Results 1 - 10 of 19
Quantitative languages
Cited by 36 (14 self)
Quantitative generalizations of classical languages, which assign to each word a real number instead of a boolean value, have applications in modeling resource-constrained computation. We use weighted automata (finite automata with transition weights) to define several natural classes of quantitative languages over finite and infinite words; in particular, the real value of an infinite run is computed as the maximum, limsup, liminf, limit average, or discounted sum of the transition weights. We define the classical decision problems of automata theory (emptiness, universality, language inclusion, and language equivalence) in the quantitative setting and study their computational complexity. As the decidability of the language-inclusion problem remains open for some classes of weighted automata, we introduce a notion of quantitative simulation that is decidable and implies language inclusion. We also give a complete characterization of the expressive power of the various classes of weighted automata. In particular, we show that most classes of weighted
How vacuous is vacuous
In Proc. 10th TACAS, LNCS 2988, 2004
Cited by 17 (8 self)
Abstract. Model-checking gained wide popularity for analyzing software and hardware systems. However, even when the desired property holds, the property or the model may still require fixing. For example, a property ϕ: “on all paths, a request is followed by an acknowledgment”, may hold because no requests have been generated. Vacuity detection has been proposed to address the above problem. This technique is able to determine that the above property ϕ is satisfied vacuously in systems where requests are never sent. Recent work in this area enabled the computation of interesting witnesses for the satisfaction of properties (in our case, those that satisfy ϕ and contain a request) and vacuity detection with respect to subformulas with single and multiple subformula occurrences. Often, the answer “vacuous” or “not vacuous”, provided by existing techniques, is insufficient. Instead, we want to identify all subformulas of a given CTL formula that cause its vacuity, or better, identify all maximal such subformulas. Further, these subformulas may be mutually vacuous. In this paper, we propose a framework for identifying a variety of degrees of vacuity, including mutual vacuity between different subformulas. We also cast vacuity detection as a multi-valued model-checking problem.
Why Waste a Perfectly Good Abstraction
In Proceedings of the 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’06), 2006
Cited by 16 (4 self)
Abstract. Software model-checking based on the CEGAR framework can be made more precise by separating non-determinism from the lack of information due to abstraction. The two can be modeled individually using four-valued Belnap logic. In addition, this logic allows reasoning about negations effectively and thus enables checking of full CTL. In this paper, we present YASM – a new symbolic software model-checker. Preliminary experience with YASM shows that our implementation can effectively construct and analyze Belnap models without a substantial overhead when compared to its classical counterparts.
Extending extended vacuity
In 5th FMCAD, LNCS 2212, 2004
Cited by 15 (4 self)
Abstract. There has been a growing interest in detecting whether a logic specification holds in the system vacuously. For example, a specification “every request is eventually followed by an acknowledgment” holds vacuously on those systems that never generate requests. In a recent paper, Armoni et al. have argued against previous definitions of vacuity, defined as sensitivity with respect to syntactic perturbation. They suggested that vacuity should be robust, i.e., insensitive to trivial changes in the logic and in the model, and is better described as sensitivity with respect to semantic perturbation, represented by universal propositional quantification. In this paper, we extend the above suggestion by giving a formal definition of robust vacuity that allows us to define and detect vacuous satisfaction and vacuous failure for arbitrary CTL* properties, even with respect to multiple occurrences of subformulas. We discuss complexity of our approaches and study the relationship between vacuity and abstraction.
A Practical Approach to Partial Functions in CVC Lite
2004
Cited by 14 (7 self)
Most verification approaches assume a mathematical formalism in which functions are total, even though partial functions occur naturally in many applications. Furthermore, although there have been various proposals for logics of partial functions, there is no consensus on which is "the right" logic to use for verification applications. In this paper, we propose using a three-valued Kleene logic, where partial functions return the "undefined" value when applied outside of their domains. The particular semantics are chosen according to the principle of least surprise to the user; if there is disagreement among the various approaches on what the value of the formula should be, its evaluation is undefined. We show that the problem of checking validity in the three-valued logic can be reduced to checking validity in a standard two-valued logic, and describe how this approach has been successfully implemented in our tool, CVC Lite.
