Characterizing Fault-Tolerant Systems by Means of Simulation Relations
Size: px
Start display at page:

Download "Characterizing Fault-Tolerant Systems by Means of Simulation Relations"

Transcription

1 Characterizing Fault-Tolerant Systems by Means of Simulation Relations TECHNICAL REPORT Ramiro Demasi 1, Pablo F. Castro 2,3, Thomas S.E. Maibaum 1, and Nazareno Aguirre 2,3 1 Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada, demasira@mcmaster.ca,tom@maibaum.org 2 Departamento de Computación, FCEFQyN, Universidad Nacional de Río Cuarto, Río Cuarto, Córdoba, Argentina, {pcastro,naguirre}@dc.exa.unrc.edu.ar 3 Consejo Nacional de Investigaciones Científicas y Técnicas (CONICET), Argentina Abstract. We aim to formally characterize the various fault-tolerant behaviors that a computer system may exhibit, i.e., to capture the various possible executions of a system that in some way tolerate faults. This formalization is achieved by using particular notions of simulation and bisimulation, in order to compare executions of systems that exhibit faults with executions where no faults occur. This characterization allows us to algorithmically verify, using standard (bi)simulation algorithms, that a system behaves in an acceptable way, even under the occurrence of faults. This approach has the benefit of being simple and supporting an efficient automated treatment. We demonstrate the practical application of this theoretical framework through some well-known case studies, which illustrate that the main ideas behind most fault-tolerance mechanisms are naturally captured in this setting. Keywords: Formal Methods, Fault-Tolerance, Temporal Logic, Model Checking, Bisimulation. 1 Introduction The increasing use of computer systems in critical areas has implied that dependability and constant availability are two important characteristics that need to be taken into account when designing software. Some examples of such critical systems include software for medical devices and software controllers in the avionics and automotive industries. These systems are subject to a variety of potential failures that may corrupt, or degrade, their performance. So, being able to reason about these systems behaviors in the presence of potential faults, in order to provide guarantees for software robustness, has gained considerable attention. When a system is able to tolerate faults in some way, it is called fault-tolerant. If a system is able to tolerate faults, it is well-known that it may do so exhibiting different degrees of so called fault-tolerance. For instance, the system may

2 2 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre completely tolerate the faults, not allowing these to have any observable consequences for the users; this is often called masking fault-tolerance. Alternatively, after a fault occurs, the system may undergo some process to eventually take the system back to a good behavior (after some amount of time); this is usually called nonmasking tolerance and it is normally observable at the fault-tolerant component s interface. Also, the system may react to a fault by switching to a behavior that is safe but in which the system is restricted in its capacity; this is called failsafe fault-tolerance. The field of fault-tolerant systems is concerned with providing techniques that can be used to increase the fault-tolerance characteristics of software, or of systems in general. Some examples of traditional techniques employed to deal with fault-tolerance are component replication, N-version programming, exception mechanisms, transactions, etc. Some emerging approaches try to deal with fault-tolerance in formal settings, with the aim of mathematically proving that a given system effectively tolerates faults. One of the early examples of formal approaches to fault-tolerance is the one presented in [3 5], where Unity programs are complemented with fault steps, and the logic underlying Unity is used to prove properties of programs. More recently, formal approaches involving model checking, applied to fault-tolerance, have been proposed. In these approaches, temporal logics are employed to capture fault-tolerance properties of reactive systems, and model checking algorithms are used to automatically verify that these properties hold for a given system. It is widely known that model checking provides significant benefits over other semi automated or manual formal approaches. This is because model checking provides fully automated analysis, and the counterexamples that are generated when a property does not hold are extremely helpful in finding the source of the problem in the system, and dealing with it. The languages employed for the description of systems and system properties in model checking do not provide a built-in way of distinguishing between normal and abnormal behaviors. Thus, when capturing fault-tolerant systems, and expressing fault-tolerance properties, the specifier needs to encode in some suitable way the faults and their consequences. This may make formulas longer and more difficult to understand, and even have a potential negative impact on analysis, since the performance of model checking algorithms depends on the length of the formula being analyzed. In this paper, we propose an alternative automated approach for dealing with the analysis of fault-tolerance, which appropriately distinguishes faulty behaviors from normal ones, with a notion of abnormal transition built into the formalism. This approach enables for the automated analysis of fault-tolerance, meaning that the approach allows one to show, without the need for user intervention, that the system is able to tolerate faults to some degree (masking, nonmasking, failsafe). The approach is based on defining simulation/bisimulation relations for different degrees of fault tolerance, and employing (bi)simulation algorithms for checking fault tolerance. The remainder of the paper is structured as follows. In section 2 we introduce the main notions used throughout the paper. In section 3 we define masking, nonmasking and failsafe versions of fault-tolerance by means of simulation relations.

3 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 3 We present some examples in section 5. Finally, we discuss some conclusions and directions for further work in section 7. 2 Preliminaries In this section, we introduce some concepts that will be necessary throughout the paper. For the sake of brevity, we assume some basic knowledge on model checking; the interested reader may consult [7]. We model fault-tolerant systems by means of coloured Kripke structures, as introduced in [8]. Given a set of propositional letters AP = {p, q, s,...}, a colored Kripke structure is a 5-tuple S, I, R, L, N, where S is a set of states, I S is a set of initial states, R S S is a transition relation, L : S (AP ) is a labeling function indicating which propositions are true in each state, and N S is a set of normal, or green states. Arcs leading to abnormal states (i.e., states not in N ) can be thought of as faulty transitions, or simply faults. Then, normal executions are those transiting only through green states. The set of normal executions is denoted by N T. We assume that in every colored Kripke structure, and for every normal state, there exists at least one successor state that is also normal, and that at least one initial state is green. This guarantees that every system has at least one normal execution, i.e., that N T. As is usual in the definition of temporal operators, we employ the notion of trace. A trace is a maximal sequence of states, whose consecutive pairs are adjacent w.r.t. R. When a trace starts in an initial state, it is called an execution of M, with partial executions corresponding to non-maximal sequences of adjacent states. Given a trace σ = s 0, s 1, s 2, s 3,..., the ith state of σ is denoted by σ[i], and the final segment of σ starting in position i is denoted by σ[i..]. Moreover, we distinguish among the different kinds of outgoing transitions from a state. Given a Kripke structure M = S, I, R, L, N, we denote by the restriction of R to faulty transitions, and the restriction of R to non-faulty transitions. We define P ost N (s) = {s S s s } as the set of successors of s reachable via non-faulty (or good) transitions; similarly, P ost F (s) = {s S s s } represents the set of successors of s reachable via faulty arcs. Analogously, we define P re N (s ) and P re F (s ) as the set of predecessor of s via normal and faulty transitions, respectively. Moreover, P ost (s) denotes the states which are reachable from s. Without loss of generality, we assume that every state has a successor [7]. We denote by the transitive closure of. In order to state properties of systems, we employ a fragment of dctl [8] (named dctl-), a branching time temporal logic with deontic operators designed for fault-tolerant system verification. Formulas in this logic refer to properties of behaviors of colored Kripke structures, in which a distinction between normal and abnormal states (and therefore also a distinction between normal and abnormal traces) is made. The logic dctl is defined over the Computation Tree Logic CTL, with its novel part being the deontic operators O(ψ) (obligation) and P(ψ) (permission), which are applied to a certain kind of path formula ψ. The

4 4 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre intention of these operators is to capture the notion of obligation and permission over traces. Intuitively, these operators have the following meaning: O(ψ): property ψ is obliged in every future state, reachable via non-faulty transitions. P(ψ): there exists a normal execution, i.e., not involving faults, starting from the current state and along which ψ holds. Obligation and permission will enable us to express intended properties which should hold in all normal behaviors and some normal behaviors, respectively. These deontic operators have an implicit temporal character, since ψ is a path formula. Let us present the syntax of dctl-. Let AP be a set {p 0, p 1,...} of atomic propositions; the sets Φ and Ψ of state and path formulas, respectively, are mutually recursively defined as follows: Φ ::= p i Φ Φ Φ A(Ψ) E(Ψ) O(Ψ) P(Ψ) Ψ ::= XΦ Φ U Φ Φ W Φ Other boolean connectives (here, state operators), such as,, etc., can be defined as usual. Also, traditional temporal operators G and F can be expressed, as G(φ) φ W, and F(φ) U φ. The standard boolean operators and the CTL quantifiers A and E have the usual semantics. Now, we formally state the semantics of the logic. We start by defining the relation, formalizing the satisfaction of dctl- state formulas in colored Kripke structures. The definition of is as follows: M, s. M, s p i p i L(s), where p i AP. M, s ϕ not M, s ϕ. M, s ϕ ϕ (M, s ϕ) or (M, s ϕ ). M, s E(ψ) M, σ ψ for some traces σ such that σ[0] = s. M, s A(ψ) M, σ ψ for all traces σ such that σ[0] = s. M, s O(ψ) for every σ N T such that σ[0] = s we have that for every i 0 M, σ[i..] ψ. M, s P(ψ) for some σ N T such that σ[0] = s we have that for every i 0 M, σ[i..] ψ. For the standard CTL operators the definition of is as usual (see [7]). We denote by M ϕ the fact that M, s ϕ holds for every state s of M, and by ϕ the fact that M ϕ for every colored Kripke structure M. In order to illustrate the semantics of the deontic operators, let us consider the colored Kripke structure in Figure 1, where the set of propositional variables is {p, q, r, t}, and each state is labeled by the set of propositional variables that hold in it. The states that are the target of dashed arcs are abnormal states (ones which indicate that something has gone wrong); faulty states are also drawn with dashed lines, while the remaining ones represent normal configurations. Note that the unique faulty state in this model is the one named t. In this simple model, for every non-faulty execution, p q is always true. In dctl- this is expressed by the

