Results 1-10 of 36
Model Checking for Programming Languages using VeriSoft
In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, 1997
Abstract

Cited by 369 (12 self)
Verification by state-space exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing model-checking techniques are restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. In this paper, we discuss how model checking can be extended to deal directly with "actual" descriptions of concurrent systems, e.g., implementations of communication protocols written in programming languages such as C or C++. We then introduce a new search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary C code. As an example of application, we describe how VeriSoft successfully discovered an error in a 2500-line C program controlling rob...
Smart cars on smart roads: Problems of control
IEEE Transactions on Automatic Control, 1993
"... have been inadvertently introduced. ..."
Verification Tools for Finite-State Concurrent Systems
Abstract

Cited by 117 (3 self)
Temporal logic model checking is an automatic technique for verifying finite-state concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a state-transition graph. An efficient search procedure is used to determine whether or not the state-transition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10^120 states. In this paper we describe in detail how the new implementation works and
Efficient Generation of Counterexamples and Witnesses in Symbolic Model Checking
, 1994
Abstract

Cited by 48 (2 self)
Model checking is an automatic technique for verifying sequential circuit designs and protocols. An efficient search procedure is used to determine whether or not the specification is satisfied. If it is not satisfied, our technique will produce a counterexample execution trace that shows the cause of the problem. Although finding counterexamples is extremely important, there is no description of how to do this in the literature on model checking. We describe an efficient algorithm to produce counterexamples and witnesses for symbolic model checking algorithms. This algorithm is used in the SMV model checker and works quite well in practice. We also discuss how to extend our technique to more complicated specifications. This extension makes it possible to find counterexamples for verification procedures based on showing language containment between various types of ω-automata.
Timing Verification by Successive Approximation
Information and Computation, 1995
Abstract

Cited by 44 (11 self)
We present an algorithm for verifying that a model M with timing constraints satisfies a given temporal property T. The model M is given as a parallel composition of ω-automata P_i, where each automaton P_i is constrained by bounds on delays. The property T is given as an ω-automaton as well, and the verification problem is posed as a language inclusion question L(M) ⊆ L(T). In constructing the composition M of the constrained automata P_i, one needs to rule out the behaviors that are inconsistent with the delay bounds, and this step is (provably) computationally expensive. We propose an iterative solution which involves generating successive approximations M_j to M, with containment L(M) ⊆ L(M_j) and monotone convergence L(M_j) → L(M) within a bounded number of steps. As the succession progresses, the approximations M_j become more complex. At any step of the iteration one may get a proof or a counterexample to the original language inclusion question. The described algori...
BDD variable ordering for interacting finite state machines
In Proc. of the Design Automation Conf., 1994
Abstract

Cited by 41 (7 self)
We address the problem of obtaining good variable orderings for the BDD representation of a system of interacting finite state machines (FSMs). Orderings are derived from the communication structure of the system. Communication complexity arguments are used to prove upper bounds on the size of the BDD for the transition relation of the product machine in terms of the communication graph, and optimal orderings are exhibited for a variety of regular systems. Based on the bounds we formulate algorithms for variable ordering. We perform reached state analysis on a number of standard verification benchmarks to test the effectiveness of our ordering strategy; experimental results demonstrate the efficacy of our approach. The algorithms described in this paper have been implemented in HSIS, a hierarchical synthesis and verification tool currently under development at Berkeley.
Model checking TLA+ specifications
Correct Hardware Design and Verification Methods, 1999
Abstract

Cited by 38 (5 self)
TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it.
1 Introduction
Model checkers are usually judged by the size of system they can handle and the class of properties they can check [3, 16, 4]. The system is generally described in either a hardware-description language or a language tailored to the needs of the model checker. The criteria that inspired the model checker TLC are completely different. TLC checks specifications written in TLA+, a rich language with a well-defined semantics that was designed for expressiveness and ease of formal reasoning, not model checking. Two main goals led us to this approach: The systems that interest us are too large and complicated to be completely
A Building Block Approach to Detecting and Resolving Feature Interactions
In Feature Interactions in Telecommunications Systems, 1994
Abstract

Cited by 37 (1 self)
This paper presents a methodology we envision for detecting and resolving feature interactions. The methodology is based on a building block approach, in which features and their operating contexts are building blocks that can be composed in any combination to detect and resolve their interactions. This methodology is applicable to the phases in the software life cycle that address the creation of new features such as requirements, specification, and verification. By creating a well-defined process for determining feature compatibility, with clearly defined steps and appropriate techniques/tools, it will then be possible to systematically model features, and detect and resolve interactions among features. The primary goal is to provide a support environment which feature designers can use to specify and verify the requirements of a feature, detect its possible interactions with other features, and finally verify the resolution of any detected interactions. As an ongoing effort at Bel...
Verification of a Multiplier: 64 Bits and beyond
, 1993
Abstract

Cited by 35 (6 self)
Verifying a 64-bit multiplier has a computational complexity that puts it beyond the grasp of current finite-state algorithms, including those based upon homomorphic reduction, the induction principle, and BDD fixed-point algorithms. Theorem proving, while not bound by the same computational constraints, may not be feasible for routinely coping with the complex, low-level details of a real multiplier. We show how to verify such a multiplier by applying COSPAN, a model-checking algorithm, to verify local properties of the complex low-level circuit, and using TLP, a theorem prover based on the Temporal Logic of Actions, to prove that these properties imply the correctness of the multiplier. Both verification steps are automated, and we plan to mechanize the translation between the languages of TLP and COSPAN.
Model checking electronic commerce protocols
In Proc. of the USENIX 1996 Workshop on Electronic Commerce, 1996
Abstract

Cited by 28 (4 self)
The paper develops model checking techniques to examine NetBill and Digicash. We show how model checking can verify atomicity properties by analyzing simplified versions of these protocols that retain crucial security constraints. For our analysis we used the FDR model checker.
1 Atomicity Properties
Correctness is a prime concern for electronic commerce protocols. How can we show that a given protocol is safe for use? Here we show how to use model checking to test whether electronic commerce protocols satisfy some given atomicity properties. For verifying properties of protocols, model checking is a dramatic improvement over doing hand proofs, because it is mechanizable; it is a dramatic improvement over using state-of-the-art theorem provers because it is automatic, fast, and requires no human interaction. Moreover, we found a number of problems in proposed electronic commerce protocols using model checking. Model checking allows us to focus on just those aspects of the protocol necessary to guarantee desired properties. In doing so, we can gain a better understanding of why the protocol works and often can identify places of optimizing it. For this paper, we have chosen to check atomicity properties. [2] argue that these properties are central to electronic commerce protocols. In an atomic protocol, an electronic purchase either aborts with no transfer of money and goods; or