Results 1 to 10 of 13
Compositional Model Checking
, 1999
Cited by 2407 (62 self)
Abstract
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Model checking continuous-time Markov chains by transient analysis
, 2000
Cited by 69 (17 self)
Abstract
The verification of continuous-time Markov chains (CTMCs) against continuous stochastic logic (CSL) [3, 6], a stochastic branching-time temporal logic, is considered. CSL facilitates among others the specification of steady-state properties and the specification of probabilistic timing properties of the form $P_{\bowtie p}(\Phi_1 \, U^I \, \Phi_2)$, for state formulas $\Phi_1$ and $\Phi_2$, comparison operator $\bowtie$, probability p, and real interval I. The main result of this paper is that model checking probabilistic timing properties can be reduced to the problem of computing transient state probabilities for CTMCs. This allows us to verify such properties by using efficient techniques for transient analysis of CTMCs such as uniformisation. A second result is that a variant of ordinary lumping equivalence (i.e., bisimulation), a well-known notion for aggregating CTMCs, preserves the validity of all CSL formulas. In 12th Annual Symposium on Computer Aided Verification, CAV 2000, © Springer-Verlag 2000, Chicago, ...
Vacuity Detection in Temporal Model Checking
, 1999
Cited by 60 (14 self)
Abstract
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification for such suspicion is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Correctness of Pipelined Machines
Formal Methods in Computer-Aided Design – FMCAD 2000, volume 1954 of LNCS
Cited by 26 (13 self)
Abstract
The correctness of pipelined machines is a subject that has been studied extensively. Most of the recent work has used variants of the Burch and Dill notion of correctness [4]. As new features are modeled, e.g., interrupts, new notions of correctness are developed. Given the plethora of correctness conditions, the question arises: what is a reasonable notion of correctness? We discuss the issue at length and show, by mechanical proof, that variants of the Burch and Dill notion of correctness are flawed. We propose a notion of correctness based on WEBs (Well-founded Equivalence Bisimulations) [16, 19]. Briefly, our notion of correctness implies that the ISA (Instruction Set Architecture) and MA (MicroArchitecture) machines have the same observable infinite paths, up to stuttering. This implies that the two machines satisfy the same CTL*\X properties and the same safety and liveness properties (up to stuttering). To test the utility of the idea, we use ACL2 to verify s...
On Model Checking Data-independent Systems with Arrays without Reset
 THEORY AND PRACTICE OF LOGIC PROGRAMMING
, 2004
Cited by 15 (5 self)
Abstract
A system is data-independent with respect to a data type X iff the only operation it can perform on values of type X is equality testing. The system may also store, input and output values of type X. We study model checking of systems which are data-independent with respect to two distinct type variables X and Y, and may in addition use arrays with indices from X and values from Y. The main problem of interest is the following parameterised model-checking problem: whether a given program satisfies a given temporal-logic formula for all non-empty finite instances of X and Y. Initially, we consider instead the abstraction where X and Y are infinite and where partial functions with finite domains are used to model arrays. Using a translation to data-independent systems without arrays, we show that the mu-calculus model-checking problem is decidable for these systems. From this result, we can deduce properties of all systems with finite instances of X and Y. We show that there is a procedure for the above parameterised model-checking problem of the universal fragment of the mu-calculus, such that it always terminates but may give false negatives. We also deduce that there is a procedure for the parameterised model-checking problem of the universal disjunction-free fragment of the mu-calculus. Practical motivations for model checking data-independent systems with arrays include verification of fault-tolerant cache systems, where X is the type of memory addresses, and Y the type of storable values. As an example we verify a fault-tolerant memory interface over a set of unreliable memories.
Flat Fragments of CTL and CTL*: Separating the Expressive and Distinguishing Powers
Cited by 13 (0 self)
Abstract
We study both the expressive and the distinguishing powers of flat temporal logics. These are fragments obtained by restricting the first argument of the Until operator to propositional formulae. Both the linear-time and the branching-time cases are considered.
Keywords: temporal logic, LTL, CTL, expressiveness, bisimulation
1 Introduction
Temporal logic lies at the basis of several specification formalisms that are widely used in practice. For a large part, this acceptance stems from the availability of software tools for automated verification, which allow one to prove or disprove the satisfaction of a temporal property interpreted over a model of the system under consideration. Model checking is such an approach, which has proven successful in the debugging and verification of hardware circuitry and communication protocols, for example. Being based on an exhaustive inspection of the state space of the model, the scalability of model checking is limited, which is referred to as the state expl...
Lifting Temporal Proofs Through Abstractions
 In Proceedings of VMCAI’03
, 2003
Cited by 7 (0 self)
Abstract
Model checking is often performed by checking a transformed property on a suitable finite-state abstraction of the source program.
Simple Representative Instantiations for Multicast Protocols
 In TACAS 2003
, 2003
Cited by 4 (0 self)
Abstract
We present a formal model for multicast network protocols working on arbitrary tree structures. We give sufficient conditions under which correctness of the protocol for all structures reduces to correctness for the structures with at most one layer of internal nodes. If additional conditions hold, we can reduce further to correctness for one single structure. All these results can be applied to (an abstract version of) the Pragmatic General Multicast protocol.
Five Ways to Use Induction and Symmetry in the Verification of Networks of Processes By Model-Checking
, 2002
Cited by 3 (1 self)
Abstract
The verification of networks of processes by model-checking is discussed. Five classes of...
Model Checking Data-Independent Systems With Arrays
, 2003
Cited by 3 (3 self)
Abstract
We say a program is data-independent with respect to a data type X if the operations it can perform on values of type X are restricted to just equality testing, although the system may also input, store and move around values of type X within its variables. This property can be exploited to give procedures for the automatic verification, called model checking, of such programs independently of the instance for the type X.