5 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 5 formula O(p q). Note that there also exist normal executions for which p q r holds; this fact is expressed as P(p q r). Other deontic operators such as prohibition can be expressed by using the ones introduced above (cf. [8]). One of the interesting characteristics of dctl- is the possibility of distinguishing between formulas that state properties of good executions and the standard formulas, which state properties over all the possible executions. For any formula ϕ, we define an analogous formula ϕ N which captures the same property as ϕ, but restricted to good executions. The definition is as follows. Fig. 1. A Simple Colored Kripke Structure Definition 1. The normative formula ϕ N, derived from a dctl formula ϕ over an alphabet AP, is defined as follows: (p i ) N def = p i. ( ϕ) N def = ϕ N. (ϕ ϕ ) N def = ϕ N ϕ N. (A(ϕ U ϕ )) N def = O(ϕ N U ϕ N ). (E(ϕ U ϕ )) N def = P(ϕ N U ϕ N ). (A(ϕ W ϕ )) N def = O(ϕ N W ϕ N ). (E(ϕ W ϕ )) N def = P(ϕ N W ϕ N ). (O(ϕ U ϕ ))) N def = O(ϕ N U ϕ N ). (P(ϕ U ϕ )) N def = P(ϕ N U ϕ N ). (O(ϕ W ϕ )) N def = O(ϕ N W ϕ N ). (P(ϕ W ϕ )) N def = P(ϕ N W ϕ N ).

6 6 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre 3 Simulations and Fault-Tolerance In this section we present suitable notions of simulation relations that allow us to capture diverse fault-tolerance properties, namely, masking, nonmasking, and failsafe fault-tolerance. In order to define these properties, we follow the basic definitions regarding simulation and bisimulation relations given in [7]. Fault-tolerance properties are based on the grades of satisfaction of safety and liveness properties that a model may exhibit in the presence of faults. Recall that any specification can be written as a conjunction of safety and liveness properties [1]. In the following definitions, given a Kripke structure with a labeling L, we consider the notion of a sub-labeling function, we say that L 0 is a sub-labeling of L (denoted by L 0 L), if L 0 (s) = L(s) AP, for all states s and some AP AP, we also say that L 0 is obtained by restricting AP to AP. The concept of sub-labeling allows us to focus on certain properties of models. Basically, in order to check fault-tolerance we consider two coloured Kripke structures of a system, the first one acting as a specification of the intended behaviour and the second as the fault-tolerant implementation. The existence of an appropriate (bi)simulation relation between the two will correspond to the achievement of a certain kind of fault-tolerant behaviour. Now, we introduce the notion of masking tolerance relations. 3.1 Masking Faul-Tolerance Definition 2. (Masking fault-tolerance) Given two colored Kripke structures M = S, I, R, L, N and M = S, I, R, L, N, we say that a relationship Mask S S is masking fault-tolerant for sub-labelings L 0 L and L 0 L iff: (A) s 1 I ( s 2 I : s 1 Mask s 2 ) and s 2 I ( s 1 I : s 1 Mask s 2 ). (B) for all s 1 Mask s 2 the following holds: (1) L 0 (s 1 ) = L 0(s 2 ). (2) if s 1 P ost N (s 1 ), then there exists s 2 P ost N (s 2 ) with s 1 Mask s 2. (3) if s 2 P ost N (s 2 ), then there exists s 1 P ost N (s 1 ) with s 1 Mask s 2. (4) if s 2 P ost F (s 2 ), then either there exists s 1 P ost N (s 1 ) with s 1 Mask s 2 or s 1 Mask s 2. Roughly speaking, conditions A, B.1, B.2 and B.3 imply that we have a bisimulation between the normative parts of M and M. Condition B.4 states that every outgoing faulty transition from s 2 either must be matched by an outgoing normal transition from s 1 or s 2 is masking fault-tolerant for s 1. Observe that, if there exists a self-loop at state s 2, then we can stay forever satisfying s 1 Mask s 2. Therefore, a fairness condition needs to be imposed on B.4 to ensure that masking implementations preserve liveness properties; for example, we can assume that, if a set of non-faulty transition are enabled infinitely often, then these transitions are executed infinitely often. We denote by M f ϕ the restriction of to fair executions. It is worth remarking that the symmetric condition

7 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 7 to (B.4) is not required, this is because we are only interested in the masking properties of M. We say that state s 2 is masking fault-tolerant for s 1 when s 1 Mask s 2. Intuitively, starting in s 2 we can mask the faults in such a way that the behavior exhibited is the same as the one observed when we start from s 1 (and execute transitions without faults). Moreover, we say that M masks faults for M iff s 0 Mask s 0 (where s 0 and s 0 are the corresponding initial states 4 ) for some masking fault-tolerant Mask ; we denote this situation by M Mask M. We present a simple example to illustrate the above definition. Example 1. Let us consider a memory cell that stores a bit of information and supports reading and writing operations. Briefly, each state maintains the current value of the memory cell (m = i, for i = 0, 1) and the last write operation that was performed (w = i, for i = 0, 1). Evidently, in this system the result of a read operation depends on the value stored in the cell. Some potential faults in this problem occur when a bit s value (say 1) unexpectedly loses its charge and it turns into another value (say 0). We employ the technique of redundancy to deal with this situation; that is, we use three memory bits instead of one. Writing operations are performed simultaneously on the three bits, whereas a reading returns the value that is repeated at least twice in the memory bits (also known as voting), and then the value read by voting is written back in all the bits. Each state in the model is described by variables m and w which record the last writing operation performed and the actual reading in the state. In addition, each state has three bits, described by boolean variables c 0, c 1 and c 2. For instance, the state s 0 contains the information 11/111, representing the state: w = 1, m = 1, c 0 = 1, c 1 = 1, and c 2 = 1. Now, consider the colored Fig. 2. Two masking fault-tolerance colored Kripke structures. Kripke structures M (left) and M (right) depicted in Figure 2. M contains only 4 In general, models have a unique initial state.

8 8 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre normal transitions describing the expected ideal behavior and does not take into account faults. On the other hand, M expresses the same ideal behavior but now a fault may occur; in this case, a bit may suffer a discharge and then it changes its value from 1 to 0. We can show that in this simple case there exists a relation of masking fault-tolerance between M and M with the sub-labelings L 0 and L 0 obtained by restricting L and L to propositions m and w, respectively. The relation R 1 = {(s 0, t 0 ), (s 1, t 1 ), (s 0, t 2 )} is a masking fault-tolerance for (M, M ). Notice that each pair of R 1 satisfies the Definition 2: (s 0, t 0 ) satisfies condition B.1 because L 0 (s 0 ) = L 0(t 0 ). Conditions B.2 and B.3 are satisfied because the transition s 0 s 0 is masked by t 0 t 0 and vice versa with (s 0, t 0 ) R 1, and transition t 0 t 1 masks s 0 s 1 and vice versa with (s 1, t 1 ) R 1. Finally, condition B.4 is satisfied because the faulty transition t 0 t 2 masks the normal transition s 0 s 0 with (s 0, t 2 ) R 1. (s 1, t 1 ) satisfies condition B.1 because L 0 (s 1 ) = L 0(t 1 ). Conditions B.2 and B.3 are satisfied because the normal transition t 1 t 0 is masked by s 1 s 0 and vice versa with (s 0, t 0 ) R 1, and the normal transition t 1 t 1 masks s 1 s 1 and vice versa with (s 1, t 1 ) R 1. (s 0, t 2 ) satisfies condition B.1 since L 0 (s 0 ) = L 0(t 2 ) (taking into account that reading operations return the value that is repeated at least twice in the memory bits). Conditions B.2 and B.3 are satisfied because the normal transition t 2 t 0 masks s 0 s 0 and vice versa with (s 0, t 0 ) R 1, and the normal transition t 2 t 1 masks s 0 s 1 and vice versa with (s 1, t 1 ) R 1. Now, we extend the definition of masking fault-tolerance to paths. Lemma 1. (Masking fault-tolerance on paths) Suppose we are given two colored Kripke structures M and M and a masking fault-tolerance Mask for (M, M ) and s 1 Mask s 2. Then for each path fragment σ 2 = s 0,2 s 1,2 s 2,2 s 3,2... starting in s 0,2 = s 2 there exists a normative path fragment σ 1 = s 0,1 s 1,1 s 2,1 s 3,1... from state s 0,1 = s 1 of the same length such that s j,1 Mask s j,2 for all j. Proof. Let σ 2 = s 0,2 s 1,2 s 2,2 s 3,2... P aths(s 2 ) be a path fragment in M starting in s 0,2 = s 2 and assume s 1 Mask s 2. We successively define a corresponding path fragment in M from state s 0,1 = s 1, where the transitions s i,2 2 s i+1,2 or s i,2 2 s i+1,2 are matched by transitions s i,1 1 s i+1,1 such that s i+1,1 Mask s i+1,2. We proceed by induction on i. Base case: i = 0. It follows from s 0,1 Mask s 0,2 which is equivalent to s 1 Mask s 2 that the transition either s 2 = s 0,2 2 s 1,2 or s 2 = s 0,2 2 s 1,2 can be matched by a transition s 1 = s 0,1 1 s 1,1 such that s 1,1 Mask s 1,2 by conditions (B.3) and (B.4) of definition 2, respectively. This yields the path fragment s 1 s 1,1 in M.

