    A Bounded Domain Property for an Expressive Fragment of First-Order Linear Temporal Logic

    First-Order Linear Temporal Logic (FOLTL) is well-suited to specifying infinite-state systems. However, FOLTL satisfiability is not even semi-decidable, which prevents automated verification. To address this, one possible approach is to constrain specifications to a decidable fragment of FOLTL, but the known fragments are too restricted to be usable in practice. In this paper, we exhibit various fragments of increasing scope that provide a pertinent basis for the abstract specification of infinite-state systems. We show that these fragments enjoy the Bounded Domain Property (any satisfiable FOLTL formula has a model with a finite, bounded first-order domain), which provides a basis for complete, automated verification by reduction to LTL satisfiability. Finally, we present a simple case study illustrating the applicability and limitations of our results.

    Towards an Updatable Strategy Logic

    This article is about temporal multi-agent logics. Several such formalisms have already been presented (ATL-ATL*, ATLsc, SL). They make it possible to express the capacities of agents in a system to ensure the satisfaction of temporal properties. In particular, SL and ATLsc enable several agents to interact in a context mixing the different strategies they play in a semantic game. We generalize this possibility by proposing a new formalism, Updating Strategy Logic (USL). In USL, an agent can also refine its own strategy. The gain in expressive power gives rise to the notion of "sustainable capacities" for agents. USL is built from SL. It mainly brings to SL the two following modifications: semantically, the successor of a given state is not uniquely determined by the data of one choice from each agent; syntactically, we introduce in the language an operator, called an "unbinder", which explicitly deletes the binding of a strategy to an agent. We show that USL is strictly more expressive than SL.
    Comment: In Proceedings SR 2013, arXiv:1303.007

    An insertion operator preserving infinite reduction sequences

    A common way to show the termination of the union of two abstract reduction systems, provided both systems terminate, is to prove that they enjoy a specific property (some sort of 'commutation', for instance). This specific property is actually used to show that, for the union not to terminate, one of the systems must itself be non-terminating, which leads to a contradiction. Unfortunately, the property may be impossible to prove because some of the objects that are reduced do not have an adequate form. Hence the purpose of this paper is threefold:
    - First, it introduces an operator enabling us to insert a reduction step on such an object, and therefore to change its shape, while still preserving the ability to use the property. Of course, some new properties will need to be verified.
    - Second, as an instance of our technique, the operator is applied to relax a well-known lemma stating the termination of the union of two terminating abstract reduction systems.
    - Finally, this lemma is applied in a particular and then in a more general way to show the termination of some lambda calculi with inductive types augmented with specific reductions dealing with: (i) copies of inductive types; (ii) the representation of symmetric groups.

    Formal Modelling and Safety Analysis of an Avionic Functional Architecture with Alloy

    We propose an approach based on Alloy to formally model and assess a system architecture with respect to system-level safety requirements. The system on which we instantiate our approach is a specific Required Navigation Performance system from Thalès Avionics, named Localizer Performance with Vertical guidance Approach (LPV). In this article, we describe how to define such a system architecture and how to verify safety objectives.

    Lightweight specification and analysis of dynamic systems with rich configurations

    Model-checking is increasingly popular in the early phases of the software development process. To establish the correctness of a software design one must usually verify both structural and behavioral (or temporal) properties. Unfortunately, most specification languages, and their accompanying model-checkers, excel only in analyzing one or the other kind. This limits their ability to verify dynamic systems with rich configurations: systems whose state space is characterized by rich structural properties, but whose evolution is also expected to satisfy certain temporal properties. To address this problem, we first propose Electrum, an extension of the Alloy specification language with temporal logic operators, in which both rich configurations and expressive temporal properties can easily be defined. Two alternative model-checking techniques are then proposed, one bounded and the other unbounded, to verify systems expressed in this language, namely to verify that every desirable temporal property holds for every possible configuration.

    On the Assignment of Behavioural Goals to Coalitions of Agents

    In this article, we present a formal modelling framework for requirements engineering that simultaneously takes behavioural goals and agents into account. To this end, we introduce a kernel language, called KHI, together with its semantics in a strategy logic called USL. In KHI, agents are described by their capabilities and goals are defined by linear temporal logic formulas. An "assignment" then associates each goal with a set (a coalition) of agents, which are responsible for its satisfaction. We then present and discuss various correctness criteria for this assignment relation. These make it possible to evaluate the "relevance" of an assignment of goals to coalitions. They differ in the interactions they allow between coalitions of agents. We then propose a decidable verification procedure for checking that an assignment satisfies the correctness criteria. It consists in reducing the satisfaction of the criteria to instances of the model-checking problem for USL formulas in a structure derived from the agents' capabilities.

