Integrating Topological Proofs with Model Checking to Instrument Iterative Design

System development is not a linear, one-shot process. It proceeds through refinements and revisions. To support assurance that the system satisfies its requirements, it is desirable that continuous verification can be performed after each refinement or revision step. To achieve practical adoption, formal verification must accommodate continuous verification efficiently and effectively. Model checking provides developers with information useful to improve their models only when a property is not satisfied, i.e., when a counterexample is returned. However, it is desirable to have some useful information also when a property is instead satisfied. To address this problem we propose TOrPEDO, an approach that supports verification in two complementary forms: model checking and proofs. While model checking is typically used to pinpoint model behaviors that violate requirements, proofs can instead explain why requirements are satisfied. In our work, we introduce a specific notion of proof, called Topological Proof. A topological proof produces a slice of the original model that justifies the property satisfaction. Because models can be incomplete, TOrPEDO supports reasoning on requirements satisfaction, violation, and possible satisfaction (in the case where satisfaction depends on unknown parts of the model). Evaluation is performed by checking how topological proofs support software development on 12 modeling scenarios and 15 different properties obtained from 3 examples from literature. Results show that: (i) topological proofs are \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\approx $$\end{document}60% smaller than the original models; (ii) after a revision, in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\approx $$\end{document}78% of cases, the property can be re-verified by relying on a simple syntactic check.


Introduction
One of the goals of software engineering and formal methods is to provide automated verification tools that support designers in producing models of an envisioned system, which follows a set of properties of interest.Many automated verification methods are available to help and guide the designer through this complex task.These methods include, among others, model checking and theorem proving.Typically, the designer benefits from automated support to understand why her system does not behave as expected (e.g., counterexamples), but she might find useful also information retrieved when the system already follows the specified requirements.While model checkers provide the former, theorem provers sustain the latter.These usually rely on some form of deductive mechanism that, given a set of axioms, iteratively applies a set of rules until a theorem is proved.The proof consists of the specific sequence of deductive rules applied to prove the theorem.In literature, many approaches have dealt with integration of model checking and theorem proving at various levels (e.g., [40,46,43,31]).These approaches are oriented to provide certified model checking procedures rather than tools which actually help the design process.Even when the idea is to provide a practically useful framework [41,42], the output consists of deductive proofs which are usually difficult to understand and hardly connectable with the designer's modeling choices.Moreover, verification techniques which only take into account completely specified designs do not comply with modern agile software design techniques.In a recent work ( [3,4]), we have considered cases in which a partial knowledge of the system model is available.However, the presented approach was mainly theoretical and lacked a practical implementation.
With the intent to provide a valuable support for a flexible design process, we formulate the initial problem on models that contain uncertain parts.Partial specification may be used, for instance, to represent the uncertainty of introducing, keeping, excluding particular portions of the design with respect to the complete model of the system.For this reason, we chose Partial Kripke Structures (PKSs) as a formalism to represent general models.PKSs are a standard formalism used to reason on incomplete systems.Among several applications, they have been used in requirement elicitation to reason about the system behavior from different points of view [16,7].Furthermore, other modeling formalisms such as Modal Transition Systems [32] (MTSs), can be converted into PKSs through a simple transformation [23].Thus, the proposed solution can also be easily applied on models specified using MTSs, which are commonly used in software development [20,48].Kripke Structures (KSs) are particular instances of PKSs used to represent complete models.Requirements on the model are expressed in Linear-time Temporal Logic (LTL).Verification techniques that consider PKSs return three alternative values: true if the property holds in the partial model, false if it does not hold, and maybe if the property possibly holds, i.e., its satisfaction depends on the parts that still need to be refined.
Methods for verifying partial models naturally fit in modern software design processes [36,20,48].In the iterative design process, the designer starts from a high level model of the system in which some portions can be left unspecified, representing design decisions that may be taken in later development steps.As development proceeds, the initial model can be refined, by filling parts that are left unspecified, or revised, by changing parts that were already specified.In a PKS a refinement is performed by associating a true/false value to previously unknown propositions, while revising may also involve adding or removing existing states or transitions, or changing values already assigned to propositions (i.e., a refinement is a type of revision).
A comprehensive integrated design framework able to support software designers in understanding why properties are (possibly) satisfied -as models are specified, refined, or revised -is still missing.
We tackle this problem by presenting TOrPEDO (TOpological Proof drivEn Development framewOrk), a novel automated verification framework, that: (i) supports a modeling formalism which allows a partial specification of the system design; (ii) allows performing analysis and verification in the context of systems in which "incompleteness" represents a conceptual uncertainty; (iii) provides guidance in the refinement process through complementary outputs: counterexamples and topological proofs; (iv) when the system is completely specified, allows understanding which changes impact or not on certain properties.
TOrPEDO is based on the novel notion of topological proof (TP), which tries to overcome the complexity of deductive proofs and is designed to make proofs understandable on the original system design.A TP is a slice of the original model that specifies which part of it influences the property satisfaction.If the slice defined by the TP is not preserved during a refinement or a revision, there is no assurance that the property holds (possibly holds) in the refined or revised model.This paper proposes an algorithm to compute topological proofs-which relies on the notion of unsatisfiable cores (UCs) [44]-and proves its correctness on PKSs.TOrPEDO has been implemented on top of NuSMV [13] and PLTL-MUP [45].The implementation has been used to evaluate how TOrPEDO helps software designers by considering a set of examples coming from literature including both completely specified and partially specified models.
The paper is structured as follows.Section 2 describes TOrPEDO.Section 3 discusses the background.Sections 4 and 5 present the theoretical results and the algorithms that support TOrPEDO.Section 6 evaluates the achieved results.Section 7 discusses related work.Section 8 concludes.

