
Authors

  • Seung Mo Cho
  • Hyung Ho Kim
  • Sung Deok Cha
  • Hwan Bae
Abstract

Many modern systems show dynamic characteristics in the sense that they change their configuration dynamically during run-time. In object-oriented systems, for example, the configuration of objects and their links changes to reflect the state of the system. Unfortunately, few analysis techniques address the dynamic nature explicitly and, thus, there is a gap between analysis results and reality. That is, it is a challenge to analyze the properties of dynamic evolution without information loss. The goal of this paper is to propose a specification and validation technique for dynamic systems. In particular, we design a new temporal logic, called HDTL, and revise the tableau method for automatic analysis. By employing the freeze quantifier, HDTL with the revised tableau method allows us to specify the correctness requirements of dynamic systems and validate them. Note that the proposed logic is rather generic, that is, it has only a few assumptions on the operational language. We complete this picture by introducing a simple dynamic modeling language and illustrating an experiment with it: we specify some properties for a model and validate whether it satisfies the properties. The experiment shows that HDTL is suitable for specifying dynamic properties and the analysis technique is promising.

1 Introduction

Formal specification has become important in software development because the formality of specification increases the confidence in the correctness of systems by allowing rigorous validation. For example, formal requirements specification can prevent many errors from being introduced into the system by removing ambiguity. In general, specification languages can be classified into two categories. One is for the specification of behaviors, and the other for the specification of properties. There exist many behavioral specification languages based on various formalisms including automata [1], Petri-nets [2], and process algebra [3] theories. Their goal is to describe precisely how a system changes.

On the other hand, the goal of property specification languages is to capture what the system should fulfill in a declarative style. Due to their higher abstraction, it is a common practice to validate whether the behavioral model or implementation of a system is consistent with its property specification. For example, most model checking technologies such as SPIN [4] and SMV [5] employ property specification languages to validate their behavioral models.

Propositional temporal logic [6] is one of the most widely used languages for property specification. It employs temporal operators for specifying the ordering of events in a system. For example, temporal logic allows us to specify a temporal property like "the warning must be raised after the elevator door opens".

Unfortunately, to use propositional temporal logics for specifying dynamic systems [7], we must address some problems: during run-time, dynamic systems create and/or remove their constituents, which are instantiated from predefined templates called types or classes. Then, their behaviors are defined as the interaction of instances. This fact causes a problem because propositional temporal logics cannot properly handle the notion of instances. That is, they only allow us to specify properties of systems consisting of distinct constituents. Therefore, when using propositional temporal logics, the analysis usually does not distinguish the instances of the same type. Suppose, for example, that there is a simple library system. In this system, it is an important property that when a patron borrows a copy of a book, he/she must return that copy. In this case, the system must be able to distinguish each instance, say a copy, of the book.

Even though it seems possible to overcome this limitation by annotating each instance with a unique identifier, this strategy does not resolve the problem entirely. For example, the model checker SPIN assigns each instance an identifier, called a pid, in the order of their creation. This allows us to treat each instance as a distinct constituent because it is possible to identify each instance with a type combined with the pid. However, it should be noted that, when specifying properties, we cannot determine which instances are participating in events, because process instantiation arises dynamically at run-time. In the library example, we cannot tell which copy a patron is required to return until he/she actually borrows one. That is, it is infeasible to know the exact unique identifiers of copies and patrons before the actual creations occur, though their identifiers are required to specify the above property.

First-order temporal logic is an intuitive solution to these problems. Indeed, we can specify the properties of dynamic systems with first-order temporal logic properly. However, we encounter difficulties when we analyze the properties specified using first-order temporal logic. That is, there are few techniques for automatic analysis of first-order temporal logic. We strongly believe that classical first-order quantifiers, such as $\forall$ and $\exists$, are the sources of complexity that make it difficult to deal with the formalism algorithmically: the semantics of classical quantifiers are defined in terms of sets for characterizing the meanings of variables. In general, we cannot characterize fixed sets for the valuation of the variables when specifying properties because the configuration of system components evolves over time. Instead of first-order quantifiers, we adopt the freeze quantifier proposed in TPTL (Timed Propositional Temporal Logic) [8]: the freeze quantifier is defined in terms of traces only. That is, the semantic definition of the freeze quantifier permits evaluation of a temporal formula including variables over a single trace, without the notion of sets. By employing the freeze quantifier, we design a new temporal logic, called Half-order Dynamic Temporal Logic (HDTL), to specify the properties of dynamic systems.
Then we revise the tableau method [9] for verification of HDTL, and suggest a dynamic analysis¹ technique. To illustrate the proposed approach we use a conference system model as an example. Then, we specify properties for the model, such as 'a participant cannot join two sessions at the same time', and validate them using the proposed technique. This shows that HDTL is suitable for specifying dynamic properties and the analysis technique is promising. HDTL has only one assumption on operational languages, i.e., the behavior of systems can be defined in terms of sequences of messages by which instances interact with each other. Note that the conference example employs a small operational language satisfying the assumption. It implies that the assumption is weak enough, and HDTL is applicable to various operational languages.

This paper is organized as follows. In Section 2, we present the related work of our research. HDTL is defined in Section 3, and its analysis technique is presented in Section 4. Section 5 illustrates the applicability of the proposed techniques with an example. We give concluding remarks in Section 6.

¹ An analysis is said to be dynamic when it is conducted with actual execution of a system. Examples include testing and run-time monitoring.

2 Background

2.1 Propositional Temporal Logic and the Tableau Method

Temporal logic, suggested by Pnueli in his pioneering work [10], has been one of the most widely used formalisms for the specification of concurrent and/or reactive systems. Due to their declarative style of specification, temporal logics are regarded as especially suitable for property specification. Frequently used temporal operators are as follows:

  $\bigcirc p$ : p will be true at the next instant.
  $\overline{\bigcirc} p$ : p will be true at the next instant, or the current instant is the final one.
  $\Diamond p$ : p will eventually become true sometime in the future.
  $\Box p$ : p is always true from now on.
  $p\,\mathcal{U}\,q$ : From now, p remains true until q becomes true.
  $p\,\mathcal{P}\,q$ : p always precedes q.²

where p and q represent propositions that have the truth value true or false depending on the state of the system. The name PTL (Propositional Temporal Logic) indicates that it has its semantic basis in propositional logic.

The tableau method [9] plays an important role in the algorithmic analysis of temporal logic. The key idea behind the tableau method is that any temporal formula can be split into two conditions: a non-temporal condition on the current state and a temporal condition on the next states, called a present condition and a future condition, respectively. For example, a formula $\Box f$ can be split into $f$ on the current state and $\Box f$ on the next states. There is a set of such splitting rules for each temporal operator [9]. Since, given a PTL formula, the number of conditions generated in this way is finite, we can construct a finite structure, called the initial tableau. It is an automaton that accepts precisely the set of strings satisfying the PTL formula.

² This is defined mainly to provide the dual operator of $\mathcal{U}$.

2.2 Freeze Quantifier

There are several temporal logics for the specification of real-time systems. Most of them employ first-order logic. They include a state variable representing time and the first-order quantifiers, such as $\forall$ and $\exists$, to quantify the time variable. Alur and Henzinger [8] suggested another form of quantification, called freeze quantification, in which every variable is bound to the time of a particular state. For instance, the typical time-bounded response requirement that every request p be followed by a response q within 10 time units can be asserted by the formula

  $\Box x.(p \to \Diamond y.(q \wedge y \le x + 10))$

(read "whenever there is a request p, and the variable x is frozen to the current time, the request is followed by a response q, at time y, such that y is at most x+10"). The freeze quantifier allows automatic analysis of real-time properties by binding every variable to the time of a particular state.
Our work is based on the observation that there exists a similarity between real-time systems and dynamic systems. Both of them require the notion of variables to represent the requirements specification: a variable representing time, and variables representing the communicating components, i.e., the process identities for the sender and the receiver of messages. The variables, in both cases, may range over an infinite domain. The problem is to determine the proper quantification that is readable and enables algorithmic analysis. We found that freeze quantification is suitable for the specification of dynamic systems as well. We adopt the notation of freeze quantification and suggest an analysis technique that is able to deal with dynamism.

3 Half-order Dynamic Temporal Logic

3.1 Dynamic Systems and their Behavior

To define a property specification language precisely, we develop a formal definition of the behavior of systems. We view the behavior of a system under analysis as a set of sequences of events, called traces, where each event denotes the occurrence of a message. Assume that there are an infinite set O and a finite set L for participating components and labels of messages, respectively. Note that the number of components is infinite because of dynamic instantiation. Formally, an event $e \in E$ is a triple $\langle sender, receiver, label\rangle$ where $label \in L$ is the label of the occurred message, denoted by $label(e)$, and $sender \in O$ and $receiver \in O$ are its sender and receiver, denoted by $snd(e)$ and $rcv(e)$, respectively. Throughout this paper, given a trace $\sigma = \langle\sigma_0, \sigma_1, \ldots, \sigma_n\rangle$, $\sigma_0$ denotes the first element of the trace and $\sigma^i$ denotes the trace that results from $\sigma$ by deleting the first i elements. The juxtaposition $\sigma\sigma'$ of two traces $\sigma$ and $\sigma'$ means $\sigma$ successively followed by $\sigma'$.

It is interesting to compare our definition of the behavior of dynamic systems with that of other models, such as [11]. They build a precise execution model of object-oriented systems, with explicit consideration for the dynamic creation and removal of objects. However, their final definition of the language of a system (Section 2.8, p. 15, in [11]) does not include information about the instances. Only the class names and the message names constitute the alphabet of the language. We think this simplification is inevitable, because their goal is to check whether there exists an inheritance relation between two classes. Including information about instances certainly increases the complexity of the algorithm. However, at the same time, it is also clear that the lost information may be valuable in some applications. Especially, dynamic analyses can benefit from it. Some properties can be specified only when we take the information about instances into account. We give such examples in Sections 4 and 5.

3.2 Syntax and Semantics of HDTL

Assume that there is a set V of variables x, y, z, .... The formulas of HDTL are built from proposition symbols by boolean connectives, temporal operators, and freeze quantifiers.

Definition 1 (Syntax of HDTL) Terms and formulas of HDTL are inductively defined as follows:

  $\tau ::= snd(x) \mid rcv(x) \mid label(x) \mid l$
  $\varphi ::= \tau_1 = \tau_2 \mid false \mid \varphi_1 \to \varphi_2 \mid \overline{\bigcirc}\varphi \mid \bigcirc\varphi \mid \varphi_1\,\mathcal{U}\,\varphi_2 \mid \varphi_1\,\overline{\mathcal{U}}\,\varphi_2 \mid x.\varphi$

where $x \in V$ and $l \in L$. Additional operators are defined as usual. For example, $\neg\varphi = \varphi \to false$ and $\Diamond\varphi = true\,\mathcal{U}\,\varphi$. In $x.\varphi$, the variable x is bound by the freeze quantifier "x." to the event at which $x.\varphi$ is evaluated. For example, consider the following HDTL formula:

  $f_1 : x.(label(x) = msg1)$

A trace $\sigma$ satisfies this assertion if the first event $\sigma_0$ is of the form $\langle s_0, r_0, l_0\rangle$ and $l_0 = msg1$. The variable x is bound to the current event, and referred to in the remaining formula. We can extend this formula by adding a temporal operator like this:

  $f_2 : \Diamond x.(label(x) = msg1)$

Then $f_2$ is the formula asserting that the formula $f_1$ should hold in the future, i.e., it requires that the trace should include an event $\sigma_i = \langle s_i, r_i, l_i\rangle$ such that $l_i = msg1$. Another example concerning the dynamic aspect of a system will be given later in Section 4. The meanings of the other operators are as usual. Appendix A provides the formal semantics definition of HDTL. Note that the meaning of a freeze quantifier is defined in terms of a trace only. Thus, when a formula is closed, that is, all occurrences of variables are within the scopes of corresponding freeze quantifiers, its truth value is completely determined by a trace.

4 Dynamic Analysis

In Section 2.1, we briefly introduced the tableau method for propositional temporal logic. The automatic validation procedure suggested in this section is a revised version of the tableau method [9]. The most notable difference between our method and the original one is that the tableau is incrementally constructed during the analysis. The tableau for a propositional temporal logic formula is statically generated using the splitting rules [9]. However, tableaus for HDTL formulas cannot be defined solely by the formulas because a trace is required to resolve freeze quantifiers. To overcome this problem, we decided to adopt a dynamic strategy, i.e. constructing the tableau incrementally.

Table 1 shows the splitting rules we use for HDTL. We interpret a set of formulas ({...}) as a conjunction of them, and a list of sets ($\langle\{\ldots\}, \ldots, \{\ldots\}\rangle$) as a disjunction of conjunctions. For example, the rule [r$\Box$] says that a formula of the form $\Box f$ is satisfied at the current state if f is satisfied now and $\Box f$ is satisfied at the next instant (i.e. $\overline{\bigcirc}\Box f$ evaluates true at the current state). The subject of the rules is a formula f paired with a set of bindings E, written $f_E$; E is called an environment. The role of environments is to keep the bindings for the variables in a formula.
It should be noted that only the rule [rfrz] for freeze quantifiers changes the environment: it requires an event $\sigma_i$ to discharge a quantifier because the binding of the variable depends on the value of the current event. This motivates us to design a deferred representation called a flow tree. Formally, a flow tree G with respect to an HDTL formula $\varphi$ is a labeled tree with the following components:

  Locations : An infinite set L of locations.
  Transitions : An infinite set T of transitions.
  Labeling function : A function M that maps each location and transition to a set of pairs of a formula and an environment. $M : (L \cup T) \to 2^{cl(\varphi) \times Env}$
  Flow relation : A relation F representing the edges of the flow tree. $F \subseteq (L \times T) \cup (T \times L)$
  Initial locations : A set I of initial locations. $I \subseteq L$
  Final locations : A set A of accepting locations. $A \subseteq L$

where Env is the set of all possible binding environments for the variables and $cl(\varphi)$ is the set of all subformulas of $\varphi$ and their negations. Subformulas of $\varphi$ are inductively obtained through its syntactic structure. For a location $l \in L$, let $Out(l)$ and $In(l)$ denote the sets of outgoing and incoming transitions, respectively. We say that, for $l \in L$, $\langle t, l'\rangle$ is a branch of l when $t \in Out(l)$ and $F(t, l')$.

It is worth noting that locations and transitions in G correspond to nodes and edges, respectively, in the PTL tableau explained in Section 2.1. Similarly, a flow tree is constructed by applying the splitting rules in Table 1. For all $t \in T$, the formulas of $M(t)$ have no temporal operators, i.e. they represent present conditions. For $l \in L$, $M(l)$ denotes a set of $\langle f, E\rangle$ pairs that are expected to hold in all descendants of l. This expectation can be checked inductively: $M(l)$ holds over $\langle\sigma_0, \sigma_1, \ldots, \sigma_n\rangle$ when there is at least one branch $\langle t, l'\rangle$ of l such that $M(t)$ evaluates true with $\sigma_0$, and $M(l')$ holds over $\langle\sigma_1, \ldots, \sigma_n\rangle$. We proceed to define this notion formally.

Let l and l' be locations of G, t a transition of G, and e an event in E. We say that e enables t if for each pair $\langle f_i, E_i\rangle \in M(t)$, $\langle e\rangle \models_{E_i} f_i$ evaluates true. And we say that $\langle l, e, t, l'\rangle$ is a move of G, and write $l \xrightarrow{\langle e, t\rangle} l'$. A move $l \xrightarrow{\langle e, t\rangle} l'$ is said to be legal iff $t \in Out(l) \cap In(l')$ and e enables t. Suppose $\sigma = \langle\sigma_0, \sigma_1, \ldots, \sigma_{n-1}\rangle \in E^*$ is a trace of length n. Then $\sigma$ has a run of G, a sequence of locations $\langle l_0, l_1, \ldots, l_n\rangle$ of length n+1, when for each i there is a transition $t_i$ such that $l_i \xrightarrow{\langle\sigma_i, t_i\rangle} l_{i+1}$ is legal, for $0 \le i < n$. We say that the flow tree G accepts the trace $\sigma$ iff there is a run $\langle l_0, l_1, \ldots, l_n\rangle$ of G on $\sigma$ such that $l_0 \in I$ and $l_n \in A$. An HDTL formula is consistent with respect to a trace $\sigma$ iff there exists a flow tree G which accepts $\sigma$.

Now we develop a validation technique using the defined flow tree. As opposed to the usual tableau method, we construct a flow tree dynamically since its size may be infinite. The main idea behind the deferred representation of flow trees is that it is enough to keep the leaf locations only: when an event, say $\sigma_i$, is given, it is possible to determine whether or not each branch of the current leaf locations is legal with respect to $\sigma_i$. At this point, we expand all branches of the current leaf locations and prune back illegal branches. Note that previous locations and transitions are unnecessary for determining the acceptance of the remaining trace. Thus, we can safely remove them and only maintain the new leaf locations. Let $B_i$ be the set of leaf locations for processing the event $\sigma_i$. Then $B_i = \{b_{i,1}, b_{i,2}, \ldots, b_{i,m}\}$ where $M(b_{i,j}) = \{\langle f_1, E_1\rangle, \langle f_2, E_2\rangle, \ldots\}$ represents the label of each leaf location. The meaning of $b_{i,j}$ is characterized by the conjunction of its elements. Analogously, the meaning of $B_i$ is characterized by the disjunction of the meanings of its elements.

We design a function monitor that implements the deferred representation explained above (Figure 1). We use some functions whose definitions are informally given below.

  apply_rules : applies the splitting rules in Table 1.
  atomic-parts : extracts the atomic formulas, i.e. ones whose truth value is determined by the current event.
  next-parts : extracts the next formulas, i.e. ones with outermost next temporal operators ($\bigcirc$, $\overline{\bigcirc}$).
  remove_next : removes the outermost next operators.
  evaluate : evaluates an atomic formula using an event.

The input of monitor is the pair of an event $\sigma_i$ and $B_i$ constructed with the current leaf locations. When $\sigma_i$ and $B_i$ are given, monitor generates all branches of $B_i$ using the rules in Table 1, prunes back illegal branches with respect to $\sigma_i$, and outputs the new set of leaf locations $B_{i+1}$. Then the consistency of the HDTL specification with respect to the trace monitored so far is defined in terms of $B_{i+1}$ and the set A as follows:

  1. $B_{i+1} = \emptyset$. This means that the current event $\sigma_i$ enables no transitions, and thus the failure of validation. The analysis tool reports the occurrence of the inconsistency between the specification and the execution trace.
  2. $B_{i+1} \cap A \neq \emptyset$. This means that there exist accepting locations in $B_{i+1}$. We can conclude that the trace so far conforms to the specification.
  3. $B_{i+1} \cap A = \emptyset$. This means that the remaining trace should include some events to satisfy the specification. Thus, in the current position, the trace does not conform to the specification.

This classification is related to the characteristics of the formulas we analyze. We can identify two disjoint classes of properties, the class of safety and the class of liveness [12]. Informally, a safety property claims that "something bad" does not happen, and a liveness property claims that "something good" eventually happens. The formal definitions of the classes of property can be described as follows [12].

  $\varphi$ is a safety formula iff any sequence violating $\varphi$ contains a finite prefix $\sigma[0..k]$ all of whose infinite extensions violate $\varphi$.
  $\varphi$ is a liveness formula iff any arbitrary finite sequence $s_0, \ldots, s_k$ can be extended to an infinite sequence satisfying $\varphi$.

This reveals the fact that liveness properties are not so useful for dynamic analyses. We observe the up-to-now execution of a system and determine whether the execution conforms to the specification. We cannot determine whether a finite execution trace is consistent with a liveness property. Thus, it might be more reasonable to restrict the specifications to safety formulas. However, given a temporal logic formula, it is hard to tell what class it belongs to [13]. Now, we can explain the relationship between the formula and the cases above. Case 1 represents the violation of a safety formula. Case 2 represents conformance to a safety or liveness formula. Case 3 represents the fact that we need to monitor more events to assure conformance to a liveness formula.

Let us give a concrete visualization of the flow tree with an example.

  $f_0 = \Box x.(label(x) = msg1 \to \Diamond y.(label(y) = msg2 \wedge rcv(x) = snd(y)))$   (1)

The above formula states that whenever a component sends a message msg1 to another component, the message msg2 should eventually be returned from the receiver of msg1. The flow tree of level 1 is initially generated as shown in Figure 2. Locations are shown as ellipses and transitions are denoted by rectangles. Double ellipses designate the final locations. Then the function monitor reads the value of the first event $\sigma_0$ from the environment. It determines the leaf nodes that can be pruned out. If the label of the first event $\sigma_0$ is msg1 (i.e. $label(\sigma_0) = msg1$), then only the condition assigned to the transition T3 evaluates true. The locations L1 and L2 are pruned off, and the analysis proceeds with the location L3, whose result is shown in Figure 3³. Then, again, the second event $\sigma_1$ is used to expand the flow tree. If the label of $\sigma_1$ is also msg1, the tree is pruned back as in Figure 3. We can see at L9 that, to satisfy the specification, there should be two more distinct events whose labels are the same (msg2), but whose senders are different. In this way, the analysis proceeds with the evolution of the flow tree.
We emphasize again that the whole nodes of the trees need not be stored during the analysis. Only the set of leaf nodes is kept during the analysis.

³ The labels of T4-T8 and L4-L8 are omitted due to space limitation.

5 An Example

As an example, we apply the proposed technique to the analysis of a conference model originally suggested in [14]. The system consists of five kinds of objects, representing the conference chair, the conference, the sessions, the session chairs, and the participants. The typical scenarios of the system can be listed as follows:

  A conference chair manages the global procedure of the conference events, for example, the opening and closing of the conference.
  A participant registers for a conference, and joins one of the currently progressing sessions. After the session is over, all of the participants will leave it.
  A session chair initiates a session, and then allows the speakers to make their presentations in order. After each presentation is over, the chair allows the participants to discuss the presentation. When the chair notices the end of the discussion, he initiates the next presentation or finishes the session.

In the initial setting, the system consists of only one conference chair object. It initiates a conference object, and the conference object initiates the session chair objects. Then, they initiate the session objects. New participant objects are dynamically created and register for the conference while the system runs. We made the model of the system using a synchronous communication model like CSP [3]. Using our notation, the state diagram for a participant can be depicted as in Figure 4. The commands of the form !object.message denote outputs, and the ones of the form ?object.message mean inputs. The first parameter object represents the type of the communicating partner, and the second parameter message represents the type of message transmitted.⁴ The actual code is written in LISP.

⁴ It is a generalization of CSP semantics because the name of the partner need not be explicitly specified. The commands correspond to the establishment of a rendezvous with any entity of the specified type.

When executed, the program generates a trace of the messages transmitted among the objects. Due to the concurrency of the model, the system exhibits nondeterminism. Then the trace is input to our analysis tool, and it checks whether the trace is consistent with an HDTL specification. Some of the properties that can be specified in HDTL and analyzed by our tool include the following:

  End of conference
    - No more sessions are opened after the closing announcement of the conference.
    - $\Box(x.(label(x) = end\text{-}conference) \to \neg\Diamond y.(label(y) = open\text{-}session))$
  Limit of joining
    - A participant may not participate in multiple sessions simultaneously.
    - $\Box x.(label(x) = join\text{-}session \to (\neg y.(label(y) = join\text{-}session \wedge snd(y) = snd(x))\ \mathcal{U}\ z.(label(z) = close\text{-}session \wedge rcv(z) = rcv(x))))$
  Discussion
    - Once a discussion begins, a new presentation cannot start until the discussion is over.
    - $\Box x.(label(x) = start\text{-}discussion \to \neg y.(label(y) = start\text{-}presentation \wedge rcv(y) = snd(x))\ \mathcal{U}\ z.(label(z) = end\text{-}discussion \wedge snd(z) = snd(x)))$

Note that we cannot specify these properties with traditional temporal logic. For example, the property limit of joining asserts that, once an event join-session happens, it cannot occur again until the event close-session happens. In traditional (propositional) linear temporal logic, this might be expressed as $\Box(join\text{-}session \to (\neg join\text{-}session\ \mathcal{U}\ close\text{-}session))$. However, in the case of dynamic systems, we should take the instance information into account as well. The requirement prohibits the second occurrence of join-session only when the instance sending the signal is the same one that has sent the earlier join-session signal. HDTL, incorporating variables and the freeze quantifier, makes the specification and analysis of these properties possible.

As proved in several pieces of research (e.g. [15]), preserving consistency during dynamic configuration is sometimes very difficult. Thus we experienced many errors when designing the behavior of this model. In doing so, the analysis technique we suggested was of much help to us.

6 Conclusion

Currently, most of the research about dynamic systems focuses on the implementation or the behavioral specification. We believe that the property specification of dynamic systems is also important because it constitutes an inevitable part of the various analyses. To tackle this problem, we propose HDTL to specify the general properties of dynamic systems. We adopted the freeze quantifier, originally introduced to represent and reason about real time, to deal with the specification of dynamic systems. We think this has resulted in a reasonable property specification language for dynamic systems. For the analysis, we tuned the existing tableau method to handle the dynamic features of HDTL. We implemented a prototype tool for this method and conducted an experiment.

There are some issues that are worth further research. We believe that there are possibilities of tuning up the analysis algorithm for efficiency. An aid to the process of writing down the specification will be helpful. For that purpose, we are investigating how HDTL can be integrated with sequence diagrams in UML. Because it is generally impossible to gather every trace of a system, the analysis cannot guarantee the correctness of the system. Therefore, another important challenge is to construct a deductive framework integrating HDTL and other operational languages, which will enable the proof of correctness. Various formal modeling languages for dynamic systems lack a verification methodology. The research about agent systems and mobile systems may benefit from this study.

References

[1] Harel, D.: 'On visual formalisms', Comm. of the ACM, May 1988, pp. 514-530
[2] Peterson, J.: 'Petri-net theory and the modeling of systems', Prentice Hall, 1981
[3] Hoare, C. A. R.: 'Communicating sequential processes', Prentice Hall, 1985
[4] Holzmann, G.: 'The model checker SPIN', IEEE Trans. on Software Engineering, 1997, 23, (5), pp. 279-295
[5] McMillan, K. L.: 'Symbolic model checking', Kluwer Academic Publishers, 1993
[6] Emerson, E. A.: 'Temporal and modal logic', Handbook of Theoretical Computer Science, Chap. 16, ed. J. van Leeuwen, Elsevier Science Publishers, 1990
[7] Luckham, D. C. and Vera, J.: 'An event-based architecture definition language', IEEE Trans. on Software Engineering, 1995, 21, (9), pp. 717-734
[8] Alur, R. and Henzinger, T. A.: 'A really temporal logic', Journal of the ACM, 1994, 41, pp. 181-204
[9] Dillon, L. K. and Ramakrishna, Y. S.: 'Generating oracles from your favorite temporal logic specifications', 4th ACM SIGSOFT Symp. Foundations of Software Engineering, October 1996, San Francisco, USA, pp. 106-117
[10] Pnueli, A.: 'The temporal logic of programs', 18th IEEE Symp. on Foundations of Computer Science, 1977
[11] Harel, D. and Kupferman, O.: 'On the inheritance of state-based object behavior', TR MCS99-12, Faculty of Mathematics and Computer Science, The Weizmann Institute of Science, June 1999
[12] Manna, Z. and Pnueli, A.: 'The temporal logic of reactive and concurrent systems: Specification', Springer-Verlag, 1992
[13] Sistla, A. P.: 'Safety, liveness and fairness in temporal logic', Formal Aspects of Computing, 1994, 6, pp. 495-511
[14] Lee, J. S., Min, S. Y. and Bae, D. H.: 'Aspect-oriented design (AOD) technique for developing distributed object-oriented systems over the internet', 5th International Computer Science Conference, 1999
[15] Kramer, J. and Magee, J.: 'The evolving philosophers problem: dynamic change management', IEEE Trans. on Software Engineering, 1990, 16, (11)

A Semantics Definition of HDTL

Let $\sigma$ be a trace and $E : V \to E$ an environment for variables. The pair $(\sigma, E)$ satisfies the HDTL formula $\varphi$ if and only if $\sigma \models_E \varphi$, where the satisfaction relation $\models$ is inductively defined as follows:

  $\sigma \models_E \tau_1 = \tau_2$ iff $E(\tau_1) = E(\tau_2)$
  $\sigma \not\models_E false$
  $\sigma \models_E \varphi_1 \to \varphi_2$ iff $\sigma \models_E \varphi_1$ implies $\sigma \models_E \varphi_2$
  $\sigma \models_E \overline{\bigcirc}\varphi$ iff $|\sigma| > 1$ implies $\sigma^1 \models_E \varphi$
  $\sigma \models_E \bigcirc\varphi$ iff $|\sigma| > 1$ and $\sigma^1 \models_E \varphi$
  $\sigma \models_E \varphi_1\,\mathcal{U}\,\varphi_2$ iff $\sigma^i \models_E \varphi_2$ for some $i \ge 0$, and $\sigma^j \models_E \varphi_1$ for all j such that $0 \le j < i$
  $\sigma \models_E \varphi_1\,\overline{\mathcal{U}}\,\varphi_2$ iff $\sigma^j \models_E \varphi_1$ for all $j \ge 0$; or $\sigma^i \models_E \varphi_2$ for some $i \ge 0$, and $\sigma^j \models_E \varphi_1$ for all j such that $0 \le j < i$
  $\sigma \models_E x.\varphi$ iff $\sigma \models_{E[x := \sigma_0]} \varphi$

where $E(f(x)) = f(E(x))$, $E(l) = l$, and $E[x := \sigma_i]$ denotes the environment that maps x to $\sigma_i$ and the other variables to the same values as E.

List of Figures

  1 Dynamic Analysis Algorithm
  2 Flow tree of level 1 for formula (1)
  3 Flow tree of level 2 for formula (1)
  4 State diagram for a participant

Table 1: Splitting rules for tableau construction

  [r$\wedge$]   $(f_1 \wedge f_2)_E \to \langle\{f_{1E}, f_{2E}\}\rangle$
  [r$\vee$]   $(f_1 \vee f_2)_E \to \langle\{f_{1E}\}, \{f_{2E}\}\rangle$
  [r$\Rightarrow$]   $(f_1 \Rightarrow f_2)_E \to \langle\{(\neg f_1)_E\}, \{f_{2E}\}\rangle$
  [r$\Box$]   $(\Box f)_E \to \langle\{f_E, (\overline{\bigcirc}\Box f)_E\}\rangle$
  [r$\Diamond$]   $(\Diamond f)_E \to \langle\{f_E\}, \{(\bigcirc\Diamond f)_E\}\rangle$
  [r$\mathcal{U}$]   $(f_1\,\mathcal{U}\,f_2)_E \to \langle\{f_{2E}\}, \{f_{1E}, (\bigcirc(f_1\,\mathcal{U}\,f_2))_E\}\rangle$
  [r$\mathcal{P}$]   $(f_1\,\mathcal{P}\,f_2)_E \to \langle\{f_{1E}, (\neg f_2)_E\}, \{(\neg f_2)_E, (\overline{\bigcirc}(f_1\,\mathcal{P}\,f_2))_E\}\rangle$
  [r$\overline{\mathcal{U}}$]   $(f_1\,\overline{\mathcal{U}}\,f_2)_E \to \langle\{f_{2E}\}, \{f_{1E}, (\overline{\bigcirc}(f_1\,\overline{\mathcal{U}}\,f_2))_E\}\rangle$
  [r$\overline{\mathcal{P}}$]   $(f_1\,\overline{\mathcal{P}}\,f_2)_E \to \langle\{f_{1E}, (\neg f_2)_E\}, \{(\neg f_2)_E, (\bigcirc(f_1\,\overline{\mathcal{P}}\,f_2))_E\}\rangle$
  [rfrz]   $(x.f)_E \to \langle\{f_{E[x := \sigma_0]}\}\rangle$

Figure 1: Dynamic Analysis Algorithm

  function monitor(σ : event, B : location)
  begin
    reduced := ∅; B' := ∅;
    forall b_j ∈ B begin
      reduced := reduced ∪ apply_rules(b_j, σ)
    end;
    forall disjunct ∈ reduced begin
      a := atomic-part(disjunct);
      n := next-part(disjunct);
      if evaluate(a, σ) then B' := B' ∪ remove_next(n);
    end;
    return B'
  end
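The following Python program is an added example, not the authors' LISP tool: it implements the monitor of Figure 1 over the splitting rules of Table 1 for the HDTL fragment used in this paper, and runs it on constructed traces for formula (1) and for the limit-of-joining property of Section 5. Its assumptions are the tuple encoding of formulas, that a leaf is accepting when all of its remaining obligations are weak-next formulas, and, for the joining property, a weak-until reading with a weak next inserted after the implication so that the freezing event itself is not counted as the forbidden second join.

```python
from itertools import product

# Formulas (constructed encoding): ('eq'|'neq', t1, t2) over terms ('snd', x),
# ('rcv', x), ('label', x), ('const', v); ('not', f); ('and'|'or'|'imp', f, g);
# ('always', f); ('event', f); ('until'|'wuntil', f, g); ('next'|'wnext', f);
# ('frz', x, f).  Events are (sender, receiver, label); env maps variables to events.

def neg(f):
    """Push one negation inward; this yields the closure cl(phi) of Section 4."""
    op = f[0]
    if op == 'eq':     return ('neq', f[1], f[2])
    if op == 'neq':    return ('eq', f[1], f[2])
    if op == 'not':    return f[1]
    if op == 'and':    return ('or', neg(f[1]), neg(f[2]))
    if op == 'or':     return ('and', neg(f[1]), neg(f[2]))
    if op == 'imp':    return ('and', f[1], neg(f[2]))
    if op == 'always': return ('event', neg(f[1]))
    if op == 'event':  return ('always', neg(f[1]))
    if op == 'until':  return ('wuntil', neg(f[2]), ('and', neg(f[1]), neg(f[2])))
    if op == 'wuntil': return ('until', neg(f[2]), ('and', neg(f[1]), neg(f[2])))
    if op == 'next':   return ('wnext', neg(f[1]))
    if op == 'wnext':  return ('next', neg(f[1]))
    if op == 'frz':    return ('frz', f[1], neg(f[2]))
    raise ValueError(op)

def expand(f, env, ev):
    """apply_rules: split f (under env, at event ev) with the rules of Table 1
    into a list of conjunctions, each a list of (atomic-or-next formula, env)."""
    op = f[0]
    if op in ('eq', 'neq', 'next', 'wnext'):
        return [[(f, env)]]
    if op == 'not':
        return expand(neg(f[1]), env, ev)
    if op == 'and':                                  # [r and]: cross product
        return [a + b for a, b in product(expand(f[1], env, ev), expand(f[2], env, ev))]
    if op == 'or':                                   # [r or]: either disjunct
        return expand(f[1], env, ev) + expand(f[2], env, ev)
    if op == 'imp':                                  # [r =>]
        return expand(('or', neg(f[1]), f[2]), env, ev)
    if op == 'always':                               # [r box]: {f, weak-next box f}
        return expand(('and', f[1], ('wnext', f)), env, ev)
    if op == 'event':                                # [r diamond]: {f} | {next diamond f}
        return expand(('or', f[1], ('next', f)), env, ev)
    if op == 'until':                                # [r U]: {g} | {f, next (f U g)}
        return expand(('or', f[2], ('and', f[1], ('next', f))), env, ev)
    if op == 'wuntil':                               # weak until pairs with weak next
        return expand(('or', f[2], ('and', f[1], ('wnext', f))), env, ev)
    if op == 'frz':                                  # [rfrz]: bind x to the current event
        return expand(f[2], {**env, f[1]: ev}, ev)
    raise ValueError(op)

def term(t, env):
    kind, arg = t
    return arg if kind == 'const' else env[arg][('snd', 'rcv', 'label').index(kind)]

def evaluate(atom, env):
    """Truth value of an atomic formula under the bindings in env."""
    lhs, rhs = term(atom[1], env), term(atom[2], env)
    return lhs == rhs if atom[0] == 'eq' else lhs != rhs

def monitor(ev, leaves):
    """One step of Figure 1: expand every leaf location, keep the branches that
    ev enables, return the new leaves B_{i+1}.  A leaf is a list of
    (next-formula, env) pairs whose conjunction is owed by the rest of the trace."""
    new_leaves = []
    for leaf in leaves:
        parts = [expand(nf[1], env, ev) for nf, env in leaf]   # remove_next, then split
        for combo in product(*parts):
            disjunct = [p for conj in combo for p in conj]
            atoms = [p for p in disjunct if p[0][0] in ('eq', 'neq')]
            nexts = [p for p in disjunct if p[0][0] in ('next', 'wnext')]
            if all(evaluate(a, e) for a, e in atoms) and nexts not in new_leaves:
                new_leaves.append(nexts)
    return new_leaves

def status(leaves):
    """Cases 1-3 of Section 4 (assumption: a leaf is accepting when every
    obligation is a weak next, i.e. it holds if the trace ends here)."""
    if not leaves:
        return 'violated'          # case 1: the event enabled no transition
    if any(all(nf[0] == 'wnext' for nf, _ in leaf) for leaf in leaves):
        return 'conforms'          # case 2: an accepting location remains
    return 'pending'               # case 3: more events are needed

def run(formula, trace):
    """Feed a trace through monitor event by event; return the status after each."""
    leaves = [[(('next', formula), {})]]
    statuses = []
    for ev in trace:
        leaves = monitor(ev, leaves)
        statuses.append(status(leaves))
    return statuses

def L(x, lbl):                     # label(x) = lbl
    return ('eq', ('label', x), ('const', lbl))

# f0 of Section 4: box x.(label(x)=msg1 -> diamond y.(label(y)=msg2 and rcv(x)=snd(y)))
RESPONSE = ('frz', 'y', ('and', L('y', 'msg2'), ('eq', ('rcv', 'x'), ('snd', 'y'))))
F0 = ('always', ('frz', 'x', ('imp', L('x', 'msg1'), ('event', RESPONSE))))

# Limit of joining (Section 5) with this example's weak-next/weak-until reading.
SAME_SENDER_JOIN = ('frz', 'y', ('and', L('y', 'join-session'), ('eq', ('snd', 'y'), ('snd', 'x'))))
CLOSE_OF_X = ('frz', 'z', ('and', L('z', 'close-session'), ('eq', ('rcv', 'z'), ('rcv', 'x'))))
JOIN = ('always', ('frz', 'x', ('imp', L('x', 'join-session'),
                                 ('wnext', ('wuntil', ('not', SAME_SENDER_JOIN), CLOSE_OF_X)))))

if __name__ == '__main__':         # constructed traces, not output of the paper's tool
    print(run(F0, [('a', 'b', 'msg1'), ('b', 'a', 'msg2')]))
    print(run(JOIN, [('p1', 'conf', 'join-session'), ('p2', 'conf', 'join-session'),
                     ('p1', 'conf', 'join-session')]))
```

Because the [r=>] and [r diamond] rules produce overlapping disjuncts, the number of leaves can grow with the trace, which is the efficiency issue the conclusion mentions.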


Publication date: 2001