Results 1  10
of
218
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2407 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
MOCHA: Modularity in Model Checking
, 1998
"... this paper, we describe the toolkit MOCHA in which the proposed approach is being implemented. The input language of MOCHA is a machine readable variant of reactive modules. The following functionalities are currently being supported: ..."
Abstract

Cited by 158 (20 self)
 Add to MetaCart
this paper, we describe the toolkit MOCHA in which the proposed approach is being implemented. The input language of MOCHA is a machine readable variant of reactive modules. The following functionalities are currently being supported:
Computing Simulations on Finite and Infinite Graphs
, 1996
"... . We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges ..."
Abstract

Cited by 147 (6 self)
 Add to MetaCart
. We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m n). For effectively presented infinite graphs, we present a symbolic similaritychecking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the 8CTL modelchecking problem are decidable for 2D rectangular automata. 1 Introduction A labeled graph G = (V; E;A; hh\Deltaii) consist of a (possibly infinite) set V of vertices, a set E ` V 2 of edges, a set A of labels, and a function hh\Deltaii : V ! A that maps each vertex v to a label hh...
Bounded Model Checking Using Satisfiability Solving
 Formal Methods in System Design
, 2001
"... The phrase model checking refers to algorithms for exploring the state space of a transition system to determine if it obeys a specification of its intended behavior. These algorithms can perform exhaustive verification in a highly automatic manner, and, thus, have attracted much interest in indus ..."
Abstract

Cited by 139 (1 self)
 Add to MetaCart
The phrase model checking refers to algorithms for exploring the state space of a transition system to determine if it obeys a specification of its intended behavior. These algorithms can perform exhaustive verification in a highly automatic manner, and, thus, have attracted much interest in industry. Model checking programs are now being commercially marketed. However, model checking has been held back by the state explosion problem, which is the problem that the number of states in a system grows exponentially in the number of system components. Much research has been devoted to ameliorating this problem.
Property preserving abstractions for the verification of concurrent systems
 FORMAL METHODS IN SYSTEM DESIGN, VOL 6, ISS
, 1995
"... We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections ( �), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a ..."
Abstract

Cited by 136 (4 self)
 Add to MetaCart
We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections ( �), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching timecalculus when two systems S and S' are related via h � isimulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method. This is a revised version of the papers [2] and [16] � the results are fully developed in [27].
Verification Tools for FiniteState Concurrent Systems
"... Temporal logic model checking is an automatic technique for verifying finitestate concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a statetransition graph. An efficient search procedure is used to determine whether or not t ..."
Abstract

Cited by 118 (3 self)
 Add to MetaCart
Temporal logic model checking is an automatic technique for verifying finitestate concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a statetransition graph. An efficient search procedure is used to determine whether or not the statetransition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10 120 states. In this paper we describe in detail how the new implementation works and
Learning assumptions for compositional verification
, 2003
"... Abstract. Compositional verification is a promising approach to addressing the state explosion problem associated with model checking. One compositional technique advocates proving properties of a system by checking properties of its components in an assumeguarantee style. However, the application ..."
Abstract

Cited by 105 (16 self)
 Add to MetaCart
Abstract. Compositional verification is a promising approach to addressing the state explosion problem associated with model checking. One compositional technique advocates proving properties of a system by checking properties of its components in an assumeguarantee style. However, the application of this technique is difficult because it involves nontrivial human input. This paper presents a novel framework for performing assumeguarantee reasoning in an incremental and fully automated fashion. To check a component against a property, our approach generates assumptions that the environment needs to satisfy for the property to hold. These assumptions are then discharged on the rest of the system. Assumptions are computed by a learning algorithm. They are initially approximate, but become gradually more precise by means of counterexamples obtained by model checking the component and its environment, alternately. This iterative process may at any stage conclude that the property is either true or false in the system. We have implemented our approach in the LTSA tool and applied it to a NASA system.
You Assume, We Guarantee: Methodology and Case Studies
, 1998
"... Assumeguarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Re nement mappings (homomorphisms) have long been advertised as an important method for solving the languageinclusion problem in practice. When confronted with large ..."
Abstract

Cited by 95 (14 self)
 Add to MetaCart
Assumeguarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Re nement mappings (homomorphisms) have long been advertised as an important method for solving the languageinclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that rather than o ering instant solutions, the success of assumeguarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
Verification of an implementation of Tomasulo’s algorithm by compositional model checking
, 1998
"... Abstract. An implementation of an outoforder processing unit based on Tomasulo’s algorithm is formally verified using compositional model checking techniques. This demonstrates that finitestate methods can be applied to such algorithms, without recourse to higherorder proof systems. The paper in ..."
Abstract

Cited by 90 (4 self)
 Add to MetaCart
Abstract. An implementation of an outoforder processing unit based on Tomasulo’s algorithm is formally verified using compositional model checking techniques. This demonstrates that finitestate methods can be applied to such algorithms, without recourse to higherorder proof systems. The paper introduces a novel compositional system that supports cyclic environment reasoning and multiple environment abstractions per signal. A proof of Tomasulo’s algorithm is outlined, based on refinement maps, and relying on the novel features of the compositional system. This proof is fully verified by the SMV verifier, using symmetry to reduce the number of assertions that must be verified. 1
Module Checking
, 1996
"... . In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of ..."
Abstract

Cited by 79 (11 self)
 Add to MetaCart
. In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, modelchecking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current modelchecking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (mod ule checking, for short). We show that while module che...