Results 1  10
of
240
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 3229 (69 self)
 Add to MetaCart
(Show Context)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Interface Automata
 Proceedings of the Ninth Annual Symposium on Foundations of Software Engineering (FSE), ACM
, 2001
"... Conventional type systems specify interfaces in terms of values and domains. ..."
Abstract

Cited by 455 (23 self)
 Add to MetaCart
Conventional type systems specify interfaces in terms of values and domains.
Computing Simulations on Finite and Infinite Graphs
, 1996
"... . We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges ..."
Abstract

Cited by 186 (6 self)
 Add to MetaCart
(Show Context)
. We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m n). For effectively presented infinite graphs, we present a symbolic similaritychecking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the 8CTL modelchecking problem are decidable for 2D rectangular automata. 1 Introduction A labeled graph G = (V; E;A; hh\Deltaii) consist of a (possibly infinite) set V of vertices, a set E ` V 2 of edges, a set A of labels, and a function hh\Deltaii : V ! A that maps each vertex v to a label hh...
Alternating refinement relations
 In Proceedings of the Ninth International Conference on Concurrency Theory (CONCUR’98), volume 1466 of LNCS
, 1998
"... Abstract. Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the syste ..."
Abstract

Cited by 164 (20 self)
 Add to MetaCart
(Show Context)
Abstract. Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the system (which may involve some or all components), in alternating transition systems, each transition corresponds to a possible move in a game between the components. In this paper, we study refinement relations between alternating transition systems, such as “Does the implementation refine the set £ of specification components without constraining the components not in £? ” In particular, we generalize the definitions of the simulation and trace containment preorders from labeled transition systems to alternating transition systems. The generalizations are called alternating simulation and alternating trace containment. Unlike existing refinement relations, they allow the refinement of individual components within the context of a composite system description. We show that, like ordinary simulation, alternating simulation can be checked in polynomial time using a fixpoint computation algorithm. While ordinary trace containment is PSPACEcomplete, we establish alternating trace containment to be EXPTIMEcomplete. Finally, we present logical characterizations for the two preorders in terms of ATL, a temporal logic capable of referring to games between system components. 1
Property preserving abstractions for the verification of concurrent systems
 FORMAL METHODS IN SYSTEM DESIGN, VOL 6, ISS
, 1995
"... We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections ( �), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a ..."
Abstract

Cited by 152 (6 self)
 Add to MetaCart
(Show Context)
We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections ( �), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching timecalculus when two systems S and S' are related via h � isimulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method. This is a revised version of the papers [2] and [16] � the results are fully developed in [27].
Efficient Büchi Automata from LTL Formulae
 CAV 2000, LNCS 1855:247–263
, 2000
"... We present an algorithm to generate small Büchi automata for LTL formulae. We describe a heuristic approach consisting of three phases: rewriting of the formula, an optimized translation procedure, and simplification of the resulting automaton. We present a translation procedure that is optimal w ..."
Abstract

Cited by 121 (13 self)
 Add to MetaCart
We present an algorithm to generate small Büchi automata for LTL formulae. We describe a heuristic approach consisting of three phases: rewriting of the formula, an optimized translation procedure, and simplification of the resulting automaton. We present a translation procedure that is optimal within a certain class of translation procedures. The simplification algorithm can be used for Buchi automata in general. It reduces the number of states and transitions, as well as the number and size of the accepting setspossibly reducing the strength of the resulting automaton. This leads to more efficient model checking of lineartime logic formulae. We compare our method to previous work, and show that it is significantly more efficient for both random formulae, and formulae in common use and from the literature.
Safety verification of hybrid systems by constraint propagation based abstraction refinement
, 2005
"... This paper deals with the problem of safety verification of nonlinear hybrid systems. We start from a classical method that uses interval arithmetic to check whether trajectories can move over the boundaries in a rectangular grid. We put this method into an abstraction refinement framework and impr ..."
Abstract

Cited by 75 (11 self)
 Add to MetaCart
(Show Context)
This paper deals with the problem of safety verification of nonlinear hybrid systems. We start from a classical method that uses interval arithmetic to check whether trajectories can move over the boundaries in a rectangular grid. We put this method into an abstraction refinement framework and improve it by developing an additional refinement step that employs interval constraint propagation to add information to the abstraction without introducing new grid elements. Moreover, the resulting method allows switching conditions, initial states and unsafe states to be described by complex constraints instead of sets that correspond to grid elements. Nevertheless, the method can be easily implemented since it is based on a welldefined set of constraints, on which one can run any constraint propagation based solver. Tests of such an implementation are promising.
Ownership Confinement Ensures Representation Independence for ObjectOriented Programs
, 2002
"... This paper formulates representation independence for classes, in an imperative, objectoriented language with pointers, subclassing and dynamic dispatch, class oriented visibility control, recursive types and methods, and a simple form of module. An instance of a class is considered to implement an ..."
Abstract

Cited by 72 (32 self)
 Add to MetaCart
This paper formulates representation independence for classes, in an imperative, objectoriented language with pointers, subclassing and dynamic dispatch, class oriented visibility control, recursive types and methods, and a simple form of module. An instance of a class is considered to implement an abstraction using private fields and socalled representation objects. Encapsulation of representation objects is expressed by a restriction, called confinement, on aliasing. Representation independence is proved for programs satisfying the confinement condition. A static analysis is given for confinement that accepts common designs such as the observer and factory patterns. The formalization takes into account not only the usual interface between a client and a class that provides an abstraction but also the interface (often called "protected") between the class and its subclasses
Kit: A Study in Operating System Verification
, 1989
"... Kernel Implements Processes The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AKIMPLEMENTSPARALLELTASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, th ..."
Abstract

Cited by 63 (0 self)
 Add to MetaCart
Kernel Implements Processes The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AKIMPLEMENTSPARALLELTASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASKPROCESSOR on the initial task state, with an oracle constructed by the function CONTROLORACLE. The oracle constructed for TASKPROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel. Task project AK Figure 4: AK Implements Parallel Tasks THEOREM AKIMPLEMENTSPARALLELTASKS (IMPLIES (AND (GOODAK AK) (FINITENUMBERP I (LENGTH (AKPSTATES AK)))) (EQUAL (PROJECT I (AKPROCESSOR AK ORACLE)) (TASKPROCESSOR (PROJECT I AK) I (CONTROLORACLE I AK ORACLE)))) 6. The Target Machine The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...
Fair Simulation
 Information and Computation
, 1997
"... The simulation preorder for labeled transition systems is defined locally as a game that relates states with their immediate successor states. Simulation enjoys many appealing properties. First, simulation has a fully abstract semantics: system S simulates system I iff every computation tree embedd ..."
Abstract

Cited by 59 (19 self)
 Add to MetaCart
The simulation preorder for labeled transition systems is defined locally as a game that relates states with their immediate successor states. Simulation enjoys many appealing properties. First, simulation has a fully abstract semantics: system S simulates system I iff every computation tree embedded in the unrolling of I can be embedded also in the unrolling of S. Second, simulation has a logical characterization: S simulates I iff every universal branchingtime formula satisfied by S is satisfied also by I. It follows that simulation is a suitable notion of implementation, and it is the coarsest abstraction of a system that preserves universal branchingtime properties. Third, based on its local definition, simulation between finitestate systems can be checked in polynomial time. Finally, simulation implies tracecontainment, which cannot be defined locally and requires polynomial space for verification. Hence simulation is widely used both in manual and in automatic verification. ...