9 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 9 Induction Step: Assume i 0 and that the path fragment s 0,1 s 1,1 s 2,1 s i,1 is already constructed with s j,1 Mask s j,2 for j = 1,..., i. We consider the step s i,2 2 s i+1,2 and s i,2 2 s i+1,2 in σ 2. Since s i,1 Mask s i,2, there exists a transition s i,1 1 s i+1,1 with s i+1,1 Mask s i+1,2 by condition (B.3) and (B.4) of definition 2, respectively. This yields a path fragment s 1 s 1,1... s i,1 s i+1,1 which is statewise related to the prefix s 2 s 1,2... s i,2 s i+1,2 of σ 2. Notice that if we only consider normal executions starting in s 1 and s 2 with s 1 Mask s 2, by conditions (B.3) and (B.4) of definition 2 we have that for each path fragment starting in s 2, there exists a path fragment from s 1 of the same length, and viceversa. This means that normal behavior are respected in both cases. An important property of masking fault-tolerance is that both safety and liveness properties of normative (i.e., non-faulty) executions are preserved by masking tolerant implementations under fairness restrictions. As we said above, we can assume that, if a set of non-faulty transition are enabled infinitely often, then these transitions are executed infinitely often. In order to express this fairness assumption, we follow the ideas introduced in [2], where Kripke structures are augmented with fairness conditions, the authors consider a transition fairness defined as follow: A path π is fair with respect to the transition fairness condition iff all the transitions that are enabled along π infinitely often are also taken along π infinitely often. Formally, a transition v, w R is enabled in position i along π, if π[i] = v. It is taken, if in addition π[i + 1] = w. Thus, the semantics of dctl- is slightly modified such that the state formulae O(ϕ) and P(ϕ) are interpreted over all normative fair paths rather than over all possible normative paths. Finally, the fairness assumption f is expressed as follow: f def = GF(v) GF(w) with w P ost N (v). Now, we can state the following theorem. Theorem 1. If s 1 Mask s 2 for sub-labelings L 0 and L 0 obtained by restricting AP to AP, then M, s 1 f ϕ N M, s 2 f ϕ, where all the propositional variables of ϕ are in AP. Proof. We proceed by induction over the structure of the formula ϕ. Base case: ϕ = p. From s 1 Mask s 2 it follows by condition (B.1) for masking fault-tolerance that s 1 and s 2 have the same valuation. Thus, M, s 1 f p N M, s 2 f p, where (p i ) N = p i by definition 1. Inductive case: Case 1: ϕ = ψ. Suppose M, s 1 f ( ψ) N and M, s 2 ψ; the latter is equivalent to M, s 2 f ψ M, s 2 f ψ. But note by induction hypothesis and lemma 1, M, s 1 f ψ N holds, which contradicts our assumption. Then, M, s 1 f ( ψ) N M, s 2 f ψ. Similar for ϕ = ψ 1 ψ 2.

10 10 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre Case 2: ϕ = A(ψ 1 U ψ 2 ). Suppose that M, s 1 f (A(ψ 1 U ψ 2 )) N and M, s 2 A(ψ 1 U ψ 2 )), the latter is equivalent to M, s 2 f E (ψ 1 U ψ 2 ). Intuitively, it means that for some paths starting in s 2 either ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid or ψ 1 always holds but never ψ 2. Formally, in the first case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 2, and for every 0 l < k < j, it holds that M, σ 2 [l] = ψ 1 and M, σ 2 [k] = ψ 1. In the second case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 1 ψ 2. Furthermore, we have that s 1 Mask s 2, then, by lemma 1, for each path fragment starting in s 2 there exists a normative path fragment σ 1 such that σ 1 [0] = s 1 of the same length which is statewise related to σ 2, i.e., for the second case for each path fragment σ 2 such that M, σ 2 [j] = ψ 1 ψ 2 with j 0, there exists a normative path fragment with σ 1 [0] = s 1 such that M, σ 1 [j] = ψ 1 ψ 2. Similar for the first case. This yields a contradiction because contradicts the assumption that M, s 1 f (A(ψ 1 U ψ 2 )) N M, s 1 f O((ψ 1 ) N U (ψ 2 ) N ), i.e, for all normal paths σ 1 such that σ 1 [0] = s 1, there exists a j 0 such that M, σ 1 [j] = ψ 2, and for every 0 k < j, M, σ 1 [k] = ψ 1. Case 3: ϕ = E(ψ 1 U ψ 2 ). Similar to the proof for case 2. Case 4: ϕ = E(ψ 1 W ψ 2 ). Suppose that M, s 1 f (E(ψ 1 W ψ 2 )) N and M, s 2 E(ψ 1 W ψ 2 )), the latter is equivalent to M, s 2 f A (ψ 1 W ψ 2 ) M, s 2 f A ((ψ 1 ψ 2 ) U ( ψ 1 ψ 2 )). Intuitively, it means that for all paths starting in s 2 ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid. In addition, we have that s 1 Mask s 2, then, by lemma 1, for each path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ( ψ 1 ψ 2 ), and for every 0 k < j, M, σ 2 [k] = (ψ 1 ψ 2 ), there exists a normative path fragment from state s 1 of the same length which is statewise related to σ 2. This yields a contradiction because contradicts the assumption that M, s 1 f (E(ψ 1 W ψ 2 )) N M, s 1 f P((ψ 1 ) N W (ψ 2 ) N ), i.e, for some normal paths either there exists j 0 such that M, σ[j] f ψ 2 and for every 0 k < j it holds that M, σ[j] f ψ 1, or for every j 0 we have that M, σ[j] f ψ 1. The proof is similar for case ϕ = A(ψ 1 W ψ 2 ). Case 5: ϕ = O(ψ 1 U ψ 2 ). Suppose that M, s 1 f (O((ψ 1 U ψ 2 ))) N and M, s 2 O((ψ 1 ) N U (ψ 2 ) N ). Intuitively, it means that (ψ 1 ) N U (ψ 2 ) N does not hold for all normative paths starting in s 2. But not that by lemma 1, we can construct a matching execution from s 1 of the same length which is statewise related to the path in which (ψ 1 ) N U (ψ 2 ) N does not hold. However, this yields a contradiction because contradicts the assumption that for all normative path starting in s 1, (O((ψ 1 U ψ 2 ))) N holds. Hence, we can conclude M, s 1 f (O(ψ 1 U ψ 2 )) N M, s 2 f O((ψ 1 ) N U (ψ 2 ) N ). The proof for cases ϕ = P(ψ 1 U ψ 2 ), ϕ = O(ψ 1 W ψ 2 ), ϕ = O(ψ 1 W ψ 2 ) are similar to proof of case 5.

11 Characterizing Fault-Tolerant Systems by Means of Simulation Relations Nonmasking Fault-tolerance Nonmasking tolerance is less strict than masking tolerance, it allows for the existence of some states which do not mask faults. Technically speaking, the liveness part is always guaranteed but the safety part is only eventually respected. Intuitively, this type of fault-tolerance allows the program to violate the safety specification while it is recovering to the normal behaviour. The characterization of this kind of behavior is given as follows: Definition 3. (Nonmasking fault-tolerance) Given two colored Kripke structures M = S, I, R, L, N and M = S, I, R, L, N, we say that a relation Nonmask S S is nonmasking for sub-labeling L 0 L and L 0 L iff: (A) s 1 I ( s 2 I : s 1 Nonmask s 2 ) and s 2 I ( s 1 I : s 1 Nonmask s 2 ). (B) for all s 1 Nonmask s 2 the following holds: (1) L 0 (s 1 ) = L 0(s 2 ). (2) if s 1 P ost N (s 1 ), then there exists s 2 P ost N (s 2 ) with s 1 Nonmask s 2. (3) if s 2 P ost N (s 2 ), then there exists s 1 P ost N (s 1 ) with s 1 Nonmask s 2. (4) if s 2 P ost F (s 2 ), then there exists s 1 P ost N (s 1 ) with s 1 Nonmask or s 2, (5) if s 2 P ost F (s 2 ) with s 1 Nonmask s 2 for all s 1 P ost N (s 1 ), then there exists a finite path fragment s 2 s 2 s 2 such that either: s 1 Nonmask s 2 for some s 1 P ost N (s 1 ), or s 1 Nonmask s 2. Conditions A, B.1, B.2, B.3, B.4 are similar to the conditions of Definition 2 of masking fault-tolerance. Condition B.5 asserts that, in the case that for each outgoing faulty transition s 2 s 2 where all normal successors of s 1 are not in a nonmasking relation with s 2, then there exists a path fragment that leads from s 2 to s 2 such that s 1 Nonmask s 2 for some normal successor state s 1 of s 1, or s 2 is nonmasking fault-tolerant for s 1. In this case we say that state s 2 is nonmasking tolerant for s 1, denoted by s 1 Nonmask s 2. In addition, we say that M is nonmasking fault-tolerant w.r.t. M iff s 0 Nonmask s 0 (where s 0 and s 0 are the corresponding initial states) for some nonmasking fault-tolerance Nonmask ; this fact is indicated by M Nonmask M. At first sight this kind of simulation seems similar to the notion of weak bisimulation used in process algebra [12], where silent steps are taken into account; however, note that faults may produce observable changes, whereas silent steps produce not observable (i.e. internal) changes. Let us present an example of nonmasking tolerance. Example 2. For the memory cell introduced in example 1, consider now the colored Kripke structures M (left) and M (right) depicted in figure 3. In this case, M expresses the same behavior that M does, but now we consider that two faults may occur: a bit changes its value from 1 to 0 and after that another bit may change its value too (i.e., two errors may occur consecutively). The relation R 2 = {(s 0, t 0 ), (s 1, t 1 ), (s 0, t 2 )}

