Hyperdocuments as Automata: Veri cation of Trace-based ... - CiteSeerX

Download PDF
1 downloads 0 Views 410KB Size Report
Comment
called model checking is then used to verify that these speci cations are met by the ..... computer program, and in fact, it is the one we use in the model checker ...
Hyperdocuments as Automata: Veri cation of Trace-based Browsing Properties by Model Checking P. David Stotts Richard Furuta Computer Science Department Department of Computer Science University of North Carolina Texas A&M University Chapel Hill, NC 27599-3175 College Station, TX 77843-3112 [email protected]

[email protected]

J. Cyrano Ruiz Reliability Engineering Department University of Maryland College Park, MD 20742

 This work is based upon work supported by the National Science Foundation under grant numbers IRI{ 9007746 and IRI{9015439. Portions of this work were reported previously in preliminary form at the ECHT '92 conference [41].

1

Abstract

As hypertext systems proliferate and as networks become more ubiquitous, an important problem is to determine how to provide hyperdocument interoperability. Instead of taking the approach of standardizing, and implementing, a large and complex set of browsing features gleaned from some \union" of existing systems, we present an approach that allows each document to encode its own browsing semantics in the links of the hyperdocument. Any implementation o ering the \follow link" operation can then simulate the intent of the author. The method requires a mental shift in how a hyperdocument is viewed abstractly. Instead of treating the links of a document as de ning a static directed graph, they are thought of as de ning an abstract program, termed the links-automaton of the document. A branching temporal logic notation, termed HTL , is introduced for specifying properties a document should exhibit during browsing. An automated program veri cation technique called model checking is then used to verify that these speci cations are met by the behavior of the links-automaton. We illustrate the generality of these technique by applying them rst to a Trellis document, and then to a Hyperties document.

CR Categories: I.7.2 (Hypertext/hypermedia), H.5.1 (Hypertext navigation and maps), D.2.2 (Petri nets), D.2.4 (Program veri cation), F.3.1 (Specifying and Verifyingand Reasoning about Programs). General terms: Veri cation, documentation. Additional key words: hypertext, place/transition nets, Petri nets, browsing semantics, synchronization, security, temporal logic, veri cation, access control, versions, model checking.

1 The problem and the approach Among others, Halasz has noted the need for structural search and query mechanisms for increasing the utility of hypertext nets. He identi es two major subtasks [18]: \: : :to design a query language geared toward describing hypermedia network structures," and \: : :implementation of a search engine capable of satisfying the queries expressible in the new language." This report describes an approach to both of these subtasks. We concentrate on a mechanism for answering queries concerning dynamic properties a document has, that is, what sequences of links a reader may be allowed to follow during browsing. However, the basic technique, that of model checking (borrowed from concurrent system veri cation), can be easily adapted to locating readers within the structure under examination. The work described deals with hypertexts that are best thought of as cohesive, consistently structured, non-linear documents rather than as accumulated collections of information. We see a current and future need for hypertextual documents that \tell a story": training scripts, tutorials, interactive writing/ ction, descriptive/persuasive texts: : :these are a few examples of the class of hypertext under discussion in this paper. Many uses also exist for hypertexts that are not \writing" per se, but nonetheless are structured documents that have an identi able author (one person or a tightly-coupled collaboration) and in which some constraints, prescriptions, and proscriptions need to apply to the linkages among elements. In this view, a hypertext is an intentional interactive document, providing a non-linear, dynamic analogue to the traditional notion of structured document. In an interactive setting, the notion of a document's structure must extend beyond the normal static concept of its graph (trees, typically, for paper-based documents) of components into the dynamic domain 2

of browsing. A formal, analyzable description must be available of how those components might be presented to a reader|the possible sequences and parallel threads of activity within the document. We refer to this as the dynamic structure of an interactive document [16], as contrasted with the notion of static structure provided by a collection of links. This report presents an approach to expressing dynamic properties an author may want in a document, and provides a method for verifying in an automated fashion whether the linked structure of a document satis es the required property speci cations. The emphasis here is on behavior that is allowed by links alone, independent of any navigation aids that a browser or navigation program might provide. Such knowledge allows an author to build a structure to o er the desired linkages no matter what system is used to accessed the document. This approach is a start on meaningful system-independent data for hypertext and hypermedia. In this report, we rst explain our idea of browsing properties, and present a temporal-logicbased speci cation language for expressing such properties. We introduce a checking method for this language based on existing automated methods for veri cation of concurrent programs. We illustrate this veri cation method rst on Trellis documents, and then on a Hyperties document, to emphasize the system-independence of the idea. We conclude with a discussion of the limitations of the work as it now stands, and directions for more research. Portions of this work have been previously reported in preliminary form [41].

1.1 Links-only document behavior

Trellis is a general man/machine interaction model that has been used previously as the basis for various hypertext systems and experiments [36, 38, 37]. Though we will rst explain our general veri cation techniques in the context of Trellis, we would like to emphasize that the approach is applicable to documents produced by any hypertext system. What is required is a particular way of thinking about a document, that is, one must view a document as an abstract automaton that speci es the process of browsing within it. Such a view is easily obtained for the hypertext systems in use today. In fact, for systems other than Trellis, the linked structure of a document can usually be thought of as the state transition diagram of a nite state machine. We will refer to this automaton as the links-automaton of the hyperdocument. This conceptual framework is illustrated in Figure 1. Other research e orts to formalize some aspects of browsing, such as the HAM [8], have focused on removing the arbitrary nature of the Turing machine that provides browsing services for a directed graph. In Trellis, we have extended the fundamental power of the links-only structure itself. The browser program in a Trellis system is limited to a strict implementation of the transition rule for that automaton. We have obtained more power, more expressibility, by using a more general class of automaton, the place/transition net (Petri net),1 rather than a nite state machine as the basic document structure. A place/transition net inherently allows parallel threads of activity (obtained with multi-head/multi-tail links), and also is not limited to expressing a nite number of states. To illustrate the meaning of a links-automaton, consider the abstract document shown in Figure 1. In this structure, it is clear that there exists a browsing path from the starting node (A), continuing through the nodes E and D, and ending with node C. The link-only behavior of the document does not allow any further browsing from this point, because there is no transition out of node C. In order for browsing to continue, the author of this structure must be relying on some feature of the browser Turing machine (such as backup, general history, restart,

1 We assume some familiarity with general net theory. Interested readers can get details in previous Trellis papers [36], and in summaries texts by Murata [29], Reisig [33], or Peterson [30].

3

document (directed graph) browser program (arbitrary Turing Machine) (history, bookmarks, etc.)

b

a

document alone (automaton, finite state machine)

link1 current E state

H m

h

A

r

G f

start state

s

F

p

browsing

n

x link3

B y

links-only browsing execution of the transition function for the state machine

w

c

link2 I

defines possible node sequences, possible button sequences

D

without relying on the features of a browser program

k

δ (E,link1)=F δ (E,link2)=I δ (E,link3)=D, etc...

J

C Figure 1: Traditional view of hypertext document, and automaton view.

or bookmark at the table-of-contents, for example) to \warp" the reader to another location within the document. In order to guarantee behavior that does not require browser features, an author of a document may wish to ensure that there is some path from each node back to the start node, for instance. In Trellis, a document's links form a place/transition net. With this class of automaton, the behavioral features of traditional browsing programs can be directly encoded; less wellknown behavior can be programmed as well, including synchronized parallel browsing threads, multi-headed/multi-tailed links, and (in the most recent Trellis model realization) interactions of multiple readers as needed in collaboration-support systems [40].

1.2 Formalizing browsing properties

Suppose we are given a hypertext containing among other things content elements X and Y and buttons B and C (link anchors). We would like to formalize statements like \all (suciently long) browsing sessions must encounter X, but only sometime after seeing Y," or \there is at least one browsing session encountering Y," or \there is a browsing session in which at some 4

A

start

H

I . . .

D

J . . .

a

E

B

C

I . . .

D . . .

F E . . .

C

x A . . .

h . . .

b

y

m . . .

link1

w

k

s . . .

link2

r . . .

possible link sequences

k

c

p . . . possible node sequences

link3

f . . .

Figure 2: Branching event trees for links-automaton in Figure1 point buttons B and C are both selectable." More general speci cations include \there must be some path from any node X back to the index," and \every node Y must have some out links." The links-automaton of a hyperdocument is an abstract program, and it can be thought of as generating a tree of possible event sequences (either sequences of button clicks, or sequences of content displays, depending on the properties to be studied). Figure 2 illustrates event sequences for the links-automaton in Figure 1; in each tree shown, an underlined node has no children. The tree on the left shows the possible sequences of content displays whereas the tree on the right shows possible sequences of button selections. Consider the left tree in Figure 2. One possible ( nite) sequence of content displays is nodes A, B, C; another possible sequence is A, B, H, J, : : :and on, perhaps not terminating. We will formalize the browsing behavior allowed in a hyperdocument as the collection of possible event traces produced by the links-automaton of the document. We will specify properties we want the traces to exhibit with a branching temporal logic.2 Finally, we will analyze the document for the presence or absence of properties with a program veri cation technique called model checking. In a branching temporal logic, formulae are interpreted as assertions about tree-like event spaces in which each event may have numerous distinct possible next events. Operators in such a logic allow statements about the structure of an event sequence, and also allow quanti cation over collections of possible event sequences in the tree. Branching temporal logic, then, is a natural way to express properties that hold for the browsing traces allowed by a hyperdocument.

