Concurrent Systems

In this survey paper, we present known results and open questions on a proper subclass of the class of regular languages. This class, denoted by W, is especially robust: it is closed under union, intersection, product, shuffle, left and right quotients, inverse of morphisms, length preserving morphisms and commutative closure. It can be defined as the largest positive variety of languages not containing the language (ab) * . It admits a nontrivial algebraic characterization in terms of finite ordered monoids, which implies that W is decidable: given a regular language, one can effectively decide whether or not it belongs to W. We propose as a challenge to find a constructive description and a logical characterization of W. ⋆ The authors acknowledge support from the AutoMathA programme of the European Science Foundation.

Abstract. Workflow nets, a subclass of Petri nets, are known as attractive models for analysing complex business processes. In a hospital environment, for example, the processes show a complex and dynamic behavior, which is difficult to control; the workflow net which models such a complex process provides a good insight into it, and due to its formal representation offers techniques for improved control. We propose a method whose main advantage consists in discovering the workflow Petri nets automatically from process ...

We propose a formalism for construction and performance of musical pieces composed of temporal structures involv- ing discrete interactive events. The occurrence in time of these structures and events is partially defined according to constraints, such as Allen temporal relations. We rep- resent the temporal structures using two constraint mod- els. A constraints propagation model is used for the score composition stage whereas a non deterministic temporal concurrent constraint calculus (NTCC) is used for the per- formance phase. The models are tested with examples of temporal structures computed with the GECODE con- straint system library and run with a NTCC interpreter.

Network protocols are critical software that must be verified in order to ensure that they fulfil the requirements. This verification can be performed using model checking, which is a fully automatic technique for checking concurrent software properties in which the states of a concurrent system are explored in an explicit or implicit way. However, the state explosion problem limits the size of the models that are possible to check. Particle Swarm Optimization (PSO) is a metaheuristic technique that has obtained good results in optimization problems in which exhaustive techniques fail due to the size of the search space. Unlike exact techniques, metaheuristic techniques can not be used to verify that a program satisfies a given property, but they can find errors on the software using a lower amount of resources than exact techniques. In this paper, we propose the application of PSO to solve the problem of finding safety errors in network protocols. We implemented our ideas in the Java Pathfinder (JPF) model checker to validate them and present our results. To the best of our knowledge, this is the first time that PSO is used to find errors in concurrent systems. The results show that PSO is able to find errors in protocols in which some traditional exhaustive techniques fail due to memory constraints. In addition, the lengths of the error trails obtained by PSO are shorter (better quality) than the ones obtained by the exhaustive algorithms.

Liveness properties in concurrent systems are, informally, those properties that stipulate that something good eventually happens during execution. In order to prove that a given system satisfies a liveness property, model checking techniques are utilized. However, most of the model checkers found in the literature use exhaustive deterministic algorithms that require huge amounts of memory if the concurrent system is large. Here we propose the use of an algorithm based on ACOhg, a new kind of Ant Colony Optimization algorithm, for searching for liveness property violations in concurrent systems. We also take into account the structure of the liveness property in order to improve the efficacy and efficiency of the search. The results state that our algorithmic proposal, called ACOhg-live, is able to obtain very short error trails in faulty concurrent systems using a low amount of resources, outperforming by far the results of Nested-DFS and Improved-Nested-DFS, two algorithms used in the literature for this task in the model checking community. This fact makes ACOhg-live a very suitable algorithm for finding liveness errors in large faulty concurrent systems, in which traditional techniques fail because of the model size.

In the European project MOGENTES methods for model-based generation of efficient test cases are developed. A special focus is laid on test cases, which not only allow for assessing the fulfillment of requirements, but in particular looking for potential faults – or prove their absence. This is achieved by mutation-based testing: an original model is modified to simulate faults, and then test cases are searched which are able to distinguish between original and mutated model. This paper gives an overview of MOGENTES, presents an application example from the automotive domain, and summarizes the results from this example.

A new approach to support the development of distributed software systems is outlined. As far as static aspects are concerned, standard object-oriented design methods are used. Dynamic aspects like status of services or resource handling in objects and methods, however, play the key role in distributed systems. The main contribution of the approach is a method which puts the focus on these aspects right from the beginning of a design. A new formalism based on extended Petri-Nets { so called Object Coordination Nets (OCoNs) { is used to describe the behavior of an object on a per method basis and for the usage of object resources. The formalism is integrated into higher levels of object-oriented design as an additional means to describe dynamic behavior. Integration with a standard sequential object-oriented language like C++ is used to organize method nets in a class context. This provides a type system for the nets as well. The sequential language can be interpreted as lling the computational gaps in the coordination skeleton provided by the OCoN for a method.

