Results 1  10
of
45
Modularity for Timed and Hybrid Systems
, 1997
"... In a tracebased world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. In a realtime world, liveness is automatically present in ..."
Abstract

Cited by 69 (19 self)
 Add to MetaCart
In a tracebased world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. In a realtime world, liveness is automatically present in the form of diverging time. The receptiveness condition, then, translates to the requirement that a module must be able to let time diverge no matter how the environment behaves. We study the receptiveness condition for realtime systems by extending the model of reactive modules to timed and hybrid modules. We define the receptiveness of such a module as the existence of a winning strategy in a game of the module against its environment. By solving the game on region graphs, we present an (optimal) Exptime algorithm for checking the receptiveness of propositional timed modules. By giving a fixpoint characterization of the game, we present a symbolic procedure for checking the re...
A Methodology for Hardware Verification Using Compositional Model Checking
, 1999
"... A methodology for systemlevel hardware verification based on compositional model checking is described. This methodology relies on a simple set of proof techniques, and a domain specific strategy for applying them. The goal of this strategy is to reduce the verification of a large system to fini ..."
Abstract

Cited by 53 (1 self)
 Add to MetaCart
A methodology for systemlevel hardware verification based on compositional model checking is described. This methodology relies on a simple set of proof techniques, and a domain specific strategy for applying them. The goal of this strategy is to reduce the verification of a large system to finite state subgoals that are tractable in both size and number. These subgoals are then discharged by model checking. The proof strategy uses proof techniques for design refinement, temporal case splitting, data type reduction and the exploitation of symmetry. Uninterpreted functions can be used to abstract operations on data. A proof system supporting this approach generates verification subgoals to be discharged by the SMV symbolic model checker. Application of the methodology is illustrated using an implementation of Tomasulo's algorithm, a packet buffering device and a cache coherence protocol as examples. c fl1999 Cadence Berkeley Labs, Cadence Design Systems. 1 1 Introduction F...
Compositional Minimization of Finite State Systems
 IN PROC. 2ND INTERNATIONAL CONFERENCE OF COMPUTERAIDED VERIFICATION
, 1991
"... In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large inter ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large intermediate representations. Central is the use of interface specifications here, which express constraints on the components' communication behaviour, and therefore to control the state explosion caused by the interleavings of actions of communicating parallel components. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the reactive system under consideration, in particular on the accuracy of the interface specifications. However, its correctness does not: every "successful" construction is guaranteed to yield the desired minimal transition system, independently of the correctness of the interface specifications provided by the designer.
Compositional Minimisation of Finite State Systems Using Interface Specifications
, 1996
"... We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit g ..."
Abstract

Cited by 32 (6 self)
 Add to MetaCart
We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit global communication constraints given in terms of interface specifications. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the distributed system under consideration, and the accuracy of the interface specifications. However, its correctness is independent of the correctness of the interface specifications provided by the program designer.
Circular Compositional Reasoning About Liveness
 Advances in Hardware Design and Verification: IFIP WG10.5 International Conference on Correct Hardware Design and Verification Methods (CHARME ’99), volume 1703 of Lecture Notes in Computer Science
, 1999
"... . Compositional proofs about systems of many components often involve apparently circular arguments. That is, correctness of component A must be assumed when verifying component B, and vice versa. The apparent circularity of such arguments can be resolved by induction over time. However, previous ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
. Compositional proofs about systems of many components often involve apparently circular arguments. That is, correctness of component A must be assumed when verifying component B, and vice versa. The apparent circularity of such arguments can be resolved by induction over time. However, previous methods for such circular compositional reasoning apply only to safety properties. This paper presents a method of circular compositional reasoning that applies to liveness properties as well. It is based on a new circular compositional rule implemented in the SMV proof assistant. The method is illustrated using Tomasulo's algorithm for outoforder instruction execution. An implementation is proved live for arbitrary resources using compositional model checking. c fl1999 Cadence Berkeley Labs, Cadence Design Systems. 1 Introduction Compositional methods are used in conjunction with model checking to reduce the verification of large systems to a number of smaller, localized verificat...
Characterization of a Sequentially Consistent Memory and Verification of a Cache Memory by Abstraction
 Distributed Computing
, 1995
"... ion ? Susanne Graf VERIMAG ?? , Avenue de la Vignate, F38610 Gi`eres ? ? ? Abstract. The contribution of the paper is twofold. We give a set of properties expressible as temporal logic formulas such that any system satisfying them is a sequentially consistent memory, and which is sufficiently ..."
Abstract