1.3 Background in Temporal Logic

Work in temporal logic was rst conducted under the name of tense logic by symbolic logicians and philosophers for reasoning about ordering of events in time without mentioning time explicitly. In the last decade, temporal logic has become a convenient formalism used, among other things, in program veri cation [7, 32], in arti cial intelligence and cognitive science [20, 19, 23], in speci cation and veri cation of concurrent computations [3, 26], in veri cation of network protocols and sequential circuits [28], and in veri cation of software requirements speci cations [2]. A complete survey of classical works in temporal logic as well as its current applications is found in [1]. 2 The concept of time implied by the term \temporal" is not duration but rather the relative ordering of events in a sequence.

5

In a branching temporal logic one introduces special logic symbols which allow formulation of assertions involving relative ordering as well as quanti cation over paths in the tree-like model of time. Various authors have proposed distinct syntaxes and semantics for branching time logics [22, 5], which di er in expressive power. However, CTL , developed by Emerson and Halpern [13], is one of the most general languages for branching time logics, since it properly contains most of the other branching time logic languages. We have choosen CTL as as the basis for our hyperdocument notation, called HTL , or hypertext temporal logic. The work of Gabbay et al. [17] shows that CTL , (and so HTL ) is expressively complete in the sense that all rst-order logic properties can be represented by temporal formulae. However, not all properties of hypertext are rst-order logic properties. Similar limitations in other contexts have inspired the so called Extended Temporal Logics. Wolper proposed an expansion to existing branching time logic languages [44] by adding new operators associated with regular expressions.

2 Hypertext Temporal Logic Usually, there are two fundamental methods to present temporal logic systems: using models and interpreting formulae in them, or using axioms and inference systems. Our approach is to present the semantics of HTL via a speci c model, that of an annotated, interpreted, nite state automaton. We rst introducing in this section the HTL notation used for property speci cation; in later sections, we illustrate the approach by deriving appropriate link models rst from Trellis documents (based on place/transition nets), and then from Hyperties documents. In this section, we introduce HTL which is closely related semantically to CTL [13]. The syntax has been altered to more directly re ect the hypertext domain, using a di erent notation and backward path quanti cation to more conveniently express the kinds of statement authors need to make about how documents are to be browsed. The reader may choose to skim this section, noting expecially the examples given in section 2.4, and come back to it after reading section 3 on the veri cation method.

2.1 The syntax of HTL Foundations: the kernel

The kernel of HTL , in the sense explained in [21], is the language we call SL (State Language). SL is really a typed rst-order language [25]. Typed rst-order languages are also known as many-sorted languages3 . SL allows a basic description of a particular state of a hypertext (e.g. a button is selectable, or a content element is active). HTL is a temporal extension of SL, that is to say, HTL includes all symbols of SL with additional temporal logic operators, including backward path quanti ers as explained later. To denote these temporal operators, we use a notation similar to that of Wolper [44] and Lamport [22] for example. Except for the di erence in the kernel and the backward path quanti er, HTL is essentially the same language as CTL . In fact, in some contexts we will sometime use both terms interchangeability. The backward path operator nds a very natural model theoretical interpretation described in more detail in section 2.2 where we de ne the semantics of HTL . The notion of backward path quanti er is not a new concept in temporal logic. For instance, Pinter and Wolper introduced the 3 Ordinary rst-order logic is not sucient since we deal with di erent types of primitive elements (e.g. buttons and content elements).

6

notion of backward path quanti er in the branching temporal logic language called POTL [31], which gives rise to operators of the kind: 82 (for all forward paths it is always the case that : : : ) and 93 (there is at least one forward path for which eventually : : : ) as well as their backward counterparts. However, these POTL operators are not decomposable, that is to say, symbols like 8 and 2 are not operators themselves. As we shall see, these restrictions do not apply in the case of HTL . Another di erence is that in HTL these backward path quanti ers make reference to a particular state, namely the starting state. We mentioned before that the interpretation of HTL lies primarily on the coverability graph4 of the place/transition net comprising a hypertext [33]. The need for backward path quanti ers becomes apparent when one considers the fact that there are states in the coverability graph which have in nitely many distinct backward paths to the starting state.5 Backward path quanti ers are therefore convenient to express certain properties of this kind of state. After the formal de nition of the syntax of HTL , we introduce a \menagerie" of new symbols. These symbols are de ned in terms of the \constructor" symbols and are intended merely to be useful abbreviations of rather complex HTL formulae. Our goal is to enrich the expressiveness convenience of HTL which, after all, is intended to be a tool for verifying browsing properties of hypertexts. In this section, we de ne the syntax based on a minimal set of operators and quanti ers from which it is possible to de ne the other symbols. Then we de ne the formation rules which allow us to construct all the well-formed formulae of HTL . Next, we introduce the new tense operators as well as the quanti ers intended to be the useful abbreviations. Finally, some preliminary examples are presented at the end of section 2.1 to illustrate valid HTL formulae. These examples are informal in the sense that the semantics of HTL formulae are not de ned until section 2.2.

Formation rules

The alphabet for HTL subsumes the following: 1. Symbols of the typed rst order logic language that we call SL (State Language). Since the emphasis of this paper is on the temporal dimension of HTL , we will not expand too much on SL, and assume that its syntax and meaning are clear. Basically, SL will allow the construction of atomic formulas that will be the basis for the interpretation of HTL . SL comprises6 the following:  Variable and constant symbols of type place and transition.  The unary relation symbol, V , for content elements, holding if the content element is visible and the unary relation symbol, S, for buttons, holding if the button is selectable.

The coverability graph is also known in the early literature of place/transition nets as \reachability tree" [30]. However, this term is not quite appropriate. Based solely on this graph, one is able to answer questions regarding coverability of states. Hence the term coverability graph seems more adequate. 5 It is straightforward to write an algorithm to nd all backward paths from a given node to the initial node. 6 For the time being, SL is con ned to its minimum expression; it will allow us to express the two basic properties of a particular state, namely: \is a content element visible ?", and \is a button selectable?". It is possible to augment SL expressive power introducing new atomic predicates, but here we are focusing in the temporal dimension of the language. 4

7

2. The usual logic connectives : (negation) and _ (disjunction). 3. The unary operator  (next time), and the binary operator U (until) termed tense operators. These are applied in order to formulate assertions on sequences of states, referred to as paths. The formula 'U holds for a path if and only if:  

eventually occurs in the sequence, and ' is true in all states from the beginning until the rst state where

is true.

Nothing else is implied; that is, ' may or may not continue to hold thereafter.7 Similarly, ' holds for a path if and only if ' is true in the next state in the path, that is, in the second state of the of the sequence. !

4. The symbols 9 and 9 meaning \there is at least one forward (respectively backward) path from this state such that : : :". These operators are called existential path quanti ers.8 ! One can use standard abbreviations like 9 !, standing for \there is a unique forward path such that : : :". This is a minimal (but clearly not unique) set of symbols for HTL in the sense that all the other usual temporal symbols can be constructed from these ones. It is worth repeating that the precise meaning of these symbols is not formally de ned until section 2.2. For the time being we rely on intuitive notions to shed some light on the interpretation of the syntax. We now de ne all the syntactically well formed formulas of HTL . First, we de ne inductively two kinds of formulas: state formulae describing what is the case at a speci c state, and path formulae describing what holds over an entire path. 1. A state formula is de ned as follows:

S1. All atomic formulae of the sublanguage SL are state formulae. We shall refer to these

atomic formulae as simple formulae (the rules by which we construct simple formulae obey the basic rules of typed rst order logic). S2. If ' and are state formulae then so are :('), ('_g). ! S3. If ' is a path formula then 9 (') and 9 (') are state formulae. 2. A path formula is de ned as follows:

P1. All state formulae are path formulae. P2. If ' and are path formulae then so are :('), ('_g). P3. If ' and are path formulae then so are ('U ) and (') (this inductive rule is very

powerful in that it allows the construction of complex path formulae containing path as well as state subformulae).

7 As a matter of fact, the formal interpretation ascribed to the operator U allows stronger conditions on the path. For instance, according to the de nition given in section 2.2, 'U can hold without problem if ' holds for all the states in the sequence before the third occurrence of (this, of course, implies that ' holds before the rst occurrence of ). 8 The backward path quanti er, as explained in section 2.2, refers speci cally to the initial state. This is in some sense more restrictive than the backward operators of POTL, but it is all that is needed in this context. Moreover, this restriction will eventually simplify the checking process.

