propositional formula obtained from F byconsidering only the nodes and arcs of CG0F .

Definition 4.1. Let F be the negation of a path RTL specificationformula, CGF its corresponding constraint graph, and PF bethe corresponding propositional formula. Let us also considerthat SCC1; . . . ; SCCn are the strongly connected componentsof CGF and PFSCC1

; . . . ; PFSCCn are their correspondingpropositional formulas. For any i 2 f1; . . . ; ng; we get:

1. SCCi is globally independent if and only if there is noarc ðu; vÞ 2 EðCGF Þ for which (u 2 V ðSCCiÞ andv 62 V ðSCCiÞ) or (u 62 V ðSCCiÞ and v 2 V ðSCCiÞ).

2. SCCi is locally independent from SCCj, where j 6¼ i;if and only if 8u 2 V ðSCCiÞ; 8v 2 V ðSCCjÞ, thecorresponding literal in PFSCCi of the arc ðu; vÞ doesnot appear in a disjunction of other arcs of SCCi.

3. SCCi is locally neighbors-independent if and only ifSCCi is locally independent from SCCj, for allj 2 f1; . . . ; ng; j 6¼ i.

Informally, Definition 4.1 states that SCCi is globallyindependent if SCCi is completely isolated from the otherstrongly connected components ofCGF . BothCGF andPF inDefinition 4.1 are according to the eight steps of conversiondescribed in Section 2. The “corresponding literal” in item 2 isthe associated literal of the arc ðu; vÞ, the one added to theconstraint graph to capture a timing constraint u� v � I(details in Section 2). So, item 2 refers to two stronglyconnected components linked by arcs that do not appear informula disjunctions. The rest of the items of Definition 4.1deal with situations when SCCi can be unidirectionallyconnected with the rest of the graphs. Figs. 2 and 5 are locallyneighbor-independent decompositions.

In case, SCCi and SCCj are linked by an arc ðu; vÞ thatappears in a disjunction of SP ^ :SA, then SCCi and SCCjcannot be independent. So, SCCi and SCCj should beanalyzed together. The next theorem motivates the splittingof the initial formula into subformulas, by targeting thesatisfiability of the initial formula using the satisfiability ofits subformulas. In this way, any subformula can decideindependently or together the unsatisfiability of the initialformula. In other words, it is likely that not all stronglyconnected components are necessary to be checked to do


Fig. 2. The structure of the X_38 constraint graph.

the verification and debugging of the entire real-timesystem.

Theorem 4.1 (modular satisfiability). Let F be the negation ofa path RTL specification formula, CGF its correspondingconstraint graph, and PF be the corresponding propositionalformula. Let us also consider SCC1; . . . ; SCCn the stronglyconnected components of CGF and PFSCC1

; . . . ; PFSCCn theircorresponding propositional formula. Then, the following hold:

1. if there exists an i 2 f1; . . . ; ng such that SCCi isglobally or locally neighbors-independent and PFSCCiis unsatisfiable, then F and PF are unsatisfiable, too.

2. if all SCC1; . . . ; SCCn are globally independent andPFSCC1

; . . . ; PFSCCn are all satisfiable, then PF issatisfiable, too.

Proof.

1. If SCCi is globally independent, then PFSCCi is aproper subformula of PF . Since PFSCCi is unsa-tisfiable, it follows that PF is unsatisfiable, too.

If SCCi is locally neighbors-independent, thenSCCi is locally independent from SCCj, for allj 2 f1; . . . ; ng; j 6¼ i. This implies that all corre-sponding literals of arcs ðu; vÞ from SCCi to SCCjdo not appear in disjunctions of FSCCi . No matterthe assignments of the literals corresponding toðu; vÞ, the satisfiability of FSCCi is done only bychecking its internal arcs. Since FSCCi is a propersubformula of PF , the unsatisfiability of FSCCiimplies the unsatisfiability of PF . According to[4], it follows that F is unsatisfiable.

2. If SCC1; . . . ; SCCn are globally independent,then F does not have disjunctions with literalsfrom more than one of PFSCC1

; . . . ; PFSCCn .Moreover, there are no in-arcs or out-arcs forall SCCi; 8i 2 f1; . . . ; ng. So, if all these subfor-mulas are satisfiable, it is obvious that PF issatisfiable, too. tu

Coming back to our case study, we have identified forthe X_38 constraint graph three different strongly connectedcomponents, i.e., two referring to 50 and 10 Hz flight-criticalloops (denoted as SCC1 and SCC2, respectively) and thethird one referring to the nonflight-critical loop (denoted asSCC3). The complete list of constraints appearing inSCC1; SCC2 and SCC3 can be found in [10]. The timingdependencies of these components are illustrated in Fig. 2.

According to Definition 4.1, SCC1; SCC2, and SCC3 arelocally neighbor-independent because the arcs correspond-ing to the constraints @ð# FCP I50FC; iÞ � @ð" FCPI10FC; iÞ � 0 and @ð#FCP I50FC; iÞ � @ð"FCP I50NFC;iÞ � 0 are the only ones from SCC1 to SCC2 and from SCC1

to SCC3, respectively. Moreover, these arcs are not involvedin any disjunction of the specification. By Theorem 4.1, theunsatisfiability of the whole formula (namely, correspond-ing to the complete constraint graph) can be done using theunsatisfiability of all strongly connected components.Section 7 demonstrates that this decomposition techniqueis very efficient, because the time necessary to verify anddebug a given strongly connected component is muchsmaller than the time spent to verify and debug thecomplete specification. We showed in this section how to

deal with the decomposition of the constraint graph. Next

section presents the optimality of timing constraints.