12 12 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre is nonmasking tolerant for (M, M ) and the sub-labelings L 0 and L 0 obtained by restricting L and L to propositions m and w, respectively. Let us check the required conditions of Definition 3 for each pair of R 2 : Fig. 3. Two nonmasking fault-tolerance colored Kripke structures. (s 0, t 0 ) satisfies conditions B.1, B.2 and B.3. Finally, condition B.4 is satisfied because the faulty transition t 0 t 2 is nonmasking in relation to the normal transition s 0 s 0 with (s 0, t 2 ) R 2. (s 0, t 2 ) satisfies conditions B.1, B.2, and B.3. Finally, condition B.5 is satisfied since we have that t 3 is not nonmasking w.r.t. any successor of s 0, i.e. s 0 Nonmask t 3 and s 1 Nonmask t 3 ; and there exists a finite path fragment t 2 t 3 t 0 with (s 0, t 0 ) R 2. Moreover, there exists another finite path fragment t 2 t 3 t 1 with (s 1, t 1 ) R 2. (s 1, t 1 ) satisfies conditions B.1, B.2 and B.3. Note that for each pair described above, conditions B.1, B.2, and B.3 are satisfied by similar arguments used in the previous example shown above. We can extend nonmasking on path in the similar way that in Lemma 1. Lemma 2. (Nonmasking fault-tolerance on paths) Suppose we are given two colored Kripke structures M and M and a nonmasking fault-tolerance Nonmask for (M, M ) and s 1 Nonmask s 2. Then for each path fragment σ 2 = s 0,2 s 1,2 s 2,2 s 3,2... starting in s 0,2 = s 2 there exists a normative path fragment σ 1 = s 0,1 s 1,1 s 2,1 s 3,1... from state s 0,1 = s 1 such that s j,1 Nonmask s j,2 for all j. Let us investigate the properties of our definition of nonmasking. An obvious property is the following one: if we have a nonmasking fault-tolerance relation between s 1 and s 2 and for every state of normal paths starting in s 1, ϕ holds in the absence of faults, then eventually in fair executions we return to the ideal behavior in all possible futures in the presence of faults, in paths starting in s 2. The fairness assumption is the same imposed on the theorem 3.1.

13 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 13 Theorem 2. If s 1 Nonmask s 2 for sub-labelings L 0 and L 0 obtained by restricting AP to AP, then M, s 1 f ϕ N M, s 2 f AFAG(ϕ) 5, where all the propositional variables of ϕ are in AP. Proof. We proceed by induction over the structure of the formula ϕ. Base case: ϕ = p. From s 1 Nonmask s 2 it follows by condition (B.1) for nonmasking fault-tolerance that s 1 and s 2 have the same valuation. Thus, M, s 1 f p N M, s 2 f p, where (p i ) N = p i by definition 1. Inductive case: Case 1: ϕ = ψ. Suppose M, s 1 f ( ψ) N and M, s 2 f ψ; the latter is equivalent to M, s 2 f ψ M, s 2 f ψ. But note by induction hypothesis and lemma 2, M, s 1 f ψ N holds, which contradicts our assumption. Then, M, s 1 f ( ψ) N M, s 2 f ψ. In fact, holds for M, s 2 f AFAG( ψ). Similar for ϕ = ψ 1 ψ 2. Case 2: ϕ = A(ψ 1 U ψ 2 ). Suppose that M, s 1 f (A(ψ 1 U ψ 2 )) N and M, s 2 f AFAG(A(ψ 1 U ψ 2 )), the latter is equivalent to M, s 2 f E (ψ 1 U ψ 2 ). Intuitively, it means that for some paths starting in s 2 either ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid or ψ 1 always holds but never ψ 2. Formally, in the first case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 2, and for every 0 l < k < j, it holds that M, σ 2 [l] = ψ 1 and M, σ 2 [k] = ψ 1. In the second case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 1 ψ 2. Furthermore, we have that s 1 Nonmask s 2, then, by lemma 2, for each path fragment starting in s 2 there exists a normative path fragment σ 1 such that σ 1 [0] = s 1 of the same length which is statewise related to σ 2, i.e., for the second case for each path fragment σ 2 such that M, σ 2 [j] = ψ 1 ψ 2 with j 0, there exists a normative path fragment with σ 1 [0] = s 1 such that M, σ 1 [j] = ψ 1 ψ 2. Similar for the first case. This yields a contradiction because contradicts the assumption that M, s 1 f (A(ψ 1 U ψ 2 )) N M, s 1 f O((ψ 1 ) N U (ψ 2 ) N ), i.e, for all normal paths σ 1 such that σ 1 [0] = s 1, there exists a j 0 such that M, σ 1 [j] = ψ 2, and for every 0 k < j, M, σ 1 [k] = ψ 1. Case 3: ϕ = E(ψ 1 U ψ 2 ). Similar to the proof for case 2. Case 4: ϕ = E(ψ 1 W ψ 2 ). Suppose that M, s 1 f (E(ψ 1 W ψ 2 )) N and M, s 2 f AFAG(E(ψ 1 W ψ 2 )), the latter is equivalent to M, s 2 f A (ψ 1 W ψ 2 ) M, s 2 f A ((ψ 1 ψ 2 ) U ( ψ 1 ψ 2 )). Intuitively, it means that for all paths starting in s 2 ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid. In addition, we have that s 1 Nonmask s 2, then, by lemma 2, for each path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that 5 We assume that a subsequent execution of M from these states eventually reaches a state from where the desired correctness properties of M are satisfied.

14 14 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre M, σ 2 [j] = ( ψ 1 ψ 2 ), and for every 0 k < j, M, σ 2 [k] = (ψ 1 ψ 2 ), there exists a normative path fragment from state s 1 of the same length which is statewise related to σ 2. This yields a contradiction because contradicts the assumption that M, s 1 f (E(ψ 1 W ψ 2 )) N M, s 1 f P((ψ 1 ) N W (ψ 2 ) N ), i.e, for some normal paths either there exists j 0 such that M, σ[j] f ψ 2 and for every 0 k < j it holds that M, σ[j] f ψ 1, or for every j 0 we have that M, σ[j] f ψ 1. The proof is similar for case ϕ = A(ψ 1 W ψ 2 ). Case 5: ϕ = O(ψ 1 U ψ 2 ). Suppose that M, s 1 f (O((ψ 1 U ψ 2 ))) N and M, s 2 f AFAG(O((ψ 1 ) N U (ψ 2 ) N )). Intuitively, it means that (ψ 1 ) N U (ψ 2 ) N does not hold for all normative paths starting in s 2. But not that by lemma 2, we can construct a matching execution from s 1 of the same length which is statewise related to the path in which (ψ 1 ) N U (ψ 2 ) N does not hold. However, this yields a contradiction because contradicts the assumption that for all normative path starting in s 1, (O((ψ 1 U ψ 2 ))) N holds. Hence, we can conclude M, s 1 f (O(ψ 1 U ψ 2 )) N M, s 2 f AFAG(O((ψ 1 ) N U (ψ 2 ) N )). The proof for cases ϕ = P(ψ 1 U ψ 2 ), ϕ = O(ψ 1 W ψ 2 ), ϕ = O(ψ 1 W ψ 2 ) are similar to proof of case Failsafe Fault-tolerance Finally, we present a characterization of failsafe fault-tolerance. Failsafe faulttolerance ensures that the system will stay in a safe state; this means that the safety invariants (regarding normative states) are preserved, but liveness conditions may not be. Definition 4. (Failsafe fault-tolerance) Given two colored Kripke structures M = S, I, R, L, N and M = S, I, R, L, N, we say that a relation F ailsafe S S is failsafe for sub-labelings L 0 L and L 0 L iff: (A) s 1 I ( s 2 I : s 1 F ailsafe s 2 ) and s 2 I ( s 1 I : s 1 F ailsafe s 2 ). (B) for all s 1 F ailsafe s 2 the following holds: (1) L 0 (s 1 ) = L 0(s 2 ). (2) if s 1 P ost N (s 1 ), then there exists s 2 P ost N (s 2 ) with s 1 F ailsafe s 2. (3) if s 2 P ost N (s 2 ), then there exists s 1 P ost N (s 1 ) with s 1 F ailsafe s 2. (4) if s 2 P ost F (s 2 ), then either there exists s 1 P ost N (s 1 ) with L 0 (s 1) = L 0(s 2) or L 0 (s 1 ) = L 0(s 2). Conditions A, B.1, B.2, and B.3 are similar to the conditions of Definition 2 of masking fault-tolerance. Condition B.4 states that every outgoing faulty transition from s 2 either must be matched by an outgoing normal transition from s 1, requiring that states s 1 and s 2 are labeled with the same propositions, or s 2 is failsafe fault-tolerant for s 1. We say that state s 2 is failsafe fault-tolerant for s 1, denoted s 1 F ailsafe s 2. Moreover, we say that M is failsafe fault-tolerant for M iff s 0 F ailsafe s 0

15 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 15 (where s 0 and s 0 are the corresponding initial states) for some failsafe relation F ailsafe ; we denote this situation by M F ailsafe M. We present a simple example to illustrate this notion. Example 3. Consider the colored Kripke structures M (left) and M (right) depicted in Figure 4. M contains only normal transitions describing the expected ideal behavior. On the other hand, M expresses the same behavior that M does but it considers the occurrence of one fault. The relation R 3 = {(s 0, t 0 ), (s 1, t 1 )} is a failsafe fault-tolerance relation for (M, M ) and the sub-labelings that we obtain by restricting L and L to propositions m and w. Now, we show that each pair of R 3 satisfies the Definition 4: Fig. 4. Two failsafe fault-tolerance colored Kripke structures. (s 0, t 0 ) satisfies conditions B.1, B.2, and B.3. Finally, condition B.4 is satisfied because the faulty transition t 0 t 2 is failsafe in relation to the normal transition s 0 s 0 with L(s 0 ) = L (t 2 ). (s 1, t 1 ) satisfies conditions B.1, B.2, and B.3. Note that for each pair described above, conditions B.1, B.2, and B.3 are satisfied by arguments identical to those used in example 1. Now, we extend the definition of failsafe fault-tolerance to paths. Lemma 3. (Failsafe fault-tolerance on paths) Suppose we are given two colored Kripke structures M and M and a failsafe fault-tolerance F ailsafe for (M, M ) and s 1 F ailsafe s 2. Then for each path fragment σ 2 = s 0,2 s 1,2 s 2,2 s 3,2... starting in s 0,2 = s 2 there exists a normative path fragment σ 1 = s 0,1 s 1,1 s 2,1 s 3,1... from state s 0,1 = s 1 of the same length such that s j,1 F ailsafe s j,2 for all j.