CLP*(D) is a class of constraint logic programming languages which incorporates the notion of abstraction. Predicates in CLP*(D) are (potentially) infinite rational trees which represent abstractions of constraint expressions. This view of predicates as constraint abstractions was motivated by the language Scheme, where closures are viewed as abstractions of functional expressions. A semantics and an efficient implementation of the language are provided, along with several examples of the novel programming techniques provided by this class of languages.

Analyzing array-based computations to determine data dependences is useful for many applications including automatic parallelization, race detection, computation and communication overlap, verification, and shape analysis. For sparse matrix codes, array data dependence analysis is made more difficult by the use of index arrays that make it possible to store only the nonzero entries of the matrix (e.g., in A[B[i]], B is an index array). Here, dependence analysis is often stymied by such indirect array accesses due to the values of the index array not being available at compile time. Consequently, many dependences cannot be proven unsatisfiable or determined until runtime. Nonetheless, index arrays in sparse matrix codes often have properties such as monotonicity of index array elements that can be exploited to reduce the amount of runtime analysis needed. In this paper, we contribute a formulation of array data dependence analysis that includes encoding index array properties as universally quantified constraints. This makes it possible to leverage existing SMT solvers to determine whether such dependences are unsatisfiable and significantly reduces the number of dependences that require runtime analysis in a set of eight sparse matrix kernels. Another contribution is an algorithm for simplifying the remaining satisfiable data dependences by discovering equalities and/or subset relationships. These simplifications are essential to make a runtime-inspection-based approach feasible.

Analyzing array-based computations to determine data dependences is useful for many applications including automatic parallelization, race detection, computation and communication overlap, verification, and shape analysis. For sparse matrix codes, array data dependence analysis is made more difficult by the use of index arrays that make it possible to store only the nonzero entries of the matrix (e.g., in A[B[i]], B is an index array). Here, dependence analysis is often stymied by such indirect array accesses due to the values of the index array not being available at compile time. Consequently, many dependences cannot be proven unsatisfiable or determined until runtime. Nonetheless, index arrays in sparse matrix codes often have properties such as monotonicity of index array elements that can be exploited to reduce the amount of runtime analysis needed. In this paper, we contribute a formulation of array data dependence analysis that includes encoding index array properties as universally quantified constraints. This makes it possible to leverage existing SMT solvers to determine whether such dependences are unsatisfiable and significantly reduces the number of dependences that require runtime analysis in a set of eight sparse matrix kernels. Another contribution is an algorithm for simplifying the remaining satisfiable data dependences by discovering equalities and/or subset relationships. These simplifications are essential to make a runtime-inspection-based approach feasible.

In this paper, we discuss the two approaches to the type of formalism used to express specifications: logic-based approach and model-based approach. Temporal logic and state machine, representatives of formalisms used in each approach, are compared. As a result of this comparison, we know that although temporal logics have many advantages, especially abstraction and flexibility of the specification process, they fail to directly characterize situations easily modeled by model-based formalisms, such as "local" properties of execution sequences. To copy with these drawbacks, we present a new kind of formalism: fair transition system specification (FTSS). This approach combines the best features of temporal logic and state machine methods and it is easy to understand and use. A nontrivial example is used to illustrate our approach and it shows that our FTSS approach is promising.

The class of so-called non-truth-functional logics constitutes a challenge to the usual algebraic based semantic tools, such as matrix semantics [ LS58]. The problem with these logics is the existence of non-congruent connectives that are not always interpreted ...

Communicating Sequential Processes for Java (JCSP) is a mature library that implements CSP‐derived concurrency primitives in Java. A JCSP system is a hierarchical network of autonomous processes communicating over synchronous (optionally buffered) channels, and multiway synchronising through barriers. This paper presents a significant extension to the barrier mechanism: the fast resolution of choice between any number of barrier events, channel communications (in either direction) and timeouts. Previously, and in line with all currently released libraries and languages offering the CSP concurrency model, choice was restricted to channel inputs and timeouts. The paper demonstrates an application of alting barriers and explains the mechanisms used in their implementation that enables their use as guards in a choice. It also shows how choice over channel outputs becomes possible, as a simple consequence of having choice over barriers. Finally, an efficient implementation of CSP's b...

