Efficient Model Checking for Duration Calculus Based on Branching-Time Approximations∗
Martin Fränzle
Department of Computing Science
Carl von Ossietzky Universität Oldenburg
D-26111 Oldenburg, Germany
fraenzle@informatik.uni-oldenburg.de
Michael R. Hansen
DTU Informatics
Technical University of Denmark
DK-2800 Lyngby, Denmark
mrh@imm.dtu.dk
Abstract
Duration Calculus (abbreviated to DC) is an interval-based, metric-time temporal logic designed for reasoning about embedded real-time systems at a high level of abstraction. But the complexity of model checking any decidable fragment featuring both negation and chop, DC’s only modality, is non-elementary and thus impractical.

We here investigate a similar approximation as frequently employed in model checking situation-based temporal logics, where linear-time problems are safely approximated by branching-time counterparts amenable to more efficient model-checking algorithms. Mimicking the role that a situation has in (A)CTL as origin of a set of linear traces, we define a branching-time counterpart to interval-based temporal logics building on situation pairs spanning sets of intervals. While this branching-time interval semantics yields the desired reduction in complexity of the model-checking problem, from non-elementary to linear in the size of the formula and cubic in the size of the model, the approximation is too coarse to be practical. We therefore refine the semantics by an occurrence count for crucial states (e.g., cuts of loops) in the model, arriving at a 4-fold exponential model-checking problem sufficiently accurately approximating the original one.
1. Introduction
Duration Calculus (DC), as introduced by Zhou, Hoare, and Ravn [19] and thoroughly analyzed in [8, 9], is a metric-time temporal logic designed for reasoning about embedded real-time systems at a high level of abstraction, which primarily is achieved by basing the semantics on intervals rather than just temporal snapshots. While the resulting abstractness is desirable for specification and analysis, it is a burden for automatic verification support. Checking dense-time models against DC requires certain properties of the model, like the number of state changes being finitely bounded over finite intervals [5], unless the use of temporal operators or negation is seriously restricted [21, 3, 12, 6]. Otherwise, the model property turns out to be undecidable [8, 5].

∗ This work has been supported by SFB/TR 14 AVACS (German Research Council), Velux Fonden, ARTIST2 (IST-004527), MoDES (Danish Research Council 2106-05-0022) and DaNES (the Danish National Advanced Technology Foundation).
Discrete-time DC, i.e. DC interpreted over the natural numbers instead of R≥0, has more favorable decidability properties, e.g. [20, 7], and there have been various attempts to build automatic verification support for discrete-time DC, e.g. [17, 18, 15]. But none of these systems has come to be routinely used for checking non-trivial formulae due to the extreme, non-elementary, complexity of deciding or model-checking DC formulas [8, 5, 2]. In [16] there is an interesting approach where QDDC, a discrete-time version of DC, is incorporated in CTL*. The result is a powerful logic capable of expressing liveness and branching properties as well as interval properties of the past. But model-checking remains non-elementary due to the DC fragment being interpreted over linear traces.
In situation-based temporal logics, an approach towards enhancing model-checking techniques is to exploit the linear time vs. branching time dichotomy: While requirements are most naturally expressed in linear-time idioms, the actual verification is performed using safe branching-time approximations. Such an approach yields reliable certificates while being considerably more efficient — linear-time rather than PSPACE in the size of the formula.
We shall investigate similar approximations for interval-based logics. Mimicking the role a situation has in (A)CTL as origin of a set of linear traces, we define a branching-time counterpart to interval-based logics building on situation pairs spanning sets of intervals. This branching-time interval semantics yields the desired reduction in complex-
2008 Sixth IEEE International Conference on Software Engineering and Formal Methods
978-0-7695-3437-4/08 $25.00 © 2008 IEEE
DOI 10.1109/SEFM.2008.26