Results 1-10 of 59
Module Checking, 1996
Cited by 79 (11 self)
In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, model-checking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current model-checking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (module checking, for short). We show that while module che...
The ForSpec Temporal Logic: A New Temporal Property-Specification Language, 2001
Cited by 78 (21 self)
In this paper we describe the ForSpec Temporal Logic (FTL), the new temporal property-specification logic of ForSpec, Intel's new formal specification language. The key features of FTL are as follows: it is a linear temporal logic, based on Pnueli's LTL; it is based on a rich set of logical and arithmetical operations on bit vectors to describe state properties; it enables the user to define temporal connectives over time windows; it enables the user to define regular events, which are regular sequences of Boolean events, and then relate such events via special connectives; it enables the user to express properties about the past; and it includes constructs that enable the user to model multiple clock and reset signals, which is useful in the verification of hardware design.
Data-Flow Analysis of Program Fragments
Cited by 43 (9 self)
Traditional interprocedural data-flow analysis is performed on whole programs; however, such whole-program analysis is not feasible for large or incomplete programs. We propose fragment data-flow analysis as an alternative approach which computes data-flow information for a specific program fragment. The analysis is parameterized by the additional information available about the rest of the program. We describe two frameworks for interprocedural flow-sensitive fragment analysis, the relationship between fragment analysis and whole-program analysis, and the requirements ensuring fragment analysis safety and feasibility. We propose an application of fragment analysis as a second analysis phase after an inexpensive flow-insensitive whole-program analysis, in order to obtain better information for important program fragments. We also describe the design of two fragment analyses derived from an already existing whole-program flow- and context-sensitive pointer alias analysis for C programs and present an empirical evaluation of their cost and precision. Our experiments show evidence of dramatically better precision obtainable at a practical cost.
The Common Fragment of CTL and LTL. In IEEE Symposium on Foundations of Computer Science, 2000
Cited by 40 (1 self)
It is well-known that CTL and LTL have incomparable expressive power. In this paper, we give an inductive definition of those ACTL formulas that can be expressed in LTL. In addition, we obtain a procedure to decide whether an ACTL formula lies in LTL, and show that this problem is PSPACE-complete. By omitting path quantifiers, we get an inductive definition of the LTL formulas expressible in ACTL. We can show that the fragment defined by our logic represents exactly those LTL formulas the negation of which can be represented by a 1-weak Büchi automaton, and that for this fragment, the representing automaton can be chosen to be of size linear in the size of the formula.
An automata-theoretic approach to reasoning about infinite-state systems. LNCS, 2000
Cited by 33 (4 self)
We develop an automata-theoretic framework for reasoning about infinite-state sequential systems. Our framework is based on the observation that states of such systems, which carry a finite but unbounded amount of information, can be viewed as nodes in an infinite tree, and transitions between states can be simulated by finite-state automata. Checking that the system satisfies a temporal property can then be done by an alternating two-way tree automaton that navigates through the tree. As has been the case with finite-state systems, the automata-theoretic framework is quite versatile. We demonstrate it by solving several versions of the model-checking problem for μ-calculus specifications and prefix-recognizable systems, and by solving the realizability and synthesis problems for μ-calculus specifications with respect to prefix-recognizable environments.
Module checking revisited. In Proc. 9th CAV, LNCS 1254, 1997
Cited by 30 (6 self)
When we verify the correctness of an open system with respect to a desired requirement, we should take into consideration the different environments with which the system may interact. Each environment induces a different behavior of the system, and we want all these behaviors to satisfy the requirement. Module checking is an algorithmic method that checks, given an open system (modeled as a finite structure) and a desired requirement (specified by a temporal-logic formula), whether the open system satisfies the requirement with respect to all environments. In this paper we extend the module-checking method with respect to two orthogonal issues. Both issues concern the fact that often we are not interested in satisfaction of the requirement with respect to all environments, but only with respect to those that meet some restriction. We consider the case where the environment has incomplete information about the system, i.e., when the system has internal variables which are not readable by its environment, and the case where some assumptions are known about the environment, i.e., when the system is guaranteed to satisfy the requirement only when its environment satisfies certain assumptions. We study the complexities of the extended module-checking problems. In particular, we show that for universal temporal logics (e.g., LTL, ∀CTL, and ∀CTL*), module checking with incomplete information coincides with module checking, which by itself coincides with model checking. On the other hand, for nonuniversal temporal logics (e.g., CTL and CTL*), module checking with incomplete information is harder than module checking, which is by itself harder than model checking.
A Fast Bisimulation Algorithm. Proc. of Int. Conference on Computer Aided Verification (CAV'01), Volume 2102 of LNCS, 2000
Cited by 29 (15 self)
In this paper we propose an efficient algorithmic solution to the problem of determining a Bisimulation Relation on a finite structure.
Compositional verification for component-based systems and application. In Proc. ATVA, 2008
Cited by 21 (11 self)
We present a compositional method for the verification of component-based systems described in a subset of the BIP language encompassing multiparty interaction without data transfer. The method is based on the use of two kinds of invariants. Component invariants are over-approximations of components' reachability sets. Interaction invariants are global constraints on the states of components involved in interactions. The method has been implemented in the D-Finder tool and has been applied for checking deadlock-freedom. The experimental results on non-trivial examples show that our method allows either to prove deadlock-freedom or to identify very few deadlock configurations that can be analyzed by using state space exploration.
On the Complexity of Branching Modular Model Checking (Extended Abstract), 1995
Cited by 19 (9 self)
In modular verification the specification of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assume-guarantee paradigm. In this paper we consider assume-guarantee specifications in which the assumptions and the guarantees are specified by universal branching temporal formulas (i.e., all path quantifiers are universal). Verifying modules with respect to such specifications is called the branching modular model-checking problem. We consider both ACTL and ACTL*, the universal fragments of CTL and CTL*. We develop two fundamental techniques: building max...
Relating Linear and Branching Model Checking. In IFIP Working Conference on Programming Concepts and Methods, 1996
Cited by 19 (8 self)
The difference in the complexity of branching and linear model checking has been viewed as an argument in favor of the branching paradigm. In particular, the computational advantage of CTL model checking over LTL model checking makes CTL a popular choice, leading to efficient model-checking tools for this logic. Can we use these tools in order to verify linear properties? In this paper we relate branching and linear model checking. With each LTL formula ψ, we associate a CTL formula ψ^A that is obtained from ψ by preceding each temporal operator by the universal path quantifier A. We first describe a number of attempts to utilize the tight syntactic relation between ψ and ψ^A in order to use CTL model-checking tools in the process of checking the formula ψ. Neither attempt, however, suggests a method that is guaranteed to perform better than usual LTL model checkers. We then claim that, in practice, LTL model checkers perform nicely on formulas with equivalences of CTL. In fact, they oft...