client/server implementation of an atl model checker using web services
DESCRIPTION
L.F. Stoica, F. Stoica, D. Simian, Client/Server Implementation of an ATL Model Checker Using Web Services, Proceedings of the 16th WSEAS International Conference on Computers, Kos Island, Greece, pages 359–364, July 14-17, 2012. ISBN: 978-1-61804-109-8.TRANSCRIPT
Client/Server Implementation of an ATL Model Checker Using Web
Services
LAURA FLORENTINA STOICA, FLORIN STOICA, DANA SIMIAN
Department of Computer Science
―Lucian Blaga‖ University of Sibiu, Faculty of Sciences
Str. Dr. Ion Ratiu 5-7, 550012, Sibiu
ROMANIA
[email protected], [email protected], [email protected]
Abstract: - Alternating-Time Temporal Logic (ATL) is widely used to capture compositions of open systems.
An open system interacts with its environment and its behaviour depends on the state of the system as well as
the behaviour of the environment. The ATL logic is interpreted over concurrent game structures, considered as
natural models for compositions of open systems. An ATL model checker tool allows designers to
automatically verify that systems satisfy specifications expressed in the language of alternating-time temporal
logic. In this paper we present a new ATL model checker implemented in client-server paradigm: ATL
Designer, the client tool, allows an interactive construction of the concurrent game structures as a directed
multi-graphs and the ATL Checker, which represents the server part and is published as Web service. The ATL
Checker receives from the user a concurrent game structures embedded into a XML document and an ATL
formula, and return to client the set of stated in which the formula is satisfied.
Key-Words: - ATL model checking, Web services, ANTLR, algebraic compiler
1 Introduction Model checking is a technology often used for the
automated system verification. The problem of
model checking is to verify if a finite-state
abstraction of a reactive system satisfies a temporal-
logic specification. A Computation Tree Logic
(CTL) specification is interpreted over Kripke
structures. CTL provide a model for the
computations of a closed system [5]. An open
system is a system that interacts with its
environment and whose behaviour depends on the
state of the system as well as the behaviour of the
environment. In order to construct models suitable
for open systems, was defined the Alternating-time
Temporal Logic (ATL) [1], an extension of CTL,
which is interpreted over concurrent game
structures. We will show in this paper how our
original ANTLR-based model checker for CTL
presented in [3] can be modified to check an ATL
specification, using a data structure suitable for
multi-graph representation of a concurrent game
structure. We also provide a .NET GUI client which
has capability to design interactive graphical
specifications of the ATL models.
The paper is organized as follows. In section 2
we present the definition of the concurrent game
structure. In section 3 is presented the
implementation of an algebraic compiler used by
our tool to verify satisfiability of ATL formulas for
given models. Invocation of the compiler will be
accomplished through a Web service described in
section 4. The client component of our tool, named
ATL Designer, is presented in section 5. In section 6
we test a study case for the new model checking
tool. Conclusions are presented in section 7.
2 The concurrent game structure A concurrent game structure is defined in [1] as a
tuple S= k,Q, , ,d , wi th the fol lowing
components: k 1 the number of players from the
set ; Q a finite set of states; a finite set of
propositions (or observables); the labelling (or
observation) function; d the counting alternatives
function and the transition function. For each
state qQ, (q) is the set of propositions true at
q. For each player a{1,…,k} and each state qQ,
the counting alternatives function d: ×Q
associates the number of available moves of agent a
at state q. In the following, the number d(a,q) will
be denoted by da(q). Thus, the moves of player a at
state q are denoted by 1, .., da(q). For each state
qQ, a tuple j1,…,jk such that 1ja da(q) for each
player a, represents a move vector at q. We define
the move function D : Q P(M), with M the
set of all move vectors such that
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 359
D(q){1,…,d1(q)}×…×{1,…, dk(q)is the set of
move vectors at q.
The transition function (q,j1,…,jk), associates to
each state qQ and each move vector j1,…,jk
D(q) the state that results from state q if every
player a{1,…,k} choose move ja.
A computation of S is an infinite sequence =q0,
q1,…such thatqi+1 is the successor of qi , i ≥ 0 [1].
A q-computation is a computation starting at state q.
