Results 1  10
of
93
Pushdown Processes: Games and Model Checking
, 1996
"... Games given by transition graphs of pushdown processes are considered. It is shown that ..."
Abstract

Cited by 136 (4 self)
 Add to MetaCart
Games given by transition graphs of pushdown processes are considered. It is shown that
Using model checking to generate tests from specifications
 In Proceedings of the Second IEEE International Conference on Formal Engineering Methods (ICFEM’98
, 1998
"... Abstract We apply a model checker to the problem of test generation using a new application of mutation analysis. We define syntactic operators, each of which produces a slight variation on a given model. The operators define a form of mutation analysis at the level of the model checker specificatio ..."
Abstract

Cited by 120 (13 self)
 Add to MetaCart
Abstract We apply a model checker to the problem of test generation using a new application of mutation analysis. We define syntactic operators, each of which produces a slight variation on a given model. The operators define a form of mutation analysis at the level of the model checker specification. A model checker generates counterexamples which distinguish the variations from the original specification. The counterexamples can easily be turned into complete test cases, that is, with inputs and expected output. We define two classes of operators: those that produce test cases from which a correct implementation must differ, and those that produce test cases with which it must agree. There are substantial advantages to combining a model checker with mutation analysis. First, the generation of test cases is automatic; each counterexample serves as a complete test case. Second, in sharp contrast to programbased mutation analysis, the identification of equivalent mutants is also automatic; the model checker simply reports that the mutant satisfies the constraints, and hence no counterexample is produced. We apply our method to an example specification and evaluate the resulting test sets with coverage metrics on a corresponding implementation in Java. 1 Introduction The use of formal methods has been widely advocated to reduce the likelihood of errors in the early stages of system development. Some of the chief drawbacks to applying formal methods is the difficulty of conducting formal analysis [5] and the perceived or actual payoff in project budget. Testing is an expensive part of the software budget, and formal methods offer an opportunity to significantly reduce the testing costs. We have developed an innovative combination of mutation analysis, model checking, and test generation which solves some problems previously plaguing these approaches and automatically produces good sets of tests from formal specifications. This section reviews the formal methods and approaches we use.
Another Look at LTL Model Checking
 Formal Methods in System Design
, 1994
"... We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by Mc ..."
Abstract

Cited by 111 (11 self)
 Add to MetaCart
We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated. This research was sponsored in part by the Avionics Laboratory, Wright Research and Development Center, Aeronautical Systems Division (AFSC), U.S. Air Force, WrightPatterson AFB, Ohio 454336543 under Contract F3361590C1465, ARPA Order No. 7597 and in part by the National Science foundat...
Module Checking
, 1996
"... . In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of ..."
Abstract

Cited by 79 (11 self)
 Add to MetaCart
. In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, modelchecking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current modelchecking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (mod ule checking, for short). We show that while module che...
Semantic Issues in the Verification of Agent Communication Languages
 Autonomous Agents and MultiAgent Systems
, 1999
"... This article examines the issue of developing semantics for agent communication languages. In particular, it considers the problem of giving a verifiable semantics for such languages  a semantics where conformance (or otherwise) to the semantics could be determined by an independent observer. The ..."
Abstract

Cited by 69 (3 self)
 Add to MetaCart
This article examines the issue of developing semantics for agent communication languages. In particular, it considers the problem of giving a verifiable semantics for such languages  a semantics where conformance (or otherwise) to the semantics could be determined by an independent observer. These problems are precisely dened in an abstract formal framework. Using this framework, a number of example agent communication frameworks are defined. A discussion is then presented, of the various options open to designers of agent communication languages, with respect the problem of verifying conformance.
Vacuity Detection in Temporal Model Checking
, 1999
"... One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelcheckin ..."
Abstract

