Results 1  10
of
13
Counterexampleguided Abstraction Refinement
, 2000
"... We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techn ..."
Abstract

Cited by 602 (60 self)
 Add to MetaCart
We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
An Overview of SAL
 LFM 2000: Fifth NASA Langley Formal Methods Workshop
, 2000
"... To become practical for assurance formal methods must be made more costeffective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attem ..."
Abstract

Cited by 39 (5 self)
 Add to MetaCart
To become practical for assurance formal methods must be made more costeffective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a framework for combining different tools to calculate properties (i.e., performing symbolic analysis) of concurrent systems. The heart of SAL is a language, developed in collaboration with Stanford, Berkeley, and Verimag, for specifying concurrent systems in a compositional way. Our instantiation of the SAL framework augments PVS with tools for abstraction, invariant generation, program analysis (such as slicing), theorem proving, and model checking to calculate properties (i.e., perform symbolic analysis) of concurrent systems. We describe the motivation, the language, the tools, and their integration in SAL/PVS, and some preliminary experience of their use. ...
Automatic verification of timed concurrent constraint programs
 TPLP
, 2006
"... The language Timed Concurrent Constraint (tccp) is the extension over time of the Concurrent Constraint Programming (cc) paradigm that allows us to specify concurrent systems where timing is critical, for example reactive systems. Systems which may have an infinite number of states can be specified ..."
Abstract

Cited by 20 (8 self)
 Add to MetaCart
The language Timed Concurrent Constraint (tccp) is the extension over time of the Concurrent Constraint Programming (cc) paradigm that allows us to specify concurrent systems where timing is critical, for example reactive systems. Systems which may have an infinite number of states can be specified in tccp. Model checking is a technique which is able to verify finitestate systems with a huge number of states in an automatic way. In the last years several studies have investigated how to extend model checking techniques to systems with an infinite number of states. In this paper we propose an approach which exploits the computation model of tccp. Constraint based computations allow us to define a methodology for applying a model checking algorithm to (a class of) infinitestate systems. We extend the classical algorithm of model checking for LTL to a specific logic defined for the verification of tccp and to the tccp Structure which we define in this work for modeling the program behavior. We define a restriction on the time in order to get a finite model and then we develop some illustrative examples. To the best of our knowledge this is the first approach that defines a model checking methodology for tccp.
Partial completeness of abstract fixpoint checking
 PROC. 4 TH INT. SYMP. SARA’2000. HORSESHOE BAY, TX, US, LNAI 1864. SPRINGERVERLAG
, 2000
"... Abstract interpretation is used in program static analysis and model checking to cope with infinite state spaces and/or with computer fixpoints for specifications. The abstraction is partially complete when the checking algorithm is exact in that, if the algorithm ever terminates, its answer is alw ..."
Abstract

