Handling Conflicts in Depth-First Search for LTL Tableau to Debug Compliance Based Languages
EE. Pimentel, V. Valero (Eds.): Workshop on Formal Languagesand Analysis of Contract-Oriented Software 2011 (FLACOS’11)EPTCS 68, 2011, pp. 39–53, doi:10.4204/EPTCS.68.5
Handling Conflicts in Depth-First Search for LTL Tableau toDebug Compliance Based Languages ∗ Francois Hantry Mohand-Said Hacid
Universit´e Claude Bernard Lyon 1LIRIS CNRS UMR 5205Lyon, France [email protected] [email protected]
Providing adequate tools to tackle the problem of inconsistent compliance rules is a critical researchtopic. This problem is of paramount importance to achieve automatic support for early declarativedesign and to support evolution of rules in contract-based or service-based systems. In this paper weinvestigate the problem of extracting temporal unsatisfiable cores in order to detect the inconsistentpart of a specification. We extend conflict-driven SAT-solver to provide a new conflict-driven depth-first-search solver for temporal logic. We use this solver to compute LTL unsatisfiable cores withoutre-exploring the history of the solver.
Providing adequate tools to tackle the problem of inconsistent compliance rules is a critical researchtopic. However, few tools fully analyze conflicts over underpinning logics of a natural language (eg.temporal logic, deontic logic...). Such early and declarative specifications can be critical for specifyingpolicies and requirements in agile and distributed environments. Thus, formal languages for compliancerequirements and their analysis have become critical in many computer science domains (eg businessprocess management, service oriented computing, e-commerce). An ongoing research topic is the anal-ysis of a conflicting set of temporal logic compliance rules. For instance, Table 1.a gives a toy set ofcompliance rules. It will be used as a running example in the paper. All those rules except the last oneoriginate from an ongoing supply contract. Let us assume that the last one (r3.c) originates from anotherinternal requirement from a supplier. It comes out that this new requirement entails a conflict with rules(r3.a) and rules (r3.b) shown on Table 1.b. This example shows the importance of automatic detectionof conflicting subsets of compliance rules. This problem is critical for debugging declarative specifica-tions [16, 21], handling conflicting contracts [10], or tackling unrealizable service compositions [20].There exist several formalisms to deal with time such as LTL, MSO [9], TLTL , MTL [1]. These logicsunderpine many of modern compliance languages and their associated theories and tools are used to ad-dress problems related to verification [15, 26, 7], service composition [20], graphical design of propertypatterns [21, 16].We investigate the problem of efficiently extracting temporal logic unsatisfiable cores for debuggingcompliance rules. Intuitively, an unsatisfiable core is a conflicting subset of rules. We restrict ourselvesto LTL for which many results and efficient model checking methods exist. However, the problem ofefficiently detecting a small LTL unsatisfiable core is still open [23] [6]. Conflict driven methods existfor SAT-solver algorithms. They provide quite efficient extraction of conflicting rules written in proposi-tional logic [28]. SAT-solvers have been extended (e.g.,Unbounded Model Checking (UMC) SAT-solvers ∗ The research leading to these results has received funding from the European Community’sSeventh Framework ProgrammeFP7/2007-2013 under grant agreement 215483 (S-Cube). [2]) to deal with the more expressive LTL. For the case of satisfiability , it consists in searching a lasso-shaped model of length k ≤ O ( | f | ) and in reducing to boolean SAT problems for increasing k ∈ [ , O ( | f | ) ] .One of critical (and basic) points of current boolean SAT-solvers is their ability of pruning ‘bad’ searchspace. It is based on a smart use of boolean propagation. Analyzing the propagation enables to han-dle conflict while backtracking and enables to avoid revisiting immediately the same conflict. Learningconflict using conflict clause also avoids revisiting the conflict later. This conflict-driven approach leadseasily to the extraction of a core. [6] proposes to extract unsatisfiable cores from the UMC method of[17]. The authors propose also a ‘Sat Modulo Theory’ like framework applied with symbolic globalmodel checking [5], but the conflict handling is not introduced inside the symbolic global model check-ing. [23] analyzes a very expanded tableau of [14] to define unsatisfiable core but again no analysis ofconflict is performed. Thus, on the contrary to boolean SAT-solver and extended UMC, neither globalmodel checking, nor On-The-Fly techniques handle conflict. Moreover, in the nineties, resolution [12]for temporal logic has been proposed to tackle unfair SCC as minimal ‘temporal conflict’ but to the bestof our knowledge current boolean SAT-Solvers(e.g.,[17],[13], [24],[18] ) have not investigated this ideayet, mainly because they are Breadth-First-Search. But, a drawback of resolution is that any conflict isrecorded using resolvent, this entails a too large use of memory space in contrast to On-The-Fly tableau,symbolic model checking and UMC. In this paper, we propose a new conflict-driven depth-first-searchsolver inspired by SAT-based ones, DFS for tableau and resolution for temporal logic. Furthermore, weshow how it is possible to extract a small unsatisfiable core. Overview of the paper
Section 2 introduces Background. Section 3 describes sound technical detailsof section 4. Section 4 shows the Solver. Section 5 is devoted to the correctness, completeness,extractionof unsatisfiable cores. We conclude in Section 6.
