
    Abstract Logical Model Checking of Infinite-State Systems Using Narrowing

    A concurrent system can be naturally specified as a rewrite theory R = (Sigma, E, R) where states are elements of the initial algebra of terms modulo E and concurrent transitions are axiomatized by the rewrite rules R. Under simple conditions, narrowing with rules R modulo equations E can be used to symbolically represent the system's state space by means of terms with logical variables. We call this symbolic representation a "logical state space" and it can also be used for model checking verification of LTL properties. Since in general such a logical state space can be infinite, we propose several abstraction techniques for obtaining either an over-approximation or an under-approximation of the logical state space: (i) a folding abstraction that collapses patterns into more general ones, (ii) an easy-to-check method to define (bisimilar) equational abstractions, and (iii) an iterated bounded model checking method that can detect if a logical state space within a given bound is complete. We also show that folding abstractions can be faithful for safety LTL properties, so that they do not generate any spurious counterexamples. These abstraction methods can be used in combination and, as we illustrate with examples, can be effective in making the logical state space finite. We have implemented these techniques in the Maude system, providing the first narrowing-based LTL model checker we are aware of.

    PALS-Based Analysis of an Airplane Multirate Control System in Real-Time Maude

    Distributed cyber-physical systems (DCPS) are pervasive in areas such as aeronautics and ground transportation systems, including the case of distributed hybrid systems. DCPS design and verification is quite challenging because of asynchronous communication, network delays, and clock skews. Furthermore, their model checking verification typically becomes unfeasible due to the huge state space explosion caused by the system's concurrency. The PALS ("physically asynchronous, logically synchronous") methodology has been proposed to reduce the design and verification of a DCPS to the much simpler task of designing and verifying its underlying synchronous version. The original PALS methodology assumes a single logical period, but Multirate PALS extends it to deal with multirate DCPS in which components may operate with different logical periods. This paper shows how Multirate PALS can be applied to formally verify a nontrivial multirate DCPS. We use Real-Time Maude to formally specify a multirate distributed hybrid system consisting of an airplane maneuvered by a pilot who turns the airplane according to a specified angle through a distributed control system. Our formal analysis revealed that the original design was ineffective in achieving a smooth turning maneuver, and led to a redesign of the system that satisfies the desired correctness properties. This shows that the Multirate PALS methodology is not only effective for formal DCPS verification, but can also be used effectively in the DCPS design process, even before properties are verified. Comment: In Proceedings FTSCS 2012, arXiv:1212.657

    A Rewriting-Based Model Checker for the Linear Temporal Logic of Rewriting

    This paper presents a model checker for LTLR, a subset of the temporal logic of rewriting TLR* extending linear temporal logic with spatial action patterns. Both LTLR and TLR* are very expressive logics generalizing well-known state-based and action-based logics. Furthermore, the semantics of TLR* is given in terms of rewrite theories, so that the concurrent systems on which the LTLR properties are model checked can be specified at a very high level with rewrite rules. This paper answers a nontrivial challenge, namely, to be able to build a model checker to model check LTLR formulas on rewrite theories with relatively little effort by reusing Maude's LTL model checker for rewrite theories. For this, the reflective features of both rewriting logic and its Maude implementation have proved extremely useful.

    Extending the Real-Time Maude Semantics of Ptolemy to Hierarchical DE Models

    This paper extends our Real-Time Maude formalization of the semantics of flat Ptolemy II discrete-event (DE) models to hierarchical models, including modal models. This is a challenging task that requires combining synchronous fixed-point computations with hierarchical structure. The synthesis of a Real-Time Maude verification model from a Ptolemy II DE model, and the formal verification of the synthesized model in Real-Time Maude, have been integrated into Ptolemy II, enabling a model-engineering process that combines the convenience of Ptolemy II DE modeling and simulation with formal verification in Real-Time Maude. Comment: In Proceedings RTRTS 2010, arXiv:1009.398

    Serotype Distribution and Antimicrobial Resistance of Streptococcus pneumoniae Isolates Causing Invasive and Noninvasive Pneumococcal Diseases in Korea from 2008 to 2014

    Introduction. Streptococcus pneumoniae is an important pathogen with high morbidity and mortality rates. The aim of this study was to evaluate the distribution of common serotypes and antimicrobial susceptibility of S. pneumoniae in Korea. Methods. A total of 378 pneumococcal isolates were collected from 2008 through 2014. We analyzed the serotype and antimicrobial susceptibility for both invasive and noninvasive isolates. Results. Over the 7 years, 3 (13.5%), 35 (10.8%), 19A (9.0%), 19F (6.6%), 6A (6.1%), and 34 (5.6%) were common serotypes/serogroups. The vaccine coverage rates of PCV7, PCV10, PCV13, and PPSV23 were 21.4%, 23.3%, 51.9%, and 62.4% in all periods. The proportions of serotypes 19A and 19F decreased and nonvaccine serotypes increased between 2008 and 2010 and 2011 and 2014. Of 378 S. pneumoniae isolates, 131 (34.7%) were multidrug resistant (MDR) and serotypes 19A and 19F were predominant. The resistance rate to levofloxacin was significantly increased (7.2%). Conclusion. We found changes of pneumococcal serotype and antimicrobial susceptibility during the 7 years after introduction of the first pneumococcal vaccine. It is important to continuously monitor pneumococcal serotypes and their susceptibilities.

