Specification and validation of dynamic systems using temporal logic

(1)

Specification and validation of dynamic systems using temporal logic

S.M.Cho, H.H.Kim, S.D.Cha and D.H.Bae

Abstract: A specification and validation technique for dynamic systems is proposed. In particular, a new temporal logic, called HDTL, is presented and the tableau method revised for automatic analysis. Using a freeze quantifier, HDTL with the revised tableau method makes it possible to specify the correctness requirements of dynamic systems and validate them. The proposed logic is rather generic, i.e. it has only a few assumptions on operational language. The authors introducc a simple dynamic modelling language and illustrate its experiment. The experiment shows that HDTL is suitable for specifying dynamic properties and the analysis technique is promising.

1 Introduction

Formal specification has become important in software development, because the formality of specification increases confidence in the correctness of systems by allowing rigorous validation. For example, formal require- ment specification can prevent many errors from being introduced to the system by removing ambiguity. In general, specification languages can be classified into two categories: one for the specification of behaviours, the other for the specification of properties. There exist many behavioural specification languages based on various formalisms, including automata [ 11, Petri-nets [2], and process algebra [3] theories. Their goal is to describe precisely how a system changes.

On the other hand, the goal of property specification languages is to capture what the system should fulfill in a declarative style. Because of their higher abstraction, it is common practice to validate whether a behavioural model or implementation of a system is consistent with its property specification. For example, most model checking technologies, such as SPIN [4] and SMV [ 5 ] , employ property-specification languages to validate their behavioural models.

Propositional temporal logic [6] is one of the most widely used languages for property Specification. It uses temporal operators to specify the ordering of events in a system. For example, temporal logic allows one to specify a temporal property such as ‘the warning must be raised after the elevator door opens’.

Unfortunately, to use propositional temporal logics for specifying dynamic systems [7], we must address some problems: during run-time, dynamic systems create and/or remove their constituents that are instantiated from pre- defined templates, which are called types or classes. Thcir

0 IEE, 2001

IEE Proceedings online no. 20010558 DOI: 10.1049/ip-scn:20010558

Paper first received 5th June 2000 and in revised form 22nd May 2001 The authors are with thc Department of Computer Science and AITrc, KAIST, 373.1, Kusong-dong, Yusong-gu Taejon, Korea

E-mail: {seung, hhkim, cha, bae}@salmosa.kaist.ac.!u IEE Proc-Sofi., Vol. 148, No. 4, August 2001

behaviours are defined as the interaction of instances. This causes a problem because propositional temporal logics cannot properly handle the notion of instances. That is, they only allow one to specify properties of systems consisting of distinct constituents. Therefore, when using propositional temporal logics, the analysis usually does not distinguish instances of the same type. Consider, for example, a simple library system. In this system, it is an important property that when a patron borrows a copy of a book, he/she must return that copy. In this case, the system must be able to distinguish each instance, say a copy, of the book.

Even though it seems possible to overcome this limita- tion by annotating each instance with an unique identifier, this strategy does not resolve the problem entirely. For example, the model checker SPIN assigns each instance an identifier, called (pid), in order of creation. This allows us to treat each instance as a distinct constituent because it is possible to identify each instance with a type combined with the p i d . However, it should be noted that, when specifying properties, we cannot determine which instances are participating events, because process instantiation arises dynamically at runtime. In the library example, we cannot tell which copy a patron is supposed to return until he/she actually borrows it. That is, it is infeasible to know the exact unique identifiers of copies and patrons before actual creations occur, although their identifiers are required to specify the above property.

First-order temporal logic is an intuitive solution to these problems. Indeed, we can specify the properties of dynamic systems properly with first-order temporal logic. However, we encounter difficulties when we analyse the properties specified using first-order temporal logic. There are few techniques for automatic analysis of first-order temporal logic. We strongly believe that classical first-order quantifiers, such as V and 3, are sources of complexity that make it difficult to deal with formalism algorithmically: the semantics of classical quantifiers are defined in terms of sets for characterising the meanings of variables. In general, we cannot characterise fixed sets for the valuation of the variables when specifying properties, because the configuration of system components evolves over time.

