That is, the parallel composition of CSP is the special case of the composition of Def. Constraint Generalization. The function generalize(C,P,Q, Φ,C) computes a maximal set that contains C, is contained in C, and allows only mappings satisfying Φ.

## 5 Implementation and Case Studies

*Implementation**Case Studies: OAuth Protocols**Formal Modeling**Results*

A typical OAuth 2.0 workflow, shown in Fig.3(a), starts with a user (AliceorEve) starting a new protocol session with Client(initiate). As in OAuth 2.0, a typical workflow in OAuth 1.0 (depicted in Fig.3(b)) starts with a user starting a new session with Client (initiating).

## 6 Related Work

These approaches include building an implementation Q that is a behavioral refinement of P; suchQ would conform in construction to the properties of P. In these works, given a pair of models M1 and M2, the aim is to construct M which is a behavioral refinement of both M1 and M2.

## 7 Conclusions

Thus, instead of behavioral refinement (which may be too challenging to achieve), we aim to preserve some critical propertyφwhen Pis is implemented with Q. The approach proposed in this paper differs in that (1) the mapping composition involves the merging a pair of events with separate alphabet labels into a single event that retains all those labels, and (2) the composite process (P mQ) need not be a behavioral refinement ofPorQ, as long as it satisfies propertyφ.

The images or other third-party material in this chapter are included in the chapter's Creative Commons license, unless otherwise indicated in a credit line for the material. The unfeasibility of a specification is often due to the assumption that the behavior of the environment is unconstrained.

## 1 Introduction

The arbitrator's goal is to ensure the classic property of mutual exclusion, by not granting access to the two clients at the same time. In Section 6, we define the approximate version of the problem and provide a synthesis procedure based on maximal model count.

## 2 Related Work

In Section 3, we define the synthesis problem for lasso-exact implementations, and describe an automaton theoretic synthesis algorithm. That is, including as an additional parameter to the synthesis problem a constraint on the state space of the environment.

## 3 Preliminaries

For a set of atomic propositions AP=O∪I, we say that a 2O-labeled 2I-transitive system T satisfies the formula LTL ϕ if and only if L(T)⊆L(ϕ), i.e. every trace of T satisfies ϕ. As usual, we denote the set of words accepted by a non-deterministic or deterministic terminal automaton by AbyL(A).

## 4 Synthesis of Lasso-Precise Implementations

### Lasso-Precise Implementations

The following theorem states the connection between LTL and alternating B¨uchi automata, namely that every LTL formula ϕ can be translated to an alternating B¨uchi automata with the same language and size linearly in the length of ϕ. 13] For every LTL formula ϕ there is an alternating B¨uchi automaton A of size O(|ϕ|) with L(A) =L(ϕ), where|ϕ| is the length of ϕ.

### Automata-Theoretic Synthesis of Lasso-Precise Implementations

States of the form (w·α·#m, t) with m ≥ 1 store the part of the input word read so far, for input words of length less than . That is, L consists of the words of length k, where the letters a with a|I =a appear in the last position and only in the last position.

## 5 Bounded Synthesis of Lasso-Precise Implementations

The following theorem is a consequence of the above and provides us with an automata-theoretic approach to solving the lasso exact synthesis problem. Line (10) handles the lasso loop transition and makes the lasso loop follow τ.

## 6 Synthesis of Approximate Implementations

### Symbolic Approach

For a specification ϕ, which does not constrain the length of the lassos and size of the system, respectively, we can compute a k-approximation for ϕ by applying a maximum model counting algorithm to the constraining system given below. To check the existence of a -k approximation, we maximize over the set of assignments to variables defining the transition system (line 11) and count over variables defining input sequences of the environment given by lassos of length k.

## 7 Experimental Results

Since two input lassos of the same length can induce the same infinite input sequence, we count over auxiliary variables representing unrolling of the lassos instead of counting over the input propositions themselves (line13). Inspection of the encoding constraints shows that the constraint for the specification accounts for more than 80% of the number of gates in the encoding.

