Compositional Verification with Stutter-invariant

LATEST TRENDS on COMPUTERS (Volume I)

Compositional Verification with Stutter-invariant Propositional Projection Temporal Logic ∗ Chen Yang

Zhenhua Duan

Institute of Computing Theory and Technology Xidian University, Xi’an 710071, People’s Republic of China {chyang,zhhduan}@mail.xidian.edu.cn Abstract: This paper investigates compositional verification with Propositional Projection Temporal Logic (PPTL). To this end, a sublogic Stutter-invariant PPTL (written as PPTLst ) is first proposed. As a specification language, PPTL st helps designers get rid of irrelevant detail in compositional verification of a concurrent system since the projection construct of PPTLst allows designers to assert formulas over points of interest through an execution. In this way, modules can be abstracted based on their local properties defined by projection construct, and substitution of modules by the abstracted ones will not affect overall properties of the system. PPTLst is proved to be able to capture all stutter-invariant properties expressive in PPTL. Further, an algorithm translating PPTL formulas to PPTL st ones is also given. And the complexity of the algorithm is accordingly studied. Moreover, an example– automatic gas station, is studied to illustrate compositional verification with PPTLst . Key–Words: Propositional projection temporal logic, Stutter-invariance, Compositional verification, Partial-order model-checking

1 Introduction

properties of a given component, viewed within some context, do not make abstraction of invisible statechanges by other components [1]. Here the “invisible state-change” is equal to the transition that does not change values of propositional variables included in the property formula.

Lamport has argued that a specification of concurrent systems should be stutter-invariant [9, 18]. A specification that is not invariant under stuttering will not allow refinement or abstraction and thus will be useless in hierarchical (modular) verification. Besides, experience has shown that the best way to compositionally verify concurrent systems is through a hierarchy of levels of abstraction, starting from abstraction of each module by considering only relevant state-changes so that the local properties are not affected, and ending with proof of overall property in the reduced system formed by replacing each module by its abstraction. Propositional Linear Temporal Logic (PLTL)[17], is a popular alternative for specifying properties in the formal verification of concurrent systems. One way to assure that only stutter-invariant properties are specified is to restrict PLTL to only those formulas without “next” operator. Peled proved that “next”-free PLTL can accept all stutter-invariant properties expressible in PLTL[9]. However, PLTL offers a poor support for compositional (modular) verification since it is not capable of supporting abstraction. It has been mentioned by Mokkedem that semantics of PLTL is defined in terms of global states in such a way that temporal

Propositional Projection Temporal Logic (PPTL) [24, 25], as an extension of Propositional Interval Temporal Logic (PITL) [3], provides a new projection construct (P1 , . . . , Pm ) prj Q (symbol “prj ” denotes projection operator) for modular abstraction. This enables PPTL to support compositional verification (The comparison between the original projection construct of PITL and the new one can refer to [22]). Intuitively, as shown in Fig. 1, the projection construct means that formula Q is interpreted in parallel with sequential execution P1 ; . . . ; Pm (symbol “;” denotes chop operator) over an interval obtained by taking the endpoints (rendezvous points) of the intervals over which formulas P1 , . . . , Pm are interpreted. Significantly, when the projection construct is used to specify a concurrent system S , the left hand side, (P1 , . . . , Pm ), of the construct can be employed to abstract executions of S by restricting each execution over points of interest (i.e. restricting point-sequence s0 , . . . , sn over s0 , . . . , s4 in the figure), while the right hand side Q can be used to express (safety or liveness) properties of the abstraction.

∗

This research is supported by the NSFC Grant No. 60433010, and 60873018.

ISSN: 1792-4251

For example, the payment transaction via a pos

272

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

P1 s0 s0

s1

... ...

P2 s2

s3

s4

s1

s5 s2

Q

s6

...