This article describes a technique based on network grammars and abstraction to verify families of state-transition systems. The family of state-transition systems is represented by a context-free network grammar. Using the structure of the network grammar our technique constructs a process invariant that simulates all the state-transition systems in the family. A novel idea introduced in this article is the use of regular languages to express state properties. We have implemented our techniques and verified two nontrivial examples.

In recent years many techniques have been developed for automatically verifying concurrent systems and most of them are based on a representation of the concurrent system by means of a transition system. State explosion is one of the most serious problems of this approach: in fact often the prohibitive number of states renders the veri cation ine cient and, in some cases, impossible. We propose an approach to the reduction of the state space of the transition system corresponding to a CCS process, which takes into account the deadlock freeness property. The reduced transition system is generated by means of a non-standard operational semantics containing a set of rules which are, in some sense, an abstraction, preserving deadlock freeness, of the inference rules of the standard semantics.

The paper presents a process algebraic approach to formal specification and verification of social networks. They are described using the Calculus of Communicating Systems and we reason and verify such formal systems by using directed model checking, which uses AI-inspired heuristic search strategies in order to improve model checking techniques.

We define a model checking technique that applies to a finite state representation of sequential programs. This representation is built by means of an abstraction method which cuts the state explosion by introducing a special symbol, ' , to model 'unknown' variable values. Program properties are expressed by means of a temporal logic, which allow a further abstraction on the basis of the structure of the formulae. The satisfaction of the formulae is checked through a sort of symbolic execution of the programs which may produce a number of false results depending on the number of ' values associated to the variables. Each abstraction produces a different level of incompleteness of the verification result.

In this paper we show how the Cousots' approach to abstract interpretation can be easily and profitably applied to the analysis of concurrent calculi. Actually, when dealing with concurrent processes, a number of interesting properties are independent from the computed values, while they strongly depend on the behavior of processes in terms of performed sequences of actions. In this paper abstract interpretation is applied to the analysis of such a behavior. For this reason, we refer to a quite basic concurrent language: Calculus of Communicating Systems (CCS) without values. The analysis we want to perform can be called interesting actions analysis: the behavior of a process P is observed in an "abstract" way, disregarding all the non-interesting actions. This abstraction can be used as a method for efficiently verifying properties of CCS processes. The abstract semantics we present for such language is able to build a reduced transition system which maintains, with respect to the set of interesting actions, the behavior of the original CCS process. We show how the use of our abstract semantics leads to a reduced transition system on which the properties can be equivalently checked. We consider, as the meaning of CCS processes, the well-known trace semantics, which describes the sequences of actions which can be performed by a process. The interesting actions analysis is seen as an abstraction of such a concrete semantics.

A system supporting video on demand is modeled in the process calculus CCS (Calculus of Communicating Systems), while some properties are expressed in a temporal logic and verified by means of the model checkers of the North Carolina Concurrency Workbench. This application was chosen as a case study to evaluate the usefulness of a methodology, by means of which a property is checked on reduced models obtained issuing abstractions of the system on the basis of the formula. Experimental results are shown and discussed.

In model checking environments, system requirements are usually expressed by means of temporal logic formulas. We propose a user-friendly interface (UFI) with the aim of simplifying the writing of concurrent system properties. The tool is endowed with a graphical interface that supplies a set of patterns from the natural language; the defined patterns constitute a logic (UFL) that is adequate to express the classes of properties usually checked on actual systems. Moreover, UFI is integrated with the CWB-NC tool-kit which is a verification environment based on process algebras and the mu-calculus temporal logic; UFI supports the automatic translation of UFL formulas into mu-calculus formulas and save the translation in the format required by the CWB-NC. Nevertheless, UFI is a flexible tool that can be easily integrated with other environments.

In model checking for temporal logic, the correctness of a (concurrent) system with respect to a desired behavior is verified by checking whether a structure that models the system satisfies a formula describing the behaviour. Most existing verification techniques, and in particular those defined for concurrent calculi like as CCS, are based on a representation of the concurrent system by means of a labelled transition system. In this approach to verification, state explosion is one of the most serious problems. In this paper we present a new temporal logic, the selective mu-calculus, with the property that only the actions occurring in a formula are relevant to check the formula itself. We prove that the selective mu-calculus is as powerful as the mu-calculus. We define the notion of p-bisimulation between transition systems: given a set of actions p, a transition system p-bisimulates another one if they have the same behaviour with respect to the actions in p. We prove that, if two transition systems are p-equivalent, they preserve all the selective mu-calculus formulae with occurring actions in p. Consequently, a formula with occurring actions p can be more efficiently checked on a transition system p-equivalent to the standard one, but smaller than it.

