Automatic Verification of Parameterized Cache Coherence Protocols
, 2000
"... We propose a new method for the verification of parameterized cache coherence protocols. Cache coherence protocols are used to maintain data consistency in commercial multiprocessor systems equipped with local fast caches. In our approach we use arithmetic constraints to model possibly infinite sets ..."
We propose a new method for the verification of parameterized cache coherence protocols. Cache coherence protocols are used to maintain data consistency in commercial multiprocessor systems equipped with local fast caches. In our approach we use arithmetic constraints to model possibly infinite sets of global states of a multiprocessor system with many identical caches. In preliminary experiments using symbolic model checkers for infinite-state systems based on real arithmetic (HyTech [HHW97] and DMC [DP99]) we have automatically verified safety properties for parameterized versions of widely implemented write-invalidate and write-update cache coherence policies like the MESI, Berkeley, Illinois, Firefly and Dragon protocols [Han93]. With this application, we show that symbolic model checking tools originally designed for hybrid and concurrent systems can be applied successfully to a new class of infinite-state systems of practical interest.
On the Verification of Broadcast Protocols
 In Proc. 14th Annual Symp. on Logic in Computer Science (LICS'99)
, 1999
"... We analyze the modelchecking problems for safety and liveness properties in parameterized broadcast protocols, a model introduced in [5]. We show that the procedure suggested in [5] for safety properties may not terminate, whereas termination is guaranteed for the procedure of [1] based on upward c ..."
We analyze the model-checking problems for safety and liveness properties in parameterized broadcast protocols, a model introduced in [5]. We show that the procedure suggested in [5] for safety properties may not terminate, whereas termination is guaranteed for the procedure of [1] based on upward closed sets. We show that the model-checking problem for liveness properties is undecidable. In fact, even the problem of deciding if a broadcast protocol may exhibit an infinite behavior is undecidable.
On the decidability of metric temporal logic
 In Proc. LICS
, 2005
"... Metric Temporal Logic (MTL) is a prominent specification formalism for realtime systems. In this paper, we show that the satisfiability problem for MTL over finite timed words is decidable, with nonprimitive recursive complexity. We also consider the modelchecking problem for MTL: whether all w ..."
Metric Temporal Logic (MTL) is a prominent specification formalism for real-time systems. In this paper, we show that the satisfiability problem for MTL over finite timed words is decidable, with non-primitive recursive complexity. We also consider the model-checking problem for MTL: whether all words accepted by a given Alur-Dill timed automaton satisfy a given MTL formula. We show that this problem is decidable over finite words. Over infinite words, we show that model checking the safety fragment of MTL—which includes invariance and time-bounded response properties—is also decidable. These results are quite surprising in that they contradict various claims to the contrary that have appeared in the literature. The question of the decidability of MTL over infinite words remains open.
A classification of symbolic transition systems
 ACM TRANSACTIONS ON COMPUTATIONAL LOGIC
, 2005
"... We define five increasingly comprehensive classes of infinitestate systems, called STS1STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolica ..."
We define five increasingly comprehensive classes of infinite-state systems, called STS1–STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.

STS1: These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by iteratively applying predecessor and Boolean operations on state sets, starting from a finite number of observable state sets. Any such iteration is guaranteed to terminate in that only a finite number of state sets can be generated. This enables model checking of the μ-calculus.

STS2: These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive Boolean operations. This enables model checking of the existential and universal fragments of the μ-calculus.

STS3: These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive Boolean operations (intersection is restricted to intersection with observables). This enables model checking of all ω-regular properties, including linear temporal logic.

STS4: These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the μ-calculus.