Pm sn−5 sn−4 sn−3 sn−2 sn−1 sn s3

system is regarded as a module. To avoid considering irrelevant detail, we use the abstracted automaton in stead of the original one for the pos system in the verification. Therefore, in this way projection formula ϕ can guide abstracting component κ which it specifies. In particular, invisible transitions of κ that cause exponential increase in size of parallel composition with other components are abstracted away. Nevertheless, to guarantee the abstraction being equivalent to κ w.r.t ϕ and also satisfying ϕ, formula ϕ itself must be stutter-invariant. So, we are motivated to propose stutter-invariant PPTL in order to support compositional verification. The decision procedure for PPTL given in [5] can be applied in explicitly model-checking [6]. Besides, it is proved that PPTL can express exactly the full regular language (ω-regular + regular languages) [7]. This also encourages us to investigate stutterinvariant PPTL for compositional verification. To this end, we first examine all constructs of PPTL, which can generate only stutter-invariant formulas. We call the sub-logic restricted by these constructs stutterinvariant PPTL, denoted by PPTLst . Then, we prove that PPTLst can express every stutter-invariant property expressible in PPTL. Following the proof, we propose a translation function τ of PPTL formula ϕ into its corresponding PPTLst formula τ(ϕ). Thus, checking whether a PPTL formula defines a stutterinvariant property is induced to checking the validity of ϕ ↔ τ(ϕ). Finally, we show that this translation incurs blowup with an upper bound of 2O(n×k) × |ϕ| in a worst case, where n is the number of distinct propositions in ϕ, and k is the “next”-depth of ϕ. Besides, partial-order model-checking against PPTL st properties is the underlying technique to support our compositional verification. The technique is based on automata-theoretic approach. More precisely, PPTLst formulas are employed to define the properties to be checked, and the negation of each formula is transformed to a B¨uchi automata Ap . The transformation algorithm can be found in [6, 5, 7]. Meanwhile the system modeled in ProMela language [10] is translated to an automata As as well. Then, whether the system satisfies PPTLst properties or not can be checked by computing the product automaton of A s and A p , and checking whether or not the product automaton accepts the empty word. The above method has been implemented based on the successful model checker SPIN [10, 11] so that the partial-order model-checking algorithm included in SPIN can be used off-the-shelf. The rest of the paper is organized as follows. In the following section, we briefly introduce PPTL. In Section 3, PPTLst is introduced based on the defini-

s4

Figure 1: Semantics of formula (P1 , . . . , Pm ) prj Q machine can be modeled by the communication of two individual processes pos machine and account in ProMeLa language [10], which simulate the pos machine and bank account management respectively, as shown in Fig.2(1). For better understanding, let’s have a brief look at ProMeLa. The do statement is repetition structure. Various options are specified after doubled colons “::”, and only one option can be selected for execution at a time. The if statement is represented very similarly to the do except for repetition. Message passing is represented in CSP notation [4]. For instance, c!m indicates that the message (data) m should be sent along channel c. Similarly, c?m indicates that a message received on channel c should be stored in variable m. Back to our example, with parallel composition [4] (denoted by symbol “||”) of the two processes, we obtain an automaton, as shown in the middle of the Fig.2(1), which includes all possible executions. In the automaton, we use Sc to denote the synchronization of c!n and c?m, i.e. Sc = c!n || c?m. And on each execution, we will check if the following PPTL property can be faithfully satisfied ϕ = (es , ea , er , e p ) prj ((p1 ; q1 ) ∨ (p2 ; q2 )) where proposition es , ea , er and e p respectively represent occurrences of transitions swipe, Saccess , S reply and prepay in the automaton, and pi is defined as equation usr = cusi , qi as payer = cusi . The chop construct (p ; q) indicates proposition q eventually becomes true if p holds now. In this way, the property says that (i) along each execution which is a sequential composition of only four transitions: es , ea , er and e p , (ii) customer cusi can pay money only from his account (payer = cusi ). Observe that there are only two executions in the automaton, both of which begin from transition (swipe? usr, pas, amt) and end in (prepay! payer, amt). They distinguish each other by paths indicated by dotted lines and circles, whereas the sequence of (i) can be obtained from either of the two executions. Meanwhile, (p1 ; q1 ) holds in one execution and (p2 ; q2 ) in the other. Thus, the property holds in the automaton. Moreover, the automaton can be abstracted by ignoring the dotted paths, so from the view of its environment, the automaton becomes a more succinct one, as shown in the right of Fig.2(1). In Section 4, we will study the compositional verification of a concurrent system–Automatic Gas Station, in which the pos ISSN: 1792-4251

273

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I) proctype account(){ do ::access? usr, pas, amt; if ::(usr==cus1 && pas==pas1 && amt where t0 , t1 , . . . tl is obtained from r1 , . . . , rh by deleting all duplicates. That is, t1 , . . . , tl is the longest strictly increasing subsequence of r1 , . . . , rh . For instance, < s0 , s1 , s2 , s3 >↓ (0, 0, 2, 2, 3) =< s0 , s2 , s3 > Thus, it is convenient for us to define an interval obtained by taking the endpoints (rendezvous points) of the intervals over which P1 , . . . , Pm are interpreted in the projection construct. Interpretations An interpretation is a tuple I = (σ, k, j), where σ is an interval, k integer, and j an integer or ω such that k  j ≤ |σ|. We use the notation (σ, k, j) |= P to mean that some formula P is interpreted and satisfied in the sub-interval < sk , ..., s j > of σ with the current state being sk . The satisfaction relation (|=) is inductively defined as follows: −I |= p iff sk (p) = true, for any given proposition p. −I |= ¬P iff I |= P −I |= P ∨ Q iff I |= P or I |= Q −I |= (P1 ; P2 ) iff there exists r such that k ≤ r ≤ j, (σ, k, r) |= P1 and (σ, r, j) |= P2 −I |= P iff k < j and (σ, k + 1, j) |= P −I |= (P1 , ..., Pm ) prj Q if there exist integers k = r0 ≤ r1 ≤ ... ≤ rm ≤ j such that (σ, rl−1 , rl ) |= Pl for (1 ≤ l ≤ m), and (σ , 0, |σ |) |= Q for one of the following: (i) rm < j and σ = σ ↓ (r0 , ..., rm ) · σ(rm +1, ..., j) or (ii) rm = j and σ = σ ↓ (r0 , ..., rm ) The following are some useful derived formulas (n ≥ 1, n ∈ N0 ). def def ε = ¬  true f alse = P ∧ ¬P def def 0 P = P ♦P = true; P def def n P = (n−1 P)  P = ¬ ♦¬P where ♦ (sometimes) and  (always) are derived temporal operators; ε (empty) denotes an interval with zero length. ISSN: 1792-4251