8

3. Nothing else is a path or a state formula. The well formed HTL formulae are all, and only the state formulae9 generated by the above rules. The use of !parentheses can be relaxed if we introduce a precedence among the operators. We ascribe to 9 and  the same precedence. These in turn, have a higher precedence than U , which has itself a higher precedence than all the symbols in SL (Simple Language). As in every language, notational shorthands are desirable. We give next a list of new symbols de ned in terms of these previous ones.

Operator abbreviations and examples

The previous two subsections might be considered as the formal syntactic framework of HTL . We were interested in a minimal set of \constructors". However, as we proceed with the interpretation and the use of HTL to express browsing properties of hypertext, we will use for expressive convenience several abbreviations in writing formulae.

Standard Abbreviations: We introduce the following symbols: 1. The logic symbols ^ (conjunction), ! (conditional) and $ (if and only if) are de ned in the usual way. For instance, using DeMorgan's rules, we get for the symbol ^: '^

 :(:' _ :

)

We also use the abbreviations true and false standing for any tautology and contradiction respectively. 2. The two unary tense operators 2 (always) and 3 (sometime) are de ned as follows:

3(') 2(')

9



true U '

 :(3(:'))

Obviously we are just interested in nite expressions of HTL symbols.

9

3. The following operators are also useful:  ' atnext meaning \' holds at the next time state that holds". Is de ned as: ' atnext  : U ('^ ) _ 2:  ' unless meaning \if there is a following state at which holds then ' holds up to that point or else ' is always true". Is de ned as: ' unless  'U _ 2' 4. The universal path quanti ers

! 8

and

!

8

de ned as follows: !

8 (')  :( 9 (:')) 8 (')  :( 9 (:'))

Past tense operators: The `past' operators:

P2

(always in the past), P 3 (sometime in the

past) and P  (immediately before). All of these operators have a `conditional spirit', so to

speak. For instance, 'P 3 is a path formula intuitively stating: \ if ' holds in a certain state of the sequence, then sometime in the `past' (i.e. in a previous state) must have held." Notice that the eventual realization of ' is not assumed. The other two operator have the obvious similar intuitive meaning. The `current' state is not considered as a `past' state in our de nitions (the same observations are in order for `future' operators). Formally we have10: 'P 2  2(2:' _ U ') 'P 3  2:' _ :'U 'P   2('! ) Future tense operators: The future operators: F 2 (always in the future), F 3 (sometime in the future) and F  (immediately after) have analogous interpretations: 'F 2  2('!2 ) 'F 3  2('!3 ) 'F   2('! ) State Language abbreviations: We write the formulae V (x) and S(y) simply as c:x and b:y. Also, to improve readability, we use full words instead of letters to refer to places and transitions. For instance, c.hello and b.help are formulae which say respectively that document hello is visible and that button help is selectable (the `c' and `b' are pre xed to remind us that we are referring to a content element and to a button respectively). Other Temporal Logic notation: It is worth mentioning that the original notation for CTL di ers from the one used in this paper. In [13] F, X,!and G!represent the operators 3, , and 2 respectively; similarly, A and E stand for 8 and 9 . There are no backward path quanti ers. This notation is more convenient when we try to input a formula in a computer program, and in fact, it is the one we use in the model checker described in section 3.

10 The de nition of P 2 turns out to be similar to the de nition of U in [44] where there is no \eventually" component. This operator is also known as the unless operator.

10

To illustrate the syntax of HTL , we give examples of well formed temporal formulae. Many of them are classical in temporal logic literature and are intended to be a quick exposition for readers not familiar with temporal logic. These are preliminary examples in the sense that the formal semantics of HTL are not introduced until section 2.2. 1. The formula 32' holds for a path if and only if there is a state in the sequence such that from this state on ' is always valid. Considering now the formula 23' we see that it has a di erent meaning altogether. It holds for sequence if and only if at each state of the sequence ' holds sometime in the future. If the sequence is in nite for example, then the previous statement amounts to saying that ' holds in in nitely many states in the sequence11 or, in other words, that ' occurs in nitely often (also known as \fairness requirement"). Correspondingly, the other combinations 2 ; 3'; : : : express di erent conditions. 2. The following formulas may be considered an \unrolling" of the basic tense operators using the next time operator. We have

'U

2' 3' 



' ^ 2'

' _ 3' _ ('^('U )) ^ 3 

3. The following HTL formulae fail to capture the intended meaning of the operator F 2 (it is a good exercise to convince oneself of this).

3' ! 2  3' ! 2  3' ! 3'U2  2(3' ! 2 )  2(' ! ( ^ 2 )).12 4. The following formulae illustrate di erent levels of responsiveness as explained in [17]. We are trying to characterize how a request p will eventually force a response q. 

  

!

Response to insistence: 8 2(2p ! 3q) ! Response to persistence: 8 2(23p ! 3q) ! Response to impulse: 8 2(p ! 3q)

These are just a few examples. A complete list of temporal logical laws may be found in [21]. In the next section we formalize the semantics of HTL with respect to a given hypertext. Then, to illustrate the syntax and semantics of HTL , we present a complete set of examples. 11 Suppose not, then there is a \last" state in the sequence for which ' holds. But then in the next state (since the sequence is in nite) it would be false that sometime ' will hold; this yields a contradiction. 12 Even though this formula does not capture the intented meaning, it provides a very similar one; the only di erence is that the must be true in all future states as well as in the current one.

11

2.2 The semantics of HTL The model and its basic entities

Let H =< N; C; W; B; Pl; Pd > be a hypertext and M0 an initial marking of N. We de ne an HTL interpretation, model or structure as a pair < H;  > where  is the coverability graph of N as de ned in [43]. In , nodes correspond naturally to states, since each node in the graph is unique. This model is the equivalent of a Kripke structure in contexts as described in [11]. It is important to notice that since the coverability graph is always nite, ([43, 30]) it follows that all HTL models are nite. This will play an important role for model checking issues. Also, H allows us to determine the validity of atomic formulae of SL. The rst basic entity of our model is the one of states which, in light of our previous remark, correspond to nodes in . Secondly, we have the concept of forward and backward paths or sequences de ned as follows:   = (0 ; 1 ; 2; : : :) is a forward sequence from state  if and only if 8i; i+1 is immediately reachable from i .   = (0 ; 1 ; 2; : : :; M0) is a backward sequence from state  if and only if 8i; i is immediately reachable from i+1 , and M0 is the initial state. In both cases we have that  = 0 . Notice that forward as well as backward sequences may be in nite. However, if cycles are not taken into account, both are nite. This will be important for model checking issues. It is clear that the validity of atomic formulae of SL can be completely determined using just H. That is to say, given a certain state, we can determine whether or not a transition is enabled, or a place is active. To de ne validity we use the standard notation. Let M0 be an initial marking of N and  a reachable state. If ' is a state formula, we write: M0 ;  j=N ' to mean that formula ' is valid in the state . A similar notation applies for path formulae holding for a sequence . When there is no confusion about the place/transition net we just write j= instead of j=N . Similarly, when the initial marking M0 is implicit then we omit it from the left hand side of the expression. For paths or sequences, we write  = (0 ; 1; 2 ; : : :) to refer to a path, rst() to refer to the state 0 , and i to refer to the sequence obtained by shifting  one position to the left, for instance 1 = (1 ; 2 ; : : :) . Based on the coverability graph, it is clear that there is a very close relationship between forward paths and valid sequences of transition rings (which can, in most cases, be represented by regular expressions).

Validity of HTL formulae

In what follows, we assume that we have speci ed a place/transition net N and an initial marking M0 (we do not explicitly include them in the notation). We denote as usual, a state by  and a path by . We use the rst greek letters for path formulae and the last for state formulae. Having now speci ed the concept of state and sequence, we proceed to de ne the relation j= inductively. We could do this restricting ourselves to the minimal set of constructors symbols used to de ne the syntax of HTL in section 2.1. However, we already have introduced the additional tense operators and path quanti ers. We choose to be slightly redundant, and de ne the exact meaning of most of the symbols we introduced in section 2.1. This will help to clarify the intuitive meanings developed up to this point. We proceed as follows: 12

1. Recall that a simple formula is an atomic formula of SL. Thus, a simple formula contains neither tense operators nor path quanti ers, and hence, by de nition, a simple formula is a path as well as a state formula. Let ' be a simple formula.  j= ' if and only if ' holds13 in state . Similarly,  j= ' if and only if ' holds in state rst(). 2. The connectives :, _, ^, : : : induce natural de nitions. For instance, if ' is a state formula, we have  j= :(') if and only if it is not the case that  j= '. Or, if and are path formulae, we have  j= ( _ ) if and only  j= or  j= . The others connectives are de ned similarly. 3. Let be a path formula and  a particular state. The meaning of the path quanti ers is de ned as follows:    

!

 j= 8 ( ) if and only if for every forward sequence  from the state  (i.e. rst() = ), we have  j= . !  j= 9 ( ) if and only if there is a forward sequence, say , from , such that  j= .  j= 8 ( ) if and only if for every backward sequence  from the state  (i.e. rst() = ), we have  j= .  j= 9 ( ) if and only if there is a backward sequence, say , from , such that  j= .

