Results 1  10
of
53
Symmetry and Model Checking
, 1994
"... We show how to exploit symmetry in model checking for concurrent systems containing many identical or isomorphic components. We focus in particular on those composed of many isomorphic processes. In many cases we are able to obtain significant, even exponential, savings in the complexity of model ch ..."
Abstract

Cited by 167 (15 self)
 Add to MetaCart
We show how to exploit symmetry in model checking for concurrent systems containing many identical or isomorphic components. We focus in particular on those composed of many isomorphic processes. In many cases we are able to obtain significant, even exponential, savings in the complexity of model checking. 1 Introduction In this paper, we show how to exploit symmetry in model checking. We focus on systems composed of many identical (isomorphic) processes. The global state transition graph M of such a system exhibits a great deal of symmetry, characterized by the group of graph automorphisms of M. The basic idea underlying our method is to reduce model checking over the original structure M, to model checking over a smaller quotient structure M, where symmetric states are identified. In the following paragraphs, we give a more detailed but still informal account of a "grouptheoretic" approach to exploiting symmetry. More precisely, the symmetry of M is reflected in the group, Aut M...
Reasoning about Rings
, 1995
"... The ring is a useful means of structuring concurrent processes. Processes communicate by passing a token in a fixed direction; the process that possesses the token is allowed to perfrom certain actions. Usually, correctness properties are expected to hold irrespective of the size of the ring. We sho ..."
Abstract

Cited by 83 (6 self)
 Add to MetaCart
The ring is a useful means of structuring concurrent processes. Processes communicate by passing a token in a fixed direction; the process that possesses the token is allowed to perfrom certain actions. Usually, correctness properties are expected to hold irrespective of the size of the ring. We show that the problem of checking many useful correctness properties for rings of all sizes can be reduced to checking them on ring of sizes up to a small cutoff size. We apply our results to the verification of a mutual exclusion protocol and Milner's scheduler protocol. 1
Automatic Deductive Verification with Invisible Invariants
, 2001
"... The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving inva ..."
Abstract

Cited by 73 (10 self)
 Add to MetaCart
The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving invariance properties, then all the generated verification conditions can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Next, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Combining this automatic computation of invariants with the previously mentioned resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying boundeddata parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". We illustrate the method on a nontrivial example of a cache protocol, provided by Steve German.
Parameterized Verification with Automatically Computed Inductive Assertions
, 2001
"... The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic mo ..."
Abstract

Cited by 63 (8 self)
 Add to MetaCart
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic modelchecking techniques for both tasks. First, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive inv rule for proving invariance properties can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Proving Security Protocols With Model Checkers By Data Independence Techniques
, 1999
"... Model checkers such as FDR have been extremely effective in checking for, and finding, attacks on cryptographic protocols  see, for example [16, 20] and many of the papers in [7]. Their use in proving protocols has, on the other hand, generally been limited to showing that a given small instanc ..."
Abstract

Cited by 59 (9 self)
 Add to MetaCart
Model checkers such as FDR have been extremely effective in checking for, and finding, attacks on cryptographic protocols  see, for example [16, 20] and many of the papers in [7]. Their use in proving protocols has, on the other hand, generally been limited to showing that a given small instance, usually restricted by the finiteness of some set of resources such as keys and nonces, is free of attacks. While for specific protocols there are frequently good reasons for supposing that this will find any attack, it leaves a substantial gap in the method. The purpose of this paper is to show how techniques borrowed from data independence and related fields can be used to achieve the illusion that nodes can call upon an infinite supply of different nonces, keys, etc., even though the actual types used for these things remain finite. It is thus possible to create models of protocols in which nodes do not have to stop after a small number of runs, and to claim that a finitestate r...
Automatic Verification of Parameterized Synchronous Systems (Extended Abstract)
 In Proc. 8th Int'l. Conference on ComputerAided Verification (CAV
, 1996
"... ) E. Allen Emerson and Kedar S. Namjoshi Department of Computer Sciences, The University of Texas at Austin, U.S.A. Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal pro ..."
Abstract

