Results 1  10
of
37
Counterexampleguided Abstraction Refinement
, 2000
"... We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symb ..."
Abstract

Cited by 848 (71 self)
 Add to MetaCart
We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Abstract interpretation of reactive systems: Abstractions preserving 8CTL , 9CTL and CTL
 Proceedings of the IFIP WG2.1/WG2.2/WG2.3 Working Conference on Programming Concepts, Methods and Calculi (PROCOMET), IFIP Transactions
, 1994
"... The advent of ever more complex reactive systems in increasingly critical areas calls for the development of automated verification techniques. Model checking is one such technique, which has proven quite successful. However, the state explosion problem remains the stumbling block in many situations ..."
Abstract

Cited by 276 (13 self)
 Add to MetaCart
(Show Context)
The advent of ever more complex reactive systems in increasingly critical areas calls for the development of automated verification techniques. Model checking is one such technique, which has proven quite successful. However, the state explosion problem remains the stumbling block in many situations. Recent experience indicates that solutions are to be found in the application of techniques for property preserving abstraction and successive approximation of models. Most such applications have so far been based on the propertypreserving characteristics of simulation relations. A major drawback of all these results is that they do not offer a satisfactory formalization of the notions of precision and optimality of abstractions. Furthermore, the use of simulation relations poses difficulties when formalizing the preservation of both existential and universal properties over the same abstract domain. The theory of Abstract Interpretation offers a framework for the definition and justification of property preserving abstractions. Furthermore, it provides a method for the effective computation of abstract models directly from the text of a program, thereby avoiding the need for intermediate storage of a fullblown model. Finally, it formalizes the notion of optimality, while allowing
Computing abstractions of infinite state systems compositionally and automatically
 PROCEEDINGS OF CAV ’98
, 1998
"... We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Del ..."
Abstract

Cited by 108 (6 self)
 Add to MetaCart
(Show Context)
We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Delta k S a n such that S simulates S a. A distinguishing feature of our method is that it does not produce a single abstract state graph but rather preserves the structure of the concrete system. This feature is a prerequisite to benefit from the techniques developed in the context of modelchecking for mitigating the state explosion. Moreover, our method has the advantage that the process of constructing the abstract system does not depend on whether the computation model is synchronous or asynchronous.
Utilizing Symmetry when Model Checking under Fairness Assumptions: An Automatatheoretic Approach
, 1999
"... ..."
Compositional Minimisation of Finite State Systems Using Interface Specifications
, 1996
"... We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit g ..."
Abstract

Cited by 39 (7 self)
 Add to MetaCart
We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit global communication constraints given in terms of interface specifications. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the distributed system under consideration, and the accuracy of the interface specifications. However, its correctness is independent of the correctness of the interface specifications provided by the program designer.
Partial Model Checking (Extended Abstract)
 In Proceedings, Tenth Annual IEEE Symposium on Logic in Computer Science
, 1995
"... ) Henrik Reif Andersen Department of Computer Science Technical University of Denmark Building 344, DK2800 Lyngby, Denmark. Abstract A major obstacle in applying finitestate model checking to the verification of large systems is the combinatorial explosion of the state space arising when many ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
(Show Context)
) Henrik Reif Andersen Department of Computer Science Technical University of Denmark Building 344, DK2800 Lyngby, Denmark. Abstract A major obstacle in applying finitestate model checking to the verification of large systems is the combinatorial explosion of the state space arising when many loosely coupled parallel processes are considered. The problem also known as the stateexplosion problem has been attacked from various sides. This paper presents a new approach based on partial model checking: Parts of the concurrent system are gradually removed while transforming the specification accordingly. When the intermediate specifications constructed in this manner can be kept small, the stateexplosion problem is avoided. Experimental results with a prototype implemented in Standard ML, shows that for Milner's Scheduler  an often used benchmark  this approach improves on the published results on Binary Decision Diagrams and is comparable to results obtained using generalized...
FormulaDependent Equivalence for Compositional CTL Model Checking
, 1994
"... . We present a state equivalence that is defined with respect to a given CTL formula. Since it does not attempt to preserve all CTL formulas, like bisimulation does, we can expect to compute coarser equivalences. We use this equivalence to manage the size of the transition relations encountered when ..."
Abstract

Cited by 33 (4 self)
 Add to MetaCart
(Show Context)
. We present a state equivalence that is defined with respect to a given CTL formula. Since it does not attempt to preserve all CTL formulas, like bisimulation does, we can expect to compute coarser equivalences. We use this equivalence to manage the size of the transition relations encountered when model checking a system of interacting FSMs. Specifically, the equivalence is used to reduce the size of each component FSM, so that their product will be smaller. We show how to apply the method, whether an explicit representation is used for the FSMs, or BDDs are used. Also, we show that in some cases our approach can detect if a formula passes or fails, without composing all the component machines. The method is exact and fully automatic, and handles full CTL. 1 Introduction Formal design verification is the process of verifying that a design has certain properties that the designer intended. A well known verification technique is computation tree logic (CTL) model checking. In this app...
From bisimulation to simulation: coarsest partition problems
 J. Automated Reasoning
, 2003
"... Abstract. The notions of bisimulation and simulation are used for graph reduction and are widely employed in many areas: modal logic, concurrency theory, set theory, formal verification, and so forth. In particular, in the context of formal verification they are used to tackle the socalled stateex ..."
Abstract

Cited by 32 (1 self)
 Add to MetaCart
Abstract. The notions of bisimulation and simulation are used for graph reduction and are widely employed in many areas: modal logic, concurrency theory, set theory, formal verification, and so forth. In particular, in the context of formal verification they are used to tackle the socalled stateexplosion problem. The faster algorithms to compute the maximum bisimulation on a given labeled graph are based on the crucial equivalence between maximum bisimulation and relational coarsest partition problem. As far as simulation is concerned, many algorithms have been proposed that turn out to be relatively inexpensive in terms of either time or space. In this paper we first revisit the state of the art about bisimulation and simulation, pointing out the analogies and differences between the two problems. Then, we propose a generalization of the relational coarsest partition problem, which is equivalent to the simulation problem. Finally, we present an algorithm that exploits such a characterization and improves on previously proposed algorithms for simulation. Key words: bisimulation, simulation, partition refinement problems. 1.
An AutomataTheoretic Approach to Modular Model Checking
, 1998
"... this paper we consider assumeguarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
this paper we consider assumeguarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in 8CTL and 8CTL
On the Complexity of Branching Modular Model Checking (Extended Abstract)
, 1995
"... In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assumeguarantee paradigm. In this paper we consid ..."
Abstract

Cited by 19 (9 self)
 Add to MetaCart
In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assumeguarantee paradigm. In this paper we consider assumeguarantee specifications in which the assumptions and the guarantees are specified by universal branching temporal formulas (i.e., all path quantifiers are universal). Verifying modules with respect to such specifications is called the branching modular modelchecking problem. We consider both ACTL and ACTL*, the universal fragments of CTL and CTL*. We develop two fundamental techniques: building max...