Synthesizing Distinguishing Formulae for Real Time Systems
advertisement
Synthesizing Distinguishing Formulae for
Real Time Systems {Extended Abstract ?
Jens Chr. Godskesen1 and Kim G. Larsen2
1
2
Tele Danmark Research, Lyngs Alle 2, DK-2970 Hrsholm, Denmark.
BRICS, Aalborg Univ., Fr. Bajers Vej 7, DK-9220 Aalborg, Denmark.
1 Introduction
Research in the area of process algebras has created interest in behavioural relations as a tool for verifying correctness of processes [14, 12, 2]. In this approach,
specications as well as implementations are formalized as process algebraic expressions, and verication consists of establishing a suitable behavioural relationship between an implementation and its specication. A number of equivalences
has been proposed and several tools support verication for nite-state systems
based on such equivalences (e.g. [13, 6, 9]). However, for a tool to be of real
assistance it is crucial that diagnostic information is oered in case of erroneous
design. For a variety of bisimulation equivalences [14] the theoretical basis for
generation of such diagnostic information is given in terms of a logical characterization of the equivalence: two systems are equivalent exactly when they satisfy
the same formulae in a particular modal logic [11]. Thus when two systems are
found to be inequivalent, one may explain why by a formula satised by one but
not the other. Algorithms for generating distinguishing formulae for nite-state
systems has been described in [5, 3] and implemented in at least two tools [9, 6].
During the last few years a number of real-time process algebras has been introduced [7, 16, 1]. Due to the use of the non-negative reals as time domain, even the
simplest processes describe innite state systems. Thus, decidability of bisimilarity cannot be achieved using the standard techniques for nite-state systems.
However, decidability of bisimulation equivalence between networks of timed
regular processes has recently been established [15]. The underlying algorithmic
techniques has later been implemented in the verication tool Epsilon [4]. Our
goal in this paper is to describe the method used in Epsilon for generating diagnostic information for the bisimulation equivalence. The method may be seen
as an extension of the algorithm in [15] to which information of time-quantities
has been added sucient for generating distinguishing formulae. The full version
of this paper can be found in [8].
2 Timed Processes
Our language for timed processes is based on the real{time calculus TCCS [16].
In order to explain our algorithmic ideas most clearly we have made certain
?
This work has been supported by the Danish Basic Research Foundation project
BRICS and the ESPRIT Basic Research Action 7166, CONCUR2.
simplications in comparison to TCCS. However, the algorithmic ideas extend
to the full calculus of TCCS and moreover it generalizes easily to the modal
extension of TCCS, TMS, dened in [4] in which a variety of equivalences and
preorders is considered [10].
2.1 Syntax and Semantics Let A be a xed set of actions ranged over by
a; b; c; : : :. We denote by R>0 the set of positive reals ranged over by d. Similarly,
R0 denotes the set of non{negative reals ranged over by e. Nat denotes the set
of natural numbers (including 0), and nally, D denotes the set f(d) j d 2 R>0 g.
We use to range over elements of the set A [ D. Assume a nite set of process
variables V and for each process variable X a dening equation of the following
(normal) form:
n
X
=
def
X
( )
(1)
ei :ai :Xi
i=1
where ei 2 Nat and Xi 2 V . We denote by the set of recursive denitions.3
Intuitively, the denition of X in (1) describes a behaviour which after a
delay of d will \oer" to its environment all actions ai for which ei d; if
the environment \accepts" the oered action, X may evolve to the behaviour
determined by Xi . Formally, the behaviour of a regular process described by is given in terms of a transition system with transitions labelled
P by actions (A)
or delays (D). First, let for d 2 R>0 , X d denote the term ni=1 (ei ? d):ai :Xi
assuming that X is dened as in (1).4 Also, we let X 0 = X . Then the labelled
transition system hX; A [ D; ?!i is induced where X = fX e j X 2 V ; e 2 R0 g
and ?! X (A [ D) X is dened by the two axioms below assuming (1) is
the dening equation for X . We shall use P; Q; : : : to range over X.
e a
e (d)
e+d
X ?! Xi when ei e
X ?! X
i
Example 1. Consider 5 Z def
= (1):a:Zb + (1):b:Za + b:X ,
def
X = (1):a. The semantics yields:
Za
= a,
def
Zb
= b, and
def
b
?!
