Results 11  20
of
186
On The Logic Of Cooperation And Propositional Control
, 2005
"... Cooperation logics have recently begun to attract attention within the multiagent systems community. Using a cooperation logic, it is possible to represent and reason about the strategic powers of agents and coalitions of agents in gamelike multiagent systems. These powers are generally assumed t ..."
Abstract

Cited by 57 (23 self)
 Add to MetaCart
Cooperation logics have recently begun to attract attention within the multiagent systems community. Using a cooperation logic, it is possible to represent and reason about the strategic powers of agents and coalitions of agents in gamelike multiagent systems. These powers are generally assumed to be implicitly defined within the structure of the environment, and their origin is rarely discussed. In this paper, we study a cooperation logic in which agents are each assumed to control a set of propositional variablesthe powers of agents and coalitions then derive from the allocation of propositions to agents. The basic modal constructs in this Coalition Logic of Propositional Control (CLPC) allow us to express the fact that a group of agents can cooperate to bring about a certain state of affairs. After motivating and introducing CLPC, we provide a complete axiom system for the logic, investigate the issue of characterising control in CLPC with respect to the underlying power structures of the logic, and formally investigate the relationship between CLPC and Pauly's Coalition Logic. We then show that the model checking and satisfiability problems for CLPC are both PSPACEcomplete, and conclude by discussing our results and how CLPC sits in relation to other logics of cooperation.
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract

Cited by 52 (0 self)
 Add to MetaCart
(Show Context)
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
Social laws in alternating time: Effectiveness, feasibility, and synthesis
 SYNTHESE (2007) 156:1–19
, 2007
"... Since it was first proposed by Moses, Shoham, and Tennenholtz, the social laws paradigm has proved to be one of the most compelling approaches to the offline coordination of multiagent systems. In this paper, we make four key contributions to the theory and practice of social laws in multiagent syst ..."
Abstract

Cited by 47 (17 self)
 Add to MetaCart
Since it was first proposed by Moses, Shoham, and Tennenholtz, the social laws paradigm has proved to be one of the most compelling approaches to the offline coordination of multiagent systems. In this paper, we make four key contributions to the theory and practice of social laws in multiagent systems. First, we show that the Alternatingtime Temporal Logic (atl) of Alur, Henzinger, and Kupferman provides an elegant and powerful framework within which to express and understand social laws for multiagent systems. Second, we show that the effectiveness, feasibility, and synthesis problems for social laws may naturally be framed as atl model checking problems, and that as a consequence, existing atl model checkers may be applied to these problems. Third, we show that the complexity of the feasibility problem in our framework is no more complex in the general case than that of the corresponding problem in the Shoham–Tennenholtz framework (it is npcomplete). Finally, we show how our basic framework can easily be extended to permit social laws in which constraints on the legality or otherwise of some action may be explicitly required. We illustrate the concepts and techniques developed by means of a running example.
Threadmodular verification for sharedmemory programs
 In Proc. 2002 European Symposium on Programming
, 2002
"... Abstract. Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assumeguarantee ..."
Abstract

Cited by 47 (6 self)
 Add to MetaCart
Abstract. Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assumeguarantee reasoning, and relies on the programmer to specify an environment assumption that constrains the interaction between threads. Using this environment assumption, the checker reduces the verification of the original multithreaded program to the verification of several sequential programs, one for each thread. These sequential programs are subsequently analyzed using extended static checking techniques (based on verification conditions and automatic theorem proving). Experience indicates that the checker is capable of handling a range of synchronization disciplines. In addition, the required environment assumptions are simple and intuitive for common synchronization idioms. 1
Preserving secrecy under refinement
 Proc. of the 33rd Internat. Colloq. on Automata, Languages and Programming (ICALP ’06), volume 4052 of Lecture Notes in Computer Science
, 2006
"... Abstract. We propose a general framework of secrecy and preservation of secrecy for labeled transition systems. Our definition of secrecy is parameterized by the distinguishing power of the observer, the properties to be kept secret, and the executions of interest, and captures a multitude of defini ..."
Abstract

Cited by 45 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a general framework of secrecy and preservation of secrecy for labeled transition systems. Our definition of secrecy is parameterized by the distinguishing power of the observer, the properties to be kept secret, and the executions of interest, and captures a multitude of definitions in the literature. We define a notion of secrecy preserving refinement between systems by strengthening the classical tracebased refinement so that the implementation leaks a secret only when the specification also leaks it. We show that secrecy is in general not definable in μcalculus, and thus not expressible in specification logics supported by standard modelcheckers. However, we develop a simulationbased proof technique for establishing secrecy preserving refinement. This result shows how existing refinement checkers can be used to show correctness of an implementation with respect to a specification. 1
Deterministic Generators and Games for LTL Fragments
 ACM TRANS. COMPUT. LOG
, 2001
"... Deciding infinite twoplayer games on finite graphs with the winning condition specified by a linear temporal logic (Ltl) formula, is known to be 2Exptimecomplete. In this paper, we identify Ltl fragments of lower complexity. Solving Ltl games typically involves a doublyexponential translation from ..."
Abstract

