# Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Save this PDF as:

Size: px
Start display at page:

Download "http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86"

## Transcription

1 Atlantic Electronic Journal of Mathematics Volume 1, Number 1, Summer 2006 pp AUTOMATED RECOGNITION OF STUTTER INVARIANCE OF LTL FORMULAS Jeffrey Dallien 1 and Wendy MacCaull 2 Department of Mathematics, Statistics and Computer Science St. Francis Xavier University Antigonish, N.S. B2G 2W5 Abstract. Formal verification is the growing field of formalizing and verifying specifications for hardware and software systems. One such technique, known as model checking, can exhaustively check a software model for properties written in a specification language, such as Linear Temporal Logic (LTL). For large systems, memory reduction techniques are often used to complete a verification with the available hardware. One reduction technique, that of partial order reduction, has proven useful in aiding verifications, but it limits the expressiveness of LTL specifications. Due to the phenomenon of stuttered states in the model s reduced state graph representation, the LTL next operator is not guaranteed to produce correct results when partial order reduction is used. As more casual users begin using model checking, it is important to provide them with a convenient method of writing specifications that are known to be safe to use in the presence of partial order reduction. A description of how stuttered states are introduced and of a system of patterns for LTL formulas that are safe to use, despite the fact that they use the next operator, are given. To automatically determine if a formula matches one of the safe patterns, a Prolog based LTL recognizer which we developed is discussed. A listing of the patterns of formulas recognized is given as an appendix. 1. Introduction Model Checking. Formal verification is a growing field aimed at formalizing specifications for software and hardware systems. This is accomplished using methods to automatically verify that these systems satisfy their specifications. The ultimate goal of formal verification is to exhaustively verify that every behaviour of a software or hardware system is in accordance with the intended behaviours of the programmers or engineers designing the system. One method of formal verification, known as model checking, uses an abstract model of the system to check if a property holds. Automated tools, known as model checkers are used to generate all execution paths (behaviours) in the modeled system, in order to verify that all reachable paths comply with the properties specified Mathematics Subject Classification. Primary: 68Q60, 68Q45; Secondary: 03B44, 68Q85. Key words and phrases. formal methods, verification, model checking, Linear Temporal Logic, automated pattern matching. 1 Support from an NSERC Research Capacity Development Graduate Fellowship is gratefully acknowledged. 2 Support from Science and Engineering Research Council of Canada is gratefully acknowledged. 69

2 70 J. DALLIEN AND W. MACCAULL Counter-examples are provided for a property if a behaviour violates it, allowing the system s operation to be corrected. Many model checkers have been developed, employing different combinations of strategies and features for the purpose of verifying hardware and software. One such model checker for Linear Temporal Logic (LTL), known as Spin, has been developed and maintained by Gerard Holzmann at Bell Labs over the past two decades [5, 6]. Originally designed to verify communication protocols, its ability to model and verify properties on asynchronous processes has resulted in it being successfully applied to a wide range of systems Temporal Logics. Often when specifying properties of software systems, it is necessary to express some concept of time, such as that one condition becomes true after another, or some condition will always become true in the future. Propositional and predicate logic cannot express such relationships over time; temporal logics were developed to provide a means of expressing these types of properties. One such logic is Linear Temporal Logic (LTL). LTL is used to specify properties pertaining to an execution path of a model. LTL model checker software will generate all the execution paths of a model, checking that a given LTL property holds on each. The Spin model checker accepts model properties written in LTL. Linear Temporal Logic provides four temporal operators for use in logic expressions:, always;, eventually; U, until; and X, next. This paper focuses on the infrequently used next operator. The reasons for its lack of use with Spin and a description of when LTL formulas are safe to use with Spin are discussed. As more casual users begin using model checking tools, it is important to provide a simple means of identifying formulas which are safe to use, even for those users who are not very familiar with logic. With this goal in mind, we implement a recognizer to determine if a given formula matches one known to be safe. More details of the results reported here may be found in [2]. 2. Basic Definitions and Theorems. Before describing concepts and theorems in this paper, some basic definitions are necessary. More complex and specific definitions will be provided in the relevant sections of this paper, as they are needed Model and LTL Definitions. Definition 1. Let AP be a set of atomic propositions. A Kripke structure, M over AP is a four tuple, M = (S, S 0, R, L) [1], where 1. S is a finite set of states. 2. S 0 S is the set of initial states. 3. R S S is a transition relation that must be total, that is, for every state s S there is a state s S such that R(s, s ). 4. L : S 2 AP is a function that labels each state with the set of atomic propositions true in that state. Models of systems may be represented by Kripke structures and are often referred to as Kripke models. The description of a state consists of the values of the variables in the system; a change in a value means change in state. The set of initial states of M indentifies the states from which processing can begin. A transition is a pair (s, s ) from the relation R indicating a possible change in state from s to s.

3 RECOGNITION OF LTL STUTTER INVARIANCE 71 Figure 1. An example Kripke model, M 1 A path, p, in the structure M from a state s is an infinite sequence p of states s 0, s 1, s 2,... such that s 0 = s and R(s i, s i+1 ) holds for all i 0. We denote by p i the suffix s i, s i+1... of the path p LTL Syntax and Semantics. We first give the syntax of LTL in BNF form: φ := a φ φ φ φ φ φ φ φ φ X φ φuφ where a is a propositional variable. As usual, φ ψ is shorthand for φ ψ and φ ψ is shorthand for ( φ ψ). The unary operators,,,, X, bind most closely, followed by,, and U. The subset of LTL formulas not containing the X operator is denoted as LTL x. Next, the semantics of LTL are defined with respect to a Kripke model. Let M be a Kripke model, let p = s 0, s 1... be a path in the model M, let F 1 and F 2 be LTL formulas, and let a be a propositional variable. The notation M, p F 1 will be used to mean that formula F 1 holds or is satisfied along the path p in the model M. The satisfaction relation,, is formally defined inductively as follows: M, p a a L(s 0 ) M, p F M, p F M, p F 1 F 2 M, p F 1 and M, p F 2 M, p X F 1 M, p 1 F 1 M, p F 1 i 0 M, p i F 1 M, p F 1 i 0 M, p i F 1 M, p F 1 UF 2 k 0 M, p k F 2 and j 0 j < k M, p j F 1 Some basic equivalences of LTL operators are: F F (2.1) F F (2.2) F ( U F ) (2.3) F U F (2.4) X F X F (2.5) We say that M, s F iff M, p F for every path p with s as its first state. An LTL Formula F is true in a model M, written M F, iff for all paths p starting at initial points M, p F. Example 2.1. To illustrate some of the concepts of Kripke models and LTL, an example Kripke model, M 1, is given in Figure 1. Each state is represented by a circle and the letters inside each circle indicate which propositional variables are true at that state. The transitions, defined by the R relation, are shown as arrows between states. There is one initial state, s 0, and two possible paths, p 1 = s 0, s 1, s 2 and p 2 = s 0, s 1, s 3, in this model. The model M 1 and path p 1 satisfy the LTL formula x, read always x, because the variable x is true in every state of the path. The model M 1 and the initial state s 0 satisfy the LTL formula y, read eventually y, because y eventually becomes true along both paths beginning from s 0. The model M 1 and the initial state s 0 do not satisfy the LTL formula x U z because x must remain true until z becomes true but this does not happen on path p 2.

