The RTGIL theorem prover is a satisfiability checker based on a decision procedure, rather than a Gentzen-style theorem prover based on inference rules. The decision procedure for RTGIL is given as an automata-theoretic method in [4]. The implementation, however, is a tableau-theoretic method that achieves better time and space efficiency, on average, than the automata-theoretic method. It employs the notion of a timed tableau, the analogue of the timed automaton of Alur and Dill [1]. The user, working in the …

The graphical user interface with a counterexample model. The proof in Fig. 1 is modified so that the upper bound of 2.0 secs in premise P2 is replaced by 3.0 secs. The attempted proof is invalid, and this counterexample is generated. Note that the interval from glide to ¬glide without an intervening land is at most 3.0 secs, and the interval from ¬glide to abort is at most 3.0 secs. Thus the premises bound the interval from glide to land ∨ abort only by 6.0 secs, which is weaker than the 5.0 secs required by theorem T, and the counterexample model exhibits an interval longer than 5.0 secs.

If an attempted proof of a theorem is valid, the proof dependency file is updated with information about the premises of the proof and the time at which the proof was performed. To confirm that a proof is up-to-date, the proof manager checks that neither the theorem nor any of the premises has been modified since the time of the proof. It also detects circularities in a proof and ensures that the proof dependency graph is acyclic.

6 Conclusion

Our experience in using the RTGIL tools has shown that these tools and the graphical representation of the logic are very helpful for specifying and verifying properties of concurrent real-time systems. In addition to the aircraft example, we have used these tools to specify and verify properties of a railroad crossing system, a robot, an alarm system, and a four-phase handshaking protocol. The RTGIL tools are implemented in Lucid Common Lisp and also in Franz Allegro Common Lisp, and require at least 32 MBytes of main memory and 64 MBytes of swap space. The graphical editor was implemented using the Garnet graphics toolkit [3], which runs within the X window system. The RTGIL tools and related papers are publicly available, and can be obtained by anonymous ftp from alpha.ece.ucsb.edu in directory /pub/RTGIL.
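The dependency bookkeeping described for the proof manager above (after a valid proof, record the premises and the proof time; later confirm that neither the theorem nor any premise was modified since; refuse circular proofs so the dependency graph stays acyclic), written out as an added Python example. This is not the RTGIL tools' own code, which is in Common Lisp; the class and method names, and the labels P1, P2 and T with their placeholder formula text, are hypothetical sample data. It goes one step beyond the text in two places, both marked in the comments: it also records a content digest, so that an edit which preserves or sets back a file's modification time is still detected, and it treats a premise whose own proof has gone stale as invalidating the proofs that use it.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Formula:
    """A theorem or premise as stored on disk (hypothetical representation)."""
    name: str
    text: str      # the formula itself, treated here as an opaque string
    mtime: float   # last-modified time, as the file system would report it


@dataclass
class ProofRecord:
    """One entry of the proof dependency file."""
    theorem: str
    premises: tuple    # names of the premises the proof relied on
    proved_at: float   # time at which the proof was performed
    digests: dict      # name -> SHA-256 of the formula text at proof time (added caveat)


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ProofManager:
    def __init__(self):
        self.formulas = {}   # name -> Formula
        self.records = {}    # theorem name -> ProofRecord

    def put_formula(self, name, text, mtime):
        """Create or edit a formula; the caller supplies the new modification time."""
        self.formulas[name] = Formula(name, text, mtime)

    def depends_on(self, start, target):
        """True if `target` is reachable from `start` through recorded proofs."""
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node == target:
                return True
            if node in seen:
                continue
            seen.add(node)
            rec = self.records.get(node)
            if rec is not None:
                stack.extend(rec.premises)
        return False

    def record_proof(self, theorem, premises, proved_at):
        """Update the dependency file after a valid proof, refusing circularities."""
        names = (theorem, *premises)
        missing = [n for n in names if n not in self.formulas]
        if missing:
            raise KeyError("unknown formulas: %s" % missing)
        # A proof of T may not, directly or through other proofs, rely on T:
        # admitting it would make the dependency graph cyclic.
        for p in premises:
            if self.depends_on(p, theorem):
                raise ValueError("circular proof: %s depends on itself via %s" % (theorem, p))
        rec = ProofRecord(theorem, tuple(premises), proved_at,
                          {n: _digest(self.formulas[n].text) for n in names})
        self.records[theorem] = rec
        return rec

    def is_up_to_date(self, theorem, check_content=False):
        """Confirm that neither the theorem nor any premise changed since the proof.

        check_content=True also compares content digests, catching an edit whose
        modification time was preserved or set back (added caveat, not in the text).
        A premise that is itself a proved theorem must in turn have a current proof
        (transitive check; an extension beyond what the text states).
        """
        rec = self.records.get(theorem)
        if rec is None:
            return False
        for name in (theorem, *rec.premises):
            f = self.formulas.get(name)
            if f is None or f.mtime > rec.proved_at:
                return False
            if check_content and _digest(f.text) != rec.digests[name]:
                return False
        return all(self.is_up_to_date(p, check_content)
                   for p in rec.premises if p in self.records)


def demo():
    """Constructed sample data mirroring the text: T proved from P1 and P2, then P2 edited."""
    pm = ProofManager()
    pm.put_formula("P1", "glide to not-glide, no intervening land, within 3.0 s", mtime=10.0)
    pm.put_formula("P2", "not-glide to abort within 2.0 s", mtime=10.0)
    pm.put_formula("T", "glide to land or abort within 5.0 s", mtime=10.0)
    pm.record_proof("T", ["P1", "P2"], proved_at=20.0)
    out = {"fresh": pm.is_up_to_date("T")}
    # The edit from the text: the 2.0 s bound in P2 becomes 3.0 s, after the proof.
    pm.put_formula("P2", "not-glide to abort within 3.0 s", mtime=30.0)
    out["after_edit"] = pm.is_up_to_date("T")
    # The same edit, but with the modification time set back before the proof time.
    pm.put_formula("P2", "not-glide to abort within 3.0 s", mtime=15.0)
    out["mtime_only"] = pm.is_up_to_date("T")
    out["content"] = pm.is_up_to_date("T", check_content=True)
    # Proving P2 from T would close the cycle T -> P2 -> T and is refused.
    try:
        pm.record_proof("P2", ["T"], proved_at=40.0)
        out["cycle_rejected"] = False
    except ValueError:
        out["cycle_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `fresh=True`, `after_edit=False`, `mtime_only=True` (the time-based check alone is fooled by the set-back timestamp), `content=False` (the digest is not), and `cycle_rejected=True`. The cycle check runs at record time, so the graph never contains a cycle and the recursive up-to-date check cannot loop.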
References

1. R. Alur and D. Dill, "Automata for modelling real-time systems," Proceedings of the 17th International Colloquium on Automata, Languages and Programming (ICALP), 1990.
2. D. L. Dill, "Timing assumptions and verification of finite-state concurrent systems," Automatic Verification Methods for Finite State Systems, 1989.
3. R. B. Dannenberg et al., "Garnet: comprehensive support for graphical, highly interactive user interfaces," Computer, 1990.
4. L. E. Moser et al., "A real-time interval logic and its decision procedure," Proceedings of FSTTCS, 1993.