Μ-calculus Formulas Research Articles

Control of Non-Deterministic Systems With $\mu$-Calculus Specifications Using Quotienting

The supervisory control problem for discrete event system (DES) under control involves identifying the supervisor, if one exists, which, when synchronously composed with the DES, results in a system that conforms to the control specification. In this context, we consider a non-deterministic DES under complete observation and control specification expressed in action-based propositional μ-calculus. The key to our solution is the process of quotienting the control specification against the plan resulting in a new μ-calculus formula such that a model for the formula is the supervisor. Thus the task of control synthesis is reduced a problem of μ-calculus satisfiability. In contrast to the existing μ-calculus quotienting-based techniques that are developed in deterministic setting, our quotienting rules can handle nondeterminism in the plant models. Another distinguishing feature of our technique is that while existing techniques use a separate μ-calculus formula to describe the controllability constraint (that uncontrollable events of plants are never disabled by a supervisor), we absorb this constraint as part of quotienting which allows us to directly capture more general state-dependent controllability constraints. Finally, we develop a tableau-based technique for verifying satisfiability of quotiented formula and model generation. The runtime for the technique is exponential in terms of the size of the plan and the control specification. A better complexity result that is polynomial to plant size and exponential to specification size is obtained when the controllability property is state-independent. A prototype implementation in a tabled logic programming language as well as some experimental results are presented.

Łukasiewicz μ-calculus

The paper explores properties of the Łukasiewicz μ-calculus, or Łμ for short, an extension of Łukasiewicz logic with scalar multiplication and least and greatest fixed-point operators (for monotone formulas). We observe that Łμ terms, with n variables, define monotone piece-wise linear functions fr om [0, 1]n to [0, 1]. Two effective procedures for calculating the output of Łμ terms on rational inputs are presented. We then consider the Łukasiewicz modal μ-calculus, which is obtained by adding box and diamond modalities to Łμ. Alternatively, it can be viewed as a generalization of Kozen’s modal μ-calculus adapted to probabilistic nondeterministic transition systems (PNTS’s). We show how properties expressible in the well-known logic PCTL can be encoded as Łukasiewicz modal μ-calculus formulas. We also show that the algorithms for computing values of Łukasiewicz μ-calculus terms provide automatic (albeit impractical) methods for verifying Łukasiewicz modal μ-calculus properties of finite rational PNTS’s.

Tools and Methods for RTCP-Nets Modeling and Verification

Abstract RTCP-nets are high level Petri nets similar to timed colored Petri nets, but with different time model and some structural restrictions. The paper deals with practical aspects of using RTCP-nets for modeling and verification of real-time systems. It contains a survey of software tools developed to support RTCP-nets. Verification of RTCP-nets is based on coverability graphs which represent the set of reachable states in the form of directed graph. Two approaches to verification of RTCP-nets are considered in the paper. The former one is oriented towards states and is based on translation of a coverability graph into nuXmv (NuSMV) finite state model. The later approach is oriented towards transitions and uses the CADP toolkit to check whether requirements given as μ-calculus formulae hold for a given coverability graph. All presented concepts are discussed using illustrative examples

Executable Semantics for the Formal Specification and Verification of E-agents

Background: Software agents are expected to work autonomously and deal with unfamiliar situations astutely. Achieving cent percent test case coverage for these agents has always been a problem due to limited resources. Also a high degree of dependability is expected from autonomous software agents. Formal verification of these systems can be done by specifying the possible actions of the agents to increase the confidence in the correctness of such systems. Methods: We have used social approach of agent communication where actions of the agents are described as social obligation between the participants. Formal specification of e-agents was done using μ-calculus as it is more expressive than Linear Temporal Logic (LTL). An algorithm has been given for syntactic conversion of μ-calculus formulas to TAPA model checker environment. Results: Using converstion algorithm syntactically modified μ-calculus formulas will be executed on TAPA model checker to verify the system being modelled for the specified properties. Application: The study will help to provide future directions for formal modelling of e-agents for their correct functioning.