4. Let ' and be state formulae and  a sequence. The tense operators are interpreted as follows: 



 j= 2(') if and only if 8i  0; rst(i ) j= '. That is to say, formula ' is valid in all states of the sequence .  j= 3(') if and only if 9i  0; rst(i ) j= '. That is to say, formula ' is valid in at least one state of the sequence .  j= (') if and only if rst(1) j= '. That is, the formula ' is valid in the second state of .14  j= 'F 2 if and only if (9i  0; rst(i ) j= ') ! (8j; j > i ! rst(j ) j= ) In other words, in , if ' holds in some state then will hold in all the following states. The binary operators F 3 and F  are de ned analogously in the obvious way.  j= 'P 2 if and only if (9i  0; rst(i) j= ')!(8j; 0  j < i ! rst(j ) j= ) In other words, in  if ' holds in some state then must have happened in all the previous states. The operators P 3 and P  are de ned analogously.

13 We assume that the meaning of a simple formula being valid in a particular state is clear and need not be de ned. 14 For the  operator we require a sequence  of length at least two.

13





The operator U is given the standard interpretation15 :  j= 'U if and only if 9i  0; ( rst(i) j= ^ (8j; 0  j < i ! rst(j ) j= ')) For the operator atnext we have  j= ' atnext if and only if (9i  0; rst(i) j= )!( rst(j ) j= ' for the least j  0 such that rst(j ) j= )

5. Let and be now path formulae. The tense operators are interpreted as follows: 



 

 j= 2( ) if and only if 8i  0 (i j= ).  j= 3( ) if and only if 9i  0 (i j= ).  j= ( ) if and only if 1 j= .  j= ( F 2 ) if and only if (9i  0; i j= ) ! (8j; j > i ! j j= ) The binary operators F 3 and F  are de ned similarly.  j= P 2 if and only if (9i  0; i j= ) ! (8j; 0  j < i ! j j= ) The operators P 3 and P  are de ned analogously.  j= U if and only if 9i  0; (i j= ^ (8j; 0  j < i ! j j= )).  j= atnext if and only if (9i  0; i j= )!(j j= for the least j  0 such that j j= )

2.3 Further HTL abbreviations and extensions Notational abbreviations

Before presenting the examples, we develop additional notation. Let ' be a state formula and  a path. We say that 3n ' holds for path  if and only if ' holds at least n times in the path . It is easy to construct formulae expressing 3n, for every n. For instance 33 '  3' ^ (' ! (3' ^ ' ! 3')) In general, we inductively de ne the formulae 3n' (for any natural n) as follows:  ' if n = 1 3n ' = 3 3' ^ (' ! 3n?1') if n > 1 From this de nition, one can immediately express two concepts:  ' happens at most n times  :3n+1 '.  ' happens exactly n times  3n' ^ :3n+1 '. 15 Actually this interpretation implies 'U ! 3 . However, some authors, like Wolper, give a slightly di erent interpretation to the operator U in such a way that does not necessarily hold in the sequence. This is precisely the meaning of the operator unless.

14

We write 3n ', 3n ', and 3=n ' to mean that ' happens at most, at least, or exactly n times respectively. By boolean combinations of the previous formulae one can express the fact that a property hold between n and m times, and so on. Extensions of the U operator are also possible. We write ' U n to mean that ' occurs in all states of the sequence until the nth occurrence of . As in the case of U , nothing else is implied in the de nition. That is, ' may or may not continue to hold thereafter. This concept is easily de ned by recursion as follows:  if n = 1 'U n = ''UU ( ^ ('U n?1 ) if n > 1 For instance 'U 3  'U ( ^ U ( ^ 'U )). The extensions of the  (next time) operator are similar. We write n' to mean that ' will hold in all the states of the sequence up to, and including, the nth state. We write =n ' to mean that ' will hold in the nth state of the sequence. Finally, n' means that16 ' will not hold until the nth state of the sequence. These are de ned inductively as follows:  ' if n = 0 =n ' = (=(n?1) ') if n > 0  ' if n = 0 n' = (n?1)' ^ =n ' if n > 0  ' if n = 0 n' = (n?1):' ^ =n ' if n > 0 The previous extensions induce natural ones for the binary past and future operators. For example 'F 3=2 or 'P 2 have the obvious meaning.

Extended hypertext temporal logic

We discuss the advantages of Wolper's extended temporal logic [44] using regular expression operators. It is shown in [17] that temporal logic with the \until" operator is expressibly complete, in the sense that all rst order logic properties can be written as temporal formulae. However, Wolper[44] pointed out that not all properties are rst order logic properties. His contribution, Propositional Temporal Logic (PTL) developed in [5], enriches the expressiveness power of the (linear) temporal language. Given a right-linear grammar G = (VNT ; VT ; P; V0) where VT = fv1; v2 ; : : : ; vng, Wolper de nes in [44] the operator Gi , corresponding to the non-terminal symbol Vi , as follows:  j= Gi ('1 ; : : : ; 'n) if and only if there is a string ! = v!0 v!1 : : : (1  !i  n) generated by G from Vi such that 8j; j j= '! . Each regular expression17 therefore extends HTL in a natural way. This extension preserves the decidability properties of the language [44]. It has been shown that extended temporal logic allows the formulationof certain properties not expressible using just the original tense operators. For instance, the path formula saying that ' is true just in the even states of the sequence is not expressible in (non extended) temporal logic. Certain properties are easier to express using regular expressions. It seems therefore natural to de ne EHTL (Extended HTL ) in the sense just explained. j

16 This notation is somewhat misleading in that we are not stating that ' will hold for all the states after the nth . We are just saying that ' does not hold for all the states strictly less than n, and furthermore, that it holds in state n. 17 Regular expressions are well known to be equivalent to right linear grammars.

15

2.4 Examples in the context of hypertext

We give a list of formulae in the context of hypertext. In all of these formulae we assume that we are referring to the initial state of the hypertext. !

 8 (3c.menu ^



c.menuP 3 c.identi cation) which will be interpreted as \in all (forward) browsing sessions content element menu is eventually visible, but only sometime after content element identi cation is visible." Notice that the second conjunct only states \for all browsing sessions if menu is visible, then sometime in the past identi cation was visible." ! 9 3c.warning which will mean \there is a browsing session encountering warning." !

 9 3(b.option1 ^

b.option5) will be interpreted as \there is a browsing session in which at some point buttons option1 and option5 are both selectable." !

 8 (c.no-help-modeF 2 :b.help)

signi es \for all browsing sessions, if content element no-

help-mode is visible then button help will never be selectable."

!

 8 2(c.error $

c.description) reads \for all browsing sessions, it is always the case that content element error is visible if and only if description is visible." !

 8 (3' _

2:') is a trivial tautology which states that in all browsing sessions either ' happens at least once or it never happens at all.

!

 8 (

atnext ') states that immediately after the rst occurrence of ', will happen. !

Notice that the formula 8 ('F  ) would be too strong since we would be requiring the original condition for all occurrences of ', not just for the rst one. ! Similarly: 8 ( atnext ') states that during the rst occurrence of ', happens, and ! 8 ( atnext ') says that before the rst occurrence of ', must happen.

 8 3=n ' 

means \At this point of the browsing session, ' must have occurred exactly n times." ! 8 2 9 2t.help means \wherever you happen to be, you could have gotten there having the button `help' always selectable." ! !

 8 2 9 3p.menu means \wherever  

you happen to be, it is possible to eventually get back to the menu." ! 9 2:t.con dential means \there is a way to browse the hypertext such that the button `con dential' is never selectable". ! ! 9 3 8 2(:t.info) means \it is possible for button `info' to eventually die, that is, to never again be selectable." ! !

 8 2 9 3(t.info) means exactly the opposite of the previous statement, that is \button `info'

never dies". This does not mean that it is always selectable, but rather that, in all situations, button `info' can eventually become selectable. This is similar to level 3 of liveness for a transition de ned in [30]. 16

! !

 9 3 8 2:(b:B1 ; 

: : : ; b:Bk ) where B1 ; : : : ; Bk are all the buttons, means that it is possible to fall into a \deadlock." ! 8 3=1 p.password signi es \For all browsing sessions the content `password' is active exactly once." This would be useful in the case where a reader is allowed to browse the higher level (menus) of the hypertext without identifying himself. If he intends to use one of the modules, then an identi cation is required, but only once. This way, the identi cation is ! not necessarily done at the beginning of the browsing session. A formula like 8 p.password would not capture the intended meaning. ! !

 8 2 9 p.end means \Wherever

you are, you can immediately leave the hypertext" (assuming that this is the interpretation of content \end").

!