3 Stutter-Invariance of PPTL 3.1 Stutter-invariance Since PPTL formulas are interpreted over intervals, we first consider the definition of stuttering w.r.t intervals below. Definition 1 (Stuttering) Stuttering occurs in an interval σ of states when a state occurs two or more times consecutively; that is, for σ =< s0 , . . . , s|σ| > if there is some i ∈ N such that si = si+1 so that σ =< s0 , . . . , si , si , si+2 , . . . , s|σ| >. In [9], Peled gives the definition of stutterequivalent linear-time structures for PLTL. We adopt the analogous definition for PPTL based on stuttering intervals. Definition 2 (Stutter-equivalence) two intervals σ =< s0 , . . . , s|σ| > and σ =< s0 , . . . , s|σ | > are said to be stutter-equivalent, written as σ ∼st σ , if there are infinite or finite sequences 0 = i0 < i1 < i2 < . . . and 0 = j0 < j1 < j2 < . . . such that for every k ≥ 0: sik = sik +1 = . . . = sik+1 −1 = sjk = sjk +1 = . . . = sjk+1 −1 As shown in Fig. 3, intervals σ and σ are stutterequivalent, and they have same trend in state-change. σ: σ :

s3

s0

s1

s2

s0

s1

s2 s3 s2 = s3 = s2 = s3

s0 = s0 = s1

s4

s5

s4 s4 = s4

s5 s5 = s5

Figure 3: An example of stutter-equivalent intervals A property is a set of intervals interpreted over a set AP of atomic propositions. On the basis of stutterequivalent intervals, we present an analogous definition of stutter-invariant property in order to introduce properties expressible in PPTL as follows: Definition 3 (Stutter-invariant property) A property is stutter-invariant if the set of intervals which characterizes the property is a union of stutter-equivalence classes. That is, whenever σ and σ are stutterequivalent intervals then either σ and σ belong to this set or none of them belongs to this set. Definition 4 (Property expressible in PPTL) A property is said to be defined by PPTL formula ϕ if it is the set of all intervals σ interpreted over AP such that (σ, 0, |σ|) |= ϕ. In this case, one also can say that this property is expressible in PPTL. We say that an interval σ =< s0 , . . . , s|σ| > is stutter-free if either si  si+1 for every i ≥ 0 or there exists a k ≥ 0 such that si  si+1 for i < k and sk = sk+1 = . . . = s|σ| . Note that stutter-free intervals can be finite or infinite. And every suffix of a stutterfree interval is also a stutter-free interval. Further, 275

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

state sk by i (i ≥ 1) copies of itself, the new interval we obtained, denoted by σ , satisfies σ ∼st σ . Moreover we have (σ , 0, |σ |) |= P; Q. So, stuttering state sk in interval σ will not affect satisfaction of P; Q on the interval. Thus, P; Q is stutter-invariant. (6) Let P1 , . . . , Pm , q ∈ P st . Since stuttering states sr0 , . . . , srm in interval σ has no effect on the fact that formula P1 , . . . , Pm are executed sequentially over it, namely for any interval σ such that σ ∼ st σ we have (σ , 0, |σ |) |= P1 ; . . . ; Pm . Besides, since Q is stutterinvariant (δ , 0, | δ |) |= Q for one of the following: (a) rm < |σ | and δ = σ ↓ (r0 , . . . , rm ) · σ(rm +1,..., j) or (b) rm = |σ | and δ = σ ↓ (r0 , . . . , rm ) Thus, (P1 , . . . , Pm ) prj Q is stutter-invariant according to the semantics of projection. (7) Let P, Q ∈ P st . I |= (P ; Q) ∨ Q1 if (i) I |= P ; Q, i.e., there exists some integer k such that (σ , k + 1, |σ |) |= Q and (σ , 0, k) |= P, or (ii) I |= Q. In the case sk  sk+1 , stuttering of any state will not affect the satisfiability of formula P ; Q in the resulting interval since state sk+1 is remained. When sk = sk+1 , we have σ(0,...,k+1) |= 2(P ∧ Q), by stuttering, states s0 , . . . , sk+1 might be merged into one state so that formula P ; Q does not hold any more, but formula Q holds. Thus, in either case formula (P ; Q) ∨ Q is stutter-invariant.   According to Lemma 1, we define a sub-logic of PPTL (stutter-invariant PPTL, written as PPTLst ) as follow: P := p | ¬P | P1 ∨ P2 | P1 ; P2 | (P1 , . . . , Pn ) prj P | (P1 ; P2 ) ∨ P2 where p ∈ AP. The next operator is allowed to appear in construct (P1 ; P2 ) ∨ P2 . Lemma 2 Any property expressive in PPTLst is stutter-invariant. Theorem 1 Any stutter-invariant property expressible in PPTL is expressible in PPTLst . Suppose AP = {p0 , . . . , pn−1 }, we will show that for every PPTL formula ϕ there exists a PPTLst formual τ(ϕ) that agrees with ϕ on all stutter-free intervals:

