1 Introduction

Software systems, such as medical systems, are increasingly required to comply with laws and regulations aimed at ensuring safety, security, and data privacy [1, 36]. The properties stipulated by these laws and regulations – which we refer to as legal properties (LP) hereafter – typically involve reasoning about actions, ordering and time. As an example, consider the following LP, P1, derived from a health-data regulation (s.11, PHIPA [20]): “If personal health information is not accurate or not up-to-date, it should not be accessed”. In this property, the accuracy and the freshness of the data depend on how and when the data was collected and updated before being accessed. Specifically, this property constrains the data action access to have accurate and up-to-date data values, which further constrains the order and time of \(\textit{access}\) with respect to other data actions.

System compliance with LPs can be checked on the system design or on an operational model of a system implementation. In this paper, we focus on the early stage, where one can check whether a formalization of the system requirements satisfies an LP. The formalization can be done using a descriptive formalism like temporal logic  [24, 35]. For instance, the requirement (req\(_0\)) of a data collection system: “no data can be accessed prior to 15 days after the data has been collected” needs to be formalized for verifying compliance of P1. It is important to formalize the data and time constraints of both the system requirements and LPs, such as the ones of P1 and req\(_0\).

Metric first-order temporal logic (MFOTL) enables the specification of data and time constraints [3] and has an expressive formalism for capturing LPs and the related system requirements that constrain data and time [1]. Existing work on MFOTL verification focuses on detecting violations at run-time through monitoring [1, 19], with MFOTL formulas being checked on execution logs. There is an unmet need for determining the satisfiability of MFOTL specifications, i.e., looking for LP violations possible in MFOTL specification. This is important for designing systems that comply with their legal requirements.

MFOTL satisfiability checking is generally undecidable since MFOTL is an extension of first-order logic (FOL). Restrictions are thus necessary for making the problem decidable. In this paper, we restrict ourselves to safety properties. For safety properties, LP violations are finite sequences of data actions, captured via a finite-length counterexample. For example, a possible violation of P1 is a sequence consisting of storing a value v in a variable d, updating d’s value to \(v'\), then reading d again and not obtaining \(v'\). Since we are interested in finite counterexamples, bounded verification is a natural strategy to pursue for achieving decidability. SAT solvers have been previously used for bounded satisfiability checking of metric temporal logic (MTL) [24, 35]. However, MTL cannot effectively capture quantified data constraints in LPs, hence the solution is not applicable directly. As an extension to MTL, MFOTL can effectively capture data constraints used in LP. Yet, to the best of our knowledge, there has not been any prior work on bounded MFOTL satisfiability checking.

To establish a bound in bounded verification, researchers have predominantly relied on bounding the size of the universe [13]. Bounding the universe would be too restrictive because LPs routinely refer to variables with large ranges, e.g., timed actions spanning several years. Instead, we bound the number of data actions in a run, which bounds the number of actions in the counterexample.

Equipped with our proposed notion of a bound, we develop an incremental approach (\(\textsc {IBS} \)) for bounded satisfiability checking of MFOTL. We first translate the MFOTL property and requirements into first-order logic formulas with quantified relational objects (FOL\(^*\)). We then incrementally ground the FOL\(^*\) constraints to eliminate the quantifiers by considering an increasing number of relational objects. Subsequently, we check the satisfiability of the resulting constraints using an SMT solver. Specifically, we make the following contributions: (1) we propose a translation of MFOTL formulas to FOL\(^*\); (2) we provide a novel bounded satisfiability checking solution, \(\textsc {IBS} \), for the translated FOL\(^*\) formulas with incremental and counterexample-guided over/ under-approximation. Note that while our solution to MFOTL satisfibility checking can be applied to a broader set of applications, in this paper we focus on the legal domain. We empirically evaluate \(\textsc {IBS} \) on five case studies with a total of 24 properties showing that it can effectively and efficiently find LP violations or prove satisfiability.

The rest of this paper is organized as follows. Sect. 2 provides background and establishes our notation. Sect. 3 defines the bounded satisfiability checking (BSC) problem. Sect. 4 provides an overview of our solution and the translation of MFOTL to FOL\(^*\). Sect. 5 presents our solution; proofs of soundness, termination and optimality are available in the extended version [11]. Sect. 6 reports on the experiments performed to validate our bounded satisfiability checking solution for MFOTL. Sect. 7 discusses related work. Sect. 8 concludes the paper.

2 Preliminaries

In this section, we describe metric first-order temporal logic (MFOTL) [3].

Fig. 1.
figure 1

Example requirements and legal property P1 of DCC, with signature \(S_{data} =(\emptyset , \{\textit{Collect}, \; \textit{Update}, \; \textit{Access}\}, \iota _{data})\), where \(\iota _{data}(\textit{Collect}) = \iota _{data}(\textit{Update}) = \iota _{data}(\textit{Access}) = 2\).

Full size image
Fig. 2.
figure 2

Five traces from the DCC example.

Full size image

Syntax. Let \(\mathbb {I}\) be a set of non-empty intervals over \(\mathbb {N}\). An interval \(I \in \mathbb {I}\) can be expressed as \([b, b')\) where \(b \in \mathbb {N}\) and \(b' \in \mathbb {N} \cup \infty \). A signature S is a tuple \((C, R, \iota )\), where C is a set of constants and R is a finite set of predicate symbols (for relation), respectively. Without loss of generality, we assume all constants are from the integer domain \(\mathbb {Z}\) where the theory of linear integer arithmetic (LIA) holds. The function \(\iota : R \rightarrow \mathbb {N}\) associates each predicate symbol \(r \in R\) with an arity \(\iota (r) \in \mathbb {N}\). Let \(Var \) be a countable infinite set of variables from domain \(\mathbb {Z}\) and a term t is defined inductively as \(t: \, c \, | \, v \, | \, t + t \, | \, c \times t\). We denote \(\bar{t}\) as a vector of terms and \(\bar{t}^{\;k}_{x}\) as the vector that contains x at index k. The syntax of MFOTL formulas is defined as follows: (1) \(\top \) and \(\bot \), representing values “true” and “false”; (2) \(t = t'\) and \(t > t'\), for terms t and \(t'\); (3) \(r(t_1 ... t_{\iota (r)})\) for \(r \in R\) and terms \(t_1 ... t_{\iota (r)}\); (4) \(\phi \wedge \psi \), \(\lnot \phi \) for MFOTL formulas \(\phi \) and \(\psi \); (5) \(\exists x . (r(\bar{t}^{\;k}_{x}) \wedge \phi )\) for MFOTL formula \(\phi \), relation symbol \(r \in R\), variable \(x \in Var \) and a vector of terms \(\bar{t}^{k}_{x}\) s.t. \(x = \bar{t}^{k}_{x}[k]\); and (6) \(\phi ~\mathcal {U}_{I}~\psi \) (until), \(\phi ~\mathcal {S}_{I}~\psi \) (since), \(\Circle _{I}~\phi \) (next), \(\CIRCLE _{I}~\phi \) (previous) for MFOTL formulas \(\phi \) and \(\psi \), and an interval \(I \in \mathbb {I}\).

We consider a restricted form of quantification (syntax rule (5), above) similar to guarded quantification [18]. Every existentially quantified variable x must be guarded by some relation r (i.e., for some \(\bar{t}\), \(r(\bar{t})\) holds and x appears in \(\bar{t}\)). Similarly, universal quantification must be guarded as \(\forall x . (r(\bar{t}) \Rightarrow \phi )\) where \(x \in \bar{t}\). Thus, \(\lnot \exists x . \lnot r(x)\) (and \(\forall x . r(x))\) are not allowed.

The temporal operators \(\mathcal {U}_I\), \(\mathcal {S}_I\), \(\CIRCLE _I\) and \(\Circle _I\) require the satisfaction of the formula within the time interval given by I. We write [b, ) as a shorthand for \([b, \infty )\); if I is omitted, then the interval is assumed to be \([0, \infty )\). Other classical unary temporal operators \(\lozenge _I\) (eventually), \(\square _I\) (always), and \(\blacklozenge _I\) (once) are defined as follows: \(\lozenge _{I}~\phi = \top ~\mathcal {U}_{I}~\phi \), \(\square _{I}~\phi = \lnot \lozenge _{I}~\lnot \phi \), and \(\blacklozenge _{I}~\phi = \top ~\mathcal {S}_{I}~\phi \). Other common logical operator such as \(\vee \) (disjunction) and \(\forall \) (universal quantification) are expressed through negation of \(\wedge \) and \(\exists \), respectively.