TOrPEDO
TOrPEDO is a proof based development framework which allows verifying initial designs and evaluating their revisions.To illustrate TOrPEDO, we use an example: a designer needs to develop a simple vacuum-cleaner robot which has to satisfy the requirements in Table 1, specified through LTL formulae and plain English text.These are simple requirements that will be used for illustration purposes.Informally, when turned on, the vacuum-cleaner agent can move with the purpose to reach a site which may be cleaned in case it is dirty.
The TOrPEDO framework is illustrated in Fig. 2 and it is made of four phases: initial design, analysis, revision, and re-check.Dashed boxes marked with the person icon represent phases performed manually by the designer, while dashed boxes marked with the gears icon contain phases operated using automated support.
Initial design.This phase concerns the initial definition of the model of the system, formalized as a PKS (marked in Fig. 2 with 1 ) along with the property of interest, in LTL ( 2 ).
In the vacuum-cleaner example, the designer has identified two actions the robot can perform: move, i.e., the agent travels to the cleaning site; suck , i.e., the agent is drawing the dust.She has also identified two conditions that can Textual requirements φ1: the robot is drawing dust (suck ) only if it reached the cleaning site.φ2: the robot must be turned on before it can move.φ3: if the robot is on and stationary (¬move), it must be drawing dust (suck ).φ4: the robot must move before it is allowed to draw dust (suck ).
trigger actions: on, true when the robot is turned on; reached , true when the robot has reached the cleaning site.These actions and conditions determine the designer description of the preliminary model presented in Fig. 1.The model is made by four states representing the configuration of the vacuum-cleaner robot.The state OFF represents the robot being shut down, IDLE the robot being tuned in w.r.t. a cleaning call, MOVING the robot reaching the cleaning site, and CLEANING the robot performing its duty.
Each state is labeled with the actions and conditions that are true in that state.Given an action or condition α and a state s, we use the notation: α = to indicate that α occurs when the robot is in state s; α = ⊥ to indicate that α does not occur when the robot is in state s; α =? to indicate that there is uncertainty on whether α occurs when the robot is in state s.In the first two cases the designer is sure that an action must (must not) be performed or a condition must be true (false) in a state; in the third case the designer is uncertain about the design.Specifically, she does not know whether the robot should perform an action or whether a condition should be true in order for a state to be entered.
Analysis.TOrPEDO assists the designer with an automated analysis, which includes the following elements: (i) information about what is wrong in the current design.This information includes a definitive-counterexample, which indicates a behavior that depends on already performed design choices and violates the properties of interest.The definitive-counterexample (i.e., Def-CE 3 ) can be used to improve M and produce a revised version M that satisfies or possibly satisfies the property of interest.

Initial design
The image part with relationship ID rId3 was not found in the file.In the following we will use the notation x-topological proofs or x-TP to indicate arbitrarily definitive-topological or possible-topological proofs.
In the vacuum-cleaner example, the designer analyzes her proposed design using TOrPEDO.
Property φ 1 is possibly satisfied.TOrPEDO returns the possiblecounterexample OFF , IDLE , (MOVING) ω .This possible-counterexample shows a run that violates the property of interest.TOrPEDO also returns a possibletopological proof showing that the property remains possibly satisfied given that OFF remains the only initial state, reached still holds in CLEANING, and suck does not hold in OFF and IDLE , while unknown in MOVING (note that, if suck was set to ⊥ in this state we would indeed obtain a proof).In addition, all transitions must be preserved.
Property φ 2 is satisfied.TOrPEDO returns the definitive-topological proof, which shows that the property remains satisfied given that OFF remains the only initial state, on still holds in MOVING and CLEANING, and move does not hold in OFF and IDLE .In addition, all transitions must be preserved.Property φ 3 is not satisfied.TOrPEDO returns a definitive-counterexample, e.g., OFF , IDLE ω .The counterexample shows that it is not true that always a robot which is operative and not moving is drawing dust.Property φ 4 is possibly satisfied.TOrPEDO returns the possible-counterexample OFF , (IDLE , MOVING, CLEANING, IDLE , OFF ) ω , which specifies a sample run for which it is not true that the robot is only moving (and not cleaning) before it can draw dust.The topological proof shows that the property remains possibly satisfied given that the following characteristics of the model are preserved: from the only initial state OFF one can loop or move to IDLE , from which one can loop, return to OFF , or go to MOVING; in addition move must hold in MOVING and suck must not occur in OFF and IDLE , while unknown in MOVING.
Revision.As development proceeds, the designer may want to revise the existing model by changing some of its parts: adding/removing states and transitions or by changing propositions labelling inside states.Revision may include refinement, i.e., replacing with and ⊥ some unknown values in the atomic propositions.The inputs of this phase are the initial model M ( 1 ), or an already revised model ( 7), and the x-TP that can be used by the designer as a guideline for the revision ( 9).The output is another revised model M ( 8 ).
Revision 1.The designer would like her model to not violate any property of interest.She examines the counterexample of φ 3 to understand why it is not satisfied and envisions a revised model that could satisfy the property.She also consults the x-TPs of properties φ 1 , φ 2 , and φ 4 in order to be sure to preserve their verification results.She thus decides to change the value of move in state IDLE from ⊥ to .Since she foresees φ 3 is now satisfied, she reruns the analysis for this property.TOrPEDO provides the corresponding x-TP.
Revision 2. The designer decides to further improve her model by proposing a refinement: move becomes in state CLEANING and reached becomes ⊥ in state IDLE .Since φ 1 , φ 2 , φ 3 , and φ 4 were previously not violated, TOrPEDO performs the re-check phase for each property.
Re-check.The automated verification tool provided by TOrPEDO checks whether all the changes in the current model revision ( 8) are compliant with the x-TPs ( 10 ), i.e., changes applied to the revised model do not include parts that had to be preserved according to the proof.If a property of interest is (possibly) satisfied in a previous model ( 1), and the revision of the model is compliant with the property x-TP, the designer has the guarantee that the property is (possibly) satisfied in the revision.Thus, she can perform another model revision round ( 12) or approve the current design ( 13 ).Otherwise, TOrPEDO re-executes the analysis ( 11 ).
In the vacuum-cleaner case, the second revision passes the re-check and the designer proceeds to a new revision phase.

