# Silvio Ghilardi, University of Milan | UNIMI · Department of Mathematics

Silvio Ghilardi

full professor

## About

174 publications

7,948 reads


3,168 citations (since 2017)

## Publications

Publications (174)

Modeling and verification of dynamic systems operating over a relational representation of states are increasingly investigated problems in AI, Business Process Management, and Database Theory. To make these systems amenable to verification, the amount of information stored in each relational state needs to be bounded, or restrictions are imposed o...

Uniform interpolants were largely studied in non-classical propositional logics since the nineties, and their connection to model completeness was pointed out in the literature. A successive parallel research line inside the automated reasoning community investigated uniform quantifier-free interpolants (sometimes referred to as “covers”) in first-...

We devise three strategies for recognizing admissibility of non-standard inference rules via interpolation, uniform interpolation, and model completions. We apply our machinery to the case of symmetric implication calculus S2IC, where we also supply a finite axiomatization of the model completion of its algebraic counterpart, via the equivalent the...

Interpolation is an essential tool in software verification, where first-order theories are used to constrain datatypes manipulated by programs. In this paper, we introduce the datatype theory of contiguous arrays with maxdiff, where arrays are completely defined in their allocation memory and for which maxdiff returns the max index where they diff...

The concept of uniform interpolant for a quantifier-free formula from a given formula with a list of symbols, while well-known in the logic literature, has been unknown to the formal methods and automated reasoning community for a long time. This concept is precisely defined. Two algorithms for computing quantifier-free uniform interpolants in the...

During the last decade, various approaches have been put forward to integrate business processes with different types of data. Each of these approaches reflects specific demands in the whole process-data integration spectrum. One particularly important point is the capability of these approaches to flexibly accommodate processes with multiple case...

In this survey, we report our recent work concerning combination results for interpolation and uniform interpolation in the context of quantifier-free fragments of first-order theories. We stress model-theoretic and algebraic aspects connecting this topic with amalgamation, strong amalgamation, and model-completeness. We give sufficient (and, in re...

We devise three strategies for recognizing admissibility of non-standard inference rules via interpolation, uniform interpolation, and model completions. We apply our machinery to the case of symmetric implication calculus $\mathsf{S^2IC}$, where we also supply a finite axiomatization of the model completion of its algebraic counterpart, via the eq...

Since the nineties, the Man-in-The-Middle (MITM) attack has been one of the most effective strategies adopted for compromising information security in network environments. In this paper, we focus our attention on ARP cache poisoning, which is one of the most well-known and more adopted techniques for performing MITM attacks in Ethernet local area...

Uniform interpolants have been largely studied in non-classical propositional logics since the nineties; a successive research line within the automated reasoning community investigated uniform quantifier-free interpolants (sometimes referred to as “covers”) in first-order theories. This further research line is motivated by the fact that uniform i...

The increasing recognition of the need for integrating data and processes, both at conceptual and system levels, raises a new demand in standard-friendly, verifiable data-aware process modelling languages. So far, a few proposals in the area have been largely focusing on either uncharted approaches or conceptual proposals that would lack in tool su...

We develop quantifier elimination procedures for fragments of higher order logic arising from the formalization of distributed systems (especially of fault-tolerant ones). Such procedures can be used in symbolic manipulations like the computation of pre/post images and of projections. We show in particular that our procedures are quite effective in...

In this paper, the theory of McCarthy’s extensional arrays enriched with a maxdiff operation (this operation returns the biggest index where two given arrays differ) is proposed. It is known from the literature that a diff operation is required for the theory of arrays in order to enjoy the Craig interpolation property at the quantifier-free level....

We prove that the variety of nuclear implicative semilattices is locally finite, thus generalizing Diego’s Theorem. The key ingredients of our proof include the coloring technique and construction of universal models from modal logic. For this we develop duality theory for finite nuclear implicative semilattices, generalizing Köhler duality. We pro...

We enrich the McCarthy theory of arrays with a maxdiff operation (this operation returns the biggest index where two given arrays differ). It is known from the literature that a diff operation is required for the theory of arrays in order to enjoy the Craig interpolation property at the quantifier-free level. However, the diff operation introduced...

