Results 1  10
of
88
Module Checking
, 1996
"... . In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of ..."
Abstract

Cited by 113 (12 self)
 Add to MetaCart
. In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, modelchecking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current modelchecking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (mod ule checking, for short). We show that while module che...
Reasoning about Rings
, 1995
"... The ring is a useful means of structuring concurrent processes. Processes communicate by passing a token in a fixed direction; the process that possesses the token is allowed to perfrom certain actions. Usually, correctness properties are expected to hold irrespective of the size of the ring. We sho ..."
Abstract

Cited by 112 (9 self)
 Add to MetaCart
The ring is a useful means of structuring concurrent processes. Processes communicate by passing a token in a fixed direction; the process that possesses the token is allowed to perfrom certain actions. Usually, correctness properties are expected to hold irrespective of the size of the ring. We show that the problem of checking many useful correctness properties for rings of all sizes can be reduced to checking them on ring of sizes up to a small cutoff size. We apply our results to the verification of a mutual exclusion protocol and Milner's scheduler protocol. 1
Multiway Decision Graphs for Automated Hardware Verification
, 1996
"... Traditional ROBDDbased methods of automated verification suffer from the drawback that they require a binary representation of the circuit. To overcome this limitation we propose a broader class of decision graphs, called Multiway Decision Graphs (MDGs), of which ROBDDs are a special case. With MDG ..."
Abstract

Cited by 90 (15 self)
 Add to MetaCart
Traditional ROBDDbased methods of automated verification suffer from the drawback that they require a binary representation of the circuit. To overcome this limitation we propose a broader class of decision graphs, called Multiway Decision Graphs (MDGs), of which ROBDDs are a special case. With MDGs, a data value is represented by a single variable of abstract type, rather than by 32 or 64 boolean variables, and a data operation is represented by an uninterpreted function symbol. MDGs are thus much more compact than ROBDDs, and this greatly increases the range of circuits that can be verified. We give algorithms for MDG manipulation, and for implicit state enumeration using MDGs. We have implemented an MDG package and provide experimental results.
Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT Based Conflict Analysis
 IN PROCEEDINGS OF FMCAD
, 2002
"... We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk ..."
Abstract

Cited by 81 (12 self)
 Add to MetaCart
We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk where invisible variables were treated as free inputs we describe a co06NGmEG7430m mo0 advantageo3 approF h in which the abstract transitio relatio isappro ximated by pre89889L6728 invisible variables during imageco8087FmEG0 The abstract co4 terexamplesorexamp fro mo delchecking the abstract mo del are symbo lically simulatedo the coG0K8K system using a stateoGNK7Kmo SAT checker. Ifno co43FK3 co4 terexample isfo640 a subseto f the invisible variables is reintro duced into the systemand thepro cess is repeated. The main co tributio o f this paper are two new algo37FmE fo identifying the relevant variablesto be reintro duced. Thesealgo78NNm mogo7 the SAT checking phase inom4F to analyze the impacto individual variables. Ourmetho d is co48NFF fo safetypro erties (AG p) in the sense that  perfoN06G0 permitting  a pro erty is either verifiedo dispro ved by aco4GKKm co4 terexample. Experimental results are givento demoGGmE40 the power of our method on realworld designs.
Verification of Infinite State Systems by Compositional Model Checking
 in CHARME
, 1999
"... . Compositional model checking methods can be used to reduce the formal verification of a complex system to model checking problems of tractably small size. However, such techniques are difficult to apply to systems that have large data types, such as memory addresses, or large data arrays such a ..."
Abstract

Cited by 79 (5 self)
 Add to MetaCart
(Show Context)
. Compositional model checking methods can be used to reduce the formal verification of a complex system to model checking problems of tractably small size. However, such techniques are difficult to apply to systems that have large data types, such as memory addresses, or large data arrays such as memories or FIFO buffers. They are also limited to the verification of systems with fixed finite resources. In this paper, a method of compositional verification is presented that uses the combination of temporal case splitting and data type reductions to reduce types of unbounded range to small finite types, and arrays of unbounded size to small fixedsize arrays. The method also supports the use of uninterpreted functions in a novel way, that allows model checking to be applied to systems with uninterpreted functions. These techniques are implemented in a proof assistant that also supports compositional reasoning and reductions via symmetry. Application of the method is illustrated...
Automatic Verification of Parameterized Synchronous Systems (Extended Abstract)
 In Proc. 8th Int'l. Conference on ComputerAided Verification (CAV
, 1996
"... ) E. Allen Emerson and Kedar S. Namjoshi Department of Computer Sciences, The University of Texas at Austin, U.S.A. Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal pro ..."
Abstract

