
    Efficient Patterns for Model Checking Partial State Spaces in CTL & LTL

    Compositional model checks of partial Kripke structures are efficient but incomplete, as they may fail to recognize that all implementations satisfy the checked property. But if a property holds for such checks, it will hold in all implementations. Such checks are therefore under-approximations. In this paper we determine for which popular specification patterns, documented at a community-led pattern repository, this under-approximation is precise in that the converse relationship holds as well for all model checks. We find that many such patterns are indeed precise. Those that aren't lose precision because of a sole propositional atom in mixed polarity. Hence we can compute, with linear blowup only, a semantic minimization in the same temporal logic whose efficient check renders the precise result for the original imprecise pattern. Thus precision can be secured for all patterns at low cost. © 2006 Elsevier B.V. All rights reserved

    On the complexity of semantic self-minimization

    Partial Kripke structures model only parts of a state space and so enable aggressive abstraction of systems prior to verifying them with respect to a formula of temporal logic. This partiality of models means that verifications may reply with true (all refinements satisfy the formula under check), false (no refinement satisfies the formula under check) or don't know. Generalized model checking is the most precise verification for such models (all don't know answers imply that some refinements satisfy the formula, some don't), but computationally expensive. A compositional model-checking algorithm for partial Kripke structures is efficient, sound (all answers true and false are truthful), but may lose precision by answering don't know instead of a factual true or false. Recent work has shown that such a loss of precision does not occur for this compositional algorithm for most practically relevant patterns of temporal logic formulas. Formulas that never lose precision in this manner are called semantically self-minimizing. In this paper we provide a systematic study of the complexity of deciding whether a formula of propositional logic, propositional modal logic or the propositional modal mu-calculus is semantically self-minimizing. © 2009 Elsevier B.V. All rights reserved

    Applying Formal Methods to Networking: Theory, Techniques and Applications

    Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet, which began as a research experiment, was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy, ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean-slate Internet design, especially the software defined networking (SDN) paradigm, offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence in interest in applying formal methods to specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking. Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial

    Qualitative Spatial and Temporal Reasoning based on And/Or Linear Programming An approach to partially grounded qualitative spatial reasoning

    Acting intelligently in dynamic environments involves anticipating surrounding processes, for example to foresee a dangerous situation or acceptable social behavior. Knowledge about spatial configurations and how they develop over time enables intelligent robots to safely navigate by reasoning about possible actions. The seamless connection of high-level deliberative processes to perception and action selection remains a challenge though. Moreover, an integration should allow the robot to build awareness of these processes as in reality there will be misunderstandings a robot should be able to respond to. My aim is to verify that actions selected by the robot do not violate navigation or safety regulations and thereby endanger the robot or others. Navigation rules specified qualitatively allow an autonomous agent to consistently combine all rules applicable in a context. Within this thesis, I develop a formal, symbolic representation of right-of-way-rules based on a qualitative spatial representation. This cumulative dissertation consists of 5 peer-reviewed papers and 1 manuscript under review. The contribution of this thesis is an approach to represent navigation patterns based on qualitative spatio-temporal representation and the development of corresponding effective sound reasoning techniques. The approach is based on a spatial logic in the sense of Aiello, Pratt-Hartmann, and van Benthem. This logic has clear spatial and temporal semantics and I demonstrate how it allows various navigation rules and social conventions to be represented. I demonstrate the applicability of the developed method in three different areas, an autonomous robotic system in an industrial setting, an autonomous sailing boat, and a robot that should act politely by adhering to social conventions. In all three settings, the navigation behavior is specified by logic formulas. Temporal reasoning is performed via model checking. 
An important aspect is that a logic symbol, such as "turn left", comprises a family of movement behaviors rather than a single pre-specified movement command. This makes it possible to incorporate the current spatial context, the possibly changing kinematics of the robotic system, and so on without changing a single formula. Additionally, I show that the developed approach can be integrated into various robotic software architectures. Further, an answer to three long-standing questions in the field of qualitative spatial reasoning is presented. Using generalized linear programming as a unifying basis for reasoning, one can jointly reason about relations from different qualitative calculi. Also, concrete entities (fixed points, regions fixed in shape and/or position, etc.) can be mixed with free variables. In addition, a realization of a qualitative spatial description can be calculated, i.e., a specific instance/example. All three features are important for applications but cannot be handled by other techniques. I advocate the use of And/Or trees to facilitate efficient reasoning and I show the feasibility of my approach. Last but not least, I investigate a fourth question, how to integrate And/Or trees with linear temporal logic, to enable spatio-temporal reasoning.