During the last decade, various approaches have been put forward to integrate business processes with different types of data. Each of these approaches reflects specific demands in the whole process-data integration spectrum. One particularly important point is the capability of these approaches to flexibly accommodate processes with multiple cases...

Uniform interpolants were largely studied in non-classical propositional logics since the nineties, and their connection to model completeness was pointed out in the literature. A successive parallel research line inside the automated reasoning community investigated uniform quantifier-free interpolants (sometimes referred to as “covers”) in first-...

During the last decade, various approaches have been put forward to integrate business processes with different types of data. Each of these approaches reflects specific demands in the whole process-data integration spectrum. One particularly important point is the capability of these approaches to flexibly accommodate processes with multiple cases th...

In recent times, satisfiability modulo theories (SMT) techniques gained increasing attention and obtained remarkable success in model-checking infinite-state systems. Still, we believe that whenever more expressivity is needed in order to specify the systems to be verified, more and more support is needed from mathematical logic and model theory. T...

The concept of a uniform interpolant for a quantifier-free formula from a given formula with a list of symbols, while well-known in the logic literature, has been unknown to the formal methods and automated reasoning community. This concept is precisely defined. Two algorithms for computing the uniform interpolant of a quantifier-free formula in EU...

We prove that the variety of nuclear implicative semilattices is locally finite, thus generalizing Diego's Theorem. The key ingredients of our proof include the coloring technique and construction of universal models from modal logic. For this we develop duality theory for finite nuclear implicative semilattices, generalizing Köhler duality. We p...

Ruitenburg's Theorem says that every endomorphism f of a finitely generated free Heyting algebra is ultimately periodic if f fixes all the generators but one. More precisely, there is $N \ge 0$ such that $f^{N+2} = f^N$, thus the period equals 2. We give a semantic proof of this theorem, using duality techniques and bounded bisimulation ranks. By the same...

In ESOP 2008, Gulwani and Musuvathi introduced a notion of cover and exploited it to handle infinite-state model checking problems. Motivated by applications to the verification of data-aware processes, we proved in a previous paper that covers are strictly related to model completions, a well-known topic in model theory. In this paper we investiga...

Existentially Closed Brouwerian Semilattices - Luca Carai, Silvio Ghilardi

It follows from known results in the literature that least and greatest fixed-points of monotone polynomials on Heyting algebras—that is, the algebraic models of the Intuitionistic Propositional Calculus—always exist, even when these algebras are not complete as lattices. The reason is that these extremal fixed-points are definable by formulas of t...

In ESOP 2008, Gulwani and Musuvathi introduced a notion of cover and exploited it to handle infinite-state model checking problems. Motivated by applications to the verification of data-aware processes, we show how covers are strictly related to model completions, a well-known topic in model theory. We also investigate the computation of covers wit...

We propose DAB – a data-aware extension of BPMN where the process operates over case and persistent data (partitioned into a read-only database called catalog and a read-write database called repository). The model trades off between expressiveness and the possibility of supporting parameterized verification of safety properties on top of it. Speci...

Model Completeness is a classical topic in model-theoretic algebra, and its inspiration sources are areas like algebraic geometry and field theory. Yet, recently, there have been remarkable applications in computer science: these applications range from combined decision procedures for satisfiability and interpolation, to connections between tempor...

We propose DAB -- a data-aware extension of BPMN where the process operates over case and persistent data (partitioned into a read-only database called catalog and a read-write database called repository). The model trades off between expressiveness and the possibility of supporting parameterized verification of safety properties on top of it. Spec...

We propose DAB -- a data-aware extension of the BPMN de-facto standard with the ability of operating over case and persistent data (partitioned into a read-only catalog and a read-write repository), and that balances between expressiveness and the possibility of supporting parameterized verification of safety properties on top of it. In particular,...

