FLCHECK is a decision procedure for Fusion Logic
************************************************


Copyright (C) 2009-2025  Antonio Cau, Ben Moszkowski and Helge Janicke
 
This program is free software: you can redistribute it 
and/or modify it under the terms of the GNU Lesser General
Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later
version.
 
This program is distributed in the hope that it will be useful, 
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
 
Contact Antonio Cau (cau.researcher@gmail.com)
 
Version: 2.0pre3 
 
It is written in Tcl/Tk [1] and uses the CUDD bdd library [2] of
Fabio Somenzi and the BuDDy library package of Jorn Lind-Nielsen [3].
Swig [4] is used to write the Tcl/Tk interface to both CUDD and BuDDy. The
first version of the fusion logic decision procedure was written by
Ben Moszkowski using perldDD [5] (perl [6] interface to CUDD) and clisp[7]. 

The formal details of the decision procedure are in [8,9,10]. The
enforcement technique is described in [11]. 

Syntax of Fusion Logic

variable   

  v ::= [A-Z]+[_A-Z]*

state formula  

  w ::= v | true | false | w or w | w and w | ( w ) | not w
          | w equiv w | w imp w

future transition formula  
  ft ::= v | true | false | ft or ft | ft and ft | ( ft ) | not ft | next w
           | ft equiv ft | ft imp ft

past transition formula  
  pt ::= v | true | false | pt or pt | pt and pt | ( pt ) | not pt | prev w
          | pt equiv pt | pt imp pt

future fusion expression   
  
  fe ::= chopstar fe | step ft | test w | fe or fe | fe ; fe | ( fe ) |
         w iand fe | w fand fe | init w | fin w

past fusion expression   
  
  pe ::= pchopstar pe | pstep pt | test w | pe or pe | pe ; pe | ( pe ) |
         pe andi w | pe andf w | pinit w | pfin w

fusion logic formula 

  f ::= w | f or f | f and f | not f | ( f ) | f equiv f | f imp f |
        <fe> f | f until f | next f | f <pe> | f since f | prev f 
          

Precedence of operators:
(from lowest to highest)
until
since
or (fusion logic formula)
and (fusion logic formula)
equiv (fusion logic formula)
imp (fusion logic formula)
or (state formula)
and (state formula)
equiv (state formula)
imp (state formula)
or (future/past transition formula)
and (future/past transition formula)
equiv (future/past transition formula)
imp (future/past transition formula)
or (fusion expression)
iand (future fusion expression)
fand (future fusion expression)
andi (past fusion expression)
andf (past fusion expression)
< >  (future/past fusion logic chop)
;    (future/past fusion expression chop)
chopstar
pchopstar
test
step
pstep
next
prev
not



Using TCL syntax to define abbreviations

TCL variables holds as values strings

assignment of string "not A" to TCL variable y is as follows

set y "not A"

To refer to the value of TCL variable y is as follows

set z "$y or B"

The value of TCL variable z is then

"not A or B"

Using TCL syntax to define derived operators

Let f_1 and f_2 be two fusion logic formulae then

`f_1 imp f_2' denotes the derived fusion logic formula

`not ( f_1 ) or f_2'

The following TCL code 

proc imp {a b} {
    return "(not($a) or $b)"
}

defines the derived fusion logic operator `imp'

The derived fusion logic operator `imp' is used as follows

set x "[imp A B]"

The value of the TCL variable x:

"( not ( A ) or B )"


The following derived operators are defined
(see fusion_logic_derived.tcl for their definitions) 
  

[and f1 f2]  [or f1 f2]  [imp f1 f2]  [equiv f1 f2]   

[true]  [false]  [not f]  [l_and flist]  [l_or flist] 


future fusion expressions (n integer, e future fusion expression): 

 
[len_e n]  [keep_e e]  [stable_e e]

[len_r_e n]  [keep_r_e e]  [stable_r_e e]

[len_eq_e n]  [keep_eq_e n e]  [stable_eq_e n e]  [stable_ge_e n e]

[len_r_eq_e n]  [keep_r_eq_e n e]  [stable_r_eq_e n e]  [stable_r_ge_e n e]

[len_le_e n]  [len_lt_e n]  [len_ge_e n] [len_gt_e n]

[len_r_le_e n]  [len_r_lt_e n]  [len_r_ge_e n] [len_r_gt_e n]