Background
We present some background and notation necessary to understand the rest of the paper.First, we describe how to model the system under development and its properties.Then, we present the unsatisfiable core which is the element upon which our algorithm for computing topological proofs is based.

Modeling systems and properties
We first describe Partial Kripke Structures (PKS) and Kripke Structures (KS), formalisms that allow modeling the systems under development.Then, we briefly introduce the semantics for LTL properties on PKSs and KSs and how to perform model checking on these structures.
PKS are a modeling formalism that can be adopted when the value of some propositions is uncertain on selected states.

Definition 1 ([8]
).A Partial Kripke Structure M is a tuple S, R, S 0 , AP, L , where: S is a set of states; R ⊆ S ×S is a left-total transition relation on S; S 0 is a set of initial states; AP is a set of atomic propositions; L : S ×AP → { , ?, ⊥} is a function that, for each state in S, associates a truth value to every atomic proposition in AP .
Informally, a PKS represents a system as a set of states and transitions between these states.Uncertainty on the AP is represented through the value ?.The model of the vacuum-cleaner agent presented in Fig. 1 is a PKS where propositions in AP are used to model actions and conditions.

Definition 2 ([30]
).A Kripke Structure M is a PKS S, R, S 0 , AP, L , where PKSs can be related to other PKSs or to KSs respectively through refinement and completion.
We indicate that M is a refinement of M using the notation M M .Intuitively, the notion of refinement allows assigning a or a ⊥ value to an atomic proposition α in a state s s.t.L (s, α) =?.

Definition 4 ([9]
).Let M be a PKS and let M be a KS.Then M is a completion of M if and only if M M .
Intuitively, a completion of a PKS is a KS obtained by assigning a or a ⊥ value to every atomic propositions α and state s s.t.L (s, α) =?.
Semantics of LTL properties.For KSs we consider the classical LTL semantics [M |= φ] over infinite words that associates to a model M and a formula φ a truth value in the set {⊥, }.The interested reader may refer, for example, to [2].Let M be a KS and φ be an LTL property.We assume that the function Check, such that res, c = Check(M , φ), returns a tuple res, c , where res is the model checking result in { , ⊥} and, if res = ⊥, c is the counterexample.
Instead, when the satisfaction of LTL over PKSs is of interest, two semantics can be considered: the three-valued or the thorough semantics.
The three-valued LTL semantics [8] [M |= 3 φ] associates to a model M and a formula φ a truth value in the set {⊥, ?, } and is defined based on the information ordering > ?> ⊥, i.e., on the assumption that "provides more information" than ?and ?"provides more information" than ⊥ [8].The threevalued LTL semantics is defined by considering paths of the model M .A path π is a sequence of states s 0 , s 1 , . . .such that, for all i ≥ 0, (s i , s i+1 ) ∈ R. Definition 5 ([8]).Let M = S, R, S 0 , AP, L be a PKS, let π = s 0 , s 1 , . . .be a path, and let φ be an LTL formula.Then, the three-valued semantics [(M, π) |= 3 φ] is defined inductively as follows: The conjunction (resp.disjunction) is defined as the minimum (resp.maximum) of its arguments, following the order ⊥ < ?< .These functions are extended to sets with min(∅)= and max(∅)=⊥.The comp operator maps to ⊥, ⊥ to , and ? to ?Definition 6 ( [8]).Let M = S, R, S 0 , AP, L be a PKS, s be a state of M and φ be an LTL formula.Then [(M, s) Intuitively this means that, given a formula φ, each state s of M is associated with the minimum of the values obtained considering the LTL semantics over any path π that starts in s.
When the three-valued semantics is considered, if [M |= 3 φ] = then in every completion of M formula φ is true and if [M |= 3 φ] = ⊥, then in every completion of M formula φ is false.In general, when [M |= 3 φ] =?, there exist both completions of M that satisfy and do not satisfy φ.However, there are cases in which all the completions of M satisfy (or do not satisfy) φ.For this reason, the alternative thorough LTL semantics [9] has been proposed ([M |= T φ]).
The thorough LTL semantics [9] dictates that [M |= T φ] = if in every completion of M formula φ is true and [M |= T φ] = ⊥ if in every completion of M formula φ is false.This ensures that, when [M |= T φ] =?, there exist both completions of M that satisfy φ and completions of M that do not satisfy φ.