## 8 Conclusion

V: Proceedings of the 18th Annual Symposium on Foundations of Computer Science, SFCS 1977, Washington, DC, USA, 1977. V: Proceedings of the 15th Conference on Formal Methods in Computer-aided Design (FMCAD 2015), pp.

## Synthesis

While related work is discussed in detail later in the paper (Section 6), it should be noted that syntactic guidance is crucial in helping us overcome many of the limitations of other techniques for checking string manipulation programs. Our main contributions are then presented in Section 3 (main algorithm) and Section 4 (important design choices).

## 2 Background

### Programs as Constrained Horn Clauses

Finally, the program calculates the sums of all elements in Band requires us to prove that sis is never negative. In the paper, we assume that a relation given by an interpretation is represented by a formula on the freest variables.

Illustrating Example

## 3 Invariants via Enumerative Search

### Quantifier-Free Invariants

Its key insight is the automatic construction of a set of formal grammars G(inv) for each inv∈R based on the source code, program behavior, or both. The seed set can then optionally be supplemented with a set of behavioral seeds and limited evidence.

### Quantified Candidates from Quantifier-Free Grammars

It then generates range formulas based on the results of the analysis (line 6), such that: (1) the range formula itself is an inductive invariant of inv, and (2) the range formula is expressed over the initial values of counters of invand the countert itself . So the only part of the candidate formula where the numerator can appear is the range formula.

## 4 Design Choices

*Discovery of Progress Lemmas**SMT-Based Inductiveness Checking**Strategy of Lemma Propagation**Weakening Strategy**Learning from Sub-ranges*

Often a prerequisite for success is a common access function f between the applicant and the CHC authority. Thus, from a failed proof of the inductivity of the finalized candidate, it does not follow that the regressive candidate is not inductive; and it makes sense to try to prove it in the next iteration.

## 5 Evaluation

There are a number of approaches that verify matrix programs without explicitly inferring quantized invariants. Alternatively, there are approaches that use sufficiently expressive propositions to infer quantified invariants over sets [5,21,27].

## 7 Conclusion

Alternatively, [36] choose a template in advance and renovate it with constants or coefficients that appear in the program source. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by law or exceeds the permitted use, you must obtain permission directly from the copyright holder.

## Constraints

The primary bottleneck of ciphers is the number of expensive calls to the synthesizer, which is apparently exponential in the size of the sample set. On the theoretical side, we present a detailed analysis of ciphers and prove that it requires only a polynomial number of invocations of the synthesizer, explaining that the strong empirical performance of the algorithm is not only due to the heuristics presented in [1] (Sect. .3) .

## 2 An Overview of DIGITS

*Probabilistic Synthesis Problem**A Naive DIGITS Algorithm**Convergence Guarantees**Understanding Convergence*

However, the naive version described here is sufficient to discuss the convergence properties of the full algorithm. In fact, this observation is exactly the core of the PAC learning argument: having an ε-net exactly guarantees the approximate learnability.

## 3 The Eﬃciency of Trie-Based Search

### The Trie-Based Search Strategy of DIGITS

Explore” rules are then applied twice to build the children of the root: the child following the 0 branch must map 0.4 →0, which is [0,0.3]. At this point we've exhausted depth 1 (middle figure), so "Deep" applies again, maybe 0.6 with the sample set.

### Polynomial Bound on the Number of Synthesis Queries

When numbers end using a sample set S, it has considered all the dichotomies of S: the programs it enumerated correspond exactly to extensions of the realizable dichotomies ΠP(S). In fact, each run of the algorithm on these programs will perform exactly 12m(m+ 1) many queries.).

## 4 Property-Directed τ -DIGITS

*Algorithm Description**Analyzing Failure Probability with Thresholding**Adaptive Threshold**Synthetic Benchmarks**Original DIGITS Benchmarks**Thermostat Controller*

In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, Portland, OR, USA, 15-17 June 2015, pp. In: Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp .

## Hybrid Automata

Moreover, the proposed synthesis algorithm is complete for a general class of hybrid linear automata, i.e., the algorithm can synthesize any given model from this class. As the main contributions, (1) we present an online algorithm for the automatic synthesis of hybrid linear automata from data that is robust, i.e., guarantees that the generated model approximates the data up to a user-defined threshold, correct, i.e. The model is tight and complete for a general class.

