Verification of Branching-Time and Alternating-Time Properties for Exogenous Coordination Models by Klüppelholz, Sascha
Verification of Branching-Time and
Alternating-Time Properties for Exogenous
Coordination Models
Dissertation
zur Erlangung des akademischen Grades
Doktoringenieur (Dr.-Ing.)
vorgelegt an der
Technischen Universität Dresden
Fakultät Informatik
eingereicht von
Sascha Klüppelholz
geboren am 21.10.1976 in Haan
Gutachter:
Prof. Dr. rer. nat. Christel Baier
Technische Universität Dresden
Prof. Dr. Farhad Arbab
Universität Leiden, Niederlande
Tag der Verteidigung: 19. März 2012

Abstract
Information and communication systems enter an increasing number of areas of daily lives.
Our reliance and dependence on the functioning of such systems is rapidly growing together
with the costs and the impact of system failures. At the same time the complexity of hard-
ware and software systems extends to new limits as modern hardware architectures become
more and more parallel, dynamic and heterogenous. These trends demand for a closer in-
tegration of formal methods and system engineering to show the correctness of complex
systems within the design phase of large projects.
The goal of this thesis is to introduce a formal holistic approach for modeling, analysis
and synthesis of parallel systems that potentially addresses complex system behavior at
any layer of the hardware/software stack. Due to the complexity of modern hardware and
software systems, we aim to have a hierarchical modeling framework that allows to specify
the behavior of a parallel system at various levels of abstraction and that facilitates designing
complex systems in an iterative refinement procedure, in which more detailed behavior is
added successively to the system description. In this context, the major challenge is to
provide modeling formalisms that are expressive enough to address all of the above issues
and are at the same time amenable to the application of formal methods for proving that
the system behavior conforms to its specification. Our focus in this thesis will be on model
checking which yields an algorithmic approach to show the correctness of a system with
respect to its specification. For the modeling, we are interested in specification formalisms
that allow to apply formal verification techniques such that the underlying model checking
problems are still decidable within reasonable time and space bounds.
The presented work relies on an exogenous modeling approach that allows a clear separa-
tion of coordination and computation and provides an operational semantic model where
formal methods such as model checking are well suited and applicable. The channel-based
exogenous coordination language Reo is used as modeling formalism as it supports hier-
archical modeling in an iterative top-down refinement procedure. It facilitates reusability,
exchangeability, and heterogeneity of components and forms the basis to apply formal ver-
ification methods. At the same time Reo has a clear formal semantics based on automata,
which serve as foundation to apply formal methods such as model checking.
In this thesis new modeling languages are presented that allow specifying complex systems
in terms of Reo and automata models which yield the basis for a holistic approach on mod-
eling, verification and synthesis of parallel systems. The second main contribution of this
thesis consists of tailored branching-time and alternating time temporal logics as well as
corresponding model checking algorithms. The thesis includes results on the theoretical
complexity of the underlying model checking problems as well as practical results. For
the latter the presented approach has been implemented in the symbolic verification tool
set Vereofy. The implementation within Vereofy and evaluation of the branching-time and
alternating-time model checker comprise the third main contribution of this thesis.
i
ii
Acknowledgements
First and foremost I want to thank my advisor Christel Baier for giving me the opportunity
to be a member of her group for many years. I am very thankful for all her encouragement
and contributions of ideas, time and funding which made my PhD experience a wonderful,
productive and stimulating time. It is only due to her geniality, ingenuity and guidance that
I was able to successfully complete my PhD. I want to thank her from the bottom of my
heart.
I also want to thank my parents and their new marriage partners, Monika and Peter Pietzsch,
Klaus and Urszula Klüppelholz, my grandparents Katharina and Paul Wahler and the whole
family for proving me any imaginable kind of support. I owe special gratitude to my caring
mother Monika who worked hard and provided continuous and unconditional support.
I wish to thank my girlfriend Claudia Engler for her love, devotion and unstinting support
after all those busy weekends and evenings. I also want to thank the Engler family for
warmly welcoming me. I would also like to express my warm thanks to my extremely-long-
standing friends together with their family members who have always been there when I
needed them the most, as there are Bettina and Christian Wunner, Christoph Münch, David
Calaminus, Frank Birkenbeil, Nora Timmerbeil and Ricarda Essrich as well as long and
outstanding friends from Bonn like Andreas Niers and his family, Arthur Glogowski, Jan
Tietjen and family, Kristina and Sebastian Lützeler-Gerhards, Kristina Judith, and many
many more. I also want to thank all the wonderful people from Villigst and especially
André Koch who also finished his PhD recently. Thank you for all your love and support
and thank you Ricarda and Bettina for all the proofreading of my thesis.
It was a pleasure to share doctoral studies and life in Dresden and Bonn with wonderful
people like Tobias Blechmann, Frank Ciesinski, Marcus Größer and Joachim Klein, who
shared this exiting adventure starting from the early days in Bonn. In the final phase of this
thesis I very much appreciated the help of Joachim Klein who constantly gave very helpful
comments, reviewed many things with me at the whiteboard, implemented some nifty helper
scripts for efficiently running the case studies and kept poking me to work thoroughly on
the remaining parts.
I was also very lucky to meet and get to know some delightful and knowledgeable colleagues
in Dresden like Manuela Berg, Clemens Dubslaff, Markus Daum, Steffen Märcker, Michael
Ummels, and all the others who joined (and left) our group in the recent years and of course
all the other nice people I met at the institute for theoretical computer science and the
faculty of computer science. A very special thanks I want to express to Kerstin Achtruth
for just everything that she did for us. I would also like to thank the professors forming the
committee of the doctoral examination procedure. Prof. Uwe Assmann and Prof. Hermann
Härtig for forming and leading the committee, Prof. Christel Baier for supervising and
reviewing the thesis, Prof. Farhad Arbab for all his effort he spent on reviewing the thesis
as well as for the traveling, and Prof. Heiko Vogler for giving very helpful comments in
preparation of the defense.
iii
In the context of a collaboration within the former EU project CREDO and the bilateral
DFG/NWO project SYANCO I had the opportunity to travel a lot, see different places
and meet wonderful people. Working with them has been a great pleasure and beyond
the project scope I still feel grateful to people like Bernhard Aichernig, Farhad Arbab,
Frank de Boer, David Clarke, David Costa, Immo Grabe, Andreas Griesmayer, Mahdi
Jaghouri, Einar Broch Johnsen, Stephanie Kemper, Jetty Kleijn, Christian Krause, Marcel
Kyas, Wolfgang Leister, Xuedong Liang, Bjarte Østvold, Olaf Owe, Jose Proenca, Willem-
Paul de Roever, Jan Rutten, Alfons Salden, Rudolph Schlatte, Andries Stam, Martin Steffen,
Simon Tschirner, and Wang Yi.
Unfortunately, some of my closest people cannot witness the end of this experience. I feel
very certain that my late father Klaus Klüppelholz and his wife Urszula Klüppelholz, who
died just six days after him, would be very proud seeing this. We all miss Tobias Blechmann
our dear colleague and friend who passed away much too early. Some of the work presented
in this thesis has been created in collaboration with him within endless working sessions on
the whiteboard. Just to mention two of his contributions: some important language features
and the name of our modeling language CARML were originally proposed by him and the
bisimulation engine he created is still part of our model checking tool set Vereofy. We
should have pushed this much further – together. Lastly, and most importantly, I want to
thank a very special person. My grandfather Paul Wahler was and is one of my major role
models from whom I learned a lot for life. I dedicate this thesis to him.
iv
Contents
CHAPTER 1 Introduction 1
CHAPTER 2 Constraint automata 9
2.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Symbolic representation of constraint automata . . . . . . . . . . . . . . . 16
2.3. Data types and polarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
CHAPTER 3 Modeling formalism and languages 23
3.1. The coordination language Reo . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2. The modeling languages RSL and CARML . . . . . . . . . . . . . . . . . 34
3.2.1. Reo scripting language (RSL) . . . . . . . . . . . . . . . . . . . . 35
3.2.2. Constraint automata reactive module language (CARML) . . . . . 46
CHAPTER 4 Alternating-time stream logic 53
4.1. Constraint automata as multi-player games . . . . . . . . . . . . . . . . . . 53
4.2. Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.3. Branching-time and alternating-time model checking . . . . . . . . . . . . 66
4.3.1. BTSL model checking . . . . . . . . . . . . . . . . . . . . . . . . 67
4.3.2. ASL model checking . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.4. Complexity of the ASL model-checking problem . . . . . . . . . . . . . . 88
4.5. ASL with fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
CHAPTER 5 Implementation 99
5.1. The model-checking tool Vereofy . . . . . . . . . . . . . . . . . . . . . . 99
5.2. BDD-based model checking . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.3. Tool evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3.1. Tic-Tac-Toe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.3.2. Other game examples . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.3.3. A dining philosophers example . . . . . . . . . . . . . . . . . . . 130
v
5.3.4. Other protocol examples . . . . . . . . . . . . . . . . . . . . . . . 138
5.3.5. The ASK communication system . . . . . . . . . . . . . . . . . . 138
CHAPTER 6 Conclusion 147
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
vi
List of Figures
2.1. Constraint automaton for a component or connector . . . . . . . . . . . . . 11
2.2. Product automaton of two FIFO channels with capacity one and Data = {0} 14
2.3. Hiding variants applied to the constraint automaton from Example 2.1.9 . . 15
2.4. Constraint automaton for a component or connector (IOC-syntax) . . . . . 17
2.5. Constraint automaton with memory for a component or connector . . . . . 18
3.1. Basic set of Reo channels . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2. Constraint automata for Reo channels . . . . . . . . . . . . . . . . . . . . 27
3.3. Reo nodes: a) sink node, b) source node, and c) mixed Reo node . . . . . . 28
3.4. Replacement of a Reo node N by a component CN . . . . . . . . . . . . . 29
3.5. Constraint automata for a standard Reo node N . . . . . . . . . . . . . . . 29
3.6. Constraint automata for a Reo route node N . . . . . . . . . . . . . . . . . 30
3.7. Reo join for two FIFO channels . . . . . . . . . . . . . . . . . . . . . . . 30
3.8. Automata for two FIFO1 channels, the standard Reo node and their product 31
3.9. Reo component connector for data-dependent routing . . . . . . . . . . . . 32
3.10. A writer and two readers connected by a data-dependent router . . . . . . . 32
3.11. Constraint automaton (after hiding the internals) for a data-dependent router 33
3.12. Schema of an RSL circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.13. Two RSL scripts composing the same connector . . . . . . . . . . . . . . 40
3.14. An RSL main program to compose the Reo network of Example 3.1.5 . . . 41
3.15. Schema for RSL scripts with dynamic reconfiguration . . . . . . . . . . . 42
3.16. A dynamic router used in a simple Reo network . . . . . . . . . . . . . . . 43
3.17. Schema of a CARML module . . . . . . . . . . . . . . . . . . . . . . . . 47
3.18. CARML module for a FIFO1 channel with initial value init value . . . . . 50
3.19. Induced constraint automaton for the CARML module of Figure 3.18 . . . 51
3.20. CARML module for a stack with capacity cap . . . . . . . . . . . . . . . . 51
4.1. Constraint automaton and a finite-memory N -strategy . . . . . . . . . . . . 57
4.2. Two components connected via a FIFO channel . . . . . . . . . . . . . . . 62
vii
LIST OF FIGURES LIST OF FIGURES
4.3. Network (left) and constraint automaton (right) . . . . . . . . . . . . . . . 63
4.4. Network with three components and its constraint automaton . . . . . . . . 64
4.5. Constraint automaton A and NFA Z with L(Z) = (c(A) = 1)∗ . . . . . . 70
4.6. Product automaton A⊗Z . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.7. Schema for the treatment of EN 〈Z〉Φ . . . . . . . . . . . . . . . . . . . . 77
4.8. Schema for the treatment of EN [[Z]]Φ . . . . . . . . . . . . . . . . . . . . 85
5.1. Main elements of the Vereofy tool set . . . . . . . . . . . . . . . . . . . . 100
5.2. Component model for a two-player game . . . . . . . . . . . . . . . . . . 109
5.3. RSL declarations for the Tic-Tac-Toe game . . . . . . . . . . . . . . . . . 111
5.4. CARML module for the rules of the Tic-Tac-Toe game . . . . . . . . . . . 111
5.5. CARML module for the game arena of the Tic-Tac-Toe game . . . . . . . . 112
5.6. RSL circuit composing the Tic-Tac-Toe game . . . . . . . . . . . . . . . . 113
5.7. Executing Vereofy for the Tic-Tac-Toe game and formula Φ4 . . . . . . . . 116
5.8. Tic-Tac-Toe draw configuration as reached in the witness path in Figure 5.7 117
5.9. BDD nodes during fixpoint computation for Tic-Tac-Toe 3×3 (gcd=default) 124
5.10. BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=default) 125
5.11. BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=inf) . . 126
5.12. BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=0) . . . 127
5.13. BDD nodes during fixpoint computation for Tic-Tac-Toe 3×3 (gcd=0) . . . 128
5.14. Time needed for fixpoint computation in Tic-Tac-Toe (gcd=inf) . . . . . . 129
5.15. Component model for the dining philosophers . . . . . . . . . . . . . . . . 131
5.16. Constraint automata for the dining philosophers components . . . . . . . . 131
5.17. Alternative component model for the dining philosophers without deadlock 132
5.18. Composition time in seconds for the dining philosophers protocol . . . . . 134
5.19. BDD nodes: precomputing reachable states of the dining philosophers . . . 135
5.20. ASK core overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
5.21. Abstraction levels in the ASK model and components contained in the level 140
5.22. Reo network for the ASK core . . . . . . . . . . . . . . . . . . . . . . . . 141
5.23. Reo network for the scheduler process . . . . . . . . . . . . . . . . . . . . 142
5.24. Time and memory usage for the scheduler process . . . . . . . . . . . . . . 144
5.25. Time and memory usage for the reception process . . . . . . . . . . . . . . 146
viii
1 Introduction
In our everyday life we observe that information and communication systems enter an in-
creasing number of areas. Our reliance and dependence on the functioning of such systems
are rapidly growing, and so are the costs and the impact of system failures. At the same,
time the complexity of hardware and software systems extends to new limits. In the last
decades the performance of hardware systems was mainly improved by integrating more
transistors on an integrated circuit and increasing the processor frequency.
This process has reached its physical limitations for current CMOS-based technology. Con-
tinuing Moore’s Law in the future demands for new designs and technologies [BC11]. Cur-
rent hardware multi- and many-core architectures are providing more and more resources
available for parallel and asynchronous computing. Instead of synchronizing on a single
global clock whose frequency is increased to gain more performance, modern architectures
tend to be more and more asynchronous. Given the fact that local hardware components still
work in a synchronized way it is rather natural to design systems following GALS paradigm
[Cha84] (globally asynchronous and (only) locally synchronous). Better performance can
now potentially be achieved by increasing the number of cores. Together with the growing
number of cores, future hardware becomes more flexible with respect to dynamic recon-
figuration and runtime adaptations. Notable improvements can be achieved when changing
the communication from classical bus- or crossbar-based interconnects to network-on-chip
(NoC) communication which is more eligible for flexible adaptations at runtime. Hence,
reconfigurable hardware has the chance of achieving a better performance at a lower energy
consumption. The latter has become a very important issue not only for mobile devices and
large server farms. Another important aspect results from the development of promising
alternative material such as silicon nanowires. Current hardware architectures are heteroge-
nous only in the sense that they may for example use graphics processing units (GPUs)
for computations instead of the CPU. In the future we expect more heterogenous hardware
systems that may contain special-purpose hardware based on alternative materials. This
makes future hardware platforms even more flexible and provides another opportunity for
improving the overall computing performance. Despite the fact that the performance of
future hardware increases by providing more flexible parallel and heterogenous hardware
resources, the overall performance of a system will not benefit from these developments
automatically. We see already today that our static sequential programs do not profit in full
from CPUs with four or even more cores. An integrated approach is needed that covers
the hardware, the operating system, programming languages and compilers, libraries and
middle-ware as well as aspects of the application layer.
1
Chapter 1. Introduction
These developments show that future hardware and hence the software will be even more
complex and error-prone. It will become more difficult to build systems that behave cor-
rectly with respect to their specification. This demands for a closer integration of systems
engineering and formal methods, i.e., applied mathematics for modeling and analyzing in-
formation and communication systems, to show the correctness of complex systems within
the early design phase of large projects.
The goal of this thesis is to present a holistic approach for the modeling, analysis and synthe-
sis of complex current and future hardware and software systems. The proposed approach
should be applicable at any layer of the hardware/software stack (and even across layers)
and support heterogeneity. Moreover, the proposed approach should be compositional and
support hierarchical modeling of parallel systems by means of a stepwise refinement proce-
dure that facilitates reusability, interchangeability, and system maintenance. To achieve this
goal, we plan to inspect well-known concepts, methods, and techniques from the literature
and combine them into a holistic framework. To obtain efficiency in this framework, this
surely involves some nontrivial adaptions and modification. The main challenge in devel-
oping such a holistic approach is to find a reasonable balance between different aspects.
We demand for modeling languages that are comprehensive and expressive and at the same
time simple, elegant, intuitive and easy to learn. The underlying semantics of the modeling
formalisms needs to capture all the relevant aspects and details of the system. Also the for-
mal methods that are applied to show the correctness of a parallel system model should be
powerful enough to address all relevant aspects, e.g., functionality, costs, time, utility and
various types of system properties from the safety-liveness spectrum. On the other hand,
the proposed combination of languages, their operational semantics, and formal methods
should still be eligible for systematic verification and synthesis supported by tools, and the
algorithmic problems should still be efficiently decidable.
In this respect, component-based modeling is a promising approach facilitating the vision
of “correctness by construction” [Hal02, HC02, Hal05, GS05]. In the component-based
modeling approach the basic principle is (as in software engineering) to divide a complex
system into logical entities. These entities are called components. In principle, components
are abstract entities that have a well-defined interface consisting of (input and output) ports
which they use for communication and interaction. At each layer of the hardware/software
stack components can stand for different parts of the system. E.g., at the hardware level,
the components of a component-based system model could stand for different parts of hard-
ware such as the CPU or the memory. At the programming language layer, components
could model the behavior of objects or method calls. Hence, the component-based view
can in principle be applied at any layer or even across layers of the hardware/software
stack. Component-based modeling also allows and facilitates a systematic hierarchical sys-
tem design, as modeling complex systems can be done in an iterative top-down refinement
procedure. Starting from a rather abstract, purely structural component-model, one can suc-
cessively provide details of the concrete implementation for each of the components. On the
other hand, starting with fully specified (and verified) components, one can compositionally
build complex systems in a bottom-up manner.
2
Chapter 1. Introduction
A multitude of component-based modeling formalisms have been proposed in the literature.
They are based on different formalisms to describe the components themselves and a variety
of paradigms for interaction and communication of the components. One of the most simple
types of synchronization relies on the principle of synchronized parallelism that has been
suggested by Milner [Mil83], and is used, e.g., to model the communication between transi-
tion systems [Arn94]. Famous examples of communication paradigms are based on shared
variables which were originally proposed by Dijkstra [Dij65] in 1965 or handshake commu-
nication as it is the case in process algebras such as CSP (Communicating Sequential Pro-
cesses) [Hoa78, Hoa85], CCS (Calculus of Communicating Systems) [Mil89, Mil99], ACP
(Algebra of Communicating Processes) [BK85], π-Calculus [MPW92], etc., where parallel
processes communicate over synchronous and asynchronous channels. While process al-
gebras are very expressive, their view is action-based and focuses on algebraic reasoning
about equivalence, simulation, bisimulation, or trace-based refinement relations. Coordi-
nation languages have a different focus which is on the glue code that coordinates and
orchestrates the components. Coordination languages aim for a clear separation between
coordination and computation. Moreover, coordination languages potentially allow for the
application of iterative and hierarchical refinement procedures as needed when modeling
complex parallel software and hardware systems and they align perfectly with refinement
procedures known from the software engineering and hence do facilitate reusability and
exchangeability of components (and the orchestrating structures as well).
A variety of coordination models and languages have been introduced. In general they can
be categorized by the following two aspects. Coordination languages are either control-
oriented or data-oriented. Whereas control-oriented languages have a data-abstract per-
spective and tend to center around the control-flow between components (only), the data-
oriented languages tend to manage the dataflow of communicating components. The second
aspect is exogenous vs. endogenous coordination. Endogenous coordination languages re-
quire to incorporate coordination primitives within the code that specifies the behavior of the
components. A typical example is the data-oriented and endogenous coordination language
Linda [GCCC85] where components are described in a computational language extended
by operators to store or retrieve data objects from a global tuple space. A cleaner separa-
tion of computation and coordination is provided by exogenous coordination models where
the components do not need to be aware of each other. Instead, they are controlled from
“outside” via their interfaces.
Several approaches for exogenous coordination have been suggested, e.g., an aspect-oriented
approach [KLM+97, CSZ04], a variant of the π-calculus with anonymous peer-to-peer
communication [GSAdBB05, GS07], glue code provided by scripting languages [SLN01,
ALSN01], and formalism that rely on the construction of component connectors, such as in-
teraction systems [GS03, MCM08] or the declarative channel-based language Reo [Arb04].
In this thesis we will use the exogenous coordination language Reo for specifying the com-
munication, synchronization and interaction of components. Reo is based on the ideal
worker ideal manager (IWIM) model [Arb96], extending classical models such as Kahn
networks and dataflow languages. Reo allows any kind of peer-to-peer communication,
hierarchical modeling and provides support for dynamic reconfiguration. Reo is more ex-
pressive than, e.g., dataflow models, workflow models, and Petri nets [Pet77, Pet81]. In par-
ticular, standard CCS-like handshaking via synchronous channels can be modeled in Reo.
3
Chapter 1. Introduction
The interface behavior of the components as well as the behavior of the basic Reo channels
are described in terms of automata models. Constraint automata [BSAR06] serve for both,
as an operational semantics for Reo which supports composition of channels and at the same
time constraint automata are used to describe the interface behavior of components. This
approach is fully compositional and yields the basis for analyzing the components in isola-
tion (which carry out the computation), the orchestrating Reo network in isolation (which is
responsible for communication and interaction between components), or the entire system
model. The underlying operational semantics for components and their interactions is now
based on an automata model that yields the perfect basis for applying formal methods to
show the correctness of a system with respect to its specification.
In general there are different ways to validate the correctness of a designed system. With
testing and simulation one can find many types of failures and errors within existing systems
and system models respectively. However, testing and simulation come with the drawback
of incompleteness as neither of the two methods formally proves the absence of system
errors. In contrast theorem proving and model checking are complementary verification
methods that are complete in the sense that properties which have been proven to hold, do
hold for all possible system behavior. Whereas theorem proving is a semi-automatic de-
ductive technique which requires expert knowledge to operate, model checking is a fully
automatic and algorithmic approach. Theorem proving, model checking, testing and sim-
ulation form a useful toolbox of complementary methods that can be used to validate the
correctness of future hardware and software systems. In this thesis we will consider model
checking techniques which target towards a closer integration in the system design phase of
complex parallel (and distributed) systems.
The term model checking was introduced [CE81] in 1981 and about the same time a similar
technique was suggested in [QS82]. In model checking the operational behavior of a system
is given in terms of an automata-based model and we check the specification, which is
usually given in terms of a temporal logic formula. In the early days, model checking was
mostly applied for verifying hardware circuits and protocols where exhaustive testing is
not feasible due to the huge number of test cases. Later, model checking has also been
successfully applied to software systems, e.g. [Hol93]. An introduction to model checking
can be found, e.g., in [CK96, CS00, CW96, Mer01, Wol95]. Extensive knowledge about
model checking can be found in the early books [Hol90, McM93, Kur94], the 1999 book
Model Checking [CGP99], which serves as a standard reference, and other books [HR99,
Sch04a, BBF+01] as well as the book [BK08] from 2008.
The major challenge in the classical model checking approach arises from the fact that the
corresponding algorithms work on the representation of the entire systems, whose size be-
comes huge and reaches (or even extends) the memory limitations of modern computer
systems very quickly. This challenge is known as the state-explosion problem and de-
mands for additional techniques to handle gigantically large state spaces, see e.g. [AK86].
Many techniques have been proposed to overcome the state-space-explosion problem such
as partial order reduction [Val92, God96, Pel93], symmetry reduction [CEFJ96], slicing for
concurrent programs [Wei84, Kri03], (learning-based) assume-guarantee reasoning [Pnu85,
HQR98, CCF+10], bounded and unbounded SAT-based model checking as in [BCCZ99]
and [WBCG00], iterative (and counterexample-guided) abstraction-refinement algorithms
4
Chapter 1. Introduction
[GS97, CGJ+00], as well as symbolic model checking based on binary decision diagrams
(BDDs) [BCM+92].
Many instances of model checking have been studied in the literature. They vary in the way
the behavior of the system is specified, the underlying operational model and the type of
properties that can be checked. One of the most prominent candidates to formally describe
the behavior of systems are variants of transition systems [Kel76], which do serve as a
semantic model for formalisms such as process algebras [Hoa85, Mil89, Mil99, BPe01],
Petri nets [Pet77, Pet81], UML [RJB99], statecharts [Har87], finite-state Mealy and Moore
automata [Kro99], program graphs [MP92], etc. Transition systems form the basis for most
model checkers.
Over the years, a large number of model checkers have been developed in academia and
industry1. We now look at some of the most prominent formalisms and model checkers
in more detail. SPIN [Hol97] is a tool for protocol design and validation that targets on
efficient software verification, not hardware verification. SPIN supports LTL (linear tem-
poral logic) [Pnu77] model checking [VW86, Var96] by an on-the-fly exploration of the
state space. The input language of SPIN is Promela – a nondeterministic guarded command
language. The communication between components is limited to simple synchronous and
asynchronous channels. Hence, Promela and SPIN hardly support hierarchical top-down or
bottom-up modeling. SMV (symbolic model verifier) [McM93] was the first BDD-based
CTL (computation tree logic) model checker. SMV is designed for hardware verification
and its capability of handling complex data structures is limited. A recent variant of SMV is
the model checker NuSMV [CCGR00] which now also supports LTL. Modeling complex
software systems with NuSMV leads to rather artificial models which are not close to the
real system. MOCHA [AHM+98] supports alternating-time symbolic model checking, e.g.,
ATL [AHK02] model checking of reactive modules [AH99].
The above model checkers, SPIN, NuSMV, and MOCHA, are very limited in communi-
cation and coordination between components directly and none of them treats exogenous
coordination as a first class citizen. Hence, the compositional and hierarchical modeling ap-
proach is hardly supported by any of the above model checkers. In contrast, there are other
formalisms like classical process algebras and corresponding tools that in principle would
provide this support. E.g, CADP [GLMS11] is a powerful set of tools to design commu-
nication protocols and distributed systems. It is connected to various complementary tools
and widely used in (industrial) projects. CADP uses the process algebra LOTOS (Language
of Temporal Ordering Specification) [BB87] as the modeling language, which then is trans-
lated into a simplified process algebra called SUBLOTOS. From that an intermediate Petri
Net model [Pet77, Pet81] is generated and in the end the labeled transition system (LTS) is
produced by performing a reachability analysis on the Petri net. The LTS are stored in an
explicit manner and CADP uses XTL (eXecutable Temporal Language), a functional-like
programming language designed for the implementation of user defined temporal logics.
FDR2 (Failures-Divergence Refinement Tool) is a refinement checker, whose modeling for-
malism is based on Hoare’s process algebra CSP. It is used primarily for checking security
properties.
1An incomplete overview is given e.g. at http://anna.fi.muni.cz/yahoda/
5
Chapter 1. Introduction
There are many more tools from the process algebra community like the concurrency work
bench (CWB) [Ste97, CPS89] based on Milner’s CCS for bisimulation checking and µ-
calculus model checking, and µCRL [DG95, Wou01, vdP01, KKdV12] for µ-calculus
model checking of process algebras, but none of them treats coordination as first class ob-
ject in the first place. Although it is possible to specify coordination within by means of
special operators, the specification becomes rather complex and artificial. In contrast, the
declarative nature of Reo promotes specifying the coordination glue code in a very intuitive
and flexible manner. The goal of this thesis is to introduce a model checker that directly
supports the constructs of Reo and hence allows to link back counter examples and other
properties to the original model effectively.
Goal of the thesis. The major goal of this thesis is to introduce a holistic approach for
the modeling, analysis, and synthesis of component-based system models with exogenous
coordination, which includes input languages that are expressive and simple, allow a clear
separation of computation and coordination, support compositional and hierarchical mod-
eling, allow specifying systems at any layer of the hardware/software stack, have clear
formal semantics eligible to formal methods as well as temporal logics and model checking
algorithms that treat exogenous coordination in component-based systems as a first class
citizen, allow reasoning about aspects of coordination and dataflow, allow reasoning about
alternating-time aspects such as controllability, and are decidable within reasonable time
and space bounds. It is intended to evaluate the introduced techniques and methods for
modeling, analysis, and synthesis within a newly implemented tool set.
Contribution. In this thesis we will introduce the syntax and formal semantics of two
modeling languages CARML and RSL. CARML (Constraint Automata Reactive Module
Language) is a guarded command language [Dij76] which is inspired by reactive modules
[AH99] and serves for the specification of the interface behavior of components and Reo
channels. RSL (Reo scripting language) is a scripting language that allows to create new
instances of Reo channels and components specified in CARML and compositionally build
larger networks and systems. Combining the two languages yields a compositional and hi-
erarchical modeling framework. The combination of guarded command languages together
with synchronous and asynchronous channel-based communication is also used in Promela
[Hol93], the input language of the model checker SPIN [Hol97, Hol03], but Reo facilities a
clear distinction between coordination and computation.
In this thesis we will present a branching-time and an alternating-time temporal logic tai-
lored to our modeling framework based on Reo and constraint automata [BSAR06]. The
branching-time logic BTSL combines standard features known from CTL [CE81, CGP99]
with modalities from propositional dynamic logics like PDL [FL79] and the timed data
stream logic (TDSL) [ABdBR04, CCA04] for reasoning about the observable dataflow at
interface ports of Reo channels and components. The presented alternating-time logic ASL
is inspired by classical alternating-time logics such as ATL [AHK02]. In this thesis a two-
player game-based interpretation of constraint automata is proposed that allows reasoning
about strategies in the Reo and constraint automata framework. Furthermore, we present the
algorithms for the corresponding model checking problems and analyze them with respect
to their theoretical complexity. For a practical evaluation of the model checking algorithms
we implemented them within the model checking tool set Vereofy.
6
Chapter 1. Introduction
Vereofy is a tool set developed in our group at the TU Dresden that uses CARML and RSL
as input languages and supports the introduced branching-time and alternating-time model
checking as well as linear-time model checking and equivalence checking using bisimula-
tion. To overcome the state-space explosion problem, Vereofy uses BDDs as data structures
to represent constraint automata compactly. Also, the implementation of the model check-
ing algorithms is based on BDDs. In this thesis we present the relevant implementation
details of Vereofy as well as practical results achieved in a number of case studies.
Outline. Chapter 2 will give an overview on constraint automata and basic notations used
throughout this thesis. In Chapter 3 we introduce our modeling framework based on Reo and
constraint automata as well as syntax and semantics of our modeling languages CARML
and RSL. The main contribution of this thesis can be found in Chapter 4 where syntax
and semantics of our branching-time logic BTSL and the alternating-time logic ASL are
presented. In this chapter we provide the model checking algorithms together with results
on the complexity of the model checking problems. In Chapter 5 the details on the symbolic
implementation within our verification tool set Vereofy are given. In this chapter we provide
examples and case studies that have been carried out with Vereofy and present practical
results. Chapter 6 concludes this thesis and presents ideas for future work.
7
Chapter 1. Introduction
8
2 Constraint automata
Constraint automata [BSAR06] provide a generic operational model to formalize the behav-
ioral interfaces of the components, the network (i.e., the glue code or connector) that coor-
dinates a set of components, and a composite system consisting of components and the glue
code. Constraint automata are variants of labeled transition systems (LTS) where the labels
of the transitions represent the (possibly data-dependent) I/O-operations of the components
and the network. Constraint automata are adequate to represent any kind of synchronous
and asynchronous peer-to-peer communication. The states of a constraint automaton rep-
resent the local states of components and/or configurations of a connector. The transition
labels characterize the possible I/O-activities at the dataflow locations where I/O-operations
can take place, such as the interface ports of components, nodes in the connector network,
etc. Constraint automata will also serve as a formal semantics for our input languages RSL
and CARML [BBKK09a, BKK12] as introduced in Section 3.2.
Organization. Section 2.1 provides the basic notation of constraint automata, executions,
paths and operators used for composition. In Section 2.2 we present an alternative syntax
for constraint automata. This symbolic characterization is closer to what is used in the
implementation and allows a more compact (graphical) representation. In Section 2.3 the
concept of constraint automata will be enriched with polarity and type information.
2.1. Introduction
To formalize the I/O-activity, constraint automata use a finite set N of names for dataflow
locations. Dataflow locations are points in the network where dataflow is observable, e.g.,
the I/O-ports of components or nodes of the network that serve as a router. We assume here
that the data domain Data is a fixed and finite set of data items that can be observed at the
dataflow locations.
For the syntax of constraint automata we slightly depart from the original one presented
in [BSAR06]. Instead of having guard conditions on the possible dataflow as transition
labels, the observable dataflow in a constraint automaton is in the first place formalized
by means of concurrent I/O-operations (CIOs). CIOs can be understood as the possible
actions of a component, a connector, or as interactions between several components and the
connector in a composite system. The meaning of a transition instance q c−→ p is that in
configuration q, the concurrent I/O-operation c is enabled and state p is a possible successor
configuration of q executing c. A concurrent I/O-operation specifies the dataflow locations,
where at some specific time instance dataflow can be observed simultaneously.
9
2.1. Introduction Chapter 2. Constraint automata
Definition 2.1.1 (Concurrent I/O-operations). LetN be a finite, nonempty set of names for
dataflow locations. We define a concurrent I/O-operation as a function
c : N → Data ∪ {⊥},
where the symbol ⊥ means that there is no dataflow at the corresponding dataflow location.
We write active(c) for the set of names of dataflow locations A ∈ N such that c(A) ∈
Data, where Data is the data domain. For technical reasons, we also allow the empty
concurrent I/O-operation c∅ with active(c∅) = ∅. It represents either an internal step of
some component, or an unobservable step of a connector, where dataflow appears at some
hidden (invisible) dataflow locations only. We refer to CIO as the set of all concurrent
I/O-operations (including c∅). As we suppose N and Data to be finite, the set CIO of
concurrent I/O-operations is finite as well. When reasoning about finite behavior we will
also need a special symbol
√
that indicates that dataflow has stopped. The set CIO√ stands
for CIO ∪ {√}.
Definition 2.1.2 (Constraint automata [BSAR06]). A constraint automaton is a tuple
A = 〈Q,N ,−→, Q0,Q,AP , L〉,
where Q is a finite and nonempty set of states, N a finite set of port names, and −→ is a
subset of Q× CIO×Q called the transition relation of A. We will write q c−→ p instead of
〈q, c, p〉 ∈ −→. The setQ0 ⊆ Q is a nonempty set of initial states, AP a finite set of atomic
propositions, L : Q → 2AP a labeling function, and Q ⊆ Q a set of so called quiescent
states such that {q ∈ Q | there is no transition q c−→ q′} ⊆ Q.
The set Q of quiescent states characterizes those states q ∈ Q where dataflow can stop
completely (although there might be outgoing transitions).
Example 2.1.3 (Constraint automata). Figure 2.1 shows an example of a constraint au-
tomaton providing the interface behavior of a component or a connector with two dataflow
locations. The constraint automaton consists of the three states Q = {q0, q1, q2}, the set
N = {A,B} of names for the dataflow locations, and the depicted transition relation. The
set of starting states Q0 = {q0} is a singleton and contains the state q0 only. As all states
q ∈ Q have outgoing transitions we can assume here, that the set of quiescent states is
empty, i.e., Q def= ∅.
Assuming that A is an input port and B is an output port, the given behavior agrees with
the behavior of a FIFO channel with capacity one which can store the two values of the data
domain Data = {0, 1}.
For the atomic propositions we define the set
AP = {empty, full, contains0, contains1}
and the labeling function as follows:
L(q0) = {empty}
L(q1) = {full, contains0}
L(q2) = {full, contains1}.
10
Chapter 2. Constraint automata 2.1. Introduction
c1 : [A! 0, B ! ?]
c4 : [A! 1, B ! ?]
c2 : [A! ?, B ! 0]
c3 : [A! ?, B ! 1]
q0
q1
q2
Figure 2.1: Constraint automaton for a component or connector
Definition 2.1.4 (Enabledness). Let A = 〈Q,N ,−→, Q0,Q,AP , L〉 be a constraint au-
tomaton as in Definition 2.1.2, q ∈ Q a state, and c ∈ CIO a concurrent I/O-operation. We
call c to be enabled in q iff c can take place in q and define the set of all I/O-operations
enabled in q as
CIO(q) def=
{
c ∈ CIO : q c−→ p for some p ∈ Q
}
.
State q is called terminal iff CIO(q) = ∅.
Definition 2.1.5 (Execution, completeness of executions). LetA be a constraint automaton.
An execution in A is a finite or infinite sequence built of consecutive transitions:
η = q0
c1−−→ q1 c2−−→ . . .
where q0, q1, . . . ∈ Q, c1, c2, . . . ∈ CIO, and qi
ci+1−−−→ qi+1 for all i ≥ 0. An execution is
said to be complete if it is either infinite or it is finite and ends in a quiescent state qn ∈ Q.
The notion of complete executions serves to reason about “maximal” behaviors of constraint
automata, called paths. A path of A is either an infinite execution or arises from a finite
complete execution by adding a special transition symbol
√
to denote termination.
Definition 2.1.6 (Path). Each infinite execution of A is called an infinite path. Finite paths
in A have the form
π = q0
c1−−→ . . . cn−−→ qn
√
−−→ qn
where qn is a quiescent state.
11
2.1. Introduction Chapter 2. Constraint automata
In the sequel, we shall use the symbol η for executions and the symbol π to range over
paths. We write Paths(q) to denote the set of all paths starting in q and Execfin(q) for the
set of all finite executions starting in q. The length |π| of a path π is the total number of
transitions taken in π (including the pseudo-transition with label
√
). Thus, the length of an
infinite path is∞, while the length of a finite path π as in Definition 2.1.6 is n+1.
Let π = q0
c1−−→ q1 c2−−→ . . . be a path and 0 ≤ n < |π|. Then π ↓ n denotes the prefix of
path π with length n. Thus,
π ↓ n def= q0 c1−−→ . . . cn−−→ qn
is an execution. For finite paths of length n, the n-th prefix is defined to be π. In particular,
if n = |π| then π ↓ n = π is a path.
The I/O-stream ios(η) of a finite execution η is the finite word over CIO that is obtained by
taking the projection to the labels of the transitions. Similarly, for finite paths the I/O-stream
is a finite word over CIO√.
Definition 2.1.7 (I/O-stream (IOS)). If η = q0
c1−−→ . . . cn−−→ qn is a finite execution then
ios(η) def= c1 . . . cn ∈ CIO∗. The associated I/O-stream for a finite path
π = q0
c1−−→ . . . cn−−→ qn
√
−−→ qn
is defined by ios(π) def= c1 . . . cn
√ ∈ CIO∗√. The set of all I/O-streams is denoted by
IOS def= CIO∗ ∪ CIO∗√. The associated I/O-stream for an infinite execution or path
π′ = q0
c1−−→ q1 c2−−→ . . . is defined by ios(π′) def= c1c2 . . . ∈ CIOω.
Composition. Constraint automata provide a compositional semantics which is based on
a parallel operator that allows synchronous and asynchronous I/O-activity. We present here
a basic version of the product for arbitrary constraint automata. In the later chapters we
will use a refined version of product that allows the product operator to be applied for
composable constraint automata A1 and A2 only. The formal definition of composability
will be given at the end of this section.
Definition 2.1.8 (Constraint automata product [BSAR06]). The product automaton of two
constraint automata Ai = 〈Qi,Ni,−→i, Q0,i,Qi,AP i, Li〉 for i ∈ {1, 2} is
A1 ./A2 = 〈Q1 ×Q2,N1 ∪N2,−→, Q0,1 ×Q0,2,Q,AP1 ∪AP2, L〉,
where −→ is defined by the following two rules for the asynchronous behavior
q
c−→1 q′ ∧ active(c) ∩N2 = ∅
〈q, p〉 c−→ 〈q′, p〉
p
c−→2 p′ ∧ active(c) ∩N1 = ∅
〈q, p〉 c−→ 〈q, p′〉
(2.1)
12
Chapter 2. Constraint automata 2.1. Introduction
and one synchronization rule
q
c1−−→1 q′ ∧ p c2−−→2 p′ with c1|N1∩N2 = c2|N1∩N2
〈q, p〉 c1⊕c2−−−−−−→ 〈q′, p′〉
(2.2)
where
c|N (A) def=
{
c(A) for all A ∈ N
⊥ else
and c1 ⊕ c2 is the unique concurrent I/O-operation with
active(c1 ⊕ c2) = active(c1) ∪ active(c2) and (c1 ⊕ c2)|Ni = ci.
The set of quiescent states in the product is defined as follows
Q def= Q1 ×Q2 ∪ {〈q, p〉 ∈ Q1 ×Q2 | CIO(〈q, p〉) = ∅}
and the labeling function L of the product automaton is given by
L(〈p, q〉) def= L1(p) ∪ L2(q).
The constraint automaton product operator is commutative and associative.
Example 2.1.9 (Product automaton). On the left of Figure 2.2 the two constraint automata
(without labels) of two FIFO channels with capacity one are depicted. Both automata are
similar to the automaton shown in Example 2.1.3, but now for the singleton data domain
Data = {0}. Here, we assume that the two automata share and synchronize on dataflow
location B. The product of these two automata shown on the right of Figure 2.2 can be
interpreted as a FIFO channel with capacity two.
The concurrent I/O-operations of the product automaton are defined as follows:
cin = [ A→ 0, B → ⊥, C → ⊥ ]
ctrans = [ A→ ⊥, B → 0, C → ⊥ ]
cout = [ A→ ⊥, B → ⊥, C → 0 ]
cboth = [ A→ 0, B → ⊥, C → 0 ]
where cin stands for the concurrent I/O-operation when the data item will be written to the
first FIFO (via port A), ctrans describes the transfer of the data item from the first to the
second FIFO via their shared dataflow location B and cout stands for a read operation from
the second FIFO (via port C). The remaining cboth ∈ CIO stands for the possibility that the
read from the second FIFO and the write to the first FIFO can happen in the same time step.
13
2.1. Introduction Chapter 2. Constraint automata
empty full
empty empty
cout
full
empty
full
full
cin
ctrans
cin
cout
empty full
[A! 0, B ! ?]
[B ! 0, C ! ?]
empty full
[B ! ?, C ! 0]
cboth
[A! ?, B ! 0]
Figure 2.2: Product automaton of two FIFO channels with capacity one and Data = {0}
Hiding. The hide operator for constraint automata provides a means to declare certain
dataflow locations as local and non-observable from outside. This can, e.g., be used to ab-
stract from internal behavior of a component connector or coordinating network or remove
information about the channel-ends.
For the hiding there are two important variants. The first one is the structure-preserving
hide which simply removes all names for dataflow locations N ⊆ N which should be
hidden from the transition labels. The hiding in constraint automata is achieved by applying
a projection c|N\N on all transitions.
Definition 2.1.10 (Structure-preserving hide). Let A = 〈Q,N ,−→, Q0,Q,AP , L〉 be a
constraint automaton. The result of hiding some dataflow locations N ⊆ N from A is the
constraint automaton
A\N = 〈Q,N \N,−→\ , Q0,Q\ ,AP , L〉,
where the transition relation−→\ is given by q
c−→ q′ iff q c|N\N−−−−−→\ q′. The set of quiescent
states Q is defined as
Q\
def
= Q \ {q ∈ Q | there exists some q c−→ q′ with ∅ 6= active(c) ⊆ N}.
Hence, dataflow must not stop in states with newly introduced c∅-transitions.
