Model checking of message sequence charts, 1999
Cited by 148 (6 self)
Scenario-based specifications such as message sequence charts (MSC) offer an intuitive and visual way of describing design requirements. Such specifications focus on message exchanges among communicating entities in distributed software systems. Structured specifications such as MSC-graphs and Hierarchical MSC-graphs (HMSC) allow convenient expression of multiple scenarios, and can be viewed as an early model of the system. In this paper, we present a comprehensive study of the problem of verifying whether this model satisfies a temporal requirement given by an automaton, by developing algorithms for the different cases along with matching lower bounds. When the model is given as an MSC, model checking can be done by constructing a suitable automaton for the linearizations of the partial order specified by the MSC, and the problem is coNP-complete. When the model is given by an MSC-graph, we consider two possible semantics depending on the synchronous or asynchronous interpretation of concatenating two MSCs. For synchronous model checking of MSC-graphs and HMSCs, we present algorithms whose time complexity is proportional to the product of the size of the description and the cost of processing MSCs at individual vertices. Under the asynchronous interpretation, we prove undecidability of the model checking problem. We then identify a natural requirement of boundedness, give algorithms to check boundedness, and establish asynchronous model checking to be PSPACE-complete for bounded MSC-graphs and EXPSPACE-complete for bounded HMSCs.
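The single-MSC case above is worth seeing concretely: an MSC fixes only a partial order (lifeline order plus send-before-receive), and a requirement can hold on the linearization the chart visually suggests yet fail on another. The following is an added example, not code from the paper: it brute-forces every linearization of a constructed three-lifeline MSC and runs each through a small requirement automaton. The message list, event naming and automaton encoding are all assumptions made for this illustration; enumerating linearizations is exponential in general, which is why the paper builds an automaton for them instead.

```python
# Added example (not from the paper): brute-force model checking of one MSC
# against a requirement automaton by enumerating the linearizations of the
# MSC's partial order. MSC, event names and automaton format are constructed.

# Each message is (sender, receiver, label); a lifeline's events are ordered by
# their position in this list, as on the drawn chart. Read quickly, the chart
# suggests q learns "auth" before r forwards "data", but nothing enforces it.
MESSAGES = [
    ("p", "q", "auth"),   # p tells q the session is authenticated
    ("p", "r", "data"),   # p hands the payload to r
    ("r", "q", "data"),   # r forwards it to q
]

def msc_events(messages):
    """Build the MSC partial order: event names plus immediate predecessors."""
    events, preds, last_on = [], {}, {}
    for i, (src, dst, label) in enumerate(messages):
        snd, rcv = f"{src}!{label}#{i}", f"{dst}?{label}#{i}"
        for ev, proc in ((snd, src), (rcv, dst)):
            events.append(ev)
            preds[ev] = {last_on[proc]} if proc in last_on else set()  # lifeline order
            last_on[proc] = ev
        preds[rcv].add(snd)   # a message is sent before it is received
    return events, preds

def linearizations(events, preds):
    """Yield every total order of the events consistent with the partial order."""
    def extend(prefix, placed, remaining):
        if not remaining:
            yield prefix
            return
        for ev in sorted(remaining):
            if preds[ev] <= placed:
                yield from extend(prefix + [ev], placed | {ev}, remaining - {ev})
    yield from extend([], frozenset(), frozenset(events))

# Requirement as a deterministic automaton over event names without the "#i"
# suffix: r must not forward data before q has received auth. Unlisted
# (state, event) pairs self-loop; "BAD" is absorbing.
REQUIREMENT = {
    "init": 0,
    "bad": {"BAD"},
    "delta": {(0, "q?auth"): 1, (0, "r!data"): "BAD"},
}

def run_automaton(req, trace):
    state = req["init"]
    for ev in trace:
        state = req["delta"].get((state, ev.split("#")[0]), state)
    return state

def model_check(messages, req):
    """Return a violating linearization, or None if all linearizations satisfy req."""
    events, preds = msc_events(messages)
    for lin in linearizations(events, preds):
        if run_automaton(req, lin) in req["bad"]:
            return lin
    return None

# A repaired chart: p waits for q's ack before releasing the payload, so the
# partial order itself now forces q?auth before r!data.
FIXED_MESSAGES = [("p", "q", "auth"), ("q", "p", "ack"),
                  ("p", "r", "data"), ("r", "q", "data")]

if __name__ == "__main__":
    print("violation:", model_check(MESSAGES, REQUIREMENT))
    print("fixed chart:", model_check(FIXED_MESSAGES, REQUIREMENT))
```

The constructed chart has four linearizations; one of them lets r forward the payload before q has seen the authentication message, which is exactly the kind of ordering assumption a protocol designer reads off a diagram but never wrote down. The repaired chart collapses to a single linearization, so the check passes trivially.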
Analysis of Recursive State Machines. In Proceedings of CAV 2001, 2001
Cited by 128 (26 self)
Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive procedure calls. They can be viewed as a visual notation extending Statecharts-like hierarchical state machines, where concurrency is disallowed but recursion is allowed. They are also related to various models of pushdown systems studied in the verification and program analysis communities. After introducing RSMs, we focus on whether state-space analysis can be performed efficiently for RSMs. We consider the two central problems for algorithmic analysis and model checking, namely, reachability (is a target state reachable from initial states) and cycle detection (is there a reachable cycle containing an accepting state). We show that both these problems can be solved in time O(nθ²) and space O(nθ), where n is the size of the recursive machine and θ is the maximum, over all component state machines, of the minimum of the number of entries and the number of exits of each component. We also study the precise relationship between RSMs and closely related models.
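The reason the bound depends on entries and exits rather than on the call depth is that a box never has to be expanded: it is enough to know which (entry, exit) pairs of the callee are connected, and that relation is a least fixed point over all components. The following is an added example, not the paper's implementation, showing that summary-based reachability on a constructed RSM with one recursive component and one that never returns. The dict encoding, component and vertex names are assumptions made for this illustration.

```python
# Added example (not the paper's implementation): reachability in a recursive
# state machine via (entry, exit) summaries. Encoding, components and vertex
# names are constructed. A vertex is a plain node (string) or a box port
# (box, port): an edge into (box, entry) calls the box's component, and an
# edge out of (box, exit) resumes after that call returns.
from collections import defaultdict

RSM = {
    "main": {
        "entries": ["m_in"], "exits": ["m_out"],
        "boxes": {"b1": "f", "b3": "loop"},
        "edges": [("m_in", ("b1", "f_in")), (("b1", "f_out"), "m_out"),
                  ("m_in", ("b3", "l_in")), (("b3", "l_out"), "after_loop")],
    },
    "f": {   # recursive, but may also return directly
        "entries": ["f_in"], "exits": ["f_out"],
        "boxes": {"b2": "f"},
        "edges": [("f_in", "chk"), ("chk", "f_out"), ("chk", ("b2", "f_in")),
                  (("b2", "f_out"), "f_out"), ("dead", "f_out")],
    },
    "loop": {   # recurses forever: its exit is never reached
        "entries": ["l_in"], "exits": ["l_out"],
        "boxes": {"b": "loop"},
        "edges": [("l_in", ("b", "l_in")), (("b", "l_out"), "l_out")],
    },
}

def local_reach(rsm, comp, start, summaries):
    """Vertices of `comp` reachable from `start` without leaving the component:
    a box is crossed via the callee's known (entry, exit) summaries."""
    succ = defaultdict(set)
    for u, v in rsm[comp]["edges"]:
        succ[u].add(v)
    seen, stack = set(), [start]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(succ[u])
        if isinstance(u, tuple):                 # (box, port): try to return from the call
            box, port = u
            callee = rsm[comp]["boxes"][box]
            for en, ex in summaries[callee]:
                if en == port:
                    stack.append((box, ex))
    return seen

def compute_summaries(rsm):
    """Least fixed point of the per-component (entry, exit) summary relation."""
    summaries = {c: set() for c in rsm}
    changed = True
    while changed:
        changed = False
        for c, m in rsm.items():
            for en in m["entries"]:
                reach = local_reach(rsm, c, en, summaries)
                for ex in m["exits"]:
                    if ex in reach and (en, ex) not in summaries[c]:
                        summaries[c].add((en, ex))
                        changed = True
    return summaries

def reachable(rsm, root, target_comp, target):
    """Is `target` in `target_comp` reachable from the entries of `root`
    under any call stack? Explores reachable (component, entry) pairs."""
    summaries = compute_summaries(rsm)
    reached = {(root, en) for en in rsm[root]["entries"]}
    work = list(reached)
    while work:
        c, en = work.pop()
        reach = local_reach(rsm, c, en, summaries)
        if c == target_comp and target in reach:
            return True
        for v in reach:
            if isinstance(v, tuple):
                box, port = v
                callee = rsm[c]["boxes"][box]
                if port in rsm[callee]["entries"] and (callee, port) not in reached:
                    reached.add((callee, port))
                    work.append((callee, port))
    return False

if __name__ == "__main__":
    print(compute_summaries(RSM))
    print("m_out:", reachable(RSM, "main", "main", "m_out"))
    print("after_loop:", reachable(RSM, "main", "main", "after_loop"))
```

Each component's summary set is bounded by entries times exits, which is where the θ in the paper's bound comes from; the fixed-point loop here is the simple version and does not achieve the O(nθ²) bound. For a security reviewer the same machinery answers "can this sink be reached from that entry point through any sequence of calls", which is why summary-based interprocedural reachability underlies most taint and call-graph analyses.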
Recursive Markov chains, stochastic grammars, and monotone systems of nonlinear equations. In STACS, 2005
Cited by 76 (11 self)
We define Recursive Markov Chains (RMCs), a class of finitely presented denumerable Markov chains, and we study algorithms for their analysis. Informally, an RMC consists of a collection of finite-state Markov chains with the ability to invoke each other in a potentially recursive manner. RMCs offer a natural abstract model for probabilistic programs with procedures. They generalize, in a precise sense, a number of well studied stochastic models, including Stochastic Context-Free Grammars (SCFG) and Multi-Type Branching Processes (MTBP). We focus on algorithms for reachability and termination analysis for RMCs: what is the probability that an RMC started from a given state reaches another target state, or that it terminates? These probabilities are in general irrational, and they arise as (least) fixed point solutions to certain (monotone) systems of nonlinear equations associated with RMCs. We address both the qualitative problem of determining whether the probabilities are 0, 1 or in-between, and
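To make the "least fixed point of a monotone nonlinear system" concrete, here is an added example, not the paper's algorithm: a constructed 1-exit RMC whose component either terminates at once with probability q or calls itself twice, so its termination probability x is the least nonnegative solution of x = q + (1 - q)x². The code sets up one variable per node, applies the monotone operator repeatedly from 0 (Kleene iteration), and reports whether it converged. The dict encoding, component names and the parameter q are assumptions for this illustration.

```python
# Added example (not the paper's algorithm): termination probabilities of a
# 1-exit recursive Markov chain as the least fixed point of its monotone
# polynomial system, approximated by Kleene (value) iteration from 0.
# Component layout and dict encoding are constructed for this illustration.

def make_rmc(q):
    """Component f: with probability q exit at once, otherwise call f twice and
    then exit. Its termination probability x satisfies x = q + (1-q) x^2, whose
    least nonnegative solution is min(1, q / (1-q)). main just calls f once."""
    return {
        "f": {"entry": "f0", "nodes": {
            "f0": [(q, "out"), (1 - q, "c1")],     # plain node: weighted successors
            "c1": {"call": "f", "ret": "c2"},      # box: call f, then continue at c2
            "c2": {"call": "f", "ret": "out"},     # box: call f, then exit
        }},
        "main": {"entry": "m0", "nodes": {
            "m0": [(1.0, "cm")],
            "cm": {"call": "f", "ret": "out"},
        }},
    }

def value(p, comp, node):
    """Probability of reaching the exit from `node`; the exit itself is 1."""
    return 1.0 if node == "out" else p[(comp, node)]

def step(rmc, p):
    """One application of the system's monotone operator F."""
    new = {}
    for comp, m in rmc.items():
        for node, spec in m["nodes"].items():
            if isinstance(spec, dict):   # box: callee must terminate, then continue at ret
                callee = spec["call"]
                new[(comp, node)] = (p[(callee, rmc[callee]["entry"])]
                                     * value(p, comp, spec["ret"]))
            else:                        # plain node: weighted sum over successors
                new[(comp, node)] = sum(w * value(p, comp, v) for w, v in spec)
    return new

def termination_probabilities(rmc, tol=1e-12, max_iter=10000):
    """Iterate p <- F(p) from p = 0. Because F is monotone with nonnegative
    coefficients the iterates increase to the least fixed point. Returns
    (p, converged). For x = q + (1-q) x^2 convergence is geometric when the
    derivative 2(1-q)x at the LFP is below 1, but at the critical q = 1/2 it
    is sublinear, and a truncated iteration can never certify that p == 1."""
    p = {(c, n): 0.0 for c, m in rmc.items() for n in m["nodes"]}
    for _ in range(max_iter):
        new = step(rmc, p)
        delta = max(abs(new[k] - p[k]) for k in p)
        p = new
        if delta < tol:
            return p, True
    return p, False

if __name__ == "__main__":
    for q in (0.4, 0.5, 0.8):
        probs, ok = termination_probabilities(make_rmc(q), max_iter=2000)
        print(q, round(probs[("f", "f0")], 6), "converged" if ok else "not converged")
```

With q = 0.4 the iteration settles at 2/3, the smaller of the two roots 2/3 and 1; with q = 0.8 the roots are 1 and 4, so the least fixed point is 1 and termination is almost sure. The q = 0.5 run shows the practical caveat: the probability really is 1, but the iterates crawl toward it and the loop gives up, which is why deciding whether a probability is exactly 0 or 1 (the qualitative problem in the abstract) cannot be left to numerical iteration, and why Newton's method on the same system is the tool of choice for the quantitative problem.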
Branching vs. Linear Time: Final Showdown. Proceedings of the 2001 Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2001 (LNCS Volume 2031), 2001
Cited by 75 (8 self)
The discussion of the relative merits of linear versus branching-time frameworks goes back to the early 1980s. One of the beliefs dominating this discussion has been that "while specifying is easier in LTL (linear-temporal logic), verification is easier for CTL (branching-temporal logic)". Indeed, the restricted syntax of CTL limits its expressive power and many important behaviors (e.g., strong fairness) cannot be specified in CTL. On the other hand, while model checking for CTL can be done in time that is linear in the size of the specification, it takes time that is exponential in the specification for LTL. Because of these arguments, and for historical reasons, the dominant temporal specification language in industrial use is CTL.
Bogor: An Extensible and Highly-Modular Software Model Checking Framework
Cited by 70 (0 self)
Model checking is emerging as a popular technology for reasoning about behavior properties of a wide variety of software artifacts including: requirements models, architectural descriptions, designs, implementations, and process models. The complexity of model checking is well-known, yet cost-effective analyses have been achieved by exploiting, for example, naturally occurring abstractions and semantic properties of a target software artifact. Adapting a model checking tool to exploit this kind of domain knowledge often requires in-depth knowledge of the tool's implementation. We believe that with appropriate tool support, domain experts will be able to develop efficient model-checking-based analyses for a variety of software-related models. To explore this hypothesis, we have developed Bogor, a model checking framework with an extensible input language for defining domain-specific constructs and a modular interface design to ease the optimization of domain-specific state-space encodings, reductions and search algorithms. We present the pattern-oriented design of Bogor and discuss our experiences adapting it to efficiently model check Java programs and event-driven component-based designs.
Verifying aspect advice modularly. In FSE '04
Cited by 61 (1 self)
Aspect-oriented programming has become an increasingly important means of expressing crosscutting program abstractions. Despite this, aspects lack support for computer-aided verification. We present a technique for verifying aspect-oriented programs (expressed as state machines). Our technique assumes that the set of pointcut designators is known statically, but that the actual advice can vary. This calls for a modular technique that does not require repeated analysis of the entire system every time a developer changes advice. We present such an analysis, addressing several subtleties that arise. We also present an important optimization for handling multiple pointcut designators. We have implemented a prototype verifier and applied it to some simple but interesting cases.
Model Checking of Unrestricted Hierarchical State Machines, 2001
Cited by 46 (6 self)
Hierarchical State Machines (HSMs) are a natural model for representing the behavior of software systems. In this paper, we investigate a variety of model-checking problems for an extension of HSMs in which state machines are allowed to call each other recursively.
Verifying Cross-Cutting Features as Open Systems, 2002
Cited by 40 (1 self)
Feature-oriented software designs capture many interesting notions of crosscutting, and offer a powerful method for building product-line architectures. Each crosscutting feature is an independent module that fundamentally yields an open system from a verification perspective. We describe desiderata for verifying such modules through model checking and find that existing work on the verification of open systems fails to address most of the concerns that arise from feature-oriented systems. We therefore provide a new methodology for verifying such systems. To validate this new methodology, we have implemented it and applied it to a suite of modules that exhibit feature interaction problems. Our model checker was able to automatically locate ten problems previously found through a laborious simulation-based effort.
Communicating hierarchical state machines. Proceedings of the 26th International Colloquium on Automata, Languages and Programming, 1999
Cited by 38 (5 self)
Hierarchical state machines are finite state machines whose states themselves can be other machines. In spite of their popularity in many modeling tools for software design, very little is known concerning their complexity and expressiveness. In this paper, we study these questions for hierarchical state machines as well as for communicating hierarchical state machines, that is, finite state machines extended with both hierarchy and concurrency. We present a comprehensive set of results characterizing (1) the complexity of the reachability, emptiness and universality problems, (2) the complexity of the language inclusion and equivalence problems, and (3) the succinctness relationships between different types of machines.
Demand-Driven Alias Analysis for C, 2007
Cited by 29 (0 self)
This paper presents a demand-driven, flow-insensitive analysis algorithm for answering may-alias queries. We formulate the computation of alias queries as a CFL-reachability problem, and use this formulation to derive a demand-driven analysis algorithm. The analysis uses a worklist algorithm that gradually explores the program structure and stops as soon as enough evidence is gathered to answer the query. Unlike existing techniques, our approach does not require building or intersecting points-to sets. Experiments show that our technique is effective at answering alias queries accurately and efficiently in a demand-driven fashion. For a set of alias queries from the SPEC2000 benchmarks, our analysis is able to accurately answer 97% of the queries in less than 1 millisecond per query. Compared to a demand-driven points-to analysis that constructs and intersects points-to sets on-the-fly, our alias analysis is more than two times faster.