Definition 7 ([9]
).Let M be a PKS and let φ be an LTL formula.Then, Note that, when a PKS is a KS, [M Lemma 1 ( [24]).Let M be a PKS and let φ be an LTL formula.Then That is, a formula which is true (false) under the three-valued semantics is also true (false) under the thorough semantics.
There exists a subset of LTL formulae, known in the literature as selfminimizing [21], such that the two semantics coincide, i.e., given a model M and a self-minimizing LTL property φ, then [M |= 3 φ] = [M |= T φ].It has been observed that most practically useful LTL formulae belong to this subset [21].
Model checking.Checking KSs with respect to LTL properties can be done by using classical model checking procedures.For example, the model checking problem of property φ on a KS M can be reduced to the satisfiability problem of the LTL formula Φ M ∧ ¬φ, where Φ M represents the behaviors of model Checking a PKS M with respect to an LTL property φ considering the threevalued semantics can be done by performing twice the classical model checking procedure for KSs [9], one considering an optimistic approximation M opt and one considering a pessimistic approximation M pes .These two procedures consider the LTL formula φ = F(φ), where F transforms φ with the following steps: (i) negate φ; (ii) convert ¬φ in negation normal form3 ; (iii) replace every subformula ¬α, where α is an atomic proposition, with a new atomic proposition α.
To create the optimistic and pessimistic approximations M opt and M pes , the PKS M = S, R, S 0 , AP, L is first converted into its complement-closed version M c = S, R, S 0 , AP c , L c where the set of atomic propositions AP c = AP ∪ AP is such that AP = {α | α ∈ AP }.Atomic propositions in AP are called complement-closed propositions.Function L c is such that for all s ∈ S and α ∈ AP , L c (s, α) = L(s, α) and for all s ∈ S and α ∈ AP , L c (s, p) = comp(L(s, p)).For example, the complement-closed PKS of the vacuum-cleaner agent in Fig. 1, in the state IDLE presents eight propositional assignments: move = ⊥, move = , suck = ⊥, suck = , on = , on = ⊥, reached =?, and reached =?.
The two model checking runs for a PKS M = S, R, S 0 , AP, L are based respectively on an optimistic (M opt = S, R, S 0 , AP c , L opt ) and a pessimistic (M pes = S, R, S 0 , AP c , L pes ) approximation of M 's relative complement-closed , and for all s ∈ S, α ∈ AP c , and Let A be a KS and φ be an LTL formula, A |= * φ is true if no path that satisfies the formula F(φ) is present in A.
Theorem 1 ([8]).Let φ be an LTL formula, let M = S, R, S 0 , AP, L be a PKS, and let M pes and M opt be the pessimistic and optimistic approximations of M 's relative complement-closed M c .Then We assume that the function Check * computes the result of operator |= * .It takes as input either M pes or M opt and the property F(φ), and returns a tuple res, c , where res is the model checking result in { , ⊥}, and c can be an empty set (when M satisfies φ), a definitive-counterexample (when M violates φ), or a possible-counterexample (when M possibly-satisfies φ).

Unsatisfiable core
Given a set of atomic propositions AP , AP L is the minimum set of elements such that for all p ∈ AP , the following holds: p ∈ AP L and (¬p) ∈ AP L .Definition 8 ( [44]).Let AP be a set of atomic propositions.A Separated Normal Form (SNF) clause is an LTL formula, which is either an SNF initial clause, an SNF global clause or an SNF eventuality clause, where: an SNF initial clause In the following we assume that the property φ is an LTL formula in SNF since any LTL formula can be transformed in an equally satisfiable SNF formula (for example, by using the procedure in [19]).

Definition 10 ([44]
).Let C be a set of SNF clauses.Then C is unsatisfiable if the corresponding SNF formula η(C) is unsatisfiable.Definition 11 ([44]).Let C be an unsatisfiable set of SNF clauses and let C uc be an unsatisfiable subset of C. Then C uc is an Unsatisfiable Core (UC) of C.