Java is largely used to develop distributed and concurrent systems, but testing multithreaded systems cannot guarantee the quality of the software; in contrast, verification techniques give us a higher confidence about the system and, among these, model checking methods automatically establish properties of complex systems. Such techniques are usually applied to specification languages, and several environments exist to verify temporal properties of concurrent specifications. In this paper we present an attempt to apply model checking techniques for verifying a subset of multithreaded Java programs. In particular, we use a tool based on the selective mu-calculus logic to check systems described through the CCS specification language.

Ensuring deadlock freedom is one of the most critical requirements in the design and validation of concurrent systems. The biggest challenge toward the development of effective deadlock detection schemes remains the state-space explosion problem when model checking is used for proving the correctness of a system with respect to a desired behavior. In this paper we propose the use of the Ant Colony Optimization (ACO) to reduce the state explosion problem arising when finding deadlocks in complex networks described using Calculus of Communicating Systems (CCS). Moreover, ACO is used to provide minimal counterexamples. In fact, although one of the strongest advantages of model checking is the generation of counterexamples when verification fails, traditional model checkers may return very long counterexamples. We present an implementation of our technique and encouraging experimental results on several benchmarks. These results are then compared with other heuristic-based search strategies, retaining the advantages of our approach.

Verification of a concurrent system can be accomplished by model checking the properties on a structure representing the system; this structure is, in general, a transition system which contains a prohibitive number of states. In this paper, we apply a method to reduce the state explosion problem by pointing out the events of the system to be ignored on the basis of the property to be verified. We evaluate the method by means of a real application used as a case study: the system is specified by a CCS program, then the program is reduced by means of syntactic rules; afterwards, the corresponding transition system is built by means of a non-standard operational semantics, which performs further reductions during the construction. Prototype tools perform both kinds of reductions; finally the required properties are checked by means of the model checkers of the CWB-NC.

Software engineering research is driven by the aim of making software development more dynamic, flexible and evolvable. Nowadays the emphasis is on the evolution of pre-existing sub-systems and component and service-based development, where often only a part of the system is totally under control of the designer, most components being remotely operated by external vendors. In this context, we tackle the following problem: given the formal specification of the (incomplete) system, say it p, already built, how to characterize collaborators of p to be selected, based on a given communication interface L, so that a given property ϕ is satisfied. Using properties described by temporal logic formulae and systems by CCS processes, if ϕ is the formula to be satisfied by the complete system, an efficient and automatic procedure is defined to identify a formula ψ such that, for each existing process q satisfying ψ, the process (p | q) \ L satisfies ϕ. Important features of this result are simplicity of the derived property ψ, compared to the original one, and scalability of the verification process. Such characteristics are necessary for applying the method to both incremental design and system evolution scenarios where p is already in place, and one needs to understand the specification of the functionality of the new component that should correctly interact with p. Indeed, in general, finding a suitable partner for p is easier than finding a complete system satisfying the global property. Moreover, in this paper it is shown how ψ can be used also to select a set of possible candidate processes q through a property-directed and structural heuristic. From the verification point of view, the description of the lacking component through a logic formula guarantees correctness of the integration with p of any process that exhibits a behaviour compliant with the inferred formula.

In model checking for temporal logic, the correctness of a system with respect to a desired behavior is verified by checking whether a structure that models the system satisfies a formula describing the behavior. Most existing verification techniques are based on a representation of the system by means of a labeled transition system. In this approach to verification, the efficiency of the model checking is essentially influenced by the number of states of the transition system. In this paper we present a new temporal logic, the selective mu-calculus, and an equivalence between transition systems based on the formulae of this logic. This property preserving equivalence can be used to reduce the size of transition systems. The equivalence (calledequivalence) is based on the set, , of actions occurring inside the modal operators of a selective mu-calculus formula. We prove that the -equivalence coincides with the equivalence induced by the set of the selective mu-calculus formulae with occurring actions in . Thus a formula can be more efficiently checked on a transition system -equivalent to the standard one, but smaller than it, since all the actions not in are "discarded".

