Results 1  10
of
35
Smart cars on smart roads: Problems of control
 IEEE Transactions on Automatic Control
, 1993
"... have been inadvertently introduced. ..."
Combining Partial Order Reductions with Onthefly Modelchecking
, 1994
"... Abstract Partial order modelchecking is an approach to reduce time and memory in modelchecking concurrent programs. Onthefly modelchecking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during i ..."
Abstract

Cited by 191 (14 self)
 Add to MetaCart
Abstract Partial order modelchecking is an approach to reduce time and memory in modelchecking concurrent programs. Onthefly modelchecking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during its generation. We prove conditions under which these two methods can be combined in order to gain reduction from both methods. An extension of the modelchecker SPIN, which implements this combination, is studied, showing substantial reduction over traditional search, not only in the number of reachable states, but directly in the amount of memory and time used. We also describe how to apply partialorder modelchecking under given fairness assumptions.
You Assume, We Guarantee: Methodology and Case Studies
, 1998
"... Assumeguarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Re nement mappings (homomorphisms) have long been advertised as an important method for solving the languageinclusion problem in practice. When confronted with large ..."
Abstract

Cited by 95 (14 self)
 Add to MetaCart
Assumeguarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Re nement mappings (homomorphisms) have long been advertised as an important method for solving the languageinclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that rather than o ering instant solutions, the success of assumeguarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
An Efficient Implementation of Reactivity for Modeling Hardware in the Scenic Design Environment
, 1997
"... Reactivity is one of the key features of hardware description languages. We present an efficient implementation of reactivity in the Scenic framework that allows the system designer to model hardware blocks. Scenic allows the designer to use C++ to model mixed hardwaresoftware systems with a C++ c ..."
Abstract

Cited by 71 (7 self)
 Add to MetaCart
Reactivity is one of the key features of hardware description languages. We present an efficient implementation of reactivity in the Scenic framework that allows the system designer to model hardware blocks. Scenic allows the designer to use C++ to model mixed hardwaresoftware systems with a C++ compiler and a small library and without the need of a complex eventdriven runtime kernel often found embedded in hardware description languages (HDL) such as VHDL and Verilog. Moreover, Scenic hardware descriptions can be easily mapped to HDL and synthesized into hardware implementations using commercially available tools. In this paper we present Scenic's implementation of concurrency (signals and processes) and reactivity (waiting and watching). When C++ is used as an HDL, contextswitching overhead can become a significant performance issue during simulation. We introduce the notion of delayed expression objects, or lambdas, to reduce contextswitching. Examples and experimental results ...
Combining Model Checking and Deduction for I/OAutomata
"... We propose a combination of model checking and interactive theorem proving where the theorem prover is used to represent finite and infinite state systems, reason about them compositionally and reduce them to small finite systems by verified abstractions. As an example we verify a version of the Alt ..."
Abstract

Cited by 45 (3 self)
 Add to MetaCart
We propose a combination of model checking and interactive theorem proving where the theorem prover is used to represent finite and infinite state systems, reason about them compositionally and reduce them to small finite systems by verified abstractions. As an example we verify a version of the Alternating Bit Protocol with unbounded lossy and duplicating channels: the channels are abstracted by interactive proof and the resulting finite state system is model checked.
Timing Verification by Successive Approximation
 INFORMATION AND COMPUTATION
, 1995
"... We present an algorithm for verifying that a model M with timing constraints satisfies a given temporal property T . The model M is given as a parallel composition of !automata P i , where each automaton P i is constrained by bounds on delays. The property T is given as an !automaton as well, and ..."
Abstract

Cited by 44 (11 self)
 Add to MetaCart
We present an algorithm for verifying that a model M with timing constraints satisfies a given temporal property T . The model M is given as a parallel composition of !automata P i , where each automaton P i is constrained by bounds on delays. The property T is given as an !automaton as well, and the verification problem is posed as a language inclusion question L(M ) ` L(T ). In constructing the composition M of the constrained automata P i , one needs to rule out the behaviors that are inconsistent with the delay bounds, and this step is (provably) computationally expensive. We propose an iterative solution which involves generating successive approximations M j to M , with containment L(M ) ` L(M j ) and monotone convergence L(M j ) ! L(M ) within a bounded number of steps. As the succession progresses, the approximations M j become more complex. At any step of the iteration one may get a proof or a counterexample to the original language inclusion question. The described algori...
Verifying Temporal Properties without Temporal Logic
, 1989
"... this paper were first presented at the "IEEE Symposium on Logic in Computer Science," Ithaca, New York, June 1987 ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
this paper were first presented at the "IEEE Symposium on Logic in Computer Science," Ithaca, New York, June 1987
Verification of a Multiplier: 64 Bits and beyond
, 1993
"... Verifying a 64bit multiplier has a computational complexity that puts it beyond the grasp of current finitestate algorithms, including those based upon homomorphic reduction, the induction principle, and bdd fixedpoint algorithms. Theorem proving, while not bound by the same computational constra ..."
Abstract

Cited by 36 (7 self)
 Add to MetaCart
Verifying a 64bit multiplier has a computational complexity that puts it beyond the grasp of current finitestate algorithms, including those based upon homomorphic reduction, the induction principle, and bdd fixedpoint algorithms. Theorem proving, while not bound by the same computational constraints, may not be feasible for routinely coping with the complex, lowlevel details of a real multiplier. We show how to verify such a multiplier by applying COSPAN, a modelchecking algorithm, to verify local properties of the complex lowlevel circuit, and using TLP, a theorem prover based on the Temporal Logic of Actions, to prove that these properties imply the correctness of the multiplier. Both verification steps are automated, and we plan to mechanize the translation between the languages of TLP and COSPAN.
A language for compositional specification and verification of finite state hardware controllers
 Proceedings of the IEEE
, 1991
"... Abstract SML is a language for describing complex finitestate hardware controllers. It provides many of the standard control structures found in modern programming languages. The state tables produced by the SML compiler can be used as input to a temporal logic model checker that can automatically ..."
Abstract

Cited by 36 (2 self)
 Add to MetaCart
Abstract SML is a language for describing complex finitestate hardware controllers. It provides many of the standard control structures found in modern programming languages. The state tables produced by the SML compiler can be used as input to a temporal logic model checker that can automatically determine whether a specification in the logic CTL is satisfied. We describe extensions to SML for the design of modular controllers. These extensions allow a compositional approach to model checking which can substantially reduce its complexity. To demonstrate our methods, we discuss the specification and verification of a simple CPU controller. 0