Automated validation of distributed software using the IF environment
In 2001 IEEE International Symposium on Network Computing and Applications (NCA 2001), IEEE, 2001
Cited by 14 (9 self)
This paper summarizes our experience with IF, an open validation environment for distributed software systems. Faced with the increasing complexity of such systems, none of the existing tools can cover the whole validation process by itself. The IF environment was built upon an expressive intermediate language and allows several validation tools to be connected, providing most of the advanced techniques currently available. The results obtained on several large case studies, including telecommunication protocols and embedded software systems, confirm the practical interest of this approach.
Specification and Verification of the PowerScale Bus Arbitration Protocol: An Industrial Experiment with LOTOS
1996
Cited by 13 (0 self)
This paper presents the results of an industrial case study concerning the use of formal methods for the validation of hardware design. The case study focuses on PowerScale™, a multiprocessor architecture based on PowerPC™ microprocessors and used in Bull's Escala™ series of servers and workstations. The specification language LOTOS (ISO International Standard 8807) was used to describe formally the main components of this architecture (processors, memory controller and bus arbiter). Four correctness properties were identified, which express the essential requirements for a proper functioning of the arbitration algorithm, and formalized in terms of bisimulation relations (modulo abstractions) between finite labelled transition systems. Using the compositional and on-the-fly model-checking techniques implemented in the CADP (CAESAR/ALDÉBARAN) toolbox, the correctness of the arbitration algorithm was established automatically in a few minutes. Key-words: Formal me...
Verification Experiments on the MASCARA Protocol
In Proceedings of SPIN Workshop '01, 2001
Cited by 13 (8 self)
In this paper, we describe a case study on the verification of a real industrial protocol for wireless ATM, called MASCARA. Several tools have been used: SDL has been chosen as the specification language, and the commercial tool ObjectGEODE has been used for creating and maintaining SDL descriptions. The IF tool-set has been used for generation, minimization and comparison of system models and for verification of expected properties. All specification and verification tools are connected via the IF language, which has been defined as an intermediate representation for timed asynchronous systems as well as an open validation environment. Due to the complexity of the protocol, static analysis techniques, such as live variable analysis and program slicing, were the key to the success of this case study. The results obtained give some hints concerning a methodology for the formal verification of real systems.
1 Introduction
Model checking [CE81,QS82] is by now a well established m...
Flat Fragments of CTL and CTL*: Separating the Expressive and Distinguishing Powers
Cited by 12 (0 self)
We study both the expressive and the distinguishing powers of flat temporal logics. These are fragments obtained by restricting the first argument of the Until operator to propositional formulae. Both the linear-time and the branching-time cases are considered. Keywords: temporal logic, LTL, CTL, expressiveness, bisimulation
1 Introduction
Temporal logic lies at the basis of several specification formalisms that are widely used in practice. For a large part, this acceptance stems from the availability of software tools for automated verification, which allow one to prove or disprove the satisfaction of a temporal property interpreted over a model of the system under consideration. Model checking is such an approach, and it has proven successful in the debugging and verification of hardware circuitry and communication protocols, for example. Being based on an exhaustive inspection of the state space of the model, the scalability of model checking is limited, which is referred to as the state expl...
"On the Fly" Verification of Behavioural Equivalences and Preorders
1991
Cited by 12 (0 self)
This paper describes decision procedures for bisimulation and simulation relations between two transition systems. The algorithms proposed here do not need to construct the transition systems beforehand: the verification can be performed during their generation. In addition, a diagnosis is computed when the two transition systems are not equivalent.
1 Introduction
One of the successful approaches used for the verification of systems of communicating processes is provided by behavioral equivalence and preorder relations, which allow different descriptions of a given system to be compared. More precisely, if we denote by S (Specification) the most abstract description of the system and by I (Implementation) the most detailed one, it is possible to check whether I is in fact an implementation of S in the following manner: from S and I, generate two Labeled Transition Systems (LTS for short) S1 and S2. Let R be an appropriate equivalence relation or preorder relation on LTS. Then, I implements S if and only if S ...