Cited by 26 (4 self)
 Add to MetaCart
ion ? Susanne Graf VERIMAG ?? , Avenue de la Vignate, F38610 Gi`eres ? ? ? Abstract. The contribution of the paper is twofold. We give a set of properties expressible as temporal logic formulas such that any system satisfying them is a sequentially consistent memory, and which is sufficiently precise such that every reasonable concrete system that implements a sequentially consistent memory satisfies these properties. Then, we verify these properties on a distributed cache memory system by means of a verification method, based on the use of abstract interpretation which has been presented in previous papers and so far applied to finite state systems. The motivation for this paper was to show that it can also be successfully applied to systems with an infinite state space. This is a revised and extended version of [Gra94]. 1 Introduction We propose to verify the distributed cache memory presented in [ABM93] and [Ger94] by using the verification method proposed in [BBLS92,LGS +...
On the Complexity of Branching Modular Model Checking (Extended Abstract)
, 1995
"... In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assumeguarantee paradigm. In this paper we consid ..."
Abstract

Cited by 19 (9 self)
 Add to MetaCart
In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assumeguarantee paradigm. In this paper we consider assumeguarantee specifications in which the assumptions and the guarantees are specified by universal branching temporal formulas (i.e., all path quantifiers are universal). Verifying modules with respect to such specifications is called the branching modular modelchecking problem. We consider both ACTL and ACTL*, the universal fragments of CTL and CTL*. We develop two fundamental techniques: building max...
Automated AssumeGuarantee Reasoning for Simulation Conformance
 In Proc. of CAV’05, volume 3576 of LNCS
, 2005
"... Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state system ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state systems and specifications. We focus on a noncircular assumeguarantee proof rule, and show that there is a weakest assumption that can be represented canonically by a deterministic tree automata (DTA). We then present an algorithm L T that learns this DTA automatically in an incremental fashion, in time that is polynomial in the number of states in the equivalent minimal DTA. The algorithm assumes a teacher that can answer membership queries pertaining to the language of the unknown DTA, and can also test a conjecture and provide a counter example if the conjecture is false. We show how the teacher and its interaction with L T are implemented in a model checker. We have implemented this framework in the ComFoRT toolkit and we report encouraging results (up to 41 and 14 times improvement in memory and time consumption respectively) on nontrivial benchmarks.
Local liveness for compositional modeling of fair reactive systems
 CAV 95: Computeraided Verification, Lecture Notes in Computer Science 939
, 1995
"... Abstract. We argue that the standard constraints on liveness conditions in nonblocking trace modelsmachine closure for closed systems, and receptiveness for open systemsare unnecessarily weak and complex, and that liveness should, instead, be speci ed by augmenting transition systems with acceptan ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Abstract. We argue that the standard constraints on liveness conditions in nonblocking trace modelsmachine closure for closed systems, and receptiveness for open systemsare unnecessarily weak and complex, and that liveness should, instead, be speci ed by augmenting transition systems with acceptance conditions that satisfy a locality constraint. First, locality implies machine closure and receptiveness, and thus permits the composition and modular veri cation of live transition systems. Second, while machine closure and receptiveness are based on in nite games, locality is based on repeated nite games, and thus easier to check. Third, no expressive power is lost by the restriction to local liveness conditions. We illustrate the appeal of local liveness using the model of Fair Reactive Systems, a nonblocking trace model of communicating processes. 1
Verification of Safety Properties for Concurrent Assembly Code
 IN PROC. 2004 ACM SIGPLAN INT’L CONF. ON FUNCTIONAL PROG
, 2004
"... Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using highlevel languages and calculi, the verification of concurrent assembly code remains an open probl ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using highlevel languages and calculi, the verification of concurrent assembly code remains an open problem, largely due to the lack of abstraction at a lowlevel. Nevertheless, it is sometimes necessary to reason about assembly code or machine executables so as to achieve higher assurance. In this paper