Revising and refining models
First, we define how models can be revised and refined.Then, we define the notion of topological proof, that is used to describe why a property φ is satisfied in a KS M .Furthermore, we describe how the defined notion of proof can be exploited to show why a property is satisfied or possibly satisfied in a PKS.
Revisions and refinements.During a revision, a designer can add and remove states and transitions or change the labeling of the atomic propositions in some of the states of the structure.Definition 12. Let M = S, R, S 0 , AP, L and M = S , R , S 0 , AP , L be two PKSs.Then M is a revision of M if and only if AP ⊆ AP .
Informally, the only constraint the designer has to respect during a revision is not to remove propositions from the set of atomic propositions.Lemma 2. Let M = S, R, S 0 , AP, L be a PKS and let M = S, R, S 0 , AP, L be a refinement of M .Then M is a revision of M .
Topological proofs.The pursued proof is made of a set of clauses specifying certain topological properties of M , which ensure that the property is satisfied.Definition 13.Let M = S, R, S 0 , AP, L be a PKS.A topological proof clause (TP-clause) γ for M is either: a topological proof propositional clause (TPP-clause), i.e., a triad s, α, v where s ∈ S, α ∈ AP , and v ∈ { , ?, ⊥}; a topological proof transitions-from-state clause (TPT-clause), i.e., an element s, T , such that s ∈ S, T ⊆ S; a topological proof initial-states clause (TPI-clause), i.e., an element S 0 .
These clauses indicate topological properties of a PKS M .Informally, TPP-, TPT-, and TPI-clauses describe how states are labeled, how states are connected, and from which states the runs on the model begin, respectively.Definition 14.Let M = S, R, S 0 , AP, L be a PKS and let Γ be a set of TPclauses for M .Then a Γ -related PKS is a PKS M = S , R , S 0 , AP , L , such that the following conditions hold: Intuitively, a Γ -related PKS of M is a PKS obtained from M by changing any topological aspect that does not impact on the set of TP-clauses Γ .Any transition whose source state is not the source state of a transition included in the TPT-clauses can be added or removed from the PKS and any value of a proposition that is not constrained by a TPP-clause can be changed.States can be always added and they can be removed if they do not appear in any TPT-, TPP-, or TPI-clause.Initial states cannot be changed if Γ contains a TPI-clause.
Note that, in this definition-and in the rest of the paper, when not differently specified-|= indicates either |= 3 or |= T .
Intuitively, an x-topological proof is a set Ω such that every PKS M that satisfies the conditions specified in Definition 14 is such that [M |= φ] ≥ x.We call -TP a definitive-topological proof and ?-TP a possible-topological proof.In Definition 15 the operator ≥, assumes that values , ?, ⊥ are ordered considering the classical information ordering > ?> ⊥ among the truth values [8].
A ?-TP for the PKS in Fig. 1 and property φ 4 is composed by the TP-clauses shown in Table 2.
Definition 16.Let M and M be two PKSs, let φ be an LTL property, and let Ω be an x-TP.Then M is an M , it is obtained by changing the model M while preserving the statements that are specified in the x-TP.A revision M of M is compliant with the x-TP for a property φ in M if it is an Ω x -revision of M .Lemma 3. Let M be a PKS, let φ be an LTL property such that [M |= φ] = , and let Ω be a -TP.Then every Ω -revision M is such that [M |= φ] = .Let M be a PKS, let φ be an LTL property such that [M |= φ] =?, and let Ω be an ?-TP.Then every Ω ?-revision M is such that [M |= φ] ∈ { , ?}.
Proof.We prove the first statement of the Lemma; the proof of the second statement is obtained by following the same steps.If Ω is a -TP, it is a -TP for φ in M , since M is an Ω -revision of M (by Definition 16).Since Ω is a -TP for φ in M , then [M |= φ] ≥ (by Definition 15).

TOrPEDO automated support
This section describes the algorithms that support the analysis and re-check phases of TOrPEDO.Analysis.To analyze a PKS M = S, R, S 0 , AP, L , TOrPEDO uses the three-valued model checking framework based on Theorem 1.The model checking result is provided as output by the analysis phase of TOrPEDO, whose Algorithm 1 The algorithm that supports the analysis phase.
C uc = GetUC(η(C)) 4: T P = GetTP(M, C uc ) 5: return T P 6: end function behavior is described in Algorithm 1. Specifically, the algorithm returns a tuple x, y , where x is the verification result and y is a set containing the counterexample, the topological proof or both of them.The algorithm first checks whether the optimistic approximation M opt of the PKS M satisfies property φ (Line 2).If this is not the case, the property is violated by the PKS and the definitive-counterexample c is returned (Line 3).Then, it checks whether the pessimistic approximation M pes of the PKS M satisfies property φ (Line 5).If this is the case, the property is satisfied and the value is returned along with the definitive-topological proof ( -TP) computed by the CTP KS procedure applied on the pessimistic approximation M pes and the property F(φ).If this is not the case, the property is possibly satisfied and the value ? is returned along with the possible-counterexample c and the possible-topological proof (?-TP) computed by the CTP KS procedure applied to M opt and F(φ).
The procedure CTP KS (Compute Topological Proofs) to compute x-TPs is described in Algorithm 2. It takes as input a PKS M , its optimistic/pessimistic approximation, i.e., the KS A, and an LTL formula ψ-satisfied in A-corresponding to the transformed property F(φ).The three steps are described in the following.
Sys2Snf.Encoding of the KS A and the LTL ψ formula into an LTL formula in SNF η(C).The KS A and the LTL formula ψ are used to generate an SNF formula η(C A ∪ C ψ ), where C A and C ψ are sets of SNF clauses obtained from the KS A and the LTL formula ψ.The clauses in C ψ are computed from ψ as specified in [44].The set of clauses that encodes the KS is