Temporal Logic Query Checking: A Tool for Model Exploration
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2003
Cited by 10 (5 self)
Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol ?1, known as a placeholder. Given a Kripke structure and a propositional formula φ, we say that φ satisfies the query if replacing the placeholder by φ results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multi-valued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multi-valued model checker Chek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries—an essential notion for effective model exploration.
Expressiveness and closure properties for quantitative languages
In Proc. of LICS: Logic in Computer Science. IEEE Comp. Soc, 2009
Cited by 8 (5 self)
Abstract. Weighted automata are nondeterministic automata with numerical weights on transitions. They can define quantitative languages L that assign to each word w a real number L(w). In the case of infinite words, the value of a run is naturally computed as the maximum, limsup, liminf, limit average, or discounted sum of the transition weights. We study expressiveness and closure questions about these quantitative languages. We first show that the set of words with value greater than a threshold can be non-ω-regular for deterministic limit-average and discounted-sum automata, while this set is always ω-regular when the threshold is isolated (i.e., some neighborhood around the threshold contains no word). In the latter case, we prove that the ω-regular language is robust against small perturbations of the transition weights. We next consider automata with transition weights 0 or 1 and show that they are as expressive as general weighted automata in the limit-average case, but not in the discounted-sum case. Third, for quantitative languages L1 and L2, we consider the operations max(L1, L2), min(L1, L2), and 1 − L1, which generalize the boolean operations on languages, as well as the sum L1 + L2. We establish the closure properties of all classes of quantitative languages with respect to these four operations.
How thorough is thorough enough
In CHARME, ser. LNCS, 2005
Cited by 8 (6 self)
Abstract. Abstraction is the key for effectively dealing with the state explosion problem in model-checking. Unfortunately, finding abstractions which are small and yet enable us to get conclusive answers about properties of interest is notoriously hard. Counterexample-guided abstraction refinement frameworks have been proposed to help build good abstractions iteratively. Although effective in many cases, such frameworks can include unnecessary refinement steps, leading to larger models, because the abstract verification step is not as conclusive as it can be in theory. Abstract verification can be supplemented by a more precise but much more expensive thorough check, but it is not clear how often this check really helps. In this paper, we study the relationship between model-checking and thorough checking and identify practical cases where the latter is not necessary, and those where it can be performed efficiently.
Composition and Alternation for Weighted Automata
Cited by 7 (5 self)
Abstract. Weighted automata are nondeterministic automata with numerical weights on transitions. They can be used to define quantitative languages L that assign to each (finite or infinite) word w a real number L(w). For instance, the value of an infinite run is computed as the maximum, limsup, liminf, limit average, or discounted sum of the transition weights. For quantitative languages L1, L2, we study the operations max(L1, L2), min(L1, L2), and 1 − L1 as natural generalizations of the boolean operations; we also consider the sum L1 + L2. We establish the closure properties of all classes of quantitative languages with respect to these four operations. We also introduce alternating weighted automata, give their closure properties, and compare the expressive power of the different classes of alternating and nondeterministic weighted automata. In particular, we show that alternation provides strictly more expressiveness than nondeterminism in the case of limit-average and discounted-sum automata.
Multivalued model checking games
In Proc. 3rd ATVA, LNCS 3707, 2005
Cited by 4 (1 self)
Abstract. This work extends the game-based framework of µ-calculus model checking to the multi-valued setting. In multi-valued model checking a formula is interpreted over a Kripke structure defined over a lattice. The value of the formula is also an element of the lattice. We define a new game for this problem and derive from it a direct model checking algorithm that handles the multi-valued structure without any reduction. We investigate the properties of the new game, both independently, and in comparison to the automata-based approach. We show that the usual resemblance between the two approaches does not hold in the multi-valued setting and show how it can be regained by changing the nature of the game.