Ruitenburg's Theorem says that every endomorphism f of a finitely generated free Heyting algebra is ultimately periodic if f fixes all the generators but one. More precisely, there is $N \ge 0$ such that $f^{N+2} = f^N$, thus the period equals 2. We give a semantic proof of this theorem, using duality techniques and bounded bisimulation ranks. By the...

We study verification over a general model of data-aware processes, to assess (parameterized) safety properties irrespectively of the initial database instance. We rely on an encoding into array-based systems, which allows us to check safety by adapting backward reachability, establishing for the first time a correspondence with model checking base...

Running verification tasks in database driven systems requires solving quantifier elimination problems (not including arithmetic) of a new kind. In this paper, we supply quantifier elimination algorithms based on Knuth-Bendix completions and begin studying the complexity of these problems, arguing that they are much better behaved than their arithm...

For a given intuitionistic propositional formula A and a propositional variable x occurring in it, define the infinite sequence of formulae $\{A_i \mid i \ge 1\}$ by letting $A_1$ be A and $A_{i+1}$ be $A(A_i/x)$. Ruitenburg's Theorem [8] says that the sequence $\{A_i\}$ (modulo logical equivalence) is ultimately periodic with period 2, i.e. there is N $\...

Wolter in [38] proved that the Craig interpolation property transfers to fusion of normal modal logics. It is well-known [21] that for such logics Craig interpolation corresponds to an algebraic property called superamalgamability. In this paper, we develop model-theoretic techniques at the level of first-order theories in order to obtain general c...

It is a consequence of existing literature that least and greatest fixed-points of monotone polynomials on Heyting algebras, that is, the algebraic models of the Intuitionistic Propositional Calculus, always exist, even when these algebras are not complete as lattices. The reason is that these extremal fixed-points are definable by formulas of the...

Quite often, verification tasks for distributed systems are accomplished via counter abstractions. Such abstractions can sometimes be justified via simulations and bisimulations. In this work, we supply logical foundations to this practice, by a specifically designed technique for second order quantifier elimination. Our method, once applied to spe...

Enriching logic formalisms with counting capabilities is an important task in view of the needs of many application areas, ranging from database theory to formal verification. In this paper, we consider a very expressive language obtained by enriching linear integer arithmetic with free function symbols and cardinality constraints for interpreted s...

In this paper, we study the conditions under which existence of interpolants (for quantifier-free formulae) is modular, in the sense that it can be transferred from two first-order theories T1, T2 to their combination T1 ∪ T2. As a surprising application, we relate the Horn combinability criterion of this paper to super-amalgamability conditions kn...

In this paper, we study the conditions under which existence of interpolants (for quantifier-free formulae) is modular, in the sense that it can be transferred from two first-order theories T1, T2 to their combination T1 ∪ T2. As a surprising application, we relate the Horn combinability criterion of this paper to super-amalgamability conditions kn...

Internet protocols are intrinsically complex to understand and validate, due both to the potentially unbounded number of entities involved, and to the complexity of interactions amongst them. Yet, their safety is indispensable to guarantee the proper behavior of a number of critical applications.

We present our efforts on the formalization and automated formal verification of data-intensive applications based on the Storm technology, a well known and pioneering framework for developing streaming applications. The approach is based on the so-called array-based systems formalism, introduced by Ghilardi et al., a suitable abstraction of infini...

The variety of Brouwerian semilattices is amalgamable and locally finite, hence by well-known results due to W. H. Wheeler, it has a model completion (whose models are the existentially closed structures). In this paper, we supply for such a model completion a finite and rather simple axiomatization.

We investigate proof-theoretic properties of hypersequent calculi for intermediate logics using algebraic methods. More precisely, we consider a new weakly analytic subformula property (the bounded proof property) of such calculi. Despite being strictly weaker than both cut-elimination and the subformula property, this property is sufficient to ens...

The main focus of this paper is on bisimulation-invariant MSO, and more particularly on giving a novel model-theoretic approach to it. In model theory, a model companion of a theory is a first-order description of the class of models in which all potentially solvable systems of equations and non-equations have solutions. We show that bisimulation-i...

