Emmanuel Paviot-Adet,Denis Poitrenaud,Etienne Renault,Yann Thierry-Mieg

DOI: https://doi.org/10.48550/arXiv.2111.03342

2021-11-05

Computation and Language

Abstract:Verification of properties expressed as-regular languages such as LTL can benefit hugely from stutter-insensitivity, using a diverse set of reduction strategies. However properties that are not stutter-insensitive, for instance due to the use of the neXt operator of LTL or to some form of counting in the logic, are not covered by these techniques in general. We propose in this paper to study a weaker property than stutter-insensitivity. In a stutter insensitive language both adding and removing stutter to a word does not change its acceptance, any stuttering can be abstracted away; by decomposing this equivalence relation into two implications we obtain weaker conditions. We define a shortening insensitive language where any word that stutters less than a word in the language must also belong to the language. A lengthening insensitive language has the dual property. A semi-decision procedure is then introduced to reliably prove shortening insensitive properties or deny lengthening insensitive properties while working with a reduction of a system. A reduction has the property that it can only shorten runs. Lipton's transaction reductions or Petri net agglomerations are examples of eligible structural reduction strategies. An implementation and experimental evidence is provided showing most nonrandom properties sensitive to stutter are actually shortening or lengthening insensitive. Performance of experiments on a large (random) benchmark from the model-checking competition indicate that despite being a semi-decision procedure, the approach can still improve state of the art verification tools.

Emmanuel Paviot-Adet,Denis Poitrenaud,Etienne Renault,Yann Thierry-Mieg

2024-02-27

Abstract:Verification of properties expressed as $\omega$-regular languages such as LTL can benefit hugely from stutter insensitivity, using a diverse set of reduction strategies. However properties that are not stutter invariant, for instance due to the use of the neXt operator of LTL or to some form of counting in the logic, are not covered by these techniques in general. We propose in this paper to study a weaker property than stutter insensitivity. In a stutter insensitive language both adding and removing stutter to a word does not change its acceptance, any stuttering can be abstracted away; by decomposing this equivalence relation into two implications we obtain weaker conditions. We define a shortening insensitive language where any word that stutters less than a word in the language must also belong to the language. A lengthening insensitive language has the dual property. A semi-decision procedure is then introduced to reliably prove shortening insensitive properties or deny lengthening insensitive properties while working with a \emph{reduction} of a system. A reduction has the property that it can only shorten runs. Lipton's transaction reductions or Petri net agglomerations are examples of eligible structural reduction strategies. We also present an approach that can reason using a partition of a property language into its stutter insensitive, shortening insensitive, lengthening insensitive and length sensitive parts to still use structural reductions even when working with arbitrary properties. An implementation and experimental evidence is provided showing most non-random properties sensitive to stutter are actually shortening or lengthening insensitive.

Formal Languages and Automata Theory

Yong Li,Lei Song,Yuan Feng,Lijun Zhang

DOI: https://doi.org/10.1109/time.2016.12

2016-01-01

Abstract:This paper deals with model checking problems with respect to LTL properties under fairness assumptions. We first present an efficient algorithm to deal with a fragment of fairness assumptions and then extend the algorithm to handle arbitrary ones. Notably, by making use of some syntactic transformations, our algorithm avoids constructing corresponding Büchi automata for the whole fairness assumptions, which can be very large in practice. We implement our algorithm in NuSMV and consider a large selection of formulas. Our experiments show that in many cases our approach exceeds the automata-theoretic approach up to several orders of magnitude, in both time and memory.

Zhou Conghua,Chen Zhenyu,Ju Shiguang

2008-01-01

Journal of Computer Research and Development

Abstract:For concurrent software systems, linear temporal logic SE-LTL is a specification language with high expressive power and the ability to reason about both states and events. Until now, the SE-LTL model checking algorithm is still explicit, and the state explosion is the primary verification difficulty. A bounded model checking procedure is introduced for SE-LTL which reduces model checking to propositional satisfiability. This new technique avoids the space blow up of BDDs, and sometimes speeds up the verification. For SE-LTL-X the procedure and stuttering equivalent technique is further integrated. The experiment result shows that the integration can reduce the verification time very much.

Damian Kurpiewski,Witold Pazderski,Wojciech Jamroga,Yan Kim

DOI: https://doi.org/10.5555/3463952.3464232

2023-10-28

Abstract:We present a substantially expanded version of our tool STV for strategy synthesis and verification of strategic abilities. The new version adds user-definable models and support for model reduction through partial order reduction and checking for bisimulation.