each stutter-equivalence class contains stutter-free intervals, so an interval belongs to a class if it is stutterequivalent to the stutter-free interval included in the class. Definition 5 (Stutter-invariant formula) A PPTL formula ϕ is stutter-invariant if and only if for each pair of stutter-equivalent intervals σ ∼st σ , we have (σ, 0, |σ|) |= ϕ i f and only i f (σ , 0, |σ |) |= ϕ

3.2 Stutter-invariant PPTL (PPTLst ) Lemma 1 The set of all stutter-invariant PPTL formulas is denoted by Pst . The following are some closure properties of Pst : (1) If p ∈ AP, then p ∈ Pst ; (2) If P ∈ Pst , then ¬P ∈ Pst ; (3) If P, Q ∈ P st , then P ∧ Q ∈ P st ; (4) If P ∈ Pst , then P ∈ Pst ; (5) If P, Q ∈ P st , then (P ; Q) ∈ Pst ; (6) If P1 , . . . , Pm , Q ∈ P st , then ((P1 , . . . , Pm ) prj Q) ∈ P st ; (7) If P, Q ∈ Pst , then (P ; Q) ∨ Q ∈ Pst Proof: Suppose I = (σ, 0, |σ|), I = (σ , 0, |σ |) and I  = (σ , 0, |σ |), we have (1) Let p ∈ AP. I |= p if s0 [p] = true. So, only the current state is relevant to the satisfaction of p. As for subsequent states, stuttered or not, they have no effect on the satisfaction of p over the interval. Thus, p is stutter-invariant. (2) Let P ∈ P st . If ¬P is not stutter-invariant, there exists two stutter-equivalent intervals σ and σ such that I |= ¬P and I  |= P. Note that I  |= ¬P if and only if I  P. So, according to Definition 5 formula P is not stutter-invariant. This is contrary to stutter-invariance of P. Therefore, ¬P is stutterinvariant. (3) Let P, Q ∈ P st . If P∧ Q is not stutter-invariant, there accordingly exist two stutter-equivalent intervals σ and σ such that I |= P ∧ Q, i.e. I  |= P and I  |= Q, and I   P ∧ Q, i.e., I   P or I   Q, which is contrary to the assumption that P and Q are stutter-invariant. So P ∧ Q is stutter-invariant. (4) Let P ∈ P st . I |= P if for all 0 ≤ k ≤ |σ|, (σ, k, |σ|) |= P. As for state sk , stuttered or not, does not have effect on the satisfaction of P over the interval. So, formula P still holds over any suffix of the resulting interval. Therefore, P is stutterinvariant. (5) Let P, Q ∈ P st . I |= P; Q if there exists k (0 ≤ k ≤ |σ|) such that (σ, 0, k) |= P and (σ, k, |σ|) |= Q. Because of stutter-invariance of P and Q we do not need to consider the subintervals σ(0,...,k) and σ(k,...,|σ|) . In this way, we just consider state sk which cuts the interval σ into two sub-intervals. Note that if we replace ISSN: 1792-4251

(σ, 0, |σ|) |= ϕ ↔ τ(ϕ)

for stutter-free σ

The proof is analogous to that of Theorem 1 in [9], which proceeds by induction on the structure of ϕ. Proof: Base For p ∈ AP we can simply set τ(p) = p. Induction If ϕ is of the form ¬ϕ , we can set τ(ϕ) = ¬τ(ϕ ). Similarly, if ϕ is of the form ϕ ∨ ϕ or ϕ ; ϕ , we can set τ(ϕ) = τ(ϕ ) ∨ τ(ϕ ) or τ(ϕ) = τ(ϕ ) ; τ(ϕ ) as the case may be. If ϕ is of the form (ϕ1 , . . . , ϕm ) prj ϕ , we can set τ(ϕ) = 1

