Results 1  10
of
88
Alternatingtime Temporal Logic
 Journal of the ACM
, 1997
"... Temporal logic comes in two varieties: lineartime temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branchingtime temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general var ..."
Abstract

Cited by 448 (47 self)
 Add to MetaCart
Temporal logic comes in two varieties: lineartime temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branchingtime temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternatingtime temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While lineartime and branchingtime logics are natural specification languages for closed systems, alternatingtime logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as modelchecking problems for alternatingtime formulas.
Modelchecking algorithms for continuoustime Markov chains
 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
, 2003
"... Continuoustime Markov chains (CTMCs) have been widely used to determine system performance and dependability characteristics. Their analysis most often concerns the computation of steadystate and transientstate probabilities. This paper introduces a branching temporal logic for expressing realt ..."
Abstract

Cited by 128 (26 self)
 Add to MetaCart
Continuoustime Markov chains (CTMCs) have been widely used to determine system performance and dependability characteristics. Their analysis most often concerns the computation of steadystate and transientstate probabilities. This paper introduces a branching temporal logic for expressing realtime probabilistic properties on CTMCs and presents approximate model checking algorithms for this logic. The logic, an extension of the continuous stochastic logic CSL of Aziz et al., contains a timebounded until operator to express probabilistic timing properties over paths as well as an operator to express steadystate probabilities. We show that the model checking problem for this logic reduces to a system of linear equations (for unbounded until and the steadystate operator) and a Volterra integral equation system (for timebounded until). We then show that the problem of modelchecking timebounded until properties can be reduced to the problem of computing transient state probabilities for CTMCs. This allows the verification of probabilistic timing properties by efficient techniques for transient analysis for CTMCs such as uniformization. Finally, we show that a variant of lumping equivalence (bisimulation), a wellknown notion for aggregating CTMCs, preserves the validity of all formulas in the logic.
Design of Embedded Systems: Formal Models, Validation, and Synthesis
 PROCEEDINGS OF THE IEEE
, 1999
"... This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the ..."
Abstract

Cited by 106 (9 self)
 Add to MetaCart
This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.
Symbolic model checking with rich assertional languages
 Theoretical Computer Science
, 1997
"... Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri c ..."
Abstract

Cited by 89 (4 self)
 Add to MetaCart
Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri cation of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of in nitestate systems, a demonstration that many individual examples of uniformly veri ed parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all singlebus con gurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the topdown invariant generation method used in deductive veri cation. 1
Visual Verification of Reactive Systems
, 1997
"... We describe diagrambased formal methods for verifying temporal properties of finite and infinitestate reactive systems. These methods, which share a common background and tools, differ in the way they use automatic procedures within an interactive setting based on deduction. They can be used to ..."
Abstract

Cited by 84 (6 self)
 Add to MetaCart
We describe diagrambased formal methods for verifying temporal properties of finite and infinitestate reactive systems. These methods, which share a common background and tools, differ in the way they use automatic procedures within an interactive setting based on deduction. They can be used to produce a static proof object, or to perform incremental analysis of systems and specifications.
On Model Checking for NonDeterministic InfiniteState Systems
, 1998
"... We demonstrate that many known algorithms for model checking infinitestate systems can be derived uniformly from a reachability procedure that generates a "covering graph", a generalization of the KarpMiller graph for Petri Nets. Each node of the covering graph has an associated nonempty set of re ..."
Abstract

Cited by 56 (4 self)
 Add to MetaCart
We demonstrate that many known algorithms for model checking infinitestate systems can be derived uniformly from a reachability procedure that generates a "covering graph", a generalization of the KarpMiller graph for Petri Nets. Each node of the covering graph has an associated nonempty set of reachable states, which makes it possible to model check safety properties of the system on the covering graph. For systems with a wellquasiordered simulation relation, each infinite fair computation has a finite witness, which may be detected using the covering graph and combinatorial properties of the specific infinite state system. These results explain many known decidability results in a simple, uniform manner. This is a strong indication that the covering graph construction is appropriate for the analysis of infinite state systems. We also consider the new application domain of parameterized broadcast protocols, and indicate how to apply the construction in this domain. This application is illustrated on an invalidationbased cache coherency protocol, for which many safety properties can be proved fully automatically for an arbitrary number of processes. 1
Fluent Model Checking for Eventbased Systems
 In Proceedings of FSE
, 2003
"... Model checking is an automated technique for verifying that a system satisfies a set of required properties. Such properties are typically expressed as temporal logic formulas, in which atomic propositions are predicates over state variables of the system. In eventbased system descriptions, states ..."
Abstract

Cited by 47 (6 self)
 Add to MetaCart
Model checking is an automated technique for verifying that a system satisfies a set of required properties. Such properties are typically expressed as temporal logic formulas, in which atomic propositions are predicates over state variables of the system. In eventbased system descriptions, states are not characterized by state variables, but rather by the behavior that originates in these states in terms of actions. In this context, it is natural for temporal formulas to be built from atomic propositions that are predicates on the occurrence of actions. The paper identifies limitations in this approach and introduces "fluent" propositions that permit formulas to naturally express properties that combine state and action. A fluent is a property of the world that holds after it is initiated by an action and ceases to hold when terminated by another action. The paper describes an approach to model checking fluentbased lineartemporal logic properties, with its implementation and application in the LTSA tool.
Computing Accumulated Delays in Realtime Systems
, 1993
"... . We present a verification algorithm for duration properties of realtime systems. While simple realtime properties constrain the total elapsed time between events, duration properties constrain the accumulated satisfaction time of state predicates. We formalize the concept of durations by introdu ..."
Abstract

Cited by 40 (6 self)
 Add to MetaCart
. We present a verification algorithm for duration properties of realtime systems. While simple realtime properties constrain the total elapsed time between events, duration properties constrain the accumulated satisfaction time of state predicates. We formalize the concept of durations by introducing duration measures for timed automata. A duration measure assigns to each finite run of a timed automaton a real number the duration of the run which may be the accumulated satisfaction time of a state predicate along the run. Given a timed automaton with a duration measure, an initial and a final state, and an arithmetic constraint, the durationbounded reachability problem asks if there is a run of the automaton from the initial state to the final state such that the duration of the run satisfies the constraint. Our main result is an (optimal) Pspace decision procedure for the durationbounded reachability problem. 1 Introduction Over the past decade, model checking [CE81, QS81]...
Formal Specification: a Roadmap
, 2000
"... Formal specifications have been a focus of software engineering research for many years and have been applied in a wide variety of settings. Their industrial use is still limited but has been steadily growing. After recalling the essence, role, usage, and pitfalls of formal specification, the pa ..."
Abstract

Cited by 34 (0 self)
 Add to MetaCart
Formal specifications have been a focus of software engineering research for many years and have been applied in a wide variety of settings. Their industrial use is still limited but has been steadily growing. After recalling the essence, role, usage, and pitfalls of formal specification, the paper reviews the main specification paradigms to date and discuss their evaluation criteria. It then provides a brief assessment of the current strengths and weaknesses of today's formal specification technology. This provides a basis for formulating a number of requirements for formal specification to become a core software engineering activity in the future.