Publication


Featured research published by Richard J. Trefler.


logic in computer science | 1999

Parametric quantitative temporal reasoning

E.A. Emerson; Richard J. Trefler

We define Parameterized Real-Time Computation Tree Logic (PRTCTL), which allows quantitative temporal specifications to be parameterized over the natural numbers. Parameterized quantitative specifications are quantitative specifications in which concrete timing information has been abstracted away. Such abstraction allows designers to specify quantitative restrictions on the temporal ordering of events without having to use specific timing information from the model. A model checking algorithm for the logic is given which is polynomial for any fixed number of parameters. A subclass of formulae is identified for which the model checking problem is linear in the length of the formula and the size of the structure. PRTCTL is generalised to allow quantitative reasoning about the number of occurrences of atomic events.


computer aided verification | 2009

Explaining Counterexamples Using Causality

Ilan Beer; Shoham Ben-David; Hana Chockler; Avigail Orni; Richard J. Trefler

When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification is complex, finding the failure in the trace becomes a non-trivial task. In this paper, we address the problem of analyzing a counterexample trace and highlighting the failure that it demonstrates. Using the notion of causality , introduced by Halpern and Pearl, we formally define a set of causes for the failure of the specification on the given counterexample trace. These causes are marked as red dots and presented to the user as a visual explanation of the failure. We study the complexity of computing the exact set of causes, and provide a polynomial-time algorithm that approximates it. This algorithm is implemented as a feature in the IBM formal verification platform RuleBase PE, where these visual explanations are an integral part of every counterexample trace. Our approach is independent of the tool that produced the counterexample, and can be applied as a light-weight external layer to any model checking tool, or used to explain simulation traces.
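The abstract above describes marking, on a failing trace, the positions that count as causes of the failure. The following is an added illustration of that counterfactual notion of cause (Halpern and Pearl style: a point is a cause if, under some contingency of other flipped values that keeps the specification failing, flipping that point makes the specification pass). It is example code, not the paper's algorithm or RuleBase PE's implementation: the trace, the signal names `req`/`ack`, and the specification "every req is acknowledged at the next step" are constructed here, and the search is exhaustive rather than the paper's polynomial approximation.

```python
from itertools import combinations

# Constructed counterexample trace (illustrative data, not from the paper):
# one dict of boolean signal values per step.
TRACE = [
    {"req": True,  "ack": False},
    {"req": False, "ack": True},
    {"req": True,  "ack": False},   # req here is never acknowledged ...
    {"req": False, "ack": False},   # ... because ack stays low at the next step
]


def spec_fails(trace):
    """Constructed specification G(req -> X ack): every req must be followed by
    ack at the next step. Returns True when the trace violates it."""
    return any(step["req"] and not trace[t + 1]["ack"]
               for t, step in enumerate(trace[:-1]))


def flip(trace, points):
    """Copy of the trace with the boolean value at each (step, signal) point negated."""
    out = [dict(step) for step in trace]
    for t, sig in points:
        out[t][sig] = not out[t][sig]
    return out


def causes(trace, fails, max_contingency=1):
    """Set of (step, signal) points that are counterfactual causes of the failure.

    A point p is a cause if there is a contingency W (up to max_contingency other
    points) such that the spec still fails with W flipped, but passes once p is
    flipped on top of W. Brute force: exponential in the contingency bound, which
    is why the paper resorts to a polynomial-time approximation of this set."""
    assert fails(trace), "trace must be a counterexample to begin with"
    points = [(t, sig) for t in range(len(trace)) for sig in sorted(trace[t])]
    result = set()
    for p in points:
        others = [q for q in points if q != p]
        for size in range(max_contingency + 1):
            if any(fails(flip(trace, w)) and not fails(flip(trace, w + (p,)))
                   for w in combinations(others, size)):
                result.add(p)
                break
    return result


def render(trace, marked):
    """Text rendering of the trace with the 'red dots' (causes) marked by '*'."""
    lines = []
    for t, step in enumerate(trace):
        cells = ["%s=%d%s" % (sig, step[sig], "*" if (t, sig) in marked else "")
                 for sig in sorted(step)]
        lines.append("t=%d  %s" % (t, "  ".join(cells)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TRACE, causes(TRACE, spec_fails)))
```

With the contingency bound at 1 the only causes are the unacknowledged `req` at step 2 and the missing `ack` at step 3, which is what a reviewer would want highlighted. Raising the bound admits further, less intuitive causes (for instance the `req` at step 0 once two other values may be flipped), which is the usual degeneracy of contingency-based causality and part of why the exact set is expensive and approximation is acceptable in practice.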


tools and algorithms for construction and analysis of systems | 2001

Assume-Guarantee Based Compositional Reasoning for Synchronous Timing Diagrams

Nina Amla; E. Allen Emerson; Kedar S. Namjoshi; Richard J. Trefler

The explosion in the number of states due to several interacting components limits the application of model checking in practice. Compositional reasoning ameliorates this problem by reducing reasoning about the entire system to reasoning about individual components. Such reasoning is often carried out in the assume-guarantee paradigm: each component guarantees certain properties based on assumptions about the other components. Naive applications of this reasoning can be circular and, therefore, unsound. We present a new rule for assume-guarantee reasoning, which is sound and complete. We show how to apply it, in a fully automated manner, to properties specified as synchronous timing diagrams. We show that timing diagram properties have a natural decomposition into assume-guarantee pairs, and liveness restrictions that result in simple subgoals which can be checked efficiently. We have implemented our method in a timing diagram analysis tool, which carries out the compositional proof in a fully automated manner. Initial applications of this method have yielded promising results, showing substantial reductions in the space requirements for model checking.


logic in computer science | 2001

Safety and liveness in branching time

Panagiotis Manolios; Richard J. Trefler

Extends B. Alpern and F.B. Schneider's linear-time characterization of safety and liveness properties to branching time, where properties are sets of trees. We define two closure operators that give rise to the following four extremal types of properties: universally safe, existentially safe, universally live and existentially live. The distinction between universal and existential properties captures the difference between the CTL (computation tree logic) path quantifiers ∀ (for all paths) and ∃ (there is a path). We show that every branching time property is the intersection of an existentially safe property and an existentially live property, a universally safe property and a universally live property, and an existentially safe property and a universally live property. We also examine how our closure operators behave on linear-time properties. We then focus on sets of finitely branching trees and show that our closure operators agree on linear-time safety properties. Furthermore, if a set of trees is given implicitly as a Rabin tree automaton B, we show that it is possible to compute the Rabin automata corresponding to the closures of the language of B. This allows us to effectively compute B_safe and B_live such that the language of B is the intersection of the languages of B_safe and B_live. As above, B_safe and B_live can be chosen so that their languages are existentially safe and existentially live, universally safe and universally live, or existentially safe and universally live.


colloquium on trees in algebra and programming | 1997

Generalized Quantitative Temporal Reasoning: An Automata Theoretic Approach

E. Allen Emerson; Richard J. Trefler

This paper proposes an expressive extension to Propositional Linear Temporal Logic dealing with real time correctness properties and gives an automata-theoretic model checking algorithm for the extension. The algorithm has been implemented and applied to examples.


ACM Transactions on Computational Logic | 2010

On the completeness of compositional reasoning methods

Kedar S. Namjoshi; Richard J. Trefler

Hardware systems and reactive software systems can be described as the composition of several concurrently active processes. Automated reasoning based on model checking algorithms can substantially increase confidence in the overall reliability of a system. Direct methods for model checking a concurrent composition, however, usually suffer from the explosion in the number of program states that arises from concurrency. Reasoning compositionally about individual processes helps mitigate this problem. A number of rules have been proposed for compositional reasoning, typically based on an assume-guarantee reasoning paradigm. Reasoning with these rules can be delicate, as some are syntactically circular in nature, in that assumptions and guarantees are mutually dependent. This is known to be a source of unsoundness. In this article, we investigate rules for compositional reasoning from the viewpoint of completeness. We show that several rules are incomplete: that is, there are properties whose validity cannot be established using (only) these rules. We derive a new, circular, reasoning rule and show it to be sound and complete. We show that the auxiliary assertions needed for completeness need be defined only on the interface of the component processes. We also show that the two main paradigms of circular and noncircular reasoning are closely related, in that a proof of one type can be transformed in a straightforward manner to one of the other type. These results give some insight into the applicability of compositional reasoning methods.


international conference on concurrency theory | 2003

Abstract Patterns of Compositional Reasoning

Nina Amla; E. Allen Emerson; Kedar S. Namjoshi; Richard J. Trefler

Compositional Reasoning – reducing reasoning about a concurrent system to reasoning about its individual components – is an essential tool for managing proof complexity and state explosion in model checking. Typically, such reasoning is carried out in an assume-guarantee manner: each component guarantees its behavior based on assumptions about the behavior of other components. Restrictions imposed on such methods to avoid unsoundness usually also result in incompleteness – i.e., one is unable to prove certain properties. In this paper, we construct an abstract framework for reasoning about process composition, formulate an assume-guarantee method, and show that it is sound and semantically complete. We then show how to instantiate the framework for several common notions of process behavior and composition. For these notions, the instantiations result in the first methods known to be complete for mutually inductive, assume-guarantee reasoning.
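The three abstracts above (the TACAS 2001 rule, the TOCL completeness study, and this framework) all turn on the same point: an assume-guarantee rule whose assumptions and guarantees refer to each other at the same instant is circular and unsound, and a sound rule must break the circle, typically by induction over time. The following is an added illustration of that point on two tiny synchronous boolean components; it is example code written for this page, not the papers' rule, tool or proof system, and the component definitions, the interface guarantee "output is true" and the bounded k-step brute-force discharge of subgoals are all constructed assumptions (a real proof is unbounded and uses the auxiliary interface assertions the TOCL abstract mentions).

```python
from itertools import product

# Each component is a step function: given the step t and the other side's
# outputs at steps 0..t, return this side's boolean output at step t.
# (Constructed components, not from the papers.)

def copy_component(t, other):
    """Combinational: copies the other side's output at the SAME step t."""
    return other[t]


def delayed_component(t, other):
    """Registered: outputs True at t=0, afterwards the other side's output at t-1."""
    return True if t == 0 else other[t - 1]


def check_subgoal(component, k, inductive):
    """Discharge one assume-guarantee subgoal, 'component guarantees True at every
    step provided the other side guarantees True', by brute force over every
    k-step environment behaviour.

    inductive=False: naive circular rule, assume the other's guarantee at steps <= t.
    inductive=True : time-inductive rule, assume it only at steps < t.
    Returns None when the subgoal holds, else (t, environment prefix) refuting it."""
    for env in product([False, True], repeat=k):
        for t in range(k):
            assumed = env[:t] if inductive else env[:t + 1]
            if not all(assumed):
                continue            # assumption violated: nothing to prove at t
            if not component(t, env[:t + 1]):
                return (t, env[:t + 1])
    return None


def compose_violations(comp_a, comp_b, k):
    """Explore every k-step behaviour of the synchronous composition: at each step
    the pair (x, y) of outputs must satisfy both step functions simultaneously
    (a combinational loop may admit several, or no, solutions). Returns a trace of
    (x, y) pairs ending in a step where one guarantee fails, or None."""
    def explore(xs, ys):
        t = len(xs)
        if t == k:
            return None
        for x, y in product([False, True], repeat=2):
            nx, ny = xs + (x,), ys + (y,)
            if comp_a(t, ny) == x and comp_b(t, nx) == y:
                if not (x and y):
                    return list(zip(nx, ny))
                bad = explore(nx, ny)
                if bad is not None:
                    return bad
        return None
    return explore((), ())


if __name__ == "__main__":
    k = 5
    # Naive rule: both copy components discharge their subgoal, yet the
    # composition has a behaviour in which both outputs are False forever.
    print("naive, copy:", check_subgoal(copy_component, k, inductive=False))
    print("composed copies violate:", compose_violations(copy_component, copy_component, k))
    # Inductive rule: rejects the copy component (nothing supports its step 0),
    # accepts the delayed one, whose composition really does satisfy the property.
    print("inductive, copy:", check_subgoal(copy_component, k, inductive=True))
    print("inductive, delayed:", check_subgoal(delayed_component, k, inductive=True))
    print("composed delays violate:", compose_violations(delayed_component, delayed_component, k))
```

The naive rule accepts both `copy_component` subgoals because each side is handed the other's guarantee at the very step it needs it, and the conclusion "both outputs always true" is false of the composition. The inductive rule only grants the assumption for earlier steps, so the copy component fails at step 0 and the rule correctly refuses to conclude anything, while the delayed component, which only ever depends on the past, passes and its composition is genuinely correct.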


verification model checking and abstract interpretation | 2013

Uncovering Symmetries in Irregular Process Networks

Kedar S. Namjoshi; Richard J. Trefler

In this work, we consider distributed protocols that operate on arbitrary networks. The analysis of such protocols is challenging, as an arbitrarily chosen network may have limited global symmetry. We describe a methodology that uncovers significant local symmetries by appropriately abstracting node neighborhoods in a network. The local symmetries give rise to uniform compositional proofs of correctness. As an illustration of these ideas, we show how to obtain a uniform compositional invariance proof for a Dining Philosophers protocol operating on a fixed-size, arbitrary network. An interesting and somewhat unexpected consequence is that this proof generalizes easily to a parametric proof, which holds on any network regardless of size or structure.


principles of distributed computing | 2003

A lattice-theoretic characterization of safety and liveness

Panagiotis Manolios; Richard J. Trefler

The distinction between safety and liveness properties is due to Lamport, who gave the following informal characterization. Safety properties assert that nothing bad ever happens, while liveness properties assert that something good happens eventually. In a well-known paper Alpern and Schneider gave a topological characterization of safety and liveness for the linear time framework. Gumm has stated these notions in the more abstract setting of ∨-complete Boolean algebras. Recently, we characterized safety and liveness for the branching time framework and found that neither the topological characterization nor Gumm's characterization was general enough for our needs. We present a lattice theoretic characterization that allows us to unify previous results on safety and liveness, including the results for the linear time and branching time frameworks and for ω-regular string and tree languages.


mathematical foundations of computer science | 1998

Model Checking Real-Time Properties of Symmetric Systems

E. Allen Emerson; Richard J. Trefler

We develop efficient algorithms for model checking quantitative properties of symmetric reactive systems in the general framework of a Real-Time Mu-calculus. Previous work has been limited to qualitative correctness properties. Our work not only permits handling of quantitative correctness, but it provides a strictly more expressive framework for qualitative correctness since the Mu-calculus strictly subsumes, e.g., CTL. Unlike the previous “group-theoretic” approaches of [CE96] and [ES96] and the technical “automata-theoretic” approach of [ES97], our new approach may be viewed as “model-theoretic”.

Collaboration

Top co-authors of Richard J. Trefler: E. Allen Emerson (University of Texas at Austin); Thomas Wahl (Northeastern University); Nina Amla (Cadence Design Systems).