-
Unifying Asynchronous Logics for Hyperproperties
Authors:
Alberto Bombardelli,
Laura Bozzelli,
César Sánchez,
Stefano Tonetta
Abstract:
We introduce and investigate a powerful hyper logical framework in the linear-time setting, we call generalized HyperLTL with stuttering and contexts (GHyperLTL_SC for short). GHyperLTL_SC unifies known asynchronous extensions of HyperLTL and the well-known extension KLTL of LTL with knowledge modalities under both the synchronous and asynchronous perfect recall semantics. As a main contribution,…
▽ More
We introduce and investigate a powerful hyper logical framework in the linear-time setting, we call generalized HyperLTL with stuttering and contexts (GHyperLTL_SC for short). GHyperLTL_SC unifies known asynchronous extensions of HyperLTL and the well-known extension KLTL of LTL with knowledge modalities under both the synchronous and asynchronous perfect recall semantics. As a main contribution, we individuate a meaningful fragment of GHyperLTL_SC, we call simple GHyperLTL_SC, with a decidable model-checking problem, which is more expressive than HyperLTL and known fragments of asynchronous extensions of HyperLTL with a decidable model-checking problem. Simple GHyperLTL_SC subsumes KLTL under the synchronous semantics and the one-agent fragment of KLTL under the asynchronous semantics, and to the best of our knowledge, it represents the unique hyper logic with a decidable model-checking problem which can express powerful non-regular trace properties when interpreted on singleton sets of traces. We justify the relevance of simple GHyperLTL_SC by showing that it can express diagnosability properties, interesting classes of information-flow security policies, both in the synchronous and asynchronous settings, and bounded termination (more in general, global promptness in the style of Prompt LTL).
△ Less
Submitted 25 April, 2024;
originally announced April 2024.
-
Asynchronous Composition of LTL Properties over Infinite and Finite Traces
Authors:
Alberto Bombardelli,
Stefano Tonetta
Abstract:
The verification of asynchronous software components poses significant challenges due to the way components interleave and exchange input/output data concurrently. Compositional strategies aim to address this by separating the task of verifying individual components on local properties from the task of combining them to achieve global properties. This paper concentrates on employing symbolic model…
▽ More
The verification of asynchronous software components poses significant challenges due to the way components interleave and exchange input/output data concurrently. Compositional strategies aim to address this by separating the task of verifying individual components on local properties from the task of combining them to achieve global properties. This paper concentrates on employing symbolic model checking techniques to verify properties specified in Linear-time Temporal Logic (LTL) on asynchronous software components that interact through data ports. Unlike event-based composition, local properties can now impose constraints on input from other components, increasing the complexity of their composition. We consider both the standard semantics over infinite traces as well as the truncated semantics over finite traces to allow scheduling components only finitely many times.
We propose a novel LTL rewriting approach, which converts a local property into a global one while considering the interleaving of infinite or finite execution traces of components. We prove the semantic equivalence of local properties and their rewritten version projected on the local symbols. The rewriting is also optimized to reduce formula size and to leave it unchanged when the temporal property is stutter invariant. These methods have been integrated into the OCRA tool, as part of the contract refinement verification suite. Finally, the different composition approaches were compared through an experimental evaluation that covers various types of specifications.
△ Less
Submitted 22 December, 2023;
originally announced December 2023.
-
Automatic Generation of Scenarios for System-level Simulation-based Verification of Autonomous Driving Systems
Authors:
Srajan Goyal,
Alberto Griggio,
Jacob Kimblad,
Stefano Tonetta
Abstract:
With increasing complexity of Automated Driving Systems (ADS), ensuring their safety and reliability has become a critical challenge. The Verification and Validation (V&V) of these systems are particularly demanding when AI components are employed to implement perception and/or control functions. In ESA-funded project VIVAS, we developed a generic framework for system-level simulation-based V&V of…
▽ More
With increasing complexity of Automated Driving Systems (ADS), ensuring their safety and reliability has become a critical challenge. The Verification and Validation (V&V) of these systems are particularly demanding when AI components are employed to implement perception and/or control functions. In ESA-funded project VIVAS, we developed a generic framework for system-level simulation-based V&V of autonomous systems. The approach is based on a simulation model of the system, an abstract model that describes symbolically the system behavior, and formal methods to generate scenarios and verify the simulation executions. Various coverage criteria can be defined to guide the automated generation of the scenarios.
