Results 1  10
of
50
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2426 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
The Linear TimeBranching Time Spectrum II  The semantics of sequential systems with silent moves
, 1993
"... ion Rule (KFAR) (Baeten, Bergstra & Klop [3]), expresses a global fairness assumption. It says that when possible a system will escape from any cycle of internal actions. Some form of KFAR is crucial for many protocal verifications with unreliable channels, and for that reason preorders and equivale ..."
Abstract

Cited by 290 (17 self)
 Add to MetaCart
ion Rule (KFAR) (Baeten, Bergstra & Klop [3]), expresses a global fairness assumption. It says that when possible a system will escape from any cycle of internal actions. Some form of KFAR is crucial for many protocal verifications with unreliable channels, and for that reason preorders and equivalences that satisfy KFAR are of special interest. Must preorders and divergence sensitive ones cannot satisfy KFAR. In Bergstra, Klop & Olderog [7] it is shown that the combination of KFAR with failure semantics is inconsistent, but they formulate a weaker version of KFAR that is satisfied in failure maysemantics. Still the combination of KFAR \Gamma and the liveness requirement appears to require global testing, and is only satisfied in the semantics between contrasimulation (C) and stability respecting branching bisimulation (BB s ). These requirements would reduce the number of suitable preorders to 18. It is in general a good strategy to do your verifications using the finest preorde...
The ProofTheory and Semantics of Intuitionistic Modal Logic
, 1994
"... Possible world semantics underlies many of the applications of modal logic in computer science and philosophy. The standard theory arises from interpreting the semantic definitions in the ordinary metatheory of informal classical mathematics. If, however, the same semantic definitions are interpret ..."
Abstract

Cited by 100 (0 self)
 Add to MetaCart
Possible world semantics underlies many of the applications of modal logic in computer science and philosophy. The standard theory arises from interpreting the semantic definitions in the ordinary metatheory of informal classical mathematics. If, however, the same semantic definitions are interpreted in an intuitionistic metatheory then the induced modal logics no longer satisfy certain intuitionistically invalid principles. This thesis investigates the intuitionistic modal logics that arise in this way. Natural deduction systems for various intuitionistic modal logics are presented. From one point of view, these systems are selfjustifying in that a possible world interpretation of the modalities can be read off directly from the inference rules. A technical justification is given by the faithfulness of translations into intuitionistic firstorder logic. It is also established that, in many cases, the natural deduction systems induce wellknown intuitionistic modal logics, previously given by Hilbertstyle axiomatizations. The main benefit of the natural deduction systems over axiomatizations is their
Model Checking Partial State Spaces with 3Valued Temporal Logics (Extended Abstract)
 In Proceedings of the 11th Conference on Computer Aided Verification
, 1999
"... ) Glenn Bruns and Patrice Godefroid Bell Laboratories, Lucent Technologies fgrb,godg@belllabs.com Abstract. We address the problem of relating the result of model checking a partial state space of a system to the properties actually possessed by the system. We represent incomplete state space ..."
Abstract

Cited by 95 (7 self)
 Add to MetaCart
) Glenn Bruns and Patrice Godefroid Bell Laboratories, Lucent Technologies fgrb,godg@belllabs.com Abstract. We address the problem of relating the result of model checking a partial state space of a system to the properties actually possessed by the system. We represent incomplete state spaces as partial Kripke structures, and give a 3valued interpretation to modal logic formulas on these structures. The third truth value ? means "unknown whether true or false". We define a preorder on partial Kripke structures that reflects their degree of completeness. We then provide a logical characterization of this preorder. This characterization thus relates properties of less complete structures to properties of more complete structures. We present similar results for labeled transition systems and show a connection to intuitionistic modal logic. We also present a 3valued CTL model checking algorithm, which returns ? only when the partial state space lacks information needed ...
TableauBased Model Checking in the Propositional MuCalculus
 Acta Informatica
, 1990
"... This paper describes a procedure, based around the construction of tableau proofs, for determining whether finitestate systems enjoy properties formulated in the propositional mucalculus. It presents a tableaubased proof system for the logic and proves it sound and complete, and it discusses tech ..."
Abstract

