Supporting verification-driven incremental distributed design of components by Menghi, Claudio et al.
Supporting verification-driven incremental distributed design of
components
Downloaded from: https://research.chalmers.se, 2019-05-11 18:08 UTC
Citation for the original published paper (version of record):
Menghi, C., Spoletini, P., Chechik, M. et al (2018)
Supporting verification-driven incremental distributed design of components
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and
N.B. When citing this work, cite the original published paper.
research.chalmers.se offers the possibility of retrieving research publications produced at Chalmers University of Technology.
It covers all kind of research output: articles, dissertations, conference papers, reports etc. since 2004.
research.chalmers.se is administrated and maintained by Chalmers Library
(article starts on next page)
Supporting Verification-Driven
Incremental Distributed Design
of Components
Claudio Menghi1(B) , Paola Spoletini2 , Marsha Chechik3 ,
and Carlo Ghezzi4
1 Chalmers | University of Gothenburg, Gothenburg, Sweden
claudio.menghi@gu.se
2 Kennesaw State University, Marietta, USA
pspoleti@kennesaw.edu
3 University of Toronto, Toronto, Canada
chechik@cs.toronto.edu
4 Politecnico di Milano, Milan, Italy
carlo.ghezzi@polimi.it
Abstract. Software systems are usually formed by multiple components
which interact with one another. In large systems, components them-
selves can be complex systems that need to be decomposed into multiple
sub-components. Hence, system design must follow a systematic app-
roach, based on a recursive decomposition strategy. This paper proposes
a comprehensive veriﬁcation-driven framework which provides support
for designers during development. The framework supports hierarchi-
cal decomposition of components into sub-components through formal
speciﬁcation in terms of pre- and post-conditions as well as independent
development, reuse and veriﬁcation of sub-components.
1 Introduction
Software is usually not a monolithic product: it is often comprised of multiple
components that interact with each other to provide the desired functional-
ity. Components themselves can be complex, requiring their own decomposition
into sub-components. Hence, system design, must follow a systematic approach,
based on a recursive decomposition strategy that yields a modular structure.
A good decomposition and a careful speciﬁcation should allow components and
sub-components to be developed in isolation by diﬀerent development teams,
delegated to third parties [32], or reused oﬀ-the-shelf.
In this context, guaranteeing correctness of the system under development
becomes particularly challenging because of the intrinsic tension between two
main requirements. On the one hand, to handle complexity, we need to enable
development of sub-components where only a partial view of the system is avail-
able [28]. On the other hand, we must ensure that independently developed and
veriﬁed (sub-)components can be composed to guarantee global correctness of
c© The Author(s) 2018
A. Russo and A. Schu¨rr (Eds.): FASE 2018, LNCS 10802, pp. 169–188, 2018.
https://doi.org/10.1007/978-3-319-89363-1_10
170 C. Menghi et al.
The p&d running example. The p&d system supports furniture purchase and delivery. It uses
two existing web services, which implement furniture-sale and delivery, as well as a component
that implements the user interface. These are modeled by the labeled transition systems shown
in Fig. 1a-1c. The p&d component under design is responsible for interaction with these com-
ponents, which form its execution environment. The overall system must ensure satisfaction of
the properties informally described in Fig. 1d.
1
2
3
pro
dIn
foR
eq infoRcvdprodCancel
prodReq
(a) Furniture-sale.
1
2
3
shi
pIn
foR
eq costAndTimeshipCancel
shipReq
(b) Shipping.
1 4
5
2
3
userReq
offerRcvd
userNack
userAckrespOk
reqCanc
(c) User.
P1: ship and product info are provided only if a request has been received.
P2: when user requests are processed, offers are considered only after users received information about the desired product.
P3: the furniture service is activated only if the user has decided to purchase.
P4: when a user request is cancelled by the p&d system, no user ack precedes the cancellation.
(d) Properties of the p&d system.
Fig. 1. The p&d running example.
the resulting system. Thus, we believe that component development should be
supported by a process that (1) is intrinsically iterative; (2) supports decentral-
ized development; and (3) guarantees correctness at each development stage.
The need for supporting incremental development of components has been
widely recognized. Some approaches [15,37] synthesize a partial model of com-
ponents from properties and scenarios and facilitate an iterative development of
this model through reﬁnement. Others [7,8,10,26,27] provide support for check-
ing and reﬁning partial models, with the goal of preserving correctness when
such systems get reﬁned. However, while these techniques guarantee correctness
at each development stage, they do not address the problem of decentralized
development.
In this paper, we describe a uniﬁed framework called FIDDle (a Framework
for Iterative and Distributed Design of components) which supports decentral-
ized top-down development. FIDDle supports a formal speciﬁcation of global
properties, a decomposition process and speciﬁcation of component interfaces
by providing a set of tools to guarantee correctness of the diﬀerent artifacts
produced during the process. The main contribution of the paper is a method
for supporting an iterative and distributed veriﬁcation-driven component devel-
opment process through a coherent set of tools. Speciﬁc novel contributions
are (1) a new formalism, called Interface Partial Labelled Transition System
(IPLTS), for specifying components through a decomposition that encapsulates
sub-components into unspeciﬁed black-box states; (2) an approach to specify the
expected behavior of black-box states via pre- and post-conditions expressed in
Fluent Linear Time Temporal Logic; and (3) a notion of component correctness
Supporting Veriﬁcation-Driven Incremental Distributed Design 171
Design Component 
Design Environment
Design Properties
Check Realizability 
Check Well-Formedness
Check Model
Check
Design Sub-Component 
Environment
Properties
Check Well-Formedness
Check Substitutability Fix
Distribute
Integrate
Fix
Check
Environment
Properties
Synthesize 
Sub-Component
Environment
Properties
Re-use Existing 
Sub-Component
Compare
& CheckSynthesize
D
is
tri
bu
te
1
3
Integration
Final Component
Development 
phase
Designer
 activity
Legend
Output Automatic support
Contract 
distribution
Component
2
Component 
reuse
Fig. 2. Overview of the application of FIDDle for developing a component. Thick-
bordered components are implemented in FIDDle. Thick-dashed bordered components
are currently supported by the theory presented in this paper, but they are still not
fully implemented. Thin-dashed bordered components are not discussed in this work.
and a local veriﬁcation procedure that guarantees preservation of global properties
once the components are composed.
We illustrate FIDDle using a simple example: the purchase&delivery (p&d)
example [14,29] – see Fig. 1. We evaluate FIDDle on a realistic case study
obtained by reverse-engineering the executive module of the Mars Rover devel-
oped at NASA [12,17,18]. Scalability is evaluated by considering randomly-
generated examples.
