Rewriting the formula in clausal form yields the following three clauses:

f (T ) + 45 ≤ h(U )

h(U ) − 59 ≤ f (T ) (which is equivalent to h(U ) < f (T ) + 60)

h(U ) + 1 ≤ g2(T ) g2(T ) + 46 ≤ h(U )

Next we construct the constraint graph corresponding to the formulas in clausal form.

6.4.1 Graph Construction

For each literal v1 ± I ≤ v2, we construct a node labeled v1, a node labeled v2, and an edge v1, v2 with weight ± I from node v1 to node v2. The outline of the algorithm [Jahanian and Mok, 1987] to construct the constraint graph is as follows.

Algorithm Build Graph: Initially, the graph G is empty.

For each clause Ci , for each literal in Ci : v1 ± I ≤ v2:

1.Find the cluster with the function symbol of term v1. If not found, create a new cluster.

2.Search the cluster found or created in step 1 for a node labeled vi . If not found, add the node labeled v1 to the cluster. (Note that if the cluster has just been created in step 1, the search is not necessary as the cluster is empty.)

3.Repeat steps 1 and 2 for the term v2.

4.Create a directed edge v1, v2 with weight ± I from node v1 to node v2.

Figure 6.1 shows the construction of the constraint graph corresponding to the above example specification and negation of the safety assertion.

6.5 CHECKING FOR UNSATISFIABILITY

We can use the constructed constraint graph G representing F to determine whether F is unsatisfiable by identifying cycles with positive weights in G. To do so, we first define unification and then redefine the concepts of a path and a cycle for this type of graph.

Unification: We say there is a unification of vi and v i if a substitution S (which replaces a term by another term) exists such that vi S = v i S where vi S and v i S denote the terms after applying S to vi and v i , respectively.

Chapter 2 contains a discussion of unification as well as related concepts, and provides examples.

156 REAL-TIME LOGIC, GRAPH-THEORETIC ANALYSIS, AND MODECHART

0

a. f(x) g1(x)

30

0

b. f(x) g1(x) g2(x)

30

45

h(U)

30

45

h(U)

30

Figure 6.1 Constructing the constraint graph corresponding to example.

Path: We say there is a path from node v0 to node vn in a graph G if there is a sequence of edges v0, v1 , v 1, v2 , v 2, v3 , . . . , v n−2, vn−1 , v n−1, vn and a substitution S such that there is pairwise unification of vi and v i for all 1 ≤ i < n. Note that each pair of vi and v i , 1 ≤ i < n − 1, must be either the same or in the same cluster.

Cycle: A cycle exists in a graph G if there is a sequence of edges v0, v1 , v 1, v2 ,v 2, v3 , . . . , v n−2, vn−1 , v n−1, vn and a substitution S such that there is a path from v0 to vn , and v0 and vn can be unified with the substitution S. Again, note that v0 and vn must be either the same or in the same cluster. The weight of a path or cycle is defined as the sum of the weights of the edges in the path or cycle.

Now we are ready to show that if there is a cycle with positive weight in the graph G corresponding to formula F , then the formula consisting of the conjunction of literals (inequalities) corresponding to the edges in the cycle is unsatisfiable. We apply the substitution S to each inequality Li in the cycle.

v0S + I0 ≤ v1S

v 1S + I1 ≤ v2S

v 2S + I2 ≤ v3S

.

.

.

v n−1S + In−1 ≤ vn S

Then we add these inequalities, yielding

I0 + I1 + · · · + In−1 ≤ 0,

which is clearly unsatisfiable, meaning that the original RTL inequalities corresponding to these edges are unsatisfiable.

6.6 EFFICIENT UNSATISFIABILITY CHECK

We have shown that if every edge in a positive cycle corresponds to a literal that belongs to a unit clause, then the formula F must be unsatisfiable, and hence the safety assertion SA is derivable from the specification SP. However, if an edge in the cycle corresponds to a literal that belongs to a non-unit clause, then we have to show that each of the remaining literals in this clause corresponds to an edge in a different positive cycle. The intuitive reason behind this is that the clause is disjunctive. Therefore, to show that the entire clause is unsatisfiable (false), each of its disjuncts must be shown to be unsatisfiable (false). In our example, the negation

158 REAL-TIME LOGIC, GRAPH-THEORETIC ANALYSIS, AND MODECHART

of the safety assertion contains the clause

h(U ) + 1 ≤ g2(T ) g2(T ) + 46 ≤ h(U ).

If an edge in a positive cycle that corresponds to h(U ) + 1 ≤ g2(T ) is identified, then we also have to show that another positive cycle exists with an edge corresponding to the second literal g2(T ) + 46 ≤ h(U ).

Obviously, as the number of edges in positive cycles that correspond to literals belonging to non-unit clauses increases, the number of different positive cycles that must be identified increases combinatorially. In fact, the problem of determining the unsatisfiability of F is NP-complete. Considering the difficulty of the problem, a more efficient, but still exponential-run-time, algorithm is developed in [Jahanian and Mok, 1987] to check for unsatisfiability.

The algorithm makes use of the following observations. Recall that the formula F is a conjunction of n clauses

C1 C2 · · · Cn , where each Ck is a disjunctive clause

Lk,1 Lk,2 · · · Lk,mk .

Note that the literals in different clauses need not be distinct. We use the following notations to denote the inequalities corresponding to the edges in the ith positive cycle found:

Xi,1, Xi,2, . . . , Xi,ni ,

where Xi, j is the literal corresponding to the jth edge in the ith positive cycle found, and each Xi, j is in at least one of the Ck s. Suppose

Pi = Xi,1 Xi,2 · · · Xi,ni .

We know from the above discussion that Pi is unsatisfiable. Therefore, F is satisfiable iff F ¬Pi is satisfiable. As a result, the existence of the positive cycle is equivalent to adding the clause

¬Pi = ¬Xi,1 ¬Xi,2 · · · ¬Xi,ni

to F , making it possible to use ¬Pi to show that F is unsatisfiable.

Example. We use capital letters to denote the literals in the set S1 of clauses of F :

A= f (x) ≤ g1(x)

B= g2(x) − 30 ≤ f (x)

C = g1(y) + 15 ≤ g2(y)