For a computation and a position i ≥0, we
denote by [i ], [0,i ], and [i,∞] the i-th state of
, the finite prefix q0, q1,…,qi of , and the infinite
suffix qi , qi+1 … of , respectively [1].
In this paper we present a new ATL model
checker implemented in client-server paradigm.
ATL allows a natural description of the
computations of the open systems. In order to model
the composition of open systems, we consider multi-
player games. The set of players represents different
component of the system and the environment.
2.1. ATL syntax
We denote by FS(A) the set of all syntactically
correct ATL formulas, defined over a concurrent
game structure S and a set of agents A .
Each formula from FS(A) can be obtained using
the following rules:
(R1) if p then p FS(A);
(R2) if {φ, φ1, φ2} FS(A) then {⌐ φ, φ1φ2}
FS(A);
(R3) if {φ, φ1, φ2} FS(A) then {A ○ φ,
A □ φ, A φ1 U φ2} FS(A).
The logic ATL is similar to the branching time
temporal logic CTL, with difference that path
quantifiers are parameterized by sets of players from
. The operator is a path quantifier, and ○
(‗next‘), □ (‗always‘), (‗future‘) and U (‗until‘) are
temporal operators. A formula A φ expresses that
the team A has a collective strategy to enforce φ.
Boolean connectives can be defined from ⌐ and in
the usual way. The ATL formula A φ is
equivalent with A true U φ.
2.2. ATL semantics
Consider a game structure S=k,Q,,,d, and
={1,…,k} the set of players.
A strategy for player a is a function fa: Q+
N that maps every nonempty finite state sequence
=q0q1…qn, n≥0, to a natural number such that
fa(){1,…,da(qn)}. Thus, the strategy fa determines
for every finite prefix of a computation a move
fa() for player a in the last state of .
Given a set A{1,…,k} of players, the set of all
strategies of agents from A is denoted by FA={ fa |
aA}. The outcome of FA is defined as : Q
P(Q+), where
represents q-computations
that the players from A are enforcing when they
follow the strategies from FA. In the following, for
we will use the notation . A
computation =q0,q1,q2,… is in out(q,FA) if q0=q
and for all positions i0, there is a move vector
j1,…,jk D(qi) such that [1]:
ja=fa([0,i]) for all players aA, and
(qi, j1,…,jk)= qi+1
For a game structure S, we write q⊨ to indicate
that the formula is satisfied in the state q of the
structure S.
For each state q of S, the satisfaction relation ⊨
is defined inductively as follows:
for p, q⊨p p(q)
q⊨ q⊭
q⊨12 q⊨1 or q⊨2
q⊨A ○ φ there exists a set FA of strategies,
such that for all computations out(q, FA), we
have [1] ⊨ (the formula is satisfied in the
successor of q within computation ).
q⊨A □ φ there exists a set FA of strategies,
such that for all computations out(q, FA), and
all positions i0, we have [i] ⊨ (the formula
is satisfied in all states of computation ).
q⊨A φ1 U φ2 there exists a set FA of
strategies, such that for all computations out(q,
FA), there exists a position i0 such that [i] ⊨ 2
and for all positions 0j<i, we have [j] ⊨ 1.
The path quantifiers A, E of CTL can be
expressed in ATL with ∅, respectively.
3 Implementation of a model checker
in ANTLR A model checking tool can be used to verify if a
given system satisfies a temporal logic formula.
The algebraic methodology is used in order to
generate an ATL model checker from its algebraic
specification. In paper [5] we showed in detail how
this algebraic approach can be used to develop a
specification of an ATL model checker.
We define the ATL language as a – language
[5]. The operator scheme atl is defined as a triple
Satl,Oatl,atl where set Satl contains the
representations of the ATL formulas, Oatl = {, ,
,, , ○, □, U} is the set of temporal operators,
and the atl:Oatl→Satl
∗×Satl is a function which
defines the signature of the operators. The ATL
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 360
model checker can be defined as the atl - language
given in the form Latl=Sematl, Synatl,
atl:SematlSynatl. Sematl represents the ATL
semantic algebra defined over the set of ATL
formulas defined for the model S. Synatl is the word
algebra of the operator scheme atl generated by the
operations from Oatl and from a finite set of
variables, representing atomic propositions, denoted
by AP.
