Results 1 - 10 of 41
Compositional Model Checking
, 1999
Cited by 2407 (62 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Counterexample-guided Abstraction Refinement
, 2000
Cited by 602 (60 self)
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Property preserving abstractions for the verification of concurrent systems
Formal Methods in System Design, Vol 6, Iss
, 1995
Cited by 136 (4 self)
We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections (α, γ), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching-time μ-calculus when two systems S and S' are related via ⟨α, γ⟩-simulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method. This is a revised version of the papers [2] and [16]; the results are fully developed in [27].
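The two mechanisms described in this entry and in the Counterexample-guided Abstraction Refinement entry above fit in one small worked example: an abstraction that simulates the concrete system, so that a universal (ACTL-style) property proved on the abstract system is guaranteed for the concrete one, and the analysis of an abstract counterexample that turns out to be spurious, which is used to split the abstract state where the concrete replay breaks. The Python below is an added illustration written for this page, not code from either paper or from any tool they describe. The concrete system (a counter over 0..7 that advances by two and saturates), the safety property, the initial abstraction function and the dead-end/bad/rest splitting rule are all choices made here for the example.

```python
from collections import deque

# Constructed concrete system (an assumption for this example, not from the
# papers): x ranges over 0..7 and advances by 2 until it saturates at 6 or 7.
CONCRETE_STATES = range(8)


def step(x):
    return {x + 2} if x <= 5 else {x}


def bad(x):
    # Safety property under check: AG not bad.
    return x == 5


def initial_alpha(x):
    # Coarse abstraction x // 4, kept consistent with the atom 'bad' so that
    # every abstract state is either entirely bad or entirely safe.
    return (x // 4, bad(x))


def existential_abstraction(states, step, alpha):
    """Abstract Kripke structure induced by alpha: block a -> block b iff some
    concrete s in a has a successor t in b. This abstraction simulates the
    concrete system, so a universal property true of it is true concretely;
    the converse fails, and that gap is what the refinement loop closes."""
    blocks, trans = {}, {}
    for s in states:
        blocks.setdefault(alpha(s), set()).add(s)
        trans.setdefault(alpha(s), [])
    for s in states:
        for t in sorted(step(s)):
            if alpha(t) not in trans[alpha(s)]:
                trans[alpha(s)].append(alpha(t))
    return blocks, trans


def abstract_path_to_bad(init_block, trans, is_bad):
    """BFS: shortest abstract path from the initial block to a bad block."""
    parent, queue = {init_block: None}, deque([init_block])
    while queue:
        a = queue.popleft()
        if is_bad(a):
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for b in trans[a]:
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None


def concretize(path, blocks, step, init):
    """Replay the abstract path on the concrete system: the concrete states
    reachable at each index, and the first index that no concrete run reaches
    (None when the counterexample is real)."""
    reach = [{init} & blocks[path[0]]]
    for i in range(1, len(path)):
        nxt = {t for s in reach[-1] for t in step(s)} & blocks[path[i]]
        if not nxt:
            return reach, i
        reach.append(nxt)
    return reach, None


def refine(alpha, blocks, path, reach, i, step):
    """Split the block where the spurious path breaks (path[i-1]) into the
    states actually reached along the prefix (dead-end), the states that do
    have a successor in path[i] (bad), and the rest."""
    a = path[i - 1]
    dead = reach[i - 1]
    bad_states = {s for s in blocks[a] if step(s) & blocks[path[i]]}

    def new_alpha(s, old=alpha):
        b = old(s)
        if b != a:
            return b
        return (b, "dead" if s in dead else "bad" if s in bad_states else "rest")
    return new_alpha


def cegar(states, init, step, bad, alpha, max_rounds=20):
    """('safe', rounds, abstract_state_count) when AG not bad is proved, or
    ('unsafe', rounds, concrete_states_per_step) for a real counterexample."""
    for round_no in range(1, max_rounds + 1):
        blocks, trans = existential_abstraction(states, step, alpha)
        path = abstract_path_to_bad(alpha(init), trans,
                                    lambda a: any(bad(s) for s in blocks[a]))
        if path is None:
            return "safe", round_no, len(blocks)      # preserved downwards
        reach, i = concretize(path, blocks, step, init)
        if i is None:
            return "unsafe", round_no, [sorted(r) for r in reach]
        alpha = refine(alpha, blocks, path, reach, i, step)
    raise RuntimeError("refinement did not converge")


if __name__ == "__main__":
    print(cegar(CONCRETE_STATES, 0, step, bad, initial_alpha))  # safe after 3 rounds
    print(cegar(CONCRETE_STATES, 1, step, bad, initial_alpha))  # real run 1 -> 3 -> 5
```

From initial state 0 the first abstraction reports a path into the bad block that no concrete run follows (0 steps to 2, never into {5}); two splits later the abstract system has no path to a bad block, and because the abstraction simulates the concrete system that verdict is sound for the concrete counter. From initial state 1 the replay succeeds and the counterexample 1, 3, 5 is real.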
Model Checking Partial State Spaces with 3-Valued Temporal Logics (Extended Abstract)
 In Proceedings of the 11th Conference on Computer Aided Verification
, 1999
Cited by 96 (7 self)
Glenn Bruns and Patrice Godefroid, Bell Laboratories, Lucent Technologies, {grb,god}@bell-labs.com. We address the problem of relating the result of model checking a partial state space of a system to the properties actually possessed by the system. We represent incomplete state spaces as partial Kripke structures, and give a 3-valued interpretation to modal logic formulas on these structures. The third truth value ⊥ means "unknown whether true or false". We define a preorder on partial Kripke structures that reflects their degree of completeness. We then provide a logical characterization of this preorder. This characterization thus relates properties of less complete structures to properties of more complete structures. We present similar results for labeled transition systems and show a connection to intuitionistic modal logic. We also present a 3-valued CTL model checking algorithm, which returns ⊥ only when the partial state space lacks information needed ...
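The ideas in this abstract can be exercised on a very small partial Kripke structure: atoms take the values true, false or unknown, Boolean connectives follow Kleene's strong three-valued logic, the modal operators take the meet or join over successors, and EF and AG are computed as fixpoints over the same three-valued lattice. The following Python is an added example written for this page, not the authors' algorithm or code. The request/grant structure, the atom g and the choice of which label is unknown are constructed for the illustration; the function names are the editor's.

```python
# Truth values of Kleene's strong three-valued logic, ordered false < unknown < true.
F, U, T = 0, 1, 2
NAME = {F: "false", U: "unknown", T: "true"}


def neg(v):
    return 2 - v


class PartialKripke:
    """A partial Kripke structure: each atom at each state is true, false or
    unknown. Formulas are nested tuples, e.g. ('AG', ('not', ('atom', 'g')))."""

    def __init__(self, succ, labels):
        self.succ = succ          # state -> list of successor states
        self.labels = labels      # state -> {atom: F | U | T}
        self.states = list(succ)

    def ex(self, z):  # EX: join over successors (false when there are none)
        return {s: max((z[t] for t in self.succ[s]), default=F) for s in self.states}

    def ax(self, z):  # AX: meet over successors (true when there are none)
        return {s: min((z[t] for t in self.succ[s]), default=T) for s in self.states}

    def check(self, f):
        """Map every state to the three-valued truth of formula f."""
        op = f[0]
        if op == "atom":
            return {s: self.labels[s][f[1]] for s in self.states}
        if op == "not":
            return {s: neg(v) for s, v in self.check(f[1]).items()}
        if op in ("and", "or"):
            a, b = self.check(f[1]), self.check(f[2])
            pick = min if op == "and" else max
            return {s: pick(a[s], b[s]) for s in self.states}
        if op == "EX":
            return self.ex(self.check(f[1]))
        if op == "AX":
            return self.ax(self.check(f[1]))
        if op in ("EF", "AG"):
            # EF f: least fixpoint of Z = f or EX Z, iterated up from all-false.
            # AG f: greatest fixpoint of Z = f and AX Z, iterated down from all-true.
            v = self.check(f[1])
            z = {s: (F if op == "EF" else T) for s in self.states}
            while True:
                nxt = ({s: max(v[s], e) for s, e in self.ex(z).items()} if op == "EF"
                       else {s: min(v[s], a) for s, a in self.ax(z).items()})
                if nxt == z:
                    return z
                z = nxt
        raise ValueError(f"unknown operator {op}")


def more_complete(partial, full):
    """Completeness preorder for two structures of the same shape: `full`
    refines `partial` iff it only replaces unknown labels by true or false."""
    return partial.succ == full.succ and all(
        partial.labels[s][p] in (U, full.labels[s][p])
        for s in partial.states for p in partial.labels[s])


def agrees_when_known(partial, full, formulas):
    """The logical side of the preorder, checked on the given formulas: wherever
    the partial structure gives a definite answer, the more complete one agrees."""
    for f in formulas:
        vp, vf = partial.check(f), full.check(f)
        if any(vp[s] != U and vp[s] != vf[s] for s in partial.states):
            return False
    return True


# Constructed example (not from the paper): a request/grant loop in which the
# atom g ("granted") is not yet known in the 'req' state.
SUCC = {"idle": ["req"], "req": ["req", "granted"], "granted": ["idle"]}
PARTIAL = PartialKripke(SUCC, {"idle": {"g": F}, "req": {"g": U}, "granted": {"g": T}})
FULL = PartialKripke(SUCC, {"idle": {"g": F}, "req": {"g": F}, "granted": {"g": T}})

FORMULAS = {
    "EF g": ("EF", ("atom", "g")),
    "AG not g": ("AG", ("not", ("atom", "g"))),
    "AX g": ("AX", ("atom", "g")),
    "AX AX g": ("AX", ("AX", ("atom", "g"))),
}


def verdicts(m, state="idle"):
    return {name: NAME[m.check(f)[state]] for name, f in FORMULAS.items()}


if __name__ == "__main__":
    print("partial:", verdicts(PARTIAL))
    print("full:   ", verdicts(FULL))
```

On the partial structure EF g and AG not g are decided (true and false) because the known labels already settle them, while AX g and AX AX g come back unknown because they hinge on the missing label at 'req'; once that label is filled in, the decided answers are unchanged and the unknown ones become false.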
Reliable Hashing without Collision Detection
In Computer Aided Verification, 5th International Conference
, 1993
Cited by 63 (1 self)
Thanks to a variety of new techniques, state-space exploration is becoming an increasingly effective method for the verification of concurrent programs. One of these techniques, hashing without collision detection, was proposed by Holzmann as a way to vastly reduce the amount of memory needed to store the explored state space. Unfortunately, this reduction in memory use comes at the price of a high probability of ignoring part of the state space and hence of missing existing errors. In this paper, we carefully analyze this method and show that, by using a modified strategy, it is possible to reduce the risk of error to a negligible amount while maintaining the memory use advantage of Holzmann's technique. Our proposed strategy has been implemented and we describe experiments that confirm the excellent expected results.
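The failure mode this abstract describes is easy to reproduce: with hashing without collision detection, a fresh state whose hash bits happen to be set already is treated as visited, its successors are never explored, and the omission is silent. The Python below is an added example written for this page, not the paper's implementation. It explores a constructed transition system (a 51 × 51 grid of counters) three ways: exactly, with Holzmann-style bitstate hashing, and with a comparison variant that stores a 64-bit hash of each state instead of one bit. That variant is the editor's comparison point; the abstract does not spell out the paper's modified strategy, so nothing here should be read as that strategy. A deterministic SHA-256-based hash is used so the run is reproducible (Python's built-in hash() is salted per process).

```python
import hashlib
import math

# Constructed transition system (an assumption for this example): states are
# (i, j) with 0 <= i, j <= N and moves (i+1, j) and (i, j+1); (N+1)^2 states.
N = 50
INITIAL = (0, 0)


def successors(state):
    i, j = state
    out = []
    if i < N:
        out.append((i + 1, j))
    if j < N:
        out.append((i, j + 1))
    return out


def state_hash(state, salt):
    """Deterministic 64-bit hash of a state; `salt` selects a hash function."""
    digest = hashlib.sha256(f"{salt}:{state!r}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def explore_exact(initial):
    """Reference: every visited state is stored in full, nothing is missed."""
    seen, stack = {initial}, [initial]
    while stack:
        for t in successors(stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen)


def explore_bitstate(initial, m_bits, k):
    """Bitstate hashing: k hash functions pick k bits per state in an m-bit
    array; a state is treated as visited if all its bits are already set.
    Collisions are never detected, so a fresh state can be wrongly skipped
    and the part of the state space below it is never explored."""
    bits = bytearray(m_bits // 8)

    def test_and_set(s):
        positions = [state_hash(s, f"k{x}") % m_bits for x in range(k)]
        already = all(bits[p >> 3] & (1 << (p & 7)) for p in positions)
        for p in positions:
            bits[p >> 3] |= 1 << (p & 7)
        return already

    test_and_set(initial)
    count, stack = 1, [initial]
    while stack:
        for t in successors(stack.pop()):
            if not test_and_set(t):
                count += 1
                stack.append(t)
    return count


def explore_hashcompact(initial, hash_bits):
    """Comparison variant (editor's, not the paper's): keep a hash_bits-bit hash
    of each state instead of the state. Memory is hash_bits per state rather
    than the full state, and omission needs two states to share a hash."""
    mask = (1 << hash_bits) - 1
    seen, stack = {state_hash(initial, "hc") & mask}, [initial]
    count = 1
    while stack:
        for t in successors(stack.pop()):
            h = state_hash(t, "hc") & mask
            if h not in seen:
                seen.add(h)
                count += 1
                stack.append(t)
    return count


def bitstate_omission_estimate(n_states, m_bits, k):
    """Approximate probability that the last new state of n is wrongly treated
    as visited (the Bloom-filter false-positive rate for the same parameters)."""
    return (1 - math.exp(-k * n_states / m_bits)) ** k


def compare(m_bits=4096, k=2, hash_bits=64):
    exact = explore_exact(INITIAL)
    return {
        "exact": exact,
        "bitstate": explore_bitstate(INITIAL, m_bits, k),
        "bitstate_bytes": m_bits // 8,
        "hashcompact": explore_hashcompact(INITIAL, hash_bits),
        "hashcompact_bytes": exact * hash_bits // 8,
        "omission_estimate": bitstate_omission_estimate(exact, m_bits, k),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value}")
```

With 2601 states squeezed into 4096 bits the bitstate run counts fewer states than the exact run, and the estimate shows why: near the end of the exploration the chance that a new state's bits are already set is far from negligible. The hash-storing variant uses a few kilobytes more but, at 64 bits per state, the chance of two of a few thousand states colliding is around 10⁻¹³, which is the kind of trade-off the abstract is pointing at. The sizes chosen here are deliberately small so the omission is visible; a real run would size the bit array from the expected state count and the tolerable omission probability.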
An Overview of SAL
 LFM 2000: Fifth NASA Langley Formal Methods Workshop
, 2000
Cited by 39 (5 self)
To become practical for assurance, formal methods must be made more cost-effective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a framework for combining different tools to calculate properties (i.e., performing symbolic analysis) of concurrent systems. The heart of SAL is a language, developed in collaboration with Stanford, Berkeley, and Verimag, for specifying concurrent systems in a compositional way. Our instantiation of the SAL framework augments PVS with tools for abstraction, invariant generation, program analysis (such as slicing), theorem proving, and model checking to calculate properties (i.e., perform symbolic analysis) of concurrent systems. We describe the motivation, the language, the tools, and their integration in SAL/PVS, and some preliminary experience of their use. ...
A Tool for Symbolic Program Verification and Abstraction
 In Conference on Computer Aided Verification CAV 93, Heraklion Crete. LNCS 697
, 1993
Cited by 34 (5 self)
We give the description of a verification tool taking boolean programs of guarded commands as input; the internal representation of a program is a set of Binary Decision Diagrams (BDDs), one for each guarded command. It allows one to construct an abstract program of the same form, obtained using an abstraction relation given by a boolean expression on "concrete" and "abstract" variables. The tool allows the verification of CTL formulas on programs. We illustrate its possibilities on an example.

1 Introduction. In the domain of program verification an obvious idea is to verify some abstract program instead of the complete specification (called the concrete program), depending on the properties to be verified. The motivation is to make the representation of the program model smaller, and this for two reasons: one is to make the verification faster; the other is that in most practical cases the model of the concrete program is too large to be verified, whereas an abstraction of it may be sufficiently sma...
On the Complexity of Verifying Concurrent Transition Systems
, 2000
Cited by 30 (6 self)
In implementation verification, we check that an implementation is correct with respect to a specification by checking whether the behaviors of a transition system that models the program's implementation correlate with the behaviors of a transition system that models its specification. In this paper, we investigate the effect of concurrency on the complexity of implementation verification. We consider trace-based and tree-based approaches to the verification of concurrent transition systems, with and without fairness. Our results show that in almost all cases the complexity of the problem is exponentially harder than that of the sequential case. Thus, as in the model-checking verification methodology, the state-explosion problem cannot be avoided. A preliminary version of this work appeared in the proceedings of the 8th Conference on Concurrency Theory.

Department of Applied Mathematics & Computer Science, Weizmann Institute, Rehovot 76100, Israel. Email: harel@wisdom.weizm...
Characterization of a Sequentially Consistent Memory and Verification of a Cache Memory by Abstraction
 Distributed Computing
, 1995
Cited by 26 (4 self)
Susanne Graf, VERIMAG, Avenue de la Vignate, F-38610 Gières. The contribution of the paper is twofold. We give a set of properties expressible as temporal logic formulas such that any system satisfying them is a sequentially consistent memory, and which is sufficiently precise such that every reasonable concrete system that implements a sequentially consistent memory satisfies these properties. Then, we verify these properties on a distributed cache memory system by means of a verification method, based on the use of abstract interpretation, which has been presented in previous papers and so far applied to finite state systems. The motivation for this paper was to show that it can also be successfully applied to systems with an infinite state space. This is a revised and extended version of [Gra94].

1 Introduction. We propose to verify the distributed cache memory presented in [ABM93] and [Ger94] by using the verification method proposed in [BBLS92,LGS+...
Combining Theorem Proving and Model Checking through Symbolic Analysis
 In CONCUR 2000: Concurrency Theory, number 1877 in Lecture
, 2000
Cited by 24 (0 self)
Automated verification of concurrent systems is hindered by the fact that the state spaces are either infinite or too large for model checking, and the case analysis usually defeats theorem proving. Combinations of the two techniques have been tried with varying degrees of success. We argue for a specific combination where theorem proving is used to reduce verification problems to finite-state form, and model checking is used to explore properties of these reductions. This decomposition of the verification task forms the basis of the Symbolic Analysis Laboratory (SAL), a framework for combining different analysis tools for transition systems via a common intermediate language. We demonstrate how symbolic analysis can be an effective methodology for combining deduction and exploration.