This formula is similar to PLTL “until” formula P UQ, but is interpreted over both finite and infinite intervals. 276

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

(τ(ϕ1 ), . . . , τ(ϕm )) prj τ(ϕ ). If ϕ is of the form ϕ , the situation is more difficult. Let V be the set of all possible valuations AP → {true, f alse}, and for each v ∈ V, let βv be the formula α0 ∧ . . . ∧ αn−1 where α j = P j if v(p j ) = true and α j = ¬p j if v(p j ) = f alse. The following is the crucial observation that we will make use of: if v, v ∈ V are such that v  v , then, for any stutter-free σ over AP, we have (σ, 0, |σ|) |= βv ∧ βv ↔ βv ; βv Therefore, (σ, 0, |σ|) |= ϕ for any stutter-free interval σ if and only if either (a) s0 = s1 = . . . and (σ, 0, |σ|) |= ϕ or (b) s0  s1 and σ(1,...,|σ|) =< s1 , s2 , . . . , s|σ| > such that σ(1,...,|σ|) |= ϕ . (Recall that σ(1,...,|σ|) is stutter-free itself.) Thus, we can set   ((βv ∧τ(ϕ ))∨ ((βv ; (βv ∧τ(ϕ ))))) τ(ϕ ) = v∈V

formulas is proved to be non-elementary. The complexity comes from negation of chop or negation of projection structure. Since PPTLst inherits chop and projection operator from PPTL, so the complexity of satisfiability of PPTLst formulas is also nonelementary. As shown in Theorem 2, size of τ(ϕ) is exponentially larger than size of ϕ in the worst case. So, to check whether or not a PPTL formula defines a stutterinvariant property, one can simply check the validity of ϕ ↔ τ(ϕ). Compared with non-elementary complexity of satisfiability of PPTLst , the complexity of translation τ is extremely low and thus can be ignored.

4 Case Study of Compositional Verification in PPTLst 4.1 Partial-order Model-checking with PPTLst Partial-order model-checking against PPTLst properties is the underlying technique to support our compositional verification. As shown in Fig. 4(1), we extend the existing model-checker SPIN [10] to support model-checking with PPTLst . To do so, an automatic tool PPTL2Never is developed for translating PPTLst formulas to the corresponding B¨uchi automata which admit all models of the corresponding formulas. The translation is based on an intermediate tableau graph, called Normal Form Graph (NFG for short), which bridges the gap between formulas and the resulting automata, and the translation algorithm can be found in our earlier work [7]. Besides, translator PPTL2Never is integrated within SPIN. In this way, the partial-order model-checking algorithm that has been implemented in SPIN can be used off-theshelf. Within the method of partial-order modelchecking PPTLst , the system is described in terms of ProMeLa [10] which produces a B¨uchi automaton BA s when executed by ProMeLa interpreter within SPIN. The property is first expressed by a PPTLst formula P, then, with the translator, its negation ¬P is transformed into B¨uchi automaton BAp , further to Never Claim [10] in the syntax of ProMeLa. In this manner, whether or not the system satisfies property P can be checked by computing the product automaton of BAs and BA p , and then checking whether or not the product automaton accepts the empty word. If the word accepted by the product automaton is empty, the system satisfies the property, otherwise the counterexamples are given. To illustrate how our method works, a simulation program indicating an automatic gas station (AGS) is taken as an example. This program is formed by a

v v

Since βv ∧ βv = f alse, formula βv ; (βv ∧ τ(ϕ )) is impossibly satisfied in stutter-free interval of (a). Thus, it holds only in stutter-free interval of (b). Stuttering of interval of (b) has no effect on the satisfaction of formula βv ; (βv ∧ τ(ϕ )) in the interval, so, formula βv ; (βv ∧ τ(ϕ )) is stutter-invariant. In addition, formula (βv ∧ τ(ϕ )) is stutter-invariant. Therefore, this choice is obviously correct.   From the discussion above, we know that a PPTL formula ϕ is stutter-invariant if ϕ ↔ τ(ϕ). Complexity of Determining Stutter-invariance Suppose the number of distinct propositions appearing in ϕ is n. Hence the number of valuations is |V| = 2n , i.e., there are 2n distinct formulas βv for each v ∈ V. Let |ϕ| denote the number of symbols in ϕ. It is not hard to derive the bounds given for |τ(ϕ)|. Observe that the only case which causes a blowup is a sub-formula of the form ϕ . From the definition of τ(ϕ ), we get |τ(ϕ )| ≤ 2n × |τ(ϕ )| + 2O(2n) × |τ(ϕ )|. Thus one can obtain as follows: Theorem 2 Suppose τ is a translation which converts PPTL formulas to equivalent PPTLst formulas. For a stutter-invariant ϕ, τ(k ϕ) is exponentially larger than ϕ, with an upper-bound of |τ(k ϕ)| ≤ 2O(n×k) × |ϕ| in the worst case, where n is the number of distinct propositions appearing in ϕ. The correctness of τ translation follows from the fact that over stutter-free interval ϕ is equivalent to the statement: “the first time after now that some new event happens, ϕ must hold, or else (if nothing new ever happens) ϕ must hold right now” [14]. Complexity of Satisfiability of PPTLst In [8], the lower bound for complexity of satisfiability of PPTL ISSN: 1792-4251

277

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

Negation of Property

System

?