Definition 1 (Syntax of LTL)Let P be a non empty finite set of propositional variables, and p ∈ P . A and B two LTL formulas. Atemporal logic formula is inductively built by means of the following rules:TRUE | FALSE | p | A ∧ B | A ∨ B |¬ A | X ( A ) AU B | AW B
Furthermore, G ( A ) = ( A ) W ( FALSE ) and F ( A ) = ( T RU E ) U ( A ) . Definition 2 (Semantic [9]) A linear time structure is an element M in ( P ) N . ∀ i ∈ N , ∀ M ∈ ( P ) N :– ( M , i ) (cid:15) p with p ∈ P iff p ∈ M ( i ) – if A is a propositional combination of LTL formulas ( M , i ) (cid:15) A is defined as usual.– ( M , i ) (cid:15) X ( A ) iff ( M , i + ) (cid:15) A – ( M , i ) (cid:15) AU B iff ∃ j ≥ i , ( M , j ) (cid:15) B and ∀ k , i ≤ k < j , ( M , k ) (cid:15) A – ( M , i ) (cid:15) AW B iff ∀ j ≥ i , ( M , j ) (cid:15) A or ( ∃ j ≥ i , ( M , j ) (cid:15) B and ∀ k , i ≤ k < j , ( M , k ) (cid:15) A ) No model to check against a LTL formula The expansion disregards boolean conflict . Hantry,M-S. Hacid 41
Rules LTLr1.a F ( o ) r1.b G ( ¬ c ) r2.a G ( o ⇒ ( F ( p ) ∧ F ( g ))) r2.b ( ¬ g ) W p r3.a F ( i ) r3.b ( ¬ i ) W p r3.c G ( p ⇒ G ( ¬ i )) (a) compliance rules. Conflicting Rules LTL core
T RU ET RU ET RU ET RU E r3.a F ( i ) r3.b ( ¬ i ) W p r3.c G ( p ⇒ G ( ¬ i )) (b) unsatisfiable core. Table 1: LTL-translations of the running exampleIntuitively, the formula X ( A ) stands for ‘at the next time A will hold’, AU B stands for ‘ B will hold inthe future and from current time until B holds, A must hold’, AW B stands for ‘if B holds in the future thenfrom current time until B holds, A must hold, and if B will never hold, then A must hold forever(weakuntil)’. G ( A ) stands for ‘at any time A holds’ and F ( A ) stands for ‘ A will hold in the future’. For instance ¬ iW p means that i cannot occur as long as p has not occurred.In the rest of the paper we will assume w.l.g that any LTL formula solely may contain ¬ symbol appliedto propositional variable(s). We call such formula Negative Normal Form (NNF). Definition 3 (LTL SAT problem) A LTL formula φ is satisfiable iff there exists a linear model M suchthat ( M , ) (cid:15) φ . Conversely, a LTL formula φ is unsatisfiable iff there is no linear model M such that ( M , ) (cid:15) φ . Definition 4 (unsatisfiable core) An unsatisfiable core of an unsatisfiable formula φ is a formula φ (cid:48) such that (1) φ (cid:48) is the result of some substitution(s) in φ of some positive subformula(s) by TRUE, (2) φ (cid:48) has no subformula of the form AU / W ( T RU E ) , ( T RU E ) W B , A ∨ ( T RU E ) , ∧ i True or X ( T RU E ) and (3) φ (cid:48) still remains unsatisfiable. Table 1.b shows a small unsatisfiable core of our toy example formula. Itis critical to find a small (or ideally a minimal (MU)) unsatisfiable core in order to detect the cause of aconflict. Theorem 1 (LTL minimal unsatisfiable core decision problem)Deciding if a LTL formula is a minimal unsatisfiable core is in P-SPACE( sketch of the proof ): For each positive subformula of f , substitute by T RU E and check unsatisfiability.f is a MU iff any substitution leads to a satisfiable formula. There is a linear number of subformulas,and each checking is in P − SPACE.
We furthermore conjecture that the above problem is P-SPACE complete.[23] discusses the notion of granularity of core. A coarse unsatisfiable core of a formula f : f ∧ f ... ∧ f n only substitutes T RU E at the f j and not in a deeper subformula. Structure preserving translations ofthe LTL formula f into definitional conjunctive normal form provide an equi-satisfiable formula f (cid:48) : f (cid:48) ∧ f (cid:48) ... ∧ f (cid:48) m . The minimal coarse unsatisfiable cores of f (cid:48) correspond to the minimal unsatisfiablecores of f (see [23] for details). For instance if f : G ( a ∧ ¬ b ) ∧ F ( b ) , an equi-satisfiable formula maybe f (cid:48) : G ( x a ∧¬ b ) ∧ G ( x a ∧¬ b ⇒ a ) ∧ G ( x a ∧¬ b ⇒ ¬ b ) ∧ F ( b ) . A coarse MU of f (cid:48) is G ( x a ∧¬ b ) ∧ T RU E ∧ G ( x a ∧¬ b ⇒ ¬ b ) ∧ F ( b ) . It provides a f -MU : G ( T RU E ∧ ¬ b ) ∧ F ( b ) . W.l.g [23], the solver will focus An unsatisfiable core φ is minimal iff φ is its only one unsatisfiable core on finding small coarse unsatisfiable core. Definition 5 (Closure) Let f a LTL formula. We note the set of closure variables of f - Cl ( f ) - as thesmallest set Set such that :– f ∈ Set – If ψ = ψ ∧ .. ∧ ψ s ∈ Set and ψ j is not a conjunction, ∀ j ψ j ∈ Set – If ψ = ψ ∨ .. ∨ ψ r ∈ Set and ψ j is not a disjunction, ∀ j ψ j ∈ Set – If ψ = F / G ( ψ (cid:48) ) ∈ Set , ψ (cid:48) ∈ Set and
X F / G ( ψ (cid:48) ) ∈ Set – If ψ = ψ (cid:48) U / W ψ (cid:48)(cid:48) ∈ Set , ψ (cid:48)(cid:48) and ψ (cid:48) ∧ X ( ψ ) are in Set – If ψ = X ( ψ (cid:48) ) ∈ Set then ψ (cid:48) ∈ Set
Furthermore the number of closure variables of Cl ( f ) is linear in the size of f [11].A traditional mathematical tool to analyze satisfiability is tableau. It is a particular automata ofstates, whose any state is a subset of Cl ( f ) . Intuitively, a state is built from a prestate. A prestate is eitherthe starting state containing only the starting formula f either a state containing only closure formulasderived from a precedent state. The derivation of a formula X h at a state is h at the next prestate. Theprestates are intermediary results to build the tableau and do not occur in the tableau except the first one.On Figure 1, the rounded rectangle is a prestate, the others are states. A state is computed by unwindingthe formulas and making a choice for the disjunctive ones. For instance, the occurrence of G ( ¬ i ) impliesthe occurrence of ¬ i and X G ( ¬ i ) . In Figure 1, at the goal state of transition 1, the p is chosen from thedisjunction p ∨ ( ¬ i ∧ X ( ¬ iW p )) unwound from ¬ iW p . Definition 6 (state, prestate, f -tableau) The f -tableau is a special finite state automata ( St , s , R ) with St the set of states, s the initial state and R ⊂ ST the set of transitions. The f -tableau is the ’minimal’automata A such that:– Any state of A is a subset of Cl ( f ) .