client/server implementation of an atl model checker using web services

Client/Server Implementation of an ATL Model Checker Using Web

Services

LAURA FLORENTINA STOICA, FLORIN STOICA, DANA SIMIAN

Department of Computer Science

―Lucian Blaga‖ University of Sibiu, Faculty of Sciences

Str. Dr. Ion Ratiu 5-7, 550012, Sibiu

ROMANIA

[email protected], [email protected], [email protected]

Abstract: - Alternating-Time Temporal Logic (ATL) is widely used to capture compositions of open systems.

An open system interacts with its environment and its behaviour depends on the state of the system as well as

the behaviour of the environment. The ATL logic is interpreted over concurrent game structures, considered as

natural models for compositions of open systems. An ATL model checker tool allows designers to

automatically verify that systems satisfy specifications expressed in the language of alternating-time temporal

logic. In this paper we present a new ATL model checker implemented in client-server paradigm: ATL

Designer, the client tool, allows an interactive construction of the concurrent game structures as a directed

multi-graphs and the ATL Checker, which represents the server part and is published as Web service. The ATL

Checker receives from the user a concurrent game structures embedded into a XML document and an ATL

formula, and return to client the set of stated in which the formula is satisfied.

Key-Words: - ATL model checking, Web services, ANTLR, algebraic compiler

1 Introduction Model checking is a technology often used for the

automated system verification. The problem of

model checking is to verify if a finite-state

abstraction of a reactive system satisfies a temporal-

logic specification. A Computation Tree Logic

(CTL) specification is interpreted over Kripke

structures. CTL provide a model for the

computations of a closed system [5]. An open

system is a system that interacts with its

environment and whose behaviour depends on the

state of the system as well as the behaviour of the

environment. In order to construct models suitable

for open systems, was defined the Alternating-time

Temporal Logic (ATL) [1], an extension of CTL,

which is interpreted over concurrent game

structures. We will show in this paper how our

original ANTLR-based model checker for CTL

presented in [3] can be modified to check an ATL

specification, using a data structure suitable for

multi-graph representation of a concurrent game

structure. We also provide a .NET GUI client which

has capability to design interactive graphical

specifications of the ATL models.

The paper is organized as follows. In section 2

we present the definition of the concurrent game

structure. In section 3 is presented the

implementation of an algebraic compiler used by

our tool to verify satisfiability of ATL formulas for

given models. Invocation of the compiler will be

accomplished through a Web service described in

section 4. The client component of our tool, named

ATL Designer, is presented in section 5. In section 6

we test a study case for the new model checking

tool. Conclusions are presented in section 7.

2 The concurrent game structure A concurrent game structure is defined in [1] as a

tuple S= k,Q, , ,d , wi th the fol lowing

components: k 1 the number of players from the

set ; Q a finite set of states; a finite set of

propositions (or observables); the labelling (or

observation) function; d the counting alternatives

function and the transition function. For each

state qQ, (q) is the set of propositions true at

q. For each player a{1,…,k} and each state qQ,

the counting alternatives function d: ×Q

associates the number of available moves of agent a

at state q. In the following, the number d(a,q) will

be denoted by da(q). Thus, the moves of player a at

state q are denoted by 1, .., da(q). For each state

qQ, a tuple j1,…,jk such that 1ja da(q) for each

player a, represents a move vector at q. We define

the move function D : Q P(M), with M the

set of all move vectors such that

Recent Researches in Communications and Computers

ISBN: 978-1-61804-109-8 359

D(q){1,…,d1(q)}×…×{1,…, dk(q)is the set of

move vectors at q.

The transition function (q,j1,…,jk), associates to

each state qQ and each move vector j1,…,jk

D(q) the state that results from state q if every

player a{1,…,k} choose move ja.

A computation of S is an infinite sequence =q0,

q1,…such thatqi+1 is the successor of qi , i ≥ 0 [1].

A q-computation is a computation starting at state q.

For a computation and a position i ≥0, we

denote by [i ], [0,i ], and [i,∞] the i-th state of

, the finite prefix q0, q1,…,qi of , and the infinite

suffix qi , qi+1 … of , respectively [1].