STS5: These are the systems with finite bounded-reachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered (this is a weaker termination condition than above). This enables model checking of reachability properties.
As Cheap as Possible: Efficient Cost-Optimal Reachability for Priced Timed Automata
, 2001
"... In this paper we present an algorithm for efficiently computing optimal cost of reaching a goal state in the model of Linearly Priced Timed Automata (LPTA). In recent papers, this problem have been shown to be computable using a priced extention of the traditional notion of regions for timed automat ..."
In this paper we present an algorithm for efficiently computing the optimal cost of reaching a goal state in the model of Linearly Priced Timed Automata (LPTA). In recent papers, this problem has been shown to be computable using a priced extension of the traditional notion of regions for timed automata. However, for efficiency it is imperative that the computation is based on so-called zones (i.e. convex sets of clock valuations) rather than regions. The central contribution of this paper is a priced extension of zones. This, together with a notion of facets of a zone, allows the entire machinery for symbolic reachability in terms of zones to be lifted to cost-optimal reachability using priced zones. We report on experiments with a cost-optimizing extension of Uppaal on a number of examples, including a range of aircraft landing problems.
Symbolic Reachability Analysis Using Narrowing and its Application to Verification of Cryptographic Protocols
 Journal of Higher-Order and Symbolic Computation
, 2004
"... Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narro ..."
Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under reasonable executability assumptions about R. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by R. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to analysis of cryptographic protocols.
Coverability of reset Petri nets and other well-structured transition systems by partial deduction
 Proceedings of the International Conference on Computational Logic (CL’2000), LNAI 1861
, 2000
"... Abstract. In recent work it has been shown that infinite state model checking can be performed by a combination of partial deduction of logic programs and abstract interpretation. It has also been shown that partial deduction is powerful enough to mimic certain algorithms to decide coverability prop ..."
In recent work it has been shown that infinite state model checking can be performed by a combination of partial deduction of logic programs and abstract interpretation. It has also been shown that partial deduction is powerful enough to mimic certain algorithms to decide coverability properties of Petri nets. These algorithms are forward algorithms and hard to scale up to deal with more complicated systems. Recently, it has been proposed to use a backward algorithm scheme instead. This scheme is applicable to so-called well-structured transition systems and was successfully used, e.g., to solve coverability problems for reset Petri nets. In this paper, we discuss how partial deduction can mimic many of these backward algorithms as well. We prove this link in particular for reset Petri nets and Petri nets with transfer and doubling arcs. We thus establish a surprising link between algorithms in Petri net theory and program specialisation, and also shed light on the power of using logic program specialisation for infinite state model checking.
Nets with tokens which carry data
 In Proc. 28th International Conference on Application and Theory of Petri Nets (ICATPN’07), volume 4546 of Lecture Notes in Computer Science
, 2007
"... Abstract. We study data nets, a generalisation of Petri nets in which tokens carry data from linearlyordered infinite domains and in which wholeplace operations such as resets and transfers are possible. Data nets subsume several known classes of infinitestate systems, including multiset rewritin ..."
We study data nets, a generalisation of Petri nets in which tokens carry data from linearly-ordered infinite domains and in which whole-place operations such as resets and transfers are possible. Data nets subsume several known classes of infinite-state systems, including multiset rewriting systems and polymorphic systems with arrays. We show that coverability and termination are decidable for arbitrary data nets, and that boundedness is decidable for data nets in which whole-place operations are restricted to transfers. By providing an encoding of lossy channel systems into data nets without whole-place operations, we establish that coverability, termination and boundedness for the latter class have non-primitive recursive complexity. The main result of the paper is that, even for unordered data domains (i.e., with only the equality predicate), each of the three verification problems for data nets without whole-place operations has non-elementary complexity.
Parameterized Verification of Multithreaded Software Libraries
 In TACAS 01: Tools and Algorithms for Construction and Analysis of Systems, LNCS 2031
, 2001
"... The growing popularity of multithreading has led to a great number of software libraries that support access by multiple threads. We present Local/Global Finite State Machines (LGFSMs) as a model for a certain class of multithreaded libraries. We have developed a tool called Beacon that does parame ..."
The growing popularity of multithreading has led to a great number of software libraries that support access by multiple threads. We present Local/Global Finite State Machines (LGFSMs) as a model for a certain class of multithreaded libraries. We have developed a tool called Beacon that does parameterized model checking of LGFSMs. We demonstrate the expressiveness of LGFSMs as models, and the effectiveness of Beacon as a model checking tool by (1) modeling a multithreaded memory manager Rockall developed at Microsoft Research as an LGFSM, and (2) using Beacon to check a critical safety property of Rockall.