p(s)
The KS is initially in one of its initial states.
If the KS is in state s in the current time instant, in the next time instant it is in one of its successors s of s. are defined as specified in Table 3.Note that the clauses in C A are defined on the set of atomic propositions AP S = AP A ∪ {p(s)|s ∈ S A }, i.e., AP S includes an additional atomic proposition p(s) for each state s, which is true when the KS is in state s.
GetUC.Computation of the unsatisfiable core (UC) C uc of C. Since the property ψ is satisfied on A, as recalled in Section 3, η(C A ∪ C ψ ) is unsatisfiable and the computation of its UC core is performed as specified in [44].The procedure returns an SNF formula η( GetTP.Analysis of the UC C uc and extraction of the topological proof.Formula η(C A ∪ C ψ ), where C A = C KS ∪ C REG , contains clauses regarding the KS (C KS ), the fact that the model is a KS (C REG ), and the property of interest (C ψ ) that made the formula η(C A ∪ C ψ ) unsatisfiable.Since we are interested in clauses related to the KS that caused unsatisfiability, we extract the topological proof Ω, whose topological proof clauses are obtained from the clauses in C KS as specified in Table 4. Since the set of atomic propositions of A is AP A = AP ∪AP , in the table we use α for propositions in AP and α for propositions in AP .
Note that elements in C REG are not considered in the TP computation.Indeed, given an SNF clause G(¬p(s) ∨ ¬p(s )), either state s or s is included in other SNF clauses, thus it will be mapped on TP-clauses that will be preserved in the model revisions.
Lemma 4. Let A be a KS and let ψ be an LTL property.Let also η(C A ∪ C ψ ) be the SNF formula computed in the step Sys2Snfof the algorithm, where C A = C REG ∪C KS , and let C A ∪C ψ be an unsatisfiable core, where ) there exists an SNF clause in C KS that predicates on state s (or on state s ); Table 4: Rules to extract the TP-clauses from the UC SNF formula.
Proof.We indicate G(¬p(s) ∨ ¬p(s )) as τ (s, s ).Assume per absurdum that conditions (i) and (ii) are violated, i.e., no SNF clause in C KS predicates on state s or s and )} must also be satisfiable.Indeed, it does not exist any SNF clause that predicates on state s (or on state s ) and, in order to generate a contradiction, the added SNF clause must generate it with the SNF clauses obtained from the LTL property ψ.This is a contradiction.Thus, conditions (i) and (ii) must be satisfied.
The Analyze procedure in Algorithm 1 has shown how we obtain a TP for a PKS by first computing the related optimistic or pessimistic approximation (i.e., a KS) and then exploiting the computation of the TP for this KS.
Theorem 2. Let M = S, R, S 0 , AP, L be a PKS, let φ be an LTL property, and let x ∈ { , ?} be an element such that [M |= 3 φ] = x.If the procedure Analyze applied to the PKS M and the LTL property φ, returns a TP Ω, this is an x-TP for φ in M .
Proof.Assume that the Analyze procedure returns the value and a -TP.We show that every Ω-related PKS M is such that [M |= φ] ≥ x (Definition 15).If Analyze returns the value , it must be that M pes |= * φ by Lines 5 and 6 of Algorithm 1. Furthermore, by Line 6, ψ = F(φ) and A = M pes .Let N = S N , R N , S 0,N , AP N , L N be a PKS Ω-related to M .Let η(C A ∪ C ψ ) be the SNF formula associated with A and ψ and let η(C B ∪ C ψ ) be the SNF formula associated with B = N pes and ψ.Let us consider an UC • if c = c i then, by the rules in Table 4, there is a TPI-clause {S 0 } ∈ Ω.By Definition 14, S 0 = S 0 .Thus, 4, there is a TPT-clause s, T ∈ Ω where s ∈ S and T ⊆ R. By Definition 14, 4, there is a TPP-clause s, α, L(s, α) ∈ Ω where s ∈ S and α ∈ AP .By Definition 14, L (s, α) = L(s, α).
The proof from the case in which Analyze procedure returns the value ?and a ?-TP can be derived from the first case.
Re-check.Let M be a PKS.The re-check algorithm verifies whether a revision M of M is an Ω-revision.Let M = S, R, S 0 , AP, L be a PKS, let Ω be an x-TP for φ in M , and let M = S , R , S 0 , AP , L be a revision of M .The re-check algorithm returns true if and only if the following holds: -AP ⊆ AP ; for every TPP-clause s, α, v ∈ Ω, v = L (s, α); for every TPT-clause s, T ∈ Ω, T = {s ∈ S |(s, s ) ∈ R }; for every TPI-clause S 0 ∈ Ω, S 0 = S 0 .Lemma 5. Let M = S, R, S 0 , AP, L and M = S , R , S 0 , AP , L be two PKSs and let Ω be an x-TP.The re-check algorithm returns true if and only if M is Ω-related to M .
Proof.Since M is Ω-related to M , the conditions of Definition 14 hold.Each of these conditions corresponds to a condition of the re-check algorithm.Thus, if M is Ω-related to M , the re-check returns true.Conversely, if re-check returns true, each condition of the algorithm is satisfied and, since each of this conditions is mapped to a condition of Definition 14, M is Ω-related to M .Theorem 3. Let M be a PKS, let φ be a property, let Ω be an x-TP for φ in M where x ∈ { , ?}, and let M be a revision of M .The re-check algorithm returns true if and only if M is an Ω-revision of M .Proof.By applying Lemma 5, the re-check algorithm returns true if and only if M is Ω-related to M .By Definition 16, since Ω is an x-TP, the re-check algorithm returns true if and only if M is an Ω-revision of M .
The analysis and re-check algorithms assume that the three-valued LTL semantics is considered.Indeed, the algorithm upon which the proof generation framework is developed is the three-valued model checking algorithm [9].However, the proposed results are also valid considering the thorough semantics if the properties of interest are self-minimizing.This is not a strong limitation since, as shown in [21], most practically useful LTL formulae are self-minimizing.Future work will consider how to extend the analysis and re-check to completely support the thorough LTL semantics.