The evaluation function of the language atl is an homomorphism Eatl: Synatl → Sematl defined as
follows: if atl( ) is well defined then
Eatl( atl( )= , Sematl. Eatl is a mapping which
associates well-defined ATL formulas atl( ) with
the set of states in which these formulas are
satisfied: Q, = {q Q | q⊨ φ, φ atl( )}
Having well-defined the ATL language,
implementation of an ATL model checker will be
equated with an algebraic compiler which translates
formula φ of the ATL model to set of nodes Q' over
which formula f is satisfied.
Thus, from a formal point of view,
implementation of an ATL model checker will be
accomplished through implementation of an
algebraic compiler. The definition of sigma
algebras, sigma languages and also the definition of
sigma heterogenic homomorphism can be found in
detail in papers [2], [6].
In paper [3] it is mentioned that an algebraic
compiler can be defined using Σ – algebras and Σ–
heterogenic homomorphism as :Ls→Lt. Ls is the
source language. Lt is the target language. In our
case Ls is the language of ATL formulas, and Lt is a
language defined as {{ ⊨ } }, where
denote an ATL formula.
The implementation of the algebraic compiler is
made in two steps. First, we need a syntactic parser
to verify the syntactic correctness of a formula .
Second, we should deal with the semantics of the
ATL language (Sematl), respectively with the
implementation of the operators from extended set
Oatl={, , ,, , ○, □, U}.
The algebraic compiler C translates formula of
the ATL model to set of nodes Q' over which
formula is satisfied. That is, C()=Q' where
Q'={qQ| q⊨ }.
We choose the ANTLR (Another Tool for
Language Recognition) for implementation of the
algebraic compiler. ANTLR [4] is a compiler
generator which takes as input a grammar, and
generates a recognizer for the language defined by
the grammar.
The algebraic compiler C implements the
following ATL symbolic model checking algorithm
[5], [1]:
function EvalA() as set of states Q
case =p: return [p];
case = :
return Q\EvalA();
case =12:
return EvalA(1) EvalA(2);
case =12:
return EvalA(1) EvalA(2) );
case =12:
return ( Q\EvalA(1) ) EvalA(2);
case φ =A○:
return Pre(A,EvalA());
case φ =A□:
:=Q; := EvalA(); 0:= ;
while ⊈ do
:= ; :=Pre(A, )0; wend
return ;
case φ = A 1 U 2:
:=; := EvalA(2); 0:= EvalA(1);
while ⊈ do
:= ;
:=Pre(A, )0; wend
return ; end function
The set returned by the Pre(A,) function contains
state qQ if for every player aA there exists a
move ja{1,…,da(q)} such that for all players
b\A, whatever are their moves, we have (q,
j1,…, jk).
Translation of a formula of an ATL model to
the set of nodes Q' over which formula is satisfied
is accomplished by attaching of specific actions to
grammatical constructions within specification
grammar of ATL.
The actions are written in target language of the
generated parser. We use for implementation Java
language. These actions are incorporated in source
code of the parser and are activated whenever the
parser recognizes a valid syntactic construction in
the translated ATL formula. In case of the algebraic
compiler , the actions define the semantics of the
ATL model checker, i.e., the implementation of the
Oatl operators.
The model checker generated by ANTLR from
our ATL specification grammar, takes as input the
concurrent game structure S and the formula , and
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 361
provides as output Q'={qQ| q ⊨ } – the set of
states where the formula is satisfied.
The corresponding action included in the
ANTLR grammar of ATL language for
implementing the □ operator is [3]: ’<<A>> #’ f=formula
{
HashSet r=new HashSet(all_SetS);
HashSet p=$f.set;
while (!p.containsAll(r))
{
r=new HashSet(p);
p=Pre(r);
p.retainAll($f.set);
}
$set=r;
trace(”atlFormula”,4);
printSet(”<<A>>#”+$f.text,r);
}
For □ ATL operator we use in ANTLR the #
symbol. Also, we denote the ATL operator with ~
symbol and the ○ operator is replaced by @ symbol.