16 16 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre Proof. The proof is similar to Lemma 1. The following theorem states that our definition of failsafe fault-tolerance preserves safety properties. Theorem 3. If s 1 F ailsafe s 2 for sublabelings L 0 and L 0 obtained by restricting AP to AP, and ϕ is a safety property, then M, s 1 ϕ N M, s 2 ϕ, where all the propositional variables of ϕ are in AP. Proof. We proceed by induction over the structure of the formula ϕ. Base case: ϕ = p. M, s 1 p N iff p L(s 1 ) (where (p i ) N = p i by definition 1), the latter is equivalent to p L(s 2 ) by condition (B.1) of definition 4 of failsafe fault-tolerance where s 1 and s 2 have the same valuation. Thus, M, s 2 p iff p L(s 2 ). Inductive case: Case 1: ϕ = ψ. Suppose M, s 1 ( ψ) N and M, s 2 f ψ; the latter is equivalent to M, s 2 ψ M, s 2 ψ. But note by induction hypothesis and lemma 3, M, s 1 ψ N holds, which contradicts our assumption. Then, M, s 1 ( ψ) N M, s 2 ψ. Similar for ϕ = ψ 1 ψ 2. Case 2: ϕ = A(ψ 1 U ψ 2 ). Suppose that M, s 1 (A(ψ 1 U ψ 2 )) N and M, s 2 f A(ψ 1 U ψ 2 )), the latter is equivalent to M, s 2 E (ψ 1 U ψ 2 ). Intuitively, it means that for some paths starting in s 2 either ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid or ψ 1 always holds but never ψ 2. Formally, in the first case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 2, and for every 0 l < k < j, it holds that M, σ 2 [l] = ψ 1 and M, σ 2 [k] = ψ 1. In the second case, for some path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ψ 1 ψ 2. Furthermore, we have that s 1 F ailsafe s 2, then, by lemma 3, for each path fragment starting in s 2 there exists a normative path fragment σ 1 such that σ 1 [0] = s 1 of the same length which is statewise related to σ 2, i.e., for the second case for each path fragment σ 2 such that M, σ 2 [j] = ψ 1 ψ 2 with j 0, there exists a normative path fragment with σ 1 [0] = s 1 such that M, σ 1 [j] = ψ 1 ψ 2. Similar for the first case. This yields a contradiction because contradicts the assumption that M, s 1 (A(ψ 1 U ψ 2 )) N M, s 1 O((ψ 1 ) N U (ψ 2 ) N ), i.e, for all normal paths σ 1 such that σ 1 [0] = s 1, there exists a j 0 such that M, σ 1 [j] = ψ 2, and for every 0 k < j, M, σ 1 [k] = ψ 1. Case 3: ϕ = E(ψ 1 U ψ 2 ). Similar to the proof for case 2. Case 4: ϕ = E(ψ 1 W ψ 2 ). Suppose that M, s 1 (E(ψ 1 W ψ 2 )) N and M, s 2 f E(ψ 1 W ψ 2 )), the latter is equivalent to M, s 2 A (ψ 1 W ψ 2 ) M, s 2 A ((ψ 1 ψ 2 ) U ( ψ 1 ψ 2 )). Intuitively, it means that for all paths starting in s 2 ψ 1 stops to hold too early, i.e., before ψ 2 becomes valid.

17 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 17 In addition, we have that s 1 F ailsafe s 2, then, by lemma 3, for each path fragment σ 2 such that σ 2 [0] = s 2, there exists a j 0 such that M, σ 2 [j] = ( ψ 1 ψ 2 ), and for every 0 k < j, M, σ 2 [k] = (ψ 1 ψ 2 ), there exists a normative path fragment from state s 1 of the same length which is statewise related to σ 2. This yields a contradiction because contradicts the assumption that M, s 1 (E(ψ 1 W ψ 2 )) N M, s 1 P((ψ 1 ) N W (ψ 2 ) N ), i.e, for some normal paths either there exists j 0 such that M, σ[j] ψ 2 and for every 0 k < j it holds that M, σ[j] ψ 1, or for every j 0 we have that M, σ[j] ψ 1. The proof is similar for case ϕ = A(ψ 1 W ψ 2 ). Case 5: ϕ = O(ψ 1 U ψ 2 ). Suppose that M, s 1 (O(ψ 1 U ψ 2 )) N and M, s 2 f O((ψ 1 ) N U (ψ 2 ) N ). Intuitively, it means that (ψ 1 ) N U (ψ 2 ) N does not hold for all normative paths starting in s 2. But not that by lemma 3, we can construct a matching execution from s 1 of the same length which is statewise related to the path in which (ψ 1 ) N U (ψ 2 ) N does not hold. However, this yields a contradiction because contradicts the assumption that for all normative path starting in s 1, (O(ψ 1 U ψ 2 )) N holds. Hence, we can conclude M, s 1 (O(ψ 1 U ψ 2 )) N M, s 2 O((ψ 1 ) N U (ψ 2 ) N ). The proof for cases ϕ = P(ψ 1 U ψ 2 ), ϕ = O(ψ 1 W ψ 2 ), ϕ = O(ψ 1 W ψ 2 ) are similar to proof of case 2. Roughly speaking, this property says that if we have a failsafe relation between s 1 and s 2 and for every state in normal paths starting in s 1, ϕ holds in the absence of faults, then ϕ is always true even in the presence of faults in paths starting in s 2. It is worth investigating the relational properties of the relations defined above, this is done in the following theorem: Lemma 4. Given relations Mask, Nonmask and F ailsafe, we have the following properties: Mask, Nonmask, F ailsafe are transitive, If M does not have faults, then: M M M M, where { Mask, Nonmask, F ailsafe } Mask, Nonmask and F ailsafe are not necessarily reflexive. Proof. Nonreflexivity: if Mask is reflexive, then for any colored Kripke structure with state space S, the identity relation R = {(s, s) s S} is masking fault-tolerance for (M, M). Although, we show that Mask is not reflexive via the following counterexample: given the colored Kripke structure M with state space S = {s 0, s 1 } depicted in figure 5, its identity relation R = {(s 0, s 0 ), (s 1, s 1 )} is not masking fault-tolerance because the pair (s 0, s 0 ) does not satisfy condition (B.4) of definition 2: for s 1 P ost F (s 0 ) there does not exist a normal successor from s 0 with s 1 Mask s 1. Symmetry: Assume R a masking fault-tolerance for two colored Kripke structures M and M. Consider R 1 = {(s 2, s 1 ) (s 1, s 2 ) R}

18 18 R. Demasi, P.F. Castro, T.S.E. Maibaum, N. Aguirre Fig. 5. Counterexample for nonreflexivity of Mask, F ailsafe and Nonmask. that is obtained by swapping the states in any pair in R. Clearly, relation R 1 satisfies conditions (A) and (B.1). Conditions (B.2) and (B.3) also holds in R 1 by symmetry of (B.2) and (B.3). Finally, condition (B.4) is satisfied due to we do not take in account the faulty transitions in the left colored kripke structures of the pair (M, M ). Hence, R 1 is masking fault-tolerance for (M, M). Transitivity Let R 1,2 and R 2,3 be masking fault-tolerance for (M 1, M 2 ) and (M 2, M 3 ), respectively. The relation R 1,3 = R 1,2 R 2,3, given by R 1,3 = {(s 1, s 3 ) s 2 S 2 : (s 1, s 2 ) R 1,2 (s 2, s 3 ) R 2,3 } is a masking fault-tolerance for (M 1, M 3 ) where S 2 denotes the set of states in M 2. This can be proven by checking all conditions of definition 2 for a masking fault-tolerance. (A) Consider the initial state s 1 of M 1. Since R 1,2 is a masking fault-tolerance, there is an initial state s 2 of M 2 with (s 1, s 2 ) R 1,2. As R 2,3 is a masking fault-tolerance, there is an initial state s 3 of M 3 with (s 2, s 3 ) R 2,3. Thus, (s 1, s 3 ) R 1,3. In the same way we can check that for any initial state s 3 of M 3, there is an initial state s 1 of M 1 with (s 1, s 3 ) R 1,3. (B.1) By definition of R 1,3, there is a state s 2 in M 2 with (s 1, s 2 ) R 1,2 and (s 2, s 3 ) R 2,3. Then, L 1 (s 1 ) = L 2 (s 2 ) = L 3 (s 3 ). (B.2) Assume (s 1, s 3 ) R 1,3. As (s 1, s 2 ) R 1,2, it follows that if s 1 P ost N (s 1 ) then (s 1, s 2) R 1,2 for some s 2 P ost N (s 2 ). Since (s 2, s 3 ) R 2,3, we have (s 2, s 3) R 2,3 for some s 3 P ost N (s 3 ). Hence, (s 1, s 3 ) R 1,3 (B.3) Similar to the proof for (B.2). (B.4) Assume (s 1, s 3 ) R 1,3. As (s 1, s 2 ) R 1,2, it follows that if s 2 P ost F (s 2 ) then (s 1, s 2) R 1,2 for some s 1 P ost N (s 1 ). Since (s 2, s 3 ) R 2,3, we have (s 2, s 3) R 2,3 for some s 3 P ost F (s 3 ) and s 2 P ost N (s 2 ). Moreover, for s 2 s 2 by condition (B.3) there exists s 1 P ost N (s 1 ) with (s 1, s 2) R 1,2. Thus, we have that there exists s 2 such that (s 1, s 2) R 1,2 and (s 2, s 3) R 2,3. Then, for s 3 P ost F (s 3 ) there exists s 1 P ost N (s 1 ) with (s 1, s 3) R 1,3. The proofs for simmetry and transitive for nonmasking and failsafe are similiar to the the one presented above. Also, we have inclusions between these kinds of relations, for example, any masking fault-tolerant system is also fail-safe, this is stated in the following theorem.

