Results 1  10
of
28
The synchronous dataflow programming language LUSTRE
 Proceedings of the IEEE
, 1991
"... This paper describes the language Lustre, which is a dataflow synchronous language, designed for programming reactive systems  such as automatic control and monitoring systems  as well as for describing hardware. The dataflow aspect of Lustre makes it very close to usual description tools in t ..."
Abstract

Cited by 621 (51 self)
 Add to MetaCart
(Show Context)
This paper describes the language Lustre, which is a dataflow synchronous language, designed for programming reactive systems  such as automatic control and monitoring systems  as well as for describing hardware. The dataflow aspect of Lustre makes it very close to usual description tools in these domains (blockdiagrams, networks of operators, dynamical samplessystems, etc: : : ), and its synchronous interpretation makes it well suited for handling time in programs. Moreover, this synchronous interpretation allows it to be compiled into an efficient sequential program. Finally, the Lustre formalism is very similar to temporal logics. This allows the language to be used for both writing programs and expressing program properties, which results in an original program verification methodology. 1 Introduction Reactive systems Reactive systems have been defined as computing systems which continuously interact with a given physical environment, when this environment is unable to sy...
Verification of RealTime Systems using Linear Relation Analysis
 FORMAL METHODS IN SYSTEM DESIGN
, 1997
"... Linear Relation Analysis [CH78] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous ..."
Abstract

Cited by 131 (11 self)
 Add to MetaCart
Linear Relation Analysis [CH78] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.
Synchronous Observers and the Verification of Reactive Systems
 Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente
, 1993
"... This paper is a survey of our specification and verification techniques, in a very general, language independent, framework. Section 1 introduces a simple model of synchronous input/output machines, which will be used throughout the paper. In section 2, we show how such a machine can be designed to ..."
Abstract

Cited by 122 (14 self)
 Add to MetaCart
(Show Context)
This paper is a survey of our specification and verification techniques, in a very general, language independent, framework. Section 1 introduces a simple model of synchronous input/output machines, which will be used throughout the paper. In section 2, we show how such a machine can be designed to check the satisfaction of a safety property, and we discuss the use of such an observer in program verification. In section 3, we use an observer to restrict the behavior of a machine. This is the basic way for representing assumptions about the environment. Applications to modular and inductive verification are considered. In modular verification, one has to find, by intuition, a property of a subprogram that is strong enough to allow the verification of the whole program without fully considering the subprogram. In section 4, we consider the automatic synthesis of such a property, and in section 5, we investigate the possibility of deducing the subprogram from such a synthesized specification.
Symbolic model checking with rich assertional languages
 Theoretical Computer Science
, 1997
"... Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri c ..."
Abstract

Cited by 114 (4 self)
 Add to MetaCart
Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri cation of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of in nitestate systems, a demonstration that many individual examples of uniformly veri ed parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all singlebus con gurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the topdown invariant generation method used in deductive veri cation. 1
Automatic Deductive Verification with Invisible Invariants
, 2001
"... The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving inva ..."
Abstract

Cited by 96 (11 self)
 Add to MetaCart
(Show Context)
The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving invariance properties, then all the generated verification conditions can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Next, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Combining this automatic computation of invariants with the previously mentioned resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying boundeddata parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". We illustrate the method on a nontrivial example of a cache protocol, provided by Steve German.
Programming and verifying realtime systems by means of the synchronous dataflow language LUSTRE
, 1994
"... We investigate the benefits of using a synchronous dataflow language for programming critical realtime systems. These benefits concern ergonomy  since the dataflow approach meets traditional description tools used in this domain , and ability to support formal design and verification methods ..."
Abstract

Cited by 88 (12 self)
 Add to MetaCart
We investigate the benefits of using a synchronous dataflow language for programming critical realtime systems. These benefits concern ergonomy  since the dataflow approach meets traditional description tools used in this domain , and ability to support formal design and verification methods. We show, on a simple example, how the language Lustre and its associated verification tool Lesar, can be used to design a program, to specify its critical properties, and to verify these properties. As the language Lustre and its use have been already published in several papers (e.g., [11, 18]), we put particular emphasis on program verification. A preliminary version of this paper has been published in [28]. 1 Introduction It is useless to repeat why realtime programs are among those in which errors can have the most dramatic consequences. Thus, these programs constitute a domain where there is a special need of rigorous design methods. We advocate a "language approach" to this problem...
Parameterized Verification with Automatically Computed Inductive Assertions
, 2001
"... The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic mo ..."
Abstract

Cited by 88 (9 self)
 Add to MetaCart
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic modelchecking techniques for both tasks. First, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive inv rule for proving invariance properties can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
 Software Tools for Technology Transfer
, 2000
"... ion: The Cornerstones of Practical Formal Verification. Yonit Kesten 1 , Amir Pnueli 2 1 Dept. of Communication Systems Engineering, Ben Gurion University, BeerSheva, Israel, email: ykesten@bgumail.bgu.ac.il 2 Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of S ..."
Abstract

Cited by 33 (9 self)
 Add to MetaCart
(Show Context)
ion: The Cornerstones of Practical Formal Verification. Yonit Kesten 1 , Amir Pnueli 2 1 Dept. of Communication Systems Engineering, Ben Gurion University, BeerSheva, Israel, email: ykesten@bgumail.bgu.ac.il 2 Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, email: amir@wisdom.weizmann.ac.il The date of receipt and acceptance will be inserted by the editor Abstract. In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems  Symbolic Model Checking and Deductive Verification, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...
Abstracting WS1S Systems to Verify Parameterized Networks
, 2000
"... We present a method that allows to verify parameterized networks of finite state processes. Our method is based on three main ideas. The first one consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (2ndorder) ..."
Abstract

Cited by 31 (6 self)
 Add to MetaCart
We present a method that allows to verify parameterized networks of finite state processes. Our method is based on three main ideas. The first one consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (2ndorder) variables and whose transitions are described in WS1S. Then, we present methods that allow to abstract a WS1S system into a finite state system that can be modelchecked. Finally, in order to verify liveness properties, we present an algorithm that allows to enrich the abstract system with strong fairness conditions while preserving safety of the abstraction. We implemented our method in a tool, called pax, and applied it to several examples.
Automatic Verification of Parameterized Linear Networks of Processes
 IN 24TH ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES, POPL'97
, 1997
"... This paper describes a method to verify safety properties of parameterized linear networks of processes. The method is based on the construction of a network invariant, defined as a fixpoint. Such invariants can often be automatically computed using heuristics based on Cousot's widening techniq ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
This paper describes a method to verify safety properties of parameterized linear networks of processes. The method is based on the construction of a network invariant, defined as a fixpoint. Such invariants can often be automatically computed using heuristics based on Cousot's widening techniques. These techniques have been implemented and some nontrivial examples are presented.