Example 1

Suppose a data collection centre (DCC) collects and accesses personal data information with three requirements: \(req_0\) stating that no data is allowed to be accessed before the data ID has been collected for 15 days (360 hours); \(req_1\): data can only be updated after having been collected or last updated for more than a week (168 hours); and \(req_2\): data value can only be accessed if the value has been collected or updated within a week (168 hours). The signature \(S_{data}\) for DCC contains three binary relations (\(R_{data}\)): Collect, Update, and Access, such that Collect(d, v), Update(d, v) and Access(d, v) hold at a given time point if and only if data at id d is collected, updated, and accessed with value v at this time point, respectively. The MFOTL formulas for P1, \(req_0\), \(req_1\) and \(req_2\) are shown in Fig. 1. For instance, the formula \(req_0\) specifies that if a data value stored at id d is accessed, then some data must have been collected and stored at id d at least 360 hours ago (\(\blacklozenge _{[360, )}]\)).

Semantics. A first-order (FO) structure D over the signature \(S = (C, R, \iota )\) is comprised of a non-empty domain \(\textit{dom}(D) \ne \emptyset \) and an interpretation for \(c^D \in \textit{dom}(D)\) and \(r^D \subseteq \textit{dom}(D)^{\iota (r)}\) for each \(c \in C\) and \(r \in R\). The semantics of MFOTL formulas is defined over a sequence of FO structures \(\bar{D}= (D_0,D_1, \ldots )\) and a sequence of natural numbers representing time \(\bar{\tau } = (\tau _0, \tau _1, \ldots )\), where (a) \(\bar{\tau }\) is a monotonically increasing sequence; (b) \(\textit{dom}(D_i) = \textit{dom}(D_{i+1})\) for all \(i \ge 0\) (all \(D_i\) have a fixed domain); and (c) each constant symbol \(c \in C\) has the same interpretation across \(\bar{D}\) (i.e., \(c^{D_i} = c^{D_{i+1}})\). Property (a) ensures that time never decreases as the sequence progresses; and (b) ensures that the domain is fixed (referred to as \(\textit{dom}(\bar{D})\)) \(\bar{D}\) is similar to timed words in metric time logic (MTL), but instead of associating a set of propositions with each time point, MFOTL uses a structure D to interpret the symbols in the signature S. The semantics of MFOTL is defined over a trace of timed first-order structures \(\sigma = (\bar{D}, \bar{\tau })\), where every structure \(D_i \in \bar{D}\) specifies the set of tuples (\(r^{D_i}\)) that hold for every relation r at time \(\tau _i \in \bar{\tau }\). Let \((\bar{D}, \bar{\tau })\) denote an MFOTL trace.

Example 2

Consider the signature \(S_{data}\) in the DCC example. Let \(\tau _1 = 0\) and \(\tau _2 =361\), and let \(D_1\) and \(D_2\) be two first-order structures with \(r^{D_1} = \textit{Collect}(0, 0)\) and \(r^{D_2} = \textit{Access}(0, 0)\), respectively. The trace \(\sigma _1 = ((D_1, D_2), (\tau _1, \tau _2))\) is a valid trace shown in Fig. 2 and representing two timed relations: (1) data value 0 collected and stored at id 0 at hour 0 and (2) data value 0 is read by accessing id 0 at hour 361.

A valuation function \(v:\! Var \rightarrow \! \textit{dom}(\bar{D})\) maps a set \(Var \) of variables to their interpretations in the domain \(\textit{dom}(\bar{D})\). For vectors \(\bar{x}\! =\! (x_1,\! \ldots ,\! x_n)\) and \(\bar{d}\! =\! (d_1,\! \ldots ,\! d_n) \in \textit{dom}(\bar{D})^n\), the update operation \(v[\bar{x} \rightarrow \bar{d}]\) produces a new valuation function \(v'\) s.t. \(v'(x_i) = d_i\) for \( 1 \le i \le n\), and \(v(x') = v'(x')\) for every \(x' \notin \bar{x}\). For any constant c, \(v(c) = c^D\). Let \(\bar{D}\) be a sequence of FO structures over signature \(S = (C, R, \iota )\) and \(\bar{\tau }\) be a sequence of natural numbers. Let \(\phi \) be an MFOTL formula over S, v be a valuation function and \(i \in \mathbb {N}\). A fragment of the relation \((\bar{D}, \bar{\tau }, v, i) \models \phi \) is defined in Fig. 3.

The operators \(\CIRCLE _I\), \(\Circle _I\), \(\mathcal {U}_I\) and \(\mathcal {S}_I\) are augmented with an interval \(I\in \mathbb {I}\) which defines the satisfaction of the formula within a time range specified by I relative to the current time at step i, i.e., \(\tau _i\).

Fig. 3.
figure 3

MFOTL semantics.

Full size image

Definition 1

(MFOTL Satisfiability). An MFOTL formula \(\phi \) is satisfiable if there exists a sequence of FO structures \(\bar{D}\) and natural numbers \(\bar{\tau }\), and a valuation function v such that \((\bar{D}, \bar{\tau }, v, 0) \models \phi \). \(\phi \) is unsatisfiable otherwise.

Example 3

In the DCC example, the MFOTL formula \(req_{0}\) is satisfiable because \((\bar{D}, \bar{\tau }, v, 0) \models req_{0}\) (where \(\sigma _1 = (\bar{D}, \bar{\tau })\) in Fig. 2). Let \(req_{0}'\) be another MFOTL formula: \(\lozenge _{[0, 359]}~\exists j . (\textit{Access}(0, j))\). The formula \(req_{0}' \wedge req_{0}\) is unsatisfiable because if data stored at id 0 is accessed between 0 and 359 hours, then it is impossible to collect the data at least 360 hours prior to its access.

3 Bounded Satisfiability Checking Problem

The satisfiability of MFOTL properties is generally undecidable since MFOTL is expressive enough to describe the blank tape problem [31] (which has been shown to be undecidable). Despite the undecidability result, we can derive a bounded version of the problem, bounded satisfiability checking (BSC), for which a sound and complete decision procedure exists. When facing a hard instance for satisfiability checking, the solution to BSC provides bounded guarantees (i.e., whether a solution exists within a given bound). In this section, we first define satisfiability checking and then the BSC problem for MFOTL formulas. Satisfiability checking [32] is a verification technique that extends model checking by replacing a state transition system with a set of temporal logic formulas. In the following, we define satisfiability checking of MFOTL formulas.

Definition 2

(Satisfiability Checking of MFOTL Formulas). Let P be an MFOTL formula over a signature \(S = (C, R, \iota )\), and let \(\textit{Reqs}\) be a set of MFOTL requirements over S. \(\textit{Reqs}\) complies with P (denoted as \(\textit{Reqs}\Rightarrow P) \) iff \(\bigwedge _{\psi \in \textit{Reqs}} \psi \wedge \lnot P\) is unsatisfiable. We call a solution to \(\bigwedge _{\psi \in \textit{Reqs}} \psi \wedge \lnot P\), if one exists, a counterexample to \(\textit{Reqs}\Rightarrow P\).

Example 4

Consider our DCC system requirements and the privacy data property P1 stating that if personal health information is not accurate or not up-to-date, it should not be accessed (see Fig. 1). P1 is not respected by the set of DCC requirements \(\{req_0, req_1, req_2\}\) because \(\lnot P1 \wedge req_0 \wedge req_1 \wedge req_2\) is satisfiable. The counterexample \(\sigma _2\) (shown in Fig. 2) indicates that data can be re-collected, and the re-collection does not have the same time restriction as the updates. If a fourth policy requirement \(req_3\) (Fig. 1) is added to prohibit re-collection of collected data, then property P1 would be respected (i.e., \(\{req_0, req_1, req_2, req_3\} \Rightarrow P1\)).

Definition 3

(Finite trace and bounded trace). Given a trace \(\sigma = (\bar{D}, \bar{\tau }, v)\), we use \(vol(\sigma )\) (the volume of \(\sigma \)), to denote the total number of times that any relation holds across all FO structures in \(\bar{D}\) (i.e., \(\sum _{r \in R}\sum _{D_i \in \bar{D}} (|r^{D_i}|)\)). The trace \(\sigma \) is finite if \(vol(\sigma )\) is finite. The trace is bounded by volume \(vb\in \mathbb {N}\) if and only if \(vol(\sigma ) \le vb\).

Example 5

The volume of trace \(\sigma _3\) in Fig. 2, \(vol(\sigma _3) = 3 \) since there are three relations: Collect(1, 15), Update(1, 0), and Access(1, 15). Note that the volume is the total number of tuples that hold for any relation across all time points; multiple tuples can thus hold for multiple relations for a single time point.