19 Characterizing Fault-Tolerant Systems by Means of Simulation Relations 19 Theorem 4. Let Mask, NMask and FSafe be the sets of masking, nonmasking and failsafe relations between two Kripke structures M and M, then we have: Mask FSafe and Mask NMask Proof Sketch: The proof is simple exploring the definitions of masking, nonmasking, and failsafe fault-tolerance. The three of them share the same conditions about the normative behaviors, this means that conditions A, B.1, B.2, and B.3 are stated in each one of the definitions. Thus, considering the ideal behavior the theorem works. In the presence of faults, on masking fault-tolerance both safety and liveness properties are satisfied, this is the most restricted one compared with failsafe (only safety is guaranteed) and nonmasking (liveness is respected but safety is eventually satisfied). At the first sight, if we have a masking tolerance then it is clear that it is also failsafe and nonmasking. Let check our definitions to be sure that these work correctly. Condition B.4 of Definition 2 is included in Definition 3 of nonmasking tolerance over condition B.4 and part of B.5 respectively. Finally, condition B.4 is included in Definition 4 of failsafe tolerance over condition B.4: if s 2 P ost F (s 2 ), then either there exists s 1 P ost N (s 1 ) with L 0 (s 1) = L 0(s 2) or L 0 (s 1 ) = L 0(s 2), where we only require that for the both cases states s 1 (s 1 ) and s 2 are equally labeled with the same propositions, we do not require that these states are in the relation. Thus, we focus in guarantee the safety properties on failsafe. It is clear to observe that on the definition of masking tolerance, requiring that s 1 Mask s 2 or s 1 Mask s 2, we are evidently requiring that L 0 (s 1) = L 0(s 2) or L 0 (s 1 ) = L 0(s 2). 4 Checking Fault-Tolerance Properties Simulation and bisimulation relations are amenable to efficient treatment. For instance, in [7, 10] algorithms for calculating several simulation and bisimulation relations are described and proven to be polynomial with respect to the number of states and transitions of the corresponding models. We have adapted these algorithms to our setting and then we have obtained efficient procedures to prove masking, nonmasking and failsafe fault-tolerance. Such algorithms can be used to verify whether M M, where { Mask, Nonmask, F ailsafe }. In order to verify fault-tolerance properties, we take coloured Kripke structures M and M over AP, and combine them in a single coloured Kripke structure M M, which basically results from the disjoint union of state spaces. The standard bisimulation algorithms can be used for checking that the intended behaviour describe by the specification is bisimilar to the one exhibited by the fault-tolerant implementation (conditions B.2 and B.3 of masking, nonmasking, and failsafe).

Similar documents

The State Explosion Problem

The State Explosion Problem The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis

More information

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct. EE 244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016 Temporal logic Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016

More information

Model for reactive systems/software

Model for reactive systems/software Temporal Logics CS 5219 Abhik Roychoudhury National University of Singapore The big picture Software/ Sys. to be built (Dream) Properties to Satisfy (caution) Today s lecture System Model (Rough Idea)

More information

First-order resolution for CTL

First-order resolution for CTL First-order resolution for Lan Zhang, Ullrich Hustadt and Clare Dixon Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK {Lan.Zhang, U.Hustadt, CLDixon}@liverpool.ac.uk Abstract

More information

Chapter 4: Computation tree logic

Chapter 4: Computation tree logic INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification

More information

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Shengbing Jiang and Ratnesh Kumar Abstract The paper studies failure diagnosis of discrete event systems with

More information

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège Temporal logics and explicit-state model checking Pierre Wolper Université de Liège 1 Topics to be covered Introducing explicit-state model checking Finite automata on infinite words Temporal Logics and

More information

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Overview Temporal logic Non-probabilistic temporal logic CTL Probabilistic temporal

More information

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action

More information

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Computation Tree Logic (CTL) & Basic Model Checking Algorithms Computation Tree Logic (CTL) & Basic Model Checking Algorithms Martin Fränzle Carl von Ossietzky Universität Dpt. of Computing Science Res. Grp. Hybride Systeme Oldenburg, Germany 02917: CTL & Model Checking

More information

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms Wen-ling Huang and Jan Peleska University of Bremen {huang,jp}@cs.uni-bremen.de MBT-Paradigm Model Is a partial

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information

Model Theory of Modal Logic Lecture 4. Valentin Goranko Technical University of Denmark

Model Theory of Modal Logic Lecture 4. Valentin Goranko Technical University of Denmark Model Theory of Modal Logic Lecture 4 Valentin Goranko Technical University of Denmark Third Indian School on Logic and its Applications Hyderabad, January 28, 2010 Model Theory of Modal Logic Lecture

More information

Computation Tree Logic

Computation Tree Logic Computation Tree Logic Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: zheng@cse.usf.edu Phone: (813)974-4757 Fax: (813)974-5456 Hao Zheng (CSE,

More information

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure Outline Temporal Logic Ralf Huuck Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness Model Checking Problem model, program? M φ satisfies, Implements, refines property, specification

More information

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Stavros Tripakis Abstract We introduce problems of decentralized control with communication, where we explicitly

More information

Overview. overview / 357

Overview. overview / 357 Overview overview6.1 Introduction Modelling parallel systems Linear Time Properties Regular Properties Linear Temporal Logic (LTL) Computation Tree Logic syntax and semantics of CTL expressiveness of CTL

More information

From Liveness to Promptness

From Liveness to Promptness From Liveness to Promptness Orna Kupferman Hebrew University Nir Piterman EPFL Moshe Y. Vardi Rice University Abstract Liveness temporal properties state that something good eventually happens, e.g., every

More information

Chapter 6: Computation Tree Logic

Chapter 6: Computation Tree Logic Chapter 6: Computation Tree Logic Prof. Ali Movaghar Verification of Reactive Systems Outline We introduce Computation Tree Logic (CTL), a branching temporal logic for specifying system properties. A comparison

More information

Abstraction for Falsification

Abstraction for Falsification Abstraction for Falsification Thomas Ball 1, Orna Kupferman 2, and Greta Yorsh 3 1 Microsoft Research, Redmond, WA, USA. Email: tball@microsoft.com, URL: research.microsoft.com/ tball 2 Hebrew University,

More information

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Teknillisen korkeakoulun tietojenkäsittelyteorian laboratorion tutkimusraportti 66 Espoo 2000 HUT-TCS-A66

More information

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization Rob Schoren Abstract This document is mainly an extension of the work of Michel Reniers and Tim Willemse,

More information

Alan Bundy. Automated Reasoning LTL Model Checking

Alan Bundy. Automated Reasoning LTL Model Checking Automated Reasoning LTL Model Checking Alan Bundy Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures have

More information

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004

More information

A generalization of modal definability

A generalization of modal definability A generalization of modal definability Tin Perkov Polytechnic of Zagreb Abstract. Known results on global definability in basic modal logic are generalized in the following sense. A class of Kripke models

More information

Bisimulation for conditional modalities

Bisimulation for conditional modalities Bisimulation for conditional modalities Alexandru Baltag and Giovanni Ciná Institute for Logic, Language and Computation, University of Amsterdam March 21, 2016 Abstract We give a general definition of

More information

Computation Tree Logic (CTL)

Computation Tree Logic (CTL) Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University College, Bergen, Norway fazlr@student.matnat.uio.no, Fazle.Rabbi@hib.no May 30, 2015 Fazle Rabbi et al. (UiO,

More information

Verification Using Temporal Logic

Verification Using Temporal Logic CMSC 630 February 25, 2015 1 Verification Using Temporal Logic Sources: E.M. Clarke, O. Grumberg and D. Peled. Model Checking. MIT Press, Cambridge, 2000. E.A. Emerson. Temporal and Modal Logic. Chapter

More information

PSPACE-completeness of LTL/CTL model checking

PSPACE-completeness of LTL/CTL model checking PSPACE-completeness of LTL/CTL model checking Peter Lohmann April 10, 2007 Abstract This paper will give a proof for the PSPACE-completeness of LTLsatisfiability and for the PSPACE-completeness of the

More information

ESE601: Hybrid Systems. Introduction to verification

ESE601: Hybrid Systems. Introduction to verification ESE601: Hybrid Systems Introduction to verification Spring 2006 Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled. What is verification?