Organization. Sect. 2 provides an overview of FIDDle. Section 3 gives the
necessary background. Section 4 presents Interface Partial Labelled Transition
Systems (IPLTS). Section 5 deﬁnes a set of algorithms for reasoning on par-
tial components and describes their implementation. Section 6 reports on an
evaluation of the proposed approach. Section 7 compares FIDDle with related
approaches, and Sect. 8 concludes. Proofs for the theorems in the paper can
be found in the Appendix available at http://ksuweb.kennesaw.edu/∼pspoleti/
fase-appendix.pdf; source code and video of the tool and a complete replication
package can be found at https://github.com/claudiomenghi/FIDDLE.
2 Overview
FIDDle is a veriﬁcation-driven environment supporting incremental and dis-
tributed component development. A high-level view of FIDDle is shown in Fig. 2.
FIDDle allows incrementally developing a component through a set of develop-
ment phases in which the human insight and experience are exploited (rounded
boxes labeled with a designer icon or a recycle symbol, to indicate design or reuse,
172 C. Menghi et al.
respectively) and phases in which automated support is provided (squared boxes
labeled with a pair of gearwheels). Automatic support allows verifying the cur-
rent state of the design, synthesizing parts of the partial component, or checking
whether the designed sub-component can correctly ﬁt into the original design.
FIDDle development phases are described below.
Creating an Initial Component Design. This phase is identiﬁed in Fig. 2
with the symbol 1 . The development team formalizes the properties that this
component has to guarantee and designs an initial, high-level structure of the
component. Designers also formulate properties that the component needs to
ensure. The initial component design is created using a state-based formalism
that can clearly identify parts (called “sub-components” in this paper), rep-
resented as black-box states, whose internal design is delayed to a later stage
or split apart for distributed development by other parties. In the following, we
refer to other states as “regular”. Black-box states are enriched with an interface
that provides information on the universe of events relevant to the black-box.
They are also decorated with via pre- and post-conditions that allow distributed
teams to develop sub-components without the need to know about the rest of
the system. The contract of a black box state consists of its interface and pre-
and post-conditions.
In the p&d example, the environment (assumed as given) in which the
p&d component will be deployed is composed by the furniture-sale component
(Fig. 1a), the shipping component (Fig. 1b) and the user (Fig. 1c). A possible
initial design for the p&d component is shown in Fig. 3c. It contains the regular
states 1 and 3 and black-box states 2 and 4. The initial state is state 1. Whenever
a userReq event is detected, the component moves from the initial state 1 into
the black-box state 2, which represents a sub-component in charge of managing
the user request. An event oﬀerRcvd which indicates that an oﬀer is provided
to the user labels the transition to state 3. The pre- and post- conditions for
black-box states 2 and 4 are shown in Fig. 3b. Events prodInfoReq, infoRcvd,
shipInfoReq and costAndTime can occur while the component is in the black-
box state 2. The pre-condition requires that there is a user request that has not
yet been handled, while the post-condition ensures that the furniture-sale and
the shipping services provided info on the product and on delivery cost and time.
FIDDle supports the developer in checking properties of the initial component
design.
The realizability checker conﬁrms the existence of an integration that com-
pletes the partially speciﬁed component and ensures the satisfaction of the prop-
erties of interest. If such a component does not exist, the designer needs to
redesign the partially-speciﬁed component. The well-formedness checker veriﬁes
that both the pre- and the post-conditions of black-box states are satisﬁable.
Finally, the model checker veriﬁes whether the (partial) component (together
with its contract) guarantees satisfaction of the properties of interest.
In the p&d example, the model checker identiﬁes a problem with the partial
solution sketched in Fig. 3c. No matter how the black-box state 2 is to be deﬁned,
the p&d component cannot satisfy property P4 since every time reqCanc occurs
Supporting Veriﬁcation-Driven Incremental Distributed Design 173
P1 =(¬((¬F_UserReq)U(F_ShipInfoReq ∨ F_ProdInfoReq)))
P2 = (F_UserReq →(¬((¬F_InfoRcvd)U F_OfferRcvd)))
P3 = (F_UsrReq →((¬((¬F_UserAck)W F_ShipReq))
P4 = ((F_UsrReq ∧ ((¬F_UsrReq)U F_ReqCanc))→((¬F_UserAck)U F_ReqCanc))
(a) FLTL formulation of the p&d properties.
State 2
interface { prodInfoReq, infoRcvd, shipInfoReq, costAndTime }
pre (F_UserReq ∧ ¬ (F_RespOk ∨ F_ReqCanc))
post ( F_InfoRcvd)∧( F_CostAndTime)
State 4
interface { prodReq, shipReq }
pre (F_UserReq → F_InfoRcvd)
post ( (F_ProdReq)∧ (F_ShipReq))
State 5
interface { prodCancel, shipCancel }
pre (F_UserReq → F_InfoRcvd)
post ( (F_ProdCancel)∧ (F_ShipCancel))
(b) Contracts for black-box states of Figs. 3c-3g.
1 4
2
3
us
erR
eq offerRcvd
usrAck
respOk
reqCanc
(c) Partial p&d.
1 4 3
5
2
userReq
offerRcvd
usrAckrespOk
usr
Nac
kreqCanc
(d) Another partial p&d component.
1 2 3 4 5
shipInfoReq costAndTime prodInfoReq infoRcvd
(e) A sub-component for black-box state 2.
1 2 3 4
shipInfoReq costAndTime prodInfoReq
(f) Another sub-component for black-box
state 2.
1 2.1 2.2 2.3 2.4 2.543
5
userReq shipInfoReq costAndTime prodInfoReq infoRcvd
offerRcvd
usrAck respOk
usr
Nac
k reqCanc
(g) Integration of the sub-component of Fig. 3e and the component of Fig. 3d.
Fig. 3. The p&d running example: artifacts produced by FIDDle.
it is preceded by usrAck. This suggests a re-design of the p&d component, which
may lead to a new model, shown in Fig. 3d. This model includes two regular
states: state 1, in which the component waits for a new user request, and state
3, in which the component has provided the user with an oﬀer and is waiting
for an answer. The user might accept (userAck) or reject (userNack) an oﬀer
and, depending on this choice, either state 4 or 5 is entered. States 2, 4 and
5 are black-box states, to be reﬁned later. The designer also provides pre- and
post-conditions for the black-box states. Pre- and post-conditions of the black-
box state 2 specify that there is a pending user request, and that cost, time and
product information are collected. Pre- and post-conditions of the black-box
state 4 specify that infoRcvd has occurred after the user request, and both a
174 C. Menghi et al.
product and shipping requests are performed. Finally, pre- and post-conditions
of the black-box state 5 specify that infoRcvd has occurred after the user request
and before entering the state, and both the product and the shipping requests
are cancelled when leaving the state. This model is checked using the provided
tools; since it passes all the checks, it can be used in the next phase of the
development.
The design team may choose to reﬁne the component or distribute the devel-
opment of unspeciﬁed sub-components (represented by black box states) to other
(internal or external) development teams. In both cases, the sub-component can
be designed by only considering the contract of the corresponding black-box
state. Each team can develop the assigned sub-component or reuse existing com-
ponents.