In this paper, we describe the instantiation of the VIVAS framework for an ADS case study. This is based on the integration of CARLA, a widely-used driving simulator, and its ScenarioRunner tool, which enables the creation of diverse and complex driving scenarios. This is also used in the CARLA Autonomous Driving Challenge to validate different ADS agents for perception and control based on AI, shared by the CARLA community. We describe the development of an abstract ADS model and the formulation of a coverage criterion that focuses on the behaviors of vehicles relative to the vehicle with ADS under verification. Leveraging the VIVAS framework, we generate and execute various driving scenarios, thus testing the capabilities of the AI components. The results show the effectiveness of VIVAS in automatically generating scenarios for system-level simulation-based V&V of an automated driving system using CARLA and ScenarioRunner. Therefore, they highlight the potential of the approach as a powerful tool in the future of ADS V&V methodologies.
△ Less
Submitted 16 November, 2023;
originally announced November 2023.
-
A first-order logic characterization of safety and co-safety languages
Authors:
Alessandro Cimatti,
Luca Geatti,
Nicola Gigante,
Angelo Montanari,
Stefano Tonetta
Abstract:
Linear Temporal Logic (LTL) is one of the most popular temporal logics, that comes into play in a variety of branches of computer science. Among the various reasons of its widespread use there are its strong foundational properties: LTL is equivalent to counter-free omega-automata, to star-free omega-regular expressions, and (by Kamp's theorem) to the First-Order Theory of Linear Orders (FO-TLO).…
▽ More
Linear Temporal Logic (LTL) is one of the most popular temporal logics, that comes into play in a variety of branches of computer science. Among the various reasons of its widespread use there are its strong foundational properties: LTL is equivalent to counter-free omega-automata, to star-free omega-regular expressions, and (by Kamp's theorem) to the First-Order Theory of Linear Orders (FO-TLO). Safety and co-safety languages, where a finite prefix suffices to establish whether a word does not belong or belongs to the language, respectively, play a crucial role in lowering the complexity of problems like model checking and reactive synthesis for LTL. SafetyLTL (resp., coSafetyLTL) is a fragment of LTL where only universal (resp., existential) temporal modalities are allowed, that recognises safety (resp., co-safety) languages only. The main contribution of this paper is the introduction of a fragment of FO-TLO, called SafetyFO, and of its dual coSafetyFO, which are expressively complete with respect to the LTL-definable safety and co-safety languages. We prove that they exactly characterize SafetyLTL and coSafetyLTL, respectively, a result that joins Kamp's theorem, and provides a clearer view of the characterization of (fragments of) LTL in terms of first-order languages. In addition, it gives a direct, compact, and self-contained proof that any safety language definable in LTL is definable in SafetyLTL as well. As a by-product, we obtain some interesting results on the expressive power of the weak tomorrow operator of SafetyLTL, interpreted over finite and infinite words. Moreover, we prove that, when interpreted over finite words, SafetyLTL (resp. coSafetyLTL) devoid of the tomorrow (resp., weak tomorrow) operator captures the safety (resp., co-safety) fragment of LTL over finite words.
△ Less
Submitted 9 August, 2023; v1 submitted 6 September, 2022;
originally announced September 2022.
-
The VMT-LIB Language and Tools
Authors:
Alessandro Cimatti,
Alberto Griggio,
Stefano Tonetta
Abstract:
We present VMT-LIB, a language for the representation of verification problems of linear-time temporal properties on infinite-state symbolic transition systems. VMT-LIB is an extension of the standard SMT-LIB language for SMT solvers, developed with the goal of facilitating the interoperability and exchange of benchmark problems among different verification tools. Besides describing its syntax and…
▽ More
We present VMT-LIB, a language for the representation of verification problems of linear-time temporal properties on infinite-state symbolic transition systems. VMT-LIB is an extension of the standard SMT-LIB language for SMT solvers, developed with the goal of facilitating the interoperability and exchange of benchmark problems among different verification tools. Besides describing its syntax and semantics, we also present a set of open-source tools to work with the language.