 8 p.hello means \At the beginning of every browsing session, you must encounter as content 

the `hello' element." Suppose that we would like to express that content \double-check" (like changing a password or something so important that it requires veri cation twice) is never active or appears an even number of times. The intended meaning is therefore something similar to !

8 (2:p.double-check _ :3=(2n?1)p.double-check) 8n;

n1 However, this is clearly not an HTL formula because it is an in nite expression. We therefore use EHTL . Let G be the regular grammar expressing the condition that terminal symbol a occurs an ! 18 even number of times (including zero). Then 8 G0 (p.double-check) says precisely what is required.

3 Verifying the validity of HTL Formulae 3.1 The model checking approach

As we mentioned in the introduction, we are not directly interested in a logical inference system for HTL . That is to say, given a temporal formula, we are not interested in proving that this formula is valid using axioms and inference rules. Our main goal, at least for the time being, is to present HTL as a powerful and expressive temporal logic language especially suited for verifying browsing properties in the Trellis model of hypertext. What we really require in this context is a way to verify if a given hypertext satis es certain properties speci ed in HTL . This kind of problem has already been extensively studied in other contexts [11], most notably in the domain of protocols speci ed by collections of nite state machines. These solutions are collectively referred to as model checking. Model checking issues involve two phases. First, and more importantly, one needs to show the feasibility of such process. Second, one can begin to look for more ecient ways of checking the model for the properties expressed by temporal logic sentences. In the case of HTL , the model to check (the net coverability graph) is well known to be nite [43], therefore the process is clearly feasible. However, in the general case and especially with very long formulae, the complexity of model checking for HTL may become exponential as explained in [11]. However, 18

Writing this grammar is straightforward.

17

positive results have been obtained by Emerson and Lei in [14] to that respect. We discuss them at the end of this section. Section 2.1 de nes the rules of formation for HTL formulae. Choosing proper subsets of this set of rules allows the de nition of other branching-time logic languages. Of particular interest is the language HTL, the analogous of CTL. Formally, HTL is a proper subset of HTL ; the formation rules are the same, as de ned in section 2.1 except that now the path formulae are restricted as follows: P1. If ' is a path formula then so is :('). P2. If ' and are state formulae then ('U ) and (') are path formulae. P3. Nothing else is a path formula. HTL permits only branching-time operators; each path quanti er must be immediately followed by exactly one of the operators  or U . HTL could be consider the restriction of HTL (which trivially subsumes pure linear and branching temporal logic) to its branching time dimension. As a matter of fact, a more explicit de nition of HTL can be given as follows:  Every simple formula is a formula in HTL. !

!

If ' and are HTL formulae, then so are :', '_ , 9 3('), 9 3('), 9 ['U ], 9 ['U ]. Because of the backward path operators, HTL turns out to be syntactically equivalent to POTL rather than to CTL. POTL proposed proposed by Pinter and Wolper is described in [31]. As one can see in the formation rules, HTL gives rise to an inseparable combination of temporal ! operators. For instance, 9  and 9  stand for \there is an immediate successor" and \there is an immediate predecessor" respectively. All the usual abbreviation are de ned and interpreted in the obvious way. The language HTL is important in that much work has been done for checking eciently the validity of formulae in a given model. Although HTL severely restricts the expressiveness power of HTL it is still appropriate to express many interesting properties in the context of hypertext. Clarke, et al., have studied the model checking problem for CTL extensively [11, 12, 6]. In the general case, the model process for HTL may become very complex. However, in most practical cases it has been shown that this model checking is possible even in very large systems. Based on previous results by Lichtenstein and Pnueli [24], Emerson and Lei showed in [14] that formulae of the logic CTL which combine both branching-time and linear-time operators, could be checked with complexity exponential in the length of the temporal formula, yet linear in the size of the structure. In practice, the kind of formulae that an hypertext author may be interested in should not be too long. The size of the document is involved only in a linear manner. Therefore, in the Trellis model, this kind of complexity would be acceptable. 

3.2 Examples of browsing property veri cation

In this section we demonstrate how we have applied a model checker for CTL developed at Carnegie Mellon by Clarke to veri cation of browsing properties. We rst illustrate the method for Trellis, and then demonstrate its generality by analyzing a well-known Hyperties document. The examples shown in typewriter font are direct transcriptions of input and output for the model checking software. The syntax in these examples uses the ASCII character representation 18

Figure 3: Small Trellis document. of the CTL operators that is employed in Clarke's model checker. \A, E" correspond to \8; 9"; \G, F, U, X" are \2; 3; U ; " respectively. To aid in following this notational shift, we show some formulae in both symbolic operator form, and in ASCII model checker input form.

A simple Trellis document and sample queries

The Trellis document shown in gure 3 is a small net that expresses the browsing behavior found in some hypertext systems, namely that when a link is followed out of a node, the source content stays visible and the target content is added to the screen. The source must later be explicitly disposed of by clicking a \remove" button. In our terms, the Petri net is the links-automaton of this hyperdocument. It is not, however, in a form that is normally thought of as a nite state machine. In order to obtain a nite state machine for model checking, we compute the coverability graph of the net [30, pp. 91-95] and use that. The Petri net in our example gives rise to a coverability graph of 11 states. From this, we generate an 8-node nite state machine, the links-automaton for this document.19 The transition diagram, and its encoding for the CTL checker, are shown in Figure 4. The number of states and transitions (\CUBES") is given rst. Next, atomic predicates are named in the 19 The state count drops because construction of the coverability graph produces a structure with repeated nodes in it. These nodes are removed when converting to the FSM input format for the model checker.

19

NAME = RefB.fsm; INPUTS = ; STATES = 8; CUBES = 12; MOORE-OUTPUTS = C_welcome.H,C_overview.H,C_shuttle.H,C_engines.H,C_allow.H,C_inhibit.H, B_begin.H,B_orbiter.H,B_propulsion.H,B_start.H,B_return.H,B_remove.H; #0

100010100000 1 010010011000 2 6 010101000011 3 4 000110000010 0 110001100001 0 5 010001000001 1 011001000101 7 4 001010000100 0

#1

#2

#3 #4

#5 #6

#7

3

0

1

2

5

7

4

6

#END

Figure 4: Links-automaton and FSM encoding for Trellis document section \MOORE-OUTPUTS." For our experiment, a predicate like \C welcome" means the \welcome" content element is visible, and \B begin" means the \begin" button is selectable; we have not attempted to encode any document properties other than these simple ones, though more complicated properties could certainly be represented as predicates. The bit vector next to a state number indicates which of the atomic predicates are true in that state; the order in the vector comes from the order in which predicates are listed in \MOORE-OUTPUTS." Finally, the transitions out of a state are given as a list of destination state numbers following each bit vector. This model can then be queried with the model checker for any browsing properties that involve combinations of the atomic predicates. In our experiment, due to our choices for atomic predicates, we can investigate properties about when during browsing certain buttons will be selectable, or when certain content elements will be visible. We illustrate several queries following. 

Is there some browsing path such that at some point both the \orbiter" and \propulsion" 20

buttons are selectable on one screen? ! 9 3(B orbiter ^ B propulsion) |= EF(B_orbiter & B_propulsion). The formula is TRUE.



Does there exist a browsing path such that at some point both the \shuttle" text and the \engines" text are concurrently visible? ! 9 3(C shuttle ^ C engines) |= EF(C_shuttle & C_engines). The formula is FALSE.



Is there some browsing path that reaches a point at which no buttons are selectable? |= EF( ~B_begin & ~B_remove & ~B_propulsion & ~B_orbiter & ~B_start & ~B_return ). The formula is FALSE.



Is there some browsing path that will eventually simultaneously show the \overview" panel and the \engines" panel? |= EF(C_overview & C_engines). The formula is TRUE.

An alternate way to express this query is to reverse the sense: On all paths is it always the case that either \overview" or \engines" is not showing? ! 8 2(:C overview_:C engines) |= AG(~C_overview | ~C_engines). The formula is FALSE.



Is it possible during browsing to see both the \welcome" and \engines" panels on the same screen? |= EF(C_welcome & C_engines). The formula is FALSE.



Can both the \allow" access control and the \inhibit" access control ever be in force at the same time? |= EF(C_inhibit & C_allow). The formula is FALSE.

21

Figure 5: CSP program as browsable Trellis document 

Is it possible to select the \orbiter" button twice on some browsing path without selecting the \remove" button in between? ! ! ! 9 3(B orbiter ^ 8 ( 8 [B remove U B orbiter])) |= EF(B_orbiter & AX(A[B_remove U B_orbiter])). The formula is FALSE.

This last query is a bit more complex. The informal expression of it does not parallel closely the actual operators employed to check the property.