Logic in Computer Science,Multiagent Systems

Litao Zhou,Jianxing Qin,Qinshi Wang,Andrew W. Appel,Qinxiang Cao

2023-10-26

Abstract:Program verifiers for imperative languages such as C may be annotation-based, in which assertions and invariants are put into source files and then checked, or tactic-based, where proof scripts separate from programs are interactively developed in a proof assistant such as Coq. Annotation verifiers have been more automated and convenient, but some interactive verifiers have richer assertion languages and formal proofs of soundness. We present VST-A, an annotation verifier that uses the rich assertion language of VST, leverages the formal soundness proof of VST, but allows users to describe functional correctness proofs intuitively by inserting assertions. VST-A analyzes control flow graphs, decomposes every C function into control flow paths between assertions, and reduces program verification problems into corresponding straightline Hoare triples. Compared to existing foundational program verification tools like VST and Iris, in VST-A, such decompositions and reductions are allowed to be nonstructural, which makes VST-A more flexible to use. VST-A's decomposition and reduction is defined in Coq, proved sound in Coq, and computed in a call-by-value way in Coq. The soundness proof for reduction is totally logical, independent of the complicated semantic model (and soundness proof) of VST's Hoare triple. Because of the rich assertion language, not all reduced proof goals can be automatically checked, but the system allows users to prove residual proof goals using the full power of the Coq proof assistant.

Programming Languages

Yann Thierry-Mieg

DOI: https://doi.org/10.48550/arXiv.2005.12911

2021-12-18

Abstract:Brute-force model-checking consists in exhaustive exploration of the state-space of a Petri net, and meets the dreaded state-space explosion problem. In contrast, this paper shows how to solve model-checking problems using a combination of techniques that stay in complexity proportional to the size of the net structure rather than to the state-space size. We combine an SMT based over-approximation to prove that some behaviors are unfeasible, an under-approximation using memory-less sampling of runs to find witness traces or counter-examples, and a set of structural reduction rules that can simplify both the system and the property. This approach was able to win by a clear margin the model-checking contest 2020 for reachability queries as well as deadlock detection, thus demonstrating the practical effectiveness and general applicability of the system of rules presented in this paper.

Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory,Logic in Computer Science

Suguman Bansal,Yong Li,Lucas Martinelli Tabajara,Moshe Y. Vardi,Andrew Wells

DOI: https://doi.org/10.48550/arXiv.2305.08319

2023-07-31

Abstract:The innovations in reactive synthesis from {\em Linear Temporal Logics over finite traces} (LTLf) will be amplified by the ability to verify the correctness of the strategies generated by LTLf synthesis tools. This motivates our work on {\em LTLf model checking}. LTLf model checking, however, is not straightforward. The strategies generated by LTLf synthesis may be represented using {\em terminating} transducers or {\em non-terminating} transducers where executions are of finite-but-unbounded length or infinite length, respectively. For synthesis, there is no evidence that one type of transducer is better than the other since they both demonstrate the same complexity and similar algorithms. In this work, we show that for model checking, the two types of transducers are fundamentally different. Our central result is that LTLf model checking of non-terminating transducers is \emph{exponentially harder} than that of terminating transducers. We show that the problems are EXPSPACE-complete and PSPACE-complete, respectively. Hence, considering the feasibility of verification, LTLf synthesis tools should synthesize terminating transducers. This is, to the best of our knowledge, the \emph{first} evidence to use one transducer over the other in LTLf synthesis.

Formal Languages and Automata Theory,Artificial Intelligence,Logic in Computer Science

Sota Sato,Jie An,Zhenya Zhang,Ichiro Hasuo

2024-08-13

Abstract:We present a bounded model checking algorithm for signal temporal logic (STL) that exploits mixed-integer linear programming (MILP). A key technical element is our novel MILP encoding of the STL semantics; it follows the idea of stable partitioning from the recent work on SMT-based STL model checking. Assuming that our (continuous-time) system models can be encoded to MILP -- typical examples are rectangular hybrid automata (precisely) and hybrid dynamics with closed-form solutions (approximately) -- our MILP encoding yields an optimization-based model checking algorithm that is scalable, is anytime/interruptible, and accommodates parameter mining. Experimental evaluation shows our algorithm's performance advantages especially for complex STL formulas, demonstrating its practical relevance e.g. in the automotive domain.