[keep_le_e n e]  [keep_lt_e n e]  [keep_ge_e n e]  [keep_gt_e n e]

[keep_r_le_e n e]  [keep_r_lt_e n e]  [keep_r_ge_e n e]  [keep_r_gt_e n e]

[true_e]  [sometimes_e e]  [skip_e]  [empty_e]

[true_r_e]  [sometimes_r_e e]  [skip_r_e]  [empty_r_e]

[star_e e]  [star_eq_e n e]  [star_le_e n e]
[star_lt_e n e]  [star_ge_e n e]  [star_gt_e n e]

[star_r_e e]  [star_r_eq_e n e]  [star_r_le_e n e]
[star_r_lt_e n e]  [star_r_ge_e n e]  [star_r_gt_e n e]


past fusion expressions (n an integer, e past expression): 

 
[len_l_e n]  [keep_l_e e]  [stable_l_e e]

[len_l_eq_e n]  [keep_l_eq_e n e]  [stable_l_eq_e n e]  [stable_l_ge_e n e] 

[len_l_le_e n]  [len_l_lt_e n]  [len_l_ge_e n] [len_l_gt_e n] 

[keep_l_le_e n e]  [keep_l_lt_e n e]  [keep_l_ge_e n e]  [keep_l_gt_e n e] 

[true_l_e]  [sometimes_l_e e]  [skip_l_e]  [empty_l_e]

[star_l_e e]  [star_l_eq_e n e]  [star_l_le_e n e]
[star_l_lt_e n e]  [star_l_ge_e n e]  [star_l_gt_e n e]


future fusion formulae
(n is integer, e is future fusion expression, f is fusion formula, w is state formula): 


[next_r f]  [next f]  [next_eq_r n f]
[next_ge_r n f]  [next_gt_r n f]   [next_le_r n f]  [next_lt_r n f] 

[sometimes_r f]  [sometimes_u f]  [diamond f]  [diamond_r f]

[always_r f]  [always_u f]  [box f] [box_r f] 

[diamondplus f] [diamondplus_r f]

[more_r] [more]  [empty_r]  [empty]

[box_m f]  [box_m_r f] [diamond_m f]  [diamond_m_r f]

[di_fin_r w]  [di_e_r e]  [bi_fin_r w]  [bi_e_r e]

[skip_r]  [skip]

[gets_r f1 f2]  [assign f1 f2] [assign_r f1 f2]

[finite_r ] [finite_u]

[fin_r f]  [sfin_r f]

[dd_r e f]  [bb_r e f]

[sometimes_plus_r f]  [sometimes_m_r f]

[weaknext_r f]  [weaknext f]

[weaknext_eq_r n f]  [weaknext_ge_r n f]  [weaknext_gt_r n f] 

[weaknext_le_r n f]  [weaknext_lt_r n f] 

[weakuntil f1 f2]

[len_r n] [len_eq_r n] 

[len_ge_r n]  [len_gt_r n]  [len_le_r n]  [len_lt_r n] (

[while_r w e]  [keep_r e]

[keep_eq_r n e] [keep_le_r n e] [keep_lt_r n e] [keep_ge_r n e] [keep_gt_r n e]

[keepnow_r e]  [stablenow_r f]

[sfin_r f]  [sfin_u f]

[stable_r e]  [stable_eq_r n e]  [stable_ge_r n e] 


past fusion logic:
(n is integer, e is past fusion expression, f is fusion formula, w is state formula): 


[prev_l f]  [prev f]  [prev_eq_l n f]
[prev_ge_l n f]  [prev_gt_l n f]   [prev_le_l n f]  [prev_lt_l n f] 

[sometimes_l f]  [sometimes_s f]  [diamond_l f]  [diamondplus_l f]

[always_l f]  [always_s f]  [box_l f] 

[more_l]  [empty_l] [first] [skip_l] 

[box_m_l f]  [diamond_m_l f] 

[di_fin_l w]  [di_e_l e]  [bi_fin_l w]  [bi_e_l e]

[gets_l f1 f2]  [assign_l f1 f2]

[fin_l f]  [sfin_l f]

[dd_l e f]  [bb_l e f]

[sometimes_plus_l f]  [sometimes_m_l f]

[weakprev_l f]  [weakprev f]

[weakprev_eq_l n f]  [weakprev_ge_l n f]  [weakprev_gt_l n f] 

[weakprev_le_l n f]  [weakprev_lt_l n f] 

[weaksince f1 f2]

[len_l n] [len_eq_l n] 

[len_ge_l n]  [len_gt_l n]  [len_le_l n]  [len_lt_l n] (

[while_l w e]  [keep_l e]

[keep_eq_l n e] [keep_le_l n e] [keep_lt_l n e] [keep_ge_l n e] [keep_gt_l n e]

[keepnow_l e]  [stablenow_l f]

[sfin_s f]

[stable_l e]  [stable_eq_l n e]  [stable_ge_l n e]




Checking Validity and Satisfiability

check fusion logic formula f for validity with finite time

  vld f 

check fusion logic formula f for satisfiability with finite time

  sat f 
check fusion logic formula f for validity with infinite time

  vld_i f  

check fusion logic formula f for satisfiability with infinite time

  sat_i f  

Checking Enforcement

enforce  fusion logic formula f wrt a given input 

Let TCL variable INPUT be the input for which enforcement of f is
checked  

  enf f   

interactive enforce fusion logic formula f

  i_enf f 

You will be prompted for the input trace state by state where `end' will
denote end of the input.

Command line options

flcheck.tcl without command line options will start the graphical user
interface.  In the FLCHECK tab window of the GUI one can type the
check ones want to perform, for instance, vld (A or B). The output of the
decision procedure is the shown. The history of the checks
performed can be accessed by using the up and down cursor keys.


The following command line options are available:

flcheck.tcl [-buddy] [-dbg] [-showhelp] [-file <filename> ] [-stdio]
            [ ( -enf | -i_enf ) "formula" ]

-buddy:
  use the BuDDY bdd library instead of the CUDD bdd library

-dbg:
  print debugging information

-showhelp:
  show this help on stdout.

-file <filename>:
  use definitions in the file <filename>

-stdio:
  Reads input from stdin and writes output to stdout without GUI.
  For example:
   ./flcheck -file test-flux.tcl -stdio < stdio-test.in 
   where stdio-test is a file with contents:
    sat [x_0]
    sat_i [x_0]
    sat [and [more] [len_r 4]]
    load "example-small.tcl"
    sat [test_formula]
    exit
 
   The output of these checks is then shown on stdout.

   Note: one can use, in the input, the command 'exit' to terminate and
   command 'load "some file"' to load a file. 


-enf   "formula":
  check the enforcement of fusion "formula" without GUI (finite time)

-i_enf "formula":
  check interactively the enforcement of fusion "formula" without GUI (finite time)



References


[1] Tcl Developer Xchange.
    https://www.tcl-lang.org/

[2] CUDD library. 
    Fabio Somenzi
    University of Colorado at Boulder
    https://vlsi.colorado.edu/~fabio (dead link)
    archived versions at
    https://github.com/davidkebo/cudd/tree/main/cudd_versions
    

[3] BuDDy library package.
    Jorn Lind-Nielsen
    https://sourceforge.net/projects/buddy/

[4] Simplified Wrapper and Interface Generator.
    https://www.swig.org/

[5] perldDD.
    Fabio Somenzi
    University of Colorado at Boulder.
    https://vlsi.colorado.edu/~fabio (dead link)

[6] The Perl language.
    https://www.perl.org/

[7] Gnu ANSI Common Lisp implementation. 
    https://clisp.sourceforge.io/

[8] Ben Moszkowski. 
    A Hierarchical Analysis of Propositional Temporal Logic based on Intervals.
    We Will Show Them: Essays in Honour of Dov Gabbay, p. 371--440. 
    College Publications (formerly KCL Publications), 2005. 

[9] Ben Moszkowski.
    A Hierarchical Completeness Proof for Propositional Interval Temporal
    Logic with Finite Time.
    Journal of Applied Non-Classical Logics, V 14:1--2, p. 55--104, 2004.

[10] Antonio Cau, Helge Janicke and Ben Moszkowski.
    A Decision Procedure for Fusion Logic. Seminar talk slides, see
    file itl-fl.pdf.

[11] Antonio Cau, Helge Janicke and Ben Moszkowski.
    Verification and Enforcement of Access Control Policies. 
    Formal Methods in System Design, 43.3, (2013).
 

Files
*****
flcheck.tcl:
  FLCHECK gui functions, command line options processing and
  FL Reduction functions.
  
flcheck_linux64:
  pre-compiled Linux executable (64 bits)
  
flcheck.exe:
  pre-compiled Windows executable
  
flcheck_macosx:
  pre-compiled MacOSX executable
  
buddy.tcl:
  BDD step and enforcement functions using the BuDDy library package
  
cudd.tcl :
  BDD step and enforcement functions using the CUDD library package
  
fusion_logic.tac:
  FL grammar file used to generate FL parser
  
fusion_logic.tcl:
  autogenerated file from fusion_logic.tac containing the FL parser
  
scanner_fusion_logic.fcl:
  FL scanner definition file used to generate the scanner
  
scanner_fusion_logic.tcl:
  autogenerated file from scanner_fusion_logic.fcl containing FL scanner
  
fusion_logic_commands.tcl:
  Internal FL definitions used by the parser
  
fusion_logic_derived.tcl:
  Derived FL operators
  
buddy_tcl.i:
  SWIG definition file used to generate TCL equivalent BuDDy commands
  
buddy_tcl.c:
  autogenerated file by SWIG using buddy_tcl.i
  
cudd_tcl.i:
  SWIG definition file used to generate TCL equivalent CUDD commands
  
cudd_tcl.c:
  autogenerated file by SWIG using cudd_tcl.i
  
cuddDot.c, cuddDot.h:
  slightly adapted Dot function, used to output BDD graphs
  
policy_library.tcl:
  policy library written in FL
  
example-policy-keys-left-new.tcl:
  example of enforcement of history based access control policies
  using past fusion logic
  
example-policy-keys-left.tcl:
  example of enforcement of history based access control policies
  using past fusion logic
  
example-policy-keys-right.tcl:
  example of enforcement of history based access control policies
  using future fusion logic
  
example-policy-keys-left-1.tcl:
  example of enforcement of history (at least 2 states) based
  access control policies using past fusion logic
  
example-policy-keys-right-1.tcl:
  example of enforcement of history (at least 2 states) based
  access control policies using future fusion logic
  
example-policy-verification-left.tcl:
  example of verification of properties for access control
  policies using past fusion logic
  
example-policy-verification-right.tcl:
  example of verification of properties for access control
  policies using future fusion logic
  
example-policy-enforcement-left.tcl:
  example of enforcement of access control policies using
  past fusion logic
  
example-policy-enforcement-right.tcl:
  example of enforcement of access control policies using
  future fusion logic
  
example-small.tcl:
  future fusion logic verification examples

example-small-past.tcl:
  past fusion logic verification examples
  
example-policy-rule.tcl:
  example of policy rule

test-flux.tcl:
  examples of validity and satisfaction of future fusion logic
  with infinite and finite time

stdio-test.in,
stdion-flux.in,
stdio-policy-enf-left.in,
stdio-policy-enf-right.in, 
stdio-policy-keys-left-1.in, 
stdio-policy-keys-left-new.in, 
stdio-policy-keys-left.in, 
stdio-policy-keys-right-1.in,
stdio-policy-keys-right.in, 
stdio-policy-ver-left.in,
stdio-policy-ver-right.in, 
stdio-regression-past.in,
stdio-regression.in,
stdio-test.in:
  sample input file for FLCHECK in stdio mode

cudd-regression, buddy-regression:
  regression tests for CUDD and Buddy using above input files

out/ :
  directory containing outputs of above regression tests for comparison

itl-fl.pdf:
  A Decision Procedure for Fusion Logic using updated semantics. Seminar talk slides

itl-fl-old.pdf:
  Original slides of above.

Readme:
  this file
  
Makefile:
  used to generate parser, scanner, BuDDy and CUDD TCL
  library and generate FLCHECK distribution and executables
  
ChangeLog:
  File documenting changes
  
cudd-3.0.0/ :
  contains CUDD library files
  
buddy-2.4/ :
  contains BuDDy library files
  
linux64/ :
  contains precompiled CUDD and BuDDy library for 64 bit linux systems (Ubuntu 24)
  
win64/ :
  contains precompiled CUDD and BuDDy library for Windows systems
  
macos/ :
  contains precompiled CUDD and BuDDy library for MacOS systems
  