5 OPTIMAL TIMING CONSTRAINTS

First, we define the ground of timing constraints.

Definition 5.1. Given IN a set of timing constraints, we denote

by groundðINÞ the set fðx; yÞ j xþ I � y 2 IN; where

I 2 ZZg.

For instance, considering IN1 ¼ fx1 þ 3 < x2; x2 � 7 <

x3g and IN2 ¼ fx1 � 2 < x2; x2 þ 1 < x3g, we get that

groundðIN1Þ ¼ groundðIN2Þ ¼ fðx1; x2Þ; ðx2; x3Þg.Definition 5.2. We say that the timing constraint xþ I � y is

(strictly) stronger than xþ I � J � y if and only if (J > 0)

J � 0. Given two sets of timing constraints used in the

specifications SP1 and SP2 of a real-time system, we say that

SP1 is stronger than SP2 (we denoted this as SP1 � SP2) if

and only if for any timing constraint of SP2, there exists a

stronger timing constraint of SP1. If there exists at least one

timing constraint of SP1 that is strictly stronger than one

timing constraint of SP2, then SP1 is strictly stronger than

SP2 (we denoted this as SP1 � SP2).

For example, xþ 7 < y is a stronger timing constraint than

xþ 5 < y. Considering sets of constraints, we may have, for

instance, fxþ 7 < y; x� 3 < zg � fxþ 5 < y; x� 4 < zg. We

know that SP ! SA is a tautology if and only if whenever

SP holds then SA holds, too. In fact, the meaning of (strictly)

“strong” refers to the implication over the set of timing

constraints. The next result establishes the formal relation-

ship between “strong”-ness and implication.

Theorem 5.1. Given S1 and S2 two sets of timing constraints

such that S1 � S2, then S1 ! S2 is a tautology.

Proof. Let us take an arbitrary timing constraint of S2; that is,

xþ I � y. Since S1 � S2, then there exists a stronger

timing constraint of S1; say xþ I þ J � y, where J � 0.

Suppose now that S1 holds, i.e., all the timing constraints

of S1 are true. Obviously, xþ I � xþ I þ J , for any J � 0.

Since xþ I þ J � y belongs to S1, it means xþ I � y; so

any arbitrary timing constraint of S2 is true. Hence, S1 !S2 is a tautology. tu

For instance, since fx1 þ 4 < x2; x2 � 5 < x3g � fx1 þ3 < x2; x2 � 7 < x3g, by applying Theorem 5.1, we get

that fx1 þ 4 < x2; x2 � 5 < x3g ! fx1 þ 3 < x2; x2 � 7 < x3gis a tautology.

Definition 5.3. We say that SP ! SA is an optimal tautology

if there are no other SP 0 and SA0, where groundðSP Þ ¼groundðSP 0Þ; groundðSAÞ ¼ groundðSA0Þ; SP � SP 0 or

SA0 � SA, such that SP 0 ! SA0 is a tautology.

Let us consider SP ¼ fxþ 10 � y; y� 20 � zg and SA ¼fx� 15 � zg. Obviously, SP ! SA is a tautology, but it isnot an optimal one in the sense of Definition 5.3. Here aresome optimal tautologies:


SP1 ¼ fxþ 10 � y; y� 20 � zg; SA1 ¼ fx� 10 � zg;SP2 ¼ fxþ 5 � y; y� 20 � zg; SA2 ¼ fx� 15 � zg;SP3 ¼ fxþ 8 � y; y� 20 � zg; SA3 ¼ fx� 12 � zg:

Obviously, SP1 ! SA1; SP2 ! SA2, and SP3 ! SA3 aretautologies. Furthermore, we observe that

groundðSP Þ ¼ groundðSP1Þ ¼ groundðSP2Þ ¼ groundðSP3Þ¼ fðx; yÞ; ðy; zÞg

and

groundðSAÞ ¼ groundðSA1Þ ¼ groundðSA2Þ ¼ groundðSA3Þ¼ fðx; zÞg:

Moreover, the first two tautologies keep either the specifica-tion or the safety assertion unchanged. On the contrary, thethird case changes both the specification and the safetyassertion, i.e., SP � SP3 and SA3 � SA. The fact that theabove tautologies are optimal is also not difficult to checksince the variables and constants can take only integervalues. For example, SP1 ! SA1 is an optimal tautologybecause SP1 cannot imply a stronger set of timingconstraints, such as fx� I � z j I � 9g. In terms of real-time systems specifications, by considering an action x withthe starting time startx and ending time endx, the timingconstraint startx þ c � endx is “optimal” if and only if c isthe largest integer such that the considered timing constraintholds. If so, this formula allows the slowest processingplatform regarding x.

By putting the above results altogether, we designAlgorithm B below to compute an optimal tautology. Like-wise Procedure A, Algorithm B can be expressed as a compactmathematical equation:

BðSP; SAÞ ¼ðSP; SAÞ; if SP ! SA is a tautology:BðSP 0; SA0Þ; if SP � SP 0; SA0 � SA;

otherwise:

8<:

Algorithm B is expressed below in more details.

