Safety first: a two-stage algorithm for the synthesis of reactive systems

In the game-theoretic approach to the synthesis of reactive systems, specifications are often expressed as ω-regular languages. Computing a winning strategy to an infinite game whose winning condition is an ω-regular language is then the main step in obtaining an implementation. Conjoining all the properties of a specification to obtain a monolithic game suffers from the doubly exponential determinization that is required. Despite the success of symbolic algorithms, the monolithic approach is not practical. Existing techniques achieve efficiency by imposing restrictions on the ω-regular languages they deal with. In contrast, we present an approach that achieves improvement in performance through the decomposition of the problem while still accepting the full set of ω-regular languages. Each property is translated into a deterministic ω-regular automaton explicitly while the two-player game defined by the collection of automata is played symbolically. Safety and persistence properties usually make up the majority of a specification. We take advantage of this by solving the game incrementally. Each safety and persistence property is used to gradually construct the parity game. Optimizations are applied after each refinement of the graph. This process produces a compact symbolic encoding of the parity game. We then compose the remaining properties and solve one final game after possibly solving smaller games to further optimize the graph. An implementation is finally derived from the winning strategies computed. We compare the results of our tool to those of the synthesis tool Anzu.     

Category localization semantics for specification refinements

We describe the theory of refinements of specifications based on localizations of categories. The approach allows us to enlarge the family of refinements (i.e. specification morphisms) of the category Spec – the category of first order theories (specifications) of multi-sorted algebras. We prove that the class of specification morphisms in the category Spec can be enriched by the class of all interpretations of theories from Spec in all definitional extensions of theories of multi-sorted algebras. It provides a guide for finding a path leading from a given specification to a specification which is a provably correct code in a programming language (like C++, Lisp, Java).     

Decentralized supervisory control of discrete event systems with communication delays based on conjunctive and permissive decision structures

In many practical discrete event systems (DESs), some unexpected and uncontrollable events can subsequently occur before a proper control action is actually applied to a plant due to communication delays. For such DESs, this paper investigates necessary and sufficient conditions for the existence of a nonblocking decentralized supervisor that can correctly achieve a given language specification when the decentralized supervisor is assumed to have a conjunctive and permissive decision structure. In particular, this paper presents a notion of delay-coobservability for a given language specification and shows that it is a key condition for the existence of such a decentralized supervisor.     

Type inference and strong static type checking for Promela

The Spin model checker and its specification language Promela have been used extensively in industry and academia to check the logical properties of distributed algorithms and protocols. Model checking with Spin involves reasoning about a system via an abstract Promela specification, thus the technique depends critically on the soundness of this specification. Promela includes a rich set of data types including first-class channels, but the language syntax restricts the declaration of channel types so that it is not generally possible to deduce the complete type of a channel directly from its declaration. We present the design and implementation of Etch, an enhanced type checker for Promela, which uses constraint-based type inference to perform strong type checking of Promela specifications, allowing static detection of errors that Spin would not detect until simulation/verification time, or that Spin may miss completely. We discuss theoretical and practical problems associated with designing a type system and type checker for an existing language, and formalise our approach using a Promela-like calculus. To handle subtyping between base types, we present an extension to a standard unification algorithm to solve a system of equality and subtyping constraints, based on bounded substitutions.     

Submodule construction from concurrent system specifications

The submodule construction problem (SCP) as stated and formulated by Merlin and Bochmann [P. Merlin, G.V. Bochmann, On the construction of submodule specification and communication protocols, ACM Trans. Prog. Lang. Sys., 5(1) (1983) 1–25] is considered: given the specification of a system (module) and that of its n−1 submodules, determine the specification of the nth submodule that together with the given n−1 submodules will satisfy the given system specification. We recast SCP in a formal setting and proceed to present and prove the correctness of an algorithm for the solution of SCP where submodules are prefix-closed finite state machines.     

