Results 1-10 of 17
Model Checking for Programming Languages using VeriSoft
In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, 1997
Cited by 369 (12 self)
Verification by state-space exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing model-checking techniques are restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. In this paper, we discuss how model checking can be extended to deal directly with "actual" descriptions of concurrent systems, e.g., implementations of communication protocols written in programming languages such as C or C++. We then introduce a new search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary C code. As an example of application, we describe how VeriSoft successfully discovered an error in a 2500-line C program controlling rob...
Automatic Verification of the SCI Cache Coherence Protocol
In Correct Hardware Design and Verification Methods: IFIP WG10.5 Advanced Research Working Conference Proceedings, 1995
Cited by 42 (16 self)
This paper describes an ongoing effort to verify the cache coherence protocol of the IEEE/ANSI Standard for Scalable Coherent Interface using the Murφ verification system. A model of the typical set protocol was constructed in the Murφ description language. This model was augmented with a specification of properties necessary for cache coherence. The Murφ verification system automatically checks if all reachable states in the model satisfy the given specification. Although verification is still under way, we have already found several errors in the C code defining the protocol. Finally, we elucidate the experiences gained in the verification project.
1 Introduction. The IEEE/ANSI Standard for Scalable Coherent Interface (SCI) includes a cache coherence protocol for distributed shared-memory multiprocessors. Designing a complex protocol, like this cache coherence protocol, is a challenging and difficult task. It is very hard for a designer to predict all possible interactions amon...
Verification Techniques for Cache Coherence Protocols
1997
Cited by 38 (0 self)
ion and Specification Using FSMs. Although there is a variety of ways to specify a protocol model, we are interested in methodologies that employ finite state machines (FSMs) to form protocol models. Because cache protocols are essentially composed of component processes such as memory and cache controllers that exchange messages and respond to "events" generated by processors, a finite state machine model with such "events" as its inputs is a natural model. Specifically, we focus on verifying cache protocols where the behavior of an individual protocol component C is modeled as a finite state machine FSM_C and the protocol machine is composed of all the FSM_C. Inputs to these machines are processor-generated events and messages for maintaining data consistency. In general, the protocol models are abstracted representations. They are often kept simple to make the complexity of verification manageable, while preserving properties of interest. It is clear that the quality of a ve...
A Toolbox for the Verification of LOTOS Programs
1992
Cited by 33 (4 self)
This paper presents the tools Aldébaran, Caesar, Caesar.adt and Cléopâtre, which constitute a toolbox for compiling and verifying Lotos programs. The principles of these tools are described, as well as their performances and limitations. Finally, the formal verification of the rel/REL atomic multicast protocol is given as an example to illustrate the practical use of the toolbox.
Keywords: reliability, formal methods, Lotos, verification, validation, model-based methods, model-checking, transition systems, bisimulations, temporal logics, diagnostics.
Introduction. There is an increasing need for reliable software, which is especially critical in some areas such as communication protocols, distributed systems, real-time control systems, and hardware synthesis systems. It is now agreed that reliability can only be achieved through the use of rigorous design techniques. This has motivated a lot of research on specification formalisms and associated verification methods and tools. Ver...
Symbolic Bisimulation Minimisation
In Computer Aided Verification
Cited by 32 (6 self)
We adapt the Coarsest Partition Refinement algorithm to its computation using the specific data structures of Binary Decision Diagrams. This allows us to generate symbolically the set of equivalence classes of a finite automaton with respect to bisimulation, without constructing the automaton itself. These equivalence classes represent, of course, the (new) states of the canonical minimal automaton bisimilar to the original one. The method works from labeled synchronised vectors of automata as the distributed system description. We report on the performance of Hoggar, a tool implementing our method.
1 Introduction. Bisimulation is a central notion in the domain of verification of concurrent systems [18]. It was introduced as the major behavioural equivalence in the setting of process algebras [18, 2], but works at the interpretation level of labeled transition systems. Algorithmic properties of bisimulation in the finite state case have been widely studied [16, 20, 11], leading to a lar...
On the Costs and Benefits of using Partial-Order Methods for the Verification of Concurrent Systems
Proceedings of DIMACS Workshop on Partial-Order Methods in Verification, 1997
Cited by 13 (0 self)
Verification by state-space exploration is one of the most successful strategies for analyzing the correctness of finite-state concurrent reactive systems. Partial-order methods are algorithms for dynamically pruning the state space of such systems without incurring the risk of any incompleteness in the verification results. This paper presents results of experiments performed with these algorithms on real protocol examples, and discusses the practical significance of partial-order methods.
1. Introduction. State-space exploration is one of the most successful strategies for checking the correctness of finite-state concurrent reactive systems. It consists in exploring a global state graph, called the state space, representing the combined behavior of all concurrent components in the system. Many different types of properties of a system can be checked by exploring its state space: deadlocks, dead code, unspecified receptions, violations of user-specified assertions, etc. Moreo...
State Reduction Using Reversible Rules
1996
Cited by 12 (7 self)
We reduce the state explosion problem in automatic verification of finite-state systems by automatically collapsing subgraphs of the state graph into abstract states. The key idea of the method is to identify state generation rules that can be inverted. It can be used for verification of deadlock-freedom, error and invariant checking and stuttering-invariant CTL model checking.
A Tool Set for Deciding Behavioral Equivalences
In Proceedings of CONCUR'91, 1991
Cited by 11 (2 self)
This paper deals with verification methods based on equivalence relations between labeled transition systems. More precisely, we are concerned with two practical needs: how to efficiently minimize and compare labeled transition systems with respect to bisimulation or simulation-based equivalence relations. First, we recall the principle of the classical algorithms for the existing equivalence relations, which are based on successive partition refinements of the state space of the labeled transition systems under consideration. However, in spite of their theoretical efficiency, the main drawback of these algorithms is that they require generating and storing in memory the whole labeled transition systems to be compared or minimized. Therefore, the size of the systems which can be handled in practice remains limited. We propose here another approach, allowing the generation and the verification phases to be combined, which is based on two algorithms respectively devoted to the comparison ("o...
Selective mu-calculus: New Modal Operators for Proving Properties on Reduced Transition Systems
In Proceedings of FORTE X/PSTV XVII '97, Chapman, 1997
Cited by 8 (7 self)
In model checking for temporal logic, the correctness of a (concurrent) system with respect to a desired behavior is verified by checking whether a structure that models the system satisfies a formula describing the behaviour. Most existing verification techniques, and in particular those defined for concurrent calculi such as CCS, are based on a representation of the concurrent system by means of a labelled transition system. In this approach to verification, state explosion is one of the most serious problems. In this paper we present a new temporal logic, the selective mu-calculus, with the property that only the actions occurring in a formula are relevant to check the formula itself. We prove that the selective mu-calculus is as powerful as the mu-calculus. We define the notion of ρ-bisimulation between transition systems: given a set of actions ρ, a transition system ρ-bisimulates another one if they have the same behaviour with respect to the actions in ρ. We prove that, if t...
Space Efficient Reachability Analysis Through Use of Pseudo-Root States
Proceedings of the Third International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, TACAS'97, 1997
Cited by 5 (0 self)
This paper presents a novel reachability analysis technique which, while still maintaining a set of reached states, significantly reduces the size of this set through excluding a specific subset of those states, referred to as pseudo-root states. Pseudo-root states are states which are not reachable from the unexplored state space of the finite model. Such states may be safely discarded from state storage. The modified reachability analysis algorithm identifies and discards pseudo-root states at each iteration of the state search. For a set of three example problems, the presented algorithm results in 2- to 16-fold improvements in space requirements, while increasing the run time at most twofold.
1 Introduction. Exhaustive exploration of a finite state model is a key part of most automatic verification algorithms, which rely on checking all reachable states of the model against a specification of desired properties. Conventional algorithms for traversing the model starting from its init...