4 72 J. DALLIEN AND W. MACCAULL Figure 2. Two stutter equivalent paths 2.3. Stuttering and Stutter Equivalence. Definition 2. Stuttering occurs in a path p of states when a state occurs two or more times consecutively; that is, for p = s 0, s 1, s 2,... if there is some i N such that s i = s i+1 so that p = s 0, s 1,...s i, s i, s i+2,... Definition 3. Two infinite paths p = s 0, s 1,... and p = r 0, r 1,... are stutter equivalent, written as p st p, if there are two infinite sequences of positive integers 0 = i 0 < i 1 < i 2 <... and 0 = j 0 < j 1 < j 2 <... such that for every k 0, L(s ik ) = L(s ik +1) =... = L(s ik+1 1) = L(r jk ) = L(r jk +1)... = L(r jk+1 1). Figure 2 will help the reader understand this definition. Two paths are stutter equivalent if they can be partitioned into blocks such that the states in the k th block are labeled the same in both paths. Note that the blocks can be of different sizes. Stuttered states can occur normally and without problem when loops occur in a system s Kripke model. Problems can arise from apparent stuttered states caused by variable abstraction, which will be detailed further in the next section. The definition of stutter equivalence can be extended to structures. The structures M and M are stutter equivalent if and only if: M and M have the same set of initial states; for each path p of M that starts from an initial state s of M, there exists a path p of M from the same initial state s such that p st p ; for each path p of M that starts from an initial state s of M, there exists a path p of M from the same initial state s such that p st p. Corollary 1. Let M and M be two stutter equivalent structures. Then, for every LTL x property F, and every initial state s S 0, M, s F if and only if M, s F. We denote the set of natural numbers as N; and use,, (, ) as boolean (infinitary boolean) operations. Definition 4. The interpretation of an LTL formula F on a path p denoted as F p, is its truth value on that path; ie. F p = iff p = F. From the definition of satisfaction we see that for all LTL formulas A, a p = if a L(s 0 ) A p = A p A B p = A p B p X A p = A p1 A p = i N A pi A p = i N A pi AUB p = ( i N B pi ( i 1 ) ) A pj j=0

5 RECOGNITION OF LTL STUTTER INVARIANCE Partial Order Reduction. Model checking of systems with asynchronous processes is very difficult. In order to verify that all possible behaviours of the system do not violate a property, all the possible combinations of states and transitions over all the asynchronous processes must be considered. Interleaving is a way to represent the result of asynchronous processes because any of a variety of sequences of states may result in any execution. The combination of states and transitions creates an interleaving of the asynchronous state graphs into a single larger state graph. In an effort to reduce the number of paths explored and the number of states that must be stored during verification, a technique known as partial order reduction, first developed by Holzmann and Peled [7], is often used. The algorithm takes its name from its early versions that were based on the partial order model of program execution [1]. This reduction technique takes advantage of the fact that for a given property, the order in which states occur in a given interleaving sequence may have the same result as a different sequence of the same states. Partial order reduction groups sequences in the set of all interleaved sequences into equivalence classes: sequences of states that have the same effect for the given property are grouped together. Only one representative for a given equivalence class needs to be checked and stored, greatly reducing the number of paths and states in memory, which then allows larger models to be verified. The reduction algorithm used by Holzmann and Peled in [7] can identify instances where ignoring an interleaving of states will not result in a different verification result [1]. We may view the system states as consisting of only the variables which affect a property being checked. As we detail in the following paragraph, partial order reduction can provide a state graph that has paths which are stutter equivalent to the paths of the full state graph in terms of this property. Since a state is simply a listing of the values of the variables, ignoring some variables can produce execution paths where some state stutters. Some states may stutter more times in the reduced graph than in the full state graph, but there will be fewer sequences to check. An example state graph will be used to illustrate how the partial order reduction algorithm in [7] introduces stuttering in its reduced state graphs. A transition is considered invisible if it does not change the values of the propositional variables in a correctness property. Consider a correctness claim based on the variables x and y on the state graph in Figure 3. All transitions labelled a are invisible, that is, they do not change the value of either x or y. The transitions labelled b 1, b 2, b 3 do change the variables x and y and are therefore not invisible. The state graph shows many possible execution sequences, though many are equivalent. An example of one of the many paths in the unreduced state graph is seen in Figure 4. By executing the transitions based on the rules of the partial order reduction algorithm, we get the state graph with a single path seen in Figure 5. In terms of the claim being verified, which relates solely to the x and y variables, the order of unique states is the same. However, the reduced state graph stutters a different state than the unreduced path depending on when the invisible transition, a, is executed. As indicated by the dashed vertical lines, the two paths can be partitioned into blocks such that the k th block contains states with the same labels in both paths, as per the definition of stutter equivalence.

6 74 J. DALLIEN AND W. MACCAULL Figure 3. A reducible state graph with invisible transitions The advantage is that instead of checking all four possible execution paths in the full state graph, the model checker will only need to consider a single path by using the reduced graph. If any of the paths satisfy the claim, they all do. Controlling state space explosion is a primary concern in most verification tasks being performed today. In practice, the partial order reduction algorithm has been shown to significantly decrease the size of the state space generated when verifying properties in the best cases, and to not significantly increase the problem in the worst cases [7]. The reduction has proved useful enough to be implemented in a widely used model checker, Spin [5, 6], and its use there has taken precedence over the use of the LTL next operator in specifying correctness properties. 4. Stutter Invariance and LTL Patterns. Formulas involving the next operator are problematic if partial order reduction is used, due to stuttering. Also, documentation for the Spin model checker implies that stuttering can be introduced when the model source code is converted to intermediate code [4]. Stuttering has no adverse effects on formulas containing any of the LTL operators except for next, because the other temporal operators, (always), (eventually), and U (until), do not imply any specific number of states to which their temporal properties apply. The (always) operator indicates that in every state some proposition must be true: a repeated state will not affect the truth value of a formula quantified with always. The (eventually) operator indicates that at some point in the future some proposition must hold. Any number of states, including repeated states, can occur first without affecting the interpretation of the formula. The U (until) operator requires that one proposition hold until another one does. A repeated state could delay the second proposition of an until formula from becoming true, but could not change whether it eventually becomes true or not. Clearly then, formulas using only these operators are stutter invariant because they are not affected by repeating states. Conversely, the X (next) operator indicates that in whatever state occurs after a single transition, some proposition must hold. If a state is stuttered after partial order reduction (or otherwise), the next operator could be evaluated on the repeated state and not the actual next state in the system. Thus not all formulas using the next operator are safe to use, since the use of formulas affected by stuttering could lead to incorrect verification. The benefits of partial order reduction in saving states, combined with the uncertainty of the possible introduction of stuttering by the model checker, have led to the general sentiment that the next operator should not be used at all when writing LTL properties for model checking. This is unfortunate because the next operator can be used for specifying many useful properties, such as those involving events [10]. We wish to have the convenience of expressing LTL properties using the next operator, without the risk of misinterpretation that stuttering introduces. This leads us to the following definition Stutter Invariance.