Sub-component Development. This phase is identiﬁed in Fig. 2 with the
symbol 2 . Each team can design the assigned sub-component using any avail-
able technique, including manual design (left side), reusing of existing sub-
components (right side) or synthesizing new ones from the provided speciﬁ-
cations (center). The only constraints are (1) given the stated pre-condition,
the sub-component has to satisfy its post-condition, and (2) the sub-component
should operate in the same environment as the overall partially speciﬁed compo-
nent. Sub-component development can itself be an iterative process, but neither
the model of the environment nor the overall properties of the system can be
changed during this process. Otherwise, the resulting sub-component cannot be
automatically integrated into the overall system.
In the p&d example, development of the sub-component for the black-box
state 2 is delegated to an external contractor. Candidate sub-components are
shown in Fig. 3e–f. In the former case, the component requests shipping info
details and waits until the shipping service provides the shipment cost and time.
Then it queries the furniture-sale service to obtain the product info. In the latter
case, the shipping and the furniture services are queried, but the sub-component
does not wait for an answer from the furniture-sale. Since these candidates are
fully deﬁned, the well-formedness check is not needed. Yet, the substitutability
checking conﬁrms that of these, only the sub-component in Fig. 3e satisﬁes the
post-condition in Fig. 3b.
Sub-component Integration. This phase is identiﬁed in Fig. 2 with the sym-
bol 3 . FIDDle guarantees that if each sub-component is developed correctly
w.r.t. the contract of the corresponding black-box state, the component obtained
by integrating the sub-components is also correct. In the p&d example, the sub-
component in Fig. 3e passes the substitutability check and can be a valid imple-
mentation of the black-box state 2 in Fig. 3d. Their integration is showed in
Fig. 3g.
3 Preliminaries
The model of the environment and the properties of interest are expressed using
Labelled Transition Systems and Fluent Linear Time Temporal Logic.
Supporting Veriﬁcation-Driven Incremental Distributed Design 175
Model of the Environment. Let Act be the universal set of observable events
and let Actτ = Act∪{τ}, where τ denotes an unobservable local event. A Labeled
Transition System (LTS) [20] is a tuple A = 〈Q, q0, αA,Δ〉, where Q is the set
of states, q0 ∈ Q is the initial state, αA ⊆ Act is a ﬁnite set of events, and
Δ ⊆ Q × αA ∪ {τ} × Q is the transition relation. The parallel composition
operation is deﬁned as usual (see for example [14]).
Properties. A ﬂuent [33] Fl is a tuple 〈IFl, TFl, InitFl〉, where IFl ⊂ Act, TFl ⊂
Act, IFl ∩ TFl = ∅ and InitFl ∈ {true, false}. A ﬂuent may be true or false. A
ﬂuent is true if it has been initialized by an event i ∈ IFl at an earlier time point
(or if it was initially true, that is, InitFl = true) and has not yet been terminated
by another event t ∈ TFl; otherwise, it is false. For example, consider the LTS
in Fig. 1c and the ﬂuent F ReqPend=〈{userReq}, {respOk, reqCanc}, false 〉.
F ReqPend holds in a trace of the LTS from the moment at which userReq
occurs and until a transition labeled with respOk or reqCanc is ﬁred. In the
following, we use the notation F Event to indicate a ﬂuent that is true when the
event with label event occurs.
An FLTL formula is obtained by composing ﬂuents with standard LTL
operators: (next), (eventually), (always), U (until) and (weak until).
For example, FLTL encodings of the properties P1, P2, P3 and P4 are shown
in Fig. 3a.
Satisfaction of FLTL formulae can be evaluated over ﬁnite and inﬁnite traces,
by ﬁrst constructing and FLTL interpretation of the inﬁnite and ﬁnite trace
and then by evaluating the FLTL formulae over this interpretation The FLTL
interpretation of a ﬁnite trace is obtained by slightly changing the interpretation
of inﬁnite traces. The evaluation of the FLTL formulae on the ﬁnite trace is
obtained by considering the standard interpretation of LTL operator over ﬁnite
traces (see [13]). In the following, we assume that Deﬁnitions 5 and 4 (available in
the Appendix) are considered to evaluate whether an FLTL formula is satisﬁed
on ﬁnite and inﬁnite traces, respectively.
4 Modeling and Refining Components
This section introduces a novel formalism for modeling and reﬁning components.
We deﬁne the notion of a partial LTS and then extend it with pre- and post-
conditions.
Partial LTS. A partial LTS is an LTS where some states are “regular” and
others are “black-box”. Black-box states model portions of the component whose
behavior still has to be speciﬁed. Each black-box state is augmented with an
interface that speciﬁes the universe of events that can occur in the black-box. A
Partial LTS (PLTS) is a structure P = 〈A,R,B, σ〉, where: A = 〈Q, q0, αA,Δ〉
is an LTS; Q is the set of states, s.t. Q = R ∪ B and R ∩ B = ∅; R is the set
of regular states; B is the set of black-box states; σ : B → 2αA is the interface.
An LTS is a PLTS where the set of black-box states is empty. The PLTS in
Fig. 3d is deﬁned over the regular states 1 and 3, and the black-box states 2,
176 C. Menghi et al.
4 and 5. The interface speciﬁes that events prodInfoReq, infoRcvd, shipInfoReq
and costAndTime can occur in the black-box state 2.
Deﬁnition 1. Given a PLTS P = 〈A,R,B, σ〉 deﬁned over the LTS A =
〈QA, qA0 , αA,ΔA〉 and an LTS D = 〈QD, qD0 , αD,ΔD〉, the parallel composition
P ‖ D is an LTS S = 〈QS , qS0 , αS,ΔS〉 such that QS = QA×QD; qS0 = (qA0 , qD0 );
αS = αA ∪ αD; and the set of transitions ΔS is deﬁned as follows:
– (s,l,s
′)∈ΔA
(〈s,t〉,l,〈s′,t〉)∈ΔS , and l ∈ αA \ αD or l = τ ;
– (t,l,t
′)∈ΔD
(〈s,t〉,l,〈s,t′〉)∈ΔS , and one of the following is satisﬁed: (1) l ∈ αD \ αA, (2)
l = τ , or (3) (s ∈ B and l ∈ σ(s));
– (s,l,s
′)∈ΔA,(t,l,t′)∈ΔD
(〈s,t〉,l,〈s′,t′〉)∈ΔS and l ∈ αA ∩ αD, l = τ.
Given P , A, D deﬁned above, the system S = P ‖ D and a state q
of P , we say that a ﬁnite trace l0, l1, . . . ln of S reaches q if there exists a
sequence 〈s0, t0〉, l0, 〈s1, t1〉, . . . ln, 〈q, tn+1〉, where for every 0 ≤ i ≤ n, we have
(〈si, ti〉, li, 〈si+1, ti+1〉) ∈ ΔS . For example, considering the PLTS in Fig. 3d and
the LTS in Fig. 1c, the ﬁnite trace obtained by performing a userReq event
reaches the black-box state 2 of the PLTS.
