244 research outputs found

    Probably Safe or Live

    This paper presents a formal characterisation of safety and liveness properties à la Alpern and Schneider for fully probabilistic systems. As for the classical setting, it is established that any (probabilistic tree) property is equivalent to a conjunction of a safety and liveness property. A simple algorithm is provided to obtain such property decomposition for flat probabilistic CTL (PCTL). A safe fragment of PCTL is identified that provides a sound and complete characterisation of safety properties. For liveness properties, we provide two PCTL fragments, a sound and a complete one. We show that safety properties only have finite counterexamples, whereas liveness properties have none. We compare our characterisation for qualitative properties with the one for branching time properties by Manolios and Trefler, and present sound and complete PCTL fragments for characterising the notions of strong safety and absolute liveness coined by Sistla

    Responses of a tundra system to warming using SCAMPS : a stoichiometrically coupled, acclimating microbe–plant–soil model

    Author Posting. © Ecological Society of America, 2014. This article is posted here by permission of Ecological Society of America for personal use, not for redistribution. The definitive version was published in Ecological Monographs 84 (2014): 151-170, doi:10.1890/12-2119.1. Soils, plants, and microbial communities respond to global change perturbations through coupled, nonlinear interactions. Dynamic ecological responses complicate projecting how global change disturbances will influence ecosystem processes, such as carbon (C) storage. We developed an ecosystem-scale model (Stoichiometrically Coupled, Acclimating Microbe–Plant–Soil model, SCAMPS) that simulates the dynamic feedbacks between aboveground and belowground communities that affect their shared soil environment. The belowground component of the model includes three classes of soil organic matter (SOM), three microbially synthesized extracellular enzyme classes specific to these SOM pools, and a microbial biomass pool with a variable C-to-N ratio (C:N). The plant biomass, which contributes to the SOM pools, flexibly allocates growth toward wood, root, and leaf biomass, based on nitrogen (N) uptake and shoot-to-root ratio. Unlike traditional ecosystem models, the microbial community can acclimate to changing soil resources by shifting its C:N between a lower C:N, faster turnover (bacteria-like) community, and a higher C:N, slower turnover (fungal-like) community. This stoichiometric flexibility allows for the microbial C and N use efficiency to vary, feeding back into system decomposition and productivity dynamics. These feedbacks regulate changes in extracellular enzyme synthesis, soil pool turnover rates, plant growth, and ecosystem C storage. We used SCAMPS to test the interactive effects of winter, summer, and year-round soil warming, in combination with microbial acclimation ability, on decomposition dynamics and plant growth in a tundra system.
    Over 50-year simulations, both the seasonality of warming and the ability of the microbial community to acclimate had strong effects on ecosystem C dynamics. Across all scenarios, warming increased plant biomass (and therefore litter inputs to the SOM), while the ability of the microbial community to acclimate increased soil C loss. Winter warming drove the largest ecosystem C losses when the microbial community could acclimate, and the largest ecosystem C gains when it could not acclimate. Similar to empirical studies of tundra warming, modeled summer warming had relatively negligible effects on soil C loss, regardless of acclimation ability. In contrast, winter and year-round warming drove marked soil C loss when decomposers could acclimate, despite also increasing plant biomass. These results suggest that incorporating dynamically interacting microbial and plant communities into ecosystem models might increase the ability to link ongoing global change field observations with macro-scale projections of ecosystem biogeochemical cycling in systems under change. This work was funded by a DOE Global Change Education Program Graduate Fellowship, the NOAA Climate and Global Change Postdoctoral Fellowship Program, and UCSB EEMB Block Grant to S. A. Sistla and NSF DEB 0919049 to E. B. Rastetter and J. P. Schimel, and Arctic LTER Project NSF-1026843

    Model Checking CTL is Almost Always Inherently Sequential

    The model checking problem for CTL is known to be P-complete (Clarke, Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of CTL obtained by restricting the use of temporal modalities or the use of negations---restrictions already studied for LTL by Sistla and Clarke (1985) and Markey (2004). For all these fragments, except for the trivial case without any temporal operator, we systematically prove model checking to be either inherently sequential (P-complete) or very efficiently parallelizable (LOGCFL-complete). For most fragments, however, model checking for CTL is already P-complete. Hence our results indicate that, in cases where the combined complexity is of relevance, approaching CTL model checking by parallelism cannot be expected to result in any significant speedup. We also completely determine the complexity of the model checking problem for all fragments of the extensions ECTL, CTL+, and ECTL+

    Efficient Symmetry Reduction and the Use of State Symmetries for Symbolic Model Checking

