Combining Partial Order Reductions with On-the-fly Model-checking
1994
Cited by 191 (14 self)
Partial order model-checking is an approach to reduce time and memory in model-checking concurrent programs. On-the-fly model-checking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during its generation. We prove conditions under which these two methods can be combined in order to gain reduction from both methods. An extension of the model-checker SPIN, which implements this combination, is studied, showing substantial reduction over traditional search, not only in the number of reachable states, but directly in the amount of memory and time used. We also describe how to apply partial-order model-checking under given fairness assumptions.
All from one, one for all: on model checking using representatives
LNCS, 1993
Cited by 155 (6 self)
Checking that a given finite state program satisfies a linear temporal logic property is suffering in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces, such that for each equivalence class either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than to the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow a coarser equivalence relation among sequences, such that fewer representatives are needed.
Relaxed Visibility Enhances Partial Order Reduction
2000
Cited by 12 (3 self)
State-space explosion is a central problem in the automatic verification (model-checking) of concurrent systems. Partial order reduction is a method that was developed to try to cope with the state-space explosion. Based on the observation that the order of execution of concurrent (independent) atomic actions is in many cases unimportant for the checked property, it allows reducing the state space by exploring fewer execution sequences. However, in order to guarantee that the reduced state space preserves the correctness of the checked property, the partial order reductions put constraints on commuting the order of atomic actions that may change the value of propositions appearing in the checked specification. In this paper we relax this constraint, allowing a weaker requirement to be imposed, and thus achieving a better reduction. We demonstrate the benefits of our improved reduction with experimental results.
Contoz. Full simulation coverage for SystemC transaction-level models of systems-on-a-chip
Formal Methods in System Design, 35(2):152–189
Cited by 7 (1 self)
Transaction-Level Models (TLM) are used for the early validation of embedded software. A TL model is a virtual prototype of the hardware part of a System-on-a-Chip (SoC). When using SystemC for transaction level modeling, the main parallel entities of the hardware platform (processors, DMAs, bus arbiters, etc.) are modeled by asynchronous processes, which are scheduled at simulation time. The specification of this scheduling mechanism is nondeterministic; the set of all possible schedulings of the parallel activities represents the physical parallelism faithfully. Moreover, TL models may contain loose timing annotations (intervals, for instance), and the set of all possible values of time in these intervals is also meant to represent the hardware behaviors faithfully. However, any simulation engine is built on a deterministic scheduler, and at runtime will use specific values in the time intervals. This means that only a very small subset of all the possible schedulings and timings is exhibited during simulation. Some bugs may be missed if they are due to behaviors of the hardware that are represented by other schedulings or timings. For a given finite test scenario, the set of valid schedulings and timings of a model is finite, but far too large to be explored fully. We present a solution to cover the set of schedulings and timings efficiently. Our solution is based on dynamic partial order reduction and constraint solving techniques. It gives a complete scheduling and timing set, which guarantees the detection of all local errors and deadlocks for a fixed test scenario.
On Combining the Stubborn Set Method with the Sleep Set Method
Proceedings of the 15th International Conference on Application and Theory of Petri Nets, 1994
Cited by 7 (3 self)
Reachability analysis is a powerful formal method for the analysis of concurrent and distributed finite state systems. It suffers from the state space explosion problem, however: the state space of a system can be far too large to be completely generated. This paper considers two promising methods, Valmari's stubborn set method and Godefroid's sleep set method, to avoid generating all of the state space when searching for undesirable reachable terminal states, also called deadlocks. These methods have been combined by Godefroid, Pirottin, and Wolper to further reduce the number of inspected states. However, the combination presented by them places assumptions on the stubborn sets used. This paper shows that, at least in place/transition nets, the stubborn set method can be combined with the sleep set method in such a way that all reachable terminal states are found, without having to place any assumption on the stubborn sets used. This result is shown by proving a more general result which...