( ):a:Zb + ( ):b:Za + b:X ?! X ?! ( ):a
A network (over and V ) is a term of the form (X1 j : : : j Xn ) where Xi 2 V .
The set of n{ary networks
induces a labelled transition system
Nn = hNetn ; A[
D; ?!i, where Netn = (X1e j : : : j Xne ) j Xi 2 V ; ei 2 R0 and ?! Netn (A [ D) Netn is dened by the following axiom and inference rule:
d
(X e d j : : : j Xne d)
(X e j : : : j Xne ) ?!
a
e
0
Xi ?! Xi
a
e
e
e
(X j : : : j Xi j : : : j Xn ) ?! (X e j : : : j Xi0 j : : : j Xne )
Thus, in a network, the regular components synchronize on delay transitions
and interleave on action transitions. We shall use P; Q; : : : to range over Netn .
Z
1
(2
)
1
2
1
)
(2
1
2
n
1
1
n
1
1
2
( )
1
1+
n+
i
1
1
i
n
1
1
n
In (1) we restrict to integer delays. However, the semantic time domain is that of the
positive reals, thus derivatives of processes will not in general contain integral delay.
4 ? denotes monus on R0 . That is for e; f 2 R0 , e? f = maxfe ? f; 0g.
5
nil is the the empty sum. We use a:P for (0):a:P , and a for a:nil.
3
Example 2. Consider
yields:
X
= (1):a and
def
Y
= b. Applying the operational semantics
def
b
a
(( ):a j nil) ?! (a j nil) ?!
j ?!
(( ):a j b) ?!
(nil j nil)
X Y
(1
)
2
1
2
1
2
1
(2
)
2.2 Distinguishing Formulae As networks semantically constitute labelled
transition systems we may compare them with respect to a number of behavioural relations such as bisimilarity [14].
Denition 1. Let T = hS; A; ?!i be a labelled transition system. A simulation
a p0
S is a binary
relation on S such that whenever pS q and a 2 A then if p ?!
a
0
0
0
0
also q ?! q for some q with p S q . A binary relation B is a bisimulation if B
and B? are simulations. We say that p and q are bisimilar and write p q if
pBq for some bisimulation B.
1
6
Example 3. Consider the union of the equation systems from Examples 1 and 2. Then
the executions demonstrated in the two examples clearly prove that X j Y 6 Z .
The above example illustrates two non-bisimilar networks. Ideally, an automatic verication tool should not only report this fact but also provide explanations as to why there is a lack of bisimilarity. The well known Hennessy{Milner
Logic [11] provides the key to such explanations. The formulas of Hennessy{
Milner Logic, M, are given by the following abstract syntax:
F ::= tt j F ^ G j :F j hiF
We interpret Hennessy{Milner Logic relative to the labelled transition system
Nn . I.e. we dene a satisfaction relation j= between networks (Netn ) and formulae (M). For propositional constructs the denition is straightforward, and
for the modality, we dene:
P 0 ^ P 0 j= F
P j= hiF , 9P 0 :P ?!
Now let M(P ) be the set of properties satised by P . Then the following characterization result [11] shows that Hennessy{Milner Logic can be applied for
explanations:
Theorem 2. P Q if and only if M(P ) = M(Q).
Example 4. Consider X j Y and Z from Example 3. That X j Y 6 Z is \explained" by
the formula h( 12 )ihbih( 21 )ihaitt, which is satised by X j Y but not by Z .
6
B? = f(q; p) j (p; q) 2 Bg.