It is a consequence of existing literature that least and greatest fixed-points of monotone polynomials on Heyting algebras—that is, the algebraic models of the Intuitionistic Propositional Calculus—always exist, even when these algebras are not complete as lattices. The reason is that these extremal fixed-points are definable by formulas of the IP...

We identify a fragment of Presburger arithmetic enriched with free function symbols and cardinality constraints for interpreted sets, which is amenable to automated analysis. We establish decidability and complexity results for such a fragment and we implement our algorithms. The experiments run in discharging proof obligations coming from invarian...

We establish the dichotomy property for stable canonical multi-conclusion rules for IPC, K4, and S4. This yields an alternative proof of existence of explicit bases of admissible rules for these logics.

It is a consequence of existing literature that least and greatest fixed-points of monotone polynomials on Heyting algebras, that is, the algebraic models of the Intuitionistic Propositional Calculus, always exist, even when these algebras are not complete as lattices. The reason is that these extremal fixed-points are definable by formulas of the IP...

This paper presents an acceleration-based combination framework for checking the satisfiability of classes of quantified formulae of the theory of arrays. We identify sufficient conditions for which an ‘acceleratability’ result can be used as a black-box module inside such satisfiability procedures. Besides establishing new decidability results and...

We present new decidability results for quantified fragments of theories of arrays. Our decision procedures are parametric in the theories of indexes and elements and orthogonal with respect to known results. We show that transitive closures ('accelerations') of relations expressing certain array updates produce formulas inside our fragment; this obse...

Monadic second order logic and linear temporal logic are two logical formalisms that can be used to describe classes of infinite words, i.e., first-order models based on the natural numbers with order, successor, and finitely many unary predicate symbols. Monadic second order logic over infinite words (S1S) can alternatively be described as a first...

The paper introduces semantic and algorithmic methods for establishing a variant of the analytic subformula property (called 'the bounded proof property', bpp) for modal propositional logics. The bpp is a much weaker property than full cut-elimination, but it is nevertheless sufficient for establishing decidability results. Our methodology originated...

Monotonic abstraction is a technique introduced in model checking parameterized distributed systems in order to cope with transitions containing global conditions within guards. The technique has been re-interpreted in a declarative setting in previous papers of ours and applied to the verification of fault tolerant systems under the so-called "sto...

We present Booster, a new framework developed for verifying programs handling arrays. Booster integrates new acceleration features with standard verification techniques, like Lazy Abstraction with Interpolants (extended to arrays). The new acceleration features are the key for scaling-up in the verification of programs with arrays, allowing Booste...

The present chapter is aimed at giving a conceptual exposition of the mathematical principles underlying Sahlqvist correspondence theory. These principles are argued to be inherently algebraic and order-theoretic. They translate naturally on relational structures thanks to Stone-type duality theory. The availability of this analysis in the setting...

Lazy abstraction with interpolation-based refinement has been shown to be a powerful technique for verifying imperative programs. In the presence of arrays, however, the method suffers from an intrinsic limitation, due to the fact that invariants needed for verification usually contain universally quantified variables, which are not present in program...

We introduce the system K4De. It is obtained by weakening the reflexivity axiom to the density axiom in the standard axiom set for S4. We analyze K4De both from the semantic and the proof theoretic side, giving in particular a cut-free system of rules for it.

We review the step-by-step method of constructing finitely generated free modal algebras. First we discuss the global step-by-step method, which works well for rank one modal logics. Next we refine the global step-by-step method to obtain the local step-by-step method, which is applicable beyond rank one modal logics. In particular, we show that it...

The use of interpolants in verification is gaining more and more importance. Since theories used in applications are usually obtained as (disjoint) combinations of simpler theories, it is important to modularly reuse interpolation algorithms for the component theories. We show that a sufficient and necessary condition to do this for quantifier-free...

We investigate proof theoretic properties of logical systems via algebraic methods. We introduce a calculus for deriving multiple-conclusion rules and show that it is a Hilbert style counterpart of hypersequent calculi. Using step-algebras we develop a criterion establishing the bounded proof property and finite model property for these systems. Fi...