Cited by 42 (2 self)
 Add to MetaCart
Deciding infinite twoplayer games on finite graphs with the winning condition specified by a linear temporal logic (Ltl) formula, is known to be 2Exptimecomplete. In this paper, we identify Ltl fragments of lower complexity. Solving Ltl games typically involves a doublyexponential translation from Ltl formulas to deterministic !automata. First, we show that the longest distance (length of the longest simple path) of the generator is also an important parameter, by giving an O(d log n)space procedure to solve a Buchi game on a graph with n vertices and longest distance d. Then, for the Ltl fragment with only eventualities and conjunctions, we provide a translation to deterministic generators of exponential size and linear longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Pspacecomplete. Introducing next modalities in this fragment, we provide a translation to deterministic generators still of exponential size but also with exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Exptimecomplete. For the fragment resulting by further adding disjunctions, we provide a translation to deterministic generators of doublyexponential size and exponential longest distance, show both of these bounds to be optimal, and prove the corresponding games to be Expspace. Finally, we show tightness of the doubleexponential bound on the size as well as the longest distance for deterministic generators for Ltl even in the absence of next and until modalities.
Synchronous and bidirectional component interfaces
 In CAV 02: Proc. of 14th Conf. on Computer Aided Verification, volume 2404 of Lect. Notes in Comp. Sci
, 2002
"... ..."
Predictive modeling of signaling crosstalk during C. elegans vulval development
 PLoS Comput. Biol
, 2007
"... Caenorhabditis elegans vulval development provides an important paradigm for studying the process of cell fate determination and pattern formation during animal development. Although many genes controlling vulval cell fate specification have been identified, how they orchestrate themselves to genera ..."
Abstract

Cited by 35 (9 self)
 Add to MetaCart
(Show Context)
Caenorhabditis elegans vulval development provides an important paradigm for studying the process of cell fate determination and pattern formation during animal development. Although many genes controlling vulval cell fate specification have been identified, how they orchestrate themselves to generate a robust and invariant pattern of cell fates is not yet completely understood. Here, we have developed a dynamic computational model incorporating the current mechanistic understanding of gene interactions during this patterning process. A key feature of our model is the inclusion of multiple modes of crosstalk between the epidermal growth factor receptor (EGFR) and LIN12/Notch signaling pathways, which together determine the fates of the six vulval precursor cells (VPCs). Computational analysis, using the modelchecking technique, provides new biological insights into the regulatory network governing VPC fate specification and predicts novel negative feedback loops. In addition, our analysis shows that most mutations affecting vulval development lead to stable fate patterns in spite of variations in synchronicity between VPCs. Computational searches for the basis of this robustness show that a sequential activation of the EGFRmediated inductive signaling and LIN12 / Notchmediated lateral signaling pathways is key to achieve a stable cell fate pattern. We demonstrate experimentally a timedelay between the activation of the inductive and lateral signaling pathways in wildtype animals and the loss of sequential signaling in mutants showing unstable fate patterns; thus, validating two key predictions provided by our modeling work. The insights gained by our modeling study further substantiate the
Assumeguarantee Verification of Source Code with DesignLevel Assumptions
 In Proceedings 26th International Conference on Software Engineering
, 2004
"... Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. To address the "state explosion" problem associated with this technique, we propose to integrate assumeguarantee verification at different phases of system develo ..."
Abstract

Cited by 35 (4 self)
 Add to MetaCart
(Show Context)
Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. To address the "state explosion" problem associated with this technique, we propose to integrate assumeguarantee verification at different phases of system development. During design, developers build abstract behavioral models of the system components and use them to establish key properties of the system. To increase the scalability of model checking at this level, we have developed techniques that automatically decompose the verification task by generating component assumptions for the properties to hold. The designlevel artifacts are subsequently used to guide the implementation of the system, but also to enable more efficient reasoning at the source codelevel. In particular, we propose to use designlevel assumptions to similarly decompose the verification of the actual system implementation. We demonstrate our approach on a significant NASA application, where designlevel models were used to identify and correct a safety property violation, and designlevel assumptions allowed us to check successfully that the property was preserved by the implementation.
Decomposing Refinement Proofs using AssumeGuarantee Reasoning
, 2000
"... Modelchecking algorithms can be used to verify, formally and automatically, if a lowlevel description of a design conforms with a highlevel description. However, for designs with very large state spaces, prior to the application of an algorithm, the refinementchecking task needs to be decomposed ..."
Abstract

Cited by 32 (2 self)
 Add to MetaCart
Modelchecking algorithms can be used to verify, formally and automatically, if a lowlevel description of a design conforms with a highlevel description. However, for designs with very large state spaces, prior to the application of an algorithm, the refinementchecking task needs to be decomposed into subtasks of manageable complexity. It is natural to decompose the task following the component structure of the design. However, an individual component often does not satisfy its requirements unless the component is put into the right context, which constrains the inputs to the component. Thus, in order to verify each component individually, we need to make assumptions about its inputs, which are provided by the other components of the design. This reasoning is circular: component A is verified under the assumption that context B behaves correctly, and symmetrically, B is verified assuming the correctness of A. The assumeguarantee paradigm provides a systematic theory and methodology for ensuring the soundness of the circular style of postulating and discharging assumptions in componentbased reasoning. We give a tutorial introduction to the assumeguarantee paradigm for decomposing refinementchecking tasks. To illustrate the method, we step in detail through the formal veri cation of a processor pipeline against an instruction set architecture. In this example, the verification of a threestage pipeline is broken up into three subtasks, one for each stage of the pipeline.