Systems and Control

Elaheh Ghassabani,Mohammad Abdollahi Azgomi

DOI: https://doi.org/10.48550/arXiv.1603.03535

2016-03-11

Abstract:Verification of large and complicated concurrent programs is an important issue in the software world. Stateless model checking is an appropriate method for systematically and automatically testing of large programs, which has proved its power in verifying code of large programs. Another well-known method in this area is runtime verification. Both stateless model checking and runtime verification are similar in some ways. One common approach in runtime verification is to construct runtime monitors for properties expressed in linear temporal logic. Currently, there are some semantics to check linear temporal logic formulae on finite paths proposed in the field of runtime verification, which can also be applied to stateless model checking. However, existing stateless model checkers do not support LTL formulae. In some settings, it is more advantageous to make use of stateless model checking instead of runtime verification. This paper proposes a novel encoding of one of the recent LTL semantics on finite paths into an actor-based system. We take a truly parallel approach without saving any program states or traces, which not only addresses important problems in runtime verification, but can also be applied to stateless model checking.

Programming Languages

Rubén Rubio,Narciso Martí-Oliet,Isabel Pita,Alberto Verdejo

DOI: https://doi.org/10.1016/j.jlamp.2021.100700

2024-01-15

Abstract:Rewriting logic and its implementation Maude are a natural and expressive framework for the specification of concurrent systems and logics. Its nondeterministic local transformations are described by rewriting rules, which can be controlled at a higher level using a builtin strategy language added to Maude~3. This specification resource would not be of much interest without tools to analyze their models, so in a previous work, we extended the Maude LTL model checker to verify strategy-controlled systems. In this paper, CTL* and $\mu$-calculus are added to the repertoire of supported logics, after discussing which adaptations are needed for branching-time properties. The new extension relies on some external model checkers that are exposed the Maude models through general and efficient connections, profitable for future extensions and further applications. The performance of these model checkers is compared.

Logic in Computer Science

Tomáš Babiak,Mojmír Křetínský,Vojtěch Řehák,Jan Strejček

DOI: https://doi.org/10.48550/arXiv.1011.4214

2010-11-18

Logic in Computer Science

Abstract:We identify a subtle error in LTL formulas reduction method used as one optimization step in an LTL to B\"uchi automata translation. The error led to some incorrect answers of the established model checker DiVinE. This paper should help authors of other model checkers to avoid this error.

Igor Konnov,Markus Kuppe,Stephan Merz

DOI: https://doi.org/10.48550/arXiv.2211.07216

2022-11-14

Logic in Computer Science

Abstract:Using an algorithm due to Safra for distributed termination detection as a running example, we present the main tools for verifying specifications written in TLA+. Examining their complementary strengths and weaknesses, we suggest a workflow that supports different types of analysis and that can be adapted to the desired degree of confidence.

Antonia Lechner,Richard Mayr,Joël Ouaknine,Amaury Pouly,James Worrell

DOI: https://doi.org/10.23638/LMCS-14%284%3A20%292018

2018-12-06

Abstract:Freeze LTL is a temporal logic with registers that is suitable for specifying properties of data words. In this paper we study the model checking problem for Freeze LTL on one-counter automata. This problem is known to be undecidable in general and PSPACE-complete for the special case of deterministic one-counter automata. Several years ago, Demri and Sangnier investigated the model checking problem for the flat fragment of Freeze LTL on several classes of counter automata and posed the decidability of model checking flat Freeze LTL on one-counter automata as an open problem. In this paper we resolve this problem positively, utilising a known reduction to a reachability problem on one-counter automata with parameterised equality and disequality tests. Our main technical contribution is to show decidability of the latter problem by translation to Presburger arithmetic.

Logic in Computer Science,Formal Languages and Automata Theory

Rubén Rubio,Narciso Martí-Oliet,Isabel Pita,Alberto Verdejo

DOI: https://doi.org/10.1007/s10515-021-00307-9

2024-01-15

Abstract:Rewriting logic and its implementation Maude are an expressive framework for the formal specification and verification of software and other kinds of systems. Concurrency is naturally represented by nondeterministic local transformations produced by the application of rewriting rules over algebraic terms in an equational theory. Some aspects of the global behavior of the systems or additional constraints sometimes require restricting this nondeterminism. Rewriting strategies are used as a higher-level and modular resource to cleanly capture these requirements, which can be easily expressed in Maude with an integrated strategy language. However, strategy-aware specifications cannot be verified with the builtin LTL model checker, making strategies less useful and attractive.