PPTLst Formula Normal Form Graph

Property

Model of System

B¨uchi Automata BAp

SPIN

PPTLst 2Never

Never Claim

B¨uchi Automata BAs Product Automata Checking Emptiness

No (counter-example)

Yes

(1) Skeleton of PPTLst Model Checker

(2) Checking result of Automatic Gas Station

Figure 4: Verification of Automatic Gas Station model using PPTLst Model Checker never {

/* !(((e_s prj p_1);r_1)|| ((e_s prj p_2);r_2)) */ t1 accept_s_1: s1 if ::(t_1)-> goto s_1 t t4 3 ::(t_2)-> goto accept_s_2 t5 t2 t7 ::(t_3)-> goto accept_s_3 τ ::(t_4)-> goto accept_s_4 t ::(t_5)-> goto accept_all 6 t10 t8 t 9 s fi; s3 s5 s2 4 t11 accept_s_2: if t13 t12 ::(t_6)-> goto accept_s_2 ::(t_12)-> goto accept_s_4 t1 : ¬p1 ∧ ¬p2 ∧ ¬e s ::(t_7)-> goto accept_all t2 : ¬p2 ∧ ¬p1 ∧ e s ∧ ¬r2 fi; t3 : p1 ∧ ¬p2 ∧ e s ∧ ¬r1 accept_s_3: t4 : p1 ∧ p2 ∧ e s ∧ ¬r1 ∧ ¬r2 if t5 : ¬p1 ∧ (¬p2 ∨ ¬r2 ) ∨ ¬r1 ∧ (¬p2 ∨ ¬r2 ) ∨ ¬e s ::(t_8)-> goto accept_s_3 ::(t_9)-> goto accept_s_4 t6 : (¬p1 ∧ p2 ∧ e s ∨ ¬p1 ∧ ¬p2 ∨ ¬e s ) ∧ r2 ::(t_13)-> goto accept_all t7 : (¬p1 ∨ ¬r1 ∨ ¬e s ) ∧ ¬r2 fi; t8 : (p1 ∧ ¬p2 ∧ e s ∨ ¬p1 ∧ ¬p2 ∨ ¬e s ) ∧ ¬r1 accept_s_4: t9 : p2 ∧ ¬r1 ∧ ¬r2 ∧ e s if ::(t_10)-> goto accept_s_4 t10 : (p1 ∧ e s ∨ ¬p1 ∧ p2 ∧ e s ∨ ¬p1 ∧ ¬p2 ∨ ¬e s ) ::(t_11)-> goto accept_all ∧ ¬r1 ∧ ¬r2 fi; t11 : ¬r1 ∧ ¬r2 accept_s_5: t : p 12 1 ∧ e s ∧ ¬r1 ∧ ¬r2 accept_all: t13 : (¬p2 ∧ ¬r2 ∧ ¬e s ) ∧ ¬r1 skip }

parallel composition of a pump process, two customer tasks, two operator processes and an pos subsystem which has been described in the introduction. The architecture of AGS is depicted in Fig. 2(2). And the ProMeLa code of these newly introduced process can be found in Fig. 6. The business process can be described as follows: customers are allowed to prepay (S swipe ) at the pos terminal which connects (S access ) to the remote bank. After the remote bank system finishes money account transfer, the acknowledgement (S reply ) is transmitted to the pos terminal, and is delivered (S prepay ) to an operator process automatically assigned to each customer. The operators compete to access (S activate ) the pump. Once accessed, the pump starts to work (S refuel ). Another customer’s request is held when the pump is refueling. After refueling, the operator charges according to the fuel injection quantity (S ack ) provided by the pump, gives the change (S return ) to the customer, and releases the accession of the pump.

