Results 1  10
of
49
Translation Validation
, 1998
"... We present the notion of translation validation as a new approach to the verification of translators (compilers, code generators). Rather than proving in advance that the compiler always produces a target code which correctly implements the source code (compiler verification), each individual transl ..."
Abstract

Cited by 181 (10 self)
 Add to MetaCart
(Show Context)
We present the notion of translation validation as a new approach to the verification of translators (compilers, code generators). Rather than proving in advance that the compiler always produces a target code which correctly implements the source code (compiler verification), each individual translation (i.e. a run of the compiler) is followed by a validation phase which verifies that the target code produced on this run correctly implements the submitted source program. Several ingredients are necessary to set up the  fully automatic  translation validation process, among which are: 1. A common semantic framework for the representation of the source code and the generated target code. 2. A formalization of the notion of "correct implementation" as a refinement relation. 3. A syntactic simulationbased proof method which allows to automatically verify that one model of the semantic framework, representing the produced target code, correctly implements another model which repres...
Efficient Model Checking Using Tabled Resolution
 Computer Aided Verification (CAV '97)
, 1997
"... We demonstrate the feasibility of using the XSB tabled logic programming system as a programmable fixedpoint engine for implementing efficient local model checkers. In particular, we present XMC, an XSBbased local model checker for a CCSlike valuepassing language and the alternationfree fragmen ..."
Abstract

Cited by 131 (33 self)
 Add to MetaCart
(Show Context)
We demonstrate the feasibility of using the XSB tabled logic programming system as a programmable fixedpoint engine for implementing efficient local model checkers. In particular, we present XMC, an XSBbased local model checker for a CCSlike valuepassing language and the alternationfree fragment of the modal mucalculus. XMC is written in under 200 lines of XSB code, which constitute a declarative specification of CCS and the modal mucalculus at the level of semantic equations. In order to gauge the performance of XMC as an algorithmic model checker, we conducted a series of benchmarking experiments designed to compare the performance of XMC with the local model checkers implemented in C/C++ in the Concurrency Factory and SPIN specification and verification environments. After applying certain newly developed logicprogrammingbased optimizations (along with some standard ones), XMC's performance became extremely competitive with that of the Factory and shows promise in its comparison with SPIN.
Synthesis of reactive(1) designs
 In Proc. Verification, Model Checking, and Abstract Interpretation (VMCAI’06
, 2006
"... Abstract. We consider the problem of synthesizing digital designs from their LTL specification. In spite of the theoretical double exponential lower bound for the general case, we show that for many expressive specifications of hardware designs the problem can be solved in time N 3, where N is the s ..."
Abstract

Cited by 114 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the problem of synthesizing digital designs from their LTL specification. In spite of the theoretical double exponential lower bound for the general case, we show that for many expressive specifications of hardware designs the problem can be solved in time N 3, where N is the size of the state space of the design. We describe the context of the problem, as part of the Prosyd European Project which aims to provide a propertybased development flow for hardware designs. Within this project, synthesis plays an important role, first in order to check whether a given specification is realizable, and then for synthesizing part of the developed system. The class of LTL formulas considered is that of Generalized Reactivity(1) (generalized Streett(1)) formulas, i.e., formulas of the form: ( p1 ∧ · · · ∧ pm) → ( q1 ∧ · · · ∧ qn) where each pi, qi is a boolean combination of atomic propositions. We also consider the more general case in which each pi, qi is an arbitrary past LTL formula over atomic propositions. For this class of formulas, we present an N 3time algorithm which checks whether such a formula is realizable, i.e., there exists a circuit which satisfies the formula under any set of inputs provided by the environment. In the case that the specification is realizable, the algorithm proceeds to construct an automaton which represents one of the possible implementing circuits. The automaton is computed and presented symbolically. 1
Symbolic model checking with rich assertional languages
 Theoretical Computer Science
, 1997
"... Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri c ..."
Abstract

Cited by 114 (4 self)
 Add to MetaCart
Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri cation of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of in nitestate systems, a demonstration that many individual examples of uniformly veri ed parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all singlebus con gurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the topdown invariant generation method used in deductive veri cation. 1
Smart PlayOut of Behavioral Requirements
 The Weizmann Institute of Science
, 2002
"... We describe a methodology for executing scenariobased requirements of reactive systems, focusing on "playingout" the behavior using formal verification techniques for driving the execution. The methodology is implemented in full in our playengine tool . The approach appears to be useful ..."
Abstract

Cited by 63 (40 self)
 Add to MetaCart
We describe a methodology for executing scenariobased requirements of reactive systems, focusing on "playingout" the behavior using formal verification techniques for driving the execution. The methodology is implemented in full in our playengine tool . The approach appears to be useful in many stages in the development of reactive systems, and might also pave the way to systems that are constructed directly from their requirements, without the need for intraobject or intracomponent modeling or coding.
Synthesis revisited: Generating statechart models from scenariobased requirements
 IN FORMAL METHODS IN SOFTWARE AND SYSTEMS MODELING
, 2005
"... Constructing a program from a specification is a longknown general and fundamental problem. Besides its theoretical interest, this question also has practical implications, since finding good synthesis algorithms could bring about a major improvement in the reliable development of complex systems. ..."
Abstract