Logic in Computer Science

Junyan Qian,Baowen Xu

2007-01-01

Journal of Computational Information Systems

Abstract:Model checking is one of the most practical techniques for automatic formal verification to ensure the correctness of design specifications. Statecharts that extends the finite state machine is a visual language for specifying the behavior of complex reactive system. Model checking whether Statecharts model satisfies the required properties has become an important issue. The usual way to model checking Statecharts is to flat it and apply a model checking tool to verify the resulting model, but it exists state space explosion problem. In order to avoid the problem, we present an approach to model checking directly Statecharts without the flattening, a straightforward way to verify Statecharts. Based on the automata theory of model checking and the Statecharts operational semantics used labeled transition system, an algorithm for verifying LTL properties of the system, whose complexity is polynomial in the size of the Statecharts, was developed.

Thomas Brihaye,Morgane Estiévenart,Gilles Geeraerts

DOI: https://doi.org/10.48550/arXiv.1406.4395

2014-06-17

Abstract:One clock alternating timed automata (OCATA) have been introduced as natural extension of (one clock) timed automata to express the semantics of MTL. In this paper, we consider the application of OCATA to the problems of model-checking and satisfiability for MITL (a syntactic fragment of MTL), interpreted over infinite words. Our approach is based on the interval semantics (recently introduced in [BEG13] in the case of finite words) extended to infinite words. We propose region-based and zone-based algorithms, based on this semantics, for MITL model-checking and satisfiability. We report on the performance of a prototype tool implementing those algorithms.

Logic in Computer Science,Logic

Zhi-Hong Tao,Cong-Hua Zhou,Zhong Chen,Li-Fu Wang

DOI: https://doi.org/10.1007/s11390-007-9004-z

IF: 1.871

2007-01-01

Journal of Computer Science and Technology

Abstract:Bounded Model Checking has been recently introduced as an efficient verification method for reactive systems. This technique reduces model checking of linear temporal logic to propositional satisfiability. In this paper we first present how quantified Boolean decision procedures can replace BDDs. We introduce a bounded model checking procedure for temporal logic CTL* which reduces model checking to the satisfiability of quantified Boolean formulas. Our new technique avoids the space blow up of BDDs, and extends the concept of bounded model checking.

Tzanis Anevlavis,Matthew Philippe,Daniel Neider,Paulo Tabuada

DOI: https://doi.org/10.1145/3491216

2022-04-30

ACM Transactions on Computational Logic

Abstract:While most approaches in formal methods address system correctness, ensuring robustness has remained a challenge. In this article, we present and study the logic rLTL, which provides a means to formally reason about both correctness and robustness in system design. Furthermore, we identify a large fragment of rLTL for which the verification problem can be efficiently solved, i.e., verification can be done by using an automaton, recognizing the behaviors described by the rLTL formula φ, of size at most O(3 |φ |), where |φ | is the length of φ. This result improves upon the previously known bound of O(5|φ |) for rLTL verification and is closer to the LTL bound of O(2|φ |). The usefulness of this fragment is demonstrated by a number of case studies showing its practical significance in terms of expressiveness, the ability to describe robustness, and the fine-grained information that rLTL brings to the process of system verification. Moreover, these advantages come at a low computational overhead with respect to LTL verification.

computer science, theory & methods,logic

S. Akshay,Paul Gastin,R. Govind,B. Srivathsan

2024-07-11

Abstract:The translation of Metric Interval Temporal Logic (MITL) to timed automata is a topic that has been extensively studied. A key challenge here is the conversion of future modalities into equivalent automata. Typical conversions equip the automata with a guess-and-check mechanism to ascertain the truth of future modalities. Guess-and-check can be naturally implemented via alternation. However, since timed automata tools do not handle alternation, existing methods perform an additional step of converting the alternating timed automata into timed automata. This de-alternation step proceeds by an intricate finite abstraction of the space of configurations of the alternating automaton. Recently, a model of generalized timed automata (GTA) has been proposed. The model comes with several powerful additional features, and yet, the best known zone-based reachability algorithms for timed automata have been extended to the GTA model, with the same complexity for all the zone operations. We provide a new concise translation from MITL to GTA. In particular, for the timed until modality, our translation offers an exponential improvement w.r.t. the state-of-the-art. Thanks to this conversion, MITL model checking reduces to checking liveness for GTAs. However, no liveness algorithm is known for GTAs. Due to the presence of future clocks, there is no finite time-abstract bisimulation (region equivalence) for GTAs, whereas liveness algorithms for timed automata crucially rely on the presence of the finite region equivalence. As our second contribution, we provide a new zone-based algorithm for checking Buchi non-emptiness in GTAs, which circumvents this fundamental challenge.

Formal Languages and Automata Theory