Instead of first-order quantifiers, we adopt the freeze quantifier proposed in TPTL (timed propositional temporal

135

(2)

logic) [8]: the freeze quantifier is defined in terms of traccs only. That is, the semantic definition of the freeze quantifier permits evaluation of a temporal formula including variables over a single trace, without the notion of sets.

Using the freeze quantifier, we design a new temporal logic, half-order dynamic temporal logic (HDTL) to specify the properties of dynamic systems. Then we revise the tableau method [9] for verification of HDTL, and suggest a dynamic-analysis (Note 1) technique.

To illustrate the proposed approach, we use a conference system model as an example. Then, we specify properties for the model, such as ‘a participant cannot join two sessions at the same time’, and validate them using the proposed technique. This shows that HDTL is suitable for specifying dynamic properties and the analysis technique is promising.

HDTL has only one assumption regarding operational languages: the behaviour of systems can be defined in terms of sequences of messages by which instances interact with each othcr. Note that the conference example employs a small operational language satisfying the assumption. It implies that the assumption is weak enough, and HDTL is applicable to various operational languages.

2 Background

2.1 Propositional temporal logic and the tableau method

Teniporal logic, suggested by Pnueli in his pioneering work [lo], has been one of the most widely used formalisms for the specification of concurrent and/or reactive systems.

Because of their declarative style of specification, they are rcgarded as especially suitable for property specification.

Frequently used temporal operators are:

0 O p : p will be true at next instant

Op: p will be true at next instant, or the current instant is the final one

0 0,: p will eventually bccome true sometime in the future

0 U p : y is always truc from now on

0 p

U

q: From now. p remains true until q becomes true

0 p

P

q: p always precedes q (defined mainly to provide the dual operator of

U)

wherep and q represent the propositions that have the truth values true or false depending on the state of systems. The name PTL (propositional temporal logic) indicates that it is based semantically on propositional logic.

The tableau method [9] plays an important role in algorithmic analysis of temporal logic. The key idea behind the tableau method is that any temporal formula can be split into two conditions: a non-temporal condition on the current state and a temporal condition on the next states, called a present condition and a future condition, respectively. For example, a formula O f c a n be split intof on the current state and O O f o n next states. There are a set of such splitting rules for each temporal operator [9].

Since, given a PTL formula, the number of conditions generated in this way is finite, we can construct a finite structure, called the initial tableau. It is an automaton that accepts precisely the set of strings satisfying the PTL formula.

Note 1: An analysis is said to be dynamic when it is conducted with actual execution of a systcm. Examples include testing and run-time monitoring.

136

2.2 Freeze quantifier

There are several temporal logics for specification of real- time systems. Most of them employ first-order logic. They include a state variable representing time and the first-order quantifiers, such as V and 3, to quantify the time variable.

Alur and Henzinger [SI suggested another form of quantification, called freeze quantification, in which every variable is bound to the time of a particular state.

For instance, the typical time-bounded response require- ment that every request p be followed by a response q within 10 time units, can be asserted by the formula

ax.(,

+ oy.(q A y I x

+

¹⁰⁾⁾

(read ‘whenever there is a request p , and the variable x is frozen to the current time, the request is followed by a response q, at time y, such that y is at most x

+

^{10’). The}

freeze quantifier allows automatic analysis of real-time properties by binding every variable with the time of a particular state.

Our work is based on the observation that there exists a similarity between real-time and dynamic systems. Both of them require the notion of variables to represent the requirements specification; a variable representing time, and variables representing the communicating components, i.e. the process identities for the sender and the receiver of messages. The variables, in both cases, may range over an infinite domain. The problem is to determine the proper quantification that is readable and allows the algorithmic analysis.

We found that freeze quantification also is suitable for the specification of dynamic systems. We adopt the notation of freeze quantification and suggest an analysis technique that is able to deal with dynamicism.

3 Half-order dynamic temporal logic

3. I

To define a property specification language precisely, we develop the formal definition of the behaviour of systems.

We view the behaviour of a system under analysis as a set of sequences of events, called traces, where each event denotes the occurrence of a message. Assume that there are an infinite set 0 and a finite set L for participating components and labels of messages, respectively. Note that the number of components is infinite, because of dynamic instantiation. Formally, an event e ^EE is a triple (sender,receiver,label) where label E L is the label of the occurred message, denoted by label(e), and sender E 0 and receiver E 0 are its sender and receiver, denoted by snd(e), and rcv(e), respectively.