We present our tool, developed for the analysis and verification of parameterized infinite-state systems. The framework has been successfully applied in the verification of programs handling unbounded data-structures. In such application domain, being able to infer quantified invariants is a mandatory requirement for successful results. We will des...

For some classes of guarded ground assignments for arrays, we show that accelerations (i.e., transitive closures) are definable in the theory of arrays via $\exists^*\forall^*$-first-order formulae. We apply this result to model checking of unbounded array programs, where the computation of such accelerations can be used to prevent divergence of reachability a...

The longstanding research line investigating free algebra constructions in modal logic from an algebraic and coalgebraic point of view recently lead to the notion of a one-step frame [14], [8]. A one-step frame is a two-sorted structure which admits interpretations of modal formulae without nested modal operators. In this paper, we exploit the pote...

Abstraction (in its various forms) is a powerful established technique in model-checking; still, when unbounded data-structures are concerned, it cannot always cope with divergence phenomena in a satisfactory way. Acceleration is an approach which is widely used to avoid divergence, but it has been applied mostly to integer programs. This paper add...

We present SAFARI, a model checker designed to prove (possibly universally quantified) safety properties of imperative programs with arrays of unknown length. SAFARI is based on an extension of lazy abstraction capable of handling existentially quantified formulæ for symbolically representing states. A heuristics, called term abstraction, favors th...

The use of interpolants in model checking is becoming an enabling technology to allow fast and robust verification of hardware and software. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier-free interpolants in general. In this paper, we show that it is possible to obtain q...

Deadlock-free algorithms that ensure mutual exclusion crucially depend on timing assumptions. In this paper, we describe our experience in automatically verifying mutual-exclusion and deadlock-freedom of the Fischer and Lynch-Shavit algorithms, using the model checker modulo theories mcmt. First, we explain how to specify timing-based algorithms in...

The goal of CEDAR was to bring together researchers interested in problems at the interface between automated reasoning and computational complexity, in particular in: – identifying (fragments of) logical theories which are decidable, resp. have low complexity, and analyzing possibilities of obtaining optimal complexity results with uniform tools;...

The use of interpolants in verification is gaining more and more importance. Since theories used in applications are usually obtained as (disjoint) combinations of simpler theories, it is important to modularly re-use interpolation algorithms for the component theories. We show that a sufficient and necessary condition to do this for quantifier-fre...

Lazy abstraction with interpolants has been shown to be a powerful technique for verifying imperative programs. In the presence of arrays, however, the method shows an intrinsic limitation, due to the fact that successful invariants usually contain universally quantified variables, which are not present in the program specification. In this work we pre...

Model Checking Modulo Theories is a recent approach for the automated verification of safety properties of a class of infinite state systems manipulating arrays, called array-based systems. The idea is to repeatedly compute pre-images of a set of (unsafe) states by using certain classes of first-order formulae representing sets of states and transi...

Unification was originally introduced in automated deduction and term rewriting, but has recently also found applications in other fields. In this article, we give a survey of the results on unification obtained in two closely related, yet different, application areas of unification: description logics and modal logics.

The use of interpolants in model checking is progressively gaining importance. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier-free interpolants in general. To overcome this problem, we have recently proposed a quantifier-free interpolation solver for a natural variant of th...

We identify sufficient conditions to automatically establish the termination of a backward reachability procedure for infinite state systems by using well-quasi-orderings. Besides showing that backward reachability succeeds on many instances of problems covered by general termination results, we argue that it could predict termination also on inter...

We prove that if a modal formula is refuted on a wK4-algebra (B,□), then it is refuted on a finite wK4-algebra which is isomorphic to a subalgebra of a relativization of (B,□). As an immediate consequence, we obtain that each subframe and cofinal subframe logic over wK4 has the finite model property. On the one hand, this provides a purely algebrai...

The use of interpolants in model checking is becoming an enabling technology to allow fast and robust verification of hardware and software. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier-free interpolants in general. In this paper, we show that, with a minor extension to...

