Results 1-10 of 27

Hybrid I/O Automata, 1996
Cited by 132 (23 self)
Abstract
Hybrid systems are systems that exhibit a combination of discrete and continuous behavior. Typical hybrid systems include computer components, which operate in discrete program steps, and real-world components, whose behavior over time intervals evolves according to physical constraints. Important examples of hybrid systems include automated transportation systems, robotics systems, process control systems, systems of embedded devices, and mobile computing systems. Such systems can be very complex, and very difficult to describe and analyze.
Types as Models: Model Checking Message-Passing Programs
In Principles of Programming Languages (POPL), 2001
Cited by 83 (3 self)
Abstract
Abstraction and composition are the fundamental issues in making model checking viable for software. This paper proposes new techniques for automating abstraction and decomposition using source level type information provided by the programmer. Our system includes two novel components to achieve this end: (1) a new behavioral type-and-effect system for the pi-calculus, which extracts sound models as types, and (2) a new assume-guarantee proof rule for carrying out compositional model checking on the types. Open simulation between CCS processes is used as both the subtyping relation in the type system and the abstraction relation for compositional model checking. We have implemented these ideas in a tool, Piper. Piper exploits type signatures provided by the programmer to partition the model checking problem, and emit model checking obligations that are discharged using the Spin model checker. We present the details on applying Piper on two examples: (1) the SIS standard for managing trouble tickets across multiple organizations and (2) a file reader from the pipelined implementation of a web server.
The Theory of Timed I/O Automata, 2003
Cited by 44 (24 self)
Abstract
This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time. The TIOA framework supports the statement and verification of safety and liveness properties for timed systems. It defines what it means for a property to be a safety or a liveness property, includes basic results about safety-liveness classification, and
Compositional Methods for Probabilistic Systems, 2001
Cited by 25 (0 self)
Abstract
We present a compositional trace-based model for probabilistic systems. The behavior of a system with probabilistic choice is a stochastic process, namely, a probability distribution on traces, or "bundle." Consequently, the semantics of a system with both nondeterministic and probabilistic choice is a set of bundles. The bundles of a composite system can be obtained by combining the bundles of the components in a simple mathematical way. Refinement between systems is bundle containment. We achieve assume-guarantee compositionality for bundle semantics by introducing two scoping mechanisms. The first mechanism, which is standard in compositional modeling, distinguishes inputs from outputs and hidden state. The second mechanism, which arises in probabilistic systems, partitions the state into probabilistically independent regions.
A Behavioral Module System for the Pi-Calculus
In Proc. of Static Analysis Symposium (SAS), 2001
Cited by 17 (1 self)
Abstract
Distributed message-passing based asynchronous systems are becoming increasingly important. Such systems are notoriously hard to design and test. A promising approach to help programmers design such programs is to provide a behavioral type system that checks for behavioral properties such as deadlock freedom using a combination of type inference and model checking. The fundamental challenge in making a behavioral type system work for realistic concurrent programs is state explosion. This paper develops the theory to design a behavioral module system that permits decomposing the type checking problem, saving exponential cost in the analysis. Unlike module systems for sequential programming languages, a behavioral specification for a module typically assumes that the module operates in an appropriate concurrent context. We identify assume-guarantee reasoning as a fundamental principle in designing such a module system. Concretely, we propose a behavioral module system for pi-calculus programs. Types are CCS processes that correctly approximate the behavior of programs, and by applying model checking techniques to process types one can check many interesting program properties, including deadlock-freedom and communication progress. We show that modularity can be achieved in our type system by applying circular assume-guarantee reasoning principles whose soundness requires an induction over time. We state and prove an assume-guarantee rule for CCS. Our module system integrates this assume-guarantee rule into our behavioral type system.
Assume-Guarantee Based Compositional Reasoning for Synchronous Timing Diagrams
Cited by 15 (5 self)
Abstract
The explosion in the number of states due to several interacting components limits the application of model checking in practice. Compositional reasoning ameliorates this problem by reducing reasoning about the entire system to reasoning about individual components. Such reasoning is often carried out in the assume-guarantee paradigm: each component guarantees certain properties based on assumptions about the other components. Naïve applications of this reasoning can be circular and, therefore, unsound. We present a new rule for assume-guarantee reasoning, which is sound and complete. We show how to apply it, in a fully automated manner, to properties specified as synchronous timing diagrams. We show that timing diagram properties have a natural decomposition into assume-guarantee pairs, and liveness restrictions that result in simple subgoals which can be checked efficiently. We have implemented our method in a timing diagram analysis tool, which carries out the compositional proof in a fully automated manner. Initial applications of this method have yielded promising results, showing substantial reductions in the space requirements for model checking.
Theorems about Composition, 2000
Cited by 12 (4 self)
Abstract
Compositional designs require component specifications that can be composed: Designers have to be able to deduce system properties from component specifications. On the other hand, component specifications should be abstract enough to allow component reuse and to hide substantial parts of correctness proofs in component verifications. Part of the problem is that too abstract specifications do not contain enough information to be composed. Therefore, the right balance between abstraction and composability must be found. This paper explores the systematic construction of abstract specifications that can be composed through specific forms of composition called existential and universal.
The Control of Synchronous Systems, 2000
Cited by 12 (5 self)
Abstract
In the synchronous composition of processes, one process may prevent another process from proceeding unless compositions without a well-defined product behavior are ruled out. They can be ruled out semantically, by insisting on the existence of certain fixed points, or syntactically, by equipping processes with types, which make the dependencies between input and output signals transparent. We classify various typing mechanisms and study their effects on the control problem. A static type enforces fixed, acyclic dependencies between input and output ports. For example, synchronous hardware without combinational loops can be typed statically. A dynamic type may vary the dependencies from state to state, while maintaining acyclicity, as in level-sensitive latches. Then, two dynamically typed processes can be syntactically compatible, if all pairs of possible dependencies are compatible, or semantically compatible, if in each state the combined dependencies remain acyclic. For a given plant process and control objective, there may be a controller of a static type, or only a controller of a syntactically compatible dynamic type, or only a controller of a semantically compatible dynamic type. We show this to be a strict hierarchy of possibilities, and we present algorithms and determine the complexity of the corresponding control problems. Furthermore, we consider versions of the control problem in which the type of the controller (static or dynamic) is given. We show that the solution of these fixed-type control problems requires the evaluation of partially ordered (Henkin) quantifiers on boolean formulas, and is therefore harder (nondeterministic exponential time) than more traditional control questions.
On Unifying Assumption-Commitment Style Proof Rules for Concurrency
In Proceedings of CONCUR 94, 1994
Cited by 6 (1 self)
Abstract
Assumption-Commitment paradigms for specification and verification of concurrent programs have been proposed in the past. We show that two typical parallel composition rules for shared variable and message passing programs [8,12] which hitherto required different formulations are instances of one general rule mainly inspired by Abadi & Lamport's composition theorem [1].
1 Introduction
Compositional methods support the verify-while-develop paradigm (an interesting account is given in [15]). However, compared to sequential programs, concurrent programs are much harder to specify and verify. In order to obtain tractable proof rules for concurrency, assumption-commitment (sometimes also called rely-guarantee), as against monolithic, specification paradigms have been proposed, in which a component is verified to satisfy a commitment under the condition that the environment satisfies an assumption. Such proof systems have been studied for concurrent programs communicating through shared variabl...