    One technique to reduce the state-space explosion problem in temporal logic model checking is symmetry reduction. The combination of symmetry reduction and symbolic model checking by using BDDs suffered a long time from the prohibitively large BDD for the orbit relation. Dynamic symmetry reduction calculates representatives of equivalence classes of states dynamically and thus avoids the construction of the orbit relation. In this paper, we present a new efficient model checking algorithm based on dynamic symmetry reduction. Our experiments show that the algorithm is very fast and allows the verification of larger systems. We additionally implemented the use of state symmetries for symbolic symmetry reduction. To our knowledge we are the first who investigated state symmetries in combination with BDD based symbolic model checking

    Interrupt Timed Automata: verification and expressiveness

    We introduce the class of Interrupt Timed Automata (ITA), a subclass of hybrid automata well suited to the description of timed multi-task systems with interruptions in a single processor environment. While the reachability problem is undecidable for hybrid automata we show that it is decidable for ITA. More precisely we prove that the untimed language of an ITA is regular, by building a finite automaton as a generalized class graph. We then establish that the reachability problem for ITA is in NEXPTIME and in PTIME when the number of clocks is fixed. To prove the first result, we define a subclass ITA- of ITA, and show that (1) any ITA can be reduced to a language-equivalent automaton in ITA- and (2) the reachability problem in this subclass is in NEXPTIME (without any class graph). In the next step, we investigate the verification of real time properties over ITA. We prove that model checking SCL, a fragment of a timed linear time logic, is undecidable. On the other hand, we give model checking procedures for two fragments of timed branching time logic. We also compare the expressive power of classical timed automata and ITA and prove that the corresponding families of accepted languages are incomparable. The result also holds for languages accepted by controlled real-time automata (CRTA), that extend timed automata. We finally combine ITA with CRTA, in a model which encompasses both classes and show that the reachability problem is still decidable. Additionally we show that the languages of ITA are neither closed under complementation nor under intersection

    Interval temporal logic model checking: The border between good and bad HS fragments

    The model checking problem has thoroughly been explored in the context of standard point-based temporal logics, such as LTL, CTL, and CTL*, whereas model checking for interval temporal logics has been brought to the attention only very recently. In this paper, we prove that the model checking problem for the logic of Allen's relations started-by and finished-by is highly intractable, as it can be proved to be EXPSPACE-hard. Such a lower bound immediately propagates to the full Halpern and Shoham's modal logic of time intervals (HS). In contrast, we show that other noteworthy HS fragments, namely, Propositional Neighbourhood Logic extended with modalities for the Allen relation starts (resp., finishes) and its inverse started-by (resp., finished-by), turn out to have, maybe unexpectedly, the same complexity as LTL (i.e., they are PSPACE-complete), thus joining the group of other already studied, well-behaved albeit less expressive, HS fragments

    Interactive Termination Proofs Using Termination Cores

    Abstract. Recent advances in termination analysis have yielded new methods and tools that are highly automatic. However, when they fail, even experts have difficulty understanding why and determining how to proceed. In this paper, we address the issue of building termination analysis engines that are both highly automatic and easy to use in an interactive setting. We consider the problem in the context of ACL2, which has a first-order, functional programming language. We introduce the notion of a termination core, a simplification of the program under consideration which consists of a single loop that the termination engine cannot handle. We show how to extend the Size Change Termination (SCT) algorithm so that it generates termination cores when it fails to prove termination, with no increase to its complexity. We show how to integrate this into the Calling Context Graph (CCG) termination analysis, a powerful SCT-based automatic termination analysis that is part of the ACL2 Sedan. We also present several new, convenient ways of allowing users to interface with the CCG analysis, in order to guide it to a termination proof.

    Complexity and Expressivity of Branching- and Alternating-Time Temporal Logics with Finitely Many Variables

    We show that Branching-time temporal logics CTL and CTL*, as well as Alternating-time temporal logics ATL and ATL*, are as semantically expressive in the language with a single propositional variable as they are in the full language, i.e., with an unlimited supply of propositional variables. It follows that satisfiability for CTL, as well as for ATL, with a single variable is EXPTIME-complete, while satisfiability for CTL*, as well as for ATL*, with a single variable is 2EXPTIME-complete, i.e., for these logics, the satisfiability for formulas with only one variable is as hard as satisfiability for arbitrary formulas. Comment: Prefinal version of the published pape

    Explainable Reactive Synthesis

    Reactive synthesis transforms a specification of a reactive system, given in a temporal logic, into an implementation. The main advantage of synthesis is that it is automatic. The main disadvantage is that the implementation is usually very difficult to understand. In this paper, we present a new synthesis process that explains the synthesized implementation to the user. The process starts with a simple version of the specification and a corresponding simple implementation. Then, desired properties are added one by one, and the corresponding transformations, repairing the implementation, are explained in terms of counterexample traces. We present SAT-based algorithms for the synthesis of repairs and explanations. The algorithms are evaluated on a range of examples including benchmarks taken from the SYNTCOMP competition