Model checking adaptive service compositions

We present a logic-based verification framework for multilevel security and transactional correctness of service oriented architectures. The framework is targeted at the analysis of data confidentiality, enforced by non-interference, and of service responsiveness, captured by a notion of compliance that implies deadlock and livelock freedom. We isolate a class of modal μ-calculus formulae, interpreted over service configurations, that characterise configurations satisfying the properties of interest. We then investigate an adaptation technique based on the use of coercion filters to block any action that might potentially break security or transactional correctness. Based on the above, we devise a model checking algorithm for adaptive service compositions which automatically synthesises the maximal (most expressive/permissive) filter enforcing the desired security and correctness properties.

Some results on complexity of μ-calculus evaluation in the black-box model

We consider μ-calculus formulas in a normal form: after a prefix of fixed-point quantifiers follows a quantifier-free expression. We are interested in the problem of evaluating (model checking) such formulas in a powerset lattice. We assume that the quantifier-free part of the expression can be any monotone function given by a black-box – we may only ask for its value for given arguments. As a first result we prove that when the lattice is fixed, the problem becomes polynomial (the assumption about the quantifier-free part strengthens this result). As a second result we show that any algorithm solving the problem has to ask at least about n2 (namely Ω(n2/log n)) queries to the function, even when the expression consists of one μ and one ν (the assumption about the quantifier-free part weakens this result).

A saturation method for the modal μ-calculus over pushdown systems

We present an algorithm for computing directly the denotation of a μ-calculus formula χ over the configuration graph of a pushdown system. Our method gives the first extension of the saturation technique to the full μ-calculus. Finite word automata are used to represent sets of pushdown configurations. Starting from an initial automaton, we perform a series of automaton manipulations which compute the denotation by recursion over the structure of the formula. We introduce notions of under-approximation (soundness) and over-approximation (completeness) that apply to automaton transitions rather than runs. Our algorithm is relatively simple and direct, and avoids an immediate exponential blow up. Finally, we show experimentally that the direct algorithm is more efficient than via a reduction to parity games.

COMPLETE SAT-BASED MODEL CHECKING FOR CONTEXT-FREE PROCESSES

A complete SAT-based model checking algorithm for context-free processes is presented. We reduce proof search in local model checking to Boolean satisfiability. Bounded proof search can therefore be performed by SAT solvers. Moreover, the completeness of proof search is reduced to Boolean unsatisfiability and hence can be checked by SAT solvers. By encoding the local model checking algorithm in [13], SAT solvers are able to verify properties in the universal fragment of alternation-free µ-calculus formulae on context-free processes. Since software programs can be modeled by context-free processes, our result demonstrates that a purely SAT-based algorithm for software verification is indeed possible.

Pre- and Post-Conditions Expressed in Variants of the Modal .MU.-Calculus

Properties of Kripke structures can be expressed by formulas of the modal µ-calculus. Despite its strong expressive power, the validity problem of the modal µ-calculus is decidable, and so are some of its variants enriched by inverse programs, graded modalities, and nominals. In this study, we show that the pre- and post-conditions of transformations of Kripke structures, such as addition/deletion of states and edges, can be expressed using variants of the modal µ-calculus. Combined with decision procedures we have developed for those variants, the properties of sequences of transformations on Kripke structures can be deduced. We show that these techniques can be used to verify the properties of pointer-manipulating programs.

Modeling and verification of the SDL-specified communication protocols using high-level Petri nets

To simplify modeling and verification of communication protocols presented in the SDL language, the so-called hierarchical typed timed Petri nets (HTT nets), which are substantial modifications of colored Petri nets, are introduced. A method of translation of the SDL language into HTT nets is described. A program complex SPV (SDL Protocol Verifier), which includes a translator from SDL into HTT nets and means for editing, simulation, visualization, and verification of these net models, is presented. For the verification, a model checking method for properties presented by μ-calculus formulas is used. Experiments on application of the SPV complex for modeling and verifying two ring protocols (RE and ATMR protocols), an optimized version of the sliding window protocol (i-protocol), and a dynamic version of the InRes protocol are described