Throughout this paper, given a trace ^CJ= (o0, G , , . . . ,.

on), G,) denotes the first element of the trace CT and CJ‘

denotes the trace that results from G by deleting the first i elements. The juxtaposition c r d of two traces means cr followed successively by CJ’.

It is interesting to compare our definition of the behaviour of dynamic systems with that of other models, such as [ 111. They build a precise execution model of object- oriented systems, with explicit consideration for the dynamic creation and removal of objects. However, their final definition of the language of a system (section 2.8, p. 15, in [ll]) does not include information about the instances. Only the class names and the message names constitute the alphabet of the language. We think this simplification is inevitable, because their goal is to check whether there exists an inheritance relation between two classes. Including information about instances certainly

Dynamic systems and their behaviour

IEE Pmc.-Sojm., kl. 148, Nn. 4, August 2001

(3)

increases the complcxity of the algorithm. However, at the same time, it is also clear that the lost information may be valuable in some applications. In particular, dynamic analyses can benefit by it. Some properties can be specified only when we take information about instances into account.

3.2 Syntax and semantics of HDTL

Assume that there is a set V for variables x, y, z , . . .

.

The formulas of HDTL are built from proposition symbols by boolean connectives, temporal operators, and freeze quantifiers.

De$nition I (Syntax of HDTL): Term n and formula q5 of HDTL are inductively defined as follows:

0 n := snd(x)

I

vcv(x)

I

lube@)

I

0

4 : = n 1

= n 2 ~ f a l L ~ e ~ q h l +

where x E Vand 1 E L.

-4

⁼

4

+false and

04

=true U

4.

to the given event in which x.4 is evaluated.

4 2

lo4

IO4

I4P42

I4lU42IX.4

Additional operators are defined as usual. For example, In

x.4,

the variable x is bound by the freeze quantifier x.

For example, consider an HDTL formula as follows:

f i : x.(lubel(x) = m s g , )

A trace a satisfies this assertion if the first event 00 is of the form (so, y o , lo), and lo = m s g l . The variable x is bound to the current event, and referred in the remaining formula.

We can extend this formula by adding a temporal operator:

f2

: Vx.(labeZ(x) = m s g , )

Then,fi is the formula asserting that the formulafl should hold in the future, i.e. it requires that the trace should include an event ai = (si, T i , l J , such that li = m s g l .

The meanings of the other operators are as usual.

Appendix A provides the formal semantics definition of HDTL.

Note that the meaning of a freeze quantifier is defincd in terms of a trace only. Thus, when a formula is closed, i.e.

all occurrences of variables are within the scopes of corresponding freeze quantifiers, its truth value is comple- tely determined by a trace.

4 Dynamic analysis

In Section 2.1, we briefly introduced the tableau method for propositional temporal logic. The automatic validation procedure suggested here is a revised version of the tableau method [9]. The most notable difference between our method and the original one is that the tableau is incrementally constructed during the analysis. The tableau for a propositional temporal logic formula is statically generated using splitting rules [9]. However, tableaux for HDTL formulas cannot be defined solely by the formulas, because a trace is required to resolve freeze quantifiers. To overcome this problcm, we decided to adopt a dynamic strategy, i.e. constructing the tableau incrementally.

Table 1 shows the splitting rules we use for HDTL. We interpret a set of formulas ({

. . .

}) as a conjunction of them, and a list of sets (({ . . . }, . . . , { . . . })) as a disjunction of conjunctions. For example, the rule [ r U] says that a formula of the form O f is satisfied at current state iff is satisfied now, and O f is satisfied at the next instant (i.e.

OOJ'evaluates true at current state). The subject of the rules is the pair of a formula f and a set of bindings,f&,

IEE Proc -SoJtw, Vol. 148. No. 4, Augirst 2001

Table 1: Splitting rules for tableau construction

called an environment. The role of environments is to keep the bindings for the variables in a formula. It should be noted that only thc rule [rfrz] for freeze quantifiers changes the environment: it requires an event C T ~ to discharge a quantifier because the binding to the variable depends on the value of the current event. This motivates us to design a deferred representation, called a flow tree.

Formally, a flow tree G with respect to an HDTL formula q is a labelled tree with the following components:

0 Locations: An infinite set

C

of locations.

