
2017 
T. Mancini, F. Mari, A. Massini, I. Melatti, I. Salvo, and E. Tronci. "On minimising the maximum expected verification time." Inf. Process. Lett. (2017). DOI: 10.1016/j.ipl.2017.02.001.


2016 
B. P. Hayes, I. Melatti, T. Mancini, M. Prodanovic, and E. Tronci. "Residential Demand Management using Individualised Demand Aware Price Policies." IEEE Transactions On Smart Grid PP, no. 99 (2016). DOI: 10.1109/TSG.2016.2596790.


T. Mancini. "Now or Never: Negotiating Efficiently with Unknown or Untrusted Counterparts." Fundam. Inform. 149, no. 12 (2016): 61–100. DOI: 10.3233/FI20161443.


T. Mancini, F. Mari, A. Massini, I. Melatti, and E. Tronci. "Anytime system level verification via parallel random exhaustive hardware in the loop simulation." Microprocessors and Microsystems 41 (2016): 12–28. ISSN: 01419331. DOI: 10.1016/j.micpro.2015.10.010.
Abstract: Abstract System level verification of cyberphysical systems has the goal of verifying that the whole (i.e., software + hardware) system meets the given specifications. Model checkers for hybrid systems cannot handle system level verification of actual systems. Thus, Hardware In the Loop Simulation (HILS) is currently the main workhorse for system level verification. By using model checking driven exhaustive HILS, System Level Formal Verification (SLFV) can be effectively carried out for actual systems. We present a parallel random exhaustive HILS based model checker for hybrid systems that, by simulating all operational scenarios exactly once in a uniform random order, is able to provide, at any time during the verification process, an upper bound to the probability that the System Under Verification exhibits an error in a yettobesimulated scenario (Omission Probability). We show effectiveness of the proposed approach by presenting experimental results on SLFV of the Inverted Pendulum on a Cart and the Fuel Control System examples in the Simulink distribution. To the best of our knowledge, no previously published model checker can exhaustively verify hybrid systems of such a size and provide at any time an upper bound to the Omission Probability.
Keywords: Model Checking of Hybrid Systems; Model checking driven simulation; Hardware in the loop simulation


T. Mancini, F. Mari, A. Massini, I. Melatti, and E. Tronci. "SyLVaaS: System Level Formal Verification as a Service." Fundam. Inform. 149, no. 12 (2016): 101–132. DOI: 10.3233/FI20161444.


2015 
V. Alimguzhin, F. Mari, I. Melatti, E. Tronci, E. Ebeid, S. A. Mikkelsen, R. H. Jacobsen, J. K. Gruber, B. Hayes, F. Huerta et al. "A Glimpse of SmartHG Project Testbed and Communication Infrastructure." In Digital System Design (DSD), 2015 Euromicro Conference on, 225–232., 2015. DOI: 10.1109/DSD.2015.106.
Keywords: Batteries; Control systems; Databases; Production; Sensors; Servers; Smart grids; Grid State Estimation; Peak Shaving; Policy Robustness Verification; Price Policy Synthesis


R. Ehrig, T. Dierkes, S. Schaefer, S. Roeblitz, E. Tronci, T. Mancini, I. Salvo, V. Alimguzhin, F. Mari, I. Melatti et al. "An integrative approach for model driven computation of treatments in reproductive medicine." In Proceedings of the 15th International Symposium on Mathematical and Computational Biology (BIOMAT 2015), Rorkee, India., 2015. DOI: 10.1142/9789813141919_0005.


T. Mancini. "Now or Never: negotiating efficiently with unknown counterparts." In proceedings of the 22nd RCRA International Workshop. Ferrara, Italy. CEUR, 2015 (Colocated with the 14th Conference of the Italian Association for Artificial Intelligence (AI*IA 2015)). (2015).


T. Mancini, F. Mari, I. Melatti, I. Salvo, E. Tronci, J. K. Gruber, B. Hayes, M. Prodanovic, and L. Elmegaard. "User Flexibility Aware Price Policy Synthesis for Smart Grids." In Digital System Design (DSD), 2015 Euromicro Conference on, 478–485., 2015. DOI: 10.1109/DSD.2015.35.
Keywords: Contracts; Current measurement; Load management; Power demand; Power measurement; State estimation; Substations; Grid State Estimation; Peak Shaving; Policy Robustness Verification; Price Policy Synthesis


Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, and Enrico Tronci. "Simulator Semantics for System Level Formal Verification." In Proceedings Sixth International Symposium on Games, Automata, Logics and Formal Verification (GandALF 2015),., 2015. DOI: 10.4204/EPTCS.193.7.


Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, and Enrico Tronci. "SyLVaaS: System Level Formal Verification as a Service." In Proceedings of the 23rd Euromicro International Conference on Parallel, Distributed and Networkbased Processing (PDP 2015), special session on Formal Approaches to Parallel and Distributed Systems (4PAD)., 2015. DOI: 10.1109/PDP.2015.119.


Toni Mancini, Enrico Tronci, Ivano Salvo, Federico Mari, Annalisa Massini, and Igor Melatti. "Computing Biological Model Parameters by Parallel Statistical Model Checking." International Work Conference on Bioinformatics and Biomedical Engineering (IWBBIO 2015) 9044 (2015): 542–554. DOI: 10.1007/9783319164809_52.


2014 
Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, and Enrico Tronci. "System Level Formal Verification via Distributed MultiCore Hardware in the Loop Simulation." In Proc. of the 22nd Euromicro International Conference on Parallel, Distributed and NetworkBased Processing. IEEE Computer Society, 2014. DOI: 10.1109/PDP.2014.32.


Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, and Enrico Tronci. "Anytime System Level Verification via Random Exhaustive Hardware In The Loop Simulation." In In Proceedings of 17th EuroMicro Conference on Digital System Design (DSD 2014)., 2014. DOI: 10.1109/DSD.2014.91.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Model Based Synthesis of Control Software from System Level Formal Specifications." ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY 23, no. 1 (2014): Article 6. ACM. ISSN: 1049331X. DOI: 10.1145/2559934.


E. Tronci, T. Mancini, F. Mari, I. Melatti, R. H. Jacobsen, E. Ebeid, S. A. Mikkelsen, M. Prodanovic, J. K. Gruber, and B. Hayes. "SmartHG: Energy Demand Aware Open Services for Smart Grid Intelligent Automation." In Proceedings of the Work in Progress Session of SEAA/DSD 2014., 2014. ISBN: 9783902457400.


E. Tronci, T. Mancini, F. Mari, I. Melatti, I. Salvo, M. Prodanovic, J. K. Gruber, B. Hayes, and L. Elmegaard. "DemandAware Price Policy Synthesis and Verification Services for Smart Grids." In Proceedings of Smart Grid Communications (SmartGridComm), 2014 IEEE International Conference On., 2014. DOI: 10.1109/SmartGridComm.2014.7007745.


E. Tronci, T. Mancini, I. Salvo, F. Mari, I. Melatti, A. Massini, S. Sinisi, F. Davì, T. Dierkes, R. Ehrig et al. "PatientSpecific Models from InterPatient Biological Models and Clinical Records." In Formal Methods in ComputerAided Design (FMCAD)., 2014. DOI: 10.1109/FMCAD.2014.6987615.


2013 
Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "A MapReduce Parallel Approach to Automatic Synthesis of Control Software." In Proc. of International SPIN Symposium on Model Checking of Software (SPIN 2013), 43–60. Lecture Notes in Computer Science 7976. Springer  Verlag, 2013. ISSN: 03029743. ISBN: 9783642391750. DOI: 10.1007/9783642391767_4.


Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "OntheFly Control Software Synthesis." In Proc. of International SPIN Symposium on Model Checking of Software (SPIN 2013), 61–80. Lecture Notes in Computer Science 7976. Springer  Verlag, 2013. ISSN: 03029743. ISBN: 9783642391750. DOI: 10.1007/9783642391767_5.


Giuseppe Della Penna, Benedetto Intrigila, Daniele Magazzeni, Igor Melatti, and Enrico Tronci. "CGMurphi: Automatic synthesis of numerical controllers for nonlinear hybrid systems." European Journal of Control 19, no. 1 (2013): 14–36. Elsevier NorthHolland, Inc.. ISSN: 09473580. DOI: 10.1016/j.ejcon.2013.02.001.


Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, Fabio Merli, and Enrico Tronci. "System Level Formal Verification via Model Checking Driven Simulation." In Proceedings of the 25th International Conference on Computer Aided Verification. July 1319, 2013, Saint Petersburg, Russia, 296–312. Lecture Notes in Computer Science 8044. Springer  Verlag, 2013. ISSN: 03029743. ISBN: 9783642397981. DOI: 10.1007/9783642397998_21.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Linear Constraints and Guarded Predicates as a Modeling Language for Discrete Time Hybrid Systems." International Journal on Advances in Software vol. 6, nr 1&2 (2013): 155–169. IARIA. ISSN: 19422628.
Abstract: Model based design is particularly appealing in
software based control systems (e.g., embedded
software) design, since in such a case system
level specifications are much easier to define
than the control software behavior itself. In
turn, model based design of embedded systems
requires modeling both continuous subsystems
(typically, the plant) as well as discrete
subsystems (the controller). This is typically
done using hybrid systems. Mixed Integer Linear
Programming (MILP) based abstraction techniques
have been successfully applied to automatically
synthesize correctbyconstruction control
software for discrete time linear hybrid systems,
where plant dynamics is modeled as a linear
predicate over state, input, and next state
variables. Unfortunately, MILP solvers require
such linear predicates to be conjunctions of
linear constraints, which is not a natural way of
modeling hybrid systems. In this paper we show
that, under the hypothesis that each variable
ranges over a bounded interval, any linear
predicate built upon conjunction and disjunction
of linear constraints can be automatically
translated into an equivalent conjunctive
predicate. Since variable bounds play a key role
in this translation, our algorithm includes a
procedure to compute all implicit variable bounds
of the given linear predicate. Furthermore, we
show that a particular form of linear predicates,
namely guarded predicates, are a natural and
powerful language to succinctly model discrete
time linear hybrid systems dynamics. Finally, we
experimentally show the feasibility of our
approach on an important and challenging case
study taken from the literature, namely the
multiinput Buck DCDC Converter. As an example,
the guarded predicate that models (with 57
constraints) a 6inputs Buck DCDC Converter is
translated in a conjunctive predicate (with 102
linear constraints) in about 40 minutes.
Keywords: Modelbased software design; Linear predicates; Hybrid systems


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Model Based Synthesis of Control Software from System Level Formal Specifications. Vol. abs/1107.5638. CoRR, Technical Report, 2013. http://arxiv.org/abs/1107.5638 (accessed March 26, 2017).
Abstract: Many Embedded Systems are indeed Software Based Control Systems, that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of embedded systems control software.
We present an algorithm, along with a tool QKS implementing it, that from a formal model (as a Discrete Time Linear Hybrid System) of the controlled system (plant), implementation specifications (that is, number of bits in the AnalogtoDigital, AD, conversion) and System Level Formal Specifications (that is, safety and liveness requirements for the closed loop system) returns correctbyconstruction control software that has a Worst Case Execution Time (WCET) linear in the number of AD bits and meets the given specifications.
We show feasibility of our approach by presenting experimental results on using it to synthesize control software for a buck DCDC converter, a widely used mixedmode analog circuit, and for the inverted pendulum.


Federico Mari, Igor Melatti, Enrico Tronci, and Alberto Finzi. "A multihop advertising discovery and delivering protocol for multi administrative domain MANET." Mobile Information Systems 3, no. 9 (2013): 261–280. IOS Press. ISSN: 1574017x (Print) 1875905X (Online). DOI: 10.3233/MIS130162.


2012 
Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. A MapReduce Parallel Approach to Automatic Synthesis of Control Software. Vol. abs/1210.2276. CoRR, Technical Report, 2012. http://arxiv.org/abs/1210.2276 (accessed March 26, 2017).
Abstract: Many Control Systems are indeed Software Based Control Systems, i.e. control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of control software.
Available algorithms and tools (e.g., QKS) may require weeks or even months of computation to synthesize control software for largesize systems. This motivates search for parallel algorithms for control software synthesis.
In this paper, we present a mapreduce style parallel algorithm for control software synthesis when the controlled system (plant) is modeled as discrete time linear hybrid system. Furthermore we present an MPIbased implementation PQKS of our algorithm. To the best of our knowledge, this is the first parallel approach for control software synthesis.
We experimentally show effectiveness of PQKS on two classical control synthesis problems: the inverted pendulum and the multiinput buck DC/DC converter. Experiments show that PQKS efficiency is above 65%. As an example, PQKS requires about 16 hours to complete the synthesis of control software for the pendulum on a cluster with 60 processors, instead of the 25 days needed by the sequential algorithm in QKS.


Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Automatic Control Software Synthesis for Quantized Discrete Time Hybrid Systems." In Proceedings of the 51th IEEE Conference on Decision and Control, CDC 2012, December 1013, 2012, Maui, HI, USA, 6120–6125. IEEE, 2012. ISBN: 9781467320658. Notes: Techreport version can be found at http://arxiv.org/abs/1207.4098. DOI: 10.1109/CDC.2012.6426260.


Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Automatic Control Software Synthesis for Quantized Discrete Time Hybrid Systems. Vol. abs/1207.4098. CoRR, Technical Report, 2012. http://arxiv.org/abs/1207.4098 (accessed March 26, 2017).
Abstract: Many Embedded Systems are indeed Software Based Control Systems, that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of embedded systems control software. This paper addresses control software synthesis for discrete time nonlinear systems. We present a methodology to overapproximate the dynamics of a discrete time nonlinear hybrid system H by means of a discrete time linear hybrid system L(H), in such a way that controllers for L(H) are guaranteed to be controllers for H. We present experimental results on the inverted pendulum, a challenging and meaningful benchmark in nonlinear Hybrid Systems control.


Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "On Model Based Synthesis of Embedded Control Software." In Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2012, part of the Eighth Embedded Systems Week, ESWeek 2012, Tampere, Finland, October 712, 2012, edited by Ahmed Jerraya and Luca P. Carloni and Florence Maraninchi and John Regehr, 227–236. ACM, 2012. ISBN: 9781450314251. Notes: Techreport version can be found at arxiv.org. DOI: 10.1145/2380356.2380398.


Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. On Model Based Synthesis of Embedded Control Software. Vol. abs/1207.4474. CoRR, Technical Report, 2012. http://arxiv.org/abs/1207.4474 (accessed March 26, 2017).
Abstract: Many Embedded Systems are indeed Software Based Control Systems (SBCSs), that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for control software. Given the formal model of a plant as a Discrete Time Linear Hybrid System and the implementation specifications (that is, number of bits in the AnalogtoDigital (AD) conversion) correctbyconstruction control software can be automatically generated from System Level Formal Specifications of the closed loop system (that is, safety and liveness requirements), by computing a suitable finite abstraction of the plant.
With respect to given implementation specifications, the automatically generated code implements a time optimal control strategy (in terms of setup time), has a Worst Case Execution Time linear in the number of AD bits $b$, but unfortunately, its size grows exponentially with respect to $b$. In many embedded systems, there are severe restrictions on the computational resources (such as memory or computational power) available to microcontroller devices.
This paper addresses model based synthesis of control software by trading system level nonfunctional requirements (such us optimal setup time, ripple) with software nonfunctional requirements (its footprint). Our experimental results show the effectiveness of our approach: for the inverted pendulum benchmark, by using a quantization schema with 12 bits, the size of the small controller is less than 6% of the size of the time optimal one.


Ed Kuijpers, Luigi Carotenuto, Jean Cristophe Malapert, Daniela MarkovVetter, Igor Melatti, Andrea Orlandini, and Ranni Pinchuk. "Collaboration on ISS Experiment Data and Knowledge Representation." In Proc. of IAC 2012. Vol. D.5.11., 2012.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Synthesizing Control Software from Boolean Relations." International Journal on Advances in Software vol. 5, nr 3&4 (2012): 212–223. IARIA. ISSN: 19422628.
Abstract: Many software as well digital hardware automatic
synthesis methods define the set of
implementations meeting the given system
specifications with a boolean relation K. In
such a context a fundamental step in the software
(hardware) synthesis process is finding effective
solutions to the functional equation defined by
K. This entails finding a (set of) boolean
function(s) F (typically represented using
OBDDs, Ordered Binary Decision Diagrams)
such that: 1) for all x for which K is
satisfiable, K(x, F(x)) = 1 holds; 2) the
implementation of F is efficient with respect
to given implementation parameters such as code
size or execution time. While this problem has
been widely studied in digital hardware synthesis,
little has been done in a software synthesis
context. Unfortunately, the approaches developed
for hardware synthesis cannot be directly used in
a software context. This motivates investigation
of effective methods to solve the above problem
when F has to be implemented with software. In
this paper, we present an algorithm that, from an
OBDD representation for K, generates a C code
implementation for F that has the same size as
the OBDD for F and a worst case execution time
linear in nr, being n = x the number of
input arguments for functions in F and r the
number of functions in F. Moreover, a formal
proof of the proposed algorithm correctness is
also shown. Finally, we present experimental
results showing effectiveness of the proposed
algorithm.
Keywords: Control Software Synthesis; Embedded Systems; Model Checking


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Control Software Visualization." In Proceedings of INFOCOMP 2012, The Second International Conference on Advanced Communications and Computation, 15–20. ThinkMind, 2012. ISSN: 9781612082264.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Linear Constraints as a Modeling Language for Discrete Time Hybrid Systems." In Proceedings of ICSEA 2012, The Seventh International Conference on Software Engineering Advances, 664–671. ThinkMind, 2012.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Undecidability of Quantized State Feedback Control for Discrete Time Linear Hybrid Systems." In Theoretical Aspects of Computing – ICTAC 2012, edited by A. Roychoudhury and M. D'Souza, 243–258. Lecture Notes in Computer Science 7521. Springer Berlin Heidelberg, 2012. ISBN: 9783642329425. DOI: 10.1007/9783642329432_19.


Verzino Giovanni, Federico Cavaliere, Federico Mari, Igor Melatti, Giovanni Minei, Ivano Salvo, Yuri Yushtein, and Enrico Tronci. "Model checking driven simulation of sat procedures." In Proc. of 12th International Conference on Space Operations (SpaceOps 2012)., 2012. DOI: 10.2514/6.20121275611.


2011 
Federico Cavaliere, Federico Mari, Igor Melatti, Giovanni Minei, Ivano Salvo, Enrico Tronci, Giovanni Verzino, and Yuri Yushtein. "Model Checking Satellite Operational Procedures." In DAta Systems In Aerospace (DASIA), Org. EuroSpace, Canadian Space Agency, CNES, ESA, EUMETSAT. San Anton, Malta, EuroSpace., 2011.
Abstract: We present a model checking approach for the automatic verification of satellite operational procedures (OPs). Building a model for a complex system as a satellite is a hard task. We overcome this obstruction by using a suitable simulator (SIMSAT) for the satellite. Our approach aims at improving OP quality assurance by automatic exhaustive exploration of all possible simulation scenarios. Moreover, our solution decreases OP verification costs by using a model checker (CMurphi) to automatically drive the simulator. We model OPs as userexecuted programs observing the simulator telemetries and sending telecommands to the simulator. In order to assess feasibility of our approach we present experimental results on a simple meaningful scenario. Our results show that we can save up to 90% of verification time.


Amedeo Cesta, Simone Fratini, Andrea Orlandini, Alberto Finzi, and Enrico Tronci. "Flexible Plan Verification: Feasibility Results." Fundamenta Informaticae 107, no. 2 (2011): 111–137. DOI: 10.3233/FI2011397.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. From Boolean Functional Equations to Control Software. Vol. abs/1106.0468. CoRR, Technical Report, 2011. http://arxiv.org/abs/1106.0468 (accessed March 26, 2017).
Abstract: Many software as well digital hardware automatic synthesis methods define the set of implementations meeting the given system specifications with a boolean relation K. In such a context a fundamental step in the software (hardware) synthesis process is finding effective solutions to the functional equation defined by K. This entails finding a (set of) boolean function(s) F (typically represented using OBDDs, Ordered Binary Decision Diagrams) such that: 1) for all x for which K is satisfiable, K(x, F(x)) = 1 holds; 2) the implementation of F is efficient with respect to given implementation parameters such as code size or execution time. While this problem has been widely studied in digital hardware synthesis, little has been done in a software synthesis context. Unfortunately the approaches developed for hardware synthesis cannot be directly used in a software context. This motivates investigation of effective methods to solve the above problem when F has to be implemented with software. In this paper we present an algorithm that, from an OBDD representation for K, generates a C code implementation for F that has the same size as the OBDD for F and a WCET (Worst Case Execution Time) at most O(nr), being n = x the number of arguments of functions in F and r the number of functions in F.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "From Boolean Relations to Control Software." In Proceedings of ICSEA 2011, The Sixth International Conference on Software Engineering Advances, 528–533. ThinkMind, 2011. ISSN: 9781612081656. Notes: Best Paper Award.
Abstract: Many software as well digital hardware automatic synthesis methods define the set of implementations meeting the given system specifications with a boolean relation K. In such a context a fundamental step in the software (hardware) synthesis process is finding effective solutions to the functional equation defined by K. This entails finding a (set of) boolean function(s) F (typically represented using OBDDs, Ordered Binary Decision Diagrams) such that: 1) for all x for which K is satisfiable, K(x, F(x)) = 1 holds; 2) the implementation of F is efficient with respect to given implementation parameters such as code size or execution time. While this problem has been widely studied in digital hardware synthesis, little has been done in a software synthesis context. Unfortunately the approaches developed for hardware synthesis cannot be directly used in a software context. This motivates investigation of effective methods to solve the above problem when F has to be implemented with software. In this paper we present an algorithm that, from an OBDD representation for K, generates a C code implementation for F that has the same size as the OBDD for F and a WCET (Worst Case Execution Time) linear in nr, being n = x the number of input arguments for functions in F and r the number of functions in F.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Quantized Feedback Control Software Synthesis from System Level Formal Specifications for Buck DC/DC Converters. Vol. abs/1105.5640. CoRR, Technical Report, 2011. http://arxiv.org/abs/1105.5640 (accessed March 26, 2017).
Abstract: Many Embedded Systems are indeed Software Based Control Systems (SBCSs), that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of SBCS control software. In previous works we presented an algorithm, along with a tool QKS implementing it, that from a formal model (as a Discrete Time Linear Hybrid System, DTLHS) of the controlled system (plant), implementation specifications (that is, number of bits in the AnalogtoDigital, AD, conversion) and System Level Formal Specifications (that is, safety and liveness requirements for the closed loop system) returns correctbyconstruction control software that has a Worst Case Execution Time (WCET) linear in the number of AD bits and meets the given specifications. In this technical report we present full experimental results on using it to synthesize control software for two versions of buck DCDC converters (singleinput and multiinput), a widely used mixedmode analog circuit.


2010 
Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Validation and verification issues in a timelinebased planning system." The Knowledge Engineering Review 25, no. 03 (2010): 299–318. Cambridge University Press. DOI: 10.1017/S0269888910000160.
Abstract: One of the key points to take into account to foster effective introduction of AI planning and scheduling systems in real world is to develop end user trust in the related technologies. Automated planning and scheduling systems often brings solutions to the users which are neither â€œobviousâ€ nor immediately acceptable for them. This is due to the ability of these tools to take into account quite an amount of temporal and causal constraints and to employ resolution processes often designed to optimize the solution with respect to non trivial evaluation functions. To increase technology trust, the study of tools for verifying and validating plans and schedules produced by AI systems might be instrumental. In general, validation and verification techniques represent a needed complementary technology in developing domain independent architectures for automated problem solving. This paper presents a preliminary report of the issues concerned with the use of two software tools for formal verification of finite state systems to the validation of the solutions produced by MrSPOCK, a recent effort for building a timeline based planning tool in an ESA project.


Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. "Synthesis of Quantized Feedback Control Software for Discrete Time Linear Hybrid Systems." In Computer Aided Verification, edited by T. Touili, B. Cook and P. Jackson, 180–195. Lecture Notes in Computer Science 6174. Springer Berlin / Heidelberg, 2010. DOI: 10.1007/9783642142956_20.
Abstract: We present an algorithm that given a Discrete Time Linear Hybrid System returns a correctbyconstruction software implementation K for a (near time optimal) robust quantized feedback controller for along with the set of states on which K is guaranteed to work correctly (controllable region). Furthermore, K has a Worst Case Execution Time linear in the number of bits of the quantization schema.


2009 
Andrea Bobbio, Ester Ciancamerla, Saverio Di Blasi, Alessandro Iacomini, Federico Mari, Igor Melatti, Michele Minichino, Alessandro Scarlatti, Enrico Tronci, Roberta Terruggia et al. "Risk analysis via heterogeneous models of SCADA interconnecting Power Grids and Telco networks." In Proceedings of Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS), 90–97., 2009. DOI: 10.1109/CRISIS.2009.5411974.
Abstract: The automation of power grids by means of supervisory control and data acquisition (SCADA) systems has led to an improvement of power grid operations and functionalities but also to pervasive cyber interdependencies between power grids and telecommunication networks. Many power grid services are increasingly depending upon the adequate functionality of SCADA system which in turn strictly depends on the adequate functionality of its communication infrastructure. We propose to tackle the SCADA risk analysis by means of different and heterogeneous modeling techniques and software tools. We demonstrate the applicability of our approach through a case study on an actual SCADA system for an electrical power distribution grid. The modeling techniques we discuss aim at providing a probabilistic dependability analysis, followed by a worst case analysis in presence of malicious attacks and a realtime performance evaluation.


Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Flexible Plan Verification: Feasibility Results." In 16th RCRA International Workshop on “Experimental evaluation of algorithms for solving problems with combinatorial explosion” (RCRA). Proceedings., 2009.


Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Flexible TimelineBased Plan Verification." In KI 2009: Advances in Artificial Intelligence, 32nd Annual German Conference on AI, Paderborn, Germany, September 1518, 2009. Proceedings, edited by Bärbel Mertsching, M. Hund and M. Z. Aziz, 49–56. Lecture Notes in Computer Science 5803. Springer, 2009. ISSN: 9783642046162. DOI: 10.1007/9783642046179_7.


Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Verifying Flexible Timelinebased Plans." In EProc. of ICAPS Workshop on Validation and Verification of Planning and Scheduling Systems., 2009.
Abstract: The synthesis of flexible temporal plans has demonstrated wide applications possibilities in heterogeneous domains. We are currently studying the connection between plan generation and execution from the particular perspective of verifying a flexible plan before actual execution. This paper explores how a modelchecking verification tool, based on UPPAALTIGA, is suitable for verifying flexible temporal plans. We first describe the formal model, the formalism, and the verification method. Furthermore we discuss our own approach and some preliminary empirical results using a realworld case study.


Federico Mari, Igor Melatti, Ivano Salvo, Enrico Tronci, Lorenzo Alvisi, Allen Clement, and Harry Li. "Model Checking Coalition Nash Equilibria in MAD Distributed Systems." In Stabilization, Safety, and Security of Distributed Systems, 11th International Symposium, SSS 2009, Lyon, France, November 36, 2009. Proceedings, edited by R. Guerraoui and F. Petit, 531–546. Lecture Notes in Computer Science 5873. Springer, 2009. DOI: 10.1007/9783642051180_37.
Abstract: We present two OBDD based model checking algorithms for the verification of Nash equilibria in finite state mechanisms modeling Multiple Administrative Domains (MAD) distributed systems with possibly colluding agents (coalitions) and with possibly faulty or malicious nodes (Byzantine agents). Given a finite state mechanism, a proposed protocol for each agent and the maximum sizes f for Byzantine agents and q for agents collusions, our model checkers return Pass if the proposed protocol is an εfqNash equilibrium, i.e. no coalition of size up to q may have an interest greater than ε in deviating from the proposed protocol when up to f Byzantine agents are present, Fail otherwise. We implemented our model checking algorithms within the NuSMV model checker: the first one explicitly checks equilibria for each coalition, while the second represents symbolically all coalitions. We present experimental results showing their effectiveness for moderate size mechanisms. For example, we can verify coalition Nash equilibria for mechanisms which corresponding normal form games would have more than $5 \times 10^21$ entries. Moreover, we compare the two approaches, and the explicit algorithm turns out to outperform the symbolic one. To the best of our knowledge, no model checking algorithm for verification of Nash equilibria of mechanisms with coalitions has been previously published.


Silvia Mazzini, Stefano Puri, Federico Mari, Igor Melatti, and Enrico Tronci. "Formal Verification at System Level." In In: DAta Systems In Aerospace (DASIA), Org. EuroSpace, Canadian Space Agency, CNES, ESA, EUMETSAT. Instanbul, Turkey, EuroSpace., 2009.
Abstract: System Level Analysis calls for a language comprehensible to experts with different background and yet precise enough to support meaningful analyses. SysML is emerging as an effective balance between such conflicting goals. In this paper we outline some the results obtained as for SysML based system level functional formal verification by an ESA/ESTEC study, with a collaboration among INTECS and La Sapienza University of Roma. The study focuses on SysML based system level functional requirements techniques.


Igor Melatti, Robert Palmer, Geoffrey Sawaya, Yu Yang, Robert Mike Kirby, and Ganesh Gopalakrishnan. "Parallel and distributed model checking in Eddy." Int. J. Softw. Tools Technol. Transf. 11, no. 1 (2009): 13–25. SpringerVerlag. ISSN: 14332779. DOI: 10.1007/s100090080094x.
Abstract: Model checking of safety properties can be scaled up by pooling the CPU and memory resources of multiple computers. As compute clusters containing 100s of nodes, with each node realized using multicore (e.g., 2) CPUs will be widespread, a model checker based on the parallel (shared memory) and distributed (message passing) paradigms will more efficiently use the hardware resources. Such a model checker can be designed by having each node employ two shared memory threads that run on the (typically) two CPUs of a node, with one thread responsible for state generation, and the other for efficient communication, including (1) performing overlapped asynchronous message passing, and (2) aggregating the states to be sent into larger chunks in order to improve communication network utilization. We present the design details of such a novel model checking architecture called Eddy. We describe the design rationale, details of how the threads interact and yield control, exchange messages, as well as detect termination. We have realized an instance of this architecture for the Murphi modeling language. Called Eddy_Murphi, we report its performance over the number of nodes as well as communication parameters such as those controlling state aggregation. Nearly linear reduction of compute time with increasing number of nodes is observed. Our thread task partition is done in such a way that it is modular, easy to port across different modeling languages, and easy to tune across a variety of platforms.


2008 
Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Merging Planning, Scheduling & Verification – A Preliminary Analysis." In In Proc. of 10th ESA Workshop on Advanced Space Technologies for Robotics and Automation (ASTRA)., 2008.


Amedeo Cesta, Alberto Finzi, Simone Fratini, Andrea Orlandini, and Enrico Tronci. "Validation and Verification Issues in a Timelinebased Planning System." In In EProc. of ICAPS Workshop on Knowledge Engineering for Planning and Scheduling., 2008.
Abstract: One of the key points to take into account to foster effective introduction of AI planning and scheduling systems in real world is to develop end user trust in the related technologies. Automated planning and scheduling systems often brings solutions to the users which are neither â€œobviousâ€ nor immediately acceptable for them. This is due to the ability of these tools to take into account quite an amount of temporal and causal constraints and to employ resolution processes often designed to optimize the solution with respect to non trivial evaluation functions. To increase technology trust, the study of tools for verifying and validating plans and schedules produced by AI systems might be instrumental. In general, validation and verification techniques represent a needed complementary technology in developing domain independent architectures for automated problem solving. This paper presents a preliminary report of the issues concerned with the use of two software tools for formal verification of finite state systems to the validation of the solutions produced by MrSPOCK, a recent effort for building a timeline based planning tool in an ESA project.


Flavio Chierichetti, Silvio Lattanzi, Federico Mari, and Alessandro Panconesi. "On Placing Skips Optimally in Expectation." In Web Search and Web Data Mining (WSDM 2008), edited by M. Najork, A. Z. Broder and S. Chakrabarti, 15–24. Acm, 2008. DOI: 10.1145/1341531.1341537.
Abstract: We study the problem of optimal skip placement in an inverted list. Assuming the query distribution to be known in advance, we formally prove that an optimal skip placement can be computed quite efficiently. Our best algorithm runs in time O(n log n), n being the length of the list. The placement is optimal in the sense that it minimizes the expected time to process a query. Our theoretical results are matched by experiments with a real corpus, showing that substantial savings can be obtained with respect to the tra ditional skip placement strategy, that of placing consecutive skips, each spanning sqrt(n) many locations.
Keywords: Information Retrieval


Giuseppe Della Penna, Daniele Magazzeni, Alberto Tofani, Benedetto Intrigila, Igor Melatti, and Enrico Tronci. "Automated Generation Of Optimal Controllers Through Model Checking Techniques." In Informatics in Control Automation and Robotics. Selected Papers from ICINCO 2006, 107–119. Springer, 2008. DOI: 10.1007/9783540791423_10.


Federico Mari, Igor Melatti, Ivano Salvo, Enrico Tronci, Lorenzo Alvisi, Allen Clement, and Harry Li. "Model Checking Nash Equilibria in MAD Distributed Systems." In FMCAD '08: Proceedings of the 2008 International Conference on Formal Methods in ComputerAided Design, edited by A. Cimatti and R. Jones, 1–8. Piscataway, NJ, USA: IEEE Press, 2008. ISSN: 9781424427352. DOI: 10.1109/FMCAD.2008.ECP.16.
Abstract: We present a symbolic model checking algorithm for verification of Nash equilibria in finite state mechanisms modeling Multiple Administrative Domains (MAD) distributed systems. Given a finite state mechanism, a proposed protocol for each agent and an indifference threshold for rewards, our model checker returns PASS if the proposed protocol is a Nash equilibrium (up to the given indifference threshold) for the given mechanism, FAIL otherwise. We implemented our model checking algorithm inside the NuSMV model checker and present experimental results showing its effectiveness for moderate size mechanisms. For example, we can handle mechanisms which corresponding normal form games would have more than $10^20$ entries. To the best of our knowledge, no model checking algorithm for verification of mechanism Nash equilibria has been previously published.
Keywords: Model Checking, MAD Distributed System, Nash Equilibrium


2007 
Francesco Brizzolari, Igor Melatti, Enrico Tronci, and Giuseppe Della Penna. "Disk Based Software Verification via Bounded Model Checking." In APSEC '07: Proceedings of the 14th AsiaPacific Software Engineering Conference, 358–365. Washington, DC, USA: IEEE Computer Society, 2007. ISSN: 0769530575. DOI: 10.1109/APSEC.2007.43.
Abstract: One of the most successful approach to automatic software verification is SAT based bounded model checking (BMC). One of the main factors limiting the size of programs that can be automatically verified via BMC is the huge number of clauses that the backend SAT solver has to process. In fact, because of this, the SAT solver may easily run out of RAM. We present two disk based algorithms that can considerably decrease the number of clauses that a BMC backend SAT solver has to process in RAM. Our experimental results show that using our disk based algorithms we can automatically verify programs that are out of reach for RAM based BMC.


Giuseppe Della Penna, Daniele Magazzeni, Alberto Tofani, Benedetto Intrigila, Igor Melatti, and Enrico Tronci. "Automatic Synthesis of Robust Numerical Controllers." In Icas '07, 4. IEEE Computer Society, 2007. ISSN: 0769528595. DOI: 10.1109/CONIELECOMP.2007.59.
Abstract: A major problem of numerical controllers is their robustness, i.e. the state read from the plant may not be in the controller table, although it may be close to some states in the table. For continuous systems, this problem is typically handled by interpolation techniques. Unfortunately, when the plant contains both continuous and discrete variables, the interpolation approach does not work well. To cope with this kind of systems, we propose a general methodology that exploits explicit model checking in an innovative way to automatically synthesize a (time) optimal numerical controller from a plant specification and apply an optimized strengthening algorithm only on the most significant states, in order to reach an acceptable robustness degree. We implemented all the algorithms within our CGMurphi tool, an extension of the wellknown CMurphi verifier, and tested the effectiveness of our approach by applying it to the wellknown truck and trailer obstacles avoidance problem.


Benedetto Intrigila, Igor Melatti, Alberto Tofani, and Guido Macchiarelli. "Computational models of myocardial endomysial collagen arrangement." Computer Methods and Programs in Biomedicine 86, no. 3 (2007): 232–244. Elsevier NorthHolland, Inc.. ISSN: 01692607. DOI: 10.1016/j.cmpb.2007.03.004.
Abstract: Collagen extracellular matrix is one of the factors related to high passive stiffness of cardiac muscle. However, the architecture and the mechanical aspects of the cardiac collagen matrix are not completely known. In particular, endomysial collagen contribution to the passive mechanics of cardiac muscle as well as its micro anatomical arrangement is still a matter of debate. In order to investigate mechanical and structural properties of endomysial collagen, we consider two alternative computational models of some specific aspects of the cardiac muscle. These two models represent two different views of endomysial collagen distribution: (1) the traditional view and (2) a new view suggested by the data obtained from scanning electron microscopy (SEM) in NaOH macerated samples (a method for isolating collagen from the other tissue). We model the myocardial tissue as a net of spring elements representing the cardiomyocytes together with the endomysial collagen distribution. Each element is a viscous elastic spring, characterized by an elastic and a viscous constant. We connect these springs to imitate the interconnections between collagen fibers. Then we apply to the net of springs some external forces of suitable magnitude and direction, obtaining an extension of the net itself. In our setting, the ratio forces magnitude /net extension is intended to model the stress /strain ratio of a microscopical portion of the myocardial tissue. To solve the problem of the correct identification of the values of the different parameters involved, we use an artificial neural network approach. In particular, we use this technique to learn, given a distribution of external forces, the elastic constants of the springs needed to obtain a desired extension as an equilibrium position. Our experimental findings show that, in the model of collagen distribution structured according to the new view, a given stress /strain ratio (of the net of springs, in the sense specified above) is obtained with much smaller (w.r.t. the other model, corresponding to the traditional view) elasticity constants of the springs. This seems to indicate that by an appropriate structure, a given stiffness of the myocardial tissue can be obtained with endomysial collagen fibers of much smaller size.


Federico Mari, and Enrico Tronci. "CEGAR Based Bounded Model Checking of Discrete Time Hybrid Systems." In Hybrid Systems: Computation and Control (HSCC 2007), edited by A. Bemporad, A. Bicchi and G. C. Buttazzo, 399–412. Lecture Notes in Computer Science 4416. Springer, 2007. DOI: 10.1007/9783540714934_32.
Abstract: Many hybrid systems can be conveniently modeled as Piecewise Affine Discrete Time Hybrid Systems PADTHS. As well known Bounded Model Checking (BMC) for such systems comes down to solve a Mixed Integer Linear Programming (MILP) feasibility problem. We present a SAT based BMC algorithm for automatic verification of PADTHSs. Using Counterexample Guided Abstraction Refinement (CEGAR) our algorithm gradually transforms a PADTHS verification problem into larger and larger SAT problems. Our experimental results show that our approach can handle PADTHSs that are more then 50 times larger than those that can be handled using a MILP solver.
Keywords: Model Checking, Abstraction, CEGAR, SAT, Hybrid Systems, DTHS


2006 
Novella Bartolini, and Enrico Tronci. "On Optimizing Service Availability of an Internet Based Architecture for Infrastructure Protection." In Cnip., 2006.


Giuseppe Della Penna, Antinisca Di Marco, Benedetto Intrigila, Igor Melatti, and Alfonso Pierantonio. "Interoperability mapping from XML schemas to ER diagrams." Data Knowl. Eng. 59, no. 1 (2006): 166–188. Elsevier Science Publishers B. V.. ISSN: 0169023x. DOI: 10.1016/j.datak.2005.08.002.
Abstract: The eXtensible Markup Language (XML) is a de facto standard on the Internet and is now being used to exchange a variety of data structures. This leads to the problem of efficiently storing, querying and retrieving a great amount of data contained in XML documents. Unfortunately, XML data often need to coexist with historical data. At present, the best solution for storing XML into preexisting data structures is to extract the information from the XML documents and adapt it to the data structuresâ€™ logical model (e.g., the relational model of a DBMS). In this paper, we introduce a technique called Xere (XML entityÂ–relationship exchange) to assist the integration of XML data with other data sources. To this aim, we present an algorithm that maps XML schemas into entityÂ–relationship diagrams, discuss its soundness and completeness and show its implementation in XSLT.


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Finite horizon analysis of Markov Chains with the Mur$\varphi$ verifier." Int. J. Softw. Tools Technol. Transf. 8, no. 4 (2006): 397–409. SpringerVerlag. ISSN: 14332779. DOI: 10.1007/s1000900502167.
Abstract: In this paper we present an explicit diskbased verification algorithm for Probabilistic Systems defining discrete time/finite state Markov Chains. Given a Markov Chain and an integer k (horizon), our algorithm checks whether the probability of reaching an error state in at most k steps is below a given threshold. We present an implementation of our algorithm within a suitable extension of the Mur$\varphi$ verifier. We call the resulting probabilistic model checker FHPMur$\varphi$ (Finite Horizon Probabilistic Mur$\varphi$). We present experimental results comparing FHPMur$\varphi$ with (a finite horizon subset of) PRISM, a stateoftheart symbolic model checker for Markov Chains. Our experimental results show that FHPMur$\varphi$ can handle systems that are out of reach for PRISM, namely those involving arithmetic operations on the state variables (e.g. hybrid systems).


Giuseppe Della Penna, Daniele Magazzeni, Alberto Tofani, Benedetto Intrigila, Igor Melatti, and Enrico Tronci. "Automated Generation of Optimal Controllers through Model Checking Techniques." In IcincoIcso, edited by J. AndradeCetto, J.  L. Ferrier, J. M. C. D. Pereira and J. Filipe, 26–33. INSTICC Press, 2006. ISSN: 9728865597. DOI: 10.1007/9783540791423.
Abstract: We present a methodology for the synthesis of controllers, which exploits (explicit) model checking techniques. That is, we can cope with the systematic exploration of a very large state space. This methodology can be applied to systems where other approaches fail. In particular, we can consider systems with an highly nonlinear dynamics and lacking a uniform mathematical description (model). We can also consider situations where the required control action cannot be specified as a local action, and rather a kind of planning is required. Our methodology individuates first a raw optimal controller, then extends it to obtain a more robust one. A case study is presented which considers the well known trucktrailer obstacle avoidance parking problem, in a parking lot with obstacles on it. The complex nonlinear dynamics of the trucktrailer system, within the presence of obstacles, makes the parking problem extremely hard. We show how, by our methodology, we can obtain optimal controllers with different degrees of robustness.


Giuseppe Della Penna, Alberto Tofani, Marcello Pecorari, Orazio Raparelli, Benedetto Intrigila, Igor Melatti, and Enrico Tronci. "A Case Study on Automated Generation of Integration Tests." In Fdl, 278–284. Ecsi, 2006. ISSN: 9783000197109.


Igor Melatti, Robert Palmer, Geoffrey Sawaya, Yu Yang, Robert Mike Kirby, and Ganesh Gopalakrishnan. "Parallel and Distributed Model Checking in Eddy." In Model Checking Software, 13th International SPIN Workshop, Vienna, Austria, March 30 – April 1, 2006, Proceedings, edited by A. Valmari, 108–125. Lecture Notes in Computer Science 3925. Springer  Verlag, 2006. ISSN: 03029743. ISBN: 9783540331025. DOI: 10.1007/11691617_7.
Abstract: Model checking of safety properties can be scaled up by pooling the CPU and memory resources of multiple computers. As compute clusters containing 100s of nodes, with each node realized using multicore (e.g., 2) CPUs will be widespread, a model checker based on the parallel (shared memory) and distributed (message passing) paradigms will more efficiently use the hardware resources. Such a model checker can be designed by having each node employ two shared memory threads that run on the (typically) two CPUs of a node, with one thread responsible for state generation, and the other for efficient communication, including (i) performing overlapped asynchronous message passing, and (ii) aggregating the states to be sent into larger chunks in order to improve communication network utilization. We present the design details of such a novel model checking architecture called Eddy. We describe the design rationale, details of how the threads interact and yield control, exchange messages, as well as detect termination. We have realized an instance of this architecture for the Murphi modeling language. Called Eddy_Murphi, we report its performance over the number of nodes as well as communication parameters such as those controlling state aggregation. Nearly linear reduction of compute time with increasing number of nodes is observed. Our thread task partition is done in such a way that it is modular, easy to port across different modeling languages, and easy to tune across a variety of platforms.


Enrico Tronci. "Introductory Paper." Sttt 8, no. 45 (2006): 355–358. DOI: 10.1007/s100090050212y.
Abstract: In todayâ€™s competitive market designing of digital systems (hardware as well as software) faces tremendous challenges. In fact, notwithstanding an ever decreasing project budget, time to market and product lifetime, designers are faced with an ever increasing system complexity and customer expected quality. The above situation calls for better and better formal verification techniques at all steps of the design flow. This special issue is devoted to publishing revised versions of contributions first presented at the 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME) held 21Â–24 October 2003 in Lâ€™Aquila, Italy. Authors of well regarded papers from CHARMEâ€™03 were invited to submit to this special issue. All papers included here have been suitably extended and have undergone an independent round of reviewing.


2005 
Andrea Bobbio, Ester Ciancamerla, Michele Minichino, and Enrico Tronci. "Functional analysis of a telecontrol system and stochastic measures of its GSM/GPRS connections." Archives of Transport – International Journal of Transport Problems 17, no. 3–4 (2005).


Edoardo Campagnano, Ester Ciancamerla, Michele Minichino, and Enrico Tronci. "Automatic Analysis of a Safety Critical Tele Control System." In 24th International Conference on: Computer Safety, Reliability, and Security (SAFECOMP), edited by R. Winther, B. A. Gran and G. Dahll, 94–107. Lecture Notes in Computer Science 3688. Fredrikstad, Norway: Springer, 2005. ISSN: 3540292004. DOI: 10.1007/11563228_8.
Abstract: We show how the Mur$\varphi$ model checker can be used to automatically carry out safety analysis of a quite complex hybrid system telecontrolling vehicles traffic inside a safety critical transport infrastructure such as a long bridge or a tunnel. We present the Mur$\varphi$ model we developed towards this end as well as the experimental results we obtained by running the Mur$\varphi$ verifier on our model. Our experimental results show that the approach presented here can be used to verify safety of critical dimensioning parameters (e.g. bandwidth) of the telecommunication network embedded in a safety critical system.


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, and Enrico Tronci. "Exploiting Hub States in Automatic Verification." In Automated Technology for Verification and Analysis: Third International Symposium, ATVA 2005, Taipei, Taiwan, October 47, 2005, Proceedings, edited by D.A. Peled and Y.K. Tsay, 54–68. Lecture Notes in Computer Science 3707. Springer, 2005. ISSN: 3540292098. DOI: 10.1007/11562948_7.
Abstract: In this paper we present a new algorithm to counteract state explosion when using Explicit State Space Exploration to verify protocollike systems. We sketch the implementation of our algorithm within the Caching Mur$\varphi$ verifier and give experimental results showing its effectiveness. We show experimentally that, when memory is a scarce resource, our algorithm improves on the time performances of Caching Mur$\varphi$ verification algorithm, saving between 16% and 68% (45% on average) in computation time.


Benedetto Intrigila, Daniele Magazzeni, Igor Melatti, and Enrico Tronci. "A Model Checking Technique for the Verification of Fuzzy Control Systems." In CIMCA '05: Proceedings of the International Conference on Computational Intelligence for Modelling, Control and Automation and International Conference on Intelligent Agents, Web Technologies and Internet Commerce Vol1 (CIMCAIAWTIC'06), 536–542. Washington, DC, USA: IEEE Computer Society, 2005. ISSN: 076952504001. DOI: 10.1109/CIMCA.2005.1631319.
Abstract: Fuzzy control is well known as a powerful technique for designing and realizing control systems. However, statistical evidence for their correct behavior may be not enough, even when it is based on a large number of samplings. In order to provide a more systematic verification process, the celltocell mapping technology has been used in a number of cases as a verification tool for fuzzy control systems and, more recently, to assess their optimality and robustness. However, celltocell mapping is typically limited in the number of cells it can explore. To overcome this limitation, in this paper we show how model checking techniques may be instead used to verify the correct behavior of a fuzzy control system. To this end, we use a modified version of theMurphi verifier, which ease the modeling phase by allowing to use finite precision real numbers and external C functions. In this way, also already designed simulators may be used for the verification phase. With respect to the cell mapping technique, our approach appears to be complementary; indeed, it explores a much larger number of states, at the cost of being less informative on the global dynamic of the system.


2004 
Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Bounded Probabilistic Model Checking with the Mur$\varphi$ Verifier." In Formal Methods in ComputerAided Design, 5th International Conference, FMCAD 2004, Austin, Texas, USA, November 1517, 2004, Proceedings, edited by A. J. Hu and A. K. Martin, 214–229. Lecture Notes in Computer Science 3312. Springer, 2004. ISSN: 3540237380. DOI: 10.1007/9783540304944_16.
Abstract: In this paper we present an explicit verification algorithm for Probabilistic Systems defining discrete time/finite state Markov Chains. We restrict ourselves to verification of Bounded PCTL formulas (BPCTL), that is, PCTL formulas in which all Until operators are bounded, possibly with different bounds. This means that we consider only paths (system runs) of bounded length. Given a Markov Chain $\cal M$ and a BPCTL formula Φ, our algorithm checks if Φ is satisfied in $\cal M$. This allows to verify important properties, such as reliability in Discrete Time Hybrid Systems. We present an implementation of our algorithm within a suitable extension of the Mur$\varphi$ verifier. We call FHPMur$\varphi$ (Finite Horizon Probabilistic Mur$\varphi$) such extension of the Mur$\varphi$ verifier. We give experimental results comparing FHPMur$\varphi$ with (a finite horizon subset of) PRISM, a stateoftheart symbolic model checker for Markov Chains. Our experimental results show that FHPMur$\varphi$ can effectively handle verification of BPCTL formulas for systems that are out of reach for PRISM, namely those involving arithmetic operations on the state variables (e.g. hybrid systems).


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Exploiting Transition Locality in Automatic Verification of Finite State Concurrent Systems." Sttt 6, no. 4 (2004): 320–341. DOI: 10.1007/s1000900401496.
Abstract: In this paper we show that statistical properties of the transition graph of a system to be verified can be exploited to improve memory or time performances of verification algorithms. We show experimentally that protocols exhibit transition locality. That is, with respect to levels of a breadthfirst state space exploration, state transitions tend to be between states belonging to close levels of the transition graph. We support our claim by measuring transition locality for the set of protocols included in the Mur$\varphi$ verifier distribution. We present a cachebased verification algorithm that exploits transition locality to decrease memory usage and a diskbased verification algorithm that exploits transition locality to decrease disk read accesses, thus reducing the time overhead due to disk usage. Both algorithms have been implemented within the Mur$\varphi$ verifier. Our experimental results show that our cachebased algorithm can typically save more than 40% of memory with an average time penalty of about 50% when using (Mur$\varphi$) bit compression and 100% when using bit compression and hash compaction, whereas our diskbased verification algorithm is typically more than ten times faster than a previously proposed diskbased verification algorithm and, even when using 10% of the memory needed to complete verification, it is only between 40 and 530% (300% on average) slower than (RAM) Mur$\varphi$ with enough memory to complete the verification task at hand. Using just 300 MB of memory our diskbased Mur$\varphi$ was able to complete verification of a protocol with about $10^9$ reachable states. This would require more than 5 GB of memory using standard Mur$\varphi$.


Roberto Gorrieri, Ruggero Lanotte, Andrea MaggioloSchettini, Fabio Martinelli, Simone Tini, and Enrico Tronci. "Automated analysis of timed security: a case study on web privacy." International Journal of Information Security 2, no. 34 (2004): 168–186. DOI: 10.1007/s1020700400379.
Abstract: This paper presents a case study on an automated analysis of realtime security models. The case study on a web system (originally proposed by Felten and Schneider) is presented that shows a timing attack on the privacy of browser users. Three different approaches are followed: LHTimed Automata (analyzed using the model checker HyTech), finitestate automata (analyzed using the model checker NuSMV), and process algebras (analyzed using the model checker CWBNC). A comparative analysis of these three approaches is given.


Ruggero Lanotte, Andrea MaggioloSchettini, Simone Tini, Angelo Troina, and Enrico Tronci. "Automatic Analysis of the NRL Pump." Electr. Notes Theor. Comput. Sci. 99 (2004): 245–266. DOI: 10.1016/j.entcs.2004.02.011.
Abstract: We define a probabilistic model for the NRL Pump and using FHPmur$\varphi$ show experimentally that there exists a probabilistic covert channel whose capacity depends on various NRL Pump parameters (e.g. buffer size, number of samples in the moving average, etc).


Ruggero Lanotte, Andrea MaggioloSchettini, Simone Tini, Angelo Troina, and Enrico Tronci. "Automatic Covert Channel Analysis of a Multilevel Secure Component." In Information and Communications Security, 6th International Conference, ICICS 2004, Malaga, Spain, October 2729, 2004, Proceedings, edited by J. Lopez, S. Qing and E. Okamoto, 249–261. Lecture Notes in Computer Science 3269. Springer, 2004. DOI: 10.1007/b101042.
Abstract: The NRL Pump protocol defines a multilevel secure component whose goal is to minimize leaks of information from high level systems to lower level systems, without degrading average time performances. We define a probabilistic model for the NRL Pump and show how a probabilistic model checker (FHPmur$\varphi$) can be used to estimate the capacity of a probabilistic covert channel in the NRL Pump. We are able to compute the probability of a security violation as a function of time for various configurations of the system parameters (e.g. buffer sizes, moving average size, etc). Because of the model complexity, our results cannot be obtained using an analytical approach and, because of the low probabilities involved, it can be hard to obtain them using a simulator.


Marco Martinelli, Enrico Tronci, Giovanni Dipoppa, and Claudio Balducelli. "Electric Power System Anomaly Detection Using Neural Networks." In 8th International Conference on: KnowledgeBased Intelligent Information and Engineering Systems (KES), edited by M. G. Negoita, R. J. Howlett and L. C. Jain, 1242–1248. Lecture Notes in Computer Science 3213. Wellington, New Zealand: Springer, 2004. ISSN: 3540233180.
Abstract: The aim of this work is to propose an approach to monitor and protect Electric Power System by learning normal system behaviour at substations level, and raising an alarm signal when an abnormal status is detected; the problem is addressed by the use of autoassociative neural networks, reading substation measures. Experimental results show that, through the proposed approach, neural networks can be used to learn parameters underlaying system behaviour, and their output processed to detecting anomalies due to hijacking of measures, changes in the power network topology (i.e. transmission lines breaking) and unexpected power demand trend.


2003 
"Charme." In Lecture Notes in Computer Science, edited by D. Geist and E. Tronci. Vol. 2860. Springer, 2003. ISSN: 354020363X. DOI: 10.1007/b93958.


Antonio Bucciarelli, Adolfo Piperno, and Ivano Salvo. "Intersection types and λdefinability." Mathematical Structures in Computer Science 13, no. 1 (2003): 15–53. Cambridge University Press. ISSN: 09601295. DOI: 10.1017/S0960129502003833.
Abstract: This paper presents a novel method for comparing computational properties of λterms that are typeable with intersection types, with respect to terms that are typeable with Curry types. We introduce a translation from intersection typing derivations to Curry typeable terms that is preserved by βreduction: this allows the simulation of a computation starting from a term typeable in the intersection discipline by means of a computation starting from a simply typeable term. Our approach proves strong normalisation for the intersection system naturally by means of purely syntactical techniques. The paper extends the results presented in Bucciarelli et al. (1999) to the whole intersection type system of Barendregt, Coppo and Dezani, thus providing a complete proof of the conjecture, proposed in Leivant (1990), that all functions uniformly definable using intersection types are already definable using Curry types.


Ester Ciancamerla, Michele Minichino, Stefano Serro, and Enrico Tronci. "Automatic Timeliness Verification of a Public Mobile Network." In 22nd International Conference on Computer Safety, Reliability, and Security (SAFECOMP), edited by S. Anderson, M. Felici and B. Littlewood, 35–48. Lecture Notes in Computer Science 2788. Edinburgh, UK: Springer, 2003. ISSN: 9783540201267. DOI: 10.1007/9783540398783_4.
Abstract: This paper deals with the automatic verification of the timeliness of Public Mobile Network (PMN), consisting of Mobile Nodes (MNs) and Base Stations (BSs). We use the Mur$\varphi$ Model Checker to verify that the waiting access time of each MN, under different PMN configurations and loads, and different inter arrival times of MNs in a BS cell, is always below a preassigned threshold. Our experimental results show that Model Checking can be successfully used to generate worst case scenarios and nicely complements probabilistic methods and simulation which are typically used for performance evaluation.


Mario Coppo, Mariangiola DezaniCiancaglini, Elio Giovannetti, and Ivano Salvo. "Mobility Types for Mobile Processes in Mobile Ambients." Electr. Notes Theor. Comput. Sci. 78 (2003). DOI: 10.1016/S15710661(04)810119.
Abstract: We present an ambientlike calculus in which the open capability is dropped, and a new form of â€œlightweightâ€ process mobility is introduced. The calculus comes equipped with a type system that allows the kind of values exchanged in communications and the access and mobility properties of processes to be controlled. A type inference procedure determines the â€œminimalâ€ requirements to accept a system or a component as well typed. This gives a kind of principal typing. As an expressiveness test, we show that some well known calculi of concurrency and mobility can be encoded in our calculus in a natural way.


Giuseppe Della Penna, Antinisca Di Marco, Benedetto Intrigila, Igor Melatti, and Alfonso Pierantonio. "Xere: Towards a Natural Interoperability between XML and ER Diagrams." In Fundamental Approaches to Software Engineering, 6th International Conference, FASE 2003, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2003, Warsaw, Poland, April 711, 2003, Proceedings, edited by M. Pezzè, 356–371. Lecture Notes in Computer Science 2621. Springer, 2003. ISSN: 3540008993. DOI: 10.1007/3540365788_25.
Abstract: XML (eXtensible Markup Language) is becoming the standard format for documents on Internet and is widely used to exchange data. Often, the relevant information contained in XML documents needs to be also stored in legacy databases (DB) in order to integrate the new data with the preexisting ones. In this paper, we introduce a technique for the automatic XMLDB integration, which we call Xere. In particular we present, as the first step of Xere, the mapping algorithm which allows the translation of XML Schemas into EntityRelationship diagrams.


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Michele Minichino, Ester Ciancamerla, Andrea Parisse, Enrico Tronci, and Marisa Venturini Zilli. "Automatic Verification of a Turbogas Control System with the Mur$\varphi$ Verifier." In Hybrid Systems: Computation and Control, 6th International Workshop, HSCC 2003 Prague, Czech Republic, April 35, 2003, Proceedings, edited by O. Maler and A. Pnueli, 141–155. Lecture Notes in Computer Science 2623. Springer, 2003. ISSN: 3540009132. DOI: 10.1007/354036580X.
Abstract: Automatic analysis of Hybrid Systems poses formidable challenges both from a modeling as well as from a verification point of view. We present a case study on automatic verification of a Turbogas Control System (TCS) using an extended version of the Mur$\varphi$ verifier. TCS is the heart of ICARO, a 2MW Cogenerative Electric Power Plant. For large hybrid systems, as TCS is, the modeling effort accounts for a significant part of the whole verification activity. In order to ease our modeling effort we extended the Mur$\varphi$ verifier by importing the C language long double type (finite precision real numbers) into it. We give experimental results on running our extended Mur$\varphi$ on our TCS model. For example using Mur$\varphi$ we were able to compute an admissible range of values for the variation speed of the user demand of electric power to the turbogas.


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Finite Horizon Analysis of Markov Chains with the Mur$\varphi$ Verifier." In Correct Hardware Design and Verification Methods, 12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, L'Aquila, Italy, October 2124, 2003, Proceedings, edited by D. Geist and E. Tronci, 394–409. Lecture Notes in Computer Science 2860. Springer, 2003. ISSN: 354020363X. DOI: 10.1007/9783540397243_34.
Abstract: In this paper we present an explicit disk based verification algorithm for Probabilistic Systems defining discrete time/finite state Markov Chains. Given a Markov Chain and an integer k (horizon), our algorithm checks whether the probability of reaching an error state in at most k steps is below a given threshold. We present an implementation of our algorithm within a suitable extension of the Mur$\varphi$ verifier. We call the resulting probabilistic model checker FHPMur$\varphi$ (Finite Horizon Probabilistic Mur$\varphi$). We present experimental results comparing FHPMur$\varphi$ with (a finite horizon subset of) PRISM, a stateoftheart symbolic model checker for Markov Chains. Our experimental results show that FHPMur$\varphi$ can handle systems that are out of reach for PRISM, namely those involving arithmetic operations on the state variables (e.g. hybrid systems).


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Finite Horizon Analysis of Stochastic Systems with the Mur$\varphi$ Verifier." In Theoretical Computer Science, 8th Italian Conference, ICTCS 2003, Bertinoro, Italy, October 1315, 2003, Proceedings, edited by C. Blundo and C. Laneve, 58–71. Lecture Notes in Computer Science 2841. Springer, 2003. ISSN: 3540202161. DOI: 10.1007/9783540452089_6.
Abstract: Many reactive systems are actually Stochastic Processes. Automatic analysis of such systems is usually very difficult thus typically one simplifies the analysis task by using simulation or by working on a simplified model (e.g. a Markov Chain). We present a Finite Horizon Probabilistic Model Checking approach which essentially can handle the same class of stochastic processes of a typical simulator. This yields easy modeling of the system to be analyzed together with formal verification capabilities. Our approach is based on a suitable disk based extension of the Mur$\varphi$ verifier. Moreover we present experimental results showing effectiveness of our approach.


Giuseppe Della Penna, Benedetto Intrigila, Igor Melatti, Enrico Tronci, and Marisa Venturini Zilli. "Integrating RAM and Disk Based Verification within the Mur$\varphi$ Verifier." In Correct Hardware Design and Verification Methods, 12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, L'Aquila, Italy, October 2124, 2003, Proceedings, edited by D. Geist and E. Tronci, 277–282. Lecture Notes in Computer Science 2860. Springer, 2003. ISSN: 354020363X. DOI: 10.1007/9783540397243_25.
Abstract: We present a verification algorithm that can automatically switch from RAM based verification to disk based verification without discarding the work done during the RAM based verification phase. This avoids having to choose beforehand the proper verification algorithm. Our experimental results show that typically our integrated algorithm is as fast as (sometime faster than) the fastest of the two base (i.e. RAM based and disk based) verification algorithms.


Giuseppe Della Penna, Benedetto Intrigila, Enrico Tronci, and Marisa Venturini Zilli. "Synchronized regular expressions." Acta Inf. 39, no. 1 (2003): 31–70.
Abstract: Text manipulation is one of the most common tasks for everyone using a computer. The increasing number of textual information in electronic format that every computer user collects everyday also increases the need of more powerful tools to interact with texts. Indeed, much work has been done to provide simple and versatile tools that can be useful for the most common text manipulation tasks. Regular Expressions (RE), introduced by Kleene, are well known in the formal language theory. RE have been extended in various ways, depending on the application of interest. In almost all the implementations of RE search algorithms (e.g. the egrep [15] UNIX command, or the Perl [20] language pattern matching constructs) we find backreferences, i.e. expressions that make reference to the string matched by a previous subexpression. Generally speaking, it seems that all kinds of synchronizations between subexpressions in a RE can be very useful when interacting with texts. In this paper we introduce the Synchronized Regular Expressions (SRE) as an extension of the Regular Expressions. We use SRE to present a formal study of the already known backreferences extension, and of a new extension proposed by us, which we call the synchronized exponents. Moreover, since we are dealing with formalisms that should have a practical utility and be used in real applications, we have the problem of how to present SRE to the final users. Therefore, in this paper we also propose a userfriendly syntax for SRE to be used in implementations of SREpowered search algorithms.


Marco Gribaudo, Andras Horváth, Andrea Bobbio, Enrico Tronci, Ester Ciancamerla, and Michele Minichino. "Fluid Petri Nets and hybrid model checking: a comparative case study." Int. Journal on: Reliability Engineering & System Safety 81, no. 3 (2003): 239–257. Elsevier. DOI: 10.1016/S09518320(03)000899.
Abstract: The modeling and analysis of hybrid systems is a recent and challenging research area which is actually dominated by two main lines: a functional analysis based on the description of the system in terms of discrete state (hybrid) automata (whose goal is to ascertain conformity and reachability properties), and a stochastic analysis (whose aim is to provide performance and dependability measures). This paper investigates a unifying view between formal methods and stochastic methods by proposing an analysis methodology of hybrid systems based on Fluid Petri Nets (FPNs). FPNs can be analyzed directly using appropriate tools. Our paper shows that the same FPN model can be fed to different functional analyzers for model checking. In order to extensively explore the capability of the technique, we have converted the original FPN into languages for discrete as well as hybrid as well as stochastic model checkers. In this way, a first comparison among the modeling power of well known tools can be carried out. Our approach is illustrated by means of a â€™real worldâ€™ hybrid system: the temperature control system of a cogenerative plant.


2002 
Franco Barbanera, Mariangiola DezaniCiancaglini, Ivano Salvo, and Vladimiro Sassone. "A Type Inference Algorithm for Secure Ambients." Electronic Notes in Theoretical Computer Science 62 (2002): 83–101. Elsevier. Notes: TOSCA 2001, Theory of Concurrency, Higher Order Languages and Types. DOI: 10.1016/S15710661(04)003214.
Abstract: We consider a type discipline for the Ambient Calculus that associates ambients with security levels and constrains them to be traversed by or opened in ambients of higher security clearance only. We present a bottomup algorithm that, given an untyped process P, computes a minimal set of constraints on security levels such that all actions during runs of P are performed without violating the security level priorities. Such an algorithm appears to be a prerequisite to use type systems to ensure security properties in the web scenario.


Giuseppe Della Penna, Benedetto Intrigila, Enrico Tronci, and Marisa Venturini Zilli. "Exploiting Transition Locality in the Disk Based Mur$\varphi$ Verifier." In 4th International Conference on Formal Methods in ComputerAided Design (FMCAD), edited by M. Aagaard and J. W. O'Leary, 202–219. Lecture Notes in Computer Science 2517. Portland, OR, USA: Springer, 2002. ISSN: 3540001166. DOI: 10.1007/354036126X_13.
Abstract: The main obstruction to automatic verification of Finite State Systems is the huge amount of memory required to complete the verification task (state explosion). This motivates research on distributed as well as disk based verification algorithms. In this paper we present a disk based Breadth First Explicit State Space Exploration algorithm as well as an implementation of it within the Mur$\varphi$ verifier. Our algorithm exploits transition locality (i.e. the statistical fact that most transitions lead to unvisited states or to recently visited states) to decrease disk read accesses thus reducing the time overhead due to disk usage. A disk based verification algorithm for Mur$\varphi$ has been already proposed in the literature. To measure the time speed up due to locality exploitation we compared our algorithm with such previously proposed algorithm. Our experimental results show that our disk based verification algorithm is typically more than 10 times faster than such previously proposed disk based verification algorithm. To measure the time overhead due to disk usage we compared our algorithm with RAM based verification using the (standard) Mur$\varphi$ verifier with enough memory to complete the verification task. Our experimental results show that even when using 1/10 of the RAM needed to complete verification, our disk based algorithm is only between 1.4 and 5.3 times (3 times on average) slower than (RAM) Mur$\varphi$ with enough RAM memory to complete the verification task at hand. Using our disk based Mur$\varphi$ we were able to complete verification of a protocol with about $10^9$ reachable states. This would require more than 5 gigabytes of RAM using RAM based Mur$\varphi$.


Giuseppe Della Penna, Benedetto Intrigila, Enrico Tronci, and Marisa Venturini Zilli. "Synchronized Regular Expressions." Electr. Notes Theor. Comput. Sci. 62 (2002): 195–210. Notes: TOSCA 2001, Theory of Concurrency, Higher Order Languages and Types.
Abstract: Text manipulation is one of the most common tasks for everyone using a computer. The increasing number of textual information in electronic format that every computer user collects everyday stresses the need of more powerful tools to interact with texts. Indeed, much work has been done to provide nonprogramming tools that can be useful for the most common text manipulation issues. Regular Expressions (RE), introduced by Kleene, are wellÂ–known in the formal language theory. RE received several extensions, depending on the application of interest. In almost all the implementations of RE search algorithms (e.g. the egrep [A] UNIX command, or the Perl [17] language pattern matching constructs) we find backreferences (as defind in [1]), i.e. expressions that make reference to the string matched by a previous subexpression. Generally speaking, it seems that all the kinds of synchronizations between subexpressions in a RE can be very useful when interacting with texts. Therefore, we introduce the Synchronized Regular Expressions (SRE) as a derivation of the Regular Expressions. We use SRE to present a formal study of the already known backreferences extension, and of a new extension proposed by us, which we call the synchronized exponents. Moreover, since we are talking about formalisms that should have a practical utility and can be used in the real world, we have the problem of how to present SRE to the final users. Therefore, in this paper we also propose a userÂ–friendly syntax for SRE to be used in implementations of SREÂ–powered search algorithms.


Riccardo Focardi, Roberto Gorrieri, Ruggero Lanotte, Andrea MaggioloSchettini, Fabio Martinelli, Simone Tini, and Enrico Tronci. "Formal Models of Timing Attacks on Web Privacy." Electronic Notes in Theoretical Computer Science 62 (2002): 229–243. Notes: TOSCA 2001, Theory of Concurrency, Higher Order Languages and Types. DOI: 10.1016/S15710661(04)003299.
Abstract: We model a timing attack on web privacy proposed by Felten and Schneider by using three different approaches: HLTimed Automata, SMV model checker, and tSPA Process Algebra. Some comparative analysis on the three approaches is derived.


Marco Gribaudo, Andras Horváth, Andrea Bobbio, Enrico Tronci, Ester Ciancamerla, and Michele Minichino. "ModelChecking Based on Fluid Petri Nets for the Temperature Control System of the ICARO Cogenerative Plant." In 21st International Conference on Computer Safety, Reliability and Security (SAFECOMP), edited by S. Anderson, S. Bologna and M. Felici, 273–283. Lecture Notes in Computer Science 2434. Catania, Italy: Springer, 2002. ISSN: 3540441573. DOI: 10.1007/3540457321_27.
Abstract: The modeling and analysis of hybrid systems is a recent and challenging research area which is actually dominated by two main lines: a functional analysis based on the description of the system in terms of discrete state (hybrid) automata (whose goal is to ascertain for conformity and reachability properties), and a stochastic analysis (whose aim is to provide performance and dependability measures). This paper investigates a unifying view between formal methods and stochastic methods by proposing an analysis methodology of hybrid systems based on Fluid Petri Nets (FPN). It is shown that the same FPN model can be fed to a functional analyser for model checking as well as to a stochastic analyser for performance evaluation. We illustrate our approach and show its usefulness by applying it to a â€œreal worldâ€ hybrid system: the temperature control system of a cogenerative plant.


2001 
Andrea Bobbio, Sandro Bologna, Michele Minichino, Ester Ciancamerla, Piero Incalcaterra, Corrado Kropp, and Enrico Tronci. "Advanced techniques for safety analysis applied to the gas turbine control system of Icaro co generative plant." In X Convegno Tecnologie e Sistemi Energetici Complessi, 339–350. Genova, Italy, 2001.
Abstract: The paper describes two complementary and integrable approaches, a probabilistic one and a deterministic one, based on classic and advanced modelling techniques for safety analysis of complex computer based systems. The probabilistic approach is based on classical and innovative probabilistic analysis methods. The deterministic approach is based on formal verification methods. Such approaches are applied to the gas turbine control system of ICARO co generative plant, in operation at ENEA CR Casaccia. The main difference between the two approaches, behind the underlining different theories, is that the probabilistic one addresses the control system by itself, as the set of sensors, processing units and actuators, while the deterministic one also includes the behaviour of the equipment under control which interacts with the control system. The final aim of the research, documented in this paper, is to explore an innovative method which put the probabilistic and deterministic approaches in a strong relation to overcome the drawbacks of their isolated, selective and fragmented use which can lead to inconsistencies in the evaluation results.


V. Bono, and I. Salvo. "A CuCh Interpretation of an ObjectOriented Language." Electronic Notes in Theoretical Computer Science 50, no. 2 (2001): 159–177. Elsevier. Notes: BOTH 2001, Bohmâ€™s theorem: applications to Computer Science Theory (Satellite Workshop of ICALP 2001). DOI: 10.1016/S15710661(04)001719.
Abstract: CuCh machine extends pure lambdaÂ–calculus with algebraic data types and provides a the possibility of defining functions over the disjoint sum of algebras. We exploit such natural form of overloading to define a functional interpretation of a simple, but significant fragment of a typical objectoriented language.


G. Dipoppa, G. D'Alessandro, R. Semprini, and E. Tronci. "Integrating Automatic Verification of Safety Requirements in Railway Interlocking System Design." In High Assurance Systems Engineering, 2001. Sixth IEEE International Symposium on, 209–219. Albuquerque, NM, USA: IEEE Computer Society, 2001. ISSN: 0769512755. DOI: 10.1109/HASE.2001.966821.
Abstract: A railway interlocking system (RIS) is an embedded system (namely a supervisory control system) that ensures the safe, operation of the devices in a railway station. RIS is a safety critical system. We explore the possibility of integrating automatic formal verification methods in a given industry RIS design flow. The main obstructions to be overcome in our work are: selecting a formal verification tool that is efficient enough to solve the verification problems at hand; and devising a cost effective integration strategy for such tool. We were able to devise a successful integration strategy meeting the above constraints without requiring major modification in the preexistent design flow nor retraining of personnel. We run verification experiments for a RIS designed for the Singapore Subway. The experiments show that the RIS design flow obtained from our integration strategy is able to automatically verify real life RIS designs.


Benedetto Intrigila, Ivano Salvo, and Stefano Sorgi. "A characterization of weakly ChurchRosser abstract reduction systems that are not ChurchRosser." Information and Computation 171, no. 2 (2001): 137–155. Academic Press, Inc.. ISSN: 08905401. DOI: 10.1006/inco.2001.2945.
Abstract: Basic properties of rewriting systems can be stated in the framework of abstract reduction systems (ARS). Properties like confluence (or ChurchRosser, CR) and weak confluence (or weak ChurchRosser, WCR) and their relationships can be studied in this setting: as a matter of fact, wellknown counterexamples to the implication WCR CR have been formulated as ARS. In this paper, starting from the observation that such counterexamples are structurally similar, we set out a graphtheoretic characterization of WCR ARS that is not CR in terms of a suitable class of reduction graphs, such that in every WCR not CR ARS, we can embed at least one element of this class. Moreover, we give a tighter characterization for a restricted class of ARS enjoying a suitable regularity condition. Finally, as a consequence of our approach, we prove some interesting results about ARS using the mathematical tools developed. In particular, we prove an extension of the Newmanâ€™s lemma and we find out conditions that, once assumed together with WCR property, ensure the unique normal form property. The Appendix treats two interesting examples, both generated by graphrewriting rules, with specific combinatorial properties.


Enrico Tronci, Giuseppe Della Penna, Benedetto Intrigila, and Marisa Venturini Zilli. "A Probabilistic Approach to Automatic Verification of Concurrent Systems." In 8th AsiaPacific Software Engineering Conference (APSEC), 317–324. Macau, China: IEEE Computer Society, 2001. ISSN: 0769514081. DOI: 10.1109/APSEC.2001.991495.
Abstract: The main barrier to automatic verification of concurrent systems is the huge amount of memory required to complete the verification task (state explosion). In this paper we present a probabilistic algorithm for automatic verification via model checking. Our algorithm trades space with time. In particular, when memory is full because of state explosion our algorithm does not give up verification. Instead it just proceeds at a lower speed and its results will only hold with some arbitrarily small error probability. Our preliminary experimental results show that by using our probabilistic algorithm we can typically save more than 30% of RAM with an average time penalty of about 100% w.r.t. a deterministic state space exploration with enough memory to complete the verification task. This is better than giving up the verification task because of lack of memory.


Enrico Tronci, Giuseppe Della Penna, Benedetto Intrigila, and Marisa Venturini Zilli. "Exploiting Transition Locality in Automatic Verification." In 11th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), edited by T. Margaria and T. F. Melham, 259–274. Lecture Notes in Computer Science 2144. Livingston, Scotland, UK: Springer, 2001. ISSN: 3540425411. DOI: 10.1007/3540447989_22.
Abstract: In this paper we present an algorithm to contrast state explosion when using Explicit State Space Exploration to verify protocols. We show experimentally that protocols exhibit transition locality. We present a verification algorithm that exploits transition locality as well as an implementation of it within the Mur$\varphi$ verifier. Our algorithm is compatible with all Breadth First (BF) optimization techniques present in the Mur$\varphi$ verifier and it is by no means a substitute for any of them. In fact, since our algorithm trades space with time, it is typically most useful when one runs out of memory and has already used all other state reduction techniques present in the Mur$\varphi$ verifier. Our experimental results show that using our approach we can typically save more than 40% of RAM with an average time penalty of about 50% when using (Mur$\varphi$) bit compression and 100% when using bit compression and hash compaction.


2000 
Michele Cecconi, and Enrico Tronci. "Requirements Formalization and Validation for a Telecommunication Equipment Protection Switcher." In Hase. IEEE Computer Society, 2000. ISSN: 0769509274. DOI: 10.1109/HASE.2000.895456.


1999 
Antonio Bucciarelli, Silvia de Lorenzis, Adolfo Piperno, and Ivano Salvo. "Some Computational Properties of Intersection Types (Extended Abstract)." (1999): 109–118. IEEE Computer Society. DOI: 10.1109/LICS.1999.782598.
Abstract: This paper presents a new method for comparing computationproperties of λterms typeable with intersection types with respect to terms typeable with Curry types. In particular, strong normalization and λdefinability are investigated. A translation is introduced from intersection typing derivations to Curry typeable terms; the main feature of the proposed technique is that the translation is preserved by βreduction. This allows to simulate a computation starting from a term typeable in the intersection discipline by means of a computation starting from a simply typeable term. Our approach naturally leads to prove strong normalization in the intersection system by means of purely syntactical techniques. In addition, the presented method enables us to give a proof of a conjecture proposed by Leivant in 1990, namely that all functions uniformly definable using intersection types are already definable using Curry types.
Keywords: lambda calculusCurry types, intersection types, lambdadefinability, lambdaterms, strong normalization


Enrico Tronci. "Automatic Synthesis of Control Software for an Industrial Automation Control System." In Proc.of: 14th IEEE International Conference on: Automated Software Engineering (ASE), 247–250. Cocoa Beach, Florida, USA, 1999. DOI: 10.1109/ASE.1999.802292.
Abstract: We present a case study on automatic synthesis of control software from formal specifications for an industrial automation control system. Our aim is to compare the effectiveness (i.e. design effort and controller quality) of automatic controller synthesis from closed loop formal specifications with that of manual controller design, followed by automatic verification. Our experimental results show that for industrial automation control systems, automatic synthesis is a viable and profitable (especially as far as design effort is concerned) alternative to manual design, followed by automatic verification.


Enrico Tronci. "Formally Modeling a Metal Processing Plant and its Closed Loop Specifications." In 4th IEEE International Symposium on HighAssurance Systems Engineering (HASE), 151. Washington, D.C, USA: IEEE Computer Society, 1999. ISSN: 0769504183. DOI: 10.1109/HASE.1999.809490.
Abstract: We present a case study on automatic synthesis of control software from formal specifications for an industrial automation control system. Our aim is to compare the effectiveness (i.e. design effort and controller quality) of automatic controller synthesis from closed loop formal specifications with that of manual controller design followed by automatic verification. The system to be controlled (plant) models a metal processing facility near Karlsruhe. We succeeded in automatically generating C code implementing a (correct by construction) embedded controller for such a plant from closed loop formal specifications. Our experimental results show that for industrial automation control systems automatic synthesis is a viable and profitable (especially as far as design effort is concerned) alternative to manual design followed by automatic verification.


1998 
Antonio Bucciarelli, and Ivano Salvo. "Totality, Definability and Boolean Circuits." 1443 (1998): 808–819. Springer. DOI: 10.1007/BFb0055104.
Abstract: In the type frame originating from the flat domain of boolean values, we single out elements which are hereditarily total. We show that these elements can be defined, up to total equivalence, by sequential programs. The elements of an equivalence class of the totality equivalence relation (totality class) can be seen as different algorithms for computing a given settheoretic boolean function. We show that the bottom element of a totality class, which is sequential, corresponds to the most eager algorithm, and the top to the laziest one. Finally we suggest a link between size of totality classes and a well known measure of complexity of boolean functions, namely their sensitivity.


Alessandro Fantechi, Stefania Gnesi, Franco Mazzanti, Rosario Pugliese, and Enrico Tronci. "A Symbolic Model Checker for ACTL." In International Workshop on Current Trends in Applied Formal Method (FMTrends), edited by D. Hutter, W. Stephan, P. Traverso and M. Ullmann, 228–242. Lecture Notes in Computer Science 1641. Boppard, Germany: Springer, 1998. ISSN: 3540664629. DOI: 10.1007/3540482571_14.
Abstract: We present SAM, a symbolic model checker for ACTL, the actionbased version of CTL. SAM relies on implicit representations of Labeled Transition Systems (LTSs), the semantic domain for ACTL formulae, and uses symbolic manipulation algorithms. SAM has been realized by translating (networks of) LTSs and, possibly recursive, ACTL formulae into BSP (Boolean Symbolic Programming), a programming language aiming at defining computations on boolean functions, and by using the BSP interpreter to carry out computations (i.e. verifications).


Enrico Tronci. "Automatic Synthesis of Controllers from Formal Specifications." In Proc of 2nd IEEE International Conference on Formal Engineering Methods (ICFEM), 134–143. Brisbane, Queensland, Australia, 1998. DOI: 10.1109/ICFEM.1998.730577.
Abstract: Many safety critical reactive systems are indeed embedded control systems. Usually a control system can be partitioned into two main subsystems: a controller and a plant. Roughly speaking: the controller observes the state of the plant and sends commands (stimulus) to the plant to achieve predefined goals. We show that when the plant can be modeled as a deterministic finite state system (FSS) it is possible to effectively use formal methods to automatically synthesize the program implementing the controller from the plant model and the given formal specifications for the closed loop system (plant+controller). This guarantees that the controller program is correct by construction. To the best of our knowledge there is no previously published effective algorithm to extract executable code for the controller from closed loop formal specifications. We show practical usefulness of our techniques by giving experimental results on their use to synthesize C programs implementing optimal controllers (OCs) for plants with more than 109 states.


1997 
Enrico Tronci. "On Computing Optimal Controllers for Finite State Systems." In CDC '97: Proceedings of the 36th IEEE International Conference on Decision and Control. Washington, DC, USA: IEEE Computer Society, 1997.


1996 
Rosario Pugliese, and Enrico Tronci. "Automatic Verification of a Hydroelectric Power Plant." In Third International Symposium of Formal Methods Europe (FME), CoSponsored by IFIP WG 14.3, edited by M.  C. Gaudel and J. Woodcock, 425–444. Lecture Notes in Computer Science 1051. Oxford, UK: Springer, 1996. ISSN: 3540609733. DOI: 10.1007/3540609733_100.
Abstract: We analyze the specification of a hydroelectric power plant by ENEL (the Italian Electric Company). Our goal is to show that for the specification of the plant (its control system in particular) some given properties hold. We were provided with an informal specification of the plant. From such informal specification we wrote a formal specification using the CCS/Meije process algebra formalism. We defined properties using μcalculus. Automatic verification was carried out using model checking. This was done by translating our process algebra definitions (the model) and μcalculus formulas into BDDs. In this paper we present the informal specification of the plant, its formal specification, some of the properties we verified and experimental results.


Enrico Tronci. "Equational Programming in LambdaCalculus via SLSystems. Part 1." Theoretical Computer Science 160, no. 1&2 (1996): 145–184. DOI: 10.1016/03043975(95)001050.


Enrico Tronci. "Equational Programming in LambdaCalculus via SLSystems. Part 2." Theoretical Computer Science 160, no. 1&2 (1996): 185–216. DOI: 10.1016/03043975(95)001069.


Enrico Tronci. "Optimal Finite State Supervisory Control." In CDC '96: Proceedings of the 35th IEEE International Conference on Decision and Control. Washington, DC, USA: IEEE Computer Society, 1996.
Abstract: Supervisory Controllers are Discrete Event Dynamic Systems (DEDSs) forming the discrete core of a Hybrid Control System. We address the problem of automatic synthesis of Optimal Finite State Supervisory Controllers (OSCs). We show that Boolean First Order Logic (BFOL) and Binary Decision Diagrams (BDDs) are an effective methodological and practical framework for Optimal Finite State Supervisory Control. Using BFOL programs (i.e. systems of boolean functional equations) and BDDs we give a symbolic (i.e. BDD based) algorithm for automatic synthesis of OSCs. Our OSC synthesis algorithm can handle arbitrary sets of final states as well as plant transition relations containing loops and uncontrollable events (e.g. failures). We report on experimental results on the use of our OSC synthesis algorithm to synthesize a C program implementing a minimum fuel OSC for two autonomous vehicles moving on a 4 x 4 grid.


1995 
Enrico Tronci. "Defining Data Structures via BöhmOut." J. Funct. Program. 5, no. 1 (1995): 51–64. DOI: 10.1017/S0956796800001234.
Abstract: We show that any recursively enumerable subset of a data structure can be regarded as the solution set to a B??hmout problem.


Enrico Tronci. "Hardware Verification, Boolean Logic Programming, Boolean Functional Programming." In Tenth Annual IEEE Symposium on Logic in Computer Science (LICS), 408–418. San Diego, California: IEEE Computer Society, 1995. DOI: 10.1109/LICS.1995.523275.
Abstract: One of the main obstacles to automatic verification of finite state systems (FSSs) is state explosion. In this respect automatic verification of an FSS M using model checking and binary decision diagrams (BDDs) has an intrinsic limitation: no automatic global optimization of the verification task is possible until a BDD representation for M is generated. This is because systems and specifications are defined using different languages. To perform global optimization before generating a BDD representation for M we propose to use the same language to define systems and specifications. We show that first order logic on a Boolean domain yields an efficient functional programming language that can be used to represent, specify and automatically verify FSSs, e.g. on a SUN Sparc Station 2 we were able to automatically verify a 64 bit commercial multiplier.


1991 
Corrado Böhm, and Enrico Tronci. "About Systems of Equations, XSeparability, and LeftInvertibility in the lambdaCalculus." Inf. Comput. 90, no. 1 (1991): 1–32. DOI: 10.1016/08905401(91)900579.


Enrico Tronci. "Equational Programming in lambdacalculus." In Sixth Annual IEEE Symposium on Logic in Computer Science (LICS), 191–202. Amsterdam, The Netherlands: IEEE Computer Society, 1991. DOI: 10.1109/LICS.1991.151644.


1990 
Adolfo Piperno, and Enrico Tronci. "Regular Systems of Equations in λcalculus." Int. J. Found. Comput. Sci. 1, no. 3 (1990): 325–340. DOI: 10.1142/S0129054190000230.
Abstract: Many problems arising in equational theories like Lambdacalculus and Combinatory Logic can be expressed by combinatory equations or systems of equations. However, the solvability problem for an arbitrarily given class of systems is in general undecidable. In this paper we shall focus our attention on a decidable class of systems, which will be called regular systems, and we shall analyse some classical problems and wellknown properties of Lambdacalculus that can be described and solved by means of regular systems. The significance of such class will be emphasized showing that for slight extensions of it the solvability problem turns out to be undecidable.


1989 
Corrado Böhm, Adolfo Piperno, and Enrico Tronci. "Solving Equations in λcalculus." In Proc. of: Logic Colloquium 88. Padova  Italy, 1989.


Adolfo Piperno, and Enrico Tronci. "Regular Systems of Equations in λcalculus." In Ictcs. Mantova  Italy, 1989. DOI: 10.1142/S0129054190000230.
Abstract: Many problems arising in equational theories like Lambdacalculus and Combinatory Logic can be expressed by combinatory equations or systems of equations. However, the solvability problem for an arbitrarily given class of systems is in general undecidable. In this paper we shall focus our attention on a decidable class of systems, which will be called regular systems, and we shall analyse some classical problems and wellknown properties of Lambdacalculus that can be described and solved by means of regular systems. The significance of such class will be emphasized showing that for slight extensions of it the solvability problem turns out to be undecidable.


1987 
Corrado Böhm, and Enrico Tronci. "XSeparability and LeftInvertibility in lambdacalculus." In Symposium on Logic in Computer Science (LICS), 320–328. Ithaca, New York, USA: IEEE Computer Society, 1987.


Corrado Böhm, and Enrico Tronci. "Xseparability and leftinvertibility in the λcalculus (extended abstract, invited paper)." In Proceedings of: Temi e prospettive della Logica e della Filosofia della Scienza contemporanea. Cesena  Italy, 1987.