## 2 Preliminaries

From Time-Series Data topwlFunctions. Experimental data usually comes as time series, i.e. data is only available at sampled time points. Since the lha model contains piecewise-linear executions, we focus on piecewise-linear approximation of the data.

## 3 Synthesis of Linear Hybrid Automata

### Synchronous Switching Specification

Thus, a minimal number of modes can be achieved by minimizing the number of different slopes in γ. By fixing a number of different slopes, we encode the existence of γ as a logical formula φf,ε, which will be satisfiable if and only if there exists a suitable function γ.

### Asynchronous Switching Specification

The above synthesis algorithm works well with short and low-dimensional pwlfunctions, but does not scale to realistic problem sizes due to the heavy use of partitions. Note that ε-capture compares functions to automaton executions, while ε-precision compares functions to the state space of the automaton.

## 4 Membership-based Synthesis Approach

### Membership-based Synthesis Algorithm

When finding a pathπ that satisfies the previous constraints, Membership(f,H, ε) returns True as an answer, along with the path π. Once the path π is constructed, the adjustment of the lha H is performed relative to π.

### Discussion

The algorithm increases the mode invariant q1 by computing the convex hull of the old invariant[2,2]ε and the array[1,1]ε. Considering the fluxes in q1 and q0, the next accessible commutation group P1π is the projection of the group Q into the state x.

### Theoretical Properties of the Membership-based Synthesis The following theorem asserts that Algorithm 1 solves Problem 3

In the simple case that F contains only afﬃne functions with the same slope, all models resulting from different processing commands will consist of a single mode with the same current, and the invariant bounds differ by at most ε. An extension of our approach to using polyhedral differential inclusions (also called linear envelopes) is to merge forms of "similar" dynamics.

## 5 Experimental Results

In the second case, some parts of the state space are explored less frequently by sampled implementations. After an additional 90 iterations, the remaining parts of the state space were visited, which is reflected in the exact boundaries of the resulting model.

## 6 Conclusion

We note an increase in the number of rounds for 27% of the degraded performance cases. In the ith round, the current set of input examples Ei is used together with the grammar - in this case G2 - and the specification of the desired behavior - ψmax2(f, x, y), to create a candidate program P[G2, Ei].

## Analysis for Compact SMT Encodings

Relationship analysis identifies pairs of events that can affect a memory model constraint. Dartagnan encodes the semantics of the given program according to the given memory model in an SMT formula.

## 2 Input, Functionality, and Implementation

Our relationship analysis identifies strong edges—edges that can have an impact on a memory model constraint. It encodes this acyclic program along with the memory model into an SMT formula and passes it to Z3solver.

## 3 Relation Analysis

To improve the accuracy of the forloc,co,andrf sets, our fixed point calculation includes amay-alias analysis. A minset is a union of minsets for subrelations, shown with colored (dotted and solid) edges.

## 4 Experiments

Designing protocols for multi-agent interaction that achieve the desired behavior is a challenging and error-prone process. In this paper, we begin by providing an overview of the protocol and its original "proof" of correctness, which represents standard practice in multi-agent protocol design.

## 2 Decentralized Perimeter Surveillance System (DPSS)

Due to incorrect "left" coordination variables, UAV N -1 and UAV N may think that their shared segment boundary is infinitely close to the left endpoint. The left UAV 1 learns the true location of the left perimeter endpoint and this information will be passed to the other UAVs as they meet, but the information will have to travel through the perimeter again to reach the right UAVN around time 3T.

## 3 Formal Models

However, since UAV N thinks its segment boundary is close to the left endpoint, it ends its escort and goes right without knowing the true location of the left perimeter endpoint. The AGREE DPSS three-UAV model consists of a single top-level system model, which we refer to as “System”, and a component-level UAV model instantiated three times, which we refer to as “UAV(s)”. The system essentially coordinates a discrete simulation of a UAV event when running the DPSS protocol, where events include a UAV reaching a perimeter endpoint or two UAVs starting or stopping an escort.