0 Transitions: An infinite set 7 of transitions.

0 Labelling function: A function M that maps each location and transition to the set of pairs of a formula and an environment. M ^:(C U 7 ) + 2(c'('p) ^E7i")

0 Flow relation: A relation 3 representing the edges of the flow tree. 3

c

(C ^x7 ) U (7 x C)

0 Initial locations: A set Z of initial locations. Z

C

C Final locations: A set A of accepting locations. A

5

C where Env is the set of all possible binding environments for the variables, and d ( q ) is the set of all subformulas of 4" and their negations. Subformulas of q are inductively obtained through its syntactic structure. For a location I E L , let Out(l) and h ( l ) denote the set of outgoing and incoming transitions, respectively. We say that for 1 E

C,

( t ,

P)

is a branch of 1 when t E Out(Z) and 3 ( t , 1').

It is worth noting that locations and transitions in G correspond to nodes and edges, respectively, in the PTL tableau explained in Section 2.1. Similarly, a flow tree is constructed by applying the splitting rules in Table 1.

For all t E 7 , formulas of M ( t ) havc no temporal operators, i.e. they represent present conditions. For 1 E

C,

M ( I ) denotes a set of

(,h

E } pairs that are expected to hold in all desccndants of 1. This expectation can be checked inductively: M ( I ) holds over (ao, al,. . . , a,) when there is at least one branch ( t , 1') of I such that M ( t ) is evaluated true with uo, and when M(1') holds over

( 0 1 , . . ., a,).

We proceed to define this notion formally. Let 1 and I' be locations of G, t a transition of G, and e an event in E. We say that e enables t if for each pair

(,h, Ei)

E M ( t ) ,

( e ) l=&,J evaluates true. And we say that ( I , e, t,

P)

is a move of G, and write l(Z$ 1'. A move

1's'

1' is said to be legal iff t E Out(1) n h ( 1 ' ) and e enables t.

Suppose C T = (oO, C T , ,. . . , E E " is a trace with length n. Then ^CThas a run of G, a sequence of locations , 1,) with length n

+

1, when there is a transition

ti such that 1 (?$) l i t is legal for 0 5 i 5 n. We say that the flow trec G accepts the trace a iff there is a run ( l o , 1 1 , . . . , 1,) of G on a such that lo ^E

Z

and 1, E A. An HDTL fomiula

4

is consistent with respect to a trace a iff there exists a flow tree G which accepts CT.

Now we develop a validation technique using the defined flow tree. As opposed to the usual tableau method, we construct a flow tree dynamically, since its size may be

137

(4)

infinite. The main idea behind the deferred representation of flow trees is that it is enough to keep the leaf locations only: when an event, say oi, is given, it is possible to determine whether or not each branch of the current leaf locations is legal with respect to gi. At this point, we expand all branches of the current leaf locations and prune back illegal branches. Note that previous locations and transitions are unnecessary for determining the acceptance of the remaining trace. Thus, we can safely remove them and only maintain thc new leaf locations.

Let Bi be a set of leaf locations for processing the event cri. Then B i = { b i , l , bi,2,. . . hi,m} where M(b,,,)=

( ( . f i , E l ) , ( J z , .E2)$. . . } represents the label of each leaf location. The meaning of bj,j is characterised by the conjunction of its elements. Analogously, the meaning of Bj is characterised by the disjunction of meanings of its elements.

We design a function monitor that implements the deferred representation explained above (Fig. 1 ) . We use some functions, informally defined as

0 apply-rules: applies the splitting rules in Table 1.

0 atomic-parts: extracts the atomic formulas, i.e. ones whose truth value is determined by the current event.

0 next-parts: extracts the next formulas, i.e. ones with outermost next temporal operators (0, 0).

remove-next: removes thc outermost next operators.

0 evaluate: evaluates an atomic formula using an event.

The input of monitor is the pair of an event oi and Bi constructed with current leaf locations. When oi and Bi are given, monitor generates all branches of B using the rules in Table 1, prunes back illegal branches with respect to crir and outputs the new set of leaf locations Bj+

Then the consistency of the HDTL specification with respect to the trace monitored so far is defined in terms of Bi-, ^Iand the set A as follows:

I . B j + = @. This means that the current event ^{m i}enables no transitions, and thus thc failure of validation. The analysis tool reports the occurrence of the inconsistency between the specification and the execution trace.