Input: SP; SA such that SP ! SA is a tautology;Output: SP 0; SA0 such that SP 0 ! SA0 is an optimal

tautology;

Method:

1. k ¼ 1; SP1 ¼ SP ; SA1 ¼ SA;

2. while (true) {

3. if (9SPkþ1 and 9SAkþ1 such that ðSPk � SPkþ1

and SAkþ1 � SAkÞ or ðSPk � SPkþ1 and

SAkþ1 � SAkÞ) then4. if (SPkþ1 ! SAkþ1 is a tautology) then kþþ;

5. else { k��; EXIT_WHILE; }

6. else EXIT_WHILE; }

7. SP 0 ¼ SPk; SA0 ¼ SAk;

The while loop of Algorithm B is terminating whenthere are no changes to be done for SPk and SAk (i.e., lines 5and 6). Moreover, the case when both SPkþ1 and SAkþ1 areequal to SPk and SAk, respectively, is excluded due to theif statement from line 3. This ensures that SPk ! SAk is anoptimal tautology. Line 3 offers the chance to change eitherSPk; SAk, or both of them. The challenging issue inAlgorithm B is which SPkþ1 and SAkþ1 to choose such thatthe condition from the if statement (line 4) is evaluated to

true. In other words, we want to avoid the verification ofSPkþ1 ! SAkþ1 by reusing the previous SPk ! SAk thatwas already proved to be a tautology (details are shown inthe next section). In order to efficiently solve this issue, letus consider the constraint graph, as explained in Section 2.The key idea of our approach is to preserve PF1 (generatedby Procedure A) and change only some weights of arcsfrom positive cycles of CG1. So, we can get a more relaxedspecification and a more tightened safety assertion. Thesechanges will be, of course, reflected back into the originalSP and SA. Since PF1 is unchanged, there is no need torepeat the verification of SP ! SA.

5.1 Why Avoiding the Verification Is Difficult

Algorithm B from the previous section relaxes the specifica-tion at step k; i.e., SPk, by finding a (new) specificationSPkþ1 such that SPk � SPkþ1. Moreover, Algorithm B istightening the safety assertion at step k; i.e., SAk, by lookingfor a (new) safety assertion SAkþ1 such that SAkþ1 � SAk.However, both relaxing and tightening above should becarefully done by preserving the fact that SPkþ1 ! SAkþ1 isstill a tautology. The key point is that we want to do thesechanges in such a way that there is no need to check whetherSPkþ1 ! SAkþ1 is a tautology. This is definitely a challen-ging issue and will be solved by Algorithm C (Section 6). Bysimply changing the direction of the above “narrowings”and “widenings,” we obtain a result that represents the“reverse” implication of Algorithm B. Theorem 5.2 can beused to double check that knowing that SPkþ1 ! SAkþ1 is atautology, then SP ! SA is a tautology, too.

Theorem 5.2. Let SP; SA and SP 0; SA0 be two pairs ofspecifications and safety assertions such that SP 0 �SP; SA � SA0, and SP ! SA is a tautology. Then, SP 0 !SA0 is a tautology.

Proof. By Theorem 5.1, since SP 0 � SP; SA � SA0, we getthat SP 0 ! SP and SA! SA0 are tautologies. Bytransitivity, we get SP 0 ! SP ! SA! SA0. Hence,SP 0 ! SA0 is a tautology. tu

Theorem 5.2 is, in fact, the key point to obtain optimaltautologies (Fig. 3).

Fig. 3 shows that given a tautology SP ! SA, we canlook for more relaxed specification SP 0 (SP 0 � SP ) and/or stronger safety assertions SA0 (SA � SA0) such thatSP 0 ! SA0 is an (optimal) tautology. In this way, thetautology SP ! SA can be replaced with the optimaltautology SP 0 ! SA0 (via the above three implications).

6 MOTIVATING EXAMPLE IN RTL

To illustrate our technique, we choose as our case study thewell-known “railroad crossing” problem. Its behavioralspecification (SP ) is described in natural language [4], [7],[8] as follows: “When the train approaches the sensor, a signalwill initiate the lowering of the gate,” and “Gate is moved to the


Fig. 3. Relaxing SP and restricting SA.

down position within 30s from being detected by the sensor,” and

“The gate needs at least 15s to lower itself to the down position.”The goal of this real-time system is described by the

following safety assertions (SA): “If the train needs at least45 s to travel from the sensor to the railroad crossing” and “thetrain crossing is completed within 60 s from being detected by thesensor,” then “we are assured that at the start of the traincrossing, the gate has moved down and that the train leaves therailroad crossing within 45 s from the time the gate has completedmoving down.”

Now, we evaluate the test condition of the while loopof Procedure A, in order to verify this real-time systemspecification against the safety assertion. We express SP

in terms of path RTL, as follows:

8xð@ðTrainApproach; xÞ � @ð" DownGate; xÞ ^@ð# DownGate; xÞ � @ðTrainApproach; xÞ þ 30Þ ^8yð@ð" DownGate; yÞ þ 15 � @ð# DownGate; yÞ Þ:

SA is

8t8uð@ðTrainApproach; tÞ þ 45 � @ð" TrainCrossing; uÞ^ @ð# TrainCrossing; uÞ < @ðTrainApproach; tÞ þ 60!@ð" TrainCrossing; uÞ � @ð# DownGate; tÞ^ @ð# TrainCrossing; uÞ � @ð# DownGate; tÞ þ 45Þ:

In order to translate this into an equivalent Presburgerarithmetic formula, we use the following notations:@ðTrainApproach; xÞ will be fðxÞ; @ð" DownGate; xÞ will beg1ðxÞ; @ð# DownGate; xÞ will be g2ðxÞ; @ð" TrainCrossing; uÞwill be h1ðuÞ; @ð# TrainCrossing; uÞwill be h2ðuÞ; and so on.The complete translation into the Presburger arithmeticformula is