Note that, for transitions in A of the form q c−→ q′ with active(c) ⊆ N , the structure-
preserving hide will produce transitions of the form q
c∅−−→\ q′, but the structure of the
constraint automaton remains unchanged. Although there are other variants of hiding, the
structure-preserving hide will be the most relevant in the context of this thesis as it preserves
the structure and hence the branching behavior of the underlying constraint automaton.
14
Chapter 2. Constraint automata 2.1. Introduction
Another important variant of hiding, called aggregating hide also uses the projection c|N\N ,
but it removes newly introduced c∅-transitions. Let A = 〈Q,N ,−→, Q0,Q,AP , L〉 be a
constraint automaton. The result of hiding some dataflow locations N ⊆ N from A is the
constraint automaton
A×N = 〈Q,N \N,−→× , Q0,Q× ,AP , L〉,
where the transition relation −→× is given by:
−→×
def
=
⋃
i∈N
R(i),
where the R(i) are defined as follows
R(0)
def
=
{
〈q, c|N\N , p〉 | there exists a transition q c−→ q′
}
and
R(i+1)
def
=
{
〈q, c2, q′〉 | there exists q c1∈CION−−−−−−−−→ p and 〈p, c2, q′〉 ∈ R(i)
}
∪{
〈q, c1, q′〉 | there exists p c2∈CION−−−−−−−−→ q′ and 〈q, c1, p〉 ∈ R(i)
}
.
Here, CION denotes the set of all concurrent I/O-operations c ∈ CIO with active(c) ⊆ N .
The set of quiescent states Q is defined as for the structure-preserving hide:
Q\
def
= Q \ {q ∈ Q | there exists some q c−→ q′ with ∅ 6= active(c) ⊆ N}.
Note that applying the aggregating hide operator may change the branching behavior of the
underlying constraint automaton.
Example 2.1.11 (Hiding variants). Figure 2.3 a) shows the constraint automaton A for a
FIFO channel with capacity two as considered in Example 2.1.9.
c;
empty full
empty empty
cout
full
empty
full
full
cin
ctrans
cin
cout
cboth
empty full
empty empty
cout
full
empty
full
full
cin
cin
cout
cboth
a) before hide b) preserving hide
empty full
empty empty
cout
full
empty
full
full
cincin
cout
cboth
cin
cboth
cboth
cout
cout
cin
c) aggregating hide
Figure 2.3: Hiding variants applied to the constraint automaton from Example 2.1.9
15
2.2. Symbolic representation of constraint automata Chapter 2. Constraint automata
The transition labels are as before:
cin = [ A→ 0, B → ⊥, C → ⊥ ]
ctrans = [ A→ ⊥, B → 0, C → ⊥ ]
cout = [ A→ ⊥, B → ⊥, C → 0 ]
cboth = [ A→ 0, B → ⊥, C → 0 ]
Figure 2.3 b) shows the constraint automaton A\N for the port-set N = {B}. Hence, port
B will be removed from all transitions q c−→ q′ with c(B) 6= ⊥. For the given constraint
automaton A this affects the ctrans transition only.
Figure 2.3 c) depicts the constraint automaton A×N for the same port-set N = {B}. The
newly added transitions q c−→× q′ result from combining “regular transitions” in A (where
c 6= c∅) with c∅-transitions, either of the form q c−→ p
c∅−−→ q′ or q c∅−−→ p c−→ q′ with c 6= c∅.
2.2. Symbolic representation of constraint automata
Sometimes it is advantageous to use a symbolic representation of the transition relation by
combining transitions with the same starting and target state (e.g., in our implementation
of the model checker). For this purpose, we deal with I/O-constraints, i.e., propositional
formulas in positive normal form that stand for sets of concurrent I/O-operations. The
I/O-constraints may impose conditions on the dataflow locations that may or may not be
involved and on the data items written on or read from them.
Definition 2.2.1 (I/O-constraints (IOC)). The abstract syntax of I/O-constraints is given by
the grammar:
ioc ::= tt
∣∣ ff ∣∣ A ∣∣ ¬A ∣∣ (dA1 , . . . , dAk) ∈ D ∣∣ ioc1 ∧ ioc2 ∣∣ ioc1 ∨ ioc2
where A ∈ N , A1, . . . , Ak are pairwise distinct dataflow locations in N and D ⊆ Datak.
The meaning of an I/O-constraint ioc is a subset dioce of CIO defined in the expected way.
We define dtte def= CIO, dffe def= ∅, and for the literals A ∈ N and their negations ¬A:
dAe def=
{
c ∈ CIO : A ∈ active(c)
}
d¬Ae def=
{
c ∈ CIO : A 6∈ active(c)
}
The I/O-constraints (dA1 , . . . , dAk) ∈ D impose conditions for the written and read data
items. That is, d(dA1 , . . . , dAk) ∈ De agrees with the set{
c ∈ CIO : {A1, . . . , Ak} ⊆ active(c) and (c(A1), . . . , c(Ak)) ∈ D
}
.
Conjunction and disjunction have their standard meaning, i.e.,
dioc1 ∧ ioc2e def= dioc1e ∩ dioc2e
dioc1 ∨ ioc2e def= dioc1e ∪ dioc2e
16
Chapter 2. Constraint automata 2.2. Symbolic representation of constraint automata
We often use simplified notations for the IOC of the form (dA1 , . . . , dAk) ∈ D. E.g., the
notation dA = dB is a shorthand for (dA, dB) ∈ {(d1, d2) ∈ Data2 : d1 = d2}, while
A ∧ (dB ∈ D) stands for the set {c ∈ CIO : {A,B} ⊆ active(c) ∧ c(B) ∈ D}. The
notation {A,B} is used as a shorthand for the set {c ∈ CIO : active(c) = {A,B}}. Let
IOC denote the set of IO-constraints.
Definition 2.2.2 (Constraint automata (IOC-syntax)). A constraint automaton in IOC-syntax
is a tuple A = 〈Q,N ,−→, Q0,Q,AP , L〉, where Q is a finite and nonempty set of states,
N a finite set of port names, −→ is a subset of Q × IOC ×Q called the transition relation
of A, Q0 ⊆ Q a nonempty set of initial states, AP a finite set of atomic propositions, and
L : Q→ 2AP a labeling function. We write q g−→ p instead of 〈q, g, p〉 ∈ −→.
Example 2.2.3 (Constraint automata (IOC-syntax)). As an example we revisit the constraint
automaton from Example 2.1.3 and present it using the IOC-syntax (cf. Figure 2.4).
{A}   dA = 0
{A}   dA = 1
{B}   dB = 0
{B}   dB = 1
q0
q1
q2
Figure 2.4: Constraint automaton for a component or connector (IOC-syntax)
The IOC-syntax equates to the original syntax of constraint automata as introduced in
[BSAR06]. The use of this alternative syntax allows a (graphical) representation of con-
straint automata which is more compact and independent from a specific data domain. The
same idea can be applied to states rather than on transition labels. By adding variables to
states we can avoid the explicit enumeration of states for different data values. Figure 2.5
depicts a parameterized version of the constraint automata from Example 2.2.3 in IOC-
syntax.
Here, the state q1〈d〉 is equipped with memory. The variable d ∈ Data is holding the
value of the buffer. Incoming and outgoing transitions of state q1〈d〉 can refer to the actual
value of d whereas the value is irrelevant for other states. This idea allows prototype defini-
tions of components and connectors for arbitrary data domains. Our specification language
CARML, which will be introduced in Subsection 3.2.2, makes use of this feature. E.g.,
FIFO1 channels can be defined to store arbitrary values without knowing the data domain
in advance.
17
2.3. Data types and polarity Chapter 2. Constraint automata
dA = d
dB = d
q0 q1hdi
Figure 2.5: Constraint automaton with memory for a component or connector
The IOC-syntax uses I/O-constraints rather than concurrent I/O-operations for the transition
labels, i.e., the labels are now Boolean conditions on active ports and the dataflow, which
serve as guards. The I/O-constraints can immediately be translated into a symbolic repre-
sentation as it is used in our implementation of the model checker (cf. Section 5.2). For this
thesis we will similarly use both notions when adequate as they are equally expressive.
The basic definition of constraint automata as presented by now lacks some important in-
formation which will be added to the concept of constraint automata in the next section. We
will add the concepts of polarity, as the direction in which data flows plays a crucial role
for the composition in Reo. The second information added to constraint automata are data
types which play an important role for defining the state space of a constraint automaton as
well for specifying the domain for the observable data at dataflow locations.
2.3. Data types and polarity
Data types will play an important role for the syntax and semantics of our modeling lan-
guages RSL and CARML as they support variables, messages and ports that may have
different types. We will now provide the basic terminology for data types and related no-
tions that will be used throughout this thesis. First we will look at the set DT of data types
with a fixed semantics. When using our modeling languages RSL and CARML the set DT
consists of Booleans, finite integer ranges, enumerations, and structured data types such as
arrays and unions. For the concepts introduced throughout this section the precise definition
of the data types in DT is not required.
Data types with fixed semantics. Let DT denote a set of data types covering standard data
types, such as Booleans or finite integer ranges, or user-defined data types with a fixed se-
mantics, such as arrays and unions over elements of a predefined data type or enumeration
types. Let Op denote a set of operators on the data types in DT such as conjunction, dis-
junction, negation for Booleans and arithmetic operations like addition and multiplication
for integers. Furthermore, Pred denotes a set of predicates, such as the standard binary
comparison predicates =, <, ≤, and so on.
Formally, the elements of DT are fixed finite non-empty sets and each operator op ∈ Op is
a function
op : T1 × . . .× Tk → T
where (T1, . . . , Tk, T ) ∈ DTk+1 and k ∈ N. The tuple 〈T1, . . . , Tk, T 〉 is called the type of
18
Chapter 2. Constraint automata 2.3. Data types and polarity
op, denoted type(op). Each predicate pr ∈ Pred is a subset of T1 × . . .× Tk where k ≥ 1
and T1, . . . , Tk ∈ DT. We write type(pr) for the tuple 〈T1, . . . , Tk〉.
Definition 2.3.1 (Signature). A signature is a tuple Sig = 〈DT,Op,Pred,Var〉 where
DT ⊆ DT, Op ⊆ Op, Pred ⊆ Pred and Var is a set of typed variables, i.e., for each
variable V ∈ Var its type, which is denoted by type(V ), is an element of DT.
Terms and atomic propositions. Terms over Sig are built by variables, constants, and
operator symbols in a type-consistent manner. Formally, terms over Sig are defined recur-
sively according to the following statements:
(1) Each variable V ∈ Var is a term of type type(V ) and each constant op ∈ Op (i.e.,
0-ary operator in Op) is a term of type type(op).
(2) If t1, . . . , tk are terms such that the type of ti is Ti and op ∈ Op with type(op) =
(T1, . . . , Tk, T ) then op(t1, . . . , tk) is a term of type T .
Atomic propositions over Sig are type-consistent expressions stating that a certain tuple of
terms is an element of a predicate in Pred.
Formally, if pr ∈ Pred with type(pr) = (T1, . . . , Tk) and t1, . . . , tk are terms over Sig
such that ti is of type Ti then pr(t1, . . . , tk) is called an atomic proposition over Sig.
Interpretations of signatures. For the semantics of terms and atomic propositions over a
signature, we have to consider an interpretation I that provides type-consistent meanings
for the uninterpreted data types T ∈ DT \ DT, operator symbols op ∈ Op \ Op, predicate
symbols pr ∈ Pred \ Pred, and the variables V ∈ Var. That is, I assigns a finite set
T I 6= ∅ to each data type symbol T , an element of V I ∈ T I to each variable of type T , a
function opI : T I1 × . . . × T Ik → T I to each operator symbol op of type (T1, . . . , Tk, T )
and a predicate prI ⊆ T I1 × . . .× T Ik to each predicate symbol pr of type (T1, . . . , Tk).
We treat I as an interpretation for all symbols of Sig by putting SI = S for all predefined
symbols S ∈ DT ∪ Op ∪ Pred. The semantics tI ∈ T I of a term of type T and the truth
value pr(t1, . . . , tk)I ∈ {true, false} for an interpretation I and an atomic proposition
pr(t1, . . . , tk) are defined in the obvious way.
Apart from the type information, we require to add information about the polarity of the
dataflow locations, i.e., whether the dataflow locations serve for input or output. For this,
we will add the setsN src andN snk which are disjoint subsets ofN . Intuitively,N src stands
for the set of input ports (so called sources) and N snk for the set of output ports (called
sinks). With the help of dataflow vocabulary we may add type and polarity information to
the concept of constraint automata.
19
2.3. Data types and polarity Chapter 2. Constraint automata
Definition 2.3.2 (Dataflow vocabulary). A dataflow vocabulary over a signature Sig is a
tuple Voc = 〈N ,N src,N snk, λ〉 where N src ∪ N snk ⊆ N is a set of dataflow locations
containing all source and sink locations such that N src ∩ N snk = ∅ and λ : N → DT is
a function that assigns to each dataflow location A its message-type λ(A), i.e., the type of
data items that can be passed via dataflow location A.
Definition 2.3.3 (Extended constraint automaton). An extended constraint automaton is
a tuple 〈A,Voc〉 where A = 〈Q,N ,−→, Q0,Q,AP , L〉 is a constraint automaton and
Voc = 〈N ,N src,N snk, λ〉 its associated dataflow vocabulary. Then, adding type informa-
tion to ports of A imposes some obvious side conditions on the possible transitions. That
is, any concurrent I/O-operation c that appears in a transition q c−→ q′ maps some A ∈ N to
an element of its type λ(A), i.e.,
if c(A) = d 6= ⊥ then d ∈ λ(A) for all A ∈ N .
A concurrent I/O-operation c ∈ CIO is called type-safe with respect to Voc if it satisfies
the above condition. For an extended constraint automaton 〈A,Voc〉 where A is specified
in IOC-syntax this means that for a given transition q
g−→ q′ in A we allow only type-safe
concurrent IO-operations to fire when reasoning about runs in A, i.e., q c−→ q′ if c ∈ dge
and c is type-safe.
Definition 2.3.4 (Composability). Let 〈Ai,Voci〉, i ∈ {1, 2} be two extended constraint
automata with constraint automata Ai = 〈Qi,Ni,−→i, Q0,i,Qi,AP i, Li〉 and associated
dataflow vocabularies Voci = 〈Ni,N srci ,N snki , λi〉. The two extended constraint automata
〈A1,Voc1〉 and 〈A2,Voc2〉 are called composable if the following conditions hold for all
dataflow locations A ∈ N1 ∩N2:
i) AP1 ∩AP2 = ∅
ii) A ∈ N src1 ∩N snk2 or A ∈ N src2 ∩N snk1
iii) λ1(A) = λ2(A)
Please note, that here we require strict type consistency in the third condition to simplify
the presentation throughout the next chapters. In the implementation that is presented in
Chapter 5 we support some implicit casts for simple data types.
20
Chapter 2. Constraint automata 2.3. Data types and polarity
Definition 2.3.5 (Extended product). Let 〈Ai,Voci〉, i ∈ {1, 2} be two composable ex-
tended constraint automata as in Definition 2.3.4. The extended product automaton is de-
fined as 〈A1 ./A2,Voc〉, where Voc = 〈N ,N src,N snk, λ〉 is the associated dataflow vo-
cabulary with
N def= N1 ∪N2,
N src def= (N src1 ∪N src2 ) \ (N1 ∩N2),
N snk def= (N snk1 ∪N snk2 ) \ (N1 ∩N2), and
λ(A)
def
=
{
λ1(A) if A ∈ N \ N2
λ2(A) else
In the next chapter we will look at the modeling formalism and languages used throughout
this thesis. To keep notations simple we will identify extended constraint automata 〈A,Voc〉
with A whenever possible. Furthermore, we assume that 〈A1,Voc1〉 and 〈A2,Voc2〉 are
composable (with respect to Definition 2.3.4) whenever applying the constraint automata
product to A1 and A2.
21
22
3 Modeling formalism and languages
Reo [Arb04] is a declarative modeling language for specifying the glue code for coordi-
nating components from outside. In this exogenous approach, the components do not need
to be aware of the presence of each other. The components communicate by sending and
receiving their data via a network of channels.
The Reo scripting language (RSL) [BBKK09a, BKK12] is inspired by Reo and yields an
elegant declarative framework for the compositional construction of connectors by creating
instances of components and channels and then glueing their channels-ends, the I/O-ports
of components, or sub-connectors together. This is done via join operations, resulting in a
network called Reo circuit. RSL mainly serves as a specification language for Reo compo-
nent connectors and networks. The formal semantics of RSL is (and Reo itself) based on
constraint automata [BBKK09a], which can be constructed in a compositional way by pro-
viding constraint automata models for each channel and component and mimicking Reo’s
operators by corresponding operators for constraint automata [BSAR06].
The interface behavior of components, channels, and connectors instantiated and composed
by RSL scripts can be specified within our second modeling language CARML (constraint
automata reactive module language). CARML uses features of reactive modules [AH99]
and together with RSL the two languages form a hybrid modeling approach. As the two
languages are based on the same operational semantic model, this hybrid modeling approach
allows to either specify the interface behavior of any entity of a component-based system
by providing a CARML module or by providing an RSL script composing the entity from
smaller building blocks.
Organization. Section 3.1 summarizes the syntax, semantics and main concepts of the
coordination language Reo as introduced in [Arb04]. Section 3.2 we will introduce syntax
and semantics of our modeling languages RSL and CARML.
The work presented in the latter section has partially been published in [BBKK09a, BKK12].
3.1. The coordination language Reo
In this section we give a brief introduction the channel-based coordination language Reo
as introduced in [Arb04]. The primitives in Reo are channels. A Reo channel consists of
exactly two channel-ends which are either declared to be source-end if they permit writing
of data or sink-end if they allow the reading of data.
23
3.1. The coordination language Reo Chapter 3. Modeling formalism and languages
Primitives. Reo suggests a set of basic channels. This set can be extended with user-
defined channels by providing a behavioral description for each channel. The graphical
representation for the set of basic channels that is used throughout this thesis is shown in
Figure 3.1.
P
Sync FIFO1 LossySync
SyncDrain ASyncDrain LossyFIFO1
SyncSpout ASyncSpout FilterhP i
synchronous asynchronous
channels channels
Figure 3.1: Basic set of Reo channels
Channels working in a completely synchronous manner, i.e., both channel-ends are always
active at the same time, are called synchronous channels. Channels working in a complete
asynchronous fashion are called asynchronous channels. The behavior of channels may de-
pend on any combination of their current configuration, the available data to be transmitted,
on a (purely) nondeterministic choice and the context in which they are deployed.
The intuitive behavior of the primitive channels depicted in Figure 3.1 is as follows. The
synchronous channel (Sync) accepts data at its source-end and simultaneously writes it to
the sink-end. Another very useful channel for the design of complex coordination principles
in Reo is the synchronous drain channel (SyncDrain). It has two source-ends (but no sink-
end). A data item has to be written on both ends simultaneously and both get destroyed. A
synchronous spout (SyncSpout) produces unspecified data and writes it simultaneously on
both of its sink-ends. The SyncDrain and the SyncSpout can be used to synchronize read
and write operations respectively. The asynchronous drain (ASyncDrain) and asynchronous
spout (ASyncSpout) act as their synchronous counterparts, except that their channel-ends
fire mutually exclusive rather than simultaneously. The FIFO channel (FIFO1) is also an
asynchronous channel, but in contrast to the previous channels it has memory. The FIFO1
has a buffer cell where the buffer is initially empty. Writing a data item at the source-end
is enabled as long as the buffer is empty. The effect of writing a data item d ∈ Data is that
d will be stored in the buffer. Reading data at the sink-end is enabled if the buffer is filled,
in which case the data item is taken off the channel. The third column of Figure 3.1 depicts
24
Chapter 3. Modeling formalism and languages 3.1. The coordination language Reo
some channels that are neither synchronous nor asynchronous. The first one is a nonde-
terministic lossy synchronous channel (LossySync) which acts as the Sync, but it may also
loose the data. In the original work of [Arb04] a lossy synchronous channel was proposed
that loses the data if and only if there is no reader at the sink-end ready to take the data.
Throughout this thesis we will use a nondeterministic variant of this channel as it is suffi-
cient in the context where it will be applied. The lossy FIFO channel (LossyFIFO1) is a
lossy variant of the FIFO1. The losing of data depends on the configuration of the buffer. A
write on the source-end will succeed in any case and the data will be lost if and only if the
buffer is full. The P -filter channel (Filter〈P 〉) with filter condition P ⊆ Data is a variant of
the LossySync. In this case losing depends on the data value written on the source-end of a
filter. The data values d ∈ P can pass whereas a d′ ∈ Data \ P will be lost.
Remark 3.1.1. As Reo channels are intended to work with any type of data, we assume here
that Data is a data type that serves as a placeholder for any data that may flow through a Reo
network. Before building a concrete Reo network concrete decisions for the message-types
of all ports have to be made.
Reo semantics. Several alternative semantics have been proposed for Reo. Some impor-
tant candidates are enumerated below.
1. The basic semantic model is that of timed-data streams (TDS) [AR02]. This coalge-
braic model of a stream calculus formally describes the timed dataflow through chan-
nels and connectors as sequences of discrete events. The TDS semantics captures
best the linear-time behavior and is too abstract for branching-time model checking.
2. The connector coloring (CC) [CCA07, Cos10] describes the behavior of a Reo net-
work in terms of the detailed dataflow behavior of all its constituent channels and
nodes. The semantics of a Reo network is the set of all of its dataflow alternatives
in each static configuration. Each such alternative is a consistent composition of the
dataflow alternatives of each of its constituent channels and nodes, expressed in terms
of two colors that represent the basic flow and no-flow alternatives. A more sophisti-
cated model using three colors is necessary to capture the context sensitive behavior
of primitives such as the LossySync channel. The CC semantics captures the possible
interactions for individual configurations rather then the operational behavior [JA11].
3. In [CPLA11] the view changed from a graphical representation of Reo channels,
whose overall behavior is sometimes difficult to grasp, to constraint based perspec-
tive. This constraint-based semantics (CBS) of Reo is expressed in terms of behav-
ioral constraints imposed by the primitive channels which are propagated by the com-
position. As the CC semantics does, the CBS semantics captures the possible inter-
actions for each individual configurations rather then the operational behavior.
25
3.1. The coordination language Reo Chapter 3. Modeling formalism and languages
4. An alternative semantics is based on constraint automata (CA) [BSAR06], which
is consistent with the TDS semantics. Constraint automata are variants of labeled
transition systems where the labels of the transitions represent the (possibly data-
dependent) I/O-operations of the components and the network. The intuitive mean-
ing of constraint automaton as an operational model for Reo connectors is similar to
the interpretation of labeled transition systems as formal models for reactive systems.
A Constraint automaton contains a set of port names, which holds the names of the
dataflow locations. The states represent the configurations of the connector, the tran-
sitions the possible one-step behavior. For details on the relationship of constraint
automata and the connector coloring semantics as well as their expressiveness we
refer to [JA11].
Throughout this thesis we will apply the constraint automata semantics, as a semantics
based on automata serve well for temporal logic model checking of branching-time and
alternating-time properties. Constraint automata capture the operational behavior of Reo.
At the same time we will use constraint automata as semantics for the connected compo-
nents to describe their stepwise I/O-behavior. Thus, constraint automata serve as a com-
mon formal semantics for the components, Reo channels, and consequently for component
connectors and the composite system. Moreover, constraint automata preserve the compo-
sitional nature of Reo, as constraint automata provide an product operator equivalent to the
Reo join, which is used for composition.
Remark 3.1.2 (Finiteness). For the concepts illustrated in this section our assumption of a
finite state space for constraint automata is not relevant. Indeed, we could provide constraint
automata with infinite state space, e.g., to model the behavior of a FIFO channel with infinite
capacity. Only in later chapters on model checking the assumption that the state space of a
constraint automaton is finite will be crucial.
We will now provide the operational behavior for each of these channels in terms of ex-
tended constraint automata specifications 〈A,Voc〉. Figure 3.2 shows the extended con-
straint automata for the Reo primitive channels.
Remark 3.1.3. We will still ignore the message-type information for the I/O-ports of the
constraint automata in the first place and assume that λ(A) = Data for all A ∈ N . Hence,
for their definition we will use the data type Data as a placeholder, and the effect is that
we can provide definitions for Reo channels that are able to deal with any kind of data.
This way the constraint automata for the individual parts of a Reo network are composable
(cf. Definition 2.3.4). The message-type of I/O-ports has to be declared when building
a constraint automaton for a concrete channel, as the message-type may affect the state
space Q (e.g., for a FIFO1) and also the transition relation −→ (e.g., in case of a Filter
channel). In what follows we assume that the message-type of the ports is resolved in a
way such that the constraint automata for the individual parts of a Reo network are still
composable.
26
Chapter 3. Modeling formalism and languages 3.1. The coordination language Reo
FIFO1 : N src = {A}, N snk = {B}
dA = d
dB = d
LossyFIFO1 : N src = {A}, N snk = {B}
empty fullhdi
dA = d
dB = d
empty fullhdi
{A}
Sync : N src = {A}, N snk = {B} LossySync : N src = {A}, N snk = {B}
SyncDrain : N src = {A, B}, N snk = ; ASyncDrain : N src = {A, B}, N snk = ;
SyncSpout : N src = ;, N snk = {A, B} ASyncSpout : N src = ;, N snk = {A, B}
FilterhP i : N src = {A}, N snk = {B}
dA = dB
dA = dB ^ dA 2 P{A} ^ dA 62 P
dA = dB{A}
dA = dB
dA = dB
{A} {B}
{A} {B}
L(empty) = {empty}
L(fullhdi) = {full, containsd}
L(empty) = {empty}
L(fullhdi) = {full, containsd}
Figure 3.2: Constraint automata for Reo channels
27
3.1. The coordination language Reo Chapter 3. Modeling formalism and languages
One can see that some of the channels are based on the same structure, i.e., they have
the same constraint automaton and differ on the associated dataflow vocabulary Voc =
〈N ,N src,N snk, λ〉 only. Here, the dataflow vocabulary (cf. Definition 2.3.2) provides the
polarity attribute (either sink or source) for each channel-end. Hence, a Sync channel can be
distinguished from a SyncDrain and a SyncSpout by the associated dataflow vocabularies.
In Figure 3.2 the two variants of the FIFO1 their “full” states are equipped with a vari-
able d ∈ Data holding the value of the buffer. Incoming and outgoing transitions of state
“full” can refer to the actual value of d whereas the value is irrelevant for other states. For
all channels except for the two FIFO1 channels the set of atomic propositions AP is irrel-
evant as the state spaces of their underlying constraint automata are singleton sets. For the
FIFO1 channels we provide the set AP def= {empty,full} ∪ {containsd | d ∈ Data} with the
illustrated labeling function.
For the quiescence of the constraint automata, we assume that all states are quiescent states
(i.e., Q = Q) in all constraint automata for the selected Reo channels. Hence, dataflow can
potentially stop at any time in execution.
From the set of individual channels a network can be composed. The composition of Reo
channels makes use of Reo nodes and the compositional semantics is based on the product
operator for constraint automata. Please note, that only sink ports will be joint with source
ports (of the same message-type), and thus the constraint automata for channels, Reo nodes,
and components are composable in the sense of Definition 2.3.4. We will now look at the
composition in more detail.
Composition. A Reo node is a nonempty set of dataflow locations, i.e. channel-ends and
I/O-ports of components which is either source, sink or mixed, which are classified into
source, sink and mixed nodes. Depending on whether all channel-ends that coincide on a
node N are source-ends (then N is a source node), sink-ends (then N is a sink node), or a
mixture of sink and source-ends (thenN is a mixed node). The mixed nodes serve as routers
where data items are transmitted through the network. The join operator of Reo takes a set
of channel-ends and creates a Reo node. Figure 3.3 illustrated the different types of Reo
nodes to be generated.
Figure 3.3: Reo nodes: a) sink node, b) source node, and c) mixed Reo node
28
Chapter 3. Modeling formalism and languages 3.1. The coordination language Reo
The operational semantics of Reo nodes is also based on constraint automata. In general we
may support any behavior inside a Reo node as long as we do provide a constraint automaton
describing its behavior. Hence, any Reo nodeN could be replaced by a componentCN with
an appropriate number of input and output ports (cf. Figure 3.4) having the same routing
behavior as the Reo node. The component CN plays now the role of the Reo node.
N
CN
Figure 3.4: Replacement of a Reo node N by a component CN
Throughout this thesis, we use two variants of nodes, the standard Reo nodes and Reo route
nodes. In what follows we will look at these two variants in more detail and assume that the
set of source-ends associated with the Reo node N is given by N src = {A1, . . . , Ak} and
the sink-ends by N snk = {B1, . . . , B`}. The port-set N of the constraint automaton for a
Reo node N is then given by
N def= N src ∪N snk ∪ {N}
as we add a fresh name N to the port-set.
The standard Reo node (depicted as ) has a merge-and-replicate-semantics, where simul-
taneously a datum is taken from one of the sink-ends (chosen nondeterministically) and a
copy of that datum is sent to all source-ends. Figure 3.5 shows the behavior of a standard
Reo node N in terms of constraint automata.
dN = dA1 = dB1 = . . . = dB`
dN = dAk = dB1 = . . . = dB 
...
Figure 3.5: Constraint automata for a standard Reo node N
The Reo route node (depicted as ) has a merge-and-route-semantics, as a datum is si-
multaneously taken from one of the sink-ends and forwarded to exactly one of the of the
source-ends. The choice of the two ends is completely nondeterministic. Figure 3.6 depicts
the constraint automaton of a Reo route node N .
It is worth mentioning that for these two types for Reo nodes the polarity of the channel-
ends, i.e., whether the channel-ends are source or sink-ends, is important, as source and
sink-ends are being treated differently.
29
3.1. The coordination language Reo Chapter 3. Modeling formalism and languages
. . .
dN = dA1 = dB1
dN = dAk = dB  dN = dA2 = dB1
Figure 3.6: Constraint automata for a Reo route node N
The compositional semantics of Reo is based on the product operator ( ./ ) of constraint
automata. When composing a network of channels the compositional behavior arises from
applying the constraint automaton product operator to the constraint automata for the chan-
nels, and the Reo nodes, and the connected components.
Example 3.1.4 (Composition of two FIFO1 channels). We start with two FIFO1 channels
as depicted in Figure 3.7. The result of joining B1 with B2 will be a new standard Reo
node B. The overall result of the composition will be a FIFO channel with capacity two.
A
B
C
A
B1
C
B2
B := join(B1, B2)
Figure 3.7: Reo join for two FIFO channels
The behavior of the FIFO channel with capacity two arises from building the product au-
tomaton of the automata A1 (with port-set N1 = {A,B1}, where A ∈ N src1 and B1 ∈
N snk1 ) and A2 (with port-set N2 = {B2, C} where B2 ∈ N src1 and C ∈ N snk1 ) for
the channels and the automaton AB for newly created Reo node B. The latter has port-
set NB = {B1, B2, B} where B1 ∈ N src and B2 ∈ N snk. For the composition we will
have to fix the message-type of all I/O-ports (instead of using Data as a placeholder for
all message-types). To simplify the presentation we choose λ(A′) = T = {0} for all
A′ ∈ N1 ∪ N2 ∪ NB . On the left of Figure 3.8 the three automata are shown. The product
automaton A = A1 ./A2 ./AB with port-set N = N1 ∪N2 ∪NB is depicted on the right
of Figure 3.8.
30
Chapter 3. Modeling formalism and languages 3.1. The coordination language Reo
empty full
empty empty
cout
full
empty
full
full
cin
ctrans
cin
cout
cboth
empty full
[A! 0, B1 ! ?]
[B2 ! 0, C ! ?]
empty full
[B2 ! ?, C ! 0]
[A! ?, B1 ! 0]
[B ! 0, B1 ! 0, B2 ! 0]
A1
A2
AB A = A1 ./ A2 ./ AB
Figure 3.8: Automata for two FIFO1 channels, the standard Reo node and their product
The concurrent I/O-operations of the product automaton are as follows:
cin = [ A→ 0, B → ⊥, B1 → ⊥, B2 → ⊥, C → ⊥ ]
ctrans = [ A→ ⊥, B → 0, B1 → 0, B2 → 0, C → ⊥ ]
cout = [ A→ ⊥, B → ⊥, B1 → ⊥, B2 → ⊥, C → 0 ]
cboth = [ A→ 0, B → ⊥, B1 → ⊥, B2 → ⊥, C → 0 ]
The product automaton A agrees with the automaton presented in Example 2.1.9 except
that we identified B1 and B2 with B.
A Reo component connector consists of a nonempty set of Reo channels and a set of Reo
nodes. The I/O-ports form the interface of the connector, where other components may
connect to. When components are connected, channel-ends and I/O-ports of components are
joined in a Reo node. The degree of a connector is the number of I/O-ports. Reo’s primitive
channels are the most simple form of Reo connector. Connectors can have memory which
is formed by buffer cells, e.g., FIFO1 channels. The buffer cells can either be empty or full.
In connectors without memory data items may either be produced, pass through or get lost
within the connector.
Example 3.1.5 (Reo component connector). Figure 3.9 depicts a simple Reo component
connector, which accepts data items at its interface port A1 and forwards the data to either
port B1 or B2.
31
3.1. The coordination language Reo Chapter 3. Modeling formalism and languages
{1}
{0}
A1
B1
B2
Figure 3.9: Reo component connector for data-dependent routing
The data items are stored and then routed according to their value with the help of the two
filter channels. Hence, all data with value 0 will be routed to port B1 and data with value 1
will be routed to B2. All other data items will be lost. Here we make the assumption that
λ(A) = TA ⊆ {0, 1} for all dataflow locations A. From now on we will call this connector
a data-dependent router.
Example 3.1.6 (Reo component connector). Components can be connected with the help
of connectors to form a Reo network. A Reo network consists of a set of components, Reo
connectors, and Reo nodes. We assume that at most one component will be connected per
I/O-port of a connector.
Writer
Reader1
Reader2
{1}
{0}
Figure 3.10: A writer and two readers connected by a data-dependent router
In the Reo network shown in Figure 3.10 the Reader1 component will receive all data with
value 0 sent by the Writer component whereas the Reader2 component receives the ones
with value 1. The specification for the readers and the writer can be provided in terms of
constraint automata as well.
32
Chapter 3. Modeling formalism and languages 3.1. The coordination language Reo
What can be seen in this example is, that the connector depicted in Figure 3.9 with its
interface ports A1, B1, and B2 forms a simple coordination pattern (or connector) which
can be applied in various situations, e.g. to distribute data (or job messages) among readers
(or workers, respectively).
Hiding. Another important Reo operator realizes the concept of hiding. The intuitive idea
of hide is to hide the internal details at the end of the composition phase. Hidden Reo nodes
or channel-ends must not be accessed for further composition. In general the mixed nodes
of a Reo network will be hidden such that only the behavior at the interface ports of a con-
nector remains visible at the end of the composition. The semantics of hide is based on the
structure-preserving hide operator for constraint automata (cf. Definition 2.1.10).
Example 3.1.7 (Reo hide operator). As an example we revise the data-dependent router
presented in Example 3.1.5 (cf. Figure 3.9). LetA be the constraint automaton representing
the behavior of the Reo component connector. AsA arises from building the product of the
constraint automata for the FIFO1, the two Filter, the two Sync, and the Reo nodes, the
constraint automaton A contains all internal details of the Reo component connector. Its
port-set N contains names for all dataflow locations, i.e., all channel-ends and Reo nodes.
As we are interested in the I/O-behavior of the component connector at its interface ports
A1,B1, andB2 we will apply the structure-preserving hide operator for constraint automata
with the set N = N \ {A1, B1, B2}. The constraint automaton A\N for Data = {0, 1} is
depicted in Figure 3.11.
{A1}   dA1 = 0
{A1}   dA1 = 1
{B1}   dB1 = 0
{B2}   dB2 = 1
Figure 3.11: Constraint automaton (after hiding the internals) for a data-dependent router
Other Reo operators. There are more operations offered by Reo like the split which may
abolish the effect of previous join operations. For this thesis we will not consider these op-
erators as any static network structure which can be constructed by the complete list of Reo
operations can also be obtained by a sequence of instantiations, join, and hide operations.
33
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
For specifying dynamic changes in the network topology at runtime Reo supports other op-
erators. As in general those operators lead to infinite state automaton representations we
will restrict ourselves to dynamic changes of network structures which can we represented
by enumerating a finite set of network structures having the same interface. Thus we omit
explanations of additional Reo operations.
3.2. The modeling languages RSL and CARML
In this sections we introduce the two new modeling languages CARML and RSL that are
part of the contribution of this thesis. CARML and RSL yield the basis for our hybrid
modeling approach based on Reo and constraint automata.
The scripting language (RSL) is an input language of our verification tool set Vereofy (cf.
Section 5.1). RSL provides a convenient way for specifying (dynamically changing) Reo
networks. It mainly serves for the specification of the system structure by creating and
composing instances of components and connectors. The components and connectors are
treated in the exact same way. In what follows, the notion module will be used as an um-
brella term for components, component connectors (and channels). Beyond instantiation of
modules and support of Reo’s join operator RSL includes the standard features of impera-
tive languages such as variables, arrays, conditional branching, and loops.
The behavior of modules can be defined in terms of RSL sub-scripts refining a module
description into smaller concepts or by providing a constraint automaton definition. For
the latter, our verification tool set Vereofy provides a guarded command language CARML
which mainly serves to specify the I/O-ports of components (or connectors) and their step-
wise “observable” behavior. For this section it is important to recognize that the behavioral
description for any CARML moduleM together with an interpretation I for uninterpreted
symbols (e.g., for data types, operators, etc.) will be provided in terms of a constraint
automaton AM,I . A detailed description of CARML will be given in Subsection 3.2.2.
As both, RSL scripts and CARML code, can be used to specify the interface behavior of a
module, they do serve as a (parameterized) prototype descriptor for modules. E.g., a FIFO
channel with capacity k can be specified in terms of a parameterized RSL script that com-
poses k instances of a FIFO1 with capacity one, or by providing a parameterized CARML
module implementing the FIFO behavior with the help of an array data structure of size k.
Here, k serves a parameter for the capacity of the FIFO. This hybrid modeling approach
with CARML and RSL allows nesting of the two specification languages, supports com-
positional and hierarchical design, modular verification and reusability of components and
component connectors.
The behavioral descriptions for Reo’s primitive channels are part of the predefined built-in
library of Vereofy which also contains some other very helpful components and connectors
for typical coordination tasks. User-defined modules can be collected in libraries as well.
34
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
3.2.1. Reo scripting language (RSL)
We will now look at the syntax and formal semantics of RSL in detail.
RSL program. On the top-level an RSL program is used to specify the structure and the
behavior of a system. An RSL program consists of the following four parts:
(1) a declaration part of an RSL program contains the declarations of global variables
and the definition of user-defined data types (like enumerations, arrays and unions
over predefined or previously user-defined data types) as well as constants, operators
of arity ≥ 1 and predicates,
(2) a list of include-instructions to access modules from a library,
(3) a list of the CARML modules and RSL scripts that might be instantiated in the main
system, and optionally
(4) an instantiation of an RSL script (or CARML module) that serves as the main system.
When omitting (4), an non-parameterized module called “main” is required to be contained
in (3).
Vereofy supports various data types for messages sent through the network (i.e., as data
domain), including finite integer ranges, enumerations and structured data types such as
structs and arrays. The ability to use these data types for the local variables of a CARML
module yields a convenient way of modeling complex behavior subject to guard conditions
on local states and messages.
Uninterpreted data types and signatures. Beside data types with fixed semantics, our lan-
guages also allow for uninterpreted symbols for data types, operators and predicates. These
can be used as parameters for RSL and CARML specifications which then serve as tem-
plates for components or connectors. In other words, the declarations in (3) of CARML
modules and RSL scripts may contain template parameters including the user-defined data
types, operators (or constants), predicates as declared in (1), and values of some variables.
We assume that all the relevant definitions are given in (1) and the value for the parameters
will be provided on instantiation. Hence, all dependencies can be resolved before instantia-
tion.
Let Sig = 〈DT,Op,Pred,Var〉 be a signature that consists of predefined and uninter-
preted symbols. Sig yields the basis for terms and atomic propositions that can be used in
the instructions of CARML or RSL code. The uninterpreted symbols for data type operators
and predicates are then given by the elements of
Θ = DT \ DT, Ω = Op \ Op and Π = Pred \ Pred,
35
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
respectively. The data type symbols T ∈ Θ can be seen as placeholders for sets (data types).
The operator symbols op ∈ Ω and predicate symbols pr ∈ Π are associated with a type.
Recall that the type of an operator symbol op ∈ Ω is a tuple type(op) = (T1, . . . , Tk, T ) ∈
DTk+1 for some k ∈ N. It declares that op takes as arguments k elements v1, . . . , vk
where vi is of type Ti and returns an element of type T . That is, op stands for a function
op : T1 × . . .× Tk → T . The number k is called the arity of op.
Similarly, the type of a predicate symbol pr ∈ Π is a tuple type(pr) = (T1, . . . , Tk) ∈ DTk
for some k ≥ 1, denoting that pr has to be interpreted by a predicate consisting of tuples
(v1, . . . , vk) where vi is an element of data type Ti.
RSL scripts for networks with static topology. As mentioned in the previous section we
will provide limited support for dynamically changing network structures. First we will
explain the static fragment of RSL before giving a brief overview on how to specify dy-
namic connectors in RSL. The schema for the RSL script of a Reo circuit without dynamic
reconfiguration is shown in Figure 3.12. The shorthand notation
“type : Θ, op : Ω, pred : Π”
refers to a list where all uninterpreted symbols S ∈ Θ ∪ Ω ∪ Π are encountered together
with the corresponding keyword type, op or pred and their types in case of the operator and
predicate symbols. Similarly, the notation “var : Υ” stands short for an enumeration of all
variables in Υ together with the keyword var and their types. All variables in Υ are passed
according to the concept “call-by-value”.
CIRCUIT C〈type : Θ, op : Ω, pred : Π, var : Υ〉{
stmt; // stepwise construction of a Reo circuit
interface decl // declaration of the interface ports of the Reo circuit
}
Figure 3.12: Schema of an RSL circuit
The body of an RSL circuit consists of a statement that describes the stepwise construction
of a Reo circuit and an interface declaration where the exported I/O-ports are specified.
Statements. The statement in the body of an RSL circuit is build by basic operations and
control flow instructions (sequential composition, conditional branching and for-loops).
The abstract syntax for statements is given by the grammar
stmt ::= instantiation
∣∣ Reo operation ∣∣ assignment ∣∣ stmt ; stmt ∣∣
if (bexpr) {stmt} else {stmt}
∣∣ for (i = j, . . . , k) {stmt}
36
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
Instantiation. The instantiation of a module is performed via instructions of the form
new module template〈Θ′,Ω′,Π′,Υ′〉(A1, . . . , Ar;B1, . . . , Bs)
where Θ′,Ω′,Π′,Υ′ are lists of data types, operators, predicates and variables or constants
that provide meanings for the parameters in the CARML or RSL code for the module tem-
plate. The elements of Θ′,Ω′,Π′,Υ′ have to be contained in the signature of C (cf. Defini-
tion 2.3.1) which is given by SigC = 〈DT,Op,Pred,VarC〉 where
DT = DT ∪Θ, Op = Op ∪ Ω, Pred = Pred ∪Π
and VarC = Υ and the following obvious side-constraints.
1. If type : Θ stands for type : T1, . . . , type : Tn then Θ′ must be a list U1, . . . , Un
consisting of n elements of elements in DT.
2. If op : Ω encounters m operator symbols then Ω′ must be a list of m elements in Op,
and if the i-th element in op : Ω is op : (Ti1 , . . . , Tik , Tj) f then the i-th element of
Ω′ has to be an element f ′ ∈ Op of the type (Ui1 , . . . , Uik , Uj).
Analogous conditions are required for Π′ and Υ′.