– s is a prestate with s = ∪ i { f i } where f = ∧ i f i .– Let a set S derived from a prestate PS st. PS ⊂ S ⊂ Cl ( f ) and ∃ ρ a total choice function from S ∩ ( dis junction ∪ Future ∪ U ntil ∪ WU ntil ) to S . Furthermore, if S is the smallest set Set suchthat – PS ⊆ Set – If ψ = ψ ∧ .. ∧ ψ s and ψ j is not a conjunction, ∀ j ψ j ∈ Set – If ψ = ψ ∨ .. ∨ ψ r and ψ j is not a disjunction, ρ ( ψ ) = ψ j ∈ Set for some j – If ψ = F ( ψ (cid:48) ) , ρ ( ψ ) ∈ { ψ (cid:48) ; X F ( ψ (cid:48) ) } ∩ Set – If ψ = G ( ψ (cid:48) ) , ψ (cid:48) ∈ Set and
X G ( ψ (cid:48) ) ∈ Set – If ψ = ψ (cid:48) U / W ψ (cid:48)(cid:48) , ρ ( ψ ) ∈ { ψ (cid:48)(cid:48) ; ψ (cid:48) ∧ X ( ψ ) } ∩ Set ,then S is a state of A .– Let a set PS containing only all formulas derived from a precedent state S such that PS = { φ , st . X φ ∈ S } . Then, PS is a prestate of A .– Transitions R of a f -tableau stand for the collapsing of S → PS → S derivation sequences, i.e.,collapsed transitions of the form S → S . . Hantry,M-S. Hacid 43 F ( i ) , ¬ iW pG ( ¬ c ) , ¬ c , X ( G ( ¬ c )) G ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) , ¬ iW p , pG ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) G ( ¬ i ) , ¬ i , XG ( ¬ i ) XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) G ( ¬ i ) , ¬ i , XG ( ¬ i ) , G ( p ⇒ G ( i )) , ¬ p ∨ G ( ¬ i ) , XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) G ( ¬ i ) , ¬ i , XG ( ¬ i ) , G ( p ⇒ G ( i )) , ¬ p ∨ G ( ¬ i ) , ¬ p , XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) , ¬ iW p , ¬ i ∧ X ( ¬ iW p )) , X ( ¬ iW p ) G ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) G ( ¬ i ) , ¬ i , XG ( ¬ i ) , XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) , ¬ iW p , ¬ i ∧ X ( ¬ iW p )) , X ( ¬ iW p ) G ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) , ¬ pXG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ c ) , ¬ c , X ( G ( ¬ c )) , ¬ iW p , ¬ i ∧ X ( ¬ iW p )) , X ( ¬ iW p ) G ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) , ¬ pG ( ¬ i ) , ¬ i , XG ( ¬ i ) , XG ( p ⇒ G ( ¬ i )) Theorem 2 ([19],[14]) A LTL formula f is satisfied iff there exists a path of states in the f -tableau(finite with no successor at the last state or infinite) starting from the starting prestate and such that anyoccurrence of Future and Until modal operator in a state of the path fulfills its corresponding promiseoperand later (in the future) in the path. We call the path : fair path.In Figure 1, f is a simpler version of our toy example, and there is only unsatisfiable paths (infinitein this case) since each possible path contains a Future F ( i ) but does not realize the promise operand i .An argument is that any infinite path will reach in the future a Strongly Connected Component (SCC)where the path will remain in forever. Then f is unsatisfiable. On-the-fly techniques for satisfiability oftemporal logic (eg. [14], [19]) use nested deep-first-search of fair loop or simple deep first search of fairSCC. Theorem 3 ([25],[19]) There exists a depth-first-search algorithm for computing SCCs of a f -tableau,and for deciding their fairness.In Figure 1, the exploration steps of simple depth-first-search follow the numbered labels on thetransitions. An example of a SCC is the set of states as a support for the set of transitions {
3; 4; 5; 6 } . disjunctive unwinding are not shown in the tableau since this is an intermediary result F ( i ) , ¬ iW pG ( ¬ ( c )) , G ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ ( c )) , ¬ c , XG ( ¬ ( c )) ¬ iW p , pG ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) G ( ¬ i ) , ¬ i , XG ( ¬ i ) XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ ( c )) , ¬ c , XG ( ¬ ( c )) G ( ¬ i ) , ¬ i , XG ( ¬ i ) , G ( p ⇒ G ( i )) , ¬ p ∨ G ( ¬ i ) , XG ( p ⇒ G ( ¬ i )) F ( i ) , X ( F ( i )) G ( ¬ ( c )) , ¬ c , XG ( ¬ ( c )) , ¬ iW p , ¬ i ∧ X ( ¬ iW p )) , X ( ¬ iW p ) G ( p ⇒ G ( ¬ i )) , ¬ p ∨ G ( ¬ i ) , ¬ pXG ( p ⇒ G ( ¬ i ))
123 54Figure 2: Depth-first-search with conflict handling and prime implicant
We will show how it is possible, by handling conflicts, to enhance above depth-first search method andto drastically shrink the search space. Our solver shown in Section 4 is based on the following intuitions.First, the idea is to record which occurrences of elements of the closure at a given state entail another oneby using unit rule propagation technique from SAT-Solvers. It enables to extract cause of conflict andnon-chronologically backtrack at the last involved choice and eventually to learn information from theconflict, in order to not revisit the same conflict. Furthermore, our solver uses fair prime implicant searchto also shrink good but redundant search space. These optimizations enable to only explore the tableauof Figure 2 to decide unsatisfiability of the running example f − tableau of figure 1. In the following weexplain how unwinding from prestate to state is simulated by a boolean SAT-problem. To tackle the particular choice function handling at Definition 5 (one literal per occurring disjunction) weneed a ’three-values’ logic which enables partial instantiation. It is also convenient for prime implicanthandling.
