Results 1  10
of
38
The Linear TimeBranching Time Spectrum II  The semantics of sequential systems with silent moves
, 1993
"... ion Rule (KFAR) (Baeten, Bergstra & Klop [3]), expresses a global fairness assumption. It says that when possible a system will escape from any cycle of internal actions. Some form of KFAR is crucial for many protocal verifications with unreliable channels, and for that reason preorders and equivale ..."
Abstract

Cited by 290 (17 self)
 Add to MetaCart
ion Rule (KFAR) (Baeten, Bergstra & Klop [3]), expresses a global fairness assumption. It says that when possible a system will escape from any cycle of internal actions. Some form of KFAR is crucial for many protocal verifications with unreliable channels, and for that reason preorders and equivalences that satisfy KFAR are of special interest. Must preorders and divergence sensitive ones cannot satisfy KFAR. In Bergstra, Klop & Olderog [7] it is shown that the combination of KFAR with failure semantics is inconsistent, but they formulate a weaker version of KFAR that is satisfied in failure maysemantics. Still the combination of KFAR \Gamma and the liveness requirement appears to require global testing, and is only satisfied in the semantics between contrasimulation (C) and stability respecting branching bisimulation (BB s ). These requirements would reduce the number of suitable preorders to 18. It is in general a good strategy to do your verifications using the finest preorde...
Model Checking and Modular Verification
 ACM Transactions on Programming Languages and Systems
, 1991
"... We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing ..."
Abstract

Cited by 271 (11 self)
 Add to MetaCart
We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assumeguarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...
Decoding Choice Encodings
, 1999
"... We study two encodings of the asynchronous #calculus with inputguarded choice into its choicefree fragment. One encoding is divergencefree, but refines the atomic commitment of choice into gradual commitment. The other preserves atomicity, but introduces divergence. The divergent encoding is ..."
Abstract

Cited by 97 (5 self)
 Add to MetaCart
We study two encodings of the asynchronous #calculus with inputguarded choice into its choicefree fragment. One encoding is divergencefree, but refines the atomic commitment of choice into gradual commitment. The other preserves atomicity, but introduces divergence. The divergent encoding is fully abstract with respect to weak bisimulation, but the more natural divergencefree encoding is not. Instead, we show that it is fully abstract with respect to coupled simulation, a slightly coarserbut still coinductively definedequivalence that does not enforce bisimilarity of internal branching decisions. The correctness proofs for the two choice encodings introduce a novel proof technique exploiting the properties of explicit decodings from translations to source terms.
Model Checking Partial State Spaces with 3Valued Temporal Logics (Extended Abstract)
 In Proceedings of the 11th Conference on Computer Aided Verification
, 1999
"... ) Glenn Bruns and Patrice Godefroid Bell Laboratories, Lucent Technologies fgrb,godg@belllabs.com Abstract. We address the problem of relating the result of model checking a partial state space of a system to the properties actually possessed by the system. We represent incomplete state space ..."
Abstract

Cited by 96 (7 self)
 Add to MetaCart
) Glenn Bruns and Patrice Godefroid Bell Laboratories, Lucent Technologies fgrb,godg@belllabs.com Abstract. We address the problem of relating the result of model checking a partial state space of a system to the properties actually possessed by the system. We represent incomplete state spaces as partial Kripke structures, and give a 3valued interpretation to modal logic formulas on these structures. The third truth value ? means "unknown whether true or false". We define a preorder on partial Kripke structures that reflects their degree of completeness. We then provide a logical characterization of this preorder. This characterization thus relates properties of less complete structures to properties of more complete structures. We present similar results for labeled transition systems and show a connection to intuitionistic modal logic. We also present a 3valued CTL model checking algorithm, which returns ? only when the partial state space lacks information needed ...
Generalized Model Checking: Reasoning about Partial State Spaces
, 2000
"... We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the modelchecking problem for any 3valued temporal logic can be reduced to two modelchec ..."
Abstract