    Automata-theoretic and bounded model checking for linear temporal logic

    In this work we study methods for model checking the temporal logic LTL. The focus is on the automata-theoretic approach to model checking and bounded model checking. We begin by examining automata-theoretic methods to model check LTL safety properties. The model checking problem can be reduced to checking whether the language of a finite state automaton on finite words is empty. We describe an efficient algorithm for generating small finite state automata for so-called non-pathological safety properties. The presented implementation is the first tool able to decide whether a formula is non-pathological. The experimental results show that treating safety properties can benefit model checking at very little cost. In addition, we find supporting evidence for the view that minimising the automaton representing the property does not always lead to a small product state space. A deterministic property automaton can result in a smaller product state space even though it might have a larger number of states. Next we investigate modular analysis. Modular analysis is a state space reduction method for modular Petri nets. The method can be used to construct a reduced state space called the synchronisation graph. We devise an on-the-fly automata-theoretic method for model checking the behaviour of a modular Petri net from the synchronisation graph. The solution is based on reducing the model checking problem to an instance of verification with testers. We analyse the tester verification problem and present an efficient on-the-fly algorithm, the first complete solution to the tester verification problem, based on generalised nested depth-first search. We have also studied propositional encodings for bounded model checking LTL. A new simple linear sized encoding is developed and experimentally evaluated. The implementation in the NuSMV2 model checker is competitive with previously presented encodings. 
We show how to generalise the LTL encoding to a more succinct logic: LTL with past operators. The generalised encoding compares favourably with previous encodings for LTL with past operators. Links between bounded model checking and the automata-theoretic approach are also explored.

    Decision Problems for Partial Specifications: Empirical and Worst-Case Complexities

    Partial specifications allow approximate models of systems such as Kripke structures or labeled transition systems to be created. Using the abstraction possible with these models, the state-space explosion problem can be avoided, whilst still retaining a structure over which properties can be checked. A single partial specification abstracts a set of systems, whether Kripke structures, labeled transition systems, or systems with both atomic propositions and named transitions. This thesis deals in part with problems arising from a desire to efficiently evaluate sentences of the modal μ-calculus over a partial specification. Partial specifications also allow a single system to be modeled by a number of partial specifications, which abstract away different parts of the system. Alternatively, a number of partial specifications may represent different requirements on a system. The thesis also addresses the question of whether a set of partial specifications is consistent, that is to say, whether a single system exists that is abstracted by each member of the set. The effect of nominals, special atomic propositions true on only one state in a system, on the problem of the consistency of many partial specifications is also considered. The thesis also addresses the question of whether the systems a partial specification abstracts are all abstracted by a second partial specification, the problem of inclusion. The thesis demonstrates how commonly used "specification patterns", useful properties specified in the modal μ-calculus, can be efficiently evaluated over partial specifications, and gives upper and lower complexity bounds on the problems related to sets of partial specifications.

    Model Checking of Time Petri Nets


    Explicit or Symbolic Translation of Linear Temporal Logic to Automata

    Formal verification techniques are growing increasingly vital for the development of safety-critical software and hardware in practice. Techniques such as requirements-based design and model checking for system verification have been successfully used to verify systems for air traffic control, airplane separation assurance, autopilots, CPU logic designs, life-support, medical equipment, and other functions that ensure human safety. Formal behavioral specifications written early in the system-design process and communicated across all design phases increase the efficiency, consistency, and quality of the system under development. We argue that to prevent introducing design or verification errors, it is crucial to test specifications for satisfiability. We advocate for the adoption of a new sanity check via satisfiability checking for property assurance. Our focus here is on specifications expressed in Linear Temporal Logic (LTL). We demonstrate that LTL satisfiability checking reduces to model checking, and that satisfiability checking for the specification, its complement, and a conjunction of all properties should be performed as a first step to LTL model checking. We report on an experimental investigation of LTL satisfiability checking. We introduce a large set of rigorous benchmarks to enable objective evaluation of LTL-to-automaton algorithms in terms of scalability, performance, correctness, and size of the automata produced. For explicit model checking, we use the Spin model checker; we tested all LTL-to-explicit automaton translation tools that were publicly available when we conducted our study. For symbolic model checking, we use CadenceSMV, NuSMV, and SAL-SMC for both LTL-to-symbolic automaton translation and to perform the satisfiability check. Our experiments result in two major findings. First, scalability, correctness, and other debilitating performance issues afflict most LTL translation tools. 
Second, for LTL satisfiability checking, the symbolic approach is clearly superior to the explicit approach. Ironically, the explicit approach to LTL-to-automata had been heavily studied while only one algorithm existed for LTL-to-symbolic automata. Since 1994, there had been essentially no new progress in encoding symbolic automata for BDD-based analysis. Therefore, we introduce a set of 30 symbolic automata encodings. The set consists of novel combinations of existing constructs, such as different LTL formula normal forms, with a novel transition-labeled symbolic automaton form, a new way to encode transitions, and new BDD variable orders based on algorithms for tree decomposition of graphs. An extensive set of experiments demonstrates that these encodings translate to significant, sometimes exponential, improvement over the current standard encoding for symbolic LTL satisfiability checking. Building upon these ideas, we return to the explicit automata domain and focus on the most common type of specifications used in industrial practice: safety properties. We show that we can exploit the inherent determinism of safety properties to create a set of 26 explicit automata encodings comprising novel aspects including: state numbers versus state labels versus a state look-up table, finite versus infinite acceptance conditions, forward-looking versus backward-looking transition encodings, assignment-based versus BDD-based alphabet representation, state and transition minimization, edge abbreviation, trap-state elimination, and determinization either on-the-fly or up-front using the subset construction. We conduct an extensive experimental evaluation and identify an encoding that offers the best performance in explicit LTL model checking time and is constantly faster than the previous best explicit automaton encoding algorithm.