Modal Expressiveness of Graph Properties

Graphs are among the most frequently used structures in Computer Science. In this work, we analyze how we can express some important graph properties such as connectivity, acyclicity and the Eulerian and Hamiltonian properties in a modal logic. First, we show that these graph properties are not definable in a basic modal language. Second, we discuss an extension of the basic modal language with fix-point operators, the modal μ-calculus. Unfortunately, even with all its expressive power, the μ-calculus fails to express these properties. This happens because μ-calculus formulas are invariant under bisimulations. Third, we show that it is possible to express some of the above properties in a basic hybrid logic. Fourth, we propose an extension of CTL* with nominals, that we call hybrid-CTL*, and then show that it can express the Hamiltonian property in a better way than the basic hybrid logic. Finally, we introduce a promising way of expressing properties related to edges and use it to express the Eulerian property.

On-the-Fly Data Flow Analysis Based on Verification Technology

The combination of static and dynamic software analysis, such as data flow analysis (Dfa) and model checking, provides benefits for both disciplines. On the one hand, the information extracted by Dfas about program data may be utilized by model checkers to optimize the state space representation. On the other hand, the expressiveness of logic formulas allows us to consider model checkers as generic data flow analyzers. Following this second approach, we propose in this paper an algorithm to calculate Dfas using on-the-fly resolution of boolean equation systems (Bess). The overall framework includes the abstraction of the input program into an implicit labeled transition system (Lts), independent of the program specification language. Moreover, using Bess as an intermediate representation allowed us to reformulate classical Dfas encountered in the literature, which were previously encoded in terms of μ-calculus formulas with forward and backward modalities. Our work was implemented and integrated into the widespread verification platform Cadp, and experimented on real examples.

From linear time to branching time

Model checking is a method for the verification of systems with respect to their specifications. Symbolic model-checking, which enables the verification of large systems, proceeds by calculating fixed-point expressions over the system's set of states. The μ-calculus is a branching-time temporal logic with fixed-point operators. As such, it is a convenient logic for symbolic model-checking tools. In particular, the alternation-free fragment of μ-calculus has a restricted syntax, making the symbolic evaluation of its formulas computationally easy. Formally, it takes time that is linear in the size of the system. On the other hand, specifiers find the μ-calculus inconvenient. In addition, specifiers often prefer to use linear-time formalisms. Such formalisms, however, cannot in general be translated to the alternation-free μ-calculus, and their symbolic evaluation involves nesting of fixed-points, resulting in time complexity that is quadratic in the size of the system. In this article, we characterize linear-time properties that can be specified in the alternation-free μ-calculus. We show that a linear-time property can be specified in the alternation-free μ-calculus iff it can be recognized by a deterministic Büchi automaton. We study the problem of deciding whether a linear-time property, specified by either an automaton or an LTL formula, can be translated to an alternation-free μ-calculus formula, and describe the translation, when possible.

Logical Specification and Analysis of Fault Tolerant Systems Through Partial Model Checking

This paper presents a framework for a logical characterization of fault tolerance and its formal analysis based on partial model checking techniques. The framework requires a fault tolerant system to be modeled using a formal calculus, here the CCS process algebra. To this aim we propose a uniform modeling scheme in which to specify a formal model of the system, its failing behaviour and possibly its fault-recovering procedures. Once a formal model is provided into our scheme, fault tolerance - with respect to a given property - can be formalized as an equational μ-calculus formula. This formula expresses, in a logic formalism, all the fault scenarios satisfying that fault tolerance property. Such a characterization understands the analysis of fault tolerance as a form of analysis of open systems and, thank to partial model checking strategies, it can be made independent from any particular fault assumption. Moreover this logical characterization makes possible the fault-tolerance verification problem be expressed as a general μ-calculus validation problem, for solving which many theorem proof techniques and tools are available. We present several analysis methods showing the flexibility of our approach.