In our implementation the all_Set is Q, and
means all states of the model. The formula
represents a term from a production of the ATL
grammar, and p, r, f variables are sets used in
internal implementation of the algebraic compiler.
The Pre(r) is a function that returns the set of
states p such that from p, the players from A can
cooperate and enforce the next state to be in r.
The algebraic compiler implementation
process, based on our specification grammar of ATL
language is presented in figure 1.
Fig. 1 Algebraic compiler implementation
4 Publishing the ATL model checker
as a Web service Web services represent a standardized way for
applications to expose their functionality over the
Web or communicate with other applications over a
network, regardless of the platform or operating
system upon which the service or the client is
implemented. A Web service is accessible on the
Web through an URL, and use a XML file, written
using Web Service Definition Language (WSDL),
to define its interfaces and bindings.
We choose to publish our implementation of
algebraic compiler it as a Web service in order to
make the core of out tool accessible to various
clients.
Other reason for the deployment of ATL
Checker on server side is represented by the internal
implementation of the Pre() function.
We made a formalization of the Pre() function
using relational algebra expressions and schemas,
and from that point, the concrete implementation in
SQL was straightforward.
Thus, our Web service is using GlassFish as a
Web container, and MySQL as a database server.
The architecture of the Web service
implementation is represented in figure 2.
Fig 2. The architecture of the ATL model checker
Web Service
The Web service will receive from a client the
XML representation of a ATL model S and a ATL
formula . The original form of the ATL model S is
passed then to the algebraic compiler generated
by ANTLR using our ATL extended grammar. For a
syntactically correct formula , the compiler will
return as result C()={qQ| q ⊨ }, the set of states
in which the formula is satisfied.
In order to notify the client about possible
syntactical errors from formula , we must override
the default behavior of the ANTLR error-handling.
We install our error-handling in lexer and parser:
@Override
public void reportError(RecognitionException re) {
throw new RuntimeException
("Lexical or Syntactical error!”); }
and finally instruct ANTLR to throw the error,
allowing the Web service to send it to the client:
@rulecatch {
catch (RecognitionException err) {
throw err; }}
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 362
In conclusion, for a given ATL model
(concurrent game structure) and an ATL formula ,
the Web service will parse the formula and will
return to client the set of states in which the formula
is satisfied if formula is syntactically correct, or an
message describing the error from an erroneous
formula.
As we can see from the figure 2, the transport
protocol used by the Web Service enables clients to
invoke its methods through firewalls.
5 The C# client The model checking tool is based on a C# GUI
client who allows interactive graphical development
of the ATL models.
Fig 3. ATL Designer - the C# client in action
All facilities are accessible through a right-click
contextual menu: adding nodes, labeling nodes,
deleting nodes, adding arcs, display nodes numbers,
etc.
Fig 4. ATL Designer – interactive design of a
concurrent game structure
The model is sent as a XML document to the
Web service, together with the formula to be
verified. The response from server is displayed in a
separate window, as we will see in the following
section.
6 An ATL Model for a turn-based
synchronous game structure Formally, a game structure S=k,Q,,,d, is turn-
based synchronous if for every state q from Q, there
exist a player a{1,…,k} such that db(q) = 1 for all
players b{1,…,k}\{a}. State q is the turn of player
a.
Consider a system with two components, User
and Admin. The Slog_pg=k,Q,,,d, describes a
protocol for a user who wanted to login into a web
site. If user hasn‘t an account, it must make a
request to administrator for creating one and
registration into the website. If the user already has
an account, it will make a simple login request.
We model the turn-based synchronous game
structure by the Slog_pg=k,Q,,,d,:
k=2 (player 1 represents the user, player 2
represents the admin)
Q = {q0,q1,q2,q3,q4} – q0 means sing out; q1 means
request for create an account and registration into
web site; q2 means request for login into account;
q3 means that user is registered and have granted
access if the username and password are correct;
q4 means sign_in into account.
={sign_in, req_register, req_login, sign_out,
registered, grant}
(q0)={sign_out},(q1)={sign_out, req_register},
(q2)={ sign_out, req_login},
(q3)={registered, grant}, (q4)={sign_in}
d1(q0)=3, d2(q0)=1. At q0 state, the player 1 has
three moves, and the player 2 has one move.