Cited by 56 (6 self)
 Add to MetaCart
) E. Allen Emerson and Kedar S. Namjoshi Department of Computer Sciences, The University of Texas at Austin, U.S.A. Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal property is true of every size instance of the system. We consider systems formed by a synchronous parallel composition of a single control process with an arbitrary number of homogeneous user processes, and show that the PMCP is decidable for properties expressed in an indexed propositional temporal logic. While the problem is in general PSPACEcomplete, our initial experimental results indicate that the method is usable in practice. 1 Introduction Systems with an arbitrary number of homogeneous processes occur in many contexts, especially in protocols for data communication, cache coherence, and classical synchronization problems. Current verification work on such systems has focussed mostly...
Symmetric Spin
, 2000
"... We give a detailed description of SymmSpin, a symmetryreduction package for Spin. It oers four strategies for statespace reduction, based on the heuristic that we presented in [3], and a fth mode for reference. A series of new experiments is described, underlining the effectiveness of the heur ..."
Abstract

Cited by 34 (0 self)
 Add to MetaCart
We give a detailed description of SymmSpin, a symmetryreduction package for Spin. It oers four strategies for statespace reduction, based on the heuristic that we presented in [3], and a fth mode for reference. A series of new experiments is described, underlining the effectiveness of the heuristic and demonstrating the generalisation of the implementation to multiple scalar sets, multiple process families, as well as almost the full Promela language.
An Algebraic Approach to Abstraction in Reinforcement Learning
, 2003
"... To operate e#ectively in complex environments learning agents have to selectively ignore irrelevant details by forming useful abstractions. In this article we outline a formulation of abstraction for reinforcement learning approaches to stochastic sequential decision problems modeled as semiMarkov D ..."
Abstract

Cited by 34 (1 self)
 Add to MetaCart
To operate e#ectively in complex environments learning agents have to selectively ignore irrelevant details by forming useful abstractions. In this article we outline a formulation of abstraction for reinforcement learning approaches to stochastic sequential decision problems modeled as semiMarkov Decision Processes (SMDPs). Building on existing algebraic approaches, we propose the concept of SMDP homomorphism and argue that it provides a useful tool for a rigorous study of abstraction for SMDPs. We apply this framework to di#erent classes of abstractions that arise in hierarchical systems and discuss relativized options, a framework for compactly specifying a related family of temporallyextended actions. Additional details of this work are described in refs. [1, 2, 3].
OntheFly Model checking under Fairness that Exploits Symmetry
 CAV97, LNCS 1254
, 1997
"... . An onthefly algorithm for model checking under fairness is presented. The algorithm utilizes symmetry in the program to reduce the state space, and employs novel techniques that make the onthefly model checking feasible. The algorithm uses state symmetry and eliminates parallel edges in the re ..."
Abstract

Cited by 30 (4 self)
 Add to MetaCart
. An onthefly algorithm for model checking under fairness is presented. The algorithm utilizes symmetry in the program to reduce the state space, and employs novel techniques that make the onthefly model checking feasible. The algorithm uses state symmetry and eliminates parallel edges in the reachability graph. Experimental results demonstrating dramatic reductions in both the running time and memory usage are presented. Keywords: Model checking, State explosion, Symmetry reduction, Automata, Verification 1. Introduction The state explosion problem is one of the major bottlenecks in temporal logic model checking. Many techniques have been proposed in the literature [6, 5, 9, 8, 13, 11, 12, 16, 17] for combating this problem. Among these, symmetry based techniques have been proposed in [5, 9, 13]. In these methods the state space of a program is collapsed by identifying states that are equivalent under symmetry and model checking is performed on the reduced graph. Although the ini...
From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking
 In Conference on Correct Hardware Design and Verification Methods
, 1999
"... It is often the case that systems are "nearly" symmetric; they exhibit symmetry in a part of their description but are nevertheless globally asymmetric. We formalize a notion of near symmetry and show how to obtain the benefits of symmetry reduction when applied to asymmetric systems which are nea ..."
Abstract

Cited by 27 (4 self)
 Add to MetaCart
It is often the case that systems are "nearly" symmetric; they exhibit symmetry in a part of their description but are nevertheless globally asymmetric. We formalize a notion of near symmetry and show how to obtain the benefits of symmetry reduction when applied to asymmetric systems which are nearly symmetric. We show that the near symmetry reduced system is bisimilar (up to permutation) to the original system. By further relaxing our notion of near symmetry we show how to generate a reduced structure from an asymmetric program such that the program simulates (up to permutation) the reduced structure.