A larger Trellis document

The model checker has also been tested on the larger Trellis document shown in Figure 5. The state machine derived from this net contains nearly a thousand states. The performance of the veri cation software on formulae like those discussed for the smaller example was on the order of a few seconds, with the most complicated query we tried requiring about 25 seconds on an engineering workstation. We suspect that authors of interactive documents will nd such timing not at all unreasonable for establishing the presence or absence of critical browsing properties, and we hope that future, less primitive systems, might exhibit improved performance as well. 22

A Hyperties document

To illustrate that these browsing veri cation concepts are not speci c to Trellis-based systems, but are indeed general, we have applied the approach to a Hyperties [34, 27] document. Specifically, we have extracted the link structure from the Hyperties version of ACM's Hypertext On Hypertext, and use the directed graph as the nite state machine for the model checker. The model contains 298 states (content nodes), and over 700 links. Here are the results of some sample queries, all of which were answered by the model checker in less than two seconds on an engineering workstation.  On all paths from the initial node, is it always the case (at all nodes) that some future path contains the Table of Contents (TOC) node? ! ! 8 2( 9 3(C tableofc)) |= AG ( EF (C_tableofc)). The formula is FALSE.



Since this property does not hold, this says the document contains at least one node from which it is impossible to reach the TOC. Note that these properties are being tested for the link structure of the document alone, and do not account for any system-supplied browsing aids, such as backup or full history. On all paths from the initial node, will the TOC eventually be seen? On all paths from the initial node, will the Introduction eventually be seen? |= AF (C_tableofc). The formula is FALSE. |= AF (C_introduc). The formula is TRUE.



The previous property asked if TOC could be reached from any node; this property is di erent in that it asks if TOC will eventually be reached (at least once) when browsing from the initial node. Such a property could be satis ed if, for example, TOC were the rst or second node on all paths, whether or not it could then be returned to after browsing past it. The second formula above illustrates this with the Introduction node. Since the Introduction is the initial node of the document, the property trivially holds, but it says nothing about whether the Introduction can be revisited once it is passed. Is there at least one path such that once the Introduction is reached, it can be later revisited? ! ! ! 9 3(C introduc ^ 9 ( 9 3(C introduc))) |= EF (C_introduc & EX (EF (C_introduc))). The formula is FALSE.

Since the Introduction is the rst node on all paths, the failure of this property implies that can be read only once during any traversal of the document (again, considering only the link structure proper). In Hyperties, this means the special browser features, like history, must be relied on. 23



On all paths from the initial node, is it always the case (at all nodes) that the TOC is exactly one link away? On all paths from the initial node, is it always the case (at all nodes) that the TOC is no more than three links away? |= AG (EX (C_tableofc)). The formula is FALSE. |= AG (EX (C_tableofc | EX (C_tableofc | EX (C_tableofc) ) ) ). The formula is FALSE.



This rst property might well be one an author wants a document to have, though it is a bit strong. The second property is more relaxed and more probable for a document to exhibit. The proper semantics are obtained by nesting the \next step" operator. Of course, neither property holds for this document since we have already seen that some nodes exist from which TOC is not reachable at all. Is there some path from the initial node on which it is always the case (at all nodes) that the TOC is exactly one link away? |= EG (EX (C_tableofc)). The formula is TRUE.



Interestingly enough, though we saw that the \one hop away" property for TOC does not hold for all paths, it does hold for at least one path in this document. On all paths from the initial node, is it always the case (at all nodes) that either the Bibliography is not displayed, or else some path eventually leads from it to the TOC? |= AG(~C_bibliogr | EF(C_tableofc)). The formula is FALSE.

This query attempts to further re ne the nding that the TOC cannot be reached from some nodes. Here we see that the Bibliography node is one such node.

4 Discussion and conclusions In previous papers we have shown how the inherent execution semantics of place/transition nets can be used in a model of hypertext to provide a rich set of access control facilities during browsing. We have also provided several interpretations for such access control, including secure sections, multiple versions, and multiple interacting readers. In this report we have described an authoring mechanism whereby the creator of a hypertext can verify that the net structure exhibits certain desired browsing properties. This method is automatable; author input is required to express the properties to be checked, but no human-generated proof is required. The use has application in scripting languages and other path control mechanisms. We emphasize that the Trellis hypertext model based on place/transition nets provides the author of a document with greater control over the sequences in which nodes will be browsed. Other 24

researchers have found a similar need to permit this kind of speci cation (both within one document and among multiple documents [9, 10, 45, 46]. However, the place/transition net model is general enough to be used as an implementation vehicle for arbitrary scripting mechanisms, permitting exible speci cation of such sequencing. In summary, we have implemented Trellis, a proof-of-principle prototype hypertext browser based on our model. We have used our experiences with this system to re ne the model and to investigate the classes of problems solved by the model. Of equal importance to a complete hypertext system is the provision of an authoring environment. We are creating such an environment in which we are paying particular attention to the ways in which the analyses permitted by the reachability graph can be made accessible to the author. The HTL based model checking algorithms are one method of providing this veri cation power.

4.1 Related Work on Temporal Logic for Nets

Work has also been done to relate the power of temporal logic to place/transition nets. For instance, Suzuki and Lu [42] de ne a new class of place/transition nets called temporal Petri nets. Formally, a temporal Petri net is a pair TN = (N; f), where N is a place/transition net and f is a temporal logic formula of LN . This temporal language is a variant of propositional temporal logic of linear time. The idea behind temporal Petri nets is, as the authors say, \to describe clearly and compactly causal and temporal relationships between the events of a system, including eventuality and fairness." In particular, they discuss how temporal Petri nets can be apply to the modeling and analysis of a handshake daisy chain arbiter. However, temporal Petri nets are not really a descriptive tool; in fact, they modify the execution behavior of the place/transition net itself. To our knowledge, the introduction of temporal Petri nets constitute one of the rst explicit attempt to relate temporal logic to place/transition nets. This approach is, however, fundamentally di erent from our method for several reasons:  The formula f in the case of temporal Petri nets is more than a description of the causal and temporal relationship between the element of the net. Indeed, the formula f modi es the execution behavior of the net; the formula can be considered as a meta-rule for the execution of the net. Place/transition nets endowed with this meta-rule capability are very easily shown to be Turing equivalent [42]. This, of course, precludes most of the analysis we want for hyperdocuments. In contrast, HTL is designed to be a genuine tool for describing the causal and temporal relationships of events in a Trellis model hypertext. A net may or may not satisfy an HTL speci cation; in no way does the formula a ect browsing behavior of the hyperdocument de ned by the net.  The atomic formulae of the language LN are: \p has a token", \t is rable" and \t res". The rst two are identical to the ones we shall de ne for the case of HTL . The third is of a very di erent nature though. In fact, this is the one that destroys the \permissive nature of transition rings in a Petri net", as explained in [30]. HTL avoids such atomic formulae simply because, from a purely descriptive point of view, it does not make much sense to force a transition to re. This formulae are really restrictive and not descriptive.  HTL is really based on the coverability graph of a place/transition net, not in the net itself. Temporal Petri nets deal directly with the nets; no explicit use of the coverability graph is made (in fact the temporal formula may modify the coverability graph). 25

In another study, Sinachopoulos has considered the application of temporal logic to the study of place/transition nets [35], exploring the di erences between branching time and partial order logics. It is suggested to apply UB [5], CTL [15], CTL [13] and POTL [31] to the study of the ring sequences in place/transition nets. Emphasis is on an axiomatic speci cation approach. Finally, Berri at al. [4] have presented a method for using a modal (temporal) logic for structural queries in a hyperdocument. A document is treated as a graph, with the goal of a query being to locate a particular subgraph. Queries in the temporal logic are essentially structural patterns to be matched against the document.

4.2 Building Links-automata for other systems

We have illustrated model checking for links-automata derived from two hypertext systems: Trellis, and Hyperties. To such development for other systems, we discuss here the concepts involved in encoding browser behavior into a links-automaton. Hyperties behavior is fairly straight-forward to encode. Links are not typed (or, minimally typed), so not much behavioral or semantic information is encoded into them. The graph composed from the raw links in a Hyperties document translates almost directly into the transition diagram of nite state machine { a checkable links-automaton in itself. Trellis, on the other hand, encodes more behavioral information in the links of a document. The links are still not typed, but in aggregate the links de ne a parallel automaton. This parallel automaton happens to have a potentially in nite number of states, so it must be converted into a nite state machine to deriving a checkable links-automaton. We employ the coverability graph of the place/transition net to achieve this conversion. This results in a potentially exponential growth in automaton size, though in practice the growth is more modest. For other systems, producing a links-automaton for analysis requires rst determining how much of the system browser behavior needs to be encoded, based on the purposes for the analysis. In our experiments, we have worked with the hypothesis that a document from one system can present only its links to another system. Therefore, we did not wish to encode browser behavior into a links-automaton. For example, we did not try to derive a links-automaton for Hyperties that allows a transiition from each node directly to the \Table of Contents" node; this feature of Hyperties is maintained by the browser software, and is not represented directly as links in each document. We have sought to analyze behavior that can be counted on to appear across systems where the only common browsing function is \unconditionally follow link". Our basic analysis methods, though, are generally applicable and can be employed to answer behavioral questions about individual documents in individual systems. For example, if we wish to analyze KMS documents for KMS users only, and we are not concerned with exchanging them to other systems, then we would build a links-automaton for each document that contained in the state machine as much of the browsing behavior as we could reasonably encode. Thus link types would be represented in the links-automaton as di erent alternatives arising from a single link. Access control would appear in the same way. The links automaton will be enlarged as it bears the burden of behaving formally (that is, with the transition rule of the automaton) in the same manner as the full system browser.