SP : 8xðfðxÞ � g1ðxÞ ^ g2ðxÞ � fðxÞ þ 30Þ^8yðg1ðyÞ þ 15 � g2ðyÞÞ;

SA : 8t 8uðfðtÞ þ 45 � h1ðuÞ ^ h2ðuÞ < fðtÞ þ 60!g2ðtÞ � h1ðuÞ ^ h2ðuÞ � g2ðtÞ þ 45Þ:

The equivalent CNF after skolemising (the substitution½T=t½U=u corresponds to the :SA part, where T and U aretwo new constants) is

SP : 8x 8yðfðxÞ � g1ðxÞ ^ g2ðxÞ � 30 � fðxÞ^g1ðyÞ þ 15 � g2ðyÞÞ;

:SA : fðT Þ þ 45 � h1ðUÞ ^ h2ðUÞ � 59 � fðT Þ^ðh1ðUÞ þ 1 � g2ðT Þ _ g2ðT Þ þ 46 � h2ðUÞÞ:

Next, the constraint graph is constructed (Fig. 4).

We use following notations for the literals:

A1 ¼ fðxÞ � g1ðxÞ; A2 ¼ g2ðxÞ � 30 � fðxÞ;A3 ¼ g1ðyÞ þ 15 � g2ðyÞ; A4 ¼fðT Þ þ 45�h1ðUÞ;A5 ¼ h2ðUÞ � 59�fðT Þ; A6 ¼ h1ðUÞ þ 1 �g2ðT Þ;A7 ¼ g2ðT Þ þ 46 � h2ðUÞ:

So, PF1 has the positive clauses: fA1g, fA2g, fA3g, fA4g,fA5g, fA6; A7g. Three positive cycles in the constraint graph

were identified (Fig. 4), so PF1 has the negative clauses:

fA2; A4; A6g, fA4; A5; A6; A7g, fA1; A3; A5; A7g. Of course,

the nodes labeled with fðxÞ and fðT Þ are considered as one

using the substitution ½T=x. We obtain that PF1 is

unsatisfiable, so SP ^ :SA is too. Thus, SP ! SA is a

tautology, i.e., the real-time system is safe.Let us illustrate now the execution of Algorithm B on our

case study. Obviously, the positive literals A1; A2; . . . ; A7

correspond to either SP; SA, or :SA. Some of the original

timing constraints may remain the same, whereas others

have to be negated. For example, A1 appears identical in

SA, whereas A6 appears as in :SA, which, in turn, is the

negation of SA. We denote by :ðxþ I � yÞ the constraint

y� I þ 1 � x. This notation can be easily extended to a set

of timing constraints S, by denoting with :S the set of

timing constraints obtained after doing the negation of all

timing constraints of S.

Lemma 6.1. Given S1 and S2 two sets of constraints such that

S1 � S2, then :S2 � :S1.

Proof. Without loss of generality, we suppose that

groundðS1Þ ¼ groundðS2Þ. Let us consider two arbitrary

constraints xþ I � J � y of S2 and xþ I � y of S1, where

J � 0. It is easy to check that fy� I þ J þ 1 � xg �fy� I þ 1 � xg. This implies that :S2 � :S1. tu

As mentioned in [4], the unsatisfiability of SP ^ :SA is

obtained by considering the positive cycles of CG1. The key

point of our approach in identifying the relaxation of SP

and the tightening of SA is to make the positive cycles to

have the weight equal to 1. We denote by wðCÞ the weight

of cycle C. Given the constraint graph CG; we say that a

positive cycle C is independent if and only if C has at least an

arc which does not appear in other positive cycles of CG.

We say that CG is an optimal constraint graph if and only if:

. all independent positive cycles C have weight 1;

. for any nonindependent positive cycle, if an arcdecreases its weight, then at least an independentpositive cycle will change its weight to 0 or to anegative integer. As such, we can rewrite Algo-rithm B into Algorithm C in an equivalent formthat uses the constraint graph as a necessary datastructure. Likewise Procedure A and Algorithm B,Algorithm C can be expressed as a compactmathematical equation:


Fig. 4. Railroad crossing constraint graph.

CðSP; SAÞ ¼

ðSP; SAÞ; if CG has no independent

cycle C such that wðCÞ > 1;

CðSP 0; SA0Þ; if SP 0 and SA0 are

obtained from SP and SA;

otherwise:

8>>>>>><>>>>>>:

Algorithm C is expressed below in more details.

Input: SP; SA such that SP ! SA is a tautology, and CG1

the original constraint graph;

Output: SP 0; SA0 such that SP 0 ! SA0 is an optimal

tautology;

Method:

1. k ¼ 1; SP1 ¼ SP ; SA1 ¼ SA;2. while (there is an independent positive cycle C of CGk

such that wðCÞ > 1) {

3. identify the arc ðv1; v2Þ of weight I of cycle C that does

not occur in other positive cycle of CGk;

4. decrease the weight of ðv1; v2Þ such that wðCÞ ¼ 1 and

denote the new constraint graph CGkþ1;

5. change SPk and SAk according to the new weight;

6. k ¼ kþ 1; }7. SP 0 ¼ SPk; SA0 ¼ SAk;