In this paper we present a new ATL model

checker implemented in client-server paradigm.

ATL allows a natural description of the

computations of the open systems. In order to model

the composition of open systems, we consider multi-

player games. The set of players represents different

component of the system and the environment.

2.1. ATL syntax

We denote by FS(A) the set of all syntactically

correct ATL formulas, defined over a concurrent

game structure S and a set of agents A .

Each formula from FS(A) can be obtained using

the following rules:

(R1) if p then p FS(A);

(R2) if {φ, φ1, φ2} FS(A) then {⌐ φ, φ1φ2}

FS(A);

(R3) if {φ, φ1, φ2} FS(A) then {A ○ φ,

A □ φ, A φ1 U φ2} FS(A).

The logic ATL is similar to the branching time

temporal logic CTL, with difference that path

quantifiers are parameterized by sets of players from

. The operator is a path quantifier, and ○

(‗next‘), □ (‗always‘), (‗future‘) and U (‗until‘) are

temporal operators. A formula A φ expresses that

the team A has a collective strategy to enforce φ.

Boolean connectives can be defined from ⌐ and in

the usual way. The ATL formula A φ is

equivalent with A true U φ.

2.2. ATL semantics

Consider a game structure S=k,Q,,,d, and

={1,…,k} the set of players.

A strategy for player a is a function fa: Q+

N that maps every nonempty finite state sequence

=q0q1…qn, n≥0, to a natural number such that

fa(){1,…,da(qn)}. Thus, the strategy fa determines

for every finite prefix of a computation a move

fa() for player a in the last state of .

Given a set A{1,…,k} of players, the set of all

strategies of agents from A is denoted by FA={ fa |

aA}. The outcome of FA is defined as : Q

P(Q+), where

represents q-computations

that the players from A are enforcing when they

follow the strategies from FA. In the following, for

we will use the notation . A

computation =q0,q1,q2,… is in out(q,FA) if q0=q

and for all positions i0, there is a move vector

j1,…,jk D(qi) such that [1]:

ja=fa([0,i]) for all players aA, and

(qi, j1,…,jk)= qi+1

For a game structure S, we write q⊨ to indicate

that the formula is satisfied in the state q of the

structure S.

For each state q of S, the satisfaction relation ⊨

is defined inductively as follows:

for p, q⊨p p(q)

q⊨ q⊭

q⊨12 q⊨1 or q⊨2

q⊨A ○ φ there exists a set FA of strategies,

such that for all computations out(q, FA), we

have [1] ⊨ (the formula is satisfied in the

successor of q within computation ).

q⊨A □ φ there exists a set FA of strategies,

such that for all computations out(q, FA), and

all positions i0, we have [i] ⊨ (the formula

is satisfied in all states of computation ).

q⊨A φ1 U φ2 there exists a set FA of

strategies, such that for all computations out(q,

FA), there exists a position i0 such that [i] ⊨ 2

and for all positions 0j<i, we have [j] ⊨ 1.

The path quantifiers A, E of CTL can be

expressed in ATL with ∅, respectively.

3 Implementation of a model checker

in ANTLR A model checking tool can be used to verify if a

given system satisfies a temporal logic formula.

The algebraic methodology is used in order to

generate an ATL model checker from its algebraic

specification. In paper [5] we showed in detail how

this algebraic approach can be used to develop a

specification of an ATL model checker.

We define the ATL language as a – language

[5]. The operator scheme atl is defined as a triple

Satl,Oatl,atl where set Satl contains the

representations of the ATL formulas, Oatl = {, ,

,, , ○, □, U} is the set of temporal operators,

and the atl:Oatl→Satl

∗×Satl is a function which

defines the signature of the operators. The ATL


ISBN: 978-1-61804-109-8 360

model checker can be defined as the atl - language

given in the form Latl=Sematl, Synatl,

atl:SematlSynatl. Sematl represents the ATL

semantic algebra defined over the set of ATL

formulas defined for the model S. Synatl is the word

algebra of the operator scheme atl generated by the

operations from Oatl and from a finite set of

variables, representing atomic propositions, denoted

by AP.