Definition 4

(Bounded satisfiability checking of MFOTL properties). Let P be an MFOTL property, \(\textit{Reqs}\) be a set of MFOTL requirements, and \(vb\) be a natural number. The bounded satisfiability checking problem determines the existence of a counterexample \(\sigma \) to \(\textit{Reqs}\Rightarrow P\) such that \(vol(\sigma ) \le vb\).

4 Checking Bounded Satisfiability

In this section, we present an overview of the bounded satisfiability checking (BSC) process that translates the MFOTL formula into first-order logic with relational objects (FOL\(^*\)) formulas, and looks for a satisfying solution for the FOL\(^*\) formulas. Then, we provide the translation of MFOTL formulas to FOL\(^*\) and discuss the process complexity.

4.1 Overview of BSC for MFOTL Formulas

We aim to address the bounded satisfiability checking problem (Definition 4), looking for a satisfying run \(\sigma \) within a given volume bound \(vb\) that limits the number of relations in \(\sigma \). First, we \(\textsc {translate}\) the MFOTL formulas to FOL\(^*\) formulas. The considered constraints in the formulas include those of the system requirements and the legal property, and optional data constraints specifying the data value constraint for a datatype. The data constraints can be defined as a range, a “small” data set, or the union/intersection of other data constraints. If data constraints are not specified, then the data value comes from the domain \(\mathbb {Z}\). Note that the optional data constraints do not affect the complexity of BSC, but they do help prune unrealistic counterexamples. Second, we \(\textsc {search}\) for a satisfying solution to the FOL\(^*\) formula; an SMT solver is used here to determine the satisfiability of the FOL\(^*\) constraints and the data domain constraints. The answer from the SMT solver is analyzed to return an answer to the satisfiability checking problem (a counterexample \(\sigma \), or”bounded-UNSAT”).

Fig. 4.
figure 4

Overview of the naive and our incremental (\(\textsc {IBS} \)) MFOTL bounded satisfiability checking approaches. Solid boxes and arrows are shared between the two approaches. Blue dashed arrow is specific to the naive approach. Red dotted arrows and the additional red output in bracket are specific to \(\textsc {IBS} \). (Color figure online)

Full size image

4.2 Translation of MFOTL to First-Order Logic

In this section, we describe the translation target FOL\(^*\), the translation rules and prove their correctness.

FOL with Relational Object (FOL*). We start by introducing the syntax of FOL\(^*\). A signature S is a tuple \((C, R, \iota )\), where C is a set of constants, R is a set of relation symbols, and \(\iota : R \rightarrow \mathbb {N} \) is a function that maps a relation to its arity. We assume that the domain of constant C is \(\mathbb {Z}\), which matches the one for MFOTL, where the theory of linear integer arithmetic (LIA) holds. Let \(Var \) be a set of variables in the domain \(\mathbb {Z}\). A relational object o of class \(r \in R\) (denoted as o : r) is an object with \(\iota (r)\) regular attributes and two special attributes, where every attribute is a variable. We assume that all regular attributes are ordered and denote o[i] to be the ith attribute of o. Some attributes are named, and o.x refers to o’s attribute with the name ‘x’. Each relational object o has two special attributes o.ext and o.time. The former is a boolean variable indicating whether o exists in a solution, and the latter is a variable representing the occurrence time of o. For convenience, we define a function \(\textsc {cls}\)(o) to return the relational object’s class. Let a FOL\(^*\)term t be defined inductively as \(t: \; c \; | \; v \; | \; o[k] \; | \; o.x \; | \; t + t \; | \; c \times t\) for any constant \(c \in C\), any variable \(v \in Var \), any relational object o : r, any index \(k \in [1, \iota (r)]\) and any valid attribute name x. Given a signature S, the syntax of the FOL\(^*\) formulas is defined as follows: (1) \(\top \) and \(\bot \), representing values “true” and “false”; (2) \(t = t'\) and \(t > t'\), for term t and \(t'\); (3) \(\phi _f \wedge \psi _f\), \(\lnot \phi _f\) for FOL\(^*\) formulas \(\phi _f\) and \({\psi _f}\); (4) \(\exists o:r \cdot \, (\phi _f)\) for an FOL\(^*\) formula \(\phi _f\) and a class r; (5) \(\forall o:r \cdot \, (\phi _f)\) for an FOL\(^*\) formula \(\phi _f\) and a class r. The quantifiers for FOL\(^*\) formulas are limited to relational objects, as shown by rules (4) & (5). Operators \(\vee \) and \(\forall \) can be defined in FOL\(^*\) as follows: \(\phi _f \vee \psi _f = \lnot (\lnot \phi _f \wedge \lnot \psi _f)\) and \(\forall o:r \cdot \phi _f = \exists o:r \cdot \lnot \phi _f\). We say an FOL\(^*\) formula is in a negation normal form (NNF) if negations (\(\lnot \)) do not appear in front of \(\lnot \), \(\wedge \), \(\vee \), \(\exists \) and \(\forall \). For the rest of the paper, we assume that every FOL\(^*\) \(\phi \) is in NNF.

Given a signature S, a domain \(D\) is a finite set of relational objects. An FOL\(^*\) formula grounded in the domain \(D\) (denoted by \(\phi _{D}\)) is a quantifier-free FOL formula that eliminates quantifiers on relational objects using the following rules: (1) \(\exists o: r \cdot \, (\phi _f)\) to \( \bigvee _{{o':r} \in D} (o'.ext \wedge \phi _f [o \leftarrow o'])\) and (2) \(\forall o:r \cdot \, (\phi _f)\) to \(\bigwedge _{{o':r} \in D} (o'.ext \Rightarrow \phi _f [o \leftarrow o'])\). An FOL\(^*\) formula \(\phi _f\) is satisfiable in \(D\) if there exists a variable assignment v that evaluates \(\phi _{D}\) to \(\top \) according to the standard semantics of FOL. An FOL\(^*\) formula \(\phi _f\) is satisfiable if there exists a finite domain \(D\) such that \(\phi _f\) is satisfiable in \(D\). We call \(\sigma = (D, v)\) a satisfying solution to \(\phi _f\), denoted as \(\sigma \models \phi _f\). Given a solution \(\sigma = (D, v)\), we say a relational object o is in \(\sigma \), denoted as \(o \in \sigma \), if \(o \in D\) and v(o.ext) is true. The volume of the solution, denoted as \(vol(\sigma )\), is \(|\{o \mid o \in \sigma \}|\).

Example 6

Let a be a relational object of class \(\textit{A}\) with attribute name val. The formula \(\forall a: A.\, (\exists a':A \cdot \, (a.val < a'.val) \wedge \exists a:A \cdot \, a.val = 0) \) has no satisfying solutions in any finite domain. On the other hand, the formula \(\forall a:A \cdot \, (\exists a', a'':A \cdot \, (a.val = a'.val + a''.val) \wedge \exists a:A \cdot \, a.val = 5) \) has a solution \(\sigma = (D, v)\) of volume 2, with the domain \(D= (a_1, a_2)\) and the value function \(v(a_1.val) = 5\), \(v(a_2.val) = 0\) because if \(a \leftarrow a_1\) then the formula is satisfied by assigning \(a' \leftarrow a_1, \;a'' \leftarrow a_2\); and if \(a \leftarrow a_2\), then the formula is satisfied by assigning \(a' \leftarrow a_2, \;a'' \leftarrow a_2\).

From MFOTL Formulas to FOL\(^{\textbf {*}}\) Formulas. We now discuss the translation rule from the MFOTL formulas to FOL\(^*\) formulas. Recall that MFOTL semantics is defined for a time point i on a trace \(\sigma = (\bar{D}, \bar{\tau }, v, i)\), where \(\bar{D} = (D_1, D_2, \ldots )\) is a sequence of FO structures and \(\bar{\tau } = (\tau _1,\tau _2,\ldots )\) is a sequence of time values. The time value of the time point i is given by \(\tau _i\), and if i is not specified, then \(i = 1\). The semantics of the FOL\(^*\) formulas is defined for a domain \(D\) where the information of time is associated with relational objects in the domain. Therefore, the time point i (and its time value \(\tau _i\)) should be considered during the translation from MFOTL to FOL\(^*\) since the same MFOTL formula at different time points represents different constraints on the trace \(\sigma \). Formally, our translation function \(\textsc {translate}\), abbreviated as T, translates an MFOTL formula \(\phi \) into a function \(f: \tau \rightarrow \phi _{f}\), where \(\tau \in \mathbb {N}\) and \(\phi _{f}\) is an FOL\(^*\) formula. The translation rules are stated in Fig. 5.