As mentioned above, CG1 has three positive cyclesdenoted as C1 ¼ ðA2; A4; A6Þ; C2 ¼ ðA4; A6; A7; A5Þ; andC3 ¼ ðA1; A3; A7; A5Þ. Obviously, C1 and C3 are indepen-dent cycles as they contain the arcs A2 and A3 that do notoccur in other positive cycles. But C2 is a nonindependentcycle as its arcs appear in C1 and C3. Algorithm B will firstidentify C1 as an independent positive cycle and willdecrease the weight of A2 from �30 to �45 becausewðC1Þ ¼ 16. So, the new weight of C1 is 1. Next,Algorithm B identifies either A1 or A3 as a potential arcfor which the weights can be decreased. Since wðC3Þ ¼ 2;we can decrease the weight of A3 from 15 to 14; so the newweight of C3 will be 1. The while loop of Algorithm B willterminate and display the new optimal specification:

SP 0 : 8x 8yðfðxÞ � g1ðxÞ ^ g2ðxÞ � 45 � fðxÞ^g1ðyÞ þ 14 � g2ðyÞÞ:

Note that SA0 is the same as SA. Lemma 6.1 helps toidentify the proper timing constraint that has to be updated(line 4 of Algorithm B). Since SP � SP 0; we remark thatSP 0 is the most relaxed specification starting from SP thatimplies SA.

Theorem 6.1 (correctness of Algorithm C). Given SP andSA such that SP ! SA is a tautology as an input forAlgorithm C, then SP 0; SA0 are output for Algorithm C andSP 0 ! SA0 is an optimal tautology.

Proof. The number of iterations of the while loop ofAlgorithm C is finite. After all iterations of the while

loop are executed, all positive cycles have a weight of 1.According to the propositional formula construction, thereis an one-to-one correspondence between the positivecycles and the set of negative propositional clauses. SinceAlgorithm C does not add or remove positive cycles, thepropositional formula for :ðSP ! SAÞ is the same as for:ðSP 0 ! SA0Þ. This implies that SP 0 ! SA0 is a tautology.It remains to show thatSP 0 ! SA0 is an optimal tautology.By reduction ad absurdum, we suppose that SP 0 ! SA0 is

not an optimal tautology. According to Definition 5.3,there exist SP 00 and SA00, where groundðSP 0Þ ¼groundðSP 00Þ; groundðSA0Þ ¼ groundðSA00Þ; SP 0 � SP 00 orSA00 � SA0 such that SP 00 ! SA00 is a tautology.

1. Suppose SP 0 � SP 00. According to Definition 5.2,there exists a timing constraint of SP 0, say xþ I �y; that is strictly stronger than SP 00, say xþ I �J � y; where J > 0. Since SP 0 ! SA0 is a tautol-ogy, then xþ I � y corresponds to an arc in apositive cycle, say C, of the constraint graph suchthat wðCÞ ¼ 1. When constructing the constraintgraph for :ðSP 00 ! SA00Þ, the corresponding cycleto C, called now C0, will not be anymore strictpositive, that is, wðC0Þ ¼ 1� J � 0. That meansthe propositional formula corresponding to:ðSP 00 ! SA00Þ, say PF , does not contain thenegative clauses corresponding to the formerpositive cycles. This leads to detðPF Þ > 0; hence,there exist assignments for variables such thatSP 00 does not necessarily imply SA00. Thus,SP 00 ! SA00 is not a tautology, contradiction!Hence, SP 0 ! SA0 is an optimal tautology.

2. The case SA00 � SA0 can be treated like case 1. tu

7 EXPERIMENTAL RESULTS

This section is dedicated to experimental work for thetheoretical results presented in previous sections. First, wepresent the characteristics of our tool. Second, we show howto do the verification and debugging of formulas that arenot necessarily path RTL, but extended path RTL (e.g., theairport radar station). The benefits of our decompositiontechnique are also highlighted.

7.1 Characteristics of DEVO-RTL

In the following, we shall present the characteristics of theJava implementation of our automatic approach, calledDEVA-RTL (Decompositional Extended path RTL Verifier-debugger- Optimizer). DEVO-RTL is an extended tool of theSDRTL (Systematic Debugging for path Real-Time Logic,[11]), a Java implementation of our debugging algorithm (anheuristic of Procedure A from Section 2). SDRTL is able toidentify potential missing constraints and modify existingconstraints. The main difference between DEVO-RTL andSDRTL is that DEVO-RTL can do verification and debuggingfor extended path RTL specifications (Section 3) by applyingthe decomposition technique (Section 4). Another differencebetween the two tools is that DEVO-RTL identifies whichclass the input formula belongs to (e.g., path RTL orextended path RTL). For instance, the first three real-timesystems examples of Table 1 are expressed in path RTL,whereas the last example (radar station) is expressed inextended path RTL. As for SDRTL, the DEVO-RTL takes asinput an old specification, followed by the necessarychanges that are made to it, namely, the incrementalspecification and the removed specification. The oldspecification represents the set of formulas modeling theprevious instance. The incremental part refers to the new setof formulas that should be added to the old specification,while the removed part represents the set of subformulaswhich have to be removed from the old specification. All


these three input files of DEVO-RTL and SDRTL contain thePresburger arithmetic formula obtained after skolemizingthe real-time logic formula. DEVO-RTL and SDRTL give asoutputs the execution times details and the intermediatedebugging results for the new complete specification.

