Deliberation in a Metadata-Based Modeling and Simulation Environment for Inter-Organizational Networks
Information Systems, 2004
Cited by 4 (2 self)
In the emerging field of database-centric business process management, inter-organizational networks of people, information and communication systems are often described by the interplay between individual goals and actions and the strategic dependencies among individuals and subgroups. Our research aims at improving requirements engineering for such networks by not just representing these goals and dependencies statically, but also by studying the dynamic interactions between both. In previous work, we proposed the prototype environment SNet for the representation and dynamic simulation of agent-based designs for inter-organizational networks. A key feature of SNet was the automatic translation of extended i* models into the action language ConGolog. While this allowed the simulation of agent networks specified in i*, the resulting agents were purely reactive. In this paper we explicitly incorporate deliberation into the agent design of SNet. At the level of i*, deliberation is represented in terms of goals which are satisfiable by different tasks or agents. Utilities are modeled, in part, using the existing concept of softgoals, which are given a quantitative interpretation. At the level of ConGolog, decision-theoretic features are built into the interpreter, which drives the simulations, and the process of delegating tasks to other agents is explicitly represented.
Compositional Deadlock Detection for Rendezvous Communication
Cited by 3 (3 self)
Concurrent programming languages are growing in importance with the advent of multi-core systems. However, concurrent programs suffer from problems, such as data races and deadlock, absent from sequential programs. Unfortunately, traditional race and deadlock detection techniques fail on both large programs and small programs with complex behaviors. In this paper, we present a compositional deadlock detection technique for a concurrent language—SHIM—in which tasks run asynchronously and communicate using synchronous CSP-style rendezvous. Although SHIM guarantees the absence of data races, a SHIM program may still deadlock if the communication protocol is violated. Our previous work used NuSMV, a symbolic model checker, to detect deadlock in a SHIM program, but it did not scale well with the size of the problem. In this work, we take an incremental, divide-and-conquer approach to deadlock detection. In practice, we find our procedure is faster and uses less memory than the existing technique, especially on large programs, making our algorithm a practical part of the compilation chain.
Towards model checking spatial properties with spin
In Proceedings of the 14th International Workshop on Software Model Checking SPIN’07, Lecture Notes in Computer Science
Cited by 2 (0 self)
We present an approach for the verification of spatial properties with Spin. We first extend one of Spin’s main property specification mechanisms, the linear-time temporal logic LTL, with spatial connectives that allow reasoning about the behaviour of a system to be restricted to some components of the system only. For instance, one can express whether the system can reach a certain state from which a subset of processes can evolve alone until some property is fulfilled. We give a model checking algorithm for the logic and propose how Spin can be minimally extended to include the algorithm. We also discuss potential improvements to mitigate the exponential complexity introduced by spatial connectives. Finally, we present some experiments that compare our Spin extension with a spatial model checker for the π-calculus.
An Evaluation of Model Checkers for Specification Based Test Case Generation
Cited by 2 (1 self)
Under certain constraints the test case generation problem can be represented as a model checking problem, thus enabling the use of powerful model checking tools to perform the test case generation automatically. There are, however, several different model checking techniques, and to date there is little evidence and comparison on which of these techniques is best suited for test case generation. This paper presents the results of an evaluation of several different model checkers on a set of realistic formal specifications given in the SCR [21] notation. For each specification, test cases are generated for a set of coverage criteria with each of the model checkers using different configurations. The evaluation shows that the best suited model checking technique and optimization very much depend on the specification that is used to generate test cases. However, from the experiments we can draw general conclusions about which optimizations are useful and which model checking technique is best suited for which type of model. Finally, we demonstrate that by combining several model checking techniques it is possible to significantly speed up test case generation and also achieve full test coverage for cases where none of the techniques by itself would succeed.
