Results 1  10
of
127
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2407 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
An OldFashioned Recipe for Real Time
, 1993
"... this paper appeared in ACM Transactions on Programming Languages and Systems 16, 5 (September 1994) 1543 1571. The appendix was published electronically by the ACM. Contents ..."
Abstract

Cited by 211 (18 self)
 Add to MetaCart
this paper appeared in ACM Transactions on Programming Languages and Systems 16, 5 (September 1994) 1543 1571. The appendix was published electronically by the ACM. Contents
Separation and Information Hiding
, 2004
"... We investigate proof rules for information hiding, using the recent formalism of separation logic. In essence, we use the separating conjunction to partition the internal resources of a module from those accessed by the module's clients. The use of a logical connective gives rise to a form of dynami ..."
Abstract

Cited by 165 (22 self)
 Add to MetaCart
We investigate proof rules for information hiding, using the recent formalism of separation logic. In essence, we use the separating conjunction to partition the internal resources of a module from those accessed by the module's clients. The use of a logical connective gives rise to a form of dynamic partitioning, where we track the transfer of ownership of portions of heap storage between program components. It also enables us to enforce separation in the presence of mutable data structures with embedded addresses that may be aliased.
Smallfoot: Modular automatic assertion checking with separation logic
 In International Symposium on Formal Methods for Components and Objects
, 2005
"... Abstract. Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe Smallfoot, a tool for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed content ..."
Abstract

Cited by 114 (5 self)
 Add to MetaCart
Abstract. Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe Smallfoot, a tool for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and this allows reasoning to be fully automatic. The presentation in the paper is tutorial in style. We illustrate what the tool can do via examples which are oriented toward novel aspects of separation logic, namely: avoidance of frame axioms (which say what a procedure does not change); embracement of “dirty ” features such as memory disposal and address arithmetic; information hiding in the presence of pointers; and modular reasoning about concurrent programs. 1
Types as Models: Model Checking MessagePassing Programs
 In Principles of Programming Languages (POPL
, 2001
"... Abstraction and composition are the fundamental issues in making model checking viable for software. This paper proposes new techniques for automating abstraction and decomposition using source level type information provided by the programmer. Our system includes two novel components to achieve thi ..."
Abstract

Cited by 83 (3 self)
 Add to MetaCart
Abstraction and composition are the fundamental issues in making model checking viable for software. This paper proposes new techniques for automating abstraction and decomposition using source level type information provided by the programmer. Our system includes two novel components to achieve this end: (1) a new behavioral typeandeffect system for the picalculus, which extracts sound models as types, and (2) a new assumeguarantee proof rule for carrying out compositional model checking on the types. Open simulation between CCS processes is used as both the subtyping relation in the type system and the abstraction relation for compositional model checking. We have implemented these ideas in a tool  Piper. Piper exploits type signatures provided by the programmer to partition the model checking problem, and emit model checking obligations that are discharged using the Spin model checker. We present the details on applying Piper on two examples: (1) the SIS standard for managing trouble tickets across multiple organizations and (2) a file reader from the pipelined implementation of a web server.
A General Composition Theorem for Secure Reactive Systems
 In TCC 2004
, 2004
"... We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the wellknown simulatability approach of modern cryptography, i.e., the specification is an ideal system and a real system should in some sense simulate this ideal one. We show that if a ..."
Abstract

Cited by 68 (8 self)
 Add to MetaCart
We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the wellknown simulatability approach of modern cryptography, i.e., the specification is an ideal system and a real system should in some sense simulate this ideal one. We show that if a system consists of a polynomial number of arbitrary ideal subsystems such that each of them has a secure implementation in the sense of blackbox simulatability, then one can securely replace all ideal subsystems with their respective secure counterparts without destroying the blackbox simulatability relation. We further prove our theorem for universal simulatability by showing that blackbox simulatability implies universal simulatability under reasonable assumptions. We show all our results with concrete security.
Component Based Design of Multitolerant Systems
 IEEE Transactions on Software Engineering
, 1998
"... The concept of multitolerance abstracts problems in system dependability and provides a basis for improved design of dependable systems. In the abstraction, each source of undependability in the system is represented as a class of faults, and the corresponding ability of the system to deal with t ..."
Abstract

Cited by 54 (10 self)
 Add to MetaCart
The concept of multitolerance abstracts problems in system dependability and provides a basis for improved design of dependable systems. In the abstraction, each source of undependability in the system is represented as a class of faults, and the corresponding ability of the system to deal with that undependability source is represented as a type of tolerance. Multitolerance thus refers to the ability of the system to tolerate multiple faultclasses, each in a possibly different way. In this paper, we present a component based method for designing multitolerance. Two types of components are employed by the method, namely detectors and correctors. A theory of detectors, correctors, and their interferencefree composition with intolerant programs is developed, that enables stepwise addition of components to provide tolerance to a new faultclass while preserving the tolerances to the previously added faultclasses. We illustrate the method by designing a fully distributed, mul...
A Proof Technique for Rely/Guarantee Properties
 In Proceedings of the 5th Conference on Foundations of Software Technology and Theoretical Computer Science, Lecture Notes in Computer Science 206
, 1986
"... A rely/guarantee specification for a program P is a specification of the form R oe G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees ..."
Abstract

Cited by 54 (0 self)
 Add to MetaCart
A rely/guarantee specification for a program P is a specification of the form R oe G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees to provide in return. This paper presents a proof technique that permits us to infer that a program P satisfies a rely/guarantee specification R oe G, given that we know P satisfies a finite collection of rely/guarantee specifications R i oe G i ; (i 2 I). The utility of the proof technique is illustrated by using it to derive global liveness properties of a system of concurrent processes from a collection of local liveness properties satisfied by the component processes. The use of the proof rule as a design principle, and the possibility of its incorporation into a formal logic of rely/guarantee assertions, is also discussed. 1 Introduction A rely/guarantee specification for a program P...
Hybrid Systems in TLA+
, 1993
"... . TLA + is a general purpose, formal specification language based on the Temporal Logic of Actions, with no builtin primitives for specifying realtime properties. Here, we use TLA + to define operators for specifying the temporal behavior of physical components obeying integral equations of ev ..."
Abstract

Cited by 51 (8 self)
 Add to MetaCart
. TLA + is a general purpose, formal specification language based on the Temporal Logic of Actions, with no builtin primitives for specifying realtime properties. Here, we use TLA + to define operators for specifying the temporal behavior of physical components obeying integral equations of evolution. These operators, together with previously defined operators for describing timing constraints, are used to specify a toy gas burner introduced by Ravn, Rischel, and Hansen. The burner is specified at three levels of abstraction, each of the two lowerlevel specifications implementing the next higherlevel one. Correctness proofs are sketched. 1 Introduction TLA + is a formal specification language based on TLA, the Temporal Logic of Actions [5]. We use TLA + to specify and verify a toy hybrid systema gas burner described by Ravn, Rischel, and Hansen (RRH) [8]. The TLA + specification and proof can be compared with the one by RRH that uses the Duration Calculus. We do not e...