\(\underline{\text {Representing time points in FOL}^{*}.}\) Since FOL\(^*\) quantifiers are limited to relational objects, to quantify over time points (which is necessary to capture the semantics of MFOTL temporal operators such as \(\mathcal {U}\)), the translated FOL\(^*\) formulas use a special internal class of relational objects \(\textsc {TP}\) (e.g., \(\exists o:\textsc {TP}\)). Relational objects of class \(\textsc {TP}\) capture all possible time points in a trace, and they have two attributes, ext and time, to record the existence and the value of the time point, respectively. To ensure that every time value in a solution is represented by some relational object of \(\textsc {TP}\), we introduce the time coverage FOL\(^*\) axiom.

Axiom 1

(Time coverage). Let \(\phi _f\) be an FOL\(^*\) formula and let \(\sigma \) be its solution. For every relational object \(o \in \sigma \), there exists an object \(o'\) of class \(\textsc {TP}\) s.t. o and \(o'\) share the same time value. Formally, \(\forall o \cdot (\exists o': \textsc {TP}\cdot o.time = o'.time)\).

The translation of \(\Circle _{I}~\phi \) uses function \(\textsc {Next}(t_1, t_2)\) to assert that \(t_1\) is the next time value of \(t_2\). Formally, \(\textsc {Next}(t_1, t_2) = \forall o: \textsc {TP}\cdot o.time > t_2 \Rightarrow t_1 \le o.time\). Function \(\textsc {Prev}(t_1, t_2)\) for translation of \(\CIRCLE _{I}~\phi \) is defined similarly.

Fig. 5.
figure 5

Translation rules from MFOTL to FOL\(^*\). \(\textsc {TP}\) is an internal class of relational objects used to represent time values at different time points. The predicate \(\textsc {Next}(t_1, t_2)\) (\(\textsc {Prev}(t_1, t_2)\)) asserts that \(t_1\) is the next (previous) time value of \(t_2\).

Full size image

Definition 5

(Mapping from MFOTL trace to FOL\(^*\) trace). Let an MFOTL trace \((\bar{D}, \bar{\tau })\) and a valuation function v be given. A function \(M ((\bar{D}, \bar{\tau }), v) \rightarrow (D, v')\) is a mapping between an MFOTL trace and an FOL\(^*\) trace if M satisfies the following rules: (1) for every \(\tau _i \in \bar{\tau }\), there exists a relational object \(o: \textsc {TP}\in D\) such that \(\tau _i = v'(o.time)\); (2) for every structure \(D_{i} \in \bar{D}\), if a tuple \(\bar{t}\) holds for a relation r, (i.e., \(\bar{t} \in r^{D_i}\)), then there exists a relational object o : r such that for \(j \in \iota (r)\), \(\bar{t}[j] = v'(o[j])\) and \(v'(o.time) = \tau _i \wedge v'(o.ext) = \top \); (3) for every term t defined for v, \(v(t) = v'(T(t, \tau _i))\).

The inverse of M, denoted as \(M^{-1}\), is defined as follows: (1) \(\bar{\tau } = \textsc {sort}(\{v'(o.time) \mid o : TP \in D \cdot v'(o.ext) \})\) and (2) for every relational object o : r, if \(v'(o.ext)\), then \((v'(o[1]) \ldots v'(o[\iota (r)])) \in r^{D_{i}}\), where i is the index of the time value \(v'(o.time)\) in \(\bar{\tau }\).

Lemma 1

Given an MFOTL formula \(\phi \), an MFOTL trace \((\bar{D}, \bar{\tau })\), a valuation function v, and a time point i, the relation \((\bar{D}, \bar{\tau }, v, i) \models \phi \) holds iff there exists a satisfying trace \(\sigma = (D, v')\) for the formula \(T(\phi , \tau _i)\).

Proof Sketch. In the proof, we use M and \(M^-1\) (see Definition 5) to transform an MFOTL solution into an FOL\(^*\) trace, and show that it is a solution to the translated FOL\(^*\) formula (and vice versa).

\(\implies \): if \((\bar{D}, \bar{\tau }, v, i) \models \phi \), then it is sufficient to show \((D, v') \leftarrow M(\bar{D}, \bar{\tau }, v)\) is an FOL\(^*\) solution. To prove \((D, v')\) is the solution to \(T(\phi , \tau _i)\), we consider all the translation rules in Fig. 5. The translated FOL\(^*\) matches the semantics (Fig. 3) of MFOTL except for the translation of temporal operators (e.g., T(\(\Circle _{I}~\phi , \tau _i)\) and \(T(\phi ~\mathcal {U}_{I}~\psi , \tau _i)\)) where instead of quantifying over time points (e.g., \(\exists j\) and \(\forall k\)), internal relational objects of class \(\textsc {TP}\) (\(o, o':\textsc {TP}\)) are quantified over. By rule (1) of Dec. 5, every time point and its time value are mapped to some relational object of class \(\textsc {TP}\). Therefore, the quantifiers on time points can be translated into the quantifiers on the relational objects of \(\textsc {TP}\). The mapped solution \((D, v')\) also satisfies Axiom 1 because if a tuple \(\bar{t}\) holds for some relation r at some time \(\tau \) in the MFOTL trace \((\bar{D}, \bar{\tau })\), then there exists a time point \(i \in [1, |\bar{\tau }|]\) such that \(\tau _i = \tau \). Therefore, by rule (1) of M, \(\tau _i\) is represented by some \(o :\textsc {TP}\).

\(\Longleftarrow \): if \((D, v') \models T(\phi , \tau _i)\), then it is sufficient to show that the MFOTL trace \((\bar{D}, \bar{\tau }, v) \leftarrow M^{-1}(D, v')\) satisfies \(\phi \) at point i (i.e., \((\bar{D}, \bar{\tau }, v, i) \models \phi \)). To prove \((\bar{D}, \bar{\tau }, v, i) \models \phi \), we consider all the translation rules in Fig. 5. The translated FOL\(^*\) formula matches the semantics of MFOTL (Fig. 3) except for the difference between the time points and the relational objects of class \(\textsc {TP}\). By Axiom 1, every relational object’s time is captured by some time point, and by rule (2) of \(M^-1\), every relational object is mapped onto some structure \(D_i\) at some time \(\tau _i\) by M. Therefore, \((\bar{D}, \bar{\tau }, v, i) \models \phi \).    \(\square \)

Theorem 1

(Translation Correctness). Given an MFOTL formula \(\phi \) and an MFOTL trace \(\sigma \), let \(M(\sigma )\) be the FOL\(^*\) solution mapped from \(\sigma \) using function M (Definition 5). Then (1) \(\sigma \models \phi \) if and only if \(M(\sigma ) \models T(\phi )\), and (2) \(vol(\sigma ) = vol(M(\sigma )) - |\{ o : \textsc {TP}\in M(\sigma ) \}|\), where \(|\{ o : \textsc {TP}\in M(\sigma ) \}|\) is the number of relational objects of the internal class \(\textsc {TP}\) in the solution \(M(\sigma )\).

Proof. Statement (1) of Thm. 1 is a direct consequence of Lemma 1. Statement (2) is the result of rule (2) in Definition 5 because every relational object in the FOL\(^*\) solution, except for the internal ones, i.e., \(o: \textsc {TP}\), has a one-to-one correspondence to tuples that hold for some relation in the MFOTL solution.    \(\square \)

For the rest of the paper, we assume that the internal relational objects of class \(\textsc {TP}\) do not count toward the volume of the FOL\(^*\) , i.e., \(vol(\sigma ) = vol(T(\sigma ))\).

Example 7

Consider a formula \(exp = \square _{}~\forall d \cdot (A(d) \implies \lozenge _{[5,10]}~B(d))\), where A and B are unary relations. The translated FOL\(^*\) formula T(exp) is: \(\forall o: \textsc {TP}\cdot \forall a : A \cdot (o.time = a.time \Rightarrow \exists o':\textsc {TP}\cdot b: B \cdot o'.time = b.time \wedge a[1] = b[1] \wedge \; o.time+5 \le o'.time \le o.time+10)\). Since \(o.time = a.time\) and \(o'.time = b.time\), we can substitute o.time and \(o'.time\) with a.time and b.time in T(exp), respectively. Then, the formula contains no reference to o and \(o'\), and we can safely drop the quantified o and \(o'\) (we can drop existential quantified \(\textsc {TP}\) relational object because of the time coverage axiom). The simplified formula is: \( \forall a : A \cdot \exists b: B \cdot a[1] = b[1] \wedge \; a.time+5 \le b.time \le a.time+10\).

