Incremental Verification of Timing Constraints for Real-Time Systems

Ştefan ANDREI (1), Wei-Ngan CHIN (1), and Martin RINARD (2)
(1) National University of Singapore, (2) Massachusetts Institute of Technology
Singapore-MIT Alliance, E4-04-10, 4 Engineering Drive 3, Singapore 117576

Abstract—Timing constraints for real-time systems are usually verified through the satisfiability of propositional formulae. In this paper, we propose an alternative in which the verification of timing constraints is done by counting the number of satisfying truth assignments instead of deciding boolean satisfiability. This number also tells us how "far away" a given specification is from satisfying its safety assertion. Furthermore, specifications and safety assertions are often modified incrementally, with problematic bugs fixed one at a time. To support this style of development, we propose an incremental algorithm for counting satisfiability. The proposed incremental algorithm is optimal in the sense that no unnecessary nodes are created during each counting. It works for the class of path RTL ([1], [5]). To illustrate the application, we show how incremental satisfiability counting can be applied to the well-known railroad crossing example, particularly while its specification is still being refined.

Index Terms—Real-time infrastructure and development, timing constraint, #SAT problem, incremental computation

I. INTRODUCTION

Real-time systems can be defined either by a structural specification (how the components work) or by a behavioral specification (the response of each component to an internal or external event). A behavioral specification often suffices for verifying the timing properties of the system. Given the behavioral specification of a system (denoted by SP) and a safety assertion (denoted by SA) to be analysed, the goal is to relate the safety assertion to the system specification [1]. If SA is a theorem derivable from SP, then the system is safe.
If SA is unsatisfiable, then the system is inherently unsafe. If ¬SA is satisfiable under certain conditions, additional constraints may be added to ensure safety. Our work targets this last scenario: we introduce an incremental approach that obtains a modified safety assertion as a theorem, as outlined in Algorithm A below.

Algorithm A
Input: SP, SA such that ¬SA is satisfiable;
Output: SP_new, SA_new such that the system is safe;
Method:
1. k = 1; SP_1 = SP; SA_1 = SA;
2. while (SP_k → SA_k is not a tautology) {
3.   let SP_new and SA_new be new constraints;
4.   SP_{k+1} = SP_k combined with SP_new;
5.   SA_{k+1} = SA_k combined with SA_new;
6.   k = k + 1; }
7. SP_new = SP_k; SA_new = SA_k;

The satisfiability of the formula SP_{k+1} → SA_{k+1} can be expressed incrementally in terms of the satisfiability of SP_k → SA_k. The total cost of the new method is lower because satisfiability is computed only for the newly added or removed clauses, according to the operator that combines them with the old formula, rather than for the entire new formula. Our method requires the real-time system to be debugged at step 3; we correlate this with the incremental computation of the satisfiability of SP_k → SA_k.

(Footnote) This paper is an updated and corrected version of the paper Incremental Satisfiability Counting for Real-Time Systems, IEEE Real-Time and Embedded Technology and Applications Symposium, 25-28 May 2004. Ştefan ANDREI is with Singapore-MIT Alliance, National University of Singapore, CS Programme, Singapore 117543; e-mail: andrei@comp.nus.edu.sg. Wei-Ngan CHIN is with National University of Singapore, School of Computing, Department of Computer Science, Singapore 117543; e-mail: chinwn@comp.nus.edu.sg. Martin RINARD is with MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA 02139; e-mail: rinard@lcs.mit.edu.
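As an added illustration (example code, not code from the paper), the loop of Algorithm A driven by a satisfiability counter on a constructed, purely propositional toy of the railroad crossing. The counted quantity is the number of assignments satisfying SP_k and falsifying SA_k, which is zero exactly when SP_k → SA_k is a tautology and otherwise measures how far the specification is from safety. The variables, constraints and refinement steps are assumptions made for this example; the counter is an exhaustive 2^n enumeration, not the paper's node-based incremental algorithm. The one incremental step it keeps is the observation that conjoining a constraint to SP can only remove counterexamples, so they are filtered rather than recounted, while strengthening SA can add counterexamples, which must be enumerated.

```python
"""Added example: Algorithm A on a constructed propositional toy, with brute-force
satisfiability counting (NOT the paper's incremental counting algorithm)."""
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Assignment = Dict[str, bool]
Formula = Callable[[Assignment], bool]       # a formula is a predicate on assignments


def models(variables: List[str], *formulas: Formula) -> FrozenSet[Tuple[bool, ...]]:
    """All assignments (tuples in `variables` order) satisfying every formula."""
    out = set()
    for values in product((False, True), repeat=len(variables)):
        m = dict(zip(variables, values))
        if all(f(m) for f in formulas):
            out.add(values)
    return frozenset(out)


class RefinementLoop:
    """State of Algorithm A: SP_k, SA_k and the counterexamples of SP_k and not SA_k."""

    def __init__(self, variables: List[str], sp: List[Formula], sa: List[Formula]):
        self.variables = list(variables)
        self.sp = list(sp)                        # SP_k as a conjunction of constraints
        self.sa = list(sa)                        # SA_k as a conjunction of assertions
        not_sa = lambda m: not all(f(m) for f in self.sa)
        self.counterexamples = models(self.variables, *self.sp, not_sa)
        self.history = [self.distance()]          # distance from safety after each step

    def distance(self) -> int:
        """#models(SP_k and not SA_k): 0 means SP_k -> SA_k is a tautology."""
        return len(self.counterexamples)

    def is_safe(self) -> bool:
        return self.distance() == 0

    def refine(self, sp_new: Optional[Formula] = None,
               sa_new: Optional[Formula] = None) -> int:
        """One iteration of steps 3-6: combine new constraints by conjunction."""
        if sp_new is not None:
            self.sp.append(sp_new)
            # models(F and C) is a subset of models(F): filter instead of recounting
            self.counterexamples = frozenset(
                v for v in self.counterexamples
                if sp_new(dict(zip(self.variables, v))))
        if sa_new is not None:
            self.sa.append(sa_new)
            # not(SA and SA_new) = not SA or not SA_new: old counterexamples survive,
            # and those of SP_{k+1} and not SA_new are added (these need enumeration)
            self.counterexamples |= models(
                self.variables, *self.sp, lambda m: not sa_new(m))
        self.history.append(self.distance())
        return self.distance()


def implies(p: str, q: str) -> Formula:
    return lambda m: (not m[p]) or m[q]


def run_railroad_example() -> List[int]:
    """Constructed toy (assumed, not the paper's specification): returns the
    distance from safety after the initial count and after each refinement."""
    variables = ["approaching", "in_crossing", "gate_down"]
    loop = RefinementLoop(
        variables,
        sp=[implies("approaching", "gate_down")],   # SP_1: gate closes when a train approaches
        sa=[implies("in_crossing", "gate_down")],   # SA_1: a train in the crossing sees a closed gate
    )
    # k=1: one counterexample, a train in the crossing that was never seen approaching
    loop.refine(sp_new=implies("in_crossing", "approaching"))   # a train must approach first
    # SP_2 -> SA_2 is now a tautology; strengthening SA reopens a counterexample
    loop.refine(sa_new=implies("gate_down", "approaching"))     # gate closed only for a train
    loop.refine(sp_new=implies("gate_down", "approaching"))     # matching SP constraint closes it
    return loop.history
```

Running `run_railroad_example()` on the toy gives the distance sequence 1, 0, 1, 0: the loop of Algorithm A terminates as soon as the count reaches zero, and the non-zero values show why strengthening the safety assertion at step 5 can require a further round of debugging at step 3.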
Our approach does not require re-compiling the whole system, since the new constraints can be incorporated by re-using most of the older formula. In general, automatic debugging is hard. As a step in this direction, we provide a systematic way of debugging with the help of incremental satisfiability counting, and illustrate it on the well-known railroad crossing example, used in [2], [3], as a case study.

Real-time logic (RTL), a first-order logic with restricted features, was introduced in [4] to capture the timing requirements of real-time systems. Proving a safety assertion from its specification is in general undecidable for the full set of RTL formulas, which are based on Presburger arithmetic. The correctness of a real-time system can instead be established by computing the satisfiability of an associated propositional formula. We consider the class of RTL formulas introduced in [1], with the following restrictions: a) each arithmetic inequality may involve only two terms and an integer constant, where a term is either a variable or a function, and b) no arithmetic expression may contain a function that takes an instance of itself as an argument. This subclass of RTL formulas (also called path RTL, [5]) admits an efficient constraint-graph technique from integer programming [1]. Despite these restrictions, this constraint-graph technique (also called refutation by positive cycles) is still undecidable [5]. Moreover, [5] proves that refutation by positive cycles is incomplete for path RTL: even if the constraint graph attached to the formula has no positive cycle, the formula may still be unsatisfiable.
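An added example of refutation by positive cycles (example code, not from the paper or [1]): a constraint graph for a conjunction of two-term inequalities of the form x ≥ y + c with integer c, the shape allowed by restriction a), checked with the standard Bellman-Ford relaxation. Each constraint becomes an edge y → x of weight c; a cycle whose weights sum to a positive value forces x ≥ x + (something positive), refuting the conjunction. To show that SA follows from SP, the negation of SA is added as one more constraint and SP ∧ ¬SA is refuted. The event names and constants are constructed for this example. For a plain conjunction of such constraints, absence of a positive cycle does imply satisfiability (a standard result for difference constraints); the incompleteness result quoted above concerns path RTL formulas in general, which this toy does not cover.

```python
"""Added example: positive-cycle refutation on a constraint graph built from
two-term integer inequalities (standard difference-constraint reasoning)."""
from typing import List, Optional, Tuple

Constraint = Tuple[str, str, int]     # (x, y, c) read as  x >= y + c


def find_positive_cycle(constraints: List[Constraint]) -> Optional[List[str]]:
    """Return the nodes of a positive-weight cycle in edge order, or None.

    Longest-path Bellman-Ford from a virtual source that reaches every node at
    distance 0; an edge that still relaxes in round n witnesses a positive cycle."""
    nodes = sorted({x for x, _, _ in constraints} | {y for _, y, _ in constraints})
    edges = [(y, x, c) for x, y, c in constraints]     # x >= y + c  :  y --c--> x
    dist = {v: 0 for v in nodes}
    pred = {v: None for v in nodes}
    last = None
    for _ in range(len(nodes)):
        last = None
        for u, v, w in edges:
            if dist[u] + w > dist[v]:
                dist[v] = dist[u] + w
                pred[v] = u
                last = v
        if last is None:
            return None           # fixpoint reached: no positive cycle
    # Walking n predecessor links from a node relaxed in round n lands on the cycle.
    v = last
    for _ in range(len(nodes)):
        v = pred[v]
    cycle = [v]
    u = pred[v]
    while u != v:
        cycle.append(u)
        u = pred[u]
    cycle.reverse()               # predecessor links run backwards along the edges
    return cycle


def cycle_weight(constraints: List[Constraint], cycle: List[str]) -> int:
    """Sum of the constants around the cycle (assumes one constraint per ordered pair);
    a positive sum is the contradiction x >= x + sum."""
    weight = {(y, x): c for x, y, c in constraints}
    return sum(weight[(cycle[i], cycle[(i + 1) % len(cycle)])] for i in range(len(cycle)))


def sa_holds(sp: List[Constraint], not_sa: List[Constraint]) -> bool:
    """SA is a theorem of SP when SP and not SA is refuted by a positive cycle."""
    return find_positive_cycle(sp + not_sa) is not None


# Constructed toy specification (assumed for this example).
SP_TOY: List[Constraint] = [
    ("enter", "approach", 10),       # train reaches the crossing no earlier than 10 after the sensor
    ("approach", "gate_down", -5),   # i.e. gate_down <= approach + 5: the gate is closed within 5
]
# Negated safety assertion: the gate closes strictly after the train has entered.
NOT_SA_TOY: List[Constraint] = [("gate_down", "enter", 1)]
```

On the toy, `find_positive_cycle(SP_TOY)` returns `None` (the specification alone is satisfiable), while `SP_TOY + NOT_SA_TOY` yields the cycle gate_down → approach → enter → gate_down with weight -5 + 10 + 1 = 6, i.e. gate_down ≥ gate_down + 6, so the safety assertion holds. When the specification is later refined, only the edges touched by the new constraints need re-examination, which is the observation the incremental approach builds on.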