Definition 7 (‘three-value’ logic, closure variables, literals, clause) Let S be a set of LTL formulas. Wecall state closure of S - StCl ( S ) - any formula met in Set of the closure algorithm with the initial conditionon
Set = S instead of Set = { f } and without the last rules ( X g derives g ). For any element g in the closurewe note x g a fresh boolean variable, that we call closure variable . This means presence of g in the state.We will use the word ‘literal’ for x g or ¬ x g . Finally, we call a clause a disjunction of such literals (alsorepresented by a set of literals). Let S (cid:48) ⊂ Cl ( f ) . We say that S (cid:48) is conflicting if there exists h and ¬ h in S (cid:48) .Let V be a set of closure variables, L the literals of V . Then if g and h are ‘three-values’ logic formulasthen x h (cid:48) ∈ V , g ∧ h , and ¬ g are ‘three-values’ formulas. Furthermore assuming S (cid:48) is non-conflicting :– S (cid:48) (cid:15) x h (cid:48) iff h (cid:48) ∈ S (cid:48) – S (cid:48) (cid:15) g ∧ h iff S (cid:48) (cid:15) g and S (cid:48) (cid:15) h – S (cid:48) (cid:15) ¬ g iff S (cid:48) (cid:50) g We say that a three-values formula g is valid iff for any non-conflicting set of S (cid:48) , S (cid:48) (cid:15) g . We say that g isfair-valid if for any S (cid:48) which is a state from any fair path S (cid:48) (cid:15) g . Definition 8 ( Unwinding clauses from a prestate) Let PS a prestate and Presence ( PS ) = { x h | h ∈ PS } .The corresponding Unwound Clause Set UCS ( PS ) is a set containing the unwound clauses and AU X ( PS ) . Hantry,M-S. Hacid 45 the three values conditions. Set , AU X ( PS ) and UCS ( PS ) are the smallest sets following the rules :– Presence ( PS ) ⊆ Set ∩ UCS ( PS ) – If x ψ = x ψ ∧ .. ∧ ψ s ∈ Set and any x ψ j is not a conjunction, ∀ j the formulas x ψ ⇒ x ψ j ∈ UCS and ∀ j x ψ j ∈ Set – If x ψ = x ψ ∨ .. ∨ ψ r ∈ Set and any x ψ j is not a disjunction, x ψ ⇒ ( x ψ ∨ ... ∨ x ψ r ) ∈ UCS and ∀ j x ψ j ∈ Set – If x ψ = x ψ (cid:48) U / W x ψ (cid:48)(cid:48) , x ψ ⇒ ( x ψ (cid:48)(cid:48) ∨ ( x ψ (cid:48) ∧ X ( ψ ) )) ∈ UCS and x ψ (cid:48)(cid:48) and x ψ (cid:48) ∧ X ( ψ ) ∈ Set – x h , x ¬ h ∈ Set then ¬ x h ∨ ¬ x ¬ h ∈ AU X
Furthermore,
AU X ( f ) (resp. UCS ( f ) , Presence ( f ) )is the union of AU X ( PS ) for any PS in the f -tableau (resp UCS ( PS ) , Presence ( PS ) ). The unwound formulas UCS ( PS ) \ Presence ( PS ) are fair validformulas (see proof section 5) and of the form x φ ⇒ dis j x φ where dis j x φ is the classical disjunctiveunwinding of closure formulas [14], [19].The formula f of Figure 3 provides the clause UCS ( f ) : x F ( i ) ⇒ x i ∨ x XF ( i ) x G ¬ c ) ⇒ x XG ¬ c x G ¬ c ⇒ x ¬ c x ( ¬ i ) W p ⇒ x p ∨ x ¬ i ∧ X (( ¬ i ) W p ) x ¬ i ∧ X (( ¬ i ) W p ) ⇒ x ¬ i x ¬ i ∧ X (( ¬ i ) W p ) ⇒ x X (( ¬ i ) W p ) x G ( p ⇒ G ( ¬ i ))) ⇒ x XG ( p ⇒ G ( ¬ i )) x G ( p ⇒ G ( ¬ i ))) ⇒ x p ⇒ G ( ¬ i ) x p ⇒ G ( ¬ i ) ⇒ x ¬ p ∨ x G ( ¬ i ) x G ( ¬ i ) ⇒ x XG ( ¬ i ) x G ( ¬ i ) ⇒ x ¬ i ∀ v ∈ CLST f ¬ x v ∨ ¬ x ¬ v Proposition 1
An instance IS of the boolean SAT problem UCS ( PS ) ∪ AU X ( PS ) provides a state S from PS and reciprocally.Since many instances correspond to a state in the tableau, and since several states may be redundantregarding LTL satisfiability problem, we introduce Fair Prime Implicant. Definition 9 (Fair Prime Implicant) Let IS as above, a Fair Prime Implicant IS . FPI of IS is a maxi-mal switching from some assigned x h at IS to ¬ x h such that h is not a promise operand and IS . FPI (cid:15)
UCS ( PS ) ∪ AU X ( PS ) . At a given IS . FPI it corresponds only one state
FPI in the f -tableau. Theorem 4 (Fair prime implicant version of Depth-First-Search ) A formula f in LTL is satisfiable iffthere exists a fair path solely with FPIs as states.( proof is omitted ).For instance, the FPI technique enables in our depth first search to ignore the goal state of the transitionnumber 4 at Figure 1.To solve the boolean SAT-problem current solvers use unit rule propagation [8]. Definition 10 (Unit rule propagation)– Each instantiated literal must be propagated over any non yet satisfied clause containing the op-posite one. This opposite literal is then temporally erased from the clause.– If a clause becomes unit literal l because of unit rule propagation(s), then l is assignedThis propagation is critical for conflict analysis. In the following we show how to handle unit rulepropagations to support conflict analyses. Intuitively the switching simulates the removal of closure element in corresponding state a Weakest version and optimized one of current solvers requires only propagation along watched literals [22] x F ( i ) x ( ¬ i ) W p x p x p ⇒ G ( ¬ i ) x G ( p ⇒ G ( ¬ i ))) x G ( ¬ c ) x XF ( i ) ¬ x i x XG ( ¬ i ) x G ( ¬ i ) x XG ( p ⇒ G ( ¬ i )) x XG ( ¬ c ) x ¬ c x F ( i ) x G ( ¬ i ) ¬ x ¬ p , , f lip = x G ( p ⇒ G ( ¬ i )) x G ( ¬ c ) x XF ( i ) ¬ x i x XG ( ¬ i ) x p ⇒ G ( ¬ i ) x XG ( p ⇒ G ( ¬ i )) x XG ( ¬ c ) x ¬ c x F ( i ) ¬ x i x G ( ¬ i ) x ¬ p , f lip = x G ( p ⇒ G ( ¬ i )) x G ( ¬ c ) x XF ( i ) x XG ( ¬ i ) x p ⇒ G ( ¬ i ) x XG ( p ⇒ G ( ¬ i )) x XG ( ¬ c ) x ¬ c Figure 3: Implication graph and conflict analyses
The Implication Graph is an extension of propositional SAT-solvers’ one to LTL-tableau. The intuitionis to record the occurrences of elements of the closure at a given state that entail another one. AnImplication Graph is a bicolor graph ( Nodes , T red , T black ) where T red and T black are subsets of Nodes .Figure 3 shows a part of the Implication Graph adapted from the f -tableau of Figure 1. Intuitively, theImplication Graph is a concatenation of several IS s implication graphs denoted IS . IG . The red part T red is used for conflict analysis of the depth-first-search stack S and it is a DAG, and the black part T black records some past red edges and corresponds to the conflict analysis of the SCC-search using stack S (cid:48) and allows loop for inductive reasoning . Nodes’ feature
Intuitively, a Node N stands for an assigned literal at a given state. On Figure 3, therounded corners rectangles are Nodes. Each node is inside a big rectangle standing for state. Moreprecisely, a Node corresponds to the ongoing prestate, to an ongoing IS while it is found and to a chosenextracted IS . FPI in this case. On Figure 3, the three states are the one which support the transitions {
2; 3; 4 } on Figure 1. Furthermore a Node can be either choosen or required. On Figure 3, a chosen nodeis doubly surrounded. The level of a chosen Node N is its chronological order of choice in the whole f -tableau. On figure 3 numbers are levels of chosen nodes. The level of any node N is the maximum level of the choosen nodes which involve N i.e which are ancestors of N in T red . The level of a set ofnodes is the maximum level its nodes. A required node is either without antecedent but with level 0either gets an antecedent in T red . Transitions’ feature