This work presents a technique of early simulation in the design phase of concurrent and distributed systems. A P/T net is used to model the system whose behavior is simulated by the net execution; the truly concurrent semantics of P/T nets establishes a partial order among the system events. The designer can interact with the simulator asking for measures about the system behavior that concern all executions respecting the same partial order. Some measures, such as the degree of parallelism exploited, are not easily obtainable from an interleaving semantics. Moreover, the designer can force the system behavior to re¯ect resource-constrained environments.

The time separation of events (TSE) problem is that of finding the maximum and minimum separation between the times of occurrence of two events in a concurrent system. It has applications in the performance analysis, optimization and verification of concurrent digital systems. This paper introduces an efficient polynomial-time algorithm to give exact bounds on TSE's for choice-free concurrent systems, whose operational semantics obey the max-causality rule. A choicefree concurrent system is modeled as a strongly-connected marked graph, where delays on operations are modeled as bounded intervals with unspecified distributions. While previous approaches handle acyclic systems only, or else require graph unfolding until a steady-state behavior is reached, the proposed approach directly identifies and evaluates the asymptotic steady-state behavior of a cyclic system via a graph-theoretical approach. As a result, the method has significantly lower computational complexity than previously-proposed solutions. A prototype CAD tool has been developed to demonstrate the feasibility and efficacy of our method. A set of experiments have been performed on the tool as well as two existing tools, with noticeable improvement on runtime and accuracy for several examples. This paper addresses the problem of finding the maximum and minimum time separation of events (TSE) in concurrent systems. A concurrent system is considered as a set of interacting processes which communicate through channels. When a process initiates a communication with one or more other processes, it waits for all parties to respond before it proceeds. Such operating semantics is said to obey the max-causality rule, or to operate under the max timing constraint. This model can be applied to problems in a wide range of domains. A "process" can correspond to the transition of a signal at the circuit level, or to a partition of functional units at the system level. Several delay models have been used in modelling these systems. A "stochastic model" is often used for the performance analysis of these systems , . However, for verification, a "bounded-delay" model, where the computation time of each process is assumed to be bounded below (min) and above (max) by non-negative real numbers, with no distribution specified, is much more useful. In the special case where the upper and lower bounds of the computation time are identical, a "fixed-delay" model is said to be used. This paper targets concurrent systems under a bounded-delay model. To make the problem amenable for analysis, the system is assumed to be decision-free; such systems can be modeled by marked graphs , which are commonly used to capture concurrent behavior. The TSE problem for bounded-delay systems has applications to performance analysis, optimization of verification of concurrent systems. In this case, while it is generally not possible to provide accurate average case performance metrics, since no delay distribution is given, one can usefully predict best case and worst case performance metrics, such as system throughput. For the restricted case of fixed-delay systems, TSE also becomes a performance measure of the system, as in this case the distribution of the delay is trivially known (i.e. exactly one delay value per event in the system).

Runtime verification (RV) of first-order temporal logic must handle a potentially large amount of data, accumulated during the monitoring of an execution. The DejaVu RV system represents data elements and relations using BDDs. This achieves a compact representation, which allows monitoring long executions. However, the potentially unbounded, and frequently very large amounts of data values can, ultimately, limit the executions that can be monitored. We present an automatic method for "forgetting" data values when they no longer affect the RV verdict on an observed execution. We describe the algorithm and illustrate its operation through an example.

Genetic programming (GP) is a heuristic method for automatically generating code. It applies probabilistic-based generation and mutation of code, combined with “natural selection” principles, using a fitness function. Often, the fitness is calculated based on a large test suite. Recently, GP was applied for synthesizing correct-by-design concurrent code from temporal specification, where model checking was used for calculating the fitness function. A deficiency of this approach is that it uses a limited number of fitness values, based on a small number of modes for each verified specification property (e.g., satisfies, does not satisfy a given property). Furthermore, the need to apply model checking on many candidate solutions using the genetic process makes using an off-the-shelf model checker such as Spin prohibitively expensive. The repeated invocation of such a tool, compiling the code for a new candidate solution and running it, can render the performance of this approach sever...

Concurrent systems are prone to deadlocks that arise from competing access to shared resources and synchronization between the components. At the same time, concurrency leads to a dramatic increase of the possible state space due to interleavings of computations, which makes standard verification techniques often infeasible. Previous work has shown that approximating the state space of component based systems by computing invariants allows to verify much larger systems then standard methods that compute the exact state space. The approach comes with the drawback, though, that not all of the reported specification violations may be reachable in the system. This paper deals with that problem by combining the information from the invariant with model checking techniques and strategies for reducing the memory footprint. The approach is implemented as post processing step for generating the exact set of reachable specification violations along with traces to demonstrate the error.