Given a ﬁnite trace π = l0, l1, . . . ln (or an inﬁnite trace l0, l1, . . .) of S, we
say that its sub-trace li, li+1 . . . lk is inside the black-box state b if one of the
sub-sequences associated with π is in the form 〈b, ti〉, li, 〈b, ti+1〉, . . . , lk, 〈b, tk〉,
where li, li+1, . . . , lk ∈ σ(b). Note that a sub-trace is a ﬁnite trace. For example,
considering the parallel composition of the PLTS in Fig. 3d and the LTSs in
Fig. 1c and b, and the ﬁnite trace associated with events userReq, shipInfoReq,
oﬀerRcvd, the sub-trace associated with shipInfoReq is inside the black-box state
2. This means that shipInfoReq must occur in the sub-component replacing the
black-box state 2.
Adding Pre- and Post-conditions. The intended behavior of a sub-
component reﬁning a black-box state can be captured using pre- and post-
conditions. The contract for the sub-component associated with a box con-
sists of the box interface and its pre- and post-conditions. Given the univer-
sal set FLTL of the FLTL formulae, an Interface PLTS (IPLTS) I is a struc-
ture 〈A,R,B, σ, pre, post〉, where 〈A,R,B, σ〉 is a PLTS, pre : B → FLTL and
post : B → FLTL.
For each black-box state b, the function pre speciﬁes a constraint that must be
satisﬁed by all ﬁnite traces of P that reach b. For example, the FLTL-expressed
pre-condition for the black-box state 4 of the IPLTS in Fig. 3d requires that
any trace of the composition between the IPLTS and an LTS that reaches the
black-box state 4 provides info on the product to the user after his/her request.
For each black-box state b, the function post speciﬁes a post-condition that
constrains the behavior of the system in any sub-trace performed inside b. For
example, the post-condition of the black-box state 4 of the IPLTS in Fig. 3d
ensures that whenever this IPLTS is composed with an LTS, a product request
and a shipping request are performed by the furniture-sale service while the
system is inside the black-box state.
Supporting Veriﬁcation-Driven Incremental Distributed Design 177
Given an IPLTS I and an LTS D, the parallel composition S between I
and D is obtained by considering the PLTS P associated with I and the LTS
D as speciﬁed in Deﬁnition 1. Given an IPLTS I, an LTS D and the parallel
composition S between I and D, trace π of S is valid iﬀ it is inﬁnite and for
every black-box state b, the post-condition post(b) holds in any sub-trace of π
performed inside b.
Deﬁnition 2. Given an LTS D, an IPLTS I is well-formed (over D) iﬀ every
valid trace of S = I ‖ D satisﬁes all the pre-conditions of black-box states of I.
We say that S = I ‖ D satisﬁes an FLTL property φ if and only if φ is satisﬁed
by every valid trace of S. In the p&d example, the post-condition (F ProdReq)
∧ (F ShipReq) of the black-box 4 ensures that the parallel composition of the
component in Fig. 3d and its environment satisﬁes P3.
Sub-components and Their Integration. Integration aims to replace black-
box states of a given IPLTS with the corresponding sub-components. Given an
IPLTS I, one of its black-box states b and its interface σ(b), a sub-component for
b is an IPLTS R deﬁned over the set of events σ(b). One state qRf of R is deﬁned as
the ﬁnal state of R. Given a sub-component R, an LTS of its environment E, and
a trace in the form πi;πe such that πi = l0, l1 . . . ln and πe = ln+1, ln+2, . . . lk,
we say that πi;πe is a trace of the parallel composition between R and E if
and only if (1) there exists a sequence q0, l0, q1, l1 . . . ln, qn in the environment
such that for all i, where 0 ≤ i < n, (qi, li, qi+1) is a transition of E; (2) πe
is obtained by R ‖ E considering qn as the initial state for the environment,
(3) πe reaches qRf . A sub-component is valid if it ensures that the traces of the
parallel composition satisfy its post-conditions. Intuitively, a trace of the parallel
composition between a sub-component R and the environment E is obtained by
concatenating two sub-traces: πi and πe. The sub-trace πi corresponds to a set of
transitions performed by the environment before the sub-component is activated,
while πe is a trace the system generates while it is in the sub-component R.
Deﬁnition 3. Given an IPLTS I with a black-box state b, the environment E
and a sub-component R for b, R is a substitutable sub-component iﬀ every trace
πi;πe of the parallel composition between R and E is such that if πi satisﬁes
pre(b) then πe guarantees post(b).
Intuitively, whenever the sub-component is entered and the pre-condition pre(b)
is satisﬁed (i.e., the trace πi satisﬁes pre(b)), then a trace of the parallel com-
position between the sub-component and the environment that reaches the ﬁnal
state of the sub-component must satisfy the post-condition post(b).
A black-box state of an IPLTS C can be replaced by a substitutable sub-
component R though an integration procedure. The resulting IPLTS C ′ is called
integration. Intuitively, the integration procedure connects every incoming and
outgoing transition of the considered black-box state to the initial and ﬁnal
state of the substitutable sub-component R, respectively. Integrating the sub-
component R for black-box state 2 in Fig. 3e into the component in Fig. 3d
produces the IPLTS in Fig. 3g. The preﬁx “2.” is used to identify the states
178 C. Menghi et al.
obtained from R. The contracts of black-box states 4 and 5 are the same as
those in Fig. 3b.
Theorem 1. Given a well-formed IPLTS C and a substitutable sub-component
R for a black-box state b of C, if C satisﬁes an FLTL property φ, then the
integration C ′ obtained by substituting b with R also satisﬁes φ.
The sub-component R from Fig. 3e is substitutable; thus, integrating it into
the partial component C shown in Fig. 3g ensures that the resulting integrated
component C ′ preserves properties P1 -P4.
5 Verification Algorithms
In this section, we describe the algorithms for the analysis of partial components,
which we have implemented on top of LTSA [25].
Checking Realizability. Realizability of a property φ is checked via the fol-
lowing procedure. Let E be the environment of the partial component C, and
CB be the LTS resulting from removing all black-box states and their incoming
and outgoing transitions from C. Check CB ‖ E |= φ. If φ is not satisﬁed,
the component is not realizable: no matter how the black-box states are speci-
ﬁed, there will be a behavior of the system that does not satisfy φ. Otherwise,
compute C ‖ E (as speciﬁed in Deﬁnition 1) and model-check it against ¬φ.
If the property ¬φ is satisﬁed, the component is not realizable. Indeed, all the
behaviors of C ‖ E satisfy ¬φ, i.e., there is no behavior that the component can
exhibit to satisfy φ. Otherwise, the component may be realizable. For example,
the realizability checker shows that it is possible to realize a component reﬁning
the one shown in Fig. 3c while satisfying property P2. Speciﬁcally, it returns a
trace that ensures that after a userReq event, the oﬀer is provided to the user
(the event oﬀerRcvd) only if the furniture service has conﬁrmed the availability
of the requested product (the event inforRcvd).