2. Biil

n

A

# 0.

This means that there exist the accepting locations in Bi+

,

^.We can conclude that the trace so far conforms to the specification.

3. n A =

0.

This means that the remaining trace should include some events to satisfy the specification, Thus, in the current position, the trace does not conform to the specification,

This classification is related to the characteristics of the formulas we analyse. We can identify two disjoint classes of properties: safety and liveness [12]. Informally, a safety property claims that ‘something bad’ does not happen, and

function monitor(o: event, B : location) begin

reduced : = 0;

forall b, t B begin

end;

forall disjunct E reduced begin a : = atomic-part(disjunctj;

n := next-pafl(disjunctj;

if evaluate(a, a) then B’ := 8’ U remove-next(n);

8’ := 0 ;

reduced := reduced U apply-rules(b,, a)

end;

return 8’

end

Fig. 1 Dynamic analysis algoiithm 138

a liveness property claims that ‘something good’ eventually happens. The formal definitions of the classes of property can be described as follows [ 121.

0

4

is a safety formula iff any sequence CJ violating (i, contains a finite prefix cr[O..k], all of whose infinite exten- sions violate

4.

0

4

is a liveness formula iff any arbitrary finite sequence so, . . , , sk can be extended to an infinite sequence satisfying

4.

This shows that liveness properties are not so useful for dynamic analyses. We observe up-to-now execution of a system and determine whether the execution conforms to the specification, We cannot determine whether a finite execution trace i s consistent with a liveness property. Thus, it might be more reasonable to restrict the specifications to the safety formulas. However, given a temporal logic formula, it is hard to tell which class it belongs to [13].

Now, we can explain the relationship between the formula and the cases above. Case I represents the viola- tion of a safety formula. Case 2 represents conformance to a safety or liveness formula. Case 3 represents the fact that we need to monitor more events to assure the conformance to a liveness formula.

Let us give the concrete visualisation of the flow tree with an example.

fb

= Ox.(label(x) = m s g l +

Oy.(labelQ = m s g , A rcv(x) = s n d b ) ) ) (1) The above formula states that whenever a component sends a message m s g l to another component, the message m s g 2 should be returned eventually from the receiver of msg, . The flow tree of level 1 is initially generated as shown in Fig. 2. Locations are shown as ellipses and transitions are denoted by rectangles. Double ellipses designatc the final locations.

Then the function monitor reads the value of the first event o0 from the environment. It determines the leaf nodes that can be pruned out. If the label of the first event no is msg, (i.e. /abel(mo)=msg,), then only the condition assigned in the transition 7’3 is evaluated true. The locations L1 and L2 are pruned off, and the analysis proceeds with the location L3, whose result is shown in Fig. 3.

Then, again, the second event g1 is used to expand the flow trec. Ifthe label of U , i s also m s g l , the tree is pruned

LO := L1 := L2 := {(fo,

er)}

L3 := {VO, 0), ( f p I x H a o } H

:= {(fo, 0), (Oy.(/abe/Q = msg2 A rcv(x) = snd(y)), {x H oo})}

71 : = {(/abe/(x) # msgl, {xi+ oo})}

T2 : = {(/abe/(x) = msg2 A rcv(x) = snd(x), {x H oo})}

T3 : = {(true, 0 ) }

Fig. 2 Flow tree of level I /or formula I

IEE Proc.-Sofiw., Vol. 148, No. 4, August 2001

(5)

L9 := {(fo, 0),

(Oy.(/abe/(y) = msg2 A ~ C V ( X ) = sndQ, { ~ H o , } ) , (Oy.(/abe/(v) = msg2 A rcv(x) = snd(y), { x cf oo}))

Fig. 3 Flow tree of level 2 forformula 1

back as in Fig. 3. We can see at L9 that, to satisfy the specification, there should be two more distinct events whose labels are the same (msg2), but whose senders are different.

In this way, the analysis proceeds with the evolution of the flow tree. We emphasise again that the whole nodes of the trees need not to be stored during the analysis. Only the set of leaf nodes are kept during the analysis.