We propose a methodology to use the infinite state model checker MCMT, based on Satisfiability Modulo Theory techniques, for assisting in the design of fault tolerant algorithms. To prove the practical viability of our methodology, we apply it to formally check the agreement property of the reliable broadcast protocols of Chandra and Toueg.

These notes cover the content of a basic course in propositional algebraic logic given by the author at the Italian School of Logic held in Cesena, September 18-23, 2000. They are addressed to people having little background in Symbolic Logic and they are mostly intended to develop algebraic methods for establishing basic metamathematical results (lik...

The safety of infinite state systems can be checked by a backward reachability procedure. For certain classes of systems, it is possible to prove the termination of the procedure and hence conclude the decidability of the safety problem. Although backward reachability is property-directed, it can unnecessarily explore (large) portions of the state...

The role played by continuous morphisms in propositional modal logic is investigated: it turns out that they are strictly related to filtrations and to suitable variants of the notion of a free algebra. We also employ continuous morphisms in incremental constructions of (standard) finitely generated free S4-algebras.

Background and motivations. Algorithms for ensuring fault tolerance are key ingredients in many applications such as avionics and networking. There is an increasing demand to integrate (formal) validation in the design process of these algorithms as they are often part of safety critical systems. When validation fails, the designer would benefit fro...

We describe mcmt, a fully declarative and deductive symbolic model checker for safety properties of infinite state systems whose state variables are arrays. Theories specify the properties of the indexes and the elements of the arrays. Sets of states and transitions of a system are described by quantified first-order formulae. The core of the syste...

We propose a methodology to use the infinite state model checker MCMT, based on Satisfiability Modulo Theory techniques, for assisting in the design of fault tolerant algorithms. To prove the practical viability of our methodology, we apply it to formally check the agreement property of the reliable broadcast protocols of Chandra and Toueg.

Globalization and its Discontents by Joseph Stiglitz (London, Allen Lane; New York, W.W. Norton, 2002), xxii + 282 pp., ISBN 0 713 99664 1.

Recently, the notion of an array-based system has been introduced as an abstraction of infinite state systems (such as mutual exclusion protocols or sorting programs) which allows for model checking of invariant (safety) and recurrence (liveness) properties by Satisfiability Modulo Theories (SMT) techniques. Unfortunately, the use of quantified...

We are interested in automatically proving safety properties of infinite state systems. We present a technique for invariant synthesis which can be incorporated in backward reachability analysis. The main theoretical result ensures that (under suitable hypotheses) our method is guaranteed to find an invariant if one exists. We also discuss heuristics...

We investigate the introduction of the stopping failures model in order to treat universal guards in transitions of array-based systems. We conclude by some remarks explaining how the stopping failures model is implemented in the tool mcmt.

Motivated by applications in software verification, we explore automated reasoning about the non-disjoint combination of theories of infinitely many finite structures, where the theories share set variables and set operations. We prove a combination theorem and apply it to show the decidability of the satisfiability problem for a class of formulas...

We introduce the notion of array-based system as a suitable abstraction of infinite state systems such as broadcast protocols or sorting programs. By using a class of quantified-first order formulae to symbolically represent array-based systems, we propose methods to check safety (invariance) and liveness (recurrence) properties on top of Satisfiab...

We define a general notion of a fragment within higher-order type theory; a procedure for constraint satisfiability in combined fragments is outlined, following Nelson-Oppen schema. The procedure is in general only sound, but it becomes terminating and complete when the shared fragment enjoys suitable noetherianity conditions and admits an abstract...

Most of the research on temporalized Description Logics (DLs) has concentrated on the case where temporal operators can occur within DL concept descriptions. In this setting, reasoning usually becomes quite hard if rigid roles, i.e., roles whose interpretation does not change over time, are available. In this paper, we consider the case where t...

First-order modal logics are modal logics in which the underlying propositional logic is replaced by a first-order predicate logic. They pose some of the most difficult mathematical challenges. This chapter surveys basic first-order modal logics and examines recent attempts to find a general mathematical setting in which to analyze them. A number o...