Formally analyzing software architectural specifications using SAM
Journal of Systems and Software, 2004
Cited by 1 (0 self)
Many architecture description languages have been proposed and some analysis techniques have also been explored. In this paper, we present a graphical formal software architecture description model called software architecture model (SAM). SAM is a general software architecture development framework based on two complementary formalisms: Petri nets and temporal logic. Petri nets are used to visualize the structure and model the behavior of software architectures, while temporal logic is used to specify the required properties of software architectures. These two formal methods are nicely integrated through the SAM software architecture framework. Furthermore, SAM provides the flexibility to choose different compatible Petri net and temporal logic models according to the nature of the system under study. Most importantly, SAM supports formal analysis of software architecture properties with a variety of well-established techniques: simulation, reachability analysis, model checking, and interactive proving. In this paper, we show how to formally analyze SAM software architecture specifications using two well-known techniques: symbolic model checking with the tool Symbolic Model Verifier, and theorem proving with the tool STeP.
Slicing Petri nets
2007
Cited by 1 (0 self)
In this paper we introduce the notion of net-slice to describe a subnet of a marked Petri net Σ that approximates Σ’s behaviour with respect to a set of places P. We show that a slice built for the set of atomic propositions of φ enables falsification of φ, with φ being an LTL formula, or verification of φ, with φ being an LTL-X formula, i.e. an LTL formula built without using the next-time operator. We first discuss the slicing approach on a basic Petri net slicing algorithm. This algorithm is then refined to slice more aggressively. The refined algorithm generates slices that can be smaller than the original net Σ even if Σ is strongly connected.
Specification and Verification of Reactive Systems with RSDS
2004
Formal methods have been applied to reactive systems in order to capture errors early on in the development life-cycle and reduce redesign costs. The Reactive Systems Development Support (RSDS) method provides support for the analysis and design of reactive systems and generates code from these specifications. An RSDS system is specified by a set of invariants, a set of state machines and a Data Control Flow Diagram (DCFD), which are then verified using the B theorem prover. B, however, requires user interaction and is not capable of proving temporal properties easily. This thesis extends RSDS by integrating model checking so that temporal properties can be verified. The model checker used is the Symbolic Model Verifier (SMV). There are two distinct semantic views of state machines in RSDS, the coarse-grain and the fine-grain, with the key difference between them being the granularity of a step. We describe a translation to SMV for each semantic view and we guarantee the quality of the translations by formally proving their correctness. This proof is a vital part in our provision of transparent formal method support for system design. To overcome the state explosion problem of model checking, we propose some natural ways of using the RSDS decomposition techniques for dividing the system
Software Verification with Symbolic Trajectory Evaluation
2000
Symbolic trajectory evaluation is a model checking approach based on a partial order representation of state spaces. It computes the next-state function using symbolic simulation. Symbolic trajectory evaluation has been successful in dealing with large circuits, which prompts an examination of the approach to determine whether it is applicable to verifying software. This research report presents a suitable logical framework for model checking software: the program logic (PLF) and its associated satisfaction relation, based on the quaternary logic Q. PLF is appropriate for expressing the truth of propositions about partially ordered state spaces. Using this framework, verification conditions called assertions are defined and verified. Symbolic trajectory evaluation still suffers from the state explosion problem. Compositionality is an approach that has been successfully combined with symbolic trajectory evaluation to overcome this problem. A primary contribution of this research report is the de...
Centro Per La Ricerca
In this paper, we explore an architecture, called K-Trek, that enables mobile users to travel across knowledge distributed over a large geographical area (ranging from large public buildings to a national park). Our aim is providing, distributing, and enriching the environment with location-sensitive information for use by agents on board mobile and static devices. Local interactions among K-Trek devices and the distribution of information in the larger environment adopt some typical peer-to-peer patterns and techniques. We introduce the architecture, discuss some of its potential knowledge management applications, and present a few experimental results obtained with simulation.
Model Checking for Open Systems: A Compositional Approach to Software Verification
2001