1
3 Symbolic Processes
It is obvious that the standard semantics of networks is innitary; thus decidability of bisimilarity between networks is beyond the standard techniques for
nite state systems. However, in [15] an algorithm for deciding bisimilarity for
networks was presented. In the following we shall give a simplied presentation
of the algorithm. Then in the next section we show how to extend the algorithm
in order that distinguishing formulae may be generated.
3.1 Symbolic States Given two networks (X1 j : : : j Xm) and (Y1 j : : : j Yn)
their bisimilarity will be reduced to deciding a suitable property of an induced
joint nite-state symbolic transition system, in which states represent sets of
pairs of networks.
A symbolic state (of arity (m; n)) is a nite list = [(M1 ; N1); : : : ; (Mk ; Nk )]
where Mi and Ni are multisets of fX l j X 2 V ; l 2 Natg with j ]i Mi j = m and
j ]i Ni j = n, and with Mi ] Ni 6= ; for i > 1. is said to be interior in case
M1 ] N1 = ; and boundary otherwise. represents a whole family of pairs of
networks. More precisely, all pairs of the form:
((M1v j : : : j Mkv ) ; (N1v j : : : j Nkv ))
(2)
where 0 = v1 < v2 < < vk < 1, and for a multiset M = fX1; : : : Xj g, M e =
(X1e j : : : j Xje ). Now, call v = (v1 ; : : : ; vk ) 2 Rk0 well-ordered and fractional (W )
if 0 = v1 < v2 < < vk < 1. Then for = [(M1 ; N1); : : : ; (Mk ; Nk )] a symbolic
state and v = (v1 ; : : : ; vk ) 2 W , (v ) = (1 (v ); 2 (v)) denotes the pair in (2).
Thus, the set of pairs represented by is kk = f(v ) j v 2 W g.
1
k
1
k
Example 5. Consider once more the union of the equation systems from Examples 1 and
2. The symbolic state [(fX; Y g; fZ g)] represents the single pair (X jY; Z ). The symbolic
state [(;; ;); (fX; Y g; fZ g)] represents all pairs of the form ((1 ? d):ajb; (1 ? d):a:Zb +
(1 ? d):b:Za + b:X ), where 0 < d < 1.
We let SSm;n denote the set of symbolic states (of arity (m; n)). It may be
concluded that the set of symbolic states SSm;n is nite.
3.2 Symbolic Semantics In order to determine which symbolic states represent bisimilar pairs we provide a symbolic semantics for SSm;n . Thus, let
= [(M1 ; N1 ); : : : ; (Mk ; Nk )] be a symbolic state (of arity (m; n)), then the
symbolic action transitions 7?!1 , 7?!2 and the symbolic delay transition 7?w!
are dened by the rules in Table 1 where hh: : :ii denotes the list resulting from
a
a
removing all pairs (;; ;) from the original list; we denote by ,!
1 and ,!2 the
two transition relations which are dened using the rules for 7?a!1 and 7?a!2 except that pairs of empty sets are not removed in the resulting \symbolic" state;
nally, for M a multiset and d 2 R>0 , M ?d = fX n+d j X n 2 M g.
Example 6. Recall Examples 1 and 2. Figure 1 illustrates (part of) the symbolic transition system for the initial symbolic state induced by the pair (X j Y; Z ). Symbolic
states are indicated by boxes with symbolic state tuples occurring just below their associated box. For additional information we have indicated inside the boxes the families
of network pairs represented by the symbolic state.
X
a
0
?!
X
7?!1 hh(fX 0 g ] M1 0 ; N1 ); : : : ; (Mk 0 ; Nk )ii
a
0
Y ?! Y
a
0
0
7?!2 hh(M1 ; fY 0 g ] N1 ); : : : ; (Mk ; Nk )ii
a
= Mi 0 ] fX g
= Mj 0 (i 6= j )
Ni = Ni 0 ] fY g
0
Nj = Nj (i 6= j )
Mi
Mj
?7 w! [(;; ;); (M ; N ); : : : ; (Mk ; Nk )] is boundary
w
?