Cited by 74 (6 self)
 Add to MetaCart
We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the modelchecking problem for any 3valued temporal logic can be reduced to two modelchecking problems for the corresponding 2valued temporal logic. We then introduce a new semantics for 3valued temporal logics that can give more definite answers than the previous one. With this semantics, the evaluation of a formula OE on a partial Kripke structure M returns the third truth value? (read "unknown") only if there exist Kripke structures M1 and M2 that both complete M and such that M1 satisfies OE while M2 violates OE, hence making the value of OE on M truly unknown. The partial Kripke structure M can thus be viewed as a partial solution to the satisfiability problem which reduces the solution space to complete Kripke structures that are more complete than M wit...
Compositional Minimization of Finite State Systems
 IN PROC. 2ND INTERNATIONAL CONFERENCE OF COMPUTERAIDED VERIFICATION
, 1991
"... In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large inter ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
In this paper we develop a compositional method for the construction of the minimal transition system that represents the semantics of a given reactive system. The point of this method is that it exploits structural properties of the reactive system in order to avoid the consideration of large intermediate representations. Central is the use of interface specifications here, which express constraints on the components' communication behaviour, and therefore to control the state explosion caused by the interleavings of actions of communicating parallel components. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the reactive system under consideration, in particular on the accuracy of the interface specifications. However, its correctness does not: every "successful" construction is guaranteed to yield the desired minimal transition system, independently of the correctness of the interface specifications provided by the designer.
Computing Behavioural Relations, Logically
 In Proceedings of 18th International Colloquium on Automata, Languages and Programming
, 1991
"... This paper develops a modelchecking algorithm for a fragment of the modal mucalculus and shows how it may be applied to the efficient computation of behavioral relations between processes. The algorithm's complexity is proportional to the product of the size of the process and the size of the f ..."
Abstract

Cited by 29 (8 self)
 Add to MetaCart
This paper develops a modelchecking algorithm for a fragment of the modal mucalculus and shows how it may be applied to the efficient computation of behavioral relations between processes. The algorithm's complexity is proportional to the product of the size of the process and the size of the formula, and thus improves on the best existing algorithm for such a fixed point logic. The method for computing preorders that the model checker induces is also more efficient than known algorithms.
A Complete Axiomatization for Branching Bisimulation Congruence of FiniteState Behaviours
 In Proc. MFCS’93, LNCS 711
, 1993
"... ion is usually performed by turning actions that are considered unimportant into the invisible action ø . Then, a system that after some activity reaches a state from which only an invisible action is possible, leading to another state, is considered equivalent to an otherwise identical system, that ..."
Abstract

Cited by 26 (2 self)
 Add to MetaCart
ion is usually performed by turning actions that are considered unimportant into the invisible action ø . Then, a system that after some activity reaches a state from which only an invisible action is possible, leading to another state, is considered equivalent to an otherwise identical system, that after said activity immediately reaches the other state. Thus the mechanism of abstraction by hiding of irrelevant or unobservable actions needs support from the congruence notion employed. There are many ways to extend bisimulation congruence to processes with hidden moves. The simplest generalization is strong (bisimulation) equivalence, in which øactions are treated no different than visible actions. For this reason strong congruence is not abstract in the sense stipulated above. Another option is to take the testing scenario underlying bisimulation equivalence as primary, incorporating the unobservable nature of hidden moves. This yields Milner's notion of weak (bisimulation) congruenc...
On Implementations and Semantics of a Concurrent Programming Language
 IN PROCEEDINGS OF CONCUR '97. LNCS 1243
, 1997
"... The concurrency theory literature contains many proposals for models of process algebras. We consider an example application of the πcalculus, the programming language Pict of Pierce and Turner, primarily in order to see how far it is possible to argue, from facts about the application, that some m ..."
Abstract

Cited by 19 (12 self)
 Add to MetaCart
The concurrency theory literature contains many proposals for models of process algebras. We consider an example application of the πcalculus, the programming language Pict of Pierce and Turner, primarily in order to see how far it is possible to argue, from facts about the application, that some model is the most appropriate. We discuss informally the sense in which the semantics of Pict relates to the behaviour of actual implementations. Based on this we give an operational model of the interactions between a Pict implementation (considered as the abstract behaviour of a C program) and its environment (modelling an operating system and user). We then give a class of abstract machines and a definition of abstract machine correctness, using an adapted notion of testing, and prove that a sample abstract machine is indeed correct. We briefly discuss the standard of correctness appropriate for program transformations and the induced precongruence. Many of the semantic choices do indeed t...
Priority and Maximal Progress are completely axiomatisable (Extended Abstract)
, 1998
"... . During the last decade, CCS has been extended in different directions, among them priority and real time. One of the most satisfactory results for CCS is Milner's complete proof system for observational congruence [28]. Observational congruence is fair in the sense that it is possible to escape di ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
. During the last decade, CCS has been extended in different directions, among them priority and real time. One of the most satisfactory results for CCS is Milner's complete proof system for observational congruence [28]. Observational congruence is fair in the sense that it is possible to escape divergence, reflected by an axiom recX:(ø:X + P ) = recX:ø:P . In this paper we discuss observational congruence in the context of interactive Markov chains, a simple stochastic timed variant CCS with maximal progress. This property implies that observational congruence becomes unfair, i.e. it is not always possible to escape divergence. This problem also arises in calculi with priority. So, completeness results for such calculi modulo observational congruence have been unknown until now. We obtain a complete proof system by replacing the above axiom by a set of axioms allowing to escape divergence by means of a silent alternative. This treatment can be profitably adapted to other calculi. 1 I...