△ Less
Submitted 27 September, 2021;
originally announced September 2021.
-
Expressiveness of Extended Bounded Response LTL
Authors:
Alessandro Cimatti,
Luca Geatti,
Nicola Gigante,
Angelo Montanari,
Stefano Tonetta
Abstract:
Extended Bounded Response LTL with Past (LTLEBR+P) is a safety fragment of Linear Temporal Logic with Past (LTL+P) that has been recently introduced in the context of reactive synthesis. The strength of LTLEBR+P is a fully symbolic compilation of formulas into symbolic deterministic automata. Its syntax is organized in four levels. The first three levels feature (a particular combination of) futur…
▽ More
Extended Bounded Response LTL with Past (LTLEBR+P) is a safety fragment of Linear Temporal Logic with Past (LTL+P) that has been recently introduced in the context of reactive synthesis. The strength of LTLEBR+P is a fully symbolic compilation of formulas into symbolic deterministic automata. Its syntax is organized in four levels. The first three levels feature (a particular combination of) future temporal modalities, the last one admits only past temporal operators. At the base of such a structuring there are algorithmic motivations: each level corresponds to a step of the algorithm for the automaton construction. The complex syntax of LTLEBR+P made it difficult to precisely characterize its expressive power, and to compare it with other LTL+P safety fragments.
In this paper, we first prove that LTLEBR+P is expressively complete with respect to the safety fragment of LTL+P, that is, any safety language definable in LTL+P can be formalized in LTLEBR+P, and vice versa. From this, it follows that LTLEBR+P and Safety-LTL are expressively equivalent. Then, we show that past modalities play an essential role in LTLEBR+P: we prove that the future fragment of LTLEBR+P is strictly less expressive than full LTLEBR+P.
△ Less
Submitted 16 September, 2021;
originally announced September 2021.
-
Model-based analysis support for dependable complex systems in CHESS
Authors:
Felicien Ihirwe,
Silvia Mazzini,
Pierluigi Pierini,
Alberto Debiasi,
Stefano Tonetta
Abstract:
The challenges related to dependable complex systems are heterogeneous and involve different aspects of the system. On one hand, the decision-making processes need to take into account many options. On the other hand, the design of the system's logical architecture must consider various dependability concerns such as safety, reliability, and security. Moreover, in case of high-assurance systems, t…
▽ More
The challenges related to dependable complex systems are heterogeneous and involve different aspects of the system. On one hand, the decision-making processes need to take into account many options. On the other hand, the design of the system's logical architecture must consider various dependability concerns such as safety, reliability, and security. Moreover, in case of high-assurance systems, the analysis of such concerns must be performed with rigorous methods. In this paper, we present the new development of CHESS, a cross-domain, model-driven, component-based, and open-source tool for the development of high-integrity systems. We focus on the new recently distributed version of CHESS, which supports extended model-based development and analyses for safety and security concerns. Finally, we present contributions of CHESS to several international research projects.
△ Less
Submitted 12 November, 2020; v1 submitted 13 September, 2020;
originally announced September 2020.
-
Reactive Synthesis from Extended Bounded Response LTL Specifications
Authors:
Alessandro Cimatti,
Luca Geatti,
Nicola Gigante,
Angelo Montanari,
Stefano Tonetta
Abstract:
Reactive synthesis is a key technique for the design of correct-by-construction systems and has been thoroughly investigated in the last decades. It consists in the synthesis of a controller that reacts to environment's inputs satisfying a given temporal logic specification. Common approaches are based on the explicit construction of automata and on their determinization, which limit their scalabi…
▽ More
Reactive synthesis is a key technique for the design of correct-by-construction systems and has been thoroughly investigated in the last decades. It consists in the synthesis of a controller that reacts to environment's inputs satisfying a given temporal logic specification. Common approaches are based on the explicit construction of automata and on their determinization, which limit their scalability.
In this paper, we introduce a new fragment of Linear Temporal Logic, called Extended Bounded Response LTL (\LTLEBR), that allows one to combine bounded and universal unbounded temporal operators (thus covering a large set of practical cases), and we show that reactive synthesis from \LTLEBR specifications can be reduced to solving a safety game over a deterministic symbolic automaton built directly from the specification. We prove the correctness of the proposed approach and we successfully evaluate it on various benchmarks.