The evaluation function of the language atl is an homomorphism Eatl: Synatl → Sematl defined as

follows: if atl( ) is well defined then

Eatl( atl( )= , Sematl. Eatl is a mapping which

associates well-defined ATL formulas atl( ) with

the set of states in which these formulas are

satisfied: Q, = {q Q | q⊨ φ, φ atl( )}

Having well-defined the ATL language,

implementation of an ATL model checker will be

equated with an algebraic compiler which translates

formula φ of the ATL model to set of nodes Q' over

which formula f is satisfied.

Thus, from a formal point of view,

implementation of an ATL model checker will be

accomplished through implementation of an

algebraic compiler. The definition of sigma

algebras, sigma languages and also the definition of

sigma heterogenic homomorphism can be found in

detail in papers [2], [6].

In paper [3] it is mentioned that an algebraic

compiler can be defined using Σ – algebras and Σ–

heterogenic homomorphism as :Ls→Lt. Ls is the

source language. Lt is the target language. In our

case Ls is the language of ATL formulas, and Lt is a

language defined as {{ ⊨ } }, where

denote an ATL formula.

The implementation of the algebraic compiler is

made in two steps. First, we need a syntactic parser

to verify the syntactic correctness of a formula .

Second, we should deal with the semantics of the

ATL language (Sematl), respectively with the

implementation of the operators from extended set

Oatl={, , ,, , ○, □, U}.

The algebraic compiler C translates formula of

the ATL model to set of nodes Q' over which

formula is satisfied. That is, C()=Q' where

Q'={qQ| q⊨ }.

We choose the ANTLR (Another Tool for

Language Recognition) for implementation of the

algebraic compiler. ANTLR [4] is a compiler

generator which takes as input a grammar, and

generates a recognizer for the language defined by

the grammar.

The algebraic compiler C implements the

following ATL symbolic model checking algorithm

[5], [1]:

function EvalA() as set of states Q

case =p: return [p];

case = :

return Q\EvalA();

case =12:

return EvalA(1) EvalA(2);

case =12:

return EvalA(1) EvalA(2) );

case =12:

return ( Q\EvalA(1) ) EvalA(2);

case φ =A○:

return Pre(A,EvalA());

case φ =A□:

:=Q; := EvalA(); 0:= ;

while ⊈ do

:= ; :=Pre(A, )0; wend

return ;

case φ = A 1 U 2:

:=; := EvalA(2); 0:= EvalA(1);

while ⊈ do

:= ;

:=Pre(A, )0; wend

return ; end function

The set returned by the Pre(A,) function contains

state qQ if for every player aA there exists a

move ja{1,…,da(q)} such that for all players

b\A, whatever are their moves, we have (q,

j1,…, jk).

Translation of a formula of an ATL model to

the set of nodes Q' over which formula is satisfied

is accomplished by attaching of specific actions to

grammatical constructions within specification

grammar of ATL.

The actions are written in target language of the

generated parser. We use for implementation Java

language. These actions are incorporated in source

code of the parser and are activated whenever the

parser recognizes a valid syntactic construction in

the translated ATL formula. In case of the algebraic

compiler , the actions define the semantics of the

ATL model checker, i.e., the implementation of the

Oatl operators.

The model checker generated by ANTLR from

our ATL specification grammar, takes as input the

concurrent game structure S and the formula , and


ISBN: 978-1-61804-109-8 361

provides as output Q'={qQ| q ⊨ } – the set of

states where the formula is satisfied.

The corresponding action included in the

ANTLR grammar of ATL language for

implementing the □ operator is [3]: ’<<A>> #’ f=formula

{

HashSet r=new HashSet(all_SetS);

HashSet p=$f.set;

while (!p.containsAll(r))

{

r=new HashSet(p);

p=Pre(r);

p.retainAll($f.set);

}

$set=r;

trace(”atlFormula”,4);

printSet(”<<A>>#”+$f.text,r);

}

For □ ATL operator we use in ANTLR the #

symbol. Also, we denote the ATL operator with ~

symbol and the ○ operator is replaced by @ symbol.