Slicing from formal semantics: Chisel—a tool for generic program slicing

We describe Chisel, a tool that synthesizes a program slicer directly from a given algebraic specification of a programming language operational semantics \(\mathcal {S}\). \(\mathcal {S}\) is assumed to be a rewriting logic specification, given in Maude, while the program is a ground term of this specification. Chisel takes \(\mathcal {S}\) and synthesizes language constructs, i.e., instructions, that produce features relevant for slicing, e.g., data dependency. We implement syntheses adjusted to each feature as model checking properties over an abstract representation of \(\mathcal {S}\). The syntheses results are used by a traditional interprocedural slicing algorithm that we parameterize by the synthesized language features. We present the tool on two language paradigms: high-level, imperative and low-level, assembly languages. Computing program slices for these languages allows for extracting traceability properties in standard compilation chains and makes our tool fitting for the validation of embedded system designs. Chisel’s slicing benchmark evaluation is based on benchmarks used in avionics.     

On controllability of discrete event systems in a behavioral framework

The purpose of this paper is to investigate the controllability and the achievability of discrete event systems within a behavioral framework. Based on the notion of Willems’ behavioral controllability [1, 2], we introduce a new concept related to the controllability of discrete event systems. By using the controllability proposed here and the notion related to achievable behaviors [3, 4], we show that the behavioral controllability for a given specification with respect to language is equivalent to the existence of a controller, so that an interconnected system satisfies the specification exactly. A proposed controller here is represented by the intersection of the behavior of a given plant and that of a given (controllable) specification. We also clarify that our controllers for a given specification fit the properties of well-known supervisory controllers proposed and developed by Ramadge and Wonham [5]. The text was submitted by the authors in English.     

Reliable decentralized supervisory control of discrete eventsystems

We consider a discrete event system controlled by a decentralized supervisor consisting of n local supervisors, and formulate a new decentralized supervisory control problem, called a reliable decentralized supervisory control problem. A decentralized supervisor is said to be k-reliable (1相似文献   

Monitoring Interfaces for Faults

We consider the problem of a module interacting with an external interface (environment) where the interaction is expected to satisfy some system specification Φ. While we have the full implementation details of the module, we are only given a partial external specification for the interface. The interface specification being partial (incomplete) means that the interface displays only a strict subset of the behaviors allowed by the interface specification.Based on the assumption that interface specifications are typically incomplete, we address the question of whether we can tighten the interface specification into a strategy, consistent with the given partial specification, that will guarantee that all possible interactions resulting from possible behaviors of the module will satisfy the system specification Φ. We refer to such a tighter specification as Φ-guaranteeing specification. Rather than verifying whether the interface, which is often an off-the-shelf component, satisfies the tighter specification, the paper proposes a construction of a run-time monitor which continuously checks the existence of a Φ-guaranteeing interface.We view the module and the external interface as players in a 2-player game. The interface has a winning strategy if it can guarantee that no matter what the module does, the overall specification Φ is met. The problem of incomplete specifications is resolved by allowing the interface to follow any strategy consistent with the interface specification. Our approach essentially combines traditional run-time monitoring and static analysis. This allows going beyond the focus of traditional run-time monitoring tools – error detection in the execution trace, towards the focus of the static analysis – bug detection in the programs.     

Decentralized supervisory control of nondeterministic discrete event systems: The existence condition of a robust and nonblocking supervisor

This paper addresses a decentralized supervisory control problem for an uncertain discrete event system (DES) modeled by a set of possible nondeterministic automata with unidentified internal events. For a given language specification, we present the existence condition of a robust and nonblocking decentralized supervisor that achieves this specification for any nondeterministic model in the set. In particular, we show that the given language specification can be achieved based on the properties of its controllability and coobservability with respect to the overall nominal behavior of the uncertain DES. It is further shown that the existence of a nonblocking decentralized supervisor can be examined with a trajectory model of the language specification.     

Coinduction for preordered algebra

We develop a combination, called hidden preordered algebra, between preordered algebra, which is an algebraic framework supporting specification and reasoning about transitions, and hidden algebra, which is the algebraic framework for behavioural specification. This combination arises naturally within the heterogeneous framework of the modern formal specification language CafeOBJ. The novel specification concept arising from this combination, and which constitutes its single unique feature, is that of behavioural transition. We extend the coinduction proof method for behavioural equivalence to coinduction for proving behavioural transitions.     

