Tool support for the rapid composition, analysis and implementation of reactive services
- Research Article
1
- 10.1142/s0218194022500371
- Jul 1, 2022
- International Journal of Software Engineering and Knowledge Engineering
Model checking is well known to be a computer-aided method for verifying concurrent systems. Temporal logics and their Kripke-style semantics have been widely used in model checking. Falsification-aware Kripke-style semantics for temporal logics have been required for the theoretical basis of model checking because falsification plays a critical role in obtaining counterexample traces for the underlying object specifications in model checking. However, a useful falsification-aware Kripke-style semantics has yet to be developed for standard temporal logics. Hence, this study introduces two types of falsification-aware Kripke-style semantics for standard temporal logics that have been typically used in model checking. The equivalences among the proposed falsification-aware and standard Kripke-style semantics for standard temporal logics are proved. Furthermore, some inconsistency-tolerant subsystems of standard temporal logics are semantically obtained from the proposed falsification-aware Kripke-style semantics for standard temporal logics by deleting a characteristic condition on the labeling function of the semantics. The proposed semantic framework for standard and inconsistency-tolerant temporal logics is regarded as a unified framework for generalizing and combining the existing standard, inconsistency-tolerant, and many-valued semantic frameworks. This unified semantic framework is useful for obtaining a theoretical basis for generalized (inconsistency-tolerant) model checking, referred to here as falsification-aware model checking.
- Book Chapter
1962
- 10.1016/b978-0-444-88074-1.50021-4
- Jan 1, 1990
- Formal Models and Semantics
CHAPTER 16 - Temporal and Modal Logic
- Dissertation
- 10.32469/10355/104668
- May 1, 2024
Motion planning and control of complex systems have in recent times gained a lot of attention in fields such as robotics. Usually, such problems are formulated as temporal logic specifications over a discrete representation of the given system. Despite the expressivity of conventional logics such as Linear Temporal Logic (LTL), Metric Temporal Logic (MTL), Signal Temporal Logic (STL), etc., they cannot be used to formalize complex requirements such as side-channel timing, opacity, service-level agreements, etc., which are examples of hyperproperties. Hyperproperties generalize trace properties to enable reasoning about multiple computation traces, which conventional logics cannot do. In this dissertation, we introduce a new formalism, HyperTWTL, which extends the compact semantics of Time Window Temporal Logic (TWTL), a domain-specific formal specification language for robotics, by allowing explicit and simultaneous quantification over multiple execution traces. This work also proposes and evaluates methods and algorithms for synthesizing and verifying complex control policies formalized using HyperTWTL. The first part of this dissertation investigates a novel domain-specific formal specification language for specifying important timed hyperproperties such as information flow security policies, service-level agreements, etc. Specifically, a new formal security specification language for robotic motion planning, HyperTWTL, will be introduced by extending the classical time window temporal logic (TWTL). The drawbacks of already existing hyper-temporal logics, specifically HyperLTL, HyperSTL, and HyperMTL, will be analyzed to enhance the feasibility and practicality of HyperTWTL. We will subsequently demonstrate the application of HyperTWTL to express timed hyperproperties in robotic applications.
The second part of the dissertation discusses the proposal of efficient techniques for verification, specifically using automata-based and satisfiability modulo theory (SMT)-based model checking methods under HyperTWTL specifications. This is because most existing model-checking verification techniques based on both automata and SMT are limited to the analysis of individual trace executions and, as such, may not be applicable for the same purpose when using HyperTWTL. Recent works show the effectiveness and prospect of Hyperproperties, specifically Hyperproperties for Linear Temporal Logic (HyperLTL), in optimality-, robustness-, and privacy-aware robotic motion planning. However, despite their rich expressiveness, HyperLTL cannot express tasks with time constraints. In the third part of this dissertation, we demonstrate that HyperTWTL can be used to formalize complex robotic planning objectives. Given HyperTWTL specifications, we also propose a symbolic approach for synthesizing optimality-, robustness-, and privacy-aware strategies by reducing the planning problem to a first-order logic satisfiability problem. The planning problem was then solved using two industrial-strength SMT solvers. The feasibility of HyperTWTL and the efficiency and scalability of the proposed strategy synthesis approach are demonstrated by formalizing important motion planning objectives of a surveillance mission case study and synthesizing the respective strategies using Z3 and CVC4 SMT solvers. Traditionally, most temporal logic specifications have been verified using an automata-based model checking framework. Model checking is indeed an unavoidable part of designing safety-critical systems. However, verification of important properties of a given system using model checking does not guarantee that the system will behave as expected during the runtime operation, which falls under the scope of runtime verification (RV). 
The fourth part of this dissertation investigates efficient algorithms for runtime monitoring of HyperTWTL specifications. Reinforcement learning (RL) is a sequential decision-making process in which an agent continuously interacts with and learns from an unknown environment. This approach has been used with various temporal logics to solve motion planning problems. In the fifth part of this dissertation, we study the problem of learning to satisfy complex tasks assigned to robotic agents in environments that may exhibit probabilistic behavior. We investigate a Reinforcement Learning (RL) approach to maximizing the expected sum of rewards subject to constraints formalized as HyperTWTL during learning optimal policies for autonomous systems in unknown environments. The final part of the dissertation concludes this work and discusses future works.
- Research Article
13
- 10.1109/access.2019.2942762
- Jan 1, 2019
- IEEE Access
Linear Temporal Logic (LTL) Model Checking (MC) has been applied to many fields. However, the state explosion problem and the exponential computational complexity restrict the further applications of LTL model checking. A lot of approaches have been presented to address these problems, and they work well. However, the essential issue has not been resolved due to the inherent complexity of the problem. As a result, the running time of LTL model checking algorithms will be unacceptable if an LTL formula is too long. To this end, this study tries to seek an acceptable approximate solution for LTL model checking by introducing the Machine Learning (ML) technique. A method for predicting LTL model checking results is proposed, using several ML algorithms, including Boosted Tree (BT), Random Forest (RF), Decision Tree (DT) and Logistic Regression (LR), respectively. First, for a number of Kripke structures and LTL formulas, a data set A containing model checking results is obtained, using one of the existing LTL model checking algorithms. Second, the LTL model checking problem can be reduced to a binary classification problem of machine learning. In other words, some records in A form a training set for the given machine learning algorithm, where formulas and Kripke structures are the two features, and model checking results are the one label. On the basis of it, an ML model M is obtained to predict the results of LTL model checking. As a result, an approximate LTL model checking technique emerges. The experiments show that the new method has a similar maximum accuracy to the state-of-the-art algorithm in the classical LTL model checking technique, while the average efficiency of the former method is at most 6.3 million times higher than that of the latter algorithms, if the length of each LTL formula equals 500. These results indicate that the new method can quickly and accurately determine the LTL model checking result for a given Kripke structure and a given long LTL formula, since the new method avoids the famous state explosion problem.
- Conference Article
1
- 10.1109/qrs-c.2019.00043
- Jul 1, 2019
The process of model checking generally involves model construction, property specification, and the use of tools or algorithms for model checking. Unfortunately, in practical research there are problems at every step of model checking, such as the well-known state explosion problem. In order to summarize the experience and lessons from the practice of model checking, this paper selects the open source flight control software MWC as the research object and analyzes the problems encountered in the process of model checking: (1) modeling object selection, (2) state explosion, (3) model abstraction, (4) property identification and specification; corresponding solutions are given. The empirical study verified the capability of model checking technology, carried out model checking on the MWC open source flight control software, and successfully detected important errors.
- Research Article
2
- 10.1515/jib-2013-229
- Dec 1, 2013
- Journal of Integrative Bioinformatics
Model checking, a generic and formal paradigm stemming from computer science based on temporal logics, has been proposed for the study of biological properties that emerge from the labeling of the states defined over the phylogenetic tree. This strategy allows us to use generic software tools already present in the industry. However, the performance of traditional model checking is penalized when scaling the system for large phylogenies. To this end, two strategies are presented here. The first one consists of partitioning the phylogenetic tree into a set of subgraphs, each one representing a subproblem to be verified, so as to speed up the computation time and distribute the memory consumption. The second strategy is based on uncoupling the information associated with each state of the phylogenetic tree (mainly, the DNA sequence) and exporting it to an external tool for the management of large information systems. The integration of all these approaches outperforms the results of monolithic model checking and helps us to execute the verification of properties in a real phylogenetic tree.
- Research Article
- 10.1111/j.1747-9991.2011.00461.x
- Mar 19, 2012
- Philosophy Compass
This guide accompanies the following article(s): Meghan Sullivan, ‘Problems with Temporary Existence in Tense Logic’. Philosophy Compass 7/1 (2012): 43–57. doi: 10.1111/j.1747‐9991.2011.00457.x

Author’s Introduction

Over the past century, there has been considerable debate over whether and how anything changes with respect to existence. Most A‐theorists of time (presentists, growing block theorists, and branch theorists) think things come to exist or cease to exist. B‐theorists of time (four‐dimensionalists, in particular) think objects do not change with respect to existence. In my Compass article, I outline a serious difficulty that A‐theorists face in trying to reason about temporary existents. The most straightforward logics for time and existence entail that nothing exists merely temporarily. The problem arises from a set of theorems of the simplest temporal logic – the converse Barcan formulas. But attempts to fix the logic to get rid of the Barcan formulas pressure A‐theorists to abandon an intuitive and widespread assumption about existence. I survey the logical and metaphysical options for solving the problem.

Author Recommends

Burgess, John P. Philosophical Logic. Princeton: Princeton University Press, 2009. An introductory textbook in philosophical logic. Chapter 2 focuses on temporal logic and motivates a logic‐based response to problems with the temporal Barcan schemas.
Prior, A. N. Past, Present, and Future. Oxford: Oxford University Press, 1967. The first attempt to rigorously formulate propositional and quantified tense logic. Chapter 8 especially provides philosophical insight into problems with change in existence. Prior uses Polish notation for his proofs and formalism, which requires a bit of background to translate.
Sider, Theodore. Four‐Dimensionalism. Oxford: Oxford University Press, 2001. Provides a useful background on the debates in the philosophy of time. The first three chapters that precisely define the different theories are especially relevant.
Sider, Theodore. Logic for Philosophy. Oxford: Oxford University Press, 2010. A useful guide to the semantics and proof theory of modal and temporal logics.
van Inwagen, Peter. ‘Meta‐Ontology.’ Erkenntnis 48 (1998): 233–50. Gives an explanation and defense of neo‐Quinean assumptions.
Williamson, Timothy. ‘Bare Possibilia.’ Erkenntnis 48 (1998): 257–73. Provides a logic‐based argument for necessary, permanent existence and gives an A‐theory‐friendly model for explaining change on such an ontology.
Zimmerman, Dean W. ‘Temporary Intrinsics and Presentism.’ Metaphysics: The Big Questions. Eds. Peter van Inwagen and Dean W. Zimmerman. Oxford: Blackwell, 1998. Surveys a problem in formulating presentist theories of change and motivates the need for tense operators.

Sample Syllabus

Here is a sample syllabus for a course on time in metaphysics and logic:

Week I: Introduction: A‐Theories and B‐Theories. We will consider precise ways of differentiating A‐theories of time and B‐theories of time, looking in particular at how A‐theorists and B‐theorists think of intrinsic properties.
Reading: Chap 4.2, Lewis, David. On the Plurality of Worlds. Oxford: Blackwell, 1986. Zimmerman, Dean W. ‘Temporary Intrinsics and Presentism.’ Metaphysics: The Big Questions. Eds. Peter van Inwagen and Dean W. Zimmerman. Oxford: Blackwell, 1998. Chap 2, Sider, Theodore. Four‐Dimensionalism. Oxford: Oxford University Press, 2001.

Week II: The Bug: Temporary Existence in Tense Logic. We will consider why A‐theorists use tense logics to express their views, and we will look at the difficulties A‐theorists have expressing temporary existence in tense logic.
Reading: Sullivan, Meghan. ‘Problems for Temporary Existence in Tense Logic.’ Philosophy Compass. Chap 8, Prior, A. N. Past, Present, and Future. Oxford: Oxford University Press, 1967.

Week III: Option 1: Rewire Tense Logic? We will learn about Kripke’s solution to the parallel problem in modal logic, consider how it might be applied to tense logic, and then consider philosophical difficulties for the proposal.
Reading: Chap 2, Burgess, John P. Philosophical Logic. Princeton: Princeton University Press, 2009. Kripke, Saul. ‘Semantical Considerations in Modal Logic.’ Reference and Modality. Ed. Bernard Linsky. Oxford: Oxford University Press, 1971. Optional: Chap 10, Sider, Theodore. Logic for Philosophy. Oxford: Oxford University Press, 2010.

Week IV: Option 2: Believe in Permanent Existence?
- Book Chapter
10
- 10.1007/978-3-540-30569-9_11
- Jan 1, 2005
Explicit-State Model Checking is a well-studied technique for the verification of concurrent programs. Due to exponential costs associated with model checking, researchers often focus on applying model checking to software units rather than whole programs. Recently, we have introduced a framework that allows developers to specify and model check rich properties of Java software units using the Java Modeling Language (JML). An often overlooked problem in research on model checking software units is the problem of environment generation: how does one develop code for a test harness (representing the behaviors of contexts in which a unit may eventually be deployed) for the purpose of driving the unit being checked along relevant execution paths? In this paper, we build on previous work in the testing community and we focus on the use of coverage information to assess the appropriateness of environments and to guide the design/modification of environments for model checking software units. A novel aspect of our work is the inclusion of specification coverage of JML specifications in addition to code coverage in an approach for assessing the quality of both environments and specifications. To study these ideas, we have built a framework called MAnTA on top of the Bogor Software Model Checking Framework that allows the integration of a variety of coverage analyses with the model checking process. We show how we have used this framework to add two different types of coverage analysis to our model checker (Bogor) and how it helped us find coverage holes in several examples. We make an initial effort to describe a methodology for using code and specification coverage to aid in the development of appropriate environments and JML specifications for model checking Java units.
- Book Chapter
51
- 10.1007/978-3-540-78800-3_11
- Mar 29, 2008
Two approaches for achieving correctness of code are verification and synthesis from specification. Evidently, it is easier to check a given program for correctness (although not a trivial task by itself) than to generate algorithmically correct-by-construction code. However, formal verification may give quite limited information about how to correct the code. Genetic programming repeatedly generates mutations of code, and then selects the mutations that remain for the next stage based on a fitness function, which assists in converging into a correct program. We use a model checking procedure to provide the fitness value in every stage. As an example, we generate algorithms for mutual exclusion, using this combination of genetic programming and model checking. The main challenge is to select a fitness function that will allow constructing correct solutions with minimal effort. We present our considerations behind the selection of a fitness function based not only on the classical outcome of model checking, i.e., the existence of an error trace, but on the complete graph constructed during the model checking process.
- Conference Article
9
- 10.1109/apsec.2008.71
- Jan 1, 2008
Model checking is a powerful technique for verifying the correctness of a system's specification. But even when the specification has been verified to be correct, there is still the question of whether the specification covers all the expected behaviors. One of the most important issues for verification is the sufficiency of verification items. In model checking, specification-level properties such as reachability are well-studied, but the sufficiency of a specification against the preceding requirements still remains a challenge. In this paper, we propose a model-checking process with goal-oriented requirements analysis, in which goal descriptions in a natural language are systematically refined into linear temporal logic formulae. Furthermore, the coverage of the verification result can be evaluated against the goal model. We developed a tool that supports the process, and applied it to an example. This process lowers the technical barriers to model checking and improves the sufficiency of system verification.
- Research Article
72
- 10.1007/s10270-014-0448-7
- Dec 25, 2014
- Software & Systems Modeling
Programmable logic controllers (PLCs) are heavily used in industrial control systems because of their high simultaneous input/output processing capacity. Characteristically, PLC systems are used in mission-critical systems, and PLC software needs to conform to real-time constraints in order to work properly. Since PLC programming requires mastering low-level instructions or assembly-like languages, an important step in PLC software production is modelling using a formal approach like Petri nets or automata. Afterward, PLC software is produced semi-automatically from the model and refined iteratively. Model checking, on the other hand, is a well-known software verification approach, where typically a set of timed properties is verified by exploring the transition system produced from the software model at hand. Naturally, model checking is applied in a variety of ways to verify the correctness of PLC-based software. In this paper, we provide a broad view of the difficulties that are encountered during the model checking process applied at the verification phase of PLC software production. We classify the approaches from two different perspectives: first, the model checking approach/tool used in the verification process, and second, the software model/source code and its transformation to the model checker's specification language. In a nutshell, we have mainly examined SPIN-, SMV-, and UPPAAL-based model checking activities and model construction using Instruction Lists (and alike), Function Block Diagrams, and Petri nets/automata-based model construction activities. As a result of our studies, we provide a comparison among the studies in the literature regarding various aspects like their application areas, performance considerations, and model checking processes. Our survey can be used to provide guidance for the scholars and practitioners planning to integrate model checking into PLC-based software verification activities.
- Book Chapter
6
- 10.1007/3-540-63010-4_7
- Jan 1, 1997
Temporal logic and model checking algorithms are often used for checking system properties in various environments. The diversity of systems and environments implies a diversity of logics and algorithms. But there are no tools to aid the logician or practitioner in the experimentation with different varieties of temporal logics and model checkers. Such tools could give users the ability to modify and extend a temporal logic and model checker as their problem domain changes. We have developed a set of tools that provide these capabilities by placing the model checking problem in an algebraic framework. These tools provide a temporal logic test bed that allows for quick prototyping and easy extension to logics and model checkers. Here we discuss the usage of these tools to generate model checker algorithms as algebraic mappings (i.e., embeddings of one algebra into another algebra by derived operations) with the temporal logic as the source algebra and the sets of nodes of a model as the target algebra. We demonstrate these tools by extending CTL and its model checker by introducing formulas that quantify the paths over which the satisfaction of the temporal operators is defined. This is made possible by permitting propositions to label the edges as well as the nodes in the model. We use this logic and its model checker to analyze program process graphs during the parallelization phase of an algebraic compiler.
- Book Chapter
161
- 10.1007/3-540-44618-4_14
- Jan 1, 2000
We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the model-checking problem for any 3-valued temporal logic can be reduced to two model-checking problems for the corresponding 2-valued temporal logic. We then introduce a new semantics for 3-valued temporal logics that can give more definite answers than the previous one. With this semantics, the evaluation of a formula Φ on a partial Kripke structure M returns the third truth value ⊥ (read unknown) only if there exist Kripke structures M1 and M2 that both complete M and such that M1 satisfies Φ while M2 violates Φ, hence making the value of Φ on M truly unknown. The partial Kripke structure M can thus be viewed as a partial solution to the satisfiability problem which reduces the solution space to complete Kripke structures that are more complete than M with respect to a completeness preorder. This generalized model-checking problem is thus a generalization of both satisfiability (all Kripke structures are potential solutions) and model checking (a single Kripke structure needs to be checked). We present algorithms and complexity bounds for the generalized model-checking problem for various temporal logics.
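Two of the abstracts above make a point that is easier to see in code than in prose: the first entry's observation that a falsification is what produces a counterexample trace, and the partial-Kripke-structure entry's reduction of a 3-valued model-checking question to two 2-valued ones. The Python below is an added example written for this listing; it is not code from any of the listed papers. It restricts itself to the invariant fragment AG p (one atomic proposition under "always"), which is an assumption made to keep the example short, and the class and function names, the `T`/`F`/`?` encoding of the third truth value, and the four-state sample structure are all constructed for the example.

```python
from collections import deque

T, F, U = "T", "F", "?"          # 3-valued labels; U stands for the unknown value (⊥)


class Kripke:
    """A (possibly partial) Kripke structure.

    label[state][atom] is T, F or U.  A structure with no U labels is an
    ordinary 2-valued Kripke structure; U marks an incomplete state space.
    (Constructed for this example; not an API from the listed papers.)
    """

    def __init__(self, init, trans, label):
        self.init = list(init)
        self.trans = {s: list(ts) for s, ts in trans.items()}
        self.label = {s: dict(atoms) for s, atoms in label.items()}

    def value(self, state, atom):
        return self.label[state].get(atom, F)

    def complete(self, fill):
        """Replace every U label by `fill`: T gives the optimistic completion,
        F the pessimistic one.  Both are ordinary 2-valued structures."""
        new_label = {s: {a: (fill if v == U else v) for a, v in atoms.items()}
                     for s, atoms in self.label.items()}
        return Kripke(self.init, self.trans, new_label)


def check_invariant(m, atom):
    """2-valued check of AG atom by breadth-first search over reachable states.

    Returns (True, None) when every reachable state satisfies `atom`, else
    (False, trace) where trace is a shortest path from an initial state to
    a violating state: the counterexample that a falsification yields.
    """
    parent = {}
    queue = deque()
    for s in m.init:
        if s not in parent:
            parent[s] = None
            queue.append(s)
    while queue:
        s = queue.popleft()
        if m.value(s, atom) != T:
            trace = []
            while s is not None:          # walk parent pointers back to an initial state
                trace.append(s)
                s = parent[s]
            return False, trace[::-1]
        for t in m.trans.get(s, ()):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return True, None


def check_invariant_3v(m, atom):
    """3-valued check of AG atom on a partial structure via two 2-valued runs.

    pessimistic completion (U -> F) passes  => T: every completion satisfies
    optimistic completion  (U -> T) fails   => F, with its counterexample trace
    otherwise                               => U: the pessimistic run violates
                                               and the optimistic run satisfies,
                                               so the answer is truly unknown
    """
    ok_pess, _ = check_invariant(m.complete(F), atom)
    if ok_pess:
        return T, None
    ok_opt, trace = check_invariant(m.complete(T), atom)
    if not ok_opt:
        return F, trace
    return U, None


# Constructed sample structure: s0 branches to a self-looping s1 and to s2 -> s3.
TRANS = {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s3"], "s3": ["s3"]}


def sample(s2_safe, s3_safe):
    """Build the sample with chosen labels for the atom 'safe' at s2 and s3."""
    label = {"s0": {"safe": T}, "s1": {"safe": T},
             "s2": {"safe": s2_safe}, "s3": {"safe": s3_safe}}
    return Kripke(["s0"], TRANS, label)


if __name__ == "__main__":
    print(check_invariant(sample(T, T), "safe"))      # (True, None)
    print(check_invariant(sample(T, F), "safe"))      # (False, ['s0', 's2', 's3'])
    print(check_invariant_3v(sample(U, T), "safe"))   # ('?', None)
    print(check_invariant_3v(sample(U, F), "safe"))   # ('F', ['s0', 's2', 's3'])
```

For a single-atom invariant the two completions are themselves witnesses (one satisfying, one violating), so the two-run reduction already returns ⊥ only when some completion satisfies and some violates; the more precise generalized semantics in the abstract above matters for formulas such as p ∨ ¬p, where the naive reduction reports ⊥ although every completion satisfies the formula. The BFS also illustrates why counterexamples are the practically useful output of falsification: the trace returned is the shortest reachable path to a violation, which is what an engineer replays against the real system.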
- Research Article
1
- 10.1002/stvr.377
- Aug 19, 2008
- Software Testing, Verification and Reliability
Modeling and verification using UML Statecharts. By Doron Drusinsky. Published by Newnes Publishers, 2006. ISBN: 0‐7506‐7617‐5, 306 pages. Price £39.99. Hard Cover.
- Research Article
9
- 10.1007/s00165-014-0318-7
- Nov 6, 2014
- Formal Aspects of Computing
Recently, by defining suitable fuzzy temporal logics, temporal properties of dynamic systems have been specified during the model checking process, yet only a few fuzzy temporal logics along with capable corresponding models have been developed and used in the system design phase; moreover, even when a suitable model is available, it suffers from the lack of a capable model checking approach. Having to deal with uncertainty in the model checking paradigm, this paper introduces a fuzzy Kripke model (FzKripke) and then provides a verification approach using a novel logic called Fuzzy Computation Tree Logic* (FzCTL*). Not only is state space explosion handled using well-known concepts like abstraction and bisimulation, but an approximation method is also devised as a novel technique to deal with this problem. Fuzzy program graph, a generalization of program graph and FzKripke, is also introduced in this paper in consideration of higher-level abstraction in model construction. Finally, modeling and verification of a multi-valued flip-flop are studied in order to demonstrate the capabilities of the proposed models.