7 RECOGNITION OF LTL STUTTER INVARIANCE 75 Figure 4. An example path from the unreduced state graph Figure 5. Reduced state graph after partial order reduction Definition 5. An LTL formula F is stutter invariant with respect to a Kripke structure M if and only if for each pair of paths p and p, such that p st p, p F if and only if p F. The set of stutter invariant LTL formulas will be denoted by I. Proposition 1. The following are some closure properties of I: If a is a variable then a I (4.1) If A I then A I (4.2) If A I and B I then (A B) I (4.3) If A I then A I (4.4) If A I then A I (4.5) If A I and B I then (AUB) I (4.6) Proof. If a is a variable then a I. By the semantics of LTL, a path p = s 0, s 1,... satisfies a propositional variable, a, if a L(s 0 ). Only the first state is relevant in the satisfaction of a, so subsequent states, stuttered or not, will have no effect on the satisfaction of a on that path, or equivalently, will not change the interpretation of a on that path. Thus, a is stutter invariant. The other properties can be shown similarly; see [9] or [2]. Remark. 4.6 is espeically important because with the exception of X, all other LTL temporal operators can be expressed in terms of U. Corollary 2. If A I and B I then (A B) I where is any of,,, or. Proof. As seen in (4.2) and (4.3), stutter invariance is closed under negation and conjunction. The result follows because conjunction and negation form an adequate set for Boolean connectives. Corollary 3. If A LT L x then A I. Stutter invariant formulas are not subject to misinterpretation due to stuttering and thus are safe to use with partial order reduction and with Spin s intermediate code. It has been shown that if a formula containing the next operator is stutter invariant then it may be translated to a formula without next to which it is equivalent in meaning [11]. However, an efficient means of performing this translation is not available for any given LTL formula. Also, the translation process may add states to the state graph generated from the formula, which in turn makes verification more difficult, something we are trying to avoid. In addition, as model checking tools become more popular, more casual users who are less familiar with the inner workings of the tools will start to use them. An automated way of detecting stutter

8 76 J. DALLIEN AND W. MACCAULL invariance for LTL formulas will be much easier for these users than requiring a complex translation to another formula with an equivalent meaning. Some formulas that contain the next operator are stutter invariant. Determining whether a formula is stutter invariant for a Kripke structure that accepts infinite sequences of states has been shown to be PSPACE-complete [12]. However, patterns of useful formulas which are stutter invariant have been determined [10]. Currently Spin does not implement any method of checking for stutter invariance; when running the model checker, only a warning is printed that stutter invariance is required for LTL properties when using partial order reduction. First a discussion on how the next operator can be used safely by using these patterns is given, then an LTL recognizer which will attempt to match a given LTL formula with a known stutter invariant pattern will be presented to help make the next operator easier to use when specifying properties for model checking Edges. To create formulas that are stutter invariant even with the next operator, the concept of edges is used [10]. An edge in temporal logic refers to a change in a variable, which guarantees that a change in state has occurred and that the same state has not simply been repeated. For example, consider the LTL formula A X A. This says that the variable A is not true in the current state but is true in the next state. If A represented whether a robotic arm is holding an item, A X A would represent going from not holding to holding, or the event of picking up the item. Similarly, A X A would represent the event of releasing the item. This change in value involves two consecutive transitions in the system and is called an edge. Definition 6. The following notation [10] will be used for edges: A = A X A A = A X A up or rising edge down or falling edge A rising edge occurs when the variable is false in one state and true in the next. Conversely, a falling edge occurs when the variable is true in one state and false in the next Properties of Edges and Stutter Invariant Formulas. Consider the formula X B where B I. This formula is not stutter invariant: if s X B and if the first state of s is stuttered to produce s, then possibly s X B. Stuttering any state other than the first does not affect the interpretation of X B. To create a stutter invariant formula from X B, we may add two things: the first is an edge of a stutter invariant formula, A. We now have a new formula, A X B, or, A X A X B. The second is the temporal quantifier,. The quantifier is needed to say that eventually our formula will be true, allowing the interpretation of the formula to apply after any stuttered initial state. The resulting formula, ( A X A X B) is stutter invariant; any repeated state in a path will not affect the interpretation of this formula. We have proved the following: Theorem 1. If A I and B I then ( A X A X B) I. This theorem forms the basis for using edges in more complex formulas that are also stutter invariant. One such complex formula is found in the following theorem.

9 RECOGNITION OF LTL STUTTER INVARIANCE 77 Theorem 2. If A, B, C, D, E, F I then ( A X B C)U( D X E F ) I. Proof. The proof of this theorem is based on the fact that AUB is stutter invariant when A and B are, by Proposition 1. It remains to show that if A, B, C, D, E, F I, then A X B C I and D X E F I. Let A, B, C I and p be a path: then from Definitions 4 and 6: A X B C p = A X A X B C p = A X A X B C p = A X A X B C p. Therefore A X B C I iff (A X A) (X B C) I. The formula A X A is stutter invariant when only the first state in a path is stuttered. This is easy to see because it says either A is true in the first state or false in the next; if both the first state and the next state are the same, one of these must be true. X B C is stutter invariant when any state besides the first is stuttered. This is also easy to see because the formula is only evaluated on the first state of a path. A stuttered state after the first does not change its interpretation. The interpretation of the entire formula is true as long as one part is true and together the two parts cover any instance of stuttering that could occur on a path. We have shown the formula A X B C to be stutter invariant. Let D, E, F I. Then, E I and F I. By the above, we can conclude: by (4.2), by simplifying, D X E F I ( D X E F ) I D X E F I D X E F I D X E F I. Finally, combining these two formulas in the form AUB yields our result. The complete proof of this theorem was given in [9]. Similarly, any up edge in the proof could be replaced with a down edge and stutter invariance would be preserved, as no step in the proof requires that the edge being used is an up edge. For simplicity up edges will be used exclusively from now on, though any of these could be replaced with a down edge for equivalently stutter invariant formulas. Note also the following: Property 1. If A I and B I and C I then ( A X B C) I. Proof of property 1 is analogous to that of Theorem 1. Simplified versions such as ( A X B) express a simple existence property. The event represented by the up edge A must occur and then B holds. Property 2. If A I and B I and C I then ( A X B C) I.