Evaluation
To evaluate how TOrPEDO supports designers, we implemented TOrPEDO as a Scala stand alone application which is available at http://goo.gl/V4fSjG.Specifically, we considered the following research questions: RQ1: How does the analysis help in creating models revisions?RQ2: How does the re-check help in creating models revisions?Evaluation setup.To answer RQ1 and RQ2 we considered a set of example PKSs proposed in literature to evaluate the χChek [17] model checker.These examples are divided into three categories.Each category represents an aspect of a phone call, i.e., the callee, caller, and caller-callee categories include PKSs modeling respectively the callee process, the caller process, and the overall calleer-callee process.To simulate iterative design performed using the TOrPEDO framework all examples were slightly modified.Uncertainty on the transitions was removed in all the PKSs of the considered examples.In addition, the examples in the callee category were modified such that the designer iteratively generates refinements of PKSs, i.e., ? is assigned to atomic propositions to generate abstractions of the final KS callee-4.Instead, the examples in the caller-callee category were modified since the original examples were proposed to evaluate designer disagreement about the value to assign to a proposition in a state [12].Thus, in a state s a proposition could be assigned to multiple values in the set { , ?, ⊥}.To generate a PKS useful for our evaluation, we used the following transformations: when, in a state s, a proposition was assigned to the values { , ⊥}, { , ?}, or {⊥, ?} these values were replaced with ?; when, in a state s, a proposition was assigned values { , } (resp.{⊥, ⊥}), these values were replaced with (resp.⊥).
We defined a set of properties based on well known LTL property patterns [15].This choice was motivated by the fact that the original properties used in the examples were specified in Computation Tree Logic (CTL), which is not supported by TOrPEDO.
The defined properties were inspired by the original properties from the examples and are listed in Table 5.
RQ1.To answer RQ1 we checked how the proofs output by the analysis algorithm were useful in producing PKSs revisions.To evaluate the usefulness we checked how easy it was to analyze the property satisfaction on the proofs w.r.t. the original models.This was done by comparing the size of the proofs and the size of the original models the considered LTL property and x indicates whether p is satisfied (x = ) or possibly satisfied (x =?).Cells labeled with the symbol × indicate that a property was not satisfied in that model and thus a proof was not produced by the analysis algorithm.It can be observed that the size of the proof was always lower than the size of the initial model.This is an indicator that shows that proofs are easier to understand than the original models, since they include a subset of the elements of the models that ensure that a property is satisfied (resp.possibly satisfied).
RQ2.To answer RQ2 we checked how the results produced by the re-check algorithm were useful in producing PKSs revisions.To evaluate the usefulness we assumed that, for each category of examples, the designer produced revisions following the order specified in Table 6.The columns under the label 'RQ2' contain the different properties that have been analyzed for each category.A cell contains if the re-check was passed by the considered revised model, i.e., a true value was returned by the re-check algorithm, otherwise.The dash symbolis used when the model of the correspondent line is not a revision (i.e., the first model of each category) or when the observed property was false in the previous model, i.e., an x-TP was not produced.We inspect results produced by the re-check algorithm to evaluate their utility in verifying if revisions were violating the proofs.A careful observation of Table 6 reveals that, in many cases, the TOrPEDO re-check notifies the designer that the proposed revision violates some of the clauses contained in the Ω-proof.This suggests that the re-check is effective in helping the designer in creating model revisions.
Threats to validity.The changes applied to the existing models are a threat to construct validity since they may generate models which are not realistic.To mitigate this threat, we referred to textual explanations in the papers in which the examples were presented to generate reasonable revisions.Biases in the creation of PKSs are a threat to internal validity.To mitigate this threat, we designed our models starting from already existing models.The limited number of examples is a threat to external validity.To mitigate this threat, we verified that all the possible output cases of TOrPEDO were obtained at least once.
Scalability.Three-valued model checking is as expensive as classical model checking [8], which is commonly employed in real world problems analysis [51].Unsatisfiability checking and UCs computation has been employed to verify digital hardware and software systems [29].The analysis phase of TOrPEDO simply combines three-valued model checking and UCs computation, therefore its scalability improves as the performance of the employed integrated frameworks enhances.Future investigation may evaluate if the execution of the re-check algorithm (which is a simple syntactic check) speeds up the verification framework by avoiding the re-execution of the analysis algorithm in the cases in which revisions satisfy the proofs.