7.2 Experimental Results of DEVO-RTL

First, we discuss a comparison of the incremental automaticdebugging of real-time systems specified in the path RTL andsystems specified in extended path RTL. By automaticdebugging here, we mean the ability of DEVO-RTL toidentify potential missing constraints from the initialspecification. We demonstrate the below experiments byrandomly removing one, two, three, and four constraintsfrom a correct specification and check the execution timespent by DEVO-RTL. We ran DEVO-RTL on a Pentium IVcomputer system, with 2.4 GHz using 512 MB of mainmemory. Table 1 describes the output results obtained formore industrial real-time systems expressed in either thepath RTL or the extended path RTL. Table 1 shows that thedebugging times increase linearly as the number of missingconstraints increase.

Although the specification of the radar station examplelooks smaller than the X_38, the verification and debuggingfor it takes longer time (i.e., 13.94 seconds against 5.92 secondsto identify four missing constraints) because the correspond-ing propositional formula needs more variables and clauses.This is because the radar station is specified in the extendedpath RTL and the other three systems are still expressedin traditional path RTL, so the number of propositionalvariables is double that of a system expressed in path RTLonly (Theorem 3.1). However, Table 1 demonstrates that evenif the propositional formula of the radar station is much largerthan the previous systems, the execution times that DEVO-RTL spent to identify the missing one, two, three, and fourconstraints are reasonable.

In the second part of this section, we illustrate theefficiency of the decomposition technique. Let us considerthe X_38 specification (Section 4). The experimental results ofour verification and debugging technique are shown inTable 2. We have tested the ability of DEVO-RTL to identifypossible missing constraints from the X_38 specification. Theidentification of missing one, two, three, and four constraintshas been not done only for the complete X_38 specification,but also for each strongly connected componentSCC1,SCC2,and SCC3 (Fig. 2). Since the arcs from SCC1 to SCC2 andfrom SCC1 to SCC3 do not appear in any disjunction of theformula, it follows that all SCC1, SCC2, and SCC3 are locallyneighbor-independent components.

We ran DEVO-RTL on a similar computer system, andthe output results are shown in Table 2. This table showsthat the execution times for the verification and debuggingof each individual strongly connected component aresmaller than the verification and debugging of the entireX_38 specification. We denote by X 38 10FC, X 38 50FC,and X 38 50NFC the X_38 specification corresponding toeach SCC1, SCC2, and SCC3, respectively. The columns ofTable 2 (“cons.” stands for “constraints”) refer to the variousinstances of the debugging problem where one, two, three,or four constraints were missing. The time represents theaverage number of seconds until the DEVO-RTL identifiesthe missing constraints, updates the specification, andchecks the validity of the formula. This motivates theapplicability of item 1 of Theorem 4.1. That is, if one of thesestrongly connected components is unsatisfiable, then thecomplete formula is unsatisfiable, too. For example, if twomissing constraints are from X 38 10FC specification, thenDEVO-RTL needs only 0.58 seconds for their identification,and not searching the entire X 38 specification (which takes2.28 seconds).

In fact, the more strongly connected components theconstraint graph has, the better the performance of thedecomposition technique. To demonstrate that we extendedthe X_38 specification to three more X_38 flight-criticalcontrol loops, namely, for 40, 30, and 20 Hz. The newlyadded constraints are very similar to the flight-criticalcontrol loop specification of 10 Hz. The new X_38specification can be schematically drawn in Fig. 5, whereSCC1, SCC2, and SCC3 are the same as in Fig. 2, whereasSCC4, SCC5, and SCC6 correspond to the new componentsof 40, 30, and 20 Hz, respectively. These are denoted inTable 1 by X 38 40FC, X 38 30FC, and X 38 20FC.

The verification and debugging of the X_38, the extendedX_38 and all strongly connected components have beencaptured in the second half of Table 2. The execution timesnecessary for the verification and debugging of eachstrongly connected component are approximately the same.Compared with the whole extended X_38 specification, theverification and debugging of each strongly connectedcomponent is approximately six times faster. Supposingthat the missing constraint was from the component


TABLE 1The DEVO-RTL Experimental Results

TABLE 2Decomposition Technique Debugging Results

X 38 40FC, then our tool would be able to identify themissing constraint in 0.30 seconds rather than consideringthe entire specification which takes 2.12 seconds.

The third part of this section is dedicated to comparisonof the execution times of DEVO-RTL with SDRTL regardingthe optimization task. In our experiments, we consider thesame real-time systems benchmark as in [11], namely, therailroad crossing, the reactor, and the X-38. The obtainedresults are summarized in Table 3. Analyzing Table 3, westate that DEVO-RTL needs nearly the same execution timeto find an optimal solution as SDRTL verifies that SP ! SAis a theorem. The difference is due to the fact that DEVO-RTL performs the verification followed by the optimizationof SP ! SA. However, the overhead (i.e., this executiontime difference between SDRTL and DEVO-RTL) is not verysignificant since it is between 2 and 10 percent. The reasonfor only 10 percent more than SDRTL overhead is becausethe verification was done only once, at the beginning ofchecking whether SP ! SA is a theorem. The subsequenttask is responsible only for changing SP and/or SA suchthat SP ! SA becomes an optimal theorem. We showedthat our decomposition technique can be effectively appliedas a better alternative to previous works [11].

8 RELATED WORK

A number of efficient algorithms for obtaining the positivecycles in a constraint graph have been analyzed in [12]. Thedebugging task from there is opposite to our approach. InDasdan’s approach, a system is inconsistent if the constraintgraph has at least one positive cycle. On the contrary, in ourdebugging approach, we insert as many positive cycles asneeded until the real-time system becomes safe.