?
7?! hh(Mk ; Nk ); (M ; N ); : : : ; (Mk? ; Nk? )ii is interior
1
1
1
1
1
Table 1.
1
1
1
Rules for symbolic transitions.
j
X Y
Z
?
[(fX; Y g; fZ g)]
?
?
[(;; ;); (fX; Y g; fZ g)]
?
[(fnilg; fX g); (fX g; f;g)]
w
0<d<1
(1 ? d):a j b
(1 ? d):a:Zb + (1 ? d):b:Za + b:X
b
1
b
2
(1 ? d):a
X
w
(1 ? d):a
(1 ? e):a
?
w
a
(1 ? e):a
?
?
a
0<d<1
0<e<d<1
[(;; ;); (fnilg; fX g); (fX g; f;g)]
0<e<1
[(fag; f;g); (fnilg; fX g)]
1
..
.....
.....
a
2
Fig. 1.
Part of the symbolic transition system induced by X j Y and Z .
The close relationship between the semantics of a symbolic state and the
(standard) semantics of the (pairs of) networks it represents are as below. Obviously, Lemma 3 1 and 2 may be dualised with 7?!2 replacing 7?!1 .
Lemma3 (Correspondence).
0
0
a
0
1. 7?a!1 0 and (P ; Q) 2 kk implies 9P 0 : P ?!
P such that (P ; Q) 2 k k;
0
0
a
a
0
0
0
2. (P ; Q) 2 kk and P ?! P implies 9 : 7?!1 with (P ; Q) 2 k k;
3. ?
7 w! 0 and (P ; Q) 2 kk implies 9d 2 R>0 . (P d ; Qd ) 2 k0 k;7
4. (P ; Q) 2 kk implies 8d 90 : (7?w! ) 0 with (P d ; Qd ) 2 k0 k;
3.3 Symbolic Bisimulation
Denition 4. B SSm;n is a symbolic bisimulation if whenever 2 B and
a 2 A the following holds:
1. Whenever 7?aa! 0 then 0 7?aa! 00 for some 00 with 00 2 B,
2. Whenever 7?w! 0 then 0 7?! 00 for some 00 with 00 2 B
3. Whenever 7?! 0 then 0 2 B
We write 2 s whenever is contained in some symbolic bisimulation.
1
2
2
1
As SSm;n is nite-state and s is a maximal xedpoint of a simple monotonic function on sets of symbolic states it follows from standard techniques
that questions of the form 2 s are decidable. Moreover, using Lemma 3 the
following close relationships between (ordinary) bisimulation and the symbolic
counterparts may be easily established:
Theorem 5. Let (P; Q) 2 kk. Then P Q if and only if 2 s.
It follows that in order to decide whether two networks (X j : : : j Xm ) and
(Y j : : : j Yn ) are bisimilar we may alternatively decide whether the initial symbolic state [(fX ; : : : ; Xm g; fY ; : : : ; Yn g)] is a member of the symbolic bisimulation. For instance, using the denition of symbolic bisimilarity it follows clearly
from Figure 1 and Theorem 5 that X j Y 6 Z .
1
1
1
1
4 Pointed Symbolic Processes
Section 3 provides a nite symbolic semantics based on which bisimilarity between networks can be decided. However, the semantics has abstracted away
from time-quantities, and it is not possible to synthesize distinguishing formulae
based on this semantics. Therefore, we provide in this section a more informative yet still (suciently) nitary pointed symbolic semantics with explicit time
information. We show that this semantics provides the basis for an algorithm
constructing distinguishing formulae.
4.1 Pointed Semantics A pointed symbolic state is a pair h; vi, where
is a symbolic state and v is a (corresponding) well-ordered fractional. We
7
(d)
d
Here P d denotes the unique network such that P ?!