In our implementation the all_Set is Q, and

means all states of the model. The formula

represents a term from a production of the ATL

grammar, and p, r, f variables are sets used in

internal implementation of the algebraic compiler.

The Pre(r) is a function that returns the set of

states p such that from p, the players from A can

cooperate and enforce the next state to be in r.

The algebraic compiler implementation

process, based on our specification grammar of ATL

language is presented in figure 1.

Fig. 1 Algebraic compiler implementation

4 Publishing the ATL model checker

as a Web service Web services represent a standardized way for

applications to expose their functionality over the

Web or communicate with other applications over a

network, regardless of the platform or operating

system upon which the service or the client is

implemented. A Web service is accessible on the

Web through an URL, and use a XML file, written

using Web Service Definition Language (WSDL),

to define its interfaces and bindings.

We choose to publish our implementation of

algebraic compiler it as a Web service in order to

make the core of out tool accessible to various

clients.

Other reason for the deployment of ATL

Checker on server side is represented by the internal

implementation of the Pre() function.

We made a formalization of the Pre() function

using relational algebra expressions and schemas,

and from that point, the concrete implementation in

SQL was straightforward.

Thus, our Web service is using GlassFish as a

Web container, and MySQL as a database server.

The architecture of the Web service

implementation is represented in figure 2.

Fig 2. The architecture of the ATL model checker

Web Service

The Web service will receive from a client the

XML representation of a ATL model S and a ATL

formula . The original form of the ATL model S is

passed then to the algebraic compiler generated

by ANTLR using our ATL extended grammar. For a

syntactically correct formula , the compiler will

return as result C()={qQ| q ⊨ }, the set of states

in which the formula is satisfied.

In order to notify the client about possible

syntactical errors from formula , we must override

the default behavior of the ANTLR error-handling.

We install our error-handling in lexer and parser:

@Override

public void reportError(RecognitionException re) {

throw new RuntimeException

("Lexical or Syntactical error!”); }

and finally instruct ANTLR to throw the error,

allowing the Web service to send it to the client:

@rulecatch {

catch (RecognitionException err) {

throw err; }}


ISBN: 978-1-61804-109-8 362

In conclusion, for a given ATL model

(concurrent game structure) and an ATL formula ,

the Web service will parse the formula and will

return to client the set of states in which the formula

is satisfied if formula is syntactically correct, or an

message describing the error from an erroneous

formula.

As we can see from the figure 2, the transport

protocol used by the Web Service enables clients to

invoke its methods through firewalls.

5 The C# client The model checking tool is based on a C# GUI

client who allows interactive graphical development

of the ATL models.

Fig 3. ATL Designer - the C# client in action

All facilities are accessible through a right-click

contextual menu: adding nodes, labeling nodes,

deleting nodes, adding arcs, display nodes numbers,

etc.

Fig 4. ATL Designer – interactive design of a

concurrent game structure

The model is sent as a XML document to the

Web service, together with the formula to be

verified. The response from server is displayed in a

separate window, as we will see in the following

section.

6 An ATL Model for a turn-based

synchronous game structure Formally, a game structure S=k,Q,,,d, is turn-

based synchronous if for every state q from Q, there

exist a player a{1,…,k} such that db(q) = 1 for all

players b{1,…,k}\{a}. State q is the turn of player

a.

Consider a system with two components, User

and Admin. The Slog_pg=k,Q,,,d, describes a

protocol for a user who wanted to login into a web

site. If user hasn‘t an account, it must make a

request to administrator for creating one and

registration into the website. If the user already has

an account, it will make a simple login request.

We model the turn-based synchronous game

structure by the Slog_pg=k,Q,,,d,:

k=2 (player 1 represents the user, player 2

represents the admin)

Q = {q0,q1,q2,q3,q4} – q0 means sing out; q1 means

request for create an account and registration into

web site; q2 means request for login into account;

q3 means that user is registered and have granted

access if the username and password are correct;

q4 means sign_in into account.

