Model Checking Linear Logic Specifications

The overall goal of this paper is to investigate the theoretical foundations of algorithmic verification techniques for first order linear logic specifications. The fragment of linear logic we consider in this paper is based on the linear logic programming language called LO enriched with universally quantified goal formulas. Although LO was originally introduced as a theoretical foundation for extensions of logic programming languages, it can also be viewed as a very general language to specify a wide range of infinite-state concurrent systems. Our approach is based on the relation between backward reachability and provability highlighted in our previous work on propositional LO programs. Following this line of research, we define here a general framework for the bottom-up evaluation of first order linear logic specifications. The evaluation procedure is based on an effective fixpoint operator working on a symbolic representation of infinite collections of first order linear logic formulas. The theory of well quasi-orderings can be used to provide sufficient conditions for the termination of the evaluation of non trivial fragments of first order linear logic.Comment: 53 pages, 12 figures "Under consideration for publication in Theory and Practice of Logic Programming

Simulated time for testing railway interlockings with TTCN-3

In this report, we first give an overview of software systems based on Vital Processor Interlocking (VPI). Interlockings guarantee safety of railway control systems, so testing these software systems is a key issue. We show why testing such systems with real time and scaled time is inefficient. We also provide a time semantics for simulated time that is more suitable for testing VPI's software. We provide a solution that allows simulated time for TTCN-3 test systems. TTCN-3 is a standard language for specifying and executing test suites. In the context of the TT-MEDAL project, TTCN-3 is applied to various domains, in particular to testing railway and automotive systems. TTCN-3 supports real-time and scaled-time testing but not simulated-time testing. The solution is based on a distributed termination detection algorithm that we extend to provide the main ingredients of simulated time: idleness detection and correct time progress. We implemented our solution as a TTCN-3 module and several Java classes that can be reused for testing other systems that have characteristics similar to those of VPI

Modular Analysis of Distributed Hybrid Systems using Post-Regions (Full Version)

We introduce a new approach to analyze distributed hybrid systems by a generalization of rely-guarantee reasoning. First, we give a system for deductive verification of class invariants and method contracts in object-oriented distributed hybrid systems. In a hybrid setting, the object invariant must not only be the post-condition of a method, but also has to hold in the post-region of a method. The post-region describes all reachable states after method termination before another process is guaranteed to run. The system naturally generalizes rely-guarantee reasoning of discrete object-oriented languages to hybrid systems and carries over its modularity to hybrid systems: Only one dL-proof obligation is generated per method. The post-region can be approximated using lightweight analyses and we give a general notion of soundness for such analyses. Post-region based verification is implemented for the Hybrid Active Object language HABS

Proving Looping and Non-Looping Non-Termination by Finite Automata

A new technique is presented to prove non-termination of term rewriting. The basic idea is to find a non-empty regular language of terms that is closed under rewriting and does not contain normal forms. It is automated by representing the language by a tree automaton with a fixed number of states, and expressing the mentioned requirements in a SAT formula. Satisfiability of this formula implies non-termination. Our approach succeeds for many examples where all earlier techniques fail, for instance for the S-rule from combinatory logic

Automated verification of termination certificates

In order to increase user confidence, many automated theorem provers provide certificates that can be independently verified. In this paper, we report on our progress in developing a standalone tool for checking the correctness of certificates for the termination of term rewrite systems, and formally proving its correctness in the proof assistant Coq. To this end, we use the extraction mechanism of Coq and the library on rewriting theory and termination called CoLoR

Fifty years of Hoare's Logic

We present a history of Hoare's logic.Comment: 79 pages. To appear in Formal Aspects of Computin

Size-Change Termination as a Contract

Termination is an important but undecidable program property, which has led to a large body of work on static methods for conservatively predicting or enforcing termination. One such method is the size-change termination approach of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract programs into "size-change graphs," and (2) check these graphs for the size-change property: the existence of paths that lead to infinite decreasing sequences. We transpose these two phases with an operational semantics that accounts for the run-time enforcement of the size-change property, postponing (or entirely avoiding) program abstraction. This choice has two key consequences: (1) size-change termination can be checked at run-time and (2) termination can be rephrased as a safety property analyzed using existing methods for systematic abstraction. We formulate run-time size-change checks as contracts in the style of Findler and Felleisen. The result compliments existing contracts that enforce partial correctness specifications to obtain contracts for total correctness. Our approach combines the robustness of the size-change principle for termination with the precise information available at run-time. It has tunable overhead and can check for nontermination without the conservativeness necessary in static checking. To obtain a sound and computable termination analysis, we apply existing abstract interpretation techniques directly to the operational semantics, avoiding the need for custom abstractions for termination. The resulting analyzer is competitive with with existing, purpose-built analyzers