A Comparison of Confluence and Ample Sets in Probabilistic and Non-Probabilistic Branching Time
2013
Cited by 2 (2 self)
Confluence reduction and partial order reduction by means of ample sets are two different techniques for state space reduction in both traditional and probabilistic model checking. This paper provides an extensive comparison between these two methods, and answers the question of how they relate in terms of reduction power when preserving branching time properties. We prove that, while both preserve the same properties, confluence reduction is strictly more powerful than partial order reduction: every reduction that can be obtained with partial order reduction can also be obtained with confluence reduction, but the converse is not true. The main challenge for the comparison is that confluence reduction was defined in an action-based setting, whereas ample set reduction is often defined in a state-based setting. We therefore redefine confluence reduction in the state-based setting of Markov decision processes, and provide a non-trivial proof of its correctness. Additionally, we pinpoint precisely in what way confluence reduction is more general, and provide conditions under which the two notions coincide. The results we present also hold for non-probabilistic models, as they can just as well be applied in a context where all transitions are non-probabilistic. To discuss the practical applicability of our results, we adapt a state space generation technique based on representative states, already known in combination with confluence reduction, so that it can also be applied to ample sets.
Why Confluence is More Powerful than Ample Sets in Probabilistic and Non-Probabilistic Branching Time
2012
Confluence reduction and partial order reduction by means of ample sets are two different techniques for state space reduction in both traditional and probabilistic model checking. This presentation provides an extensive comparison between these two methods, answering the long-standing question of how they relate. We show that, while both preserve branching time properties, confluence reduction is strictly more powerful than partial order reduction: every reduction that can be obtained with partial order reduction can also be obtained with confluence reduction, but the converse is not true. A core problem in the comparison is that confluence reduction was defined in an action-based setting, whereas partial order reduction was defined in a state-based setting. We therefore redefine confluence reduction in the state-based setting of Markov decision processes, and discuss a non-trivial proof of its correctness. Additionally, we pinpoint precisely in what way confluence reduction is more general, and provide a restricted variant of confluence and a relaxed variant of partial order reduction that exactly coincide. The results we present also hold for non-probabilistic models, as they can just as well be applied in a context where all transitions are non-probabilistic. To show the practical applicability of our results, we adapt a state space generation technique based on representative states, already known in combination with confluence reduction, so that it can also be applied with partial order reduction.
Efficient Detection of Deadlocks in Petri Nets. Licentiate's thesis, Kimmo Varpaaniemi
1993
All from One, One for All: on Model Checking Using Representatives
Checking that a given finite state program satisfies a linear temporal logic property is suffering in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces, such that for each equivalence class either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than to the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow a coarser equivalence relation among sequences, such that fewer representatives are needed.
1 Introduction
When a program allows concurrent or independent activities, their executions are interleaved in many possible orders. It is often the case that a formula φ is insensitive to reordering some of the concurrent activities of the program, i.e., that any two sequences that are obtained from each other by such reordering either both satisfy φ or both satisfy ¬φ. This phenomenon allows reducing the state graph used for model checking by constructing a smaller state graph that represents only a subset of the interleaving sequences.
Path Exploration Tool
In Proc. of Tools and Algorithms for the Construction and Analysis of Systems (TACAS'99), Amsterdam, The Netherlands, LNCS 1579, 1999
While verification methods are becoming more frequently integrated into software development projects, software testing is still the main method used to search for programming errors. Software testing approaches focus on methods for covering different execution paths of a program, e.g., covering all the statements, or covering all the possible tests. Such coverage criteria are usually approximated using some ad hoc heuristics. We present a tool for testing execution paths in sequential and concurrent programs. The tool, path exploration tool (Pet), visualizes concurrent code as flow graphs, and allows the user to interactively select an (interleaved) execution path. It then calculates and displays the condition to execute such a path, and allows the user to easily modify the selection in order to cover additional related paths. We describe the design and architecture of this tool and suggest various extensions.
1 Introduction
Software testing techniques [4] are frequentl...