P .
denote by PSSm;n the set of all pointed symbolic states (of arity (m; n)). Observe
that PSSm;n in contrast to SSm;n is innite. A pointed symbolic state h; v i
represents both the family of network pairs represented by , i.e. kk, as well as
the particular network pair pointed out by v , i.e. (v ).
The symbolic semantics of PSSm;n renes that of SSm;n in that symbolic
wait transitions are parameterized with time-quantities in order to capture the
corresponding delay transition between the represented networks. Before giving
the symbolic semantics of PSSm;n we need some notation: for v = (v1 ; : : : ; vk ) 2
W we dene v = (1?vk ), nextB (v) = (0; v1 +( v2 ); : : : ; vk +( v2 )) and nextI (v) =
(0; v1 + v ; : : : ; vk?1 + v ). Now let h; v i 2 PSSm;n. Then the =)1 , =)2 and
w(d)
=) transition relations are dened by the rules below:
a
w
0
0
7?! ,!1 is boundary
a
h; vi =)1 hh0 ; vii
h; vi w(=v)=2) h0 ; nextB (v)i
a
w
0
0
7?! ,!2 is interior
a
v )
h; vi =)2 hh0 ; vii
h; vi w=()
h0 ; nextI (v)i
where hh; v ii denotes the pointed symbolic state resulting from removing all
pairs (;; ;) from and at the same time removing the corresponding component
vi from v.
Example 7. Figure 2 is the pointed version of Figure 1.
Though PSSm;n is an innite set the above symbolic semantics is nitary in
the following important sense: the total set of immediate =) {derivatives of any
pointed symbolic state h; vi is nite! 8
The following Correspondence Lemma shows that the pointed symbolic semantics indeed is an extension of the symbolic semantics from the previous
section. Obviously, clause 1 and 2 have analogous counterparts for =)2 .
Lemma 6 (Correspondence).
0
0
a
a
0 0
0 0
P implies h; v i =)1 h ; v i and (P ; Q) = (v ) for
1. (P ; Q) = (v) and P ?!
0
0
some and v .
a
0 0
0 0
1 (v ) and 2 (v ) = 2 (v ).
2. h; vi =a)1 h0 ; v0 i implies 1 (v) ?!
w(d)
w
0
0
0
0
3. 7?! implies for all v, h; vi =) h ; v i for some v and d.
d)
(d) 0
(d) 0
w
0
0
0
4. h; vi w=()
h0 ; v0 i implies 1 (v) ?!
1 (v ), 2 (v ) ?! 2 (v ) and 7?! .
4.2 Pointed Symbolic Bisimulation
Denition 7. B PSSm;n is a pointed symbolic bisimulation if whenever h; vi 2
B, a 2 A and d 2 R> the following holds:
0
1. h; vi =a)1 h0 ; v0 i implies 900 ; v00 : h0 ; v0 i =a)2 h00 ; v00 i with h00 ; v00 i 2 B,
8
The set of derivatives of h; vi is the union of the sets fh0 ; v0 i j 9a:9i:h; vi =a)i
h0 ; v0 ig and fh0 ; v0 i j 9d 2 R>0 :h; vi w=()d) h0; v0 ig.
j
X Y
Z
... ...
.....
...
w
( 12 ) [(f
X; Y
g; fZ g)]
(0)
d= 2
(1 ? d):a j b
(1 ? d):a:Zb + (1 ? d):b:Za + b:X
1
... ..
......
...
1
[(;; ;); (fX; Y g; fZ g)] (0; 2 )
b
1
... ...
.....
...
b
2
d = 21
(1 ? d):a
X
... ...
.....
...
w
( 14 ) [(f
(1 ? d):a
(1 ? e):a
w
a
(1 ? e):a
a
... ..
......
. 1
....
....
....
1
(0; 2 )
e = 41 d = 34
... ..
......