This is important for designing system requirements that comply with LPs.

Given an MFOTL property P and a set Reqs of MFOTL requirements, and a volume bound \(vb\), the BSC problem can be solved by searching for a satisfying solution \(v'\) for the FOL\(^*\) formula \(T(\lnot P) \bigwedge _{\psi \in Reqs} T(\psi )\) in a domain \(D\) with at most \(vb\) relational objects.

4.3 Checking MFOTL Satisfiability: A Naive Approach

Below, we define a naive procedure \(\textsc {NBS}\) (shown in Fig. 4) for checking satisfiability of MFOTL formulas translated into FOL\(^*\). We then discuss the complexity of this naive procedure. Even though we do not use \(\textsc {NBS}\) in this paper, its complexity constitutes an upper bound for our approach proposed in Sect. 5.

Searching for a satisfying solution. Let \(\phi _f\) be an FOL\(^*\) formula translated from an MFOTL formula \(\phi \), and let \(vb\) be the volume bound. \(\textsc {NBS}\) solves \(\phi _f\) via quantifier elimination. The number of relational objects in any satisfying solution of \(\phi _f\) should be at most \(vb\). Therefore, \(\textsc {NBS}\) grounds the FOL\(^*\) formulas within a domain of \(vb\) relational objects (see Sect. 4.2), and then uses an SMT solver to check satisfiability of the grounded formula. If the domain has multiple classes of relational objects, we can unify them by introducing a “superposition” class whose attributes are the union of the attributes of all classes and a special “name” attribute to indicate the class represented by the superposition.

Complexity. The size of the quantifier-free formula is \(O(vb^k)\), where k is the maximum depth of quantifier nesting. Since the background theory used in \(\phi \) is restricted to linear integer arithmetic, solving the formula is NP-hard [29]. Because T (Tab. 5) is linear in the size of the formula \(\phi \), \(\textsc {NBS}\) is NP-complete w.r.t. the size of the grounded formula, \(vb^k\).

5 Incremental Search for Bounded Counterexamples

The naive BSC approach (\(\textsc {NBS}\)) proposed in Sect. 4.3 is inefficient for solving the translated FOL\(^*\) formulas given a large bound n due to the size of the ground formula. Moreover, \(\textsc {NBS}\) cannot detect unbounded unsatisfiability, and cannot provide optimality guarantees on the volume of counterexamples which are important for establishing the proof of unbounded correctness and localizing faults [15], respectively. In this section, we propose an incremental procedure \(\textsc {IBS} \), which can detect unbounded unsatisfiability and provide the shortest counterexamples. An overview of \(\textsc {IBS} \) is given in Fig. 4.

\(\textsc {IBS} \) maintains an under-approximation of the search domain and the FOL\(^*\) constraints. It uses the search domain to ground the FOL\(^*\) constraints, and an SMT solver to determine the satisfiability of the grounded constraints. It analyzes the SMT result and accordingly either expands the search domain, refines the FOL\(^*\) constraints, or returns an answer to the satisfiability checking problem (a counterexample \(\sigma \), “bounded-UNSAT”, or “UNSAT”). The procedure continues until an answer is obtained (\(\sigma \) or UNSAT), or until the domain exceeds the bound \(vb\), in which case a “bounded-UNSAT” answer is returned.

In the following, we describe \(\textsc {IBS} \) in more detail. We explain the key component of \(\textsc {IBS} \), computing over- and under-approximation queries, in Sect. 5.1. We discuss the algorithm itself in Sect. 5.2 and illustrate it in Sect. 5.3. We prove its soundness, completeness, and solution optimality in the extended version [11].

5.1 Over- and Under-Approximation

\(\textsc {NBS}\) grounds the input FOL\(^*\) formulas in a fixed domain \(D\) (fixed by the bound \(vb\)). Instead, \(\textsc {IBS} \) under-approximates \(D\) to \(D_{\downarrow }\) such that \(D_{\downarrow }\subseteq D\). With \(D_{\downarrow }\), we can create an over- and an under-approximation query to the bounded satisfiability checking problem. Such queries are used to check the satisfiability of FOL\(^*\) formulas with domain \(D_{\downarrow }\). \(\textsc {IBS} \) starts with a small domain \(D_{\downarrow }\) and gradually expands it until either SAT or UNSAT is returned, or the domain size exceeds some limit (bounded-UNSAT).

Over-approximation. Let \(\phi _f\) be an FOL\(^*\) formula, and \(D_{\downarrow }\) be a domain of relation objects. The procedure Ground, \(G\)(\(\phi _f\), \(D_{\downarrow }\)), encodes \(\phi _f\) into a quantifier-free FOL formula \(\phi _g\) s.t. the unsatisfiability of \(\phi _g\) implies the unsatisfiability of \(\phi _f\). We call \(\phi _g\) an over-approximation of \(\phi _f\). The procedure \(G\) (Algorithm 2) recursively traverses the syntax tree of the input FOL\(^*\) formula from top to bottom.

To eliminate the existential quantifier in \(\exists o: r \cdot \phi '_f\) (L:1), \(G\) creates a new relational object \(o'\) of class r (L: 2), and replaces o with \(o'\) in \(\phi '_f\) (L:3). To eliminate the universal quantifier in \(\forall o: r \cdot \phi '_f\) (L: 4), \(G\) grounds the formula in \(D_{\downarrow }\). More specifically, \(G\) expands the quantifier into a conjunction of clauses where each clause is \(o'.ext \Rightarrow \phi '_f[o \leftarrow o']\) (i.e., o is replaced by \(o'\) in \(\phi '_f\)) for each relational object \(o'\) of class r in \(D_{\downarrow }\) (L: 5). Intuitively, an existentially quantified relational object is instantiated with a new relational object, and a universally quantified relational object is instantiated with every existing relational object of the same class in \(D_{\downarrow }\), which does not include the ones instantiated during \(G\).

Lemma 2

(Over-approximation Query). For an FOL\(^*\) formula \(\phi _f\), and a domain \(D_{\downarrow }\), if \(\phi _g = G(\phi _f, D_{\downarrow })\) is UNSAT, then so is \(\phi _f\).

Under-Approximation. Let \(\phi _f\) be an FOL\(^*\) formula, and \(D_{\downarrow }\) be a domain. The over-approximation \(\phi _g = G(\phi _f, D_{\downarrow })\) contains a set of new relational objects introduced by \(G\) (L:2), denoted by NewRs. Let NoNewR(NewRs, \(D_{\downarrow }\)) be constraints that enforce that every new relational object \(o_1\) in NewRs be semantically equivalent to some relational objects \(o_2\) in \(D_{\downarrow }\). Formally: the predicate \(\textsc {NoNewR}(NewRs, D_{\downarrow })\) is defined as \(\bigwedge _{o_1 \in NewRs} \bigvee _{o_2 \in D_{\downarrow }} (o_1 \equiv o_2)\), where the semantically equivalent relation between \(o_1\) and \(o_1\) (i.e., \(o_1 \equiv o_2\)) is defined as \(\textsc {cls}(o_1) = \textsc {cls}(o_2)\) and \(\bigwedge _{i=1}^{\iota (\textsc {cls}(o))}(o_1[i] = o_2[i]) \wedge o_1.ext = o_2.ext \wedge o_1.time = o_2.time\) (where the \(\textsc {cls}(o)\) returns the class of o). Let \(\phi _g^{\bot } = \phi _g \wedge \textsc {NoNewR}(NewRs, D_{\downarrow }).\) If \(\phi _g^{\bot }\) has a satisfying solution, then there is a solution for \(\phi _f\). We call \(\phi _g^{\bot }\) an under-approximation of \(\phi _f\) and denote the procedure for computing it by \(\textsc {UnderApprox}(\phi _f, D_{\downarrow })\).

Lemma 3

(Under-Approximation Query). For an FOL\(^*\) formula \(\phi _f\), and a domain \(D_{\downarrow }\), let \(\phi _g = G(\phi _f, D_{\downarrow })\) and \(\phi _g^{\bot } = \textsc {UnderApprox}(\phi _f, D_{\downarrow })\). If \(\sigma \) is a solution to \(\phi _g^{\bot }\), then there exists a solution to \(\phi _f\).

figure a
figure b

The proofs of Lemma 2 and  3 are in the extended version [11].

