You Assume, We Guarantee: Methodology and Case Studies
1998
Cited by 97 (14 self)
Assume-guarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Refinement mappings (homomorphisms) have long been advertised as an important method for solving the language-inclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that rather than offering instant solutions, the success of assume-guarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control
2006
Cited by 81 (9 self)
When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
Symbolic compositional verification by learning assumptions
In CAV, 2005
Cited by 52 (7 self)
The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assume-guarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we propose an automated solution for discovering assumptions based on the L* algorithm for active learning of regular languages. We present a symbolic implementation of the learning algorithm, and incorporate it in the model checker NuSMV. Our experiments demonstrate significant savings in the computational requirements of symbolic model checking.
Hybrid Systems in TLA+
1993
Cited by 49 (6 self)
TLA+ is a general purpose, formal specification language based on the Temporal Logic of Actions, with no built-in primitives for specifying real-time properties. Here, we use TLA+ to define operators for specifying the temporal behavior of physical components obeying integral equations of evolution. These operators, together with previously defined operators for describing timing constraints, are used to specify a toy gas burner introduced by Ravn, Rischel, and Hansen. The burner is specified at three levels of abstraction, each of the two lower-level specifications implementing the next higher-level one. Correctness proofs are sketched. 1 Introduction TLA+ is a formal specification language based on TLA, the Temporal Logic of Actions [5]. We use TLA+ to specify and verify a toy hybrid system, a gas burner described by Ravn, Rischel, and Hansen (RRH) [8]. The TLA+ specification and proof can be compared with the one by RRH that uses the Duration Calculus. We do not e...
The Theory of Timed I/O Automata
2003
Cited by 45 (24 self)
This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time. The TIOA framework supports the statement and verification of safety and liveness properties for timed systems. It defines what it means for a property to be a safety or a liveness property, includes basic results about safety-liveness classification, and
Thread-modular verification for shared-memory programs
In Proc. 2002 European Symposium on Programming, 2002
Cited by 38 (5 self)
Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assume-guarantee reasoning, and relies on the programmer to specify an environment assumption that constrains the interaction between threads. Using this environment assumption, the checker reduces the verification of the original multithreaded program to the verification of several sequential programs, one for each thread. These sequential programs are subsequently analyzed using extended static checking techniques (based on verification conditions and automatic theorem proving). Experience indicates that the checker is capable of handling a range of synchronization disciplines. In addition, the required environment assumptions are simple and intuitive for common synchronization idioms.
Automating Modular Verification
1999
Cited by 35 (8 self)
Modular techniques for automatic verification attempt to overcome the state-explosion problem by exploiting the modular structure naturally present in many system designs. Unlike other tasks in the verification of finite-state systems, current modular techniques rely heavily on user guidance. In particular, the user is typically required to construct module abstractions that are neither too detailed as to render insufficient benefits in state exploration, nor too coarse as to invalidate the desired system properties. In this paper, we construct abstract modules automatically, using reachability and controllability information about the concrete modules. This allows us to leverage automatic verification techniques by applying them in layers: first we compute on the state spaces of system components, then we use the results for constructing abstractions, and finally we compute on the abstract state space of the system. Our experimental results indicate that if reachability and controllab...
A Logical View of Composition
Theoretical Computer Science, 1993
Cited by 34 (8 self)
We define two logics of safety specifications for reactive systems. The logics provide a setting for the study of composition rules. The two logics arise naturally from extant specification approaches; one of the logics is intuitionistic, while the other one is linear.
Parallel Composition of Assumption-Commitment Specifications: a Unifying Approach for Shared Variable and Distributed Message Passing Concurrency
1996
Cited by 26 (6 self)
We unify the parallel composition rule of assumption-commitment specifications for respectively state-based and message-based concurrent processes. Without providing language-dependent definitions, we first assume that the model of a process can be given as a set of `sequences' (e.g., traces, state sequences). Then we assume the existence of a merging operator that captures the compositionality of that model. On this basis, we formulate a semantic parallel composition rule for assumption-commitment specifications wherein the merging operator behaves as a parameter. Then, by providing suitable language-specific definitions for the model of a process and the merging operator, we transform the semantic rule into syntactic ones, both for the state-based and message-based approaches to concurrency. 1 Introduction In the concurrent programming community, communication between processes is usually modeled in two ways. The first one uses shared variables as a mean for communication and the oth...