Automatic and manual software verification is based on applying mathematical methods to a model of the software. Modeling is usually done manually, thus it is prone to modeling errors. This means that errors found in the model may not correspond to real errors in the code, and that if the model is found to satisfy the checked properties, the actual code may still have some errors. For this reason, it is desirable to be able to perform some consistency checks between the actual code and the model. Exhaustive consistency checks are usually not possible, for the same reason that modeling is necessary. We propose a methodology for improving the throughput of software verification by performing some consistency checks between the original code and the model, specifically, by applying software testing. In this paper we present such a combined testing and verification methodology and demonstrate how it is applied using a set of software reliability tools. We introduce the notion of a neighborhood of an error trace, consisting of a tree of execution paths, where the original error trace is one of them. Our experience with the methodology shows that traversing the neighborhood of an error is extremely useful in locating its cause. This is crucial not only in understanding where the error stems from, but in getting an initial idea of how to redesign the code. We use as a case study a robot control system, and report on several design and modeling errors found during the verification and testing process.

Model checking is an automatic approach for the verification of systems. Explicit states model checking applies a search algorithm (e.g., depth or breadth first search) to the state space of the verified system. In concurrent systems, and in particular in communication protocols, the number of states can grow exponentially with the number of independent components (processes). There are many different methods that attempt to automatically reduce the number of checked states. Such methods show encouraging results, but often still fail to reduce the number of states required for the verification to become manageable. We propose here the use of code annotation in order to control the verification process and reduce the number of states searched. Our extension of the C programming language allows the user to put into the code instructions that are executed by the model checker during the verification. With the new language construct, we may exploit additional insight that the verifier may have about the checked program in order to limit the search. We describe our implementation and present some experimental results.

One technique to reduce the state-space explosion problem in temporal logic model checking is symmetry reduction. The combination of symmetry reduction and symbolic model checking by using BDDs suffered a long time from the prohibitively large BDD for the orbit relation. Dynamic symmetry reduction calculates representatives of equivalence classes of states dynamically and thus avoids the construction of the orbit relation. In this paper, we present a new efficient model checking algorithm based on dynamic symmetry reduction. Our experiments show that the algorithm is very fast and allows the verification of larger systems. We additionally implemented the use of state symmetries for symbolic symmetry reduction. To our knowledge we are the first who investigated state symmetries in combination with BDD based symbolic model checking. 1

In this paper we are interested in refusals based model for validating timed systems. We propose a new refusals graph named timed refusals regions graphs (TRRGs). In this case specifications are modeled by durational actions timed automata (DATA*) based on maximality semantics which claim that actions have durations. This latter model is in one hand useful for modeling and validating reel aspects of systems. In the other hand, it is determinizable. In TRRG, refusals could be temporary or permanent. Permanent refusals are provoked by the nondeterminism in the specifications. However, temporary refusals are the result of the fact that actions elapse in time. We propose a framework for generating timed refusals regions graph. This framework is implemented by a combination of Meta-modelling and Graph Grammars, to transform a DATA* structure into a TRRG. This permits the automatic generation of a visual modeling tool. Finally, we argue the use of TRRG in formal test of timed systems.

Testing is a validation activity used to check the system's correctness with respect to the specification. In this context, test based on refusals is studied in theory and tools are effectively constructed. This paper addresses, a formal testing based on stochastic refusals graphs (SRG) in order to test stochastic system represented by maximality-based labeled stochastic transition systems (MLSTS). First, we propose a framework to generate SRGs from MLSTSs. Second, we present a new technique to generate automatically a canonical tester from stochastic refusal graph and conformance relation conf SRG . Finally, implementation is proposed and the application of our approach is shown by an example.

We present a comparative evaluation of some generalization strategies which are applied by a method for the automated verification of infinite state reactive systems. The verification method is based on (1) the specialization of the constraint logic program which encodes the system with respect to the initial state and the property to be verified, and (2) a bottom-up evaluation of the specialized program. The generalization strategies are used during the program specialization phase for controlling when and how to perform generalization. Selecting a good generalization strategy is not a trivial task because it must guarantee the termination of the specialization phase itself, and it should be a good balance between precision and performance. Indeed, a coarse generalization strategy may prevent one to prove the properties of interest, while an unnecessarily precise strategy may lead to high verification times. We perform an experimental evaluation of various generalization strategies on several infinite state systems and properties to be verified.