Cited by 65 (7 self)
 Add to MetaCart
) E. Allen Emerson and Kedar S. Namjoshi Department of Computer Sciences, The University of Texas at Austin, U.S.A. Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal property is true of every size instance of the system. We consider systems formed by a synchronous parallel composition of a single control process with an arbitrary number of homogeneous user processes, and show that the PMCP is decidable for properties expressed in an indexed propositional temporal logic. While the problem is in general PSPACEcomplete, our initial experimental results indicate that the method is usable in practice. 1 Introduction Systems with an arbitrary number of homogeneous processes occur in many contexts, especially in protocols for data communication, cache coherence, and classical synchronization problems. Current verification work on such systems has focussed mostly...
RuleBase: an IndustryOriented Formal Verification Tool
 In 33rd Design Automation Conference
, 1996
"... RuleBase is a formal verification tool, developed by the IBM Haifa Research Laboratory. It is the result of three years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. We present the tool, incl ..."
Abstract

Cited by 64 (12 self)
 Add to MetaCart
(Show Context)
RuleBase is a formal verification tool, developed by the IBM Haifa Research Laboratory. It is the result of three years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. We present the tool, including several unique features, and summarize our usage experience.
A Methodology for Hardware Verification Using Compositional Model Checking
, 1999
"... A methodology for systemlevel hardware verification based on compositional model checking is described. This methodology relies on a simple set of proof techniques, and a domain specific strategy for applying them. The goal of this strategy is to reduce the verification of a large system to fini ..."
Abstract

Cited by 63 (1 self)
 Add to MetaCart
A methodology for systemlevel hardware verification based on compositional model checking is described. This methodology relies on a simple set of proof techniques, and a domain specific strategy for applying them. The goal of this strategy is to reduce the verification of a large system to finite state subgoals that are tractable in both size and number. These subgoals are then discharged by model checking. The proof strategy uses proof techniques for design refinement, temporal case splitting, data type reduction and the exploitation of symmetry. Uninterpreted functions can be used to abstract operations on data. A proof system supporting this approach generates verification subgoals to be discharged by the SMV symbolic model checker. Application of the methodology is illustrated using an implementation of Tomasulo's algorithm, a packet buffering device and a cache coherence protocol as examples. c fl1999 Cadence Berkeley Labs, Cadence Design Systems. 1 1 Introduction F...
Ordered Binary Decision Diagrams and the DavisPutnam Procedure
 IN PROC. OF THE 1ST INTERNATIONAL CONFERENCE ON CONSTRAINTS IN COMPUTATIONAL LOGICS
, 1994
"... We compare two prominent decision procedures for propositional logic: Ordered Binary Decision Diagrams (obdds) and the DavisPutnam procedure. Experimental results indicate that the DavisPutnam procedure outperforms obdds in hard constraintsatisfaction problems, while obdds are clearly superior for ..."
Abstract

Cited by 49 (1 self)
 Add to MetaCart
We compare two prominent decision procedures for propositional logic: Ordered Binary Decision Diagrams (obdds) and the DavisPutnam procedure. Experimental results indicate that the DavisPutnam procedure outperforms obdds in hard constraintsatisfaction problems, while obdds are clearly superior for Boolean functional equivalence problems from the circuit domain, and, in general, problems that require the schematization of a large number of solutions that share a common structure. The two methods illustrate the different and often complementary strengths of constraintoriented and searchoriented procedures.
Efficient Detection of Vacuity in ACTL Formulas
 FMSD
, 1997
"... Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We ca ..."
Abstract

Cited by 48 (4 self)
 Add to MetaCart
(Show Context)
Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define wACTL, a subset of CTL and show by construction that for every wACTL formula \phi there is a formula w(\phi), such that: both \phi and w(\phi) are true in some model M iff \phi passes vacuously. A useful sideeffect of w(\phi) is that if false, any counterexample is also a nontrivial witness of the original formula \phi.