Move 1 of player 1 means to stay as sign_out,
move 2 means to send a request for admin for
create an account and proceed to q1, and move 3 to
send a request for admin for login into account
and proceed to q2.
At q0 state, the player 2 waits for request.
d1(q1)=1, d2(q1)=3. At q1 state, the player 2 has
three moves, and the player 1 has one move.
Move 1 of player 2 means delay the handling of
the request, move 2 means deny the register
request, and move 3 means create an account and
register the user into web site.
At q1 state, the player 1 waits for answer.
d1(q2)=1, d2(q2)=3. At q2 state, the player 2 has
three moves, and the player 1 has one move.
Move 1 of player 2 means delay the handling of
the request, move 2 means deny the login request,
and move 3 means granted permission to sign_in.
At q2 state, the player 1 waits for answer.
d1(q3)=d2(q3)=1. At q3 state, both players have one
move. Move 1 of player 1 means to sign_in.
Because state q3 is the turn of player 1, the player
2 has no options.
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 363
d1(q4)=2,d2(q4)=1. At q4 state, the player 1 has two
moves. Move 1 means stay logged in and move 2
means the sign_out of the account.
State q0 has three successors: (q0,1,1)=q0,
(q0,2,1)=q1, (q0,3,1)=q2 etc.
Two states of the system, q1 and q2, are
controlled. When a computation is in one of these
states, the admin choose the next state. The other
three states are uncontrolled and the user chooses a
successor state.
Fig. 5 The Slog_pg - concurrent game structure
The game structure presented in figure 5
describes the turn-based synchronous game
structure presented above.
The following formula:
(<<A>> sign_out U (registered and grant))
affirm that user is in sign_out state until he is
registered and has permission to log in. This
behaviour implied that both agents must cooperate,
and for this reason A={1,2}.
As we can see in figure 6 the formula is satisfied in
states q0, q1, q2 and q3.
In figure 7 is presented the result of checking
formula: <<A>>~ sign_in
where A={1}. As we can see, the only states in
which the formula holds are q3 and q4, because from
other states there are moves of agent 2 which can
prevent the user to sign in.
Fig 6. Invoking the algebraic compiler (Web
service) from the ATL Designer (client)
Fig 7. States from which user can reach the sign_in
state regardless of moves of admin
7 Conclusions In this article we built an ATL model checking
tool, based on robust technologies (Java, .NET) and
well-known standards (XML, SOAP, HTTP).
The C# implementation of the client side of our
new tool (ATL Designer) allows an interactive
graphical specification of the ATL model.
The ATL algebraic compiler is based on Java
code generated by ANTLR using an original ATL
grammar and provides error-handling for eventual
lexical/syntax errors in formula to be analyzed.
The server side of our tool (ATL Checker) was
published as a Web service, exposing its
functionality through standard XML interfaces.
References: [1] R. Alur, T. A. Henzinger , O. Kupferman,
Alternating-Time Temporal Logic, Journal of the
ACM, Vol. 49, No. 5, September 2002, pp. 672–713
[2] P.J. Higgins. Algebras with scheme of operators.
Mathematische Nachrichten, No.27, 1963/64, pp.
115–132.
[3] Laura F. Cacovean, Florin Stoica, Dana Simian, A
New Model Checking Tool, Proceedings of the
European Computing Conference (ECC ‘11), Paris,
France, April 28-30, 2011, pp. 358-364, ISBN: 978-
960-474-297-4, ISSN: 2222-7342
[4] Terence Parr , The Definitive ANTLR Reference,
Building Domain-Specific Languages, version: 2007
[5] Laura Florentina Stoica, Florin Stoica -
Considerations about the implementation of an ATL
model checker, Second International Conference on
Modelling and Development of Intelligent Systems
– MDIS, Sibiu, Romania, September 29 - October
02, 2011, ISSN 2067-3965, ISBN 978-606-12-
0243-0
[6] E. Van Wyk, Specification Languages in Algebraic
Compilers, Theoretical Computer Science, 231(3),
2003, pp. 351—385.
Recent Researches in Communications and Computers
ISBN: 978-1-61804-109-8 364