## 4 Formal Analysis Results

Then they separate and UAV 1 learns where the endpoint of the left perimeter actually is, but UAV 2 does not. Then they separate and UAV 3 learns where the endpoint of the correct perimeter is, but UAV 2 does not.

## 5 Discussion and Conclusions

Feiler, P.H., Lewis, B.A., Vestal, S.: SAE Architectural Analysis and Design Language (AADL): A Standard for Engineering Performance Critical Systems. Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution, and reproduction in any medium or form. , provided you give proper credit to the original author(s) and source, provide a link to the Creative Commons license, and indicate whether changes have been made.

## Systems and Timed Temporal Properties

Support for temporal properties has been extended to include MTL0,∞ formulas with parametric intervals [3,4]. Therefore, NUXMV now supports model checking of invariant, LTL, and MTL0,∞ properties over (symbolic) time-distributed transient systems, as well as validity/satisfiability checking of LTL and MTL0,∞ formulas.

## 2 Software Architecture

We have extended the parser to allow the user to choose the temporal semantics to use for the read model. We have extended the traces for NUXMV to support time traces (hairpin traces where some clock variables can vary).

## 3 Language Extensions

They are always FALSE in discrete steps and hold in time if the argument holds in the open interval immediately after/before (respectively) the current step. They return the value of the expression at the next and the last time, respectively, when the formula is true.

## 4 Extending Traces

In fact, this is particularly important for time-lapse systems, which have a hairpin-shaped trace due to the presence of an ever-diverging variable time. The above definition requires the existence of functions fy to compute the updates of diverging variables.

## 5 Related Work

The correctness of the encoding depends on the safe choice of the Y set, which reverts to the imperfect hairpin case when some syntactic constraints on expressions containing hours are not met (see the Appendix for more details).

## 6 Experimental Evaluation

In: Proceedings of the ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications. In: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, p.

In the field of hybrid falsification - and more generally in search-based testing - the following problem is widely recognized. We identify an instance of the MAB problem in choosing the formula (from ϕ1, ϕ2) to try to falsify by hill climbing.

## 2 Preliminaries: Hill Climbing-Guided Falsification

### Robust Semantics for STL

This research direction is perpendicular to ours; we intend to explore the use of such logic in our current framework. Finally, interest in the use of deep neural networks is increasing in the field of counterfeiting (as well as in many other fields).

### Hill Climbing-Guided Falsification

It follows from the definition that the robustness for the ultimate modality is given by,♦[a,b](x >0)=. Our choice of spatial robustness in this paper is for the sake of simplicity, and is therefore not essential.

## 3 Our Multi-armed Bandit-Based Falsification Algorithm

*Conjunctive and Disjunctive Safety Properties**The Multi-Armed Bandit (MAB) Problem**Our MAB-Guided Algorithm I: Conjunctive Safety Properties**Our MAB-Guided Algorithm II: Disjunctive Safety Properties*

In the case of the mountain climbing algorithm CMA-ES we use, it is in fact guaranteed). The numerator max-rb(i, k−1)−last-rb(i, k−1) then represents how much robustness we have reduced so far by hill climbing - hence the name "hill climbing gain." The denominator max-rb(i, k−1) is there for normalization.

## 4 Experimental Evaluation

### Evaluation

In RQ2, we checked whether the proposed approach is capable of addressing the scaling problem for which it was designed. This means that the proposed approach can also handle specifications that do not suffer from the scaling problem, and thus can be used with any kind of specification.

## 5 Conclusion and Future Work

Dreossi, T., Dang, T., Donz´e, A., Kapinski, J., Jin, X., Deshmukh, J.V.: Efficient guidance strategies for testing the transient properties of hybrid systems. In: Proceedings of the 20th International Conference on Hybrid Systems: Computation and Control, HSCC 2017, pp.

The basis for the framework is RTLola, an extension of the Lola Steam-based runtime verification language. Of course, not all RTLola specifications can be monitored with constant memory since the rates of the input streams are unknown, an arbitrary number of events can occur in the space of a fixed real-time unit.

2 Real-Time Lola