Cited by 56 (7 self)
 Add to MetaCart
Constructing a program from a specification is a longknown general and fundamental problem. Besides its theoretical interest, this question also has practical implications, since finding good synthesis algorithms could bring about a major improvement in the reliable development of complex systems. In this paper we describe a methodology for synthesizing statechart models from scenariobased requirements. The requirements are given in the language of live sequence charts (LSCs), and may be played in directly from the GUI, and the resulting statecharts are of the objectoriented variant, as adopted in the UML. We have implemented our algorithms as part of the PlayEngine tool and the generated statechart model can then be executed using existing UML case tools.
Verification Support for Workflow Design with UML Activity Graphs
, 2002
"... We describe a tool that supports verification of workflow models specified in UML activity graphs. The tool translates an activity graph into an input format for a model checker according to a semantics we published earlier. With the model checker arbitrary propositional requirements can be checked ..."
Abstract

Cited by 54 (6 self)
 Add to MetaCart
We describe a tool that supports verification of workflow models specified in UML activity graphs. The tool translates an activity graph into an input format for a model checker according to a semantics we published earlier. With the model checker arbitrary propositional requirements can be checked against the input model. If a requirement fails to hold an error trace is returned by the model checker. The tool automatically translates such an error trace into an activity graph trace by highlighting a corresponding path in the activity graph. One of the problems that is dealt with is that model checkers require a finite state space whereas workflow models in general have an infinite state space. Another problem is that strong fairness is necessary to obtain realistic results. Only model checkers that use a special model checking algorithm for strong fairness are suitable for verifying workflow models. We analyse the structure of the state space. We illustrate our approach with some example verifications.
Tool Support for Verifying UML Activity Diagrams
 IEEE Transactions on Software Engineering
, 2004
"... We describe a tool that supports verification of workflow models specified in UML activity diagrams. The tool translates an activity diagram into an input format for a model checker according to a mathematical semantics. With the model checker, arbitrary propositional requirements can be checked a ..."
Abstract

Cited by 52 (2 self)
 Add to MetaCart
(Show Context)
We describe a tool that supports verification of workflow models specified in UML activity diagrams. The tool translates an activity diagram into an input format for a model checker according to a mathematical semantics. With the model checker, arbitrary propositional requirements can be checked against the input model. If a requirement fails to hold, an error trace is returned by the model checker, which our tool presents by highlighting a corresponding path in the activity diagram. We summarize our formal semantics, discuss the techniques used to reduce an infinite state space to a finite one, and motivate the need for strong fairness constraints to obtain realistic results. We define requirementpreserving rules for state space reduction. Finally, we illustrate the whole approach with a few example verifications.
Symbolic Model Checking of UML Activity Diagrams
 ACM Transactions on Software Engineering and Methodology
, 2006
"... Two translations from activity diagrams to the input language of NuSMV, a symbolic model verifier, are presented. Both translations map an activity diagram into a finite state machine and are inspired by existing statechart semantics. The requirementslevel translation defines state machines that ca ..."
Abstract

Cited by 34 (1 self)
 Add to MetaCart
(Show Context)
Two translations from activity diagrams to the input language of NuSMV, a symbolic model verifier, are presented. Both translations map an activity diagram into a finite state machine and are inspired by existing statechart semantics. The requirementslevel translation defines state machines that can be efficiently verified, but are a bit unrealistic since they assume the perfect synchrony hypothesis. The implementationlevel translation defines state machines that cannot be verified so efficiently, but that are more realistic since they do not use the perfect synchrony hypothesis. To justify the use of the requirementslevel translation, we show that for a large class of activity diagrams and certain properties, both translations are equivalent: regardless of which translation is used, the outcome of model checking is the same. Moreover, for linear stutteringclosed properties, the implementationlevel translation is equivalent to a slightly modified version of the requirementslevel translation. We use the two translations to model check data integrity constraints for an activity diagram and a set of class diagrams that specify the data manipulated in the activities. Both translations have been implemented in two tools. We discuss our experiences in applying both translations to model check some large example activity diagrams.
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
 Software Tools for Technology Transfer
, 2000
"... ion: The Cornerstones of Practical Formal Verification. Yonit Kesten 1 , Amir Pnueli 2 1 Dept. of Communication Systems Engineering, Ben Gurion University, BeerSheva, Israel, email: ykesten@bgumail.bgu.ac.il 2 Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of S ..."
Abstract

Cited by 33 (9 self)
 Add to MetaCart
(Show Context)
ion: The Cornerstones of Practical Formal Verification. Yonit Kesten 1 , Amir Pnueli 2 1 Dept. of Communication Systems Engineering, Ben Gurion University, BeerSheva, Israel, email: ykesten@bgumail.bgu.ac.il 2 Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, email: amir@wisdom.weizmann.ac.il The date of receipt and acceptance will be inserted by the editor Abstract. In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems  Symbolic Model Checking and Deductive Verification, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...