10 78 J. DALLIEN AND W. MACCAULL This is logically equivalent to Property 1. The simplified versions of this property, such as ( A X B) express a simple universality property, that whenever the event represented by the edge A occurs, B will hold LTL Patterns. A classification of commonly used LTL formulas was made by Dwyer and colleagues. In a survey of LTL formulas used in practice, most fit into a small group of patterns, which were named and described in [3]. The goal of the pattern system is to allow reuse of formulas and show methods of constructing LTL specifications based on the characteristics being tested. Patterns can be especially useful for assisting casual users of model checking who may not be as familiar with temporal logics as many of model checking s original users. Due to the simplicity of their use and their ability to express a wide range of properties, the patterns form the basis for the formulas recognized by the LTL recognizer discussed in the next section. Chechik and Păun [10] have extended the pattern system started by Dwyer to include edges, resulting in useful patterns of LTL formulas which are stutter invariant despite the fact that they contain the next operator. A listing of these patterns is given as an appendix. The original pattern classifications included a category and a scope for each formula to help describe what type of property each describes. The categories considered by Chechik and Păun are: Absence - A condition, P, does not occur within a scope Existence - A condition, P, must occur within a scope Universality - A condition, P, occurs throughout a scope Response - A condition, P, must always be followed by another, S, within a scope Precedence - A condition, P, must always be preceded by another, S, within a scope Each of the categories is associated with a scope, the region of an execution sequence on which the formula is evaluated. The five main kind of scopes used by Dwyer [3] are: Global - The entire state space Before R - The state sequence up to condition R After Q - The state sequence after condition Q Between Q and R - The part of the state sequence after condition Q and before condition R After Q Until R - Similar to between, though Q may continue to be true even if R condition does not become true. States Q and R are used to mark the start and end of the scope for a formula. Combining the required pattern formula from the categories with the required scope formula results in an LTL formula expressing the desired property over a section of the state space. As an example, consider the property: The elevator door must open after stopping on a floor. It could be expressed using the Existence category with a condition, P, and the After Q scope. Let P be the elevator door is open and Q be the elevator is not moving. This property can be formalized in the LTL formula Q (Q P ), a stutter invariant formula. These original patterns were state based only, meaning the conditions P and S in the categories and Q and R in the scopes were only represented as states where a

11 RECOGNITION OF LTL STUTTER INVARIANCE 79 variable is true. Chechik and Păun introduced edges to the patterns in the following ways: the conditions P and S in the categories and conditions Q and R in the scope boundaries each can be either state or edge based. This allows for inclusion of events; for instance in the example above, P could express the event The elevator door changes from a closed state to an open state and Q could express the event The elevator changes from a moving state to a non-moving state. Using edges in this way can better express the property in the example than a specification based only on states Example Formulas Generated From Patterns. Some more example pattern formulas with English interpretations are given below. For each example, the name of the category and scope are given, along with the meaning of each variable or edge. Example 4.1. The laser will not turn on while the CD tray is ejected. P laser is on P laser turns on Q CD tray is open Q CD tray opens R = Q R CD tray closes Pattern: Absence category with Between Q and R scope. (( Q R) ( P U R)) 4.6. Proof Example of Pattern Stutter Invariance. As pointed out by Chechik and Păun, using edges in patterns is only a useful concept if the resulting formulas can be shown to be stutter invariant, as they use the next operator in them. An example proof of stutter invariance of a pattern formula is given below. This formula is a combination of the Existence category and the between Q and R scope. Theorem 3. If P, Q, R I then ( Q R X ( RUP ) R) I Proof. First, to show that R is stutter invariant, the only states which we are concerned with are the two states in which the edge R X R occurs. By case analysis we can show that: R I by (4.5) and Property 1, by (2.2), by Theorem 1, by Property 1, by Property 2, ( Q R R) I ( Q R R) I RUP I and ( Q R R) I R I and RUP I and ( Q R R) I ( Q R X ( RUP )) I and ( Q R R) I

12 80 J. DALLIEN AND W. MACCAULL by (4.3), finally, ( Q R X ( RUP )) ( Q R R) I ( Q R X ( RUP ) R) I can be concluded by the definition of satisfaction for and. These new patterns give us a system of creating and identifying stutter invariant formulas that use the next operator. No automated way to recognize these formulas was thus far available. We present an implementation of an automated way of recognizing these formulas. Full details may be found in [2]. 5. LTL Recognizer Description. As seen in the previous sections, determining if an LTL formula is stutter invariant either requires time consuming analysis that would not be feasible for those not very familiar with temporal logic, or requires comparision with many different patterns to find a matching one. To make it easier and faster for users looking to verify properties using a model checker, a recognizer program was developed which recognizes the patterns of stutter invariant formulas we have discussed. The recognizer recognizes all the patterns identified by Chechik and Păun. Tables of these patterns are given as an appendix. To create a program to detect certain stutter invariant formulas, Prolog was used to create the LTL recognizer. The program uses Definite Clause Grammars [8] to identify patterns that are known to be stutter invariant, in particular, those not containing the next operator, and those based on patterns and edges which have been discussed in the previous sections. The version of Prolog used was SWI-Prolog By providing Prolog with the details of what constitutes a subset of stutter invariant LTL formulas, then posing queries containing the formulas we are interested about, Prolog can report whether it follows from the rules in the program that an LTL formula is stutter invariant. Prolog s ability to determine if a query satisfies a set of rules eliminates a lot of programming that would be required to implement a similar program in an imperative programming language. It is easy to view the formulas we are working with as strings from the LTL language. Thus it makes sense to represent the strings of the language we are interested in as a grammar. Another reason for selecting Prolog for this task is that it has a convenient method for representing grammars in its code. Definition 7. A difference list is a list in Prolog that represents the difference between two other lists. Difference lists can be used to represent grammars by saying that the empty list is the difference between a list coded in a program (representing the grammar rules) and the list of symbols given in a query. Prolog consumes matching symbols from the head of the lists to calculate the difference. If the difference between the user s list and the coded lists is the empty list, then all symbols matched and the user s list in the query matches some rule from the grammar difference lists. Definition 8. A Definite Clause Grammar (DCG) is an alternate method of representing a grammar in Prolog knowledge bases. The Prolog interpreter internally translates a DCG to the corresponding difference lists. The DCG method provides a more convenient and logical method of representing grammars.

13 RECOGNITION OF LTL STUTTER INVARIANCE LTL Pattern Grammar Design. The definite clause grammar used by the LTL recognizer consists of smaller grammars, connected as a single large grammar called invariant. This is our Prolog predicate used for posing queries about formulas to check if the formula matches a pattern. The main grammar connects one smaller grammar for each of the categories of formulas recognized and one to match formulas in the LTL x subset of LTL formulas. As discussed earlier, LTL formulas not containing the next operator (LTL x) are stutter invariant regardless of form. Thus, the LTL x grammar simply checks whether a formula contains the next operator and reports that the formula is stutter invariant if it does not. Small grammars for each scope type are connected under the grammars for each category type. Together these grammars form the subset of formulas recognized by the program. The program visits each category grammar checking to see if the formula falls within a scope. When the recognizer makes a pattern match in one of the grammars, a short message is output on the screen to indicate that the formula is stutter invariant, and which category/scope pattern was matched, or that the formula is in the LTL x subset. If the recognizer does not find a match, the output is the standard Prolog message, No. This means that the formula does not match a stutter invariant formula the recognizer knows. The formula still could be stutter invariant. A GUI front end to the recognizer could easily translate this to Unable to determine if formula is stutter invariant or a similar message Programming Issues. Despite the convenience of using Prolog DCGs for pattern matching, it presented some problems when writing the code to parse the formulas. Both Prolog and LTL use basic logic operators, some of which are typically represented with the exact same characters. Also, some LTL operators conflicted with Prolog s syntax. Examples of these operators are implication (->), and (&&), or ( ) and LTL s always ([]) and eventually (<>) operators. To avoid problems with Prolog trying to interpret rules with LTL operators as its own code, some LTL operators were replaced with other characters which have no special meaning to Prolog. A front end program to the Prolog pattern matching program easily translates the LTL formulas to and from the alternate character strings when queries are posed. Thus, the end user does not need to see the implementation details for resolving this problem. Another challenge was ensuring that variables, particularly those used in edges, matched when they occurred more than once in the same formula. Prolog s natural variable instantiation allowed single variables in a pattern to be matched easily. Edges, however, use grammar rules separate from the main pattern rules and Prolog does not provide a simple method of maintaining the variable names from one occurrance of the rule to another inside the same pattern. This is because Prolog variable values do not persist from one call to a grammar to another. For example, the pattern formula Q ( P U Q) must match only if two edges of Q are used in the correct locations. Two edges of different variables should not match the pattern. Prolog normally does not have persistent variables, so to remember the value, the flag/3 predicate was used to store data in Prolog s database, a collection of persistent key-based values. The first time an edge grammar rule is used, the name of the variable used in the edge is stored. The next time the same rule is used, the variable name is recalled from the database and a match can be verified. A