Suppose, for some domain \(D_{\downarrow }\), that an over-approximation query \(\phi _g\) for an FOL\(^*\) formula \(\phi _f\) is satisfiable while the under-approximation query \(\phi _g^{\bot }\) is UNSAT. Then, the solution to \(\phi _g\) provides hints on how to expand \(D_{\downarrow }\) to potentially obtain a satisfying solution for \(\phi _f\), as captured in Corollary 1.

Corollary 1

(Necessary relational objects). For an FOL\(^*\) formula \(\phi _f\) and a domain \(D_{\downarrow }\), let \(\phi _g\) and \(\phi _g^{\bot }\) be the over- and under-approximation queries of \(\phi _f\) based on \(D_{\downarrow }\), respectively. Suppose \(\phi _g\) is satisfiable and \(\phi _g^{\bot }\) is UNSAT, then every solution to \(\phi _f\) contains some relational object in formula \(\phi _g\) but not in \(D_{\downarrow }\).

5.2 Counterexample-Guided Constraint Solving Algorithm

Let an MFOTL formula \(\lnot P\) (to find a satisfiable counterexample to P), a set of MFOTL requirements \(\textit{Reqs}\), an optional volume bound \(vb\), and optionally a set of FOL\(^*\) data domain constraints \(T_{data}\) be given. \(\textsc {IBS} \), shown in Algorithm 1, searches for a solution \(\sigma \) to \(\lnot P\wedge \bigwedge _{\psi \in \textit{Reqs}} \psi \) (with respect to \(T_{data}\)) bounded by \(vb\), as a counter-example to \(\bigwedge _{\psi \in \textit{Reqs}} \psi \Rightarrow P\) (Definition 2). bounded by \(vb\). If no such solution is possible regardless of the bound, \(\textsc {IBS} \) returns UNSAT. If no solution can be found within the given bound, but a solution may exist for a larger bound, then \(\textsc {IBS} \) returns bounded-UNSAT. If \(vb\) is not specified, \(\textsc {IBS} \) will perform the search unboundedly until a solution or UNSAT is returned.

\(\textsc {IBS} \) first translates \(\lnot P\) and every \(\psi \in \textit{Reqs}\) into FOL\(^*\) formulas in \(\textit{Reqs}_f\), denoted by \(\lnot P_f\) and \(\psi _f\), respectively. Then \(\textsc {IBS} \) searches for a satisfying solution to \(\lnot P_f\wedge \bigwedge _{\psi _f \in \textit{Reqs}_f} \psi _f\) in the domain \(D\) of volume, which is at most \(vb\). Instead of searching in \(D\) directly, \(\textsc {IBS} \) searches for a solution to \(\lnot P_f\wedge \bigwedge _{\psi _f \in \textit{Reqs}_{\downarrow }} \psi _f\) in \(D_{\downarrow }\) (denoted by \(\phi _\downarrow \)) where \(\textit{Reqs}_{\downarrow }\subseteq \textit{Reqs}_f\) and \(D_{\downarrow }\subseteq D\). \(\textsc {IBS} \) initializes \(\textit{Reqs}_{\downarrow }\) and \(D_{\downarrow }\) as empty sets (LL:3-4). Then, for the FOL\(^*\) formula \(\phi _\downarrow \), \(\textsc {IBS} \) creates an over- and under-approximation query \(\phi _g\) (L:7) and \(\phi _g^{\bot }\) (L:8), respectively (described in Sect. 5.1). \(\textsc {IBS} \) first solves the over-approximation query \(\phi _g\) by querying an SMT solver (L:9). If \(\phi _g\) is unsatisfiable, then \(\phi _\downarrow \) is unsatisfiable (Lemma 2), and \(\textsc {IBS} \) returns UNSAT (L:10).

If \(\phi _g\) is satisfiable, then \(\textsc {IBS} \) solves the under-approximation query \(\phi _g^{\bot }\) (L:11). If \(\phi _g^{\bot }\) is unsatisfiable, then the current domain \(D_{\downarrow }\) is too small, and \(\textsc {IBS} \) expands it (LL:12-18). This is because the satisfiability of \(\phi _g\) indicates the possibility of finding a satisfying solution after adding at least one of the new relational objects in the solution to \(\phi _g\) to \(D_{\downarrow }\) (Corollary 1). The domain \(D_{\downarrow }\) is expanded by adding all relational objects \(o'\) in the minimum (in terms of volume) solution \(\sigma _{min}\) to \(\phi _g\) (L:13). To obtain \(\sigma _{min}\), we follow MaxRes [28] methods: we analyze the UNSAT core of \(\phi _g^{\bot }\) and incrementally weaken \(\phi _g^{\bot }\) towards \(\phi _g\) (i.e., the weakened query \(\phi _g^{\bot '}\) is an “over-under approximation” that satisfies \(\phi _g^{\bot } \Rightarrow \phi _g^{\bot '} \Rightarrow \phi _g\)) until a satisfying solution \(\sigma _{min}\) is obtained for the weakened query. However, if the volume of \(\sigma _{min}\) exceeds \(vb\) (L:16), then bounded-UNSAT is returned (L:17). UNSAT core-guided domain expansion has also been explored for unfolding the definition of recursive functions [30, 37].

On the other hand, if \(\phi _{g}^{\bot }\) yields a solution \(\sigma \), then \(\sigma \) is checked on \(\textit{Reqs}_f\) (L:19). If \(\sigma \) satisfies every \(\psi _f\) in \(\textit{Reqs}_f\), then \(\sigma \) is returned (L:20). If \(\sigma \) violates some requirements in \(\textit{Reqs}_f\), then the violating requirement \(\textit{lesson}\) is added to \(\textit{Reqs}_{\downarrow }\) to be considered in the search for the next solutions (L:23).

If \(\textsc {IBS} \) does not find a solution or does not return UNSAT, it means that no solution is found because \(D_{\downarrow }\) is too small or \(\textit{Reqs}_{\downarrow }\) are too weak. \(\textsc {IBS} \) then restarts with the expanded domain \(D_{\downarrow }\) or the refined set of requirements \(\textit{Reqs}_{\downarrow }\). It computes the over- and under-approximation queries (\(\phi _g\) and \(\phi _g^{\bot })\) again, and repeats the steps. See Sect. 5.3 for an illustration of \(\textsc {IBS} \).

Remark 1

\(\textsc {IBS} \) finds the optimal solution because it looks for the minimum solution \(\sigma _{min}\) to the over-approximation query \(\phi _g\) (L:13) and uses it for domain expansion (L:15). However, looking for \(\sigma _{min}\) adds cost. If solution optimality is not required, \(\textsc {IBS} \) can be configured to heuristically find a solution \(\sigma \) to \(\phi _g\) such that \(vol(\sigma ) \le vb\). The greedy best-first search (gBFS) finds a solution to \(\phi _g\) that minimizes the number of relational objects that are not already in \(D_{\downarrow }\), and then uses it to expand \(D_{\downarrow }\). We configured a non-optimal version of \(\textsc {IBS} \) (\(\text {nop}\)) that uses gBFS heuristics and evaluated its performance in Sect. 6.

5.3 Illustration of IBS

Suppose a data collection centre (DCC) collects and accesses personal data information with two requirements: \(\textit{req}_1\): data value can only be updated after having been collected or last updated for more than a week (168 hours); and \(\textit{req}_2\): data can only be accessed if has been collected or updated within a week (168 hours). The signature \(S_{\textit{data}}\) for DCC contains three binary relations (\(R_{\textit{data}}\)): Collect, Update, and Access, such that Collect(d, v), Update(d, v) and Access(d, v) hold at a given time point if and only if data at ID d is collected, updated, and accessed with value v at this time point, respectively. The MFOTL formulas for P1, \(\textit{req}_1\) and \(\textit{req}_2\) are shown in Fig. 1. Suppose \(\textsc {IBS} \) is invoked to find a counterexample for property P1 (shown in Fig. 1) subject to requirements \(\textit{Reqs}= \{\textit{req}_1, \textit{req}_2\}\) with the bound \(vb= 4\). \(\textsc {IBS} \) translates the requirements and the property to FOL\(^*\) and initializes \(\textit{Reqs}_{\downarrow }\) and \(D_{\downarrow }\) to empty sets. For each iteration, we use \(\phi _g\) and \(\phi _g^{\bot }\) to represent the over- and under-approximation queries computed on LL:7-8, respectively.