5 Example

As an example, we apply the proposed technique to the analysis of a conference modcl originally suggested in [14]. The system consists of five kinds of objects, representing the conference chair, the conference, thc sessions, the session chairs, and the participants. The typical scenar- ios of the system can be listed as follows:

0 A conference chair manages the global procedure of the conference events, for example, the opening and closing of the conference.

A participant registers for a conference, and joins one of the currently progressing sessions. After the session is over, all of the participants will leave it.

A session chair initiates a session, and thcn allows the speakers to make their presentations in order. After each presentation is over, the chair allows the participants to discuss the presentation. When the chair observes the end of the discussion, it initiates the next presentation or finishes the session.

(creation)

J I

1

^idle

7

?conference.kick-off

registered ---+ (removal)

I -A

?session.

end-session

1 , 1 !session.join-session

1

session

U

Fig. 4

IEE Pmc.-Sojhv., Vol. 143, No. 4. August 2001 Stale diagram ,for confiwnce participant

In the initial setting, the system consists of only one conference chair object. It initiates a conference object, and the conference object initiates the session chair objects. They then initiate the session objects. New participant objects are dynamically created and register for the conference during the system runs.

Wc made the model ofthe system using the synchronous communication model like CSP [3]. Using our notation, the state diagram for a participant can be depicted as Fig. 4.

The commands of the form !object.messuge denote the outputs, and the ones of the form Yobjectmessuge mean the inputs. The first parameter object represents the type of the communicating partner, and the second parameter message represents the type of message transmitted [Note 21. Actual code is written in LISP.

When executed, the program generates a trace of the messages transmitted among the objects. Because of the concurrency of the model, the system exhibits nondeter- minism. Then the trace is input to our analysis tool, and it checks whether the trace is consistent with an HDTL specification.

Some of the properties that can be specified in HDTL and analysed by our tool include:

End of conference

- No more sessions are opened after the closing announce of the conference

- O(x.(/uhel(x)=end-conference)+ -Oy.(lubel ( y ) = o p e n - s e s s ion))

0 Limit o f joining

~ A participant may not participate in multiple sessions simultaneously.

- Clx.(/abe/(x) = j o i n - session + O(-y.(lnhel(y) = join-session n s n d ( y )

= snd(x))

= rcv(x))>)

Uz.(label(z) = close- session A rcv(z)

Note 2: This is a generalisation of CSP semantics because the name of thc partner needs not be explicitly specified. The commands correspond to the establishment of a rendezvous with any entities of the specified type.

I39

(6)

Discussion

-- Once a discussion begins, a new presentation cannot start until the discussion is over.

- D.(label(x) ⁼start-discussion -+

0

-y.(label(y) = start -presentation

A rcvo/) = snd(x))

Uz.(lahel(z) = end- discussion A snd(z)

= snd(x)))

Note that we cannot specify thesc properties with the traditional temporal logic. For example, the property limit of joining asserts that, once an event join-session happens, it cannot occur again until the event close- session happens. In traditional (propositional) linear temporal logic, they might be expressed as U( j oin -

s e s s i o n + O ( - . j o i n - s e s s i o n 1A close- s e s s ion).

However, in the case of dynamic systems, we should also take instance information into account. The require- ment prohibits the second occurring of join- session, only when the instance sending thc signal is the same one that has sent the signal join-session. HDTL, incor- porating variables and the freeze quantifier, makes the specification and the analysis of these properties possible.

As proved in several researches (e.g. [15]), preserving consistency during dynamic configuration is sometimes very difficult. Thus we have experienced many errors when designing the behaviour of this model. In doing so, the analysis technique we have suggested was very helpful to us.

6 Conclusion

Currently, most research about dynamic systems focus on the implementation or the behavioural specification. We believe that the property specification of dynamic systems is also important because it constitutes an inevitable part of the various analyses.

To tackle this problem, we propose HDTL to specify the general properties of dynamic systems. We adopted the freeze quantifier, originally introduced to represent and reason the real-time element, to deal with the specification of dynamic systems. We think this has resulted in a reasonable property specification language for dynamic systems.

For the analysis, we tuned the existing tableau method to handle the dynamic features of HDTL. We implemented a prototype tool for this method and conducted an experiment.

There are some issues that are worth further research.

We believe that there are possibilities of tuning up the analysis algorithm for efficiency. An aid to the process of writing down the specification will bc helpful. For that purpose, we are investigating how HDTL can be integrated with sequence diagrams in UML.