Optionally, the list of meanings for the uninterpreted symbols in the template for some mod-
uleM is followed by a list (A1, . . . , Ar;B1, . . . , Bs) of names for the source and sink ports
ofM. Thus, Ai will serve as the name for the i-th source port of the generated instance of
the module, andBj as the name for the j-th sink port of that instance. The namesAi andBj
have to be pairwise distinct. They can be fresh names or can represent an existing location,
in which case consistency of the message-types is required. IfAi is an already existing loca-
tion then the message-types of Ai and the i-th source port ofM must agree, and from now
on location Ai is joined with the i-th source port of the created instance ofM. Hence, this
implicit join creates a new standard Reo node with merge-and-replicate-semantics. Analo-
gous conditions are required forB1, . . . , Bs and the sink ports of the created instance ofM.
The second type of instantiation is the explicit creation of a Reo node. The effect of an
instantiation of a standard Reo node via the instruction
NODE〈type : T 〉 N
is the creation of a fresh Reo node N without any channel-end or I/O-port associated. The
message-type of N is T ∈ DT which indicates that only data items of type T can flow
through N . Analogously a Reo route node of type T ∈ DT can be created by the statement
ROUTE NODE〈type : T 〉 N.
Reo operations. RSL supports Reo’s main operations for the composition of complex cir-
cuits. The join operation join(N1, . . . , Nn) in RSL takes a list N1, . . . , Nn of at least two
I/O-ports or Reo nodes of the same message-type T ∈ DT as arguments. Additionally we
37
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
require that all Reo nodes Ni ∈ {N1, . . . , Nn} have the same routing behavior, i.e., either
all Reo nodes are Reo route nodes or Reo standard nodes.
The join creates a new Reo node N of message-type T where all I/O-ports and channel-
ends of N1, . . . , Nn are combined. If all Ni ∈ {N1, . . . , Nn} are channel-ends rather than
Reo nodes the created Reo node will have merge-and-replicate behavior. Otherwise N will
inherit the behavior of the Reo nodes which served as parameter of the join statement.
Script variables and assignments. For the sequential composition carried out by an RSL
script, the I/O-ports, Reo nodes created by a join operation as well as the result of an instan-
tiation (either a Reo node or module) can be stored into local script variables. Script vari-
ables can also be used to hold values of predefined data types (typically an integer value).
The script variables are “dynamically typed” and do not have to be declared in advance. An
assignment for a script variable sv has the syntax sv := V where
V ::= instantiation
∣∣ join(N1, . . . , Nn) ∣∣ expression ∣∣ script variable
and expression is a term over the signature induced by the predefined data types and the
variables V ∈ Υ (typically arithmetic expressions). Script variables are dynamically sized
arrays, with sv being shorthand for sv [0]. A script variable sv referring to an instantiated
moduleM provides access to the interface I/O-ports via sv .in [i] and sv .out [j]. An RSL
circuit can refer to its own source and sink ports via in[i] and out[j] (see the explanations
below). To hide dataflow locations they can be made anonymous by assigning the value
NULL to all script variables holding a reference to the dataflow location, i.e., sv := NULL.
The hiding of dataflow locations will be done automatically at the end of the composition
phase. The presented version of RSL does not contain an explicit hiding operator. Instead
hiding is inherent in the semantics of RSL circuits.
Control flow instructions. The control flow features (sequential composition, conditional
and repetitive commands) have the standard meaning. These and the script variables serve
for the stepwise construction of a Reo circuit, and should not be confused with the oper-
ational behavior of the network given by the constraint automaton for the Reo circuit that
results from executing the RSL script. The control flow statements make use of Boolean
expressions (bexpr) that impose conditions on the values of script variables and variables
in Υ. In the sloppy notation provided for the syntax of for-loops, we assume that i is an
integer script variable and j and k are either integer script values or constants.
Interface declaration. In the schema sketched in Figure 3.12, the body of an RSL circuit
ends with a definition of the nodes that are exported to the higher level as source and sink
ports. The syntax to specify that the i-th source port is Ai and the j-th sink port is Bj is the
following.
in: A1; . . . ; in: Ar; out: B1; . . . ; out: Bs
38
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
It is required that the Ai’s are sources and the Bj’s are sinks (I/O-ports or Reo nodes) that
have been defined in stmt via an assignment or module instantiation. Furthermore, the Ai’s
andBj’s are required to be pairwise distinct. Alternatively, one may depart from the schema
in Figure 3.12 and define the interface ports within stmt via the references in[i] and out[j],
either assignments:
in [i] := . . . and out [j] := . . .
or by instantiations:
new module template 〈. . .〉 ( . . . , in[i], . . . ; . . . , out[j] , . . . ).
The indices i and j for the exported source and sink ports have to be consecutive starting
with 0. If there are two or more assignments for, e.g., in [i] then the last one declares the
i-th source port.
Remark 3.2.1. Hiding will be applied automatically and recursively when executing an
RSL script. All internal Reo nodes, ports and channel-ends inside of modules that are
instantiated by an RSL main program will be hidden. For the dataflow locations on the
top most level the hiding depends on whether or not there exists a script variable holding a
reference to the dataflow location at the end of the RSL script. Reo nodes, ports and channel-
ends which no script variable holds a reference to are called anonymous. All anonymous
dataflow locations will automatically be hidden when the end of an RSL script is reached.
Example 3.2.2 (RSL script for a simple connector). The RSL scripts shown in Figure 3.13
both define a prototype for the component connector presented in Example 3.1.5. The
definitions are parameterized in the number k of output ports, Sync and filter channels
being created. For this the parameter k has to be an integer type T ∈ DT. For the data
domain we assume that {0, . . . , k} ⊆ Data.
Basically, the two scripts depicted in Figure 3.13 are two variants to compose the same
component connector. The scrips consecutively create all channels and nodes when being
executed for a concrete value of k ∈ N. At the end of the scripts follows the interface dec-
laration. The parameter passed to the filter channels is denoted as a singleton set containing
the data value which is allowed to pass the filter channel. Formally, filter conditions can be
seen as user-defined unary predicates pr ∈ Π which evaluate to true for all the data values
that belong to the current set.
39
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
CIRCUIT RouterA〈var : k〉{
new FIFO1(A1;F in);
NODE〈type : Data〉 F ;
join(F, F in);
for(i = 0, . . . , k−1){
NODE〈type : Data〉 Ni;
new FILTER〈{i}〉(F outi ;N ini );
join(F, F outi );
new SYNC(Nouti ;Bi+1);
join(Ni, N ini , N
out
i );
}
in[0] = A1;
for(i = 0, . . . , k−1){
out[i] = Bi+1;
}
}
CIRCUIT RouterB〈var : k〉{
new FIFO1(in[0];F );
for(i = 0, . . . , k−1){
new FILTER〈{i}〉(F ;Ni);
new SYNC(Ni; out[i]);
}
}
{k !
1}
{0}
A1
B1
Bk
...
...
Figure 3.13: Two RSL scripts composing the same connector
The script on the right of Figure 3.13 makes use of the fact that channel-ends or ports which
do appear more than once are joined implicitly and do automatically form a Reo node.
Thus, neither the explicit definition of the Reo nodes nor the join statements are required.
Moreover, the definition of the interface ports has moved from the interface decl part into
the stmt part (compared with the schema depicted in Figure 3.12).
Although the two circuits created by the scripts depicted in Figure 3.13 will have the same
interface behavior, they are not equivalent when instantiated at the top most level of an RSL
program, because the left script keeps references to all the channel-ends. Hence, these will
not be hidden.
Based on the definition of the data-dependent router above, we may now form an RSL main
program using the router as a connector for some reader and writer components.
Example 3.2.3 (RSL script for a simple connector). The RSL script shown in Figure 3.14
composes the Reo network consisting of a writer and two readers from the built-in library
of Vereofy and an instance of the router with size two.
40
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
include “builtin”
include “routers.rsl”
REPLACE(“SomeRouter”,“RouterB”);
CONST size = 2;
TYPE mytype t = int(0, . . . , 2 · size);
TYPE Data = mytype t;
CIRCUIT main{
TheWriter = new Writer;
TheRouter = new someRouter〈size〉;
new SYNC(TheWriter.out[0]; TheRouter.in[0]);
for(i = 0, . . . , size−1){
TheReader[i] = new Reader;
new SYNC(TheRouter.out[i]; TheReader[i].in[0]);
}
}
Figure 3.14: An RSL main program to compose the Reo network of Example 3.1.5
The above RSL main program illustrates some important language features of RSL:
(1) the include statements in the beginning of the main program loads the definitions from
built-in library as well as the user defined library containing the RSL circuit definitions for
the routers. (2) The replace statement can be used to exchange one prototype definition by
another at each instantiation. Here, the effect will be that all instances of “someRouter” will
be instances of “RouterB”. Replace statements can be used for abstraction and refinement as
specifications can be exchanged with others. The replacement requires the two prototypes
to have the same interface, i.e., they have the same number of input and output ports and the
type of the interface ports agrees as well. (3) The CONST statement defines the value of the
constant named “size” which will serve as a parameter for the size of the router structure. (4)
User-defined types can be specified by using the TYPE statement and (5) the data domain
Data can have any of the supported data types of Vereofy. In the above program the domain
will be of type “mytype t” which corresponds to the finite set {0, . . . , 2 · size}. (6) Beyond
simple arithmetic operators for unsigned integers, as it is used here to compute the size
of the data domain, Vereofy provides support for some built-in functions and additional
operators for Booleans and unsigned integers [BKK12]. (7) The names of I/O-ports are
optional when creating new instances of components. (8) Instead, RSL script variables can
be used to hold references to component or channel instances. (9) These references then
yield a way to access the interface ports of components via their in and out arrays. (10)
As all ports are connected, the circuit does not contain any interface definition and thus
the created network will be a closed system, to which neither other components nor the
environment can connect.
41
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
Dynamic reconfiguration. RSL provides support for specifying component connectors
with multiple network topologies. The interface of a dynamic connector C contains a special
input port C.reconf, called reconfiguration port.
CIRCUIT C 〈type : Θ, op : Ω, pred : Π, var : Υ〉 {
stmt; // construction of a common sub-circuit
interface decl // declaration of the exported source/sink ports
TOPO(id1 ) = {stmt1} // additional sub-circuit for topology id1
...
TOPO(idt) = {stmtt} // additional sub-circuit for topology idt
}
Figure 3.15: Schema for RSL scripts with dynamic reconfiguration
The schema of RSL scripts with dynamic reconfigurations is shown in Figure 3.15. The
parameter list is the same as before. The body of a dynamic RSL circuit C consists of
statement stmt that specifies a common (static) sub-circuit Cstmt of all network topologies,
followed by the interface declaration and instructions of the form
TOPO(idi){stmti}
for i = 1, . . . , t. Here, idi denotes an identifier for the i-th network topology and stmti
is a statement. The network topology with an identifier idi is generated by the compos-
ite statement stmt ; stmti, resulting in the (static) Reo circuit C′i. The interface declaration
specifies the input and output ports of C, except for the reconfiguration port circ.reconf of
the instances of the circuit C in Figure 3.15. No special declaration is required for the re-
configuration port. The assignments in the interface declaration can only refer to the nodes
and ports that appear in stmt, but not to entities created in stmt1, . . . , stmtt. Any other RSL
circuit circ′ creating an instance circ of the circuit C (cf. Figure 3.15) can access the recon-
figuration port circ.reconf as any port in the interface of circ. Hence, any module that is
connected in circ′ to the reconfiguration port circ.reconf can serve as a driver and trigger
switches in the topology of circ by sending the identifier of the new topology.
Example 3.2.4 (Simple dynamic Reo network). Figure 3.16 depicts a Reo network consist-
ing of a writer and two readers which communicate via a dynamic router circuit as it could
be composed by the following RSL script.
CIRCUIT DynamicRouter〈var : k〉{
new FIFO1(in[0];F );
for(i = 1, . . . , k){
out[i−1] := NODE〈type : Data〉 Bi;
TOPO(idi) = {new SYNC(F ;Ni); new SYNC(Ni;Bi); }
}
}
42
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
Additionally, there can be a driver component connected at the reconfiguration port of the
connector triggering changes in the network topology. In case the reconfiguration port is
not connected with a driver, the composed system is assumed to be an open system where
nondeterministic writes on open ports can occur at any time.
Writer
Reader1
Reader2
TOPO(id1)
TOPO(id2)
Driver
reconf
Figure 3.16: A dynamic router used in a simple Reo network
The driver sends either id1 or id2 on the reconfiguration port of the dynamic router. The
router initially starts in the topology with identifier id1 and switches according to the re-
ceived reconfiguration signals. The result is that in the topology with identifier idi the
Readeri will receive all data stored in the buffer.
The above Reo network constitutes a perfect example for exogenous coordination, as the
communication medium has been exchanged in respect of Example 3.1.5 without changing
the specification of the reader and the writer.
We will now look at the semantics of RSL, which also relies on constraint automata.
Semantics of static RSL circuits. Let C be an RSL circuit with the parameters Θ, Ω, Π
and Υ as in Figure 3.12. To provide an operational semantics for circuit C, we will
1. fix an interpretation I for the symbols in the parameter list of C (which yields an
interpretation for the induced signature SigC) and then construct a Reo circuit RC,I
for C by means of the instructions given in stmt.
2. construct the extended constraint automata for all individual parts of RC,I either di-
rectly for Reo nodes, recursively in case the behavioral description of the entity is
given in terms of another RSL script, or by applying the machinery described in the
next section if the behavior is given as a CARML module.
The Reo circuitRC,I is obtained by executing the RSL script given by the instructions
in the body of C. When instantiating a module the meanings of the uninterpreted data
types, operator or predicate symbols are taken according to I.
43
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
The instantiation of a CARML module M(Θ0,Ω0,Π0,Υ0) with n sources and m
sinks via the instruction
comp := newM〈Θ′,Ω′,Π′,Υ′〉(D1, . . . , Dn, E1, . . . , Em)
means binding an instance comp ofMwhere the i-th source of comp is identified with
the possibly already existing node Di and the j-th sink of comp with Ej . In the Reo
circuit RC,I , comp is viewed as a black-box component. However, by applying the
algorithm of [BSAR06] (extended to handle global variables) to construct a constraint
automaton from RC,I we use a constraint automaton Acomp,I as specification for the
behavioral interface of that instance comp ofM. AutomatonAcomp,I can be obtained
as follows:
Let I0 be the interpretation that arises from I by the substituting Θ0 with Θ′ (i.e., if
the i-th data type symbol in Θ0 is T and the i-th element of Θ′ is U then T I0 = UI)
and substituting Ω0 with Ω′, Π0 with Π′, and Υ0 with Υ′.
We now regard the constraint automaton AM,I0 and replace the i-th source port of
M with Di and the j-th sink port ofM with Ej in the dataflow vocabulary ofAM,I0
and the concurrent I/O-operations that appear as labels for the transitions of AM,I0 .
The resulting automaton is Acomp,I .
The meaning of an instantiation of another RSL script C′ via the instruction
comp := new C′〈Θ′,Ω′,Π′,Υ′〉(D1, . . . , Dn, E1, . . . , Em)
is analogous. It has the effect of including the Reo circuit associated with the gener-
ated instance of C′.
3. Finally, we apply the product operator for constraint automata to output one large
constraint automatonAC,I forRC,I with associated dataflow vocabulary VocC which
is defined according to the interface declaration, i.e.,
VocC = (NC ,N srcC ,N snkC , λC)
where N srcC = {A1, . . . , Ar} and N snkC = {B1, . . . , Bs} if the interface declaration
specifies A1, . . . , As as source ports and B1, . . . , Bs as sink ports. The function λC is
the obvious one and assigns the message-type of Ai to the i-th source port (in[i−1])
and the message-type of Bj to the j-th sink port (out[j−1]). The set of all observable
locations of C is
NC = N srcC ∪ N snkC ∪ N intC
where the set N intC holds the names for all internal dataflow locations that have not
been hidden during the composition. The setN intC will be empty if C is not on the top-
level of the RSL program as for those circuits all internals are hidden automatically.
The procedure above results in an extended constraint automaton 〈AC,I ,VocC〉, whereAC,I
arises from AC,I by applying the structure-preserving hide operator. Please notice that
applying the hide operator removes internal ports from the port-set and it may also effect
the set of quiescent states, as the hiding may introduce new c∅-transitions to some states
which were quiescent in AC,I and will hence not be quiescent in AC,I .
44
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
Please note that we provide the operational semantics for RSL circuits (static as well as
dynamic) in terms of constraint automata A = 〈Q,N ,−→, Q0,Q〉 without labeling, as the
a precise definition of the labeling of states is irrelevant for the semantic of RSL. Instead we
will assume that the set of atomic propositions of the constraint automatonAC,I contains all
quantifier-free formulas over signature SigC . Additional atomic propositions, which may
serve as shortcut notation, can be defined in CARML and will be lifted to the circuit level
via the constraint automaton product construction.
Semantics of dynamic RSL circuits. For dynamic RSL circuit the dataflow vocabulary
VocC is defined according to the interface declaration and internal dataflow locations which
have not been hidden, completed with the reconfiguration port C.reconf which is a source
port of message-type {id1, . . . , idt}. That is, the dataflow vocabulary
VocC = (NC ,N srcC ,N snkC , λC)
with NC = N srcC ∪ N snkC ∪ N intC is as for static circuits, but here
N srcC = {C.reconf, A1, . . . , Ar} with type(C.reconf) = {id1, . . . , idt}.
We use the aforementioned construction for each constraint automaton (without labeling)
A′i = Astmt;stmti,I =
〈
Q(i),N ,−→i, Q(i)0 ,Q(i)
〉
for the circuit C′i induced by the statement stmt ; stmti. The port-set N = NC \ {C.reconf}
consists of all interface ports of the circuit C except the reconfiguration port. The states in
Q(i) can be written in the form 〈q, q(i)〉where q stands for a state in the constraint automaton
Astmt,I for the (static) common sub-circuit Cstmt of all circuits C′1, . . . , C′t and q(i) a state of
constraint automaton Astmti,I for the sub-circuit induced by stmti. W.l.o.g. we can assume
that Q(i) ∩Q(j) = ∅ for 1 ≤ i < j ≤ t.
The constraint automaton (without labeling)AC,I = 〈Q,NC ,−→, Q0,Q〉 for the dynamic
connector C is then obtained by combining A′1, . . . ,A′t as follows:
• The state space Q ofAC,I is the disjoint union of the state spaces ofA′1, . . . ,A′t, that
is, Q = Q(1) ∪ . . . ∪Q(t).
• The set Q0 of initial states is the set of all states 〈q, q(i)〉 where q is an initial state
in the constraint automaton Astmt,I for stmt and q(i) an initial state in the constraint
automaton Astmti,I for stmti.
• The transitions −→ are given by the following two rules, where the first stands for
the receipt of the signal to switch to the j-th network topology and the second rule
stands for the execution of a concurrent I/O-operation in the i-th topology:
45
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
q(j) initial state of Astmtj ,I for stmtj
〈q, q(i)〉 C.reconf?idj−−−−−−−−−→ 〈q, q(j)〉
〈q, q(i)〉 c−→i 〈q, p(i)〉
〈q, q(i)〉 c−→ 〈q, p(i)〉
(3.1)
where C.reconf?idj denotes the unique concurrent I/O-operation c with
active(c) = {C.reconf} and c(C.reconf) = idj .
• The set of quiescent states is defined as Q def= Q(1) ∪ . . . ∪Q(t)
3.2.2. Constraint automata reactive module language (CARML)
The input languages of Vereofy for the specification of components (and connectors) in
terms of constraint automata is a guarded command language, called CARML (constraint
automata reactive module language), that describes the transitions of constraint automata
in a symbolic way, i.e., by means of Boolean conditions on the states and the enabled
concurrent I/O-operations. CARML provides a convenient way to specify the component
interfaces and to provide a high-level description of the operational behavior of compo-
nents. CARML supports channel-based message passing and communication over shared
variables. The latter is irrelevant for exogenous coordination, but can be useful to incorpo-
rate the coordination primitives of an endogenous approach e.g. for existing systems where
the coordination protocol is given in an imperative language. In this case, modeling the pro-
tocol by means of the coordination language can be much harder than providing a CARML
specification. CARML is even expressive enough to specify complex component connec-
tors. To ease the automatic translation of CARML specifications into a compact internal
BDD-based representation, we adapted some concepts of reactive modules [AH99] for the
syntax of CARML modules.
Standard data types such as Boolean, finite integer ranges, arrays, unions and enumerations
together with the usual operators and predicates on them can be used as data types for vari-
ables and message-types for I/O-ports. The set of data types, operators and predicates with
fixed semantics is denoted as for RSL by DT,Op and Pred. CARML modules can also use
uninterpreted symbols for data types, operators and predicates. That is, a CARML module
M can be parameterized by a set Θ of data types and a set Ω of operator symbols, a set Π
of predicate symbols, and a set Υ of variables with types in DT = DT ∪Θ.
The general schema of a CARML module is shown in Figure 3.17.
46
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
MODULEM〈type : Θ, op : Ω, pred : Π, var : Υ〉 {
// interface declaration: source ports
in : T in1 A1;
... // Ai with message-types T ini ∈ DT
in : T ink Ar;
// interface declaration: sink ports
out : T out1 B1;
... // Bi with message-types T outi ∈ DT
out : T out` Bs;
// definition of local variables Xi with data types T vari ∈ DT
// with initial value init valuei ∈ T vari (optional)
var : T var1 X1 init := init value1;
...
var : T var` X` init := init value`;
// definition of atomic propositions ai
ap : a1 ↔ state guarda1 ;
...
ap : am ↔ state guardam ;
// transition definitions
state guard1−[ I/O guard1 ]→ state assignment1;
...
...
...
state guardn−[ I/O guardn ]→ state assignmentn;
}
Figure 3.17: Schema of a CARML module
47
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
Interface declaration. It consists of a (possibly empty) parameter list, the interface dec-
laration where the source and sink ports of a component and its local variables are defined
followed by the transition definitions specifying the behavioral interface. The shorthand
notation
“type : Θ, op : Ω, pred : Π”
in Figure 3.17 refers to a list where all uninterpreted symbols S ∈ Θ ∪ Ω ∪ Π are encoun-
tered together with the corresponding keyword type, op or pred and their types in case of
the operator and predicate symbols. Similarly, the notation var : Υ stands short for an enu-
meration of all variables in Υ together with the keyword var and their types. All variables
in Υ are passed according to the concept “call-by-value”.
Let M be the name of the CARML module in Figure 3.17. The data types with fixed
semantics together with the parameters Θ, Ω, Π, Υ and the set VarM of variables that can
be used inM (see below) constitute the signature ofM which is given by
SigM = (DT,Op,Pred,VarM)
where DT = DT ∪Θ. Op = Op ∪ Ω and Pred = Pred ∪Π.
Local variables. The variables that can be used in a CARML moduleM are local vari-
ables and the variables in Υ. The local variables together with their types have to be listed
in the declaration part ofM. Thus, a CARML module conforming to the schema shown in
Figure 3.17 has the local variables X1, . . . , X`. The type of local variable Xi is T vari which
has to be an element of DT. The specification of an initial value for the local variables is
optional.
Global variables. With our hybrid modeling approach, where CARML specifications can
be embedded in the scripting language RSL (cf. Subsection 3.2.1), CARML modules can
also use global or shared variables which have to be declared in the RSL (main) program.
The treatment of shared variables requires some additional rules in the constraint automaton
product to ensure mutually exclusive writes. As global variables are an additional concept
outside the scope of our exogenous coordination setting we will not go into the technical
details for the treatment of global variables.
The interface declaration of a CARML module M following the schema shown in Fig-
ure 3.17 will induce the port-set N = {A1, . . . , Ar, B1, . . . , Bs} of a constraint automaton
AM,I = 〈Q,N ,−→, Q0,Q,AP , L〉,
where I is an interpretation for the uninterpreted symbols S ∈ Θ ∪ Ω ∪ Π. The type of
source port Ai is T ini , while sink port Bj is of type T
out
j . Again, the types T
in
i and T
out
j
are elements of DT. The evaluations for the local variables of a module will form the state
space Q of the resulting constraint automaton AM,I , while the set of initial states Q0 is
defined according to the provided initial values for each local variable Vi for 1 ≤ i ≤ `.
The set of quiescent states in AM,I is defined as Q def= {q ∈ Q | c∅ 6∈ CIO(q)}.
48
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
Atomic propositions. The formal notion of atomic propositions over SigM are predi-
cates of the form pr(t1, . . . , tk) where type(pr) = (T1, . . . , Tk) and t1, . . . , tk are terms
over SigM such that ti is of type Ti. For the standard set AP of atomic propositions for
a CARML module M, we assume that it contains all boolean expressions of predicates
pr(t1, . . . , tk) over SigM. Additionally, we allow to enrich the standard set of atomic
propositions (cf. Figure 3.17). This allows labeling of states according to the evaluation
of their local variables. These atomic propositions serve as shortcut notations useful for
transition definitions and within formulas.
For a CARML module as the one depicted in Figure 3.17 the set {a1, . . . , am} will addi-
tionally be included in the set of atomic propositions AP . For a1, . . . , am new predicate
symbols are being introduced in the signature SigM. The labeling function is defined ac-
cording to the definition provided in the CARML module:
ai ∈ L(q) iff state guardai holds in state q ∈ Q.
Formally, a state guard is a (possibly empty) conjunction of atomic propositions, i.e., pred-
icates pr(t1, . . . , tk) over SigM. The transition definitions will yield the transition rela-
tion −→ as follows.
Transition definitions. Each transition definition consists of local conditions on the cur-
rent state (a state guard), conditions on the concurrent I/O-operations to be fired (an I/O-
guard) and the effect of firing such an I/O-operation on the states (formalized by the state
assignments). An I/O-guard is a condition on the observable dataflow, formalized by a
Boolean combination of atomic propositions over an extended signature SigNM that allows
to reason about the data items that are observable at the locations in N . The motivation for
having symbols for state variables as well as for dataflow locations in the extended signature
SigNM is that we want define predicates which serve for comparing the observable dataflow
at some location with the evaluation of local variable(s), i.e., an I/O-guard is a Boolean
combination of atoms of the form dataA  rhs, where is a Boolean operator from the set
{<,≤,=, 6=,≥, >} and the abstract syntax for the right hand side (rhs) is given by:
rhs ::= k
∣∣ dataB ∣∣ X ∣∣ γ(rhs1, . . . , rhsn)
Here, dataA and dataB refer to the observable dataflow at some ports A and B. The observ-
able dataflow can be compared to either a constant value k, the data value dataB observable
at port some port B, a value of a local variable X , or the value of an n-ary function ρ.
Formally, SigNM denotes the signature that results from SigM by adding
• a special type TI/O that serves for a characterization of the I/O-ports,
• a new monadic predicate symbol active with type(active) = TI/O,
• constant symbols dataA with type(dataA) = λM(A) for all A ∈ N .
49
3.2. The modeling languages RSL and CARML Chapter 3. Modeling formalism and languages
The special type symbol TI/O is needed for technical reasons only. Note that the location-
symbol A is of type TI/O, while its message-type is λM(A) = type(dataA). For the inter-
pretations I of SigNM we require that TI/OI = NM. The intuitive meaning of the atomic
proposition active(A) is a port activity flag which indicates that dataflow at location A is
observed.
A state assignment is a (possibly empty) conjunction of assignments for local variables, i.e.,
state assignments have the form
V1 := t1 ∧ V2 := t2 ∧ . . . ∧ Vp := tp
where V1, . . . , Vp are pairwise distinct variables in VarM and tj are terms over the extended
signature SigNM. Intuitively, when firing a transition via a concurrent I/O-operation c with
a state assignment as above as then in the next state the value of the variables Vi agrees
with the value of the term ti under the interpretation given by the current state and the c.
Variables V ∈ VarM \ {V1, . . . , Vp} keep their value after the transition has been taken.
Example 3.2.5 (CARML module of FIFO1 channel with initial value). Figure 3.18 shows a
CARML module for a FIFO channel with capacity one whose initial value is set according
to the parameter variable init value.
MODULE FIFO1〈var : init value〉{
in : Data A;
out : Data B;
var : enum{empty,full} state init := full;
var : Data value init := init value;
state = empty −[ {A} ]→ state := full ∧ value := dataA;
state = full −[ {B} ∧ dataB = value ]→ state := empty;
}
Figure 3.18: CARML module for a FIFO1 channel with initial value init value
The module description of the FIFO1 with initial value contains two local variables “state”
and “value” representing the current configuration and of the FIFO1 (empty or full) and
the current value d ∈ Data stored in the buffer. The initial configuration is that the FIFO1
channel is filled with data item init value ∈ Data provided in the parameter list of the
module. The behavior agrees with the standard FIFO1 behavior, i.e., data can be stored if
the FIFO1 is in the configuration “empty” and taken off in the “full” configuration.
50
Chapter 3. Modeling formalism and languages 3.2. The modeling languages RSL and CARML
Figure 3.19 shows the induced constraint automaton for Data = {0, 1} and init value = 1.
{A}   dA = 0
{A}   dA = 1
{B}   dB = 0
{B}   dB = 1
hfull, 1i
hfull, 0ihempty, 0i
hemtpy, 1i
{empty}
{empty} {full, contains1}
{full, contains0}
Figure 3.19: Induced constraint automaton for the CARML module of Figure 3.18
Example 3.2.6 (CARML module of a stack data structure with capacity cap). In Figure 3.20
shows a CARML module for a stack which stores values of type T . The data type T is the
first parameter of the module definition whereas the second parameter cap determines the
capacity of a stack.
MODULE Stack〈type: T, var : cap〉{
in : T A;
out : T B;
var : (T ∪ {⊥})[cap] values init := ⊥;
var : int(0, cap) pos init := 0;
pos < cap −[ {A} ]→ values[pos] := dataA ∧ pos := pos+1;
pos > 0 −[ {B} ∧ dataB = values[pos] ]→ values[pos] := ⊥ ∧ pos := pos−1;
}
Figure 3.20: CARML module for a stack with capacity cap
The module for the stack contains two local variables. The variable values is an array of
type T ∪{⊥} and size cap and holds the actual values pushed on the stack via input port A.
The second variable pos is of integer type and holds the position of the top-most element of
the stack. The value of pos will be increased on any push operation carried out by a write
on the input port A and decreased on every pop operation happening when the top-most
element is written on output port B.
51
52
4 Alternating-time stream logic
Temporal logics such as LTL (linear temporal logic) [Pnu77], and CTL (computation tree
logic) [CE81] and related temporal logics are well investigated formalisms for the mod-
eling, verification, and synthesis of reactive systems. Within this family, the alternating-
time temporal logic (ATL) [AHK02] introduced a useful generalization that helps modeling
and analyzing distributed systems. Whereas, classical temporal logics are interpreted over
transition-system-like structures, alternating-time logics are interpreted over game struc-
tures. Game logics such as alternating-time temporal logic (ATL) [AHK02] allow reason-
ing about strategies for coalitions of components. A typical scenario for this game-based
view of a distributed system would consist of a coalition of controllable components that is
playing against its environment and/or a coalition of components that is assumed to behave
in an uncontrollable way. ATL now provides modalities for reasoning about the existence
of a strategy for the controllable components coalition that ensures a certain temporal logic
property to hold no matter how the opponents behave.
In this chapter we introduce the alternating-time stream logic (ASL) for reasoning about
strategies in the Reo and constraint automata framework. For this, constraint automata are
being interpreted as multi-player game structures. We are interested in the existence of a
strategy for the controllable parts of the system to cooperate in such a way that they achieve
a common goal. Here, a strategy means that the controllable components can restrict or even
refuse performing certain actions or participate to synchronize actions with its environment
and the uncontrollable parts of the system.
Organization. In Section 4.1 we provide an interpretation of constraint automata as multi-
player games. The syntax and semantics of ASL are presented in Section 4.2. The ASL
model checking procedures are introduced in Section 4.3, whereas Section 4.4 contains a
discussion about the complexity of ASL model checking. In Section 4.5 ASL we discuss
the concept of fairness for ASL.
The work presented in this section has partially been published in [KB09, KB10].
4.1. Constraint automata as multi-player games
In this section we introduce a game-based interpretation of constraint automata. The data
type and polarity information for the ports of constraint automata played an important role
for the modeling, but throughout this chapter the dataflow vocabulary can be ignored as it
is not essential for the introduced temporal logic and the model checking.
53
4.1. Constraint automata as multi-player games Chapter 4. Alternating-time stream logic
For this game-based view of constraint automata, it is assumed that the constraint automa-
ton under consideration models a system where several components are glued via a network
consisting of several (a)synchronous channels. The players of the game are the individual
components. Each of the players has control over his write and read operations at its inter-
face ports. A player might refuse some or even any synchronization operation with other
players. Players might build arbitrary coalitions to achieve a certain common goal, e.g., to
enforce that a certain temporal property holds. In our approach, a coalition of players is
given by a set of names for the controllable ports N ⊆ N , the union of all controllable
coalition ports, for which the players might try to develop a common strategy to achieve
their objectives.
Let N ⊆ N be the set of controllable ports. Then a transition q c−→ q′ in a constraint au-
tomaton is called controllable from the perspective of the N -agents if ∅ 6= active(c) ⊆ N .
The opponents cannot prevent a controllable transition as they are not involved in the con-
current I/O-operation and the transition may fire even if they refuse an interaction with
their environment. The transition is preventable from the perspective of the N -agents if
active(c) ∩ N 6= ∅ and unpreventable otherwise. Hence, for the N -agent there is a sym-
metric argument, saying that they can only prevent transitions if they are involved in the
concurrent I/O-operation. Otherwise, the transition is unpreventable from the perspective
of the N -agents. Hence, transitions with the empty concurrent I/O-operation c∅ are unpre-
ventable for the N -agents and their opponents.
Intuitively, a strategy for the set N of controllable ports, briefly called an N -strategy takes
the history of the system, formalized by a finite execution, as input (i.e., we suppose here
perfect recall) and declares the conditions under which theN -agents (members of the coali-
tion) are willing to cooperate with each other and their opponents. For instance, an N -
strategy might offer to write data value 0 at a dataflow location A ∈ N , but refuse to write
data value 1. Furthermore, anN -strategy might suggest that theN -agents completely refuse
any participation in concurrent I/O-operations. The special symbol
√
will be used for this
purpose.
Definition 4.1.1 (Strategy). Let A be a constraint automaton as in Definition 2.1.2, and let
N ⊆ N be a set of port names. An N -strategy is a function
S : Execfin(A)→ 2CIO
√
,
assigning to any finite execution η a set S(η) consisting of I/O-operations c ∈ CIO or the
special symbol
√
such that if c ∈ CIO and active(c) ∩ N = ∅ then c ∈ S(η). The latter
condition ensures that unpreventable transitions cannot be refused by the N -agents.
Unlike strategies in standard multi-player games, an N -strategy does not necessarily de-
termine unique activities for the controlled components. Instead it yields a set of potential
interactions. This is reasonable for the game semantics of constraint automata since the
availability of a concurrent I/O-operation c with active(c) = M depends on the agree-
ment of all components that have an I/O-port in M to perform synchronized write and read
operations according to c. Hence, only if M is a nonempty subset of N the concurrent
54
Chapter 4. Alternating-time stream logic 4.1. Constraint automata as multi-player games
I/O-operation c is controllable by N in the sense that the N -ports can offer c, although they
cannot enforce that c will indeed be taken.
The rationale behind the condition requiring that c ∈ S(η) whenever c is a concurrent
I/O-operation with active(c) ∩ N = ∅ is that the N -ports are not in the position to refuse
an I/O-operation c where none of the N -ports is involved. In particular, invisible I/O-
operations (i.e., the concurrent I/O-operation c∅ with active(c) = ∅) cannot be ruled out by
an N -strategy. Thus, c∅ ∈ S(η) for each execution η and N -strategy S.
Given anN -strategy S, the S-paths are those paths inA that can be obtained when the I/O-
operations performed at the ports in N are consistent with S. For finite paths, consistency
with S requires that S returns the special symbol
√
(which indicates that the N -agents
refuse any further interactions at their ports) or that the opponents have been in the position
to stop dataflow by refusing any I/O-request. This is formalized by the notion of quiescence.
From now on we will consider a state q ∈ Q to be quiescent if all enabled concurrent
I/O-operations require some activity of at least one I/O-port of either the N -agents or the
opponents.
Definition 4.1.2 (Quiescent states). Let q ∈ Q be a state in the constraint automaton A.
State q is said to be quiescent if for all concurrent I/O-operations c that are enabled in
state q (i.e., all c ∈ CIO(q)), the port-set active(c) is nonempty. Hence, the set of all
quiescent states Q is defined as Q = {q ∈ Q | active(c) 6= ∅ for all c ∈ CIO(q)}.
Stated differently, the set Q consists of all states q is in which c∅ 6∈ CIO(q) holds. Note
that dataflow does not need to stop in quiescent states. Instead dataflow continues if there is
an enabled concurrent I/O-operation c where the involved components agree on interacting
with each other by means of performing the write and read operation specified by c. For each
non-quiescent state q, at least one invisible transition is enabled, i.e., we have c∅ ∈ CIO(q).
This I/O-operation does not require any interaction with the components and will fire, unless
another transition is taken.
Definition 4.1.3 (S-executions, S-completeness). Let S be an N -strategy. A S-execution
is a finite or infinite execution
η = q0
c1−−→ q1 c2−−→ . . .
such that for any position i ∈ N with i < |η| we have ci+1 ∈ S(η ↓ i).
Each infinite S-execution is said to be S-complete. A finite S-execution η is called S-
complete if its last state q is quiescent (cf. Definition 4.1.2) and at least one of the following
two conditions (i) or (ii) holds:
(i)
√ ∈ S(η)
(ii) there is no c ∈ CIO(q) ∩S(η) such that active(c) ⊆ N .
55
4.1. Constraint automata as multi-player games Chapter 4. Alternating-time stream logic
Condition (i) indicates that refusing any dataflow on the N -ports is a potential behavior
under strategy S, while (ii) stands for the possibility of the opponents to do the same on
their part (i.e. refusing any synchronization on the N \N -ports).
Definition 4.1.4 (S-paths). Let S be an N -strategy. A S-path denotes any infinite S-
execution or any finite path
π = q0
c1−−→ . . . cn−−→ qn
√
−−→ qn
where π ↓ n is a S-complete S-execution.
We write Paths(q,S) to denote all S-paths starting in q. Similarly, Execfin(q,S) denotes
the set of all finite S-executions from q.
The general definition of strategies does not impose any restrictions on their realizability.
E.g., strategies may even be not computable. As we will see later, for our purposes strategies
with finite memory are sufficient. These are strategies that make their decisions on the basis
of a finite automaton rather than the full history.
Definition 4.1.5 (Finite-memory and memoryless strategies). A finite-memory N -strategy
is a tuple M = 〈Modes,∆, µ,m0〉, where
• Modes is a finite set (of so-called modes),
• m0 ∈ Modes the starting mode,
• µ : Q×Modes→ 2CIO√ the decision function, and
• ∆ : Modes× (Q× CIO×Q)→ Modes the next-mode function.
For the decision function µ we require that µ(q,m) ⊇ {c ∈ CIO : active(c) ∩ N = ∅}
for all states q ∈ Q and modes m ∈ Modes. If Modes is a singleton then we refer to
M as a memoryless strategy. Memoryless strategies are typically specified as functions
S : Q→ 2CIO√ .
Given a finite-memory N -strategy M then the associated N -strategy SM (in the sense of
Definition 4.1.1) is given by:
SM
(
q0
c1−−→ . . . ci−−→ qi
)
= µ
(
qi,∆
∗(m0, q0
c1−−→ . . . ci−−→ qi)
)
where ∆∗(m, η) is defined by induction on the length of η. For executions of length 0 we
put ∆∗(m, q0)
def
= m. For executions of length 1, ∆∗ agrees with the next-mode function
∆, i.e.,
∆∗(m, q0
c1−−→ q1) def= ∆(m, q0 c1−−→ q1),
while for executions of length i ≥ 2 we define:
∆∗
(
m, q0
c1−−→ q1 c2−−→ . . . ci−−→ qi
) def
= ∆∗
(
∆(m, q0
c1−−→ q1), q1 c2−−→ . . . ci−−→ qi
)
.
56
Chapter 4. Alternating-time stream logic 4.1. Constraint automata as multi-player games
Example 4.1.6 (Finite-memory strategies). LetA be a constraint automaton as depicted on
the left of Figure 4.1, with
active(c1) ∩N 6= ∅, active(c2) ⊆ N, and active(c3) ∩N = ∅
for a set of port names N ⊆ N , i.e., c1 is a preventable, c2 is a controllable, and c3 is an
unpreventable concurrent I/O-operation from the perspective of the N -agents. Let the goal
for this example now be to specify a finite-memory N -strategy S which ensures that the
number of visits of state q′2 is at most one and that state q1 is not visited at all along all paths
π ∈ Paths(q0,S).
Let M = 〈Modes,∆, µ,m0〉 be a finite-memory N -strategy with Modes = {m0,m1}
and m0 ∈ Modes the starting mode. The next-mode function ∆ is a partial function for
which the relevant parts are shown on the right of Figure 4.1 and the decision function
µ(qi,m0) = {c∅, c2, c3} and µ(qi,m1) = {c∅, c3}
for all i ∈ N. The ratio behind M is 1) that the preventable transition q0 c1−−→ q1 should
q0
q1 q2
q02q3
c1
c2
c2
c3
m0 m1
q0
c2  ! q02
q0
c2  ! q2
q0
c3  ! q3 q0 c3  ! q3
q02
c;  ! q0
q3
c;  ! q0q3
c;  ! q0
q2
c;  ! q0c;
c;
c;
c;
Figure 4.1: Constraint automaton and a finite-memory N -strategy
never be taken and 2) that the controllable transitions q0
c2−−→ q2 and q0 c2−−→ q′2 with
the concurrent I/O-operation c2 are supported in the initial mode m0. Once the transition
q0
c2−−→ q′2 has fired the finite-memory N -strategy M changes its mode to m1 and from then
on refuses any synchronization with either c1 or c2. Thus, inA the state q′2 can be visited at
most once.
The associated N -strategy SM is
SM
(
q0
c1−−→ . . . ci−−→ qi
)
=
{
µ(qi,m0) = {c∅, c2, c3} if qj 6= q′2 for all 0 ≤ j ≤ i
µ(qi,m1) = {c∅, c3} else
57
4.2. Syntax and semantics Chapter 4. Alternating-time stream logic
4.2. Syntax and semantics
Syntax of ASL state and path formulas. State formulas (denoted by capital Greek letters
Φ, Ψ) and path formulas (denoted by lower case Greek letters ϕ, ψ) of ASL are built by the
following grammar:
Φ ::= true
∣∣∣ a ∣∣∣ Φ1 ∧ Φ2 ∣∣∣ ¬Φ ∣∣∣ ENϕ
ϕ ::= 〈Z〉Φ
∣∣∣ [[Z]]Φ ∣∣∣ Φ1 UΦ2 ∣∣∣ Φ1 RΦ2
whereN ⊆ N , a ∈ AP andZ = 〈Z,Σ,−→Z , Z0, ZF 〉 is a nondeterministic finite automa-
ton (NFA), where Z is a finite set of states, Σ = CIO√ a finite alphabet,−→Z ⊆ Z×Σ×Z
the transition relation, Z0 ⊆ Z a set of starting states, and ZF a set of final states.
The operators 〈Z〉 and [[Z]] are used as existential and universal quantifiers on prefixes
characterized by Z . The intended meaning of 〈Z〉Φ is that it holds for a path π iff π has
a finite prefix generating an I/O-stream which is accepted by Z and Φ holds for the state
reached afterwards. [[Z]]Φ is the dual operator of 〈Z〉Φ and holds for a path π iff for all
finite prefixes of π generating an I/O-stream accepted by Z , the formula Φ holds for the last
state of the prefix.
Beside the special
√
-transitions, Z can be viewed as a constraint automaton Z with an
additional set ZF of final (accept) states. The atomic propositions and labeling function are
irrelevant for Z .
We call a run θ = z0
c1−−→Z . . . cn−−→Z zn in Z an accepting run if z0 ∈ Z0 and zn ∈ ZF .
The language accepted by Z is defined as
L(Z) def= {c1 . . . cn ∈ CIO∗√ | z0 c1−−→Z . . . cn−−→Z zn is an accepting run in Z}.