An incremental positive cycle detection algorithm hasbeen presented in [9] and an incremental algorithm formodel checking using transition systems in the alternation-free fragment of the modal �-calculus was presented in [13].Incremental algorithms using derivation graphs have beendesigned for safety analysis of recursive state machines [14].Our approach is incremental in another way, namely,referring to the Boolean formula computation.

The decomposition techniques are known to be veryuseful for systems specification. Alur et al. [15] show atechnique for modular specification of interacting hybridsystems. Another example of a decomposition techniquewas described in [16] in order to develop a compositionalreal-time scheduling framework so that global system-leveltiming properties can be established by composing inde-pendently specified and analyzed local component-leveltiming properties. The decomposition techniques are usedfor component-based mechanical systems verification.Kulkarni et al. [17] showed that a decomposition of a

fault-tolerant program into its components is useful in itsmechanical verification. The technique uses the theoremprover PVS [18] to verify Dijkstra’s token ring program in acomponent-based manner.

Works on the optimization of embedded and real-timesystems have focused on different levels of abstraction, fromhigh-level component design to circuit and code-leveloptimizations. Hellestrand [19] overviews the high-levelarchitectural design issues of embedded systems, high-lighting the development of these systems driven by avariety of constraints such as market adaptivity and speed.Carchiolo et al. [20] describe the synthesis of formalspecifications of the hardware/software in the codesign ofembedded systems. By using T-LOTOS, they can specify asystem by observing the temporal ordering of the eventsfrom the outside of the system. Zhao et al. [21] introduce amethod to reposition code so that the worst-case executiontime (WCET) of the tasks can be tightened, and hence, thesetasks are more likely to meet their deadlines. Henzinger et al.[22] employ composability to efficiently generate embeddedcode in the distributed Giotto. Pop et al. [23] show how touse a frame packing technique driven by a schedulabilityanalysis to develop more efficient multicluster-distributedembedded systems.

Most of these works tackle specific aspects of em-bedded/real-time systems design and synthesis, makingthem less portable in general. Furthermore, they are oftentailored to particular models and architectures. It is,therefore, difficult to port these techniques to work ondifferent platforms. On the other hand, our approach isbased on the specification language path-RTL, which isbasically the standard first order logic augmented with theoccurrence function to denote an event occurrence time.This makes it general for specifying embedded/real-timesystems at different levels of abstraction. Our optimizationframework is also novel in that it is not tied to a particulararchitecture or model. Any system and safety assertions ofinterest that can be specified in path-RTL can be optimized,making our approach applicable in a variety of settings.Moreover, since our optimization is applied to RTLspecifications and safety assertions, it is also implementa-tion-language-independent if our target is code.

9 CONCLUSIONS AND FUTURE WORK

The contribution of this paper is three-fold. First, wepresented rigorous proofs for the extended path RTL classby allowing a larger variety of inequalities and equalities to


Fig. 5. Structure of extended X_38 constraint graph.

TABLE 3Execution Times of SDRTL and DEVO-RTL

be described. Second, we described rigorous proofs for an

efficient divide-and-conquer method to solve the verifica-

tion and debugging problem of large real-time systems

specifications using decomposition techniques. Third, we

showed rigorous proofs for optimizing the implication

SP ! SA, without repeating the verification and debug-

ging steps, and motivating why this is not an easy task.

Experimental results show that our method of automatic

modular verification and debugging of real-time systems

specification is very practical. Only about 10 percent of the

running time of the heuristic for the verification of SP !SA is needed to find an optimal theorem.

ACKNOWLEDGMENTS

The authors thank Professor Aloysius K. Mok for useful

comments on some past work and encouragements to

extend the path RTL class of formulas. Moreover, they

thank the anonymous reviewers of the 27th IEEE Real-Time

Systems Symposium and the 12th IEEE International

Conference on Embedded and Real-Time Computing

Systems for the useful comments which improved this

work. They also thank the IEEE Transactions on Computers’

Associate Editor and the anonymous reviewers for the

useful corrections and suggestions that improved this

paper. This work is supported in part for Dr. Andrei by

the Lamar Research Enhancement Grant No. CS1002 and

for Dr. Cheng by the US National Science Foundation under

Award No. 0720856, a 2006 grant from the Institute for

Space Systems Operations, and GEAR Grant No. I092831-

38963. This paper is an extended and revised version of

previous preliminary works [1], [2]. New significant results

(e.g., Theorems 3.1 and 4.1) and one more section (i.e., 5.1)

have been given. Moreover, a comprehensive implementa-

tion tool and more experimental results have been added.

REFERENCES

[1] S. Andrei and A.M.K. Cheng, “Faster Verification of rtl-SpecifiedSystems via Decomposition and Constraint Extension,” Proc. 27thIEEE Real-Time Systems Symp., pp. 67-76, 2006.

[2] S. Andrei and A.M.K. Cheng, “Optimization of Real-Time SystemsTiming Specifications,” Proc. 12th IEEE Int’l Conf. Embedded andReal-Time Computing Systems and Applications, pp. 68-74, 2006.

[3] F. Jahanian and A. Mok, “Safety Analysis of Timing Propertiesin Real-Time Systems,” IEEE Trans. Software Eng., vol. 12, no. 9,pp. 890-904, Sept. 1986.

[4] F. Jahanian and A. Mok, “A Graph-Theoretic Approach forTiming Analysis and Its Implementation,” IEEE Trans. Computers,vol. 36, no. 8, pp. 961-975, Aug. 1987.

[5] F. Wang and A.K. Mok, “RTL and Refutation by Positive Cycles,”Proc. Formal Methods Europe Symp., pp. 659-680, 1994.