Model checking and testing are two areas with a similar goal: to verify that a system satisfies a property. They start with different hypothesis on the systems and develop many techniques with different notions of approximation, when an exact verification may be computationally too hard. We present some notions of approximation with their logic and statistics backgrounds, which yield several techniques for model checking and testing: Bounded Model Checking, Approximate Model Checking, Approximate Black-Box Checking, Approximate Model-based Testing and Approximate Probabilistic Model Checking. All these methods guarantee some quality and efficiency of the verification.

In this paper we investigate an approach to perform a distributed CTL Model checker algorithm on a network of workstations using Kleen three value logic, the state spaces is partitioned among the network nodes, We represent the incomplete state spaces as a Maximality labeled Transition System MLTS which are able to express true concurrency. we execute in parallel the same algorithm in each node, for a certain property f on an incomplete MLTS , this last compute the set of states which satisfy f or which if they fail f are assigned the value  .The third value  mean unknown whether true or false because the partial state space lacks sufficient information needed for a precise answer concerning the complete state space .To solve this problem each node exchange the information needed to conclude the result about the complete state space. The experimental version of the algorithm is currently being implemented using the functional programming language Erlang.

I w ant t o t hank Professor Mohsen Jafari of Rutgers University for his help with t he CRAMTD project and for kindness and e n thusiasm since our rst meeting a t a conference. A person who d eserves much credit for my a c hievements i s S t efania Bandini of the Universita a d egli Studi di Milano, who h as always been able to keep me o n m y t oes and t o come t o m y aid whenever necessary. She h as always been the source of precious advice. Dr. R. Kurshan of AT&T Bell Laboratories was very kind a n d h elpful during t he n al pha s e o f m y t hesis by providing v aluable information on many technical details and d evelopments i n t he t heory of related topics. I w ant t o t hank Professor J. T. Schwartz for his valuable comments o n my w ork. Professor R. Wallace is the person who i n troduced me t o t he W alking Machine problem. He designed and w orked on the h ardware and w as very helpful in giving m e feedback i n o r d er to k eep my research rmly set on a pragmatic foundation. v Friends like Giovanni Gallo and A l berto P olicriti are a blessing for anybody who is doing research a n d w h o n eeds a companion to s n eak out t o t he movies every once in a while. I w ant t o t hank Professor K. Perlin, Professor S. Mallat, Professor D. Shasha a n d Professor R. Boppana for their kindness and for their suggestions over the past years. Special thanks go to m any p e o ple in Milan who h ave i n v arious ways contributed to m y s u ccess as a graduate s t udent: Professor G. Mau r i o f t he Dipartimento di Scienze dell'Informazione o f t he Universita a d egli Studi di Milano and all the friends at Quinary S.p.A., where the m achines are named after Lisp functions. Thanks are also due to Anina Karmen-Meade o f t he Department of Computer Science of NYU for her patience with m y o verly complicated administrative problems and t o F red Hansen for all his work i n t he Robotics Research Laboratory. A group of people who d eserves thanks and o t her things is constituted by my roommate o ver the y ears: Sunder Sethuraman, a great m athematician and a b e t ter soccer player than I'll ever be; David Bacon, Ron Even and Marek Teichmann, my t hree o ce mates who e n dured me a n d T oto P axia, who I had to e n dure. Finally, I t hank Mary, w h o m I l o ve, who l o ves me a n d, luckily, t hinks the factorial of any n umb e r i s 7 .

This white paper demonstrates that reverse engineering Unidentified Aerial Phenomena (UAP) is NP-complete under classical computational paradigms. By modeling UAP reconstruction as an automaton identification problem with a state characterization matrix M(D, T, E) and examining the inherent challenges in data gathering as well as unknown physics, we show that inferring internal mechanisms (such as Isotopically-Engineered-Materials or unconventional propulsion systems) from finite observational data is computationally intractable. Data D, comprising both operational non-reproducible observations and reproducible analysis data from purported crash retrievals, remains inherently fragmentary. Even if UAP observables were reproducible, the absence of a comprehensive theoretical framework ensures that reverse engineering remains NP-complete, and may escalate to PSPACE-hard or to an Entscheidungsproblem. This intractability challenges current UAP reverse engineering efforts and has profound implications for transparency on UAP technology and related venture investments. Hence, UAP are as analogous to modern smartphones in the hands of Neanderthals.