...
g fX g); (fX g; f;g)]
nil ;
( 14 )
3
[(;; ;); (fnilg; fX g); (fX g; f;g)] (0; 1
;
)
4 4
e = 21
1
[(fag; f;g); (fnilg; fX g)] (0; 2 )
a
... ..
......
. 2
Fig. 2.
Part of the pointed symbolic transition system induced by X j Y and Z .
2. h; vi =a)2 h0 ; v0 i implies 900 ; v00 : h0 ; v0 i =a)1 h00 ; v00 i with h00 ; v00 i 2 B
d)
3. h; vi w=()
h0 ; v0 i implies h0 ; v0 i 2 B
We write h; v i 2 ps if h; v i is contained in a pointed symbolic bisimulation.
For B SSm;n , let B" = fh; vi j 2 Bg. Dually, for B PSSm;n let
B# = f j h; v i 2 Bg.
Lemma8. If B is a symbolic bisimulation then B" is a pointed symbolic bisimulation. If B is a pointed symbolic bisimulation then B# is a symbolic bisimulation.
This leads directly to the following using the existing result of Theorem 5:
Theorem 9. h; vi 2 ps if and only if (v) (v).
Thus, two networks (X j : : : j Xm ) and (Y j : : : j Yn ) are bisimilar just in case
the initial pointed symbolic state h[(fX ; : : : ; Xmg; fY ; : : : ; Yn g)]; (0)i is a mem1
1
2
1
1
1
ber of the pointed symbolic bisimulation. However, due to the innite nature of
PSSm;n this does not directly lead to an alternative algorithm for bisimilarity, a
problem we will deal with in the following subsection.
4.3 Computing Distinguishing Formulae In standard fashion we may
dene for n a natural number the n'th approximations of the various symbolic
relations s and ps . The 0'th approximate is simply the entire set of (pointed)
symbolic states, and the (n + 1)'th approximate is dened using the denition
schemas of Denitions 4 and 7 with the n'th approximate substituting B in the
(relevant) dening clauses. For one of the above relations the corresponding
n'th approximate will be denoted n. It is easy to see that in both cases n will
be decreasing in n. Also, in both cases n approximates in the sense that equals the intersection of all its approximations (i.e. = \n2! n).
As the set of symbolic states is nite, there exists a K (being simply the
number of symbolic states of the given arity) such that ns will be constant
when n exceeds K . This fact leads directly to an iterative algorithm for deciding
s and hence { due to Theorem 5 { for deciding . In contrast, the set of pointed
symbolic states is innite and there is therefore no a priori guarantee that the
decreasing sequence hnps in will converge at any nite stage. However, nite
convergence is ensured by the following Lemma relating symbolic and pointed
symbolic approximates:
Lemma 10. For all n, (nps )# = ns and (ns )" = nps .
Thus the pointed symbolic approximates converges at the same iteration as
the symbolic counterparts. Furthermore, as any pointed symbolic state has only
a nite (and computable) set of immediate derivatives, it follows that nps is
decidable for any n. Hence bisimilarity between networks may alternatively be
computed by deciding Kps -membership problems for a suciently large K .
In addition, the use of pointed symbolic bisimulation enables the generation
of distinguishing formulae in cases of non-bisimilarity as stated by the following
theorem. The proof given is constructive and constitutes the generation algorithm.
Theorem 11. Whenever h; vi 62 ps then 9F: (v) j= F and (v) 6j= F .