A Tool Set for deciding Behavioral Equivalences
In Proceedings of CONCUR'91, 1991
Cited by 11 (2 self)
This paper deals with verification methods based on equivalence relations between labeled transition systems. More precisely, we are concerned with two practical needs: how to efficiently minimize and compare labeled transition systems with respect to bisimulation or simulation-based equivalence relations. First, we recall the principle of the classical algorithms for the existing equivalence relations, which are based on successive partition refinements of the state space of the labeled transition systems under consideration. However, in spite of their theoretical efficiency, the main drawback of these algorithms is that they require generating and storing in memory the whole labeled transition systems to be compared or minimized. Therefore, the size of the systems which can be handled in practice remains limited. We propose here another approach, allowing the generation and the verification phases to be combined, which is based on two algorithms respectively devoted to the comparison ("o...
Specification and verification of a TTP protocol for the conditional access to services
1996
Cited by 10 (5 self)
In this paper we use the formal language LOTOS to specify the Equicrypt protocol and verify its robustness to attacks by an intruder. We use the model-based CADP verification tools from the Eucalyptus toolbox to discover some successful attacks against this protocol.
1. Introduction
The Equicrypt protocol is a conditional access protocol under design in the European ACTS OKAPI project [GBM96]. It allows users to subscribe to multimedia services such as video on demand. Equicrypt is designed to be equitable, meaning that any user or service provider can potentially enter the system provided that it complies with this minimal protocol. This contrasts with proprietary systems, which all use different conditional access protocols and thus oblige users to implement almost as many protocols as there are service providers, which is a severe limitation. After a brief description of the protocol and its modelling in the formal language LOTOS [ISO 8807, BoB87], we will describe the ver...
Safety and Liveness in Branching Time
In Sixteenth Annual IEEE Symposium on Logic in Computer Science (LICS), 2001
Cited by 9 (1 self)
We extend the Alpern and Schneider linear time characterization of safety and liveness properties to branching time, where properties are sets of trees. We define two closure operators that give rise to the following four extremal types of properties: universally safe, existentially safe, universally live, and existentially live. The distinction between universal and existential properties captures the difference between the CTL path quantifiers A (for all paths) and E (there is a path). We show that every branching time property is the intersection of an existentially safe property and an existentially live property, of a universally safe property and a universally live property, and of an existentially safe property and a universally live property. We also examine how our closure operators behave on linear time properties. We then focus on sets of finitely branching trees and show that our closure operators agree on linear time safety properties. Furthermore, if a set of trees is given implicitly as a Rabin tree automaton B, we show that it is possible to compute the Rabin automata corresponding to the closures of the language of B. This allows us to effectively compute B_safe and B_live such that the language of B is the intersection of the languages of B_safe and B_live. As above, B_safe and B_live can be chosen so that their languages are existentially safe and existentially live, universally safe and universally live, or existentially safe and universally live.
Selective mu-calculus: New Modal Operators for Proving Properties on Reduced Transition Systems
In Proceedings of FORTE X/PSTV XVII '97, Chapman, 1997
Cited by 8 (7 self)
In model checking for temporal logic, the correctness of a (concurrent) system with respect to a desired behaviour is verified by checking whether a structure that models the system satisfies a formula describing the behaviour. Most existing verification techniques, and in particular those defined for concurrent calculi such as CCS, are based on a representation of the concurrent system by means of a labelled transition system. In this approach to verification, state explosion is one of the most serious problems. In this paper we present a new temporal logic, the selective mu-calculus, with the property that only the actions occurring in a formula are relevant to checking the formula itself. We prove that the selective mu-calculus is as powerful as the mu-calculus. We define the notion of ρ-bisimulation between transition systems: given a set of actions ρ, a transition system ρ-bisimulates another one if they have the same behaviour with respect to the actions in ρ. We prove that, if t...