Theorem 2. Given a component speciﬁed using an IPLTS C, its environment
E, and a property of interest φ, the realizability checker returns “not realizable”
if there is no component C ′ obtained from C by integrating sub-components, s.t.
(C ′ ‖ E) |= φ.
Checking Well-Formedness. Given a partial component C with a black-box
state b annotated with a pre-condition pre(b) and its environment E, the well-
formedness checks whether pre(b) is satisﬁed in C as follows.
(1) Transform post-conditions into LTSs. Transform every FLTL post-condition
post(bi) of every black-box state bi of C, including b, into an FLTL for-
mula post(bi)′ as speciﬁed in [13]. This transformation ensures that the
inﬁnite traces that satisfy post(bi)′ have the form π, {end}ω, where π satis-
ﬁes post(bi). For each black-box state bi, the corresponding post-condition
Supporting Veriﬁcation-Driven Incremental Distributed Design 179
post(bi)′ is transformed into an equivalent LTS, called LTSbi , using the pro-
cedure in [37]. Since LTSbi has traces in the form π, {end}ω, it has a state
s with an end -labelled self-loop. This self-loop is removed, and s is consid-
ered as ﬁnal state of LTSbi . All other end -labeled transitions are replaced
by τ -transitions. Each automaton LTSbi contains all the traces that do not
violate the corresponding post-condition.
(2) Integrate the LTSs of all the black-box states bi = b. For every black-box
state bi = b, eliminate bi and add LTSbi to C by replacing every incoming
transition of bi with a transition whose destination is the initial state of
LTSbi , and every outgoing transition of bi with a transition whose source
is the ﬁnal state of LTSbi . This step creates an LTS which encodes all the
traces of the component that do not violate any post-conditions of its black-
box states.
(3) Integrate the LTS of the black-box state b. Integrate LTSb into C together
with two additional states, q1 and q2, calling the resulting model C ′. Replace
every incoming transition of b by a transition with destination q1. Replace
every outgoing transition of b by a transition whose source is the ﬁnal state
of LTSb. Add a transition labeled with τ from q1 to the initial state of LTSb.
Add a self-loop labeled with an event end to q2. Add a τ -transition from q1
to q2. The obtained LTS C ′ encodes all the valid traces of the system. When
a valid trace reaches the black-box state b, C ′ can enter state q2 from which
only the end -labelled self-loop is available.
(4) Verify. Recall that the precondition pre(b) of b is deﬁned over ﬁnite traces,
i.e., those that reach the initial state of the sub-component to be substituted
for b. To use standard veriﬁcation procedures, we transform pre(b) into an
equivalent formula, pre(b)′, over inﬁnite traces. This transformation, speci-
ﬁed in [13], ensures that every trace of the form π, {end}ω satisﬁes pre(b)′
iﬀ π satisﬁes pre(b). By construction in step 3 above, C ′ ‖ E has a valid
trace of this form which is generated when C ‖ E reaches the initial state
of the LTS LTSb associated with the black-box state b of C. To check the
pre-condition, we verify whether C ′ ‖ E |= pre(b)′ using traditional model
checking.
In the p&d example, if we remove the clause F InfoRcvd from the post-
condition of the black-box state 2, the p&d component is not well-formed since
the pre-condition of state 4 is violated. The counterexample shows a trace that
reaches the black-box state 4 in which an event userReq is not followed by infoR-
cvd. Adding F InfoRcvd to the post-condition of state 2 solves the problem.
Theorem 3. Given a partial component C with a black-box state b annotated
with a pre-condition pre(b) and its environment E, the well-formedness procedure
returns true iﬀ the valid traces of C satisfy the pre-condition pre(b).
Model Checking. To check whether C ‖ E satisﬁes φ, we ﬁrst construct an LTS
C ′ that generates only valid traces, by plugging into C the LTSs corresponding to
all of its black-box states (as done in steps 1 and 2 of the well-formedness check)
and use a classical FLTL model-checker to verify C ′ ‖ E |= φ. If we consider the
180 C. Menghi et al.
design of Fig. 3d and assume that the black-box state 2 is not associated with
any post-condition, the model checker returns the counterexample userReq,τ ,
oﬀerRcvd for property P2, since the sub-component that will replace the black-
box state 2 is not forced to ask to book the furniture service. Adding the post-
condition in Fig. 3b solves the problem.
Theorem 4. The model checking procedure returns true iﬀ every valid trace of
C ‖ E satisﬁes φ.
Checking Substitutability. Given the environment E, a component C with
a black-box state b and pre- and post-conditions pre(b) and post(b), and a sub-
component R, this procedure checks whether R can be used in C in place of b.
We ﬁrst present a procedure assuming that R has no black-box states.
(1) Transform the pre-condition pre(b) into an LTS, called LTSb , using Step (1)
of the well-formedness procedure.
(2) Compute the sequential composition (LTSb.R) between the LTSb and R.
This is done by connecting the ﬁnal state q1 of LTSb with the initial state
of R by a transition labelled with a fresh event init. Then, the ﬁnal state
of R is connected to an additional state q2 through a τ -labeled transition.
A self-loop labeled with a fresh event end is added to q2. Performing these
steps ensures that the preﬁx π of every inﬁnite trace in the form π, {end}ω
is comprised of two parts: π = π1;π2, where π1 satisﬁes pre(b) and π2 is
generated by the LTS R.
(3) Verify the result. The formula must hold on any trace
that reaches the ﬁnal state of R, e.g., on any trace of the form π; {end}ω,
where λ′ is the result of applying the ﬁnite- to inﬁnite-trace FLTL transfor-
mation [13] to λ. This transformation ensures that π satisﬁes λ iﬀ a trace of
the form π; {end}ω satisﬁes λ′. And that, in turn, can be veriﬁed by checking
((LTSb.R) ‖ E) |= λ′ using a classical model-checker.
If R contains black-box states, checking R requires performing Steps (1) and
(2) of the well-formedness check before running the substitutability procedure.
In the p&d example, the substitutability checker does not return any coun-
terexample for the sub-component in Fig. 3e. Thus, the post-condition is satisﬁed
and the sub-component can be integrated in place of the black-box state 2.
Theorem 5. Let a component C with a black-box state b, its pre- and post-
conditions pre(b) and post(b), a sub-component R, and C’s environment E be
given. The substitutability checker returns true, indicating that R can be used in
C in place of b, iﬀ for every trace π = πi;πe of R ‖ E, if πi is the ﬁnite preﬁx
of E satisfying pre(b) and πe is obtained by R ‖ E considering the ﬁnal state of
πi as the initial state of the environment, then πe satisﬁes post(b).
6 Evaluation
We aim to answer two questions: RQ.1: How eﬀective is FIDDle w.r.t. support-
ing an iterative, distributed development of correct components? (Sect. 6.1) and
RQ.2: How scalable is the automated part of the proposed approach? (Sect. 6.2).