Proof: The proof is by induction in n, where h; vi 62 nps . We only show the
induction step. Assume h; v i 62 nps . There are three cases to consider depending on which of the conditions for membership of nps that fails. We only show
two of the cases. Assume h; v i =a) h0 ; v0 i but whenever h0 ; v 0 i =a) hj ; vj i
(j = 1 : : : m) then hj ; v j i 62 nps . Now, using the Induction Hypothesis we
may conclude that there exists some formula Fj such that j (v j ) j= Fj but
j (vj ) 6j= Fj . Now, let F = hai(F ^ : : : ^ Fm ) then it follows easily using
d 0 0
Lemma 6 that (v ) j= F whereas (v ) 6j= F . Assume h; vi w=)
h ; v i but
h0 ; v0 i 62 nps . Now, using the Induction Hypothesis we may conclude that there
exists a formula F 0 such that 0 (v0 ) j= F 0 but 0 (v 0 ) 6j= F 0 . Now let F = h(d)iF 0 ,
ut
then it follows from the Lemma 6 that (v) j= F whereas (v) 6j= F .
1
2
+1
+1
1
2
1
1
2
1
( )
2
1
2
1
2
Applying the construction of the above Theorem 11 to the pointed symbolic
transition system induced by X j Y and Z (partially shown in Figure 2) we may
generate the formula h( 21 )ihbih( 14 )ih( 14 )ihaitt distinguishing X j Y and Z .
References
1. J.C.M. Baeten and J.A. Bergstra. Real time process algebra. Technical Report
P8916, University of Amsterdam, 1989.
2. J. A. Bergstra, J. Heering, and P. Klint. Algebra of communicating processes. In
CWI symposium on Mathematics and Computer Science. North{Holland, 1986.
3. U. Celikkan and R. Cleaveland. Diagnostic information for behavioral preorders.
In Proceedings of CAV'92, volume 663 of Lecture Notes In Computer Science,
Springer Verlag. Springer-Verlag, 1992.
4. K. C erans, J.C. Godskesen, and K.G. Larsen. Timed modal specications | theory and tools. In Proceedings of CAV'93, volume 697 of Lecture Notes In Computer
Science, pages 253{267. Springer-Verlag, 1993.
5. R. Cleaveland. On automatically distinguishing inequivalent processes. In Proceedings of CAV'90, volume 531 of Lecture Notes In Computer Science. SpringerVerlag, 1990.
6. R. Cleaveland, J. Parrow, and B. Steen. The concurrency workbench. Technical
Report ECS-LFCS-89-83, LFCS, University of Edinburgh, Scotland, 1989.
7. J. Davis and S. Schneider. An introduction to timed CSP. Technical Report
PRG{75, Oxford University Computing Laboratory, 1989.
8. J.C. Godskensen and K.G. Larsen. Synthesizing Distiniguishing Formulae for Real
Time Systems. BRICS Report Series RS-94-48, BRICS, Aalborg University, December 1994. Accessible via WWW: http://www.brics.aau.dk/BRICS.
9. J.C. Godskesen, K.G. Larsen, and M. Zeeberg. TAV { users manual. Technical
Report R 89-19, University of Aalborg, Denmark, 1989.
10. J.C. Godskesen. Timed Modal Specications {A Theory for Verication of RealTime Concurrent Systems. Phd. thesis, Aalborg University, Denmark, 1994.
11. M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency.
Journal of the Association for Computing Machinery, pages 137{161, 1985.
12. C.A.R. Hoare. Communicating sequential processes. Communications of the ACM,
21(8):666{677, 1978.
13. V. Lecompte, E. Madelaine, and D. Vergamini. Auto: A verication system for
parallel and communicating processes. INRIA, Sophia{Antipolis, 1988.
14. R. Milner. Calculus of Communicating Systems, volume 92 of Lecture Notes In
Computer Science, Springer Verlag. Springer Verlag, 1980.
15. K. C erans. Decidability of bisimulation equivalences for processes with parallel
timers. In Proceedings of CAV'92, volume 663 of Lecture Notes In Computer Science, Springer Verlag. Springer-Verlag, 1992.
16. Y. Wang. Real{time behaviour of asynchronous agents. In Proceedings of CONCUR'90, volume 458 of Lecture Notes In Computer Science, Springer Verlag.
Springer-Verlag, 1990.
This article was processed using the LaTEX macro package with LLNCS style