For L(Z) we require that L(Z) ⊆ CIO∗∪CIO∗√. By the special role of the end symbol√,
we may assume that Z’s state space contains a subset Z√ ⊆ Z such that
1. z
√
−−→Z z′ implies z′ ∈ Z√,
2. z c−→Z z′ with z′ ∈ Z√ implies c =
√
and
3. z ∈ Z√ implies that z is a terminal state.
As a consequence we have that L(Z) ⊆ CIO∗ ∪ CIO∗√.
Derived operators. The operator EN corresponds to an existential quantification over all
N -strategies. The dual operator ANϕ, stating that no strategy for the ports in N can avoid
ϕ to hold, is defined by:
AN 〈Z〉Φ def= ¬EN [[Z]]¬Φ
AN [[Z]]Φ def= ¬EN 〈Z〉¬Φ
AN (Φ1 UΦ2)
def
= ¬EN (¬Φ1 R¬Φ2)
AN (Φ1 RΦ2)
def
= ¬EN (¬Φ1 U¬Φ2)
58
Chapter 4. Alternating-time stream logic 4.2. Syntax and semantics
Other Boolean connectives, like disjunction or implication, are obtained in the standard
way. In the following, we shortly write
EAϕ for E{A}ϕ and AAϕ for A{A}ϕ.
ASL path formulas are interpreted over paths in a constraint automaton. The modalities U
and R denote the standard until-operator and release-operator, respectively. The eventually
and always operator are obtained in the usual way by
3Φ
def
= (trueUΦ) and 2Φ def= (falseRΦ).
The standard next operator is derived in ASL by
XΦ
def
= 〈Ztt〉Φ
where Ztt is an NFA accepting words over CIO of length one. Thus, XΦ holds for all paths
where the underlying execution has at least one transition and Φ holds afterwards.
Semantics of ASL. Let A be a constraint automaton and π a path in A. The satisfaction
relation |= for ASL state formulas is defined by structural induction as shown below:
q |= true
q |= a iff a ∈ L(q)
q |= Φ1 ∧ Φ2 iff q |= Φ1 and q |= Φ2
q |= ¬Φ iff q 6|= Φ
q |= ENϕ iff there is an N -strategy S such that
for all π ∈ Paths(q,S) we have: π |= ϕ.
For the dual alternating-time modality AN we obtain the expected semantics:
q |= ANϕ iff for all N -strategies S
there exists π ∈ Paths(q,S) such that π |= ϕ.
The satisfaction relation |= for ASL path formulas and the path π inA is defined as follows:
π |= 〈Z〉Φ iff there exists n ∈ N such that 0 ≤ n ≤ |π| and
ios(π ↓ n) ∈ L(Z) and qn |= Φ
π |= [[Z]]Φ iff for all n ∈ N such that 0 ≤ n ≤ |π| we have:
ios(π ↓ n) ∈ L(Z) implies qn |= Φ
π |= Φ1 UΦ2 iff there exists n ∈ N such that 0 ≤ n < |π| where
qn |= Φ2 and qi |= Φ1 for 0 ≤ i < n
π |= Φ1 RΦ2 iff at least one of the following conditions (i) or (ii) holds:
(i) for all n ∈ N with 0 ≤ n < |π| we have: qn |= Φ2
(ii) there exists some n ∈ N with 0 ≤ n ≤ |π| such that:
qn |= Φ1 ∧ Φ2 and qi |= Φ2 for 0 ≤ i ≤ n.
59
4.2. Syntax and semantics Chapter 4. Alternating-time stream logic
Definition 4.2.1 (Winning strategy). Given a state q and an ASL path formula ϕ, an N -
strategy S is called winning for the tuple 〈q, ϕ〉 if ϕ holds for all S-paths starting in q.
Thus, q |= ENϕ iff there exists a winning N -strategy for 〈q, ϕ〉. We say that S is winning
for ϕ if S is winning for all pairs 〈q, ϕ〉 where q |= ENϕ.
Remark 4.2.2 (Nesting of strategy quantifiers). For formulas of the form ENϕ where ϕ
itself contains a strategy quantifier EN ′ϕ′ it is worth noticing that a winning strategy for the
inner formula is in general not related to the winning strategy for the outer formula even if
N ′ and N agree. In general the two strategies cannot be combined into a single winning
strategy. E.g., let Φ0 = EN2(Φ ∧ EN3¬Φ) be a nested ASL formula. Any winning N -
strategy S for ϕ = 2(Φ ∧ EN3¬Φ) ensures Φ to hold globally and at the same time it
ensures staying in states from which there exists a differentN -strategy S′ which is winning
for ϕ′ = 3¬Φ. Obviously the two strategies S and S′ cannot be combined into a single
N -strategy which is winning for ϕ and ϕ′ at the same time. Similar phenomena can be
observed when nesting ENϕ with AN ′ϕ′ in any possible combination. These phenomena
are not specific to the ASL, but do exist already in branching-time logics such as CTL,
which quantify over paths (or prefixes of paths) rather than over strategies. E.g., for the
CTL state formula ∀2(Φ ∧ ∀3¬Φ) we observe a similar situation.
Regular I/O-stream expressions. Instead of an NFA we will often use a regular I/O-
stream expression αwhich uses I/O-constraints as atoms. The abstract syntax of regular I/O-
stream expressions, briefly called stream expressions, is given by the following grammar:
α ::= g
∣∣∣ √ ∣∣∣ α∗ ∣∣∣ α1;α2 ∣∣∣ α1 ∪ α2
where g ∈ IOC ranges over all I/O-constraints. Any stream expression represents a regular
set of I/O-streams. In the sequel we denote the set of all I/O-streams by IOS.
The formal definition of the regular languages IOS(α) ⊆ CIO∗ ∪ CIO∗√ is given by struc-
tural induction. IOS(g) is the set consisting of the I/O-streams of length 1 given by g, i.e.,
IOS(g) def= dge. (Recall that the semantics dge of an I/O-constraint g ∈ IOC has been de-
fined in Definition 2.2.1). Similarly, IOS(
√
) is the singleton set consisting of the I/O-stream√
. Union (∪), Kleene star (∗) and concatenation (;) have their standard meaning.
IOS(α1 ∪ α2) def= IOS(α1) ∪ IOS(α2)
IOS(α1;α2)
def
= IOS(α1); IOS(α2).
The Kleene star and concatenation rely on a special treatment of the termination symbol
√
.
For I1, I2 ⊆ IOS we define
I1; I2 def=
{
i1i2 : i1 ∈ I1 ∩ CIO∗ ∧ i2 ∈ I2
}
IOS(α∗) def=
⋃
n≥0
IOS(α)(n)
60
Chapter 4. Alternating-time stream logic 4.2. Syntax and semantics
where I(0)1
def
= {ε}, I(1)1 = I1, and I
(n+1)
1
def
= I1; I(n)1 .
As usual, we write α+ for α;α∗. Using standard methods for regular languages (see
e.g. [HMU06]), we first generate a nondeterministic finite automaton (NFA) Z over the
alphabet Σ = IOC√ for a stream expression α and then transfer it into an NFA Zα with
alphabet Σ = CIO√ such that
L(Z) = L(Zα) = IOS(α).
Let from now on Zα denote an NFA with alphabet Σ = CIO√ with the above property.
The quiescent states are characterized by the state formula ∃〈√〉true, while ∀〈√〉true is
satisfied in exactly those states where no concurrent I/O-operation is enabled. The path
formula [[tt∗;
√
]]false is characteristic for the infinite paths, while 〈tt∗;√〉true holds exactly
for the finite paths.
Clearly, the use of stream expressions rather than NFA in ASL path formulas does not affect
the expressiveness of ASL. Using well-known techniques for regular expressions and NFA,
each ASL path formula can be transformed to an equivalent formula with stream expressions
in the modalities 〈α〉 and [[α]] rather than 〈Z〉 and [[Z]]. The transformation, however, can
cause an exponential blow-up.
Sub-logics (ASL ⊃ BTSL ⊃ CTL). The sub-logic BTSL as presented in [KB09] is a
branching-time logic which can be derived from ASL. The standard existential and univer-
sal path quantifiers that range over all paths can be derived using the EN and AN -quantifiers
with the port-set N = ∅.
∀ϕ def= E∅ϕ and ∃ϕ def= A∅ϕ
This is due to the fact that N -strategies for the empty port-set N = ∅ cannot rule out any
concurrent I/O-operation, i.e., CIO ⊆ S(η) for each ∅-strategy S and execution η. Hence,
all paths are S-paths.
The abstract syntax of BTSL can be described by the following grammar.
Φ ::= true
∣∣∣ a ∣∣∣ Φ1 ∧ Φ2 ∣∣∣ ¬Φ ∣∣∣ ∃ϕ
ϕ ::= 〈Z〉Φ
∣∣∣ [[Z]]Φ ∣∣∣ Φ1 UΦ2 ∣∣∣ Φ1 RΦ2
The sub-logic CTL (computation tree logic) first proposed in [CE81] corresponds to BTSL,
but without the dataflow quantifiers 〈Z〉 and [[Z]]. To preserve the CTL next step operator
we explicitly include it into the syntax.
Φ ::= true
∣∣∣ a ∣∣∣ Φ1 ∧ Φ2 ∣∣∣ ¬Φ ∣∣∣ ∃ϕ
ϕ ::= XΦ
∣∣∣ Φ1 UΦ2 ∣∣∣ Φ1 RΦ2
61
4.2. Syntax and semantics Chapter 4. Alternating-time stream logic
Example 4.2.3. For a simple example, consider a system consisting of two components
CA and CB that are connected via a FIFO1 channel with a single buffer cell as illustrated
in the left part of Figure 4.2. The corresponding constraint automaton for the data domain
Data = {0, 1} is depicted on the right where we treat CA and CB as black box components.
Suppose that empty is an atomic proposition stating that the buffer is empty. Then, the ASL
CA CB q0
p1
p2
A
dA = 0
dA = 1
dB = 0
dB = 1
B
{empty}
Figure 4.2: Two components connected via a FIFO channel
state formula EA2 empty asserts that component CA has the power to ensure that the buffer
remains always empty. In fact, we have
q0 |= EA2 empty
as the memoryless A-strategy that assigns {√} ∪ {c ∈ CIO : B ∈ active(c)} to all states is
winning for state q0 and the objective 2 empty. Similarly,
q0 |= EA2 (buffer 6= 0)
holds where (buffer 6= 0) is an atomic proposition stating that either the buffer is empty or
contains a data value different from 0. However, A has no strategy that ensures that A can
write two times to the buffer. That is,
q0 6|= EA〈tt∗;A; tt;A〉true.
The reason for this is that once CA has written some value into the buffer then CA is not
in the position to force CB to read the written value eventually. But if CB never takes the
element from the buffer then CA’s writing request at port A remains disabled forever.
Standard turn-based games are determined [BL69, Mar75]. In our setting, determinacy
means that given a state q, a coalition C and a winning objective ϕ, then either C has a
strategy to ensure that ϕ holds or the opponents, i.e., all agents not in C, have a strategy to
ensure that ¬ϕ holds. This does not hold for the ASL games. We illustrate this phenomenon
by means of two toy examples.
62
Chapter 4. Alternating-time stream logic 4.2. Syntax and semantics
Example 4.2.4 (ASL games are not determined). A system with two components CA and
CB with one output port each (called A and B, respectively) is shown on the left of Fig-
ure 4.3 where we used the Reo syntax to depict the network. The glue code consists of two
circular FIFO channels with a single buffer cell. The picture on the right of Figure 4.3 shows
a corresponding constraint automaton where we treat CA and CB as black box components
and assume that the internals of the Reo connector are hidden. Initially (state q0), the upper
buffer contains the data item 0, while the lower buffer is empty. For the data domain we
assume that Data = {0}. As long as neither CA nor CB writes into the buffer then the
data item 0 can alternate between the upper and lower buffers via a non-observable step (the
empty concurrent I/O-constraint c∅). In state q0 the write operation at port A of component
CA is blocked (as the upper buffer is full), while component CB can write into the lower
buffer by performing a write operation at port B. The situation where the lower buffer is
full and the upper buffer is empty (state q1) is symmetric. As soon as one of the compo-
nents writes on its output port, both buffers become full (state q2) which blocks any further
dataflow in the network. We now consider the ASL state formula Φ = EA3¬∃X true. We
CA
CB
q0
c; q1
c;
q2
0
A
B {B}
{A}
Figure 4.3: Network (left) and constraint automaton (right)
first observe that q |= ¬∃X true iff q = q2. Thus, Φ asserts that port A (i.e., component
CA) has a strategy to ensure that eventually state q2 will be reached. Intuitively, one might
expect Φ to hold for states q0 and q1, since a write operation at port A is enabled in state q1
and leads to state q2. However, this is not the case since CA cannot avoid the path
π = q0
c∅−−→ q1
c∅−−→ q0
c∅−−→ . . .
where no I/O-operation at A or B will be performed. Note that π is a S-path for any A-
strategy S that offers a write operation at port A whenever the system is in state q1, e.g., the
memoryless strategy S(qi) = CIO. Thus, A has no winning strategy for 〈q0,3¬∃X true〉.
Therefore
q0 6|= EA3¬∃X true
which can be rephrased as q0 |= AA2∃X true stating that A cannot avoid that the system
is always in one of the states q0 or q1. On the other hand, the opponent CB does not have
a winning strategy for the objective ¬3¬∃X true ≡ 2∃X true either, as CB cannot avoid
that in state q1 the A-transition to state q2 will be taken eventually.
63
4.2. Syntax and semantics Chapter 4. Alternating-time stream logic
In the above example, the property to reach state q2 cannot be enforced by A since the
writing request by component CA might be ignored forever. This pathological case can be
ruled out by imposing appropriate fairness assumptions where all controllable concurrent
I/O-operations that are infinitely often offered by a strategy will be taken infinitely often
(see Section 4.5). However, even under such fairness assumptions the multi-player game
associated with a constraint automaton is not determined, because of the internal nondeter-
minism that is inherent in the choice between transitions with the same source state and the
same I/O-operation.
Example 4.2.5 (ASL games are not determined (internal nondeterminism)). Consider a
network with three components CA, C1, C2 as shown on the left in Figure 4.4. The compo-
nents C1 and C2 have one input and one output port, whereas CA has one output port Aout
and two input ports Ain1 and A
in
2 . We assume that the interface specifications of CA, C1,
and C2 declare that their read and write actions alternate. That is, component CA serves
as an initial producer (i.e., it starts with a write) and C1 and C2 as initial consumers (i.e.,
each starts with a read). Again we use Reo syntax to specify the glue code and hide the
internals of the connector when looking at the constraint automaton. The network consists
of three synchronous channels, a component connector that realizes an exclusive router and
two FIFO1 channels. The (data-abstract) operational semantics of this network is modeled
by the constraint automaton with the port-set
N = {Ain1 , Ain2 , Aout, Bin1 , Bout1 , Bin2 , Bout2 }
shown on the right in Figure 4.4. In the initial state q0 the two buffers are empty and the
CA
C1
C2
EXR
Ain1
Ain2
Bout1
Bout2
q0
q1
q2
q3
q4
{Bin1 }
{Aout}
{Aout}
{Bin2 }
{Ain1 , Bout1 }
{Ain2 , Bout2 }
Bin1
Bin2
Aout
Figure 4.4: Network with three components and its constraint automaton
only possible action is a write operation performed by CA at its output port Aout. Then,
the exclusive router delivers the data item written by CA to one of the two buffers where
the decision of which buffer is chosen is resolved internally in a nondeterministic way.
Depending on which buffer is full, we are in state qi where i = 1 or i = 2, and then
component Ci can perform a read operation on its input port Bini to take the data item
written by CA from the buffer. The resulting state is q3 or q4, and CA can synchronize with
Ci via the synchronous channel Aini B
out
i which leads back to the initial state q0.
64
Chapter 4. Alternating-time stream logic 4.2. Syntax and semantics
Because of the nondeterminism in the initial state q0, neither CA has the power to enforce
that state q1 will be reached eventually, nor does the coalition {C1, C2} have a strategy to
guarantee that state q1 will never be reached. Thus, we have that
q0 6|= EN3∃〈Bin1 〉true and q0 6|= EN\N2¬∃〈Bin1 〉true
where N = {Ain1 , Ain2 , Aout}. Note that q |= ∃〈Bin1 〉true iff q = q1.
As we have seen in the above two examples the reason for ASL not to be determined is based
on the fact that there are situations where neither the N -agents nor their opponents have a
winning strategy for ϕ and ¬ϕ, respectively. We will now consider deterministic turn-based
constraint automata, as for this class of system models ASL will become determined.
Definition 4.2.6 (Deterministic constraint automata). Let A = 〈Q,N ,−→, Q0,Q,AP , L〉
be a constraint automaton. A is deterministic if the transition relation can be written as a
partial function
δ : Q× CIO×Q
such that δ(q, c∅) 6= ⊥ implies δ(q, c) = ⊥ for all c ∈ CIO \ {c∅}.
Definition 4.2.7 ((Non)deterministic two-player turn-based game structures). Let A =
〈Q,N ,−→, Q0,Q,AP , L〉 be a constraint automaton and N ⊆ N a set of ports. A can be
interpreted as a two-player turn-based game structure for player N and player N \N if the
following three conditions hold:
i) The set of states Q can be partitioned into sets Q1 and Q2
ii) The transition relation −→ can be written as −→ = −→1 ∪ −→2, where:
−→1 ⊆ Q1 × CIO×Q2 with 〈q, c, q′〉 ∈ −→1 implies ∅ 6= active(c) ⊆ N
−→2 ⊆ Q2 × CIO×Q1 with 〈q, c, q′〉 ∈ −→2 implies ∅ 6= active(c) ⊆ N \N
iii) The set of initial states Q0 is either a subset of Q1 or of Q2.
A two-player turn-based game structure is deterministic if −→1 and −→2 can be written as
partial functions (cf. Definition 4.2.6).
Lemma 4.2.8 (ASL for turn-based games). LetA be a constraint automaton which is struc-
tured as in Definition 4.2.7 with player N and player N \N for some N ⊆ N . Further-
more, let q ∈ Q be a state in A and ϕ an ASL path formula. Then,
q |= ENϕ ⇐⇒ q 6|= EN\N¬ϕ
(
⇐⇒ q |= AN\Nϕ
)
where the right equivalence holds by definition.
65
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Proof. We will prove this by contradiction and start with the assumption that
q |= ENϕ and q |= EN\N¬ϕ.
Hence, there exists an N -strategy S and a N \N -strategy S′ such that
i) π |= ϕ for all S-paths π starting in q and
ii) π 6|= ϕ for all S′-paths π starting in q
Thus, there is no path π ∈ Paths(q,S) ∩ Paths(q,S′). We will now construct such a path
which is in the intersection of both strategies. Let
η = q0
c1−−→ q1 c2−−→ . . . cn−−→ qn
be an execution of length n, which is a S-execution and at the same time a S′-execution.
For the case qn ∈ Q1 (according to Definition 4.2.7) we have that, if η is a complete S-
execution (according to Definition 4.1.3), then η is also a complete S′-execution. This is
due to the fact, that if S suggests to stop in qn ∈ Q1 (either by
√ ∈ S(η) or by S(η) = ∅),
the opponents strategy S′ can not force the game to continue. A symmetric argument holds
for qn ∈ Q2. Here we have that, if η is a complete S′-execution then η is also a complete
S-execution. Hence we can conclude that
η
√
−−→ qn is a path π ∈ Paths(q,S) ∩ Paths(q,S′).
Otherwise, if the execution η is not a complete execution in the above sense, we assume
w.l.o.g. that qn ∈ Q1 and show that η can be extended to a S-execution η′ = η c−→ qn+1 of
length n+1 for some c ∈ S(η). As active(c) ⊆ N we observe that c ∈ S′(η) and hence
η′ is also a S′-execution of length n+1. The execution η′ is either S′-complete or can be
further extended by some c′ ∈ S′(η′) to an S′-execution of length n+2 which is also a S-
execution now due to the fact the last state qn+2 of η′ is inQ2 and hence active(c′) ⊆ N\N .
Together with the observation that the execution η = q0 = q of length 0 is an S-execution
and a S′-execution at the same time and by repeating the above procedure, we can construct
a path π ∈ Paths(q,S) ∩ Paths(q,S′).
4.3. Branching-time and alternating-time model checking
This subsection explains the model-checking procedures for ASL state formulas. First we
will illustrate the model checking for the sublogic BTSL. We then present the methods
for the ASL operators EN (Φ1 UΦ2), EN (Φ1 RΦ2), EN 〈Z〉Φ and EN [[Z]]Φ as the remain-
ing operators can be handled with the help of standard methods for CTL model check-
ing [CES86].
66
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
The model-checking problem for ASL asks whether, for a given constraint automaton A
and ASL state formula Φ0, all initial states q0 ofA satisfy Φ0. The main procedure for ASL
model checking follows the standard approach for CTL-like branching-time [CES86] and
alternating-time logics [AHK02]. It recursively calculates the satisfaction sets
Sat(Φ)
def
= {q ∈ Q : q |= Φ}
for all subformulas Φ of Φ0. Thus, the CTL fragment of ASL can be checked by means of
a standard CTL model checker.
4.3.1. BTSL model checking
We explain here an algorithm for ∃〈Z〉Φ and ∃[[Z]]Φ. The treatment of formulas ∀〈Z〉Φ
and ∀[[Z]]Φ is obtained by the duality laws
∀〈Z〉Φ ≡ ¬∃[[Z]]¬Φ and ∀[[Z]]Φ ≡ ¬∃〈Z〉¬Φ.
For formulas of the form ∃〈Z〉Φ or ∃[[Z]]Φ, we build the product A⊗Z where the states
are pairs 〈q, z〉 consisting of a state q in A and a state z in Z .
Definition 4.3.1 (BTSL automata product). Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 and
Z = 〈Z,N ,−→Z , Z0, ZF 〉 be as before. We define the automaton A⊗Z as follows:
A⊗Z def= 〈Q× Z,N ,−→A⊗Z , Q0 × Z0,Q⊗ ,AP ′, L′〉.
The transitions in A⊗Z are obtained by the following rules:
q
c−→A q′ ∧ z c−→Z z′
〈q, z〉 c−→A⊗Z 〈q′, z′〉
q is quiescent in A ∧ z
√
−−→Z z′
〈q, z〉
√
−−→A⊗Z 〈q, z′〉
(4.1)
where we use the subscripts A, Z or A⊗Z for the transition relations in A, Z and A⊗Z ,
respectively. The atomic propositions and labeling function in A⊗Z are given by the set
AP ′ = AP ∪ {aΦ,final} and the following conditions:
aΦ ∈ L′(〈q, z〉) iff q |= Φ
final ∈ L′(〈q, z〉) iff z ∈ ZF
a ∈ L′(〈q, z〉) iff a ∈ L(q)
Please note, that Z and A make use of the same port-set N and thus (besides the special
treatment of
√
) their product A⊗Z corresponds to the synchronous part of the constraint
automaton product ( ./ ) as introduced by rule (2.2) in Definition 2.1.8.
67
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
The following proposition now provides a reduction to CTL.
Proposition 4.3.2 (Reduction to CTL).
(a) q |=A ∃〈Z〉Φ iff there exists z0 ∈ Z0 with
〈q, z0〉 |=A⊗Z ∃3(aΦ ∧ final).
(b) If Z is deterministic then
q |=A ∃[[Z]]Φ iff 〈q, z0〉 |=A⊗Z ∃2(final→ aΦ)
where z0 is the initial state of Z .
Proof.
(a) If q |=A ∃〈Z〉Φ then there exists a finite execution
η = q0
↑
q
c1−−→ . . . ck−−→ qk ∈ Execfin(A)
such that q = q0, c1 . . . ck ∈ L(Z), and qk |=A Φ.
Let θ = z0
c1−−→ . . . ck−−→ zk be an accepting run in Z for c1 . . . ck, i.e., zk ∈ ZF and
z0 ∈ Z0. Then,
η̃ = 〈q0, z0〉 c1−−→ . . . ck−−→ 〈qk, zk〉 ∈ Execfin(A⊗Z)
and hence, 〈q, z0〉 |=A⊗Z ∃3(aΦ ∧ final).
Let us now assume that 〈q, z0〉 |=A⊗Z ∃3(aΦ ∧ final) where z0 ∈ Z0. Then, there
exists a finite execution
η̃ = 〈q0, z0〉 c1−−→ . . . ck−−→ 〈qk, zk〉 ∈ Execfin(A⊗Z)
with 〈q0, z0〉 ∈ Q0×Z0 and 〈qk, zk〉 |=A⊗Z (aΦ∧final), i.e., qk |=A Φ and zk ∈ ZF .
Thus,
θ = z0
c1−−→ . . . ck−−→ zk
is an accepting run for c1 . . . ck in Z . This yields c1 . . . ck ∈ L(Z). Since qk |=A Φ,
η =
q
↓
q0
c1−−→ . . . ck−−→ qk
is an execution in A, which can be extended to a complete execution, i.e., a path π,
such that π |= 〈Z〉Φ.
68
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
(b) Let Z be deterministic and z0 the initial state of Z . If q |=A ∃[[Z]]Φ then there exists
a path
π = q0
↑
q
c1−−→ q1 c2−−→ q2 c3−−→ . . . ∈ Paths(A)
such that π |= [[Z]]Φ. Let us consider a prefix η = π ↓ k = q0 c1−−→ . . . ck−−→ qk of
path π. If there is no corresponding run for c1 . . . ck inZ and henceZ does not accept
c1 . . . ck, π can be lifted to a path in A⊗Z where 2(final → aΦ) holds. Otherwise
let
θ = z0
c1−−→ . . . ck−−→ zk
be the unique run for c1 . . . ck in Z . Then, zk ∈ ZF implies qk |=A Φ. Thus,
path π can be lifted to a path in A⊗Z where 2(final → aΦ) holds. This yields
〈q, z0〉 |=A⊗Z ∃2(final→ aΦ).
Let us now assume that 〈q, z0〉 |=A⊗Z ∃2(final→ aΦ) and let
π̃ = 〈q0, z0〉 c1−−→ 〈q1, z1〉 c2−−→ . . . ∈ Paths(A⊗Z)
be a path in A⊗Z where q = q0 and π̃ |=A⊗Z 2(final→ aΦ).
The projection of π̃ to the A-components yields a path π in A starting in state q. We
now show that π |=A [[Z]]Φ. Let
η = π ↓ k = q0
↑
q
c1−−→ . . . ck−−→ qk
be a prefix of π. Then, z0
c1−−→ . . . ck−−→ zk is the (unique) run in Z for the word
c1 . . . ck. Since η |= 2(final → aΦ), we have: zk ∈ ZF implies qk |=A Φ. This
yields the claim.
Part (a) of Proposition 4.3.2 allows to compute Sat(∃〈Z〉Φ) by means of a backward reach-
ability analysis inA⊗Z as shown in Algorithm 1, where PreA⊗Z(P ) returns the set of all
predecessor states of P ⊆ Q× Z in A⊗Z , i.e.,
PreA⊗Z(P )
def
= {〈q, z〉 ∈ Q× Z | 〈q, z〉 c−→ 〈q′, z′〉 ∈ P}
∪ {〈q, z〉 ∈ Q× Z | 〈q, z〉
√
−−→ 〈q, z′〉 ∈ P}
69
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Algorithm 1 Computation of Sat
(
∃〈Z〉Φ
)
P := {〈q, z〉 ∈ Q× Z | q ∈ Sat(Φ) ∧ z ∈ ZF };
repeat
V := P ;
P := P ∪ PreA⊗Z(P );
until (V = P );
return {q ∈ Q | ∃z0 ∈ Z0 s.t. 〈q, z0〉 ∈ P};
Note that part (b) of Proposition 4.3.2 becomes wrong if Z is nondeterministic. For an NFA
Z , there may exist two runs
θ = z0
c1−−→Z z1 c2−−→Z . . . and θ′ = z′0
c1−−→Z z′1
c2−−→Z . . .
in Z for the same sequence of concurrent I/O-operations, where only one of them is accept-
ing. This fact may induce two different paths in the product automatonA⊗Z (correspond-
ing to a single path in A), one of them satisfying 2(final → aΦ), while this property does
not hold for the other path. The problem is that the non-accepting run yields a witness for
∃2(final→ aΦ)
in the product. The following example illustrates this phenomenon.
Example 4.3.3 (NFA vs. DFA). Figure 4.5 shows a constraint automatonA and an NFA Z
where the boxed state z0 ∈ ZF is accepting. Let N = {A} be the common port-set of A
q0
{A} ^ dA = 1
q1
tt
z0 z1
{A} ^ dA = 1
tt tt
Figure 4.5: Constraint automaton A and NFA Z with L(Z) = (c(A) = 1)∗
and Z . The recognized language of Z is
L(Z) = (c(A) = 1)∗
Assuming that q0 |= Φ and q1 6|= Φ it becomes obvious that A 6|= ∃[[Z]]Φ.
When building the product as shown in Figure 4.6 it turns out that
A⊗Z |= ∃2(final→ aΦ)
holds, since
π̃ = 〈q0, z0〉 c−→ 〈q1, z1〉 c−→ 〈q1, z1〉 . . . ∈ Paths(A⊗Z)
70
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
{A} ! dA = 1
!q0, z0"
!q1, z0"
!q1, z1"{A} ! dA = 1
{A} ! dA = 1
tt
tt
Figure 4.6: Product automaton A⊗Z
with c(A) = 1 is a possible path within the product automaton.
For Sat(∃[[Z]]Φ), part (b) of Proposition 4.3.2, therefore, suggests to switch from Z to an
equivalent deterministic finite automaton (DFA) and a fixpoint computation on the product
of A and the DFA Z . Algorithm 2 computes Sat(∃[[Z]]Φ).
Algorithm 2 Computation of Sat
(
∃[[Z]]Φ
)
for NFA Z
construct a DFA Z ′ = 〈Z,N ,−→Z , z0, ZF 〉 from NFA Z;
P := {〈q, z〉 ∈ Q× Z | q ∈ Sat(Φ) ∨ z 6∈ ZF };
repeat
V := P ;
P := P ∩ PreA⊗Z′(P );
until (V = P );
return {q ∈ Q | 〈q, z0〉 ∈ P};
4.3.2. ASL model checking
The interesting part of the ASL model checking is the calculation of Sat(ENϕ) for an ASL
path formula ϕ and port-set N ⊆ N . The essential ingredient for this is a modified prede-
cessor operator Pre(P,N) for some P ⊆ Q, which in the case of ASL depends on the set
N and is defined as the set of all states q ∈ Q such that the agents controlling the N -ports
have a strategy which guarantees to move within one step to a state in P ⊆ Q.
Definition 4.3.4 (Post, Pre-operator). If c is a concurrent I/O-operation and q a state then
Post[c](q) def= {p ∈ Q : q c−→ p}.
71
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Let P ⊆ Q and let N ⊆ N be a port-set. Then, Pre(P,N) denotes the set of all states
q ∈ Q such that the following two conditions hold:
(1) for all c ∈ CIO(q) such that active(c) ∩N = ∅ we have Post[c](q) ⊆ P
(2) there exists c ∈ CIO(q) such that active(c) ⊆ N and Post[c](q) ⊆ P.
Recall that CIO(q) denotes the set of all concurrent I/O-operations that are enabled in state q.
Condition (1) is needed to ensure that no uncontrollable transition (from the view of the
N -agents) leads to a state outside of P , while condition (2) asserts the existence of at least
one concurrent I/O-operation that is controllable by the N -agents and certainly leads to a
state in P .
Lemma 4.3.5 (Correctness of the Pre-operator). Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 be
a constraint automaton as before, P ⊆ Q a set of states in A, and let N ⊆ N be a port-set.
Then,
Pre(P,N) =
{
q ∈ Q : q |= EN XP
}
.
Proof. “⊆”: Suppose that q ∈ Pre(P,N). Let S be a memoryless N -strategy such that
S(q) = {c ∈ CIO : active(c) ∩N = ∅} ∪
{c ∈ CIO(q) : active(c) ⊆ N ∧ Post[c](q) ⊆ P}.
We then have:
• {c ∈ S(q) : active(c) ⊆ N} 6= ∅ by condition (2) in Definition 4.3.4,
• Post[c](q) ⊆ P for all c ∈ S(q) ∩ CIO(q) by condition (1) in Definition 4.3.4.
Hence, each S-complete S-execution η from q starts with a transition q c−→ p where
c ∈ S(q) ∩ CIO(q). But then π |= XP for all π ∈ Paths(q,S). Thus, S yields a
witness for q |= EN XP .
“⊇”: Suppose now that q |= EN XP . We have to check conditions (1) and (2) in Defini-
tion 4.3.4. Let S be a memoryless N -strategy winning for 〈q, XP 〉.
(1) Let c ∈ CIO(q) such that active(c) ∩N = ∅ and let p ∈ Post[c](q). By the require-
ments for N -strategies, we have c ∈ S(q). Let π be an arbitrary S-path that starts
with the transition q c−→ p. Since π |= XP we get p ∈ P .
72
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
(2) If q is quiescent then the execution q of length 0 cannot be S-complete, since
q
√
−−→ q 6|= X true
and XP holds for all S-paths from q. Hence, there exists a concurrent I/O-operation
c ∈ CIO(q) ∩ S(q) such that active(c) ⊆ N . We now show that Post[c](q) ⊆ P .
For each state p ∈ Post[c](q) there exists a S-path π that starts with the transition
q
c−→ p. As π |= XP we get p ∈ P .
As for standard CTL (and ATL), the semantics of the until and release operator have a
fixed point characterization. The set Sat(EN (Φ1 UΦ2)) is the least fixpoint, while the set
Sat(EN (Φ1 RΦ2)) is the greatest fixpoint of the following operators 2Q → 2Q:
P 7→ Sat(Φ2) ∪ (Pre(P,N) ∩ Sat(Φ1)) (until)
P 7→ Sat(Φ2) ∩ (Pre(P,N) ∪ Sat(Φ1)) (release)
The treatment of the modalities until and release in ASL relies (as for standard CTL and
ATL) on expansion laws. For ASL we have the following expansion laws:
EN (Φ1 UΦ2) ≡ Φ2 ∨ (Φ1 ∧ EN XEN (Φ1 UΦ2))
EN (Φ1 RΦ2) ≡ Φ2 ∧ (Φ1 ∨ EN XEN (Φ1 RΦ2))
where ≡ denotes equivalence of ASL state formulas. On the basis of the expansion laws,
we obtain that for winning objectives formalized by ASL path formulas ϕ of the form
(Φ1 UΦ2) or (Φ1 RΦ2), memoryless strategies are sufficient. Furthermore, the satisfaction
set Sat(ENϕ) can be computed by means of the standard procedures to compute least and
greatest fixed points of monotonic operators.
The main steps are summarized in Algorithms 3 and 4 which, at the same time, compute a
memoryless N -strategy S that is winning for all states q where EN (Φ1 UΦ2) (respectively
EN (Φ1 RΦ2)) holds. The correctness of these algorithms is stated in the following lemma.
Lemma 4.3.6 (Correctness of Algorithms 3 and 4). Let A be a constraint automaton as
before, N ⊆ N a port-set and let Φ1 and Φ2 be ASL state formulas. Then:
(a) Algorithm 3 correctly returns the set Sat(EN (Φ1 UΦ2)) and the computed memory-
less N -strategy S is winning for all states q ∈ Sat(EN (Φ1 UΦ2)) and the ASL path
formula (Φ1 UΦ2).
(b) Algorithm 4 correctly returns the set Sat(EN (Φ1 RΦ2)) and the computed memory-
less N -strategy S is winning for all states q ∈ Sat(EN (Φ1 RΦ2)) and the ASL path
formula (Φ1 RΦ2).
73
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Algorithm 3 Algorithm for computing Sat
(
EN (Φ1 UΦ2)
)
P0 := Sat(Φ2);
i := 0;
repeat
Pi+1 := Pi ∪
(
Sat(Φ1) ∩ Pre(Pi, N)
)
;
for all states p ∈ Pi+1 \ Pi do
S(p) :=
{
c ∈ CIO : active(c) ∩N = ∅ ∨ ∅ 6= Post[c](p) ⊆ Pi
}
;
end for
i := i+1;
until Pi = Pi−1;
for all states p ∈ (Q \ Pi) ∪ Sat(Φ2) do
S(p) := CIO√;
end for
return Pi; (* Pi = Sat(EN (Φ1 UΦ2)) *)
Algorithm 4 Algorithm for computing Sat
(
EN (Φ1 RΦ2)
)
for all states p ∈ Q do
S(p) := CIO√;
end for
P0 := Sat(Φ2);
i := 0;
repeat
Pi+1 := Pi ∩
(
Sat(Φ1) ∪ Pre(Pi, N)
)
;
for all states p ∈ Pi+1 \ Sat(Φ1) do
S(p) := S(p) \ { c ∈ CIO(p) : Post[c](p) 6⊆ Pi };
end for
i := i+1;
until Pi = Pi−1;
return Pi; (* Pi = Sat(EN (Φ1 RΦ2)) *)
74
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
Proof. Both algorithms rely on the standard iterative approach to compute least and great-
est fixed points of monotonic operators. This yields that the returned sets Pi agree with
the satisfaction set Sat(EN (Φ1 UΦ2)) and Sat(EN (Φ1 RΦ2)), respectively. It remains to
check that the computed strategies are winning.
ad (a). Let j be the number of iterations of the repeat-loop in Algorithm 3. Then:
Sat(Φ2) = P0 ( P1 ( . . . ( Pj−1 ( Pj = Sat(EN (Φ1 UΦ2))
Let us first observe that S is indeed an N -strategy, i.e., S(q) contains all c ∈ CIO where
active(c) ∩N = ∅. This condition is obvious for the states q ∈ (Q \ Pj) ∪ Sat(Φ2). If q is
a state in Pi+1 \ Pi, then
{c ∈ CIO : active(c) ∩N = ∅} ⊆ S(q)
by the definition of S(q).
It remains to check that Φ1 UΦ2 holds for all S-paths that start in a state q ∈ Pj . This is
obvious for q ∈ Sat(Φ2). Suppose q ∈ Pi+1 \ Pi where 0 ≤ i < j. Then, q ∈ Pre(Pi, N).
By the definition of the Pre-operator and the definition of S(q) we obtain:
• Post[c](q) ⊆ Pi for all c ∈ S(q) and
• S(q) ∩ {c ∈ CIO(q) : active(c) ⊆ N} 6= ∅.
From this, we get by induction on n that for each finite S-execution
η = q0
c0−−→ q1 c1−−→ . . . cn−−→ qn
where q0 |= EN (Φ1 UΦ2) and qi 6|= Φ2 for 0 ≤ i ≤ n the following two conditions hold:
• There exist indices j ≥ j0 > j1 > j2 > . . . > jn such that qi ∈ Pji for 0 ≤ i ≤ n.
• η is not S-complete, i.e., there is a c ∈ S(qn) ∩ CIO(qn) with active(c) ⊆ N .
As Pi ⊆ Sat(Φ1) for i ≥ 1 and P0 = Sat(Φ2) we obtain that π |= (Φ1 UΦ2) for each
S-path π that starts in a state q0 ∈ Pj = Sat(EN (Φ1 UΦ2)).
ad (b). Let j be the number of iterations of the repeat-loop in Algorithm 4. Then, Algo-
rithm 4 returns the set Pj and we have
Sat(EN (Φ1 RΦ2)) = Pj ( Pj−1 ( . . . ( P0 = Sat(Φ2).
We first check that S meets the condition required forN -strategies, i.e., S does not rule out
any non-controllable concurrent I/O-operation. This is obvious for the states p ∈ Sat(Φ1)∪
(Q \ Pj). If p ∈ Pj \ Sat(Φ1) then
{c ∈ CIO(p) : Post[c](p) ⊆ Pj} ⊆ S(p).
75
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Furthermore, p ∈ Pre(Pj , N) which yields that Post[c](p) ⊆ Pj for all c ∈ CIO with
active(c) ∩N = ∅ by condition (1) in Definition 4.3.4.
We now show that Φ1 RΦ2 holds for all S-paths that start in a state q ∈ Pj . For the states
q ∈ Pj ∩ Sat(Φ1) we have q |= Φ1 ∧ Φ2, and therefore π |= (Φ1 RΦ2) for all paths π
starting in q. If q ∈ Pj \ Sat(Φ1) then for all c ∈ S(q) we have Post[c](q) ⊆ Pj (by
definition of S) and q ∈ Pre(Pj , N). The definition of the Pre-operator yields the existence
of a concurrent I/O-operation c ∈ CIO(q) such that
active(c) ⊆ N and Post[c](q) ⊆ Pj .
But then c ∈ S(q), and each S-execution ending in q is S-incomplete.
Hence, each S-path π = q0
c1−−→ q1 c2−−→ . . . ∈ Paths(q0,S) starting in a state q0 ∈ Pj is
either
• infinite and consists of states in Pj \ Sat(Φ1) or
• has a prefix q0 c1−−→ . . . cn−−→ qn where q0, . . . , qn−1 |= Φ2 and qn |= Φ1 ∧ Φ2.
In both cases, we have π |= (Φ1 RΦ2).
It remains to provide algorithms for the computation of the satisfaction sets for ASL state
formulas of the form EN 〈Z〉Φ or EN [[Z]]Φ. In what follows, we assume that N is a
nonempty subset of N . To compute the satisfaction sets of EN 〈Z〉Φ or EN [[Z]]Φ, we
follow an automata-theoretic approach which resembles the standard automata-based LTL
model-checking procedure and relies on model checking ASL state formulas of the form
EÑ3Φ and EÑ2Φ, respectively, in the product of A and Z .
In the sequel, let Z = 〈Z,N ,−→Z , z0, ZF 〉 without loss of generality be a deterministic
finite automaton. Given A and Z , we built the product AZ , similar to the product of
finite automata and the join operator for constraint automata [BSAR06], but with special
treatment of the pseudo-transitions with label
√
. In fact, the product construction we use
here differs from those used in the BTSL model-checking procedure presented in the be-
ginning of this section since in the context of the EN -operator we have to incorporate the
possibilities of the N -agents to enforce termination. For this purpose, the product will use
an additional controllable port A√. Thus, forAZ we will ask for (N ∪{A√})-strategies
rather than N -strategies. Furthermore, let cstop denote some concurrent I/O-operation with
active(cstop) = {A√}. The data item cstop(A√) is irrelevant. It can be an arbitrary element
from the data domain Data. The treatment of ASL state formulas of the form EN 〈Z〉Φ has
been illustrated in Figure 4.7.
76
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
EN hZi , with DFA Zautomaton A
constraint
hq, z0i |=A Z EN[{Ap}⌃(a  ^ final)
compute the set of states q in A s.t.
construct the product A  Z
ASL state formula
Figure 4.7: Schema for the treatment of EN 〈Z〉Φ
Definition 4.3.7 (ASL automata product). Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 and Z =
〈Z,N ,−→Z , z0, ZF 〉 be as before. Furthermore, let N ⊆ N a port-set and Φ an ASL state
formula. We define the product automaton AN,ΦZ , or briefly AZ as follows:
AZ def= 〈Q× Z,N ∪ {A√},−→, Q0 × {z0},Q ,AP ′, L′〉
where A√ is a fresh port-name (not yet contained in N ). The transitions in AZ for q in
A and state z ∈ Z \ Z√ are obtained by the following synchronization rule which agrees
with the first part of rule (4.1) in the BTSL product (cf. Definition 4.3.1).
q
c−→A q′ ∧ z c−→Z z′
〈q, z〉 c−→AZ 〈q′, z′〉
(4.2)
In addition, we have the following rules for each quiescent state q inA and state z ∈ Z \Z√
which replaces the second part of rule (4.1) for quiescent states in the BTSL product (cf.
Definition 4.3.1).
z
√
−−→Z z′ ∧ q is quiescent ∧ ¬∃c ∈ CIO(q) s.t. active(c) ⊆ N
〈q, z〉 c∅−−→ 〈q, z′〉
(4.3)
z
√
−−→Z z′ ∧ q is quiescent ∧ ∃c ∈ CIO(q) s.t. active(c) ∩N 6= ∅
〈q, z〉 cstop−−−→ 〈q, z′〉
(4.4)
The atomic propositions and labeling function in AZ are the same as in the BTSL prod-
uct A⊗Z and given by the set AP ′ = AP ∪ {aΦ,final} and the following conditions:
aΦ ∈ L′(〈q, z〉) iff q |= Φ
final ∈ L′(〈q, z〉) iff z ∈ ZF
a ∈ L′(〈q, z〉) iff a ∈ L(q).