Games for synthesis of controllers with partial observation

The synthesis of controllers for discrete event systems, as introduced by Ramadge and Wonham, amounts to computing winning strategies in parity games. We show that in this framework it is possible to extend the specifications of the supervised systems as well as the constraints on the controllers by expressing them in the modal μ-calculus. In order to express unobservability constraints, we propose an extension of the modal μ-calculus in which one can specify whether an edge of a graph is a loop. This extended μ-calculus still has the interesting properties of the classical one. In particular it is equivalent to automata with loop testing. The problems such as emptiness testing and elimination of alternation are solvable for such automata. The method proposed in this paper to solve a control problem consists in transforming this problem into a problem of satisfiability of a μ-calculus formula so that the set of models of this formula is exactly the set of controllers that solve the problem. This transformation relies on a simple construction of the quotient of automata with loop testing by a deterministic transition system. This is enough to deal with centralized control problems. The solution of decentralized control problems uses a more involved construction of the quotient of two automata. This work extends the framework of Ramadge and Wonham in two directions. We consider infinite behaviours and arbitrary regular specifications, while the standard framework deals only with specifications on the set of finite paths of processes. We also allow dynamic changes of the sets of observable and controllable events.

Predicate Abstraction for Dense Real-Time Systems

We propose predicate abstraction as a means for verifying a rich class of safety and liveness properties for dense real-time systems. First, we define a restricted semantics of timed systems which is observationally equivalent to the standard semantics in that it validates the same set of μ-calculus formulas without a next-step operator. Then, we recast the model checking problem S ⊨ ϕ for a timed automaton S and a μ-calculus formula ϕ in terms of predicate abstraction. Whenever a set of abstraction predicates forms a so-called basis, the resulting abstraction is strongly preserving in the sense that S validates ϕ iff the corresponding finite abstraction validates this formula ϕ. Now, the abstracted system can be checked using familiar μ-calculus model checking. Like the region graph construction for timed automata, the predicate abstraction algorithm for timed automata usually is prohibitively expensive. In many cases it suffices to compute an approximation of a finite bisimulation by using only a subset of the basis of abstraction predicates. Starting with some coarse abstraction, we define a finite sequence of refined abstractions that converges to a strongly preserving abstraction. In each step, new abstraction predicates are selected nondeterministically from a finite basis. Counterexamples from failed μ-calculus model checking attempts can be used to heuristically choose a small set of new abstraction predicates for refining the abstraction.

Can American Checkers be Solved by Means of Symbolic Model Checking?

Symbolic model checking has become a successful technique for verifying large finite state systems up to more than 1020 states. The key idea of this method is that extremely large sets can often be efficiently represented with propositional formulas. Most tools implement these formulas by means of binary decision diagrams (BDDs), which have therefore become a key data structure in modern VLSI CAD systems.Some board games like American checkers have a state space whose size is well within the range of state space sizes that have been tackled by symbolic model checking. Moreover, the question whether there is a winning strategy in these games can be reduced to two simple μcalculus formulas. Hence, the entire problem to solve such games can be reduced to simple μcalculus model checking problems.In this paper, we show how to model American checkers as a finite state system by means of BDDs. We moreover specify the existence of winning strategies for both players by simple μ-calculus formulas. Further still, we report on our experimental results with our own model checking tool, and we describe some powerful improvements that we have found in trying to solve the game.

On model checking for the μ-calculus and its fragments

In this paper, we consider the model checking problem for the μ-calculus and show that it is succinctly equivalent to the non-emptiness problem of finite-state automata on infinite binary trees with the parity acceptance condition. We also present efficient model checking algorithms for two rich subclasses of the μ-calculus formulas and relate their expressive power to well-known extensions of branching time temporal logics.

Reasoning about efficiency within a probabilistic μ-calculus

Expectation-based probabilistic predicate transformers [15] provide a logic for probabilistic sequential programs, giving access to expressions such as ‘the probability that predicate A is achieved finally’. Using expectations more generally however, we can express μ-calculus formulae for the expected path-length of a computation tree. Moreover within an expectation-based μ-calculus such efficiency measures and more conventional (but probabilistic) temporal operators [14] can be related.