LTL Model Checking with Logic Based Petri Nets


LTL Model Checking with Logic Based Petri Nets
Tristan M. Behrens and Jürgen Dix
IfI Technical Report Series IfI-07-04

Impressum

Publisher: Institut für Informatik, Technische Universität Clausthal, Julius-Albert Str. 4, Clausthal-Zellerfeld, Germany
Editor of the series: Jürgen Dix
Technical editor: Wojciech Jamroga
Contact: URL: ISSN:

The IfI Review Board
Prof. Dr. Jürgen Dix (Theoretical Computer Science/Computational Intelligence)
Prof. Dr. Klaus Ecker (Applied Computer Science)
Prof. Dr. Barbara Hammer (Theoretical Foundations of Computer Science)
Prof. Dr. Kai Hormann (Computer Graphics)
Prof. Dr. Gerhard R. Joubert (Practical Computer Science)
apl. Prof. Dr. Günter Kemnitz (Hardware and Robotics)
Prof. Dr. Ingbert Kupka (Theoretical Computer Science)
Prof. Dr. Wilfried Lex (Mathematical Foundations of Computer Science)
Prof. Dr. Jörg Müller (Economical Computer Science)
Prof. Dr. Niels Pinkwart (Economical Computer Science)
Prof. Dr. Andreas Rausch (Software Systems Engineering)
apl. Prof. Dr. Matthias Reuter (Modeling and Simulation)
Prof. Dr. Harald Richter (Technical Computer Science)
Prof. Dr. Gabriel Zachmann (Computer Graphics)

Tristan M. Behrens and Jürgen Dix
Department of Informatics, Clausthal University of Technology
Julius-Albert-Straße 4, Clausthal, Germany

Abstract

In this paper we consider unbounded model checking for systems that can be specified in Linear Time Logic. More precisely, we consider the model checking problem N ⊨ α, where N is a generalized Petri net (SLPN) (which we have introduced in previous work), and α is an LTL formula. We solve this problem by using results about the equivalence of LTL formulae and Büchi automata.

1 Introduction

Model checking [2] is the problem to decide M ⊨ α: Is the system M a model of a logical formula α or not? Model checking together with theorem proving are two major techniques for design validation at compile time. Whereas systems based on theorem provers often rely heavily on user interaction, model checkers are fully automatic and deliver in addition a counter-example if an invalid execution or state of a system is detected.

Systems M are usually represented as Kripke structures. When dealing with concurrent systems formulæ are often expressed in Computational Tree Logic (CTL) or Linear Time Logic (LTL) [4]. Established model checkers rely on different theoretical foundations. For example automata theory has been investigated in the past and the model checking problem has been reduced to certain algorithms from graph theory.

Concurrent systems M can be described very nicely with Petri nets. Petri nets are mathematical structures based on simple syntax and semantics. They have been applied to model and visualize parallelism, concurrency, synchronization and resource-sharing. Different Petri net formalisms share several basic principles so that many theoretical results can be transferred between them [3].

In previous work [1] the authors have introduced a new type of Petri nets, Simple Logic Petri Nets (SLPN), to model concurrent systems that are based on logical atoms (e.g. multiagent systems specified in AgentSpeak).

In this paper we firstly recall the classical results about model checking and Büchi automata (Section 2). Our own work starts with Section 3, where we recall the class SLPN of Simple Logic Petri nets introduced in [1]. Then we show how to construct a Büchi automaton from an SLPN (Section 4), via a Kripke structure. In Section 5 we use the results from Sections 2-4 to solve the model checking problem. Finally, Section 6 discusses related and future work. We conclude with Section 7.

2 LTL and Büchi Automata

Linear time logic (LTL) is a propositional logic with an additional operator for time. There is a very useful equivalence between LTL formulae and Büchi automata (automata that operate on infinite words), a relationship that is crucial for model checking.

DEFINITION 1 (LTL Syntax [4]). Let AP be a set of atomic propositions. The language LTL_AP is constructed as follows:
- AP LTL_AP and, LTL_AP,
- if α LTL_AP then α LTL_AP,
- if α, β LTL_AP then α β LTL_AP and α β LTL_AP,
- if α, β LTL_AP then α LTL_AP, [αUβ] LTL_AP and [αRβ] LTL_AP.

DEFINITION 2 (Semantics of LTL). Let π : s_0, s_1, s_2, ... be an (infinite) sequence of states of a system, generally π i shall represent the sequence s_i, s_i+1, s_i+2, .... Furthermore let ap be an atomic proposition and α and β LTL-formulæ. Then:
- π ⊨ ap iff ap is true in s_0 and π ⊨ α iff not π ⊨ α
- π ⊨ α β iff π ⊨ α and π ⊨ β; π ⊨ α β iff π ⊨ α or π ⊨ β
- π ⊨ α iff π 1 ⊨ α
- π ⊨ [αUβ] iff i 0 : π i ⊨ β and j, 0 j i : π j ⊨ α
- π ⊨ [αRβ] iff π ⊨ [ αU β]

The unary temporal operator α denotes that the formula α is true in the next state, whereas the binary temporal operator αUβ (until) denotes that the formula α holds until β becomes true and αRβ denotes that α holds until it is released by β. We can express other modalities as follows: α (finally, a formula will be true in the future) is equivalent to [ Uα] and α (globally, a formula is true in all time moments from now on) is equivalent to [ Uα].

Büchi automata are finite automata that read infinite words. Infinite words are suitable when dealing with nonterminating systems (operating systems, agents).

DEFINITION 3 (Büchi Automaton [9]). The tuple B = {Σ, Q, , Q_0, A} with
- Σ a finite alphabet,
- Q a finite set of states,
- Q Σ Q a transition relation,
- Q_0 Q a set of initial states,
- A Q a set of accepting states,
is called Büchi automaton. It accepts an infinite word w if in the course of parsing it at least one accepting state is visited infinitely often.

[Figure 1: The Büchi automaton B ap derived from the formula ap.]

Büchi automata are well suited for LTL:

THEOREM 1 (Gerth et al. ([5])). For each LTL formula α there exists a Büchi automaton B_α that generates exactly those infinite sequences Π of states for which α holds.

The proof is by Gerth's algorithm [5] which takes an LTL formula in positive normal form and generates an equivalent Büchi automaton. This is but one of many algorithms for deriving Büchi automata from LTL-formulæ [10]. It has two main advantages: the automaton can be generated simultaneously with the generation of a model and the algorithm proved to have a good average case complexity.

EXAMPLE 1 (A Simple Büchi Automaton). Figure 1 shows the Büchi automaton generated from the LTL formula ap [ Uap].

3 Simple Logic Petri Nets

In this section we introduce the class SLPN of Simple Logic Petri Nets. Let VAR be a finite set of variables, CONST be a finite set of constants, FUNC be a finite set of function-symbols, TERM be the (infinite) set of terms constructed from terms, constants and atoms. Let PRED be a set of predicate symbols, A + be the set of positive atoms and A be the set of negative atoms constructed using predicates and terms. Let L = A + A be the set of literals, X_grnd be the set of all ground atoms in each subset X L. Finally, let var-of : 2^L 2^VAR be the function that selects all variables that are contained in a given set of literals.

Petri nets are often referred to as token games and are usually defined by first providing the topology and then the semantics. The topology is a net structure, i.e. a bipartite digraph consisting of places and transitions. Defining the semantics means (1) defining what a state is, (2) defining when a transition is enabled and, finally, (3) defining how tokens are consumed/created/moved in the net. We refer to the notion that tokens are consumed and created by firing transitions; moving is made possible by consuming and creating. Our most basic definition is as follows:

DEFINITION 4 (Simple Logic Petri Net). The tuple N = P, T, F, C with
- P = {p_1, ..., p_m} the set of places,
- T = {t_1, ..., t_n} the set of transitions,
- F (P T ) (T P ) the inhibition relation,
- C : F 2^L the capacity function,
is called a Simple Logic Petri Net (SLPN).

EXAMPLE 2 (Running example). Figure 2 shows an SLPN in two states of execution. Places are depicted as circles, transitions as boxes, arcs as arrows. Enabled transitions are grey, black otherwise.

Our main notion is that of a valid net. To this end we introduce

DEFINITION 5 (Preset, Postset). For each p P and each t T we define the preset and postset of p and t as follows
  p = {t T (t, p) F }
  p = {t T (p, t) F }
  t = {p P (p, t) F }
  t = {p P (t, p) F }

We assume the following two properties: Firstly, if a variable occurs in the label of an outgoing arc from a transition, then this variable must also occur in an ingoing arc to this transition. Secondly, we do not allow negative atoms as labels of arcs between transitions and places. Otherwise parts of the net would not be executable or would make no sense at all.

[Figure 2: A Simple Logic Petri Net (SLPN) N. On the left is the initial state, t_1 is enabled. The right side shows the state after t_1 has fired. Now t_3 is enabled. This SLPN is deadlock-free.]

DEFINITION 6 (Valid Net). A SLPN N = P, T, F, C is valid iff the following hold:
  ( ) ( ) t T : var-of C(t, p) var-of C(p, t) (1) p t p t (t, p) F : C(p, t) A + (2)

This means that all variables that are in the labels of arcs between each transition and its postset are also in the labels of the arcs between each transition and its preset. Otherwise we would have uninitialized variables.

Now we have places and transitions and the arcs between them, together with a function which labels each arc with a literal. We would like to have ground atoms inside the places and the ability to move them through the net. Thus we define the state of the net:

DEFINITION 7 (State). A state is a function s : P 2 A+ grnd. We denote the initial state by s_0. A state s can be written as a vector as s = [ s(p_1) ... s(p P ) ]^t whereas we might leave out the parentheses of the sets s(p_i) iff the representation is clear.

Before describing the transition between states we need the notion of an enabled transition. In each state a Petri net might have none, one or several enabled transitions. This holds for our SLPNs as well as for Petri nets in general:

DEFINITION 8 (Enabling of Transitions, Bindings). A transition t T is enabled if there is B VAR CONST :
  p t a( t) C(p, t) A + : a( t) [B] s(p) and
  p t a( t) C(p, t) A : a( t) [B] s(p)
B is a (possibly empty) set of variable substitutions. We denote wlog by Subs(t) = {B_1, ..., B_n} with n N the set of all sets of such variable substitutions with respect to the transition t for which the above holds.

This means that a transition t is enabled if (1) all positive literals that are labels of arcs between t and its preset t are unifiable with the literals in the respective places, and (2) that there is no unification for all the negative literals that are labels of arcs between the transition and its preset. Note that we need a in the second formula, because the places never contain negative atoms (closed world assumption).

We are now ready to define transitions of states. Firing transitions absorb certain atoms from the places in the preset and put new atoms into the places in the postset using the variable substitutions:

DEFINITION 9 (State Transition).
  ( p P : s (p) = s(p) \ t p,tfires [Bind(t)]) ( C(p, t) t p,tfires [Bind(t)]) C(t, p)

Thus each place receives ground literals from each firing transition in its preset and ground literals are absorbed by all the firing transitions in the postset, thus leading to a new state of the whole system.

EXAMPLE 3 (Running example cont'd). The initial state is s_0 = [a(1) ]^t. After firing t_1 we have the state s_1 = [ b(2)]^t.

4 SLPNs and Büchi Automata

Theorem 1 states that LTL formulæ are equivalent to Büchi automata. How can we construct a Büchi automaton from a SLPN? We construct the Kripke structure representing the state-space of the SLPN.

DEFINITION 10 (Kripke Structure K). The tuple K = S, , S_0, L with
- S = {s_1, ..., s_n} the set of states,
- S_0 S the set of initial states,
- S S the transition-relation with s S s S : (s, s ),
- L : S 2^AP the labeling-function, where AP = {a p a A + grnd, p P } is the set of atomic propositions over SLPN
is called a Kripke structure.

For each SLPN we can generate a respective Kripke structure by exhaustive enumeration of the state-space of the net. The derived Kripke structure is similar to the reachability graph of the SLPN:

ALGORITHM 1. KSfromSLPN(N)

    // trans: the transition relation of the Kripke structure
    S := {q_1}; S_0 := {q_1}; trans := ∅; L := {(q_1, s_0)};
    queue := {q_1};
    while queue ≠ ∅ do
        q := removeFirst(queue);
        T := getEnabledTransitions(N, L(q));
        // fire every non-empty set of enabled transitions
        for all S' ⊆ T, S' ≠ ∅ do
            s' := fireTransitions(N, L(q), S');
            if ∃ q' ∈ S with L(q') = s' then
                trans := trans ∪ {(q, q')};
            else
                q' := newNode();
                S := S ∪ {q'};
                trans := trans ∪ {(q, q')};
                L := L ∪ {(q', s')};
                queue := addLast(queue, q');
            end if
        end for
    end while
    return S, S_0, trans, L;

LEMMA 1 (K_N). Algorithm 1 generates for each SLPN N a Kripke structure K_N. This algorithm is not guaranteed to terminate.

EXAMPLE 4 (Running example cont'd.). Figure 3 shows the Kripke structure generated from N using our algorithm. The structure is as follows:
  S = {s_1, s_2, s_3, s_4, s_5, s_6}
  S_0 = {s_1}
  = {(s_i, s_j) j i + 1 mod 6}
  L(s_1) = [a(1) ]^t, L(s_2) = [ b(2)]^t, L(s_3) = [a(2) ]^t,
  L(s_4) = [ b(3)]^t, L(s_5) = [a(3) ]^t, L(s_6) = [ b(1)]^t

Kripke structures can be easily transformed into Büchi automata:

[Figure 3: Kripke structure for the SLPN in Fig. 2.]

THEOREM 2 (Büchi automaton B_K). For each Kripke structure K there exists a Büchi automaton B_K that generates exactly those infinite sequences that are equivalent to the possible paths in the Kripke structure.

Sketch. Transforming a Kripke structure into a Büchi automaton is straightforward. Firstly the states and the arcs of the Kripke structure constitute the states and arcs of the Büchi automaton. Secondly introduce the initial state and connect it to the states that were initial states in the Kripke structure. Finally put the labels of the states to the incoming arcs and declare all states accepting states.

EXAMPLE 5 (Running example cont'd). Figure 4 shows the Büchi automaton B_N generated from the SLPN N in Fig. 2. We are only interested in the truth value of the atomic proposition b(3) p_2 which we denote by ap and respectively.

5 Model Checking SLPNs

We reduce model checking to the emptiness check of a Büchi automaton.

THEOREM 3 (Reducing Model Checking to Büchi Automata). The model checking problem N ⊨ α for a SLPN N and an LTL formula α is equivalent to the emptiness problem of the intersection automaton B_N B_α.

[Figure 4: Büchi automaton for the SLPN in Fig. 2 with filtered alphabet: the atomic proposition ap represents b(3) p_2. Note that the automaton is filtered: other atoms in p_2 are ignored as well as p_1 is ignored completely.]

Proof. Since B_N generates all possible states of N (Lemma 1 and Theorem 2) and B_α generates all sequences in which α does not hold, the intersection automaton generates all states in which the formula does not hold. If the generated language is empty α holds in all states.

LEMMA 2 (Folklore). Solving the emptiness problem of a Büchi automaton is equivalent to finding a strongly connected component of the automaton-graph that contains at least one initial and one final state.

Putting our lemmas and theorems together, we get the following

ALGORITHM 2. Given an LTL-formula α and an SLPN N the model checking problem N ⊨ α can be solved as follows:
1. generate the Büchi-Automaton B_N from the SLPN by considering the Kripke structure representing the state-space of N
2. generate the Büchi-Automaton B_α from the formula α using Gerth's algorithm
3. solve the emptiness problem for the Büchi-Automaton B_N B_α by searching a strongly connected component that contains an initial state and a final state.

If a strongly connected component of the intersection-automaton is found it can serve as a counterexample.

A powerful feature of the above algorithm is that it works on the fly: the parts of the automata B_N and B_α need to be generated on demand only. Thus a strongly connected component can be found without complete generation of the automata by expanding them in parallel.
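The following Python sketch is an added example, not code from the report: it combines Algorithm 1 and Algorithm 2 by expanding the product of the net's state space and an automaton for the negated formula on demand, and reports an accepting state that is reachable from the initial state and from itself as a counterexample. Assumptions: atoms are unary over integers with one variable X per transition, one transition fires per step (not every non-empty subset), the automaton for "finally ap" is written by hand instead of produced by Gerth's algorithm, the inhibitor label read from Fig. 2 is a reconstruction, and `limit` is a hypothetical bound that turns non-termination into an `unknown` verdict.

```python
from collections import deque

# Arc label: (pred, arg); arg is an int constant or ("X", k), meaning X + k.
X = ("X", 0)

def ground(label, x):
    pred, arg = label
    return (pred, arg if isinstance(arg, int) else x + arg[1])

class SLPN:
    """Simplified SLPN (assumption): unary integer atoms, one variable X per transition."""
    def __init__(self, places, transitions, initial):
        self.places, self.transitions, self.initial = places, transitions, initial

    def s0(self):
        return tuple(frozenset(self.initial.get(p, ())) for p in self.places)

    def successors(self, state):
        """States reached by firing one enabled transition under one binding of X."""
        marking = dict(zip(self.places, state))
        result = []
        for t in self.transitions.values():
            # Candidate bindings come from atoms that match a variable input label.
            cands = {v - arg[1] for p, (pred, arg) in t["pre"] if not isinstance(arg, int)
                     for (name, v) in marking[p] if name == pred} or {0}
            for x in sorted(cands):
                present = all(ground(l, x) in marking[p] for p, l in t["pre"])
                blocked = any(ground(l, x) in marking[p] for p, l in t.get("inh", []))
                if present and not blocked:
                    new = {p: set(atoms) for p, atoms in marking.items()}
                    for p, l in t["pre"]:
                        new[p].discard(ground(l, x))   # absorb input atoms
                    for p, l in t["post"]:
                        new[p].add(ground(l, x))       # produce output atoms
                    result.append(tuple(frozenset(new[p]) for p in self.places))
        return result

# Constructed reading of Fig. 2; the inhibitor label on p1 -> t1 is an assumption.
RUNNING = SLPN(("p1", "p2"), {
    "t1": {"pre": [("p1", ("a", X))], "inh": [("p1", ("a", 3))],
           "post": [("p2", ("b", ("X", 1)))]},
    "t2": {"pre": [("p1", ("a", 3))], "post": [("p2", ("b", 1))]},
    "t3": {"pre": [("p2", ("b", X))], "post": [("p1", ("a", X))]},
}, {"p1": {("a", 1)}})

# Left net of Fig. 5: t1 turns a(X) into a(X+1), so the state space is infinite.
COUNTER = SLPN(("p1",), {
    "t1": {"pre": [("p1", ("a", X))], "post": [("p1", ("a", ("X", 1)))]},
}, {"p1": {("a", 1)}})

# Hand-written automaton for "finally ap" (the negation of "globally not ap").
FINALLY_AP = {"init": ["q0"], "accepting": {"q1"},
              "delta": lambda q, ap: ["q1"] if q == "q1" or ap else ["q0"]}

def in_place(place, atom):
    return lambda marking: atom in marking[place]

def reach(starts, succ, limit):
    """BFS that expands nodes on demand; returns (parent map, explored completely?)."""
    parent = {s: None for s in starts}
    queue = deque(parent)
    while queue:
        node = queue.popleft()
        for nxt in succ(node):
            if nxt not in parent:
                if len(parent) >= limit:
                    return parent, False
                parent[nxt] = node
                queue.append(nxt)
    return parent, True

def path_to(parent, node):
    out = []
    while node is not None:
        out.append(node)
        node = parent[node]
    return out[::-1]

def check(net, ap, buchi, limit=1000):
    """Returns (verdict, prefix, cycle); verdict is 'violated', 'holds' or 'unknown'."""
    def succ(node):
        state, q = node
        label = ap(dict(zip(net.places, state)))   # proposition read in the current state
        return [(s2, q2) for s2 in net.successors(state)
                for q2 in buchi["delta"](q, label)]
    parent, complete = reach([(net.s0(), q) for q in buchi["init"]], succ, limit)
    for acc in parent:
        if acc[1] in buchi["accepting"]:
            back, _ = reach(succ(acc), succ, limit)
            if acc in back:   # accepting state reachable from itself: a lasso
                return "violated", path_to(parent, acc), path_to(back, acc)
    return ("holds" if complete else "unknown"), None, None

if __name__ == "__main__":
    print(check(RUNNING, in_place("p2", ("b", 3)), FINALLY_AP))
    print(check(RUNNING, in_place("p2", ("b", 4)), FINALLY_AP)[0])
    print(check(COUNTER, in_place("p1", ("a", 0)), FINALLY_AP, limit=50)[0])
```

A `violated` verdict stays sound even when the bound is hit, because the returned prefix and cycle are real firings of the net; `holds` is only returned when the product was explored completely.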

[Figure 5: Two SLPNs with infinite Kripke structures. The left side shows an SLPN N_1 that enumerates the natural numbers. The right side shows an even worse scenario: the cardinality of s(p_3) of N_2 increases in each step and is unbounded.]

Unfortunately Algorithm 1 has a drawback: some SLPNs have infinite Kripke structures. Figure 5 shows two such SLPNs. This leads to semi-decidability of our model-checking algorithms. Only in the case when a counterexample exists does the algorithm terminate.

6 Related and Future Work

As this is an important area of research, there are many competing approaches. Among the most well-known model checkers, there is SPIN: An efficient verification system for models of distributed software systems [6, 7]. The core is the specification language PROMELA (quite similar to structural programming languages), which is to be used to specify concurrent systems. This specification is translated into an automaton together with the correctness claims expressed in LTL. In contrast to our approach SPIN generates an automaton for each asynchronous process in the system and then generates a new automaton for each possible interleaving of the execution of the processes, whereas we generate the interleavings on the fly. Thus our algorithm might find a counterexample without checking all possible interleavings.

Recently we have made use of the Petri net infrastructure Petri Net Kernel [8] (PNK). It is very useful for developers and scientists, because it allows a powerful architecture for basic Petri net tools like editors and simulators and it also permits the extension by versatile plugins. We use PNK for designing Petri nets and because it comes along with the standardized data exchange format Petri Net Markup Language (PNML) based on XML.

We have implemented an SLPN-to-smodels-converter which takes an SLPN and generates a logic program, whose answer sets represent all possible bounded executions of the net. With it we are able to detect deadlocks [1]. We are working on an AgentSpeak (F)-to-SLPN-converter with which we will test our model-checking-framework.

We plan to examine the relationship between SLPN and the Petri-net-classes P/T nets and Colored Petri nets as well as the operational semantics of SLPN.

7 Conclusion

SLPN is a class of specialized Petri nets with logical atoms as tokens and logical literals as labels. It is well suited to describe agent languages based on logical atoms (like the family of AgentSpeak languages). We gave a short summary on LTL model checking with automata: LTL formulæ as well as Kripke structures can be transformed into Büchi automata, finding a final state that is reachable from an initial state and from itself solves the model checking problem. Finally we showed how to generate a Büchi automaton from a given SLPN and concluded with how to perform LTL model checking on SLPNs.

References

[1] Tristan Behrens and Jürgen Dix. Model checking with logic based petri nets. Technical Report IfI-07-02, Clausthal University of Technology, Dept of Computer Science, May
[2] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. The MIT Press, ISBN
[3] Rene David and Hassane Alla. Discrete, Continuous, and Hybrid Petri Nets. Springer Verlag, ISBN
[4] E. Allen Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics (B), pages
[5] Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification Testing and Verification, pages 3-18, Warsaw, Poland, Chapman & Hall.
[6] Gerard J. Holzmann. The SPIN Model Checker. Addison-Wesley, ISBN
[7] Gerard J. Holzmann. Software model checking with spin. Advances in Computers, 65:78-109,
[8] Ekkart Kindler and Michael Weber. The petri net kernel - an infrastructure for building petri net tools. International Journal on Software Tools for Technology Transfer, 3(4): ,
[9] Wolfgang Thomas. Automata on infinite objects. In Van Leeuwen, editor, Handbook of Theoretical Computer Science, pages ,
[10] Moshe Y. Vardi and Pierre Wolper. An automata-theoretic approach to automatic program verification (preliminary report). In LICS, pages IEEE Computer Society,


Supervised Median Clustering

Supervised Median Clustering Barbara Hammer 1, Alexander Hasenfuss 1, Frank-Michael Schleif 2, and Thomas Villmann 3 IfI Technical Report Series IfI-06-09 Impressum Publisher: Institut für Informatik,

Bounded LTL Model Checking with Stable Models

Under consideration for publication in Theory and Practice of Logic Programming 1 Bounded LTL Model Checking with Stable Models KEIJO HELJANKO and ILKKA NIEMELÄ Helsinki University of Technology Department

A Declarative Approach for Flexible Business Processes Management

A Declarative Approach for Flexible Business Processes Management M. Pesic and W.M.P. van der Aalst Department of Technology Management, Eindhoven University of Technology, P.O.Box 513, NL-5600 MB, Eindhoven,

Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Lecture: Secification Checking - Temoral Logic Coyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are coyrighted

Formal verification of contracts for synchronous software components using NuSMV

Formal verification of contracts for synchronous software components using NuSMV Tobias Polzer Lehrstuhl für Informatik 8 Bachelorarbeit 13.05.2014 1 / 19 Problem description and goals Problem description

Combining Software and Hardware Verification Techniques

Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

A computational model for MapReduce job flow

A computational model for MapReduce job flow Tommaso Di Noia, Marina Mongiello, Eugenio Di Sciascio Dipartimento di Ingegneria Elettrica e Dell informazione Politecnico di Bari Via E. Orabona, 4 70125

Abstraction for Model Checking Modular Interpreted Systems over ATL

Abstraction for Model Checking Modular Interpreted Systems over ATL Michael Köster and Peter Lohmann IfI Technical Report Series IfI-10-13 Impressum Publisher: Institut für Informatik, Technische Universität

Safety verification of software using structured Petri nets

Safety verification of software using structured Petri nets Krzysztof Sacha Warsaw University of Technology, Institute of Control and Computation Engineering, ul. Nowowiejska 15/19, 00-665 Warszawa, Poland

Process Modelling from Insurance Event Log

Process Modelling from Insurance Event Log P.V. Kumaraguru Research scholar, Dr.M.G.R Educational and Research Institute University Chennai- 600 095 India Dr. S.P. Rajagopalan Professor Emeritus, Dr. M.G.R

Collaborative Virtual Environments - Hype or Hope for CSCW?

Collaborative Virtual Environments - Hype or Hope for CSCW? Hannes Olivier; Niels Pinkwart IfI Technical Report Series IfI-07-14 Impressum Publisher: Institut für Informatik, Technische Universität Clausthal

Foundational Proof Certificates

An application of proof theory to computer science INRIA-Saclay & LIX, École Polytechnique CUSO Winter School, Proof and Computation 30 January 2013 Can we standardize, communicate, and trust formal proofs?

Path Querying on Graph Databases

Path Querying on Graph Databases Jelle Hellings Hasselt University and transnational University of Limburg 1/38 Overview Graph Databases Motivation Walk Logic Relations with FO and MSO Relations with CTL

Validated Templates for Specification of Complex LTL Formulas

Validated Templates for Specification of Complex LTL Formulas Salamah Salamah Department of Electrical, computer, Software, and Systems Engineering Embry Riddle Aeronautical University 600 S. Clyde Morris

ML for the Working Programmer

ML for the Working Programmer 2nd edition Lawrence C. Paulson University of Cambridge CAMBRIDGE UNIVERSITY PRESS CONTENTS Preface to the Second Edition Preface xiii xv 1 Standard ML 1 Functional Programming

Applications of Methods of Proof

CHAPTER 4 Applications of Methods of Proof 1. Set Operations 1.1. Set Operations. The set-theoretic operations, intersection, union, and complementation, defined in Chapter 1.1 Introduction to Sets are

DiPro - A Tool for Probabilistic Counterexample Generation

DiPro - A Tool for Probabilistic Counterexample Generation Husain Aljazzar, Florian Leitner-Fischer, Stefan Leue, and Dimitar Simeonov University of Konstanz, Germany Abstract. The computation of counterexamples

Slides based in part on previous lectures by Mahesh Vishwanathan, and by Gul Agha January 21, 2014 1

Contact Information CS477 Formal Software Development Methods Elsa L Gunter 2112 SC, UIUC egunter@illinois.edu http://courses.engr.illinois.edu/cs477 Office: 2112 SC Office Hours: Wednesdays 11:00am -

Feature Specification and Automated Conflict Detection

Feature Specification and Automated Conflict Detection AMY P. FELTY University of Ottawa and KEDAR S. NAMJOSHI Bell Laboratories Large software systems, especially in the telecommunications field, are

Master Thesis Embedded Systems

Master Thesis Embedded Systems Title: Student: Protocol Based Workflow Management System G.T. van t Klooster Department: Mathematics and Computer Science E-mail: g.t.v.t.klooster@student.tue.nl Student#:

A Classification of Model Checking-based Verification Approaches for Software Models

A Classification of Model Checking-based Verification Approaches for Software Models Petra Brosch, Sebastian Gabmeyer, Martina Seidl Sebastian Gabmeyer Business Informatics Group Institute of Software

Lecture 16 : Relations and Functions DRAFT

CS/Math 240: Introduction to Discrete Mathematics 3/29/2011 Lecture 16 : Relations and Functions Instructor: Dieter van Melkebeek Scribe: Dalibor Zelený DRAFT In Lecture 3, we described a correspondence

Specification and Analysis of Contracts Lecture 1 Introduction

Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.

Bounded Treewidth in Knowledge Representation and Reasoning 1

Bounded Treewidth in Knowledge Representation and Reasoning 1 Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität Wien Luminy, October 2010 1 Joint work with G.

µz An Efficient Engine for Fixed points with Constraints

µz An Efficient Engine for Fixed points with Constraints Kryštof Hoder, Nikolaj Bjørner, and Leonardo de Moura Manchester University and Microsoft Research Abstract. The µz tool is a scalable, efficient

A Test Case Generator for the Validation of High-Level Petri Nets

A Test Case Generator for the Validation of High-Level Petri Nets Jörg Desel Institut AIFB Universität Karlsruhe D 76128 Karlsruhe Germany E-mail: desel@aifb.uni-karlsruhe.de Andreas Oberweis, Torsten

Reading 13 : Finite State Automata and Regular Expressions

CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

The ProB Animator and Model Checker for B

The ProB Animator and Model Checker for B A Tool Description Michael Leuschel and Michael Butler Department of Electronics and Computer Science University of Southampton Highfield, Southampton, SO17 1BJ,

The Model Checker SPIN

IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23, NO. 5, MAY 1997 1 The Model Checker SPIN Gerard J. Holzmann Abstract SPIN is an efficient verification system for models of distributed software systems.

Simulative Model Checking of Steady State and Time-Unbounded Temporal Operators

Simulative Model Checking of Steady State and Time-Unbounded Temporal Operators Christian Rohr Department of Computer Science Brandenburg University of Technology Cottbus June 25, 2012 Outline 1 Introduction

Fixed-Point Logics and Computation

1 Fixed-Point Logics and Computation Symposium on the Unusual Effectiveness of Logic in Computer Science University of Cambridge 2 Mathematical Logic Mathematical logic seeks to formalise the process of

Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Lecture: Specification Checking - LTL Model Checking Copyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are

Monitoring Metric First-order Temporal Properties

Monitoring Metric First-order Temporal Properties DAVID BASIN, FELIX KLAEDTKE, SAMUEL MÜLLER, and EUGEN ZĂLINESCU, ETH Zurich Runtime monitoring is a general approach to verifying system properties at

Tree Data Decision Diagrams

Jean-Michel COUVREUR, Duy-Tung NGUYEN LIFO (Laboratoire d Informatique Fondamentale d Orléans), University of Orleans, Léonard de Vinci street B.P. 6759, F-45067 ORLEANS Cedex 2 http://www.univ-orleans.fr/lifo/

Markov Algorithm. CHEN Yuanmi December 18, 2007

Markov Algorithm CHEN Yuanmi December 18, 2007 1 Abstract Markov Algorithm can be understood as a priority string rewriting system. In this short paper we give the definition of Markov algorithm and also

Software Verification and Testing. Lecture Notes: Temporal Logics

Software Verification and Testing Lecture Notes: Temporal Logics Motivation traditional programs (whether terminating or non-terminating) can be modelled as relations are analysed wrt their input/output

Process Mining Using BPMN: Relating Event Logs and Process Models

Noname manuscript No. (will be inserted by the editor) Process Mining Using BPMN: Relating Event Logs and Process Models Anna A. Kalenkova W. M. P. van der Aalst Irina A. Lomazova Vladimir A. Rubin Received:

8.5 PETRI NETS. Figure A computer program. Figure 8.5.2

8.5 PETRI NETS Consider the computer program shown in Figure 8.5.1. Normally, the instructions would be processed sequentially first, A = 1, then B = 2, and so on. However, notice that there is no logical

Model Checking LTL Properties over C Programs with Bounded Traces

Noname manuscript No. (will be inserted by the editor) Model Checking LTL Properties over C Programs with Bounded Traces Jeremy Morse 1, Lucas Cordeiro 2, Denis Nicole 1, Bernd Fischer 1,3 1 Electronics

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours K. Adi, L. Sullivan & A. El Kabbal Computer Security Research Laboratory http://w3.uqo.ca/lrsi NCAC'05 1 Motivation

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection Martin Leucker Technische Universität München (joint work with Andreas Bauer, Christian Schallhart et. al) FLACOS

Software Verification: Infinite-State Model Checking and Static Program

Software Verification: Infinite-State Model Checking and Static Program Analysis Dagstuhl Seminar 06081 February 19 24, 2006 Parosh Abdulla 1, Ahmed Bouajjani 2, and Markus Müller-Olm 3 1 Uppsala Universitet,

Software Quality Exercise 1

Software Quality Exercise Model Checking Information. Dates Release: 7.0.0.5pm Deadline: 07.0.0.5pm Discussion:.0.0. Formalities While this exercise can be solved and handed in in groups of three, every

A Classification of Model Checking-Based Verification Approaches for Software Models

Volt Second Workshop on Verification Of Model Transformations, 2013, A Classification of Model Checking-Based Verification Approaches for Software Models Sebastian Gabmeyer a Petra Brosch a Martina Seidl

Professional Organization Checklist for the Computer Science Curriculum Updates. Association of Computing Machinery Computing Curricula 2008

Professional Organization Checklist for the Computer Science Curriculum Updates Association of Computing Machinery Computing Curricula 2008 The curriculum guidelines can be found in Appendix C of the report

Competitive Analysis of On line Randomized Call Control in Cellular Networks

Competitive Analysis of On line Randomized Call Control in Cellular Networks Ioannis Caragiannis Christos Kaklamanis Evi Papaioannou Abstract In this paper we address an important communication issue arising

Regular Languages and Finite Automata

Regular Languages and Finite Automata 1 Introduction Hing Leung Department of Computer Science New Mexico State University Sep 16, 2010 In 1943, McCulloch and Pitts [4] published a pioneering work on a

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

ω-automata ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: in verification, as encodings of non-terminating executions of a program. in arithmetic,

Language. Johann Eder. Universitat Klagenfurt. Institut fur Informatik. Universiatsstr. 65. A-9020 Klagenfurt / AUSTRIA

PLOP: A Polymorphic Logic Database Programming Language Johann Eder Universitat Klagenfurt Institut fur Informatik Universiatsstr. 65 A-9020 Klagenfurt / AUSTRIA February 12, 1993 Extended Abstract The

VeriTech - A Framework for Translating among Model Description Notations

Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) VeriTech - A Framework for Translating among Model Description Notations Orna Grumberg and Shmuel Katz Computer Science