[6] F. Jahanian and D.A. Stuart, “A Method for Verifying Propertiesof Modechart Specifications,” Proc. Ninth IEEE Real-Time SystemsSymp., pp. 12-21, 1988.

[7] S. Andrei and W.-N. Chin, “Incremental Satisfiability CountingFor Real-Time Systems,” Proc. 10th IEEE Real-Time and EmbeddedTechnology and Applications Symp., pp. 482-489, 2004.

[8] A.M.K. Cheng, Real-Time Systems. Scheduling, Analysis, andVerification. Wiley Interscience, 2002.

[9] A.K. Mok, D.-C. Tsou, and R.C.M. de Rooij, “The MSP.RTL Real-Time Scheduler Synthesis Tool,” Proc. 17th IEEE Real-Time SystemsSymp., pp. 118-128, 1996,

[10] L.E.P. Rice and A.M.K. Cheng, “Timing Analysis of the X-38 SpaceStation Crew Return Vehicle Avionics,” Proc. Fifth IEEE-CS Real-Time Technology and Applications Symp., pp. 255-264, 1999.

[11] S. Andrei, W.N. Chin, A.M.K. Cheng, and M. Lupu, “AutomaticDebugging of Real-Time Systems Based on Incremental Satisfia-bility Counting,” IEEE Trans. Computers, vol. 55, no. 7, pp. 830-842,July 2006.

[12] A. Dasdan, “Efficient Algorithms for Debugging Timing Con-straint Violations,” Proc. Eighth ACM/IEEE Int’l Workshop TimingIssues in the Specification and Synthesis of Digital Systems, pp. 50-56,2002.

[13] O. Sokolsky and S. Smolka, “Incremental Model Checking in theModal Mu-Calculus,” Proc. Int’l Conf. Computer-Aided Verification,1994.

[14] C.L. Conway, K.S. Namjoshi, D. Dams, and S.A. Edwards,“Incremental Algorithms for Inter-Procedural Analysis of SafetyProperties,” Computer Aided Verification, K. Etessami andS. Rajamani, eds., pp. 449-461, Springer-Verlag, 2005.

[15] R. Alur, R. Grosu, I. Lee, and O. Sokolsky, “CompositionalRefinement for Hierarchical Hybrid Systems,” Proc. Fourth Int’lWorkshop Hybrid Systems: Computation and Control, pp. 33-48, 2001.

[16] I. Shin and I. Lee, “Compositional Real-Time Scheduling Frame-work,” Proc. Real-Time Systems Symp., pp. 57-67, 2004.

[17] S.S. Kulkarni, J.M. Rushby, and N. Shankar, “A Case-Study inComponent-Based Mechanical Verification of Fault-TolerantPrograms,” Proc. IEEE Int’l Conf. Distributed Computing Systems(ICDCS) Workshop Self-Stabilizing Systems, pp. 33-40, 1999.

[18] S. Owre, J.M. Rushby, N. Shankar, and D.W.J. Stringer-Calvert,“PVS: An Experience Report,” Proc. Int’l Workshop Current Trendsin Applied Formal Methods—FM-Trends ’98, pp. 338-345, 1998.

[19] G.R. Hellestrand, “Systems Architecture: The Empirical Way:Abstract Architectures to ‘Optimal’ Systems,” Proc. Int’l Conf.Embedded Software, 147-158, 2005.

[20] V. Carchiolo, M. Malgeri, and G. Mangioni, “Hardware/SoftwareSynthesis of Formal Specifications in Codesign of EmbeddedSystems,” Design Automation of Electronic Systems, vol. 5, no. 3,pp. 399-432, 2000.

[21] W. Zhao, D. Whalley, C. Healy, and F. Mueller, “ImprovingWCET by Applying a WC Code Positioning Optimization,” ACMTrans. Architecture and Code Optimization, vol. 2, no. 4, pp. 335-365,2005.

[22] T.A. Henzinger, C.M. Kirsch, and S. Matic, “Composable CodeGeneration for Distributed Giotto,” ACM SIGPLAN Notices,vol. 40, no. 7, pp. 21-30, 2005.

[23] P. Pop, P. Eles, and Z. Peng, “Schedulability-Driven FramePacking for Multicluster Distributed Embedded Systems,”ACM Trans. Embedded Computing Systems, vol. 4, no. 1,pp. 112-140, 2005.

Stefan Andrei received the BSc and MScdegrees in computer science from Cuza Uni-versity of Iasi, Romania, and the PhD degree incomputer science from Hamburg University,Germany, in 2000. He is currently an assistantprofessor in the Department of ComputerScience, Lamar University, Texas. His researchinterests are in real-time embedded systemsand software engineering. He is a member of theIEEE. More details about Stefan are at his

webpage: http://galaxy.lamar.edu/~sandrei/

Albert Mo Kim Cheng received the BA degree(with Highest Honors) in computer science,graduating Phi Beta Kappa, the MS degree incomputer science with a minor in electricalengineering, and the PhD degree in computerscience from The University of Texas at Austin,where he held a GTE Foundation DoctoralFellowship. He directs the Real-Time SystemsLaboratory in the Computer Science Departmentat the University of Houston. He is a senior

member of the IEEE. More details about Albert are at his webpage:http://www2.cs.uh.edu/~acheng/acheng.html

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Efficient Verification and Optimization of Real-Time Logic-Specified Systems

Documents

Transcript of Efficient Verification and Optimization of Real-Time Logic-Specified Systems