Kilim: A Server Framework with Lightweight Actors, Isolation Types & Zero-copy Messaging Sriram Srinivasan Internet services are implemented as hierarchical aggregates of communicating components: networks of data centers, networks of clusters in a data center, connected servers in a cluster, and multiple virtual machines on a server machine, each containing several operating systems processes. This dissertation argues for extending this structure to the intra-process level, with networks of communicating actors. An actor is a single-threaded state machine with a private heap and a thread of its own. It communicates with other actors using well-defined and explicit messaging protocols. Actors must be light enough to comfortably match the inherent concurrency in the problem space, and to exploit all available parallelism. Our aims are two-fold: (a) treat SMP systems as they really are: distributed systems with eventual consistency, and (b) recognize from the outset that a server is always part of a larger collection of communicating components, thus eliminating the mindset mismatch between concurrent programming and distributed programming. Although the actor paradigm is by no means new, our design points are informed by drawing parallels between the macro and micro levels. As with components in a distributed system, we expect that actors must be isolatable in a number of ways: memory isolation, fault isolation, upgrade isolation, and execution isolation. The application should be able to have a say in actor placement and scheduling, and actors must be easily monitorable. To Alka, my dearest. Life's a wonderful journey, and I have the best travel companion. To Amma and Appa, for the easy laughter, love and encouragement, and the early mornings and late nights they have lavished on me. This dissertation is dedicated to Amma. She would have exclaimed "hai"! To my parents-in-law, for being an additional set of parents. One should be so lucky. To my advisors. Prof. Jean Bacon, for making this excursion possible, for allowing me to gradually discover my interests and strengths without pressure, and for her gentle and selfless guidance to collaborate with other groups. To Prof. Alan Mycroft, for setting distant Bézier control points that so significantly influenced the arc of my learning, for his exhortations and for his unwavering belief that I would get there. To Dr. Ken Moody, for his critical reading of my papers and this document, for his cheerful and enthusiastic cross-pollination of ideas, and tours of beers and wines. To Reto Kramer, for his friendship, guidance, technical knowledge, and a brain the size of a planet. There are a few dissertations lurking in there. To Lauri Pesonen and David Pearce, for the critical reviews, for the long coffee sessions packed with techie talk, and for sharing my enthusiasm for programming languages. To Eiko Yoneki, Pedro Brandão, David Eyers, Dave Evans, Minor Gordon and Niko Matsakis for sharing their impressive knowledge, opinions and good humor, for challenging my biases and assumptions, and for the gentle prodding to get on with it. To Boris Feigin and Kathryn Gray for introducing me to the world of types and semantics, and holding me accountable to rigor.

We recently proposed a definition of a language for nonmonotonic reasoning based on intuitionistic logic. Our main idea is a generalization of the notion of answer sets for arbitrary propositional theories. We call this extended framework safe beliefs. We present an algorithm, based on the Davis-Putnam (DP) method, to compute safe beliefs for arbitrary propositional theories. We briefly discuss some ideas on how to extend this paradigm to incorporate preferences. Keywords: Answer Sets, Davis Putnam, Safe Beliefs, ...

We extend previous constructions of probabilities for a prime event structure E by allowing arbitrary confusion. Our study builds on results related to fairness in event structures that are of interest per se. Executions of E are captured by the set Ω of maximal configurations. We show that the information collected by observing only fair executions of E is confined in some σ-algebra F0, contained in the Borel σ-algebra F of Ω. Equality F0 = F holds when confusion is finite (formally, for the class of locally finite event structures), but inclusion F0 ⊆ F is strict in general. We show the existence of an increasing chain F0 ⊆ F1 ⊆ F2 ⊆ . . . of subσ-algebras of F that capture the information collected when observing executions of increasing unfairness. We show that, if the event structure unfolds a 1-safe net, then unfairness remains quantitatively bounded, that is, the above chain reaches F in finitely many steps. The construction of probabilities typically relies on a Kolmogorov extension argument. Such arguments can achieve the construction of probabilities on the σ-algebra F0 only, while one is interested in probabilities defined on the entire Borel σ-algebra F. We prove that, when the event structure unfolds a 1-safe net, then unfair executions all belong to some set of F0 of zero probability. Whence F0 = F modulo 0 always holds, whereas F0 = F in general. This yields a new construction of Markovian probabilistic nets, carrying a natural interpretation that "unfair executions possess zero probability".

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.