Related work
Partial knowledge has been considered in requirement analysis and elicitation [39,38,33], in novel robotic planners [34,35], and in the production of software models that satisfy a set of desired properties [50,49,18,1].Several researchers analyzed the model checking problem for partially specified systems [37,11], some considering three-valued [32,22,8,9,24], others multivalued [26,10] scenarios.Other works apply model checking to incremental program development [27,5].However, all these model checking approaches do not provide an explanation on why a property is satisfied, by means of a certificate or proof.Although several works have tackled this problem [3,46,42,41,25,14], they aim mostly to automate proof reproducibility rather than actually helping the design process and they usually produce deductive proofs which are different from the topological proofs presented in this paper.
Tao and Li [47] propose a theoretical solution to a related issue: model repair is the problem of finding the minimum set of states in a KS which makes a formula satisfiable.However, this problem is diffenent than the one addressed in this paper.Furthermore, the framework is only theoretical an based on complete systems.
Witnesses have also been proposed in literature as an instrument to explain why a property is satisfied [6,28,40].Given an existential LTL formula and a model M , a witness is usually defined as a path that satisfies that formula.This is different than the notion of topological proof proposed in this work, where a proof is defined as a slice of the model M .
We are not aware of any work, except for [3], that combines model checking and proofs in a multi-valued context.Here the proposed proofs are verbose, obtained manually, and their effectiveness is not shown in practical applications.This paper extends [3] by defining topological proofs and model revisions, and by providing a working and practical environment.

Conclusions
We have proposed TOrPEDO, an integrated framework that allows a software designer to refine and revise her model proposal in a continuous verification setting.The framework, implemented in a tool for practical use, allows to specify partial models and properties to be verified.It checks these models against the requirements and provides a guide for the designer who wishes to preserve slices of her model that contribute to satisfy fundamental requirements while other components are modified.For these purposes, the novel notion of topological proof has been formally and algorithmically described.This corresponds to a set of constraints that, if kept when changing the proposed model, ensure that the behavior of the model w.r.t. the property of interest is preserved.TOrPEDO was evaluated by showing the effectiveness of the analysis and re-check algorithms included in the framework.Results showed that proofs are in general easier to understand than the original models and thus TOrPEDO can help the design process effectively.Future work will consider supporting LTL thorough semantics in all phases of the framework and providing a deeper evaluation to show the speed-up offered by the re-check phase w.r.t.analysis re-execution.

Fig. 2 :
Fig. 2: TOrPEDO structure.Continuous arrows represent inputs and outputs to phases.Circled numbers are used to reference the image in the text.
p∈P p where P ⊆ AP L ; an SNF global clause G( p∈P p ∨ X ( q∈Q q)) where P, Q ⊆ AP L ; an SNF eventuality clause G( p∈P p ∨ F(l)) where P ⊆ AP L , l ∈ AP L .Given a set C of LTL formulae we denote the LTL formula c∈C c with η(C).Definition 9 ([44]).Let C be a set of SNF clauses.Then the formula η(C) is in SNF.
the atomic proposition α is false.CREG = {G(¬p(s) ∨ ¬p(s )) | s, s ∈ SA and s = s }Ensures that the KS is in at most one state at any time.
the UC is also an UC for the SNF formula associated with the approximation B of the PKS N .-Cψ ⊆ C ψ istrivially verified since property ψ does not change.-C A ⊆ C B , i.e., (C KS ∪ C REG ) ⊆ C B .By Lemma 4 we can avoid considering C REG .By construction (see Line 2 of Algorithm 2) any clause c ∈ C KS belongs to one rule among CR, CL pes, , CL pes,⊥ or c = c i : . The size of a PKS M = S, R, S 0 , AP, L was defined as |M | = |AP | * |S| + |R| + |S 0 |.The size of a proof Ω was defined as |Ω| = c∈Ω |c| where: |c| = 1 if c = s, α, v ; |c| = |T | if c = s, T , and |c| = |S 0 | if c = S 0 .Table 6 summarizes the obtained results, indicated in the columns under the label 'RQ1'.We show the cardinalities |S|, |R| and |AP | of the sets of states, transitions, and atomic propositions of each considered PKS M , the number |?| of couples of a state s with an atomic proposition α such that L(s, α) =?, the total size |M | of the model, and the size |Ω p | x of the proofs, where p indicates

Table 2 :
An example of proof for the vacuum-cleaner example.TPP OFF , {OFF , IDLE } , IDLE , {OFF , IDLE , MOVING} TPT {OFF } TPI Definition 15.Let M = S, R, S 0 , AP, L be a PKS, let φ be an LTL property, let Ω be a set of TP-clauses, and let x be a truth value in { , ?}.A set of TPclauses Ω is an x-topological proof (or x-TP) OFF , suck , ⊥ , IDLE , suck , ⊥ , MOVING, suck , ? , MOVING, move,

Table 3 :
Rules to transform the KS in SNF formulae.

Table 5 :
Properties considered in the evaluation