**Specification (in MFOTL)**

ALWAYS FORALL c, t, a.

trans(c,t,a) AND 2000 < a IMPLIES EVENTUALLY[0,6) report(t)

**Informal explanation**

The property requires that executed transactions t of any customer c must be reported within at most 5 days if the transferred money a exceeds a given threshold of $2,000.

The event trans(c,t,a) denotes that the client c performs the transaction t, transferring the amount a. The report(t) event denotes that the transaction t is reported.

**Verdict**

The property is not satisfied. In particular, there are two violations, namely:

@92 (time-point 320423): (3196,26167,2120)

@92 (time-point 320424): (2552,4409,2151)

The first one reads as follows: At timestamp 92 the transaction 26167 of the client 3196 transferring the amount $2,120 does not satisfy the requirement.

All properties are specified in metric first-order temporal logic (MFOTL), or in its extension to aggregation operators and function symbols.

Thus, any line in a CSV formatted trace file from these benchmarks has the form

*p,tp=i,ts=t,f1=v1,f2=v2,...,fn=vn*

where p is the event name, i is its time point, t is the timestamp of its occurrence, and v1,...,vn are the values of its parameters.

Events that have the same time point are assumed to be unordered. However, events with different time points are assumed to be ordered, even if they have the same timestamps.
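The following added example (not part of the benchmark or of any monitoring tool) parses trace lines of the form above and checks the reporting property offline. The field names `c`, `t`, `a` and the sample trace are constructed; only parameter positions are used. An obligation whose deadline the trace has not yet reached is returned as pending, not as a violation.

```python
from collections import namedtuple

Event = namedtuple("Event", "name tp ts args")

def parse_line(line):
    """Parse 'p,tp=i,ts=t,f1=v1,...,fn=vn'; parameter values are kept in order."""
    name, *fields = [f.strip() for f in line.strip().split(",")]
    pairs = [f.partition("=") for f in fields]
    if len(pairs) < 2 or pairs[0][0] != "tp" or pairs[1][0] != "ts":
        raise ValueError(f"malformed trace line: {line!r}")
    return Event(name, int(pairs[0][2]), int(pairs[1][2]),
                 tuple(v for _, _, v in pairs[2:]))

def check_reporting(events, threshold=2000, window=6):
    """Return (violations, pending) for
    trans(c,t,a) AND threshold < a IMPLIES EVENTUALLY[0,window) report(t)."""
    reports = {}  # transaction id -> [(tp, ts)] of its report(t) events
    for e in events:
        if e.name == "report":
            reports.setdefault(e.args[0], []).append((e.tp, e.ts))
    last_ts = max((e.ts for e in events), default=0)
    violations, pending = [], []
    for e in events:
        if e.name != "trans" or int(e.args[2]) <= threshold:
            continue
        # A witness must sit at the same or a later time point: time points
        # order events even when their timestamps are equal.
        if any(tp >= e.tp and ts - e.ts < window
               for tp, ts in reports.get(e.args[1], [])):
            continue
        verdict = (e.ts, e.tp, tuple(int(v) for v in e.args))
        # The deadline has passed only once the trace reaches ts + window.
        (violations if last_ts - e.ts >= window else pending).append(verdict)
    return violations, pending

# Constructed sample trace (not taken from the benchmark files).
TRACE = """\
trans,tp=0,ts=10,c=1,t=100,a=2500
report,tp=1,ts=15,t=100
report,tp=2,ts=20,t=200
trans,tp=3,ts=20,c=2,t=200,a=3000
trans,tp=3,ts=20,c=3,t=300,a=1500
trans,tp=4,ts=21,c=4,t=400,a=2100
report,tp=5,ts=27,t=400
trans,tp=6,ts=27,c=5,t=500,a=9000
"""
EVENTS = [parse_line(line) for line in TRACE.splitlines()]
```

Transaction 200 is flagged although a report carries the same timestamp, because that report sits at an earlier time point; transaction 400 is flagged because its report arrives 6 days later, just outside the half-open interval.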

**Specification (in MFOTL)**

*ALWAYS FORALL c, t, a. trans(c,t,a) AND 2000 < a IMPLIES ONCE[2,21) EXISTS e. auth(e,t)*

**Informal explanation**

The property requires that executed transactions t of any customer c must be reported within at most 5 days if the transferred money a exceeds a given threshold of $2,000.

The event trans(c,t,a) denotes that the client c performs the transaction t, transferring the amount a. The report(t) event denotes that the transaction t is reported.

**Verdict**

The property is not satisfied. In particular, there are two violations, namely:

*@92 (time-point 323302): (807,17368,2495)*

*@92 (time-point 323303): (3196,26167,2120)*

*@92 (time-point 323304): (2552,4409,2151)*

The first one reads as follows: At timestamp 92 the transaction 26167 of the client 3196 transferring the amount $2,120 does not satisfy the requirement.

**Specification (in MFOTL)**

ALWAYS FORALL a, f.

publish(a,f) IMPLIES

(NOT acc_F(a) SINCE[0,*) acc_S(a))

AND

ONCE[0,10] EXISTS m.

(NOT mgr_F(m,a) SINCE[0,*) mgr_S(m,a)) AND approve(m,f)

**Informal explanation**

The property requires that any report must be approved prior to its publication. Furthermore, the property asks that the person who publishes the report must be an accountant and the person who approves the publication must be the accountant’s manager. Finally, the approval must happen within at most 10 days before the publication.

The event publish(a,f) denotes the publication of the report f by the accountant a. The event approve(m,f) denotes the publishing approval of the report f by the manager m. The event mgr_S(m,a) marks the time when m starts being a’s manager and the event mgr_F(m,a) marks the corresponding finishing time. Analogously, acc_S(a) and acc_F(a) mark the starting and finishing times when a is an accountant.

**Verdict**

The property is not satisfied. In particular, there are two violations, namely:

@91 (time-point 57347): (93,25218)

@91 (time-point 57348): (51,7848)

@91 (time-point 57350): (35,19053)

@91 (time-point 57351): (88,17294)

The first one reads as follows: At timestamp 91, the accountant 93 published the report 25218 without satisfying the approval policy.

**Specification (in MFOTL)**

ALWAYS FORALL s, u.

(s <- SUM a;u ONCE[0,28] withdraw(u,a) AND tp(i)) IMPLIES s <= 10000

**Informal explanation**

The property requires that the sum of withdrawals of each user in the last 28 days does not exceed the limit of $10,000.

The event withdraw(u,a) denotes the withdrawal of the amount a by the user u. The event tp(i) denotes that the current time point is i. This event is used in the formalization to distinguish different events withdraw(u,a) with the same values for u and a in the relevant time window.

**Verdict**

The property is not satisfied. In particular, there are the following violations:

@29 (time-point 28): (10013,u324)

@32 (time-point 31): (10023,u324)

@39 (time-point 38): (10015,u761)

@40 (time-point 39): (10125,u761) (10215,u744)

@41 (time-point 40): (10334,u761) (10405,u744)

@42 (time-point 41): (10311,u744) (10357,u761) (10363,u977)

@43 (time-point 42): (10034,u761) (10372,u977)

@44 (time-point 43): (10375,u761) (10642,u977)

@45 (time-point 44): (10340,u761) (10961,u977)

@46 (time-point 45): (10304,u761) (10999,u977)

@47 (time-point 46): (10020,u503) (10187,u761) (11160,u977)

@48 (time-point 47): (10585,u977)

@49 (time-point 48): (10209,u977)

@51 (time-point 50): (10057,u977)

@52 (time-point 51): (10095,u977)

@53 (time-point 52): (10022,u977) (10193,u744)

@57 (time-point 56): (10114,u181)

@58 (time-point 57): (10203,u181)

The first one reads as follows: At timestamp 29, the user u324 had withdrawn a total amount of $10,013 in the last 28 days, and thus violates the requirement.
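The role of tp(i) in the withdrawal limit can be seen in the following added example (not code from the benchmark or from a monitoring tool), which evaluates the sum at every time point with and without the time-point component. The function name, the `with_tp` switch and the sample data are constructed for illustration; the example assumes the sum ranges over the set of satisfying valuations, so equal (u,a) pairs collapse when tp(i) is dropped.

```python
from collections import defaultdict

def limit_violations(timepoints, withdrawals, limit=10000, window=28, with_tp=True):
    """timepoints: {time point: timestamp}; withdrawals: [(time point, user, amount)].
    Returns {(ts, tp): [(sum, user), ...]} for each time point where the sum of a
    user's withdrawals over ONCE[0,window] exceeds the limit."""
    verdicts = {}
    for tp_i, ts_i in sorted(timepoints.items()):
        # Valuations of ONCE[0,window] (withdraw(u,a) AND tp(i)) at time point tp_i.
        # Built as a set: without the time-point component, two withdrawals
        # with the same user and amount become a single valuation.
        valuations = {(u, a, tp if with_tp else None)
                      for tp, u, a in withdrawals
                      if tp <= tp_i and ts_i - timepoints[tp] <= window}
        sums = defaultdict(int)
        for u, a, _ in valuations:
            sums[u] += a
        over = sorted((s, u) for u, s in sums.items() if s > limit)
        if over:
            verdicts[(ts_i, tp_i)] = over
    return verdicts

# Constructed sample data: u1 withdraws 4000 twice, then 3000.
TIMEPOINTS = {0: 1, 1: 2, 2: 20, 3: 29, 4: 30}
WITHDRAWALS = [
    (0, "u1", 4000),
    (1, "u1", 4000),   # same user and amount as time point 0
    (2, "u1", 3000),
    (2, "u2", 500),
]

WITH_TP = limit_violations(TIMEPOINTS, WITHDRAWALS)
WITHOUT_TP = limit_violations(TIMEPOINTS, WITHDRAWALS, with_tp=False)
```

With tp(i) the sum for u1 is 11000 at timestamps 20 and 29 (the window is closed, so the withdrawal 28 days back still counts) and drops to 7000 at timestamp 30; without it the two 4000 withdrawals collapse into one and the monitor reports nothing.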

