Abstract

Many applications, for instance the MS .NET Global Assembly Cache (GAC), are naturally expressed as 3-valued models where an additional third truth value models uncertainty or under-specification. An example of under-specification is that a component in a GAC may or may not have a main method. Models described in this manner can then be analyzed to refute or verify properties about the concrete systems they intend to model. This approach to system validation traditionally considers only one model at a time, even though this model may evolve if subjected to analysis. Many applications, however, benefit from or require the simultaneous consideration of multiple models of systems. We mention here requirements from different stakeholders, and data drawn from federated databases. This paper therefore builds the mathematical foundations for property verification and refutation as applied to finitely many 3-valued models, where each model is endowed with states — possibly named by nominals, also known as hybrid constraints — labelled transitions, and atomic propositions. Specifically, we show that deciding whether a finite set of models has a common concrete system (consistency) is typically in PTIME, and that deciding whether a common concrete system satisfies a formula of the hybrid mu-calculus (satisfiability), and its dual (validity), are EXPTIME-complete. We propose sound and efficient approximations of these EXPTIME-complete checks by synthesizing and checking “summary” models. These approximations are optimal if all models are deterministic. Finally, we point out that such optimality of summary models is unattainable whenever not all summarized models are deterministic.
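The following is an added illustration written for this page; it is not code from the paper. It restricts the paper's setting to the propositional level: each model is a set of named states whose atomic propositions (here the GAC-style `has_main` and a constructed `signed`) take the value True, False or a third value MAYBE, and transitions, nominals and the mu-calculus are left out. Under that simplification a concrete system is a 2-valued labelling, a model is refined by every concrete system that keeps its definite values, and a finite set of models is consistent exactly when their definite values do not conflict. The join in the information order is then the "summary" labelling, and a propositional property that evaluates to True or False on it under Kleene logic is verified or refuted for every common concrete system. The state and stakeholder names are constructed sample data.

```python
"""Propositional-level illustration of 3-valued models, consistency and
summary labellings.  Added example, not the paper's code; transitions and
nominals are omitted by assumption."""
from itertools import product
from typing import Dict, Iterator, List, Optional

MAYBE = None  # third truth value: uncertain / under-specified
Labelling = Dict[str, Dict[str, Optional[bool]]]  # state -> proposition -> value


def refines(concrete: Labelling, partial: Labelling) -> bool:
    """True iff the 2-valued `concrete` keeps every definite value of `partial`."""
    return all(v is MAYBE or concrete[s][p] == v
               for s, props in partial.items() for p, v in props.items())


def join(models: List[Labelling]):
    """Information-order join of labellings.

    Returns (True, summary) when no two models assign conflicting definite
    values to the same state/proposition, else (False, None).  One pass over
    every cell of every model, so polynomial in the input size."""
    summary: Labelling = {}
    for m in models:
        for s, props in m.items():
            row = summary.setdefault(s, {})
            for p, v in props.items():
                cur = row.get(p, MAYBE)
                if cur is MAYBE:
                    row[p] = v
                elif v is not MAYBE and v != cur:
                    return False, None  # e.g. True vs. False for has_main
    return True, summary


def concretizations(summary: Labelling) -> Iterator[Labelling]:
    """Enumerate every 2-valued system refining `summary` (exponential; used
    only to cross-check the join against the definition on small inputs)."""
    cells = [(s, p) for s, props in summary.items() for p in props]
    choices = [[summary[s][p]] if summary[s][p] is not MAYBE else [False, True]
               for s, p in cells]
    for combo in product(*choices):
        c: Labelling = {s: {} for s in summary}
        for (s, p), v in zip(cells, combo):
            c[s][p] = v
        yield c


def check_consistency(models: List[Labelling]) -> Optional[Labelling]:
    """Summary labelling if the models share a concrete system, else None."""
    ok, summary = join(models)
    if not ok:
        return None
    # Sanity check of the definition: every concretization of the summary
    # refines every input model.
    assert all(refines(c, m) for c in concretizations(summary) for m in models)
    return summary


# Strong Kleene connectives: MAYBE propagates unless the other operand decides.
def kleene_not(a: Optional[bool]) -> Optional[bool]:
    return MAYBE if a is MAYBE else (not a)


def kleene_and(a: Optional[bool], b: Optional[bool]) -> Optional[bool]:
    if a is False or b is False:
        return False
    if a is MAYBE or b is MAYBE:
        return MAYBE
    return True


def runnable_and_signed(summary: Labelling, state: str) -> Optional[bool]:
    """Evaluate `has_main AND signed` at `state` of a 3-valued labelling.
    True: holds in every concretization; False: refuted in all; MAYBE: open."""
    row = summary[state]
    return kleene_and(row["has_main"], row["signed"])


# Constructed sample: three stakeholders' partial views of two components.
STAKEHOLDER_A: Labelling = {"compA": {"has_main": MAYBE, "signed": True},
                            "compB": {"has_main": False, "signed": MAYBE}}
STAKEHOLDER_B: Labelling = {"compA": {"has_main": True, "signed": MAYBE},
                            "compB": {"has_main": MAYBE, "signed": True}}
STAKEHOLDER_C: Labelling = {"compA": {"has_main": False, "signed": True},
                            "compB": {"has_main": False, "signed": True}}

if __name__ == "__main__":
    s = check_consistency([STAKEHOLDER_A, STAKEHOLDER_B])
    print("A+B summary:", s)
    print("compA runnable&signed:", runnable_and_signed(s, "compA"))
    print("A+B+C consistent:", check_consistency([STAKEHOLDER_A, STAKEHOLDER_B, STAKEHOLDER_C]) is not None)
```

A and B disagree on nothing definite, so their summary decides `has_main` for both components and the property `has_main AND signed` is verified at `compA` and refuted at `compB` for every common concrete system. Adding C, which asserts `compA` has no main method, leaves no common concrete system, and the join reports that in one linear pass rather than by enumerating concretizations.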
