2023, Bauer-Marquart, Fabian, Leue, Stefan, Schilling, Christian

We present symQV, a symbolic execution framework for writing and verifying quantum computations in the quantum circuit model. symQV can automatically verify that a quantum program complies with a first-order specification. We formally introduce a symbolic quantum program model. This allows to encode the verification problem in an SMT formula, which can then be checked with a δ-complete decision procedure. We also propose an abstraction technique to speed up the verification process. Experimental results show that the abstraction improves symQV ’s scalability by an order of magnitude to quantum programs with 24 qubits (a 2²⁴-dimensional state space).

2021, Kölbl, Martin, Leue, Stefan, Wies, Thomas

We present algorithms and techniques for the repair of timed system models, given as networks of timed automata (NTA). The repair is based on an analysis of timed diagnostic traces (TDTs) that are computed by real-time model checking tools, such as UPPAAL, when they detect the violation of a timed safety property. We present an encoding of TDTs in linear real arithmetic and use the MaxSMT capabilities of the SMT solver Z3 to suggest a minimal number of possible syntactic repairs of the analyzed model. The suggested repairs include modified values for clock bounds in location invariants and transition guards, adding or removing clock resets, etc. We then present an admissibility criterion, called functional equivalence, which ensures that the proposed repair preserves the functional behavior of the considered NTA. We discuss a proof-of-concept tool called TarTar that we have developed, implementing the repair and admissibility analysis, and give insights into its design and architecture. We evaluate the proposed repair technique on faulty mutations generated from a diverse suite of case studies taken from the literature. We show that TarTar can admissibly repair for 69–88% of the seeded errors in the considered system models.

2020-07-14, Kölbl, Martin, Leue, Stefan, Wies, Thomas

We present TarTar, an automatic repair analysis tool that, given a timed diagnostic trace (TDT) obtained during the model checking of a timed automaton model, suggests possible syntactic repairs of the analyzed model. The suggested repairs include modified values for clock bounds in location invariants and transition guards, adding or removing clock resets, etc. The proposed repairs guarantee that the given TDT is no longer feasible in the repaired model, while preserving the overall functional behavior of the system. We give insights into the design and architecture of TarTar, and show that it can successfully repair 69% of the seeded errors in system models taken from a diverse suite of case studies.

2019, Caltais, Georgiana, Guetlein, Sophie Linnea, Leue, Stefan

In this paper we provide a notion of causality for the violation of general Linear Temporal Logic (LTL) properties. The current work is a natural extension of the previously proposed approach handling causality in the context of LTL-definable safety properties. The major difference is that now, counterexamples of general LTL properties are not merely finite traces, but infinite lasso-shaped traces. We analyze such infinite counterexamples and identify the relevant ordered occurrences of causal events, obtained by unfolding the looping part of the lasso shaped counterexample sufficiently many times. The focus is on LTL properties from practical considerations: the current results are to be implemented in QuantUM, a tool for causality checking, that exploits explicit state LTL model checking.

2022, Bauer-Marquart, Fabian, Boetius, David, Leue, Stefan, Schilling, Christian

Deep neural networks (DNNs) are increasingly applied in safety-critical domains, such as self-driving cars, unmanned aircraft, and medical diagnosis. It is of fundamental importance to certify the safety of these DNNs, i.e. that they comply with a formal safety specification. While safety certification tools exactly answer this question, they are of no help in debugging unsafe DNNs, requiring the developer to iteratively verify and modify the DNN until safety is eventually achieved. Hence, a repair technique needs to be developed that can produce a safe DNN automatically. To address this need, we present SpecRepair, a tool that efficiently eliminates counter-examples from a DNN and produces a provably safe DNN without harming its classification accuracy. SpecRepair combines specification-based counter-example search and resumes training of the DNN, penalizing counter-examples and certifying the resulting DNN. We evaluate SpecRepair’s effectiveness on the ACAS Xu benchmark, a DNN-based controller for unmanned aircraft, and two image classification benchmarks. The results show that SpecRepair is more successful in producing safe DNNs than comparable methods, has a shorter runtime, and produces safe DNNs while preserving their classification accuracy.

2021, Kölbl, Martin, Leue, Stefan

Causality Checking [LL13] computes a causal explanation in the form of minimal action traces that lead to the violations of a reachability property. Causality Checking is implemented in the tool QuantUM [LFL11] that currently only depicts in a fault tree the causal actions in the action traces that lead to a property violation, but not the possible order of these actions. We present an analysis to compute the strict partial order of actions in action traces and succinctly depict these orders by a fault tree. We implemented the analysis in the tool QuantUM. We assess the performance of our algorithm by applying it to several models of different size. The results show that the analysis can compute the action order for thousands of action traces.

2020, Caltais, Georgiana, Leue, Stefan, Singh, Hargurbir

In this paper we discuss the correctness of an ATL-based model transformation from the systems engineering modelling language SysML into Promela, the input language of the SPIN model checker. More precisely, we reduce showing the correctness of the transformation to showing a notion of what we refer to as observational equivalence of the SysML and the generated Promela models, respectively. This paves the way to a proof technique that could be further exploited in order to argue the correctness of model transformations from SysML to various model checkers, based on the observable actions generated by the systems under analysis.

2022, Khoja, Alan, Kölbl, Martin, Leue, Stefan, Wilhelmi, Rüdiger

Contracts in business life, and in particular company purchase agreements, often comprise a large number of provisions and are correspondingly long and complex. In practice, it is therefore a great challenge to keep track of their regulatory context and to identify and avoid inconsistencies in such contracts. Against this background, we propose a semi-formal as well as a formal logical modeling of this type of contracts, using decidable first-order theories. We also present the tool ContractCheck, which performs fully automated inconsistency analyses on the considered contracts using Satisfiability Modulo Theories (SMT) solving.

2020-08-25, Kölbl, Martin, Leue, Stefan, Schmid, Robert

When a real-time model checker detects the violation of a timed reachability property for a given Timed Automata model it returns a counterexample, here referred to as a Timed Diagnostic Trace (TDT). In this paper, we present a TDT analysis that computes actual dynamic causes in terms of delay ranges that can be considered causal for the violation of the property. The determination of actual causes can help in system analysis as well as design space exploration. The causal analysis is based on counterfactual reasoning and encoded in linear real arithmetic. We apply an implementation of the analysis in the tool CaTiRA to a number of Timed Automata models taken from the literature.

2019-07-12, Kölbl, Martin, Leue, Stefan, Wies, Thomas

We present algorithms and techniques for the repair of timed system models, given as networks of timed automata (NTA). The repair is based on an analysis of timed diagnostic traces (TDTs) that are computed by real-time model checking tools, such as UPPAAL, when they detect the violation of a timed safety property. We present an encoding of TDTs in linear real arithmetic and use the MaxSMT capabilities of the SMT solver Z3 to compute possible repairs to clock bound values that minimize the necessary changes to the automaton. We then present an admissibility criterion, called functional equivalence, that assesses whether a proposed repair is admissible in the overall context of the NTA. We have implemented a proof-of-concept tool called TarTar for the repair and admissibility analysis. To illustrate the method, we have considered a number of case studies taken from the literature and automatically injected changes to clock bounds to generate faulty mutations. Our technique is able to compute a feasible repair for 91% of the faults detected by UPPAAL in the generated mutants.