77
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Rule (4.3) in Definition 4.3.7 formalizes the fact that if q is quiescent and there is no
c ∈ CIO(q) such that active(c) ⊆ N then the opponents of the N -agents may refuse any
write or read operation and can therefore enforce dataflow to stop. This is modeled in the
product by a transition with the label c∅. Rule (4.4) stands for the fact that whenever q is
a quiescent state for which some concurrent I/O-operation c is enabled where the N -ports
are involved then the N -agents might decide not to participate in any further I/O-operation.
This is modeled in the product by a transition with the label cstop where the new port A√ is
supposed to be controllable.
Properties of the ASL product. As stated in the beginning of Section 4.2, we suppose Z
contains a special subset Z√ ⊆ Z such that for all states z ∈ Z:
z
√
−−→Z z′ implies z′ ∈ Z√.
Thus, for all transitions of the product generated by the rules (4.3) and (4.4) in Defini-
tion 4.3.7, a state in 〈q, z〉 ∈ S√
S√
def
= Q× Z√
will be entered. For technical reasons we add self-loops with label c∅ for the states in S√:
〈q, z〉 c∅−−→ 〈q, z〉
These transitions ensure that all paths in the product that eventually enter a state 〈q, z〉 ∈ S√
are infinite and repeat state 〈q, z〉 forever.
The following lemma states some properties of quiescent states in the product. Remem-
ber that a quiescent state in a constraint automaton might have outgoing transitions with
nonempty port-sets (cf. Definition 4.1.2).
Lemma 4.3.8 (Quiescent states in the ASL product). If 〈q, z〉 is quiescent in AZ then
(a) q is quiescent in A,
(b) there is a c ∈ CIO(q) such that ∅ 6= active(c) ⊆ N , and
(c) cstop is enabled in 〈q, z〉.
Proof. Let 〈q, z〉 be a quiescent state in the product. Thus, c∅ /∈ CIO(〈q, z〉).
ad (a). Each transition q
c∅−−→A p in A can be lifted to a transition in the product:
〈q, z〉 c∅−−→ 〈p, z′〉
78
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
where z
c∅−−→ z′. Hence, if state q is not quiescent in A, then 〈q, z〉 is not quiescent in the
product.
ad (b). There is some concurrent I/O-operation c ∈ CIO(q) such that active(c) ⊆ N , as
otherwise rule (4.3) would yield that c∅ is enabled in 〈q, z〉.
ad (c). We show that cstop ∈ CIO(〈q, z〉). This can be seen as follows:
We have c∅ /∈ CIO(q) (as q is quiescent in A by part (b)). Suppose by contradiction that
cstop /∈ CIO(〈q, z〉). Then, there is no c ∈ CIO(q) such that active(c) ∩N 6= ∅ (premise of
rule (4.4) in Definition 4.3.7). But then
active(c) ∩N = ∅ for all c ∈ CIO(q).
As c∅ /∈ CIO(q), there is no c ∈ CIO(q) such that active(c) ⊆ N . But then rule (4.3)
in Definition 4.3.7 yields c∅ ∈ CIO(〈q, z〉). This contradicts the assumption that 〈q, z〉 is
quiescent in the product.
We will now investigate the relationship of paths in A and paths in the product AZ .
For this we need the notion of A-projections of paths in the product which are roughly
obtained by dropping the Z-components from the states. Moreover, we will need the notion
of Z-projection which is defined analogously by dropping the A-components.
Definition 4.3.9 (A-projections, Z-projections). For each transition in the product (ob-
tained by one of the above composition rules) we define its projection to A as follows:
• If 〈q, z〉 c−→ 〈q′, z′〉 arises by applying rule (4.2) in Definition 4.3.7 then its A-
projection is q c−→A q′.
• If 〈q, z〉 c−→ 〈q, z′〉 (where z′ ∈ Z√ and c ∈ {c∅, cstop}) is obtained from rule (4.3)
or rule (4.4) in Definition 4.3.7 then the A-projection is q
√
−−→A q.
• The A-projection of the pseudo-transition 〈q, z〉
√
−−→ 〈q, z〉 that might appear at the
end of a finite path in AZ is q
√
−−→A q.
Given a path π̃ in the product AZ that does not enter a state of the form 〈q, z〉 ∈ S√
then we define the A-projection projA(π̃) as the unique path in A that results by taking the
A-projection of all transitions in π̃. For a path π̃ that eventually enters a state of the form
〈q, z〉 with z ∈ ZF we ignore the (infinite) suffix
〈q, z〉 c∅−−→ 〈q, z〉 c∅−−→ . . .
and define projA(π̃) as the A-projection of the prefix of π that leads to 〈q, z〉.
79
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Similarly, we define the Z-projection projZ(π̃) as an infinite or finite sequence of elements
in Z of the same length as projA(π̃). Then, if π̃ starts in a state 〈q0, z0〉 (where z0 is
the initial state of Z) then projZ(π̃) is the run for the I/O-stream of projA(π̃) in Z . The
definitions of the projections are extended for executions (i.e., prefixes of paths) in the
obvious way.
Lemma 4.3.10 (Projection of paths in the ASL product). If π̃ is a path in AZ then
projA(π̃) is a path in A.
Proof. By Lemma 4.3.8, all paths in the product are infinite or end in a state 〈q, z〉 where
q is quiescent in A and cstop is enabled in 〈q, z〉. The projection of an infinite path π̃ in
the product that never enters a state in S√ is an infinite path in A, since all their transitions
arise by rule (4.2) (i.e., their labels are concurrent I/O-operations for the original name-set
N ). The same holds for all finite paths in the product that do not enter S√. They end in a
quiescent state 〈q, z〉 of the product. But then q is quiescent in A and the A-projection is a
finite path in A. Paths in the product AZ that eventually enter a state in S√ are infinite,
but they are projected to finite paths in A.
Lemma 4.3.11 (ASL path formulas 〈Z〉Φ). For each path π̃ in the product AZ starting
in a state 〈q, z0〉 we have:
π̃ |= 3(aΦ ∧ final) iff projA(π̃) |= 〈Z〉Φ.
Proof. Let π̃ be a path in the product starting in a state 〈q, z0〉 and let π def= projA(π̃) be its
A-projection.
“=⇒”: Suppose first that π̃ |= 3(aΦ ∧ final). Then, π̃ has a finite prefix that leads to a
state 〈p, z〉 where (aΦ ∧ final) holds. Hence, p |= Φ and z ∈ ZF . Let n be the length of this
prefix and let z0 z1 . . . zn be the sequence of states obtained by the projection projZ(π̃ ↓ n)
and c1 . . . cn = ios(π̃ ↓ n) its I/O-stream. We may suppose that n ≤ |π|. (Note that paths
that eventually enter a state 〈p, z〉 ∈ S√ stay in this state 〈p, z〉 forever.) Then, we have:
• c1 . . . cn = ios(π ↓ n)
• z0 z1 . . . zn is the run for c1 . . . cn in Z and zn = z ∈ ZF
But then c1 . . . cn is accepted by Z and we get c1 . . . cn ∈ L(Z). Furthermore, the last state
of π ↓ n is p. Since Φ holds in p, this yields π |= 〈Z〉Φ.
80
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
“⇐=”: Suppose now that π |= 〈Z〉Φ. Then, there is some prefix π ↓ n of π such that its
I/O-stream ios(π ↓ n) belongs to L(Z) and the last state p of π ↓ n belongs to Sat(Φ). Let
z0, . . . , zn be the run for ios(π ↓ n) in Z . Then, zn ∈ ZF and state 〈p, zn〉 is the last state
of π̃ ↓ n. As
〈p, zn〉 |= (aφ ∧ final)
we get π̃ |= 3(aΦ ∧ final).
We will now investigate the relation between strategies in A and strategies in the product
AZ .
Lemma 4.3.12 (Correspondence of strategies inA andAZ). Let S be anN -strategy for
A and S̃ an (N ∪ {A√})-strategy for AZ such that for all finite executions η̃ in AZ
starting in a state 〈q, z0〉 the following conditions hold:
(a) If c ∈ CIO is a concurrent I/O-operation then
c ∈ S̃(η̃) iff c ∈ S(projA(η̃))
(b) cstop ∈ S̃(η̃) iff
√ ∈ S(projA(η̃))
(c)
√
/∈ S̃(η̃).
Then, the A-projections of the S̃-paths starting in a state 〈q, z0〉 are exactly the S-paths
starting in q.
Proof. We first show that the A-projection of each S̃-path is a S-path:
• Each S̃-execution that enters S√ via a transition 〈p, z〉 c∅−−→ 〈p, z′〉 with z′ ∈ Z√ is
projected to a finite path π that ends with the pseudo-transition
p
√
−−→A p.
By the premise of rule (4.3) in Definition 4.3.7, we get that active(c) \ N 6= ∅ for
all c ∈ CIO(p). If n = |π|−1 then the prefix π ↓ n of π leads from some initial
state q0 ∈ Q0 to state p and constitutes a S-complete S-execution. Hence, π is a
finite S-path.
• Each S̃-execution that enters S√ via a transition 〈p, z〉 cstop−−−→ 〈p, z′〉 with z′ ∈ Z√
is also projected to a finite path π that ends with the pseudo-transition
p
√
−−→A p.
Again, let n = |π|−1. We regard the prefix η̃ = π̃ ↓ n of π̃ that leads from the first
state 〈q, z0〉 of π̃ to 〈p, z〉. Then, the concurrent I/O-operation cstop belongs to S̃(η̃).
By the second assumption on the relation between S̃ and S we get:
81
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
√ ∈ S(η) for the A-projection η = projA(η̃).
State p is quiescent by the premise of rule (4.4) in Definition 4.3.7. Hence, we get the
execution η = π ↓ n is S-complete. Therefore, π is a finite S-path.
• We now regard a S̃-complete finite execution η̃ that does not visit S√ and ends in
state 〈p, z〉. Then, 〈p, z〉 is quiescent and there is no concurrent I/O-operation
c̃ ∈ S̃(η̃) ∩ CIO(〈p, z〉)
such that active(c̃) ⊆ N ∪ {A√}. Hence, there is also no
c ∈ S(η) ∩ CIO(p)
such that active(c) ⊆ N . But then η def= projA(η̃) is a S-complete execution and
therefore the corresponding path π is a S-path.
• Given an infinite S̃-execution η̃ that does not enter S√, its A-projection is an infinite
path in A and therefore a S-path.
This shows that the projections of all S̃-paths are S-paths.
We now regard a S-path π in A and show that it is the A-projection of some S̃-path. This
is obvious if π is infinite, since then it can be lifted to an infinite S̃-path in the product that
does not enter S√. Assume now that the path
π = q0
c1−−→A . . . cn−−→A qn
√
−−→A qn
is finite and of length n+1. Let z0 z1 . . . zn zn+1 be the run for the I/O-stream c1 . . . cn
√
of π. Then,
η̃ = 〈q0, z0〉 c1−−→ . . . cn−−→ 〈qn, zn〉
is a S̃-execution in the product and its projection η def= projA(η̃) = π ↓ n is S-complete.
Hence, qn is quiescent and at least one of the following two conditions (1) or (2) holds:
(1)
√ ∈ S(η)
(2) there is no CIO c ∈ S(η) ∩ CIO(qn) such that active(c) ⊆ N .
If 〈qn, zn〉 is non-quiescent then (because of rule (4.3) in Definition 4.3.7) c∅ is enabled in
〈qn, zn〉 and we have:
Post[c∅](〈qn, zn〉) = {〈qn, z′〉}
where zn
cstop−−−→ z′. But then π is the projection of the infinite S̃-path
η̃
c∅−−→ 〈qn, z′〉
c∅−−→ 〈qn, z′〉
c∅−−→ . . .
where z0
cstop−−−→ z′.
82
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
Let us now assume that 〈qn, zn〉 is quiescent, i.e., c∅ is not enabled in 〈qn, zn〉. Then,
∅ 6= active(c) ⊆ N for all c ∈ CIO(qn)
because otherwise the premise of rule (4.3) in Definition 4.3.7 applies and 〈qn, zn〉 would
be non-quiescent.
Suppose first that case (1) applies. Then, cstop ∈ S̃(η̃) and
η̃
cstop−−−→ 〈qn, z′〉
c∅−−→ 〈qn, z′〉
c∅−−→ . . .
is an infinite S̃-path where z0
cstop−−−→ z′ and its A-projection is π.
Suppose now that case (2), but not case (1) applies. That is,
√
/∈ S(η) and there is no
concurrent I/O-operation c ∈ S(η)∩CIO(qn) such that active(c) ⊆ N . Then, cstop /∈ S̃(η̃).
Hence, there is no concurrent I/O-operation
c̃ ∈ S̃(η̃) ∩ CIO(〈qn, zn〉) such that active(c̃) ⊆ N ∪ {A√}.
But then η̃ is S̃-complete and
η̃
√
−−→ 〈qn, zn〉
is a S̃-path and its projection is π.
The following lemma formalizes the reduction of the model-checking problem for an ASL
state formula of the form EN 〈Z〉Φ to the problem of computing satisfaction sets for for-
mulas of the type EN∪{A√}3Φ in the product (which can be treated via Algorithm 3 as
presented on Page 74). Furthermore, it asserts the existence of finite-memory winning
strategies for objectives of the form 〈Z〉Φ.
Lemma 4.3.13 (Treatment of EN 〈Z〉Φ). Let A be a constraint automaton, and Z =
〈Z,N ,−→Z , z0, ZF 〉 a DFA. Furthermore, let q be a state in A, N ⊆ N and Φ an ASL
state formula. Then, the following statements are equivalent:
(a) q |= EN 〈Z〉Φ in A
(b) 〈q, z0〉 |= EN∪{A√}3(aΦ ∧ final) in AZ
(c) there exists a finite-memory N -strategy S that is winning for 〈q, 〈Z〉Φ〉.
83
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
Proof. The implication (c) “=⇒” (a) is obvious.
“(a) =⇒ (b)”: Suppose that q |= EN 〈Z〉Φ and that S is anN -strategy forA that is winning
for 〈q, 〈Z〉Φ〉. The goal is to define a corresponding (N ∪ {A√})-strategy S̃ for AZ .
Given a finite execution η̃ in the product we take itsA-projection η def= projA(η̃) and define
S̃(η̃)
def
=
{
S(η) : if
√
/∈ S(η)
(S(η) \ {√}) ∪ {cstop} : otherwise.
Then, S̃ and S are related as required in Lemma 4.3.12. Furthermore, for each path π̃ in
the product starting in a state 〈q, z0〉 we have:
π̃ |= 3(aΦ ∧ final) iff projA(π̃) |= 〈Z〉Φ
as shown in Lemma 4.3.11. Hence, S̃ is winning for the state 〈q, z0〉 in the product and the
objective 3(aΦ ∧ final).
“(b) =⇒ (c)”: Suppose 〈q, z0〉 |= EN∪{A√}3(aΦ ∧ final). Part (a) of Lemma 4.3.6 as-
serts the existence of a memoryless (N ∪ {A√})-strategy S̃ for AZ that is winning for
〈〈q, z0〉,3(aΦ ∧ final)〉.
We now define a finite-memory N -strategy M = (Modes,∆, µ,m0) for A as follows.
The set of modes agrees with the state-space of Z , i.e., Modes = Z. The decision function
µ is given by:
µ(q, z)
def
=
{
S̃(〈q, z〉) : if cstop /∈ S̃(〈q, z〉)
(S̃(〈q, z〉) \ {cstop}) ∪ {
√} : otherwise.
The transition relation ∆ is defined by ∆(z, q c−→ p) def= z′ where z c−→ z′.
It remains to show that M is winning for 〈q, 〈Z〉Φ〉. In fact, S̃ and M are related as in
Lemma 4.3.12. Again, we make use of the fact that π̃ |= 3(aΦ ∧ final) if and only if
projA(π̃) |= 〈Z〉Φ, provided that π̃ is a path in the product starting in a state 〈q, z0〉. Thus,
we may conclude that M is winning for 〈q, 〈Z〉Φ〉.
There is an analogous result for ASL state formulas of the type EN [[Z]]Φ where the objective
[[Z]]Φ in A is transformed to the objective 2(final → aΦ) in the product. The treatment of
ASL state formulas of the form EN [[Z]]Φ has been illustrated in Figure 4.8.
84
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
EN [[Z]] , with DFA Zautomaton A
constraint
hq, z0i |=A Z EN[{Ap}⇤(¬final _ a )
compute the set of states q in A s.t.
construct the product A  Z
ASL state formula
Figure 4.8: Schema for the treatment of EN [[Z]]Φ
Lemma 4.3.14 (Treatment of EN [[Z]]Φ). Let A be a constraint automaton, q be a state in
A and Z = 〈Z,N ,−→Z , z0, ZF 〉 a DFA. Furthermore, let N ⊆ N and Φ an ASL state
formula. Then, for all states q ∈ Q the following statements are equivalent:
(a) q |= EN [[Z]]Φ in A
(b) 〈q, z0〉 |= EN∪{A√}2(final→ aΦ) in AZ
(c) there exists a finite memory N -strategy S which is winning for 〈q, [[Z]]Φ〉.
Proof. The argument is analogous to the proof of Lemma 4.3.13 and relies on the observa-
tion that
π̃ |= 2(final→ aΦ) iff projA(π̃) |= [[Z]]Φ
for each path π̃ in the product starting in a state 〈q, z0〉. This is shown in the following
Lemma.
Lemma 4.3.15 (ASL path formulas [[Z]]Φ). For each path π̃ in the product starting in a
state 〈q, z0〉 we have:
π̃ |= 2(final→ aΦ) iff projA(π̃) |= [[Z]]Φ.
Proof. Let π̃ = 〈q0, z0〉 c1−−→ 〈q1, z1〉 c2−−→ . . . be a path in the product starting in a
state 〈q0, z0〉 and let π def= projA(π̃) be its A-projection.
85
4.3. Branching-time and alternating-time model checking Chapter 4. Alternating-time stream logic
“=⇒”: Suppose first that π̃ |= 2(final→ aΦ). Let n ≤ |π| such that
ios(π ↓ n) ∈ L(Z).
Then, z0 z1 . . . zn is the run for ios(π ↓ n) in Z . Hence, zn ∈ ZF and therefore we have
〈qn, zn〉 |= final. As
π̃ |= 2(final→ aΦ)
and 〈qn, zn〉 is the (n+1)-st state of π̃, we have 〈qn, zn〉 |= aΦ. This yields that qn |= Φ,
and therefore π |= [[Z]]Φ.
“⇐=”: Assume π |= [[Z]]Φ. Let n ≤ |π̃|. The goal is to show that the (n+1)-st state of π̃
satisfies (final→ aΦ), i.e.,
〈qn, zn〉 |= (final→ aΦ).
This is obvious if final does not hold for 〈qn, zn〉. Assume now that 〈qn, zn〉 |= final. Then,
zn ∈ ZF .
• If 〈qn, zn〉 6∈ S√ then n ≤ |π| and z0 z1 . . . zn is the run for ios(π ↓ n) in Z . As
zn ∈ ZF we get that
ios(π ↓ n) ∈ L(Z),
and therefore qn |= Φ. But then, 〈qn, zn〉 |= aΦ.
• If 〈qn, zn〉 ∈ S√ then there is some m ≤ n such that m ≤ |π| and
〈qm, zm〉 = 〈qm+1, zm+1〉 = . . . = 〈qn, zn〉.
Then, z0 z1 . . . zm is the run for ios(π ↓ m) in Z . As zm = zn ∈ ZF we get that
ios(π ↓ m) ∈ L(Z).
But this yields qm |= Φ. Hence, 〈qm, zm〉 = 〈qn, zn〉 |= aΦ.
Thanks to Lemma 4.3.13 and Lemma 4.3.14 the satisfaction sets
Sat(EN 〈Z〉Φ) and Sat(EN [[Z]]Φ)
can be computed by means of a reduction to the model-checking problem for the EN -
operator in combination with the eventually- and always-modalities. More precisely, we
first build the productAZ and then apply the algorithm for until and release, respectively,
to compute the satisfaction sets for
EN∪{A√}3(aΦ ∧ final) and EN∪{A√}2(final→ aΦ)
in the product. Furthermore, the memoryless winning (N∪{A√})-strategies for the product
and the goals
3(aΦ ∧ final) and 2(final→ aΦ)
yield finite-memory winning N -strategies in A for the objectives 〈Z〉Φ and [[Z]]Φ, respec-
tively.
86
Chapter 4. Alternating-time stream logic 4.3. Branching-time and alternating-time model checking
√
-free stream expressions. We conclude this section by a simple observation concerning
the case α is a
√
-free expression (i.e., does not contain a subexpression of the form β;
√
).
In fact, for
√
-free expressions, the “best” strategy for the N -agents to ensure [[Zα]]Φ is to
stop the dataflow whenever possible. This is formalized in the following lemma:
Lemma 4.3.16 (Winning strategies for
√
-free expressions). Let S√ be the memoryless
N -strategy given by S√(q) = {√}∪{c ∈ CIO : active(c)∩N = ∅} for all states q. Then,
for each
√
-free stream expression α and state q we have:
q |= EN [[Zα]]Φ iff S√ is winning for 〈q, [[Zα]]Φ〉.
Proof. The implication =⇒ is obvious by the semantics for the modality EN . Suppose now
that q |= EN [[Zα]]Φ. The goal is to show that S√ is a winning strategy for 〈q, [[Zα]]Φ〉.
We pick a winning strategy S̃ for 〈q, [[Zα]]Φ〉. That is, π |= [[Zα]]Φ for all S̃-paths π
that start in state q. By definition of S√ we get that for each incomplete S√-execution
η = q0
c1−−→ . . . ci−−→ qi we have:
S√(qi) ∩ CIO(qi) ⊆ S̃(η)
Hence, all incomplete executions in Execfin(q,S√) are prefixes of S̃-executions. Thus, if
η ∈ Execfin(q,S√) and η is an incomplete S̃-execution starting in q then we have:
ios(η) ∈ IOS(α) implies p |= Φ where p is the last state of η.
In particular, this yields π |= [[Zα]]Φ for all infinite S√-paths that start in q. As α is
√
-free,
none of the I/O-streams in IOS(α) contains the termination symbol
√
. Hence, for each
finite S√-path π we have ios(π) /∈ IOS(α) and therefore π |= [[Zα]]Φ.
Thus, if α is
√
-free then the set Sat(EN [[Zα]]Φ) can be computed by considering the sub-
automaton A′ of A that results from the memoryless strategy S√ and then computing the
satisfaction set for SatA′(∀[[Zα]]Φ) in A′. This can be done by means of a BTSL model
checker as described in the beginning of Section 4.3.
In the next Section we will discuss the complexity of solving the ASL (and BTSL) model-
checking problem in detail.
87
4.4. Complexity of the ASL model-checking problem Chapter 4. Alternating-time stream logic
4.4. Complexity of the ASL model-checking problem
We first study the asymptotic worst-case time complexity of the ASL model-checking algo-
rithm sketched in Section 4.3. For this, we assume an explicit representation of A as a di-
rected graph with list representations for the enabled concurrent I/O-constraints c ∈ CIO(q)
and the successor sets Post[c](q) for each state q. The size |A| of A denotes the number of
states plus the total number of transitions.
The time required to derive the predecessor-sets Pre(P ) and Pre(P,N) respectively from
the explicit representation ofA is polynomially bounded in |A|. The precise time complex-
ity depends on the data structures used for P and N and the organization of the additional
information of the concurrent I/O-constraints. Such details are irrelevant for the following
considerations.
The treatment of the ASL until or release operator on the basis of Algorithms 3 and 4 relies
on a standard fixed point computation and requires at most |Q| iterations. Hence, assuming
that Sat(Φ1) and Sat(Φ2) have already been computed, then both algorithms run in time
O(poly(|A|)). We now address the time complexity of the automata-based approach to
compute the satisfaction sets of ASL state formulas of the form EN 〈Z〉Φ and EN [[Z]]Φ.
Assuming that Sat(Φ) and a DFA Z are given, the time complexity is polynomial in the
size of the product constraint automaton AZ .
Remark 4.4.1. When starting with a regular stream expression α or an NFA rather than a
DFA Z , in the worst-case the size of Z for α can be exponential in the length of α. These
observations yield that the time complexity of the proposed ASL model-checking procedure
is polynomial in |A| and exponential in the length of the given ASL state formula Φ0.
Hence, the model complexity (i.e., for fixed formula) is polynomial, and the ASL model-
checking problem (where both the constraint automaton A and the ASL state formula Φ0
are viewed as inputs) belongs to the complexity class EXPTIME.
Lower complexity bound for ASL model-checking. In fact, we do not expect much better
ASL model-checking algorithms, since we will prove the ASL (and BTSL) model-checking
problem to be PSPACE-hard.
Theorem 4.4.2 (Lower bound for ASL (and BTSL) model-checking). The ASL (and BTSL)
model-checking problems are PSPACE-hard as the following two problems are PSPACE-
hard:
(a) given a constraint automaton A with port-set N ⊆ N , state q0 in A and an NFA Z
over the alphabet CIO√, check whether q0 |= EN [[Z]] false.
(b) given a constraint automatonA with port-setN , state q0 inA and an NFA Z over the
alphabet CIO√, check whether q0 |= ∃[[Z]] false.
88
Chapter 4. Alternating-time stream logic 4.4. Complexity of the ASL model-checking problem
Proof. From the results by Chadha et al. [CSV09], it can be derived that the following
problem is PSPACE-hard:
• given: an NFA Z over some alphabet Σ that does not accept the empty word
• question: does there exists an infinite word ϑ = σ1σ2σ3 . . . ∈ Σω such that no finite
prefix of ϑ belongs to the language of Z , i.e., σ1σ2 . . . σn /∈ L(Z) for all n ≥ 1?
We now provide polynomial reductions from the above problem to the model-checking
problem for formulas of the type EN [[Z]] false and BTSL formulas of the type ∃[[Z]] false.
The letters in the alphabet Σ are treated as concurrent I/O-constraints. LetA be a constraint
automaton with a single state q0 and the transitions
q0
σ−→ q0 for all σ ∈ Σ.
Formally, we may deal with the name-set N def= {Aσ : σ ∈ Σ} and introduce self-loops of
state q0 labeled with concurrent I/O-operations σ such that active(σ) = {Aσ} for all σ ∈ Σ.
In fact, it suffices to restrict Σ to the letters that appear as labels of at least one transition in
Z . Then, it is obvious that A can be constructed in time linear in the size of Z .
Let Z ∪ tt∗ ;√ denote an NFA for the language L(Z) ∪ (CIO∗√). That is, Z ∪ tt∗ ;√
accepts all finite I/O-streams that end by the termination symbol
√
and all I/O-streams
c1 c2 . . . cn ∈ CIO∗ that are accepted by Z , while all other words are rejected by Z∪ tt∗ ;
√
.
Note that such an NFA can be obtained by adding two states to Z . Hence, we can safely
assume that Z ∪ tt∗ ;√ can be constructed from Z in polynomial time. We now consider
the formulas
Ψ1
def
= EN [[Z ∪ tt∗ ;
√
]] false
Ψ2
def
= ∃[[Z ∪ tt∗ ;√]] false
and show the equivalence of the following three statements:
(1) q0 |= Ψ1
(2) q0 |= Ψ2
(3) there exists an infinite word ϑ ∈ Σω such that no finite prefix of ϑ belongs to L(Z).
“(1) =⇒ (2)”: Suppose q0 |= Ψ1. Then, there exists a strategy S for all ports (i.e., for
the name-set N = N ) such that π |= [[Z ∪ tt∗ ;√]] false for all π ∈ Paths(q0,S).
Hence, we may pick an arbitrary S-path π that starts in state q0 to obtain a witness for
q0 |= ∃[[Z ∪ tt∗ ;
√
]] false.
“(2) =⇒ (3)”: Suppose q0 |= Ψ2. Then, there exists a path π that starts in state q0 and
fulfills the path formula [[Z ∪ tt∗ ;√]] false. This path π must be infinite, because otherwise
π would have a finite prefix with an I/O-stream in IOS(tt∗ ;
√
) ⊆ IOS(Z ∪ tt∗ ;√) which
is impossible as π |= [[Z ∪ tt∗ ;√]] false. Say π has the form
q0
σ1−−→ q0 σ2−−→ q0 σ3−−→ . . .
89
4.4. Complexity of the ASL model-checking problem Chapter 4. Alternating-time stream logic
and let ϑ def= σ1σ2σ3 . . . ∈ Σω be the infinite I/O-stream of π. Let n ∈ N. The I/O-stream
of the finite prefix π ↓ n is the finite prefix σ1 . . . σn of ϑ. As π |= [[Z ∪ tt∗ ;
√
]] false we
get that σ1 . . . σn /∈ L(Z).
“(3) =⇒ (1)”: Suppose ϑ = σ1σ2σ3 . . . ∈ Σω is an infinite word such that σ1 . . . σn /∈
L(Z) for all n ∈ N. We now consider the N -strategy S given by
S(η)
def
= {σn} if η is an execution of length n−1.
Then, there is a single S-path in A, namely
π = q0
σ1−−→ q0 σ2−−→ q0 σ3−−→ . . .
Since π |= [[Z ∪ tt∗ ;√]] false the strategy S is winning for 〈q0, [[Z ∪ tt∗ ;
√
]] false〉. Hence,
q0 |= Ψ1.
As the length of both formulas Ψ1 and Ψ2 is polynomial in the size of Z , this completes the
proof of Theorem 4.4.2.
Part (a) of Theorem 4.4.2 shows that the NFA-based approach for the ASL model-checking
problem is computationally hard, even under the assumption that all ports cooperate in a
single coalition. For the special case that no port is controllable, the ASL model-checking
problem is computationally hard as well, as the ASL formula ∀∅[[Z]]Φ is equivalent the
BTSL formula ∃[[Z]]Φ that has been shown to be PSPACE-hard in Part (b) of Theorem 4.4.2.
Complexity of ASL (and BTSL) model-checking. By Theorem 4.4.2, we obtain PSPACE-
hardness of the ASL (and the BTSL) model-checking problem. At this place it is worth
noting that there is a polynomially time-bounded algorithm for the model-checking prob-
lem for BTSL formulas of the form ∃〈Z〉Φ, provided that Sat(Φ) is given. In this case, an
automata-based approach with NFA rather than DFA is applicable.
PSPACE is also an upper bound for the BTSL model-checking problem. The algorithms to
compute the satisfaction sets of BTSL state formulas of the type ∃(Φ1 UΦ2), ∃(Φ1 RΦ2)
and ∃〈Z〉Φ are polynomially time-bounded, and therefore polynomially space-bounded. It
remains to show that the satisfaction sets for BTSL state formulas of the type ∃[[Z]]Φ can
be computed by a polynomial space-bounded algorithm.
Algorithm 5 is a nondeterministic decision procedure for q0 |= ∃[[Z]]a, where
• q0 ∈ Q0 is a state in the constraint automaton A = 〈Q,N ,−→, Q0,Q,AP , L〉,
• Z = 〈Z,N ,−→Z , Z0, ZF 〉 is an NFA, and
• a ∈ AP an atomic proposition
90
Chapter 4. Alternating-time stream logic 4.4. Complexity of the ASL model-checking problem
The decision procedure relies on an on-the-fly construction of the product of A and the
determinized version of Z . The states space in the product is S = Q × 2Z , where Q is the
state space of A and Z is the state space of Z . The presented algorithm performs a forward
search in the product and constructs a witness path π = q0
c1−−→ q1 c2−−→ . . . in A such that
π |= [[Z]]a holds.
Algorithm 5 Nondeterministic decision procedure for q0 |= ∃[[Z]]a.
〈q,M〉 := 〈q0, Z0〉;
for i = 1 . . . (|Q| · 2|Z|) do
if ((q 6|= a) and z ∈ ZF for some z ∈M ) then
return “q0 6|= ∃[[Z]]a”;
end if
if (q is terminal) then
return “q0 |= ∃[[Z]]a”;
end if
guess some transition q c−→ q′ in A or pair 〈q′, c〉 def= 〈q, cstop〉 nondeterministically;
〈q,M〉 := 〈q′, {z′ ∈ Z | z c−→Z z′ for some z ∈M}〉;
end for
return “q0 |= ∃[[Z]]a”;
As Algorithm 5 is an on-the-fly variant of Algorithm 2 which applied standard methods for
the determinization of Z , the algorithm correctly decides whether q0 |= ∃[[Z]]a.
The time-complexity of the above algorithm is linear in the number of states in A and
exponential in the number of states in the NFA Z . As it is sufficient to store only the
last state of the product that will be visited throughout the execution of the for-loop, the
complexity in space is bounded by the number of bits used to store one state of the product
only, i.e., O(log2(|Q| · 2|Z|)). Hence, the problem to decide “q0 |= ∃[[Z]]a” can be solved
nondeterministically with space linear in the size of Z and logarithmic in the size of A.
With these observations, we obtain:
Lemma 4.4.3 (Upper bound for the complexity of BTSL model checking). The BTSL
model-checking problem is in PSPACE.
Corollary 4.4.4 (PSPACE-completeness for BTSL). From part (b) of Theorem 4.4.2 and
Lemma 4.4.3 we can conclude that the BTSL model-checking problem is PSPACE-complete.
For the ASL model checking we present a similar result. We show that PSPACE is also an
upper bound for the ASL model-checking problem. The algorithms to compute the satisfac-
tion sets of ASL state formulas of the type EN (Φ1 UΦ2) and EN (Φ1 RΦ2) are polynomially
time-bounded, and therefore polynomially space-bounded.
91
4.4. Complexity of the ASL model-checking problem Chapter 4. Alternating-time stream logic
It remains to show that the satisfaction sets for ASL state formulas of the type EN 〈Z〉Φ
and EN [[Z]]Φ can be computed by a polynomial space-bounded algorithm. We start with
formulas of the type EN 〈Z〉Φ. The result can be established by providing a polynomial re-
duction to the emptiness problem for alternating finite automata (AFA) with unary alphabet
which is known to be PSPACE-complete [Hol95]. More precisely, we provide a polynomial
reduction from the ASL model-checking problem
“does q0 |= EN 〈Z〉a hold?”
where q0 is a state of a constraint automaton A, Z an NFA, N ⊆ N a set of port-names
and a ∈ AP an atomic proposition. We combine A and Z to obtain an alternating finite
automaton that is non-empty if and only if q0 |= EN 〈Z〉a.
The idea behind the construction of an AFA from A and Z is to create a two-player game
structure, which separates transitions in AZ into three steps. In the first step the N -
player may select one of the enabled actions, whereas in the second step the opponent can
select a compatible action as well as the successor state in A. In the last step the N -player
chooses a successor state in Z .
Definition 4.4.5 (Alternating finite automaton, e.g., [JS07]). An alternating finite automa-
ton is a tuple S = 〈S,Σ,∆, s0, SF 〉 where S is a finite set of states, Σ a finite alphabet,
∆ : S × Σ→ Bool+(S)
is the transition function, s0 is the initial state, and SF ⊆ S the set of accepting states. Here,
Bool+(S) denotes the set of (positive) boolean formulas that only use ∧ and ∨ as boolean
connectives and elements of the state space S as variables.
For the acceptance we define the relation Acc ⊆ S × Σ∗ by induction on the length of the
input word ϑ ∈ Σ∗. We write Acc(s, ϑ) if 〈s, ϑ〉 ∈ Acc.
Acc(s, ε) ⇐⇒ s ∈ SF
Acc(s, νϑ) ⇐⇒ v |= ∆(s, ν) for ν ∈ Σ and the boolean assignment v satisfying
(v(s′) = 1 ⇐⇒ Acc(s′, ϑ)) for all s′ ∈ Q.
With this definition an AFA A accepts the language L(A) def= {ϑ ∈ Σ∗ | Acc(s0, ϑ)}.
Let A = 〈Q,N ,−→, Q0,Q,AP , L〉 be a constraint automaton, q0 ∈ Q a state in A,
Φ = EN 〈Z〉a, where N ⊆ N a set of ports, a ∈ AP an atomic proposition, and
Z = 〈Z,CIO√,−→Z , Z0, ZF 〉 be an NFA. We construct an AFA S = 〈S,Σ,∆, s0, SF 〉 as
follows:
– S def= {s0} ∪ (Q× Z) ∪
{〈q, z, c〉 ∈ Q× Z × CIO√ | c = cstop or c ∈ CIO(q) ∩ CIO(z)} ∪
{〈q, c, z〉 ∈ Q× CIO√ × Z | c = cstop or c ∈ CIO(z)},
92
Chapter 4. Alternating-time stream logic 4.4. Complexity of the ASL model-checking problem
– Σ def= {ν} where ν is an arbitrary input symbol,
– s0 ∈ S the starting state, and
– SF
def
= {〈q, z〉 ∈ Q× Z | q |= a and z ∈ ZF }
– As the input alphabet Σ is a singleton set, the transition function can now be interpreted
as a function ∆ : S → Bool+(S) which is given by the following definition
∆(s)
def
=

∧
s′∈λ(s)
s′ if s ∈ {s0} ∪ (Q× Z × CIO√)∨
s′∈λ(〈q,z〉)
s′ if s ∈ (Q× Z) ∪ (Q× CIO√ × Z)
Here, λ is a total function λ : S → 2S which is given by
λ(s0)
def
= {〈q0, z〉 ∈ S | z ∈ Z0}
λ(〈q, z〉) def= {〈q, z, c〉 ∈ S | c ∈ CIO(〈q, z〉) in AZ}
λ(〈q, z, c〉) def= {〈q′, c′, z〉 ∈ S | 〈q, z〉 c
′
−→AZ 〈q′, z′〉 with c′ ∈ compAct(c,N)}
λ(〈q, c, z〉) def= {〈q, z′〉 ∈ S | z c−→ z′}
where compAct(c,N) stands for the set of all c-compatible actions when N ⊆ N is
the set of controllable ports, i.e.,
compAct(c,N) def= {c}
∪ {c′ ∈ CIO | active(c′) ∩N = ∅}
∪ {cstop | if active(c) \N 6= ∅}
The structure of the AFA above is constructed in such a way that the states s ∈ (Q× Z) ∪
(Q×CIO√×Z) where theN -player moves the transition function has a disjunctive format,
i.e., ∆(s) = s1 ∨ . . . ∨ sn, and whenever the opponent moves in a state s ∈ {s0} ∪ (Q ×
Z×CIO√) the transition function has a conjunctive format, i.e., ∆(s) = s1 ∧ . . .∧ sn. The
accepted language of the constructed AFA will be non-empty if the N -player can choose
(at least) one action and later a successor state in Z in any of his game configurations such
that all of the opponents moves lead to a state s ∈ SF . Hence, we have that
L(S) 6= ∅ iff q0 |= EN 〈Z〉a.
Clearly, the construction of S can be performed in polynomial time and space.
It remains to provide a similar reduction for ASL formulas of the type EN [[Z]]Φ. More
precisely, we provide a polynomial reduction from the ASL model-checking problem
“does q0 |= EN [[Z]]a hold?”
93
4.4. Complexity of the ASL model-checking problem Chapter 4. Alternating-time stream logic
where q0 is a state of a constraint automatonA, Z an NFA, N ⊆ N a set of port-names and
a ∈ AP an atomic proposition. Here we combine A and Z to obtain an alternating finite
automaton that is empty if and only if q0 |= EN [[Z]]a.
Let A = 〈Q,N ,−→, Q0,Q,AP , L〉 be a constraint automaton, q0 ∈ Q a state in A,
Φ = EN [[Z]]a, where N ⊆ N a set of ports, a ∈ AP an atomic proposition, and
Z = 〈Z,CIO√,−→Z , Z0, ZF 〉 be an NFA. We construct an AFA S = 〈S,Σ,∆, s0, SF 〉 as
follows:
– S def= {s0}∪(Q×Z)∪{〈q, z, c〉 ∈ Q×Z×CIO√ | c = cstop or c ∈ CIO(q)∩CIO(z)},
– Σ def= {ν} where ν is an arbitrary input symbol,
– s0 ∈ S the starting state, and
– SF
def
= {〈q, z〉 ∈ Q× Z | q 6|= a and z ∈ ZF }
– As the input alphabet Σ is a singleton set, the transition function can now be interpreted
as a function ∆ : S → Bool+(S) which is given by the following definition
∆(s)
def
=

∨
s′∈λ(s)
s′ if s ∈ {s0} ∪ (Q× Z × CIO√)∧
s′∈λ(〈q,z〉)
s′ if s ∈ (Q× Z)
Here, λ is a total function λ : S → 2S which is given by
λ(s0)
def
= {〈q0, z〉 ∈ S | z ∈ Z0}
λ(〈q, z〉) def= {〈q, z, c〉 ∈ S | c ∈ CIO(〈q, z〉) in AZ}
λ(〈q, z, c〉) def= {〈q′, z′〉 ∈ S | 〈q, z〉 c
′
−→AZ 〈q′, z′〉 with c′ ∈ compAct(c,N)}
where compAct(c,N) again stands for the set of all c-compatible actions.
The accepted language of the constructed AFA will be empty if theN -player can choose (at
least) one action in any of his game configurations such that none of the opponents moves
leads to a state s ∈ SF . Hence, we have that
L(S) = ∅ iff q0 |= EN [[Z]]a.
As there is a polynomially space-bounded algorithm for checking emptiness of AFA with
unary alphabet, we obtain the following lemma:
Lemma 4.4.6 (Upper bound for the complexity of ASL model checking). The ASL model-
checking problem is in PSPACE.
Corollary 4.4.7 (PSPACE-completeness for ASL). From part (a) of Theorem 4.4.2 and
Lemma 4.4.6 we can conclude that the ASL model-checking problem is PSPACE-complete.
94
Chapter 4. Alternating-time stream logic 4.5. ASL with fairness
Complexity of the ATL-fragment. We will conclude this section with a short inspection
of the complexity of the ATL-model checking problem. By the ATL-fragment of ASL,
we mean the sublogic of ASL without stream expressions, i.e., path formulas of the ATL-
fragment are generated by the standard path modalities U , R and X , but not 〈Z〉 or [[Z]].
The difference to standard ATL [AHK02] is that in the classical setting logic reasons about
infinite behavior only. ATL as introduced in [AHK02] does not have a notion for quiescence
and finite behavior.
The worst complexity of our model-checking algorithm for the ATL-fragment is roughly the
same as for standard ATL, i.e., linear in the size of A and the length of the given ASL state
formula, when appropriate data structures for the internal representation of the constraint
automaton are assumed.
4.5. ASL with fairness
Several extensions of ASL could be considered. We conclude this chapter with a few re-
marks on introducing fairness for ASL, as this concept is of special interest for our game-
based interpretation of constraint automata. In this section we provide a preview on the
most important aspects a reasonable notion of ASL fairness must address and examine
the relationship to controller synthesis. The concept of fairness, implicitly introduced by
Dijkstra [Dij65, Dij68], is often necessary to establish liveness properties [Fra86, Kwi89,
VVK05] for nondeterministic transition systems and models with interleaving processes.
In such nondeterministic system models fairness serves to rule out pathological behaviors
that exists due to unfair resolution of nondeterministic choices. There exists three differ-
ent types of fairness conditions: for unconditional fairness it is required that every process
is scheduled infinitely often. For strong fairness we require that every process that is en-
abled infinitely often acts infinitely often, while for weak fairness only processes that are
continuously enabled need to get the turn infinitely often. The notions of weak and strong
fairness have first been introduced for shared variable concurrent programs [LPS81] and
later considered in the context of transition systems [QS83].
In addition to the standard notion of process fairness, our special interpretation of constraint
automata as multi-player games demands for some additional ASL fairness assumptions that
go beyond the standard notion of process fairness. The goal is to rule out “unfair behavior”
which is imposed by schedulers that continuously ignore the choice of an ASL strategy.
To illustrate the need for this special form of fairness assumptions, we revisit Example 4.2.4.
One would expect that the ASL state formula EA3¬∃X true would be fulfilled, since the
memoryless strategy S, which tries to write on A whenever q1 is reached during an execu-
tion should be winning for 〈q0,3¬∃X true〉. However, S cannot rule out the case where
only the empty transition fires, while the write request at port A never gets granted. This,
however, is a pathological case which can be avoided with appropriate fairness assumptions.
