Results 1  10
of
94
Symbolic Boolean manipulation with ordered binarydecision diagrams
 ACM Computing Surveys
, 1992
"... Ordered BinaryDecision Diagrams (OBDDS) represent Boolean functions as directed acyclic graphs. They form a canonical representation, making testing of functional properties such as satmfiability and equivalence straightforward. A number of operations on Boolean functions can be implemented as grap ..."
Abstract

Cited by 996 (14 self)
 Add to MetaCart
Ordered BinaryDecision Diagrams (OBDDS) represent Boolean functions as directed acyclic graphs. They form a canonical representation, making testing of functional properties such as satmfiability and equivalence straightforward. A number of operations on Boolean functions can be implemented as graph algorithms on OBDD
LSCs: Breathing Life into Message Sequence Charts
, 2001
"... While message sequence charts (MSCs) are widely used in industry to document the interworking of processes or objects, they are expressively weak, being based on the modest semantic notion of a partial ordering of events as defined, e.g., in the ITU standard. A highly expressive and rigorously defin ..."
Abstract

Cited by 425 (71 self)
 Add to MetaCart
(Show Context)
While message sequence charts (MSCs) are widely used in industry to document the interworking of processes or objects, they are expressively weak, being based on the modest semantic notion of a partial ordering of events as defined, e.g., in the ITU standard. A highly expressive and rigorously defined MSC language is a must for serious, semantically meaningful tool support for usecases and scenarios. It is also a prerequisite to addressing what we regard as one of the central problems in behavioral specification of systems: relating scenariobased interobject specification to statemachine intraobject specification. This paper proposes an extension of MSCs, which we call live sequence charts (or LSCs), since our main extension deals with specifying "liveness", i.e., things that must occur. In fact, LSCs allow the distinction between possible and necessary behavior both globally, on the level of an entire chart and locally, when specifying events, conditions and progress over time within a chart. This makes it possible to specify forbidden scenarios, for example, and enables naturally specified structuring constructs such as subcharts, branching and iteration.
ModelChecking in Dense Realtime
 INFORMATION AND COMPUTATION
, 1993
"... Modelchecking is a method of verifying concurrent systems in which a statetransition graph model of the system behavior is compared with a temporal logic formula. This paper extends modelchecking for the branchingtime logic CTL to the analysis of realtime systems, whose correctness depends on t ..."
Abstract

Cited by 311 (7 self)
 Add to MetaCart
(Show Context)
Modelchecking is a method of verifying concurrent systems in which a statetransition graph model of the system behavior is compared with a temporal logic formula. This paper extends modelchecking for the branchingtime logic CTL to the analysis of realtime systems, whose correctness depends on the magnitudes of the timing delays. For specifications, we extend the syntax of CTL to allow quantitative temporal operators such as 93!5 , meaning "possibly within 5 time units." The formulas of the resulting logic, Timed CTL (TCTL), are interpreted over continuous computation trees, trees in which paths are maps from the set of nonnegative reals to system states. To model finitestate systems we introduce timed graphs  statetransition graphs annotated with timing constraints. As our main result, we develop an algorithm for modelchecking, for determining the truth of a TCTLformula with respect to a timed graph. We argue that choosing a dense domain instead of a discrete domain to mo...
Model Checking and Modular Verification
 ACM Transactions on Programming Languages and Systems
, 1991
"... We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing ..."
Abstract

Cited by 305 (11 self)
 Add to MetaCart
(Show Context)
We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assumeguarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...
Computing Simulations on Finite and Infinite Graphs
, 1996
"... . We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges ..."
Abstract

Cited by 171 (6 self)
 Add to MetaCart
(Show Context)
. We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m n). For effectively presented infinite graphs, we present a symbolic similaritychecking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the 8CTL modelchecking problem are decidable for 2D rectangular automata. 1 Introduction A labeled graph G = (V; E;A; hh\Deltaii) consist of a (possibly infinite) set V of vertices, a set E ` V 2 of edges, a set A of labels, and a function hh\Deltaii : V ! A that maps each vertex v to a label hh...
Another Look at LTL Model Checking
 FORMAL METHODS IN SYSTEM DESIGN
, 1994
"... We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by Mc ..."
Abstract

Cited by 114 (11 self)
 Add to MetaCart
(Show Context)
We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated.
Symbolic Verification of Communication Protocols with Infinite State Spaces using QDDs (Extended Abstract)
 In CAV'96. LNCS 1102
"... ) Bernard Boigelot Universit'e de Li`ege Institut Montefiore, B28 4000 Li`ege SartTilman, Belgium Email: boigelot@montefiore.ulg.ac.be Patrice Godefroid Lucent Technologies  Bell Laboratories 1000 E. Warrenville Road Naperville, IL 60566, U.S.A. Email: god@belllabs.com Abstract We study ..."
Abstract

Cited by 94 (7 self)
 Add to MetaCart
(Show Context)
) Bernard Boigelot Universit'e de Li`ege Institut Montefiore, B28 4000 Li`ege SartTilman, Belgium Email: boigelot@montefiore.ulg.ac.be Patrice Godefroid Lucent Technologies  Bell Laboratories 1000 E. Warrenville Road Naperville, IL 60566, U.S.A. Email: god@belllabs.com Abstract We study the verification of properties of communication protocols modeled by a finite set of finitestate machines that communicate by exchanging messages via unbounded FIFO queues. It is wellknown that most interesting verification problems, such as deadlock detection, are undecidable for this class of systems. However, in practice, these verification problems may very well turn out to be decidable for a subclass containing most "real" protocols. Motivated by this optimistic (and, we claim, realistic) observation, we present an algorithm that may construct a finite and exact representation of the state space of a communication protocol, even if this state space is infinite. Our algorithm performs a loo...
Programming and verifying realtime systems by means of the synchronous dataflow language LUSTRE
, 1994
"... We investigate the benefits of using a synchronous dataflow language for programming critical realtime systems. These benefits concern ergonomy  since the dataflow approach meets traditional description tools used in this domain , and ability to support formal design and verification methods ..."
Abstract

Cited by 88 (12 self)
 Add to MetaCart
We investigate the benefits of using a synchronous dataflow language for programming critical realtime systems. These benefits concern ergonomy  since the dataflow approach meets traditional description tools used in this domain , and ability to support formal design and verification methods. We show, on a simple example, how the language Lustre and its associated verification tool Lesar, can be used to design a program, to specify its critical properties, and to verify these properties. As the language Lustre and its use have been already published in several papers (e.g., [11, 18]), we put particular emphasis on program verification. A preliminary version of this paper has been published in [28]. 1 Introduction It is useless to repeat why realtime programs are among those in which errors can have the most dramatic consequences. Thus, these programs constitute a domain where there is a special need of rigorous design methods. We advocate a "language approach" to this problem...
Compiling RealTime Specifications into Extended Automata
 IEEE Transactions on Software Engineering
, 1992
"... We propose a method for the implementation and analysis of realtime systems, based on the compilation of specifications into extended automata. Such a method has been already adopted for the so called "synchronous" realtime programming languages. ..."
Abstract

Cited by 80 (8 self)
 Add to MetaCart
We propose a method for the implementation and analysis of realtime systems, based on the compilation of specifications into extended automata. Such a method has been already adopted for the so called "synchronous" realtime programming languages.
Planning as Model Checking for Extended Goals in NonDeterministic Domains
, 2001
"... Recent research has addressed the problem of planning in nondeterministic domains. Classical planning has also been extended to the case of goals that can express temporal properties. However, the combination of these two aspects is not trivial. In nondeterministic domains, goals should take ..."
Abstract

Cited by 79 (15 self)
 Add to MetaCart
Recent research has addressed the problem of planning in nondeterministic domains. Classical planning has also been extended to the case of goals that can express temporal properties. However, the combination of these two aspects is not trivial. In nondeterministic domains, goals should take into account the fact that a plan may result in many possible different executions and that some requirements can be enforced on all the possible executions, while others may be enforced only on some executions. In this paper we address this problem.