If a Node N l which corresponding literal l comes from a clause C = ∨ j l j ∨ l whichhas become unit, then the red edges ( N ∼ l j , N l ) are in T red just after this unit propagation. Let’s focus onthe above state. For instance, ( x p , x G ( ¬ i ) ) and ( x p ⇒ G ( ¬ i ) , x G ( ¬ i ) ) are red edges because of the unit rulefrom the clause x p ⇒ G ( ¬ i ) ⇒ ( x ¬ p ∨ x G ( ¬ i ) . Furthermore, the derivation from a state to a next state is alsorecorded using red edges such that the occurrence of x Xg ∈ IS . FPI entails the occurrence of x g at the nextprestate. For instance on Figure 3, the above FPI derives to the middle one, thus there exists a red edgein the graph from x XF ( i ) at above state to x F ( i ) at the next one. for understanding but w.l.g, the below state is not a FPI . Hantry,M-S. Hacid 47 Furthermore, while a FPI is revisited, then the current IS implication graph IS . IG has to be con-nected to the first one IG old which visited the same FPI. The algorithm creates black transitions fromany nodes N ( ¬ x op pro ) (resp. x Xh ∈ IS . FPI ) at IS . IG to the same literal one of IG old . This connectionis called ‘bind’ function. For instance, for corresponding derivation on Figure 1 for IS . IG at the goalstate of transitions {
3; 5; 6 } the IS . IG and IG old are the same. For simplicity and w.l.g they have beensuperimposed at Figure 3. In this case, the transitions of ‘bind’have been omitted w.l.g, and solely thebottom-up edges from source state to the goal state of transitions {
3; 5; 6 } are shown (e.g., x XF ( i ) at thebelow state to x F ( i ) at the same state for transition 3). Finally, given a T red and a choosen Node N still red, f lip ( Nodes , T red , T black , N ) = ( Nodes ∪ {∼ N ( red ) } , T red \ { ( N , N ) ∈ T red | level ( N ) ≥ level ( N ) } , T black ) is the flipped Implication Graph regarding N with ∼ N ( red ) a fresh node. Our depth-first search temporal conflict driven solver is a combination of depth first search of fair SCCin tableau [19] and of boolean SAT-solver. Thus, our solver uses unit rule propagation method, booleanconflict handling [22]. It also uses a new temporal conflict driven method inspired by resolution fortemporal logic[12].
Basic Solver Algorithm 1 shows the main method of the algorithm called Solver. At each new prestate,the solver populates by clauses by unwinding the prestate according to Definition 8. Otherwise, unitrules and boolean conflict detection are launched. A Backtrack (Algorithm 2) is triggered in case of aconflict, otherwise if it is possible, a choice of literal following a heuristic is done. Once an IS is foundand a FPI extracted, then a SCC-search-forward (Algorithm 3) function is called. Otherwise the Solveris recursively called. Algorithm 1 : Solver if not unwound then Unwind;Unit-rule ; bool-conflict-detection ; if conflict then Backtrack; if IS found then
SCC-search-forward; else make a choice of literal;Solver ;
Propositional Conflict Handling while backtracking
A Propositional Conflict Handling is trig-gered when a clause is falsified (or equivalently when a literal and its opposite occurs). Similarly toSAT-solvers’one, the Propositional Conflict Handling starts from a set of conflicting nodes
Nodes C andcorresponding literals C which falsifies the clause ¬ C and analyzes which nodes have involved those con-flicting literals using ( Nodes ( red ) , T red ) . Let A ( C ) be the subDAG of ( Nodes ( red ) , T red ) which standsfor ancestors of Nodes C . Let A ( C )( con f lict − level ) be the subDAG of A ( C ) with nodes of ‘conflicting’level of Nodes C ie. con f lict − level and N ( con f lict − level ) the choosen node of level con f lict − level . Let Limit ( C ) = { N ( con f lict − level ) } ∪ ( Parent T red [ A ( C )( con f lict − level ) \ { N ( con f lict − level ) } ] ∩ Level ( con f lict − level − , A ( C ))) where Level ( m , A ( C )) means the subDAG of A ( C ) with node level The particular computation of fixpoint remains the same while superimposing in this simple case The main components of the algorithm are shown in a recursive form for convenience a boolean conflict detection occurs while a clause is falsified by current partial assignment at most m . We call limit conflict clause ¬ Limit ( C ) . The last conflicting choosen node N ( con f lict − level ) is then switched if the corresponding flipped partial assignment has not been visited yet (node.flip=1).In this first case, similarly to boolean SAT-solvers, the function ‘Conflict-require’ adds red edges to ( Nodes ( red ) , T red ) : the red transitions with a source node in Limit ( C ) \ { N ( con f lict − level ) } to thegoal node ∼ N ( con f lict − choice ) . However, differently from boolean SAT-solver, since the algorithmrecords informations in black part ( Nodes ( black ) , T black ) in the second case (flip=2), the same transitionsbut in color black are added. Furthermore, ∼ N ( con f lict − level ) is now required and not choosen. Thosered or black edges are to ensure we can compute the reason of the requirement of ∼ N ( con f lict − level ) .Finally, if the conflict level is 0 then the algorithm terminates by unsatisfiable. Algorithm 2 : BacktrackCompute Conflict-level; if Conflict-level=0 then print (‘unsat’) , break;State-Conflict-Clause-learning;Tableau.IG.erase(Conflict-level); stack-s.erase(C-level);stack-s’.erase(C-level);Conflict-require;SCC-search-backward;On Figure 3, the backtrack is done from the conflicting (see. TC-Analysis) nodes x G ( ¬ i ) and x F ( i ) atthe middle state. Following the red part, the last involved and chosen node is x p at above state. Whilebacktracking bad states and corresponding nodes are erased ( above state at Figure 3). On the contraryto propositional SAT-solver, the algorithm has to record the cause of these states to be bad (to avoidrevisiting them) using a conflict clause per state .These learned clauses must not be forgotten. On figure3, the yellow literals are conflicting literals at middle state but the clause ¬ x G ( ¬ i ) ∨ ¬ x F ( i ) has already beenlearned. At above state, the pink literals provide the learned clause ¬ x p ∨ ¬ x p → G ( ¬ i ) ∨ ¬ x f ( i ) . Finally, aSCC-search backward is launched. Algorithm 2 summarizes the above ideas. We refer to [27] for moredetails about backtracking in boolean SAT-solvers. Algorithm 3 : SCC-search-forward if FPI is new then
