Heuristics to Verify LTL Properties of Hierarchical Systems

Hierarchical automata are used to model hierarchical systems. Their semantics is given by a Kripke structure whose states are valued by atomic propositions, and this structure can have a very large number of states. This paper presents some heuristics to check properties expressed in LTL (Linear Temporal Logic). Hierarchical systems are defined hierarchically as a set of subsystems, by decomposing at each step one or more states into a set of automata. To cope with the combinatorial explosion and with the cost of checking properties, we consider only the sub-systems concerned by the property to verify, and we then deduce its satisfaction on the global system from its satisfaction on those sub-systems.


MOTIVATIONS
Our work revolves around the specification and verification of hierarchical systems, following work on StateCharts [7] and the Unified Modeling Language (UML) [5]. In addition, this model has concepts such as the refinement of states by a set of automata, transitions with multiple source states and multiple target states (interlevel transitions), and priority between transitions.
Various techniques have been introduced to verify linear properties on hierarchical models by model-checking [4]. In [11], the authors show how StateCharts can be translated into Promela (the input language of the SPIN model checker), using hierarchical automata as an intermediate format, in order to verify linear properties [12].
The verification techniques used are algorithmic and are often based on the detection of cycles in the synchronous product of the model with the negation of the property, given in the form of a Büchi automaton, to show whether or not the property is satisfied. Properties are expressed in LTL (Linear Temporal Logic) [9]. The main problem lies in the complexity of the decision procedures and in the combinatorial explosion of the number of states. A comparison of different approaches proposed to verify StateCharts by model-checking can be found in [3].
In this paper we propose to verify on modules or sub-structures. This method can be used to verify large-sized systems: the model is cut into a set of sub-models, and one determines whether a property is satisfied on each sub-model. Verification is carried out separately on each sub-model [10].
The choice of the properties and the method of cutting are two very important points. It is not always true that if a property ϕ is satisfied on all the sub-models then it is satisfied on the whole model.
In this work, we are interested only in local properties describing the behaviour of a part of the system, linked to the sub-models introduced during the process of refinement of states. We call this part of the system a Kripke sub-structure, denoted KSS. Each Kripke sub-structure represents the flattening of a part of the system represented by the set of automata associated with a state. A property ϕ only concerns the Kripke sub-structure KSS associated with the states refined by these automata. If KSS satisfies the property ϕ, then the whole Kripke structure KS, associated to the hierarchical automaton, also satisfies it. Formally, for every refined state s, if KSS_s |= ϕ then KS |= ϕ. This paper is organized as follows: in the second section, we present the basic concepts, in particular sequential automata, hierarchical automata and their semantics as Kripke structures. In section three, we present the process of verifying properties on each sub-model: we express two patterns of properties, then give the corresponding verification algorithms. In section four, we outline some perspectives of this work.
Throughout this paper, we illustrate the presentation with the example of an Automated Teller Machine (ATM).

Introduction
A hierarchical automaton (HA) is built as the parallel and/or hierarchical composition of sequential automata. HA have a maximal parallelism semantics, i.e. parallel automata execute their transitions synchronously. Hierarchical composition means mapping states of a sequential automaton to another automaton or to a parallel composition of automata. We start by defining the notion of sequential automaton.

Sequential automata
In the following, s, s_0, s_1, ... denote states and V is a set of variables {x_1, x_2, ..., x_n}, each x_i of type Dom(x_i), which is a finite set.
We call AP_V = {ap, ap_0, ap_1, ...} the set of atomic propositions over the set of variables V, where each ap is a formula over the variables of V.

Definition 1. An automaton A labelled over a set of variables V ranging over finite domains is defined by a 5-tuple ⟨S, s_0, Σ, −→, L⟩ where S is the set of states, s_0 ∈ S is the initial state, Σ is the set of actions, −→ ⊆ S × Σ × S is the transition relation and L is the state labelling function over AP_V, the set of propositions.

A path σ of an automaton A is a finite or an infinite sequence of states and actions s_0 −a_1→ s_1 −a_2→ s_2 ... We denote Path(A) the set of paths of A. The trace of a path σ, denoted tr(σ), is the sequence of labels of its transitions: tr(σ) = a_1.a_2 ... a_i ...

We call cycle a path cy = s_0 −a_1→ s_1 ... −a_n→ s_n, that is, a finite sequence of states and actions with s_n = s_0 and, for all i, such as

Let A = ⟨S, s_0, Σ, −→, L⟩ be a sequential automaton. In the following, S_A denotes the set of states of A, s_0A its initial state, −→_A its transition relation and Σ_A its set of actions.

Hierarchical automata
A hierarchical automaton is a set of sequential automata related to one another by a composition function γ.
Definition 2. A HA is a tuple ⟨F, E, γ⟩ where F is the set of sequential automata, E the set of actions and γ the composition function. For notational convenience we write s′ ∈ χ(s) whenever s′ is a state of a direct child automaton of s. Furthermore, we define χ^+ to be the irreflexive transitive closure and χ^* the reflexive transitive closure of χ. The ancestor composition function γ^{−*} describes the link between a state s and its ancestor automata.
Let HA = ⟨F, E, γ⟩ be a hierarchical automaton. The restriction of the composition function γ to the states of some A ∈ F yields a sub-hierarchical automaton HA_A = ⟨F_A, E_A, γ_A⟩, where F_A, E_A and γ_A are the restrictions of F, E and γ to A and to the automata below it. We consider A as the root automaton of HA_A.

Configuration
A configuration (C) denotes a global state of the hierarchical automaton.It describes which states of sequential automata of a hierarchical automaton are simultaneously active.Every sequential automaton can contribute at most one state to a configuration.
For each hierarchical automaton HA A , A ∈ F , the set of all configurations of HA A is denoted by Conf A .

Extended transitions
In order to represent statechart diagrams using hierarchical automata, Mikk et al. [11] added two labels to HA transitions, sr (source restriction) and td (target determinator). The aim of the two labels is to preserve the information of the interlevel transitions (the multiple-source and multiple-target transitions).
Thus, a transition t in a sequential automaton A ∈ F is written t = s −(sr, a, td)→ s′, where s and s′ are two states of A, sr is a set of configurations of the sub-hierarchical automaton HA_γ(s) and td is a set of configurations of the sub-hierarchical automaton HA_γ(s′). sr is used to determine in which configurations t is enabled, and td is used to determine which states are entered simultaneously when entering the target state s′. If s is refined by one or more automata and sr = ∅, then t is enabled from all states of the sub-automata of s. If s′ is refined by one or more automata and td = ∅, then the target states of t are the initial states of the sub-automata of s′.

Example
An Automated Teller Machine (ATM) is a computerized telecommunications device that provides the customers of a bank with access to financial transactions in a public space without the need for a human clerk or bank teller. On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic stripe or a plastic smartcard with a chip, which contains a unique card number and some security information, such as an expiration date. Security is provided by the customer entering a personal identification number (PIN, or code). Using an ATM, customers can access their bank accounts in order to make cash withdrawals (or credit card cash advances) and check their account balances. Customers must have a valid card. Initially, the ATM is idle; in this state, it may be waiting for the insertion of a card or in maintenance. After the insertion of a card, the ATM becomes active and authenticates certain information.
When the customer inserts his card, the ATM verifies certain information concerning its validity. After validation, the customer selects a withdrawal operation and the ATM processes it. Then, the customer can ask for a ticket to be printed.
We begin with a simplified model of this system. Figure 1 presents an abstract model of the ATM described by a hierarchical automaton. We have χ(s_0) = {s_2, s_3}.

Flattening of hierarchical automata
In this section, we introduce the operational semantics of a hierarchical automaton, defined as a Kripke structure [11]; this allows us to verify hierarchical systems with a finite number of states by model-checking.
A Kripke structure is defined by a set of configurations together with a transition relation. If sr = ∅ then the transition t is enabled from all the configurations which contain the state s.
Definition 5. Kripke structure. Let HA = ⟨F, E, γ⟩ be a hierarchical automaton. The Kripke structure associated to HA is denoted KS = ⟨Conf, C_0, −→_K, E, LK⟩ where Conf is the set of configurations, C_0 is the initial configuration of the hierarchical sub-automaton HA_A, −→_K is the transition relation between configurations and LK is the labelling of configurations.
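The following Python script is added here as an illustration and is not part of the original paper. It implements Definitions 3 to 5 on a small hierarchical automaton modelled on the ATM example: it enumerates the configurations of a sub-hierarchical automaton by downward closure (one state of the root automaton plus one configuration of each child automaton of a non-basic state), decides whether an extended transition ⟨sr, a, td⟩ is enabled from a configuration, and computes the successor configuration. The automaton names, state names and transitions are a constructed approximation of figures 1 to 3, which are not reproduced on the page; reading sr as "some configuration of sr is contained in C" and td as a complete configuration of the target's sub-automata are assumptions of the example.

```python
from itertools import product


class HA:
    """Hierarchical automaton <F, E, gamma>: `automata` maps an automaton name to
    (states, initial state); `gamma` maps a non-basic state to the names of the
    automata refining it; `root` is the root automaton. The actions E are
    carried by the transitions themselves."""

    def __init__(self, automata, gamma, root):
        self.automata = automata
        self.gamma = gamma
        self.root = root

    def children(self, state):
        return self.gamma.get(state, set())

    def configurations(self, automaton=None):
        """Definition 3, for the sub-hierarchical automaton HA_automaton: exactly
        one state s of the root automaton and, when s is refined, one
        configuration of each of its child automata (downward closure)."""
        automaton = automaton or self.root
        confs = []
        for s in self.automata[automaton][0]:
            subs = [self.configurations(b) for b in sorted(self.children(s))]
            for combo in product(*subs):
                confs.append(frozenset({s}).union(*combo))
        return confs

    def default_entry(self, state):
        """States entered together with `state` when td is empty: the initial
        states of its sub-automata, recursively."""
        entered = {state}
        for b in self.children(state):
            entered |= self.default_entry(self.automata[b][1])
        return entered

    def descendants(self, state):
        """All states below `state`; they are left whenever `state` is left."""
        below = set()
        for b in self.children(state):
            for s in self.automata[b][0]:
                below |= {s} | self.descendants(s)
        return below

    def initial_configuration(self):
        return frozenset(self.default_entry(self.automata[self.root][1]))

    def enabled(self, conf, t):
        """Definition 4. t = (src, sr, action, td, dst) is enabled from conf if
        src is in conf and sr is empty or one of its configurations is part of
        conf (assumed reading of 'C is a configuration in sr')."""
        src, sr, _, _, _ = t
        return src in conf and (not sr or any(c <= conf for c in sr))

    def fire(self, conf, t):
        """Definition 5 successor: leave src and everything below it, enter dst
        with td, or with the initial states of dst's sub-automata when td is empty."""
        src, _, _, td, dst = t
        if not self.enabled(conf, t):
            raise ValueError("transition not enabled from this configuration")
        new = (set(conf) - {src} - self.descendants(src)) | {dst}
        new |= set(td) if td else self.default_entry(dst)
        return frozenset(new)


# Constructed ATM, after the paper's description: s0 (idle) is refined by an
# automaton with s2 (waiting for a card) and s3 (maintenance); s1 (active) by
# Active = {s4 validation, s5 selection, s7 impression}; s4 by TestCode and
# s7 by the three parallel automata Ticket, Card and Moneys.
ATM = HA(
    automata={
        "ATM": (["s0", "s1"], "s0"),
        "Standby": (["s2", "s3"], "s2"),
        "Active": (["s4", "s5", "s7"], "s4"),
        "TestCode": (["Entry1", "Test1", "Entry2", "Test2", "Good"], "Entry1"),
        "Ticket": (["Impression", "EndImpression"], "Impression"),
        "Card": (["In", "Out"], "In"),
        "Moneys": (["Distribution", "endDistribution"], "Distribution"),
    },
    gamma={"s0": {"Standby"}, "s1": {"Active"}, "s4": {"TestCode"},
           "s7": {"Ticket", "Card", "Moneys"}},
    root="ATM",
)

# Extended transitions (src, sr, action, td, dst); sr and td are sets of
# configurations of the sub-automaton of src, resp. dst. Empty means "from
# any configuration" / "enter the initial states".
T_INSERT = ("s0", set(), "insertCard", set(), "s1")
T_ANNUL = ("s1", set(), "annulation", set(), "s0")             # ancestor ATM, from anywhere in Active
T_VCODE = ("s4", {frozenset({"Good"})}, "Vcode", set(), "s5")   # father Active, only once the code is good
T_END = ("s1", {frozenset({"s7", "EndImpression", "Out", "endDistribution"})},
         "endOperation", set(), "s0")                             # only when all three parallel automata are done

if __name__ == "__main__":
    print(len(ATM.configurations()), "configurations of the whole ATM")
    print(len(ATM.configurations("Active")), "configurations below s1")
    print(sorted(ATM.fire(ATM.initial_configuration(), T_INSERT)))
```

The configuration count is the product of the parallel automata below each state (8 of the 14 configurations below s_1 come from the three automata of s_7), which is the combinatorial explosion the paper's modular verification avoids.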

Refinement of hierarchical automata
In this section, we present a refinement relation between two hierarchical automata, inspired by the refinement relation between transition systems [14]. The basic states of a hierarchical model can be decomposed by one or several parallel automata. This allows one to see in detail the behaviour of the system in these states.
Let HA_i = ⟨F_i, E_i, γ_i⟩ be the specification of a hierarchical system over a set of variables V_i. In what follows, HA_1 and KS_1 denote the abstract system and HA_2 and KS_2 its refinement. Refinement consists in developing the basic states of an abstract system into a set of new automata, denoted A_τ. The transitions of A_τ are denoted τ. The principal characteristics of our refinement are:
• introduction of new automata with new actions,
• introduction of a gluing invariant I_12 which expresses the relation between the variables of V_1 and those of V_2,
• no new deadlocks introduced,
• no livelocks introduced by the new actions.
In the ATM example, we detail the specification of the two states Validation and Impression of the hierarchical automaton HA_1. Concerning the validation of the card, the customer can enter the code twice. If the first input is correct, the machine processes the operation; otherwise, the customer can input the code a second time. In case of a second mistake, the card can be ejected or the operation cancelled. At this level of refinement, this means decomposing the state s_4 by the automaton TestCode and the state s_7 by three automata (Ticket, Card, Moneys). Figure 2 represents the second level of refinement, the refined hierarchical automaton of the abstract ATM.

KRIPKE SUB-STRUCTURES AND PROPERTIES
Some properties can be verified only on the refined system; this is the case of the new properties relative to the new automata introduced by the refinement. For example, the property "the selection process comes after the validation of the code" cannot be verified on the abstract model.
In this paper we are concerned with the verification of new properties expressed in LTL on hierarchical systems. In this section, we present an approach to the modular verification of a class of properties.
The method of cutting induced by the refinement of states allows us to verify effectively that if a property is verified on all the sub-models then it is also verified on the whole model of the system.

The KSS Associated with the new automata
Let s be a state of S_τ, the set of states refined by new automata. The Kripke sub-structure KSS_s represents the flattening of the sub-automata of the state s together with the outgoing transitions of s belonging to the ancestor automata of s. KSS_s is defined by a subset of the configurations of KS_2 and a set of transitions between these configurations:
• Conf_s is the subset of configurations of KS_2 such that C ∈ Conf_s if the state s is in the configuration C, C being a configuration obtained from the state s;
• C_0s is the initial configuration, such that all the initial states of the sub-automata of s belong to C_0s.
The Kripke sub-structures KSS associated to the hierarchical automaton HA_2 are represented in figure 4.
The Kripke sub-structure KSS_s4 associated to the state s_4 consists of 8 configurations and 13 transitions. The transitions labelled by the action annulation are transitions of the ancestor automaton ATM, leaving the state s_4. The transition labelled by the action Vcode is a transition of the father automaton Active, leaving the state s_4. The others are transitions of the child automaton TestCode of s_4.
The Kripke sub-structure KSS_s7 associated to the state s_7 consists of 9 configurations and 21 transitions.
The transitions labelled by the actions annulation and endOperation are transitions of the ancestor automaton ATM, leaving the state s_7. The other transitions are transitions of the automata Ticket, Card and Moneys, the children of s_7.

Patterns of properties
We propose two patterns of properties which can be verified only on the Kripke sub-structures associated with the father states of the new automata. A property related to the explosion (refinement) of a basic state s is as follows: the labelling of the configurations of KSS_s produced by the new automata of s contains that of the father state s.
Let s be a state of S_τ and F_τ the set of its sub-automata. We denote AP_τ the set of atomic propositions on the variables of F_τ; p is a proposition expressed on AP_τ (see figure 5) and q is a proposition expressed on AP_V, where AP_V is the set of atomic propositions on the variables of HA_2. We express a class of properties which we verify in a modular way.
Theorem 1. Let p and q be two propositions, with p expressed on AP_τ. Let ϕ be an LTL formula of the form (p ⇒ q) or (p ⇒ ♦q). If all the Kripke sub-structures satisfy ϕ, then KS_2 satisfies ϕ.
The proof uses results of the work presented in [1]. It is first necessary to show that the KSSs cover the state space of KS_2. The first formula poses no particular problem, because the labels p and q are carried by the configurations of KSS. The second formula, a liveness formula, expresses that there must be no cycle that keeps control indefinitely; in other words, there is always an exit from the cycle through a priority transition which reaches a configuration valued by q.
The property "the selection of the operation comes after the validation of the code" is expressed in LTL in the following form: This property is to be verified only on the Kripke sub-structure KSS_s4, because Code = Error is an atomic proposition expressed only on the variables of the new automaton TestCode. The other KSSs are not concerned by ϕ, and thus we can conclude that ϕ is satisfied on the KS_2 of the ATM. The verification of these properties can be done by model-checking. Since we wish to use it as little as possible, we exploit the refinement of states to perform the check by means of simple algorithms, linear in the number of states.

Algorithms
In this section, we propose algorithms to verify the two following properties on a KSS: (p ⇒ q) and (p ⇒ ♦q). These algorithms take as input a Kripke sub-structure KSS and two atomic propositions p and q. They use a graph traversal visiting all the configurations of the KSS. The first algorithm is simple: it visits the successor configurations of each given configuration. The second algorithm uses a cycle detection procedure (Tarjan's strongly connected components algorithm) to take into account the priority of transitions (the transitions of the father automaton). We can use a depth-first traversal to visit the cycles and check whether, for each cycle detected, there is a priority transition. If Satisfaction = true, this means that the property is true on the KSS. If Satisfaction = true on all the KSSs, then the property is satisfied on KS_2. For the first algorithm, the converse also holds: if it is false on a KSS, then it is false on KS_2. The first algorithm works for any Kripke structure; it uses a successor function to visit the reachable configurations of a given configuration, and a breadth-first traversal is enough. Its complexity is of the order of O(|−→|), where −→ is the set of transitions of KSS_s.

To verify if KSS_s |= (p ⇒ ♦q)
/* For each path σ in a cycle cy, there is an outgoing old (priority) transition. */

Definition 4. Enabled transition.
Let HA = ⟨F, E, γ⟩ be a hierarchical automaton, A an automaton in F, C a configuration in Conf_A and a an action in E. We say that the transition t = s −(sr, a, td)→ s′ of automaton A is enabled from the configuration C, denoted enable(C|t), if the state s is in the configuration C and C is a configuration in sr.

FIGURE 2: Refinement of the ATM by decomposition of states

FIGURE 3: Refinement and semantics of hierarchical automata

Proposition 1
Let s be a state of HA 2 and KSS s the Kripke sub-structure associated to s.If s |= p then KSS s |= p.

Figure 5
Figure 5 illustrates the atomic propositions p in KSS associated with new automata.

FIGURE 4: KSS associated to the states s_4 and s_7

FIGURE 5: Illustration of p and q in KS_2 and in KSS_s

To verify if KSS_s |= (p ⇒ q)
/* This algorithm requires a depth-first traversal of the reachable configurations of KSS. It tests whether the target configurations of the outgoing transitions of each configuration C ∈ C_satisf_p satisfy q. */
C_satisf_p := {C | C |= p};
Satisfaction := true; // boolean: true if there is satisfaction
For each transition C −a→ C′ ∈ −→_KSS_s with C ∈ C_satisf_p do
    Satisfaction := Satisfaction ∧ (C′ |= q);
End For

Definition 3. Let S_t be the set of the states of all the sequential automata in HA. A set C ⊆ S_t is a configuration of HA if:
(1) exactly one state of the root automaton A_root is in the configuration: ∃! s. (s ∈ S_{A_root} ∧ s ∈ C), and
(2) downward closure, i.e. whenever a state is in the configuration and it is a non-basic state, each of its direct sub-automata must contribute to the configuration too: ∀s, A. (s

Definition 5 (continued). −→_K is the transition relation of KS. Let t = C −e→ C′ be a transition; t ∈ −→_K if there is a transition t′ = s −(sr, a, td)→ s′ of an automaton A enabled from the configuration C, the state s′ is in the configuration C′ and td ⊆ C′, or, when td = ∅, C_0A ⊆ C′.

International Workshop on Verification and Evaluation of Computer and Communication Systems VECoS 2008

• The variable Code indicates the state of the code test: TestCode ∈ {Entry1, Entry2, Test1, Test2, Good}.
• The variable T denotes the state of the ticket printing: T ∈ {Impression, EndImpression}.
• C indicates the card position: C ∈ {In, Out}.
• The variable B indicates the state of the distribution of money: B ∈ {Distribution, endDistribution}.

To set the context, we recall the refinement and semantics of hierarchical automata, see figure 3. The annulation transition to s_0 is enabled from all states of the automata Active and TestCode, but the transition s_1 −endOperation→ s_0 is enabled only from the configuration (s_7, s_9, s_11, s_13). The transition s_4 −Vcode→ s_5 is enabled only from the state s_17.

Let HA_1 = ⟨F_1, E_1, γ_1⟩ and HA_2 = ⟨F_2, E_2, γ_2⟩ be two extended hierarchical automata such that HA_2 is obtained from HA_1 by refining states. Let KS_2 = ⟨Conf_2, C_02, −→_K2, E_2, LK_2⟩ be the Kripke structure associated to HA_2. Let S_τ be the set of states refined by the new automata. We associate to each state s of S_τ a Kripke sub-structure, denoted KSS_s, of the whole Kripke structure KS_2.
C_satisf_p := {C | C |= p};
Satisfaction := true; // boolean: true if there is satisfaction
H_s2; // set of the priority transitions
For each cycle cy = C_i ... C_j reached from C do
    If C_k ∈ C_satisf_p for some i ≤ k ≤ j then
        Satisfaction := Satisfaction ∧ (
            (∀ C_n, i ≤ n ≤ j : C_n −→ C_m ∈ H_s2 ∧ C_m ∈ C_satisf_q)
            ∨ (∃ C_l, k ≤ l ≤ j : C_l ∈ C_satisf_q ∧ ∃ C_n, k ≤ n ≤ l : C_n −→ C_m ∈ H_s2 ∧ C_m ∈ C_satisf_q));
    End If
End For
If Satisfaction = true, this means that the property is true on the KSS. If Satisfaction = true on all the KSSs, then the property is satisfied on KS_2. Conversely, if Satisfaction = false, it does not necessarily mean that the property is false: it is possible that it is true on the whole Kripke structure KS_2. The complexity is of the order of O(|−→| + |Conf|), where −→ is the set of transitions of KSS_s and Conf the set of configurations of KSS_s.
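As an added example (not the paper's code), the following Python script implements the two checks of this section on a Kripke sub-structure given explicitly: (p ⇒ q) by a traversal of the reachable configurations, and (p ⇒ ♦q) by Tarjan's SCC algorithm on the configurations that do not satisfy q, with the priority transitions of the father or ancestor automata treated as the second algorithm does: a cycle that can be left through a priority transition leading to a q-configuration is not a violation. The example reads both patterns as invariants checked at every reachable configuration, assumes that such a priority transition is taken whenever its source configuration is visited infinitely often, and treats a configuration without successors as a maximal finite path, which violates ♦q when it does not satisfy q. The sample structure is a constructed approximation of KSS_s4 (the TestCode states, the father's Vcode transition to s_5 and the ancestor's annulation and eject transitions to s_0); the `display` self-loop on Good, the labels and the action names are invented for the illustration.

```python
class KSS:
    """Kripke sub-structure: configurations labelled with atomic propositions and
    action-labelled transitions. `priority` marks the transitions of the father
    or ancestor automata (the paper's set H_s2), which leave the refined state."""

    def __init__(self, init, labels, transitions):
        self.init = init
        self.labels = {c: frozenset(aps) for c, aps in labels.items()}
        self.edges = {c: [] for c in labels}
        for src, action, dst, priority in transitions:
            self.edges[src].append((action, dst, priority))

    def sat(self, conf, ap):
        return ap in self.labels[conf]

    def succ(self, conf):
        return [dst for _, dst, _ in self.edges[conf]]

    def reachable(self):
        seen, todo = {self.init}, [self.init]
        while todo:
            for n in self.succ(todo.pop()):
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
        return seen


def always_implies(kss, p, q):
    """(p => q) at every reachable configuration: one O(|->|) traversal."""
    return all(kss.sat(c, q) for c in kss.reachable() if kss.sat(c, p))


def cyclic_configurations(kss, nodes):
    """Configurations of `nodes` lying on a cycle that stays inside `nodes`
    (a non-trivial SCC or a self-loop), by Tarjan's SCC algorithm."""
    index, low, stack, on_stack, result = {}, {}, [], set(), set()

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        inner = [w for w in kss.succ(v) if w in nodes]
        for w in inner:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                      # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            if len(comp) > 1 or v in inner:         # real cycle, or self-loop
                result.update(comp)

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return result


def always_eventually(kss, p, q):
    """(p => <>q) at every reachable configuration. A p-configuration violates it
    iff, moving through non-q configurations only, it reaches a deadlock or a
    cycle containing no configuration with a priority transition to q."""
    non_q = {c for c in kss.reachable() if not kss.sat(c, q)}
    escape = {c for c in non_q                      # priority exit towards q
              if any(prio and kss.sat(d, q) for _, d, prio in kss.edges[c])}
    bad = {c for c in non_q if not kss.edges[c]}    # finite path ending without q
    bad |= cyclic_configurations(kss, non_q - escape)
    for start in (c for c in non_q if kss.sat(c, p)):
        seen, todo = {start}, [start]
        while todo:
            c = todo.pop()
            if c in bad:
                return False
            for n in kss.succ(c):
                if n in non_q and n not in seen:
                    seen.add(n)
                    todo.append(n)
    return True


def sample_kss(vcode_priority=True):
    """Constructed sample in the shape of KSS_s4; not the paper's figure 4."""
    labels = {"Entry1": {"entering", "cardIn"}, "Test1": {"testing", "cardIn"},
              "Entry2": {"entering", "cardIn"}, "Test2": {"testing", "cardIn"},
              "Good": {"codeOk", "cardIn"}, "s5": {"selection", "cardIn"},
              "s0": {"idle"}}
    transitions = [  # (src, action, dst, priority)
        ("Entry1", "code", "Test1", False), ("Test1", "good", "Good", False),
        ("Test1", "bad", "Entry2", False), ("Entry2", "code", "Test2", False),
        ("Test2", "good", "Good", False), ("Good", "display", "Good", False),
        ("Entry1", "annulation", "s0", True), ("Entry2", "annulation", "s0", True),
        ("Test2", "eject", "s0", True), ("Good", "Vcode", "s5", vcode_priority),
    ]
    return KSS("Entry1", labels, transitions)


if __name__ == "__main__":
    k = sample_kss()
    print(always_implies(k, "codeOk", "cardIn"))                        # True
    print(always_eventually(k, "codeOk", "selection"))                  # True: Vcode leaves the display loop
    print(always_eventually(sample_kss(False), "codeOk", "selection"))  # False: the loop has no priority exit
```

The second check shows the role of H_s2: with Vcode demoted to an ordinary child transition, the `display` self-loop on Good is a cycle without exit and the liveness property fails, whereas with the father's transition marked as priority the cycle is discounted. Properties that lead into s_0 fail on this sample regardless of priorities, since s_0 has no successor inside the sub-structure and does not satisfy q; this is the case where the paper notes that a false result on a KSS does not imply falsity on KS_2.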