△ Less
Submitted 12 August, 2020;
originally announced August 2020.
-
A Cloud-Based Collaboration Platform for Model-Based Design of Cyber-Physical Systems
Authors:
Peter Gorm Larsen,
Hugo Daniel Macedo,
John Fitzgerald,
Holger Pfeifer,
Martin Benedikt,
Stefano Tonetta,
Angelo Marguglio,
Sergio Gusmeroli,
George Suciu Jr
Abstract:
Businesses, particularly small and medium-sized enterprises, aiming to start up in Model-Based Design (MBD) face difficult choices from a wide range of methods, notations and tools before making the significant investments in planning, procurement and training necessary to deploy new approaches successfully. In the development of Cyber-Physical Systems (CPSs) this is exacerbated by the diversity o…
▽ More
Businesses, particularly small and medium-sized enterprises, aiming to start up in Model-Based Design (MBD) face difficult choices from a wide range of methods, notations and tools before making the significant investments in planning, procurement and training necessary to deploy new approaches successfully. In the development of Cyber-Physical Systems (CPSs) this is exacerbated by the diversity of formalisms covering computation, physical and human processes. In this paper, we propose the use of a cloud-enabled and open collaboration platform that allows businesses to offer models, tools and other assets, and permits others to access these on a pay-per-use basis as a means of lowering barriers to the adoption of MBD technology, and to promote experimentation in a sandbox environment.
△ Less
Submitted 5 May, 2020;
originally announced May 2020.
-
Linear-time Temporal Logic with Event Freezing Functions
Authors:
Stefano Tonetta
Abstract:
Formal properties represent a cornerstone of the system-correctness proofs based on formal verification techniques such as model checking. Formalizing requirements into temporal properties may be very complex and error prone, due not only to the ambiguity of the textual requirements but also to the complexity of the formal language. Finding a property specification language that balances simplici…
▽ More
Formal properties represent a cornerstone of the system-correctness proofs based on formal verification techniques such as model checking. Formalizing requirements into temporal properties may be very complex and error prone, due not only to the ambiguity of the textual requirements but also to the complexity of the formal language. Finding a property specification language that balances simplicity, expressiveness, and tool support remains an open problem in many real-world contexts.
In this paper, we propose a new temporal logic, which extends First-Order Linear-time Temporal Logic with Past adding two operators "at next" and "at last", which take in input a term and a formula and represent the value of the term at the next state in the future or last state in the past in which the formula holds. We consider different models of time (including discrete, dense, and super-dense time) and Satisfiability Modulo Theories (SMT) of the first-order formulas. The "at next" and "at last" functions can be seen as a generalization of Event-Clock operators and can encode some Metric Temporal operators also with counting. They are useful to formalize properties of component-based models because they allow to express constraints on the data exchanged with messages at different instants of time. We provide a simple encoding into equisatisfiable formulas without the extra functional symbols. We implement a prototype tool support based on SMT-based model checking.
△ Less
Submitted 7 September, 2017;
originally announced September 2017.
-
Verification of railway interlocking - Compositional approach with OCRA
Authors:
Christophe Limbree,
Quentin Cappart,
Charles Pecheur,
Stefano Tonetta
Abstract:
In the railway domain, an electronic interlocking is a computerised system that controls the railway signalling components (e.g. switches or signals) in order to allow a safe operation of the train traffic. Interlockings are controlled by a software logic that relies on a generic software and a set of application data particular to the station under control. The verification of the application dat…
▽ More
In the railway domain, an electronic interlocking is a computerised system that controls the railway signalling components (e.g. switches or signals) in order to allow a safe operation of the train traffic. Interlockings are controlled by a software logic that relies on a generic software and a set of application data particular to the station under control. The verification of the application data is time consuming and error prone as it is mostly performed by human testers. In the first stage of our research, we built a model of a small Belgian railway station and we performed the verification of the application data with the nusmv model checker. However, the verification of larger stations fails due to the state space explosion problem. The intuition is that large stations can be split into smaller components that can be verified separately. This concept is known as compositional verification. This article explains how we used the ocra tool in order to model a medium size station and how we verified safety properties by mean of contracts. We also took advantage of new algorithms (k-liveness and ic3) recently implemented in nuxmv in order to verify LTL properties on our model.