Nb(FPI):=i:=i+1;Lp(FPI):=Lv(FPI:=Nb(FPI);stack-s.push(FPI);stack-s’.push(FPI);parent=FPI; prestate=FPI.next();Solver; elsecase state ∈ stack − S Lp(Parent):= min(Lp(Parent),Nb(FPI)); case
FPI / ∈ stack − S ∧ Nb ( parent ) > Nb ( FPI ) Lv(Parent) :=min(Lv(parent),Nb(
FPI ));parent.unr-prom= parent.unr-prom ∩ FPI old .unr-prom; bind ( IS . IG , IG old ) ;SCC-search-backward ; SCC-Search-Forward
The SCC-search-forward shown Algorithm 3 is similar to the ‘forward’ partof the computation of strongly connected components and uses depth first search numbers (Lp,Nb,Lv). Ifthe FPI is new, then new numbers are computed and if it is possible, the next prestate (and corresponding We ask that the conflicting clause forbids corresponding red FPI of state . Hantry,M-S. Hacid 49 prestate Nodes and transitions from derivations) are created from the (red) nodes from literals x Xh ∈ IS . FPI , otherwise the problem is satisfiable. Moreover, if the already visited
FPI old is still in
Stack − S (cid:48) or in Stack − S , a computation on Tarjan’s numbers is also launched. The unrealizable promises arealso computed. Furthermore, in any revisiting case, a rollback is launched while calling SCC-search-backward (see Algorithm 4). SCC-Search-Backward
First the algorithm adds black copies of red edges in IS . IG . Then, startingwith the current choosen node N of current level, the Algorithm 4 simply finds the last non-flipped chosennode. If it is in IS then, it calls f lip ( IG , N ) and Solver. Otherwise change color red to black at the ‘next’edges from parent . IG to IG . Then a SCC test over Tarjan numbers is launched from the parent state,and if a
SCC is found a SCC-handling is called, otherwise, update of unrealizable promise is done. If apromise is unrealizable then SCC-handling calls a Temporal Conflict Analysis (TC-Analysis), otherwisethe problem is satisfiable.
Algorithm 4 : SCC-search-backwardN=node(level)IS.IG.edges.black-copies if N.flip=2 ∧ N ∈ IS then level=level-1; SCC-Search-Backward if N . f lip = ∧ N ∈ IS then flip(IG,N)Solver; if N / ∈ IS then red-to-black-parent.IG-IS.IG-derivationFPI=parent; pop stack-sparent= head stack-s if Lp(FPI)=Nb(FPI)=Lv(FPI) then
SCC − handling ∗ else Lp(parent)=min(Lp(parent),Lp(FPI))Lv(parent)=min(Lv(parent),Lv(FPI))parent.unr-prom= parent.unr-prom ∩ FPI .unr-promSCC-search-backward
SCC − handling ∗ :: if unrealizablepromise = /0 then print ‘satisfiable’; break; else TC-Analysis;
TC-Analysis of unfair SCC
In the SCC, the algorithm 5 chooses an unfair promise and computesa backward fixpoint from some nodes N ( ¬ x op ( Promise ) ) for any SCC states along the recorded blackimplication graph. Precisely, except the root state of the SCC, any state of the SCC gets a correspondingblack ‘IG’ from stack − S which is the IS . IG . edges . black − copies one while SCC-backward-search. Forthe root state SCC, only the nodes N ( x Xh ) and N ( ¬ x op ( Promise ) ) get some black transitions.The fixpoint computation starts from those nodes at IS . IG . edges . black − copies or particular nodes atthe root. Once the inflationary backward fixpoint using T black is terminated, then at each state in SCC , thealgorithm picks up a corresponding IG . For any state, the ‘prestate(s)’ Nodes Nodes prestate in the IG which are also in the fixpoint are declared conflicting with the unfair promise and the algorithm learnsand must not forget the conflict clause. Then, the method erases all the states of this SCC. It finallytriggers a classical Backtracking at the nodes of the Root from the conflicting prestate(s)Nodes of the Please see for more details about Tarjan’s numbers [25] Since the root has been revisited, it gets at least one black IG Algorithm 5 : Temporal Conflict AnalysisINI: Vector= ¬ ops ( Promise ) ∩ SCC ; while ∃ e ∈ Vector ∧ e not marked do mark e ; v = e . black − parents ; for l ∈ v ∧ l not marked do Vector.push(l) end ∀ state ∈ SCC pick up a State.IG;do learn(
Vector ∩ state . IG . prestate , promise );erase SCC;Backtrack;root. At Figure 3, the unfair promise is F ( i ) , and the fixpoint computation is shown by double arrow. Inthis SCC, the yellow and green Nodes are involved in the temporal conflict, and the yellow are the causesof this conflict, ie., x F ( i ) and x G ( ¬ i ) are conflicting. Thus, ¬ x G ( ¬ i ) ∨ ¬ x F ( i ) is learned forever. Lemma 1
Any clause from
AU X ( f ) or UCS ( f ) \ Presence ( f ) are fair valid. proof : Any fair state is non conflicting then AUX is fair valid. By construction, any fair state satisfiesany clause from UCS ( PS ) \ Presence ( PS ) . Lemma 2
Let f be a LTL formula. Assume the Algorithm has computed a conflict analysis from theconflicting literals C . Let ICl ( f , C ) = AU X ( f ) ∪ UCS ( f ) ∪ Learn ( f , C ) with Learn ( f , C ) containing anylearned clause occurring in the algorithm strictly before C and any limit conflict clause occurring atany conflict handling strictly before C . Assume that Learn ( f , C ) are fair valid clauses. Let C f be theconjunction of conflicting literals used to learn a resulting clause of the conflict analysis ¬ C f . Then ¬ C f is fair valid. sketch of the proof : Thanks to lemma 1,
ICl ( f , C ) \ Presence ( f ) are fair valid clauses. Let any state S from any fair path p of any tableau of a temporal logic formula. Assume now that S (cid:15) C f . We have twocases:1. Either the conflict C is boolean. Let A (cid:48) ( C ) = Level ( A ( C ) , con f lict − level ) and Limit ( C ) asabove. Then each node in A (cid:48) ( C ) \ { n ( con f lict − level ) } is required and it originates either fromstate to prestate derivation, either from a clause Cl ∈ ICl ( f , C ) \ Presence ( f ) which has becomeunit at a given state. Since ICl ( f , C ) \ Presence ( f ) are assumed fair valid then S (cid:48) (cid:15) Cl for such aclause Cl and for any state S (cid:48) in p S . Then the proof from A (cid:48) ( C ) by unit rule of the conflict C of our algorithm implies that there exists a state S (cid:48) con f lict in p S such that S (cid:48) con f lict contains (cid:3) . Thisimplies a contradiction since p is assumed fair and then no state of p should be conflicting.2. Either the conflict C is temporal. Assume S (cid:48) any state of the unfair SCC. For any state of the SCC,let Pre ( S (cid:48) ) be the set of ‘black’ prestates from a chosen IS . IG . from S (cid:48) . Let k ∈ N . Imagine virtuallythe exploration of any non conflicting prefix path p (cid:48) of length k in the induced tableau T ( Pre ) byalso considering ICl ( f , C ) \ Presence ( f ) . It consists of the building of a boolean SAT-problembased on the following observations:– Since any bad old SCC is not reachable by not forgetting any conflict clause of bad state/badSCC, then there exists a k-depth-first navigation over the Prime Implicants from T ( Pre ) but the limit conflict clause is ¬ Limit ( C ) ; we consider it even if the limit conflict clause is not learned by the solver suffixes of p from S . Hantry,M-S. Hacid 51 remaining in the unfair SCC and following the Prime implicant depth-first-search of the f -tableau.