Because it is generally impossible to gather every traces of a system, the analysis cannot guarantee the correctness of the system. Therefore, another important challenge is to construct the deductive framework integrating HDTL and

other operational languages, which will enable the proof of correctness. Various formal modelling languages for dynamic systems lack the verification methodology.

Research into agent systems and mobile systems may benefit from this study.

7

1 2 3 4 5 6

7 8 9

References

HAREL, D.: ‘On visual formalism’, Comm. ACM, 1988, pp. 514-530 PETERSON, J.: ‘Petri-net theoiy and the modeling of systems’ (Prentice HOARE, C A R . : ‘Comniunicating sequential processes’ (Prenticc Hall, 1985)

HOLZMANN. G.: ‘The model checker SPIN’. IEEE Trans. Sufht Enp..

Hall, 1981)

., ^Y^_ 1997, 23, (9, pp. 279-295

McMILLAN, K.L.: ‘Symbolic modcl chccking’ (Kluwcr Academic Publishers, 1993)

EMERSON, E.A.: ‘Temporal and model logic’ in VAN LEHUWEN, .I.

(Ed.): ‘Handbook of theoretical computer science’ (Elsevier Science Publishers, 1990), Chap. 16

LUCKHAM, D.C., and VERA, J.: ‘An event-based architecture definition lanmaee’. IEEE Trans. Sofm. Enc.. 1995. 21. (9). nn. 717-734 ALUR,k.,&d HENZINGER,’T.A.: ‘i’really ‘temporalLl&c’, J: ACM,

1994,41, pp. 181-204

DILLON, L.K., and RAMAKRISHNA, Y.S.: ’Generating oracles from your favorite temporal logic specifications’. 4th ACM SIGSOFT Symp.

Foundations of Software Engineering. October 1996, San Francisco, USA, pp. 106 ,117

I O PNUELI, A.: ‘The temporal logic of programs’. 1 Xth [EEE Symposium on Foundation of Computer Science, 1977

1 I HAREL, D., and KUPFERMAN, 0.: ‘On the inheritance of state-based object-behavior’. TR. MCS99-12, Faculty of Mathematics and Compu- ter Science, The Weizmann Institute of Scicnce, June 1999

12 MANNA, Z., and PNUELI, A.: ‘The temporal logic of reactive and concurrent systems~~Specification’ (Springer-Verlag, 1992) 13 SISTLA, A.P.: ‘Safety, liveness and fairness in temporal logic’, Form.

Asp. Conipuf., 1994, 6, pp. 495-511

14 LEE, J.S., MIN, S.Y., and BAE. D.H.: ‘Aspect-oriented design (AOD) technique for developing distributed object-oriented systems over the intemet’. 5th lntemational Computer Science Confercnce, 1999 15 KRAMER, J., and MAGEE, J.: ‘The evolving philosophers problem:

dynamic change management’, IEEE Fans. S q f i Eng., 1990.16, (1 I), pp. 1293-1306

8 Appendix: Semantic definition of HDTL Let 0 be a trace and E: V-+ E an environment for variables.

The pair (0, E ) satisfies the HDTL formula q’~ if and only if o

I=

E

4,

where the satisfaction relation

I=

is inductively defined as follows:

0 0

kE

⁷⁷¹⁼⁷⁷²

8

&(771) = E(772)

0

kE

^{4 1}⁺^{4 2}

iff

⁰F E *1 -+ 0

kE

^{4 2}

V t = E 0 * 8 “ 101 > I + + & * 0kEOd)iff ICTI > t A O ’ F E * 0 F E * I W 2

iff

0 CT

F E

false

- oi ch2 for some i 2 0, and CTJ

FE 4 ,

for all j , s.t., O s j < i

0 t=E * I W 2

47

- rrj

FE 4 ,

for all j

>

0, or

- CT‘ i$2 for ,some i 2 0, and wi

FE 4,

f o r all j , ^xt., O i j i i

rJ

kE

x.*

8.

⁰!=E[x:=oo]

4

where ECf(x)) =f(E(x)), € ( I ) = I and E[x := g i ] denotes the environment that maps x to CT; and the others to the same values as E.

140 IEE Proc.-Sojhv.. Vol. 148, Nu. 4, August 2001