Cited by 60 (14 self)
 Add to MetaCart
One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelchecking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Program analysis as model checking of abstract interpretations
, 1998
"... Abstract. This paper presents a collection of techniques, a methodology, in which abstract interpretation, flow analysis, and model checking are employed in the representation, abstraction, and analysis of programs. The methodology shows the areas of intersection of the different techniques as well ..."
Abstract

Cited by 60 (2 self)
 Add to MetaCart
Abstract. This paper presents a collection of techniques, a methodology, in which abstract interpretation, flow analysis, and model checking are employed in the representation, abstraction, and analysis of programs. The methodology shows the areas of intersection of the different techniques as well as the opportunites that exist when one technique is used in support of another. The methodology is presented as a threestep process: First, from a (smallstep) operational semantics definition and a program, one constructs a program model, which is a statetransition system that encodes the program’s executions. Second, abstraction upon the program model is performed, reducing the detail of information in the model’s nodes and arcs. Finally, the program model is analyzed for properties of its states and paths. 1
Implementation of Symbolic Model Checking for Probabilistic Systems
, 2002
"... In this thesis, we present ecient implementation techniques for probabilistic model checking, a method which can be used to analyse probabilistic systems such as randomised distributed algorithms, faulttolerant processes and communication networks. A probabilistic model checker inputs a probabilist ..."
Abstract

Cited by 50 (18 self)
 Add to MetaCart
In this thesis, we present ecient implementation techniques for probabilistic model checking, a method which can be used to analyse probabilistic systems such as randomised distributed algorithms, faulttolerant processes and communication networks. A probabilistic model checker inputs a probabilistic model and a speci cation, such as \the message will be delivered with probability 1", \the probability of shutdown occurring is at most 0.02" or \the probability of a leader being elected within 5 rounds is at least 0.98", and can automatically verify if the speci cation is true in the model.
Verification of PolyhedralInvariant Hybrid Automata Using Polygonal Flow Pipe Approximations
, 1999
"... . This paper presents a computational technique for verifying properties of hybrid systems with arbitrary continuous dynamics. The approach is based on the computation of approximating automata, which are finitestate approximations to the (possibly infinitestate) discretetrace transition system fo ..."
Abstract

Cited by 47 (4 self)
 Add to MetaCart
. This paper presents a computational technique for verifying properties of hybrid systems with arbitrary continuous dynamics. The approach is based on the computation of approximating automata, which are finitestate approximations to the (possibly infinitestate) discretetrace transition system for the hybrid system. The fundamental computation in the generation of approximating automata is the mapping of sets of continuous states to the boundaries of the location invariants. This mapping is computed by intersecting flow pipes, the sets of reachable states for continuous systems, with the invariant boundaries. Flow pipes are approximated by sequences of overlapping convex polygons. The paper presents an application of the computational procedure to a benchmark hybrid system, a batch evaporator. 1 Introduction Hybrid system behaviors can be described by an infinitestate transition system [7]. A standard approach to verifying properties of a hybrid system is to find an equivalent tra...
A classification of symbolic transition systems
 ACM TRANSACTIONS ON COMPUTATIONAL LOGIC
, 2005
"... We define five increasingly comprehensive classes of infinitestate systems, called STS1STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolica ..."
Abstract

Cited by 44 (5 self)
 Add to MetaCart
We define five increasingly comprehensive classes of infinitestate systems, called STS1STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by iteratively applying predecessor and Boolean operations on state sets, starting from a finite number of observable state sets. Any such iteration is guaranteed to terminate in that only a finite number of state sets can be generated. This enables model checking of the μcalculus.STS2 These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive Boolean operations. This enables model checking of the existential and universal fragments of the μcalculus.STS3 These are the systems with finite traceequivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive Boolean operations (intersection is restricted to intersection with observables). This enables model checking of all ωregular properties, including linear temporal logic.STS4 These are the systems with finite distanceequivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunctionfree and universal disjunctionfree fragments of the μcalculus.STS5 These are the systems with finite boundedreachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered (this is a weaker termination condition than above). This enables model checking of reachability properties.