    1 Context

    Although, strictly speaking, the discipline of requirements modelling is not restricted to them alone [17, 14], the so-called goal-based [18] and agent-based [2, 9] approaches are in vogue in the relevant community (cf. the preceding citations, but also [12, 15]). In KAOS [18], the primary question is to determine which requirements must be taken into account to describe a system within an environment, the two together forming a global system to be developed. This global system must meet goals and is made up of agents (active entities). A goal is defined as a prescriptive statement under the responsibility of agents of the global system. Goals can be of all kinds (one finds the traditional taxonomies of non-functional goals [11]).
    Behavioural goals are singled out in particular: they characterise traces and can therefore be formalised in a temporal logic such as LTL. Although it superficially shares many notions with KAOS, TROPOS focuses above all on the notion of actor, defined as an intentional agent. Such an agent has goals that it wishes to see fulfilled, but whose satisfaction, whether partial or complete, is not necessarily its own responsibility. That responsibility may be delegated to other actors. TROPOS [2] thus pushes towards making explicit the dependency and collaboration links between actors. This is explained in particular by the fact that the systems targeted by the method are likely to include "human" or institutional actors. TROPOS has also been the subject of a formal proposal aiming to study to what extent actors can contribute to satisfying goals for other actors. The approach in question [9, 10] introduces for this purpose the so-called "social" notions of role, commitment and protocol. The role represents the expected behaviour of actors. An assignment of roles to actors is then evaluated by means of a correctness criterion. This essentially amounts to checking that an actor's capabilities entail the consequents of the commitments in which the assigned role appears as debtor.

    Proposition of an action layer for Electrum

    Electrum is an extension of Alloy that adds (1) mutable signatures and fields to the modeling layer; and (2) connectives from linear temporal logic (with past) and primed variables à la TLA+ to the constraint language. The analysis of models can then be translated into a SAT-based bounded model-checking problem, or into an LTL-based unbounded model-checking problem. Electrum has proved useful for modeling and verifying dynamic systems with rich configurations. However, when specifying events, the tedious and sometimes error-prone handling of traces and frame conditions (as in Alloy) remained necessary. In this paper, we introduce an extension of Electrum with a so-called "action" layer that addresses these questions.
    This work is financed by the ERDF - European Regional Development Fund - through the Operational Programme for Competitiveness and Internationalisation - COMPETE 2020 - and by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project POCI-01-0145-FEDER016826, and the French Research Agency project FORMEDICIS ANR-16-CE25-000

    Remarks on isomorphisms of simple inductive types

    We study isomorphisms of types in the system of simply-typed λ-calculus with inductive types and recursion operators. It is shown that in some cases (multiproducts, copies of types), it is possible to add new reductions in such a way that strong normalisation and confluence of the calculus are preserved, and the isomorphisms may be regarded as intensional w.r.t. a stronger equality relation.

    Simulation under arbitrary temporal logic constraints

    Most model checkers provide a useful simulation mode that allows users to explore the set of possible behaviours by interactively picking, at each state, which event to execute next. Traditionally this simulation mode cannot take additional temporal logic constraints into consideration, such as arbitrary fairness restrictions, which substantially reduces its usability for debugging the modelled system behaviour. Similarly, when a specification is false, even though all its counter-examples combined also form a set of behaviours, most model checkers only present one of them to the user, providing little or no mechanism to explore alternatives. In this paper, we present a simple on-the-fly verification technique that allows the user to explore the behaviours that satisfy an arbitrary temporal logic specification, with an interactive process akin to simulation. This technique enables a unified interface for simulating the modelled system and exploring its counter-examples. The technique is formalised in the framework of state/event linear temporal logic, and a proof of concept was implemented in an event-based variant of the Electrum framework.
    This work is financed by the ERDF - European Regional Development Fund - through the Operational Programme for Competitiveness and Internationalisation - COMPETE 2020 - and by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project POCI-01-0145-FEDER-016826, and the French Research Agency project FORMEDICIS ANR-16-CE25-0007. The third author was also supported by the FCT sabbatical grant with reference SFRH/BSAB/143106/2018.

    Isomorphisms of simple inductive types through extensional rewriting

    We study isomorphisms of inductive types (that is, recursive types satisfying a condition of strict positivity) in an extensional simply typed λ-calculus with product and unit types. We first show that the calculus enjoys strong normalisation and confluence. Then we extend it with new conversion rules ensuring that all inductive representations of the product and unit types are isomorphic, and such that the extended reduction remains convergent. Finally, we define the notion of a faithful copy of an inductive type and a corresponding conversion relation that also preserves the good properties of the calculus.