    IL-15 promotes self-renewal of progenitor exhausted CD8 T cells during persistent antigenic stimulation

    In chronic infections and cancer, exhausted CD8 T cells exhibit heterogeneous subpopulations. TCF1+PD-1+ progenitor exhausted CD8 T cells (Tpex) can self-renew and give rise to Tim-3+PD-1+ terminally differentiated CD8 T cells that retain their effector functions. Tpex cells are thus essential to maintaining a pool of antigen-specific CD8 T cells during persistent antigenic stimulation, and only they respond to PD-1-targeted therapy. Despite their potential as a crucial therapeutic target for immune interventions, the mechanisms controlling the maintenance of virus-specific Tpex cells remain to be determined. We observed approximately 10-fold fewer Tpex cells in the spleens of mice chronically infected with lymphocytic choriomeningitis virus (LCMV) one-year post-infection (p.i.) than at three months p.i. Similar to memory CD8 T cells, Tpex cells have been found to undergo self-renewal in the lymphoid organs, prominently the bone marrow, during chronic LCMV infection. Furthermore, ex vivo treatment with IL-15 preferentially induced the proliferation of Tpex cells rather than the terminally differentiated subsets. Interestingly, single-cell RNA sequencing analysis of LCMV-specific exhausted CD8 T cells after ex vivo IL-15 treatment compared with those before treatment revealed increased expression of ribosome-related genes and decreased expression of genes associated with the TCR signaling pathway and apoptosis in both Tpex and Ttex subsets. The exogenous administration of IL-15 to chronically LCMV-infected mice also significantly increased self-renewal of Tpex cells in the spleen and bone marrow. In addition, we assessed the responsiveness of CD8 tumor-infiltrating lymphocytes (TILs) from renal cell carcinoma patients to IL-15. Similar to the data we obtained from chronic viral infection in mice, the expansion of the Tpex subset of PD-1+ CD8 TILs upon ex vivo IL-15 treatment was significantly higher than that of the terminally differentiated subset. These results show that IL-15 could promote self-renewal of Tpex cells, which has important therapeutic implications.

    Synchronous AADL and its Formal Analysis in Real-Time Maude

    Distributed Real-Time Systems (DRTS), such as avionics systems and distributed control systems in motor vehicles, are very hard to design because of asynchronous communication, network delays, and clock skews. Furthermore, their model checking typically becomes unfeasible due to the large state spaces caused by the interleavings. For many DRTSs, we can use the PALS methodology to reduce the problem of designing and verifying asynchronous DRTSs to the much simpler task of designing and verifying their synchronous versions. AADL is an industrial modeling standard for avionics and automotive systems. We define in this paper the Synchronous AADL language for modeling synchronous real-time systems in AADL, and provide a formal semantics for Synchronous AADL in Real-Time Maude. We have integrated into the OSATE modeling environment for AADL a plug-in which allows us to model check Synchronous AADL models in Real-Time Maude within OSATE. We exemplify such verification on an avionics system, whose Synchronous AADL design can be model checked in less than 10 seconds, but whose asynchronous design cannot be feasibly model checked.
    Funding: Boeing/C8088; CNS 08-34709; CCF 09-05584; The Research Council of Norway. Unpublished, not peer reviewed.

    Source Code for a Multirate PALS framework in Real-Time Maude

    We give source code for a Real-Time Maude framework for formally specifying and executing Multirate PALS synchronous designs, along with an example of designing and model checking a distributed controller for turning an airplane.

    Rewriting-based model checking methods

    Model checking is an automatic technique for verifying concurrent systems. The properties of the system to be verified are typically expressed as temporal logic formulas, while the system itself is formally specified in a system specification language, such as a computational logic or a conventional programming language. Rewriting logic is a highly expressive computational logic for effectively defining a formal executable semantics of a wide range of system specification languages. This dissertation presents new rewriting-based model checking methods and tools to effectively verify concurrent systems by means of their rewriting-based formal semantics. Specifically, this work develops: (i) efficient model checking algorithms and a tool for a suitable property specification language, namely, linear temporal logic of rewriting (LTLR) formulas under parameterized fairness; (ii) various infinite-state model checking techniques for LTLR properties, such as equational abstraction, folding abstraction, predicate abstraction, and narrowing-based symbolic model checking; and (iii) the Multirate PALS methodology for making it possible to model check virtually synchronous cyber-physical systems by reducing their system complexity. To demonstrate rewriting-based model checking, we have developed fully integrated modeling and model checking tools for two widely-used embedded system modeling languages, AADL and Ptolemy II. This approach provides a model-engineering process that combines the advantages of an existing modeling language with automatic rewriting-based model checking.

    Symbolic Reachability Analysis of Distributed Systems using Narrowing and Heuristic Search

    A concurrent system specified as a rewrite theory can be symbolically analyzed using narrowing-based reachability analysis. Narrowing-based approaches have been applied to formally analyze cryptographic protocols and parameterized protocols. However, existing narrowing-based techniques, based on a breadth-first-search strategy, cannot deal with generic distributed systems with objects and messages due to the symbolic state-space explosion problem. This paper proposes a heuristic search approach for narrowing-based reachability analysis to guide the search for counterexamples involving a small number of objects. As a result, our method can effectively find a counterexample if an error state is reachable. We demonstrate the effectiveness of our technique using a nontrivial distributed consensus algorithm.