1st iteration: \(D_{\downarrow }= \emptyset \) and \(\textit{Reqs}_{\downarrow }= \emptyset \). Three new relational objects are introduced to \(\phi _g\) (due to \(\lnot P1\)): \(\textit{access}_1\), \(\textit{collect}_1\), and \(\textit{update}_1\) such that: (C1) \(\textit{access}_1\) occurs after \(\textit{collect}_1\) and \(\textit{update}_1\);(C2) \(\textit{access}_1.d = \textit{collect}_1.d = \textit{update}_1.d\);(C3) \(\textit{access}_1.v \ne \textit{collect}_1.v \wedge \textit{access}_1.v \ne \textit{update}_1.v\); and (C4) either \(\textit{collect}_1\) or \(\textit{update}_1\) must be in the solution. \(\phi _g\) is satisfiable, but \(\phi _{g}^{\bot }\) is UNSAT since \(D_{\downarrow }\) is an empty set. We assume \(D_{\downarrow }\) is expanded by adding \(\textit{access}_1\) and \(\textit{update}_1\).

2nd iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1\}\) and \(\textit{Reqs}_{\downarrow }= \emptyset \). The over-approximation \(\phi _{g}\) stays the same, but \(\phi _g^{\bot }\) becomes satisfiable since \(\textit{access}_1\) and \(\textit{update}_1\) are in \(D_{\downarrow }\). Suppose the solution is \(\sigma _4\) (see Fig. 2). However, \(\sigma _4\) violates \(\textit{req}_2\), so \(\textit{req}_2\) is added to \(\textit{Reqs}_{\downarrow }\).

3rd iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1\}\) and \(\textit{Reqs}_{\downarrow }= \{\textit{req}_2\}\). Two new relational objects are introduced in \(\phi _g\) (due to \(\textit{req}_2\)): \(\textit{collect}_2\) and \(\textit{update}_2\) such that (C5) \(\textit{collect}_2.time \le \textit{access}_1.time \le \textit{collect}_2.time + 168\); (C6) \(\textit{update}_2.time \le \textit{access}_1.time \le \textit{update}_2.time + 168\); (C7) \(\textit{access}_1.d = \textit{collect}_2.d = \textit{update}_2.d\); (C8) \(\textit{access}_1.v = \textit{collect}_2.v = \textit{update}_2.v\); and (C9) \(\textit{collect}_2\) or \(\textit{update}_2\) is in the solution. The new \(\phi _g\) is satisfiable, but \(\phi _g^{\bot }\) is UNSAT because \(\textit{update}_2 \not \in D_{\downarrow }\) and \(\textit{update}_1 \ne \textit{update}_2\) (C8 conflicts with C3). Therefore, \(D_{\downarrow }\) needs to be expanded. Assume \(\textit{collect}_2\) is added to \(D_{\downarrow }\).

4th iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1, \textit{collect}_2\}\) and \(\textit{Reqs}_{\downarrow }= \{\textit{req}_2\}\). The over-approximation \(\phi _g\) stays the same, but \(\phi _g^{\bot }\) becomes satisfiable since \(\textit{collect}_2\) is in \(D_{\downarrow }\). Suppose the solution is \(\sigma _3\) (see Fig. 2). Since \(\sigma _3\) violates \(\textit{req}_1\), \(\textit{req}_1\) is added to \(\textit{Reqs}_{\downarrow }\).

5th iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1, \textit{collect}_2\}\) and \(\textit{Reqs}_{\downarrow }= \{\textit{req}_1, \textit{req}_2\}\). The following constraints are added to \(\phi _g\) (due to \(\textit{req}_1\)): (C9) \(\lnot (\textit{update}_2.time -168 \le \textit{collect}_1.time \le \textit{update}_2.time)\). Since (C9) conflicts with (C8), (C7) and (C1), \(\textit{update}_2\) cannot be in the solution to \(\phi _g\). The over-approximation \(\phi _g\) is satisfiable if \(\textit{collect}_1\) (introduced in the 1st iteration) or \(\textit{update}_2\) (3rd iteration) are in the solution. However, \(\phi _g^{\bot }\) is UNSAT since \(D_{\downarrow }\) does not contain \(\textit{collect}_1\) or \(\textit{update}_2\). Thus, \(D_{\downarrow }\) is expanded. Assume \(\textit{update}_2\) is added to \(D_{\downarrow }\).

6th iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1, \textit{collect}_2, \textit{update}_2\}\), \(\textit{Reqs}_{\downarrow }= \{\textit{req}_1, \textit{req}_2\}\). The following constraints are added to \(\phi _g\) (C10) \(\textit{update}_2.time \ge \textit{update}_1.time + 168\) (due to \(req_1\)) and (C11) \(\textit{update}_2.time \le \) \(\textit{update}_1.time\) (due to \(\lnot P\)). Since (C10) conflicts with (C11), \(\textit{update}_2\) cannot be in the solution to \(\phi _g\). Thus, \(\phi _g\) is satisfiable only if \(\textit{collect}_1\) is in the solution. However, \(\phi _g^{\bot }\) is UNSAT because \(\textit{collect}_1 \not \in D_{\downarrow }\). Therefore, \(D_{\downarrow }\) is expanded by adding \(\textit{collect}_1\).

final iteration: \(D_{\downarrow }= \{\textit{access}_1, \textit{update}_1, \textit{collect}_2, \textit{update}_2,\) \(\textit{collect}_1\}\) and \(\textit{Reqs}_{\downarrow }= \{\textit{req}_1, \textit{req}_2\}\). The under-approximation \(\phi _{g}^{\bot }\) becomes satisfiable, and yields the solution \(\sigma _5\) in Fig. 2 which satisfies both \(\textit{req}_1\) and \(\textit{req}_2\).

6 Evaluation

To evaluate our approach, we developed a prototype tool, called LEGOS, that implements our MFOTL bounded satisfiability checking algorithm, \(\textsc {IBS} \) (Algorithm 1). It includes Python API for specifying system requirements and MFOTL safety properties. We use pySMT [14] to formulate SMT queries and Z3 [8] to check their satisfiability. The implementation and the evaluation artifacts are included in the supplementary material [12]. In this section, we evaluate the effectiveness of our approach using five case studies, aiming to answer the following research question: How effective is our approach at determining the bounded satisfiability of MFOTL formulas? We measure effectiveness in terms of the ability to determine satisfiability (i.e., the satisfying solution and its volume, UNSAT, or bounded UNSAT), and performance, i.e., time and memory usage.

Cases studies. The five case studies considered in this paper are summarized below: (1) PHIM (derived from [1, 10]): a computer system for keeping track of personal health information with cost management; (2) CF@HFootnote 1: a system for monitoring COVID patients at home and enabling doctors to monitor patient data; (3) PBC [4]: an approval policy for publishing business reports within a company; (4) BST [4]: a banking system that processes customer transactions; and (5) NASA [26]: an automated air-traffic control system design that aims to avoid aircraft collisions.Footnote 2 Table 1 gives their statistics. For each case study, we record the number of requirements, relations, relation arguments, and properties, denoted as \(\#reqs\), \(\#rels\), \(\#args\), and \(\#props\), respectively. Additionally, Table 1 shows initial configurations used in our experiments, with number of custodians (\(\#c\)), patients (\(\#p\)), and data (\(\#d\)) for PHIM; number of users (\(\#u\)), and data (\(\#d\)) for CF@H and PBC; number of employees (\(\#e\)), customers (\(\#c\)), transactions (\(\#t\)), and the maximum amount for a transaction (\(\textit{sup}\)) for BST; number of ground-separated (\(\#GSEP\)) and of the self-separating aircraft (\(\#SSEP\)) for NASA.

Table 1. Case study statistics.
Full size table
Table 2. Performance comparison between \(\textsc {IBS} \) and nuXmv on case study NASA.
Full size table

Case studies were selected for (i) the purpose of comparison with existing works (i.e., NASA); (ii) checking whether our approach scales with case studies involving data/time constraints (PBC, BST, PHIM and CF@H); or (iii) evaluating the applicability of our approach with real-word case studies (CF@H and NASA). In addition to prior case studies, we include PHIM and CF@H which have complex data/time constraints. The number of requirements for the five case studies ranges between ten (BST) and 194 (NASA). The number of relations present in the MFOTL requirements ranges from three (BST) to 28 (CF@H), and the number of arguments in these relations ranges from 1 (PHM, PBC, and BST) to 79 (NASA).

Experimental setup. Given a set of requirements, data constraints and properties of interest for each case study, we measured the run-time (time) and peak memory usage (mem.) of performing bounded satisfiability checking of MFOTL properties, and the volume \(vol_\sigma \) (the number of relational objects) of the solution (\(\sigma \)) with (\(\text {op}\)) and without (\(\text {nop}\)) the optimality guarantees (see Remark 1 for finding non-optimal solutions). We conduct two experiments: the first one evaluates the efficiency and scalability of our approach; the second one compares our approach with satisfiability checking. Since there is no existing work for checking MFOTL satisfiability, we compared with LTL satisfiability checking because MFOTL subsumes LTL. To study the scalability of our approach, our first experiment considers four different configurations obtained by increasing the data constraints of the case-study requirements. The initial configuration (small) is described in Table 1 and the initial bound is 10. The medium and large configurations are obtained by multiplying the initial data constraints and volume bound by ten and hundred, respectively. The last (unbounded) configuration does not bound either the data domain or the volume. As we noted earlier in Sect. 4, the purpose of adding data constraints is to avoid unrealistic counterexamples. For example, the NASA case study uses a data set for specifying the possible system control modes and uses data ranges to restrict the possible measures from the aircraft (e.g., aircraft’s trajectory). In the other case studies, data constraints are realistic data ranges (e.g., a patient’s account balance should be non-negative). To study the performance of our approach relative to existing work, our second experiment considers two configurations of the NASA case study verified in [24] using the state-of-the-art symbolic model checker nuXmv [6]Footnote 3. We compare our approach’s result against the reproduced result of nuXmv verification. For both experiments, we report the analysis outcomes, i.e., the volume of the satisfying solution (if one exists), UNSAT, or bounded UNSAT; and performance, i.e., time and memory usage. The experiments were conducted using a ThinkPad X1 Carbon with an Intel Core i7 1.80 GHz processor, 8 GB of RAM, and running 64-bit Ubuntu GNU/Linux 8.

Table 3. Run-time performance for four case studies and 18 properties. We record the outcome (out.) of the algorithm with (\(\text {op}\)) or without (\(\text {nop}\)) the optimal solution guarantee: UNSAT (U), bounded-UNSAT (b-U), or the volume of the counterexample \(\sigma \) (a natural number, corresponding to vol\(_\sigma \)). We consider four different configurations: small (see Tab. 6), medium (x10), big (x100), and unbounded (\(\infty \)) data domain constraints and volume bound. Volume differences between \(\text {op}\) and \(\text {nop}\) are bolded.
Full size table

Results of the first experiment are summarized in Table 3. Out of the 72 trials, our approach found 31 solutions. It also returned five bounded-UNSAT answers, and 36 UNSAT answers. The results show that our approach is effective in checking satisfiability of case studies with different sizes. More precisely, we observe that it takes under three seconds to return UNSAT and between .04 seconds (\(bs_2\):medium) and 32 min (\(ph_7\):medium:\(\text {op}\)) to return a solution. In the worst case, \(\text {op}\) took 32 min for checking \(ph_7\) where the property and requirements contain complex constraints. Effectively, \(ph_7\) requires the deletion of data stored at id 10, while the cost of deletion increases over time under PHIM’s requirements. Therefore, the user has to perform a number of actions to obtain a sufficient balance to delete the data. Additionally, each action that increases the user’s balance has its own preconditions, effects, and time cost, making the process of choosing the sequence of actions to meet the increasing deletion cost non-trivial.

We can see a difference in time between cf2 ‘big’ and ‘unbounded’, this is because the domain expansion followed two different paths and one produces significantly easier SMT queries. Since our approach is guided by counterexamples (i.e., the path is guided by the solution from the SMT solver (Algorithm1-L:13)), our approach does not have direct control over the exact path selection. In future work, we aim to add optimizations to avoid/backtrack from hard paths.

We observe that the data-domain constraint and volume bound used in different configurations do not affect the performance of \(\textsc {IBS} \) when the satisfiability of the instances does not depend on them, which is the case for all the instances except for \(ph_{6-7}\):small, \(cf_{1-3}\):small, and \(bs_3\):small. As mentioned in Sect. 4, the data-domain constraint ensures that satisfying solutions have realistic data values. For \(ph1-ph4\), the bound used in the small, medium and large configurations creates additional constraints in the SMT queries for each relational object, and therefore results in a larger peak memory than the unbounded configuration.

Finding the optimal solution (by \(\text {op}\)), in contrast to finding a satisfying solution without the optimal guarantee (by \(\text {nop}\)), imposes a substantial computational cost while rarely achieving a volume reduction. The non-optimal heuristic \(\text {nop}\) often outperformed the optimal approach for satisfiable instances. Out of 31 satisfiable instances, \(\text {nop}\) solved 12 instances 3 times faster, 10 instances 10 times faster and seven instances 20 times faster than \(\text {op}\). Compared to the non-optimal solution, the optimal solution reduced the volume for only two instances: \(ph_7\):large and \(ph_7\):unbounded by one (3%) and three (9%), respectively. On all other satisfying instances, \(\text {op}\) and \(\text {nop}\) both find the optimal solutions. When there is no solution, both \(\text {op}\) and \(\text {nop}\) are equally efficient.

Results of the second experiment are summarized in Table 2. Our approach and nuXmv both correctly verified that all six properties were UNSAT in both NASA configurations. We observe that the performance of our approach is comparable to nuXmv for the first configuration with .10 to .20 seconds of difference on average. Yet, for the second configuration, our approach terminates in less than 0.20 seconds and nuXmv takes 1.50 seconds on average. We conclude that our approach’s performance is comparable to that of nuXmv for LTL satisfiability checking even though our approach is not specifically designed for LTL.

Summary. In summary, we have demonstrated that our approach is effective at determining the bounded satisfiability of MFOTL formulas using case studies with different sizes and from different application domains. When restricted to LTL, our approach is at least as effective as the existing work on LTL satisfiability checking which uses a state-of-the-art symbolic model checker. Importantly, \(\textsc {IBS} \) can often determine satisfiability of instances without reaching the volume bound, and its performance is not sensitive to the data domain. On the other hand, \(\textsc {IBS} \)’s optimal guarantee imposes a substantial computational cost while rarely achieving a volume reduction over non-optimal solutions obtained by \(\text {nop}\). We need to investigate the trade-off between optimality and efficiency, as well as evaluate the performance of \(\textsc {IBS} \) on a broader range of benchmarks.

7 Related Work

Below, we compare with the existing approaches that address the satisfiability checking of temporal logic and first-order logic.

Satisfiability checking of temporal properties. Temporal logic satisfiability checking has been studied for the verification of system designs. Satisfiability checking for Linear Temporal Logic (LTL) can be performed by reducing the problem to model checking [35], by applying automata-based techniques [25], or by SAT solving [5, 21,22,23]. Satisfiability checking for metric temporal logic (MTL) [32] and its variants, e.g., mission-time LTL [24] and signal temporal logic [2], has been studied for the verification of real-time system designs. These existing techniques are inadequate for our needs: LTL and MTL cannot effectively capture quantified data constraints commonly used in legal properties. MFOTL does not have such a limitation as it extends MTL and LTL with first-order quantifiers, thereby supporting the specification of data constraints.

Finite model finding for first-order logic. Finite-model finders [7, 33] look for a model by checking universal quantifiers exhaustively over candidate models with progressively larger domains; we look for finite-volume solutions using a similar approach. On the other hand, we consider an explicit bound on the volume of the solution, and are able to find the solution with the smallest volume. SMT solvers support quantifiers with quantifier instantiation heuristics [16, 17] such as E-matching  [9, 27] and conflict-based instantiation [34]. Quantifier instantiation heuristics are nonetheless generally incomplete, whereas, in our approach, we obtain completeness by bounding the volume of the satisfying solution.

8 Conclusion

In this paper, we proposed an incremental bounded satisfiability checking approach, called \(\textsc {IBS} \), aimed to enable verification of legal properties, expressed in MFOTL, against system requirements. \(\textsc {IBS} \) first translates MFOTL formulas to first-order logic with relational objects (FOL\(^*\)) and then searches for a satisfying solution to the translated FOL\(^*\) formulas in a bounded search space by deriving over- and under-approximating SMT queries. \(\textsc {IBS} \) starts with a small search space and incrementally expands it until an answer is returned or until the bound is exceeded. We implemented \(\textsc {IBS} \) on top of the SMT solver Z3. Experiments using five case studies showed that our approach is effective for identifying errors in requirements from different application domains. Our approach is currently limited to verifying safety properties. In the future, we plan to extend our approach so that it can handle a broader spectrum of property types, including liveness and fairness. \(\textsc {IBS} \)’s performance and scalability depend crucially on how the domain of relational objects is maintained and expanded. As future work, we would like to study the effectiveness of other heuristics to improve \(\textsc {IBS} \)’s scalability (e.g., random restart and expansion with domain-specific heuristics). We also aim to study how to learn/infer MFOTL properties during search to further improve the efficiency of our approach.