More information

An Introduction to Temporal Logics

An Introduction to Temporal Logics An Introduction to Temporal Logics c 2001,2004 M. Lawford Outline Motivation: Dining Philosophers Safety, Liveness, Fairness & Justice Kripke structures, LTS, SELTS, and Paths Linear Temporal Logic Branching

More information

Safety and Liveness Properties

Safety and Liveness Properties Safety and Liveness Properties Lecture #6 of Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling and Verification E-mail: katoen@cs.rwth-aachen.de November 5, 2008 c JPK Overview Lecture

More information

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Tableau-based decision procedures for the logics of subinterval structures over dense orderings Tableau-based decision procedures for the logics of subinterval structures over dense orderings Davide Bresolin 1, Valentin Goranko 2, Angelo Montanari 3, and Pietro Sala 3 1 Department of Computer Science,

More information

Model Checking Algorithms

Model Checking Algorithms Model Checking Algorithms Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan November 14, 2018 Bow-Yaw Wang (Academia Sinica) Model Checking Algorithms November 14, 2018 1 / 56 Outline

More information

T Reactive Systems: Temporal Logic LTL

T Reactive Systems: Temporal Logic LTL Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005 Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most

More information

Chapter 3: Linear temporal logic

Chapter 3: Linear temporal logic INFOF412 Formal verification of computer systems Chapter 3: Linear temporal logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 LTL: a specification

More information

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

CDS 270 (Fall 09) - Lecture Notes for Assignment 8. CDS 270 (Fall 09) - Lecture Notes for Assignment 8. ecause this part of the course has no slides or textbook, we will provide lecture supplements that include, hopefully, enough discussion to complete

More information

Modal and Temporal Logics

Modal and Temporal Logics Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003 Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics

More information

Chapter 5: Linear Temporal Logic

Chapter 5: Linear Temporal Logic Chapter 5: Linear Temporal Logic Prof. Ali Movaghar Verification of Reactive Systems Spring 94 Outline We introduce linear temporal logic (LTL), a logical formalism that is suited for specifying LT properties.

More information

Model Checking: An Introduction

Model Checking: An Introduction Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations

More information

Model Checking. Boris Feigin March 9, University College London

Model Checking. Boris Feigin March 9, University College London b.feigin@cs.ucl.ac.uk University College London March 9, 2005 Outline 1 2 Techniques Symbolic 3 Software 4 Vs. Deductive Verification Summary Further Reading In a nutshell... Model checking is a collection

More information

Expressive Power, Mood, and Actuality

Expressive Power, Mood, and Actuality Expressive Power, Mood, and Actuality Rohan French Abstract In Wehmeier (2004) we are presented with the subjunctive modal language, a way of dealing with the expressive inadequacy of modal logic by marking

More information

On simulations and bisimulations of general flow systems

On simulations and bisimulations of general flow systems On simulations and bisimulations of general flow systems Jen Davoren Department of Electrical & Electronic Engineering The University of Melbourne, AUSTRALIA and Paulo Tabuada Department of Electrical

More information

Timo Latvala. February 4, 2004

Timo Latvala. February 4, 2004 Reactive Systems: Temporal Logic LT L Timo Latvala February 4, 2004 Reactive Systems: Temporal Logic LT L 8-1 Temporal Logics Temporal logics are currently the most widely used specification formalism

More information

arxiv:math/ v1 [math.lo] 5 Mar 2007

arxiv:math/ v1 [math.lo] 5 Mar 2007 Topological Semantics and Decidability Dmitry Sustretov arxiv:math/0703106v1 [math.lo] 5 Mar 2007 March 6, 2008 Abstract It is well-known that the basic modal logic of all topological spaces is S4. However,

More information

Chapter 3 Deterministic planning

Chapter 3 Deterministic planning Chapter 3 Deterministic planning In this chapter we describe a number of algorithms for solving the historically most important and most basic type of planning problem. Two rather strong simplifying assumptions

More information

Automata-Theoretic LTL Model-Checking

Automata-Theoretic LTL Model-Checking Automata-Theoretic LTL Model-Checking Arie Gurfinkel arie@cmu.edu SEI/CMU Automata-Theoretic LTL Model-Checking p.1 LTL - Linear Time Logic (Pn 77) Determines Patterns on Infinite Traces Atomic Propositions

More information

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC Alessandro Artale (FM First Semester 2007/2008) p. 1/39 FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC Alessandro Artale Faculty of Computer Science Free University of Bolzano artale@inf.unibz.it http://www.inf.unibz.it/

More information

A logical framework to deal with variability

A logical framework to deal with variability A logical framework to deal with variability (research in progress) M.H. ter Beek joint work with P. Asirelli, A. Fantechi and S. Gnesi ISTI CNR Università di Firenze XXL project meeting Pisa, 21 June

More information

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future... Models Lecture 25: Model Checking CSCI 81 Spring, 2012 Kim Bruce Meanings with respect to model and path through future... M = (S,, L) is a transition system if S is a set of states is a transition relation

More information

Automata-Theoretic Model Checking of Reactive Systems

Automata-Theoretic Model Checking of Reactive Systems Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,

More information

Tutorial on Mathematical Induction

Tutorial on Mathematical Induction Tutorial on Mathematical Induction Roy Overbeek VU University Amsterdam Department of Computer Science r.overbeek@student.vu.nl April 22, 2014 1 Dominoes: from case-by-case to induction Suppose that you

More information

Timo Latvala. March 7, 2004

Timo Latvala. March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness Timo Latvala March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness 14-1 Safety Safety properties are a very useful subclass of specifications.

More information

Lecture 16: Computation Tree Logic (CTL)

Lecture 16: Computation Tree Logic (CTL) Lecture 16: Computation Tree Logic (CTL) 1 Programme for the upcoming lectures Introducing CTL Basic Algorithms for CTL CTL and Fairness; computing strongly connected components Basic Decision Diagrams

More information

Diagnosis of Repeated/Intermittent Failures in Discrete Event Systems

Diagnosis of Repeated/Intermittent Failures in Discrete Event Systems Diagnosis of Repeated/Intermittent Failures in Discrete Event Systems Shengbing Jiang, Ratnesh Kumar, and Humberto E. Garcia Abstract We introduce the notion of repeated failure diagnosability for diagnosing

More information

C. Modal Propositional Logic (MPL)

C. Modal Propositional Logic (MPL) C. Modal Propositional Logic (MPL) Let s return to a bivalent setting. In this section, we ll take it for granted that PL gets the semantics and logic of and Ñ correct, and consider an extension of PL.

More information

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems 540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL 1998 Algorithmic Analysis of Nonlinear Hybrid Systems Thomas A. Henzinger, Pei-Hsin Ho, Howard Wong-Toi Abstract Hybrid systems are digital

More information

Syntax and Semantics of Propositional Linear Temporal Logic

Syntax and Semantics of Propositional Linear Temporal Logic Syntax and Semantics of Propositional Linear Temporal Logic 1 Defining Logics L, M, = L - the language of the logic M - a class of models = - satisfaction relation M M, ϕ L: M = ϕ is read as M satisfies

More information

Monodic fragments of first-order temporal logics

Monodic fragments of first-order temporal logics Outline of talk Most propositional temporal logics are decidable. But the decision problem in predicate (first-order) temporal logics has seemed near-hopeless. Monodic fragments of first-order temporal

More information

Computation Tree Logic

Computation Tree Logic Computation Tree Logic Computation tree logic (CTL) is a branching-time logic that includes the propositional connectives as well as temporal connectives AX, EX, AU, EU, AG, EG, AF, and EF. The syntax

More information

7 RC Simulates RA. Lemma: For every RA expression E(A 1... A k ) there exists a DRC formula F with F V (F ) = {A 1,..., A k } and

7 RC Simulates RA. Lemma: For every RA expression E(A 1... A k ) there exists a DRC formula F with F V (F ) = {A 1,..., A k } and 7 RC Simulates RA. We now show that DRC (and hence TRC) is at least as expressive as RA. That is, given an RA expression E that mentions at most C, there is an equivalent DRC expression E that mentions

More information

Model Checking Propositional Deontic Temporal Logic via a µ-calculus Characterization

Model Checking Propositional Deontic Temporal Logic via a µ-calculus Characterization Model Checking Propositional Deontic Temporal Logic via a µ-calculus Characterization Araceli Acosta 1, Cecilia Kilmurray 2, Pablo F. Castro 2,3, and Nazareno M. Aguirre 2,3 1 Facultad de Matemática, Astronomía

More information

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052

More information

Linear Temporal Logic and Büchi Automata

Linear Temporal Logic and Büchi Automata Linear Temporal Logic and Büchi Automata Yih-Kuen Tsay Department of Information Management National Taiwan University FLOLAC 2009 Yih-Kuen Tsay (SVVRL @ IM.NTU) Linear Temporal Logic and Büchi Automata

More information

Algebraizing Hybrid Logic. Evangelos Tzanis University of Amsterdam Institute of Logic, Language and Computation

Algebraizing Hybrid Logic. Evangelos Tzanis University of Amsterdam Institute of Logic, Language and Computation Algebraizing Hybrid Logic Evangelos Tzanis University of Amsterdam Institute of Logic, Language and Computation etzanis@science.uva.nl May 1, 2005 2 Contents 1 Introduction 5 1.1 A guide to this thesis..........................

