Results 1-10 of 19
Module Checking
1996
Cited by 114 (12 self)
Abstract: In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, model-checking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current model-checking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (module checking, for short). We show that while module che...
Vacuity Detection in Temporal Model Checking
1999
Cited by 79 (15 self)
Abstract: One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error even when model checking succeeds. The main justification for such suspicion is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal-logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Module checking revisited
In Proc. 9th CAV, LNCS 1254, 1997
Cited by 44 (6 self)
Abstract: When we verify the correctness of an open system with respect to a desired requirement, we should take into consideration the different environments with which the system may interact. Each environment induces a different behavior of the system, and we want all these behaviors to satisfy the requirement. Module checking is an algorithmic method that checks, given an open system (modeled as a finite structure) and a desired requirement (specified by a temporal-logic formula), whether the open system satisfies the requirement with respect to all environments. In this paper we extend the module-checking method with respect to two orthogonal issues. Both issues concern the fact that often we are not interested in satisfaction of the requirement with respect to all environments, but only with respect to those that meet some restriction. We consider the case where the environment has incomplete information about the system, i.e., when the system has internal variables which are not readable by its environment, and the case where some assumptions are known about the environment, i.e., when the system is guaranteed to satisfy the requirement only when its environment satisfies certain assumptions. We study the complexities of the extended module-checking problems. In particular, we show that for universal temporal logics (e.g., LTL, ∀CTL, and ∀CTL*), module checking with incomplete information coincides with module checking, which by itself coincides with model checking. On the other hand, for nonuniversal temporal logics (e.g., CTL and CTL*), module checking with incomplete information is harder than module checking, which is by itself harder than model checking.
Assume-Guarantee Model Checking of Software: A Comparative Case Study
In Theoretical and Practical Aspects of SPIN Model Checking, volume 1680 of Lecture Notes in Computer Science, 1999
Cited by 41 (3 self)
Abstract: A variety of assume-guarantee model checking approaches have been proposed in the literature. In this paper, we describe several possible implementations of those approaches for checking properties of software components (units) using the SPIN and SMV model checkers. Model checking software units requires, in general, the definition of an environment which establishes the runtime context in which the unit executes. We describe how implementations of such environments can be synthesized from specifications of assumed environment behavior written in LTL. Those environments can then be used to check properties that the software unit must guarantee, which can be written in LTL or ACTL. We report on several experiments that provide evidence about the relative performance of the different assume-guarantee approaches.
1 Introduction
Model checking is maturing into an effective technique for validating and verifying properties of complex systems and is beginning to be included as pa...
On the completeness of compositional reasoning
Computer Aided Verification, 12th International Conference, CAV 2000
Relating Linear and Branching Model Checking
In IFIP Working Conference on Programming Concepts and Methods, 1996
Cited by 23 (8 self)
Abstract: The difference in the complexity of branching and linear model checking has been viewed as an argument in favor of the branching paradigm. In particular, the computational advantage of CTL model checking over LTL model checking makes CTL a popular choice, leading to efficient model-checking tools for this logic. Can we use these tools in order to verify linear properties? In this paper we relate branching and linear model checking. With each LTL formula ψ, we associate a CTL formula ψ^A that is obtained from ψ by preceding each temporal operator by the universal path quantifier A. We first describe a number of attempts to utilize the tight syntactic relation between ψ and ψ^A in order to use CTL model-checking tools in the process of checking the formula ψ. Neither attempt, however, suggests a method that is guaranteed to perform better than usual LTL model checkers. We then claim that, in practice, LTL model checkers perform nicely on formulas with equivalences of CTL. In fact, they oft...
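Three of the abstracts above rest on the same small piece of machinery, an explicit-state CTL checker over a finite structure: module checking tests a formula against every environment of an open system, Beer et al.'s vacuity check asks whether a subformula ever mattered, and the ψ^A construction turns an LTL formula into a CTL one by prefixing each temporal operator with A. The following Python is an added example that serves all three passages; it is not code from any of the papers listed here. Everything in it is constructed for illustration: the four-state open system whose environment state s0 chooses between a request and idling, the three-state lasso that separates the LTL formula F G p from its CTL image AF AG p, and the restriction of module checking to memoryless environments (each environment state keeps a non-empty subset of its moves), which is sound for reporting a violation but, unlike the papers' algorithms, does not range over environments that choose differently on different visits.

```python
"""Added example, not code from any of the listed papers.  A small
explicit-state CTL checker used for (1) module checking of a constructed open
system against every memoryless environment, (2) vacuity detection by replacing
a subformula with true/false, and (3) the syntactic LTL-to-CTL map psi -> psi^A.
Structures, formulas and the memoryless-environment restriction are assumptions
made for this illustration."""
from itertools import combinations, product

# CTL formulas are nested tuples over the primitives
#   ('ap', name)  ('not', f)  ('and', f, g)  ('EX', f)  ('EU', f, g)  ('EG', f)
TRUE = ('ap', 'true')
def AX(f): return ('not', ('EX', ('not', f)))
def EF(f): return ('EU', TRUE, f)
def AG(f): return ('not', EF(('not', f)))
def AF(f): return ('not', ('EG', ('not', f)))
def implies(f, g): return ('not', ('and', f, ('not', g)))

def sat(phi, labels, trans):
    """Set of states satisfying phi.  labels: state -> set of atoms;
    trans: state -> non-empty set of successors (total relation)."""
    op = phi[0]
    if op == 'ap':
        return {s for s in labels if phi[1] == 'true' or phi[1] in labels[s]}
    if op == 'not':
        return set(labels) - sat(phi[1], labels, trans)
    if op == 'and':
        return sat(phi[1], labels, trans) & sat(phi[2], labels, trans)
    if op == 'EX':
        good = sat(phi[1], labels, trans)
        return {s for s in labels if trans[s] & good}
    if op == 'EU':  # least fixpoint: g or (f and EX result)
        f, g = sat(phi[1], labels, trans), sat(phi[2], labels, trans)
        res = set(g)
        while True:
            grown = res | {s for s in f if trans[s] & res}
            if grown == res:
                return res
            res = grown
    if op == 'EG':  # greatest fixpoint: f and EX result
        res = sat(phi[1], labels, trans)
        while True:
            kept = {s for s in res if trans[s] & res}
            if kept == res:
                return res
            res = kept
    raise ValueError(f"unknown operator {op!r}")

def module_check(phi, labels, trans, init, env_states):
    """Check phi at init against every memoryless environment, i.e. every way
    of keeping a non-empty subset of the moves out of each environment state.
    Returns (True, None) or (False, pruning).  A reported violation is real
    (each pruning is a legal environment); a True result is weaker than the
    papers' module checking, which also covers history-dependent environments."""
    env_states = sorted(env_states)
    options = [[set(c) for r in range(1, len(trans[e]) + 1)
                for c in combinations(sorted(trans[e]), r)] for e in env_states]
    for choice in product(*options):
        pruned = dict(trans)
        pruned.update(zip(env_states, choice))
        if init not in sat(phi, labels, pruned):
            return False, dict(zip(env_states, choice))
    return True, None

def replace(phi, sub, by):
    """phi with every occurrence of the subformula sub replaced by `by`."""
    if phi == sub:
        return by
    return (phi[0],) + tuple(replace(x, sub, by) if isinstance(x, tuple) else x
                             for x in phi[1:])

def vacuous_in(phi, sub, labels, trans, init):
    """phi holds at init and still holds with sub replaced by true and by false:
    sub never mattered, so the pass is vacuous (sub occurs once in phi)."""
    def holds(f):
        return init in sat(f, labels, trans)
    return holds(phi) and holds(replace(phi, sub, TRUE)) and holds(replace(phi, sub, ('not', TRUE)))

def to_ctl_A(psi):
    """psi^A: prefix each temporal operator (X, F, G) of an LTL formula with A."""
    op = psi[0]
    if op == 'ap': return psi
    if op == 'not': return ('not', to_ctl_A(psi[1]))
    if op == 'and': return ('and', to_ctl_A(psi[1]), to_ctl_A(psi[2]))
    if op == 'X': return AX(to_ctl_A(psi[1]))
    if op == 'F': return AF(to_ctl_A(psi[1]))
    if op == 'G': return AG(to_ctl_A(psi[1]))
    raise ValueError(f"unknown LTL operator {op!r}")

# Constructed open system: at s0 the environment requests (s1) or idles (s2).
OPEN_LABELS = {'s0': set(), 's1': {'req'}, 's2': set(), 's3': {'ack'}}
OPEN_TRANS = {'s0': {'s1', 's2'}, 's1': {'s3'}, 's2': {'s0'}, 's3': {'s0'}}
REQ, ACK, P = ('ap', 'req'), ('ap', 'ack'), ('ap', 'p')
RESPONSE = AG(implies(REQ, AF(ACK)))  # universal: module checking = model checking

# Constructed lasso: every path from u0 satisfies the LTL formula F G p (it either
# stays in u0 forever or ends up in u2), yet psi^A = AF AG p fails at u0.
LASSO_LABELS = {'u0': {'p'}, 'u1': set(), 'u2': {'p'}}
LASSO_TRANS = {'u0': {'u0', 'u1'}, 'u1': {'u2'}, 'u2': {'u2'}}

def demo():
    idle_only = dict(OPEN_TRANS, s0={'s2'})  # one particular environment
    return {
        'closed EF ack': 's0' in sat(EF(ACK), OPEN_LABELS, OPEN_TRANS),
        'module EF ack': module_check(EF(ACK), OPEN_LABELS, OPEN_TRANS, 's0', {'s0'}),
        'module response': module_check(RESPONSE, OPEN_LABELS, OPEN_TRANS, 's0', {'s0'}),
        'response vacuous, all moves': vacuous_in(RESPONSE, AF(ACK), OPEN_LABELS, OPEN_TRANS, 's0'),
        'response vacuous, idle only': vacuous_in(RESPONSE, AF(ACK), OPEN_LABELS, idle_only, 's0'),
        'AF AG p at u0': 'u0' in sat(to_ctl_A(('F', ('G', P))), LASSO_LABELS, LASSO_TRANS),
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value}')
```

Running demo() shows the three points in one place: EF ack holds in the closed model but the environment that always idles refutes it, while the universal response property survives every pruning; the same response property passes vacuously under the idle-only environment because no request ever occurs, which replacing AF ack by false exposes; and AF AG p is strictly stronger than F G p on the lasso, so ψ^A cannot simply stand in for ψ.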
An Automata-Theoretic Approach to Modular Model Checking
1998
Cited by 22 (0 self)
Abstract: In this paper we consider assume-guarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in ∀CTL and ∀CTL*...
Hardware-Software Coverification of Concurrent Embedded Real-Time Systems
In Proc. Euromicro RTS, 1999
Cited by 16 (6 self)
Abstract: Hardware-software codesign results of concurrent embedded real-time systems are often not easily verifiable. The main difficulty lies in the different timescales of the embedded hardware, of the embedded software, and of the environment. This rate difference causes state-space explosions and hence coverification has been mostly restricted to the initial system specifications. Currently, most codesign tools or methodologies only support validation in the form of cosimulation and testing. Here, we propose a new formal coverification method based on linear hybrid automata. The basic problems found in most coverification tasks are presented and solved. For complex systems, a simplification strategy is proposed to attack state-space explosions in formal coverification. Experimental results show the feasibility of our approach and the increase in verification scalability through the application of the proposed method.
A Space-Efficient On-the-fly Algorithm for Real-Time Model Checking
In Proceedings of CONCUR'96, Volume 1119 of LNCS
Cited by 15 (2 self)
Abstract: In temporal-logic model checking, we verify the correctness of a program with respect to a desired behavior by checking whether a structure that models the program satisfies a temporal-logic formula that specifies the behavior. The main practical limitation of model checking is caused by the size of the state space of the program, which grows exponentially with the number of concurrent components. This problem, known as the state-explosion problem, becomes more difficult when we consider real-time model checking, where the program and the specification involve quantitative references to time. In particular, when we use timed automata to describe real-time programs and we specify timed behaviors in the logic TCTL, a real-time extension of the temporal logic CTL with clock variables, then the state space under consideration grows exponentially not only with the number of concurrent components, but also with the number of clocks and the length of the clock constraints used in the program a...
Bisimulation Minimization in an Automata-Theoretic Verification Framework
In Formal Methods in Computer-Aided Design (FMCAD), 1998
Cited by 15 (1 self)
Abstract: Bisimulation is a seemingly attractive state-space minimization technique because it can be computed automatically and yields the smallest model preserving all µ-calculus formulas. It is considered impractical for symbolic model checking, however, because the required BDDs are prohibitively large for most designs. We revisit bisimulation minimization, this time in an automata-theoretic framework. Bisimulation has potential in this framework because after intersecting the design with the negation of the property, minimization can ignore most of the atomic propositions. We compute bisimulation using an algorithm due to Lee and Yannakakis that represents bisimulation relations by their equivalence classes and only explores reachable classes. This greatly improves on the time and memory usage of naive algorithms. We demonstrate that bisimulation is practical for many designs within the automata-theoretic framework. In most cases, however, the cost of performing this reduction still outweigh...