Cited by 91 (7 self)
 Add to MetaCart
This paper describes a procedure, based around the construction of tableau proofs, for determining whether finitestate systems enjoy properties formulated in the propositional mucalculus. It presents a tableaubased proof system for the logic and proves it sound and complete, and it discusses techniques for the efficient construction of proofs that states enjoy properties expressed in the logic. The approach is the basis of an ongoing implementation of a model checker in the Concurrency Workbench, an automated tool for the analysis of concurrent systems. 1 Introduction One area of program verification that has proven amenable to automation involves the analysis of finitestate processes. While computer systems in general are not finitestate, many interesting ones, including a variety of communication protocols and hardware systems, are, and their finitary nature enables the development and implementation of decision procedures that test for various properties. Model checking has p...
Using Typed Lambda Calculus to Implement Formal Systems on a Machine
 Journal of Automated Reasoning
, 1992
"... this paper and the LF. In particular the idea of having an operator T : Prop ! Type appears already in De Bruijn's earlier work, as does the idea of having several judgements. The paper [24] describes the basic features of the LF. In this paper we are going to provide a broader illustration of its a ..."
Abstract

Cited by 83 (14 self)
 Add to MetaCart
this paper and the LF. In particular the idea of having an operator T : Prop ! Type appears already in De Bruijn's earlier work, as does the idea of having several judgements. The paper [24] describes the basic features of the LF. In this paper we are going to provide a broader illustration of its applicability and discuss to what extent it is successful. The analysis (of the formal presentation) of a system carried out through encoding often illuminates the system itself. This paper will also deal with this phenomenon.
Generalized Model Checking: Reasoning about Partial State Spaces
, 2000
"... We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the modelchecking problem for any 3valued temporal logic can be reduced to two modelchec ..."
Abstract

Cited by 74 (6 self)
 Add to MetaCart
We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the modelchecking problem for any 3valued temporal logic can be reduced to two modelchecking problems for the corresponding 2valued temporal logic. We then introduce a new semantics for 3valued temporal logics that can give more definite answers than the previous one. With this semantics, the evaluation of a formula OE on a partial Kripke structure M returns the third truth value? (read "unknown") only if there exist Kripke structures M1 and M2 that both complete M and such that M1 satisfies OE while M2 violates OE, hence making the value of OE on M truly unknown. The partial Kripke structure M can thus be viewed as a partial solution to the satisfiability problem which reduces the solution space to complete Kripke structures that are more complete than M wit...
Model Checking Mobile Processes
, 1993
"... We introduce a temporal logic for the polyadic ßcalculus based on fixed point extensions of HennessyMilner logic. Features are added to account for parametrisation, generation, and passing of names, including the use, following Milner, of dependent sum and product to account for (unlocalised) inpu ..."
Abstract

Cited by 63 (11 self)
 Add to MetaCart
We introduce a temporal logic for the polyadic ßcalculus based on fixed point extensions of HennessyMilner logic. Features are added to account for parametrisation, generation, and passing of names, including the use, following Milner, of dependent sum and product to account for (unlocalised) input and output, and explicit parametrisation on names using lambdaabstraction and application. The latter provides a single name binding mechanism supporting all parametrisation needed. A proof system and decision procedure is developed based on Stirling and Walker's approach to model checking the modal ¯calculus using constants. One difficulty, for both conceptual and efficiencybased reasons, is to avoid the explicit use of the !rule for parametrised processes. A key idea, following Hennessy and Lin's approach to deciding bisimulation for certain types of valuepassing processes, is the relativisation of correctness assertions to conditions on names. Based on this idea a proof system and ...
Compositional Minimization of Finite State Systems
 IN PROC. 2ND INTERNATIONAL CONFERENCE OF COMPUTERAIDED VERIFICATION
, 1991
"... In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large inter ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large intermediate representations. Central is the use of interface specifications here, which express constraints on the components' communication behaviour, and therefore to control the state explosion caused by the interleavings of actions of communicating parallel components. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the reactive system under consideration, in particular on the accuracy of the interface specifications. However, its correctness does not: every "successful" construction is guaranteed to yield the desired minimal transition system, independently of the correctness of the interface specifications provided by the designer.