In the following definition we introduce one reasonable notion of strong fairness for paths
with respect to a port-set N and a given N -strategy S.
95
4.5. ASL with fairness Chapter 4. Alternating-time stream logic
Definition 4.5.1 (〈N,S〉-fairness). Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 be a constraint
automaton, N ⊆ N a port-set, S an N -strategy, and π = q0 c1−−→ q1 c2−−→ . . . a S-path in
A. Then π is called (strongly) 〈N,S〉-fair if either π is finite or for all c ∈ CIO we have:
∞
∃ i ≥ 0. c ∈ CIO(qi) ∩S(π ↓ i) and ∅ 6= active(c) ⊆ N implies
∞
∃ i ≥ 0. ci = c,
where
∞
∃ i means “there exist infinitely many i”. If N and S are understood from the con-
text we simply talk about fairness rather than 〈N,S〉-fairness.
Note that the very special notion of fairness introduced in this section is an additional con-
cept to standard process fairness. Compared to standard process our notion of fairness is
different as it does not impose any constraint on the specific write and read operations of the
opponents of N . Instead, it just requires that any I/O-operation c that is fully controllable
by N and offered infinitely often by the given N -strategy S will not be ignored forever.
Example 4.5.2 (Fair und unfair paths). Dealing with N = {A} and the memoryless N -
strategy S that attempts to write on A whenever the current state is q1 in Example 4.2.4, the
path that alternates between states q0 and q1 via the empty I/O-operation c∅ is not 〈N,S〉-
fair.
For the system in Example 4.2.5 and N = {Aout, Ain1 , Ain2 }, i.e., the port-set of component
CA, and the memorylessN -strategy S that does not rule out any I/O-operation (i.e., S(q) =
CIO√ for all q ∈ Q), the S-path that runs forever through the cycle
q0
c1−−→ q1 c2−−→ q3 c3−−→ q0
with active(c1) = {Aout}, active(c2) = {Bin1 }, and active(c3) = {Ain1 , Bout1 } is 〈N,S〉-
fair, although the transition from q0 to q2 is never taken.
It should be noticed that 〈N,S〉-fairness asserts that any controllable I/O-operation c that is
infinitely often enabled and offered by S will be taken infinitely often, but 〈N,S〉-fairness
does not impose a fair resolution of the choice between several c-transitions.
Compositional controller synthesis. The notion of fairness needed in the context of ASL
is closely related to our work on compositional controller synthesis [BKK11a] which is
applicable to various automata types. With constraint automata the presented approach
relies on a similar game-based interpretation as for ASL.
In ASL we were asking for the existence or absence of a winning strategy for a temporal
property, whereas the question in controller synthesis is whether or not there is a way of
connecting components to make a certain temporal objective hold. The orchestrating com-
ponent(s) and network ensuring a given property to hold is called a controller. We studied
the problem of how to synthesis such controllers exogenously within our Reo and constraint
automata framework. Starting with an ASL formula, the goal is to derive a constraint au-
tomaton from finite-memory winning N -strategy which can then serve as a controller for
96
Chapter 4. Alternating-time stream logic 4.5. ASL with fairness
the part of the system that is controllable, namely the N -components. In [ABdB+05] an
algorithm has been presented that constructs a Reo network from a given constraint au-
tomaton. This approach is compositional and relies on a preprocessing step that generates
an ω-regular expression from the given constraint automaton. We presented an alterna-
tive approach [BKK11c, BKK11b] for the generation of a Reo network directly from the
constraint automaton A which reuses some ideas of [ABdB+05], but avoids the potential
exponential blow-up in the construction of an ω-regular expression.
In the compositional controller synthesis setting as presented in [BKK11a] our starting point
is a temporal logic formula of the form Φ = Φ1 ∧ . . . ∧ Φn. The goal is to subsequently
create the controllers Ci for each of the sub-formulas Φi and to synthesize and connect the
controllers with the controlled parts of the system exogenously. Applying the presented
framework to the setting of Reo and constraint automata, the synthesized controllers can
be again regarded as constraint automata (with some additional fairness constraints). These
automata can then likewise be transformed into Reo networks using the (controller) syn-
thesis construction presented in [BKK11b]. In the context of the compositional controller
synthesis most-general controllers that preserve as much behavior of the controlled system
as possible are of special interest. To support compositional controller synthesis, where we
gradually create and compose controllers for all sub-formulas, the controllers have to be
most-general in the sense that they capture all possible ways in which a given sub-formula
may be enforced in the system. In [BKK11a] we presented a compositional controller syn-
thesis approach covering regular safety and co-safety objectives for a partial information
and partial control setting. A detailed discussion as well as further extensions towards the
full set of ω-regular languages will be discussed in the upcoming thesis [Kle12]. In the next
chapter, we present our implementation of the Vereofy tool set, which already includes a
prototype implementation for the synthesis of a Reo network from a given constraint au-
tomaton. Algorithms addressing the compositional controller synthesis problem are also
planned to be integrated into the Vereofy tool set.
97
98
5 Implementation
The presented approach for modeling, verification and synthesis of the Chapters 3 and 4
has been implemented and integrated (along with other verification formalisms [BBKK09b,
BKK11b]) in our model-checking tool set Vereofy [BKK12]. Vereofy1 is jointly developed
by members of our group at Technische Universität Dresden. To overcome the state-space
explosion problem the constraint automata for components and the coordinating network
are represented symbolically. For this purpose we rely on well-known concepts to encode
automata as switching functions and represent them by binary decision diagrams (BDDs).
(See e.g. [Bry86, McM93, HS96, Min96, DB98, MT98, Weg00].) In this chapter we present
the relevant details of the BDD encoding along with further important implementation de-
tails of Vereofy. The tool set Vereofy has successfully been used in two major case stud-
ies [BBK+10, KKSB11] within the former EU project CREDO [GJA+10] and served well
for the evaluation of our hierarchical modeling approach and the verification engines. At
the end of this chapter our approach is evaluated by means of various case studies carried
out with Vereofy.
Organization. Section 5.1 provides the relevant implementation details about Vereofy. In
Section 5.2 we present the details of the BDD-based model checking of ASL formulas and
Section 5.3 gives insights some of the case studies we carried out for the evaluation our
modeling and verification approach.
5.1. The model-checking tool Vereofy
Vereofy is a tool set for the formal verification of component-based systems described in
terms of Reo and constraint automata. The tool set uses the two input languages CARML
and RSL for modeling component-based systems. Vereofy itself is written in C++ and runs
on Mac OS X, Linux, and Windows. Vereofy can be used as a standalone application or as
an Eclipse plugin for the Extensible Coordination Tools (ECT)2 [Kra11], a graphical user
interface developed at the Centrum Wiskunde & Informatica (CWI) Amsterdam3 supporting
Reo and constraint automata. The Vereofy plugin in the Extensible Coordination Tools
supports conversion between graphical Reo connectors and RSL scripts, and vice versa.
Figure 5.1 provides an overview on the main elements of Vereofy.
1http://www.vereofy.de/
2http://reo.project.cwi.nl/cgi-bin/trac.cgi/reo/wiki/Tools
3http://www.cwi.nl/
99
5.1. The model-checking tool Vereofy Chapter 5. Implementation
Symbolic CA
Representation
Model Checker
(LTL, BTSL, ASL)
YES/ NO + witness/couterexample
(graphical and textual representation)
Bisimulation Checker
YES/ NO
Constraint Automata 
Reactive Module 
Language (CARML)
graphical representation
of the constraint automaton
Reo scripting language 
(RSL)
graphical representation
of the network
LIBRARIES
(pre- and user defined)
Reo GUI from CWI's Extensible Coordination Tools (ECT)
Figure 5.1: Main elements of the Vereofy tool set
Main features. For the modeling we use CARML and RSL as described in Chapter 3.2.
In the implementation we provide some additional language features such as functions,
enumerator concepts, conditional code inclusion, labels for transitions, etc. Global variables
are not yet fully supported in the currently released version of Vereofy. For details about
additional language and tool features we refer to the Vereofy manual [BKK12].
Vereofy provides a library of Reo channels, connectors and useful components that can be
used to compose more complex connectors and components. A user may define his own
libraries of channels, connectors, and components that are then available for further com-
position. For debugging, Vereofy allows to write the structure of a Reo circuit constituted
by its components and connectors to a GraphViz4 file. For constraint automata (with a rea-
sonably small number of states and ports) Vereofy supports writing them to GraphViz files
as well.
The constraint automata for components and the orchestrating network are represented sym-
bolically by means of switching functions stored in binary decision diagrams (BDDs). A
detailed description of the encoding of constraint automata in terms of switching functions
as well as symbolic reformulations of the algorithms presented in Chapter 4 are be provided
in the next section. For the implementation we use the external BDD library JINC5 [Oss10].
4http://www.graphviz.org/
5http://jossowski.de/projects/jinc/jinc.html
100
Chapter 5. Implementation 5.1. The model-checking tool Vereofy
Vereofy supports symbolic model checking for ASL (and BTSL) formulas (cf. Chapter 4)
as well as model checking for linear-time properties and equivalence checking using bisim-
ulation [BBKK09b, BKK11b]. The syntax of ASL/BTSL path formulas of the form 〈Z〉Φ
and [[Z]]Φ uses regular I/O-stream expressions α, from which a symbolic NFA Zα = Z is
built.
The BTSL model checker allows computing and printing witnesses and counterexamples
for BTSL formulas. This option is activated in Vereofy by the command line option btsl-
witness-level. Using the Vereofy Eclipse plugin for the Extensible Coordination Tools
(ECT) one can explore counterexamples and witnesses of BTSL formulas in the graphi-
cal user interface by skimming through the detailed state information (i.e., the evaluation of
the state variables) and the observable dataflow along the counterexample or witness path.
For ASL a witness for a formula of the form ENϕ is a strategy S such that when the strategy
is applied, all remaining S-paths in the constraint automaton A satisfy ϕ. Vereofy allows
to compute such a winning finite-memory strategy as suggested by the model checking al-
gorithms presented in Section 4.3 and Section 5.2. This option is activated in Vereofy by
the command line option compute-asl-strategy. The computed strategy S can be repre-
sented by a constraint automaton which Vereofy can write to a GraphViz file for debugging.
Moreover, Vereofy allows to store the strategy symbolically, apply the computed strategy S
to A, and rerun the model checker with the modified system and modified BTSL (or CTL)
formula to validate S to be a winning. This check is activated in Vereofy by the command
line option check-result. E.g., when starting with a constraint automaton A and an ASL
state formula of the form ENϕ, Vereofy may successfully constructs an N -strategy S that
is winning and stored in terms of a constraint automaton AS. Then Vereofy builds the syn-
chronous product of A and AS and starts the BTSL model checking procedure to check
whether ∀ϕ holds in the product. This check has been carried out (together with some addi-
tional sanity checks) for all ASL formulas presented later for the case studies in this chapter
to verify the result of the model checker.
Vereofy also provides some heuristics and methods that should improve the ASL and BTSL
model checking. For ASL and BTSL path formulas of the form 〈Z〉 and [[Z]] we start with
a regular I/O-stream expression α and create an NFA Z with L(Z) = IOS(α). For the NFA
we use a data structure that allows to store the states of Z explicitly and represent the tran-
sition labels (i.e., data constraints) symbolically in terms of switching functions. For BTSL
state formulas of the form ∃[[Z]]Φ as well as ASL state formulas of the form EN 〈Z〉Φ
and EN [[Z]]Φ and their duals AN [[Z]]Φ and AN 〈Z〉Φ this NFA is determinized and mini-
mized to reduce the actual amount of states. For this, Vereofy provides algorithms based
on the ideas of Hopcroft [Hop71] and Brzozowski [Brz62], where Hopcroft is selected by
default. The minimization method can be selected in Vereofy by using the command line
option minimize-dfa. In the very last step the NFA is transferred into a new data structure
that is fully symbolic and allows to encode states and transitions of Z in terms of switch-
ing functions. This symbolic representation of Z is used throughout the model checking
procedures.
The model checking engine for ASL and BTSL uses an early termination mechanism allow-
ing fixpoint computation to be stopped before the actual fixpoint is reached. Early termina-
tion will only be applied if the current formula under inspection is a top-level formula. The
101
5.2. BDD-based model checking Chapter 5. Implementation
termination succeeds for greatest fixpoints if it is clear from the current satisfaction set that
shrinking the satisfaction set further cannot change satisfiability of the formula. For least
fixpoints the condition is that expanding the satisfaction set cannot change satisfiability of
the formula.
In the next section we show the symbolic representation for constraint automata as well as
symbolic formulations of the model-checking algorithms, which then work on the symbolic
rather than an explicit representation of constraint automata. For this, we adapted standard
concepts of symbolic model checking with BDDs for labeled transitions systems [BCM+92,
CGP99, McM93, Som99] to our framework of constraint automata and the alternating-time
logic ASL.
5.2. BDD-based model checking
The implementation of our modeling and verification approach in the verification tool set
Vereofy including the ASL model-checking procedures as they were introduced in the previ-
ous chapter is based on a symbolic representation of constraint automata in terms of switch-
ing functions. The data structures used to store switching functions are ordered binary
decision diagrams (OBDDs) [Bry86]. This section summarizes the main aspects of our
symbolic encoding of constraint automata, namely states, transition relation (and labeling
function), with the help of switching functions. Moreover we present symbolic versions of
the product construction for constraint automata and of the algorithms introduced in Sec-
tion 4.3.
Constraint automata encoding. To represent a constraint automatonA by a BDD, we fix a
binary encoding of the states. For a constraint automata A = 〈Q,N ,−→A, Q0,Q,AP , L〉
we embed Q into {0, 1}n by an injective function
bin : Q→ {0, 1}n
where n = dlog |Q|e. We choose boolean state variables v1, . . . , vn and then identify each
state q with the evaluation for v1, . . . , vn given by bin(q). We write q̄ for the variable tuple
(v1, . . . , vn). In the same way, we may encode the data items by bit tuples. For simplicity,
we assume here the boolean data domain Data = {0, 1} and treat the symbols dA and
ports A ∈ N as boolean variables. In the sequel, let N = {A1, . . . , Ak} and di = dAi ,
i = 1, . . . , k. We write c̄ for the variable tuple (A1, . . . , Ak, d1, . . . , dk).
The transition relation −→A can be identified with its characteristic function and viewed as
a switching function
TA : Eval(q̄, c̄, q̄′)→ {0, 1},
where Eval(q̄, c̄, q̄′) denotes the set of evaluations for the variable tuples q̄, c̄ and q̄′. The
tuple q̄ = (v1, . . . , vn) encodes the starting state, q̄′ = (v′1, . . . , v
′
n) the target state, while c̄
serves to represent the concurrent I/O-operation. For instance, the transition relations of the
constraint automata for a synchronous channel and a synchronous drain with source port A
102
Chapter 5. Implementation 5.2. BDD-based model checking
and sink port B are given by:
Tsync channel(v1, A,B, dA, dB, v
′
1) = v1 ∧A ∧B ∧ (dA ↔ dB) ∧ v′1
Tsync drain(v1, A,B, dA, dB , v′1) = v1 ∧A ∧B ∧ v′1
For a FIFO1 channel we have to encode three states, say
bin(q(∅)) = 00, bin(q(1)) = 11 and bin(q(0)) = 10,
and then may represent the automaton by
TFIFO1(v1, v2, A,B, dA, dB, v
′
1, v
′
2) =
write into FIFO1︷ ︸︸ ︷
(¬v1 ∧ ¬v2 ∧A ∧ ¬B ∧ (q′2 ↔ dA) ∧ v′1)
∨ (v1 ∧ ¬A ∧B ∧ (v2 ↔ dB) ∧ ¬v′1 ∧ ¬v′2)︸ ︷︷ ︸
read from the FIFO1
Beside the transition relation, we also need a BDD representation of the initial states Q0,
quiescent states Q and the labeling function L. This can be done by representing the char-
acteristic function of Q0, Q and
Sat(a) = {q ∈ Q | a ∈ L(q)}
by a BDD for the induced function SATQ0 , SATQ, SAT a : Eval(q̄) → {0, 1}. In the
sequel, we use the shorthand notation quieA for the quiescent states in A, i.e., the charac-
teristic function SATQ.
The BDD representation for the transition relation of a constraint automaton can be con-
structed in a compositional manner, by mimicking Reo’s composition operators using the
corresponding operators on constraint automata and applying the analogous symbolic oper-
ations for manipulating switching functions. LetAi = 〈Qi,Ni,−→i, Q0,i〉 for i ∈ {1, 2} be
two constraint automata without labeling and quiescence and Ti(Vi) their switching func-
tion representations, where Vi = (q̄i, c̄i, q̄i′). The rules of the constraint automata product
for the transition relation from Definition 2.1.8 can be expressed symbolically by:
TA1 ./A2(V1, V2) = (T1(V1) ∧ T2(V2))︸ ︷︷ ︸
synchronous part
∨ (T1(V1) ∧ idA2(V2) ∨ (idA1(V1) ∧ T2)(V2))︸ ︷︷ ︸
asynchronous part
where
idA(v1, . . . , vn, A1, . . . , Ak, d1, . . . , dk, v′1, . . . , v
′
n) =
∧
j=1,...,n
(vj ↔ v′j) ∧
∧
A∈NA
¬A.
The boolean function idA describes that A does not change its state and no port is active,
i.e., in the product we freeze the state of one constraint automaton and prohibit any port
activity, while the other automaton moves.
103
5.2. BDD-based model checking Chapter 5. Implementation
Symbolic BTSL model checking. Similarly, the rules for the BTSL product A⊗Z (cf.
Definition 4.3.1) and ASL product AZ (cf. Definition 4.3.7) can be expressed symbol-
ically. For the BTSL product we need to include a boolean variable v√ (which is not yet
part of the encoding of A) for the √-transitions in the finite automaton Z and in the prod-
uct. Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 be a constraint automaton. Furthermore let
Z = 〈Z,N ,−→Z , Z0, ZF 〉 be a finite automaton as in Definition 4.3.1 and let TA(VA) and
TZ(VZ) be the switching function representation of their transition relations. The symbolic
way of expressing the BTSL product is
TA⊗Z(VA, VZ) =
synchronous part︷ ︸︸ ︷
(TA(VA) ∧ TZ(VZ) ∧ ¬v√)
∨ (quieA(q̄) ∧ TZ(VZ) ∧ v√ ∧ idA(VA))︸ ︷︷ ︸
quiescent part
.
Symbolic reformulations of Algorithm 1 and 2 are shown in Algorithm 6 and 7 where it
is assumed that the BDD SATΨ for Sat(Ψ) has already been constructed. BDD represen-
tations SATΨ for the satisfaction sets Sat(Ψ) of the subformulas Ψ of Φ are obtained by
reformulating the model-checking algorithms in a symbolic way with boolean operators and
applying the corresponding BDD synthesis algorithms.
We use the variable tuple q̄ = (v1, . . . , vn) to encode the states in A and z̄ = (z1, . . . , zm)
for the states in Z . Subsets V of Q×Z are encoded by the variables in q̄ and z̄. The sets Z0
and ZF are represented by BDDs with the variables z̄. The symbolic fixpoint computation
makes use of a symbolic representation of the predecessors Pre(P ):
ΛPre(P )(q̄) = ∃q̄′ ∃c̄. [TA(VA) ∧ P (q̄′ ← q̄)]
where the notation P (q̄′ ← q̄) means that the variables q̄ of P are renamed into their primed
copies and ∃v̄. [f ] = (f |v1=0 ∨ f |v1=1) ∨ (f |v2=0 ∨ f |v2=1) ∨ . . . ∨ (f |vn=0 ∨ f |vn=1)
denotes the existential quantification for the variable tuple v̄ = (v1, . . . , vn) and switching
function f . The switching function f |v=c is called the cofactor of f and results from f by
evaluating variable v with the constant value c ∈ {0, 1}.
Algorithm 6 Symbolic computation of Sat
(
∃〈Z〉Φ
)
for NFA Z
generate BDD representations for the sets Z0 and ZF and for TA⊗Z ;
P := SATΦ ∧ ZF ;
repeat
V := P ;
P := P ∨ ∃〈q̄′, z̄′〉 ∃c̄. [TA⊗Z(q̄, z̄) ∧ P (〈q̄′, z̄′〉 ← 〈q̄, z̄〉)];
until (V = P );
return ∃z̄. [P ∧ Z0];
(
* symbolic representation of Sat(∃〈Z〉Φ) by SAT ∃〈Z〉Φ *
)
104
Chapter 5. Implementation 5.2. BDD-based model checking
Algorithm 7 Symbolic computation of Sat
(
∃[[Z]]Φ
)
for DFA Z
generate BDD representations for the sets Z0 and ZF and for TA⊗Z ;
P := ¬ZF ∨ SATΦ;
repeat
V := P ;
P := P ∧ ∃〈q̄′, z̄′〉 ∃c̄. [TA⊗Z(q̄, z̄) ∧ P (〈q̄′, z̄′〉 ← 〈q̄, z̄〉)];
until (V = P );
return ∃z̄. [P ∧ Z0];
(
* symbolic representation of Sat(∃[[Z]]Φ) by SAT ∃[[Z]]Φ *
)
Symbolic ASL model checking. In the case of the ASL product we use the variable v√ for
the encoding of
√
-transitions in the finite automaton Z and the variable vstop to encode port
activity at the additional port A√ in the product. Moreover we add characteristic functions
contNA , prev
N
A : Eval(q̄) −→ {0, 1}
to characterize the states inAwhich have controllable transitions (i.e., active(c) ⊆ N ), and
the states which have preventable transitions (i.e., active(c) ∩N 6= ∅), respectively. These
functions are given by
contNA (q̄) = ∃c̄∃q̄′. [TA(VA) ∧
∨
A∈N
A ∧
∧
A∈NA\N
¬A]
prevNA (q̄) = ∃c̄∃q̄′. [TA(VA) ∧
∨
A∈N
A]
Let A = 〈Q,N ,−→A, Q0,Q,AP , L〉 be a constraint automaton. Furthermore let Z =
〈Z,N ,−→Z , Z0, ZF 〉 be a finite automaton as in Definition 4.3.1. Let TA(VA) and TZ(VZ)
be the switching function representation of their transition relations. As v√ will not be
needed in the ASL product of A and Z , we define the symbolic representation of the ASL
product to be of the form
TAZ(VAZ)
def
= ∃v√. [Tγ(VAZ)]
where VAZ consists of all variables in VA, VZ and the additional variable vstop and where
Tγ(VAZ) = (TA(VA) ∧ TZ(VZ) ∧ ¬v√ ∧ ¬vstop)︸ ︷︷ ︸
synchronous part
∨ (quieA(q̄) ∧ ¬contNA (q̄) ∧ TZ(VA) ∧ v√ ∧ ¬vstop ∧ idA(VA))︸ ︷︷ ︸
quiescent part (1)
∨ (quieA(q̄) ∧ prevNA (q̄) ∧ TZ(VZ) ∧ v√ ∧ vstop ∧ idA(VA)︸ ︷︷ ︸
quiescent part (2)
).
In the ASL case we are not only interested in whether or not a strategy does exist, but also
in the concrete strategy. For this, we introduce the switching function
SP,N (q̄, c̄) : Eval(q̄, c̄)→ {0, 1}
105
5.2. BDD-based model checking Chapter 5. Implementation
keeping track of all controllable transitions that enforce moving to a state in P :
SP,N (q̄, c̄) = ∃q̄′. [T contA (VA) ∧ P (q̄′ ← q̄)] ∧ ¬∃q̄′. [T contA (VA) ∧ ¬P (q̄′ ← q̄)]
where
T contA (VA) = TA(VA) ∧
∨
A∈N
A ∧
∧
A∈NA\N
¬A
describes the controllable fragment of the transition relation. The symbolic realization of
Algorithms 3 and 4 for computing the satisfaction sets
Sat(EN (Φ1 UΦ2)) and Sat(EN (Φ1 RΦ2)),
and hence the computation of Sat(EN 〈Z〉Φ) and Sat(EN [[Z]]Φ), depends on the symbolic
representation of the predecessors Pre(P,N):
ΛPre(P,N)(q̄) = ¬∃c̄∃q̄′. [TA(VA) ∧
∧
A∈N
¬A ∧ ¬P (q̄′ ← q̄)]︸ ︷︷ ︸
condition (1) in Definition 4.3.4
∧ ∃c̄.
[
∃q̄′. [SP,N (q̄, c̄)]
]︸ ︷︷ ︸
condition (2) in Definition 4.3.4
Algorithms 8 and 9 show symbolic realizations of Algorithms 3 and 4.
Algorithm 8 Symbolic computation of Sat
(
EN (Φ1 UΦ2)
)
P := SATΦ2 ;
TS := ∃q̄′.
[
TA(VA) ∧
∧
A∈N
¬A
]
;
repeat
V := P ;
P ′ := (SATΦ1 ∧ ΛPre(P,N));
P := P ∨ P ′;
TS := TS ∨ (P ∧ ¬(∃c̄∃q̄′. [TS]) ∧ SP ′,N (q̄, c̄));
until (V = P );
return P ;
(
* symbolic representation of Sat(EN (Φ1 UΦ2)) by SATEN (Φ1 UΦ2) *
)
106
Chapter 5. Implementation 5.2. BDD-based model checking
Algorithm 9 Symbolic computation of Sat
(
EN (Φ1 RΦ2)
)
P := SATΦ2 ;
TS := ∃q̄′.
[
TA(VA) ∧
∧
A∈N
¬A
]
;
repeat
V := P ;
P := P ∧ (SATΦ1 ∨ ΛPre(P,N));
until (V = P );
TS := TS ∨ (P ∧ SP,N (q̄, c̄));
return P ;
(
* symbolic representation of Sat(EN (Φ1 RΦ2)) by SATEN (Φ1 RΦ2) *
)
Implementation details. The BDD library JINC [Oss10] has its own memory manage-
ment that allocates the main memory in chunks. When temporary functions become useless,
i.e., there is no reference to the corresponding BDD node, the nodes are kept in memory to
be referenced again. The number of “dead nodes” kept in memory before freeing the mem-
ory for other nodes is called garbage collection delay (GCD) and can be set from outside of
the BDD library. In Vereofy we use a GCD of 1500 BDD nodes in the composition phase
and 200000 BDD nodes in the analysis phase. Vereofy allows to modify these two values by
the command line options gcd-building and gcd-checking. JINC uses computed tables for
the Boolean and other BDD operators that allow storing the result of conjunctions, disjunc-
tions, etc. of two functions. Whenever the same operator is applied to the same functions
the result will be taken from the computed table. Vereofy uses the default values of JINC,
i.e., 1048576 entries for each operator. The values can be changed by providing new values
in the configuration file of JINC.
The implementation of Vereofy provides various heuristics that help in reducing size of the
BDD, i.e., the number of BDD nodes needed to store constraint automata symbolically. The
memory to store the symbolic representation of a constraint automaton is dominated by the
number of BDD nodes for the encoding of its transition relation. Each BDD node requires
40 bytes in the main memory.
A heuristic is used to identify dataflow locations in the Reo network that are always guar-
anteed to act the exact same way, i.e, they are either both active or passive and if active
the same data is observable. For these ports there is only a single BDD variable encoding
their activity and only one set of data bits required for their encoding. This heuristic can
be enabled or disabled in Vereofy by using the command line options optimize-ports and
no-shared-data.
The size of the entire BDD structure crucially depends on the order of the BDD variables.
It is well known that for a given function the number of BDD nodes may vary from linear
to exponential. The initial variable ordering is created in the building phase, in which the
BDD representation of a Reo circuit is built by gradually building and composing the BDD
representation of all components, channels, connectors and Reo nodes. The traversal of the
Reo circuit is done in depth-first-search manner such that the distance of BDD variables of
107
5.2. BDD-based model checking Chapter 5. Implementation
components and connectors interacting with each other is minimized. When creating new
BDD variables encoding states, ports, or observable data the order in which the variables
appear in the BDD structure is chosen according to the same rule.
This initial order can be further optimized by applying a heuristic for dynamic reordering
of the BDD that allow to compute more reasonable variable orderings. For this, a variant
of the sifting [Rud93, PS95] algorithm, that tries to minimize the number of BDD nodes
by swapping neighboring variable levels is implemented in JINC. The computed variable
ordering can be stored and loaded for subsequent compositions of the same system model.
Sifting uses a max-growth constant to limit the space in which we allow the BDD to grow
during the swap of variable levels. The max-growth value can be set in Vereofy via the
command line option dynamic-reorder-max-growth. We equipped this standard version
of sifting with a new concept of a reorder-timeout, limiting the number of milliseconds in
which the BDD size cannot be decreased, before considering the current swap of a variable
level to be worthless. The timeout can be set in Vereofy using the command line option
dynamic-reorder-timeout. This allows to limit the overall time spent on the sifting consid-
erably. It turns out that, even for small values of the timeout value (100 to 300ms), the grade
of the solution, i.e., the number of BDD nodes needed to represent a system model, does
not suffer much from spending only a small fraction of time on reordering. The dynamic
reordering can be triggered by Vereofy in two different ways. The reordering can either
be executed whenever the number of BDD nodes has doubled after the last time sifting
was executed. Vereofy supports this by the command line option dynamic-reorder. The
reordering can also be triggered at designated points in the building procedure. This option
is activated in Vereofy by using the command line argument selective-reorder.
Precomputing the reachable part of the state space before the model checking allows a more
compact representation of some of the boolean functions during the model checking as
they can be modified for unreachable states using the BDD constrain operator [CBM90]
to end up with more compact BDD representations. The precomputation is enabled by
using the command line option precompute-reachable. In the building phase of a system,
one can use the options constrain-to-reachable-components and constrain-to-reachable-
circuits to constrain each instance of a CARML module and RSL circuit with respect to its
reachable states before the composition moves on.
In the next section we present a few examples and practical results that illustrate applica-
bility of our approach for different system types and evaluate the implementation of our
modeling formalism and verification algorithms realized in Vereofy. The Vereofy models
presented throughout this section make use of some language features of CARML and RSL
that are not yet released in the current version and will be part of an upcoming releases of
Vereofy. The full CARML / RSL code of the models is available online on:
http://wwwtcs.inf.tu-dresden.de/˜klueppel/PhD/examples.zip:
All computations were performed on a dual processor server with two Intel(R) Xeon(R)
L5630 CPUs at 2.13GHz, and 32 GB RAM running on Debian GNU/Linux 6.0.3 and kernel
2.6.32-5-amd64.
108
Chapter 5. Implementation 5.3. Tool evaluation
5.3. Tool evaluation
The first class of system models that we will consider for a simple case study are classical
board games. For this, we will stay in the component-based setting and have one component
for the game arena, holding the current configuration of the game, and another component
accepting the legal moves of the players. The latter will be called Rules and serves to model
the rules of the game. For the players themselves no component will be introduced and
a priori we do not make any assumptions regarding their behavior. Instead, we model an
open system where players can connect to the open ports of our model. The structure of a
two-player game in the component-based setting is depicted in Figure 5.2.
Game Arena
Rules of 
the GameP1
P2
Figure 5.2: Component model for a two-player game
Players can connect to the interface ports P1 and P2 provided by the Rules component,
which will accept legal moves on its input ports in the right order, e.g. alternately or concur-
rent. The moves of a player are immediately carried out by a synchronous write operation
on the game arena, which updates the current configuration of the game. Moves that will
not be legal due to the current game configuration will be completely blocked and not be
accepted by the Rules component. For example, in some games the arena itself does not
accept a move of a player if the field on the game board is already occupied. This illustrates
that some of the intelligence deciding whether or not a move is legal relies on the current
game configuration and thus on the corresponding component, while others depend on the
context-independent rules of the game. This is elegantly captured within our component-
based model.
Remark 5.3.1 (Turn-based games and ASL). In ASL each component or player has the
possibility to refuse interaction with the other components at any time. This is not a natural
interpretation when reasoning about turn-based games. Intuitively, this means that each
player has the possibility of leaving the game board at any time, even before the game
is over. To eliminate this phenomena, it is sufficient to hide all opponent moves in the
constraint automata in a structure-preserving way. Hence, when asking for a strategy for
109
5.3. Tool evaluation Chapter 5. Implementation
the first player, we will hide the moves of the second player and vice versa. This results
in c∅-transitions for all opponent moves which can neither be controlled by the player nor
refused by the opponent.
Our first example of a game is the famous Tic-Tac-Toe, also called noughts and crosses. It
has been selected to show that our approach is also applicable for solving questions typically
raised in the context of turn-based games.
5.3.1. Tic-Tac-Toe
Tic-Tac-Toe is a well known two-player, turn-based game with complete information. The
game arena is an n×n grid board where the players called player X and player O alternately
mark the fields with their own symbols. Initially the board is empty and usually player X
goes first. The goal of the game for both players is to place three of their own marks in
a horizontal, vertical, or diagonal row. The game stops if either one of the two players
wins or there is no unmarked field left on the grid. The latter is called a draw. Each play
consists of finitely many steps and thus the number of possible plays is finite. In the 3×3
case the number of reachable game configurations is 5478 and the number of possible plays
is 255.168, from which 131.184 are finished plays won by player X, 77.904 are won by
player O, and 46.080 are draws6. Tic-Tac-Toe belongs to the class of solved games and it
is well known that neither of the players has a winning strategy when their opponent plays
optimally.
We present a parameterized model of the game with grids of size n×n to see how good
the ASL model checking scales. The set of considered properties includes the standard
questions studied for Tic-Tac-Toe in the literature (see e.g. [RvdHW09]) and also some
non-standard questions which have not been addressed previously. E.g., we will see that
player O has a strategy to avoid a draw, i.e., player O can enforce a play that is winning for
either player O or player X. When scaling the size of the game board to size n × n in our
model the players need n in a row to win the game.
The Vereofy model for the Tic-Tac-Toe game. Figure 5.3 shows the declarations of con-
stants and types within the RSL main program for the Tic-Tac-Toe game. The declaration
part also contains some function definitions for the computation of field indices and to
get the current configuration of the game arena at a certain position. Figure 5.4 shows a
CARML module for the rules of the Tic-Tac-Toe game. Here, the basic rules are that the
moves of player O and player X do alternate and players can only place their own symbol
on the game board. Figure 5.5 shows the CARML code for the game arena of Tic-Tac-Toe.
The arena accepts incoming put operations as long as the addressed field is still empty and
the game is not yet over. The latter requires to check the winning condition of player O
and player X. A sequence of atomic propositions at the beginning of the module definition
serves for this purpose.
6The number of different configurations and plays can significantly be reduced due to the symmetry.
110
Chapter 5. Implementation 5.3. Tool evaluation
CONST arena_size_default = 3;
CONST arena_size = arena_size_default;
TYPE index_t = int(0,arena_size-1);
CONST field_size = (arena_size * arena_size);
TYPE field_index_t = int(0,field_size-1);
TYPE symbol_t = enum{empty,cross,circle};
TYPE position_t = int(0,arena_size-1);
TYPE put_t = struct{
symbol_t symbol;
};
#include "builtin"
TYPE row_index_t = index_t;
TYPE column_index_t = index_t;
FUNCTION field_index_t value(row_index_t row, column_index_t col)
= (arena_size*row)+col;
FUNCTION symbol_t get(
symbol_t[field_size] field, row_index_t row, column_index_t col)
= field[value(row,col)];
Figure 5.3: RSL declarations for the Tic-Tac-Toe game
MODULE TTT_ROTG{
in: put_t PlayerXput;
in: put_t PlayerOput;
out: put_t put_out;
var: enum{PlayerX,PlayerO} turn := PlayerX;
turn == PlayerX
-[ {PlayerXput,put_out}
& #put_out == #PlayerXput
& #PlayerXput.symbol == cross ]->
turn := PlayerO;
turn == PlayerO
-[ {PlayerOput,put_out}
& #put_out == #PlayerOput
& #PlayerOput.symbol == circle ]->
turn := PlayerX;
}
Figure 5.4: CARML module for the rules of the Tic-Tac-Toe game
111
5.3. Tool evaluation Chapter 5. Implementation
MODULE TTT_Arena{
in: put_t put;
var: symbol_t[field_size] arena := empty;
ap: cross_wins_h
<=> OR(j in index_t; AND(i in index_t; get(arena,j,i)==cross));
ap: cross_wins_v
<=> OR(j in index_t; AND(i in index_t; get(arena,i,j)==cross));
ap: cross_wins_d1
<=> AND(i in index_t; get(arena,i,i)==cross);
ap: cross_wins_d2
<=> AND(i in index_t; get(arena,arena_size-1-i,i)==cross);
ap: cross_wins_d
<=> cross_wins_d1 | cross_wins_d2;
ap: cross_wins
<=> cross_wins_h | cross_wins_v | cross_wins_d;
ap: circle_wins_h
<=> OR(j in index_t; AND(i in index_t; get(arena,j,i)==circle));
ap: circle_wins_v
<=> OR(j in index_t; AND(i in index_t; get(arena,i,j)==circle));
ap: circle_wins_d1
<=> AND(i in index_t; get(arena,i,i)==circle);
ap: circle_wins_d2
<=> AND(i in index_t; get(arena,arena_size-1-i,i)==circle);
ap: circle_wins_d
<=> circle_wins_d1 | circle_wins_d2;
ap: circle_wins
<=> circle_wins_h | circle_wins_v | circle_wins_d;
ap: someone_wins <=> circle_wins | cross_wins;
ap: isFull <=> AND(i in field_index_t; arena[i]!=empty);
ap: game_over <=> someone_wins | isFull;
ap: running_game <=> !game_over;
running_game
-[ {put} & IF(get(arena,#put.yposition,#put.xposition) == empty) ]->
arena[value(#put.yposition,#put.xposition)] := #put.symbol;
}
Figure 5.5: CARML module for the game arena of the Tic-Tac-Toe game
112
Chapter 5. Implementation 5.3. Tool evaluation
The Tic-Tac-Toe game itself is composed with the help of an RSL script as shown in Fig-
ure 5.6. The script creates an instance of the game arena and of the Rules component and
joins their interface ports. Additionally, some of the atomic propositions defined for the
game arena are lifted to the game level. These atomic propositions are now available for
use within ASL formulas. Moreover the script provides a mechanism to hide the moves of
player X and/or player O (compare Remark 5.3.1) by setting corresponding command line
flags of Vereofy. Finally, an alias is set, which identifies the Tic-Tac-Toe game as the main
system to be analyzed by default.
CIRCUIT TTT_Game{
theArena = new TTT_Arena(NULL);
theRules = new TTT_ROTG(PlayerX,PlayerO;NULL);
join(theArena.source,theRules.sink);
AP("cross_wins", "theArena.cross_wins");
AP("circle_wins", "theArena.circle_wins");
AP("winning", "theArena.someone_wins");
AP("draw", "theArena.isFull & !winning");
AP("game_over", "theArena.game_over");
@if +hide_PlayerO_moves
PlayerO = NULL;
@endif
@if +hide_PlayerX_moves
PlayerX = NULL;
@endif
}
ALIAS main = TTT_Game;
Figure 5.6: RSL circuit composing the Tic-Tac-Toe game
113
5.3. Tool evaluation Chapter 5. Implementation
Model statistics. We will now present some statistics regarding the size of the composed
system model for the Tic-Tac-Toe game as well as the time needed to parse the RSL main
program and build the symbolic representation of the model. Table 5.1 shows the statistics
for various sizes of the game board.
board size reachable states BDD variables BDD nodes build time (s)
3×3 5.4 · 103 78 (19) 4076 0.1
4×4 9.7 · 106 120 (33) 50121 0.3
5×5 1.6 · 1011 180 (51) 359207 2.6
6×6 2.4 · 1016 246 (73) 2106808 23
7×7 3.3 · 1022 324 (99) 11803721 970
Table 5.1: Composition time and size of the system model of the Tic-Tac-Toe game
The first column of the table shows the size of the game board, which corresponds to the
arena size constant defined in the RSL main program declaration part. By passing
this constant value via the command line, it takes precedence over the previous definition
in the source code of the model. In the second column the number of reachable states
of the composed system is shown. This value agrees with the number of possible game
configurations. The third column shows the number of BDD variables used by Vereofy
to encode all constraint automata including their ports and data bits for the encoding of
the state space. The fourth column contains the number of BDD nodes used to encode
the transition relation for the selected BDD variable ordering of the underlying constraint
automaton. The last column shows the time spent to compose the entire system model for a
variable ordering that was previously computed, stored, and then loaded before starting the
composition procedure.
Model checking for the Tic-Tac-Toe game. We will now provide the model checking
results for the Tic-Tac-Toe game. First we will consider a set of CTL formulas before
providing some results for properties specified in terms of BTSL and ASL.
CTL model checking. For the sublogic CTL we will consider the formulas:
Φ1 = ∃((“winning” ∧ “draw” ∧ “game over”) U “cross wins”)
Φ2 = ∃((“winning” ∧ “draw” ∧ “game over”) U “circle wins”)
Φ3 = ∃((“winning” ∧ “draw” ∧ “game over”) U “draw”)
Φ4 = ∀((“winning” ∧ “draw” ∧ “game over”) U “game over”)
Φ5 = ∃2 “winning”
Φ6 = ∀2((“winning” ∨ “draw”) =⇒ ¬∃X true)
Here, by “ a ” we mean the negation of an atomic proposition a ∈ AP . The above CTL
formulas reason about the visited states along paths in the constraint automaton, i.e., plays
114
Chapter 5. Implementation 5.3. Tool evaluation
in the Tic-Tac-Toe game. The first three properties are liveness properties stating that con-
figurations where player X wins, player O wins, or the game ends in a draw are reachable.
Φ4 states that all plays end in a configuration where the game is over. Φ5 states the existence
of a path that is globally not visiting a winning configuration. In Φ6 it is stated that there
is always possible a next step, if the current state is neither a winning state nor a state in
which the game is a draw. Here, the sub formula ∃X true states the existence of a next step,
i.e., characterizes the set of states that are not terminal states. All CTL formulas are defined
such that they are satisfied for the system model of size 3×3. Indeed they hold for all board
sizes that have been investigated within this case study.
We successfully checked the above properties with Vereofy. Figure 5.7 shows the output
when executing Vereofy for the Tic-Tac-Toe game and formula Φ4. After building the
symbolic representation of the constraint automaton and checking Φ4 (and its subformulas
recursively), a witness path constituted by the configurations of the game board and the
moves of the players is printed. The game configuration (which is indeed a draw) that is
reached in the witness path (cf. output presented in Figure 5.7) is depicted in Figure 5.8.
Table 5.2 shows the time in seconds spent to check the given properties. The table consists
of three sub-tables, where the first shows the time when the reachable fragment of the state
space has been computed before starting the model checking. The time shown in the first
sub-table includes the time needed for the precomputation of the reachable game config-
urations. The second sub-table shows the times when precomputation has been disabled
and replaced by a dynamic reordering during the model checking procedure again using
a time and spaced bounded variant of sifting. The third sub-table shows the times when
neither the reachable fragment has been computed in advance, nor dynamic reordering was
carried out. The Vereofy process was executed with a limited memory of 20GB (which was
never exceeded throughout our experiments) and a limited time of 2, 3, or 4 hours. Once
the resources were exhausted either in time or space the process has been killed which is
indicated by the entries in the tables that are marked red.