14 82 J. DALLIEN AND W. MACCAULL reset/0 predicate included in the recognizer resets the persistent values for the next matching attempt Example LTL Recognizer Queries. Below are some example LTL formula queries and their resulting output from the LTL recognizer. The following is given for each example: the LTL formula in normal notation, the formula expressed in a Prolog-formatted query with the replacements mentioned in the previous section, and the recognizer output after running the query. It is clear when viewing the Prolog queries that a GUI front end would be the preferable method of entering queries, due to the complex method Prolog requires for input. For this reason, a front end was written; the source code is available. Example 5.1. Pattern: Existence category with Between Q and R scope. Prolog query: (( Q R) (X ( R U P ) R)) invariant([^,"(","(",!,q,&&,o,q,&&,"<>",!,r,&&,o,r,")",\$,"(", o,"(",!,!,r,&&,o,r,u,p,")",&&,!,!,r,&&, o,r,")",")"],[]). Program output: Matches between Q and R existence pattern. Yes Example 5.2. This formula contains the next operator but does not match a pattern. Prolog query: R (T X P ) invariant(["<>",r,\$,"(",t,&&,o,p,")"],[]). Program output: No 6. Conclusion and Future Work. The Prolog-based LTL formula recognizer presented in this paper provides a means of identifying a subset of the set of stutter invariant formulas in an automated way, where no automated way existed previously. The recognizer will output yes for all of the patterns identified by Chechik and Păun to be stutter invariant. Due to the complexity of computing whether any given formula is stutter invariant, a recognizer is a feasible method of providing run-time checking of formulas using the past efforts of others to identify formulas in this subset. Rewriting can be employed to expand the subset of formulas identified as stutter invariant. By adding Prolog code to make small, relatively easily computed rewrites of equivalences in a query formula, a stutter invariant equivalence to a formula may be found. Future work on the recognizer is planned to incorporate rewriting. The source code of the recognizer and front end can be downloaded from jeff/recognizer/. Acknowledgements: The authors would like to thank Dr. Marsha Chechik for suggesting this problem. The authors would also like to thank the referees, whose comments and suggestions improved the presentation.

15 RECOGNITION OF LTL STUTTER INVARIANCE 83 REFERENCES [1] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking, Chapter 10. MIT Press, Cambridge, Massachusetts, [2] Jeffrey Dallien. Automated checking for stutter invariance of LTL formulas. Undergraduate Honours Thesis, Department of Mathematics, Statistics and Computer Science, St. Francis Xavier University, Antigonish, Nova Scotia, [3] Matthew B. Dwyer, George S. Avrunin, and James C. Corbett. Property specification patterns for finite-state verification. In Proceedings of the second workshop on Formal methods in software practice, pages ACM Press, [4] Rob Gerth. Concise promela reference. Website, August Available: [5] G.J. Holzmann. Design and Validation of Computer Protocols. Prentice-Hall, Englewood Cliffs, New Jersey, [6] G.J. Holzmann. The Spin Model Checker, Primer and Reference Manual. Addison-Wesley, Reading, Massachusetts, [7] G.J. Holzmann and Doron Peled. An improvement in formal verification. In Proc. Formal Description Techniques, FORTE94, pages , Berne, Switzerland, October Chapman & Hall. [8] Johan Bos, Patrick Blackburn and Kristina Striegnitz. Learn prolog now! Website, February Available: [9] Dimitrie O. Păun. Closure under stuttering in temporal formulas. Master s thesis, University of Toronto, Toronto, Ontario, [10] Dimitrie O. Păun and Marsha Chechik. Events in linear-time properties. In Proceedings of the 4th IEEE International Symposium on Requirements Engineering, pages IEEE Computer Society, [11] Doron Peled and Thomas Wilke. Stutter-invariant temporal properties are expressible without the next-time operator. Inf. Process. Lett., 63(5): , [12] Doron Peled, Thomas Wilke, and Pierre Wolper. An algorithmic approach for checking closure properties of ω-regular languages. In Proceedings of the 7th International Conference on Concurrency Theory (CONCUR 96), volume 1119, pages , Pisa, Italy, Springer.

16 84 J. DALLIEN AND W. MACCAULL Appendix A. Tables of Recognized LTL Patterns. Under each scope, formulas are numbered depending on which combination of states and edges are used. The combinations are: 0 P, S - states, Q, R - states 1 P, S - states, Q, R - edges 2 P, S - edges, Q, R - states 3 P, S - edges, Q, R - edges To conserve space in this listing, the following equivalences are used: A W B A (A U B) (weak until) A P B ( A U B) (precedes) if A then B else C (A B) ( A C) The recognizer uses the expanded forms as Spin does not use these equivalences. These tables were originally given in [9]. Absence Pattern Globally Before R 0 P 0 R ( P U R) 1 P 1 R ( R P P ) 2 P 2 R ( P U R) 3 P 3 R ( P U R) After Q Between Q and R 0 (Q P ) 0 ((Q R) ( P U R)) 1 ( Q X P ) 1 (( Q R R) X ( R P P )) 2 (Q P ) 2 ((Q R) ( P U R)) 3 ( Q P ) 3 (( Q R) ( P U R)) After Q until R 0 ((Q P ) ( P U R)) 1 (( Q R X P ) X( R P P )) 2 (Q ( P W R)) 3 ( Q ( P W R))

17 RECOGNITION OF LTL STUTTER INVARIANCE 85 Existence Pattern Globally Before R 0 P 0 R (P P R) 1 P 1 R ( R U P ) 2 P 2 R ( P P R) 3 P 3 R ( P P R) After Q Between Q and R 0 Q (Q P ) 0 ((Q R) ((P P R) R)) 1 Q ( Q X P ) 1 (( Q R) (X ( R U P ) R)) 2 Q (Q P ) 2 ((Q R) (( P P R) R)) 3 Q ( Q P ) 3 (( Q R) (( P P R) R)) After Q Until R 0 (Q (if R then ((P P R) R) else P )) 1 ( Q X ( R U P ) R) 2 (Q (if R then (( P P R) R) else P )) 3 ( Q (if R then(( P P R) R) else P )) Precedence Pattern Globally Before R 0 P S P P 0 R ( P U ((S P ) R)) 1 P S P P 1 R (( R U P ) (S P P )) 2 P S P P 2 R ( P U (( S P ) R)) 3 P S P P 3 R (( P P R) ( S P P )) After Q 0 Q (Q ( P (S P P ))) 1 Q ( Q X ( P (S P P ))) 2 Q (Q ( P ( S P P ))) 3 Q ( Q ( P ( S P P ))) Between Q and R 0 ((Q R) ( P U ((S P ) R))) 1 (( Q R X R) X (( R U P ) (S P P ))) 2 ((Q R) ( P U (( S P ) R))) 3 (( Q R X R) X (( P P R) ( S P P ))) After Q until R 0 (Q ( P P U ((S P ) R))) 1 ( Q X ( P (( R U P ) (S P P )))) 2 (Q ( P P U (( S P ) R))) 3 ( Q X ( P (( P P R) ( S P P ))))