Supporting Veriﬁcation-Driven Incremental Distributed Design 181
6.1 Assessing Eﬀectiveness
We simulated development of a complex component and analyzed FIDDle-
provided support along the steps described in Sect. 2.
Experimental Setup. We chose the executive module of the K9 Mars Rover
developed at NASA Ames [12,17,18] and speciﬁed using LTSs. The overall size of
the LTS is ∼107 states. The executive module was made by several components:
Executive, ExecCondChecker, ActionExecution and Database. ExecCondChecker
was further decomposed into db-monitor and internal. Each of these components
was associated with a shared variable (exec, conditionList, action and db, respec-
tively) used to communicate with the other components, e.g., the exec variable
was used by ExecCondChecker to communicate with Executive. The access of
each shared variable was regulated through a condition variable and a lock. The
complete model of the Executive component comprised of 11 states, each fur-
ther decomposed as an LTS. The ﬁnal model of the Executive component was
obtained by replacing these states with the corresponding LTSs. This model had
about 100 states which is a realistic component of a medium size [5,6,24].
We considered two properties: (P1 ): Executive performed an action only
after a new plan was read from Database; (P2 ): Executive got the lock over the
condList variable only after obtaining the exec lock.
Creating an Initial Component Design. We considered the existing model (D3 )
of the Executive and abstracted portions of the complete model into black-box
states to create two partial components D1 and D2 representing partial designs.
To generate D2 we encapsulated three states that receive plans and prepare for
plan execution into the black-box state Read Plans. To generate D1, we also set
one of the 10 states of the Executive whose corresponding LTS is in charge of
executing a plan, i.e., state ExecuteTaskAction, as a black-box state. By following
this procedure, D3 and D2 can be obtained from D2 and D1, respectively, by
integrating the abstracted sub-components.
We considered the (partial) components D1, D2 and D3 and used FIDDle to
iteratively develop and check their contracts. For D1, the steps were as follows:
(1) The realizability checker conﬁrmed the existence of a model that reﬁned
D1 and satisﬁed the properties of interest. (2) The model checker returned
a counterexample for both properties of interest. For P1, the model checker
returned a counterexample in which no plan was read and yet an action was
performed. For P2, the counterexample was where Executive got the condList
lock without possessing the exec lock. To guarantee the satisfaction of P1, we
speciﬁed a post-condition to the black-box state Read Plans that ensures that
a plan was read. We also added a pre-condition requiring that an action was
not under execution when the black-box state Read Plans was entered. (3) The
well-formedness checker returned a counterexample trace that reached the black-
box state Read Plans while an action was under execution. (4) To ensure well-
formedness, we added a postcondition to the black-box state ExecuteTaskAction
ensuring that an action was not under execution when the system exited the
black-box state. (5) The model checker conﬁrmed that P1 held. (6) To guar-
182 C. Menghi et al.
antee the satisfaction of P2, we added a post-condition to the black-box state
Read Plans ensuring that when the control left the black-box, P2 remained true
and the Executive had the exec lock.
For design D2, the steps were as follows: (1) The realizability checker con-
ﬁrmed the existence of a model that reﬁned D2 and satisﬁed the properties
of interest. (2) We ran the model checker that returned a counterexample for
both properties of interest. (3) We added to the black-box state Read Plans
the same pre- and post-conditions of as those developed for design D1 and ran
the well-formedness and the model checker. (4) The well-formedness checker
conﬁrmed that D2 satisﬁed the pre-condition of the black-box Read Plans; the
model checker certiﬁed the satisfaction of P1 and P2.
Since the model of Executive was complete, we ran only the model checker
to check D3. Properties P1 and P2 were satisﬁed.
Sub-component Development. We simulated a reﬁnement process in which pre-
and post-conditions were given to third parties for sub-component development.
We considered the sub-components SUB1 and SUB2 containing the portion of
the Executive component abstracted by the black-box states ExecuteTaskAction
and Read Plans, respectively. We run the substitutability checker to verify, aﬃr-
matively, whether SUB1 and SUB2 ensured the post-condition of the black-box
states ExecuteTaskAction and Read Plans given their pre-conditions.
Sub-component Integration. We then plugged in the designed sub-components
into their corresponding black-box states. We integrated each sub-component
into design D1 and used the model checker to verify the resulting (partial)
components w.r.t. properties P1 -P2. The properties were satisﬁed, as intended.
Results. FIDDle was eﬀective in analyzing partial components and helping
change their design to ensure the satisfaction of the properties of interest.
The experiment conﬁrmed the possibility of distributing the design of sub-
components for the black-box states. As expected, no rework at the integra-
tion level was required, i.e., integration produced components that satisﬁed the
properties of interest. This conﬁrmed that FIDDle supports veriﬁcation-driven
iterative and distributed development of components.
Threats to Validity. A threat to construct validity concerns the (manual) con-
struction of intermediate model produced during development by abstracting an
existing component model and the design of the properties to be considered.
However, the intermediate partial designs and the selected properties were based
on original developer comments present in the model. A threat to internal valid-
ity concerns the design of the contracts (pre- and post- conditions and interfaces)
for the black-box states chosen along the process. However, pre- and post- con-
ditions were chosen and designed by consulting property speciﬁcation patterns
proposed in literature [16]. The fact that a single example has been considered is
a threat to external validity. However, the considered example is a medium-size
complex real case study [6,22,35].
Supporting Veriﬁcation-Driven Incremental Distributed Design 183
Table 1. Results of experiments E1 and E2.
#CompStates
E1 : (Tw)/(Tm) E2 : (Ts)/(Tm)
#EnvStates 10 50 100 250 500 750 1000 10 50 100 250 500 750 1000
10 1.45 1.26 1.51 1.29 1.42 1.43 1.31 2.20 4.37 2.18 1.50 2.19 1.62 1.62
100 1.15 1.25 1.50 1.08 0.88 1.02 2.33 3.51 4.66 3.61 2.80 3.18 1.96 2.73
1000 1.39 1.23 0.60 1.44 4.90 1.00 2.83 13.98 8.12 3.84 2.64 2.83 2.91 2.00
6.2 Assessing Scalability
We set up two experiments (E1 and E2 ) comparing performance of the well-
formedness and the substitutability checkers w.r.t. classical model checking as
the size of the partial components under development and their environments
grew. Our experiments were based on a set of randomly-generated models.
E1. To evaluate the well-formedness checker, we generated an LTS model of the
environment and a complete model for the component. We checked the parallel
composition between the component and the environment w.r.t. a property of
interest using a standard model checker. Then, we generated a partial component
by marking one of the states of the complete component as a black-box, deﬁning
pre- and post- conditions for it and ran the well-formedness checker, comparing
performance of the two.
E2. To evaluate the substitutability checker, we generated a complete component
as in the previous experiment. Then, we extracted a sub-component by selecting
half of the component states and the transitions between them. States q0 and
qf were added to the sub-component as the initial and ﬁnal state, respectively.
