Composing Specifications
ACM TRANSACTIONS ON PROGRAMMING LANGUAGES AND SYSTEMS, 1993
You Assume, We Guarantee: Methodology and Case Studies
1998
Cited by 105 (15 self)
Assume-guarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Refinement mappings (homomorphisms) have long been advertised as an important method for solving the language-inclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that rather than offering instant solutions, the success of assume-guarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in the form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control
2006
Cited by 90 (10 self)
When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
Symbolic compositional verification by learning assumptions
In CAV, 2005
Cited by 57 (7 self)
The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assume-guarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we propose an automated solution for discovering assumptions based on the L* algorithm for active learning of regular languages. We present a symbolic implementation of the learning algorithm, and incorporate it in the model checker NuSMV. Our experiments demonstrate significant savings in the computational requirements of symbolic model checking.
Hybrid Systems in TLA+
1993
Cited by 53 (6 self)
TLA+ is a general-purpose, formal specification language based on the Temporal Logic of Actions, with no built-in primitives for specifying real-time properties. Here, we use TLA+ to define operators for specifying the temporal behavior of physical components obeying integral equations of evolution. These operators, together with previously defined operators for describing timing constraints, are used to specify a toy gas burner introduced by Ravn, Rischel, and Hansen. The burner is specified at three levels of abstraction, each of the two lower-level specifications implementing the next higher-level one. Correctness proofs are sketched.
1 Introduction
TLA+ is a formal specification language based on TLA, the Temporal Logic of Actions [5]. We use TLA+ to specify and verify a toy hybrid system, a gas burner described by Ravn, Rischel, and Hansen (RRH) [8]. The TLA+ specification and proof can be compared with the one by RRH that uses the Duration Calculus. We do not e...
The Theory of Timed I/O Automata
2003
Cited by 50 (25 self)
This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time. The TIOA framework supports the statement and verification of safety and liveness properties for timed systems. It defines what it means for a property to be a safety or a liveness property, includes basic results about safety-liveness classification, and
Thread-modular verification for shared-memory programs
In Proc. 2002 European Symposium on Programming, 2002
Cited by 42 (6 self)
Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assume-guarantee reasoning, and relies on the programmer to specify an environment assumption that constrains the interaction between threads. Using this environment assumption, the checker reduces the verification of the original multithreaded program to the verification of several sequential programs, one for each thread. These sequential programs are subsequently analyzed using extended static checking techniques (based on verification conditions and automatic theorem proving). Experience indicates that the checker is capable of handling a range of synchronization disciplines. In addition, the required environment assumptions are simple and intuitive for common synchronization idioms.
A Logical View of Composition
THEORETICAL COMPUTER SCIENCE, 1993
Cited by 38 (8 self)
We define two logics of safety specifications for reactive systems. The logics provide a setting for the study of composition rules. The two logics arise naturally from extant specification approaches; one of the logics is intuitionistic, while the other one is linear.
Automating Modular Verification
1999
Cited by 36 (9 self)
Modular techniques for automatic verification attempt to overcome the state-explosion problem by exploiting the modular structure naturally present in many system designs. Unlike other tasks in the verification of finite-state systems, current modular techniques rely heavily on user guidance. In particular, the user is typically required to construct module abstractions that are neither so detailed as to render insufficient benefits in state exploration, nor so coarse as to invalidate the desired system properties. In this paper, we construct abstract modules automatically, using reachability and controllability information about the concrete modules. This allows us to leverage automatic verification techniques by applying them in layers: first we compute on the state spaces of system components, then we use the results for constructing abstractions, and finally we compute on the abstract state space of the system. Our experimental results indicate that if reachability and controllab...
Compositional verification for component-based systems and application
In Proc. ATVA, 2008
Cited by 27 (18 self)
We present a compositional method for the verification of component-based systems described in a subset of the BIP language encompassing multiparty interaction without data transfer. The method is based on the use of two kinds of invariants. Component invariants are over-approximations of components' reachability sets. Interaction invariants are global constraints on the states of components involved in interactions. The method has been implemented in the D-Finder tool and has been applied for checking deadlock-freedom. The experimental results on nontrivial examples show that our method allows either to prove deadlock-freedom or to identify very few deadlock configurations that can be analyzed by using state space exploration.