Nonblocking supervisory control of timed discrete event systems under communication delays: The existence conditions

This paper addresses the problem of nonblocking supervisory control of timed discrete event systems under communication delays based on the framework proposed by Brandin and Wonham. For such a system, a supervisory control command could be applied to the system after some time-delay limited by a finite bound corresponding to the maximal number of tick occurrences, and some uncontrollable events may unexpectedly occur within this time-delay. This paper presents the necessary and sufficient conditions for the existence of a nonblocking supervisor that can achieve a given language specification in consideration of such delayed communications.     

Verifying conformance of multi-agent commitment-based protocols

Although several approaches have been proposed to specify multi-agent commitment-based protocols that capture flexible and rich interactions among autonomous and heterogeneous agents, very few of them synthesize their formal specification and automatic verification in an integrated framework. In this paper, we present a new logic-based language to specify commitment-based protocols, which is derived from ACTL^1c, a logic extending CTL¹ with modalities to represent and reason about social commitments and their actions. We present a reduction technique that formally transforms the problem of model checking ACTL^1c to the problem of model checking GCTL¹ (an extension of CTL¹ with action formulae). We prove that the reduction technique is sound and we fully implement it on top of the CWB-NC model checker to automatically verify the NetBill protocol, a motivated and specified example in the proposed specification language. We also apply the proposed technique to check the compliance of another protocol: the Contract Net protocol with given properties and report and discuss the obtained results. We finally develop a new symbolic algorithm to perform model checking dedicated to the proposed logic.     

Moduli-based language for building problem-solving scenarios

We propose a language for executive specification of problem-solving scenarios. The scenarios are an aggregate of actions realized as independent software moduli, the information connections between them and the sequence of their execution. An executive system controlling the execution of the scenarios was developed on the basis of the language. This system is the kernel of a system for automated control system design. The scenarios have a hierarchical structure. The organization of the scenarios is based on an object-oriented paradigm. Every module is an instance of a particular type module, called class. This allows one and the same module to be executed in different contexts. A unique information interaction mechanism between the moduli in the scenarios, allowing on-line changes in the information flow, was developed. The language is problem-independent, and can be used in various problem domains.     

Supervisory control of discrete event systems with communication delays and partial observations

This paper presents necessary and sufficient conditions for the existence of a nonblocking supervisor that achieves a given language specification for a discrete event system (DES) with communication delays and partial observations. In many practical situations, some uncontrollable events can subsequently occur before a proper control action is applied to the DES due to delays in sensing, communicating, and actuating. Moreover, some of the uncontrollable events may be unobservable. To achieve a given language specification in such situations, this paper presents a language property called delay observability which assures no confliction in making a decision for legal controllable events under partial observation and delay communication.     

Multi-decision diagnosis: decentralized architectures cooperating for diagnosing the presence of faults in discrete event systems

This article deals with decentralized diagnosis, where a set of diagnosers cooperate for detecting faults in a discrete event system. We propose a new framework, called multi-decision diagnosis, whose basic principle consists in using several decentralized diagnosis architectures working in parallel. We first present a generic form of multi-decision diagnosis, where several decentralized diagnosis architectures work in parallel and combine their global decisions disjunctively or conjunctively. We then study in more detail the inference-based multi-decision diagnosis, that is, in the case where each of the decentralized architectures in parallel is based on the inference-based framework. We develop a method that checks if a given specification is diagnosable under the inference-based multi-decision architecture. We also show that with our method, the worst-case computational complexity for checking codiagnosability for our inference-based multi-decision architecture is in the same order of complexity as checking codiagnosability for the inference-based architecture designed by Kumar and Takai. In fact, multi-decision diagnosis is fundamentally undecidable and we have formulated a decidable variant of it. Multi-decision diagnosis is formally based on language decomposition, but it is worth noting that our objective is not to answer the existential question of language decomposition in the general case. Our objective is rather to propose a decentralized diagnosis architecture that generalizes the decidable existing ones.