Results 1-10 of 10
Model Checking and Modular Verification
ACM Transactions on Programming Languages and Systems, 1991
Cited by 271 (11 self)
Abstract: We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assume-guarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction. Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...
Compositional Minimization of Finite State Systems
In Proc. 2nd International Conference on Computer-Aided Verification, 1991
Cited by 36 (0 self)
Abstract: In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large intermediate representations. Central is the use of interface specifications here, which express constraints on the components' communication behaviour, and therefore serve to control the state explosion caused by the interleavings of actions of communicating parallel components. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the reactive system under consideration, in particular on the accuracy of the interface specifications. However, its correctness does not: every "successful" construction is guaranteed to yield the desired minimal transition system, independently of the correctness of the interface specifications provided by the designer.
Methodology and System for Practical Formal Verification of Reactive Hardware
In Proc. 6th Conference on Computer Aided Verification, volume 818 of Lecture Notes in Computer Science, 1994
Cited by 32 (3 self)
Abstract: Making formal verification a practicality in industrial environments is still difficult. The capacity of most verification tools is too small, their integration in a design process is difficult and the methodology that should guide their usage is unclear.
Compositional Minimisation of Finite State Systems Using Interface Specifications
1996
Cited by 30 (6 self)
Abstract: We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit global communication constraints given in terms of interface specifications. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the distributed system under consideration, and the accuracy of the interface specifications. However, its correctness is independent of the correctness of the interface specifications provided by the program designer.
Characterization of a Sequentially Consistent Memory and Verification of a Cache Memory by Abstraction
Distributed Computing, 1995
Cited by 26 (4 self)
Susanne Graf, VERIMAG, Avenue de la Vignate, F-38610 Gières
Abstract: The contribution of the paper is twofold. We give a set of properties expressible as temporal logic formulas such that any system satisfying them is a sequentially consistent memory, and which is sufficiently precise such that every reasonable concrete system that implements a sequentially consistent memory satisfies these properties. Then, we verify these properties on a distributed cache memory system by means of a verification method, based on the use of abstract interpretation which has been presented in previous papers and so far applied to finite state systems. The motivation for this paper was to show that it can also be successfully applied to systems with an infinite state space. This is a revised and extended version of [Gra94]. 1 Introduction. We propose to verify the distributed cache memory presented in [ABM93] and [Ger94] by using the verification method proposed in [BBLS92,LGS +...
Compositional Minimization of Finite State Systems Using Interface Specifications
1995
Cited by 12 (2 self)
Abstract: In this paper we present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit global communication constraints given in terms of interface specifications. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the distributed system under consideration, and the accuracy of the interface specifications. However, its correctness does not: every "successful" construction is guaranteed to yield the desired minimal transition system, independent of the correctness of the interface specifications provided by the program designer.
Breaking Up is Hard to Do: An Evaluation of Automated Assume-Guarantee Reasoning
Cited by 10 (0 self)
Abstract: Finite-state verification techniques are often hampered by the state-explosion problem. One proposed approach for addressing this problem is assume-guarantee reasoning, where a system under analysis is partitioned into subsystems and these subsystems are analyzed individually. By composing the results of these analyses, it can be determined whether or not the system satisfies a property. Because each subsystem is smaller than the whole system, analyzing each subsystem individually may reduce the overall cost of verification. Often the behavior of a subsystem is dependent on the subsystems with which it interacts, and thus it is usually necessary to provide assumptions about the environment in which a subsystem executes. Because developing assumptions has been a difficult manual task, the evaluation of assume-guarantee reasoning has been limited. Using recent advances for automatically generating assumptions, we undertook a study to determine if assume-guarantee reasoning provides an advantage over monolithic verification. In this study, we considered all two-way decompositions for a set of systems and properties, using two different verifiers, FLAVERS and LTSA. By increasing the number of repeated tasks in these systems, we evaluated the decompositions as they were scaled. We found that in only a few cases can assume-guarantee reasoning verify properties on larger systems than monolithic verification can, and in these cases the systems that can be analyzed are only a few sizes larger. Although these results are discouraging, they provide insight about research directions that should be pursued and highlight the importance of experimental evaluation in this area.
Optimizing Model Checking Based on BDD Characterization
1999
Cited by 7 (0 self)
Abstract: Symbolic model checking has been successfully applied in verification of various finite state systems, ranging from hardware circuits to software protocols. A core technology underlying this success is the Binary Decision Diagram (BDD) representation. Given the importance of BDDs in model checking, it is surprising that there has been little or no work on studying BDD computations in the context of model checking. As a result, the computational aspects of BDDs are not well understood and many BDD-based algorithms tend to be unstable in terms of performance. This thesis addresses the performance instability issue both by developing a general evaluation methodology for studying BDD computations and by proposing new BDD-based optimizations to stabilize and to improve the overall performance. The evaluation methodology consists of two parts: (1) a set of evaluation metrics characterizing key components of BDD computations, and (2) a trace-based evaluation platform for generating realistic ...
Establishing PCI Compliance using Formal Verification: a Case Study
Intl. Phoenix Conf. on Comp. and Comm., 1995
Cited by 3 (1 self)
Abstract: This paper presents a case study in the practical application of formal verification. Specifically, we describe our experience in applying the formal verification technique of symbolic model checking to the
Checking Synchronous Programs using Automatic Abstraction, Modular Verification and Assumption Discharge
GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1996
Cited by 1 (1 self)
A. Merceron, GMD SET-EES, Schloß Birlinghoven, D-53754 Sankt Augustin, email: merceron@gmd.de
Abstract: We verify synchronous programs using model checking. To cope with data and big programs, we use an automatic abstraction mechanism as well as modular verification. Both are proved to be conservative for the logic ∀CTL. Model checking an abstract module M1 may lead to the formulation of some assumption on some module M2. Assumptions are discharged using model checking or theorem proving or combining both, depending on which data of M2 have to be taken into account. We applied our method to a medium-scale industrial example, a Lock system for contactless transponder keys. 1 Introduction. Model checking is a well known approach to formal verification. A main advantage of this approach is that it is automatic. A major drawback is that it requires finite state systems that do not explode. In this paper we propose abstraction and m...