A Logical Approach for the Schedulability Analysis of CCSL by Zhang, Yuanrui et al.
HAL Id: hal-02402976
https://hal.inria.fr/hal-02402976
Submitted on 6 Jan 2020
A Logical Approach for the Schedulability Analysis of CCSL
Yuanrui Zhang, Frédéric Mallet, Huibiao Zhu, Yixiang Chen
To cite this version: Yuanrui Zhang, Frédéric Mallet, Huibiao Zhu, Yixiang Chen. A Logical Approach for the Schedulability Analysis of CCSL. TASE 2019 - 13th International Symposium on Theoretical Aspects of Software Engineering, Jul 2019, Guilin, China. pp.25-32, 10.1109/TASE.2019.00-23. hal-02402976
Yuanrui Zhang∗§, Frédéric Mallet†, Huibiao Zhu‡, Yixiang Chen∗¶
∗MoE Engineering Research Center for Software/Hardware Co-design, East China Normal University
†I3S Laboratory, UMR 7271 CNRS, INRIA, Université Nice Sophia Antipolis
‡Shanghai Key Laboratory of Trustworthy Computing, East China Normal University
Email: §zhangyrmath@126.com ¶yxchen@sei.ecnu.edu.cn (corresponding author)
Abstract—The Clock Constraint Specification Language (CCSL) is a clock-based formalism for the formal specification and analysis of real-time embedded systems. Previous approaches for the schedulability analysis of CCSL specifications are mainly based on model checking or SMT-checking. In this paper we propose a logical approach mainly based on theorem proving. We build a dynamic logic called ‘clock-based dynamic logic’ (cDL) to capture CCSL specifications and build a proof calculus to analyze the schedule problem of the specifications. Compared with previous approaches, our method benefits from the dynamic logic, which provides a natural way of capturing the dynamic behaviour of CCSL and a divide-and-conquer way of ‘decomposing’ a complex formula into simple ones for an SMT-checking procedure. Based on cDL, we outline a method for the schedulability analysis of CCSL. We illustrate our theory through one example.
Index Terms—CCSL, dynamic logic, schedulability analysis
I. INTRODUCTION
The clock constraint specification language (CCSL) [1] is a formal specification language for specifying the behaviour of real-time embedded systems (RTESs) at a high level. It was first defined as an annex of UML/MARTE [2], but was later developed as an independent language equipped with a formal semantics [3]. CCSL gives a concrete syntax for dealing with logical clocks, made popular by Leslie Lamport [4] and by synchronous languages (such as Esterel [5]). CCSL handles ‘clocks’ as first-class citizens for capturing discrete-time events and logical/chronometrical constraints between events. CCSL is a specification language, not a programming language: it describes a set of possible behaviours and does not attempt to provide a single operational deterministic execution. All values are ignored in order to focus only on clock issues. CCSL has been widely used in the specification and analysis of different RTESs, e.g. [6]–[8].
One important aspect in the formal analysis of CCSL is the schedulability analysis of CCSL specifications, whose major goal is to answer whether ‘there exists a schedule for a given CCSL specification’. Though the decidability of this problem still remains open [9], previous approaches have been proposed to give a partial solution to this problem [9]–[12]. They rely either on an incomplete transformation into finite automata or on an encoding into expensive logic formulae. In this paper, we propose a logical approach for the formal analysis of the schedule problem in CCSL. We propose a variation of dynamic logic called ‘clock-based dynamic logic’ (cDL) and a modular proof calculus for it. cDL enriches first-order dynamic logic (FODL) [13] with clocks as primitives and inherits a fragment of dynamic formulae from differential temporal logic (dTL2) [14]. cDL provides a natural way of modelling both the dynamic clock behaviour and the static clock relations of a CCSL specification in a single formalism, and it provides a divide-and-conquer way of analyzing the schedule problem in the form of theorem proving.
In cDL, a CCSL specification SP can be captured as a cDL dynamic formula ϕSP. The schedule problem of the specification SP is then reduced to the problem of proving the formula ϕSP. In the proof calculus of cDL, formula ϕSP is modularly transformed into a set of quantifier-free linear integer arithmetic (QF-LIA) logic formulae, which are decidable and can be efficiently handled via an SMT-checking procedure [15]. On the other hand, the derivation paths during the proof of ϕSP can be analyzed to generate a possible bounded schedule of SP.
The contributions of this paper are mainly twofold:
(i) We construct cDL and its proof calculus.
(ii) We outline a method for the schedulability analysis of CCSL specifications based on cDL. We focus on the encoding from CCSL specifications into cDL formulae, and on how the schedule problem can be solved through the derivation of cDL.
Related Work Previous approaches for solving the schedule problem are mainly based on model checking and SMT-checking techniques. The former technique [10], [11] proposes encoding a CCSL specification into a finite transition system on which reachability analysis is performed. When a specification corresponds to an infinite transition system (also called an ‘unsafe’ CCSL specification in [16]), a bound needs to be set to make an approximate analysis. The latter technique [9], [12] tackles the problem of expressing ‘unsafe’ specifications. It proposes encoding the CCSL specification into a first-order logic (FOL) formula, which can then be checked through an SMT-checking procedure. However, the FOL formulae there contain quantifiers and so-called undefined functions, which are undecidable and may be very costly for an SMT-solver to solve.
Compared with previous approaches, the advantage of our approach is that the cDL calculus offers a nice formalism to capture the dynamic behaviour of CCSL specifications, while providing a ‘deduction’ approach for reducing a dynamic cDL formula into QF-LIA logic formulae, which are decidable and easy for an SMT-solver to solve.
cDL is partially based on the ‘CCSL dynamic logic’ (CDL) [17], which can capture and verify a simple CCSL specification Rel of a given system p in the form ‘[p]Rel’ (which means ‘all execution traces of p satisfy a clock relation Rel’). However, CDL fails in handling the schedule problem of CCSL in the form ‘〈p〉ϕ’ (introduced in Sect. IV), whose verification must rely on a different proof calculus that contains the dynamic formula 〈p〉φ ⊓ □ϕ from dTL2. The rest of this paper is organized as follows: Sect. II introduces the preliminaries of CCSL. Sect. III gives an example which will be used throughout the paper to explain our viewpoints. Sect. IV defines the syntax and semantics of cDL. In Sect. V, we propose the proof calculus of cDL and analyze its soundness, completeness and automaticity. Sect. VI proposes a method for the schedulability analysis of CCSL in cDL. Sect. VII concludes this paper and discusses possible future work.
II. PRELIMINARIES OF CCSL
The CCSL presented here is based on [9], [18].
Logical clock A logical clock models a sequence of occurrences of an event in an RTES over a discrete time model. A clock c : N+ → {0, 1} is defined as an infinite sequence, where each c(i) (i ∈ N+) is either ‘tick’ (represented as 1) or ‘idle’ (represented as 0). We use C to denote a finite set of clocks.
Schedule A schedule σ : N → (C → {0, 1}) is an infinite sequence that captures the state of all clocks η : C → {0, 1} at each instant, where N ::= N+ ∪ {0}. We also denote η by the set of ticked clocks αη ::= {c | η(c) = 1}, since the two correspond one-to-one. If α = {c}, we simply write it as c. We stipulate that σ(0) = ∅, indicating that at the beginning no clock ticks.
Configuration A configuration Hσ : N → (C → N) keeps track, at each instant, of the number of times each clock has ticked (h : C → N):
$$H_\sigma(i, c) = \begin{cases} 0, & \text{if } i = 0 \\ H_\sigma(i-1, c) + 1, & \text{if } i > 0,\ c \in \sigma(i) \\ H_\sigma(i-1, c), & \text{if } i > 0,\ c \notin \sigma(i) \end{cases}$$
Clock Constraint Clock relations describe binary relationships between clocks, whose syntax is defined by:
Rel ::= c1 ≺ c2 | c1 ≼ c2 | c1 ⊆ c2 | c1 # c2,
where c1, c2 are arbitrary clocks. The semantics of clock relations, σ ⊨ccsl Rel, is defined in Fig. 2. ‘Precedence’ means that c1 always ticks faster than c2; ‘Causality’ expresses that c1 ticks no slower than c2; ‘Subclock’ says that c1 can only tick if c2 ticks; ‘Exclusion’ means that c1, c2 cannot tick at the same instant.
Clock definition defines new clock behaviour by composing clocks. A clock definition has the form Cdf ::= c ≜ E, where E is a clock expression defined by the following grammar:
E ::= c1 + c2 | c$n | c1 ∨ c2 | ...,
where c1, c2 are arbitrary clocks and n ≥ 1. Above we only list the 3 clock expressions used in this paper; for other clock expressions refer to [9], [18]. The semantics of clock definitions, σ ⊨ccsl Cdf, is defined in Fig. 2. ‘Union’ defines the clock that ticks iff either c1 or c2 ticks; ‘Delay’ defines the clock that ticks when c′ ticks but is delayed by n ticks of c′; ‘Supremum’ defines the fastest clock that is slower than both c1 and c2.
Fig. 1. A possible schedule of CCSL constraints: (a) c1 ≺ c2; (b) c ≜ c′$n (n = 5)
Precedence: σ ⊨ccsl c1 ≺ c2 iff ∀i ∈ N+. {(Hσ(i, c1) = 0 ∧ Hσ(i, c2) = 0) ∨ Hσ(i, c1) > Hσ(i, c2)}
Causality: σ ⊨ccsl c1 ≼ c2 iff ∀i ∈ N+. {Hσ(i, c1) ≥ Hσ(i, c2)}
Subclock: σ ⊨ccsl c1 ⊆ c2 iff ∀i ∈ N+. {c1 ∈ σ(i) → c2 ∈ σ(i)}
Exclusion: σ ⊨ccsl c1 # c2 iff ∀i ∈ N+. {c1 ∉ σ(i) ∨ c2 ∉ σ(i)}
Union: σ ⊨ccsl c ≜ c1 + c2 iff ∀i ∈ N+. {c ∈ σ(i) ↔ (c1 ∈ σ(i) ∨ c2 ∈ σ(i))}
Delay: σ ⊨ccsl c ≜ c′$n iff ∀i ∈ N+. {Hσ(i, c) = max(Hσ(i, c′) − n, 0)}
Supremum: σ ⊨ccsl c ≜ c1 ∨ c2 iff ∀i ∈ N+. {Hσ(i, c) = min(Hσ(i, c1), Hσ(i, c2))}
Fig. 2. Semantics of CCSL
Example Fig. 1 (a) illustrates the clock relation c1 ≺ c2, where clock b is used as a ‘base clock’ that ticks at every time instant: b = 111111111111.... C = {c1, c2}, c1 = 101100100100..., c2 = 010100110010.... The schedule is σ = ∅{c1}{c2}{c1}{c1, c2}∅∅{c1, c2}{c2}∅{c1}{c2}∅.... The configuration Hσ satisfies Hσ(0, c1) = 0, Hσ(1, c1) = 1, Hσ(2, c1) = 1, Hσ(3, c1) = 2. Fig. 1 (b) illustrates the clock definition c ≜ c′$n (when n = 5).
Clock Specification & Free Clock Given a set of clock constraints C, σ ⊨ccsl C is defined s.t. σ ⊨ccsl cn for all cn ∈ C. A CCSL specification is a triple SP ::= 〈C̃df, R̃el, F〉, where C̃df is a set of clock definitions and R̃el is a set of clock relations. A ‘free clock’ is a clock that does not appear on the left side of any clock definition c ≜ E; F is the set of all free clocks appearing in C̃df ∪ R̃el. σ ⊨ccsl SP is defined s.t. σ ⊨ccsl R̃el and σ ⊨ccsl C̃df. We use C(SP) to denote all clocks appearing in SP.
Schedule Problem Given a CCSL specification SP = 〈C̃df, R̃el, F〉, the schedule problem asks whether ‘there exists a schedule σ of C(SP) s.t. σ ⊨ccsl SP’. In a CCSL specification, there always exists a schedule if we allow the absence of all clocks (i.e., ∅) at any instant (e.g., the empty schedule σ = ∅∅∅... satisfies any CCSL specification). So in the schedule problem, we always talk about schedules σ that satisfy σ(i) ≠ ∅ for any i > 0.
Clock-labeled Transition System (cLTS) The clock behaviour can be captured as a special type of finite transition system: cLTS [18]. A cLTS is a tuple A = 〈L, T, l0, C〉 where L is a set of locations, l0 is the initial location, and T ⊆ L × (G × (C → {0, 1})) × L is a set of transitions, with (l, g?α, l′) ∈ T (also denoted as l −g?α→ l′) meaning that the transition from l to l′ is fired when guard g is true and all clocks in α ⊆ C tick. Guard g is of the form g ::= h(c1, c2) △ k, where k ∈ Z, △ ∈ {<, ≤, >, ≥, =} and h(c1, c2) ::= h(c1) − h(c2). A schedule σ = α1α2...αi... is accepted by a cLTS iff from the initial location l0 there is a path l0 −g1?α1→ l1 −g2?α2→ ... −gi?αi→ li ... in this cLTS, where gi is any satisfiable guard of αi (if there is one). We use Sch(A) to denote the set of schedules accepted by A.
In a cLTS we use a ‘compositional transition’ [l, g1?α1 ⊕ ... ⊕ gn?αn, l′] as a shorthand to express the set of transitions (l, g1?α1, l′), ..., (l, gn?αn, l′).
Fig. 3. An example of cLTSs: (a) the cLTS of u1 ≜ v1$5; (b1), (b2) the cLTSs of the free clocks v1, v3; (c) the synchronous product Ab1 ‖ Ab2; (d) the cLTS Asp1 of SP1, where
g1 = h(v1, u1) < 4, g2 = h(v1, u1) = 4,
p1 = ∅ ⊕ v1 ⊕ v3 ⊕ {v1, v3}, p2 = ∅ ⊕ g1?v1 ⊕ g1?{v1, v3},
p3 = ∅ ⊕ g2?v1 ⊕ g2?{v1, v3}, p4 = ∅ ⊕ {v1, u1} ⊕ {v1, u1, v3}
The synchronous product of A1, ..., An is denoted by A1 ‖ ... ‖ An. Intuitively, n cLTSs synchronize only on their common clocks, when they all agree on whether the common clocks tick or not. Formally, let Ai = 〈Li, Ti, l0,i, Ci〉 (1 ≤ i ≤ n); then A1 ‖ ... ‖ An is defined as a tuple 〈L, T, l0, C〉 where (1) L = L1 × ... × Ln; (2) (〈l1, ..., ln〉, (g1 ∧ ... ∧ gn)?⋃_{i=1}^{n} αi, 〈l′1, ..., l′n〉) ∈ T iff 〈li, gi?αi, l′i〉 ∈ Ti for 1 ≤ i ≤ n and αj ∩ Ck = αk ∩ Cj for any 1 ≤ j ≤ k ≤ n; (3) l0 = 〈l0,1, ..., l0,n〉; (4) C = ⋃_{i=1}^{n} Ci. Refer to [18] for a more explicit explanation.
Example Fig. 3 (a) shows the cLTS of the constraint u1 ≜ v1$5, where L = {l1, l2}, the initial location is l1, and C = {u1, v1}. There are 5 transitions in T: (l1, ∅, l1), (l1, g1?v1, l1), (l1, g2?v1, l2), (l2, {v1, u1}, l2), (l2, ∅, l2). Let σ = v1v1v1v1{v1, u1}{v1, u1}...; then σ ∈ Sch(A). Fig. 3 (c) shows the synchronous product Ab1 ‖ Ab2, where Ab1, Ab2 (Fig. 3 (b1), (b2)) are the cLTSs of the free clocks v1, v3. The dashed arrow represents the compositional transition [l0, p1, l0].
Proposition 2.1: Given a specification SP = 〈C̃df, R̃el, F〉, let A be the synchronous product of all clock behaviours (i.e., all definitions in C̃df and all free clocks in F); then for any schedule σ of C(SP), σ ⊨ccsl C̃df iff σ ∈ Sch(A).
III. AN ILLUSTRATIVE EXAMPLE
In this section we consider an illustrative example from [18] which will be used throughout this paper. As Fig. 4 shows, a component of a practical application contains two inputs in1, in2, three computations step1, step2, step3, two buffers and an output out. step1, step2 and step3 are three independent modules that run concurrently. step1 (resp. step2) needs the input from in1 (resp. in2) for its computation and produces a result in the buffer. step3 needs the intermediate results from both step1 and step2 for its computation and returns the result to the output out. The component continuously receives inputs.
Fig. 4. A component of an application
By assigning a clock to each action, CCSL can be used to capture a high-level specification of this application. As a simple case, consider the two basic specifications SP1, SP2 in the following table:
      C̃df                        R̃el                                                  F
SP1   u1 ≜ v1$5                  v1 ≺ v3, v3 ≼ u1                                     v1, v3
SP2   u1 ≜ v1$5, u2 ≜ v1 ∨ v2    v1 ≺ v3, v3 ≼ u1, i1 ≼ v1, i2 ≼ v2, u2 ≺ v3, v3 ≼ o   i1, i2, v1, v2, v3, o
where SP1 specifies a basic relation between step1 and step3: step3 must occur later than step1 (v1 ≺ v3), but before the buffer reaches its maximum capacity, which is 5 outputs of step1 (v3 ≺ u1). Clock u1 is a newly defined clock which is delayed by 5 ticks with respect to clock v1 (u1 ≜ v1$5). SP2 defines a more refined specification by adding more clock constraints to the sets C̃df, R̃el. It declares all dependency relationships between all actions. Refer to [18] for more complex specifications of this example.
In this paper, we will show how our proposed logic framework can capture and analyze the schedule problem of SP1.
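As an added illustration (not code from the paper), the following Python checks the Fig. 2 constraints over a finite schedule prefix and applies them to the Fig. 1 (a) schedule and to SP1. Precedence is implemented in the usual CCSL reading (c2 may not tick while the two tick counters are equal), which is what the Fig. 1 (a) schedule exhibits; the other clauses follow Fig. 2 as written. The `satisfies`/`violated` helpers, the constraint tuples and the 12-instant SP1 schedule are constructed for this example.

```python
# Added example (not from the paper): a bounded checker for the CCSL constraints of Fig. 2.
# A schedule prefix is a list of sets of ticking clocks; index 0 is sigma(0) = {} by stipulation.

def configuration(schedule, clock):
    """H_sigma(i, clock) for every instant i of the prefix (Sect. II, Configuration)."""
    counts = [0]                                   # H_sigma(0, c) = 0
    for ticks in schedule[1:]:
        counts.append(counts[-1] + (1 if clock in ticks else 0))
    return counts

def instants(schedule):
    """The instants i in N+ covered by the prefix."""
    return range(1, len(schedule))

# --- clock relations (Fig. 2) -----------------------------------------------

def causality(schedule, c1, c2):                   # c1 ≼ c2: H(i,c1) >= H(i,c2)
    h1, h2 = configuration(schedule, c1), configuration(schedule, c2)
    return all(h1[i] >= h2[i] for i in instants(schedule))

def precedence(schedule, c1, c2):                  # c1 ≺ c2
    # Usual CCSL reading (an assumption of this example, see the lead-in):
    # c2 may tick at instant i only if c1 was strictly ahead at instant i-1.
    h1, h2 = configuration(schedule, c1), configuration(schedule, c2)
    return all(h1[i - 1] > h2[i - 1] for i in instants(schedule) if c2 in schedule[i])

def subclock(schedule, c1, c2):                    # c1 ⊆ c2
    return all(c2 in schedule[i] for i in instants(schedule) if c1 in schedule[i])

def exclusion(schedule, c1, c2):                   # c1 # c2
    return all(not (c1 in schedule[i] and c2 in schedule[i]) for i in instants(schedule))

# --- clock definitions (Fig. 2) ---------------------------------------------

def union(schedule, c, c1, c2):                    # c ≜ c1 + c2
    return all((c in schedule[i]) == (c1 in schedule[i] or c2 in schedule[i])
               for i in instants(schedule))

def delay(schedule, c, cp, n):                     # c ≜ cp$n: H(i,c) = max(H(i,cp) - n, 0)
    h, hp = configuration(schedule, c), configuration(schedule, cp)
    return all(h[i] == max(hp[i] - n, 0) for i in instants(schedule))

def supremum(schedule, c, c1, c2):                 # c ≜ c1 ∨ c2: H(i,c) = min(H(i,c1), H(i,c2))
    h, h1, h2 = (configuration(schedule, x) for x in (c, c1, c2))
    return all(h[i] == min(h1[i], h2[i]) for i in instants(schedule))

CHECKS = {"prec": precedence, "caus": causality, "sub": subclock, "excl": exclusion,
          "union": union, "delay": delay, "sup": supremum}

def satisfies(schedule, constraints):
    """sigma ⊨ccsl C on the prefix: every constraint holds and, as the schedule problem
    requires, no instant i > 0 is empty."""
    if any(not ticks for ticks in schedule[1:]):
        return False
    return all(CHECKS[kind](schedule, *args) for kind, *args in constraints)

def violated(schedule, constraints):
    """Kinds of the constraints that fail on the prefix (a diagnostic helper)."""
    return [kind for kind, *args in constraints if not CHECKS[kind](schedule, *args)]

# Fig. 1 (a) / Example of Sect. II: sigma = ∅{c1}{c2}{c1}{c1,c2}∅∅{c1,c2}{c2}∅{c1}{c2}∅
FIG1A = [set(), {"c1"}, {"c2"}, {"c1"}, {"c1", "c2"}, set(), set(),
         {"c1", "c2"}, {"c2"}, set(), {"c1"}, {"c2"}, set()]

# SP1 of Sect. III: u1 ≜ v1$5, v1 ≺ v3, v3 ≼ u1 over the free clocks v1, v3.
SP1 = [("delay", "u1", "v1", 5), ("prec", "v1", "v3"), ("caus", "v3", "u1")]

# Constructed 12-instant schedule for SP1: v1 every instant, v3 from instant 2, u1 from instant 6.
SP1_SCHEDULE = [set()] + [{"v1"}] + [{"v1", "v3"}] * 4 + [{"v1", "v3", "u1"}] * 7

if __name__ == "__main__":
    print(configuration(FIG1A, "c1")[:4])                       # [0, 1, 1, 2] as in the Example
    print(precedence(FIG1A, "c1", "c2"), causality(FIG1A, "c1", "c2"))
    print(satisfies(SP1_SCHEDULE, SP1), violated(FIG1A, [("excl", "c1", "c2")]))
```

`satisfies` rejects the Fig. 1 (a) prefix even though c1 ≺ c2 holds on it, because it contains empty instants, which the schedule problem excludes.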
IV. SYNTAX AND SEMANTICS OF CDL
A. The Syntax of cDL
In order to capture the behaviour model of CCSL clocks (cLTS) in logic, we introduce a program model called ‘clock program model’ (CPM) based on the regular program model of FODL [13], [19].
Definition 4.1 (Syntax of CPM): The syntax of CPM is defined in BNF form as follows:
p ::= α | g?α | ε | p; p | p ⊕ p | p* | p^ω.
The intuitive meaning of each sentence is as follows:
(1) α is the set of ticked clocks and g is the guard defined in cLTS (Sect. II). We also call α an ‘event’ in CPM. Each event consumes a unit of time. g?α means ‘at the current time, if g is true, then α executes, else the program halts’. The judgement of g does not consume any time.
(2) ε represents an ‘empty program’; it neither does anything nor consumes time. ;, ⊕, * are the sequence, non-deterministic choice and finite loop operators that are directly inherited from FODL. p; q means the program first executes p and, after p terminates, executes q. p ⊕ q means the program either executes p or executes q; it is a non-deterministic choice. p* means the program executes p a finite number of times. ω is the infinite loop operator: p^ω means that program p executes an infinite number of times and never terminates.
cDL extends FODL with CPM as its program model and borrows the dynamic formula of the form 〈p〉φ ⊓ □ϕ from dTL2 [14] in order to express the schedule problem of CCSL.
Definition 4.2 (Syntax of cDL Formula): The cDL formula φ is defined in BNF form as follows:
φ ::= tt | e ≤ e | d | ¬φ | φ ∧ φ | ∀x.φ
where
e ::= x | h(c) | η(c) | k | e + e | e · e,
d ::= 〈p〉φ ⊓ □φ | ¬d | 〈p〉d.
tt is the boolean true. e is an integer arithmetic expression. x is a general variable in the domain Z; we use Var to denote a set of general variables. h, η are defined in Sect. II. Because a clock itself does not appear alone in a cDL formula, we can see h(c), η(c) as special variables related to clock c ∈ C. We use Var(C) to denote the set of all ‘clock-related variables’ h(c), η(c) in C. k ∈ Z is a constant. d is a dynamic formula. 〈p〉d describes a ‘state property’ of a clock program, meaning ‘after some execution of p, d holds’. φ ⊓ □ϕ describes a ‘state & temporal’ property of a clock program. It consists of a state formula φ and a temporal formula □ϕ, with a conjunction operator ⊓ linking the two. 〈p〉φ ⊓ □ϕ means that there exists some execution trace of p that satisfies □ϕ, and after the trace terminates (if it can), φ also holds. For non-terminating traces, φ ⊓ □ϕ just means □ϕ.
Example 4.1: The behaviour of the clocks u1, v1, v3 in SP1 (whose cLTS corresponds to Fig. 3 (d)) can be captured as the CPM psp1 = p2*; (ε ⊕ p3; (p4*; ε ⊕ p4^ω)) ⊕ p2^ω. The schedule problem of SP1 can then be captured as the dynamic formula Isp1 → 〈psp1〉ff ⊓ □(ϕsp1 ∧ ϕ∅), which means ‘under the initial condition Isp1, there exists an infinite trace of psp1 satisfying □(ϕsp1 ∧ ϕ∅)’. More details will be given in Sect. VI.
The formula ‘[p]...’ is the dual of ‘〈p〉...’, which means ‘all execution traces of p satisfy ...’. φ ⊔ ♦ϕ is the dual of the formula φ ⊓ □ϕ, in which ⊔ is a disjunction operator. [p]φ ⊔ ♦ϕ means that each trace of p either satisfies ♦ϕ, or terminates and satisfies φ. [p]φ ⊔ ♦ϕ can be expressed as ¬〈p〉¬φ ⊓ □¬ϕ.
Other logical connectives and terms such as ff (falsehood), φ1 ∨ φ2, φ1 → φ2, ∃x.φ, e1 − e2, e1/e2, e1 = e2, e1 < e2, ... can be expressed by the formulae in Def. 4.2.
In cDL, we call a variable X ‘bound’ if (1) X ∈ Var and X is in the scope of some quantifier ∀X, or (2) X ∈ Var(C). A substitution φ[e/X] replaces every non-bound X of φ with the expression e. An ‘admissible substitution’ guarantees that the meaning of a formula does not change. φ[e/X] is ‘admissible’ iff there exists no variable Y s.t. (1) Y is in e; and (2) Y is bound in φ[e/X]. Unless specially mentioned, all substitutions in this paper are admissible.
B. The Semantics of cDL
Kripke Frame & Trace The semantics of cDL is based on the Kripke frame (S, val) [19], where S is a set of states and val interprets a program as a set of traces on S and a logic formula as a subset of S. A trace tr is a finite or infinite sequence of states. Given a finite trace tr1 = s1s2...sn and a (possibly infinite) trace tr2 = u1u2...un..., we define tr1 · tr2 ::= s1s2...snu2u3... provided that sn = u1. Given any tr1, tr2, we define
$$tr_1 \circ tr_2 ::= \begin{cases} tr_1 \cdot tr_2, & \text{if } tr_1 \text{ is finite} \\ tr_1, & \text{otherwise} \end{cases}$$
Given two sets of traces S1, S2, S1 ∘ S2 is defined as {tr1 ∘ tr2 | tr1 ∈ S1, tr2 ∈ S2}. tr(i) denotes the ith element of trace tr, i ≥ 0. trb denotes the first element of trace tr, trb = tr(0). tre denotes the last element of trace tr, provided that tr is finite.
Definition 4.3 (State and Evaluation in cDL): Given a set of clocks C and a set of variables Var, a state s in cDL is defined as a total function as follows: (i) s maps each variable h(c) ∈ Var(C) to a value in the domain N. (ii) s maps each variable η(c) ∈ Var(C) to a value in the domain {0, 1}. (iii) s maps each variable x ∈ Var to a value in the domain Z. Given an expression e and a state s, the evaluation Evals(e) is defined as: (1) If e = a, where a ∈ {x, h(c), η(c)}, then Evals(a) ::= s(a). (2) If e = k, then Evals(k) ::= k. (3) If e = e1 △ e2, where △ ∈ {+, ·}, then Evals(e) ::= Evals(e1) △ Evals(e2).
According to Def. 4.3, we can see that there exists a natural correspondence between traces in cDL and schedules in CCSL.
Proposition 4.1 (Relation between traces and schedules): Given a C and a Var, each schedule σ of C corresponds to a set of infinite traces Trσ, in which each element tr ∈ Trσ satisfies, for every clock c ∈ C and i ∈ N+:
(i) tr(i)(η(c)) = 1 iff c ∈ σ(i);
(ii) tr(i)(h(c)) = Hσ(i, c).
For each infinite trace tr, there must be a σ s.t. tr ∈ Trσ. Intuitively, except for σ(0), the variables h(c), η(c) at each state of a trace tr ∈ Trσ exactly record the information of schedule σ at each instant i > 0.
Definition 4.4 (Semantics of CPM): Given a C and a Var, for any CPM p, the semantics is given as a Kripke frame (S, val) defined as follows:
(i) val(ε) ::= S.
(ii) val(α) ::= {ss′ | s, s′ ∈ S; for any c ∈ α, s′(h(c)) = s(h(c)) + 1 ∧ s′(η(c)) = 1; for any d ∈ C − α, s′(h(d)) = s(h(d)) ∧ s′(η(d)) = 0; for any x ∈ Var, s′(x) = s(x)}.
(iii) val(g?α) ::= {ss′ | s ∈ val(g), ss′ ∈ val(α)}.
(iv) val(p; q) ::= val(p) ∘ val(q).
(v) val(p ⊕ q) ::= val(p) ∪ val(q).
(vi) $val(p^*) ::= val(\varepsilon) \cup \bigcup_{n \ge 1} \underbrace{val(p) \circ \ldots \circ val(p)}_{n}$.
(vii) $val(p^\omega) ::= \underbrace{val(p) \circ val(p) \circ \ldots}_{\infty}$.
We use ‘≡’ to represent semantic equivalence between two programs, i.e., p ≡ q iff val(p) = val(q). The semantics of each CPM corresponds to a set of traces. ε defines the set of all traces of length 1. Event α defines a transition from a state s to a state s′. Intuitively, at the current instant, if clock c ticks (c ∈ α), the variable h(c) is increased by 1 and the variable η(c) is set to 1; if clock c does not tick (c ∉ α), h(c) does not change and η(c) is set to 0. Other variables in both s and s′ are kept the same. Traces satisfying g?α are exactly those traces satisfying α whose beginning states additionally satisfy g. val(g) will be given below in Def. 4.5. Each trace of p; q is formed by concatenating a trace of p and a trace of q. Each trace of p ⊕ q is either a trace of p or a trace of q. The traces of program p* are defined as all finite traces of the form s, or tr1 ∘ tr2 ∘ ... ∘ trn where n ≥ 1 and each tri ∈ val(p) is finite (i ∈ N+). The traces of p^ω consist of all infinite traces of the form tr1 ∘ tr2 ... where each tri ∈ val(p) is finite (i ∈ N+), or of the form tr1 ∘ tr2 ∘ ... ∘ trn where n ≥ 1, tr1, ..., trn−1 ∈ val(p) are finite, but trn ∈ val(p) is infinite.
Definition 4.5 (Semantics of cDL Formula): Given a C and a Var, the semantics of a cDL formula is given as a Kripke frame (S, val) defined as follows:
(i) val(tt) ::= S.
(ii) val(e1 ≤ e2) ::= {s | Evals(e1) ≤ Evals(e2)}.
(iii) val(〈p〉φ ⊓ □ϕ) ::= {s | there is a tr ∈ val(p) s.t. s = trb, tr ⊨ □ϕ and tre ∈ val(φ) if tre exists}.
(iv) val(¬φ) ::= {s | s ∉ val(φ)}.
(v) val(φ ∧ ϕ) ::= val(φ) ∩ val(ϕ).
(vi) val(∀x.φ) ::= {s | for any v0 ∈ Z, s ∈ val(φ[v0/x])}.
The semantics of each cDL formula corresponds to a set of states. (iii), (iv) are similar to the definitions in dTL2 [14]. In cDL, tr ⊨ □ϕ is defined as: every state s in tr (s ≠ trb) satisfies s ∈ val(ϕ). The dual formula ♦ϕ of □ϕ is defined as: tr ⊨ ♦ϕ iff there exists a state s in tr (s ≠ trb) that satisfies s ∈ val(ϕ). Differently from dTL2, in cDL the satisfaction of a temporal formula by a trace tr starts from the second state of the trace. This stipulation is more natural for expressing clock constraints (see Example 6.2), since the satisfaction of a clock constraint by a schedule σ starts from the second element of σ (Fig. 2). For a state property φ, we only consider its truth for terminating traces. (v), (vi) are similar to the definitions in FODL [19], except that the semantics of CPM is based on traces.
V. PROOF CALCULUS OF CDL
Sequent Calculus & Rule We use Gentzen’s sequent calculus [20] as the logical argumentation for the proof calculus of cDL. A sequent has the form Γ ⇒ ∆, where Γ, ∆ are two finite multi-sets of logic formulae. A sequent Γ ⇒ ∆ means that ‘if every formula in Γ holds, then at least one of the formulae in ∆ holds’. When Γ or ∆ is empty, we use · to denote it. A rule in sequent calculus is of the form
$$\frac{\Gamma_1 \Rightarrow \Delta_1 \quad \ldots \quad \Gamma_n \Rightarrow \Delta_n}{\Gamma \Rightarrow \Delta},$$
which means that if Γ1 ⇒ ∆1, ..., Γn ⇒ ∆n are all valid, so is Γ ⇒ ∆. Each Γi ⇒ ∆i in the upper part is called a ‘premise’, while Γ ⇒ ∆ in the lower part is called the ‘conclusion’. We use
$$\frac{\Gamma' \Rightarrow \varphi \Rightarrow \Delta'}{\Gamma \Rightarrow \phi \Rightarrow \Delta}$$
to represent a pair of sequent rules
$$\frac{\Gamma', \varphi \Rightarrow \Delta'}{\Gamma, \phi \Rightarrow \Delta} \quad \text{and} \quad \frac{\Gamma' \Rightarrow \varphi, \Delta'}{\Gamma \Rightarrow \phi, \Delta},$$
i.e., the same rule applied to φ on either side of the sequent; ϕ written over φ alone abbreviates the rule with conclusion Γ ⇒ φ ⇒ ∆ (when Γ, ∆ are kept unchanged). We call Γ, ∆ the ‘context’ of formula φ in the sequent Γ ⇒ φ, ∆ or Γ, φ ⇒ ∆.
Node & Proof Tree The derivation of a sequent forms a ‘proof tree’, where each sequent is a node, denoted by ζ = 〈ν, τ〉, where ζ is the node name, ν is a vector of the child nodes of ζ, and τ is a rule name. In a proof tree, a node ζ = 〈(ζ1, ..., ζn), ‘(r)’〉 is defined iff there is a derivation
$$\frac{\zeta_1 : \Gamma_1 \Rightarrow \Delta_1 \quad \ldots \quad \zeta_n : \Gamma_n \Rightarrow \Delta_n}{\zeta : \Gamma \Rightarrow \Delta}\ (r),$$
where (r) is the name of the rule and ζ1, ..., ζn are in sequence from left to right. We call a node 〈ν, τ〉 a ‘leaf node’ if ν = ∅. If a leaf node is obtained from a termination rule (rule (o), (ax),
Our main contribution to the proof calculus of cDL is the rules for the special primitives (α, g?α, ε, p^ω) of cDL (Fig. 5 (a)). The other rules of cDL are either directly inherited or can be derived from the proof systems of FODL [19], dTL2 [14] and FOL (Fig. 5 (b), (c)).
In Fig. 5 (a), rule (α) says that proving that, under any context Γ, ∆, some trace of α satisfies φ ⊓ □ϕ amounts to proving that φ ∧ ϕ holds under the context after the execution of α. Variables in V are updated with new values according to α, while their old values are stored in V′. α = {c1, ..., cn}, C − α = {d1, ..., dm}. V = (h(c1), ..., h(cn), η(c1), ..., η(cn), η(d1), ..., η(dm)) is the set of variables whose values change with the execution of α. V′ = (x1, ..., xn, y1, ..., yn, z1, ..., zm) is a set of new variables (w.r.t. Γ, 〈α〉φ ⊓ □ϕ, ∆) corresponding to V. Γ[V′/V] represents the context obtained by applying the substitution φ[V′/V] to each formula φ in Γ, where φ[V′/V] is shorthand for φ[x1/h(c1)]...[xn/h(cn)][y1/η(c1)]...[zm/η(dm)]. The vector equation (x1, ..., xn) = (e1, ..., en) means x1 = e1, ..., xn = en.
Example 5.1: Consider the sequent h(c1) = 0, η(c1) = 0, h(c2) = 0, η(c2) = 0 ⇒ 〈c1〉h(c1) ≥ h(c2). By applying rule (α), we obtain the derivation
$$\frac{x_1 = 0,\ y_1 = 0,\ h(c_2) = 0,\ z_1 = 0,\ h(c_1) = x_1 + 1,\ \eta(c_1) = 1,\ \eta(c_2) = 0 \Rightarrow h(c_1) \ge h(c_2)}{h(c_1) = 0,\ \eta(c_1) = 0,\ h(c_2) = 0,\ \eta(c_2) = 0 \Rightarrow \langle c_1 \rangle h(c_1) \ge h(c_2)}\ (\alpha),$$
where x1, y1, z1 keep the old values of h(c1), η(c1), η(c2) respectively.
Rule (〈ε〉⊓) holds because we stipulate that the first element of any trace is unrelated to the temporal formula □ϕ in the definition of tr ⊨ □ϕ. Rule (g?) moves the guard g outside of the dynamic part ‘g?α’ as a static formula g. In rules (〈ω〉⊓) and ([ω]⊔), the state property φ plays no role, since an infinite loop program never terminates. Rule (〈ω〉⊓) says that the conclusion holds if we can find an invariant Inv s.t.: (1) Inv holds under the current context Γ, ∆; (2) under any context, if Inv holds, then there exists a trace of p satisfying □ϕ and, after p terminates, Inv holds. Rule ([ω]⊔) is similar to (〈ω〉⊓), where x indicates the number of repetitions of p before every trace of p satisfies ♦ϕ.
In Fig. 5 (b), rule (⊕) expresses that some trace of p ⊕ q satisfies ρ iff some trace of p or some trace of q satisfies ρ. Rule (〈;〉⊓) means that some trace of p; q satisfies φ ⊓ □ϕ iff some trace of p satisfies □ϕ and, if it terminates, some following trace of q satisfies φ ⊓ □ϕ. Rule (〈∗n〉) unwinds the loop program into a sequential one. Rules ([∗]⊔) and (〈∗〉⊓) proceed with the proof by eliminating the loop operator ∗. They are similar to rules (〈ω〉⊓) and ([ω]⊔), but contain the terminating conditions (e.g. ζ3 in rule (〈∗〉⊓)) for the state property φ. Inv is the loop invariant. In rule (〈∗〉⊓), a number x is needed to indicate the number of repetitions of p before p terminates.
In Fig. 5 (c), rule (o) is an ‘oracle’ rule indicating the termination of the proof, where all formulae in Γ, ∆ must be QF-LIA logic formulae. Rule (o) means that to prove the validity of the conclusion, we check the validity of the QF-LIA logic formula in the premise. This process can be handled through an SMT-checking procedure, which is independent of the cDL proof calculus. (ax) is another termination rule. We omit the details of the other traditional FOL rules.
Fig. 5. Proof Calculus of cDL
(a) Rules for special primitives in cDL, including:
$$\frac{\Gamma[V'/V],\ (h(c_1), \ldots, h(c_n)) = (x_1 + 1, \ldots, x_n + 1),\ (\eta(c_1), \ldots, \eta(c_n)) = (1, \ldots, 1),\ (\eta(d_1), \ldots, \eta(d_m)) = (0, \ldots, 0) \Rightarrow \phi \wedge \varphi \Rightarrow \Delta[V'/V]}{\Gamma \Rightarrow \langle \alpha \rangle \phi \sqcap \Box\varphi \Rightarrow \Delta}\ (\alpha)$$
$$\frac{g \wedge \langle \alpha \rangle \phi \sqcap \Box\varphi}{\langle g?\alpha \rangle \phi \sqcap \Box\varphi}\ (g?)$$
$$\frac{\zeta_1 : \Gamma \Rightarrow Inv, \Delta \qquad \zeta_2 : \cdot \Rightarrow Inv \to \langle p \rangle Inv \sqcap \Box\varphi}{\zeta : \Gamma \Rightarrow \langle p^\omega \rangle \phi \sqcap \Box\varphi, \Delta}\ (\langle\omega\rangle\sqcap)$$
$$\frac{\Gamma \Rightarrow \exists x.Inv(x), \Delta \qquad \cdot \Rightarrow \forall x > 0.(Inv(x) \to [p]Inv(x-1) \sqcup \Diamond\varphi) \qquad \cdot \Rightarrow (\exists x \le 0.Inv(x)) \to [p]\Diamond\varphi}{\Gamma \Rightarrow [p^\omega] \phi \sqcup \Diamond\varphi, \Delta}\ ([\omega]\sqcup)$$
(b) Rules mainly inherited from FODL and dTL2, including:
$$\frac{\phi \vee \langle p; p^* \rangle (\phi \sqcap \Box\varphi)}{\langle p^* \rangle (\phi \sqcap \Box\varphi)}\ (\langle *_n \rangle)$$
$$\frac{\Gamma \Rightarrow Inv, \Delta \qquad \cdot \Rightarrow Inv \to [p] Inv \sqcup \Diamond\varphi \qquad \cdot \Rightarrow Inv \to \phi}{\Gamma \Rightarrow [p^*] \phi \sqcup \Diamond\varphi, \Delta}\ ([*]\sqcup)$$
$$\frac{\zeta_1 : \Gamma \Rightarrow \exists x.Inv(x) \wedge \varphi, \Delta \qquad \zeta_2 : \cdot \Rightarrow \forall x > 0.(Inv(x) \to \langle p \rangle Inv(x-1) \sqcap \Box\varphi) \qquad \zeta_3 : \cdot \Rightarrow (\exists x \le 0.Inv(x)) \to \phi}{\zeta : \Gamma \Rightarrow \langle p^* \rangle \phi \sqcap \Box\varphi, \Delta}\ (\langle * \rangle \sqcap)$$
(c) Traditional FOL rules, e.g.:
$$\frac{\Gamma \Rightarrow \phi, \Delta \qquad \Gamma \Rightarrow \varphi, \Delta}{\Gamma \Rightarrow \phi \wedge \varphi, \Delta}\ (\wedge r) \qquad \frac{\Gamma, \phi, \varphi \Rightarrow \Delta}{\Gamma, \phi \wedge \varphi \Rightarrow \Delta}\ (\wedge l)$$
B. Soundness, Completeness and Automaticity of cDL
The soundness of the rules in Fig. 5 (b), (c) follows directly from the proof calculi of FODL [19] and dTL2 [14]. The soundness of the rules in Fig. 5 (a) can be obtained directly from the semantics of cDL. Here we omit the detailed discussion of them.
Generally, like FODL, cDL is not complete, due to Gödel’s incompleteness theorem [21]. The sub-logic of cDL without the operator ω is relatively complete w.r.t. arithmetic FOL, due to the relative completeness of dTL2 [14]. However, it still remains open whether cDL is relatively complete w.r.t. arithmetic FOL. The main reason is that for rules (〈ω〉⊓) and ([ω]⊔), we still do not know whether, for each CPM p, there exists an invariant Inv s.t. the falsehood of the premise implies the falsehood of the conclusion, which is the key to proving the relative completeness of cDL.
FODL and dTL2 are generally semi-automatic because the loop invariant is undecidable in a program model that includes Presburger arithmetic. However, CPM only contains very simple arithmetic expressions (clock events α) and conditions (clock guards g). It is still not clear to us whether the invariant in cDL is generally decidable or not.
VI. A METHOD FOR SCHEDULABILITY ANALYSIS OF
CCSL IN CDL
In this section we discuss how to describe and analyze the
CCSL schedule problem in cDL calculus built in previous
sections.
A. Encoding CCSL Specifications into cDL
The encoding of a CCSL specification SP = 〈ÞCdf,gRel,F〉
can be accomplished in two steps:
i. Modeling the dynamic behaviour of all clocks C(SP) as a
CPM psp. This can be done by encoding the synchronous
product of all clock definitions in ÞCdf and all free clocks
in F ;
ii. Encoding all static clock relations in gRel as a temporal
formula ϕsp.
In step i, the encoding from a cLTS into a CPM is the standard process of
Brzozowski [22] for translating a transition system into the language it
expresses: the cLTS is expressed as a set of algebraic equations, which are
then solved by applying Arden’s rule [23].
Proposition 6.1 (Arden’s rule in CPM): Given any CPMs p, q (where q ≢ ε),
X ≡ q*; p ⊕ q^ω is a solution of X ≡ p ⊕ q; X in CPM.
Prop. 6.1 is straightforward since CPM can be seen as an omega algebra [24];
we omit the proof.
Algo. 1 gives the main idea of the encoding from cLTS to CPM. Each
compositional transition in the cLTS corresponds to a relation l ≡ p; l′ in
the equations. All such transitions from a state are linked by the choice
operator ⊕. Each equation (k) contains the empty program ε, which
corresponds to the fact that the state lk is an accepting state for any
schedule that passes through it.
Algorithm 1 Encoding cLTS into CPM
1: procedure CLTS_2_CPM(A = 〈L, T, l0, C〉)
2:   Build a set of equations from A:
       l1 ≡ ε ⊕ p11; l1 ⊕ p12; l2 ⊕ ... ⊕ p1n; ln   (1)
       l2 ≡ ε ⊕ p21; l1 ⊕ p22; l2 ⊕ ... ⊕ p2n; ln   (2)
       ...
       ln ≡ ε ⊕ pn1; l1 ⊕ pn2; l2 ⊕ ... ⊕ pnn; ln   (n)
     where pij (1 ≤ i, j ≤ n) is of the form a1 ⊕ ... ⊕ ao, with each ak
     (1 ≤ k ≤ o) of the form α or g?α. In each equation, l ≡ ... ⊕ p; l′ ⊕ ...
     iff there exists a compositional transition [l, p, l′] ⊆ T.
3:   for each k, k = n, n − 1, ..., 2, 1 do
4:     substitute lk+1, ..., ln in equation (k).
5:     transform equation (k) into the form lk ≡ p ⊕ q; lk.
6:     By Prop. 6.1, obtain lk ≡ q*; p ⊕ q^ω from lk ≡ p ⊕ q; lk.
7:   return l1
Example 6.1: In SP1, the behaviour of all clocks, Asp1 (Fig. 3 (d)), is the
synchronous product of u1 ≜ v1 $ 5 (Fig. 3 (a)) and the free clocks v1, v3
(Fig. 3 (b1), (b2)). Following Algo. 1, from Asp1 we build the equations:
l1 ≡ ε ⊕ p2; l1 ⊕ p3; l2   (1)
l2 ≡ ε ⊕ p4; l2   (2)
From (2), by Prop. 6.1, we obtain l2 ≡ p4*; ε ⊕ p4^ω. Substituting l2 in (1)
and applying Prop. 6.1 again, we obtain
psp1 = l1 ≡ p2*; (ε ⊕ p3; (p4*; ε ⊕ p4^ω)) ⊕ p2^ω.
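As an added illustration of Algo. 1 and Example 6.1 (example code written for this edit, not code from the paper or its authors), the following Python script represents CPMs as a small syntax tree, builds one equation per cLTS state, and eliminates the states from ln down to l1 with Arden's rule. The cLTS Asp1 is read off equations (1) and (2) of Example 6.1 (l1 -p2-> l1, l1 -p3-> l2, l2 -p4-> l2); the events p2, p3, p4 are kept as opaque names and the printed `p^ω` stands for the paper's pω. Where a substituted state still refers to lower states, the script distributes ';' over '⊕' so that every solved equation stays linear in the remaining states; the paper's description leaves this bookkeeping implicit.

```python
"""Algo. 1 of the paper: turn a cLTS into a CPM by writing one equation per state
and eliminating the states from ln down to l1 with Arden's rule (Prop. 6.1)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# CPM syntax: ε, atomic events (α or g?α, kept as opaque names), p; q, p ⊕ q, p*, p^ω
@dataclass(frozen=True)
class Eps:
    pass
@dataclass(frozen=True)
class Atom:
    name: str
@dataclass(frozen=True)
class Seq:
    left: "Term"
    right: "Term"
@dataclass(frozen=True)
class Choice:
    left: "Term"
    right: "Term"
@dataclass(frozen=True)
class Star:
    body: "Term"
@dataclass(frozen=True)
class Omega:
    body: "Term"
Term = Union[Eps, Atom, Seq, Choice, Star, Omega]


def show(t: Term) -> str:
    """Print a CPM; * and ^ω bind tightest, then ';', then '⊕'."""
    if isinstance(t, Eps):
        return "ε"
    if isinstance(t, Atom):
        return t.name
    if isinstance(t, (Star, Omega)):
        body = show(t.body) if isinstance(t.body, (Eps, Atom)) else f"({show(t.body)})"
        return body + ("*" if isinstance(t, Star) else "^ω")
    if isinstance(t, Seq):
        return "; ".join(f"({show(s)})" if isinstance(s, Choice) else show(s) for s in (t.left, t.right))
    return f"{show(t.left)} ⊕ {show(t.right)}"


def choice_all(terms: List[Term]) -> Term:
    """Fold a non-empty list into t1 ⊕ t2 ⊕ ... ⊕ tn."""
    acc = terms[0]
    for t in terms[1:]:
        acc = Choice(acc, t)
    return acc


def arden(p: Term, q: Term) -> Term:
    """Prop. 6.1: X ≡ q*; p ⊕ q^ω solves X ≡ p ⊕ q; X, provided q ≢ ε."""
    if isinstance(q, Eps):
        raise ValueError("Arden's rule in CPM requires q ≢ ε")
    return Choice(Seq(Star(q), p), Omega(q))


def clts_to_cpm(states: List[str], transitions: List[Tuple[str, Term, str]]) -> Term:
    """Algo. 1: `states` lists l1..ln in order, `transitions` the compositional
    transitions (l, p, l').  Every equation carries ε (every state accepts the
    schedules passing through it).  A solved l_j is kept linear in the lower
    states, l_j ≡ p ⊕ ⊕_{i<j} c_i; l_i, so that substitution stays mechanical."""
    coef: Dict[str, Dict[str, List[Term]]] = {l: {} for l in states}
    for src, prog, dst in transitions:          # line 2: equation (k) from the transitions of l_k
        coef[src].setdefault(dst, []).append(prog)
    solved: Dict[str, Tuple[Term, Dict[str, Term]]] = {}
    for lk in reversed(states):                 # line 3: k = n, ..., 1
        terms: List[Tuple[str, Term]] = []      # (target state, or "" for a closed summand)
        for dst, progs in coef[lk].items():
            for a in progs:
                if dst in solved:               # line 4: substitute l_{k+1..n}; ';' distributes over ⊕
                    pj, cj = solved[dst]
                    terms.append(("", Seq(a, pj)))
                    terms.extend((li, Seq(a, c)) for li, c in cj.items())
                else:
                    terms.append((dst, a))
        closed = [Eps()] + [t for s, t in terms if s == ""]
        loops = [t for s, t in terms if s == lk]
        lower: Dict[str, List[Term]] = {}
        for s, t in terms:
            if s not in ("", lk):
                lower.setdefault(s, []).append(t)
        p = choice_all(closed)                  # line 5: l_k ≡ p ⊕ q; l_k (p may still mention l_i, i < k)
        if loops:
            q = choice_all(loops)
            p = arden(p, q)                     # line 6: l_k ≡ q*; p ⊕ q^ω
            rest = {li: Seq(Star(q), choice_all(ts)) for li, ts in lower.items()}
        else:                                   # no self-loop on l_k: nothing to eliminate
            rest = {li: choice_all(ts) for li, ts in lower.items()}
        solved[lk] = (p, rest)
    p1, rest = solved[states[0]]
    assert not rest, "l1 is the lowest state, nothing is left to substitute"
    return p1                                   # line 7


def example_6_1() -> str:
    """A_sp1 as read off equations (1) and (2) of Example 6.1:
    l1 -p2-> l1, l1 -p3-> l2, l2 -p4-> l2 (p2, p3, p4 are the events of Fig. 3)."""
    p2, p3, p4 = Atom("p2"), Atom("p3"), Atom("p4")
    return show(clts_to_cpm(["l1", "l2"], [("l1", p2, "l1"), ("l1", p3, "l2"), ("l2", p4, "l2")]))


if __name__ == "__main__":
    print(example_6_1())   # p2*; (ε ⊕ p3; (p4*; ε ⊕ p4^ω)) ⊕ p2^ω
```

The script reproduces the CPM psp1 of Example 6.1 character for character; a two-state cLTS with a cycle l1 -a-> l2 -b-> l1 and no self-loops exercises the distribution step, yielding (a; b)*; (ε ⊕ a; ε) ⊕ (a; b)^ω.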
According to Algo. 1, Prop. 6.1 and Prop. 4.1, it is easy to
see that there is a natural connection between the semantics
of a cLTS and its corresponding CPM.
Proposition 6.2 (Relation between cLTS and CPM): Let A
be a cLTS and pA be its corresponding CPM obtained from
Algo. 1, then {tr | there is a σ ∈ Sch(A) s.t. tr ∈ Trσ} is
the set of all infinite traces accepted by pA.
Prop. 6.2 says that the behaviour of a cLTS corresponds exactly to the
‘infinite behaviour’ of its corresponding CPM obtained from Algo. 1. So if
we find an infinite trace of the CPM, we have found a schedule of its
corresponding cLTS.
For step ii, the following proposition declares the relation
between clock relations and temporal formulae in cDL.
Proposition 6.3 (Encoding clock relations as temporal formulae): Given a set
of clock relations R̃el, we can build a temporal formula
ϕR̃el ::= ⋀_{Rel ∈ R̃el} ~(Rel) s.t. σ ⊨ccsl R̃el iff tr ⊨ ϕR̃el for any σ
and each tr ∈ Trσ. ~(Rel) is defined as:
Rel        ~(Rel)
c1 ≺ c2    (h(c1) = 0 ∧ h(c2) = 0) ∨ (h(c1) > h(c2))
c1 ≼ c2    h(c1) ≥ h(c2)
c1 ⊆ c2    η(c1) = 1 → η(c2) = 1
c1 # c2    η(c1) = 0 ∨ η(c2) = 0
Prop. 6.3 can be directly proved by Prop. 4.1, Def. 4.5 and
the semantics of CCSL relations (Fig. 2).
Example 6.2: The clock relations {v1 ≺ v3, v3 ≼ u1} of SP1 can be
expressed as
ϕsp1 = (~(v1 ≺ v3) ∧ ~(v3 ≼ u1)).
B. Solving the Schedule Problem
The next proposition states that the schedule problem stated
in Sect. II can be verified by proving a cDL formula.
Proposition 6.4 (Schedule problem in cDL): Given a CCSL specification
SP = 〈C̃df, R̃el, F〉, the schedule problem of SP (stated in Sect. II) holds
iff the cDL formula
φSP = I → 〈psp〉(ff u (ϕsp ∧ ϕ∅))
is valid, where psp, ϕsp are obtained from SP through steps (i), (ii) in
Sect. VI-A, I = ⋀_{c∈C(SP)} (h(c) = 0 ∧ η(c) = 0), and
ϕ∅ = ⋁_{c∈C(SP)} η(c) = 1.
Prop. 6.4 follows directly from Prop. 4.1, Def. 4.4, 4.5, Prop. 6.2, 6.3 and
Prop. 2.1. I represents the initial environment of the clock-related
variables. The role of the falsehood ff in φSP is to filter out all finite
traces of psp, since the schedules we consider correspond only to infinite
traces. Formula ϕ∅ means ‘at least one clock ticks at an instant’, which is
used to avoid the
(1) · ⇒ Isp1 → 〈(p2*; q) ⊕ p2^ω〉ϕ,  (2) Isp1 ⇒ 〈p2*〉(〈q〉ϕ u ϕ), 〈p2^ω〉ϕ,
(3) ∃k.Inv1(k),  (4) · ⇒ ∀k > 0.(Inv1(k) → 〈p2〉Inv1(k − 1) u ϕ)
(5) · ⇒ (∃k ≤ 0.Inv1(k)) → 〈q〉ϕ
(6) k > 0, Inv1(k) ⇒ 〈g1?v1〉Inv1(k − 1) u ϕ, ∆1
(7) Inv1(0) ⇒ 〈g2?{v1, v3}〉(〈q′〉ϕ u ϕ), ∆2,  (8) Inv1(0) ⇒ g2, ∆2
(9) Γ1 ⇒ 〈p4^ω〉ϕ, ∆3,  (10) Γ1 ⇒ ϕ, ∆4,  (11) Γ1 ⇒ Inv2, ∆3
(12) · ⇒ Inv2 → 〈p4〉Inv2 u ϕ, ∆3,  (13) Inv2 ⇒ 〈{v1, v3, u1}〉Inv2 u ϕ, ∆5
q = ε ⊕ p3; (p4*; ε ⊕ p4^ω),  q′ = p4*; ε ⊕ p4^ω,  ϕ = ff u (ϕsp1 ∧ ϕ∅)
Inv1(k) = (h(v1, u1) = 4 − k) ∧ h(v1, v3) ≥ 0 ∧ h(v3, u1) ≥ 0
Inv2 = (h(v1, u1) = 5 − k) ∧ h(v1, v3) ≥ 0 ∧ h(v3, u1) ≥ 0
Fig. 6. Derivation of formula Isp1 → 〈psp1〉ff u (ϕsp1 ∧ ϕ∅)
If φSP is valid, its derivation actually provides a ‘hint’ of what the
schedules of SP may ‘look like’. Essentially, the successful proof tree of
φSP (in which every leaf node is a valid node, marked √) can itself be seen
as a special ‘transition system’ that captures the behaviour of all
schedules of SP. By analyzing this proof tree, one can generate a ‘bounded
schedule’, i.e., a finite prefix of a schedule of SP.
The generating procedure is illustrated as a coarse algorithm in Algo. 2,
where ζ0 is a successful proof tree and n is a bound on the length of the
schedule. In Algo. 2, we use ‘:=’ for assignment and ‘=’ for logical
equality. Several commands on a single line are separated by the semicolon
‘;’. Starting from the root node ζ0, procedure Gen_Sch traverses each node
of the tree and continuously updates the bounded schedule σ according to
the rule applied at each node. Only 4 rules need to be considered: (g?),
(α), (〈*〉u) and (〈ω〉u). At line 7, we say ‘g is a target of rule (g?)’ if
the event being dealt with is of the form g?α. Line 10 is similar. At line
11, the nodes ζ1, ζ2, ζ3 correspond to the child nodes of rule (〈*〉u)
respectively (see rule (〈*〉u) in Fig. 5 (b)). Line 16 is similar. |σ| is
the length of σ as a finite sequence.
Algorithm 2 Generating a bounded schedule from a proof tree
1: procedure GEN_SCH(ζ0 = 〈ν0, τ0〉, σ, n)
2:   Ξ := {ζ0}   /* nodes remaining to be analyzed */
3:   while Ξ ≠ ∅ ∧ |σ| ≤ n do
4:     take a ζ = 〈ν, τ〉 out of Ξ
5:     if ν = ∅ then continue   /* a leaf node */
6:     if τ = ‘(g?)’ ∧ σ ⊭ g then   /* stop the analysis of this branch */
7:       continue   /* g is the ‘target’ of rule (g?) */
8:     else if τ = ‘(α)’ then
9:       put all nodes of ν in Ξ; σ := σα;
10:      continue   /* α is the ‘target’ of rule (α) */
11:    else if τ = ‘(〈*〉u)’ then   /* set ν = (ζ1, ζ2, ζ3) */
12:      put ζ3 in Ξ;
13:      while k ≠ 0 ∧ |σ| ≤ n do   /* k is a witness of ‘∃x.Inv(x)’ in ζ1 */
14:        σ′ := GEN_SCH(ζ2, σ, n); σ := σσ′; k := k − 1
15:      continue
16:    else if τ = ‘(〈ω〉u)’ then   /* set ν = (ζ1, ζ2) */
17:      while |σ| ≤ n do
18:        σ′ := GEN_SCH(ζ2, σ, n); σ := σσ′
19:      continue
20:    else put all nodes of ν in Ξ; continue
21:  return σ
Example 6.3: We consider the schedule problem of SP1. According to
Prop. 6.4, it can be expressed as the cDL formula
Isp1 → 〈psp1〉ff u (ϕsp1 ∧ ϕ∅), where
Isp1 = ⋀_{c∈{v1,v3,u1}} (h(c) = 0 ∧ η(c) = 0) and
ϕ∅ = ⋁_{c∈{v1,v3,u1}} η(c) = 1. psp1 and ϕsp1 have been given in
Examples 6.1 and 6.2.
Fig. 6 shows a rough derivation of this formula, where each step abstractly
represents one or more derivations, with the rules being applied listed on
the right; e.g., from node (1), by applying the rules (∨r), (¬r), (⊕) and
(〈;〉u) in sequence, we obtain node (2). Except for the first step, we omit
all FOL rules in the other steps. The derivation starts from the root (1)
and terminates if (i) all leaf nodes are valid (√), or (ii) one of the leaf
nodes is not valid. We omit the details of each branch using (...). The
lower part of Fig. 6 shows the detailed content of each node. p1−p4 have
already been given in Fig. 3. Due to the limit of space, we omit the
details of the contexts Γ1, ∆1−∆5. The proof succeeds, with all branches
finally terminating.
Let ζ0 = (1), σ = ∅ and n = 7. By calling procedure Gen_Sch we obtain a
bounded schedule of SP1: v1v1v1v1{v1, v3}{v1, v3, u1}{v1, v3, u1}. The red
path in Fig. 6 shows the process of running Algo. 2. In rule (〈*〉u), k = 4
is a witness of ‘∃k.Inv1(k)’ at node (3). Nodes (6), (7) and (13) are the 3
crucial nodes where the sets of ticked clocks v1, {v1, v3} and {v1, v3, u1}
are generated, respectively.
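As an added example that is not part of the paper, the Python below evaluates the encodings ~(Rel) of Prop. 6.3 together with the formulae I and ϕ∅ of Prop. 6.4 along a bounded schedule, and replays the schedule of SP1 obtained in Example 6.3 against the relations {v1 ≺ v3, v3 ≼ u1} of Example 6.2. Since Def. 4.5 is not reproduced on this page, the script assumes that after each instant h(c) counts the ticks of c up to and including that instant and η(c) = 1 iff c ticks at that instant; only the formula side (ϕsp ∧ ϕ∅) is checked, not acceptance by the CPM psp. The two violating schedules are constructed for this example.

```python
"""Evaluating the cDL encoding of CCSL clock relations (Prop. 6.3) and the
formulae I and ϕ_∅ of Prop. 6.4 along a bounded schedule."""
import re
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

Env = Dict[str, int]                    # clock -> value, used for both h(·) and η(·)
Schedule = Sequence[FrozenSet[str]]     # the set of clocks that tick at each instant
Relation = Tuple[str, str, str]         # (kind, c1, c2); kind in {"prec", "cause", "sub", "excl"}
Pred = Callable[[Env, Env], bool]       # predicate over (h, η) at one instant


def encode_relation(rel: Relation) -> Pred:
    """~(Rel) from the table of Prop. 6.3."""
    kind, c1, c2 = rel
    if kind == "prec":    # c1 ≺ c2:  (h(c1) = 0 ∧ h(c2) = 0) ∨ h(c1) > h(c2)
        return lambda h, eta: (h[c1] == 0 and h[c2] == 0) or h[c1] > h[c2]
    if kind == "cause":   # c1 ≼ c2:  h(c1) ≥ h(c2)
        return lambda h, eta: h[c1] >= h[c2]
    if kind == "sub":     # c1 ⊆ c2:  η(c1) = 1 → η(c2) = 1
        return lambda h, eta: eta[c1] != 1 or eta[c2] == 1
    if kind == "excl":    # c1 # c2:  η(c1) = 0 ∨ η(c2) = 0
        return lambda h, eta: eta[c1] == 0 or eta[c2] == 0
    raise ValueError(f"unknown relation kind {kind!r}")


def phi_sp(rels: Sequence[Relation]) -> Pred:
    """ϕ_SP = ⋀ ~(Rel) over all relations of the specification."""
    preds = [encode_relation(r) for r in rels]
    return lambda h, eta: all(p(h, eta) for p in preds)


def phi_some_tick(h: Env, eta: Env) -> bool:
    """ϕ_∅ of Prop. 6.4: ⋁ η(c) = 1, i.e. at least one clock ticks at this instant."""
    return any(v == 1 for v in eta.values())


def initial_env(clocks: Sequence[str]) -> Tuple[Env, Env]:
    """I = ⋀ (h(c) = 0 ∧ η(c) = 0)."""
    return {c: 0 for c in clocks}, {c: 0 for c in clocks}


def trace(clocks: Sequence[str], schedule: Schedule) -> List[Tuple[Env, Env]]:
    """Clock variables after each instant of the schedule, starting from I.
    Assumption (Def. 4.5 is not reproduced here): h(c) counts the ticks of c up
    to and including the current instant, η(c) = 1 iff c ticks at that instant."""
    h, eta = initial_env(clocks)
    out = []
    for ticks in schedule:
        unknown = set(ticks) - set(clocks)
        if unknown:
            raise ValueError(f"schedule mentions clocks outside C(SP): {sorted(unknown)}")
        h = {c: h[c] + (1 if c in ticks else 0) for c in clocks}
        eta = {c: (1 if c in ticks else 0) for c in clocks}
        out.append((h, eta))
    return out


def first_violation(clocks: Sequence[str], rels: Sequence[Relation], schedule: Schedule) -> int:
    """Index of the first instant at which ϕ_SP ∧ ϕ_∅ fails, or -1 if the whole
    bounded schedule satisfies it (the CPM side, p_SP, is not checked here)."""
    phi = phi_sp(rels)
    for i, (h, eta) in enumerate(trace(clocks, schedule)):
        if not (phi(h, eta) and phi_some_tick(h, eta)):
            return i
    return -1


def parse_schedule(text: str) -> List[FrozenSet[str]]:
    """Read the paper's notation, e.g. 'v1v1{v1, v3}', into tick sets.
    Clock names are assumed to be a letter followed by digits."""
    out = []
    for single, group in re.findall(r"([a-z]\d+)|\{([^}]*)\}", text):
        out.append(frozenset([single] if single else [c.strip() for c in group.split(",")]))
    return out


# SP1 from the paper: clocks v1, v3, u1 and the relations {v1 ≺ v3, v3 ≼ u1}
SP1_CLOCKS = ("v1", "v3", "u1")
SP1_RELS = (("prec", "v1", "v3"), ("cause", "v3", "u1"))

# the bounded schedule (n = 7) generated in Example 6.3 ...
BOUNDED = parse_schedule("v1v1v1v1{v1, v3}{v1, v3, u1}{v1, v3, u1}")
# ... and two constructed counterexamples (not from the paper): v3 ticking before v1
# breaks v1 ≺ v3 at instant 0, and an instant with no tick at all breaks ϕ_∅ at instant 1
BAD_PREC = parse_schedule("v3v1")
BAD_IDLE = [frozenset({"v1"}), frozenset()]

if __name__ == "__main__":
    print(first_violation(SP1_CLOCKS, SP1_RELS, BOUNDED))   # -1
    print(first_violation(SP1_CLOCKS, SP1_RELS, BAD_PREC))  # 0
    print(first_violation(SP1_CLOCKS, SP1_RELS, BAD_IDLE))  # 1
```

After the seventh instant the trace reaches h(v1) = 7, h(v3) = 3, h(u1) = 2, so h(v1, u1) = 5 as in Inv2 of Fig. 6, and every instant satisfies both relations and ϕ∅; the check stops at the first instant where a constructed schedule breaks either.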
VII. CONCLUSION AND FUTURE WORK
In this paper we proposed a logical method for the schedulability analysis
of CCSL specifications. We mainly focused on the construction of a dynamic
logic cDL and its proof calculus. Based on cDL, we carried out a
schedulability analysis of CCSL and showed how the derivation works through
an example.
Future work may focus on the implementation of our cDL calculus in a
theorem prover like Isabelle. We are also interested in analyzing the
relative completeness of cDL and the decidability of the loop invariants in
CPM.
REFERENCES
[1] F. Mallet, “Clock constraint specification language: specifying clock constraints with UML/MARTE,” ISSE, vol. 4, no. 3, pp. 309–314, 2008.
[2] OMG, “UML profile for MARTE: Modeling and analysis of real-time embedded systems,” OMG, Tech. Rep. formal/11-06-02, June 2011.
[3] C. André, “Syntax and semantics of the Clock Constraint Specification Language (CCSL),” INRIA, Research Report RR-6925, 2009.
[4] L. Lamport, “Time, clocks, and the ordering of events in a distributed system,” Commun. ACM, vol. 21, no. 7, pp. 558–565, 1978.
[5] G. Berry and G. Gonthier, “The Esterel synchronous programming language: design, semantics, implementation,” Sci. Comput. Program., vol. 19, no. 2, pp. 87–152, 1992.
[6] J. Peters, R. Wille, N. Przigoda, U. Kühne, and R. Drechsler, “A generic representation of CCSL time constraints for UML/MARTE models,” in DAC. ACM, 2015, pp. 122:1–122:6.
[7] E.-Y. Kang and P.-Y. Schobbens, “Schedulability analysis support for automotive systems: from requirement to implementation,” in SAC. ACM, 2014, pp. 1080–1085.
[8] H. Yu, J.-P. Talpin, L. Besnard, T. Gautier, H. Marchand, and P. Le Guernic, “Polychronous controller synthesis from MARTE CCSL timing specifications,” in MEMOCODE. IEEE, 2011, pp. 21–30.
[9] M. Zhang, F. Mallet, and H. Zhu, “An SMT-based approach to the formal analysis of MARTE/CCSL,” in ICFEM ’16. Springer, 2016, pp. 433–449.
[10] L. Yin, J. Liu, Z. Ding, F. Mallet, and R. de Simone, “Schedulability analysis with CCSL specifications,” in APSEC (1). IEEE Computer Society, 2013, pp. 414–421, ISBN 978-1-4799-2143-0.
[11] M. Zhang, F. Dai, and F. Mallet, “Periodic scheduling for MARTE/CCSL: Theory and practice,” Sci. Comput. Program., vol. 154, pp. 42–60, 2018.
[12] M. Zhang and Y. Ying, “Towards SMT-based LTL model checking of clock constraint specification language for real-time and embedded systems,” in LCTES ’17. ACM, 2017, pp. 61–70.
[13] D. Harel, First-Order Dynamic Logic, ser. LNCS, vol. 68. Springer, 1979.
[14] J.-B. Jeannin and A. Platzer, “dTL2: Differential temporal dynamic logic with nested temporalities for hybrid systems,” in IJCAR, ser. Lecture Notes in Computer Science, vol. 8562. Springer, 2014, pp. 292–306.
[15] C. Barrett, P. Fontaine, and C. Tinelli, “The SMT-LIB Standard: Version 2.6,” Department of Computer Science, The University of Iowa, Tech. Rep., 2017, available at www.SMT-LIB.org.
[16] F. Mallet, J.-V. Millo, and R. de Simone, “Safe CCSL specifications and marked graphs,” in 11th ACM/IEEE Int. Conf. on Formal Methods and Models for Codesign. IEEE, 2013, pp. 157–166.
[17] Y. Zhang, H. Wu, Y. Chen, and F. Mallet, “Embedding CCSL into dynamic logic: A logical approach for the verification of CCSL specifications,” in FTSCS 2018, Gold Coast, Australia, Nov. 2018.
[18] F. Mallet and R. de Simone, “Correctness issues on MARTE/CCSL constraints,” Sci. Comput. Program., vol. 106, pp. 78–92, 2015.
[19] D. Harel, D. Kozen, and J. Tiuryn, “Dynamic logic,” SIGACT News, vol. 32, no. 1, pp. 66–69, 2001.
[20] G. Gentzen, “Untersuchungen über das logische Schließen,” Ph.D. dissertation, Göttingen, 1934.
[21] K. Gödel, “Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme,” Monatshefte für Mathematik und Physik, vol. 38, no. 1, pp. 173–198, 1931.
[22] J. A. Brzozowski, “Derivatives of regular expressions,” J. ACM, vol. 11, no. 4, pp. 481–494, 1964.
[23] D. N. Arden, “Delayed-logic and finite-state machines,” in SWCT (FOCS). IEEE Computer Society, 1961, pp. 133–151.
[24] M. R. Laurence and G. Struth, “Omega algebras and regular equations,” in RAMICS, ser. Lecture Notes in Computer Science, vol. 6663. Springer, 2011, pp. 248–263.