△ Less
Submitted 20 May, 2016;
originally announced May 2016.
-
Formal Design of Asynchronous Fault Detection and Identification Components using Temporal Epistemic Logic
Authors:
Marco Bozzano,
Alessandro Cimatti,
Marco Gario,
Stefano Tonetta
Abstract:
Autonomous critical systems, such as satellites and space rovers, must be able to detect the occurrence of faults in order to ensure correct operation. This task is carried out by Fault Detection and Identification (FDI) components, that are embedded in those systems and are in charge of detecting faults in an automated and timely manner by reading data from sensors and triggering predefined alar…
▽ More
Autonomous critical systems, such as satellites and space rovers, must be able to detect the occurrence of faults in order to ensure correct operation. This task is carried out by Fault Detection and Identification (FDI) components, that are embedded in those systems and are in charge of detecting faults in an automated and timely manner by reading data from sensors and triggering predefined alarms. The design of effective FDI components is an extremely hard problem, also due to the lack of a complete theoretical foundation, and of precise specification and validation techniques. In this paper, we present the first formal approach to the design of FDI components for discrete event systems, both in a synchronous and asynchronous setting. We propose a logical language for the specification of FDI requirements that accounts for a wide class of practical cases, and includes novel aspects such as maximality and trace-diagnosability. The language is equipped with a clear semantics based on temporal epistemic logic, and is proved to enjoy suitable properties. We discuss how to validate the requirements and how to verify that a given FDI component satisfies them. We propose an algorithm for the synthesis of correct-by-construction FDI components, and report on the applicability of the design approach on an industrial case-study coming from aerospace.
△ Less
Submitted 10 February, 2016; v1 submitted 16 June, 2015;
originally announced June 2015.
-
IC3 Modulo Theories via Implicit Predicate Abstraction
Authors:
Alessandro Cimatti,
Alberto Griggio,
Sergio Mover,
Stefano Tonetta
Abstract:
We present a novel approach for generalizing the IC3 algorithm for invariant checking from finite-state to infinite-state transition systems, expressed over some background theories. The procedure is based on a tight integration of IC3 with Implicit (predicate) Abstraction, a technique that expresses abstract tran- sitions without computing explicitly the abstract system and is incremental with re…
▽ More
We present a novel approach for generalizing the IC3 algorithm for invariant checking from finite-state to infinite-state transition systems, expressed over some background theories. The procedure is based on a tight integration of IC3 with Implicit (predicate) Abstraction, a technique that expresses abstract tran- sitions without computing explicitly the abstract system and is incremental with respect to the addition of predicates. In this scenario, IC3 operates only at the Boolean level of the abstract state space, discovering inductive clauses over the abstraction predicates. Theory reasoning is confined within the underlying SMT solver, and applied transparently when performing satisfiability checks. When the current abstraction allows for a spurious counterexample, it is refined by discov- ering and adding a sufficient set of new predicates. Importantly, this can be done in a completely incremental manner, without discarding the clauses found in the previous search. The proposed approach has two key advantages. First, unlike current SMT gener- alizations of IC3, it allows to handle a wide range of background theories without relying on ad-hoc extensions, such as quantifier elimination or theory-specific clause generalization procedures, which might not always be available, and can moreover be inefficient. Second, compared to a direct exploration of the concrete transition system, the use of abstraction gives a significant performance improve- ment, as our experiments demonstrate.
△ Less
Submitted 25 October, 2013;
originally announced October 2013.
-
Formalization and Validation of Safety-Critical Requirements
Authors:
Alessandro Cimatti,
Marco Roveri,
Angelo Susi,
Stefano Tonetta
Abstract:
The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design, many formal techniques have been conceived and applied, the…
▽ More
The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design, many formal techniques have been conceived and applied, the research on formal methods for requirements validation is not yet mature. The main obstacles are that, on the one hand, the correctness of requirements is not formally defined; on the other hand that the formalization and the validation of the requirements usually demands a strong involvement of domain experts. We report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The main ingredients are a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements.
△ Less
Submitted 27 June, 2012; v1 submitted 8 March, 2010;
originally announced March 2010.