115
5.3. Tool evaluation Chapter 5. Implementation
Figure 5.7: Executing Vereofy for the Tic-Tac-Toe game and formula Φ4
116
Chapter 5. Implementation 5.3. Tool evaluation
Figure 5.8: Tic-Tac-Toe draw configuration as reached in the witness path in Figure 5.7
reachable fragment, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 0.04 0.04 0.04 0.04 0.05 0.02
4×4 5.71 8.56 6.91 1.33 6.18 0.53
5×5 4205 3519 3133 69 2413 23
6×6 >3h >3h >3h 10603 >3h 1690
7×7 >3h >3h >3h >3h >3h >3h
full game arena, with dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 1.37 1.37 1.34 1.33 1.40 0.42
4×4 48 68 104 44 95 8.54
5×5 3984 4756 >3h 1117 >3h 27
6×6 >3h >3h >3h >3h >3h 68
7×7 >3h >3h >3h >3h >3h 461
full game arena, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 0.04 0.03 0.05 0.04 0.05 0.01
4×4 10 12 50 5.38 36 0.03
5×5 3277 3684 >3h 751 >3h 0.37
6×6 >3h >3h >3h >3h >3h 4.9
7×7 >3h >3h >3h >3h >3h 275
Table 5.2: Time in seconds for CTL model checking of Tic-Tac-Toe
117
5.3. Tool evaluation Chapter 5. Implementation
As one can see, the runtime of the model checker is dominated by the precomputation of
the reachable fragment (where carried out). For a board size of 6×6 the precomputation
takes almost 30 minutes, whereas for board size 7×7 it takes weeks to finish. In case of
Φ4 the precomputation of the reachable fragment allowed to improve the runtime of the
symbolic model checking algorithms, but this does not hold in general and depends on the
investigated system model and the current formula. Here, for some of the selected formulas
such as Φ1 and Φ2 the precomputation required some additional time and the time for model
checking reduced about the same order. For other CTL formulas such as Φ5 and Φ6 the
model checking does not benefit from the precomputation at all. The dynamic reordering
has no positive effect on the runtime here although it helps to reduce the required memory.
BTSL model checking. For BTSL we will consider the following formulas:
Φ1 = ¬∃〈tt∗; dataPlayerX = circle〉true
Φ2 = ¬∃〈tt∗; dataPlayerO = cross〉true
Φ3 = ¬∃〈tt∗;PlayerX;PlayerX〉true
Φ4 = ¬∃〈tt∗;PlayerO;PlayerO〉true
Φ5 = ¬∃〈tt∗;PlayerX〉(“cross wins” ∧ “draw” ∧ ¬∃〈PlayerO〉true)
Φ6 = ¬∃〈tt∗;PlayerO〉(“circle wins” ∧ “draw” ∧ ¬∃〈PlayerX〉true)
The above BTSL formulas now reason about states and the observable dataflow at the two
existing ports PlayerX and PlayerO. Again, all BTSL formulas are defined in a way
such that they are satisfied for the system model. For Φ1, . . . ,Φ4 this means that there is
not a single play in the game with the specified prefix, i.e., where one of the players puts
the wrong symbol on the game board or has the ability to make two back-to-back moves.
Formula Φ5 states that there should not be play in which player X made the last move, the
reached configuration is neither winning for player X nor a draw and the opponent cannot
place his next mark on the game board. Formula Φ6 formulates an analog proposition for
player O. Table 5.3 depicts the time in seconds to check the given BTSL formula.
118
Chapter 5. Implementation 5.3. Tool evaluation
reachable fragment, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 0.02 0.02 0.02 0.02 0.02 0.03
4×4 0.41 0.41 0.45 0.46 0.54 0.53
5×5 20 21 22 21 22 22
6×6 1651 1646 1652 1661 1687 1670
7×7 >3h >3h >3h >3h >3h >3h
full game arena, with dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 0.42 0.42 0.42 0.42 0.42 0.43
4×4 8.58 8.58 8.53 8.54 8.56 8.59
5×5 27 28 27 27 28 27
6×6 68 67 69 70 72 72
7×7 457 459 472 477 655 600
full game arena, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6
3×3 0.01 0.01 0.01 0.01 0.01 0.01
4×4 0.02 0.02 0.04 0.04 0.07 0.07
5×5 0.21 0.23 0.39 0.41 0.64 0.65
6×6 3.08 3.3 5.17 5.33 9.3 9.08
7×7 229 255 268 286 538 740
Table 5.3: Time in seconds for BTSL model checking of Tic-Tac-Toe
119
5.3. Tool evaluation Chapter 5. Implementation
As Table 5.3 shows that the selected BTSL formulas can be checked efficiently without
dynamic reordering and precomputation of the reachable states. This is due to the fact
that we quantity over prefixes that cannot occur, as for Φ1, . . . ,Φ4 or the combination of
states and prefix cannot occur. For Φ5 and Φ6 this means that they are a little more time-
consuming.
ASL model checking. For ASL we will consider the following formulas:
Φ1 = E{PlayerX,P layerO}3 “draw”
Φ2 = ¬E{PlayerX}3 “cross wins”
Φ3 = ¬E{PlayerX}3 “draw”
Φ4 = E{PlayerX}3 (“game over” ∧ (“cross wins” =⇒ “draw”))
Φ5 = E{PlayerX}2 (“game over” =⇒ (“cross wins” =⇒ “draw”))
Φ6 = ¬E{PlayerO}3 “circle wins”
Φ7 = ¬E{PlayerO}3 “draw”
Φ8 = E{PlayerO}3 (“game over” ∧ (“circle wins” =⇒ “draw”))
Φ9 = E{PlayerO}2 (“game over” =⇒ (“circle wins” =⇒ “draw”))
Φ10 = E{PlayerO}3 “someone wins”
The above ASL formulas now reason about strategies rather than only states and dataflow.
For different sets of controllable ports the formulas state whether or not certain liveness and
safety properties can be enforced. In case of ASL our formulas are defined such that they
are satisfied for the system model of size 3×3. As we found out with the help of Vereofy,
the formulas Φ3 and Φ10 do not hold for board size 4×4, which is why the corresponding
fields in Table 5.4 are highlighted. The table depicts the time in seconds to check the given
ASL formula.
One can see that the ASL model checking is consuming more time than needed for the pre-
sented CTL and BTSL formulas and applicable up to the board size of 5×5 only. We claim
that this is due to the fact that far more memory is needed during the fixpoint computations
as the transition relation has to be decided into controllable and (un)preventable transitions
and hence more (temporary) BDD nodes are introduced into the BDD structure. Further-
more we claim that this may change when adding regular expressions for reasoning about
the dataflow. Indeed, the above ASL formulas are ATL formulas only. At the end of this
subsection we now compare the memory and time-usage during the fixpoint computation
for different formula types more systematically.
120
Chapter 5. Implementation 5.3. Tool evaluation
reachable fragment, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6 Φ7 Φ8 Φ9 Φ10
3×3 0.09 0.10 0.03 0.11 0.03 0.09 0.05 0.13 0.03 0.15
4×4 436 78 491 94 1.1 44 286 240 1.02 516
5×5 >3h >3h >3h >3h 287 >3h >3h >3h 305 >3h
6×6 >3h >3h >3h >3h >3h >3h >3h >3h >3h >3h
full game arena, with dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6 Φ7 Φ8 Φ9 Φ10
3×3 1.85 1.47 1.31 1.77 0.38 1.50 1.35 1.88 0.42 1.75
4×4 288 164 797 453 18 165 790 452 18 936
5×5 >3h >3h >3h >3h 60 >3h >3h >3h 60 >3h
6×6 >3h >3h >3h >3h >3h >3h >3h >3h >3h >3h
full game arena, no dynamic reordering:
board size Φ1 Φ2 Φ3 Φ4 Φ5 Φ6 Φ7 Φ8 Φ9 Φ10
3×3 0.12 0.08 0.06 0.16 0.02 0.07 0.05 0.16 0.01 0.15
4×4 1105 149 1207 533 0.47 147 1206 532 0.43 1575
5×5 >3h >3h >3h >3h 135 >3h >3h >3h 95 >3h
6×6 >3h >3h >3h >3h >3h >3h >3h >3h >3h >3h
Table 5.4: Time in seconds for ASL model checking of Tic-Tac-Toe
121
5.3. Tool evaluation Chapter 5. Implementation
Memory-usage. To analyze the memory-usage of the different Pre-operators, we now look
at the Tic-Tac-Toe game with board size of 3×3 and 4×4, fix the variable ordering and
measure the number of BDD nodes kept in memory for the different Pre-operators applied
when checking the following CTL, BTSL, ATL, and ASL formulas which have a similar
structure:
CTL formula Φ1 = ∃3“draw”
BTSL formula Φ2 = ∃〈Zk〉“draw”
ATL formula Φ3 = E{PlayerX,P layerO}3“draw”
ASL formula Φ4 = E{PlayerX,P layerO}〈Zk〉“draw”
where Zk is an NFA accepting the language
L(Zk) =
{
c1 . . . ck
∣∣ active(c1) = {PlayerX} and active(c2) = {PlayerO}} (5.1)
Here, we set k def= n2 if the selected board size equals n×n as k is the maximum number
of moves that the two players can make. Hence, the fixpoint computation for the selected
formulas requires exactly k Pre-image steps before termination for all the selected formu-
las. Figure 5.9 shows the number of BDD nodes (including all temporal BDD nodes) that
are stored for each of the four formulas when looking at a board size of 3×3. The first plot
illustrates the memory usage when the precomputation of the reachable states is disabled,
while the second plot shows the same progression, but here the precomputation is enabled.
One can see that storing the characteristic function of the reachable fragment requires some
additional memory, as the starting point for all four plots is higher in the second diagram.
Moreover, the alternating-time logics seem to require about twice as much memory as their
branching-time counterparts. This is due to the more complex Pre-operator, which requires
the controllable and the (un)preventable parts of the transition relation to be stored sepa-
rately. Here, another interesting observation is, that using an NFA Z of the form describes
in equation (5.1) in the BTSL and ASL formula can reduce the actual amount of memory
that is needed in comparison with their CTL and ATL counterpart formulas, although new
BDD variables for the state space ofZ have been added to the BDD structure. This does not
hold in general, as the structure of the NFA and hence the model checking can be arbitrary
complex.
Figure 5.10 shows the same progression for a board size of 4×4. In these plots we can
observe some similar behavior to the 3×3 case, but at some point the number of BDD nodes
breaks down to some lower value. This behavior can be observed, because at this point of the
fixpoint computation a threshold of unused temporary BDD nodes has been reached and the
garbage collection is carried out. Executing the garbage collection at this point consumes
some additional time and reduces the number of BDD nodes dramatically. In Figure 5.11 we
plot the progression in the 4×4 case when setting the garbage collection delay (gcd), i.e.,
the number of unused BDD nodes kept in memory before starting the garbage collection
procedure, to “infinity”. When selecting a value that will never be reached (indicated by
gcd=inf), one can observe the same behavior as in the 3×3 case (cf. Figure 5.9) where the
garbage collection has not been started during the fixpoint computation either.
Again, the alternating-time logics require more memory as their branching-time counter-
parts and using the BTSL and ASL formula rather than a similar CTL and ATL formula
122
Chapter 5. Implementation 5.3. Tool evaluation
reduces the actual amount of memory needed during the fixpoint computation. The latter
result crucially depends on the structure of the NFA and the system itself and cannot be
generalized as the BTSL and ASL model checking problem can become arbitrary difficult
by increasing the complexity of the NFA.
As the above results include the temporary BDD nodes, we close this paragraph by compar-
ing the memory usage during the fixpoint computation for the four formulas when setting
the garbage collection delay to value zero. Hence, the number of BDD nodes plotted in
Figures 5.12 and 5.13 show the progression for the board sizes 4×4 and 3×3 when all
the temporary BDD nodes are instantaneously removed from the memory once they get
unused. This reduces the memory usage, requires some additional time for collecting the
unused BDD nodes, and slows down the entire fixpoint computation as temporal results
cannot be reused in terms of a computed table.
Overall, the two figures show that the plots for BTSL and ASL as well as CTL and ATL
have a very similar shape. We observe here, that the actual amount of memory (which does
not include the BDD nodes of temporal intermediate results) is larger for the BTSL and
ASL formulas than for the CTL and ATL formulas. This is because, after each image step
we look at the result characterized by boolean functions over the BDD variables for the state
space of the product of A and Zk rather than variables for the state space of A only.
Time and memory correlation. As all the model checking algorithms introduced in the
previous chapters use BDDs as data structure predominantly, we do expect the runtime
of the model checking to be correlated with the size of the BDD structure. Figure 5.14
shows the overall runtime of the model checking procedures for the formulas Φ1, . . . ,Φ4 as
introduced above. The first graph plots the time in seconds needed to verify the properties
for the board size 3×3 whereas the second graph shows the overall runtime in seconds
in the 4×4 case. The plots are again given for the two cases, when precomputing the
reachable fragment is enabled or disabled. The garbage collection delay has again been
set to “infinity” to ensure that the garbage collection is disabled and does not consume any
additional time.
The correlation between the allocated memory and the runtime can be seen at different posi-
tions. The first is, that having the reachable fragment of the state space precomputed, allows
to have a more compact representation of the intermediate results (by constraining with re-
spect to the reachable states). Hence, the overall runtime for the selected type of formulas
(i.e., liveness property whose satisfaction set is characterized by a least fixpoint) decreases
along with the allocated memory (compare, e.g., Figure 5.12). Another point is that the
verification of the alternating-time formulas requires more time than the branching-time
properties, as more temporary boolean functions must be computed and stored (cf. Fig-
ure 5.11). Hence, the runtime is dominated by the size of the temporary functions. Another
important influence comes from the size of the boolean functions storing the intermediate
results during the model checking. This can be seen when comparing the time for model
checking of the ASL and the ATL formulas in the Tic-Tac-Toe game of size 4×4. Here,
checking the ASL formula requires more time although the overall allocated memory for
checking is much larger when checking the ATL formula. This is because for the ATL for-
mula the functions storing intermediate results can be represented by fewer BDD nodes (cf.
Figure 5.12).
123
5.3. Tool evaluation Chapter 5. Implementation
 20000
 40000
 60000
 80000
 100000
 120000
 140000
 160000
 180000
 200000
 0  1  2  3  4  5  6  7  8
B
D
D
 n
od
es
image steps
precomputation of the reachable states disabled
ATL
ASL
CTL
BTSL
 20000
 40000
 60000
 80000
 100000
 120000
 140000
 160000
 180000
 200000
 0  1  2  3  4  5  6  7  8
B
D
D
 n
od
es
image steps
precomputation of the reachable states enabled
ATL
ASL
CTL
BTSL
Figure 5.9: BDD nodes during fixpoint computation for Tic-Tac-Toe 3×3 (gcd=default)
124
Chapter 5. Implementation 5.3. Tool evaluation
 0
 5e+06
 1e+07
 1.5e+07
 2e+07
 2.5e+07
 3e+07
 3.5e+07
 4e+07
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states disabled
ATL
ASL
CTL
BTSL
 0
 5e+06
 1e+07
 1.5e+07
 2e+07
 2.5e+07
 3e+07
 3.5e+07
 4e+07
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states enabled
ATL
ASL
CTL
BTSL
Figure 5.10: BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=default)
125
5.3. Tool evaluation Chapter 5. Implementation
 0
 2e+07
 4e+07
 6e+07
 8e+07
 1e+08
 1.2e+08
 1.4e+08
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states disabled
ATL
ASL
CTL
BTSL
 0
 1e+07
 2e+07
 3e+07
 4e+07
 5e+07
 6e+07
 7e+07
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states enabled
ATL
ASL
CTL
BTSL
Figure 5.11: BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=inf)
126
Chapter 5. Implementation 5.3. Tool evaluation
 100000
 200000
 300000
 400000
 500000
 600000
 700000
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states disabled
BTSL
ASL
CTL
ATL
 120000
 140000
 160000
 180000
 200000
 220000
 240000
 260000
 280000
 300000
 320000
 0  2  4  6  8  10  12  14
B
D
D
 n
od
es
image steps
precomputation of the reachable states enabled
BTSL
ASL
CTL
ATL
Figure 5.12: BDD nodes during fixpoint computation for Tic-Tac-Toe 4×4 (gcd=0)
127
5.3. Tool evaluation Chapter 5. Implementation
 11000
 12000
 13000
 14000
 15000
 16000
 17000
 18000
 19000
 0  1  2  3  4  5  6  7  8
B
D
D
 n
od
es
image steps
precomputation of the reachable states disabled
BTSL
ASL
CTL
ATL
 11000
 12000
 13000
 14000
 15000
 16000
 17000
 18000
 0  1  2  3  4  5  6  7  8
B
D
D
 n
od
es
image steps
precomputation of the reachable states enabled
BTSL
ASL
CTL
ATL
Figure 5.13: BDD nodes during fixpoint computation for Tic-Tac-Toe 3×3 (gcd=0)
128
Chapter 5. Implementation 5.3. Tool evaluation
 0
 0.05
 0.1
 0.15
 0.2
 0.25
 0.3
 0.35
 0.4
 0.45
ASL ATL CTL BTSL
Ti
m
e 
in
 s
ec
on
ds
Formula type
pre=0
pre=1
 1
 10
 100
 1000
 10000
ASL ATL CTL BTSL
Ti
m
e 
in
 s
ec
on
ds
 (l
og
 s
ca
le
)
Formula type
pre=0
pre=1
Figure 5.14: Time needed for fixpoint computation in Tic-Tac-Toe (gcd=inf)
129
5.3. Tool evaluation Chapter 5. Implementation
5.3.2. Other game examples
We used Vereofy to build and check a number of other games such as Teeko, connect-k,
and the boss-puzzle. The structure of our models of these games all follow the component
model illustrated in Figure 5.2 and varies in the size of the game arena and the complexity
of the game rules. It turned out that we could compose and verify system models that have
about the same order of magnitude of reachable states as for the Tic-Tac-Toe game with our
approach. E.g., we built the connect-k for a board size of 6×5 in 752 seconds. Computing
the number of reachable states (2.82 · 109) consumed 6256 seconds.
The full models and some example properties are included in the zip archive available at:
http://wwwtcs.inf.tu-dresden.de/˜klueppel/PhD/examples.zip
5.3.3. A dining philosophers example
In our next case study, which constitutes a very simple protocol, we revisit a variant of the
prominent dining philosophers originated by Dijkstra [Dij68]. A number of philosophers
are sitting at a round table. Their main activity is thinking, while from time to time they
get hungry and want to eat some of the food placed in a bowl in the center of the table.
To take some food out of the bowl, a philosopher needs exactly two pieces of cutlery, each
of which is situated between any two neighboring philosophers. Hence, two neighboring
philosophers share a single piece of cutlery, which can only be used by one of them at the
same time. Hence, neighboring philosophers never eat at the simultaneously.
Our Vereofy model consists of a CARML module for each philosopher. The component
modeling the behavior of each philosopher has four output ports to trigger the subsequent
take and release actions of the cutlery pieces on their left and on their right. Furthermore,
we provide CARML modules for the cutlery pieces, which can either be available or taken
and they have two input ports for accepting take and release actions of the philosophers.
The entire system is composed of these components and synchronous Reo channels. The
channels connect the output ports of the philosopher components with the input port of the
cutlery components. Here, a Reo standard node is created, ensuring mutually exclusive take
actions. Figure 5.15 shows our component model for the dining philosophers example.
The constraint automata for the philosophers and the cutlery are shown in Figure 5.16. For
the data domain Data of our Vereofy model we just require a single data item, i.e., the
domain can be a singleton such as Data = {0}.
130
Chapter 5. Implementation 5.3. Tool evaluation
Phil0
Phil1
Phil2Phil3
Phil4
cutl1
cutl0
cutl2
cutl3
cutl4
Figure 5.15: Component model for the dining philosophers
thinking
{take first} {take second}
{release first,release second}
waiting eating
{take}
{release}
available taken
Figure 5.16: Constraint automata for the dining philosophers components
It is well known that a global deadlock may happen, e.g., when all philosophers simultane-
ously pick up the cutlery on their left (or in arbitrary order) and then wait for the second
piece. Furthermore, there does not exist a fully symmetric deterministic solution without
global control that can avoid this kind of deadlocks (e.g., see [Lyn96]). There are differ-
ent ways to design a protocol for the philosophers which avoids these kinds of deadlock
situations. One way is to break the symmetry by letting one of the philosophers take the
cutlery on its right before taking the piece on the left whereas the other philosophers take
the cutlery on the left first. To achieve this in our exogenous component model we will just
connect the synchronous channels of one of the philosophers accordingly (see Figure 5.17),
rather than modifying the specification of one of the philosophers [Arb05].
131
5.3. Tool evaluation Chapter 5. Implementation
Phil0
Phil1
Phil2Phil3
Phil4
cutl1
cutl0
cutl2
cutl3
cutl4
Figure 5.17: Alternative component model for the dining philosophers without deadlock
We provided RSL scripts for both variants of the protocol – with and without deadlocks –
and also variants of the philosopher having four states rather than three and releasing the
cutlery in two steps rather than in one. All variants are included in the zip archive which is
available on the web:
http://wwwtcs.inf.tu-dresden.de/˜klueppel/PhD/examples.zip.
Model statistics. We will again first present some statistics regarding the size of the com-
posed system model as well as the time needed to parse the RSL main program and build the
symbolic representation of the model. We show here the numbers for the model variant that
includes a potential deadlock and where releasing the cutlery is done within a single step.
Table 5.5 shows the statistics for an increasing number of philosophers. Here, we stopped
at 1000 philosophers, where a peak number of 58741573 BDD nodes (almost 2.2GB) was
needed to compose the system and compute the reachable part. The value “inf” for the
number of reachable states indicated that the maximum value for floating-point represen-
tation was exceeded and the actual value could not be computed. This amount of memory
is needed when computing the reachable states using the default garbage collection delay.
When disabling the garbage collection entirely (gcd=inf) the maximum number of BDD
nodes reached 571878848 which is almost 21GB.
132
Chapter 5. Implementation 5.3. Tool evaluation
philosophers reachable states BDD vars BDD nodes build time (s)
5 82 75 539 2.51 0.02 0.02
6 198 90 692 3.02 0.03 0.04
7 478 105 835 3.52 0.04 0.03
8 1154 120 983 4.01 0.03 0.03
9 2786 135 1131 4.53 0.04 0.04
10 6726 150 1284 5.08 0.06 0.06
20 4.5 · 107 300 2759 11.0 0.16 0.13
30 3.0 · 1011 450 4243 16.0 0.39 0.41
40 2.0 · 1015 600 5719 20.0 0.52 0.54
50 1.4 · 1019 750 7199 26.0 0.8 0.89
60 9.3 · 1022 900 8684 32.0 1.93 2.06
70 6.2 · 1026 1050 10159 37.0 1.78 1.92
80 4.2 · 1030 1200 11639 42.0 2.32 2.57
90 2.8 · 1034 1350 13119 48.0 3.08 3.34
100 1.9 · 1038 1500 14599 54.0 3.85 4.17
150 2.6 · 1057 2250 21999 83.0 9.52 10.0
200 3.6 · 1076 3000 29404 121.0 28.0 30.0
250 4.9 · 1095 3750 36799 147.0 29.0 32.0
300 6.8 · 10114 4500 44199 183.0 44.0 49.0
350 9.4 · 10133 5250 51599 219.0 62.0 68.0
400 1.3 · 10153 6000 59004 284.0 127.0 142.0
450 1.8 · 10172 6750 66399 298.0 105.0 119.0
500 2.4 · 10191 7500 73799 341.0 134.0 151.0
600 4.6 · 10229 9000 88599 432.0 202.0 228.0
700 8.8 · 10267 10500 103404 621.0 428.0 502.0
800 1.7 · 10306 12000 118204 758.0 695.0 701.0
900 “inf” 13500 132999 760.0 477.0 571.0
1000 “inf” 15000 147799 887.0 724.0 743.0
Table 5.5: Composition time and size of the dining philosophers
133
5.3. Tool evaluation Chapter 5. Implementation
Again, for the numbers presented in Table 5.5 a variable ordering has been computed, stored
and loaded before executing the build procedure again, but this time we applied the dynamic
reordering of variables at designated points during the build process. The column for the
composition time shows three time values for three different values of the garbage collection
delay. The first value is for value 0, the second for the default value, and the last for setting
the garbage collection delay to “inf”.
One can see that the number of reachable states grows exponentially, while at the same time
the number of BDD nodes needed to represent the system behavior grows only linearly. For
the composition time displayed in the last column of the table we observe that the time is
not increasing strictly monotonously for all selected values of the garbage collection delay.
Figure 5.18 shows a plot for the build times. It seems that there small irregularities for
the composition of 200, 400, and 800 philosophers. As the effect seems to be independent
from the chosen garbage collection delay and hence independent from the size of tempo-
rary functions, we claim that the effect traces back to the quality of the computed variable
ordering.
 0.01
 0.1
 1
 10
 100
 1000
 0  100  200  300  400  500  600  700  800  900  1000
tim
e 
in
 s
ec
on
ds
 (l
og
 s
ca
le
)
number of philosophers
time for composing the dining philosophers example
gcd=default
gcd=inf
gcd=zero
Figure 5.18: Composition time in seconds for the dining philosophers protocol
Similar irregularities can also be observed when looking at the peak number of BDD nodes
after precomputing the reachable states, which took less than a second even for 1000 philoso-
phers. Figure 5.19 shows the memory usage in terms of the peak number of BDD nodes in
memory after precomputing the reachable states.
134
Chapter 5. Implementation 5.3. Tool evaluation
 1000
 10000
 100000
 1e+06
 1e+07
 1e+08
 1e+09
 0  100  200  300  400  500  600  700  800  900  1000
B
D
D
 n
od
es
 (l
og
 s
ca
le
)
number of philosophers
BDD peak size in the dining philosophers example after precompute reachable
gcd=default
gcd=inf
gcd=zero
Figure 5.19: BDD nodes: precomputing reachable states of the dining philosophers
Model checking for the dining philosophers. The formulas listed below represent some
of the properties that have been verified with the help of Vereofy for the dining philosophers
protocol of various input sizes.
Φ1 = ∀2(∃X true)
Φ2 = ∃3“all phils are waiting”
Φ3 = ∃〈take first[0]; take second[0]〉“phil[0] is eating”
Φ4 = ∃[[step+]]“phil[0] is waiting”
Φ5 = ∃(“phil[0] is thinking” U ∃[[step∗]]“phil[0] is waiting”
Φ6 = Aphil[0],phil[2]3“phil[1] is eating”
Φ7 = Aphil[0],phil[2]〈step; step+; take first[1]; take second[1]〉“phil[1] is eating”
The above ASL and BTSL formulas reason about different properties of the dining philoso-
phers protocol. Φ1 is a CTL formula characterizing the absence of a deadlock. Φ2 states
that there is a path to a configuration where all philosophers are in their waiting state. The
formula Φ3 states the existence of a path where the first philosopher immediately takes the
two pieces of cutlery and starts eating. Φ4 reasons about the existence of a path where after
k steps the first philosopher is globally waiting for k ≥ 1. The formula Φ5 is a similar
formula, but here along the path the first philosopher can stay at its initial location until in
the next step he is waiting forever. The last two formulas are ATL and ASL formulas, where
Aphil[0],phil[2] serves a shorthand notation for
A{take first[0],take second[0],take first[2],take second[2]}
135
5.3. Tool evaluation Chapter 5. Implementation
i.e., all ports of the first and third philosopher. Both formulas state similar properties –
Φ7 includes an existential quantification over the observable actions and Φ6 does not. We
expect Φ6 and Φ7 to hold, as none of the neighboring philosophers can distract the philoso-
phers in between them, because the nondeterminism may be resolved in a way such that the
philosopher is the one that takes the cutlery.
Table 5.6 shows the results of the model checking without precomputing the reachable states
for the model variant with three states per philosopher and no deadlock. Formula Φ2 spec-
ifies the property that the system can get into a deadlock situation, where all philosophers
are waiting. It can be seen in Table 5.6 that falsifying Φ2 gets expensive such that the model
checking runs into a timeout for the deadlock-free model. For Φ2 Table 5.6 contains also
the time for model checking for the model variant where a deadlock can occur and also
the time for model checking the deadlock-free model when the set of reachable states has
been precomputed in advance. Precomputing the reachable states took less than a second
even for 1000 philosophers. Hence, precomputing the reachable states for this variant of the
dining philosophers is rather cheap and the effort is worth doing it. Also the formulas Φ4
and Φ5 benefit from precomputing the reachable states. As for Φ2 the model checking can
be carried out in less than a second even for 1000 philosophers.
136
Chapter 5. Implementation 5.3. Tool evaluation
philosophers Φ1 Φ2 (dead) (pre) Φ3 Φ4 Φ5 Φ6 Φ7
5 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01
6 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01
7 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01
8 0.01 0.02 0.01 0.01 0.01 0.01 0.01 0.01 0.01
9 0.03 0.03 0.01 0.01 0.01 0.01 0.01 0.01 0.01
10 0.03 0.04 0.01 0.01 0.01 0.01 0.01 0.01 0.02
20 0.09 0.5 0.01 0.01 0.01 0.01 0.01 0.01 0.02
30 0.19 2.12 0.01 0.01 0.01 0.03 0.04 0.02 0.06
40 0.26 6.65 0.02 0.01 0.01 0.04 0.06 0.02 0.08
50 0.34 14 0.01 0.01 0.01 0.07 0.07 0.02 0.09
60 0.41 26 0.01 0.02 0.01 0.09 0.1 0.02 0.1
70 0.54 47 0.01 0.02 0.01 0.16 0.15 0.03 0.13
80 0.6 77 0.01 0.02 0.01 0.18 0.19 0.03 0.14
90 0.78 121 0.01 0.02 0.01 0.28 0.28 0.05 0.19
100 0.87 183 0.01 0.03 0.02 0.37 0.36 0.04 0.23
150 1.28 1273 0.03 0.06 0.02 0.95 0.93 0.09 0.39
200 2.01 6413 0.04 0.08 0.02 1.77 1.82 0.12 0.53
250 2.23 >3h 0.03 0.08 0.03 2.2 2.16 0.13 0.55
300 2.53 >3h 0.05 0.13 0.05 6.69 7.18 0.22 0.77
350 3.04 >3h 0.06 0.12 0.05 13 14 0.2 0.85
400 3.34 >3h 0.07 0.14 0.06 36 71 0.24 0.95
450 3.9 >3h 0.1 0.11 0.04 472 471 0.22 0.97
500 11 >4h 0.1 0.22 0.07 817 820 0.35 1.34
600 17 >4h 0.14 0.29 0.1 1725 1738 0.43 1.81
700 24 >4h 0.16 0.31 0.14 3057 3086 0.47 2.05
800 31 >4h 0.21 0.38 0.15 4938 4957 0.58 2.43
900 18 >4h 0.17 0.39 0.13 9223 8486 0.81 3.51
1000 13 >4h 0.3 0.37 0.16 >4h >4h 0.73 3.06
Table 5.6: Time in seconds for model checking of a dining philosophers protocol
137
5.3. Tool evaluation Chapter 5. Implementation
5.3.4. Other protocol examples
We used Vereofy to build and check a number of other protocols such as a mutual exclusion
protocol using semaphores [BBKK09a], a peer-to-peer network [GJA+10] and a sensor
network protocol [BBK+10]. These applications illustrate already that our modeling and
verification approach is applicable to systems of practical relevance. From the case studies
of more complex and more data-intensive protocols one could see that the composition and
analysis becomes more and more difficult.
In the last paragraph of this section we will give a brief overview on a case study of an
industrial communication system – called the ASK system – that has an impressive size and
is very data-intensive. Nevertheless, the case studies is a perfect example for our holistic
approach. The entire ASK system model has an hierarchical structure that covers various
layers of the hardware/software stack and the RSL code of the Vereofy model contains
various Boolean flags that allow to compose the system model in different levels of detail.
The work presented in this section has partially been published in [KKSB11].
5.3.5. The ASK communication system
ASK is an industrial software system for connecting people to each other. The system uses
intelligent matching functionality in order to find effective connections between requesters
and responders in a community. ASK has been developed by Almende7, a Dutch research
company focusing on the application of self-organization techniques in human organiza-
tions and agent-oriented software systems. The system is marketed by ASK Community
Systems8. ASK provides mechanisms for matching users requiring information or services
with potential suppliers. Based on information about earlier established contacts and feed-
back of users, the system learns to bring people into contact with each other in the most
effective way. Typical applications for ASK are workforce planning, customer service,
knowledge sharing, social care and emergency response. Customers of ASK include the
European mail distribution company TNT Post, the cooperative financial services provider
Rabobank and the world’s largest pharmaceutical company Pfizer. The amount of people
using a single ASK configuration varies from several hundreds to several thousands. Cus-
tomers of ASK include TNT Post, Rabobank and Pfizer. The number of people using a
single ASK system varies from several hundreds to several thousands.
System Architecture. The ASK system can be technically divided into three parts: the web
front-end, the database and the ASK core. The web front-end acts as a configuration dash-
board, via which typical domain data like users, groups, phone numbers, mail addresses,
interactive voice response menus, services and scheduled jobs can be created, edited and
deleted. This data is stored in a database, one for each deployment instance of the ASK
system. The feedback of users and the knowledge derived from earlier established con-
tacts are also stored in this database. Central to our case study, however, is the ASK core
(see Figure 5.20), the “communication engine” of the system, which consists of the follow-
7http://www.almende.com/
8http://www.ask-cs.com/
138
Chapter 5. Implementation 5.3. Tool evaluation
Reception
Scheduler
Resource
Matcher Executer
manager
Figure 5.20: ASK core overview
ing components: Reception, Matcher, Executer, Resource Manager and Scheduler. These
components handle all communication with and between users of ASK, provide matching
functionality and schedule outbound communication and other kinds of jobs.
The “heartbeat” of the ASK core is the Request loop, indicated with thick arrows. Requests
flow through the request loop until they are fully completed and removed. Requests are
primarily initiated by the Resource Manager and normally removed by the Executer. The
request loop itself is medium and resource independent. Within the Resource Manager
component, the loop is separated from the level of media-specific resources needed for ful-
filling the request. Telephony connections are handled inside the Resource Manager with
the help of Asterisk (IAX), a telephony development tool kit. In particular, the individual
components in the ASK core perform the following tasks: The Reception coordinates the
communication process, i.e., the steps to be taken by ASK in order to fulfill a request, while
the Matcher seeks appropriate context-based participants for a request. The Executer deter-
mines the best way in which the matching participants can be connected at the time of the
request and the Resource Manager effectuates and maintains the actual connection between
participants. Finally, the Scheduler schedules jobs, in particular requests for (outbound)
communication between the ASK system and its users.
Vereofy model of the ASK system. The Vereofy model of the ASK system is hierarchically
structured according to the levels shown in Figure 5.21. The top most level is called the
context level. It contains the ASK core, which can be interpreted as an open system or
as a closed system when connected to driver components modeling the database and the
communication with the outside world. The system level is constituted by the Reception,
Matcher, Executer, Resource Manager, and Scheduler processes. Each of the processes
contains a workers pool and a task queue which constitute the process level. The workers
in the original ASK system are called Monks and can apply for various types of tasks. The
tasks constitute the thread level. Figure 5.22 illustrates the idea of refining the ASK core
with the help of Reo into components and their orchestrating network. The components
model is structured according to the request loop of the ASK core (cf. Figure 5.20), but with
the Reo network in between the components the interaction becomes explicit. For each of
139
5.3. Tool evaluation Chapter 5. Implementation
Context Level
System Level
Process Level
Thread Level
Function Level
..., IAX Driver, DB Driver, ASK Core
..., Reception, Executer, Scheduler
..., SchedulerMain, SchedulerMonk
..., HostessTask, UpdateJobsTask, GaugeHappinessTask
(automaton)
Figure 5.21: Abstraction levels in the ASK model and components contained in the level
the above levels RSL scripts are provided that refine into concepts of the subjacent level.
At the bottom-most level, the function level, constraint automata provide the operational
behavior for each of the tasks. For each of the levels or layers in this model appropriate
methods are needed to translate the “implementation concepts” of the system (processes,
threads, shared data structures, functions, function calls, etc.) into the “modeling concepts”
of Reo (channels, connectors, and nodes) and constraint automata (states, transitions, and
constraints). For this purpose, the data domain for the messages in the model is structured
in such a way as to capture the essential information present in the implementation, e.g.
function parameters or return values. Threads, tasks and shared variables are modeled as
components with the appropriate connector that orchestrates the components, while the
various queues in the ASK system are mapped to FIFO channels. More complex data
structures, such as a hash table for mapping addresses are modeled as well by specifying
their behavior as constraint automata. A detailed description of the model for ASK system
is given in [KKSB11] and the complete and updated version of the CARML and RSL code
together with example properties is available online on
http://wwwtcs.inf.tu-dresden.de/˜klueppel/PhD/ask_typed.zip
This variant of the model is an updated version of the model presented in [KKSB11]. Instead
of using one large data domain to encode all possible messages in a single tagged union,
which consists of all possible message types plus an additional tag indicating the type, the
latest version of the model is now fully typed. That is, all I/O-ports of components are
associated with an individual type and hence allow sending and receiving messages of a
certain data type only. In earlier versions this was modeled via additional checks in all
the transition definitions prohibiting messages which were not tagged in the expected way.
With the fully typed version of the model we expect more a compact BDD representation
without changing the operational behavior.
140
Chapter 5. Implementation 5.3. Tool evaluation
ASK Core
IAXInIAXOut
ASK Core
DBIn DBOut
Matcher
RequestIn Req.Out
Executer
Req.In Request
Out
Scheduler
HappinessRequestOutHappinessResponseIn
OutboundCall
RequestOut
Reception
Req.In
Matcher
RequestOut
Executer
RequestOut
Resource
Manager
RequestInReceptionRequestOut
HappinessResponseOut
OutBoundCallRequestInOutBoundCallRequestOut
IAXInIAXOut
DBIn DBOut DBIn DBOut DBIn DBOut
DBIn DBOut
component = Executer
component = Matcher
component 
= 
Reception
c
o
m
p
o
n
e
n
t 
=
 S
c
h
e
d
u
le
r
Figure 5.22: Reo network for the ASK core
Model statistics and verification. The ASK system is the largest case study we did with
Vereofy. The entire model for the ASK system consists of more than 2000 lines of CARML
and RSL code. At the same time it is the most complex one with respect to its data-intensity
and the ASK system provides a challenging test case for the our tool set.
Overall, the latest version of the ASK model in its simplest version, where all parameters
(e.g., the sizes of task queues and workers) have been set to small reasonable values, con-
sists of 328 component instances and channels (with 63 different types) from which 73
constitute the Scheduler, 38 the Matcher, 40 the Reception, and 141 the Resource Manager.
The remaining channels form the coordinating network. The symbolic representation of
the ASK model at full detail uses 323 boolean variables to encode the state space of the
composite system. On each of the levels (cf. Figure 5.21) various kinds of messages and
data need to be handled, e.g., requests, tasks, telephone calls, or database communication
messages – each of them with different parameters. There are 1007 distinct communication
points in the model, i.e., interface ports or Reo nodes.
Model checking for the ASK system. Modeling the ASK system gives rise to a variety
of important verification issues such as various liveness and safety properties ensuring the
correct functioning of the individual system components in isolation, the coordination em-
ployed to model the real-world concepts in the Reo network, and the components acting
together in concert [KKSB11]. The majority of the properties for verifying the correct
141
5.3. Tool evaluation Chapter 5. Implementation
functioning of the modeling concepts on the various levels could be specified with BTSL
and LTL formulas. On the context level there are also a few ASL properties of interest. For
small number of tasks and a small capacity of the task queue we were able to build (and
verify) the ASK system model in full detail, but only up to the system level. Due to the
complexity of the model, a reasonable variant of the ASK core (i.e., the context level) could
neither be built nor analyzed. With the model version presented in [KKSB11] we were able
to build the Scheduler with two monks and a task queue capacity of 3. The structure of the
Vereofy model for the Scheduler is shown in Figure 5.23. The largest components of the
Scheduler
Job
Queue
DBIn DBOut
Main
Scheduler
Monk(1)
Scheduler
Monk(n)
TaskIn
TaskIn
DBIn DBOut
DBIn DBOut
Task
Queue
TaskOut
JobMutationOut
JobMutationOut
JobIn
Happ.
Req.Out
Happiness
ResponseIn
OutboundCall
RequestOut
Happiness
RequestOut
Outb.
Call
Req.Out
Happiness
RequestOut
OutboundCall
RequestOut
Happiness
ResponseIn
Happ.
Resp.In
Happ.
Value
hIn hOut
hIn hOut
hInhOut
JobMutationIn
JobOut
address = 1
address = n
Figure 5.23: Reo network for the scheduler process
ASK system that we could build in full detail had about 1010 states. Although we could not
compose the Resource Manager or the ASK core itself, the updated model variant with fully
typed I/O-ports now allows to build and verify processes with more monks and larger task
queues. Table 5.7 shows the times for composition and the reachable states for the scheduler
process with different task queue capacities (tq1, . . ., tq12) and number of monks. Again,
the variable ordering was computed and stored in advance.
One can see that the time to compose the Scheduler is not strictly increasing with a growing
capacity of the task queue. It can be seen in Figure 5.24 that the time for the composition is
correlated with the number of BDD nodes. Hence, we claim that better variable orderings
exists for some input sizes and that there are more compact representations of the Scheduler.
142
Chapter 5. Implementation 5.3. Tool evaluation
two monks three monks
build time reach. states build time reach. states
tq1 5.3s 5.66 · 108 8.6s 3.59 · 1010
tq2 5.9s 1.04 · 1011 10s 6.67 · 1012
tq3 8.9s 1.89 · 1013 30s 1.23 · 1015
tq4 8.9s 3.42 · 1015 31s 2.26 · 1017
tq5 12s 6.14 · 1017 34s 4.10 · 1019
tq6 14s 1.10 · 1020 − −
tq7 14s 1.94 · 1022 − −
tq8 13s 3.44 · 1024 − −
tq9 20s 6.05 · 1026 − −
tq10 31s 1.06 · 1029 − −
tq11 20s 1.85 · 1031 − −
Table 5.7: Composition time and reachable states for the scheduler process
143
5.3. Tool evaluation Chapter 5. Implementation
 100000
 1e+06
 1e+07
 0  2  4  6  8  10  12
nu
m
be
r B
D
D
 n
od
es
 (l
og
 s
ca
le
)
task queue size
BDD size for composing the scheduler processes
3 monks
2 monks
 1
 10
 100
 0  2  4  6  8  10  12
tim
e 
in
 s
ec
on
ds
 (l
og
 s
ca
le
)
task queue size
time for composing the scheduler processes
2 monks
3 monks
Figure 5.24: Time and memory usage for the scheduler process
144
Chapter 5. Implementation 5.3. Tool evaluation
The same effect becomes even more visible when looking at the Reception (and Matcher).
Table 5.8 shows the composition time and number of reachable states of the Reception for
a growing number of monks and increasing task queue capacities. In Figure 5.25 the time
and memory usage for the Reception are plotted.
two monks three monks four monks
build time reachable build time reachable build time reachable
tq1 0.4s 1.79 · 1007 0.7s 1.19 · 1010 1.9s 7.92 · 1012
tq2 0.4s 3.18 · 1009 0.8s 2.12 · 1012 2.8s 1.40 · 1015
tq3 0.5s 5.64 · 1011 1.3s 3.77 · 1014 3.0s 2.48 · 1017
tq4 0.7s 1.00 · 1014 3.0s 6.71 · 1016 8.8s 4.41 · 1019
tq5 2.0s 1.78 · 1016 8.2s 1.20 · 1019 18s 7.83 · 1021
tq6 2.3s 3.17 · 1018 29s 2.13 · 1021 47s 1.39 · 1024
tq7 6.0s 5.64 · 1020 45s 3.81 · 1023 283s 2.48 · 1026
tq8 5.8s 1.00 · 1023 37s 6.81 · 1025 194s 4.43 · 1028
tq9 1.3s 1.79 · 1025 41s 1.22 · 1028 8.5s 7.90 · 1030
tq10 2.2s 3.19 · 1027 59s 2.18 · 1030 158s 1.41 · 1033
tq11 1.6s 5.70 · 1029 47s 3.90 · 1032 6.9s 2.52 · 1035
tq12 2.7s 1.08 · 1032 1.9s 6.99 · 1034 4.8s 4.51 · 1037
Table 5.8: Composition time and reachable states for the reception process
Summary. The case studies presented in this chapter show the applicability of our model-
ing and verification approach to a large class of system models including systems of indus-
trial relevance. For systems which are regularly structured and are not data-intensive such
as the dining philosophers protocol, our model checking is applicable and can treat system
models with 10300 states and even beyond. For systems that are more data-intensive and
more complex the approach can still be applied to system models with about 1030 and more
states. With a growing complexity of the systems and data-intensive protocols the need for
advanced abstraction techniques and heuristics grows as well.
