A Bounded Domain Property for an Expressive Fragment of First-Order Linear Temporal Logic
First-Order Linear Temporal Logic (FOLTL) is well-suited to specifying infinite-state systems. However, FOLTL satisfiability is not even semi-decidable, which rules out fully automated verification. One way around this is to constrain specifications to a decidable fragment of FOLTL, but the known fragments are too restrictive to be usable in practice. In this paper, we exhibit several fragments of increasing scope that provide a pertinent basis for the abstract specification of infinite-state systems. We show that these fragments enjoy the Bounded Domain Property (every satisfiable formula of the fragment has a model with a finite, bounded first-order domain), which provides a basis for complete, automated verification by reduction to LTL satisfiability. Finally, we present a simple case study illustrating the applicability and limitations of our results.
Towards an Updatable Strategy Logic
This article is about temporal multi-agent logics. Several such formalisms have already been presented (ATL/ATL*, ATLsc, SL). They make it possible to express the capacity of agents in a system to ensure the satisfaction of temporal properties. In particular, SL and ATLsc allow several agents to interact in a context that mixes the different strategies they play in a semantic game. We generalize this possibility by proposing a new formalism, Updating Strategy Logic (USL). In USL, an agent can also refine its own strategy. The gain in expressive power gives rise to the notion of "sustainable capacities" for agents.

USL is built from SL. It mainly brings two modifications to SL. Semantically, the successor of a given state is no longer uniquely determined by one choice from each agent. Syntactically, we introduce into the language an operator, called an "unbinder", which explicitly deletes the binding of a strategy to an agent. We show that USL is strictly more expressive than SL.

Comment: In Proceedings SR 2013, arXiv:1303.007
An insertion operator preserving infinite reduction sequences
A common way to show termination of the union of two abstract reduction systems, provided both systems terminate, is to prove that they enjoy a specific property (some form of "commutation", for instance). This property is used to show that, for the union not to terminate, one of the systems must itself be non-terminating, which is a contradiction. Unfortunately, the property may be impossible to prove because some of the objects being reduced do not have an adequate form. The purpose of this paper is therefore threefold:
- First, it introduces an operator that lets us insert a reduction step on such an object, and therefore change its shape, while still preserving the ability to use the property. Of course, some new properties then need to be verified.
- Second, as an instance of our technique, the operator is applied to relax a well-known lemma stating the termination of the union of two terminating abstract reduction systems.
- Finally, this lemma is applied, first in a specific and then in a more general way, to show the termination of some lambda calculi with inductive types augmented with specific reductions dealing with (i) copies of inductive types and (ii) the representation of symmetric groups.
Verifying temporal relational models with Pardinus
This short paper summarizes an article published in the Journal of Automated Reasoning [7]. It presents Pardinus, an extension of a popular relational model finder [12] with linear temporal logic (including past operators) that simplifies the analysis of dynamic systems. Pardinus includes a SAT-based bounded model checking engine and an SMV-based complete model checking engine, both allowing iteration through the different instances (or counterexamples) of a specification. It also supports a decomposed parallel analysis strategy that improves the efficiency of both analysis engines on commodity multi-core machines.

Work financed by the European Regional Development Fund (ERDF) through the Operational Programme for Competitiveness and Internationalisation (COMPETE2020) and by National Funds through the Portuguese funding agency, Fundação para a Ciência e a Tecnologia (FCT), within project POCI-01-0145-FEDER-016826, by the French Research Agency project FORMEDICIS ANR-16-CE25-0007, and by the research project CONCORDE of the Defense Innovation Agency (AID) of the French Ministry of Defense (2019650090004707501).
Adding records to Alloy
Records are a composite data type available in most programming and specification languages, but they are not natively supported by Alloy. As a consequence, users often find themselves simulating records in ad hoc ways, a strategy that is error prone and often encumbers the analysis procedures. This paper proposes a conservative extension of the Alloy language to support record signatures. Uniqueness and completeness are imposed on the atoms of such signatures, while still supporting Alloy's flexible signature hierarchy. The Analyzer has been extended to internally expand such record signatures as partial knowledge for the solving procedure. Evaluation shows that the proposed approach is more efficient than the commonly used idioms.

This work is supported by the research project CONCORDE of the Defense Innovation Agency (AID) of the French Ministry of Defense (2019650090004707501), and by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project EXPL/CCI-COM/1637/202
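The "ad hoc" idiom the abstract refers to is worth seeing, because it shows why plain Alloy struggles with records. The model below is an added illustration, not code from the paper or from the Analyzer: it simulates a record type `Entry` as an ordinary signature and then imposes uniqueness and completeness by hand. The signature and field names are the example's own choices.

```alloy
// Added example: simulating a record type (Name x Addr) in plain Alloy.
// This is the idiom that a native record signature would replace.

sig Name, Addr {}

// An Entry is meant to be a record with two fields.
sig Entry {
  name: one Name,
  addr: one Addr
}

// Uniqueness: two distinct Entry atoms never carry the same field values.
// Without this, the solver may produce several atoms for one "record".
fact Unique {
  all disj e1, e2: Entry | e1.name != e2.name or e1.addr != e2.addr
}

// Completeness: every combination of field values is denoted by some atom,
// so that an expression such as (n -> a) can be mapped to an Entry.
fact Complete {
  all n: Name, a: Addr | some e: Entry | e.name = n and e.addr = a
}

// Completeness forces #Entry >= #Name * #Addr. With the default scope of 3
// for every signature this model is over-constrained and has NO instance,
// so a `check` against it would silently report no counterexample.
run {} for 3                     // no instance found
run {} for 3 but 9 Entry         // an instance exists once Entry is large enough

// A check is only meaningful with a scope that admits the complete table.
assert NameDeterminesNothing {
  all disj e1, e2: Entry | e1.name = e2.name implies e1.addr != e2.addr
}
check NameDeterminesNothing for 3 but 9 Entry
```

The caveat a practitioner should take away: the completeness fact ties the scope of the record signature to the product of its field scopes, so an analysis that forgets to raise it vacuously passes. That coupling, and the extra clauses the solver has to carry, is the cost the paper's record signatures are designed to remove.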
Formal Modelling and Safety Analysis of an Avionic Functional Architecture with Alloy
We propose an approach based on Alloy to formally model and assess a system architecture with respect to system-level safety requirements. The system on which we instantiate our approach is a specific Required Navigation Performance system from Thalès Avionics named Localizer Performance with Vertical guidance Approach (LPV). In this article, we describe how to define such a system architecture and how to verify safety objectives.
Lightweight specification and analysis of dynamic systems with rich configurations
Model-checking is increasingly popular in the early phases of the software development process. To establish the correctness of a software design one must usually verify both structural and behavioral (or temporal) properties. Unfortunately, most specification languages, and their accompanying model-checkers, excel at analyzing only one or the other kind. This limits their ability to verify dynamic systems with rich configurations: systems whose state space is characterized by rich structural properties, but whose evolution is also expected to satisfy certain temporal properties. To address this problem, we first propose Electrum, an extension of the Alloy specification language with temporal logic operators, in which both rich configurations and expressive temporal properties can easily be defined. Two alternative model-checking techniques are then proposed, one bounded and the other unbounded, to verify systems expressed in this language, namely to verify that every desirable temporal property holds for every possible configuration.

Funded by the ERDF - European Regional Development Fund.
On the assignment of behavioral goals to coalitions of agents
In this article, we present a formal modelling framework for requirements engineering that takes behavioral goals and agents into account simultaneously. To do so, we introduce a core language, called KHI, together with its semantics in a strategy logic called USL. In KHI, agents are described by their capacities and goals are defined by linear temporal logic formulas. An "assignment" then associates each goal with a set (a coalition) of agents, which are responsible for its satisfaction. We then present and discuss several correctness criteria for this assignment relation. These make it possible to assess the "relevance" of an assignment of goals to coalitions; they differ in the interactions they allow between coalitions of agents. We then propose a decidable verification procedure for the satisfaction of the correctness criteria by an assignment. It consists in reducing the satisfaction of the criteria to instances of the model-checking problem for USL formulas in a structure derived from the agents' capacities.

1 Context. Although, strictly speaking, the discipline of requirements modelling is not restricted to them alone [17, 14], so-called goal-oriented [18] and agent-oriented [2, 9] approaches are very much in fashion in the relevant community (see the previous citations but also [12, 15]). In KAOS [18], the primary question is to determine the requirements that must be taken into account to account for a system within an environment, the whole forming a global system to be developed. This global system must meet goals and consists of agents (active entities). A goal is defined as a prescriptive statement under the responsibility of agents of the global system. Goals can be of all kinds (one finds the traditional taxonomies of non-functional goals [11]). But one distinguishes in particular behavioral goals, which characterize traces and can therefore be formalized in a temporal logic such as LTL. Although it superficially shares many notions with KAOS, TROPOS focuses above all on the notion of actor, defined as an intentional agent. Such an agent has goals that it wishes to see fulfilled, but whose satisfaction, whether partial or complete, is not necessarily its own responsibility; that responsibility may be delegated to other actors. TROPOS [2] thus pushes toward making dependency and collaboration links between actors explicit. This is explained in particular by the fact that the systems targeted by the method may include "human" or institutional actors. TROPOS has also been the subject of a formal proposal aimed at studying to what extent actors can contribute to satisfying goals for other actors. The approach in question [9, 10] introduces for this purpose the so-called "social" notions of role, commitment and protocol. A role represents the behavior expected of actors. An assignment of roles to actors is then evaluated by means of a correctness criterion. This essentially amounts to checking that an actor's capacities entail the consequents of the commitments in which the assigned role appears as the debtor.
Proposition of an action layer for Electrum
Electrum is an extension of Alloy that adds (1) mutable signatures and fields to the modeling layer, and (2) connectives from linear temporal logic (with past) and primed variables à la TLA+ to the constraint language. The analysis of models can then be translated into a SAT-based bounded model-checking problem, or into an LTL-based unbounded model-checking problem. Electrum has proved useful for modeling and verifying dynamic systems with rich configurations. However, when specifying events, the tedious and sometimes error-prone handling of traces and frame conditions (as in Alloy) remained necessary. In this paper, we introduce an extension of Electrum with a so-called "action" layer that addresses these questions.

This work is financed by the ERDF - European Regional Development Fund - through the Operational Programme for Competitiveness and Internationalisation - COMPETE 2020 - and by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project POCI-01-0145-FEDER016826, and the French Research Agency project FORMEDICIS ANR-16-CE25-000
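The two Electrum abstracts above (the "dynamic systems with rich configurations" paper and this action-layer paper) are easier to read with a concrete specification in hand. The model below is an added example written in the Electrum syntax that became Alloy 6 (`var` fields, `always`, `after`, primed expressions); it is not code from either paper. It models a small access-control system: the owner relation is a static configuration over which every check ranges, the reader relation is mutable, and the events spell out their frame conditions by hand, which is exactly the bookkeeping the action layer is meant to remove. All signature, field and predicate names are the example's own.

```alloy
// Added example: a dynamic system with a rich configuration in Electrum/Alloy 6.

sig User {}
sig Resource {
  owner: one User,          // static: part of the configuration, fixed along a trace
  var readers: set User     // mutable: changes from state to state
}

// Initial state: each resource is readable only by its owner.
// (A fact without a temporal operator constrains the first state.)
fact init { readers = owner }

// Events. Each one gives a guard, an effect on the resource it touches,
// and an explicit frame condition for every resource it does not touch.
pred grant[r: Resource, u: User] {
  u not in r.readers                               // guard
  r.readers' = r.readers + u                       // effect
  all s: Resource - r | s.readers' = s.readers     // frame condition, by hand
}

pred revoke[r: Resource, u: User] {
  u in r.readers
  u != r.owner                                     // owners cannot be revoked
  r.readers' = r.readers - u
  all s: Resource - r | s.readers' = s.readers     // frame condition, again
}

pred stutter { readers' = readers }

// Every step of every trace is one of the events above (or a stutter).
fact trace {
  always (stutter or some r: Resource, u: User | grant[r, u] or revoke[r, u])
}

// Sanity run: a trace in which somebody other than the owner gains access.
run { eventually some r: Resource | r.readers != r.owner } for 3 but 6 steps

// Temporal property checked for every configuration (every owner relation):
// an owner never loses access to its own resource. Holds, because init and
// the guard of revoke together keep owner inside readers.
assert OwnerKeepsAccess {
  always (all r: Resource | r.owner in r.readers)
}
check OwnerKeepsAccess for 4 but 10 steps

// A property that is NOT enforced by the model: once revoked, a user is never
// granted access again. The Analyzer returns a counterexample trace
// (grant, revoke, grant).
assert NoRegrant {
  always (all r: Resource, u: User |
    revoke[r, u] implies after always (u not in r.readers))
}
check NoRegrant for 4 but 10 steps
```

Two things to note when reading this against the abstracts. First, `check` explores every configuration within scope (any assignment of `owner`) and every trace up to the step bound, which is the structural-plus-temporal combination the first paper targets; the bounded engine answers within `10 steps`, while the unbounded engine would decide the property for traces of any length. Second, the `all s: Resource - r | s.readers' = s.readers` lines are pure frame conditions: forget one in `grant` and the solver is free to change other resources' readers during a grant, producing spurious counterexamples (or, worse, masking real ones if the omission is in an assertion's premise). That fragility is what the action layer of the second paper is designed to take off the specifier's hands.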
Remarks on isomorphisms of simple inductive types
We study isomorphisms of types in the system of simply-typed λ-calculus with inductive types and recursion operators. It is shown that in some cases (multiproducts, copies of types) it is possible to add new reductions in such a way that strong normalisation and confluence of the calculus are preserved, and the isomorphisms may be regarded as intensional with respect to a stronger equality relation.