(1) Never Claim

Figure 5: B¨uchi automaton and Never Claim of formula ¬(♦((es prj p1 ) ; r1 ) ∧ ♦((es prj p2 ) ; r2 ))

On the business process, it should be guaranteed that operator gives the right change to the right customer after the prepayment. This property can be expressed by PPTL formula ψ = ♦((es prj p1 ) ; r1 ) ∧ ♦((es prj p2 ) ; r2 ), where pi is defined as usr = cusi , ri as rightchangei = true. The sub-formula (es prj pi ) can indicate that a prepayment is made by customer cusi , since it is proved that in the pos subsystem, the prepayment has been done when the customer swipes ISSN: 1792-4251

(2) B¨uchi automaton

card (see the introduction). So the fact that operator gives right change to cusi can be expressed by formula (es prj pi ) ; ri . Meanwhile, though each customer makes a prepayment, this prepayment may not occur at the beginning in executions. Therefore we employ ‘sometimes’ operator ♦ to precisely capture this property. With our method, the negation of the property 278

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

¬ψ is first transformed to a B¨uchi automaton (see Fig.5(2), where the centric circle denotes accepting location), and then the B¨uchi automaton is expressed in Never Claim in Fig.5(1). Given the ProMeLa program of the protocol and the Never Claim, by partialorder reduction, SPIN declares the property violated and outputs a run that contains the violation. The run is visualized as a message sequence of chart, as shown in Fig.4(2). The output shows that 41 states and 65 transitions are traversed. We will explain the reason for the violation in next section.

are sequentially bridged.

4.2 Compositional Verifying AGS with PPTLst To illustrate compositional verification with projection construct, we consider the automatic gas station again. By using partial-order model-checking as presented above the pos subsystem can be prove to satisfy its local property, i.e. property defined by formula ϕ given in the introduction. Then, according to the local property, the subsystem is abstracted. And in the architecture of AGS the pos system can be replace by the abstracted one, as shown in Fig. 6, so that the irrelevant detail is avoided and thus the state space is reduced when verifying the global system, meanwhile the replacement does not affect the overall verification.

Note that the gas station program is verified in a compositional manner because the pos subsystem is first verified against a local property which relates to the overall property of the global system, and the pos subsystem is abstracted according to the local property, further used in verification of the global system (see the introduction). With this verification procedure, projection construct plays a significant role.

proctype customer2 (){ swipe! cus2 , pas2 , sum2 ; refuel? (cus2 )tank; return? client, change; if ::(client==cus2 )→ rightchange2 =true; fi;}

Pump

Sactivate Sack Sreturn

Srefuel Customer customeri

Sswipe

Sreturn

j+1

... k Sreturn

state valuation ¬p1 , ¬p2 , ¬q1 , ¬q2 p1 , ¬p2 , ¬q1 , ¬q2 p1 , p2 , ¬q1 , ¬q2

k+1

h

proctype operator(){ prepay? payer, amt; activate! payer; //acquire pump atomic{ ack? liters; //release pump return! payer, (amt - price × liters); } } (2) revised operator process

Figure 7: Violation and revised operator process

5 Conclusion In this paper, we first proposed stutter-invariant propositional projection temporal logic PPTLst , and proved it can express all the stutter-invariant properties expressible in PPTL. The method of determining stutterinvariance of PPTL formulas is also given. Then, as discussed in the introduction the projection construct which characterizes PPTLst , is mainly used to support compositional verification. We illustrated this feature by an example–automatic gas station. Our experience has shown that PPTLst is useful in compositional verification when formulas specifying each module and the global system are provided. However, in practice properties of the overall system are usually provided other than these for modules. Hence, there is a tedious job left for the designer to imply modules’s specifications from the overall ones. This burden is undesirable. Thus, our future research is to study the method of extracting modular specification from the overall specification based on the system’s structure. Further, we will apply PPTLst in compositional verification for large-scale distributed programs, such as Russian Cards Protocol [26, 27] we have just developed.

Operator operator

Pos subsystem (abstracted)

Figure 6: Simulation program and architecture of abstracted automatic gas station Also by using partial-order model-checking, as shown in Fig.7, it proves that the abstracted program violates the overall property, i.e. the property defined by formula ψ presented in the above subsection, and an execution as the witness of the violation is obtained. This is because the value of proposition qi (i = 1, 2) is always kept false when the operator gives a customer’s change to another (Recall qi is defined as payer = cusi in the introduction). The violation can be corrected by replacing the operator process in Fig.6 by that in Fig.7(2). In the upgraded process, actions of acknowledgement (S ack ) and giving change (S return ) are bound together to form an atomic sequence. Therefore, in all executions of the gas station program, actions of swiping card (S swipe ), refueling (S refuel ) and giving change for the same customer ISSN: 1792-4251

i + 1, . . . , j, j + 1, . . . , k, k + 1, . . . , h

j

(1) trail and valuations for its states

Sprepay Sswipe

...

state number 0 1, . . . , i

1 0

i+1

...

proctype customer1 (){ swipe! cus1 , pas1 , sum1 ; refuel? (cus1 )tank; return? client, change; if ::(client==cus1 )→ rightchange1 =true; fi;}

Sswipe

...