Cited by 20 (13 self)
 Add to MetaCart
Abstract interpretation is used in program static analysis and model checking to cope with infinite state spaces and/or with computer fixpoints for specifications. The abstraction is partially complete when the checking algorithm is exact in that, if the algorithm ever terminates, its answer is always affirmative for correct specifications. We characterize partially complete abstractions for various abstract fixpoint checking algorithms, including new ones, and show that the computation of complete abstract domains is essentially equivalent to invariance proofs that is to concrete fixpoint checking.
Automatically verifying concurrent queue algorithms
 Electr. Notes Theor. Comput. Sci
, 2003
"... Concurrent FIFO queues are a common component of concurrent systems. Using a single shared lock to prevent concurrent manipulations of queue contents reduces system concurrency. Therefore, many algorithms were suggested to increase concurrency while maintaining the correctness of queue manipulations ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
Concurrent FIFO queues are a common component of concurrent systems. Using a single shared lock to prevent concurrent manipulations of queue contents reduces system concurrency. Therefore, many algorithms were suggested to increase concurrency while maintaining the correctness of queue manipulations. This paper shows how to automatically interpretation techniques. In particular, we verify all the safety properties originally specified for two concurrent queue algorithms without imposing an a priori bound on the number of allocated objects and threads. 1
Parametric Verification of a Group Membership Algorithm
 Proceedings of the 7th International Symposium on Formal Techniques in RealTime and Fault Tolerant Systems
, 2002
"... We address the problem of verifying clique avoidance in the TTP protocol. TTP allows several stations embedded in a car to communicate. ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
We address the problem of verifying clique avoidance in the TTP protocol. TTP allows several stations embedded in a car to communicate.
Modelling and Analysis of Broadcasting Embedded Control Systems
, 1998
"... This paper introduces a framework for the development, modelling and analysis of distributed, realtime control systems which communicate using the deterministic broadcast communication protocol, CAN. We adopt a hierarchical approach in which system designs are expressed in the highlevel, Adalike, ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
This paper introduces a framework for the development, modelling and analysis of distributed, realtime control systems which communicate using the deterministic broadcast communication protocol, CAN. We adopt a hierarchical approach in which system designs are expressed in the highlevel, Adalike, language, CANDLE, which is given a timed transition semantics by translation to a base language, bCANDLE (pronounced `basic candle') which is a simple but expressive process language with a valuepassing, broadcast communication primitive, message priorities and an explicit time construct. The formal semantics of bCANDLE can be found in [6]. Broadcasting...
Verifying Transaction Ordering Properties in Unbounded Bus Networks Through Combined Deductive/algorithmic Methods
"... . Previously [MHG98,MHJG00], we reported our efforts to verify the producer/consumer transaction ordering property for the PCI 2.1 protocol extended with local master IDs. Although our efforts were met with some success, we were unable to show that all execution traces of all acyclic PCI networks sa ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
. Previously [MHG98,MHJG00], we reported our efforts to verify the producer/consumer transaction ordering property for the PCI 2.1 protocol extended with local master IDs. Although our efforts were met with some success, we were unable to show that all execution traces of all acyclic PCI networks satisfy this transaction ordering property. In this paper, we present a verification technique based on network symmetry classes along with a manually derived abstraction that allows us to show, at the bus/bridge level, that all execution traces of all acyclic PCI networks satisfy the transaction ordering property. This now completed case study (modulo the validity of the axioms used to characterized the abstraction) suggests several avenues for further work in combining modelchecking (algorithmic methods) and theoremproving (deductive methods) in judicious ways to solve infinitestate verification problems at the bus/interconnect level. It is a concrete illustration of partitioning concerns...
On setdriven combination of logics and verifiers
, 2009
"... Abstract. We explore the problem of automated reasoning about the nondisjoint combination of logics that share set variables and operations. We prove a general combination theorem, and apply it to show the decidability for the quantifierfree combination of formulas in WS2S, twovarible logic with c ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. We explore the problem of automated reasoning about the nondisjoint combination of logics that share set variables and operations. We prove a general combination theorem, and apply it to show the decidability for the quantifierfree combination of formulas in WS2S, twovarible logic with counting, and Boolean Algebra with Presburger Arithmetic. Furthermore, we present an overapproximating algorithm that uses such combined logics to synthesize universally quantified invariants of infinitestate systems. The algorithm simultaneously synthesizes loop invariants of interest, and infers the relationships between sets to exchange the information between logics. We have implemented this algorithm and used it to prove detailed correctness properties of operations of linked data structure implementations. 1
Lfm2000: Fifth NASA Langley Formal Methods Workshop
, 2000
"... This paper introduces the use of abstraction relationships for timed automata. Abstraction relations make it possible to determine when one specification implements another, i.e. when they have the same set of computations. The approach taken herepermits the hiding of internal events and takes into ..."
Abstract
 Add to MetaCart
This paper introduces the use of abstraction relationships for timed automata. Abstraction relations make it possible to determine when one specification implements another, i.e. when they have the same set of computations. The approach taken herepermits the hiding of internal events and takes into account the timedbehavior of the specification. A new representation of the semantics of a specification is introduced. This representation, minmax automata is morecompact than other types of finite state automata typically usedtorepresent realtime systems, and can beused to define a variety of abstraction relationships. 1 Introduction This paper describes the use of minmax automata to specify the behavior of realtime systems compactly. Originally developed [2] as an alternative representation of timed behavior for the Modechart language[12], in order to support the evaluation of abstraction relationships between Modechart specifications, minmax automata are a general construct for re...