Daniele Varacca

Counterexamples in Probabilistic LTL Model Checking for Markov Chains

We propose a way of presenting and computing a counterexample in probabilistic LTL model checking for discrete-time Markov chains. In qualitative probabilistic model checking, we present a counterexample as a pair (*** ,*** ), where *** ,*** are finite words such that all paths that extend *** and have infinitely many occurrences of *** violate the specification. In quantitative probabilistic model checking, we present a counterexample as a pair (W ,R ), where W is a set of such finite words *** and R is a set of such finite words *** . Moreover, we suggest how the counterexample presented helps the user identify the underlying error in the system by means of an interactive game with the model checker.

Defining Fairness in Reactive and Concurrent Systems

We define when a linear-time temporal property is a fairness property with respect to a given system. This captures the essence shared by most fairness assumptions that are used in the specification and verification of reactive and concurrent systems, such as weak fairness, strong fairness, k-fairness, and many others. We provide three characterizations of fairness: a language-theoretic, a game-theoretic, and a topological characterization. It turns out that the fairness properties are the sets that are “large” from a topological point of view, that is, they are the co-meager sets in the natural topology of runs of a given system. This insight provides a link to probability theory where a set is “large” when it has measure 1. While these two notions of largeness are similar, they do not coincide in general. However, we show that they coincide for ω-regular properties and bounded Borel measures. That is, an ω-regular temporal property of a finite-state system has measure 1 under a bounded Borel measure if and only if it is a fairness property with respect to that system. The definition of fairness leads to a generic relaxation of correctness of a system in linear-time semantics. We define a system to be fairly correct if there exists a fairness assumption under which it satisfies its specification. Equivalently, a system is fairly correct if the set of runs satisfying the specification is topologically large. We motivate this notion of correctness and show how it can be verified in a system.

Typed event structures and the linear π-calculus

We propose a typing system for the true concurrent model of event structures that guarantees the interesting behavioural properties known as conflict freeness and confusion freeness. Conflict freeness is the true concurrent version of the notion of confluence. A system is confusion free if nondeterministic choices are localised and do not depend on the scheduling of independent components. Ours is the first typing system to control behaviour in a true concurrent model. To demonstrate its applicability, we show that typed event structures give a semantics of linearly typed version of the @p-calculi with internal mobility. The semantics we provide is the first event structure semantics of the @p-calculus and generalises Winskels original event structure semantics of CCS.

Semantic Subtyping for Objects and Classes

We propose an integration of structural subtyping with boolean connectives and semantic subtyping to define a Java-like programming language that exploits the benefits of both techniques. Semantic subtyping is an approach to defining subtyping relation based on set-theoretic models, rather than syntactic rules. On the one hand, this approach involves some non trivial mathematical machinery in the background. On the other hand, final users of the language need not know this machinery and the resulting subtyping relation is very powerful and intuitive. While semantic subtyping is naturally linked to the structural one, we show how the framework can also accommodate the nominal subtyping. Several examples show the expressivity and the practical advantages of our proposal.

Fair adversaries and randomization in two-player games

Two-player games are used to model open systems. One player models the system, trying to respect some specification, while the other player models the environment. In classical model checking, the objective is to verify that the system can respect its specification, whatever the environment does. In this article, we consider a more realistic scenario when the environment is supposed to be fair. We define a notion of fair player in two-player games. Our solution is inspired by Banach-Mazur games, and leads to a definition of a novel class of 3-player games called ABM-games. For ω-regular specifications on finite arenas, we explore the properties of ABM-games and devise an algorithm for solving them. As the main result, we show that winning in an ABM-game (i.e. winning against a fair player) is equivalent to winning with probability one against the randomized adversary.

A Petri Net Model of Handshake Protocols

We propose a Petri net model of handshake protocols. These are asynchronous communication protocols which enforce several properties such as absence of transmission interference and insensitivity from delays of propagation on wires. We introduce the notion of handshake Petri net, a Petri net with a specific external interface. We show that the set of observable quiescent traces generated by such a net captures the properties defining a handshake protocol. Conversely we show that for any handshake protocol we can construct a corresponding net. We also study different subclasses of the model. Many examples are provided.

Model checking almost all paths can be less expensive than checking all paths

We compare the complexities of the following two model checking problems: checking whether a linear-time formula is satisfied by all paths (which we call universal model checking) and checking whether a formula is satisfied by almost all paths (which we call fair model checking here). For many interesting classes of linear-time formulas, both problems have the same complexity: for instance, they are PSPACE-complete for LTL. In this paper, we show that fair model checking can have lower complexity than universal model checking, viz., we prove that fair model checking for L(F∞) can be done in time linear in the size of the formula and of the system, while it is known that universal model checking for L(F∞) is co-NP-complete. L(F∞) denotes the class of LTL formulas in which (F∞) is the only temporal operator. We also present other new results on the complexity of fair and universal model checking. In particular, we prove that fair model checking for RLTL is co-NP-complete.

Place Bisimulation and Liveness for Open Petri Nets

Petri nets are a kind of concurrent models for distributed and asynchronous systems. However they can only model closed systems, but not open ones. We extend Petri nets to model open systems. In Open Petri Nets, the way of interaction is achieved by composing nets. Some places with labels, called open or external, are considered as an interface with environment. Every external places are both input and output ones. Two such open Petri nets can be composed by joining the external places with the same label. In addition, we focus on the operational semantics of open nets and study observational properties, especially bisimulation properties. We define place bisimulations on nets with external places. It turns out that the largest bisimulation, i.e. the bisimilarity, is a congruence. A further result is that liveness is preserved by bisimilarity.

Continuations, Processes, and Sharing

Continuation-passing style (CPS) transforms have long been important tools in the study of programming. They have been shown to correspond to abstract machines and, when combined with a naming transform that expresses shared values, they enjoy a direct correspondence with encodings into process calculi such as the π-calculus. We present our notion of correctness and discuss the sufficient conditions that guarantee the correctness of transforms. We then consider the call-by-value, call-by-name and call-by-need evaluation strategies for the λ-calculus and present their CPS transforms, abstract machines, π-encodings, and proofs of correctness. Our analysis covers a uniform CPS transform, which differentiates the three evaluation strategies only by the treatment of function calls. This leads to a new CPS transform for call-by-need requiring a less expressive form of side effect, which we call constructive update.

The Calculus of Handshake Configurations

Handshake protocols are asynchronous protocols that enforce several properties such as absence of transmission interference and insensitivity from delays of propagation on wires. We propose a concurrent process calculus for handshake protocols. This calculus uses two mechanisms of synchronization: rendez-vous communication a la CCS, and shared resource usage. To enforce the handshake discipline, the calculus is endowed with a typing system. We provide an LTS semantics of the calculus and show that typed processes denote handshake protocols. We give the calculus another semantics in terms of a special kind of Petri nets called handshake Petri nets. We show that this semantics is complete and fully abstract with respect to weak bisimilarity.