proctype pump(){ proctype operator(){ do prepay? payer, amt; :: activate? usr; activate! payer; //acquire pump refuel! usr, gasoline; ack? liters; //release pump ack! quantity; return! payer, (amt - price × liters); od;} }

i

References: [1] A. Mokkedem and D. M´ery: A stuttering closed temporal logic for modular reasoning about concurrent programs. In Gabbay, editor, First International Conference on Temporal Logic, LNCS Vol.827, PP.382-397 (1994). 279

ISBN: 978-960-474-201-1

LATEST TRENDS on COMPUTERS (Volume I)

[16] L. Stockmeyer: The Complexity of Decision Problems in Automata Theory and Logic, Ph. D. thesis, MIT (available as Project MAC Technical Report 133) (1974). [17] O. Lichtenstein and A. Pnueli, Checking that finite state concurrent programs satisfy their linear specification. In Proceedings of the 12th Annual ACM Symposium on Principles of Programming Languages, pp.l 97-107 (1985). [18] L. Lamport: What good is temporal logic, in R. E. A. Mason, ed., Information Processing ’83: Proc. of the IFIP 9th World Computer Congress, pages 657–668, Paris, France, North-Holland, Amsterdam (1983). [19] L. Lamport: Temporal Logic of Actions. Technical Report 79, Systems Research Center of DEC, USA (1991). [20] R. Needham and M. Schroeder. Using encryption for authentification in large networks of computers. Communications of the ACM, 21(12), December (1978). [21] Z. Manna and A. Pnueli. The anchored version of the temporal framework. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS vol. 354, pp. 201-284. Spinger Verlag, New York (1981). [22] Z. Duan, M. Koutny and C. Holt. Projection in Temporal Logic Programming. Proceedings of LPAR1994, LNCS 822, 333-344 (1994). [23] Z. Duan: Temporal Logic and Temporal Logic Programming, Science Press of China (2006). [24] Z. Duan and M. Koutny: A framed temporal logic programming language. J. Comput. Sci. Technol. 19, 333–344 (2004). [25] Z. Duan, X. Yang and M. Koutny: Framed temporal logic programming. Science of Computer Programming 70, 31–61 (2008). [26] Z. Duan and C. Yang: Generalized Russian Cards Problem. Proceedings of COCOA09, LNCS 5573, 85-97, June (2009). [27] Z. Duan and C. Yang: Unconditional secure communication: a Russian Cards protocol. Journal of Combinatorial Optimization. 19(4): 501530 (2010).

[2] A. Alexander, W. Reisig: Compositional Temporal Logic Based on Partial Order. TIME 2004: 125-132 (2004). [3] B. Moszkowski: Reasoning about digital circuits. Ph.D Thesis, Department of Computer Science, Stanford University. TRSTAN-CS-83970 (1983). [4] C.A.R Hoare: Communicating Sequential Processes, Communications of the ACM, Vol.21, 666-677 (1978). [5] C. Tian, Z. Duan and L. Zhang: A decision procedure for propositional projection temporal logic. Acta Informatica 45, 43-78 (2008). [6] C. Tian and Z. Duan: Model Checking Propositional Projection Temporal Logic Based on SPIN, Proceedings of ICFEM07, LNCS 4789, 246-265, Oct (2007). [7] C. Tian and Z. Duan: Propositional Projection Temporal Logic, B¨uchi Automata and ωRegular Expressions, Proceedings of TAMC08, LNCS 4897, 47-58, April (2008). [8] C. Tian and Z. Duan: Complexity of propositional projection temporal logic with star. Mathematical Structures in Computer Science, 19:73100 Cambridge University Press (2009). [9] D. Peled and T. Wilke: Stutter-invariant temporal properties are expressible without the nexttime operator. Information Processing Letters, 63(5), 243–246 (1997). [10] G.J. Holzmann: The Spin Model Checker: Primer and Reference Manual. Addison-Wesley (2003). [11] G.J. Holzmann: The Model Checker Spin. IEEE Trans. on Software Engineering 23(5), 279C295 (1997) [12] H. Bowman and S. J. Thompson: A tableaux method for interval temporal logic with projection. In TABLEAUX’98, International Conference on Analytic Tableaux and Related Methods, volume 1397 of Lecture Notes in AI, pages 108-123. Springer-Verlag, May (1998). [13] J. Jensen, M. Jφrgensen, and N. Klarlund: Monadic second-order logic for parameterized verification. Technical report, BRICS Report Series RS-94-10, Department of Computer Science, University of Aarhus (1994). [14] K. Etessami: A note on a question of Peled and Wilke on stutter-invariant LTL. Inform. Process. Lett. 75(6), 261C263 (2000). [15] K. Etessami: Stutter-invariant Languages, omega-Automata, and Temporal Logic. In Proc. of 11th Int. Conf. on Computer-Aided Verification, pp. 236-248 (1999). ISSN: 1792-4251

280

ISBN: 978-960-474-201-1