More information

Notes on Modal Logic

Notes on Modal Logic Notes on Modal Logic Notes for PHIL370 Eric Pacuit October 22, 2012 These short notes are intended to introduce some of the basic concepts of Modal Logic. The primary goal is to provide students in Philosophy

More information

Finite-State Model Checking

Finite-State Model Checking EECS 219C: Computer-Aided Verification Intro. to Model Checking: Models and Properties Sanjit A. Seshia EECS, UC Berkeley Finite-State Model Checking G(p X q) Temporal logic q p FSM Model Checker Yes,

More information

Notes on Modal Logic

Notes on Modal Logic Notes on Modal Logic Notes for Philosophy 151 Eric Pacuit January 25, 2009 These short notes are intended to supplement the lectures and text ntroduce some of the basic concepts of Modal Logic. The primary

More information

Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Today s class will be an introduction

More information

Automata-based Verification - III

Automata-based Verification - III COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata

More information

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL) Alessandro Artale (FM First Semester 2007/2008) p. 1/37 FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL) Alessandro Artale Faculty of Computer Science Free University of Bolzano artale@inf.unibz.it

More information

A Canonical Contraction for Safe Petri Nets

A Canonical Contraction for Safe Petri Nets A Canonical Contraction for Safe Petri Nets Thomas Chatain and Stefan Haar INRIA & LSV (CNRS & ENS Cachan) 6, avenue du Président Wilson 935 CACHAN Cedex, France {chatain, haar}@lsvens-cachanfr Abstract

More information

Reasoning about Strategies: From module checking to strategy logic

Reasoning about Strategies: From module checking to strategy logic Reasoning about Strategies: From module checking to strategy logic based on joint works with Fabio Mogavero, Giuseppe Perelli, Luigi Sauro, and Moshe Y. Vardi Luxembourg September 23, 2013 Reasoning about

More information

Testing with model checkers: A survey

Testing with model checkers: A survey COMPETENCE NETWORK SOFTNET AUSTRIA Testing with model checkers: A survey SNA-TR-2007-P2-04 Gordon Fraser, Franz Wotawa, Paul E. Ammann SNA TECHNICAL REPORT NOVEMBER 2007 Competence Network Softnet Austria,

More information

Topics in Verification AZADEH FARZAN FALL 2017

Topics in Verification AZADEH FARZAN FALL 2017 Topics in Verification AZADEH FARZAN FALL 2017 Last time LTL Syntax ϕ ::= true a ϕ 1 ϕ 2 ϕ ϕ ϕ 1 U ϕ 2 a AP. ϕ def = trueu ϕ ϕ def = ϕ g intuitive meaning of and is obt Limitations of LTL pay pay τ τ soda

More information

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for? Computer Engineering and Networks Overview Discrete Event Systems Verification of Finite Automata Lothar Thiele Introduction Binary Decision Diagrams Representation of Boolean Functions Comparing two circuits

More information

Notes. Corneliu Popeea. May 3, 2013

Notes. Corneliu Popeea. May 3, 2013 Notes Corneliu Popeea May 3, 2013 1 Propositional logic Syntax We rely on a set of atomic propositions, AP, containing atoms like p, q. A propositional logic formula φ Formula is then defined by the following

More information

Computation Tree Logic

Computation Tree Logic Chapter 6 Computation Tree Logic Pnueli [88] has introduced linear temporal logic to the computer science community for the specification and verification of reactive systems. In Chapter 3 we have treated

More information

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS TKK Reports in Information and Computer Science Espoo 2008 TKK-ICS-R3 MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS Jussi Lahtinen ABTEKNILLINEN KORKEAKOULU TEKNISKA HÖGSKOLAN HELSINKI UNIVERSITY OF

More information

CS632 Notes on Relational Query Languages I

CS632 Notes on Relational Query Languages I CS632 Notes on Relational Query Languages I A. Demers 6 Feb 2003 1 Introduction Here we define relations, and introduce our notational conventions, which are taken almost directly from [AD93]. We begin

More information

Revising UNITY Programs: Possibilities and Limitations 1

Revising UNITY Programs: Possibilities and Limitations 1 Revising UNITY Programs: Possibilities and Limitations 1 Ali Ebnenasir, Sandeep S. Kulkarni, and Borzoo Bonakdarpour Software Engineering and Network Systems Laboratory Department of Computer Science and

More information

LTL is Closed Under Topological Closure

LTL is Closed Under Topological Closure LTL is Closed Under Topological Closure Grgur Petric Maretić, Mohammad Torabi Dashti, David Basin Department of Computer Science, ETH Universitätstrasse 6 Zürich, Switzerland Abstract We constructively

More information

Nonmonotonic Reasoning in Description Logic by Tableaux Algorithm with Blocking

Nonmonotonic Reasoning in Description Logic by Tableaux Algorithm with Blocking Nonmonotonic Reasoning in Description Logic by Tableaux Algorithm with Blocking Jaromír Malenko and Petr Štěpánek Charles University, Malostranske namesti 25, 11800 Prague, Czech Republic, Jaromir.Malenko@mff.cuni.cz,

More information

Lecture Notes on Software Model Checking

Lecture Notes on Software Model Checking 15-414: Bug Catching: Automated Program Verification Lecture Notes on Software Model Checking Matt Fredrikson André Platzer Carnegie Mellon University Lecture 19 1 Introduction So far we ve focused on

More information

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes These notes form a brief summary of what has been covered during the lectures. All the definitions must be memorized and understood. Statements

More information

Model Checking with CTL. Presented by Jason Simas

Model Checking with CTL. Presented by Jason Simas Model Checking with CTL Presented by Jason Simas Model Checking with CTL Based Upon: Logic in Computer Science. Huth and Ryan. 2000. (148-215) Model Checking. Clarke, Grumberg and Peled. 1999. (1-26) Content

More information

Context-free grammars and languages

Context-free grammars and languages Context-free grammars and languages The next class of languages we will study in the course is the class of context-free languages. They are defined by the notion of a context-free grammar, or a CFG for

More information

Abstractions and Decision Procedures for Effective Software Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture

More information

Trace Diagnostics using Temporal Implicants

Trace Diagnostics using Temporal Implicants Trace Diagnostics using Temporal Implicants ATVA 15 Thomas Ferrère 1 Dejan Nickovic 2 Oded Maler 1 1 VERIMAG, University of Grenoble / CNRS 2 Austrian Institute of Technology October 14, 2015 Motivation

More information

PSL Model Checking and Run-time Verification via Testers

PSL Model Checking and Run-time Verification via Testers PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University Introduction Motivation (Why PSL?) A new property specification language,

More information

Temporal Logic and Fair Discrete Systems

Temporal Logic and Fair Discrete Systems Temporal Logic and Fair Discrete Systems Nir Piterman and Amir Pnueli Abstract Temporal logic was used by philosophers to reason about the way the world changes over time. Its modern use in specification

More information

LTL and CTL. Lecture Notes by Dhananjay Raju

LTL and CTL. Lecture Notes by Dhananjay Raju LTL and CTL Lecture Notes by Dhananjay Raju draju@cs.utexas.edu 1 Linear Temporal Logic: LTL Temporal logics are a convenient way to formalise and verify properties of reactive systems. LTL is an infinite

More information

CTL-RP: A Computational Tree Logic Resolution Prover

CTL-RP: A Computational Tree Logic Resolution Prover 1 -RP: A Computational Tree Logic Resolution Prover Lan Zhang a,, Ullrich Hustadt a and Clare Dixon a a Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK E-mail: {Lan.Zhang,

More information

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN 1. Introduction These slides are for a talk based on the paper Model-Checking in Dense Real- Time, by Rajeev Alur, Costas Courcoubetis, and David Dill.

More information

Algorithmic verification

Algorithmic verification Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification

More information

A Game-Theoretic Approach to Simulation of Data-Parameterized Systems

A Game-Theoretic Approach to Simulation of Data-Parameterized Systems A Game-Theoretic Approach to Simulation of Data-Parameterized Systems Orna Grumberg 1, Orna Kupferman 2, and Sarai Sheinvald 2 1 Department of Computer Science, The Technion, Haifa 32000, Israel 2 School

More information

Syntax. Notation Throughout, and when not otherwise said, we assume a vocabulary V = C F P.

Syntax. Notation Throughout, and when not otherwise said, we assume a vocabulary V = C F P. First-Order Logic Syntax The alphabet of a first-order language is organised into the following categories. Logical connectives:,,,,, and. Auxiliary symbols:.,,, ( and ). Variables: we assume a countable

More information

Course Runtime Verification

Course Runtime Verification Course Martin Leucker (ISP) Volker Stolz (Høgskolen i Bergen, NO) INF5140 / V17 Chapters of the Course Chapter 1 Recall in More Depth Chapter 2 Specification Languages on Words Chapter 3 LTL on Finite

More information

Price of Stability in Survivable Network Design

Price of Stability in Survivable Network Design Noname manuscript No. (will be inserted by the editor) Price of Stability in Survivable Network Design Elliot Anshelevich Bugra Caskurlu Received: January 2010 / Accepted: Abstract We study the survivable

More information

Assertions and Measurements for Mixed-Signal Simulation

Assertions and Measurements for Mixed-Signal Simulation Assertions and Measurements for Mixed-Signal Simulation PhD Thesis Thomas Ferrère VERIMAG, University of Grenoble (directeur: Oded Maler) Mentor Graphics Corporation (co-encadrant: Ernst Christen) October

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback