
SIGLOG News, Volume 2, Number 4, October 2015. Published by the Association for Computing Machinery Special Interest Group on Logic and Computation.

TABLE OF CONTENTS

General Information
 1  From the Editor (Andrzej Murawski)
 2  Chair's Letter (Prakash Panangaden)

Technical Columns
 3  Automata (Mikołaj Bojańczyk)
 16 Verification (Neha Rungta)

Announcements
 26 Gödel Prize - Call for Nominations
 28 SIGLOG Monthly 175

SIGLOG NEWS
Published by the ACM Special Interest Group on Logic and Computation

SIGLOG Executive Committee
Chair: Prakash Panangaden, McGill University
Vice-Chair: Luke Ong, University of Oxford
Treasurer: Natarajan Shankar, SRI International
Secretary: Alexandra Silva, Radboud University Nijmegen
Catuscia Palamidessi, INRIA and LIX, École Polytechnique
EACSL President: Anuj Dawar, University of Cambridge
EATCS President: Luca Aceto, Reykjavik University
ACM ToCL E-in-C: Dale Miller, INRIA and LIX, École Polytechnique
Andrzej Murawski, University of Warwick
Véronique Cortier, CNRS and LORIA, Nancy

ADVISORY BOARD
Martín Abadi, Google and UC Santa Cruz
Phokion Kolaitis, University of California, Santa Cruz
Dexter Kozen, Cornell University
Gordon Plotkin, University of Edinburgh
Rice University

COLUMN EDITORS
Automata: Mikołaj Bojańczyk, University of Warsaw
Complexity: University of Massachusetts Amherst
Security and Privacy: Matteo Maffei, CISPA, Saarland University
Semantics: Mike Mislove, Tulane University
Verification: Neha Rungta, SGT Inc. and NASA Ames

Notice to Contributing Authors to SIG Newsletters

By submitting your article for distribution in this Special Interest Group publication, you hereby grant to ACM the following non-exclusive, perpetual, worldwide rights:
— to publish in print on condition of acceptance by the editor
— to digitize and post your article in the electronic version of this publication
— to include the article in the ACM Digital Library and in any Digital Library related services
— to allow users to make a personal copy of the article for noncommercial, educational or research purposes
However, as a contributing author, you retain copyright to your article and ACM will refer requests for republication directly to you.

SIGLOG News (ISSN 2372-3491) is an electronic quarterly publication by the Association for Computing Machinery.

From the Editor

Welcome to another issue of SIGLOG News!

In this issue

– SIGLOG's Chair Prakash Panangaden announces an election and reports on the outcome of a recent meeting of the SIG Governing Board.

– Mikołaj Bojańczyk investigates boundedness in the Automata Column.

– Darren Cofer writes about certifying avionics software in Neha Rungta’s column on Verification.

– And, as usual, there are numerous calls for papers and participation in our monthly bulletin, prepared by Daniela Petrişan.

SIGLOG News is still looking for more volunteers for coordinating sections on conference reports and book reviews. Please email [email protected] if you are interested.

Enjoy!

Andrzej Murawski University of Warwick SIGLOG News Editor

ACM SIGLOG News 1 October 2015, Vol. 2, No. 4

Chair's Letter

First, a major piece of good news. The SIG Governing Board of ACM has approved SIGLOG and moved us out of the probationary status that we were in. Every four years a SIG is subjected to a viability review. As we only started in 2014, we were assessed after 18 months and passed with flying colours. Congratulations to the members for making SIGLOG a flourishing organization. We will be evaluated again in two years, instead of the usual four, because we are still in the start-up phase.

Election fever is upon us! No, I am not referring to the US Presidential election nor the Canadian Federal election but to the election of new office holders for SIGLOG along with members-at-large to serve on the executive committee. The chair of the nominating committee is Dale Miller, who will ensure that we have a full slate of candidates by December. In January the candidates will publish their vision statements in the SIGLOG Newsletter and the elections will take place in 2016. Any professional member of the ACM who is a member of SIGLOG can run for office. Please do contact Dale (before he twists your arm!) if you would like to run in the election.

Prakash Panangaden McGill University ACM SIGLOG Chair

AUTOMATA COLUMN

MIKOŁAJ BOJAŃCZYK, University of Warsaw
[email protected]

Mikołaj Bojańczyk, University of Warsaw

This is a survey of extensions of logics and automata which talk about boundedness. A typical property of interest is the set of $\omega$-words which satisfy "there exists some $k$, such that every $a$ letter is followed by a $b$ letter in at most $k$ steps". The main points of interest are the logic MSO+U, its fragments and related automata models, as well as the regular cost functions of Colcombet.

To begin our discussion of boundedness, consider one of the archetypical liveness properties, namely "every $a$ event is followed by a $b$ event in a finite number of steps". In the syntax of linear temporal logic LTL, this property is written as
$$G(a \Rightarrow Fb).$$
What could be more natural than asking for the $b$ to appear in a bounded number of steps? Adding such boundedness constraints is the idea behind prompt LTL, a logic introduced in [Kupferman et al. 2009]. In prompt LTL, one writes formulas like
$$\exists k \in \mathbb{N}\;\; G(a \Rightarrow F^{k} b),$$
where $F^{k}$ means "in at most $k$ steps". Assuming that we are talking about languages of $\omega$-words over the alphabet $\{a,b\}$, the language that corresponds to the above formula of prompt LTL is
$$\{a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots : \limsup n_i < \infty\}.$$
This language will be our running example. The goal of this paper is to discuss logics and automata which describe the running example and its variants. There are three sources of motivation.

A richer modelling language. The first source of motivation, highlighted by the prompt LTL example, is that boundedness is one of the most basic kinds of asymptotic properties, and it is therefore unsurprising that it has found its way into formalisms expressing properties of infinite computation. For example, one can consider variants of parity games (and Streett, etc.) where the winning condition requires that something good happens in a bounded amount of time [Chatterjee et al. 2009; Bloem et al. 2009; Fijalkow and Zimmermann 2014].

A new tool in a logician's toolbox. The second source of motivation is that boundedness questions appear implicitly when solving problems without an explicit boundedness character. A famous example is the star height problem. As discovered by Hashiguchi [Hashiguchi 1988], this problem can be solved by reducing it to a decidable boundedness problem, to be discussed later in this paper. Other problems in formal language theory that reduce to boundedness questions include the star height problem for regular tree languages [Colcombet and Löding 2008a], or the Mostowski index problem for automata on infinite trees [Colcombet and Löding 2008b], although in the latter case, both the Mostowski index problem and its corresponding boundedness problem remain open, see [Fijalkow et al. 2015] for recent developments. Another example of a problem that reduces to a boundedness question is the finite satisfiability problem for fixpoint logics such as: the modal $\mu$-calculus with backward modalities [Bojańczyk 2002], guarded fixpoint logic [Bárány and Bojańczyk 2012] or guarded negation logic [Bárány et al. 2015]. Other examples where boundedness questions arise include: a question about eliminating fixpoint operators in [Blumensath et al. 2014c], a satisfiability question for a variant of CTL* in [Carapelle et al. 2013], or a characterisation of behaviours of communicating timed automata [Aminof et al. 2015].

Understanding regularity. A third source of motivation is the quest for understanding "regular languages" for infinite objects, such as $\omega$-words. Consider the language in the running example. Is it a "regular language"? It is not regular in the accepted sense, i.e. it is not recognised by any nondeterministic Büchi automaton (a straightforward pumping argument), and therefore it is also not definable by any formula of monadic second-order logic MSO. Nevertheless, the language looks innocent enough, and one may wonder whether it might belong to some class of languages with a simple definition, maybe of a logical character, and with good closure and decidability properties. The main topic of this paper is to survey several proposals for such classes.

Counting without actually counting. The motivation of "understanding regularity" also limits the scope of logics studied in this paper. We would like the languages to resemble "regular" languages in some way. For example, for languages of $\omega$-words, at the very least we require every language $L \subseteq A^\omega$ to have finitely many equivalence classes for the Myhill-Nerode equivalence relation on finite words $w, v \in A^*$ defined by
$$w \sim_L v \quad\text{if}\quad \forall u \in A^\omega\; (wu \in L \iff vu \in L).$$
Such a restriction means that any counting can only be done in some asymptotic way. This excludes all sorts of boundedness questions where precise counting is involved, e.g. the rich body of literature on boundedness for vector addition systems.

1. AUTOMATA WITH COUNTERS

To the author's knowledge, the first deeper study of boundedness in automata and logic was in the context of the star height problem. We begin our story with these automata.

1.1. Automata for star height

Distance automata. A distance automaton is the same as a nondeterministic automaton over finite words, except that it has a distinguished subset of transitions, which are assumed to be "costly". Another view on distance automata, which will be used in this paper, is that a distance automaton is a very restricted kind of counter automaton, which has a single counter that is incremented whenever a costly transition is encountered. Yet another view on distance automata is that they are the same thing as a weighted automaton in the min-plus semiring, also known as the tropical semiring. The main problem studied for distance automata is the following boundedness problem: given a distance automaton, decide if there is some $k \in \mathbb{N}$ such that every input word in the language of the automaton admits some accepting run that uses at most $k$ costly transitions. This boundedness problem was first intensively studied in connection with the star height problem from formal language theory. In [Hashiguchi 1988], it was shown that for every regular language $L$ and number $n \in \mathbb{N}$, one can compute a distance automaton such that the distance automaton is bounded if and only if the regular language can be defined by a regular expression which nests the Kleene star at most $n$ times. In other words, the star height problem reduces to boundedness of distance automata. Hashiguchi's reduction was extremely challenging.

Nested distance desert automata. A second decidability argument for the star height problem was given in [Kirsten 2005]. Like Hashiguchi, Kirsten also reduces the star height problem to a boundedness problem, but the reduction is much simpler at the cost of a slightly harder boundedness problem (and therefore, the whole proof is much simpler). The slightly harder boundedness problem concerns nested distance desert automata, which are a generalisation of distance automata where several counters are allowed, and the counters can be reset. Building on the ideas of Leung and Simon, Kirsten showed that boundedness for such automata is decidable, in fact PSPACE-complete.

1.2. $\omega$B- and $\omega$S-automata

Soon after Kirsten, but independently, similar automata models appeared in [Bojańczyk and Colcombet 2006] and [Abdulla et al. 2008]. In both cases, the automata had several counters, and the questions studied concerned boundedness. In this survey, we will focus more on the former paper, because of the duality result that it contains, which is presented in Theorem 1.1, and which will be of later interest when talking about regular cost functions. The paper [Bojańczyk and Colcombet 2006] introduces two types of automata, which are called, for no good reason, $\omega$B-automata and $\omega$S-automata. Both kinds of automata have the same syntax, defined as follows (this is essentially the same syntax as for the automata used by Kirsten). There is a nondeterministic finite state automaton, with initial states but without accepting states, a finite set of counters that store natural numbers, and a function which maps each transition to a finite sequence of operations from the following toolkit:
(1) reset counter $c$ to zero;
(2) increment counter $c$;
(3) check counter $c$.
(The original paper used a slightly different model, without checks, but which has the same expressive power. The check operation was introduced in [Colcombet and Löding 2008a].) Both $\omega$B- and $\omega$S-automata are evaluated on $\omega$-words, unlike the finite words used in the automata for the star height problem. (In a single finite word, every counter is bounded by the length of the word, and therefore meaningful boundedness questions only make sense for sets of finite words.) A run of an $\omega$S-automaton is defined to be accepting if every counter is checked infinitely often, and its checked values have infinite $\liminf$. A run of an $\omega$B-automaton is defined to be accepting if every counter is checked infinitely often, and its checked values are bounded (i.e. have finite $\limsup$).

$\omega$B $\cap$ $\omega$S is Büchi. To get a feeling for the model, let us see how both kinds of automata can simulate Büchi automata, at least in the presence of nondeterminism. The simulation works already with one counter. To do this with an $\omega$B-automaton, the counter is never incremented or reset, and it is checked whenever the simulated Büchi automaton reaches an accepting state. This simulation simply uses the Büchi condition which is implicit in the semantics, where the counters are required to be checked infinitely often. To simulate a Büchi automaton with an $\omega$S-automaton, we do essentially the same thing, only we increment the counter in every step without ever resetting it, so that it has infinite $\liminf$. As shown in [Skrzypczak 2014], simulating a Büchi automaton is the only kind of thing that can be done by both $\omega$B- and $\omega$S-automata, in the following sense: a language is recognised by a nondeterministic Büchi automaton if and only if it is recognised by some nondeterministic $\omega$B-automaton and by some nondeterministic $\omega$S-automaton.

Trans-Büchi. The simulation of Büchi automata discussed above did not use the full power of the counters. Here is an example which does. The recognised language is our running example
$$\{a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots : \limsup n_i < \infty\}.$$
To recognise this language, one uses an $\omega$B-automaton that has one state and one counter; the counter is incremented when reading $a$'s and checked and reset when reading $b$'s. The example above is deterministic, but typically one uses nondeterministic automata, as is the case for the complement of the above language, which is
$$\{a,b\}^* a^\omega \;\cup\; \{a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots : \limsup n_i = \infty\}.$$
To recognise this language, one needs a nondeterministic $\omega$S-automaton. The automaton has one counter. It nondeterministically guesses if the word will have finitely many $b$'s, or if the sizes of the $a$-blocks will have infinite $\limsup$. In the first case, it uses the same trick as for simulating Büchi automata. In the second case, a subsequence of the blocks must have lengths with infinite $\liminf$, and these blocks are chosen using nondeterminism. This language is not recognised by any deterministic $\omega$S-automaton, and in fact there is no known deterministic model (with maybe more fancy acceptance conditions) that is equivalent to nondeterministic $\omega$S-automata.

Algorithmic questions. Usually the point of using automata is that algorithmic questions are easy for automata, and the proof burden is moved to showing that things can be done with automata. The $\omega$B- and $\omega$S-automata are no exception, in particular their emptiness problems are quite easy to solve. Let us show that emptiness for $\omega$B-automata is decidable. The reason is that for an $\omega$B-automaton, the following conditions are equivalent:
(1) there exists an accepting run;
(2) there exists a run where for every counter, a check appears infinitely often and infinitely many increments imply infinitely many resets.
Clearly (1) implies (2). To prove the converse implication, we observe that the property of runs mentioned in condition (2) is an $\omega$-regular property. Since nonempty $\omega$-regular languages must contain ultimately periodic words, if (2) holds, then there exists some ultimately periodic run where every counter is checked infinitely often, and infinitely many increments imply infinitely many resets. Such ultimately periodic runs have counters bounded by the length of the period. For $\omega$S-automata, a slightly more challenging but still simple argument is used, although ultimately periodic runs are no longer the relevant object.

The duality theorem. The main theorem about $\omega$B- and $\omega$S-automata is the following duality result.

THEOREM 1.1. [Bojańczyk and Colcombet 2006] For every $\omega$B-automaton one can compute an $\omega$S-automaton recognising its complement language, and vice versa.

A crucial part of the above theorem is the Factorisation Forest Theorem from [Simon 1990].

Deciding star height. As an application of the above duality theorem, let us use it to decide boundedness of distance automata. (The proof also works for the model used in Kirsten's proof, which has multiple counters.) Suppose that we want to know if a nested distance desert automaton is bounded, i.e. it has a common upper bound on the counter values needed to accept all finite words. We will solve the problem using double negation. A counterexample to boundedness is an $\omega$-word
$$w_1 \,\#\, w_2 \,\#\, w_3 \,\#\, \cdots$$
such that no finite counter size is sufficient to accept all words $w_1, w_2, \ldots$, assuming that $\#$ is some fresh symbol not in the alphabet of the original distance automaton. The set of $\omega$-words that are not counterexamples is recognised by an $\omega$B-automaton, which has essentially the same structure as the original distance automaton, except that it resets all counters whenever it sees a $\#$ separator. By Theorem 1.1, the set of counterexamples is recognised by an $\omega$S-automaton, which can be effectively computed. Therefore, boundedness, which is the lack of counterexamples, reduces to the decidable problem of testing an $\omega$S-automaton for emptiness.
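The emptiness argument for $\omega$B-automata given above, as an added example that is not code from the column or from [Bojańczyk and Colcombet 2006]: the Python below decides nonemptiness through condition (2). It looks for a reachable strongly connected set of transitions in which every counter is checked and every incremented counter is also reset; whenever some counter is incremented but never reset inside a component, its increment transitions are discarded and the search is repeated on the components of what remains, the usual recursive scheme for Streett-type conditions. The dictionary encoding of automata (a set `initial`, a list `counters`, and a `delta` list of `(source, letter, target, ops)` tuples) and the three sample automata are assumptions of this example, not notation from the column.

```python
from collections import defaultdict

# An ωB-automaton is encoded as a dict with "initial" (set of states),
# "counters" (list of counter names) and "delta", a list of transitions
# (source, letter, target, ops) with ops a tuple of (operation, counter)
# pairs, operation in {"inc", "reset", "check"}. The encoding is an
# assumption of this example, not notation from the column.

def reachable_states(aut):
    """States reachable from the initial states."""
    seen, stack = set(aut["initial"]), list(aut["initial"])
    while stack:
        state = stack.pop()
        for source, _letter, target, _ops in aut["delta"]:
            if source == state and target not in seen:
                seen.add(target)
                stack.append(target)
    return seen

def scc_edge_sets(edges):
    """Split `edges` by strongly connected component (Kosaraju); edges that
    run between two components are dropped, since no closed walk uses them."""
    succ, pred = defaultdict(list), defaultdict(list)
    for source, _letter, target, _ops in edges:
        succ[source].append(target)
        pred[target].append(source)
    nodes = set(succ) | set(pred)
    order, seen = [], set()
    def finish_order(v):
        seen.add(v)
        for w in succ[v]:
            if w not in seen:
                finish_order(w)
        order.append(v)
    for v in nodes:
        if v not in seen:
            finish_order(v)
    component = {}
    def assign(v, root):
        component[v] = root
        for w in pred[v]:
            if w not in component:
                assign(w, root)
    for v in reversed(order):
        if v not in component:
            assign(v, v)
    groups = defaultdict(list)
    for edge in edges:
        if component[edge[0]] == component[edge[2]]:
            groups[component[edge[0]]].append(edge)
    return list(groups.values())

def has_good_cycle(edges, counters):
    """Is there a closed walk through `edges` (the edges of one SCC) along
    which every counter is checked and every incremented counter is also
    reset?  A strongly connected edge set has a closed walk covering all of
    its edges, so it is good as soon as the operations it carries are; else
    the increments of never-reset counters must be avoided altogether, and
    the question recurs on the SCCs of what is left."""
    present = {(op, c) for edge in edges for op, c in edge[3]}
    if any(("check", c) not in present for c in counters):
        return False
    unreset = {c for c in counters
               if ("inc", c) in present and ("reset", c) not in present}
    if not unreset:
        return True
    remaining = [edge for edge in edges
                 if not any(op == "inc" and c in unreset for op, c in edge[3])]
    return any(has_good_cycle(part, counters) for part in scc_edge_sets(remaining))

def omega_b_nonempty(aut):
    """Decide whether the ωB-automaton accepts some ω-word, via condition (2):
    a run that checks every counter infinitely often and resets every counter
    it increments infinitely often exists iff some reachable SCC has a good
    cycle; such a run can be taken ultimately periodic, with every counter
    bounded by the length of the period."""
    reach = reachable_states(aut)
    edges = [edge for edge in aut["delta"] if edge[0] in reach]
    return any(has_good_cycle(part, aut["counters"]) for part in scc_edge_sets(edges))

# The running example: one state, one counter, incremented on a and checked and
# reset on b; accepted words have infinitely many b's and bounded a-blocks.
RUNNING = {
    "initial": {"q"}, "counters": ["c"],
    "delta": [("q", "a", "q", (("inc", "c"),)),
              ("q", "b", "q", (("check", "c"), ("reset", "c")))],
}

# Same transitions, but a second counter that is never checked: the Büchi-like
# part of the acceptance condition cannot be met, so the language is empty.
NEVER_CHECKED = dict(RUNNING, counters=["c", "d"])

# Only a's can be read and the counter is incremented (and checked) forever,
# so it is unbounded on the only run: the language is empty.
UNBOUNDED = {
    "initial": {"q"}, "counters": ["c"],
    "delta": [("q", "a", "q", (("inc", "c"), ("check", "c")))],
}

if __name__ == "__main__":
    for name, aut in [("RUNNING", RUNNING), ("NEVER_CHECKED", NEVER_CHECKED),
                      ("UNBOUNDED", UNBOUNDED)]:
        print(name, "nonempty" if omega_b_nonempty(aut) else "empty")
```

Running the file prints which of the three samples is nonempty. `omega_b_nonempty` returns only a Boolean; the ultimately periodic witness, which the argument above shows exists whenever the answer is positive, can be read off the good component it finds, but is not constructed here.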

2. COST FUNCTIONS

A problem with $\omega$B- and $\omega$S-automata is that they define two classes of languages, which albeit dual, are not the same. A solution to this, called cost functions, was proposed by Thomas Colcombet in [Colcombet 2009].

Beyond yes and no. In cost functions, the automata produce numbers instead of accepting or rejecting an input. (One does feel some influence of the evil one, see Matthew 5:37.) On its own, the idea of producing numbers alone is not new. It dates back at least to weighted automata [Schützenberger 1961]. It was also mentioned in our discussion of distance automata, since the semantics of a distance automaton $\mathcal{A}$ over input alphabet $\Sigma$ can be viewed as a function
$$[[\mathcal{A}]] : \Sigma^* \to \mathbb{N} \cup \{\infty\},$$
which maps an input word to the minimum, ranging over accepting runs, of the number of costly transitions used by the run, with $\infty$ used for words that do not have any accepting runs. The new idea of Colcombet was to consider only the asymptotic behaviour of these number-valued functions.

Undecidability. With automata that produce numbers, it is easy to run against undecidability. For example, as shown in [Krob 1992], it is undecidable whether or not two given distance automata define the same function from words to numbers. To escape this undecidability, Colcombet proposes to consider functions only with respect to their asymptotic behaviour, in the following sense. Consider two functions $f, g : X \to \mathbb{N} \cup \{\infty\}$. In the current discussion, $X$ is the set of all finite words over a given alphabet, but it may very well be other things, like infinite trees. We say that $g$ dominates $f$ if for every subset $Y \subseteq X$ of arguments, boundedness of $g$ on $Y$ implies boundedness of $f$ on $Y$. Call functions domination equivalent if they dominate each other. For example, a function is bounded if and only if it is dominated by, and therefore domination equivalent to, the constant zero function. As it turns out, the undecidability proof of Krob relies on keeping track of exact values produced by distance automata, and no longer works when functions are considered only up to domination equivalence. In [Colcombet 2009] it is shown that all the undecidability problems go away when considering functions up to domination equivalence, in particular the domination ordering is decidable for distance automata, and even Kirsten's nested distance desert automata. Actually, Colcombet does more than this: he proves that there is a class of functions which has very robust closure properties and multiple characterisations when considered up to domination equivalence. These functions are called regular cost functions, and are described below in some more detail.

B- and S-automata. One definition of regular cost functions is via an automaton model. There are actually two models, called B- and S-automata. These have the same syntax, which is also the same as the syntax for $\omega$B- and $\omega$S-automata. There is only one difference in the syntax: in the B- and S-automata, as opposed to the $\omega$B- and $\omega$S-automata, there is also a distinguished set of accepting states. The semantics are defined as follows. The automata input finite words and output numbers in $\mathbb{N} \cup \{\infty\}$. For a B-automaton $\mathcal{A}$, the value for an input word $w$ is defined by
$$[[\mathcal{A}]](w) = \min_{\rho} \max_{n} n,$$
where $\rho$ ranges over runs on $w$ that begin in an initial state and end in an accepting state, while $n$ ranges over the values checked by $\rho$, regardless of the counter. For an S-automaton, the value for an input word is
$$[[\mathcal{A}]](w) = \max_{\rho} \min_{n} n,$$
with $\rho$ and $n$ having the same ranges as in the B case.

Duality. The main result about B- and S-automata is the following beautiful and deep duality theorem.

THEOREM 2.1. [Colcombet 2009] For every B-automaton one can compute a domination equivalent S-automaton and vice versa.

The concepts used when proving the above theorem are similar to those in Theorem 1.1. However, Theorem 2.1 seems to be a more fundamental result, e.g. a good way to prove Theorem 1.1 is to deduce it from Theorem 2.1.

Regular cost functions. Define a regular cost function to be a function defined by a B-automaton, modulo domination equivalence. By Theorem 2.1, when defining regular cost functions, we could have also used S-automata. The equivalence of the two models is a very important result, because some things are easy for B-automata, and some things are easy for S-automata. For example, testing boundedness is difficult for B-automata (this is essentially the heart of the star height problem), while testing boundedness for S-automata is easy (one searches for a certain kind of cycle in the transition graph). Using the duality result in Theorem 2.1, one can go beyond testing boundedness and even decide the domination order on regular cost functions; the reason is that deciding whether $[[\mathcal{S}]]$ is dominated by $[[\mathcal{B}]]$ is relatively straightforward when $\mathcal{S}$ is an S-automaton and $\mathcal{B}$ is a B-automaton.

Cost MSO. Another corollary of the duality theorem is that the class of regular cost functions is closed under min (thanks to the B-automata description) and under max (thanks to the S-automata description). This suggests some kind of logic. There is indeed such a logic, and it is called cost MSO [Colcombet 2013b]. (There is also an algebraic characterisation, in terms of stabilisation semigroups, but we omit it here.) The syntax of cost MSO is the same as for MSO, except that one can also use a predicate "$X$ is small". The additional predicate "$X$ is small" is second-order in the sense that $X$ is a set variable; furthermore there is a syntactic restriction that it can only be used positively. The semantics of a cost MSO formula is a function, which inputs a model and outputs the smallest $k \in \mathbb{N}$ which makes the formula true, assuming that "$X$ is small" is replaced by $|X| \le k$. The special case of $k = \infty$ is used in case no such $k$ exists. In the context of regular cost functions over finite words, we are interested in formulas of cost MSO that are evaluated over finite words, and which can access the order and labelling of the input word. For example, the formula
$$\forall X\;\; X \text{ is small}$$
maps a word to its length, while the formula
$$\forall X\,\big((\forall x\; x \in X \Rightarrow a(x)) \Rightarrow X \text{ is small}\big) \;\wedge\; \forall Y\,\big((\forall y\; y \in Y \Rightarrow b(y)) \Rightarrow Y \text{ is small}\big)$$
maps a word to the number of $a$'s or the number of $b$'s, whichever is bigger. If the alphabet is only $\{a,b\}$, then both formulas are domination equivalent. A relatively straightforward corollary of the duality result in Theorem 2.1 is that, up to domination equivalence, cost MSO has exactly the same expressive power as B-automata (and therefore also S-automata).

THEOREM 2.2. [Colcombet 2013b] For every formula of cost MSO, one can compute a domination equivalent B-automaton, and vice versa.

Beyond finite words. The robustness of cost functions for finite words is also witnessed by Schützenberger style theorems that characterise first-order fragments of cost MSO, see [Kuperberg 2011; Kuperberg and Vanden Boom 2012]. Furthermore, the concept of cost functions generalises very well beyond finite words. There are cost functions for finite trees [Colcombet and Löding 2010], $\omega$-words [Kuperberg and Vanden Boom 2012], and infinite trees, the latter being implicit already in [Colcombet and Löding 2008b]. In the case of finite trees and infinite words, duality theorems are proved, and in particular the domination order on formulas of cost MSO is decidable. For infinite trees, decidability of cost MSO is not yet known, even the special case of deciding if a formula is bounded, see [Fijalkow et al. 2015] and the references therein for a discussion of this issue. Decidability of boundedness for cost MSO on infinite trees would solve, among others, the long standing open problem of computing the parity rank for languages of infinite trees [Colcombet and Löding 2008b]. There are, however, fragments of cost MSO that are known to have decidable properties, which are mainly obtained by restricting set quantification to finite sets, see [Vanden Boom 2011; Kuperberg and Vanden Boom 2011; Blumensath et al. 2014b], and these decidable fragments can be used to compute the parity rank in restricted cases [Colcombet et al. 2013].
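As an added example (not code from the column or from Colcombet's papers), the Python below evaluates the B- and S-semantics defined earlier in this section, $\min_\rho \max_n n$ and $\max_\rho \min_n n$, by a breadth-first pass over configurations rather than by enumerating runs one at a time. It also covers the distance-automaton semantics $[[\mathcal{A}]](w)$ from the beginning of the section, since a distance automaton is a one-counter B-automaton whose costly transitions increment and then check the counter. The encoding of automata and the three sample automata are assumptions of this example; so are the edge conventions, namely that a run with no checks aggregates to $0$ under the B-semantics and to $\infty$ under the S-semantics, and that a word with no accepting run is mapped to $\infty$ by a B-automaton and to $0$ by an S-automaton.

```python
INF = float("inf")

# An automaton is a dict with:
#   "initial": set of initial states, "accepting": set of accepting states,
#   "counters": list of counter names,
#   "delta": list of (source, letter, target, ops), where ops is a tuple of
#            (operation, counter) pairs, operation in {"inc", "reset", "check"}.
# This encoding is an assumption of this example, not notation from the column.

def evaluate(aut, word, kind):
    """Value of `aut` on the finite word `word` under the B-semantics ("B":
    min over accepting runs of the max checked value) or the S-semantics
    ("S": max over accepting runs of the min checked value)."""
    if kind not in ("B", "S"):
        raise ValueError("kind must be 'B' or 'S'")
    combine = max if kind == "B" else min   # how one run aggregates its checks
    empty = 0 if kind == "B" else INF       # aggregate of a run with no checks
    counters = aut["counters"]
    # A configuration is (state, counter values, aggregate of the checks so far).
    # Because max and min are associative, configurations reached on the same
    # prefix can be kept in a set instead of enumerating runs one by one.
    configs = {(q, (0,) * len(counters), empty) for q in aut["initial"]}
    for letter in word:
        successors = set()
        for state, values, agg in configs:
            for source, label, target, ops in aut["delta"]:
                if source != state or label != letter:
                    continue
                new_values, new_agg = list(values), agg
                for op, c in ops:          # operations apply left to right
                    i = counters.index(c)
                    if op == "inc":
                        new_values[i] += 1
                    elif op == "reset":
                        new_values[i] = 0
                    elif op == "check":
                        new_agg = combine(new_agg, new_values[i])
                    else:
                        raise ValueError("unknown operation %r" % op)
                successors.add((target, tuple(new_values), new_agg))
        configs = successors
    results = [agg for state, _values, agg in configs if state in aut["accepting"]]
    if not results:                          # no accepting run at all
        return INF if kind == "B" else 0
    return min(results) if kind == "B" else max(results)

# Distance automaton counting the a's of a word over {a, b}: every a-transition
# is costly, i.e. it increments and checks the single counter.
COUNT_A = {
    "initial": {"q"}, "accepting": {"q"}, "counters": ["c"],
    "delta": [("q", "a", "q", (("inc", "c"), ("check", "c"))),
              ("q", "b", "q", ())],
}

# Deterministic B-automaton: length of the longest block of a's that is
# terminated by a b (the counter is checked and reset on every b).
B_BLOCK = {
    "initial": {"q"}, "accepting": {"q"}, "counters": ["c"],
    "delta": [("q", "a", "q", (("inc", "c"),)),
              ("q", "b", "q", (("check", "c"), ("reset", "c")))],
}

# Nondeterministic S-automaton for the same function: guess where to start
# counting inside a block, check the count on the b that ends the block, and
# accept only once that check has happened.
S_BLOCK = {
    "initial": {"skip"}, "accepting": {"done"}, "counters": ["c"],
    "delta": [("skip", "a", "skip", ()), ("skip", "b", "skip", ()),
              ("skip", "a", "count", (("inc", "c"),)),
              ("count", "a", "count", (("inc", "c"),)),
              ("count", "b", "done", (("check", "c"),)),
              ("done", "a", "done", ()), ("done", "b", "done", ())],
}

if __name__ == "__main__":
    for w in ["aabaaab", "aaa", "b", ""]:
        print(repr(w), evaluate(B_BLOCK, w, "B"), evaluate(S_BLOCK, w, "S"))
```

`B_BLOCK` and `S_BLOCK` compute the same function, the length of the longest $a$-block terminated by a $b$, one deterministically under min-max and the other by guessing the block under max-min; they agree on every word, a concrete instance of the equivalence in Theorem 2.1, which in general only promises domination equivalence rather than equality.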

2.1. Back to Boolean

For cost functions, the object that is being implicitly talked about is not a single word, but an infinite sequence of words (e.g. a witness of unboundedness or a counterexample to domination), which makes some statements and proofs more cumbersome. A solution to this difficulty was proposed in [Toruńczyk 2012]. The idea is to use profinite words. A profinite word is defined to be the "limit" of an infinite sequence of finite words, which must be convergent in some sense (every regular language must select finitely many, or co-finitely many, words in the sequence). A classical example of a profinite word is the word $a^\omega$, which is the profinite limit of the sequence
$$a^{1!},\, a^{2!},\, a^{3!},\, \ldots$$
This particular profinite word is a witness of unboundedness for the B-automaton which computes the length of the word; in general every unbounded B-automaton has a witness for unboundedness in a profinite word. In [Toruńczyk 2012], cost functions are recast as languages of profinite words, i.e. instead of mapping finite words to numbers, one maps profinite words to Boolean values. The advantage of the profinite perspective is that some results of the theory of cost functions are easier to state and prove, and one can also give additional characterisations of cost functions (as the unique languages of profinite words that satisfy certain properties, of which one is being an open set in the topology over profinite words).

Magnitude MSO. The idea to use limit objects also appears in [Colcombet 2013a]. Here, a richer limit structure is used, namely internal set theory. One can think of the difference as follows: profinite words are sequences of finite words that are convergent with respect to regular properties, while in internal set theory one considers limits of sets with respect to properties definable in set theory. Using internal set theory, Colcombet proves decidability for a logic called magnitude MSO, which is an extension of cost MSO where one can talk about several different kinds of bounds at the same time.

3. MSO+U

Let us come back to languages of $\omega$-words, as in the case of $\omega$B- and $\omega$S-automata. The main problem with these automata is that one cannot combine them. For example, taking the intersection of an $\omega$B-automaton with an $\omega$S-automaton can lead outside these two classes. An ad hoc solution is to combine both of the counter mechanisms into one (formally, counters are partitioned into B and S types, with B counters having finite $\limsup$ and S counters having infinite $\liminf$), but this combination, called $\omega$BS-automata, does not have many closure properties, e.g. it is not closed under complement, nor does it have any machine independent characterisations which would suggest that it is a fundamental model worth studying. The obvious way to get a robust class of languages is to use a logic, which by its very definition gives closure properties such as union, intersection or complementation. Of course the problem then shifts to the satisfiability algorithm. Let us now present such a logic, which is called MSO+U and which was introduced in [Bojańczyk 2004].

Definition of the logic. The logic MSO+U is obtained by taking MSO and adding an additional quantifier $U$. The name stands for Unbounded. The quantifier binds a set variable, and its semantics are defined by:
$$UX\,\varphi(X) \;\stackrel{\text{def}}{=}\; \bigwedge_{n \in \mathbb{N}} \exists X\; \big(\varphi(X) \wedge n < |X| < \infty\big).$$
The quantified formula says that property $\varphi$ is true for sets $X$ of arbitrarily large finite size. As usual with quantifiers, the property $\varphi$ might have free variables other than $X$. In the general logic, there are no restrictions on positivity of the additional quantifier. Note that over finite objects, e.g. finite words, the logic is not meaningful, because any formula $UX\,\varphi(X)$ can be simply replaced by false.

Some examples. Here, we are mainly interested in the logic MSO+U for defining properties of $\omega$-words. When defining properties of $\omega$-words, formulas have access to the order and labelling on positions. To get a feeling for MSO+U, let us define the language of $\omega$-words used in the running example:
$$\{a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots : \limsup n_i < \infty\}.$$
We first say that there are infinitely many $b$'s:
$$\forall x\, \exists y\, (y > x \wedge b(y)).$$
Then we say that one cannot find arbitrarily large blocks of $a$'s, by writing $\neg UX\, \varphi(X)$, where $\varphi$ says that $X$ is an interval that contains only positions with label $a$, i.e.
$$\forall x\,(x \in X \Rightarrow a(x)) \;\wedge\; \forall x\,\forall y\,\forall z\,(x < y < z \wedge x \in X \wedge z \in X \Rightarrow y \in X).$$

Consider now the language
$$\{a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots : \liminf n_i = \infty\},$$
which can be recognised by an $\omega$S-automaton as defined in Section 1.2. To define this language, one uses the observation that a sequence of natural numbers has infinite $\liminf$ if and only if one cannot choose an infinite subsequence with finite $\limsup$. This can be expressed using set quantification: for every infinite set $X$ of $a$'s, the blocks of $a$'s that intersect $X$ have unbounded size. As a final example, which can be defined by neither an $\omega$B- nor an $\omega$S-automaton, consider the set of $\omega$-words $a^{n_1} b\, a^{n_2} b \cdots$ such that the sequence $n_i$ has infinitely many numbers appearing infinitely often. To define this language, we observe that a sequence does not have infinitely many numbers appearing infinitely often if and only if it can be split into two infinite subsequences, one with finite $\limsup$ and the other with infinite $\liminf$. The latter property can be expressed in MSO+U. One can come up with even fancier properties. For example, in [Hummel and Skrzypczak 2012] it is shown that MSO+U can define languages of $\omega$-words which do not belong to the Borel hierarchy from descriptive set theory. For comparison, the Borel hierarchy contains all of the above examples, as it does any language recognised by $\omega$B- and $\omega$S-automata.

Undecidability. Languages definable in MSO+U are a robust class by definition, e.g. the class is closed under Boolean operations and projections (an operation corresponding to existential set quantification). The logic also generalises most known formalisms for describing boundedness, including ωB- and ωS-automata, as well as other models to be described later in this paper. The problem is that satisfiability is undecidable, as shown in an unpublished manuscript [Bojańczyk et al. 2015].

THEOREM 3.1. The MSO+U theory of (ℕ, <) is undecidable.

The theorem says that there is no algorithm that inputs a sentence of MSO+U over a vocabulary containing only the order relation <, and which says whether or not this sentence is true in the natural numbers. The natural numbers can be seen as a special case of an ω-word over a one-letter alphabet where there is no need to use the label predicate. Therefore, another way of stating the theorem is that MSO+U satisfiability is undecidable over ω-words; this is because a sentence of MSO+U can use existential set quantification to guess a labelling in an ω-word. Theorem 3.1 improves on a previous undecidability result from [Bojańczyk et al. 2014], which used the infinite binary tree $(\{0,1\}^*, \leq)$ and had its statement weakened in the following strange way: there exist models of set theory where the MSO+U theory of the infinite binary tree is undecidable.

Beyond MSO+U. The undecidability result from Theorem 3.1 transfers to two other logics, called quantitative counting MSO and asymptotic MSO. Consider first quantitative counting MSO from [Kaiser et al. 2015]. The difference with respect to MSO is that subformulas are evaluated to numbers in $\mathbb{N} \cup \{\infty\}$. The connectives ∨ and ∧ are interpreted as max and min, while the quantifiers ∃ and ∀ are interpreted as suprema and infima over the quantified domains. One can write atomic formulas of the form $|X|$, which evaluate to the size of the set. The standard predicates, like x

weight function that maps positions to natural numbers. There are three kinds of variables, each of which can be universally or existentially quantified, corresponding to: positions, sets of positions, and weights. The first two kinds are as usual in MSO, while a weight variable ranges over natural numbers (but the numbers for positions and the numbers for weights should not be confused). One can compare positions for the order, and one can ask if a position x has weight at least / at most r, with r being a weight variable. To give the logic an asymptotic character and avoid the obvious undecidability proofs, there is a restriction: if a weight k is quantified existentially, then one can only write "position x has weight at most k" (assuming that negation is pushed to the leaves), and if k is quantified universally, then one can only write "position x has weight at least k". A corollary of this restriction is that if all the weights in a weighted ω-word are incremented (or squared, or any other domination-equivalent modification), then the truth value of the formula remains the same. In [Blumensath et al. 2014a] it is shown that over ω-words, the satisfiability problems for MSO+U and asymptotic MSO reduce to each other, and therefore both are undecidable.

The optimistic perspective on the undecidability result is that one should simply search for decidable fragments. In the following section, we will do this for MSO+U. An advantage of the quantitative counting and asymptotic variants of MSO, as compared to MSO+U, is that they have a richer syntax and semantics, which might make it easier to search for interesting decidable fragments. One example fragment is the weak fragment of asymptotic MSO, whose decidability is an open problem.

4. WEAK LOGICS

The reason for undecidability of MSO+U is the interaction of the U quantifier with quantification over infinite sets. Therefore, it is natural to consider the weak fragment of the logic, where set quantification is allowed only over finite sets. Define WMSO+U to be the logic with the same syntax as MSO+U, but with the semantics altered so that ∃X and ∀X quantify over finite sets.

Over ω-words and without the quantifier U, the weak version of MSO has the same expressive power as MSO. The left-to-right inclusion is because one can express the property "X is a finite set" in MSO, while the right-to-left inclusion is a corollary of McNaughton's determinisation theorem. In the presence of the quantifier U, this equivalence no longer holds, i.e. WMSO+U ⊊ MSO+U holds for languages of ω-words. One argument for the inequality uses descriptive set theory. The left side is contained in the Borel hierarchy, because all quantifiers range over countable objects. The right side can define non-Borel sets, as mentioned before. Actually, as will follow from an automata characterisation of WMSO+U given below, languages definable in WMSO+U are Boolean combinations of sets on the second level of the Borel hierarchy. In particular, even the language

$$\{\, a^{n_1} b\, a^{n_2} b\, a^{n_3} b \cdots \;:\; \liminf_i n_i = \infty \,\}$$

is not definable in WMSO+U, because it is complete for level $\Pi_3$ of the Borel hierarchy. A more in-depth discussion of the topological complexity of languages definable in the logics WMSO+U and MSO+U is in [Cabessa et al. 2009; Hummel and Skrzypczak 2012].

Decidability. As shown in [Bojańczyk 2011], restricting MSO+U to its weak fragment allows one to recover decidability.

THEOREM 4.1. The following problem is decidable: given a formula of WMSO+U, decide if it is true in some ω-word.

Stated differently, the natural numbers (ℕ, ≤) have a decidable theory for existential WMSO+U, where "existential" means that one can equip WMSO+U formulas with a prefix of existential quantifiers ranging over infinite sets (standing for the labelling in the ω-word). An alternative approach to decidability of WMSO+U, using the composition method from logic, is given in [Ganzow and Kaiser 2010]. This alternative method works for the WMSO+U theory of (ℕ, ≤), without the existential prefix.

The proof of Theorem 4.1 uses the automata method, i.e. the logic is shown equivalent to a certain kind of automata, and these automata have decidable emptiness. The automaton model is called max-automata. A max-automaton has several counters storing natural numbers, and these counters can be manipulated using the following operations:

— increment counter c;
— reset counter c;
— set counter c to the maximum of counters d, e.

The reset operation is actually redundant, since it can be simulated by the third operation, with d, e being some counter that has value zero throughout the run because it is never incremented. (If the automaton is equipped with ω-regular lookahead, then the maximum operation can also be eliminated, but then reset is no longer redundant.) The acceptance condition of the automaton is a Boolean combination of statements of the form "counter c is bounded throughout the run". As shown in [Bojańczyk 2011], deterministic max-automata have effectively the same expressive power as WMSO+U, and therefore satisfiability of the logic reduces to emptiness for the automaton. Emptiness for max-automata can be decided without much difficulty, by searching for certain kinds of cycles in the transition graph. An alternative emptiness algorithm is this: using the duality result from Theorem 1.1, one can show that deterministic (even nondeterministic) max-automata can be effectively converted into ωBS-automata, and the latter have decidable emptiness. The automata method also works for other weak variants of MSO+U, e.g. a logic called WMSO+R which corresponds to a dual variant of max-automata where min is used instead of max, see [Bojańczyk and Toruńczyk 2009].

Beyond ω-words. Theorem 4.1 can be extended to infinite trees [Bojańczyk and Toruńczyk 2012], even after extending the logic with quantification over infinite paths in the tree [Bojańczyk 2014]. All of these results use the automata method. What is peculiar about both of the tree results is that the challenging part is not the translation from logic to automata, but the emptiness procedure for the automata, which uses profinite methods.
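The max-automaton model described above, as an added illustration that is not part of the original column: a small Python simulator for a deterministic max-automaton recognising the running example, the words $a^{n_1} b\, a^{n_2} b \cdots$ with $\limsup_i n_i < \infty$. The counter names (cur, best, zero), the two transition tables, the helper names and the sample sequences are my own choices, not notation from the paper. An infinite run cannot be executed, so the simulator only traces a finite prefix: it shows how the counters and the max operation encode "limsup is finite" (the counter best must stay bounded throughout the run) and why reset can be replaced by a max over a counter that is never incremented; it is not a decision procedure for membership or emptiness, which works on the transition graph rather than on runs.

```python
from typing import Callable, Dict, Iterator, List, Tuple

# Counter operations of a max-automaton, exactly the three from the text.
Op = Tuple[str, ...]               # ("inc", c) | ("reset", c) | ("max", c, d, e)
Transitions = Dict[str, List[Op]]  # input letter -> operations performed on reading it


def apply_ops(counters: Dict[str, int], ops: List[Op]) -> None:
    """Apply one transition's counter operations, in order, in place."""
    for op in ops:
        if op[0] == "inc":
            counters[op[1]] += 1
        elif op[0] == "reset":
            counters[op[1]] = 0
        elif op[0] == "max":
            _, c, d, e = op
            counters[c] = max(counters[d], counters[e])
        else:
            raise ValueError(f"unknown counter operation {op!r}")


# Automaton for the running example; a single control state suffices, so the
# transition table is indexed by the input letter alone (my own encoding).
#   cur  = length of the a-block currently being read
#   best = largest finished block so far; acceptance = "best is bounded"
WITH_RESET: Transitions = {
    "a": [("inc", "cur")],
    "b": [("max", "best", "best", "cur"), ("reset", "cur")],
}

# The same automaton with reset eliminated: 'zero' is never incremented, so it
# is 0 throughout the run and cur := max(zero, zero) behaves as a reset.
WITHOUT_RESET: Transitions = {
    "a": [("inc", "cur")],
    "b": [("max", "best", "best", "cur"), ("max", "cur", "zero", "zero")],
}


def block_word(n_of: Callable[[int], int]) -> Iterator[str]:
    """Letters of the omega-word a^{n_1} b a^{n_2} b ... with n_i = n_of(i), i >= 1."""
    i = 1
    while True:
        yield from "a" * n_of(i)
        yield "b"
        i += 1


def best_after_blocks(n_of: Callable[[int], int], k: int,
                      transitions: Transitions = WITHOUT_RESET) -> List[int]:
    """Value of the counter 'best' after each of the first k blocks of the run.

    A growing trajectory is evidence (on this prefix) that 'best' is unbounded,
    i.e. that the word violates limsup n_i < oo; a trajectory that stabilises is
    consistent with acceptance but, on a finite prefix, cannot confirm it.
    """
    if k <= 0:
        return []
    counters = {"cur": 0, "best": 0, "zero": 0}
    trajectory: List[int] = []
    for letter in block_word(n_of):
        apply_ops(counters, transitions[letter])
        if letter == "b":
            trajectory.append(counters["best"])
            if len(trajectory) == k:
                return trajectory
    return trajectory  # not reached: block_word is infinite


if __name__ == "__main__":
    # Constructed sample sequences (not from the paper):
    # n_i = i       -> best grows without bound, the word is outside the language
    print("n_i = i      :", best_after_blocks(lambda i: i, 8))
    # n_i = i mod 3 -> best never exceeds 2, consistent with limsup n_i < oo
    print("n_i = i mod 3:", best_after_blocks(lambda i: i % 3, 8))
    # reset and max-with-zero encodings produce identical runs
    print("same runs    :", best_after_blocks(lambda i: i, 8, WITH_RESET)
          == best_after_blocks(lambda i: i, 8, WITHOUT_RESET))
```

The lim inf language from the text cannot be handled this way: a max-automaton can only record maxima, and the text's point is precisely that "every block is eventually large" lies outside WMSO+U and hence outside what such counters can express.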

5. CONCLUDING REMARKS

My personal belief is that the study of boundedness, in the context of logic and games, is not over. There is a lot of space between the decidability and undecidability results. This space is occupied by logics which can be used to solve important open problems, such as computing the parity index of automata on infinite trees.

References

Parosh Aziz Abdulla, Pavel Krčál, and Wang Yi. 2008. R-Automata. In CONCUR 2008 - Concurrency Theory, 19th International Conference, CONCUR 2008, Toronto, Canada, August 19-22, 2008. Proceedings. 67–81.
Benjamin Aminof, Sasha Rubin, Florian Zuleger, and Francesco Spegni. 2015. Liveness of Parameterized Timed Networks. In Automata, Languages, and Programming - 42nd International Colloquium, ICALP 2015, Kyoto, Japan, July 6-10, 2015, Proceedings, Part II. 375–387.
Vince Bárány and Mikołaj Bojańczyk. 2012. Finite satisfiability for guarded fixpoint logic. Inf. Process. Lett. 112, 10 (2012), 371–375.
Vince Bárány, Balder ten Cate, and Luc Segoufin. 2015. Guarded Negation. J. ACM 62, 3 (2015), 22.
Roderick Bloem, Krishnendu Chatterjee, Thomas A. Henzinger, and Barbara Jobstmann. 2009. Better Quality in Synthesis through Quantitative Objectives. In Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings. 140–156.
Achim Blumensath, Olivier Carton, and Thomas Colcombet. 2014a. Asymptotic Monadic Second-Order Logic. In Mathematical Foundations of Computer Science 2014 - 39th International Symposium, MFCS 2014, Budapest, Hungary, August 25-29, 2014. Proceedings, Part I. 87–98.
Achim Blumensath, Thomas Colcombet, Denis Kuperberg, Paweł Parys, and Michael Vanden Boom. 2014b. Two-way cost automata and cost logics over infinite trees. In Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS '14, Vienna, Austria, July 14 - 18, 2014. 16:1–16:9.
Achim Blumensath, Martin Otto, and Mark Weyer. 2014c. Decidability Results for the Boundedness Problem. Logical Methods in Computer Science 10, 3 (2014).
Mikołaj Bojańczyk. 2002. Two-Way Alternating Automata and Finite Models. In Automata, Languages and Programming, 29th International Colloquium, ICALP 2002, Malaga, Spain, July 8-13, 2002, Proceedings. 833–844.
Mikołaj Bojańczyk. 2004. A Bounding Quantifier. In Computer Science Logic, 18th International Workshop, CSL 2004, 13th Annual Conference of the EACSL, Karpacz, Poland, September 20-24, 2004, Proceedings. 41–55.
Mikołaj Bojańczyk. 2011. Weak MSO with the Unbounding Quantifier. Theory Comput. Syst. 48, 3 (2011), 554–576.
Mikołaj Bojańczyk. 2014. Weak MSO+U with Path Quantifiers over Infinite Trees. In Automata, Languages, and Programming - 41st International Colloquium, ICALP 2014, Copenhagen, Denmark, July 8-11, 2014, Proceedings, Part II. 38–49.
Mikołaj Bojańczyk and Thomas Colcombet. 2006. Bounds in ω-Regularity. In 21st IEEE Symposium on Logic in Computer Science (LICS 2006), 12-15 August 2006, Seattle, WA, USA, Proceedings. 285–296.
Mikołaj Bojańczyk, Tomasz Gogacz, Henryk Michalewski, and Michał Skrzypczak. 2014. On the Decidability of MSO+U on Infinite Trees. In Automata, Languages, and Programming - 41st International Colloquium, ICALP 2014, Copenhagen, Denmark, July 8-11, 2014, Proceedings, Part II. 50–61.
Mikołaj Bojańczyk, Paweł Parys, and Szymon Toruńczyk. 2015. The MSO+U theory of (N, <) is undecidable. CoRR abs/1502.04578 (2015).
Mikołaj Bojańczyk and Szymon Toruńczyk. 2009. Deterministic Automata and Extensions of Weak MSO. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2009, December 15-17, 2009, IIT Kanpur, India. 73–84.
Mikołaj Bojańczyk and Szymon Toruńczyk. 2012. Weak MSO+U over infinite trees. In 29th International Symposium on Theoretical Aspects of Computer Science, STACS 2012, February 29th - March 3rd, 2012, Paris, France. 648–660.
Jérémie Cabessa, Jacques Duparc, Alessandro Facchini, and Filip Murlak. 2009. The Wadge Hierarchy of Max-Regular Languages. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2009, December 15-17, 2009, IIT Kanpur, India. 121–132.
Claudia Carapelle, Alexander Kartzow, and Markus Lohrey. 2013. Satisfiability of CTL* with Constraints. In CONCUR 2013 - Concurrency Theory - 24th International Conference, CONCUR 2013, Buenos Aires, Argentina, August 27-30, 2013. Proceedings. 455–469. DOI: http://dx.doi.org/10.1007/978-3-642-40184-8_32
Krishnendu Chatterjee, Thomas A. Henzinger, and Florian Horn. 2009. Finitary winning in omega-regular games. ACM Trans. Comput. Log. 11, 1 (2009).
Thomas Colcombet. 2009. The Theory of Stabilisation Monoids and Regular Cost Functions. In Automata, Languages and Programming, 36th International Colloquium, ICALP 2009, Rhodes, Greece, July 5-12, 2009, Proceedings, Part II. 139–150.
Thomas Colcombet. 2013a. Magnitude Monadic Logic over Words and the Use of Relative Internal Set Theory. In 28th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2013, New Orleans, LA, USA, June 25-28, 2013. 123.
Thomas Colcombet. 2013b. Regular Cost Functions, Part I: Logic and Algebra over Words. Logical Methods in Computer Science 9, 3 (2013).
Thomas Colcombet, Denis Kuperberg, Christof Löding, and Michael Vanden Boom. 2013. Deciding the weak definability of Büchi definable tree languages. In Computer Science Logic 2013 (CSL 2013), CSL 2013, September 2-5, 2013, Torino, Italy. 215–230.
Thomas Colcombet and Christof Löding. 2008a. The Nesting-Depth of Disjunctive µ-Calculus for Tree Languages and the Limitedness Problem. In Computer Science Logic, 22nd International Workshop, CSL 2008, 17th Annual Conference of the EACSL, Bertinoro, Italy, September 16-19, 2008. Proceedings. 416–430.
Thomas Colcombet and Christof Löding. 2008b. The Non-deterministic Mostowski Hierarchy and Distance-Parity Automata. In Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Foundations. 398–409.
Thomas Colcombet and Christof Löding. 2010. Regular Cost Functions over Finite Trees. In Proceedings of the 25th Annual IEEE Symposium on Logic in Computer Science, LICS 2010, 11-14 July 2010, Edinburgh, United Kingdom. 70–79.
Nathanaël Fijalkow, Florian Horn, Denis Kuperberg, and Michał Skrzypczak. 2015. Trading Bounds for Memory in Games with Counters. In Automata, Languages, and Programming - 42nd International Colloquium, ICALP 2015, Kyoto, Japan, July 6-10, 2015, Proceedings, Part II. 197–208.
Nathanaël Fijalkow and Martin Zimmermann. 2014. Cost-Parity and Cost-Streett Games. Logical Methods in Computer Science 10, 2 (2014).
Tobias Ganzow and Łukasz Kaiser. 2010. New Algorithm for Weak Monadic Second-Order Logic on Inductive Structures. In Computer Science Logic, 24th International Workshop, CSL 2010, 19th Annual Conference of the EACSL, Brno, Czech Republic, August 23-27, 2010. Proceedings. 366–380.
Kosaburo Hashiguchi. 1988. Algorithms for Determining Relative Star Height and Star Height. Inf. Comput. 78, 2 (1988), 124–169.
Szczepan Hummel and Michał Skrzypczak. 2012. The Topological Complexity of MSO+U and Related Automata Models. Fundam. Inform. 119, 1 (2012), 87–111.
Łukasz Kaiser, Martin Lang, Simon Leßenich, and Christof Löding. 2015. A Unified Approach to Boundedness Properties in MSO. In 24th EACSL Annual Conference on Computer Science Logic, CSL 2015, September 7-10, 2015, Berlin, Germany. 441–456.
Daniel Kirsten. 2005. Distance desert automata and the star height problem. ITA 39, 3 (2005), 455–509.
Daniel Krob. 1992. The Equality Problem for Rational Series with Multiplicities in the Tropical Semiring is Undecidable. In Automata, Languages and Programming, 19th International Colloquium, ICALP92, Vienna, Austria, July 13-17, 1992, Proceedings. 101–112.
Denis Kuperberg. 2011. Linear temporal logic for regular cost functions. In 28th International Symposium on Theoretical Aspects of Computer Science, STACS 2011, March 10-12, 2011, Dortmund, Germany. 627–636.
Denis Kuperberg and Michael Vanden Boom. 2011. Quasi-Weak Cost Automata: A New Variant of Weakness. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2011, December 12-14, 2011, Mumbai, India. 66–77.
Denis Kuperberg and Michael Vanden Boom. 2012. On the Expressive Power of Cost Logics over Infinite Words. In Automata, Languages, and Programming - 39th International Colloquium, ICALP 2012, Warwick, UK, July 9-13, 2012, Proceedings, Part II. 287–298.
Orna Kupferman, Nir Piterman, and Moshe Y. Vardi. 2009. From liveness to promptness. Formal Methods in System Design 34, 2 (2009), 83–103.
Marcel Paul Schützenberger. 1961. On the Definition of a Family of Automata. Information and Control 4, 2-3 (1961), 245–270.
Imre Simon. 1990. Factorization Forests of Finite Height. Theor. Comput. Sci. 72, 1 (1990), 65–94. DOI: http://dx.doi.org/10.1016/0304-3975(90)90047-L
Michał Skrzypczak. 2014. Separation Property for ωB- and ωS-regular Languages. Logical Methods in Computer Science 10, 1 (2014).
Szymon Toruńczyk. 2012. Languages of Profinite Words and the Limitedness Problem. In Automata, Languages, and Programming - 39th International Colloquium, ICALP 2012, Warwick, UK, July 9-13, 2012, Proceedings, Part II. 377–389. DOI: http://dx.doi.org/10.1007/978-3-642-31585-5_35
Michael Vanden Boom. 2011. Weak Cost Monadic Logic over Infinite Trees. In Mathematical Foundations of Computer Science 2011 - 36th International Symposium, MFCS 2011, Warsaw, Poland, August 22-26, 2011. Proceedings. 580–591.


VERIFICATION COLUMN

NEHA RUNGTA, SGT Inc./NASA Ames Research Center

The technical column on verification presents an invited contribution by Darren Cofer (Rockwell Collins Advanced Technology Center) titled "You Keep Using That Word" in this issue of the SIGLOG newsletter. The "Word" refers to certification of software for commercial aircraft. Papers on formal methods and other software verification techniques often use the need to verify safety-critical software as motivation for the work. The certifying authority in the US for commercial aircraft software is the Federal Aviation Administration (FAA), which has recently accepted DO-178C, titled Software Considerations in Airborne Systems and Equipment Certification, as a means of compliance for certifying avionics software. The article provides an overview of the DO-178C document and the accompanying Formal Methods Supplement DO-333, which lay out the conditions under which tools based on formal methods can be leveraged to certify avionics software. This article provides an introduction to these documents for the formal methods audience, which I believe to be extremely timely.

I thank Darren Cofer for writing the article.

You Keep Using That Word

Darren Cofer, Rockwell Collins Advanced Technology Center

Formal methods tools have been shown to be effective at finding defects in and verifying the correctness of safety-critical systems such as avionics systems. The recent release of DO-178C and the accompanying Formal Methods Supplement DO-333 will make it easier for developers of software for commercial aircraft to obtain certification credit for the use of formal methods. However, most developers of avionics systems are unfamiliar with formal methods, and most developers of formal methods tools are unfamiliar with certification requirements and processes. This article provides a brief overview of the certification process for commercial aircraft, as well as some of the issues related to the use of formal methods tools in this context.

1. INTRODUCTION

Certification. Verification. Qualification. These are words that may appear in computer science and software publications. For example, there is active research related to certified compilers [Leroy 2006] and certifying model checkers [Dräger et al. 2010]. In these instances, the word certification is used in connection with the production of a proof certificate which may serve as evidence corroborating a specific analysis result or showing the correctness of a transformation. In other cases, certification may actually refer to a legal or regulatory process related to product acceptance or licensing by the government. Similarly, in some contexts verification is used to mean a formal proof of correctness, while in other contexts verification implies a manual code review or requirements-based testing. And qualification sounds like a straightforward concept, but has a specific technical meaning in certain contexts.

So these words can have different meanings or implications in different contexts, which is fine, until these contexts overlap. In fact, this is exactly what is happening as we work toward greater adoption of formal methods tools in the development of safety-critical embedded systems. We may soon be using a certifying model checker to satisfy certification objectives for a flight control system, so we need to be careful about our definitions. Otherwise, we run the risk of looking like Vizzini in The Princess Bride [IMDB 1987], who repeatedly exclaims "Inconceivable!" until Inigo Montoya finally replies "You keep using that word. I do not think it means what you think it means."

There are a number of issues to be addressed before formal verification tools can be fully integrated into the design process for safety-critical systems. For example, most developers of avionics systems are unfamiliar with which formal methods tools are most appropriate for different problem domains. Different levels of expertise are necessary to use these tools effectively and correctly. Evidence must be provided of a formal method's soundness, a concept that is not well understood by most practicing engineers. Similarly, most developers of formal methods tools are unfamiliar with certification requirements and processes. DO-178C [RTCA 2011a] requires that a tool used to meet its objectives must be qualified in accordance with the tool qualification document DO-330 [RTCA 2011b]. The qualification of formal verification tools will likely pose unique challenges.

Fig. 1. Certification! I do not think it means what you think it means.

This article provides an overview of the concepts of certification, verification, and qualification, and how they relate to the use of formal methods tools. As a practical matter, we will focus on the civil aviation domain since there are published standards addressing the use of formal methods in the certification process. Similar notions of certification, software verification, and tool qualification are also found in the railway, nuclear, and medical device domains. Much of the certification material that follows is adapted from [?]. Additional information on formal methods and certification in commercial aircraft can be found on our research group's web site, Loonwerks.com.

2. CERTIFICATION

Certification is defined in DO-178C as legal recognition by the relevant certification authority that a product, service, organization, or person complies with its requirements. In the context of commercial aircraft, the relevant certification authority is the FAA in the U.S. or EASA in Europe. The requirements referred to are the government regulations regarding the airworthiness of aircraft operating in the National Airspace System (NAS). In practice, certification consists primarily of convincing representatives of a government agency that all required steps have been taken to ensure the safety, reliability, and integrity of the aircraft.

Type certification refers to approval of the aircraft design. Each aircraft manufactured is also individually certified to comply with its certified type design. Note that software itself is not certified in isolation, but only as part of an aircraft.

Certification differs from verification in that it focuses on evidence provided to a third party to demonstrate that the required activities were performed completely and correctly, rather than on performance of the activities themselves. Also note that certification connects a product or design to legal requirements for its safety. Therefore, it is possible for a design to be safe but not certifiable. For example, the certification authority may for some reason not be convinced of the adequacy of the evidence provided.

2.1. Airworthiness Requirements

In the U.S., the legal requirements for aircraft operating in the NAS are defined in the Code of Federal Regulations, Title 14 (14CFR), Aeronautics and Space. The purpose of certification is to ensure that these legal requirements have been met.

Airworthiness standards for transport class aircraft are specified in Part 25 and standards for smaller aircraft are specified in Part 23. Parts 27 and 29 apply to rotorcraft and Part 33 to engines. Part 25 covers topics including Flight, Structure, Design and Construction, Powerplant, Equipment, Operating Limitations, and Electrical Wiring. Some of the requirements are quite detailed. For example, Subpart B (Flight) provides formulas and a detailed procedure for computing reference stall speed. It also provides requirements for controllability, trim conditions, and stability. Subpart D (Design and Construction) includes requirements for Control Systems related to stability augmentation, trim systems, and limit load static tests. Some requirements cover items that no longer apply to modern aircraft (cables and pulleys).

2.2. Certification Process

The stakeholders in the civil aviation domain (FAA, airframers, equipment manufacturers) have developed a collection of documents defining a certification process which has been accepted as the standard means to comply with federal regulations. The process includes system development, safety assessment, and design assurance. These documents and their relationships are shown in Figure 2.

Fig. 2. Relationship among key documents in the certification process

The intended function, or requirements, for a new aircraft are the starting point for the process. These requirements are the basis for the aircraft system design that is produced in accordance with ARP4754A [SAE 2010], the guidelines for the system development process. The system design, along with the aircraft requirements and its operating context, is used to conduct a safety assessment in accordance with ARP4761 [SAE 1996]. The safety assessment determines, among other things, the criticality of system components as they contribute to the safety of the overall system. The system development process allocates functions and requirements to hardware and software components in

the system, along with their assigned criticality from the safety assessment process. This information is used to develop the individual components and functions. The design assurance documents DO-178C (for software), DO-254 (for programmable hardware), and DO-297 (for integrated modular avionics) provide guidance for ensuring that these components satisfy the requirements that come from the system development process.

2.3. Safety Assessment

Safety assessment is performed in accordance with ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. This document describes guidelines and methods for performing the safety assessment for certification of civil aircraft and is a means of showing compliance with the safety requirements of 14CFR. These requirements are hidden in Subpart F (Equipment) section 25.1309 with the unlikely title "Equipment, systems, and installations."

This section states that the equipment, systems, and installations required in an aircraft must be designed to ensure that they perform their intended functions under any foreseeable operating condition. The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that:

— The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
— The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.

The section goes on to state that warning information must be provided to alert the crew to unsafe system operating conditions, and that systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards. Compliance must be shown by analysis or testing that considers possible modes of failure (including malfunctions and damage from external sources), the probability of multiple failures and undetected failures, the resulting effects on the airplane and occupants, and the crew warning cues, corrective action required, and the capability of detecting faults.

2.4. System Development

Aircraft system development is described in ARP4754A, Guidelines for Development of Civil Aircraft and Systems. This document discusses the development of aircraft systems, taking into account the overall aircraft operating environment and functions. This includes validation of requirements and verification of the design implementation for certification and product assurance. It provides practices for showing compliance with the regulations.

ARP4754A provides guidance for creating plans for the system development and eight integral processes which span all of the system development activities. The integral processes are safety assessment, assurance level assignment, requirements capture, requirements validation, implementation verification, configuration management, process assurance, and certification and regulatory authority coordination. The system development process allocates functionality and defines requirements for components, both hardware and software. It invokes the safety assessment process and ensures that the system design satisfies safety requirements for the aircraft. It also guides developers in allocating system requirements to hardware and software components and in determining the criticality level for those components.

3. VERIFICATION

The software assurance process makes sure that components are developed to meet their requirements without any unintended functionality. This means that the process will include activities specifically designed to provide evidence that the software does only what its requirements specify and nothing else.

For software in commercial aircraft, the relevant guidance is found in DO-178C, Software Considerations in Airborne Systems and Equipment Certification. Certification authorities in North America and Europe have agreed that an applicant (aircraft manufacturer) can use this guidance as a means of compliance with the regulations governing aircraft certification.

The original version of the document, DO-178, was approved in 1982 and consisted largely of a description of best practices for software development. It was revised in 1985 as DO-178A, adding definitions of three levels of software criticality, with development and verification processes described in more detail. DO-178B, approved in 1992, defined five levels of software criticality (A – E, with level A being the most critical) with specific objectives, activities, and evidence required for each level. The processes and objectives in the document assume a traditional development process with test-based verification.

In 2005, the publishers of DO-178 initiated work on a revision to be known as DO-178C. A committee was chartered to draft the new document, with the objectives of minimizing changes to the core document, yet updating it to accommodate approximately 15 years of progress in software engineering. Guidance specific to new software technologies was to be contained in supplements which could add, modify, or replace objectives in the core document.
New supplements were developed in the areas of object-oriented design, model-based development, and formal methods, as well as an additional document containing new guidance on tool qualification. DO-178C and its associated documents were published in 2011 and accepted by the FAA as a means of compliance in 2013.

3.1. Software Development

DO-178C does not prescribe a specific development process, but instead identifies important activities and design considerations throughout a development process and defines objectives for each of these activities. It assumes a traditional development process that can be decomposed as follows:

— Software Requirements Process. Develops High Level Requirements (HLR) from the output of the system design process.
— Software Design Process. Develops Low Level Requirements (LLR) and Software Architecture from the HLR.
— Software Coding Process. Develops source code from the Software Architecture and the LLR.
— Software Integration Process. Combines executable object code modules with the target hardware for hardware/software integration.

Each of these processes produces or updates a collection of artifacts, culminating in an integrated executable (see Figure 3).

3.2. Software Verification

The results of these processes are verified through the verification process. The verification process consists of review, analysis, and test activities that must provide evidence of the correctness of the development activities.

Fig. 3. DO-178C certification activities required for Level A code.

In general, verification has two complementary objectives. One objective is to demonstrate that the software satisfies its requirements. The second objective is to demonstrate with a high degree of confidence that errors which could lead to unacceptable failure conditions, as determined by the system safety assessment process, have been removed.

One of the foundational principles of DO-178C is requirements-based testing. This means that the verification activities are centered around explicit demonstration that each requirement has been met. A second principle is complete coverage, both of the requirements and of the code that implements them. This means that every requirement and every line of code will be examined in the verification process. Furthermore, several metrics are defined which specify the degree of structural coverage that must be obtained in the verification process, depending on the criticality of the software being verified.

A third principle is traceability among all of the artifacts produced in the development process. This means that:

— Every requirement must have one or more associated test cases. All testing must trace to a specific requirement.
— Every requirement must be traceable to code that implements it. Every line of code must be traceable to a requirement.
— Every line of code (and, in some cases, every branch and condition in the code) must be exercised by a test case.

Together, these objectives provide evidence that all requirements are correctly implemented and that no unintended function has been implemented.

Of particular interest is DO-333, the Formal Methods Supplement to DO-178C [RTCA 2011c]. DO-333 extends the guidance provided in DO-178C and describes how formal methods may be used to satisfy its certification objectives. Several case studies showing examples of how to use different formal verification tools to satisfy various certification objectives are available in [Cofer and Miller 2014]. DO-333 generally allows the testing described above to be replaced by a comparable formal analysis. However, even when formal methods are used, some on-target testing is still required.

One constraint imposed by ARP4754A (and DO-178C) is that requirements must be verifiable, which in the past has meant testable. This meant that in practice there could be no negative requirements such as those related to safety (e.g., “The system can never enter an unsafe state.”) However, with the advent of DO-333, such requirements can now be addressed analytically and may be very useful in demonstrating the safety of a complex avionics system.
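As an added illustration of the traceability and structural-coverage principles described above (example code, not from the article or from any certification toolset), the following check applies the three traceability rules to a constructed trace matrix of requirements, tests, code units and coverage records, and credits structural coverage only to tests that trace to a requirement. All identifiers in it are made up.

```python
"""Traceability and structural-coverage check in the spirit of DO-178C.

Added example; not from the article or any certification tool. All
requirement ids, test ids, code units and branch ids are constructed.
"""
from dataclasses import dataclass


@dataclass
class TraceData:
    requirements: set[str]                      # HLR/LLR identifiers
    tests: dict[str, set[str]]                  # test id -> requirements it verifies
    code: dict[str, set[str]]                   # code unit -> requirements it implements
    branches: dict[str, set[str]]               # code unit -> branch ids (empty if none)
    executed: dict[str, set[tuple[str, str]]]   # test id -> (unit, branch) pairs exercised


def requirements_based_tests(t: TraceData) -> set[str]:
    """Tests that trace to at least one known requirement; only these earn credit."""
    return {tid for tid, reqs in t.tests.items() if reqs & t.requirements}


def check_traceability(t: TraceData) -> dict[str, list[str]]:
    """Apply the traceability rules and return findings by category."""
    credited = requirements_based_tests(t)
    tested = {r for tid in credited for r in t.tests[tid]}
    implemented = {r for reqs in t.code.values() for r in reqs & t.requirements}
    return {
        # rule 1: every requirement has a test; every test traces to a requirement
        "untested_requirements": sorted(t.requirements - tested),
        "orphan_tests": sorted(set(t.tests) - credited),
        # rule 2: every requirement has code; every code unit traces to a requirement
        # (code tracing to nothing is a candidate for unintended function)
        "unimplemented_requirements": sorted(t.requirements - implemented),
        "orphan_code": sorted(c for c, reqs in t.code.items() if not reqs & t.requirements),
    }


def check_structural_coverage(t: TraceData, require_branches: bool) -> dict[str, list[str]]:
    """Rule 3: every unit (and, when required, every branch) is exercised by a
    requirements-based test. Execution by an orphan test earns no credit."""
    credited = requirements_based_tests(t)
    hit = {pair for tid in credited for pair in t.executed.get(tid, set())}
    hit_units = {unit for unit, _ in hit}
    missing_units = sorted(set(t.code) - hit_units)
    missing_branches: list[str] = []
    if require_branches:
        for unit, brs in t.branches.items():
            for b in brs:
                if (unit, b) not in hit:
                    missing_branches.append(f"{unit}:{b}")
    return {"unexercised_code": missing_units,
            "unexercised_branches": sorted(missing_branches)}


# Constructed sample: one requirement has no test and no code, one test is not
# requirements-based, one code unit traces to nothing, and one branch is only
# taken by the orphan test (so it does not count as covered).
SAMPLE = TraceData(
    requirements={"HLR-1", "HLR-2", "LLR-7"},
    tests={"TC-1": {"HLR-1"}, "TC-2": {"LLR-7"}, "TC-9": set()},
    code={"mode_select.c": {"HLR-1"}, "limiter.c": {"LLR-7"}, "debug_hook.c": set()},
    branches={"mode_select.c": {"b1", "b2"}, "limiter.c": {"b1"}, "debug_hook.c": set()},
    executed={
        "TC-1": {("mode_select.c", "b1")},
        "TC-2": {("limiter.c", "b1")},
        "TC-9": {("mode_select.c", "b2"), ("debug_hook.c", "")},  # no credit
    },
)

if __name__ == "__main__":
    for name, items in check_traceability(SAMPLE).items():
        print(f"{name}: {items}")
    for name, items in check_structural_coverage(SAMPLE, require_branches=True).items():
        print(f"{name}: {items}")
```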

4. QUALIFICATION

Tool qualification is the process by which certification credit may be claimed for the use of a software tool. Qualification is required whenever a certification process is eliminated, reduced, or automated by a software tool without its output being verified. The purpose of tool qualification is to ensure that the tool provides confidence at least equivalent to that of the process it eliminates, reduces, or automates. Tool qualification is, therefore, a significant aspect of any certification effort.

Software tools are used in development processes to automate life cycle activities that are complex and error-prone if performed by humans. The use of such tools should, in principle, be encouraged from a certification perspective to provide confidence in the correctness of the software product. Therefore, we should avoid unnecessary barriers to tool qualification which may inadvertently reduce the use of tools that would otherwise enhance software quality and confidence.

Formal methods tools have matured to the point where they are capable of analyzing software systems of practical size, and their effectiveness in finding errors has been demonstrated repeatedly [Woodcock et al. 2009], [Miller et al. 2010]. Commercial tools used in aerospace and other safety-critical domains are beginning to include formal verification capabilities. For example, MATLAB now markets both Simulink Design Verifier, a model checker, and Polyspace, an abstract interpretation tool. Esterel Technologies includes a model checker, Design Verifier, as part of their SCADE Suite toolset.

If formal verification is used to satisfy DO-178C objectives, DO-333 requires the applicant to provide evidence that the underlying method is sound, i.e., it will never prove a property to be true when it is actually false. In addition, if the formal verification is to be implemented in a software tool, the tool must be qualified in accordance with DO-330. While clearly related, the concepts of tool qualification and soundness of the underlying method were intentionally kept separate by the standards’ authors.

DO-330 defines five tool qualification levels (TQL) ranging from TQL-1 for software development tools that generate Level A source code to TQL-5 for software verification tools. The TQL is determined both by the criticality of the software the tool is being used on and the impact of the tool on the software development process. A strong distinction is made between a development tool that could potentially insert an error into the embedded software, and a verification tool that could fail to detect an error. A trusted compiler or code generator would be classified as TQL-1 through 4, depending on the criticality of the code it is used to generate. Formal verification tools are classified as TQL-4 or TQL-5.

Despite the additional guidance provided in DO-178C, DO-330, and DO-333, there are still many questions to be addressed. For one thing, most practicing engineers are unaware of how to apply different categories of formal verification tools. Even within a particular category, there are a wide variety of tools, often based on fundamentally different approaches, each with its own strengths and weaknesses. For example, an explicit state model checker operates in a fundamentally different way from an SMT (Satisfiability Modulo Theories) based model checker. Typically, a tool will be shown to meet its requirements through testing, analysis, and reviews, just as for airborne or ground-based software developed in accordance with DO-178C. However, formal verification tools differ from many tools in that they are typically “exhaustive” and cover all combinations of inputs and state. Development of the tool operational requirements and test cases for such tools may pose unique challenges.
Using a formal verification tool to meet DO-178C objectives may require more than just qualification of the tool itself. For example, it is frequently necessary to translate a software model (e.g., a Simulink model) to the input language of the verification tool. In such cases, consideration must be given as to why that translation is to be trusted. Is the translation included as part of the tool operational requirements and verified as part of the tool qualification, or are the translator and the verification tool regarded as two separate entities? Outputs of the formal verification tool often need to be translated back to a representation the system developers can understand, and similar questions apply to why this translation can be trusted. Potential user errors must be considered. Are the users allowed to introduce assumptions about the environment of the unit being checked, and if so, are these clearly identified and validated? Are there tool configuration settings or modes of operation that can cause it to generate unsound results? All ways in which use of the tool might provide false confidence need to be identified and accounted for.

At the same time, it is also important to not make the cost of qualification of formal methods tools so great as to discourage their use. While it is tempting to hold formal verification tools to a higher standard than other software tools, making their qualification unnecessarily expensive could do more harm than good.

5. CONCLUSION

Formal methods tools have the potential to ensure the quality of safety-critical systems by providing comprehensive evaluation of the behavior of complex embedded software. They have also been shown to reduce costs through the early detection and elimination of design errors. Improved communication between formal methods researchers, software developers, and certification authorities will be an important enabler in the continued adoption of formal methods in industries such as aerospace that have strong certification requirements. With a shared understanding of this context, our expectations for the use of formal methods to satisfy certification objectives are changing from “Inconceivable!” to “Of course!”

ACKNOWLEDGMENTS

Thanks to Deb Turcio at DebbieDrawsFunny.com for permission to use the drawing in Figure 1.

REFERENCES

Darren Cofer and Steven P. Miller. 2014. Formal Methods Case Studies for DO-333. Technical Report NASA/CR-2014-218244. NASA Contractor Report.
Klaus Dräger, Andrey Kupriyanov, Bernd Finkbeiner, and Heike Wehrheim. 2010. SLAB: A Certifying Model Checker for Infinite-State Concurrent Systems. In Tools and Algorithms for the Construction and Analysis of Systems, 16th International Conference, TACAS 2010, Paphos, Cyprus, March 20-28, 2010. Proceedings. 271–274.
IMDB. 1987. The Princess Bride. (1987). http://www.imdb.com/title/tt0093779/
Xavier Leroy. 2006. Formal Certification of a Compiler Back-end or: Programming a Compiler with a Proof Assistant. In Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2006, Charleston SC, USA, January 11-13, 2006. 42–54.
Steven P. Miller, Michael W. Whalen, and Darren D. Cofer. 2010. Software model checking takes off. Commun. ACM 53, 2 (2010), 58–64.
RTCA. 2011a. DO-178C, Software Considerations in Airborne Systems and Equipment Certification. (2011).
RTCA. 2011b. DO-330, Software Tool Qualification Considerations. (2011).
RTCA. 2011c. DO-333, Formal Methods Supplement to DO-178C and DO-278A. (2011).
SAE. 1996. ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. (1996).
SAE. 2010. ARP4754A, Guidelines For Development Of Civil Aircraft and Systems on Civil Airborne Systems and Equipment. (2010).
Jim Woodcock, Peter Gorm Larsen, Juan Bicarregui, and John S. Fitzgerald. 2009. Formal Methods: Practice and Experience. ACM Comput. Surv. 41, 4 (2009).


CALLS

The Gödel Prize 2016 – Call for Nominations
Deadline: January 31, 2016

The Gödel Prize for outstanding papers in the area of theoretical computer science is sponsored jointly by the European Association for Theoretical Computer Science (EATCS) and the Association for Computing Machinery, Special Interest Group on Algorithms and Computation Theory (ACM SIGACT). The award is presented annually, with the presentation taking place alternately at the International Colloquium on Automata, Languages, and Programming (ICALP) and the ACM Symposium on Theory of Computing (STOC). The 24th Gödel Prize will be awarded at the 43rd International Colloquium on Automata, Languages and Programming, 11-15 July 2016 in Rome, Italy. The Prize is named in honor of Kurt Gödel in recognition of his major contributions to mathematical logic and of his interest, discovered in a letter he wrote to John von Neumann shortly before von Neumann’s death, in what has become the famous “P versus NP” question. The Prize includes an award of USD 5,000.

Award Committee. The winner of the Prize is selected by a committee of six members. The EATCS President and the SIGACT Chair each appoint three members to the committee, to serve staggered three-year terms. The committee is chaired alternately by representatives of EATCS and SIGACT. The 2016 Award Committee consists of Moses Charikar (Stanford University), Orna Kupferman (Hebrew University), Kurt Mehlhorn (Max Planck Institute), Joseph Mitchell (State University of New York at Stony Brook), Andrew Pitts (chair, University of Cambridge) and Madhu Sudan (Harvard University).

Eligibility. The 2016 Prize rules are given below and they supersede any different interpretation of the generic rule to be found on websites of both SIGACT and EATCS. Any research paper or series of papers by a single author or by a team of authors is deemed eligible if
- the paper was published in a recognized refereed journal no later than December 31, 2015;
- the main results were not published (in either preliminary or final form) in a journal or conference proceedings before January 1st, 2003.
The research work nominated for the award should be in the area of theoretical computer science. Nominations are encouraged from the broadest spectrum of the theoretical computer science community so as to ensure that potential award winning papers are not overlooked. The Award Committee shall have the ultimate authority to decide whether a particular paper is eligible for the Prize.

Nominations. Nominations for the award should be submitted by email to the Award Committee Chair: [email protected]. Please make sure that the Subject line of all nominations and related messages begin with Goedel Prize 2016. To be considered, nominations for the 2016 Prize must be received by January 31, 2016.

Any member of the scientific community can make nominations. The Award Committee may actively solicit nominations. A nomination should contain a brief summary of the technical content of the paper(s) and a brief explanation of its significance. A printable copy of the research paper or papers should accompany the nomination. The nomination must state the date and venue of the first conference or workshop publication, or state that no such publication has occurred. The work may be in any language. However, if it is not in English, a more extended summary written in English should be enclosed.

To be considered for the award, the paper or series of papers must be recommended by at least two individuals, either in the form of distinct nominations, or one nomination including recommendations from at least two different people. Additional recommendations may also be enclosed and are generally useful. The Award Committee encourages recommendation and support letters to be mailed separately, without being necessarily shared with the nominator(s). The rest of the nomination package should be sent in a single email whenever possible. Those intending to submit a nomination should contact the Award Committee Chair by email well in advance. The Chair will answer questions about eligibility, encourage coordination among different nominators for the same paper(s), and also accept informal proposals of potential nominees or tentative offers to prepare formal nominations. The committee maintains a database of past nominations for eligible papers, but fresh nominations for the same papers (especially if they highlight new evidence of impact) are always welcome.

Selection Process. The Award Committee is free to use any other sources of information in addition to the ones mentioned above. It may split the award among multiple papers, or declare no winner at all. All matters relating to the selection process left unspecified in this document are left to the discretion of the Award Committee.

Recent Winners. (All winners since 1993 are listed at http://www.sigact.org/Prizes/Godel/)

2015: Dan Spielman and Shang-Hua Teng, Nearly-linear time algorithms for graph partitioning, graph sparsification, and solving linear systems, Proc. 36th ACM Symposium on Theory of Computing, pp. 81–90, 2004; Spectral sparsification of graphs, SIAM J. Computing 40:981–1025, 2011; A local clustering algorithm for massive graphs and its application to nearly linear time graph partitioning, SIAM J. Computing 42:1–26, 2013; Nearly linear time algorithms for preconditioning and solving symmetric, diagonally dominant linear systems, SIAM J. Matrix Anal. Appl. 35:835–885, 2014.

2014: , Amnon Lotem, and , Optimal Aggregation Algorithms for Middleware, Journal of Computer and System Sciences 66(4): 614–656, 2003.

2013: Antoine Joux, A one round protocol for tripartite Diffie-Hellman, J. Cryptology 17(4): 263–276, 2004. and Matthew K. Franklin, Identity-Based Encryption from the Weil pairing, SIAM J. Comput. 32(3): 586–615, 2003.

2012: Elias Koutsoupias and , Worst-case equilibria, Computer Science Review 3(2): 65–69, 2009. and Éva Tardos, How bad is selfish routing?, Journal of the ACM 49(2): 236–259, 2002. and Amir Ronen, Algorithmic mechanism design, Games and Economic Behavior 35(1–2): 166–196, 2001.

2011: Johan Håstad, Some optimal inapproximability results, Journal of the ACM 48: 798–859, 2001.

SIGLOG Monthly 175
October 1, 2015

*******************************************************************
* Past issues of the newsletter are available at
  http://lii.rwth-aachen.de/lics/newsletters/
* Instructions for submitting an announcement to the newsletter
  can be found at
  http://lii.rwth-aachen.de/lics/newsletters/inst.html
*******************************************************************

TABLE OF CONTENTS
* NEWS
  ACM SIGLOG Announcement
  The Godel Prize 2016 - Call for Nominations
* DEADLINES
  Forthcoming Deadlines
* CALLS
  HaPoC 2015 - Call For Participation
  CPS 2016 - Call for workshop and tutorial proposals
  PODS 2016 - Call for Papers
  ETAPS 2016 - Call for Papers
  ATVA 2015 - Call for Participation
  CMCS 2016 - Call for Papers
  FSCD’16 - Call for papers
  ABZ 2016 - Call for Papers, Answers to the case study, Workshops, Tutorials
  ISAIM 2016 - Call for Papers
  KR 2016 - Call for Papers
  COMPLEXITY 2016 - Call for Participation
* JOB ANNOUNCEMENTS

ACM SIGLOG ANNOUNCEMENT
http://siglog.acm.org
* The ACM has recently chartered a Special Interest Group on Logic and Computation (ACM SIGLOG). Its first Chair is Prakash Panangaden, the other officers are Luke Ong (vice-Chair), Natarajan Shankar (Treasurer) and Alexandra Silva (Secretary).
* The ACM-IEEE Symposium on Logic in Computer Science is the flagship conference of SIGLOG. SIGLOG will also actively seek association agreements with other conferences in the field. A SIGLOG newsletter (SIGLOG News) is also published quarterly in an electronic format with community news, technical columns, members’ feedback, conference reports, book reviews and other items of interest to the community.
* One can join SIGLOG by visiting https://campus.acm.org/public/qj/gensigqj/siglist/gensigqj_siglist.cfm It is possible to join SIGLOG without joining ACM (the SIGLOG membership fee is $25 and $15 for students).

THE GODEL PRIZE 2016 - CALL FOR NOMINATIONS http://www.sigact.org/Prizes/Godel

* Deadline: January 31, 2016
* The Godel Prize for outstanding papers in the area of theoretical computer science is sponsored jointly by the European Association for Theoretical Computer Science (EATCS) and the Association for Computing Machinery, Special Interest Group on Algorithms and Computation Theory (ACM SIGACT). The award is presented annually, with the presentation taking place alternately at the International Colloquium on Automata, Languages, and Programming (ICALP) and the ACM Symposium on Theory of Computing (STOC). The 24th Godel Prize will be awarded at the 43rd International Colloquium on Automata, Languages and Programming, 11-15 July 2016 in Rome, Italy.
* AWARD COMMITTEE
  The winner of the Prize is selected by a committee of six members. The EATCS President and the SIGACT Chair each appoint three members to the committee, to serve staggered three-year terms. The committee is chaired alternately by representatives of EATCS and SIGACT. The 2016 Award Committee consists of Moses Charikar (Stanford University), Orna Kupferman (Hebrew University), Kurt Mehlhorn (Max Planck Institute), Joseph Mitchell (State University of New York at Stony Brook), Andrew Pitts (chair, University of Cambridge) and Madhu Sudan (Harvard University).
* NOMINATIONS
  Nominations for the award should be submitted by email to the Award Committee Chair [email protected]. Please make sure that the Subject line of all nominations and related messages begin with “Goedel Prize 2016”. To be considered, nominations for the 2016 Prize must be received by January 31, 2016.

DATES
* HaPoC 2015
  Call for Participation
  Conference on October 8-11, 2015, Pisa, Italy
* CPS WEEK
  Call for workshop and tutorial proposals
  Proposal submission deadline: October 1, 2015
  April 11-14, 2016, Vienna, Austria
  http://www.cpsweek.org/2016/
* PODS 2016
  Call for Research Papers (First submission cycle)
  June 27-29, 2016, San Francisco, California, USA
  Abstract submission: October 2, 2015
  http://www.sigmod2016.org
* ETAPS 2016
  Call for papers
  Conferences: 2-8 April 2016, Eindhoven, The Netherlands
  Submission deadline for abstracts: 9 October 2015
  http://www.etaps.org/2016
* ATVA 2015
  Call for participation
  October 12-15, 2015, Shanghai, China
  http://atva2015.ios.ac.cn/
* CMCS 2016
  Call for papers
  April 2-3 2016, Eindhoven, the Netherlands
  Abstract regular papers: 4 January 2016
  Submission regular papers: 13 January 2016
  http://www.coalg.org/cmcs16
* FSCD’16
  Call for Papers
  June 22-26, 2016, Porto, Portugal
  http://fscd2016.dcc.fc.up.pt/
  Abstract submission due: 29 January 2016
* ABZ 2016
  Workshop proposal submissions: October 16, 2015
  Workshop proposal notifications: November 6, 2015
  Research paper and answers to case study submission: January 15, 2016
  Short paper submission: February 4, 2016
  Tutorial proposal submissions: February 15, 2016
  http://www.cdcc.faw.jku.at/ABZ2016/
* ISAIM 2016
  Call for Papers
  January 4-6, 2016, Fort Lauderdale FL, USA
  http://isaim2016.cs.virginia.edu
* KR 2016
  Call for papers
  Conference: Cape Town, South Africa, 25-29 April 2016
  Submission of title and abstract deadline: 21 November 2015
  http://kr.org/KR2016/
* SPECIAL SEMESTER ON COMPUTATIONAL COMPLEXITY AND PROOF COMPLEXITY 2016
  April-June 2016
  Chebyshev Laboratory at St.Petersburg State University
  Organized jointly with the Skolkovo Institute of Science and Technology.
  http://en.chebyshev.spb.ru/complexity2016

3RD INTERNATIONAL CONFERENCE ON THE HISTORY AND PHILOSOPHY OF COMPUTING (HaPoC 2015)
First Call For Participation
Conference: October 8-11, 2015, Pisa, Italy
http://hapoc2015.di.unipi.it
* AIMS
  The conference brings together researchers interested in the historical developments of computers and their sciences, as well as those reflecting on the sociological and philosophical issues springing from the rise and ubiquity of computing machines in the contemporary landscape. The conference is composed of 30 research presentations, with no parallel sessions, and 6 invited talks from renowned experts in the relevant fields. The conference will take place in Pisa, at the Museum of Computing Machinery.
* PROGRAM
  The program is now available at http://goo.gl/QVJFqv
* INVITED SPEAKERS
  Nicola Angius, Universita’ di Sassari
  Lenore Blum, Carnegie Mellon University
  David Alan Grier, IEEE & George Washington University
  Furio Honsell, Universita’ di Udine
  Pierre Mounier-Kuhn, CNRS & Universite’ Paris-Sorbonne
  Franck Varenne, Universite’ de Rouen

CYBER-PHYSICAL SYSTEMS WEEK (CPS WEEK)
Call for workshop and tutorial proposals
April 11-14, 2016, Vienna, Austria
http://www.cpsweek.org/2016/
* AIMS
  CPS Week is the premier event on Cyber-Physical Systems. It brings together four top conferences, HSCC, ICCPS, IPSN, and RTAS, 10-15 workshops, a localization competition, tutorials and various exhibitions from both industry and academia. Altogether the CPS Week program covers a multitude of complementary aspects of CPS, and reunites the leading researchers in this dynamic field. CPS Week 2016 in Vienna, Austria will host 10-15 workshops (subject to room availability) and 2-3 tutorials on Monday April 11 and is soliciting proposals for new and recurring workshops as well as for tutorials. We invite you to submit workshop proposals on any topic related to the broad set of research, education, and application areas in cyber-physical systems.
* GUIDELINES FOR WORKSHOP PROPOSALS
  Proposals should be submitted at the latest by October 1, 2015
  Detailed information available at http://www.cpsweek.org/2016/ws.html
  Notification of acceptance: October 15, 2015
* WORKSHOP AND TUTORIAL CO-CHAIRS
  Christoph Kirsch
  Ana Sokolova

35TH ACM SIGMOD-SIGACT-SIGAI SYMPOSIUM ON PRINCIPLES OF DATABASE SYSTEMS (PODS 2016)
Call for Research Papers (First submission cycle)
June 27-29, 2016, San Francisco, California, USA
http://www.sigmod2016.org
* The PODS symposium series, held in conjunction with the SIGMOD conference series, provides a premier annual forum for the communication of new advances in the theoretical foundations of data management, traditional or non-traditional (see http://www.sigmod.org/the-pods-pages). For the 35th edition, PODS continues to aim to broaden its scope, and calls for research papers providing original, substantial contributions along one or more of the following aspects:
  - deep theoretical exploration of topical areas central to data management;
  - new formal frameworks that aim at providing the basis for deeper theoretical investigation of important emerging issues in data management;
  - validation of theoretical approaches from the lens of practical applicability in data management.
* TOPICS that fit the interests of the symposium include the following:
  - design, semantics, query languages
  - data models, data structures, algorithms for data management
  - concurrency and recovery, distributed and parallel databases, cloud computing
  - model theory, logics, algebras, computational complexity
  - graph databases and (semantic) Web data
  - data mining, information extraction, search
  - data streams
  - data-centric (business) process management, workflows, web services
  - incompleteness, inconsistency, uncertainty in databases
  - data and knowledge integration and exchange, data provenance, views and data warehouses, metadata management
  - domain-specific databases (multi-media, scientific, spatial, temporal, text)
  - deductive databases
  - data privacy and security
* KEYNOTE SPEAKER
  Moshe Vardi (Rice University)
* TUTORIAL SPEAKERS
  Sara Cohen (The Hebrew University of Jerusalem)
  Frank Neven (Hasselt University)
* IMPORTANT DATES
  Dates for first submission cycle:
  - October 2, 2015, 4:59pm PST: Abstract submission
  - October 9, 2015, 4:59pm PST: Paper submission
  - December 18, 2015, 4:59pm PST: Accept/Reject/Revise notification
  - January 29, 2016, 4:59pm PST: Revised submission
  - March 4, 2016, 4:59pm PST: Accept/Reject notification
  Dates for second submission cycle:
  - November 27, 2015, 4:59pm PST: Abstract submission
  - December 4, 2015, 4:59pm PST: Paper submission
  - March 4, 2016, 4:59pm PST: Accept/Reject notification

19TH EUROPEAN JOINT CONFERENCES ON THEORY AND PRACTICE OF SOFTWARE (ETAPS 2016)
Call for papers
Eindhoven, The Netherlands, 2-8 April 2016
http://www.etaps.org/2016
* OVERVIEW
  ETAPS is the primary European forum for academic and industrial researchers working on topics relating to software science. ETAPS, established in 1998, is a confederation of five main annual conferences, accompanied by satellite workshops. ETAPS 2016 is the nineteenth event in the series.
* MAIN CONFERENCES (4-7 April)
  -- ESOP: European Symposium on Programming (PC chair Peter Thiemann, Universitat Freiburg, Germany)
  -- FASE: Fundamental Approaches to Software Engineering (PC chairs Perdita Stevens, University of Edinburgh, UK, and Andrzej Wasowski, IT University of Copenhagen, Denmark)
  -- FOSSACS: Foundations of Software Science and Computation Structures (PC chairs Bart Jacobs, Radboud Universiteit Nijmegen, The Netherlands, and Christof Loding, RWTH Aachen, Germany)
  -- POST: Principles of Security and Trust (PC chairs Frank Piessens, Katholieke Universiteit Leuven, Belgium, and Luca Vigano, King’s College London, UK)
  -- TACAS: Tools and Algorithms for the Construction and Analysis of Systems (PC chairs Marsha Chechik, University of Toronto, Canada, and Jean-Francois Raskin, Universite Libre de Bruxelles, Belgium)
  -- TACAS ’16 hosts the 5th Competition on Software Verification (SV-COMP).
* INVITED SPEAKERS
  -- Unifying speakers:
     Andrew D. Gordon (MSR Cambridge and University of Edinburgh, UK)
     Rupak Majumdar (MPI Kaiserslautern, Germany)
  -- ESOP invited speaker: Cristina Lopes (University of California at Irvine, USA)
  -- FASE invited speaker: Oscar Nierstrasz (Universitaet Bern, Switzerland)
  -- POST invited speaker: Vitaly Shmatikov (University of Texas at Austin, USA)
* IMPORTANT DATES
  - 9 October 2015: Submission deadline for abstracts
  - 16 October 2015: Submission deadline for full papers
  - 2-4 December 2015: Author response period (ESOP and FoSSaCS only)
  - 18 December 2015: Notification of acceptance
  - 8 January 2016: Camera-ready versions due
* SATELLITE EVENTS (2-3 April, 8 April)
  Around 20 satellite workshops will take place before and after the main conferences.
* FURTHER INFORMATION
  Please do not hesitate to contact the organizers at [email protected], [email protected].

13TH INTERNATIONAL SYMPOSIUM ON AUTOMATED TECHNOLOGY FOR VERIFICATION AND ANALYSIS, ATVA 2015
Call for participation
October 12-15, 2015, Shanghai, China
http://atva2015.ios.ac.cn/
* CONTEXT
  ATVA promotes research on theoretical and practical aspects of automated analysis, verification and synthesis by providing a forum for interaction between the regional and the international research communities and industry in the field. The conference will be held at East China Normal University (old campus) in Shanghai.
* KEYNOTES and TUTORIALS
  Dino Distefano (Facebook and Queen Mary University of London, UK)
  Martin Fraenzle (Carl von Ossietzky Universitaet, Oldenburg, Germany)
  Joost-Pieter Katoen (RWTH Aachen University, Germany)
  J Strother Moore (University of Texas-Austin, USA)
* REGISTRATION
  Registration is open now.
  Early registration deadline: August 15, 2015
  For details see http://atva2015.ios.ac.cn/participation.html#registration
* GENERAL CHAIR
  Jifeng He (East China Normal University, China)
* PROGRAMME CHAIRS
  Bernd Finkbeiner (Saarland University, Germany)
  Geguang Pu (East China Normal University, China)
  Lijun Zhang (Institute of Software, Chinese Academy of Sciences)
* WORKSHOP CHAIR
  Jun Sun (Singapore University of Technology and Design, SG)

13TH INTERNATIONAL WORKSHOP ON COALGEBRAIC METHODS IN COMPUTER SCIENCE (CMCS’16)
Call for papers
2-3 April 2016, Eindhoven, the Netherlands
http://www.coalg.org/cmcs16
* OBJECTIVES AND SCOPE
Established in 1998, the CMCS workshops aim to bring together researchers with a common interest in the theory of coalgebras, their logics, and their applications. As the workshop series strives to maintain breadth in its scope, areas of interest include neighbouring fields as well. Topics of interest include, but are not limited to, the following:
- The theory of coalgebras (including set theoretic and categorical approaches)
- Coalgebras as computational and semantical models (for programming languages, dynamical systems, term rewriting, etc.)
- Coalgebras in (functional, object-oriented, concurrent, and constraint) programming
- Model checking, theorem proving and deductive verification using coalgebraic techniques
- Coalgebraic data types, type systems and behavioural typing
- Proof principles and (coinductive) definitions for coalgebras (e.g. with bisimulations or invariants)
- Coalgebras and algebras
- Coalgebraic specification and verification
- Coalgebras and (modal) logic
- Coalgebra and control theory (notably of discrete event and hybrid systems)
- Coalgebra in quantum computing
- Coalgebra and game theory
- Tools exploiting coalgebraic techniques
* VENUE AND EVENT
CMCS’16 will be held in Eindhoven, the Netherlands, co-located with ETAPS 2016 on 2 - 3 April 2016.
* KEYNOTE SPEAKER
Jiri Adamek, Braunschweig University of Technology, Germany
* INVITED SPEAKERS
Andreas Abel, University of Gothenburg, Sweden
Filippo Bonchi, CNRS/ENS Lyon, France
* SPECIAL SESSION
There will be a special session on weighted automata, organized by
Borja Balle, Lancaster University, United Kingdom
Alexandra Silva, University College London, United Kingdom
* PC CHAIR
Ichiro Hasuo, University of Tokyo, Japan

FIRST INTERNATIONAL CONFERENCE ON FORMAL STRUCTURES FOR COMPUTATION AND DEDUCTION (FSCD’16)
Call for Papers
June 22-26, 2016, Porto, Portugal
http://fscd2016.dcc.fc.up.pt/
* The FSCD conference series (http://fscdconference.org/) covers all aspects of formal structures for computation and deduction from theoretical foundations to applications. Building on two communities, RTA (Rewriting Techniques and Applications) and TLCA (Typed Lambda Calculi and Applications), FSCD embraces their core topics and broadens their scope to closely related areas in logics, proof theory and new emerging models of computation such as quantum computing and homotopy type theory. The name of the new conference comes from an unpublished but important book by Gerard Huet that strongly influenced many researchers in the area.
* Suggested, but not exclusive, list of topics for submission are:
1. Calculi (Lambda calculus; Logics; Rewriting systems; Proof theory; Type theory and logical frameworks; Homotopy type theory)
2. Methods in Computation and Deduction (Type systems; Induction, coinduction; Matching; Unification; Completion; Orderings; Strategies; Tree automata; Model building and model checking; Proof search; Constraint solving and decision procedures)
3. Semantics (Operational semantics and abstract machines; Game Semantics and applications; Domain theory and categorical models; Quantitative models; Quantum computation and emerging models in computation)
4. Algorithmic Analysis and Transformations of Formal Systems (Type Inference and type checking; Abstract Interpretation; Complexity analysis and implicit computational complexity; Checking termination, confluence, derivational complexity and related properties; Symbolic computation)
5. Tools and Applications (Programming and proof environments; Verification tools; Libraries for proof assistants and interactive theorem provers; Case studies in proof assistants and interactive theorem provers; Certifications; Applications of formal systems inside and outside of CS)
* Important dates:
Abstract submission due: 29 January 2016
Paper Submission: 5 February 2016
Rebuttal: 21-23 March 2016
Notification: 6 April 2016

5TH INTERNATIONAL ABZ 2016 CONFERENCE (ASM, Alloy, B, TLA, VDM, Z)
Call for Papers, Answers to the case study, Workshops, Tutorials
May 23-27, 2016, Linz, Austria
http://www.cdcc.faw.jku.at/ABZ2016/
* The ABZ conference is dedicated to the cross-fertilization of six related state-based and machine-based formal methods, Abstract State Machines (ASM), Alloy, B, TLA, VDM and Z. Contributions are solicited on all aspects of the theory and applications of ASMs, Alloy, B, TLA, VDM, Z approaches in software/hardware engineering, including the development of tools and industrial applications.
* Types of submission:
-- Research papers: full papers of not more than 14 pages in LNCS format, which have to be original, unpublished and not submitted elsewhere.
-- Short presentations of work in progress, and tool demonstrations. An extended abstract of not more than 4 pages is expected and will be reviewed.
-- Answers to case study papers: full papers of not more than 14 pages in LNCS format reporting on the experiments conducted with any of the state based techniques in the scope of ABZ 2016.
-- Application in industry papers reporting on work or experiences on the application of state based formal methods in industry. An extended abstract of not more than 4 pages is expected and will be reviewed.
* Submission site: https://easychair.org/conferences/?conf=abz2016
* Important Dates:
Workshop proposal submission: October 16, 2015
Research paper, Answers to case study submission: January 15, 2016
Short and industry paper submission: February 4, 2016
Tutorial proposal submissions: February 15, 2016
Tutorial proposal notifications: March 14, 2016
* Detailed information can be found on the conference website
* Contact: Klaus-Dieter SCHEWE ([email protected])

14th INTERNATIONAL SYMPOSIUM ON ARTIFICIAL INTELLIGENCE AND MATHEMATICS (ISAIM 2016)
Call for Papers
January 4-6, 2016, Fort Lauderdale FL, USA
http://isaim2016.cs.virginia.edu
* AIMS AND SCOPE
The International Symposium on Artificial Intelligence and Mathematics (ISAIM) is a biennial meeting that fosters interactions between mathematics, theoretical computer science, and artificial intelligence. This is the fourteenth Symposium in the series, which is sponsored by Annals of Mathematics and Artificial Intelligence. We seek submissions of recent results with particular emphasis on the foundations of AI and mathematical methods used in AI. Papers describing applications are also encouraged, but the focus should be on principled lessons learned from the development of the application. Traditionally, the Symposium attracts participants from a variety of disciplines, thereby providing a unique forum for scientific exchange. The three-day Symposium includes invited speakers, presentations of technical papers, and special topic sessions.
* SPECIAL TOPIC INVITED SESSIONS:
- Boolean and pseudo-Boolean Functions, organized by Endre Boros, Rutgers University, and Yves Crama, University of Liege
- Computational Approaches to Proof Construction, organized by Vijay Ganesh, University of Waterloo
- Integrating Constraint Programming and Operations Research, organized by John Hooker, Carnegie Mellon University
- Mathematical Theories of Natural Language Processing, organized by Sean A. Fulop, California State University, Fresno
* IMPORTANT DATES:
- Paper submission: October 25, 2015
- Notification: November 22, 2015
- Final version due: December 14, 2015
- Workshop: January 4-6, 2016, Ft. Lauderdale, Florida
* DETAILED CALL FOR PAPERS: http://isaim2016.cs.virginia.edu/cfps.html
* INSTRUCTIONS FOR SUBMISSIONS: http://isaim2016.cs.virginia.edu/submissions.html
* FURTHER INFORMATION: Send inquiries and requests to the program committee chairs (Francesca Rossi and Kristen Brent Venable) at the email address isaim2016 at wave DOT tulane DOT edu. Join [email protected] to receive announcements related to ISAIM.

15TH INTERNATIONAL CONFERENCE ON PRINCIPLES OF KNOWLEDGE REPRESENTATION AND REASONING (KR 2016)
Call for papers
Cape Town, South Africa, 25-29 April 2016
http://kr.org/KR2016/
Co-located with DL 2016 [http://www.dl.kr.org] and NMR 2016 [http://www.kr.org/NMR/]
* KR 2016 IMPORTANT DATES
-- Submission of title and abstract: 21 November 2015
-- Paper submission deadline: 28 November 2015
-- Notification of acceptance: 21 January 2016
-- Camera-ready papers due: 19 February 2016
-- Conference: 25-29 April 2016
* AIMS
Knowledge Representation and Reasoning (KRR) is an exciting, well-established field of research. In KRR a fundamental assumption is that an agent’s knowledge is explicitly represented in a declarative form, suitable for processing by dedicated reasoning engines. This assumption, that much of what an agent deals with is knowledge-based, is common in many modern intelligent systems. Consequently, KRR has contributed to the theory and practice of various areas in AI, such as automated planning and natural language understanding, among others, as well as to fields beyond AI, including databases, software engineering, the semantic web, computational biology, and the development of software agents.
* SUBMISSION INFORMATION
For complete details, see the ’Submission information’ page at http://www.kr.org/KR2016
* CONFERENCE CHAIRS
- General: Chitta Baral (Arizona State University, USA)
- Program: James Delgrande (Simon Fraser University, Canada), Frank Wolter (University of Liverpool, UK)
- Local Organization: Thomas Meyer (University of Cape Town and CAIR, South Africa)
- Doctoral Consortium: Meghyn Bienvenu (CNRS, France), Joohyung Lee (Arizona State University, USA)
- Sponsorship and Publicity: Ivan Varzinczak (Federal University of Rio de Janeiro, Brazil)

SPECIAL SEMESTER ON COMPUTATIONAL COMPLEXITY AND PROOF COMPLEXITY
April-June 2016
* Chebyshev Laboratory at St.Petersburg State University
Organized jointly with the Skolkovo Institute of Science and Technology.
* Events include a WORKSHOP ON PROOF COMPLEXITY, May 17-20, 2016, St. Petersburg, organized by Sam Buss and Pavel Pudlak, keynote speaker Jan Krajicek; and a WORKSHOP ON LOW-DEPTH COMPLEXITY, May 23-25, 2016, St. Petersburg, organized by Ben Rossman and Rahul Santhanam, keynote speaker Ryan Williams.
* Short courses will be held before each workshop.
* Graduate students, postdocs and other researchers may apply for funding for both short or extended visits throughout the semester.
* To inquire about participation, or apply for funding, please fill out the form on the web page or email the organizers directly.
* Web page: http://en.chebyshev.spb.ru/complexity2016.
* Organizers: Sam Buss and Edward A. Hirsch.

join today! SIGLOG & ACM
siglog.acm.org
www.acm.org

The Special Interest Group on Logic and Computation is the premier international community for the advancement of logic and computation, and formal methods in computer science, broadly defined.

The Association for Computing Machinery (ACM) is an educational and scientific computing society which works to advance computing as a science and a profession. Benefits include subscriptions to Communications of the ACM, MemberNet, TechNews and CareerNews, full and unlimited access to online courses and books, discounts on conferences and the option to subscribe to the ACM Digital Library.

❑ SIGLOG (ACM Member) ...... $ 25

❑ SIGLOG (ACM Student Member & Non-ACM Student Member) ...... $ 15

❑ SIGLOG (Non-ACM Member) ...... $ 25

❑ ACM Professional Membership ($99) & SIGLOG ($25) ...... $124

❑ ACM Professional Membership ($99) & SIGLOG ($25) & ACM Digital Library ($99) ...... $223

❑ ACM Student Membership ($19) & SIGLOG ($15) ...... $ 34

payment information
Name ______
ACM Member # ______
Mailing Address ______
City/State/Province ______
ZIP/Postal Code/Country ______
Email ______
Mobile Phone ______
Fax ______
Credit Card Type: ❏ AMEX ❏ VISA ❏ MC
Credit Card # ______
Exp. Date ______
Signature ______
Make check or money order payable to ACM, Inc. ACM accepts U.S. dollars or equivalent in foreign currency. Prices include surface delivery charge. Expedited Air Service, which is a partial air freight delivery service, is available outside North America. Contact ACM for more information.

Mailing List Restriction
ACM occasionally makes its mailing list available to computer-related organizations, educational institutions and sister societies. All email addresses remain strictly confidential. Check one of the following if you wish to restrict the use of your name:
❏ ACM announcements only
❏ ACM and other sister society announcements
❏ ACM subscription and renewal notices only

Questions? Contact:
ACM Headquarters
2 Penn Plaza, Suite 701
New York, NY 10121-0701
voice: 212-626-0500
fax: 212-944-1318
email: [email protected]

Remit to:
ACM
General Post Office
P.O. Box 30777
New York, NY 10087-0777

SIGAPP www.acm.org/joinsigs
Advancing Computing as a Science & Profession