145
5.3. Tool evaluation Chapter 5. Implementation
 1000
 10000
 100000
 1e+06
 1e+07
 1e+08
 0  2  4  6  8  10  12
nu
m
be
r B
D
D
 n
od
es
 (l
og
 s
ca
le
)
task queue size
BDD size for composing the reception processes
5 monks
4 monks
3 monks
2 monks
 0.1
 1
 10
 100
 1000
 10000
 0  2  4  6  8  10  12
tim
e 
in
 s
ec
on
ds
 (l
og
 s
ca
le
)
task queue size
time for composing the reception processes
5 monks
4 monks
3 monks
2 monks
Figure 5.25: Time and memory usage for the reception process
146
6 Conclusion
The goal of this thesis was to provide an approach for modeling, analysis, and synthesis
which targets towards a closer integration in the system design phase of complex parallel
(and distributed) hardware and software systems, as the proposed approach involves input
languages that are expressive and simple, allow a clear separation of computation and coor-
dination, support compositional and hierarchical modeling, allow specifying systems at any
layer of the hardware/software stack, have clear formal semantics eligible to formal methods
as well as temporal logics and model checking algorithms that treat exogenous coordina-
tion in component-based systems as a first class citizen, allow reasoning about aspects of
coordination and dataflow, allow reasoning about alternating-time aspects such as control-
lability, are decidable within reasonable time and space bounds. For this, we decided to use
an exogenous modeling approach for component-based system models which is inspired
by the coordination language Reo [Arb04] and yields an elegant declarative framework for
the compositional construction of component connectors by creating channels and glueing
their channels ends, the I/O-ports of components, or sub-connectors together. It facilitates
hierarchical modeling and reusability and exchangeability of components and the orches-
trating network and does align perfectly in the refinement procedures known from software
engineering.
CARML and RSL. For the modeling of exogenously coordinated component-based systems,
we proposed a hybrid modeling framework based on two newly introduced input languages
that allows for the compositional and hierarchical design and supports reusability of com-
ponents and coordination units. The first is the guarded command language CARML which
mainly serves to specify the I/O-ports of components and their stepwise “observable” be-
havior at their interface ports. The second specification language RSL is a scripting lan-
guage which combines the major features of the exogenous coordination language Reo
with concepts to specify connectors with dynamically changing network topologies and
some features of other languages (such as data types). The two languages both rely on con-
straint automata as their operational semantic and indeed, RSL treats components, channels
and component connectors in the same way. This means that a channel is viewed as a
primitive component connector and any component connector can use components or other
connectors as building blocks via the instantiation mechanism.
BTSL and ASL. For reasoning about the interface behavior of the components, the coordi-
nation mechanisms implemented in terms of components connectors and the overall behav-
ior of the composite system we introduced the two temporal logics BTSL and ASL. The
branching-time logic BTSL combines the standard CTL operators with an existential path
modality 〈Z〉 and its dual universal modality [[Z]] that allow reasoning about the observable
dataflow at any dataflow location (i.e., I/O-ports of the components and component connec-
tors as well as at internal nodes of a Reo network), by means of a finite automaton Z . The
147
Chapter 6. Conclusion
alternating-time temporal logic ASL is based on a multi-player game interpretation of con-
straint automata. The logic ASL combines features of standard alternating-time logics such
as ATL with the concept of having finite automataZ as in BTSL to reason about the observ-
able dataflow. For existential quantification over N -strategies we provided the additional
modality EN whereas AN serves as the dual universal modality operator. Combining the
BTSL and the ASL modalities yields a rather powerful logic to specify classical temporal
safety and liveness properties, to reason about dataflow and to express game-theoretic prop-
erties of the components viewed as players in the game structure of a constraint automaton.
We proposed the model checking algorithms for ASL and BTSL formulas, investigated their
complexity and showed that ASL as well as BTSL model checking is PSPACE complete.
Vereofy. We combined the prototype implementations of our very first BTSL model checker,
an LTL model checker [BBKK09b] and a bisimulation checker [BB08] for the Reo and
constraint automaton framework that have been developed in our group into a single tool
set called Vereofy. The tool set uses BDDs to store the characteristic boolean functions
for constraint automata that were specified with the help of CARML and RSL. Vereofy
supports symbolic branching-time, linear-time and alternating-time model checking as well
as bisimulation checking. The wide range of application areas of Reo (such as modeling
of compliance-aware business processes [AKM08], long-run business transactions [KA09],
orchestration of web services [DA04, LPA04, MA07, MA10], etc.) makes our modeling
and verification approach with the tool set Vereofy applicable for many purposes. In this
thesis we presented some of the experimental studies that we did with the Vereofy tool set
that illustrate the applicability of the proposed approach to a wide area of systems. The
class of the investigated system models reaches from very small toy examples and games
to complex industrial case studies such as a sensor network [BBK+10] or a communication
platform [KKSB11].
Future work. In future work we will try to eliminate some of the minor weaknesses
and limitations of the current approach. For example, improving the modeling approach
for dynamic system behavior to support more flexible reconfiguration and runtime adap-
tation operations. Furthermore we aim to have a more flexible notion of quiescence. In
the current approach any component can at any time refuse interacting with its environ-
ment. In this context we require to have a finer notion where for example some com-
ponents are declared to be “passive” and cannot refuse communication. Another way
would be to declare some locations, i.e., local states of components, to be safe for stop-
ping. Another natural improvement would be to weaken some of the assumptions made
on the available knowledge that our N -strategies can rely on. The notion of strategies
studied in this thesis relies on the assumption that the strategies have complete informa-
tion on the system history. In future work we will switch to observation-based strate-
gies [APR91, CDHR07, vdHRW05, vdHW03, Rei84, WDR06, Sch04b] and include know-
ledge and epistemic aspects [RS02, Jam03, vdHWJ05, RP80, Rei79]. These changes usu-
ally entail an increased complexity as solving the underlying games requires power-set con-
structions as in [Rei84].
148
Chapter 6. Conclusion
The linear-time perspective. In future work we aim to have a closer integration of the linear-
time, branching-time, and alternating-time model checking engines of Vereofy and study the
relationship between compositional controller synthesis [BKK11a, Kle12] and the proposed
alternating-time logic ASL. The latter is a very promising approach for addressing fairness
issues in ASL model checking and providing more expressive logics and model checking
algorithms, e.g., for ASL∗ where ASL is combined with the linear-time modalities.
Quantitative aspects and QoS. As QoS measures become an important aspect for dynamic
reconfiguration, runtime adaptations and in the context of contract negotiation for non-
functional properties [MS08], we also plan to provide extensions of our formal modeling
and verification approach by quantitative aspects such as real-time, probabilities, and other
quantitative measures for reasoning about QoS aspects and important system properties,
e.g., energy, throughput, speed, reliability, etc. For some of these quantitative measures
there exists already some work on extensions of Reo, e.g. for real-time [Kem06, Kem11]
and probabilities [Bai05, ACvdM+09] and for others new operational model must be de-
veloped that potentially support combinations of the above measures. Hence, one impor-
tant goal of future work is to extend CARML and RSL to allow modeling the quantitative
behavior of channels, connectors, and components with respect to the QoS measures men-
tioned above. The main challenge here is to maintain the compositionality of the underlying
quantitative automata models that must still permit the application of model checking tech-
niques. For the verification we plan to use external tools like the real-time model checker
UPPAAL [LPY97] and the probabilistic model checker PRISM [KNP04] which is based on
MTBDDs (multi-terminal BDDs) or MRMC [KZH+09] – an explicit-state model checker.
Where adequate, new temporal logics providing logical operators that fit with our modeling
language and automata models and corresponding model checking algorithms need to be
designed and integrated into our existing approach.
Parallel skeletons. We also plan to investigate the application spectrum of our framework
in the area of algorithmic skeletons [Col89, Col88]. With algorithmic skeleton frameworks
(ASKF) [GVL10] one can describe the high-level structure of a parallel program rather than
the implementation code for a certain platform. There exist three classes of skeletons: data-
parallel skeletons (e.g., fork, map, reduce etc.), task-parallel skeletons (e.g., sequential,
if, for, while, etc.), and resolution (e.g., divide-and-conquer, branch-and-bound, dynamic-
programming). The skeletons allow to compose programs from abstract building blocks
that cover commonly used patterns of parallel (and sequential) computation, synchronous
and asynchronous communication and interaction. Apart from a language independent for-
malization of programs that can be compiled and optimized for different (heterogenous and
highly adaptable) hardware architectures before or in runtime, one of the major conceptional
goals of using skeletons is to provide a clear separation of coordination and computation.
As this is also the major motivation for applying exogenous coordination, we are going to
study the applicability of the Reo and our modeling languages for ASKF and work on lan-
guage extensions enabling to provide a collection of important and typical skeletons that
can be bundled into a CARML / RSL-library available in Vereofy.
149
Chapter 6. Conclusion
Complexity. With the growing complexity of the systems, their quantitative behavior in
various dimensions and hence the system models the demand for advanced abstraction
and reduction techniques that tackle the state explosion problem grows rapidly. Hence,
new techniques have to be introduced and well known techniques such as partial order
reduction [Val92, God96, Pel93],symmetry reduction [CEFJ96], slicing for concurrent pro-
grams [Wei84, Kri03], (learning-based) assume-guarantee reasoning [Pnu85, HQR98], iter-
ative (counterexample-guided) abstraction-refinement algorithms [GS97, CGJ+00] or SAT-
based model checking [BCCZ99, WBCG00] have to be adapted and integrated into our
modeling and verification framework.
150
Bibliography
[ABdB+05] F. Arbab, C. Baier, F. de Boer, J.J.M.M. Rutten, and M. Sirjani. Synthe-
sis of Reo Circuits for Implementation of Component Connector Automata
Specifications. In Proceedings of the 7th International Conference on Co-
ordination Models and Languages (COORDINATION’05), volume 3454 of
Lecture Notes in Computer Science, pages 236–251. Springer, 2005.
[ABdBR04] F. Arbab, C. Baier, F. S. de Boer, and J.J.M.M. Rutten. Models and Tem-
poral Logics for Timed Component Connectors. Proceedings 2nd IEEE
International Conference on Software Engineering and Formal Methods
(SEFM’04), 0:198–207, 2004.
[ACvdM+09] F. Arbab, T. Chothia, R. van der Mei, S. Meng, Y.J. Moon, and C. Verhoef.
From Coordination to Stochastic Models of QoS. In Proceedings of the 11th
International Conference on Coordination Models and Languages (COOR-
DINATION’09), volume 5521 of Lecture Notes in Computer Science, pages
268–287. Springer, 2009.
[AH99] R. Alur and T.A. Henzinger. Reactive Modules. Formal Methods in System
Design, 15(1):7–48, 1999.
[AHK02] R. Alur, T.A. Henzinger, and O. Kupferman. Alternating-time temporal
logic. Journal of the ACM, 49(5):672–713, 2002.
[AHM+98] R. Alur, T.A. Henzinger, F. Mang, S. Qadeer, S. Rajamani, and S. Tasiran.
MOCHA: Modularity in model checking. In Computer Aided Verification
(CAV’98), volume 1427 of Lecture Notes in Computer Science, pages 521–
525. Springer, 1998.
[AK86] K.R. Apt and D. Kozen. Limits for the automatic verification of finite-state
concurrent systems. Information Processing Letters, 22(6):307–309, 1986.
[AKM08] F. Arbab, N. Kokash, and S. Meng. Towards Using Reo for Compliance-
Aware Business Process Modeling. In Proceedings of the 3rd International
Symposium on Leveraging Applications of Formal Methods, Verification and
Validation (ISoLA’08), volume 17 of Communications in Computer and In-
formation Science, pages 108–123. Springer, 2008.
[ALSN01] F. Achermann, M. Lumpe, J.-G. Schneider, and O. Nierstrasz. PICCOLA—
a small composition language, Formal methods for distributed processing,
pages 403–426. Cambridge University Press, New York, NY, USA, 2001.
[APR91] S. Azhar, G. Peterson, and J. Reif. On Multiplayer Non-Cooperative Games
of Incomplete Information: Part 1 & 2. Technical report, Durham, NC, USA,
1991.
151
BIBLIOGRAPHY BIBLIOGRAPHY
[AR02] F. Arbab and J.J.M.M. Rutten. A Coinductive Calculus of Component Con-
nectors. In Proceedings of the International Workshop on Algebraic Devel-
opment Techniques (WADT’02), volume 2755 of Lecture Notes in Computer
Science, pages 34–55. Springer, 2002.
[Arb96] F. Arbab. The IWIM Model for Coordination of Concurrent Activities. In
Proceedings of the 1st International Conference on Coordination Languages
and Models (COORDINATION’96), volume 1061 of Lecture Notes in Com-
puter Science, pages 34–56. Springer, 1996.
[Arb04] F. Arbab. Reo: A Channel-Based Coordination Model for Component Com-
position. Mathematical Structures in Computer Science, 14(3):329–366,
2004.
[Arb05] F. Arbab. Abstract Behavior Types: a foundation model for components and
their composition. Science of Computer Programming, 55(13):3–52, 2005.
[Arn94] A. Arnold. Finite Transition Systems. Prentice-Hall, 1994.
[Bai05] C. Baier. Probabilistic Models for Reo Connector Circuits. Journal of Uni-
versal Computer Science, 11(10):1718–1748, 2005.
[BB87] T. Bolognesi and E. Brinksma. Introduction to the ISO specification lan-
guage LOTOS. Computer Networks and ISDN Systems, 14(1):25–59, 1987.
[BB08] T. Blechmann and C. Baier. Checking Equivalence for Reo Networks. Elec-
tronic Notes in Theoretical Computer Science, 215:209–226, 2008.
[BBF+01] B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and
P. Schnoebelen. Systems and Software Verification: Model-Checking Tech-
niques and Tools. Springer, 2001.
[BBK+10] C. Baier, T. Blechmann, J. Klein, S. Klüppelholz, and W. Leister. Design
and Verification of Systems with Exogenous Coordination using Vereofy.
In Proceedings of the 4th International Symposium On Leveraging Appli-
cations of Formal Methods, Verification and Validation (ISoLA’10), volume
6416 of Lecture Notes in Computer Science, pages 97–111. Springer, 2010.
[BBKK09a] C. Baier, T. Blechmann, J. Klein, and S. Klüppelholz. A Uniform Frame-
work for Modeling and Verifying Components and Connectors. In Proceed-
ings of the 11th International Conference on Coordination Models and Lan-
guages (COORDINATION’09), volume 5521 of Lecture Notes in Computer
Science, pages 247–267. Springer, 2009.
[BBKK09b] C. Baier, T. Blechmann, J. Klein, and S. Klüppelholz. Formal Verification
for Components and Connectors. In Proceedings of the 7th International
Symposium on Formal Methods for Components and Objects (FMCO’08),
volume 5751 of Lecture Notes in Computer Science, pages 82–101. Springer,
2009.
152
BIBLIOGRAPHY BIBLIOGRAPHY
[BC11] S. Borkar and A.A. Chien. The future of microprocessors. Communications
of the ACM, 54:67–77, May 2011.
[BCCZ99] A. Biere, A. Cimatti, E.M. Clarke, and Y. Zhu. Symbolic Model Check-
ing without BDDs. In Proceedings of the 5th International Conference on
Tools and Algorithms for Construction and Analysis of Systems, TACAS ’99,
pages 193–207, London, UK, 1999. Springer.
[BCM+92] J. Burch, E. M. Clarke, K.L. McMillan, D.L. Dill, and L. Hwang. Symbolic
Model Checking 1020 States and Beyond. Information and Computation,
98(2):142–170, 1992.
[BK85] J.A. Bergstra and J.W. Klop. Algebra of communicating processes with
abstraction. Theoretical Computer Science, 37:77–121, 1985.
[BK08] C. Baier and J.P. Katoen. Principles of Model Checking (Representation and
Mind Series). The MIT Press, 2008.
[BKK11a] C. Baier, J. Klein, and S. Klüppelholz. A Compositional Framework for
Controller Synthesis. In Proceedings of the 22nd International Conference
on Concurrency Theory (CONCUR’11), volume 6901 of Lecture Notes in
Computer Science, pages 512–527. Springer, 2011.
[BKK11b] C. Baier, J. Klein, and S. Klüppelholz. Modeling and Verification of Com-
ponents and Connectors. In Proceedings of the 11th International School
on Formal Methods for the Design of Computer, Communication and Soft-
ware Systems (SFM’11), volume 6659 of Lecture Notes in Computer Sci-
ence, pages 114–147. Springer, 2011.
[BKK11c] C. Baier, J. Klein, and S. Klüppelholz. Synthesis of Reo Connectors for
Strategies and Controllers. In Proceedings of the International Workshop on
Logic, Agents, and Mobility (LAM’11), 2011.
[BKK12] T. Blechmann, J. Klein, and S. Klüppelholz. Vereofy User Manual. Technis-
che Universität Dresden, 2008–2012. http://www.vereofy.de.
[BL69] J.R. Büchi and L. Landweber. Solving Sequential Conditions by Finite-State
Strategies. Transactions of the American Mathematical Society, 138:295–
311, 1969.
[BPe01] J.A. Bergstra, A. Ponse, and S.A. Smolka (editors). Handbook of Process
Algebra. Elsevier Publishers B.V., 2001.
[Bry86] R.E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation.
IEEE Transactions on Computers, 35:677–691, 1986.
[Brz62] J.A. Brzozowski. Canonical regular expressions and minimal state graphs
for definite events. In Mathematical Theory of Automata, volume 12 of MRI
Symposia Series, pages 529–561, Polytechnic Institute of Brooklyn, 1962.
Polytechnic Press.
153
BIBLIOGRAPHY BIBLIOGRAPHY
[BSAR06] C. Baier, M. Sirjani, F. Arbab, and J.J.M.M. Rutten. Modeling Component
Connectors in Reo by Constraint Automata. Science of Computer Program-
ming, 61(2):75–113, 2006.
[CBM90] O. Coudert, C. Berthet, and J.C. Madre. Verification of synchronous sequen-
tial machines based on symbolic execution. In Proceedings of the interna-
tional workshop on Automatic verification methods for finite state systems,
Lecture Notes in Computer Science, pages 365–373, New York, NY, USA,
1990. Springer.
[CCA04] D. Clarke, D. Costa, and F. Arbab. Modelling Coordination in Biological
Systems. In Proceedings of the 1st International Symposium On Leverag-
ing Applications of Formal Methods, Verification and Validation (ISoLA’04),
volume 4313 of Lecture Notes in Computer Science, pages 9–25. Springer,
2004.
[CCA07] D. Clarke, D. Costa, and F. Arbab. Connector colouring I: Synchronisation
and context dependency. Science of Computer Programming, 66(3):205–
225, 2007. Special Issue on the 4th International Workshop on Foundations
of Coordination Languages and Software Architectures (FOCLASA ’05).
[CCF+10] Y.-F. Chen, E.M. Clarke, A. Farzan, F. He, M.-H. Tsai, Y.K. Tsay, B.-Y.
Wang, and L. Zhu. Comparing learning algorithms in automated assume-
guarantee reasoning. In Proceedings of the 4th International Symposium
On Leveraging Applications of Formal Methods, Verification and Validation
(ISoLA’10), volume 6416 of Lecture Notes in Computer Science, pages 97–
111. Springer, 2010.
[CCGR00] A. Cimatti, E.M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: a new
symbolic model checker. International Journal on Software Tools for Tech-
nology Transfer, 2(4):410–425, 2000.
[CDHR07] K. Chatterjee, L. Doyen, T.A. Henzinger, and J.F. Raskin. Algorithms for
Omega-Regular Games with Imperfect Information. Logical Methods in
Computer Science, 3(3), 2007.
[CE81] E.M. Clarke and E.A. Emerson. Design and Synthesis of Synchronization
Skeletons Using Branching-Time Temporal Logic. In Proceedings of Work-
shop on Logic of Programs, volume 131 of Lecture Notes in Computer Sci-
ence, pages 52–71. Springer, 1981.
[CEFJ96] E.M. Clarke, R. Enders, T. Filkorn, and S. Jha. Exploiting symmetry in
temporal logic model checking. Formal Methods in System Design, 9:77–
104, 1996.
[CES86] E.M. Clarke, E.A. Emerson, and A. Sistla. Automatic Verification of Finite-
State Concurrent Systems Using Temporal Logic Specifications. ACM
Transactions on Programming Languages and Systems, 8(2):244–263, 1986.
154
BIBLIOGRAPHY BIBLIOGRAPHY
[CGJ+00] E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-
Guided Abstraction Refinement. In Proceedings of the 12th International
Conference on Computer Aided Verification, volume 1855 of Lecture Notes
in Computer Science, pages 154–169. Springer, 2000.
[CGP99] E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press,
1999.
[Cha84] D.M. Chapiro. Globally-asynchronous locally-synchronous systems. PhD
thesis, Stanford University, CA., 1984.
[CK96] E.M. Clarke and R. Kurshan. Computer-aided verification. IEEE Spectrum,
33(6):61–67, 1996.
[Col88] M. Cole. Algorithmic skeletons: a structured approach to the management
of parallel computation. PhD thesis, University of Edinburgh, Computer
Science Department, 1988.
[Col89] M. Cole. Algorithmic Skeletons: Structured Management of Parallel Com-
putation. MIT Press & Pitman, 1989.
[Cos10] D. Costa. Formal Models for Context Dependent Connectors. Phd thesis,
Theoretical Computer Science, Free University of Amsterdam, The Nether-
lands, 2010.
[CPLA11] D. Clarke, J. Proença, A. Lazovik, and F. Arbab. Channel-based coor-
dination via constraint satisfaction. Science of Computer Programming,
76(8):681–710, 2011.
[CPS89] R. Cleaveland, J. Parrow, and B. Steffen. The Concurrency Workbench. In
International Workshop on Automatic Verification Methods for Finite State
Systems, volume 407 of Lecture Notes in Computer Science, pages 24–37.
Springer, 1989.
[CS00] E.M. Clarke and H. Schlingloff. Model checking. In A. Robinson and
A. Voronkov, editors, Handbook of Automated Reasoning (Volume II), chap-
ter 24, pages 1635–1790. Elsevier Publishers B.V., 2000.
[CSV09] R. Chadha, A.P. Sistla, and M. Viswanathan. On the expressiveness and
complexity of randomization in finite state monitors. Journal of the ACM,
56(5):1–44, 2009.
[CSZ04] S. Capizzi, R. Solmi, and G. Zavattaro. From Endogenous to Exogenous
Coordination Using Aspect-Oriented Programming. In Proceedings of the
6th International Conference on Coordination Models and Languages (Co-
ordination’04), volume 2949 of Lecture Notes in Computer Science, pages
105–118. Springer, 2004.
[CW96] E.M. Clarke and J. Wing. Formal methods: state of the art and future direc-
tions. ACM Computing Surveys, 28(4):626–643, 1996.
155
BIBLIOGRAPHY BIBLIOGRAPHY
[DA04] N.K. Diakov and F. Arbab. Compositional Construction of Web Services
Using Reo. In Proceedings of the 2nd International Workshop on Web Ser-
vices: Modeling, Architecture and Infrastructure, WSMAI’04, pages 49–58.
INSTICC Press, 2004.
[DB98] R. Drechsler and B. Becker. Binary Decision Diagrams: Theory and Imple-
mentation. Kluwer Academic Publishers, 1998.
[DG95] D. Dams and J.F. Groote. Specification and Implementation of Components
of a µCRL Toolbox. Logic Group Preprint Series 152. Technical report,
1995.
[Dij65] E.W. Dijkstra. Solutions of a problem in concurrent programming control.
Communications of the ACM, 8(9):569, 1965.
[Dij68] E.W. Dijkstra. Cooperating sequential processes. In F. Genuys, editor, Pro-
gramming Languages, pages 43–112. Academic Press, 1968.
[Dij76] E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976.
[FL79] M.J. Fischer and R.J. Ladner. Propositional dynamic logic of regular pro-
grams. Journal of Computer and System Science, 8:194–211, 1979.
[Fra86] N. Francez. Fairness. Springer, 1986.
[GCCC85] D. Gelernter, N. Carriero, S. Chandran, and S. Chang. Parallel Program-
ming in Linda. In Proceedings of the International Conference on Parallel
Processing (ICPP’85), pages 255–263, 1985.
[GJA+10] I. Grabe, M. M. Jaghoori, B. Aichernig, C. Baier, T. Blechmann, F. de Boer,
A. Griesmayer, E.B. Johnsen, J.Klein, S. Klüppelholz, M. Kyas, W. Leister,
R. Schlatte, A. Stam, M. Steffen, S. Tschirner, X. Liang, and W. Yi. Credo
Methodology - Extended Version. In Proceedings of the 8th International
Symposium on Formal Methods for Components and Objects (FMCO’09),
volume 6286 of Lecture Notes in Computer Science, pages 41–69. Springer,
2010.
[GLMS11] H. Garavel, F. Lang, R. Mateescu, and W. Serwe. CADP 2010: A Toolbox
for the Construction and Analysis of Distributed Processes. In P. Abdulla and
K. Leino, editors, Tools and Algorithms for the Construction and Analysis
of Systems, volume 6605 of Lecture Notes in Computer Science, pages 372–
387. Springer, 2011.
[God96] P. Godefroid. Partial Order Methods for the Verification of Concurrent Sys-
tems: An Approach to the State Explosion Problem, volume 1032 of Lecture
Notes in Computer Science. Springer, 1996.
[GS97] S. Graf and H. Saı̈di. Construction of Abstract State Graphs with PVS. In
Proceedings of the 9th International Conference on Computer Aided Verifi-
cation, CAV ’97, pages 72–83, London, UK, 1997. Springer.
156
BIBLIOGRAPHY BIBLIOGRAPHY
[GS03] G. Gößler and J. Sifakis. Component-Based Construction of Deadlock-Free
Systems: Extended Abstract. In Proceedings of the Annual Conference
on Foundations of Software Technology and Theoretical Computer Science
(FSTTCS’03), pages 420–433, 2003.
[GS05] G. Gössler and J. Sifakis. Composition for component-based modeling. Sci-
ence of Computer Programming, 55(1-3):161–183, 2005.
[GS07] J. Guillen-Scholten. Mobile Channels for Exogenous Coordination of Dis-
tributed Systems: Semantics, Implementation and Composition. Phd thesis,
University of Leiden, 2007.
[GSAdBB05] J. Guillen-Scholten, F. Arbab, F.S. de Boer, and M.M. Bonsangue. MoCha-
pi: an exogenous coordination calculus based on mobile channels. In Pro-
ceedings of the ACM symposium on Applied computing (SAC’05), pages
436–442. ACM, 2005.
[GVL10] H. González-Vélez and M. Leyton. A Survey of Algorithmic Skeleton
Frameworks: High-Level Structured Parallel Programming Enablers. Soft-
ware: Practice and Experience, 40(12):1135–1160, 2010.
[Hal02] A. Hall. Correctness by Construction: Integrating Formality into a Commer-
cial Development Process. In Proceeding of Formal Methods - Getting IT
Right, International Symposium of Formal Methods Europe (FME), volume
2391 of Lecture Notes in Computer Science, pages 224–233. Springer, 2002.
[Hal05] A. Hall. Realising the Benefits of Formal Methods. In Proceedings of 7th In-
ternational Conference on Formal Engineering Methods (ICFEM’05), For-
mal Methods and Software Engineering, volume 3785 of Lecture Notes in
Computer Science, pages 1–4. Springer, 2005.
[Har87] D. Harel. Statecharts: a visual formalism for complex systems. Science of
Computer Programming, 8(3):231–274, 1987.
[HC02] A. Hall and R. Chapman. Correctness by construction: developing a com-
mercial secure system. Software, IEEE, 19(1):18–25, 2002.
[HMU06] J.E. Hopcroft, R. Motwani, and J.D. Ullman. Introduction to Automata The-
ory, Languages, and Computation (3rd Edition). Addison-Wesley Longman
Publishing Co., Inc., Boston, MA, USA, 2006.
[Hoa78] C.A.R. Hoare. Communicating sequential processes. Communications of
the ACM, 21(8):666–677, 1978.
[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
[Hol90] G.J. Holzmann. Design and Validation of Computer Protocols. Prentice-
Hall, 1990.
[Hol93] G.J. Holzmann. Design and Validation of Protocols: A Tutorial. Comp.
Networks and ISDN Systems, 25(9):981–1017, 1993.
157
BIBLIOGRAPHY BIBLIOGRAPHY
[Hol95] M. Holzer. On Emptiness and Counting for Alternating Finite Automata. In
Developments in Language Theory, pages 88–97. World Scientific Verlag,
1995.
[Hol97] G.J. Holzmann. The model checker SPIN. IEEE Transactions on Software
Engineering, 23(5):279–295, 1997.
[Hol03] G.J. Holzmann. The SPIN Model Checker: Primer and Reference Manual.
Addison-Wesley, 2003.
[Hop71] J.E. Hopcroft. An n log n algorithm for minimizing states in a finite automa-
ton. Stanford University, Stanford, CA, USA, 1971.
[HQR98] T.A. Henzinger, S. Qadeer, and S. Rajamani. You assume, we guar-
antee: Methodology and case studies. In Computer Aided Verification
(CAV’98), volume 1427 of Lecture Notes in Computer Science, pages 440–
451. Springer, 1998.
[HR99] M. Huth and M.D. Ryan. Logic in Computer Science – Modelling and Rea-
soning about Systems. Cambridge University Press, 1999.
[HS96] G.D. Hachtel and F. Somenzi. Logic Synthesis and Verification Algorithms.
Kluwer Academic Publishers, Boston, 1996.
[JA11] S.-S. T. Q. Jongmans and F. Arbab. Correlating Formal Semantic Models of
Reo Connectors: Connector Coloring and Constraint Automata. In Proceed-
ings of the 4th Interaction and Concurrency Experience (ICE’11), volume 59
of Electronic Proceedings in Theoretical Computer Science, pages 84–103,
2011.
[Jam03] W. Jamroga. Some Remarks on Alternating Temporal Epistemic Logic. In
Proceedings of the Workshop on Formal Approaches to Multi-Agent Systems,
pages 133–140, 2003.
[JS07] P. Jancar and Z. Sawa. A note on emptiness for alternating finite automata
with a one-letter alphabet. Information Processing Letters, 104(5):164–167,
2007.
[KA09] N. Kokash and F. Arbab. Applying Reo to service coordination in long-
running business transactions. In Proceedings of the 2009 ACM symposium
on Applied Computing, SAC ’09, pages 1381–1382. ACM, 2009.
[KB09] S. Klüppelholz and C. Baier. Symbolic model checking for channel-based
component connectors. Science of Computer Programming, 74(9):688–701,
2009. Special Issue on the Fifth International Workshop on Foundations of
Coordination Languages and Software Architectures (FOCLASA’06).
[KB10] S. Klüppelholz and C. Baier. Alternating-time stream logic for multi-
agent systems. Science of Computer Programming, 75(6):398–425, 2010.
10th International Conference on Coordination Models and Languages (CO-
ORD’08).
158
BIBLIOGRAPHY BIBLIOGRAPHY
[Kel76] R.M. Keller. Formal verification of parallel programs. Communications of
the ACM, 19(7):371–384, 1976.
[Kem06] S. Kemper. SAT-based Verification for Abstraction Refinement. Master
thesis, University of Oldenburg, January 2006.
[Kem11] S. Kemper. Modelling and Analysis of Real-Time Coordination Patterns.
PhD thesis, Leiden Institute of Advanced Computer Science (LIACS), 2011.
[KKdV12] N. Kokash, C. Krause, and E.P. de Vink. Reo + mCRL2: A Framework
for Model-Checking Dataflow in Service Compositions. Formal Aspects of
Computing, 24(2):187–216, 2012.
[KKSB11] J. Klein, S. Klüppelholz, A. Stam, and C. Baier. Hierarchical modeling
and formal verification. An industrial case study using Reo and Vereofy. In
Formal Methods for Industrial Critical Systems (FMICS 2011), volume 6959
of Lecture Notes in Computer Science, pages 228–243. Springer, 2011.
[Kle12] J. Klein. Compositional Controller Synthesis. Phd thesis, Technische Uni-
versität Dresden, forthcoming 2012.
[KLM+97] G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J.-M. Lo-
ingtier, and J. Irwin. Aspect-Oriented Programming. In Proceedings of
European Conference on Object-Oriented Programming (ECOOP’97), vol-
ume 1241 of Lecture Notes in Computer Science, pages 220–242. Springer,
1997.
[KNP04] M. Kwiatkowska, G. Norman, and D. Parker. Probabilistic Symbolic Model
Checking with PRISM: A Hybrid Approach. International Journal on Soft-
ware Tools for Technology Transfer, 6(2):128–142, 2004.
[Kra11] C. Krause. Reconfigurable Component Connectors. PhD thesis, Leiden
University, The Netherlands, 2011.
[Kri03] J. Krinke. Context-sensitive slicing of concurrent programs. In Proceedings
of the 9th European software engineering conference held jointly with 11th
ACM SIGSOFT international symposium on Foundations of software engi-
neering, volume 28 of ESEC/FSE-11, pages 178–187, New York, NY, USA,
September 2003. ACM.
[Kro99] T. Kropf. Introduction to Formal Hardware Verification. Springer, 1999.
[Kur94] R. Kurshan. Computer-aided Verification of Coordinating Processes: The
Automata-Theoretic Approach. Princeton University Press, 1994.
[Kwi89] M. Kwiatkowska. Survey of fairness notions. Information and Software
Technology, 31(7):371–386, 1989.
[KZH+09] J.-P. Katoen, I. Zapreev, E.M. Hahn, H. Hermanns, and D.N. Jansen. The
Ins and Outs of the Probabilistic Model Checker MRMC. In Proceedings
159
BIBLIOGRAPHY BIBLIOGRAPHY
of the 2009 Sixth International Conference on the Quantitative Evaluation
of Systems, QEST’09, pages 167–176, Washington, DC, USA, 2009. IEEE
Computer Society.
[LPA04] T. Lemniotes, G.A. Papadopoulos, and F. Arbab. Coordinating Web Services
Using Channel Based Communication. In Proceedings of the 28th Annual
International Computer Software and Applications Conference - Volume 01,
COMPSAC’04, pages 486–491. IEEE Computer Society, 2004.
[LPS81] D. Lehmann, A. Pnueli, and J. Stavi. Impartiality, justice and fairness: the
ethics of concurrent termination. In Proceedings of the 8th Colloquium on
Automata, Languages and Programming (ICALP), volume 115 of Lecture
Notes in Computer Science, pages 264–277. Springer, 1981.
[LPY97] K.G. Larsen, P. Pettersson, and W. Yi. Uppaal in a Nutshell. International
Journal on Software Tools for Technology Transfer, 1(1–2):134–152, 1997.
[Lyn96] N.A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, 1996.
[MA07] S. Meng and F. Arbab. Web services choreography and orchestration in Reo
and constraint automata. In Proceedings of the 2007 ACM Symposium on
Applied Computing, SAC’07, pages 346–353. ACM, 2007.
[MA10] S. Meng and F. Arbab. A Model for Web Service Coordination in Long-
Running Transactions. In Proceedings of the 5th IEEE International Sym-
posium on Service-Oriented System Engineering, SOSE’10, pages 121–128,
2010.
[Mar75] D.A. Martin. Borel Determinacy. Annals of Mathematics, 102:363–371,
1975.
[McM93] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers,
1993.
[MCM08] M. Majster-Cederbaum and C. Minnameier. Everything Is PSPACE-
Complete in Interaction Systems. In Proceedings of the 5th International
Colloquium on Theoretical Aspects of Computing (ICTAC’08), volume 5160
of Lecture Notes in Computer Science, pages 216–227. Springer, 2008.
[Mer01] S. Merz. Model checking: a tutorial. In F. Cassez, C. Jard, B. Rozoy,
and M.D. Ryan, editors, Modelling and Verification of Parallel Processes,
volume 2067 of Lecture Notes in Computer Science, pages 3–38. Springer,
2001.
[Mil83] R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer
Science, 25(3):267–310, 1983.
[Mil89] R. Milner. Communication and Concurrency. Prentice-Hall, 1989.
[Mil99] R. Milner. Communicating and Mobile Systems: The Pi-Calculus. Cam-
bridge University Press, 1999.
160
BIBLIOGRAPHY BIBLIOGRAPHY
[Min96] S. Minato. Binary Decision Diagrams and Applications for VLSI CAD.
Kluwer Academic Publishers, 1996.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent
Systems: Specification. Springer, 1992.
[MPW92] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes. Infor-
mation and Computation, 100:1–40, 1992.
[MS08] M. Mulugeta and A. Schill. Balancing Agility and Formalism in Software
Engineering. volume 5082, chapter A Framework for QoS Contract Negoti-
ation in Component-Based Applications, pages 238–251. Springer, 2008.
[MT98] C. Meinel and T. Theobald. Algorithms and Data Structures in VLSI Design.
Springer, 1998.
[Oss10] J. Ossowski. JINC - A Multi-Threaded Library for Higher-Order Weighted
Decision Diagram Manipulation. Phd thesis, Rheinische Friedrich-
Wilhelms-Universität Bonn, 2010.
[Pel93] D. Peled. All from One, One for All: On Model Checking Using Repre-
sentatives. In Proceedings of the 5th International Conference on Computer
Aided Verification (CAV ’93), volume 697 of Lecture Notes in Computer Sci-
ence, pages 409–423. Springer, 1993.
[Pet77] C.A. Petri. Non-sequential processes. GMD-ISF Report ISF-77-05, GMD,
Sankt Augustin, 1977.
[Pet81] J.L. Peterson. Petri Net Theory and the Modeling of Systems. Prentice-Hall,
1981.
[Pnu77] A. Pnueli. The Temporal Logic of Programs. In Proceedings of the 18th
IEEE Symposium on the Foundations of Computer Science, pages 46–57.
IEEE Computer Society Press, 1977.
[Pnu85] A. Pnueli. In transition from global to modular temporal reasoning about
programs. In Logics and models of concurrent systems, pages 123–144.
Springer, New York, NY, USA, 1985.
[PS95] S. Panda and F. Somenzi. Who are the variables in your neighborhood. In
Proceedings of the 1995 IEEE/ACM international conference on Computer-
aided design, ICCAD ’95, pages 74–77, Washington, DC, USA, 1995. IEEE
Computer Society.
[QS82] J. Queille and J. Sifakis. Specification and Verification of Concurrent Sys-
tems in CESAR. In Proceedings of the 5th Symposium on Programming,
volume 137 of Lecture Notes in Computer Science, pages 337–351. Springer,
1982.
161
BIBLIOGRAPHY BIBLIOGRAPHY
[QS83] J.-P. Queille and J. Sifakis. Fairness and related properties in transition sys-
tems. A temporal logic to deal with fairness. Acta Informatica, 19(3):195–
220, 1983.
[Rei79] J.H. Reif. Universal Games of Incomplete Information. In Proceedings of
the Annual ACM Symposium on Theory of Computing, pages 288–308, 1979.
[Rei84] J.H. Reif. The Complexity of Two-Player Games of Incomplete Information.
Journal of Computer and System Sciences, 29(2):274–301, October 1984.
[RJB99] J. Rumbaugh, I. Jacobson, and G. Booch, editors. The Unified Modeling
Language reference manual. Addison-Wesley Longman Ltd., 1999.
[RP80] J.H. Reif and G.L. Peterson. A Dynamic Logic of Multiprocessing with
Incomplete Information. In Proceedings of the Symposium on Principles of
Programming Languages, pages 193–202, 1980.
[RS02] M. Ryan and P.-Y. Schobbens. Agents and Roles: Refinement in Alternating-
Time Temporal Logic. In Proceedings of the 8th International Workshop
on Intelligent Agents, volume 2333 of Lecture Notes in Computer Science,
pages 100–114. Springer, 2002.
[Rud93] R. Rudell. Dynamic variable ordering for ordered binary decision dia-
grams. In Proceedings of the 1993 IEEE/ACM international conference on
Computer-aided design, ICCAD ’93, pages 42–47, Los Alamitos, CA, USA,
1993. IEEE Computer Society Press.
[RvdHW09] J. Ruan, W. van der Hoek, and M. Wooldridge. Verification of Games in the
Game Description Language. Journal of Logic and Computation, 19:1127–
1156, 2009.
[Sch04a] K. Schneider. Verification of Reactive Systems: Formal Methods and Algo-
rithms. Springer, 2004.
[Sch04b] P.-Y. Schobbens. Alternating-time logic with imperfect recall. Electronic
Notes in Theoretical Computer Science, 85(2):82–93, 2004.
[SLN01] J.G. Schneider, M. Lumpe, and O. Nierstrasz. Agent coordination via script-
ing languages. pages 153–175. Springer, London, UK, 2001.
[Som99] F. Somenzi. Binary decision diagrams. In M. Broy and R. Steinbruggen,
editors, Calculational System Design, volume 173 of NATO Science Series
F: Computer and Systems Sciences, pages 303–366. IOS Press, 1999.
[Ste97] P. Stevens. The Edinburgh Concurrency Workbench (Version 7.1). User man-
ual, 1997.
[Val92] A. Valmari. A Stubborn Attack on State Explosion. Formal Methods in
System Design, 1:297–322, 1992.
162
BIBLIOGRAPHY BIBLIOGRAPHY
[Var96] M. Vardi. An Automata-Theoretic Approach to Linear Temporal Logic. In
Proceedings of the 8th Banff Workshop on Higher Order: Logics for Concur-
rency - Structure versus Automata, volume 1043 of Lecture Notes in Com-
puter Science, pages 238–266. Springer, 1996.
[vdHRW05] W. van der Hoek, M. Roberts, and M. Wooldridge. Knowledge and so-
cial laws. In Proceedings of the fourth international joint conference on
Autonomous agents and multiagent systems, AAMAS ’05, pages 674–681.
ACM, 2005.
[vdHW03] W. van der Hoek and M. Wooldridge. Cooperation, Knowledge, and Time:
Alternating-time Temporal Epistemic Logic and its Applications. vol-
ume 75, pages 125–157. Springer, 2003.
[vdHWJ05] W. van der Hoek, M. Wooldridge, and W. Jamroga. A Logic for Strate-
gic Reasoning. In Proceedings of the 4th International Conference on Au-
tonomous Agents and Multiagent Systems, AAMAS ’05, pages 157–164.
ACM, 2005.
[vdP01] J.C. van de Pol. A Prover for the µCRL-Toolset with Applications: Version
0.1. CWI Report SEN-R 0106, Centrum Wiskunde & Informatica (CWI)
Amsterdam, 2001.
[VVK05] H. Völzer, D. Varacca, and E. Kindler. Defining fairness. In Proceedings of
the 16th International Conference on Concurrency Theory (CONCUR), vol-
ume 3653 of Lecture Notes in Computer Science, pages 458–472. Springer,
2005.
[VW86] M.Y. Vardi and P. Wolper. An Automata-Theoretic Approach to Automatic
Program Verification. In Proceedings of the Symposium on Logic in Com-
puter Science (LICS’86), pages 332–345, Washington, D.C., USA, 1986.
IEEE Computer Society Press.
[WBCG00] P.F. Williams, A. Biere, E.M. Clarke, and A. Gupta. Combining Decision
Diagrams and SAT Procedures for Efficient Symbolic Model Checking. In
Proceedings of the 12th International Conference on Computer Aided Ver-
ification, volume 1855 of CAV ’00, pages 124–138, London, UK, 2000.
Springer.
[WDR06] M. Wulf, L. Doyen, and J.F. Raskin. A Lattice Theory for Solving Games
of Imperfect Information. In Proceedings of HSCC 2006: Hybrid Systems—
Computation and Control, volume 3927 of Lecture Notes in Computer Sci-
ence, pages 153–168. Springer, 2006.
[Weg00] I. Wegener. Branching Programs and Binary Decision Diagrams: Theory
and Applications. Monographs on Discrete Mathematics and Applications.
SIAM, 2000.
[Wei84] M. Weiser. Program Slicing. IEEE Transactions on Software Engineering,
10(4):352–357, 1984.
163
BIBLIOGRAPHY BIBLIOGRAPHY
[Wol95] P. Wolper. An introduction to model checking. Position statement for panel
discussion at the Software Quality workshop, 1995.
[Wou01] A.G. Wouters. Manual for the µCRL Tool Set (Version 2.8.2). CWI Report
SEN-R 0130, Centrum Wiskunde & Informatica (CWI) Amsterdam, 2001.
164