– if ( s i = Pre , s i , ...., s i k ) is a Prime Implicant path in T ( Pre ) from the precedent k-depth-first navigation, then from the algorithm, at any transition ( s i j , s i j + ) , it corresponds (several)state(s) Implication graphs IG i j for s i j , and IG i j + for s i j + corresponding at any (re)visit ofthe states.– There exists a k-depth-first navigation of full T ( Pre ) following the Prime implicant depth-first-search of the f -tableau, such that if ( s (cid:48) i = Pre , s (cid:48) i , ...., s (cid:48) i k ) is a path of states in T ( Pre ) ,then a corresponding Prime implicant path ( s i = Pre , s i , ...., s i k ) is one from k-depth-firstnavigation of the Prime implicant f -tableau.– Let Cl ( Pre ) , UC k ( f ) \ Presence k ( f ) , AU X k ( f ) , Learn k ( f , C ) be the timestamped variablesand corresponding clauses. Let Next k = { x j ( X ( f )) ⇒ x j + ( f ) | ≤ j < k } be the clausesencoding the state to next prestate derivations. Then there exists a DLL-exploration E of thepropositional problem Cl ( Pre ) ∪ UC k ( f ) \ Presence k ( f ) ∪ AU X k ( f ) ∪ Learn k ( f , C ) ∪ Next k following the k-depth-first navigation of the full T ( Pre ) but disregarding conflicts which donot occur in the DFS of the SCC in the f -tableau.– Let E (cid:48) be the modified exploration of E but by pruning any part of the exploration whichcontradict any timestamped limit conflict clause.– Let E Promise be the modified exploration of E (cid:48) for the boolean SAT problem Cl ( Pre ) , UC k ( f ) \ Presence k ( f ) , AU X k ( f ) , Learn k ( f , C ) , Next k , x k ( Promise ) without learning. Furthermore itnon chronologically backtracks. It also considers only conflicts of the form { x k ( op ( Promise )) ; ¬ x k ( op ( Promise )) } . Then clearly E Promise does not find any solution because the promise isnot fulfilled and particularly at step k, ie. the boolean problem is unsatisfiable.It is now feasible to show that :(a) The last conflict C last of E Promise is at level 0. This means that ancestor literals in A k ( C last ) with no parent gets a level 0, ie. they correspond to clauses Core k of length one in Cl ( Pre ) , UC k ( f ) \ Presence k ( f ) , AU X k ( f ) , Learn k ( f , C ) , Next k , x k ( op ( Promise )) since there is nolearning in E Promise . Furthermore x k (( op ( Promise )) ∈ Core k . Finally, Core k , UC k ( f ) \ Presence k ( f ) , AU X k ( f ) , Learn k ( f , C ) , Next k , x k ( op ( Promise )) is an unsatisfiable core.(b) Let C f (cid:48) k = Core k \ ( { x k ( op ( Promise )) } ∪ learn k ( f , C )) , then C f (cid:48) k ⊂ Cl ( Pre ) . Let C f k bethe non timestamped literals. Then if S (cid:15) C f k and since S is a state of a fair path, thenif p S , k is the suffix path from S but truncated of length k , p S , k (cid:15) Core k \ x k ( op ( Promise )) , UC k ( f ) \ Presence k ( f ) , AU X k ( f ) , Learn k ( f , C ) , Next k (cid:15) ¬ x k ( op ( Promise )) (c) C f k = { e ∈ Pre | N ( e = e ) → N ( e ) → ... → N ( e k = ¬ x op ( Promise ) ) , with N ( e i ) → N ( e i + ) ∈ T black and N ( ¬ x op ( Promise ) ) ∈ SCC } It is then straightforward that if S (cid:15) x Promise ∧ k ∈ N C f k then there is a contradiction since p S willnever realize the operand promise x op ( Promise ) . Furthermore, ∧ k ∈ N C f k is computed as the set of Pre contained in the backward fixpoint over T Black computing ancestors of any ¬ x op ( Promise ) for allstates of the SCC. Theorem 5
The learned clauses and Limit conflict clauses are fair valid. sketch of the proof : By chronological induction on the learned clause and limit conflict clause perconflict. First, assume that conflict C is the first, thus the Learn ( f , C ) = /0 at lemma 2. Thus ¬ C f and in case of propositional conflict ¬ Limit C is fair valid. Assume now that Learn ( f , C ) are valid. Thanks to lemma 2, it follows that ¬ C f and ¬ Limit ( C ) are fair valid. Theorem 6
The algorithm terminates, is correct and complete( sketch of the proof ): As long as a state is not known to be bad or in a Bad SCC, then it is recorded to avoid infinite loop. As soon as it is sure that it is a bad state or in a bad SCC, then a clause which willnever be forgotten and standing for the bad state is learned. Thus, our algorithm is similar to a depth-first-search of SCC in a LTL tableau [19]. However, as soon as there is a conflict, the algorithm prunespart of the tableau which is sure to lead to a failing state/SCC by, sound learning and backtracking usingimplication dependencies of conflict. Theorem 7 (Extraction of coarse small unsatisfiable core)If f = ∧ i f i then ∧ i { f i | x f i ∈ A ( C last ) } is a coarse small unsatisfiable core.( sketch of the proof ): If the algorithm terminates with ‘unsat’, the last conflict C last is at level 0. Thismeans that ancestor nodes in A ( C last ) with no parent gets a level 0, ie. they correspond to some clausein presence ( f ) : x f i where f = ∧ i f i or eventually to some learned clause of the form ¬ x h . But since ICl ( f , C last ) \ Presence ( f ) are fair valid, then ∧ i { f i | x f i ∈ A ( C last ) } is a coarse small unsatisfiable core. In order to detect which compliance rules are conflicting, we have provided a conflict-driven Tableaudepth-first-search for LTL. We have shown how it can be used to extract a small unsatisfiable core. Ourmethod is theoretically
EX PT IME and
EX PSPACE , but although deciding a MU is in P − SPACE no P − SPACE method have been proposed to extract cores yet. Our method does not suffer from cumbersometimestamped variables, handling of incrementation, searching upper bound for UMC. Implementation isongoing work. Three enhancements of the method would be to study a QBF-encoding of our method andanalyzes if the learning we propose is easy for QBF solvers to learn. Other ways could be to use symbolicDFS [3] or alternating B¨uchi automata. Detecting conflicts in rules is critical for human interactivecontract management systems. Moreover, our method pinpoints temporal issues in any automatic toolwhich is sensitive to the consistency of many evolving heterogeneous policies such as regulatory laws,internal business rules, security or privacy. The extension of our method to deontic modality [4, 10] usedin contracts appears straightforward, and we are also focusing on this issue.