18 86 J. DALLIEN AND W. MACCAULL Response Pattern Globally Before R 0 (P S) 0 R (P ( R U S)) U R 1 (P S) 1 R ((P ( R U S)) R) U ( R (P Q)) 2 ( P S) 2 R ( P ( R U S)) U R 3 ( P S) 3 R (( P ( R U S)) U R) After Q 0 (Q (P S)) 1 ( Q X (P S)) 2 (Q ( P S)) 3 ( Q ( P S)) Between Q and R 0 ((Q R) ((P ( R U S)) U R)) 1 (( Q R R) X (((P ( R U S)) R) U ( R (P Q)))) 2 ((Q R) (( P ( R U S)) U R)) 3 (( Q R) (( P ( R U S)) U R)) After Q until R 0 (Q (P ( R U S)) W R) 1 ( Q X (((P ( R U S)) R) W ( R (P Q)))) 2 ( Q ( P ( R U S)) W R) 3 ( Q ( P ( R U S)) W R) Universal Pattern (Note: P cannot be an edge because the resulting formula is always false.) Globally Before R 0 P 0 R (P U R) 1 P 1 R ( R P P ) After Q Between Q and R 0 (Q P ) 0 ((Q R) (P U R)) 1 ( Q X P ) 1 ((Q R R) X ( R P P )) After Q Until R 0 (Q P W R) 1 ( Q (if R then (X ( R P P )) else P )) Received November address:

### A Logic Approach for LTL System Modification

A Logic Approach for LTL System Modification Yulin Ding and Yan Zhang School of Computing & Information Technology University of Western Sydney Kingswood, N.S.W. 1797, Australia email: {yding,yan}@cit.uws.edu.au

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### The Model Checker SPIN

The Model Checker SPIN Author: Gerard J. Holzmann Presented By: Maulik Patel Outline Introduction Structure Foundation Algorithms Memory management Example/Demo SPIN-Introduction Introduction SPIN (Simple(

### Model Checking: An Introduction

Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI

### Formal Verification by Model Checking

Formal Verification by Model Checking Natasha Sharygina Carnegie Mellon University Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005 1 Outline Lecture 1: Overview of Model Checking

### Formal Verification and Linear-time Model Checking

Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging

### Algorithmic Software Verification

Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal

### Model Checking II Temporal Logic Model Checking

1/32 Model Checking II Temporal Logic Model Checking Edmund M Clarke, Jr School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 2/32 Temporal Logic Model Checking Specification Language:

### Temporal Logics. Computation Tree Logic

Temporal Logics CTL: definition, relationship between operators, adequate sets, specifying properties, safety/liveness/fairness Modeling: sequential, concurrent systems; maximum parallelism/interleaving

### logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

5. LTL, CTL Last part: Alloy logic language, static/dynamic models SAT solvers Today: Temporal Logic (LTL, CTL) Verified Software Systems 1 Overview How can we model check of a program or system? Modeling

### Software Modeling and Verification

Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

### Development of dynamically evolving and self-adaptive software. 1. Background

Development of dynamically evolving and self-adaptive software 1. Background LASER 2013 Isola d Elba, September 2013 Carlo Ghezzi Politecnico di Milano Deep-SE Group @ DEIB 1 Requirements Functional requirements

### Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

University of Texas at El Paso DigitalCommons@UTEP Departmental Technical Reports (CS) Department of Computer Science 8-1-2007 Using Patterns and Composite Propositions to Automate the Generation of Complex

### Introduction to Software Verification

Introduction to Software Verification Orna Grumberg Lectures Material winter 2013-14 Lecture 4 5.11.13 Model Checking Automated formal verification: A different approach to formal verification Model Checking

### Static Program Transformations for Efficient Software Model Checking

Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major

### Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Today s Agenda Quiz 4 Temporal Logic Formal Methods in Software Engineering 1 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 2 1 Buchi Automata

### LTL Model Checking with Logic Based Petri Nets

LTL Model Checking with Logic Based Petri Nets Tristan M. Behrens and Jürgen Dix IfI Technical Report Series IfI-07-04 Impressum Publisher: Institut für Informatik, Technische Universität Clausthal Julius-Albert

### T-79.186 Reactive Systems: Introduction and Finite State Automata

T-79.186 Reactive Systems: Introduction and Finite State Automata Timo Latvala 14.1.2004 Reactive Systems: Introduction and Finite State Automata 1-1 Reactive Systems Reactive systems are a class of software

### Validated Templates for Specification of Complex LTL Formulas

Validated Templates for Specification of Complex LTL Formulas Salamah Salamah Department of Electrical, computer, Software, and Systems Engineering Embry Riddle Aeronautical University 600 S. Clyde Morris

### On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems 29 August 2011 What are workflows to us? Plans or schedules that map users or resources to tasks Such mappings may

### Combining Software and Hardware Verification Techniques

Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

### Automata-based Verification - I

CS3172: Advanced Algorithms Automata-based Verification - I Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2006 Supporting and Background Material Copies of key slides (already

### Toward Model-Based Verification of Adaptive Allocation Managers

Toward Model-Based Verification of Adaptive Allocation Managers William Leal, Frank Drews, Chang Liu, Lonnie Welch Ohio University { leal@cs.ohiou.edu, drews@ohiou.edu, changliu@cs.ohiou.edu, welch@ohio.edu

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

### Firewall Verification and Redundancy Checking are Equivalent

Firewall Verification and Redundancy Checking are Equivalent H. B. Acharya University of Texas at Austin acharya@cs.utexas.edu M. G. Gouda National Science Foundation University of Texas at Austin mgouda@nsf.gov

### A computational model for MapReduce job flow

A computational model for MapReduce job flow Tommaso Di Noia, Marina Mongiello, Eugenio Di Sciascio Dipartimento di Ingegneria Elettrica e Dell informazione Politecnico di Bari Via E. Orabona, 4 70125

### Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund RIACS Technical Report 01.21 August 2001 Presented at the 16 th IEEE International Conference

### Fixed-Point Logics and Computation

1 Fixed-Point Logics and Computation Symposium on the Unusual Effectiveness of Logic in Computer Science University of Cambridge 2 Mathematical Logic Mathematical logic seeks to formalise the process of

### Formal Verification of Software

Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification

### Quick Start Guide. June 3, 2012

The ERIGONE Model Checker Quick Start Guide Mordechai (Moti) Ben-Ari Department of Science Teaching Weizmann Institute of Science Rehovot 76100 Israel http://stwww.weizmann.ac.il/g-cs/benari/ June 3, 2012

### Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Formal Languages and Automata Theory - Regular Expressions and Finite Automata - Samarjit Chakraborty Computer Engineering and Networks Laboratory Swiss Federal Institute of Technology (ETH) Zürich March

### HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

HECTOR a software model checker with cooperating analysis plugins Nathaniel Charlton and Michael Huth Imperial College London Introduction HECTOR targets imperative heap-manipulating programs uses abstraction

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

Computing and Informatics, Vol. 20, 2001,????, V 2006-Nov-6 UPDATES OF LOGIC PROGRAMS Ján Šefránek Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University,

### Model Checking based Software Verification

Model Checking based Software Verification 18.5-2006 Keijo Heljanko Keijo.Heljanko@tkk.fi Department of Computer Science and Engineering Helsinki University of Technology http://www.tcs.tkk.fi/~kepa/ 1/24

### Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering

### Reading 13 : Finite State Automata and Regular Expressions

CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

### Lecture 7: NP-Complete Problems

IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Basic Course on Computational Complexity Lecture 7: NP-Complete Problems David Mix Barrington and Alexis Maciel July 25, 2000 1. Circuit

### Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Now that we have a basic understanding

### Software Engineering using Formal Methods

Software Engineering using Formal Methods Model Checking with Temporal Logic Wolfgang Ahrendt 24th September 2013 SEFM: Model Checking with Temporal Logic /GU 130924 1 / 33 Model Checking with Spin model

### On the Relationship between Classes P and NP

Journal of Computer Science 8 (7): 1036-1040, 2012 ISSN 1549-3636 2012 Science Publications On the Relationship between Classes P and NP Anatoly D. Plotnikov Department of Computer Systems and Networks,

### CS510 Software Engineering

CS510 Software Engineering Propositional Logic Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se

### Rigorous Software Development CSCI-GA 3033-009

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical

### The Classes P and NP

The Classes P and NP We now shift gears slightly and restrict our attention to the examination of two families of problems which are very important to computer scientists. These families constitute the

### THE TURING DEGREES AND THEIR LACK OF LINEAR ORDER

THE TURING DEGREES AND THEIR LACK OF LINEAR ORDER JASPER DEANTONIO Abstract. This paper is a study of the Turing Degrees, which are levels of incomputability naturally arising from sets of natural numbers.

### [Refer Slide Time: 05:10]

Principles of Programming Languages Prof: S. Arun Kumar Department of Computer Science and Engineering Indian Institute of Technology Delhi Lecture no 7 Lecture Title: Syntactic Classes Welcome to lecture

### Formal Specification and Verification

Formal Specification and Verification Stefan Ratschan Katedra číslicového návrhu Fakulta informačních technologíı České vysoké učení technické v Praze 2. 5. 2011 Stefan Ratschan (FIT ČVUT) PI-PSC 4 2.

### INF5140: Specification and Verification of Parallel Systems

INF5140: Specification and Verification of Parallel Systems Lecture 7 LTL into Automata and Introduction to Promela Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerardo

### Model Checking of Software

Model Checking of Software Patrice Godefroid Bell Laboratories, Lucent Technologies SpecNCheck Page 1 August 2001 A Brief History of Model Checking Prehistory: transformational programs and theorem proving

### Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model checking test models Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl February 14, 2014 Abstract This thesis is about model checking testing models. These testing

### Feature Specification and Automated Conflict Detection

Feature Specification and Automated Conflict Detection AMY P. FELTY University of Ottawa and KEDAR S. NAMJOSHI Bell Laboratories Large software systems, especially in the telecommunications field, are

### (LMCS, p. 317) V.1. First Order Logic. This is the most powerful, most expressive logic that we will examine.

(LMCS, p. 317) V.1 First Order Logic This is the most powerful, most expressive logic that we will examine. Our version of first-order logic will use the following symbols: variables connectives (,,,,

### Specification and Analysis of Contracts Lecture 1 Introduction

Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.

### A Propositional Dynamic Logic for CCS Programs

A Propositional Dynamic Logic for CCS Programs Mario R. F. Benevides and L. Menasché Schechter {mario,luis}@cos.ufrj.br Abstract This work presents a Propositional Dynamic Logic in which the programs are

### each college c i C has a capacity q i - the maximum number of students it will admit

n colleges in a set C, m applicants in a set A, where m is much larger than n. each college c i C has a capacity q i - the maximum number of students it will admit each college c i has a strict order i

### Introducing Formal Methods. Software Engineering and Formal Methods

Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended

### A first step towards modeling semistructured data in hybrid multimodal logic

A first step towards modeling semistructured data in hybrid multimodal logic Nicole Bidoit * Serenella Cerrito ** Virginie Thion * * LRI UMR CNRS 8623, Université Paris 11, Centre d Orsay. ** LaMI UMR

### Automata-Based Verification of Temporal Properties on Running Programs

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou (RIACS) and Klaus Havelund (Kestrel Technologies) Automated Software Engineering Group NASA Ames Research Center,

### Determination of the normalization level of database schemas through equivalence classes of attributes

Computer Science Journal of Moldova, vol.17, no.2(50), 2009 Determination of the normalization level of database schemas through equivalence classes of attributes Cotelea Vitalie Abstract In this paper,

### Fundamentals of Software Engineering

Fundamentals of Software Engineering Model Checking with Temporal Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner

### Induction. Margaret M. Fleck. 10 October These notes cover mathematical induction and recursive definition

Induction Margaret M. Fleck 10 October 011 These notes cover mathematical induction and recursive definition 1 Introduction to induction At the start of the term, we saw the following formula for computing

### 136 CHAPTER 4. INDUCTION, GRAPHS AND TREES

136 TER 4. INDUCTION, GRHS ND TREES 4.3 Graphs In this chapter we introduce a fundamental structural idea of discrete mathematics, that of a graph. Many situations in the applications of discrete mathematics

Test Case Generation for Ultimately Periodic Paths Joint work with Saddek Bensalem Hongyang Qu Stavros Tripakis Lenore Zuck Accepted to HVC 2007 How to find the condition to execute a path? (weakest precondition

### Constructing Automata from Temporal Logic Formulas : A Tutorial

Constructing Automata from Temporal Logic Formulas : A Tutorial Pierre Wolper Université de Liège, Institut Montefiore, B28, 4000 Liège, Belgium pw@montefiore.ulg.ac.be, http://www.montefiore.ulg.ac.be/~pw/

### Monitoring Metric First-order Temporal Properties

Monitoring Metric First-order Temporal Properties DAVID BASIN, FELIX KLAEDTKE, SAMUEL MÜLLER, and EUGEN ZĂLINESCU, ETH Zurich Runtime monitoring is a general approach to verifying system properties at

### An Approach to Model Checking Ada Programs

An Approach to Model Checking Ada Programs José Miguel Faria 1,2, João Martins 1, and Jorge Sousa Pinto 1 1 Departamento de Informática / CCTC, Universidade do Minho, Braga, Portugal 2 Critical Software,

### Tr ends in Software Verification

Tr ends in Software Verification Gerard J. Holzmann JPL Laboratory for Reliable Software California Institute of Technology 4800 Oak Grove Drive Pasadena, CA 91006 gerard.j.holzmann@jpl.nasa.gov Abstract.

### MetaGame: An Animation Tool for Model-Checking Games

MetaGame: An Animation Tool for Model-Checking Games Markus Müller-Olm 1 and Haiseung Yoo 2 1 FernUniversität in Hagen, Fachbereich Informatik, LG PI 5 Universitätsstr. 1, 58097 Hagen, Germany mmo@ls5.informatik.uni-dortmund.de

### On the k-path cover problem for cacti

On the k-path cover problem for cacti Zemin Jin and Xueliang Li Center for Combinatorics and LPMC Nankai University Tianjin 300071, P.R. China zeminjin@eyou.com, x.li@eyou.com Abstract In this paper we

### tutorial: hardware and software model checking

tutorial: hardware and software model checking gerard holzmann and anuj puri { gerard anuj } @research.bell-labs.com Bell Labs, USA outline introduction (15 mins) theory and algorithms system modeling

### AUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM

AUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM Mr. Arjun Kumar arjunsingh@abes.ac.in ABES Engineering College, Ghaziabad Master of Computer Application ABSTRACT Now a days, security is very

### ML for the Working Programmer

ML for the Working Programmer 2nd edition Lawrence C. Paulson University of Cambridge CAMBRIDGE UNIVERSITY PRESS CONTENTS Preface to the Second Edition Preface xiii xv 1 Standard ML 1 Functional Programming

### EFFICIENT KNOWLEDGE BASE MANAGEMENT IN DCSP

EFFICIENT KNOWLEDGE BASE MANAGEMENT IN DCSP Hong Jiang Mathematics & Computer Science Department, Benedict College, USA jiangh@benedict.edu ABSTRACT DCSP (Distributed Constraint Satisfaction Problem) has

### Logic in general. Inference rules and theorem proving

Logical Agents Knowledge-based agents Logic in general Propositional logic Inference rules and theorem proving First order logic Knowledge-based agents Inference engine Knowledge base Domain-independent

### Network (Tree) Topology Inference Based on Prüfer Sequence

Network (Tree) Topology Inference Based on Prüfer Sequence C. Vanniarajan and Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology Madras Chennai 600036 vanniarajanc@hcl.in,

### The ProB Animator and Model Checker for B

The ProB Animator and Model Checker for B A Tool Description Michael Leuschel and Michael Butler Department of Electronics and Computer Science University of Southampton Highfield, Southampton, SO17 1BJ,

### Introduction to Automata Theory. Reading: Chapter 1

Introduction to Automata Theory Reading: Chapter 1 1 What is Automata Theory? Study of abstract computing devices, or machines Automaton = an abstract computing device Note: A device need not even be a

### FIBRATION SEQUENCES AND PULLBACK SQUARES. Contents. 2. Connectivity and fiber sequences. 3

FIRTION SEQUENES ND PULLK SQURES RY MLKIEWIH bstract. We lay out some foundational facts about fibration sequences and pullback squares of topological spaces. We pay careful attention to connectivity ranges

### Software safety - DEF-STAN 00-55

Software safety - DEF-STAN 00-55 Where safety is dependent on the safety related software (SRS) fully meeting its requirements, demonstrating safety is equivalent to demonstrating correctness with respect

### The Course. http://www.cse.unsw.edu.au/~cs3153/

The Course http://www.cse.unsw.edu.au/~cs3153/ Lecturers Dr Peter Höfner NICTA L5 building Prof Rob van Glabbeek NICTA L5 building Dr Ralf Huuck NICTA ATP building 2 Plan/Schedule (1) Where and When Tuesday,

### Formal Verification Toolkit for Requirements and Early Design Stages

Formal Verification Toolkit for Requirements and Early Design Stages Julia M. Badger 1 and Sheena Judson Miller 2 1 NASA Johnson Space Center, Houston, TX 77058, USA 2 Barrios Technology, Houston, TX 77058,

### Logic in Computer Science: Logic Gates

Logic in Computer Science: Logic Gates Lila Kari The University of Western Ontario Logic in Computer Science: Logic Gates CS2209, Applied Logic for Computer Science 1 / 49 Logic and bit operations Computers

### Research Article Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications

Advances in Software Engineering Volume 2011, Article ID 869182, 13 pages doi:10.1155/2011/869182 Research Article Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications

### Handout #1: Mathematical Reasoning

Math 101 Rumbos Spring 2010 1 Handout #1: Mathematical Reasoning 1 Propositional Logic A proposition is a mathematical statement that it is either true or false; that is, a statement whose certainty or

### Software Verification and Testing. Lecture Notes: Temporal Logics

Software Verification and Testing Lecture Notes: Temporal Logics Motivation traditional programs (whether terminating or non-terminating) can be modelled as relations are analysed wrt their input/output

### Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder Matt Department of Computer Science and Engineering University of Minnesota staats@cs.umn.edu Abstract We present

### Artificial Intelligence

Artificial Intelligence ICS461 Fall 2010 1 Lecture #12B More Representations Outline Logics Rules Frames Nancy E. Reed nreed@hawaii.edu 2 Representation Agents deal with knowledge (data) Facts (believe

### Coverability for Parallel Programs

2015 http://excel.fit.vutbr.cz Coverability for Parallel Programs Lenka Turoňová* Abstract We improve existing method for the automatic verification of systems with parallel running processes. The technique

### Plan-Space Search. Searching for a Solution Plan in a Graph of Partial Plans

Plan-Space Search Searching for a Solution Plan in a Graph of Partial Plans Literature Malik Ghallab, Dana Nau, and Paolo Traverso. Automated Planning Theory and Practice, chapter 2 and 5. Elsevier/Morgan

### Predicate Logic Review

Predicate Logic Review UC Berkeley, Philosophy 142, Spring 2016 John MacFarlane 1 Grammar A term is an individual constant or a variable. An individual constant is a lowercase letter from the beginning

### Continued Fractions. Darren C. Collins

Continued Fractions Darren C Collins Abstract In this paper, we discuss continued fractions First, we discuss the definition and notation Second, we discuss the development of the subject throughout history

### C H A P T E R Regular Expressions regular expression

7 CHAPTER Regular Expressions Most programmers and other power-users of computer systems have used tools that match text patterns. You may have used a Web search engine with a pattern like travel cancun

### 9.2 Summation Notation

9. Summation Notation 66 9. Summation Notation In the previous section, we introduced sequences and now we shall present notation and theorems concerning the sum of terms of a sequence. We begin with a

### Lecture 9 verifying temporal logic

Basics of advanced software systems Lecture 9 verifying temporal logic formulae with SPIN 21/01/2013 1 Outline for today 1. Introduction: motivations for formal methods, use in industry 2. Developing models

### Regular Expressions with Nested Levels of Back Referencing Form a Hierarchy

Regular Expressions with Nested Levels of Back Referencing Form a Hierarchy Kim S. Larsen Odense University Abstract For many years, regular expressions with back referencing have been used in a variety

### The Relation between Two Present Value Formulae

James Ciecka, Gary Skoog, and Gerald Martin. 009. The Relation between Two Present Value Formulae. Journal of Legal Economics 15(): pp. 61-74. The Relation between Two Present Value Formulae James E. Ciecka,

### Why? A central concept in Computer Science. Algorithms are ubiquitous.

Analysis of Algorithms: A Brief Introduction Why? A central concept in Computer Science. Algorithms are ubiquitous. Using the Internet (sending email, transferring files, use of search engines, online

### Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation Franco Raimondi Alessio Lomuscio Department of Computer Science King s College London London