Limitations of HTL

For forward path quanti ers, we need the assumption that the browsing sessions continue as long as it is possible (i.e. as long as a button is selectable). This may cause problems, if we consider that an user!may choose to `abort' the browsing session at any moment. Therefore, 26

statements like:

!

8 3(c.warning)

are to be understood as \in every suciently long browsing session, content element `warning' will eventually be displayed". Of course this does not imply that all browsing sessions in real life must encounter content element `warning', inasmuch as a user can quit immediately after selecting the rst button. HTL statements are intended to describe the hypertext dynamics, not human behavior. Things are di erent with backward path quanti ers though. If a user is in a certain state, then based on the behavior of the hypertext, we can make de nite conclusions about what happened in the past. In this case we do not need assumptions, since the reader is already in the given state. Therefore, in a sense, backward path quanti er assertions are closer to reality. Certain problems like the reachability problem, or problems which are equivalent to it like the deadlock problem [30, pp.103-106], may not be answered with the coverability graph. In practical terms a model checker can give an incorrect answer. This is due to the model in which HTL is based, namely the coverability graph. In other words, the lack of soundness is due to the limitations of the model not to HTL itself. For bounded systems however, (as it is the case for most of the documents), the coverability graph is a faithful representation of the place/transition net. Therefore, HTL can be used to check properties of the document.

Practical application of model checking

Clearly, for practical application of the veri cation techniques reported here, an authoring interface will be needed that allows an author to express properties without having to be an expert in temporal logic syntax and semantics. We do not have such an application at this time, and view the design of such an interface as an important research problem. In the authoring of hypertexts, HTL plays two important roles which are related but at the same time dual to each other. On the one hand, HTL could be used as an a posteriori veri cation tool. That is to say, it can be employed as an after-the-fact checking facility to test if a given hypertext satis es certain browsing properties. On the other hand, HTL could also be used as an a priori speci cation method. In other words, certain restrictions and integrity constraints could be expressed by temporal formulae before constructing the hypertext. Then, perhaps with the help of authoring environments, one could generate hypertext satisfying the integrity constraints. In the limit, one could conceive a hypertext as a set of temporal integrity constraint formulae. By this latter concept we simply mean a set of HTL formulae which need to be satis ed. A particular structure modeling these constraints, a place/transition net for instance, would be a valid implementation of this hypertext. Another interesting idea is that of incremental satis ability analysis. More speci cally, suppose we are given a hypertext satisfying a certain set of temporal integrity constraints. We now add an extra temporal formula, that is an extra integrity constraint, and would like to obtain a hypertext satisfying the new augmented set of temporal formulae. Obviously much of the work as already been done with the initial hypertext. Looking for ecient ways of using this work in order to satisfy the new set of integrity constraints seems to be a challenging but promising idea. Finally, a short term goal is to implement a temporal branching logic for timed hypertexts as de ned in [38]. This also appears to be a challenging task. However, timed place/transition nets are well known to be Turing equivalent. This can be detrimental from an analysis perspective. Parallel Finite Automata (PFA for short), recently proposed in [39], are worth studying, we believe, in the hypertext context. Basically PFAs are place/transition nets in which the states 27

are normalized after each transition ring to have only one token or none in each place; PFAs, then, are equivalent to nite state systems. The coverability graph computed from a PFA has no ! symbols (and is therefore a reachability graph), so a PFA is completely and exactly analyzable with our madel checking techniques. We would like, therefore, to study how convenient timed PFAs are for interactive document structure. There is, however, a subtle point to this. Saying that the Trellis model, in the case of place/transition nets, is not Turing equivalent just because place/transition nets are not Turing equivalent, is a very imprecise statement which can be easily misinterpreted. The Trellis model is in fact Turing equivalent inasmuch as one can associated programs with the nodes of the place/transition nets. Hence any computable function could be easily modeled by a trivial net consisting of just one node associated with this computable function! The point is that, in a certain sense, there is no restriction on what one is able to compute with the Trellis model. What is inherently restricted because of the net structure is the way one can browse a hypertext and the way that the di erent components of the net interact with each other. A very good analogy occurs in the domain of programming languages. The syntax of a language like Pascal is well known to be practically expressible with a context-free grammar. However, this does not imply by any means that Pascal, as a programming language, is not Turing equivalent. The context-free nature of Pascal lies in a di erent dimension than that of its computational power. The same phenomenon occurs with the Trellis model; the place/transition net paradigm does not diminish its computational power. In modeling considerations there is usually a tradeo between modeling possibilities and decision power, as explained in [30]. In general the following rule applies: the better the modeling possibilities, the lower the decision power. In the Chomski hierarchical spectrum, both place/ transition nets and PFAs enjoy privileged positions insofar as decidability is concerned. This makes them desirable modeling tools especially in the case of hypertexts. The loss in modeling power in the case of PFAs does not appear to have serious consequences. In fact, although the details are beyond the scope of this paper, the model checking algorithms we use \normalize" in a certain sense the coverability graph of the hypertext. More speci cally, the only relevant fact is whether or not a content element is visible. The number of tokens residing in each place of the net is irrelevant for most cases.

References [1] Antony, G., Ed. Temporal Logics and their applications. Academic Press, Harcourt Brace Jovanovich, Publishers, 1987. [2] Atlee, J. M., and Gannon, J. D. State-based model checking of event-driven system requirements. IEEE Transactions on Software Engineering (Jan. 1993), 24{40. [3] Barringer, H., Kuiper, R., and Pnueli, A. Now you may compose temporal logic speci cations. In Proc. of the Sixteenth ACM Symp. on Theory of Computing (1984), pp. 51{63. [4] Beeri, C., and Kornatzky, Y. A logical query language for hypertext systems. In Hypertext: Concepts, Systems, and Applications, A. Rizk, N. Streitz, and J. Andre, Eds. Cambridge University Press, Nov. 1990, pp. 67{80. Proceedings of the European Conference on Hypertext. 28

[5] Ben-Ari, M., Pnueli, A., and Manna, Z. The temporal logic of branching time. In fProc. Eighth ACM Symp. on Principles of Programming Languages (1981), pp. 164{176. [6] Bursh, J. R., Clark, E. M., and McMillan, K. L. Symbolic model checking: 10 to the 20 states and beyond. Carnegie Mellon and Stanford Universities, 1989. [7] Burstall, R. M. Program proving as hand simulation with a little induction. Information Processing 74 (1974), 308{312. [8] Campbell, B., and Goodman, J. M. HAM: A general purpose hypertext abstract machine. Commun. ACM 31, 7 (July 1988), 856{861. [9] Christodoulakis, S., Ho, F., and Theodoridou, M. The multimedia object presentation manager of MINOS: A symmetric approach. In Proceedings of ACM SIGMOD '86 (May 1986), pp. 295{310. Washington, DC. [10] Christodoulakis, S., Theodoridou, M., Ho, F., and Papa, M. Multimedia document presentation, information extraction, and document formation in MINOS: A model and a system. ACM Trans. Oce Inf. Syst. 4, 4 (Oct. 1986), 345{383. [11] Clarke, E. M., Emerson, E. A., and Sistla, A. P. Automatic veri cation of nitestate concurrent systems using temporal logic speci cations. ACM Transactions on Programming Languages and Systems 8 (1986), 244{263. [12] Clarke, E. M., and Grumberg, O. Research on automatic veri cation of nite-state concurrent systems. Ann. Rev. Comput. Sci. 2 (1987), 269{290. [13] Emerson, E. A., and Halpern, J. Y. \sometimes" and \not never" revisited: on branching vs. linear time. In Proc. Tenth ACM Symp. on Principles of Programming Languages (1983), pp. 127{140. [14] Emerson, E. A., and Lei, C. L. Modalities for model checking: Branching time strikes back. In Twelfth Symposium on Principles of Programming Languages (1985), pp. 84{96. [15] Emerson, E. A., and Srinivasan. Branching time temporal logic. In Proc. of the REX School/Workshop 1988 on Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency (1989), Springer-Verlag.