={sign_in, req_register, req_login, sign_out,

registered, grant}

(q0)={sign_out},(q1)={sign_out, req_register},

(q2)={ sign_out, req_login},

(q3)={registered, grant}, (q4)={sign_in}

d1(q0)=3, d2(q0)=1. At q0 state, the player 1 has

three moves, and the player 2 has one move.

Move 1 of player 1 means to stay as sign_out,

move 2 means to send a request for admin for

create an account and proceed to q1, and move 3 to

send a request for admin for login into account

and proceed to q2.

At q0 state, the player 2 waits for request.



Move 1 of player 2 means delay the handling of

the request, move 2 means deny the register

request, and move 3 means create an account and

register the user into web site.

At q1 state, the player 1 waits for answer.



Move 1 of player 2 means delay the handling of

the request, move 2 means deny the login request,

and move 3 means granted permission to sign_in.

At q2 state, the player 1 waits for answer.

d1(q3)=d2(q3)=1. At q3 state, both players have one

move. Move 1 of player 1 means to sign_in.

Because state q3 is the turn of player 1, the player

2 has no options.


ISBN: 978-1-61804-109-8 363

d1(q4)=2,d2(q4)=1. At q4 state, the player 1 has two

moves. Move 1 means stay logged in and move 2

means the sign_out of the account.

State q0 has three successors: (q0,1,1)=q0,

(q0,2,1)=q1, (q0,3,1)=q2 etc.

Two states of the system, q1 and q2, are

controlled. When a computation is in one of these

states, the admin choose the next state. The other

three states are uncontrolled and the user chooses a

successor state.

Fig. 5 The Slog_pg - concurrent game structure

The game structure presented in figure 5

describes the turn-based synchronous game

structure presented above.

The following formula:

(<<A>> sign_out U (registered and grant))

affirm that user is in sign_out state until he is

registered and has permission to log in. This

behaviour implied that both agents must cooperate,

and for this reason A={1,2}.

As we can see in figure 6 the formula is satisfied in

states q0, q1, q2 and q3.

In figure 7 is presented the result of checking

formula: <<A>>~ sign_in

where A={1}. As we can see, the only states in

which the formula holds are q3 and q4, because from

other states there are moves of agent 2 which can

prevent the user to sign in.

Fig 6. Invoking the algebraic compiler (Web

service) from the ATL Designer (client)

Fig 7. States from which user can reach the sign_in

state regardless of moves of admin

7 Conclusions In this article we built an ATL model checking

tool, based on robust technologies (Java, .NET) and

well-known standards (XML, SOAP, HTTP).

The C# implementation of the client side of our

new tool (ATL Designer) allows an interactive

graphical specification of the ATL model.

The ATL algebraic compiler is based on Java

code generated by ANTLR using an original ATL

grammar and provides error-handling for eventual

lexical/syntax errors in formula to be analyzed.

The server side of our tool (ATL Checker) was

published as a Web service, exposing its

functionality through standard XML interfaces.

References: [1] R. Alur, T. A. Henzinger , O. Kupferman,

Alternating-Time Temporal Logic, Journal of the

ACM, Vol. 49, No. 5, September 2002, pp. 672–713

[2] P.J. Higgins. Algebras with scheme of operators.

Mathematische Nachrichten, No.27, 1963/64, pp.

115–132.

[3] Laura F. Cacovean, Florin Stoica, Dana Simian, A

New Model Checking Tool, Proceedings of the

European Computing Conference (ECC ‘11), Paris,

France, April 28-30, 2011, pp. 358-364, ISBN: 978-

960-474-297-4, ISSN: 2222-7342

[4] Terence Parr , The Definitive ANTLR Reference,

Building Domain-Specific Languages, version: 2007

[5] Laura Florentina Stoica, Florin Stoica -

Considerations about the implementation of an ATL

model checker, Second International Conference on

Modelling and Development of Intelligent Systems

– MDIS, Sibiu, Romania, September 29 - October

02, 2011, ISSN 2067-3965, ISBN 978-606-12-

0243-0

[6] E. Van Wyk, Specification Languages in Algebraic

Compilers, Theoretical Computer Science, 231(3),

2003, pp. 351—385.


ISBN: 978-1-61804-109-8 364