ABSTRACT MODEL REPAIR


Logical Methods in Computer Science, Vol. 11(3:11)2015. Submitted Jul. 2, 2014; published Sep. 17, 2015.

George Chatzieleftheriou (a), Borzoo Bonakdarpour (b), Panagiotis Katsaros (c), and Scott A. Smolka (d)

(a) Department of Informatics, Aristotle University of Thessaloniki, Thessaloniki, Greece. E-mail address: gchatzie@csd.auth.gr
(b) Department of Computing and Software, McMaster University, 1280 Main Street West, Hamilton, ON L8S 4L7, Canada. E-mail address: borzoo@mcmaster.ca
(c) Department of Informatics, Aristotle University of Thessaloniki, Thessaloniki, Greece. E-mail address: katsaros@csd.auth.gr
(d) Department of Computer Science, Stony Brook University, Stony Brook, NY, USA. E-mail address: sas@cs.sunysb.edu

Abstract. Given a Kripke structure $M$ and a CTL formula $\varphi$, where $M$ does not satisfy $\varphi$, the problem of Model Repair is to obtain a new model $M'$ such that $M'$ satisfies $\varphi$. Moreover, the changes made to $M$ to derive $M'$ should be minimum with respect to all such $M'$. As in model checking, state explosion can make it virtually impossible to carry out model repair on models with infinite or even large state spaces. In this paper, we present a framework for model repair that uses abstraction refinement to tackle state explosion. Our framework aims to repair Kripke Structure models based on a Kripke Modal Transition System abstraction and a 3-valued semantics for CTL. We introduce an abstract-model-repair algorithm for which we prove soundness and semi-completeness, and we study its complexity class. Moreover, a prototype implementation is presented to illustrate the practical utility of abstract-model-repair on an Automatic Door Opener system model and a model of the Andrew File System 1 protocol.

1. Introduction

Given a model $M$ and a temporal-logic formula $\varphi$, model checking [16] is the problem of determining whether or not $M \models \varphi$. When this is not the case, a model checker will typically provide a counterexample in the form of an execution path along which $\varphi$ is violated.
The user should then process the counterexample manually to correct $M$. An extended version of the model-checking problem is that of model repair: given a model $M$ and a temporal-logic formula $\varphi$, where $M \not\models \varphi$, obtain a new model $M'$ such that $M' \models \varphi$. The problem of Model Repair for Kripke structures and Computation Tree Logic (CTL) [28] properties was first introduced in [12].

2012 ACM CCS: [Theory of computation]: Logic, Verification by model checking, Abstraction; [Software and its Engineering]: Software organization and properties, Software functional properties, Formal methods, Model checking.
Key words and phrases: Model Repair, Model Checking, Abstraction Refinement.
A preliminary version of the paper has appeared in [15].
LOGICAL METHODS IN COMPUTER SCIENCE, DOI: /LMCS-11(3:11)2015. © G. Chatzieleftheriou, B. Bonakdarpour, P. Katsaros, and S. A. Smolka. CC Creative Commons.

State explosion is a well-known limitation of automated formal methods, such as model checking and model repair, which impedes their application to systems having large or even infinite state spaces. Different techniques have been developed to cope with this problem. In the case of model checking, abstraction [18, 42, 33, 23, 31] is used to create a smaller, more abstract version $\hat{M}$ of the initial concrete model $M$, and model checking is performed on this smaller model. For this technique to work as advertised, it should be the case that if $\hat{M} \models \varphi$ then $M \models \varphi$.

Motivated by the success of abstraction-based model checking, we present in this paper a new framework for Model Repair that uses abstraction refinement to tackle state explosion. The resulting Abstract Model Repair (AMR) methodology makes it possible to repair models with large state spaces, and to speed up the repair process through the use of smaller abstract models. The major contributions of our work are as follows:

- We provide an AMR framework that uses Kripke structures (KSs) for the concrete model $M$, Kripke Modal Transition Systems (KMTSs) for the abstract model $\hat{M}$, and a 3-valued semantics for interpreting CTL over KMTSs [38]. An iterative refinement of the abstract KMTS model takes place whenever the result of the 3-valued CTL model-checking problem is undefined. If the refinement process terminates with a KMTS that violates the CTL property, this property is also falsified by the concrete KS $M$. Then, the repair process for the refined KMTS is initiated.
- We strengthen the Model Repair problem by additionally taking into account the following minimality criterion (refer to the definition of Model Repair above): the changes made to $M$ to derive $M'$ should be minimum with respect to all $M'$ satisfying $\varphi$.
- To handle the minimality constraint, we define a metric space over KSs that quantifies the structural differences between them.
- We introduce an Abstract Model Repair algorithm for KMTSs, which takes into account the aforementioned minimality criterion.
- We prove the soundness of the Abstract Model Repair algorithm for the full CTL and the completeness for a major fragment of it. Moreover, the algorithm's complexity is analyzed with respect to the abstract KMTS model size, which can be much smaller than the concrete KS.
- We illustrate the utility of our approach through a prototype implementation used to repair a flawed Automatic Door Opener system [5] and the Andrew File System 1 protocol. Our experimental results show significant improvement in efficiency compared to a concrete model repair solution.

Organization. The rest of this paper is organized as follows. Sections 2 and 3 introduce KSs, KMTSs, as well as abstraction and refinement based on a 3-valued semantics for CTL. Section 4 defines a metric space for KSs and formally defines the problem of Model Repair. Section 5 presents our framework for Abstract Model Repair, while Section 6 introduces the abstract-model-repair algorithm for KMTSs and discusses its soundness, completeness and complexity properties. Section 7 presents the experimental evaluation of our method through its application to the Andrew File System 1 protocol (AFS1). Section 8 considers related work, while Section 9 concludes with a review of the overall approach and pinpoints directions for future work.

[Figure 1. The Automatic Door Opener (ADO) System; its states carry the labels err = 0, err = 1, err = 2 for each entered digit 0, 1, 2, plus the states open and alarm.]

2. Kripke Modal Transition Systems

Let $AP$ be a set of atomic propositions. Also, let $Lit$ be the set of literals: $Lit = AP \cup \{\neg p \mid p \in AP\}$.

Definition 2.1. A Kripke Structure (KS) is a quadruple $M = (S, S_0, R, L)$, where:
(1) $S$ is a finite set of states.
(2) $S_0 \subseteq S$ is the set of initial states.
(3) $R \subseteq S \times S$ is a transition relation that must be total, i.e., $\forall s \in S : \exists s' \in S : R(s, s')$.
(4) $L : S \to 2^{Lit}$ is a state labeling function, such that $\forall s \in S : \forall p \in AP : p \in L(s) \Leftrightarrow \neg p \notin L(s)$.

The fourth condition in Def. 2.1 ensures that any atomic proposition $p \in AP$ has one and only one truth value at any state.

Example. We use the Automatic Door Opener system (ADO) of [5] as a running example throughout the paper. The system, given as a KS in Fig. 1, requires a three-digit code (0, 1, 2) to open a door, allowing for one and only one wrong digit to be entered at most twice. Variable err counts the number of errors, and an alarm is rung if its value exceeds two. For the purposes of our paper, we use a simpler version of the ADO system, given as the KS $M$ in Fig. 3a, where the set of atomic propositions is $AP = \{p\}$ and $p \equiv (open = true)$.

Definition 2.2. A Kripke Modal Transition System (KMTS) is a 5-tuple $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, where:
(1) $\hat{S}$ is a finite set of states.
(2) $\hat{S}_0 \subseteq \hat{S}$ is the set of initial states.

(3) $R_{must} \subseteq \hat{S} \times \hat{S}$ and $R_{may} \subseteq \hat{S} \times \hat{S}$ are transition relations such that $R_{must} \subseteq R_{may}$.
(4) $\hat{L} : \hat{S} \to 2^{Lit}$ is a state-labeling such that $\forall \hat{s} \in \hat{S}, \forall p \in AP$, $\hat{s}$ is labeled by at most one of $p$ and $\neg p$.

A KMTS has two types of transitions: must-transitions, which exhibit necessary behavior, and may-transitions, which exhibit possible behavior. Must-transitions are also may-transitions. The "at most one" condition in the fourth part of Def. 2.2 makes it possible for the truth value of an atomic proposition at a given state to be unknown. This relaxation of truth values, in conjunction with the existence of may-transitions in a KMTS, constitutes a partial modeling formalism. Verifying a CTL formula $\varphi$ over a KMTS may result in an undefined outcome ($\bot$). We use the 3-valued semantics [38] of a CTL formula $\varphi$ at a state $\hat{s}$ of KMTS $\hat{M}$.

Definition 2.3. [38] Let $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be a KMTS. The 3-valued semantics of a CTL formula $\varphi$ at a state $\hat{s}$ of $\hat{M}$, denoted as $[(\hat{M}, \hat{s}) \models_3 \varphi]$, is defined inductively as follows:

- If $\varphi = false$: $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$.
- If $\varphi = true$: $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$.
- If $\varphi = p$ where $p \in AP$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff $p \in \hat{L}(\hat{s})$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff $\neg p \in \hat{L}(\hat{s})$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = \neg \varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = \varphi_1 \vee \varphi_2$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = true$ or $[(\hat{M}, \hat{s}) \models_3 \varphi_2] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = false$ and $[(\hat{M}, \hat{s}) \models_3 \varphi_2] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = \varphi_1 \wedge \varphi_2$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = true$ and $[(\hat{M}, \hat{s}) \models_3 \varphi_2] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff $[(\hat{M}, \hat{s}) \models_3 \varphi_1] = false$ or $[(\hat{M}, \hat{s}) \models_3 \varphi_2] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = AX\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff for all $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff there exists some $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{must}$ and $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = EX\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff there exists $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{must}$ and $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff for all $\hat{s}_i$ such that $(\hat{s}, \hat{s}_i) \in R_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.

- If $\varphi = AG\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ and for all $\hat{s}_i \in \pi_{may}$ it holds that $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that for some $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = EG\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that for all $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ there is some $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = AF\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ there is a $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that for all $\hat{s}_i \in \pi_{must}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = EF\varphi_1$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that there is some $\hat{s}_i \in \pi_{must}$ for which $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ and for all $\hat{s}_i \in \pi_{may}$, $[(\hat{M}, \hat{s}_i) \models_3 \varphi_1] = false$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = A(\varphi_1 U \varphi_2)$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ there is $\hat{s}_i \in \pi_{may}$ such that $[(\hat{M}, \hat{s}_i) \models_3 \varphi_2] = true$ and $\forall j < i : [(\hat{M}, \hat{s}_j) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that
    i. for all $0 \le k < |\pi_{must}|$: $(\forall j < k : [(\hat{M}, \hat{s}_j) \models_3 \varphi_1] \neq false) \Rightarrow ([(\hat{M}, \hat{s}_k) \models_3 \varphi_2] = false)$
    ii. $(\text{for all } 0 \le k < |\pi_{must}| : [(\hat{M}, \hat{s}_k) \models_3 \varphi_2] \neq false) \Rightarrow |\pi_{must}| = \infty$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.
- If $\varphi = E(\varphi_1 U \varphi_2)$:
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = true$, iff there exists some must-path $\pi_{must} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$ such that there is a $\hat{s}_i \in \pi_{must}$ with $[(\hat{M}, \hat{s}_i) \models_3 \varphi_2] = true$ and for all $j < i$, $[(\hat{M}, \hat{s}_j) \models_3 \varphi_1] = true$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = false$, iff for all may-paths $\pi_{may} = [\hat{s}, \hat{s}_1, \hat{s}_2, \ldots]$
    i. for all $0 \le k < |\pi_{may}|$: $(\forall j < k : [(\hat{M}, \hat{s}_j) \models_3 \varphi_1] \neq false) \Rightarrow ([(\hat{M}, \hat{s}_k) \models_3 \varphi_2] = false)$
    ii. $(\text{for all } 0 \le k < |\pi_{may}| : [(\hat{M}, \hat{s}_k) \models_3 \varphi_2] \neq false) \Rightarrow |\pi_{may}| = \infty$;
  $[(\hat{M}, \hat{s}) \models_3 \varphi] = \bot$, otherwise.

From the 3-valued CTL semantics, it follows that must-transitions are used to check the truth of existential CTL properties, while may-transitions are used to check the truth of universal CTL properties. This works inversely for checking the refutation of CTL properties. In what follows, we use $\models$ instead of $\models_3$ in order to refer to the 3-valued satisfaction relation.

[Figure 2. Abstraction and Concretization: concrete states $s, s'$ are mapped by $\alpha$ to the abstract state $\hat{s}$, and $\gamma(\hat{s})$ maps back to the set of concrete states.]

3. Abstraction and Refinement for 3-Valued CTL

3.1. Abstraction. Abstraction is a state-space reduction technique that produces a smaller abstract model from an initial concrete model, so that the result of model checking a property $\varphi$ in the abstract model is preserved in the concrete model. This can be achieved if the abstract model is built with certain requirements [18, 31].

Definition 3.1. Given a KS $M = (S, S_0, R, L)$ and a pair of total functions $(\alpha : S \to \hat{S}, \gamma : \hat{S} \to 2^S)$ such that $\forall s \in S : \forall \hat{s} \in \hat{S} : (\alpha(s) = \hat{s} \Leftrightarrow s \in \gamma(\hat{s}))$, the KMTS $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ is defined as follows:
(1) $\hat{s} \in \hat{S}_0$ iff $\exists s \in \gamma(\hat{s})$ such that $s \in S_0$
(2) $lit \in \hat{L}(\hat{s})$ only if $\forall s \in \gamma(\hat{s}) : lit \in L(s)$
(3) $R_{must} = \{(\hat{s}_1, \hat{s}_2) \mid \forall s_1 \in \gamma(\hat{s}_1) : \exists s_2 \in \gamma(\hat{s}_2) : (s_1, s_2) \in R\}$
(4) $R_{may} = \{(\hat{s}_1, \hat{s}_2) \mid \exists s_1 \in \gamma(\hat{s}_1) : \exists s_2 \in \gamma(\hat{s}_2) : (s_1, s_2) \in R\}$

For a given KS $M$ and a pair of abstraction and concretization functions $\alpha$ and $\gamma$, Def. 3.1 introduces the KMTS $\alpha(M)$ defined over the set $\hat{S}$ of abstract states. In our AMR framework, we view $M$ as the concrete model and the KMTS $\alpha(M)$ as the abstract model. Any two concrete states $s_1$ and $s_2$ of $M$ are abstracted by $\alpha$ to a state $\hat{s}$ of $\alpha(M)$ if and only if $s_1, s_2$ are elements of the set $\gamma(\hat{s})$ (see Fig. 2). A state of $\alpha(M)$ is initial if and only if at least one of its concrete states is initial as well. An atomic proposition in an abstract state is true (respectively, false) only if it is also true (respectively, false) in all of its concrete states. This means that the value of an atomic proposition may be unknown at a state of $\alpha(M)$. A must-transition from $\hat{s}_1$ to $\hat{s}_2$ of $\alpha(M)$ exists if and only if there are transitions from all states of $\gamma(\hat{s}_1)$ to at least one state of $\gamma(\hat{s}_2)$ ($\forall\exists$ condition). Respectively, a may-transition from $\hat{s}_1$ to $\hat{s}_2$ of $\alpha(M)$ exists if and only if there is at least one transition from some state of $\gamma(\hat{s}_1)$ to some state of $\gamma(\hat{s}_2)$ ($\exists\exists$ condition).
Definition 3.2. Given a pair of total functions $(\alpha : S \to \hat{S}, \gamma : \hat{S} \to 2^S)$ such that $\forall s \in S : \forall \hat{s} \in \hat{S} : (\alpha(s) = \hat{s} \Leftrightarrow s \in \gamma(\hat{s}))$ and a KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, the set of KSs $\gamma(\hat{M}) = \{M \mid M = (S, S_0, R, L)\}$ is defined such that for all $M \in \gamma(\hat{M})$ the following conditions hold:
(1) $s \in S_0$ iff $\alpha(s) \in \hat{S}_0$
(2) $lit \in L(s)$ if $lit \in \hat{L}(\alpha(s))$

(3) $(s_1, s_2) \in R$ iff $\exists s_1' \in \gamma(\alpha(s_1)) : \exists s_2' \in \gamma(\alpha(s_2)) : (\alpha(s_1), \alpha(s_2)) \in R_{may}$ and $\forall s_1' \in \gamma(\alpha(s_1)) : \exists s_2' \in \gamma(\alpha(s_2)) : (\alpha(s_1), \alpha(s_2)) \in R_{must}$

For a given KMTS $\hat{M}$ and a pair of abstraction and concretization functions $\alpha$ and $\gamma$, Def. 3.2 introduces a set $\gamma(\hat{M})$ of concrete KSs. A state $s$ of a KS $M \in \gamma(\hat{M})$ is initial if its abstract state $\alpha(s)$ is also initial. An atomic proposition in a concrete state $s$ is true (respectively, false) if it is also true (respectively, false) in its abstract state $\alpha(s)$. A transition from a concrete state $s_1$ to another concrete state $s_2$ exists if and only if there are concrete states $s_1' \in \gamma(\alpha(s_1))$ and $s_2' \in \gamma(\alpha(s_2))$, where $(\alpha(s_1), \alpha(s_2)) \in R_{may}$, and there is at least one concrete state $s_2' \in \gamma(\alpha(s_2))$ such that for all $s_1' \in \gamma(\alpha(s_1))$ it holds that $(\alpha(s_1), \alpha(s_2)) \in R_{must}$.

Abstract Interpretation. A pair of abstraction and concretization functions can be defined within an Abstract Interpretation [20, 21] framework. Abstract interpretation is a theory for a set of abstraction techniques, for which important properties for the model checking problem have been proved [23, 24].

Definition 3.3. [23, 32] Let $M = (S, S_0, R, L)$ be a concrete KS and $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be an abstract KMTS. A relation $H \subseteq S \times \hat{S}$ for $M$ and $\hat{M}$ is called a mixed simulation, when $H(s, \hat{s})$ implies:
- $\hat{L}(\hat{s}) \subseteq L(s)$;
- if $r = (s, s') \in R$, then there exists $\hat{s}' \in \hat{S}$ such that $r_{may} = (\hat{s}, \hat{s}') \in R_{may}$ and $(s', \hat{s}') \in H$;
- if $r_{must} = (\hat{s}, \hat{s}') \in R_{must}$, then there exists $s' \in S$ such that $r = (s, s') \in R$ and $(s', \hat{s}') \in H$.

The abstraction function $\alpha$ of Def. 3.1 is a mixed simulation for the KS $M$ and its abstract KMTS $\alpha(M)$.

Theorem 3.4. [32] Let $H \subseteq S \times \hat{S}$ be a mixed simulation from a KS $M = (S, S_0, R, L)$ to a KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$.
Then, for every CTL formula $\varphi$ and every $(s, \hat{s}) \in H$ it holds that
$[(\hat{M}, \hat{s}) \models \varphi] \neq \bot \Rightarrow [(M, s) \models \varphi] = [(\hat{M}, \hat{s}) \models \varphi]$

Theorem 3.4 ensures that if a CTL formula $\varphi$ has a definite truth value (i.e., true or false) in the abstract KMTS, then it has the same truth value in the concrete KS. When we get $\bot$ from the 3-valued model checking of a CTL formula $\varphi$, the result of model checking property $\varphi$ on the corresponding KS can be either true or false.

Example. An abstract KMTS $\hat{M}$ is presented in Fig. 3a, where all the states labeled by $p$ are grouped together, as are all states labeled by $\neg p$.

3.2. Refinement. When the outcome of verifying a CTL formula $\varphi$ on an abstract model using the 3-valued semantics is $\bot$, then a refinement step is needed to acquire a more precise abstract model. In the literature, there are refinement approaches for the 2-valued CTL semantics [17, 19, 22], as well as a number of techniques for the 3-valued CTL model checking [31, 46, 47, 35].

[Figure 3. The KS and KMTSs for the ADO system. (a) The KS $M$ (states $s_0, \ldots, s_{10}$) and the initial KMTS $\alpha(M)$ (states $\hat{s}_0, \hat{s}_1$). (b) The KS $M$ and the refined KMTS $\alpha_{Refined}(M)$ (states $\hat{s}_{01}, \hat{s}_{02}, \hat{s}_1$). Must-transitions and may-transitions are drawn with different arrow styles.]

The refinement technique that we adopt is an automated two-step process based on [17, 46]:
(1) Identify a failure state in $\alpha(M)$ using the algorithms in [17, 46]; the cause of failure for a state $\hat{s}$ stems from an atomic proposition having an undefined value in $\hat{s}$, or from an outgoing may-transition from $\hat{s}$.

(2) Produce the abstract KMTS $\alpha_{Refined}(M)$, where $\alpha_{Refined}$ is a new abstraction function as in Def. 3.1, such that the identified failure state is refined into two states. If the cause of failure is an undefined value of an atomic proposition in $\hat{s}$, then $\hat{s}$ is split into states $\hat{s}_1$ and $\hat{s}_2$, such that the atomic proposition is true in $\hat{s}_1$ and false in $\hat{s}_2$. Otherwise, if the cause of failure is an outgoing may-transition from $\hat{s}$, then $\hat{s}$ is split into states $\hat{s}_1$ and $\hat{s}_2$, such that there is an outgoing must-transition from $\hat{s}_1$ and no outgoing may- or must-transition from $\hat{s}_2$.

The described refinement technique does not necessarily converge to an abstract KMTS with a definite model checking result. A promising approach to overcome this restriction is to use a different type of abstract model, as in [46], where the authors propose the use of Generalized KMTSs, which ensure monotonicity of the refinement process.

Example. Consider the case where the ADO system requires a mechanism for opening the door from any state with a direct action. This could be an action done by an expert if an immediate opening of the door is required. This property can be expressed in CTL as $\varphi = AGEXp$. Observe that in $\alpha(M)$ of Fig. 3a, the absence of a must-transition from $\hat{s}_0$ to $\hat{s}_1$, where $[(\alpha(M), \hat{s}_1) \models p] = true$, in conjunction with the existence of a may-transition from $\hat{s}_0$ to $\hat{s}_1$, i.e. to a state where $[(\alpha(M), \hat{s}_1) \models p] = true$, results in an undefined model-checking outcome for $[(\alpha(M), \hat{s}_0) \models \varphi]$. Notice that state $\hat{s}_0$ is the failure state, and the may-transition from $\hat{s}_0$ to $\hat{s}_1$ is the cause of the failure. Consequently, $\hat{s}_0$ is refined into two states, $\hat{s}_{01}$ and $\hat{s}_{02}$, such that the former has no transition to $\hat{s}_1$ and the latter has an outgoing must-transition to $\hat{s}_1$. Thus, the may-transition which caused the undefined outcome is eliminated and for the refined KMTS $\alpha_{Refined}(M)$ it holds that $[(\alpha_{Refined}(M), \hat{s}_1) \models \varphi] = false$.
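As an added Python example, not code from the paper or its prototype: the abstraction $\alpha(M)$ of Def. 3.1, the 3-valued semantics of Def. 2.3 for the fragment with literals, negation, conjunction, disjunction, AX, EX, AG and EF, and the refinement step just described, run on a constructed 4-state KS modelled on the simplified ADO system. The literal "open" stands for the paper's $p$; the state names, transitions and both abstraction functions are assumptions of this example, not the paper's Fig. 3.

```python
"""Abstraction (Def. 3.1), 3-valued CTL checking (Def. 2.3) and refinement on a toy KS."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

TRUE, FALSE, UNDEF = "true", "false", "⊥"   # the three truth values of Def. 2.3


@dataclass
class KMTS:
    """KMTS of Def. 2.2; a KS (Def. 2.1) is the special case must == may == R."""
    states: Set[str]
    init: Set[str]
    must: Set[Tuple[str, str]]
    may: Set[Tuple[str, str]]
    label: Dict[str, Set[str]]   # literals per state, written "p" or "!p"


def ks(states, init, R, label) -> KMTS:
    return KMTS(set(states), set(init), set(R), set(R), {s: set(v) for s, v in label.items()})


def abstract(m: KMTS, alpha: Dict[str, str]):
    """Def. 3.1: alpha(M) for a KS M and an abstraction function alpha: S -> S^.
    must-transitions need the forall-exists condition, may-transitions exists-exists."""
    gamma: Dict[str, Set[str]] = {}            # concretization: S^ -> subsets of S
    for s, a in alpha.items():
        gamma.setdefault(a, set()).add(s)
    edge = lambda s1, tgt: any((s1, s2) in m.may for s2 in tgt)
    must = {(a, b) for a in gamma for b in gamma if all(edge(s, gamma[b]) for s in gamma[a])}
    may = {(a, b) for a in gamma for b in gamma if any(edge(s, gamma[b]) for s in gamma[a])}
    # most precise labeling Def. 3.1(2) allows: literals that hold in every concrete state
    label = {a: set.intersection(*(m.label[s] for s in gamma[a])) for a in gamma}
    return KMTS(set(gamma), {alpha[s] for s in m.init}, must, may, label), gamma


def succ(rel, s):
    return {t for (u, t) in rel if u == s}


def reach(rel, s):
    """States on some rel-path starting at s (s itself included)."""
    seen, todo = {s}, [s]
    while todo:
        for t in succ(rel, todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def check(m: KMTS, s: str, phi) -> str:
    """Def. 2.3 for literals, not, and, or, AX, EX, AG, EF; formulas are nested tuples.
    Existential truth and universal refutation follow must-transitions, the duals may."""
    op = phi[0]
    if op == "lit":
        lits = m.label[s]
        return TRUE if phi[1] in lits else FALSE if "!" + phi[1] in lits else UNDEF
    if op == "not":
        return {TRUE: FALSE, FALSE: TRUE}.get(check(m, s, phi[1]), UNDEF)
    if op in ("and", "or"):
        vals = {check(m, s, phi[1]), check(m, s, phi[2])}
        absorbing = FALSE if op == "and" else TRUE
        return absorbing if absorbing in vals else UNDEF if UNDEF in vals else vals.pop()
    step = succ if op in ("AX", "EX") else reach          # next states vs. all reachable
    sub, on_must, on_may = phi[1], step(m.must, s), step(m.may, s)
    if op in ("EX", "EF"):   # witness on a must-path, refutation on all may-paths
        if any(check(m, t, sub) == TRUE for t in on_must):
            return TRUE
        return FALSE if all(check(m, t, sub) == FALSE for t in on_may) else UNDEF
    if op in ("AX", "AG"):   # truth on all may-paths, refutation by a must-path
        if all(check(m, t, sub) == TRUE for t in on_may):
            return TRUE
        return FALSE if any(check(m, t, sub) == FALSE for t in on_must) else UNDEF
    raise ValueError(f"unsupported operator {op}")


def consistent_with_concrete(m: KMTS, alpha, formulas) -> bool:
    """Theorem 3.4: every definite abstract verdict is inherited by the concrete states."""
    A, gamma = abstract(m, alpha)
    return all(check(A, a, f) in (UNDEF, check(m, s, f))
               for f in formulas for a in gamma for s in gamma[a])


# Constructed KS in the spirit of the simplified ADO system: s0..s2 are closed-door
# states and s3 is the only open-door state ("open" plays the role of the paper's p).
M = ks(["s0", "s1", "s2", "s3"], ["s0"],
       [("s0", "s1"), ("s1", "s2"), ("s1", "s0"), ("s2", "s3"), ("s3", "s0")],
       {"s0": ["!open"], "s1": ["!open"], "s2": ["!open"], "s3": ["open"]})
PHI = ("AG", ("EX", ("lit", "open")))                  # AG EX open, as in the example
ALPHA = {"s0": "^s0", "s1": "^s0", "s2": "^s0", "s3": "^s1"}       # group states by label
ALPHA_REFINED = {"s0": "^s01", "s1": "^s01", "s2": "^s02", "s3": "^s1"}  # split ^s0


def run():
    """Initial abstraction: ⊥ at ^s0 (the may-transition ^s0 -> ^s1 is the cause).
    Refined abstraction: definite 'false' at ^s01, matching the concrete verdict at s0."""
    A, _ = abstract(M, ALPHA)
    Ref, _ = abstract(M, ALPHA_REFINED)
    return check(A, "^s0", PHI), check(Ref, "^s01", PHI), check(M, "s0", PHI)


if __name__ == "__main__":
    print(run())   # ('⊥', 'false', 'false')
```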
The initial KS and the refined KMTS $\alpha_{Refined}(M)$ are shown in Fig. 3b.

4. The Model Repair Problem

In this section, we formulate the problem of Model Repair. A metric space over Kripke structures is defined to quantify their structural differences. This allows us to take into account the minimality-of-changes criterion in Model Repair.

Let $\pi$ be a function on the set of all functions $f : X \to Y$ such that:
$\pi(f) = \{(x, f(x)) \mid x \in X\}$
A restriction operator (denoted by $|$) for the domain of function $f$ is defined such that for $X_1 \subseteq X$,
$f|_{X_1} = \{(x, f(x)) \mid x \in X_1\}$
By $S^C$, we denote the complement of a set $S$.

Definition 4.1. For any two $M = (S, S_0, R, L)$ and $M' = (S', S_0', R', L')$ in the set $K_M$ of all KSs, where $S' = (S \cup S_{IN}) \setminus S_{OUT}$ for some $S_{IN} \subseteq S^C$, $S_{OUT} \subseteq S$, $R' = (R \cup R_{IN}) \setminus R_{OUT}$ for some $R_{IN} \subseteq R^C$, $R_{OUT} \subseteq R$, and $L' : S' \to 2^{Lit}$, the distance function $d$ over $K_M$ is defined as follows:
$d(M, M') = |S \triangle S'| + |R \triangle R'| + \frac{|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})|}{2}$
with $A \triangle B$ representing the symmetric difference $(A \setminus B) \cup (B \setminus A)$.

For any two KSs defined over the same set of atomic propositions $AP$, function $d$ counts the number of differences $|S \triangle S'|$ in the state spaces, the number of differences $|R \triangle R'|$ in their transition relations and the number of common states with altered labeling.

Proposition 4.2. The ordered pair $(K_M, d)$ is a metric space.

Proof. We use the fact that the cardinality of the symmetric difference between any two sets is a distance metric. It holds that:
(1) $|S \triangle S'| \ge 0$, $|R \triangle R'| \ge 0$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| \ge 0$ (non-negativity)
(2) $|S \triangle S'| = 0$ iff $S = S'$, $|R \triangle R'| = 0$ iff $R = R'$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| = 0$ iff $\pi(L|_{S \cap S'}) = \pi(L'|_{S \cap S'})$ (identity of indiscernibles)
(3) $|S \triangle S'| = |S' \triangle S|$, $|R \triangle R'| = |R' \triangle R|$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| = |\pi(L'|_{S \cap S'}) \triangle \pi(L|_{S \cap S'})|$ (symmetry)
(4) $|S \triangle S''| \le |S \triangle S'| + |S' \triangle S''|$, $|R \triangle R''| \le |R \triangle R'| + |R' \triangle R''|$, $|\pi(L|_{S \cap S''}) \triangle \pi(L''|_{S \cap S''})| \le |\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| + |\pi(L'|_{S' \cap S''}) \triangle \pi(L''|_{S' \cap S''})|$ (triangle inequality)

We will prove that $d$ is a metric on $K_M$. Suppose $M, M', M'' \in K_M$. It easily follows from (1) that $d(M, M') \ge 0$ (non-negativity). From (2), $d(M, M') = 0$ iff $M = M'$ (identity of indiscernibles). Adding the equations in (3) results in $d(M, M') = d(M', M)$ (symmetry). If we add the inequalities in (4), then we get $d(M, M'') \le d(M, M') + d(M', M'')$ (triangle inequality). So, the proposition is true.

Definition 4.3. For any two $\hat{M} = (\hat{S}, \hat{S}_0, \hat{R}_{must}, \hat{R}_{may}, \hat{L})$ and $\hat{M}' = (\hat{S}', \hat{S}_0', \hat{R}'_{must}, \hat{R}'_{may}, \hat{L}')$ in the set $K_{\hat{M}}$ of all KMTSs, where $\hat{S}' = (\hat{S} \cup \hat{S}_{IN}) \setminus \hat{S}_{OUT}$ for some $\hat{S}_{IN} \subseteq \hat{S}^C$, $\hat{S}_{OUT} \subseteq \hat{S}$, $\hat{R}'_{must} = (\hat{R}_{must} \cup \hat{R}_{IN}) \setminus \hat{R}_{OUT}$ for some $\hat{R}_{IN} \subseteq \hat{R}^C_{must}$, $\hat{R}_{OUT} \subseteq \hat{R}_{must}$, $\hat{R}'_{may} = (\hat{R}_{may} \cup \hat{R}_{IN}) \setminus \hat{R}_{OUT}$ for some $\hat{R}_{IN} \subseteq \hat{R}^C_{may}$, $\hat{R}_{OUT} \subseteq \hat{R}_{may}$, and $\hat{L}' : \hat{S}' \to 2^{Lit}$, the distance function $\hat{d}$ over $K_{\hat{M}}$ is defined as follows:
$\hat{d}(\hat{M}, \hat{M}') = |\hat{S} \triangle \hat{S}'| + |\hat{R}_{must} \triangle \hat{R}'_{must}| + |(\hat{R}_{may} \setminus \hat{R}_{must}) \triangle (\hat{R}'_{may} \setminus \hat{R}'_{must})| + \frac{|\pi(\hat{L}|_{\hat{S} \cap \hat{S}'}) \triangle \pi(\hat{L}'|_{\hat{S} \cap \hat{S}'})|}{2}$
with $A \triangle B$ representing the symmetric difference $(A \setminus B) \cup (B \setminus A)$.
We note that $\hat{d}$ counts the differences between $\hat{R}_{may}$ and $\hat{R}'_{may}$, and those between $\hat{R}_{must}$ and $\hat{R}'_{must}$ separately, while avoiding counting the differences in the latter case twice (recall that must-transitions are also included in $\hat{R}_{may}$).

Proposition 4.4. The ordered pair $(K_{\hat{M}}, \hat{d})$ is a metric space.

Proof. The proof is done in the same way as in Prop. 4.2.

[Figure 4. Abstract Model Repair Framework: the initial concrete model (KS) $M$ is abstracted to the abstract model (KMTS) $\hat{M} = \alpha(M)$; abstract model checking of $(\hat{M}, \hat{s}) \models \phi$ answers Yes (then $(M, s) \models \phi$), Undefined (refinement to $\alpha_{Refined}(M)$, or failure) or No (Abstract Model Repair yields the repaired abstract model $\hat{M}'$, whose concretization $\gamma(\hat{M}')$ gives the repaired concrete model $M'$, or failure).]

Definition 4.5. Given a KS $M$ and a CTL formula $\varphi$ where $M \not\models \varphi$, the Model Repair problem is to find a KS $M'$ such that $M' \models \varphi$ and $d(M, M')$ is minimum with respect to all such $M'$.

The Model Repair problem aims at modifying a KS such that the resulting KS satisfies a CTL formula that was violated before. The distance function $d$ of Def. 4.1 features all the attractive properties of a distance metric. Given that no quantitative interpretation exists for predicates and logical operators in CTL, $d$ can be used in a model repair solution towards selecting minimum changes to the modified KS.

5. The Abstract Model Repair Framework

Our AMR framework integrates 3-valued model checking, model refinement, and a new algorithm for selecting the repair operations applied to the abstract model. The goal of this algorithm is to apply the repair operations in a way such that the number of structural changes to the corresponding concrete model is minimized. The algorithm works based on a partial order relation over a set of basic repair operations for KMTSs. This section describes the steps involved in our AMR framework, the basic repair operations, and the algorithm.

The Abstract Model Repair Process. The process steps shown in Fig. 4 rely on the KMTS abstraction of Def. 3.1. These are the following:

Step 1.: Given a KS $M$, a state $s$ of $M$, and a CTL property $\varphi$, let us call $\hat{M}$ the KMTS obtained as in Def. 3.1.
Step 2.: For state $\hat{s} = \alpha(s)$ of $\hat{M}$, we check whether $(\hat{M}, \hat{s}) \models \varphi$ by 3-valued model checking.
  Case 1.: If the result is true, then, according to Theorem 3.4, $(M, s) \models \varphi$ and there is no need to repair $M$.

  Case 2.: If the result is undefined, then a refinement of $\hat{M}$ takes place, and:
    Case 2.1.: If an $\hat{M}_{Refined}$ is found, the control is transferred to Step 2.
    Case 2.2.: If a refined KMTS cannot be retrieved, the repair process terminates with a failure.
  Case 3.: If the result is false, then, from Theorem 3.4, $(M, s) \not\models \varphi$ and the repair process is enacted; the control is transferred to Step 3.
Step 3.: The AbstractRepair algorithm is called for the abstract KMTS ($\hat{M}_{Refined}$, or $\hat{M}$ if no refinement has occurred), the state $\hat{s}$ and the property $\varphi$.
  Case 1.: AbstractRepair returns an $\hat{M}'$ for which $(\hat{M}', \hat{s}) \models \varphi$.
  Case 2.: AbstractRepair fails to find an $\hat{M}'$ for which the property holds true.
Step 4.: If AbstractRepair returns an $\hat{M}'$, then the process ends with selecting the subset of KSs from $\gamma(\hat{M}')$ with elements whose distance $d$ from the KS $M$ is minimum with respect to all the KSs in $\gamma(\hat{M}')$.

Basic Repair Operations. We decompose the KMTS repair process into seven basic repair operations:
- AddMust: Adding a must-transition
- AddMay: Adding a may-transition
- RemoveMust: Removing a must-transition
- RemoveMay: Removing a may-transition
- ChangeLabel: Changing the labeling of a KMTS state
- AddState: Adding a new KMTS state
- RemoveState: Removing a disconnected KMTS state

Adding a must-transition.

Definition 5.1 (AddMust). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{must}$, $AddMust(\hat{M}, \hat{r}_n)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that $R'_{must} = R_{must} \cup \{\hat{r}_n\}$ and $R'_{may} = R_{may} \cup \{\hat{r}_n\}$.

Since $R_{must} \subseteq R_{may}$, $\hat{r}_n$ must also be added to $R_{may}$, resulting in a new may-transition if $\hat{r}_n \notin R_{may}$. Fig. 5 shows how the basic repair operation AddMust modifies a given KMTS. The newly added transitions are in bold.

Proposition 5.2. For any $\hat{M}' = AddMust(\hat{M}, \hat{r}_n)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

Definition 5.3.
Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = AddMust(\alpha(M), \hat{r}_n)$ for some $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{must}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ of all KSs whose distance $d$ from $M$ is minimized is:
$K_{min} = \{M' \mid M' = (S, S_0, R \cup R_n, L)\}$ (5.1)
where $R_n$ is given for one $s_2 \in \gamma(\hat{s}_2)$ as follows:
$R_n = \{(s_1, s_2) \mid s_1 \in \gamma(\hat{s}_1) \text{ and } \nexists s \in \gamma(\hat{s}_2) : (s_1, s) \in R\}$
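As an added Python example, not the paper's code: the distances $d$ (Def. 4.1) and $\hat{d}$ (Def. 4.3), the AddMust operation (Def. 5.1) and the minimal concretizations $K_{min}$ of Def. 5.3, applied to a constructed 4-state KS. The abstraction $\alpha(M)$ is worked out by hand from Def. 3.1, the symmetric difference is Python's set operator `^`, the literal "open" stands for the paper's $p$, and all state names and transitions are assumptions of the example.

```python
"""Distances of Defs. 4.1 and 4.3, AddMust (Def. 5.1) and its concretization K_min (Def. 5.3)."""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]
# A KS is (S, S0, R, L); a KMTS is (S^, S^0, R_must, R_may, L^); L maps a state to its literals.
KS = Tuple[Set[str], Set[str], Set[Edge], Dict[str, Set[str]]]
KMTS = Tuple[Set[str], Set[str], Set[Edge], Set[Edge], Dict[str, Set[str]]]


def labeling_graph(L: Dict[str, Set[str]], states: Set[str]) -> Set[Tuple[str, str]]:
    """pi(L|_states): the pairs (s, lit) of the labeling restricted to `states`."""
    return {(s, lit) for s in states for lit in L[s]}


def d_ks(M: KS, M2: KS) -> float:
    """Def. 4.1: |S ^ S'| + |R ^ R'| + |pi(L|S∩S') ^ pi(L'|S∩S')| / 2 (^ = symmetric difference).
    Relabeling one state changes two pairs (a literal and its negation), hence the halving."""
    S, _, R, L = M
    S2, _, R2, L2 = M2
    common = S & S2
    return len(S ^ S2) + len(R ^ R2) + len(labeling_graph(L, common) ^ labeling_graph(L2, common)) / 2


def d_kmts(K: KMTS, K2: KMTS) -> float:
    """Def. 4.3: as d_ks, but must-transitions and may-only transitions (R_may minus R_must)
    are compared separately, so a transition that is both is not counted twice."""
    S, _, must, may, L = K
    S2, _, must2, may2, L2 = K2
    common = S & S2
    return (len(S ^ S2) + len(must ^ must2) + len((may - must) ^ (may2 - must2))
            + len(labeling_graph(L, common) ^ labeling_graph(L2, common)) / 2)


def add_must(K: KMTS, r: Edge) -> KMTS:
    """Def. 5.1: add r to R_must and, because R_must is a subset of R_may, to R_may as well."""
    S, S0, must, may, L = K
    if r in must:
        raise ValueError(f"{r} is already a must-transition")
    return (S, S0, must | {r}, may | {r}, L)


def k_min_add_must(M: KS, gamma: Dict[str, Set[str]], r_hat: Edge) -> List[KS]:
    """Def. 5.3: the KSs in gamma(AddMust(alpha(M), r_hat)) closest to M, one per s2 in gamma(s^2).
    Every s1 in gamma(s^1) that has no transition into gamma(s^2) gets the transition (s1, s2),
    which is exactly what the forall-exists must condition of Def. 3.1 needs for r_hat."""
    S, S0, R, L = M
    s1_hat, s2_hat = r_hat
    candidates = []
    for s2 in sorted(gamma[s2_hat]):
        R_n = {(s1, s2) for s1 in gamma[s1_hat] if not any((s1, s) in R for s in gamma[s2_hat])}
        candidates.append((S, S0, R | R_n, L))
    return candidates


# Constructed example: a 4-state KS M (s0, s1 closed door; s2, s3 open door) and its
# abstraction alpha(M) for gamma(^s0) = {s0, s1}, gamma(^s1) = {s2, s3}, derived by hand
# from Def. 3.1: ^s0 -> ^s0 and ^s1 -> ^s1 are must-transitions, ^s0 -> ^s1 is may-only.
M: KS = ({"s0", "s1", "s2", "s3"}, {"s0"},
         {("s0", "s1"), ("s1", "s0"), ("s1", "s2"), ("s2", "s3"), ("s3", "s2")},
         {"s0": {"!open"}, "s1": {"!open"}, "s2": {"open"}, "s3": {"open"}})
GAMMA = {"^s0": {"s0", "s1"}, "^s1": {"s2", "s3"}}
ALPHA_M: KMTS = ({"^s0", "^s1"}, {"^s0"},
                 {("^s0", "^s0"), ("^s1", "^s1")},
                 {("^s0", "^s0"), ("^s1", "^s1"), ("^s0", "^s1")},
                 {"^s0": {"!open"}, "^s1": {"open"}})


def repair_example(r_hat: Edge):
    """Apply AddMust for r_hat; return d^ between the two KMTSs and the concrete distances
    d(M, M') of the KSs in K_min (Prop. 5.4 bounds them by 1 <= d(M, M') <= |S|)."""
    repaired = add_must(ALPHA_M, r_hat)
    return d_kmts(ALPHA_M, repaired), [d_ks(M, M2) for M2 in k_min_add_must(M, GAMMA, r_hat)]


if __name__ == "__main__":
    # ^s1 -> ^s0 was not even a may-transition before (case (b) of Fig. 5):
    print(repair_example(("^s1", "^s0")))   # (1.0, [2.0, 2.0])
```

For the case (b) call above each of the two minimal KSs adds one transition from every open-door state into the chosen closed-door state, so $|R_n| = |\gamma(\hat{s}_1)| = 2$.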

[Figure 5. AddMust: Adding a new must-transition. (a) May-transition exists. (b) May-transition does not exist. Each panel shows $M$ and $\hat{M}$ before and $M'$ and $\hat{M}'$ after AddMust, related by $\alpha$ and $\gamma$.]

Def. 5.3 implies that when the AbstractRepair algorithm applies AddMust on the abstract KMTS $\hat{M}$, then a set of KSs is retrieved from the concretization of $\hat{M}'$. The same holds for all other basic repair operations and consequently, when AbstractRepair finds a repaired KMTS, one or more KSs can be obtained for which property $\varphi$ holds.

Proposition 5.4. For all $M' \in K_{min}$, it holds that $1 \le d(M, M') \le |S|$.

Proof. Recall that $d(M, M') = |S \triangle S'| + |R \triangle R'| + \frac{|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})|}{2}$. Since $|S \triangle S'| = 0$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R \setminus R'| + |R' \setminus R| = 0 + |R_n|$. Since $|R_n| \ge 1$ and $|R_n| \le |S|$, it is proved that $1 \le d(M, M') \le |S|$.

From Prop. 5.4, we conclude that a lower and an upper bound exist for the distance between $M$ and any $M' \in K_{min}$.

Adding a may-transition.

Definition 5.5 (AddMay). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{may}$, $AddMay(\hat{M}, \hat{r}_n)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that $R'_{must} = R_{must} \cup \{\hat{r}_n\}$ if $|S_1| = 1$ or $R'_{must} = R_{must}$ if $|S_1| > 1$, for $S_1 = \{s_1 \mid s_1 \in \gamma(\hat{s}_1)\}$, and $R'_{may} = R_{may} \cup \{\hat{r}_n\}$.

From Def. 5.5, we conclude that there are two different cases in adding a new may-transition $\hat{r}_n$: adding also a must-transition or not. In fact, $\hat{r}_n$ is also a must-transition if and only if the set of the corresponding concrete states of $\hat{s}_1$ is a singleton. Fig. 6 displays the two different cases of applying basic repair operation AddMay to a KMTS.

Proposition 5.6. For any $\hat{M}' = AddMay(\hat{M}, \hat{r}_n)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

[Figure 6. AddMay: Adding a new must-transition. (a) Only may-transition is added. (b) Must-transition is also added. Each panel shows $M$ and $\hat{M}$ before and $M'$ and $\hat{M}'$ after AddMay, related by $\alpha$ and $\gamma$.]

Definition 5.7. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = AddMay(\alpha(M), \hat{r}_n)$ for some $\hat{r}_n = (\hat{s}_1, \hat{s}_2) \notin R_{may}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ of all KSs whose structural distance $d$ from $M$ is minimized is given by:
$K_{min} = \{M' \mid M' = (S, S_0, R \cup \{r_n\}, L)\}$ (5.2)
where $r_n \in R_n$ and $R_n = \{r_n = (s_1, s_2) \mid s_1 \in \gamma(\hat{s}_1), s_2 \in \gamma(\hat{s}_2) \text{ and } r_n \notin R\}$.

Proposition 5.8. For all $M' \in K_{min}$, it holds that $d(M, M') = 1$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + \frac{|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})|}{2}$. Because $|S \triangle S'| = 0$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R \setminus R'| + |R' \setminus R| = 0 + |\{r_n\}| = 1$. So, we prove that $d(M, M') = 1$.

Removing a must-transition.

Definition 5.9 (RemoveMust). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{must}$, $RemoveMust(\hat{M}, \hat{r}_m)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that $R'_{must} = R_{must} \setminus \{\hat{r}_m\}$ and $R'_{may} = R_{may} \setminus \{\hat{r}_m\}$ if $|S_1| = 1$ or $R'_{may} = R_{may}$ if $|S_1| > 1$, for $S_1 = \{s_1 \mid s_1 \in \gamma(\hat{s}_1)\}$.

Removing a must-transition $\hat{r}_m$, in some special and maybe rare cases, could also result in the deletion of the may-transition $\hat{r}_m$ as well. In fact, this occurs if transitions to the concrete states of $\hat{s}_2$ exist only from one concrete state of the corresponding ones of $\hat{s}_1$. These two cases for function RemoveMust are presented graphically in Fig. 7.

Proposition 5.10. For any $\hat{M}' = RemoveMust(\hat{M}, \hat{r}_m)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

[Figure 7. RemoveMust: Removing an existing must-transition. (a) May-transition is not removed. (b) May-transition is also removed. Each panel shows $M$ and $\hat{M}$ before and $M'$ and $\hat{M}'$ after RemoveMust, related by $\alpha$ and $\gamma$.]

Definition 5.11. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in Def. 3.1. Also, let $\hat{M}' = RemoveMust(\alpha(M), \hat{r}_m)$ for some $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{must}$. The set $K_{min} \subseteq \gamma(\hat{M}')$ of all KSs whose structural distance $d$ from $M$ is minimized is given by:
$K_{min} = \{M' \mid M' = (S, S_0, R \setminus R_m, L)\}$ (5.3)
where $R_m$ is given for one $s_1 \in \gamma(\hat{s}_1)$ as follows:
$R_m = \{(s_1, s_2) \in R \mid s_2 \in \gamma(\hat{s}_2)\}$

Proposition 5.12. For $M'$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \triangle S'| + |R \triangle R'| + \frac{|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})|}{2}$. Because $|S \triangle S'| = 0$ and $|\pi(L|_{S \cap S'}) \triangle \pi(L'|_{S \cap S'})| = 0$, $d(M, M') = |R \triangle R'| = |R \setminus R'| + |R' \setminus R| = |R_m| + 0 = |R_m|$. It holds that $|R_m| \ge 1$ and $|R_m| \le |S|$. So, we proved that $1 \le d(M, M') \le |S|$.

Removing a may-transition.

Definition 5.13 (RemoveMay). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{may}$, $RemoveMay(\hat{M}, \hat{r}_m)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R'_{must}, R'_{may}, \hat{L})$ such that $R'_{must} = R_{must} \setminus \{\hat{r}_m\}$ and $R'_{may} = R_{may} \setminus \{\hat{r}_m\}$.

Def. 5.13 ensures that removing a may-transition $\hat{r}_m$ implies the removal of a must-transition, if $\hat{r}_m$ is also a must-transition. Otherwise, there are no changes in the set of must-transitions $R_{must}$. Fig. 8 shows how function RemoveMay works in both cases.

Proposition 5.14. For any $\hat{M}' = RemoveMay(\hat{M}, \hat{r}_m)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

Figure 8. RemoveMay: removing an existing may-transition. (a) The may-transition is also a must-transition; (b) the may-transition is not a must-transition.

Definition 5.15. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in the definition of the abstraction $\alpha$. Also, let $\hat{M}' = \mathrm{RemoveMay}(\alpha(M), \hat{r}_m)$ for some $\hat{r}_m = (\hat{s}_1, \hat{s}_2) \in R_{may}$ with $\hat{s}_1, \hat{s}_2 \in \hat{S}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by
$$M' = (S, S_0, R \setminus R_m, L) \tag{5.4}$$
where $R_m = \{\, r_m = (s_1, s_2) \mid s_1 \in \gamma(\hat{s}_1),\ s_2 \in \gamma(\hat{s}_2) \text{ and } r_m \in R \,\}$.

Proposition 5.16. For $M'$, it holds that $1 \le d(M, M') \le |S|^2$.

Proof. $d(M, M') = |S \,\triangle\, S'| + |R \,\triangle\, R'| + |\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| / 2$. Because $|S \,\triangle\, S'| = 0$ and $|\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| = 0$, we get $d(M, M') = |R \,\triangle\, R'| = |R \setminus R'| + |R' \setminus R| = |R_m| + 0 = |R_m|$. It holds that $|R_m| \ge 1$ and $|R_m| \le |S|^2$. So, $1 \le d(M, M') \le |S|^2$. $\square$

Changing the labeling of a KMTS state.

Definition 5.17 (ChangeLabel). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, a state $\hat{s} \in \hat{S}$ and an atomic CTL formula $\varphi$ with $\varphi \in 2^{LIT}$, $\mathrm{ChangeLabel}(\hat{M}, \hat{s}, \varphi)$ is the KMTS $\hat{M}' = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{L}' = (\hat{L} \setminus \{\hat{l}_{old}\}) \cup \{\hat{l}_{new}\}$ for $\hat{l}_{old} = (\hat{s}, \mathit{lit}_{old})$ and $\hat{l}_{new} = (\hat{s}, \mathit{lit}_{new})$, where $\mathit{lit}_{new} = (\hat{L}(\hat{s}) \cup \{\, \mathit{lit} \mid \mathit{lit} \in \varphi \,\}) \setminus \{\, \neg\mathit{lit} \mid \mathit{lit} \in \varphi \,\}$.

The basic repair operation ChangeLabel makes it possible to repair a model by changing the labeling of a state, that is, without inducing any change in the structure of the model (number of states or transitions). Fig. 9 presents the application of ChangeLabel graphically.

Proposition 5.18. For any $\hat{M}' = \mathrm{ChangeLabel}(\hat{M}, \hat{s}, \varphi)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

Figure 9. ChangeLabel: changing the labeling of a KMTS state.

Definition 5.19. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in the definition of the abstraction $\alpha$. Also, let $\hat{M}' = \mathrm{ChangeLabel}(\alpha(M), \hat{s}, \varphi)$ for some $\hat{s} \in \hat{S}$ and $\varphi \in 2^{LIT}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by
$$M' = (S, S_0, R, (L \setminus L_{old}) \cup L_{new}) \tag{5.5}$$
where
$L_{old} = \{\, l_{old} = (s, \mathit{lit}_{old}) \mid s \in \gamma(\hat{s}),\ s \in S,\ \neg\mathit{lit}_{old} \in \varphi \text{ and } l_{old} \in L \,\}$,
$L_{new} = \{\, l_{new} = (s, \mathit{lit}_{new}) \mid s \in \gamma(\hat{s}),\ s \in S,\ \mathit{lit}_{new} \in \varphi \text{ and } l_{new} \notin L \,\}$.

Proposition 5.20. For $M'$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \,\triangle\, S'| + |R \,\triangle\, R'| + |\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| / 2$. Because $|S \,\triangle\, S'| = 0$ and $|R \,\triangle\, R'| = 0$, we get $d(M, M') = |\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| / 2 = (|L_{old}| + |L_{new}|) / 2 = |L_{old}| = |L_{new}|$. It holds that $|L_{new}| \ge 1$ and $|L_{new}| \le |S|$. So, $1 \le d(M, M') \le |S|$. $\square$

Adding a new KMTS state.

Definition 5.21 (AddState). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and a state $\hat{s}_n \notin \hat{S}$, $\mathrm{AddState}(\hat{M}, \hat{s}_n)$ is the KMTS $\hat{M}' = (\hat{S}', \hat{S}_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{S}' = \hat{S} \cup \{\hat{s}_n\}$ and $\hat{L}' = \hat{L} \cup \{\hat{l}_n\}$, where $\hat{l}_n = (\hat{s}_n, \emptyset)$.

The most important points about AddState are that the newly created abstract state $\hat{s}_n$ is isolated, i.e. it has no ingoing or outgoing transitions, and that its labeling is $\emptyset$. Def. 5.21 also implies that the inserted state is not permitted to be initial. The application of AddState is presented graphically in Fig. 10.

Proposition 5.22. For any $\hat{M}' = \mathrm{AddState}(\hat{M}, \hat{s}_n)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

Figure 10. AddState: adding a new KMTS state.

Definition 5.23. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in the definition of the abstraction $\alpha$. Also, let $\hat{M}' = \mathrm{AddState}(\alpha(M), \hat{s}_n)$ for some $\hat{s}_n \notin \hat{S}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by
$$M' = (S \cup \{s_n\}, S_0, R, L \cup \{l_n\}) \tag{5.6}$$
where $s_n \in \gamma(\hat{s}_n)$ and $l_n = (s_n, \emptyset)$.

Proposition 5.24. For $M'$, it holds that $d(M, M') = 1$.

Proof. $d(M, M') = |S \,\triangle\, S'| + |R \,\triangle\, R'| + |\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| / 2$. Because $|R \,\triangle\, R'| = 0$ and $|\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| = 0$, we get $d(M, M') = |S \,\triangle\, S'| = |S \setminus S'| + |S' \setminus S| = 0 + |\{s_n\}| = 1$. So, $d(M, M') = 1$. $\square$

Removing a disconnected KMTS state.

Definition 5.25 (RemoveState). For a given KMTS $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ and a state $\hat{s}_r \in \hat{S}$ such that $\forall \hat{s} \in \hat{S}:\ (\hat{s}, \hat{s}_r) \notin R_{may} \wedge (\hat{s}_r, \hat{s}) \notin R_{may}$, $\mathrm{RemoveState}(\hat{M}, \hat{s}_r)$ is the KMTS $\hat{M}' = (\hat{S}', \hat{S}'_0, R_{must}, R_{may}, \hat{L}')$ such that $\hat{S}' = \hat{S} \setminus \{\hat{s}_r\}$, $\hat{S}'_0 = \hat{S}_0 \setminus \{\hat{s}_r\}$ and $\hat{L}' = \hat{L} \setminus \{\hat{l}_r\}$, where $\hat{l}_r = (\hat{s}_r, \mathit{lit}) \in \hat{L}$.

From Def. 5.25, it is clear that the state being removed must be isolated, i.e. there are no may- or must-transitions from or to it. This means that before RemoveState is applied to an abstract state, all its ingoing and outgoing transitions must have been removed by other basic repair operations. RemoveState is also used to eliminate dead-end states when such states arise during the repair process. Fig. 11 presents the application of RemoveState graphically.

Proposition 5.26. For any $\hat{M}' = \mathrm{RemoveState}(\hat{M}, \hat{s}_r)$, it holds that $\hat{d}(\hat{M}, \hat{M}') = 1$.

Figure 11. RemoveState: removing a disconnected KMTS state.

Definition 5.27. Let $M = (S, S_0, R, L)$ be a KS and let $\alpha(M) = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$ be the abstract KMTS derived from $M$ as in the definition of the abstraction $\alpha$. Also, let $\hat{M}' = \mathrm{RemoveState}(\alpha(M), \hat{s}_r)$ for some $\hat{s}_r \in \hat{S}$ with $\hat{l}_r = (\hat{s}_r, \mathit{lit}) \in \hat{L}$. The KS $M' \in \gamma(\hat{M}')$ whose structural distance $d$ from $M$ is minimized is given by
$$M' = (S', S'_0, R', L') \ \text{ s.t. }\ S' = S \setminus S_r,\ S'_0 = S_0 \setminus S_r,\ R' = R,\ L' = L \setminus L_r \tag{5.7}$$
where $S_r = \{\, s_r \mid s_r \in S \text{ and } s_r \in \gamma(\hat{s}_r) \,\}$ and $L_r = \{\, l_r = (s_r, \mathit{lit}) \mid l_r \in L \,\}$.

Proposition 5.28. For $M'$, it holds that $1 \le d(M, M') \le |S|$.

Proof. $d(M, M') = |S \,\triangle\, S'| + |R \,\triangle\, R'| + |\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| / 2$. Because $|R \,\triangle\, R'| = 0$ and $|\pi(L_{S \cap S'}) \,\triangle\, \pi(L'_{S \cap S'})| = 0$, we get $d(M, M') = |S \,\triangle\, S'| = |S \setminus S'| + |S' \setminus S| = |S_r| + 0 = |S_r|$. It holds that $|S_r| \ge 1$ and $|S_r| \le |S|$. So, $1 \le d(M, M') \le |S|$. $\square$

Minimality of Changes Ordering for Basic Repair Operations.

The distance metric $d$ of Def. 4.1 reflects the need to quantify the structural changes in the concrete model that are attributed to model repair steps applied to the abstract KMTS. Every such repair step implies multiple structural changes in the concrete KSs, due to the use of abstraction. In this context, our distance metric is an essential means for the effective application of abstraction in the repair process.

Based on the upper bound given by Prop. 5.4 and the respective results for the other basic repair operations, we introduce the partial ordering shown in Fig. 12. Our AbstractRepair algorithm uses this ordering to heuristically select, at each step, the basic repair operation that generates the KSs with the least changes. When more than one basic repair operation with the same upper bound is applicable, the algorithm tries them successively, in an order based on the computational complexity of their application, until a repair solution is found. If, instead of our approach, all possible repaired KSs were checked to identify the basic repair operation with the minimum changes, this would defeat the purpose of using abstraction: such a check would inevitably depend on the size of the concrete KSs.
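The bounds of Props. 5.8 to 5.28 are easiest to see on a small concrete instance. The following is an added example, not the paper's prototype: it encodes a four-state Kripke structure, the abstraction $\alpha$ as the usual lifting (a may-transition between two abstract states if some concrete transition crosses them, a must-transition if every concrete state of the source block has a successor in the target block, which is assumed to coincide with the paper's definition), the distance $d$ of Def. 4.1 as it is used in the proofs above, and the minimal concrete realisations of AddMay, RemoveMust, RemoveMay and ChangeLabel. The KS, its partition into the blocks A and B, and all function names (`ks`, `with_changes`, `gamma`, `alpha`, `concretize_*`) are constructed here.

```python
"""Structural distance between a concrete KS M and the minimally changed M'
induced by a basic repair operation on alpha(M).  Added example for this
section (not the paper's tool); d follows Def. 4.1 as used in the proofs here,
and the Kripke structure below is constructed."""
from itertools import product


def ks(states, initial, transitions, labels):
    """Kripke structure as a dict; labels map each state to its set of literals."""
    return {"S": set(states), "S0": set(initial), "R": set(transitions),
            "L": {s: set(labels.get(s, ())) for s in states}}


def with_changes(m, **changes):
    """Copy of the KS m with the given components replaced."""
    out = {"S": set(m["S"]), "S0": set(m["S0"]), "R": set(m["R"]),
           "L": {s: set(lits) for s, lits in m["L"].items()}}
    out.update(changes)
    return out


def distance(m1, m2):
    """d(M, M') = |S ^ S'| + |R ^ R'| + |pi(L) ^ pi(L')| / 2, with ^ the symmetric
    difference and the labelings compared on the common states S n S' only."""
    common = m1["S"] & m2["S"]
    lab1 = {(s, lit) for s in common for lit in m1["L"][s]}
    lab2 = {(s, lit) for s in common for lit in m2["L"][s]}
    return len(m1["S"] ^ m2["S"]) + len(m1["R"] ^ m2["R"]) + len(lab1 ^ lab2) / 2


def gamma(m, blocks, s_hat):
    """Concretization: the concrete states that `blocks` maps to the abstract state s_hat."""
    return {s for s in m["S"] if blocks[s] == s_hat}


def alpha(m, blocks):
    """Abstraction (assumed to match the paper's alpha): may-transition (A,B) iff some concrete
    transition goes from gamma(A) to gamma(B); must-transition iff every state of gamma(A) has one."""
    must, may = set(), set()
    for A, B in product(set(blocks.values()), repeat=2):
        sources = {u for (u, t) in m["R"] if blocks[u] == A and blocks[t] == B}
        if sources:
            may.add((A, B))
        if sources == gamma(m, blocks, A):
            must.add((A, B))
    return must, may


# Minimal concrete realisations of four basic operations (Defs. 5.7, 5.11, 5.15 and 5.19).
def concretize_add_may(m, blocks, A, B):
    """AddMay(A,B): a single new concrete transition between the two blocks; d = 1."""
    for u, t in product(sorted(gamma(m, blocks, A)), sorted(gamma(m, blocks, B))):
        if (u, t) not in m["R"]:
            return with_changes(m, R=m["R"] | {(u, t)})
    raise ValueError("every concrete pair already has a transition")


def concretize_remove_must(m, blocks, A, B):
    """RemoveMust(A,B): cut the transitions into gamma(B) from one state of gamma(A) only
    (a must-transition needs every state of gamma(A) to have one); 1 <= d <= |S|."""
    for u in sorted(gamma(m, blocks, A)):
        doomed = {(x, t) for (x, t) in m["R"] if x == u and blocks[t] == B}
        if doomed:
            return with_changes(m, R=m["R"] - doomed)
    raise ValueError("no must-transition from %s to %s" % (A, B))


def concretize_remove_may(m, blocks, A, B):
    """RemoveMay(A,B): every concrete transition from gamma(A) to gamma(B) goes; 1 <= d <= |S|^2."""
    doomed = {(u, t) for (u, t) in m["R"] if blocks[u] == A and blocks[t] == B}
    return with_changes(m, R=m["R"] - doomed)


def concretize_change_label(m, blocks, A, lit):
    """ChangeLabel(A, lit): every state of gamma(A) gains lit and loses its negation; 1 <= d <= |S|."""
    negation = lit[1:] if lit.startswith("!") else "!" + lit
    L = {s: set(lits) for s, lits in m["L"].items()}
    for s in gamma(m, blocks, A):
        L[s].discard(negation)
        L[s].add(lit)
    return with_changes(m, L=L)


# Constructed KS: a1, a2 are abstracted to A and b1, b2 to B.
M = ks(["a1", "a2", "b1", "b2"], ["a1"],
       [("a1", "b1"), ("a1", "b2"), ("a2", "b1"), ("a2", "b2"), ("b1", "b1")],
       {"a1": ["!open"], "a2": ["!open"], "b1": ["open"], "b2": ["open"]})
BLOCKS = {"a1": "A", "a2": "A", "b1": "B", "b2": "B"}
```

On this KS, `alpha` yields the must-transition (A, B) and the may-transitions (A, B) and (B, B). Removing the may-transition (A, B) costs four concrete transitions, removing the must-transition (A, B) costs the two transitions of `a1` and leaves (A, B) as a may-transition (Fig. 7(a)), relabeling A costs one literal per concrete state, and adding a may-transition (B, A) costs exactly one transition, which is the ordering of Fig. 12.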

Figure 12. Minimality of changes ordering of the set of basic repair operations: RemoveMay ($d \le |S|^2$); RemoveState, RemoveMust, ChangeLabel and AddMust ($d \le |S|$); AddMay and AddState ($d = 1$).

6. The Abstract Model Repair Algorithm

The AbstractRepair algorithm used in Step 3 of our repair process is a recursive, syntax-directed algorithm, where the syntax for the property $\varphi$ in question is that of CTL. The same approach is followed by the SAT model checking algorithm in [39] and by a number of model repair solutions applied to concrete KSs [55, 14]. In our case, we aim at the repair of an abstract KMTS by successively calling primitive repair functions that handle atomic formulas, logical connectives and CTL operators. At each step, the repair with the least changes for the concrete model among all possible repairs is applied first. The main routine of AbstractRepair is presented in Algorithm 1. If the property $\varphi$ is not in Positive Normal Form (PNF), i.e. with negations applied only to atomic propositions, we transform it into such a form before applying Algorithm 1.

Algorithm 1 AbstractRepair
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi$ in PNF for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$ with $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: if $\varphi$ is false then
2:   return FAILURE
3: else if $\varphi \in LIT$ then
4:   return AbstractRepair$_{ATOMIC}$($\hat{M}$, $\hat{s}$, $\varphi$, $C$)
5: else if $\varphi$ is $\varphi_1 \wedge \varphi_2$ then
6:   return AbstractRepair$_{AND}$($\hat{M}$, $\hat{s}$, $\varphi$, $C$)
7: else if $\varphi$ is $\varphi_1 \vee \varphi_2$ then
8:   return AbstractRepair$_{OR}$($\hat{M}$, $\hat{s}$, $\varphi$, $C$)
9: else if $\varphi$ is $OPER\,\varphi_1$ then
10:  return AbstractRepair$_{OPER}$($\hat{M}$, $\hat{s}$, $\varphi$, $C$)
11:  where $OPER \in \{AX, EX, AU, EU, AF, EF, AG, EG\}$

An initially empty set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ is passed as an argument in the successive recursive calls of AbstractRepair. We note that these constraints can also specify existing properties that should be preserved during repair. If $C$ is not empty, then for the returned KMTS $\hat{M}'$ it holds that $(\hat{M}', \hat{s}_{c_i}) \models \varphi_{c_i}$ for all $(\hat{s}_{c_i}, \varphi_{c_i}) \in C$. For brevity, we denote this by $\hat{M}' \models C$. We use $C$ to handle conjunctive formulas of the form $\varphi = \varphi_1 \wedge \varphi_2$ for some state $\hat{s}$. In this case, AbstractRepair is first called for the KMTS $\hat{M}$ and property $\varphi_1$ with $C$; the resulting KMTS is then repaired for $\varphi_2$ with $C \cup \{(\hat{s}, \varphi_1)\}$, so that the first repair is not undone. The same is repeated with the roles of $\varphi_1$ and $\varphi_2$ exchanged, and the two results are combined appropriately (Algorithm 4).

For any CTL formula $\varphi$ and KMTS state $\hat{s}$, AbstractRepair either outputs a KMTS $\hat{M}'$ for which $(\hat{M}', \hat{s}) \models \varphi$, or else returns FAILURE if such a model cannot be found. This is the case when the algorithm handles conjunctive formulas and a KMTS that simultaneously satisfies all conjuncts cannot be found.

Algorithm 2 AbstractRepair$_{ATOMIC}$
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi$ where $\varphi$ is an atomic formula for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$ with $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: $\hat{M}' := \mathrm{ChangeLabel}(\hat{M}, \hat{s}, \varphi)$
2: if $\hat{M}' \models C$ then
3:   return $\hat{M}'$
4: else
5:   return FAILURE

Algorithm 3 AbstractRepair$_{OR}$
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi = \varphi_1 \vee \varphi_2$ for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$, $\hat{s} \in \hat{S}'$ and $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: $RET_1 := \mathrm{AbstractRepair}(\hat{M}, \hat{s}, \varphi_1, C)$
2: $RET_2 := \mathrm{AbstractRepair}(\hat{M}, \hat{s}, \varphi_2, C)$
3: if $RET_1 \ne FAILURE$ && $RET_2 \ne FAILURE$ then
4:   $\hat{M}_1 := RET_1$
5:   $\hat{M}_2 := RET_2$
6:   $\hat{M}' := \mathrm{MinimallyChanged}(\hat{M}, \hat{M}_1, \hat{M}_2)$
7: else if $RET_1 \ne FAILURE$ then
8:   $\hat{M}' := RET_1$
9: else if $RET_2 \ne FAILURE$ then
10:  $\hat{M}' := RET_2$
11: else
12:  return FAILURE
13: return $\hat{M}'$

Algorithm 4 AbstractRepair$_{AND}$
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi = \varphi_1 \wedge \varphi_2$ for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$, $\hat{s} \in \hat{S}'$ and $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: $RET_1 := \mathrm{AbstractRepair}(\hat{M}, \hat{s}, \varphi_1, C)$
2: $RET_2 := \mathrm{AbstractRepair}(\hat{M}, \hat{s}, \varphi_2, C)$
3: $C_1 := C \cup \{(\hat{s}, \varphi_1)\}$, $C_2 := C \cup \{(\hat{s}, \varphi_2)\}$
4: $RET'_1 := FAILURE$, $RET'_2 := FAILURE$
5: if $RET_1 \ne FAILURE$ then
6:   $\hat{M}_1 := RET_1$
7:   $RET'_1 := \mathrm{AbstractRepair}(\hat{M}_1, \hat{s}, \varphi_2, C_1)$
8:   if $RET'_1 \ne FAILURE$ then
9:     $\hat{M}'_1 := RET'_1$
10: if $RET_2 \ne FAILURE$ then
11:  $\hat{M}_2 := RET_2$
12:  $RET'_2 := \mathrm{AbstractRepair}(\hat{M}_2, \hat{s}, \varphi_1, C_2)$
13:  if $RET'_2 \ne FAILURE$ then
14:    $\hat{M}'_2 := RET'_2$
15: if $RET'_1 \ne FAILURE$ && $RET'_2 \ne FAILURE$ then
16:  $\hat{M}' := \mathrm{MinimallyChanged}(\hat{M}, \hat{M}'_1, \hat{M}'_2)$
17: else if $RET'_1 \ne FAILURE$ then
18:  $\hat{M}' := RET'_1$
19: else if $RET'_2 \ne FAILURE$ then
20:  $\hat{M}' := RET'_2$
21: else
22:  return FAILURE
23: return $\hat{M}'$

6.1. Primitive Functions. Algorithm 2 describes AbstractRepair$_{ATOMIC}$, which, for a simple atomic formula, updates the labeling of the input state with the given atomic proposition. Disjunctive formulas are handled by repairing the disjunct that leads to the minimum change (Algorithm 3), while conjunctive formulas are handled with the use of constraints (Algorithm 4).

Algorithm 5 describes the primitive function AbstractRepair$_{AG}$, which is called when $\varphi = AG\,\varphi_1$. If AbstractRepair$_{AG}$ is called for a state $\hat{s}$, it recursively calls AbstractRepair for $\hat{s}$ and for all states reachable from $\hat{s}$ through may-transitions that do not satisfy $\varphi_1$. The resulting KMTS $\hat{M}'$ is returned if it does not violate any constraint in $C$.

AbstractRepair$_{EX}$, presented in Algorithm 6, is the primitive function for handling properties of the form $EX\,\varphi_1$ for some state $\hat{s}$. At first, AbstractRepair$_{EX}$ attempts to repair the KMTS by adding a must-transition from $\hat{s}$ to a state that satisfies property $\varphi_1$. If a repaired KMTS is not found, then AbstractRepair is recursively called for an immediate successor of $\hat{s}$ through a must-transition that does not satisfy $\varphi_1$. If a constraint in $C$ is violated, then (i) a new state is added, (ii) AbstractRepair is called for the new state and

(iii) a must-transition from $\hat{s}$ to the new state is added. The resulting KMTS is returned by the algorithm if all constraints of $C$ are satisfied.

Algorithm 5 AbstractRepair$_{AG}$
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi = AG\,\varphi_1$ for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$ with $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: if $(\hat{M}, \hat{s}) \not\models \varphi_1$ then
2:   $RET := \mathrm{AbstractRepair}(\hat{M}, \hat{s}, \varphi_1, C)$
3:   if $RET == FAILURE$ then
4:     return FAILURE
5:   else
6:     $\hat{M}' := RET$
7: else
8:   $\hat{M}' := \hat{M}$
9: for all states $\hat{s}_k$ reachable from $\hat{s}$ through may-transitions such that $(\hat{M}', \hat{s}_k) \not\models \varphi_1$ do
10:  $RET := \mathrm{AbstractRepair}(\hat{M}', \hat{s}_k, \varphi_1, C)$
11:  if $RET == FAILURE$ then
12:    return FAILURE
13:  else
14:    $\hat{M}' := RET$
15: if $\hat{M}' \models C$ then
16:  return $\hat{M}'$
17: return FAILURE

Algorithm 7 presents the primitive function AbstractRepair$_{AX}$, which is used when $\varphi = AX\,\varphi_1$. Firstly, AbstractRepair$_{AX}$ tries to repair the KMTS by applying AbstractRepair to all direct may-successors $\hat{s}_i$ of $\hat{s}$ that do not satisfy property $\varphi_1$; if all constraints are satisfied, the new KMTS is returned by the function. If no such states exist or a constraint is violated, all may-transitions $(\hat{s}, \hat{s}_i)$ for which $(\hat{M}, \hat{s}_i) \not\models \varphi_1$ are removed. If there remain states $\hat{s}_i$ with $\hat{r}_m := (\hat{s}, \hat{s}_i) \in R_{may}$ and all constraints are satisfied, a repaired KMTS has been produced and it is returned by the function. Otherwise, a repaired KMTS results from applying AddMay from $\hat{s}$ to all states $\hat{s}_j$ that satisfy $\varphi_1$. If any constraint is violated, the KMTS is repaired by adding a new state, applying AbstractRepair to this state for property $\varphi_1$ and adding a may-transition from $\hat{s}$ to it. If all constraints are satisfied, the repaired KMTS is returned.
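To make the recursion and the role of the constraint set $C$ concrete, the following is an added example, not the paper's implementation: a dict-based KMTS with the standard 3-valued semantics for literals, $\wedge$, $\vee$ and $EX$ (true through a must-successor, false only when every may-successor refutes the subformula, unknown otherwise), the basic operations ChangeLabel, AddMust, AddMay and AddState, and AbstractRepair for atoms (Algorithm 2), $\vee$ (Algorithm 3), $\wedge$ (Algorithm 4) and $EX$ (Algorithm 6). The remaining CTL operators are omitted. MinimallyChanged is approximated by counting differing states, transitions and labels between two KMTSs, an assumption since the definition of $\hat{d}$ is not reproduced on this page; initial states are not tracked; the door-opener-style KMTS `DOOR` and all function names are constructed for the example.

```python
"""Syntax-directed AbstractRepair on a KMTS under 3-valued CTL semantics.
Added example for this section, not the paper's implementation: covers atoms,
AND, OR and EX; initial states are not tracked; the KMTS DOOR is constructed."""
from copy import deepcopy

FAILURE = None


def neg(lit):
    return lit[1:] if lit.startswith("!") else "!" + lit


def kmts(states, must, may, labels):
    """KMTS as a dict; must-transitions are required to be a subset of may-transitions."""
    assert set(must) <= set(may)
    return {"S": set(states), "must": set(must), "may": set(may),
            "L": {s: set(labels.get(s, ())) for s in states}}


def check(m, s, phi):
    """3-valued satisfaction: True, False or None (unknown); standard KMTS semantics."""
    kind = phi[0]
    if kind == "atom":
        lit = phi[1]
        return True if lit in m["L"][s] else (False if neg(lit) in m["L"][s] else None)
    if kind in ("and", "or"):
        vals = {check(m, s, phi[1]), check(m, s, phi[2])}
        if kind == "and":
            return False if False in vals else (None if None in vals else True)
        return True if True in vals else (None if None in vals else False)
    if kind == "EX":  # true via some must-successor; false only if every may-successor refutes phi1
        must_succ = [t for (u, t) in m["must"] if u == s]
        may_succ = [t for (u, t) in m["may"] if u == s]
        if any(check(m, t, phi[1]) is True for t in must_succ):
            return True
        return False if all(check(m, t, phi[1]) is False for t in may_succ) else None
    raise ValueError("unsupported operator %s" % kind)


# Basic repair operations; each returns a fresh KMTS.  AddMust also adds the may-transition.
def change_label(m, s, lit):
    m2 = deepcopy(m); m2["L"][s].discard(neg(lit)); m2["L"][s].add(lit); return m2


def add_must(m, r):
    m2 = deepcopy(m); m2["must"].add(r); m2["may"].add(r); return m2


def add_may(m, r):
    m2 = deepcopy(m); m2["may"].add(r); return m2


def add_state(m, s):  # isolated, labelled with the empty set, never initial
    m2 = deepcopy(m); m2["S"].add(s); m2["L"][s] = set(); return m2


def satisfies_constraints(m, C):
    return all(check(m, sc, phic) is True for sc, phic in C)


def abstract_dist(m1, m2):
    """Assumed MinimallyChanged criterion: differing states, transitions (must vs. may-only), labels."""
    trans = lambda k: ({(u, t, "must") for (u, t) in k["must"]}
                       | {(u, t, "may") for (u, t) in k["may"] - k["must"]})
    lab = lambda k: {(s, l) for s in k["S"] for l in k["L"][s]}
    return len(m1["S"] ^ m2["S"]) + len(trans(m1) ^ trans(m2)) + len(lab(m1) ^ lab(m2)) / 2


def abstract_repair(m, s, phi, C=()):
    """Return a KMTS in which phi is True at s and every (state, formula) in C is True, or FAILURE."""
    if check(m, s, phi) is True:
        return m
    kind = phi[0]
    if kind == "atom":  # Algorithm 2
        m2 = change_label(m, s, phi[1])
        return m2 if satisfies_constraints(m2, C) else FAILURE
    if kind == "or":  # Algorithm 3
        r1, r2 = abstract_repair(m, s, phi[1], C), abstract_repair(m, s, phi[2], C)
        if r1 is not FAILURE and r2 is not FAILURE:
            return r1 if abstract_dist(m, r1) <= abstract_dist(m, r2) else r2
        return r1 if r1 is not FAILURE else r2
    if kind == "and":  # Algorithm 4: repair one conjunct, then the other while keeping the first
        results = []
        for first, second in ((phi[1], phi[2]), (phi[2], phi[1])):
            r = abstract_repair(m, s, first, C)
            if r is not FAILURE:
                r = abstract_repair(r, s, second, tuple(C) + ((s,first),))
            if r is not FAILURE:
                results.append(r)
        return min(results, key=lambda r: abstract_dist(m, r)) if results else FAILURE
    if kind == "EX":  # Algorithm 6
        return repair_ex(m, s, phi[1], C)
    raise ValueError("unsupported operator %s" % kind)


def repair_ex(m, s, phi1, C):
    # (1) a must-transition from s to a state already satisfying phi1, one candidate at a time
    for t in sorted(m["S"]):
        if check(m, t, phi1) is True:
            m2 = add_must(m, (s, t))
            if satisfies_constraints(m2, C):
                return m2
    # (2) repair a direct must-successor of s for phi1
    for t in sorted(t2 for (u, t2) in m["must"] if u == s):
        r = abstract_repair(m, t, phi1, C)
        if r is not FAILURE and satisfies_constraints(r, C):
            return r
    # (3) a fresh state, reached by a new must-transition, with a may self-loop so it is no dead end
    new = "new%d" % len(m["S"])
    m2 = add_may(add_must(add_state(m, new), (s, new)), (new, new))
    r = abstract_repair(m2, new, phi1, C)
    return r if r is not FAILURE and satisfies_constraints(r, C) else FAILURE


# Constructed door-opener-style KMTS (not the paper's model).
DOOR = kmts(["closed", "opening", "open"],
            must={("closed", "opening"), ("opening", "open")},
            may={("closed", "opening"), ("opening", "open"), ("open", "closed")},
            labels={"closed": ["!open"], "opening": ["!open", "!alarm"], "open": ["open"]})
```

Repairing $EX\,open$ at `closed` takes branch (1) and adds the must-transition (closed, open). Repairing $EX\,alarm$ takes branch (2) and relabels `opening`; with the constraint that `opening` keeps $\neg alarm$, that relabeling is rejected and branch (3) adds a fresh state, which is exactly the fallback the text above describes. Repairing the atom $open$ at `closed` under the constraint (closed, $\neg open$) returns FAILURE, because the only basic operation for an atom is ChangeLabel and it would violate the constraint.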
AbstractRepair$_{EG}$, presented in Algorithm 8, is the primitive function called when the input CTL property is of the form $EG\,\varphi_1$. Initially, if $\varphi_1$ is not satisfied at $\hat{s}$, AbstractRepair is called for $\hat{s}$ and $\varphi_1$, producing a KMTS $\hat{M}_1$. Then a must-transition is added from $\hat{s}$ to a state $\hat{s}_1$ of a maximal must-path (i.e. a must-path in which each transition appears at most once) $\pi_{must} := [\hat{s}_1, \hat{s}_2, \ldots]$ such that $\forall \hat{s}_i \in \pi_{must},\ (\hat{M}_1, \hat{s}_i) \models \varphi_1$. If all constraints are satisfied, the repaired KMTS is returned. Otherwise, a KMTS is produced by recursively calling AbstractRepair on all states $\hat{s}_i \ne \hat{s}$ of any maximal must-path $\pi_{must} := [\hat{s}_1, \hat{s}_2, \ldots]$ with $\hat{s}_i \in \pi_{must}$ and $(\hat{M}_1, \hat{s}_i) \not\models \varphi_1$. If there are violated constraints in $C$, then a repaired KMTS is produced by adding a new state, calling AbstractRepair for this

Algorithm 6 AbstractRepair$_{EX}$
Input: $\hat{M} = (\hat{S}, \hat{S}_0, R_{must}, R_{may}, \hat{L})$, $\hat{s} \in \hat{S}$, a CTL property $\varphi = EX\,\varphi_1$ for which $(\hat{M}, \hat{s}) \not\models \varphi$, and a set of constraints $C = \{(\hat{s}_{c_1}, \varphi_{c_1}), (\hat{s}_{c_2}, \varphi_{c_2}), \ldots, (\hat{s}_{c_n}, \varphi_{c_n})\}$ where $\hat{s}_{c_i} \in \hat{S}$ and $\varphi_{c_i}$ is a CTL formula.
Output: $\hat{M}' = (\hat{S}', \hat{S}'_0, R'_{must}, R'_{may}, \hat{L}')$ with $(\hat{M}', \hat{s}) \models \varphi$, or FAILURE.
1: if there exists $\hat{s}_1 \in \hat{S}$ such that $(\hat{M}, \hat{s}_1) \models \varphi_1$ then
2:   for all $\hat{s}_i \in \hat{S}$ such that $(\hat{M}, \hat{s}_i) \models \varphi_1$ do
3:     $\hat{r}_i := (\hat{s}, \hat{s}_i)$, $\hat{M}' := \mathrm{AddMust}(\hat{M}, \hat{r}_i)$
4:     if $\hat{M}' \models C$ then
5:       return $\hat{M}'$
6: else
7:   for all direct must-reachable states $\hat{s}_i$ from $\hat{s}$ such that $(\hat{M}, \hat{s}_i) \not\models \varphi_1$ do
8:     $RET := \mathrm{AbstractRepair}(\hat{M}, \hat{s}_i, \varphi_1, C)$
9:     if $RET \ne FAILURE$ then
10:      $\hat{M}' := RET$
11:      return $\hat{M}'$
12: $\hat{M}' := \mathrm{AddState}(\hat{M}, \hat{s}_n)$, $\hat{r}_n := (\hat{s}, \hat{s}_n)$, $\hat{M}' := \mathrm{AddMust}(\hat{M}', \hat{r}_n)$
13: $\hat{r}'_n := (\hat{s}_n, \hat{s}_n)$
14: $\hat{M}' := \mathrm{AddMay}(\hat{M}', \hat{r}'_n)$
15: $RET := \mathrm{AbstractRepair}(\hat{M}', \hat{s}_n, \varphi_1, C)$
16: if $RET \ne FAILURE$ then
17:  $\hat{M}' := RET$
18:  return $\hat{M}'$
19: return FAILURE

state and property $\varphi_1$, and calling AddMust to insert a must-transition from $\hat{s}$ to the new state. The resulting KMTS is returned by the algorithm if all constraints in $C$ are satisfied.

AbstractRepair$_{AF}$, shown in Algorithm 9, is called when the CTL formula $\varphi$ is of the form $AF\,\varphi_1$. While there is a maximal may-path $\pi_{may} := [\hat{s}, \hat{s}_1, \ldots]$ such that $\forall \hat{s}_i \in \pi_{may},\ (\hat{M}, \hat{s}_i) \not\models \varphi_1$, AbstractRepair$_{AF}$ tries to obtain a repaired KMTS by recursively calling AbstractRepair on some state $\hat{s}_i \in \pi_{may}$. If all constraints are satisfied in the new KMTS, it is returned as the repaired model.

AbstractRepair$_{EF}$, shown in Algorithm 10, is called when the CTL property $\varphi$ is of the form $EF\,\varphi_1$. Initially, a KMTS is acquired by adding a must-transition from a state $\hat{s}_i$ that is must-reachable from $\hat{s}$ to a state $\hat{s}_k \in \hat{S}$ such that $(\hat{M}, \hat{s}_k) \models \varphi_1$. If all constraints are satisfied, this KMTS is returned. Otherwise, a KMTS is produced by applying AbstractRepair to a must-reachable state $\hat{s}_i$ from $\hat{s}$ for $\varphi_1$. If none of the constraints is violated, this KMTS is returned. In any other case, a new KMTS is produced by adding a new state $\hat{s}_n$, recursively calling AbstractRepair for this state and $\varphi_1$, and adding a must-transition to $\hat{s}_n$ from $\hat{s}$ or from a state $\hat{s}_i$ must-reachable from $\hat{s}$. If all constraints are satisfied, this KMTS is returned by the algorithm as the repaired model.

AbstractRepair$_{AU}$ is presented in Algorithm 11 and is called when $\varphi = A(\varphi_1 U \varphi_2)$. If $\varphi_1$ is not satisfied at $\hat{s}$, a KMTS $\hat{M}_1$ is produced by applying AbstractRepair to $\hat{s}$ for $\varphi_1$. Otherwise, $\hat{M}_1$ is the same as $\hat{M}$. A new KMTS is produced as follows: for all may-paths $\pi_{may} := [\hat{s}_1, \ldots, \hat{s}_m]$ such that $\forall \hat{s}_i \in \pi_{may},\ (\hat{M}_1, \hat{s}_i) \models \varphi_1$ and for which there does not


More information

Agenda. Propositional Logic. Atomic propositions. References. Truth values. Examples of atomic propositions

Agenda. Propositional Logic. Atomic propositions. References. Truth values. Examples of atomic propositions Proositional Logic Andrew Simson Revised by David Lightfoot Agenda Atomic roositions Logical oerators Truth tables Precedence Tautologies, contradictions and contingencies Euational reasoning 1 2 References

More information

Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems

Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems Int. J. Oen Problems Comt. Math., Vol. 3, No. 2, June 2010 ISSN 1998-6262; Coyright c ICSRS Publication, 2010 www.i-csrs.org Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various

More information

On Wald-Type Optimal Stopping for Brownian Motion

On Wald-Type Optimal Stopping for Brownian Motion J Al Probab Vol 34, No 1, 1997, (66-73) Prerint Ser No 1, 1994, Math Inst Aarhus On Wald-Tye Otimal Stoing for Brownian Motion S RAVRSN and PSKIR The solution is resented to all otimal stoing roblems of

More information

Sums of independent random variables

Sums of independent random variables 3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where

More information

Blame, coercion, and threesomes: Together again for the first time

Blame, coercion, and threesomes: Together again for the first time Blame, coercion, and threesomes: Together again for the first time Draft, 19 October 2014 Jeremy Siek Indiana University jsiek@indiana.edu Peter Thiemann Universität Freiburg thiemann@informatik.uni-freiburg.de

More information

A note on the random greedy triangle-packing algorithm

A note on the random greedy triangle-packing algorithm A note on the random greedy triangle-acking algorithm Tom Bohman Alan Frieze Eyal Lubetzky Abstract The random greedy algorithm for constructing a large artial Steiner-Trile-System is defined as follows.

More information

BOUNDS FOR THE COUPLING TIME IN QUEUEING NETWORKS PERFECT SIMULATION

BOUNDS FOR THE COUPLING TIME IN QUEUEING NETWORKS PERFECT SIMULATION BOUNDS FOR THE COUPLING TIME IN QUEUEING NETWORKS PERFECT SIMULATION JANTIEN G. DOPPER, BRUNO GAUJAL AND JEAN-MARC VINCENT Abstract. In this aer, the duration of erfect simulations for Markovian finite

More information

A Social Welfare Optimal Sequential Allocation Procedure

A Social Welfare Optimal Sequential Allocation Procedure A Social Welfare Otimal Sequential Allocation Procedure Thomas Kalinowsi Universität Rostoc, Germany Nina Narodytsa and Toby Walsh NICTA and UNSW, Australia May 2, 201 Abstract We consider a simle sequential

More information

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS #A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,

More information

2. PROPOSITIONAL LOGIC

2. PROPOSITIONAL LOGIC 2. PROPOSITIONAL LOGIC Contents 2.1: Informal roositional logic 2.2: Syntax of roositional logic 2.3: Semantics of roositional logic 2.4: Logical equivalence 2.5: An examle 2.6: Adequate sets of connectives

More information

By Evan Chen OTIS, Internal Use

By Evan Chen OTIS, Internal Use Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there

More information

Multiplicative group law on the folium of Descartes

Multiplicative group law on the folium of Descartes Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of

More information

Distributed Rule-Based Inference in the Presence of Redundant Information

Distributed Rule-Based Inference in the Presence of Redundant Information istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced

More information

Infinite Number of Twin Primes

Infinite Number of Twin Primes dvances in Pure Mathematics, 06, 6, 95-97 htt://wwwscirorg/journal/am ISSN Online: 60-08 ISSN Print: 60-068 Infinite Number of Twin Primes S N Baibeov, Durmagambetov LN Gumilyov Eurasian National University,

More information

Finite State Model Checking

Finite State Model Checking Finite State Model Checking Finite State Model Checking Finite State Systems System Descrition A Requirement F CTL TOOL No! Debugging Information Yes, Prototyes Executable Code Test sequences Tools: visualstate,

More information

LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL

LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL Mohammad Bozorg Deatment of Mechanical Engineering University of Yazd P. O. Box 89195-741 Yazd Iran Fax: +98-351-750110

More information

An Analysis of Reliable Classifiers through ROC Isometrics

An Analysis of Reliable Classifiers through ROC Isometrics An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit

More information

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to

More information

ON FREIMAN S 2.4-THEOREM

ON FREIMAN S 2.4-THEOREM ON FREIMAN S 2.4-THEOREM ØYSTEIN J. RØDSETH Abstract. Gregory Freiman s celebrated 2.4-Theorem says that if A is a set of residue classes modulo a rime satisfying 2A 2.4 A 3 and A < /35, then A is contained

More information

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

John Weatherwax. Analysis of Parallel Depth First Search Algorithms Sulementary Discussions and Solutions to Selected Problems in: Introduction to Parallel Comuting by Viin Kumar, Ananth Grama, Anshul Guta, & George Karyis John Weatherwax Chater 8 Analysis of Parallel

More information

Combinatorics of topmost discs of multi-peg Tower of Hanoi problem

Combinatorics of topmost discs of multi-peg Tower of Hanoi problem Combinatorics of tomost discs of multi-eg Tower of Hanoi roblem Sandi Klavžar Deartment of Mathematics, PEF, Unversity of Maribor Koroška cesta 160, 000 Maribor, Slovenia Uroš Milutinović Deartment of

More information

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes Infinite Series 6.2 Introduction We extend the concet of a finite series, met in Section 6., to the situation in which the number of terms increase without bound. We define what is meant by an infinite

More information

Positive decomposition of transfer functions with multiple poles

Positive decomposition of transfer functions with multiple poles Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.

More information

On the Toppling of a Sand Pile

On the Toppling of a Sand Pile Discrete Mathematics and Theoretical Comuter Science Proceedings AA (DM-CCG), 2001, 275 286 On the Toling of a Sand Pile Jean-Christohe Novelli 1 and Dominique Rossin 2 1 CNRS, LIFL, Bâtiment M3, Université

More information

#A6 INTEGERS 15A (2015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I. Katalin Gyarmati 1.

#A6 INTEGERS 15A (2015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I. Katalin Gyarmati 1. #A6 INTEGERS 15A (015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I Katalin Gyarmati 1 Deartment of Algebra and Number Theory, Eötvös Loránd University and MTA-ELTE Geometric and Algebraic Combinatorics

More information

SCHUR S LEMMA AND BEST CONSTANTS IN WEIGHTED NORM INEQUALITIES. Gord Sinnamon The University of Western Ontario. December 27, 2003

SCHUR S LEMMA AND BEST CONSTANTS IN WEIGHTED NORM INEQUALITIES. Gord Sinnamon The University of Western Ontario. December 27, 2003 SCHUR S LEMMA AND BEST CONSTANTS IN WEIGHTED NORM INEQUALITIES Gord Sinnamon The University of Western Ontario December 27, 23 Abstract. Strong forms of Schur s Lemma and its converse are roved for mas

More information

On generalizing happy numbers to fractional base number systems

On generalizing happy numbers to fractional base number systems On generalizing hay numbers to fractional base number systems Enriue Treviño, Mikita Zhylinski October 17, 018 Abstract Let n be a ositive integer and S (n) be the sum of the suares of its digits. It is

More information

2-D Analysis for Iterative Learning Controller for Discrete-Time Systems With Variable Initial Conditions Yong FANG 1, and Tommy W. S.

2-D Analysis for Iterative Learning Controller for Discrete-Time Systems With Variable Initial Conditions Yong FANG 1, and Tommy W. S. -D Analysis for Iterative Learning Controller for Discrete-ime Systems With Variable Initial Conditions Yong FANG, and ommy W. S. Chow Abstract In this aer, an iterative learning controller alying to linear

More information

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO) Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment

More information

Lilian Markenzon 1, Nair Maria Maia de Abreu 2* and Luciana Lee 3

Lilian Markenzon 1, Nair Maria Maia de Abreu 2* and Luciana Lee 3 Pesquisa Oeracional (2013) 33(1): 123-132 2013 Brazilian Oerations Research Society Printed version ISSN 0101-7438 / Online version ISSN 1678-5142 www.scielo.br/oe SOME RESULTS ABOUT THE CONNECTIVITY OF

More information

Overview. overview / 357

Overview. overview / 357 Overview overview6.1 Introduction Modelling parallel systems Linear Time Properties Regular Properties Linear Temporal Logic (LTL) Computation Tree Logic syntax and semantics of CTL expressiveness of CTL

More information

Multi-Operation Multi-Machine Scheduling

Multi-Operation Multi-Machine Scheduling Multi-Oeration Multi-Machine Scheduling Weizhen Mao he College of William and Mary, Williamsburg VA 3185, USA Abstract. In the multi-oeration scheduling that arises in industrial engineering, each job

More information

How to Estimate Expected Shortfall When Probabilities Are Known with Interval or Fuzzy Uncertainty

How to Estimate Expected Shortfall When Probabilities Are Known with Interval or Fuzzy Uncertainty How to Estimate Exected Shortfall When Probabilities Are Known with Interval or Fuzzy Uncertainty Christian Servin Information Technology Deartment El Paso Community College El Paso, TX 7995, USA cservin@gmail.com

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

arxiv: v2 [quant-ph] 2 Aug 2012

arxiv: v2 [quant-ph] 2 Aug 2012 Qcomiler: quantum comilation with CSD method Y. G. Chen a, J. B. Wang a, a School of Physics, The University of Western Australia, Crawley WA 6009 arxiv:208.094v2 [quant-h] 2 Aug 202 Abstract In this aer,

More information

Model for reactive systems/software

Model for reactive systems/software Temporal Logics CS 5219 Abhik Roychoudhury National University of Singapore The big picture Software/ Sys. to be built (Dream) Properties to Satisfy (caution) Today s lecture System Model (Rough Idea)

More information

A Reduction Theorem for the Verification of Round-Based Distributed Algorithms

A Reduction Theorem for the Verification of Round-Based Distributed Algorithms A Reduction Theorem for the Verification of Round-Based Distributed Algorithms Mouna Chaouch-Saad 1, Bernadette Charron-Bost 2, and Stehan Merz 3 1 Faculté des Sciences, Tunis, Tunisia, Mouna.Saad@fst.rnu.tn

More information

Assignment 1 Solutions Structural Induction and First-Order Logic Due: 11am on Monday 26th August 2013

Assignment 1 Solutions Structural Induction and First-Order Logic Due: 11am on Monday 26th August 2013 Deartment of Comuter Science, Australian National University COMP2600 Formal Methods in Software Engineering Semester 2, 2013 Assignment 1 Solutions Structural Induction and First-Order Logic Due: 11am

More information

Keywords: pile, liquefaction, lateral spreading, analysis ABSTRACT

Keywords: pile, liquefaction, lateral spreading, analysis ABSTRACT Key arameters in seudo-static analysis of iles in liquefying sand Misko Cubrinovski Deartment of Civil Engineering, University of Canterbury, Christchurch 814, New Zealand Keywords: ile, liquefaction,

More information

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS #A47 INTEGERS 15 (015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS Mihai Ciu Simion Stoilow Institute of Mathematics of the Romanian Academy, Research Unit No. 5,

More information

SOME TRACE INEQUALITIES FOR OPERATORS IN HILBERT SPACES

SOME TRACE INEQUALITIES FOR OPERATORS IN HILBERT SPACES Kragujevac Journal of Mathematics Volume 411) 017), Pages 33 55. SOME TRACE INEQUALITIES FOR OPERATORS IN HILBERT SPACES SILVESTRU SEVER DRAGOMIR 1, Abstract. Some new trace ineualities for oerators in

More information

Radial Basis Function Networks: Algorithms

Radial Basis Function Networks: Algorithms Radial Basis Function Networks: Algorithms Introduction to Neural Networks : Lecture 13 John A. Bullinaria, 2004 1. The RBF Maing 2. The RBF Network Architecture 3. Comutational Power of RBF Networks 4.

More information

MAS 4203 Number Theory. M. Yotov

MAS 4203 Number Theory. M. Yotov MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment

More information

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave

More information

Supplementary Materials for Robust Estimation of the False Discovery Rate

Supplementary Materials for Robust Estimation of the False Discovery Rate Sulementary Materials for Robust Estimation of the False Discovery Rate Stan Pounds and Cheng Cheng This sulemental contains roofs regarding theoretical roerties of the roosed method (Section S1), rovides

More information

Statics and dynamics: some elementary concepts

Statics and dynamics: some elementary concepts 1 Statics and dynamics: some elementary concets Dynamics is the study of the movement through time of variables such as heartbeat, temerature, secies oulation, voltage, roduction, emloyment, rices and

More information

State Estimation with ARMarkov Models

State Estimation with ARMarkov Models Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,

More information

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices Coyright 202 Tech Science Press CMES, vol.86, no.4,.30-39, 202 An Inverse Problem for Two Sectra of Comlex Finite Jacobi Matrices Gusein Sh. Guseinov Abstract: This aer deals with the inverse sectral roblem

More information

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University College, Bergen, Norway fazlr@student.matnat.uio.no, Fazle.Rabbi@hib.no May 30, 2015 Fazle Rabbi et al. (UiO,

More information

An Investigation on the Numerical Ill-conditioning of Hybrid State Estimators

An Investigation on the Numerical Ill-conditioning of Hybrid State Estimators An Investigation on the Numerical Ill-conditioning of Hybrid State Estimators S. K. Mallik, Student Member, IEEE, S. Chakrabarti, Senior Member, IEEE, S. N. Singh, Senior Member, IEEE Deartment of Electrical

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

HENSEL S LEMMA KEITH CONRAD

HENSEL S LEMMA KEITH CONRAD HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar

More information

Mobius Functions, Legendre Symbols, and Discriminants

Mobius Functions, Legendre Symbols, and Discriminants Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,

More information

Spin as Dynamic Variable or Why Parity is Broken

Spin as Dynamic Variable or Why Parity is Broken Sin as Dynamic Variable or Why Parity is Broken G. N. Golub golubgn@meta.ua There suggested a modification of the Dirac electron theory, eliminating its mathematical incomleteness. The modified Dirac electron,

More information

Really Visual Temporal Reasoning. Y S Ramakrishna, P M Melliar-Smith, L E Moser, L K Dillon, G Kutty

Really Visual Temporal Reasoning. Y S Ramakrishna, P M Melliar-Smith, L E Moser, L K Dillon, G Kutty Really Visual Temoral Reasoning Y S Ramakrishna, P M Melliar-Smith, L E Moser, L K Dillon, Kutty Deartment of Electrical and Comuter Engineering and Deartment of Comuter Science University of California,

More information