State q0 (qf ) was connected with all the states of the sub-component that had, in
the original component, at least one incoming (resp., outgoing) transition from
(resp., to) a state that was not added to the sub-component. We deﬁned the pre-
and post-conditions for the sub-component and ran the substitutability checker
comparing its performance with model-checking.
Experimental Setup. We implemented a random model generator to create
LTSs with a speciﬁed number of states, transition density (transitions per state)
and number of events. We generated environments with an increasing number
of states: 10, 100 and 1000. We have chosen 10 as a ﬁxed value for the transition
density and 50 as the cardinality of the set of events. We considered components
with 10, 50, 100, 250, 500, 750 and 1000 states. The components were generated
using the same transition density and number of events as in the produced
environment. To produce the partial component, we considered one of the states
of the component obtained previously as a black-box, and randomly selected
25% of the events of the component as the interface of the partial component.
To produce the sub-component, we randomly extracted half of the component
states and the transitions between them.
184 C. Menghi et al.
Properties of Interest, Pre- and Post-conditions. We considered properties
, which corre-
spond to commonly used property patterns [16], and where Q and P are
appropriately deﬁned ﬂuents. We considered K1, K2 and K3 as pre- and post-
conditions for the black-box.
Methodology and Results. We ran each experiment 5 times on a 2 GHz Intel
Core i7, with 8 GB 1600 MHz DDR3 disk. For each combination of values of
the #EnvStates and #ContStates we computed the average between the time
required by the well-formedness checker (Tw) and by the model checker (Tm),
for the experiment E1, and the average between the time required by the sub-
stitutability checker (Ts) and by the model checker (Tm), for the experiment E2
(see Table 1). The results show that the well-formedness and the substitutability
checker scale as the classical model checker.
Threats to Validity. The procedure employed to randomly generate models is
a threat to construct validity. However, the transition density of the components
was chosen based on the Mars Rover example. Furthermore, the number of states
of the sub-component was chosen such that the ratio between the sizes of the
component and the sub-component was approximately the same of the Mars
Rover. The properties considered in the experiment are a threat to internal
validity. However, they were chosen by consulting property speciﬁcation patterns
proposed in literature [16]. Considering a single black-box state is a threat to
external validity. However, our goal was to evaluate how FIDDle scales with
respect to the component and the environment sizes and not w.r.t. the number
of black-box states and the size of the post-conditions. Considering multiple
black-box states reduces to the case of considering a single black-box with a
more complex post-condition.
7 Related Work
We discuss approaches for developing incrementally correct components.
Modeling Partiality. Modal Transition Systems [21], Partial Kripke Structures
[8], and LTS↑ [17] support the speciﬁcation of incomplete concurrent systems
and can be used in an iterative development process. Other formalisms, such as
Hierarchical State Machines (HSMs) [4], are used to model sequential processes
via a top-down development process but can only be analyzed when a fully-
speciﬁed model is available.
Checking Partial Models. Approaches to analyze partial models (e.g., [8,10])
are not applicable to the problem considered in this paper where missing sub-
components are speciﬁed using contracts and their development is distributed
across diﬀerent development teams. The assumption generation problem for
LTSs [17] is complementary to the one considered in this paper and concerns the
computation of an assumption that describes how the system model interacts
with the environment.
Supporting Veriﬁcation-Driven Incremental Distributed Design 185
Substitutability Checking. The goal of substitutability checking is to verify
whether a possibly partial sub-component can be plugged into a higher level
structure without aﬀecting its correctness. Problems such as “compositional
reasoning” [1,19,30], “component substitutability” [9], and “hierarchical model
checking” [4] are related to this part of our work. Our work diﬀers because we
ﬁrst guarantee that the properties of interest are satisﬁed in the initially-deﬁned
partial component and then check that the provided sub-components can be
plugged into the initial component.
Synthesis. Program synthesis [14,31] aims at computing a model of the system
that satisﬁes the properties of interest. Moreover, synthesis can be used to gen-
erate assumptions on a system’s environment to make its speciﬁcation relizable
(e.g., [23]). Sketch [36] supports programmers in describing an initial structure
of the program that can be completed using synthesis techniques, but does not
explicitly consider models. Many techniques for synthesizing components have
been proposed, e.g., [14,37], and a fully automated synthesis of highly non-
trivial components of over 2000 states big is becoming possible [11] for special
cases, by limiting the types of synthesizable goals and using heuristics. However,
such cases might not be applicable in general. Recent work has been done in
the direction of compositional [2,3] and distributed [34] synthesis. We do not
consider our approach to be an alternative to synthesis, but instead a way to
combine synthesis techniques with the human design.
8 Conclusion
We presented a veriﬁcation-driven methodology, called FIDDle, to support itera-
tive distributed development of components. It enables recursively decomposing
a component into a set of sub-components so that the correctness of the overall
component is ensured. Development of sub-components that satisfy their speci-
ﬁcations can then be done independently, via distributed development. We have
evaluated FIDDle on a realistic Mars Rover case study. Scalability was evaluated
using randomly generated examples.
Acknowledgments. Research partly supported from the EU H2020 Research and
Innovation Programme under GA No. 731869 (Co4Robots).
References
1. Alur, R., Henzinger, T.A.: Reactive modules. Formal Meth. Softw. Des. 15(1),
7–48 (1999)
2. Alur, R., Moarref, S., Topcu, U.: Pattern-Based Reﬁnement of Assume-Guarantee
Speciﬁcations in Reactive Synthesis. In: Baier, C., Tinelli, C. (eds.) TACAS 2015.
LNCS, vol. 9035, pp. 501–516. Springer, Heidelberg (2015). https://doi.org/10.
1007/978-3-662-46681-0 49
186 C. Menghi et al.
3. Alur, R., Moarref, S., Topcu, U.: Compositional synthesis of reactive controllers
for multi-agent systems. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS,
vol. 9780, pp. 251–269. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-
41540-6 14
4. Alur, R., Yannakakis, M.: Model checking of hierarchical state machines. ACM
SIGSOFT Softw. Eng. Notes 23(6), 175–188 (1998)
5. Amalﬁtano, D., Fasolino, A.R., Tramontana, P.: Reverse engineering ﬁnite state
machines from rich internet applications. In: Proceedings of the 15th Working
Conference on Reverse Engineering, pp. 69–73 (2008)
6. Bensalem, S., Bozga, M., Krichen, M., Tripakis, S.: Testing conformance of real-
time applications by automatic generation of observer. In: Proceedings of RV,
Electronic Notes in Theoretical Computer Science, pp. 23–43 (2004)
7. Bernasconi, A., Menghi, C., Spoletini, P., Zuck, L.D., Ghezzi, C.: From model
checking to a temporal proof for partial models. In: Cimatti, A., Sirjani, M. (eds.)
SEFM 2017. LNCS, vol. 10469, pp. 54–69. Springer, Cham (2017). https://doi.
org/10.1007/978-3-319-66197-1 4
8. Bruns, G., Godefroid, P.: Model checking partial state spaces with 3-valued tem-
poral logics. In: Halbwachs, N., Peled, D. (eds.) CAV 1999. LNCS, vol. 1633, pp.
