Results 1  10
of
77
Model checking large software specifications
 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
, 1998
"... In this paper, we present our experiences in using symbolic model checking to analyze a specification of a software system for aircraft collision avoidance. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in whether model checking can be effect ..."
Abstract

Cited by 117 (6 self)
 Add to MetaCart
In this paper, we present our experiences in using symbolic model checking to analyze a specification of a software system for aircraft collision avoidance. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in whether model checking can be effectively applied to large software specifications. To investigate this, we translated a portion of the statebased system requirements specification of Traffic Alert and Collision Avoidance System II (TCAS II) into input to a symbolic model checker (SMV). We successfully used the symbolic model checker to analyze a number of properties of the system. We report on our experiences, describing our approach to translating the specification to the SMV language, explaining our methods for achieving acceptable performance, and giving a summary of the properties analyzed. Based on our experiences, we discuss the possibility of using model checking to aid specification development by iteratively applying the technique early in the development cycle. We consider the paper to be a data point for optimism about the potential for more widespread application of model checking to software systems.
Verification of Arithmetic Circuits with Binary Moment Diagrams
 IN PROCEEDINGS OF THE 32ND ACM/IEEE DESIGN AUTOMATION CONFERENCE
, 1995
"... Binary Moment Diagrams (BMDs) provide a canonical representations for linear functions similar to the way Binary Decision Diagrams (BDDs) represent Boolean functions. Within the class of linear functions, we can embed arbitrary functions from Boolean variables to integer values. BMDs can thus model ..."
Abstract

Cited by 93 (10 self)
 Add to MetaCart
Binary Moment Diagrams (BMDs) provide a canonical representations for linear functions similar to the way Binary Decision Diagrams (BDDs) represent Boolean functions. Within the class of linear functions, we can embed arbitrary functions from Boolean variables to integer values. BMDs can thus model the functionality of data path circuits operating over wordlevel data. Many important functions, including integer multiplication, that cannot be represented efficiently at the bit level with BDDs have simple representations at the word level with BMDs. Furthermore, BMDs can represent Boolean functions with around the same complexity as BDDs. We propose a hierarchical approach to verifying arithmetic circuits, wherecomponentmodulesare first shownto implement their wordlevel specifications. The overall circuit functionality is then verified by composing the component functions and comparing the result to the wordlevel circuit specification. Multipliers with word sizes of up to 256 bits hav...
ACL2 Theorems about Commercial Microprocessors
, 1996
"... ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of stateoftheart ..."
Abstract

Cited by 68 (14 self)
 Add to MetaCart
ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of stateoftheart commercial microprocessors prior to fabrication. In the first project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a singlechip, digital signal processor (DSP) optimized for communications signal processing. Using the specification, we proved the correctness of several CAP microcode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the floatingpoint division operation on AMD's first Pentiumclass microprocessor, the AMD5K 86. In this paper, we discuss ACL2 and these industrial applications, with particular attention ...
Markovian Analysis of Large Finite State Machines
 IEEE Transactions on CAD
, 1996
"... Regarding finite state machines as Markov chains facilitates the application of probabilistic methods to very large logic synthesis and formal verification problems. In this paper we present symbolic algorithms to compute the steadystate probabilities for very large finite state machines (up to 10 ..."
Abstract

Cited by 68 (7 self)
 Add to MetaCart
Regarding finite state machines as Markov chains facilitates the application of probabilistic methods to very large logic synthesis and formal verification problems. In this paper we present symbolic algorithms to compute the steadystate probabilities for very large finite state machines (up to 10 27 states). These algorithms, based on Algebraic Decision Diagrams (ADDs)  an extension of BDDs that allows arbitrary values to be associated with the terminal nodes of the diagrams  determine the steadystate probabilities by regarding finite state machines as homogeneous, discreteparameter Markov chains with finite state spaces, and by solving the corresponding ChapmanKolmogorov equations. We first consider finite state machines with state graphs composed of a single terminal strongly connected component; for this type of systems we have implemented two solution techniques: One is based on the GaussJacobi iteration, the other one is based on simple matrix multiplication. Then we...
Hybrid decision diagrams  overcoming the limitations of MTBDDs and BMDs
 In Int'l Conf. on CAD
, 1995
"... e�mail � emc�cs.cmu.edu e�mail � masahiro�eecs.berkeley.edu e�mail � xzhao�cs.cmu.edu Abstract � Functions that map boolean vectors into the in� tegers are important for the design and veri�cation of arith� metic circuits. MTBDDs and BMDs have been proposed for representing this class of functions. ..."
Abstract

Cited by 55 (3 self)
 Add to MetaCart
e�mail � emc�cs.cmu.edu e�mail � masahiro�eecs.berkeley.edu e�mail � xzhao�cs.cmu.edu Abstract � Functions that map boolean vectors into the in� tegers are important for the design and veri�cation of arith� metic circuits. MTBDDs and BMDs have been proposed for representing this class of functions. We discuss the relation� ship between these methods and describe a generalization called hybrid decision diagrams which is often much more concise. We show how to implement arithemetic operations e�ciently for hybrid decision diagrams. In practice � this is one of the main limitations of BMDs since performing arith� metic operations on functions expressed in this notation can be very expensive. In order to extend symbolic model check� ing algorithms to handle arithmetic properties � it is essential to be able to compute the BDD for the set of variable as� signments that satisfy an arithmetic relation. In our paper� we give an e�cient algorithm for this purpose. Moreover� we prove that for the class of linear expressions � the time complexity of our algorithm is linear in the number of vari� ables. 1
Boolean Expression Diagrams
, 1997
"... This paper presents a new data structure called Boolean Expression Diagrams (BEDs) for representing and manipulating Boolean functions. BEDs are a generalization of Binary Decision Diagrams (BDDs) which can represent any Boolean circuit in linear space and still maintain many of the desirable proper ..."
Abstract

Cited by 46 (5 self)
 Add to MetaCart
This paper presents a new data structure called Boolean Expression Diagrams (BEDs) for representing and manipulating Boolean functions. BEDs are a generalization of Binary Decision Diagrams (BDDs) which can represent any Boolean circuit in linear space and still maintain many of the desirable properties of BDDs. Two algorithms are described for transforming a BED into a reduced ordered BDD. One is a generalized version of the BDD applyoperator while the other can exploit the structural information of the Boolean expression. This ability is demonstrated by verifying that two di erent circuit implementations of a 16bit multiplier implement the same Boolean function. Using BEDs, this veri cation problem is solved in less than a second, while using standard BDD techniques this problem is infeasible. Generally, BEDs are useful in applications, for example tautology checking, where the endresult as a reduced ordered BDD is small.
A Lower Bound For Integer Multiplication With ReadOnce Branching Programs
 Proceedings of the 27th STOC
, 1998
"... . We prove that readonce branching programs computing integer multiplication require size 2 ## # n) . This is the first nontrivial lower bound for multiplication on branching programs that are not oblivious. By the appropriate problem reductions, we obtain the same lower bound for other arithmeti ..."
Abstract

Cited by 34 (0 self)
 Add to MetaCart
. We prove that readonce branching programs computing integer multiplication require size 2 ## # n) . This is the first nontrivial lower bound for multiplication on branching programs that are not oblivious. By the appropriate problem reductions, we obtain the same lower bound for other arithmetic functions. Key words. multiplication, readonce, branching programs, BDD, verification AMS subject classifications. 68Q05, 68Q25, 68M15 PII. S0097539795290349 1. Introduction and background. It is well known that many functions, some of them very simple, cannot be computed by readonce branching programs of polynomial size [We88, Za84, Du85, We87, BHST87, Ju88, Kr88]. Interest in whether integer multiplication can be so computed has been created by recent developments in the field of digital design and hardware verification. 1.1. Hardware verification and branching programs. The central problem of verification is to check whether a combinational hardware circuit has been correctly designe...
Bisimulation Algorithms for Stochastic Process Algebras and their BDDbased Implementation
 In ARTS, LNCS 1601
, 1999
"... . Stochastic process algebras have been introduced in order to enable compositional performance analysis. The size of the state space is a limiting factor, especially if the system consists of many cooperating components. To fight state space explosion, various proposals for compositional aggregatio ..."
Abstract

Cited by 27 (13 self)
 Add to MetaCart
. Stochastic process algebras have been introduced in order to enable compositional performance analysis. The size of the state space is a limiting factor, especially if the system consists of many cooperating components. To fight state space explosion, various proposals for compositional aggregation have been made. They rely on minimisation with respect to a congruence relation. This paper addresses the computational complexity of minimisation algorithms and explains how efficient, BDDbased data structures can be employed for this purpose. 1 Introduction Compositional application of stochastic process algebras (SPA) is particularly successful if the system structure can be exploited during Markov chain generation. For this purpose, congruence relations have been developed which justify minimisation of components without touching behavioural properties. Examples of such relations are strong equivalence [22], (strong and weak) Markovian bisimilarity [16] and extended Markovian bisimi...
Symbolic Trajectory Evaluation
 Formal Hardware Verification
, 1996
"... ion The main problem with model checking is the state explosion problem  the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significa ..."
Abstract

Cited by 26 (6 self)
 Add to MetaCart
ion The main problem with model checking is the state explosion problem  the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significant improvements in performance. The direct method of verifying that a circuit has a property f is to show the model M satisfies f . The idea behind abstraction is that instead of verifying property f of model M , we verify property f A of model MA and the answer we get helps us answer the original problem. The system MA is an abstraction of the system M . One possibility is to build an abstraction MA that is equivalent (e.g. bisimilar [48]) to M . This sometimes leads to performance advantages if the state space of MA is smaller than M . This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent...
Composite Model Checking: Verification with TypeSpecific Symbolic Representations
 ACM Transactions on Software Engineering and Methodology
, 2000
"... In recent years, there has been a surge of progress in automated verification methods based on state exploration. In areas like hardware design, these technologies are rapidly augmenting key phases of testing and validation. To date, one of the most successful of these methods has been symbolic mode ..."
Abstract

Cited by 24 (7 self)
 Add to MetaCart
In recent years, there has been a surge of progress in automated verification methods based on state exploration. In areas like hardware design, these technologies are rapidly augmenting key phases of testing and validation. To date, one of the most successful of these methods has been symbolic model checking, in which large finitestate machines are encoded into compact data structures such as binary decision diagrams (BDDs)  and are then checked for safety and liveness properties. However, these techniques have not realized the same success on software systems. One limitation is their inability to deal with infinitestate programs  even those with a single unbounded integer. A second problem is that of finding efficient representations for various variable types. We recently proposed a model checker for integerbased systems that uses arithmetic constraints as the underlying state representation. While this approach easily verified some subtle, infinitestate concurrency problems...