Results 1-10 of 39
Symbolic model checking with rich assertional languages
Theoretical Computer Science, 1997
Cited by 89 (4 self)
Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of BDD-represented finite-state systems into the domain of infinite-state systems, leading to a powerful technique for uniform verification of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of infinite-state systems, a demonstration that many individual examples of uniformly verified parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all single-bus configurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the top-down invariant generation method used in deductive verification.
Automatic Verification of Parameterized Synchronous Systems (Extended Abstract)
In Proc. 8th Int'l Conference on Computer-Aided Verification (CAV), 1996
Cited by 56 (6 self)
E. Allen Emerson and Kedar S. Namjoshi, Department of Computer Sciences, The University of Texas at Austin, U.S.A.
Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parameterized Model Checking Problem (PMCP) is to determine whether a temporal property is true of every size instance of the system. We consider systems formed by a synchronous parallel composition of a single control process with an arbitrary number of homogeneous user processes, and show that the PMCP is decidable for properties expressed in an indexed propositional temporal logic. While the problem is in general PSPACE-complete, our initial experimental results indicate that the method is usable in practice.
1 Introduction. Systems with an arbitrary number of homogeneous processes occur in many contexts, especially in protocols for data communication, cache coherence, and classical synchronization problems. Current verification work on such systems has focused mostly...
Reducing model checking of the many to the few
In 17th International Conference on Automated Deduction (CADE-17), 2000
Cited by 48 (6 self)
Abstract. Systems with an arbitrary number of homogeneous processes occur in many applications. The Parametrized Model Checking Problem (PMCP) is to determine whether a temporal property is true for every size instance of the system. Unfortunately, it is undecidable in general. We are able to establish, nonetheless, decidability of the PMCP in quite a broad framework. We consider asynchronous systems comprised of an arbitrary number n of homogeneous copies of a generic process template. The process template is represented as a synchronization skeleton while correctness properties are expressed using Indexed CTL*\X (CTL* without the next-time operator). We reduce model checking for systems of arbitrary size n to model checking for systems of size (up to) a small cutoff size c. This establishes decidability of PMCP, as it is only necessary to model check a finite number of relatively small systems. The results generalize to systems comprised of multiple heterogeneous classes of processes, where each class is instantiated by many homogeneous copies of the class template (e.g., m readers and n writers).
Verifying Systems with Replicated Components in Murφ
1997
Cited by 42 (3 self)
An extension to the Murphi verifier is presented to verify systems with replicated identical components. Although most systems are finite-state in nature, many of them are also designed to be scalable, so that a description gives a family of systems, each member of which has a different number of replicated components. It is therefore desirable to be able to verify the entire family of systems, independent of the exact number of replicated components. The verification is performed by explicit state enumeration in an abstract state space where states do not record the exact numbers of components. We provide an extension to the existing Murphi language, by which a designer can easily specify a system in its concrete form. Through a new datatype, called RepetitiveID, a designer can suggest the use of this abstraction to verify a family of systems. First, Murphi automatically checks the soundness of this abstraction. Then it automatically translates the system description to an abstract ...
Automatic Verification of Parameterized Linear Networks of Processes
In 24th ACM Symposium on Principles of Programming Languages (POPL'97), 1997
Cited by 27 (3 self)
This paper describes a method to verify safety properties of parameterized linear networks of processes. The method is based on the construction of a network invariant, defined as a fixpoint. Such invariants can often be automatically computed using heuristics based on Cousot's widening techniques. These techniques have been implemented and some nontrivial examples are presented.
Abstracting WS1S Systems to Verify Parameterized Networks
2000
Cited by 26 (6 self)
We present a method for verifying parameterized networks of finite-state processes. Our method is based on three main ideas. The first consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (second-order) variables and whose transitions are described in WS1S. Then, we present methods that abstract a WS1S system into a finite-state system that can be model-checked. Finally, in order to verify liveness properties, we present an algorithm that enriches the abstract system with strong fairness conditions while preserving the safety of the abstraction. We implemented our method in a tool, called pax, and applied it to several examples.
Handling Global Conditions in Parametrized System Verification
In Proc. of CAV'99, LNCS 1633, 1999
Cited by 17 (3 self)
We consider symbolic verification for a class of parametrized systems, where a system consists of a linear array of processes, and where an action of a process may in general be guarded by both local conditions, restricting the state of the process about to perform the action, and global conditions, defining the context in which the action is enabled. Such a model captures the behaviour, e.g., of idealized versions of mutual exclusion protocols, such as the bakery and ticket algorithms by Lamport, Burns' protocol, Dijkstra's algorithm, and Szymanski's algorithm. The presence of both local and global conditions makes these protocols infeasible to analyze using existing model checking methods for parametrized systems, in all of which the actions are guarded only by local conditions involving the states of a finite set of processes. We perform verification using the standard symbolic reachability algorithm enhanced by an operation to speed up the search of the state space. The speed u...
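Two of the entries above describe, respectively, reducing a parameterized check to instances of size up to a small cutoff (Emerson and Kahlon) and process templates whose steps are guarded by both local and global conditions (Abdulla et al.). The following is an added illustration of both ideas together, not code from either paper: an explicit-state reachability check of a toy three-state mutual-exclusion skeleton, constructed here, in which the step into the critical state carries a global guard ("no other process is critical"), run for every instance size up to a bound. The bound of 4 is assumed for the illustration and is not derived from a cutoff theorem; `template`, `search` and `check_up_to` are names chosen for this example.

```python
"""Bounded explicit-state check of a parameterized process template.

Toy synchronization skeleton (constructed for this example):
  I (idle)     -> T (trying)   local step, always enabled
  T (trying)   -> C (critical) global guard: no OTHER process is in C
  C (critical) -> I (idle)     local step, always enabled
Processes interleave asynchronously: one process fires one step at a time.
"""
from collections import deque

IDLE, TRY, CRIT = "I", "T", "C"


def always(others):
    """Local-only transition: enabled regardless of the other processes."""
    return True


def no_other_in_crit(others):
    """Global guard: enabled only if no other process is in the critical state."""
    return all(s != CRIT for s in others)


def template(global_guard=True):
    """Skeleton as {local_state: [(next_state, guard)]}.

    guard is a predicate over the tuple of the OTHER processes' local states.
    global_guard=False leaves the T->C step unguarded: the bug the checker
    should catch.
    """
    return {
        IDLE: [(TRY, always)],
        TRY: [(CRIT, no_other_in_crit if global_guard else always)],
        CRIT: [(IDLE, always)],
    }


def successors(state, skel):
    """Yield (action, next_state) for every enabled step of every process."""
    for i, local in enumerate(state):
        others = state[:i] + state[i + 1:]
        for nxt, guard in skel[local]:
            if guard(others):
                yield (i, local, nxt), state[:i] + (nxt,) + state[i + 1:]


def search(n, skel, bad):
    """BFS over the n-process instance from the all-idle state.

    Returns (states_seen, counterexample): counterexample is the shortest
    path [init, ..., bad_state], or None if no bad state is reachable, in
    which case states_seen is the exact size of the reachable state space.
    """
    init = (IDLE,) * n
    parent = {init: None}          # state -> (predecessor, action) or None
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s][0] if parent[s] is not None else None
            return len(parent), path[::-1]
        for action, t in successors(s, skel):
            if t not in parent:
                parent[t] = (s, action)
                queue.append(t)
    return len(parent), None


def two_in_critical(state):
    """Safety violation: mutual exclusion broken."""
    return sum(1 for s in state if s == CRIT) >= 2


def check_up_to(cutoff, skel, bad=two_in_critical):
    """Check sizes 1..cutoff; return (n, path) for the first violating size, else None."""
    for n in range(1, cutoff + 1):
        _, cex = search(n, skel, bad)
        if cex is not None:
            return n, cex
    return None


if __name__ == "__main__":
    print("guarded skeleton, n <= 4:", check_up_to(4, template(True)))
    n, cex = check_up_to(4, template(False))
    print("unguarded skeleton: violation at n =", n)
    for s in cex:
        print("   ", "".join(s))
```

Dropping the global guard (`template(False)`) reproduces the failure the checker is meant to catch: at n = 2 it returns the four-step interleaving that puts both processes in the critical state. The caveat a practitioner should keep in mind is that checking sizes 1..c proves the property for all sizes only when a cutoff result such as the one in the Emerson and Kahlon entry applies to the template and the property; without that, this is bounded bug-finding, and a violation that first appears at size c+1 is missed.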
Data Independent Induction over structured networks
In International Conference on Parallel and Distributed Processing Techniques and Applications, Las Vegas, 2000
Cited by 16 (4 self)
We extend the classes of networks about which Data Independent Induction can be used to reason. Through the use of constants and predicates in the data independent type we build proofs of structured networks' behaviours, where a network's topology need not be as regular as one might expect data independence to imply. These properties hold independent of the size of the type, and so for arbitrary network size. The inductions combine the use of the process algebra CSP to model systems and their specifications, and the FDR tool to discharge the various proof obligations.
Abstract interpretation of game properties
In SAS 2000: International Symposium on Static Analysis, Lecture Notes in Computer Science, 2000
Cited by 15 (5 self)
Abstract. We apply the theory of abstract interpretation to the verification of game properties for reactive systems. Unlike properties expressed in standard temporal logics, game properties can distinguish adversarial from collaborative relationships between the processes of a concurrent program, or the components of a parallel system. We consider two-player concurrent games (say, component vs. environment) and specify properties of such games (say, the component has a winning strategy to obtain a resource, no matter how the environment behaves) in the alternating-time μ-calculus (Aμ). A sound abstraction of such a game must at the same time restrict the behaviors of the component and increase the behaviors of the environment: if a less powerful component can win against a more powerful environment, then surely the original component can win against the original environment. We formalize the concrete semantics of a concurrent game in terms of controllable and uncontrollable predecessor predicates, which suffice for ...
Verifying Determinism of Concurrent Systems Which Use Unbounded Arrays (Extended Abstract)
1998
Cited by 13 (7 self)
Ranko Lazić and Bill Roscoe. To be presented at INFINITY '98 (revised version, July 7, 1998).
Abstract. Our main result says that determinism of a concurrent system which uses unbounded arrays (i.e. memories) can be verified by considering an appropriate finite array size. That is made possible by restricting the ways in which array indices and values can be used within the system. The restrictions are those of data independence: the system must not perform any operations on the indices and values, but is only allowed to input them, store them, and output them. Equality tests between indices are also allowed. The restrictions are satisfied by many concurrent systems which use arrays to model memories or databases. As a case study, we have verified that a database system which allows users to lock, read and write records at multiple security levels is secure.
1 The Parameterised Verification Problem. Concurrent systems are frequently infinite-state because they have...