274–287. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48683-6 25
9. Chaki, S., Clarke, E.M., Sharygina, N., Sinha, N.: Veriﬁcation of evolving software
via component substitutability analysis. Formal Methods Softw. Des. 32(3), 235–
266 (2008)
10. Chechik, M., Devereux, B., Easterbrook, S., Gurﬁnkel, A.: Multi-valued symbolic
model-checking. ACM Trans. Softw. Eng. Methodol. 12(4), 371–408 (2003)
11. Ciolek, D., Braberman, V.A., D’Ippolito, N., Uchitel, S.: Technical Report:
Directed Controller Synthesis of Discrete Event Systems. CoRR, abs/1605.09772
(2016)
12. Cobleigh, J.M., Giannakopoulou, D., PA˘sA˘reanu, C.S.: Learning assumptions for
compositional veriﬁcation. In: Garavel, H., Hatcliﬀ, J. (eds.) TACAS 2003. LNCS,
vol. 2619, pp. 331–346. Springer, Heidelberg (2003). https://doi.org/10.1007/3-
540-36577-X 24
13. De Giacomo, G., De Masellis, R., Montali, M.: Reasoning on LTL on ﬁnite traces:
insensitivity to inﬁniteness. In: Proceedings of AAAI, pp. 1027–1033 (2014)
14. D’Ippolito, N., Braberman, V., Piterman, N., Uchitel, U.: Synthesising non-
anomalous event-based controllers for liveness goals. ACM Tran. Softw. Eng.
Methodol. 22, 9 (2013)
15. D’Ippolito, N., Braberman, V., Piterman, N., Uchitel, S.: Controllability in partial
and uncertain environments. In: Proceedings of ACSD, pp. 52–61. IEEE (2014)
16. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Property speciﬁcation patterns for
ﬁnite-state veriﬁcation. In: Proceedings of FMSP, pp. 7–15. ACM (1998)
17. Giannakopoulou, D., Pasareanu, C.S., Barringer, H.: Assumption generation for
software component veriﬁcation. In: Proceedings of ASE, pp. 3–12. IEEE (2002)
18. Giannakopoulou, D., Pa˘sa˘reanu, C.S., Barringer, H.: Component veriﬁcation with
automatically generated assumptions. J. Autom. Softw. Eng. 12(3), 297–320 (2005)
19. Jones, C.B.: Tentative steps toward a development method for interfering pro-
grams. ACM Trans. Program. Lang. Syst. 5(4), 596–619 (1983)
20. Keller, R.M.: Formal veriﬁcation of parallel programs. Commun. ACM 19(7), 371–
384 (1976)
21. Larsen, K.G., Thomsen, B.: A modal process logic. In: Proceedings of LICS, pp.
203–210. IEEE (1988)
Supporting Veriﬁcation-Driven Incremental Distributed Design 187
22. Levy, L.S.: Taming the Tiger: Software Engineering and Software Economics.
Springer Books on Professional Computing Series. Springer-Verlag, New York
(1987). https://doi.org/10.1007/978-1-4612-4718-0
23. Li, W., Dworkin, L., Seshia, S.A.: Mining assumptions for synthesis. In: Proceed-
ings of ACM/IEEE MEMPCODE, pp. 43–50 (2011)
24. Lorenzoli, D., Mariani, L., Pezze`, M.: Automatic generation of software behavioral
models. In: Proceedings of ICSE, pp. 501–510 (2008)
25. Magee, J., Kramer, J.: State Models and Java Programs. Wiley, New York (1999)
26. Menghi, C., Spoletini, P., Ghezzi, C.: Dealing with incompleteness in automata-
based model checking. In: Fitzgerald, J., Heitmeyer, C., Gnesi, S., Philippou, A.
(eds.) FM 2016. LNCS, vol. 9995, pp. 531–550. Springer, Cham (2016). https://
doi.org/10.1007/978-3-319-48989-6 32
27. Menghi, C., Spoletini, P., Ghezzi, C.: Integrating goal model analysis with iterative
design. In: Gru¨nbacher, P., Perini, A. (eds.) REFSQ 2017. LNCS, vol. 10153, pp.
112–128. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54045-0 9
28. Nivoit, J.-B.: Issues in strategic management of large-scale software product line
development. Master’s thesis, MIT, USA (2013)
29. Pistore, M., Barbon, F., Bertoli, P., Shaparau, D., Traverso, P.: Planning and
monitoring web service composition. In: Bussler, C., Fensel, D. (eds.) AIMSA 2004.
LNCS (LNAI), vol. 3192, pp. 106–115. Springer, Heidelberg (2004). https://doi.
org/10.1007/978-3-540-30106-6 11
30. Pnueli, A.: In transition from global to modular temporal reasoning about pro-
grams. In: Apt, K.R. (ed.) Logics and Models of Concurrent Systems. NATO ASI
Series, pp. 123–144. Springer-Verlag, New York Inc (1985). https://doi.org/10.
1007/978-3-642-82453-1 5
31. Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: Proceedings of
POPL, pp. 179–190. ACM (1989)
32. Pretschner, A., Broy, M., Kruger, I.H., Stauner, T.: Software engineering for auto-
motive systems: a roadmap. In: Proceedings of FOSE, pp. 55–71. IEEE Computer
Society (2007)
33. Sandewall, E.: Features and Fluents (Vol. 1): The Representation of Knowledge
about Dynamical Systems. Oxford University Press Inc, New York (1995)
34. Sibay, G.E., Uchitel, S., Braberman, V., Kramer, J.: Distribution of modal tran-
sition systems. In: Giannakopoulou, D., Me´ry, D. (eds.) FM 2012. LNCS, vol.
7436, pp. 403–417. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-
642-32759-9 33
35. Software Measurement Services Ltd. “small project”, “medium-size project”, and
“large project”: What do these terms mean? (2004). http://www.totalmetrics.com/
function-points-downloads/Function-Point-Scale-Project-Size.pdf
36. Solar-Lezama, A.: Program synthesis by sketching. Ph.D. thesis. University of Cal-
ifornia, Berkeley (2008)
37. Uchitel, S., Brunet, G., Chechik, M.: Synthesis of partial behavior models from
properties and scenarios. IEEE Trans.Softw. Eng. 35(3), 384–406 (2009)
188 C. Menghi et al.
Open Access This chapter is licensed under the terms of the Creative Commons
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),
which permits use, sharing, adaptation, distribution and reproduction in any medium
or format, as long as you give appropriate credit to the original author(s) and the
source, provide a link to the Creative Commons license and indicate if changes were
made.
The images or other third party material in this chapter are included in the chapter’s
Creative Commons license, unless indicated otherwise in a credit line to the material. If
material is not included in the chapter’s Creative Commons license and your intended
use is not permitted by statutory regulation or exceeds the permitted use, you will
need to obtain permission directly from the copyright holder.