[16] Furuta, R., and Stotts, P. D. Structured dynamic behavior in hypertext. Technical Report CS-TR-2597 (UMIACS-TR-91-14), University of Maryland Department of Computer Science and Institute for Advanced Computer Studies, Jan. 1991. [17] Gabbay, D., Pnueli, A., Shelah, S., and Stavi, J. On the temporal analysis of fairness. In Proc. Seventh ACM Symp. on Principles of Programming Languages (1980), pp. 163{173. [18] Halasz, F. G. Re ections on NoteCards: Seven issues for the next generation of hypermedia systems. Commun. ACM 31, 7 (July 1988), 836{852. [19] Kahn, K., and Gorry, G. A. Mechanizing temporal knowledge. Arti cial Intelligence 9 (1977), 67{95. [20] Kowalski, R. A., and Sergot, M. J. A logic-based calculus of events. New Generation Computing 4 (1983), 67{95. 29

[21] Kroger, F. Temporal Logic of Programs. Springer-Verlag, 1987. [22] Lamport, L. \Sometime" is sometimes \not never": on the temporal logic of programs. In Proc. Seventh ACM Symp. on Programming Languages (1980), pp. 174{185. [23] Lee, R. M., Coelho, H., and Cotta, J. C. Temporal inferencing on administrative databases. Information Systems 10 (1985), 197{206. [24] Lichtenstein, O., and Pnueli, A. Checking that nite state concurrent programs satisfy their linear speci cation. In Twelfth Annu. ACM Symp. Principles on Programming Languages. (1985), pp. 97{107. [25] Lloyd, J. W. Foundations of Logic Programming, second ed. Springer-Verlag, 1987. [26] Manna, Z., and Pnueli, A. Veri cation of concurrent programs: the temporal framework. In The Correctness Problem in Computer Science, R. S. Boyer and J. S. Moore, Eds. Academic Press, 1981, pp. 215{273. [27] Marchionini, G., and Shneiderman, B. Finding facts vs. browsing knowledge in hypertext systems. Computer 21, 1 (Jan. 1988), 70{80. [28] Moszkowski, B. Reasoning about digital circuits. PhD thesis, Standford University, CA, 1983. [29] Murata, T. Petri nets: Properties, analysis and applications. Proceedings of the IEEE 77, 4 (Apr. 1989), 541{580. [30] Peterson, J. L. Petri Net Theory and the Modeling of Systems. Prentice-Hall, Inc., 1981. [31] Pinter, S. S., and Wolper, P. A temporal logic for reasoning about partially ordered computations. In Proc. of the third ACM Symp. on Principles of Distributed Computing (1984). [32] Pnueli, A. The temporal logic of programs. In Proc. Eighteenth IEEE Symp. on Foundations of Computer Science (1977), pp. 46{67. [33] Reisig, W. Petri Nets: An Introduction. Springer-Verlag, 1985. [34] Shneiderman, B. User interface design for the Hyperties electronic encyclopedia. In Proceedings of Hypertext '87 (Nov. 1987), pp. 189{194. Published by the Association for Computing Machinery, 1989. [35] Sinachopoulos, A. Logics for Petri-nets: Partial order logics, branching time logics and how to distinguish between them. Petri Net Newsletter (8 1989), 9{14. [36] Stotts, P. D., and Furuta, R. Petri-net-based hypertext: Document structure with browsing semantics. ACM Transactions on Information Systems 7, 1 (Jan. 1989), 3{29. [37] Stotts, P. D., and Furuta, R. Browsing parallel process networks. Journal of Parallel and Distributed Computing 9 (1990), 224{235. [38] Stotts, P. D., and Furuta, R. Temporal hyperprogramming. Journal of Visual Languages and Computing 1, 3 (1990), 237{253. 30

[39] Stotts, P. D., and Furuta, R. Hyperprograms: Concurrent automata as information structures. In Proceedings of the 29th Allerton Conference on Comunication, Control, and Computing (Oct. 1991), University of Illinois, Urbana-Champaign. [40] Stotts, P. D., and Furuta, R. Modeling and prototyping collaborative software processes. In Information and Collaboration Models of Integration (1994), S. Y. Nof, Ed., Kluwer Academic Publishers, pp. 365{390. Also published as Technical Report TR93-020, Computer Science Collaboratory, Univ. of North Carolina at Chapel Hill, 1993; and as Tech Report TAMU-HRL 93-006, Hypermedia Research Laboratory, Texas A&M University, July 1993. [41] Stotts, P. D., Furuta, R., and Ruiz, J. C. Hyperdocuments as automata: Tracebased browsing property veri cation. In Proceedings of the ACM Conference on Hypertext (ECHT '92), D. Lucarella, J. Nanard, M. Nanard, and P. Paolini, Eds. ACM Press, 1992, pp. 272{281. [42] Suzuki, I., and Lu, H. Temporal Petri nets and their application to modeling and analysis of a handshake daisy chain arbiter. IEEE Trans. Comput. 38, 5 (1989), 696{704. [43] Wolfgang, R. Petri Nets an Introduction. Springer-Verlag, 1985. [44] Wolper, Z. Temporal logic can be more expressive. In Proc. of the Twenty-second IEEE Symp. on Foundations of Computer Science (1981), pp. 340{348. [45] Zellweger, P. T. Directed paths through collections of multi-media documents. In Hypertext '87 (Nov. 1987). Position paper. [46] Zellweger, P. T. Active paths through multimedia documents. In Document Manipulation and Typography, J. C. van Vliet, Ed. Cambridge University Press, Apr. 1988, pp. 19{34. Proceedings of the International Conference on Electronic Publishing, Document Manipulation, and Typography, Nice (France), April 20{22, 1988.

31

Suggest Documents

Hyperdocuments as Automata: Veri cation of Trace-based ... - CiteSeerX

Hyperdocuments as Automata: Veri cation of Trace-based ... - CiteSeerX
Read more
Mechanical Veri cation of Timed Automata: A Case Study - CiteSeerX

Mechanical Veri cation of Timed Automata: A Case Study - CiteSeerX
Read more
Veri cation of Compilers - CiteSeerX

Veri cation of Compilers - CiteSeerX
Read more
Hyperdocuments as Automata: Trace-based ... - Semantic Scholar

Hyperdocuments as Automata: Trace-based ... - Semantic Scholar
Read more
Hyperdocuments as Automata: Trace-based ... - Semantic Scholar

Hyperdocuments as Automata: Trace-based ... - Semantic Scholar
Read more
Automatic Veri cation of Requirements Implementation - CiteSeerX

Automatic Veri cation of Requirements Implementation - CiteSeerX
Read more
Speci cation and Veri cation of Compiler Frontend Tasks - CiteSeerX

Speci cation and Veri cation of Compiler Frontend Tasks - CiteSeerX
Read more
Speci cation and Veri cation of Media Constraints using ... - CiteSeerX

Speci cation and Veri cation of Media Constraints using ... - CiteSeerX
Read more
Speci cation, Veri cation and Prototyping of an Optimized ... - CiteSeerX

Speci cation, Veri cation and Prototyping of an Optimized ... - CiteSeerX
Read more
Program Veri cation using HOL-UNITY - CiteSeerX

Program Veri cation using HOL-UNITY - CiteSeerX
Read more
Towards Formal Speci cation and Veri cation in ... - CiteSeerX

Towards Formal Speci cation and Veri cation in ... - CiteSeerX
Read more
Group Membership Protocol: Speci cation and Veri cation ... - CiteSeerX

Group Membership Protocol: Speci cation and Veri cation ... - CiteSeerX
Read more
Data-Structures for the Veri cation of Timed Automata? S - CiteSeerX

Data-Structures for the Veri cation of Timed Automata? S - CiteSeerX
Read more
Speci cation, Veri cation and Prototyping of an ... - Google Sites

Speci cation, Veri cation and Prototyping of an ... - Google Sites
Read more
Speci cation, Veri cation and Prototyping of an ... - Semantic Scholar

Speci cation, Veri cation and Prototyping of an ... - Semantic Scholar
Read more
Cryptographic Veri cation of Test Coverage Claims - CiteSeerX

Cryptographic Veri cation of Test Coverage Claims - CiteSeerX
Read more
Automatic Generation of Assertions for Formal Veri cation ... - CiteSeerX

Automatic Generation of Assertions for Formal Veri cation ... - CiteSeerX
Read more
Formal Design and Veri cation of a Reliable Computing ... - CiteSeerX

Formal Design and Veri cation of a Reliable Computing ... - CiteSeerX
Read more
Compositional Veri cation of Real-Time Applications

Compositional Veri cation of Real-Time Applications
Read more
Visual Veri cation of Reactive Systems?

Visual Veri cation of Reactive Systems?
Read more
Formal Design and Veri cation of a Reliable Computing ... - CiteSeerX

Formal Design and Veri cation of a Reliable Computing ... - CiteSeerX
Read more
Semantic Veri cation of Web Sites Using Natural Semantics - CiteSeerX

Semantic Veri cation of Web Sites Using Natural Semantics - CiteSeerX
Read more
Automatic veri cation of GIS data using high resolution ... - CiteSeerX

Automatic veri cation of GIS data using high resolution ... - CiteSeerX
Read more
Automatic Veri cation of Concurrent Ada Programs - CiteSeerX

Automatic Veri cation of Concurrent Ada Programs - CiteSeerX
Read more