References [1] Rajeev Alur & Thomas A. Henzinger (1991):
Logics and Models of Real Time: A Survey . In:
REX Workshop ,pp. 74–106, doi:10.1007/BFb0031988.[2] Armin Biere, Alessandro Cimatti, Edmund M. Clarke & Yunshan Zhu (1999):
Symbolic Model Checkingwithout BDDs . In:
TACAS , pp. 193–207, doi:10.1007/3-540-49059-0 14.[3] Armin Biere, Edmund M. Clarke & Yunshan Zhu:
Multiple State and Single State Tableaux for CombiningLocal and Global Model Checking . doi:10.1007/3-540-48092-7 8.[4] Jan Broersen, Frank Dignum, Virginia Dignum & John-Jules Ch. Meyer (2004):
Designing a Deontic Logicof Deadlines . In:
DEON , doi:10.1007/978-3-540-25927-5 5.[5] Jerry R. Burch & all. (1992):
Symbolic Model Checking: States and Beyond . Inf. Comput. by a hash table for instance . Hantry,M-S. Hacid 53[6] A. Cimatti, M. Roveri, V. Schuppan & S. Tonetta (2007): Boolean Abstraction for Temporal Logic Satisfia-bility . In:
CAV , pp. 532–546, doi:10.1007/978-3-540-73368-3 53.[7] Elio Damaggio, Alin Deutsch & Victor Vianu (2011):
Artifact systems with data dependencies and arith-metic . In:
ICDT , pp. 66–77, doi:10.1145/1938551.1938563.[8] Martin Davis, George Logemann & Donald W. Loveland (1962):
A machine program for theorem-proving . Commun. ACM
Temporal and Modal Logic . HTCS, Volume B: Formal Models and Sematics (B) .[10] Stephen Fenech, Gordon J. Pace & Gerardo Schneider (2009):
Automatic Conflict Detection on Contracts .In:
ICTAC , pp. 200–214, doi:10.1007/978-3-642-03466-4 13.[11] Michael J. Fischer & Richard E. Ladner (1979):
Propositional Dynamic Logic of Regular Programs . J.Comput. Syst. Sci.
A Resolution Method for Temporal Logic . In:
IJCAI , pp. 99–104.[13] Malay K. Ganai, Aarti Gupta & Pranav Ashar (2005):
Beyond safety: customized SAT-based model checking .In:
DAC , pp. 738–743, doi:10.1145/1065579.1065773.[14] Rob Gerth, Doron Peled, Moshe Y. Vardi & Pierre Wolper (1995):
Simple on-the-fly automatic verificationof linear temporal logic . In:
PSTV , pp. 3–18.[15] Aditya Ghose & George Koliadis (2007):
Auditing Business Process Compliance . In:
ICSOC , pp. 169–180,doi:10.1007/978-3-540-74974-5 14.[16] C. Giblin, A. Liu, S. M¨uller & B. Pfitzmann (2005):
Regulations Expressed As Logical Models (REALM) .In:
JURIX , pp. 37–48.[17] Keijo Heljanko, Tommi A. Junttila & Timo Latvala (2005):
Incremental and Complete Bounded ModelChecking for Full PLTL . In:
CAV , pp. 98–111, doi:10.1007/11513988 10.[18] Toni Jussila & Armin Biere (2007):
Compressing BMC Encodings with QBF . Electr. Notes Theor. Comput.Sci.
A Decision Algorithm for Full Propositional TemporalLogic . In:
CAV , pp. 97–109, doi:10.1007/3-540-56922-7 9.[20] Annapaola Marconi & Marco Pistore (2009):
Synthesis and Composition of Web Services . In:
SFM , pp.89–157, doi:10.1007/978-3-642-01918-0 3.[21] M. Montali, M. Pesic, W. v.d. Aalst, F. Chesani & P. Mello (2010):
Declarative specification and verificationof service choreographies . TWEB
Chaff: Engineering an Efficient SATSolver . In:
DAC , pp. 530–535. Available at .[23] Viktor Schuppan (2010):
Towards a notion of unsatisfiable and unrealizable cores for LTL . Science ofComputer Programming doi:10.1016/j.scico.2010.11.004.[24] Mary Sheeran, Satnam Singh & Gunnar St˚almarck (2000):
Checking Safety Properties Using Induction anda SAT-Solver . In:
FMCAD , pp. 108–125, doi:10.1007/3-540-40922-X 8.[25] Robert Endre Tarjan (1972):
Depth-First Search and Linear Graph Algorithms . SIAM J. Comput.
BPSL Modeler - Visual Notation Language for Intuitive Business PropertyReasoning . ENTCS
Efficient Conflict Driven Learning in BooleanSatisfiability Solver . In:
ICCAD , pp. 279–285. Available at http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.18.2715 .[28] L. Zhang & S. Malik (2003):
Extracting small unsatisfiable cores from unsatisfiable Boolean formula.
In: