We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.

Conventional type systems specify interfaces in terms of values and domains.

We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections ( �), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching time-calculus when two systems S and S' are related via h � i-simulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method. This is a revised version of the papers [2] and [16] � the results are fully developed in [27].

. We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m n). For effectively presented infinite graphs, we present a symbolic similarity-checking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the 8CTL model-checking problem are decidable for 2D rectangular automata. 1 Introduction A labeled graph G = (V; E;A; hh\Deltaii) consist of a (possibly infinite) set V of vertices, a set E ` V 2 of edges, a set A of labels, and a function hh\Deltaii : V ! A that maps each vertex v to a label hh...

Abstract. Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the system (which may involve some or all components), in alternating transition systems, each transition corresponds to a possible move in a game between the components. In this paper, we study refinement relations between alternating transition systems, such as “Does the implementation refine the set £ of specification components without constraining the components not in £? ” In particular, we generalize the definitions of the simulation and trace containment preorders from labeled transition systems to alternating transition systems. The generalizations are called alternating simulation and alternating trace containment. Unlike existing refinement relations, they allow the refinement of individual components within the context of a composite system description. We show that, like ordinary simulation, alternating simulation can be checked in polynomial time using a fixpoint computation algorithm. While ordinary trace containment is PSPACE-complete, we establish alternating trace containment to be EXPTIME-complete. Finally, we present logical characterizations for the two preorders in terms of ATL, a temporal logic capable of referring to games between system components. 1

We present an algorithm to generate small Büchi automata for LTL formulae. We describe a heuristic approach consisting of three phases: rewriting of the formula, an optimized translation procedure, and simplification of the resulting automaton. We present a translation procedure that is optimal within a certain class of translation procedures. The simplification algorithm can be used for Buchi automata in general. It reduces the number of states and transitions, as well as the number and size of the accepting sets---possibly reducing the strength of the resulting automaton. This leads to more efficient model checking of lineartime logic formulae. We compare our method to previous work, and show that it is significantly more efficient for both random formulae, and formulae in common use and from the literature.

This paper formulates representation independence for classes, in an imperative, object-oriented language with pointers, subclassing and dynamic dispatch, class oriented visibility control, recursive types and methods, and a simple form of module. An instance of a class is considered to implement an abstraction using private fields and so-called representation objects. Encapsulation of representation objects is expressed by a restriction, called confinement, on aliasing. Representation independence is proved for programs satisfying the confinement condition. A static analysis is given for confinement that accepts common designs such as the observer and factory patterns. The formalization takes into account not only the usual interface between a client and a class that provides an abstraction but also the interface (often called "protected") between the class and its subclasses

Kernel Implements Processes The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AK-IMPLEMENTS-PARALLEL-TASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASK-PROCESSOR on the initial task state, with an oracle constructed by the function CONTROL-ORACLE. The oracle constructed for TASK-PROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel. Task project AK Figure 4: AK Implements Parallel Tasks THEOREM AK-IMPLEMENTS-PARALLEL-TASKS (IMPLIES (AND (GOOD-AK AK) (FINITE-NUMBERP I (LENGTH (AK-PSTATES AK)))) (EQUAL (PROJECT I (AK-PROCESSOR AK ORACLE)) (TASK-PROCESSOR (PROJECT I AK) I (CONTROL-ORACLE I AK ORACLE)))) 6. The Target Machine The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...

ion and Regular Languages ? E. M. Clarke 1 and O. Grumberg 2 and S. Jha 1 1 Carnegie Mellon University, Pittsburgh, PA 15213 2 Computer Science Dept, The Technion, Haifa 32000, Israel Abstract. This paper describes a technique based on network grammars and abstraction to verify families of state-transition systems. The family of state-transition systems is represented by a context-free network grammar. Using the structure of the network grammar our technique constructs an invariant which simulates all the state-transition systems in the family. A novel idea used in this paper is to use regular languages to express state properties. We have implemented our techniques and verified two non-trivial examples. 1 Introduction Automatic verification of state-transition systems using temporal logic model checking has been investigated by numerous authors [3, 4, 5, 12, 16]. The basic model checking problem is easy to state Given a state-transition system P and a temporal formula f , de...

The simulation preorder for labeled transition systems is defined locally as a game that relates states with their immediate successor states. Simulation enjoys many appealing properties. First, simulation has a fully abstract semantics: system S simulates system I iff every computation tree embedded in the unrolling of I can be embedded also in the unrolling of S. Second, simulation has a logical characterization: S simulates I iff every universal branching-time formula satisfied by S is satisfied also by I. It follows that simulation is a suitable notion of implementation, and it is the coarsest abstraction of a system that preserves universal branching-time properties. Third, based on its local definition, simulation between finite-state systems can be checked in polynomial time. Finally, simulation implies trace-containment, which cannot be defined locally and requires polynomial space for verification. Hence simulation is widely used both in manual and in automatic verification. ...