Results 1-10 of 15
Forward and backward simulations for timing-based systems
In de Bakker et al., 1991
Cited by 63 (16 self)
Abstract
A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. As a first step, a comprehensive overview of simulation techniques for simple untimed automata is given. In particular, soundness and completeness results for (1) refinements, (2) forward and backward simulations, (3) forward-backward and backward-forward simulations, and (4) history and prophecy relations are given. History and prophecy relations are new and are abstractions of the history variables of Owicki and Gries and the prophecy variables of Abadi and Lamport, respectively. As a subsequent step, it is shown how most of the results for untimed automata can be carried over to the setting of timed automata. In fact, many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
Software Tools for Technology Transfer, 2000
Cited by 33 (9 self)
Abstract
Yonit Kesten (Dept. of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel, email: ykesten@bgumail.bgu.ac.il) and Amir Pnueli (Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, email: amir@wisdom.weizmann.ac.il). Abstract. In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems, Symbolic Model Checking and Deductive Verification, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...
Proving refinement using transduction
Distributed Computing, 1999
Cited by 20 (0 self)
Abstract
Summary. When designing distributed systems, one is faced with the problem of verifying a refinement between two specifications, given at different levels of abstraction. Suggested verification techniques in the literature include refinement mappings and various forms of simulation. We present a verification method, in which refinement between two systems is proven by constructing a transducer that inputs a computation of a concrete system and outputs a matching computation of the abstract system. The transducer uses a FIFO queue that holds segments of the concrete computation that have not been matched yet. This allows a finite delay between the occurrence of a concrete event and the determination of the corresponding abstract event. This delay often makes the use of prophecy variables or backward simulation unnecessary. An important generalization of the method is to prove refinement modulo some transformation on the observed sequences of events. The method is adapted by replacing the FIFO queue by a component that allows the appropriate transformation on sequences of events. A particular case is partial-order refinement, i.e., refinement that preserves only a subset of the orderings between events of a system. Examples are sequential consistency and serializability. The case of sequential consistency is illustrated on a proof of sequential consistency of a cache protocol.
System Specification and Refinement in Temporal Logic
Proceedings of Foundations of Software Technology and Theoretical Computer Science, volume 652 of LNCS, 1995
Cited by 17 (0 self)
Abstract
We consider two types of specifications of reactive systems: requirement specification, which lists properties the system should satisfy, and system specification, which describes the response of the system to each incoming input. Some of the differences between these two styles of specification are analyzed with the conclusion that both types are needed in an orderly system development. Traditionally, temporal logic was used for requirement specification while process algebras, such as CSP and CCS, were used for system specification. Recent developments, mainly represented in Lamport's temporal logic of actions (TLA), demonstrated that temporal logic can be used effectively also for system specification. This paper explores the use of temporal logic for systems specification, evaluates some of the advantages and disadvantages of such a use, and demonstrates the use of temporal logic for refinement and systematic development of systems. To allow simulation of a single high-level step ...
Formal Verification of TCP and T/TCP, 1997
Cited by 9 (1 self)
Abstract
In this thesis we present a formal abstract specification for TCP/IP transport-level protocols and formally verify that TCP satisfies this specification. We first verify a formal model of TCP where we assume it has unbounded counters. With bounded counters, TCP requires several timing mechanisms to function correctly. We also model TCP with these timing mechanisms and verify that it also satisfies our specification. We also present a formal description of an experimental protocol called T/TCP which is designed to provide the same service as TCP, but with optimizations to make it efficient for transactions. Even with unbounded counters this protocol does not provide the same service as TCP, as it may deliver the same message twice. Even though the service provided by T/TCP is not exactly the same as TCP, its behavior may be acceptable for some applications. Therefore, we define a weaker specification that captures this behavior of T/TCP while maintaining the other correctness properties of our initial specification. We then verify that T/TCP satisfies this weaker specification. Our
A Compositional World: a survey of recent works on compositionality in formal methods, 2005
Cited by 5 (4 self)
Abstract
We survey the most significant literature about compositional techniques for concurrent and real-time system verification. We especially focus on abstract frameworks for rely/guarantee compositionality that handle circularity, but also consider different developments.
F.W.: A theory of normed simulations
ACM Trans. Comput. Log., 2004
Cited by 5 (1 self)
Abstract
In existing simulation proof techniques, a single step in a lower-level specification may be simulated by an extended execution fragment in a higher-level one. As a result, it is cumbersome to mechanize these techniques using general-purpose theorem provers. Moreover, it is undecidable whether a given relation is a simulation, even if tautology checking is decidable for the underlying specification logic. This paper studies various types of normed simulations. In a normed simulation, each step in a lower-level specification can be simulated by at most one step in the higher-level one, for any related pair of states. In earlier work we demonstrated that normed simulations are quite useful as a vehicle for the formalization of refinement proofs via theorem provers. Here we show that normed simulations also have pleasant theoretical properties: (1) under some reasonable assumptions, it is decidable whether a given relation is a normed forward simulation, provided tautology checking is decidable for the underlying logic; (2) at the semantic level, normed forward and backward simulations together form a complete proof method for establishing behavior inclusion, provided that the higher-level
Experiences with Combining Formalisms in VVSL
Algebraic Methods II: Theory, Tools and Applications, 1991
Cited by 2 (2 self)
Abstract
This paper primarily reports on semantic aspects of how a formal specification of the PCTE interfaces has been achieved in a situation where only a combination of existing formalisms could meet the needs. The motivations for combining a VDM specification language with a language of temporal logic, for translating the resulting language, called VVSL, to an extended COLD-K and for translating it also (partially) to the language of the logic MPLω are briefly outlined. The main experiences from this work on combination and transformation of formalisms are presented. Some important experiences with the application of VVSL to the formal specification of the PCTE interfaces and otherwise are also mentioned.
Keywords & Phrases: formal specification languages, model-oriented specification, pre- and postconditions, interconditions, temporal logic, transformational semantics, logical semantics.
1987 CR Categories: D.2.1, D.2.2, D.3.1, F.3.1, F.3.2, F.4.1
1 Introduction. A large software syst...
Formalising Dijkstra's Development Strategy within Stark's Formalism, 1992
Cited by 2 (2 self)
Abstract
Dijkstra introduced an enticing development strategy in a paper addressing the readers/writers problem. This strategy is as follows: one starts with some "stupid" (in the sense that it allows undesirable computations) first try and then tries in subsequent steps to "refine" this stupid try into a better one by eliminating (some) undesirable computations. In a number of steps one strives to get a good (in the sense that it no longer contains undesirable computations) implementation for the problem. Unfortunately this strategy is not very formal. In this paper we try to make it more formal by using Stark's temporal logic based rely/guarantee formalism. We use this formalism in a special way in order to describe Dijkstra's development strategy: the part intended to describe the liveness condition is used for the more general purpose of disallowing the undesirable sequences.
1 Introduction. Current formal methods are far from solving the problems in software development. The simplest view o...