Results 1 - 8 of 8
Model checking of hierarchical state machines
ACM Trans. Program. Lang. Syst.
Cited by 77 (9 self)
Abstract: Model checking is emerging as a practical tool for detecting logical errors in early stages of system design. We investigate the model checking of sequential hierarchical (nested) systems, i.e., finite-state machines whose states themselves can be other machines. This nesting ability is common in various software design methodologies, and is available in several commercial modeling tools. The straightforward way to analyze a hierarchical machine is to flatten it (thus incurring an exponential blow-up) and apply a model-checking tool on the resulting ordinary FSM. We show that this flattening can be avoided. We develop algorithms for verifying linear-time requirements whose complexity is polynomial in the size of the hierarchical machine. We also address the verification of branching-time requirements and provide efficient algorithms and matching lower bounds.
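Added example (not code from the paper above): a reachability check on a hierarchical machine that analyses each machine definition once and reuses its entry-to-exit summary at every box that refers to it, next to the size of the flattened machine it avoids building. The representation (single-entry machines, boxes as named references to other machines, edge sources of the form (box, exit)), the constructed M_k family in build_chain and all function names are this example's own simplifications, not the paper's formalism.

```python
"""Hierarchical reachability via per-machine summaries (added illustration).
Representation (this example's own): a machine has one entry node, a set of exit
nodes, edges and boxes. A box is a name bound to another machine; an edge whose
target is a box name enters that machine at its entry, and an edge whose source is
(box, exit) fires when the box's machine reaches that exit."""

def machine(entry, exits, edges, boxes=None):
    return {"entry": entry, "exits": frozenset(exits),
            "edges": list(edges), "boxes": dict(boxes or {})}

def plain_nodes(m):
    """Nodes of one definition, boxes excluded."""
    nodes = {m["entry"], *m["exits"]}
    for src, dst in m["edges"]:
        for end in (src, dst):
            if isinstance(end, str) and end not in m["boxes"]:
                nodes.add(end)
    return nodes

def hierarchical_size(machines):
    """Size of the hierarchical description: plain nodes plus boxes, over all definitions."""
    return sum(len(plain_nodes(m)) + len(m["boxes"]) for m in machines.values())

def flat_size(machines, name, memo=None):
    """Number of states of the flattened machine: exponential in the nesting depth
    whenever a definition is referenced from more than one box."""
    memo = {} if memo is None else memo
    if name not in memo:
        m = machines[name]
        memo[name] = len(plain_nodes(m)) + sum(
            flat_size(machines, sub, memo) for sub in m["boxes"].values())
    return memo[name]

def analyze(machines, name, target, memo=None):
    """Summary of machine `name` from its entry: (exits it can reach, whether a node
    called `target` is reachable anywhere inside it, boxes included). Each distinct
    definition is analysed once, so the cost is polynomial in hierarchical_size()."""
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    m = machines[name]
    reached, hit, work = set(), False, [m["entry"]]
    while work:
        site = work.pop()                      # a plain node or a box name
        if site in reached:
            continue
        reached.add(site)
        if site == target:
            hit = True
        if site in m["boxes"]:                 # reuse the sub-machine's summary
            sub_exits, sub_hit = analyze(machines, m["boxes"][site], target, memo)
            hit = hit or sub_hit
            sources = {(site, x) for x in sub_exits}
        else:
            sources = {site}
        work.extend(dst for src, dst in m["edges"] if src in sources)
    memo[name] = (frozenset(reached & m["exits"]), hit)
    return memo[name]

def build_chain(depth, base_edges):
    """Constructed family: M_k runs two copies of M_{k-1} in sequence (boxes A then B)
    and propagates an "err" exit upward; M_0 is given by base_edges."""
    machines = {"M0": machine("e", ["ok", "err"], base_edges)}
    for k in range(1, depth + 1):
        machines[f"M{k}"] = machine(
            "e", ["ok", "err"],
            edges=[("e", "A"), (("A", "ok"), "B"), (("A", "err"), "err"),
                   (("B", "ok"), "ok"), (("B", "err"), "err")],
            boxes={"A": f"M{k-1}", "B": f"M{k-1}"})
    return machines

if __name__ == "__main__":
    ms = build_chain(10, [("e", "ok")])
    print("hierarchical size:", hierarchical_size(ms), "flattened:", flat_size(ms, "M10"))
    print("err reachable in M10:", analyze(ms, "M10", "err"))
```

With depth 10 the flattened machine has 6141 states while the description has 53 nodes and boxes; analyze() visits the 11 definitions once each, and the summary of M_0 decides the whole chain (an "err" exit at the bottom is the only way "err" becomes reachable at the top).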
Reliable Hashing without Collision Detection
In Computer Aided Verification, 5th International Conference, 1993
Cited by 63 (1 self)
Abstract: Thanks to a variety of new techniques, state-space exploration is becoming an increasingly effective method for the verification of concurrent programs. One of these techniques, hashing without collision detection, was proposed by Holzmann as a way to vastly reduce the amount of memory needed to store the explored state space. Unfortunately, this reduction in memory use comes at the price of a high probability of ignoring part of the state space and hence of missing existing errors. In this paper, we carefully analyze this method and show that, by using a modified strategy, it is possible to reduce the risk of error to a negligible amount while maintaining the memory use advantage of Holzmann's technique. Our proposed strategy has been implemented and we describe experiments that confirm the excellent expected results.
The State of SPIN
In Alur and Henzinger, 1996
Cited by 55 (3 self)
Abstract: The number of installations of the Spin model checking tool is steadily increasing. There are well over two thousand installations today, divided roughly evenly over academic and industrial sites. The tool itself also continues to evolve; it has more than doubled in size, and hopefully at least equally so in functionality, since it was first distributed in early 1991. The tool runs on most standard workstations, and starting with version 2.8 also on standard PCs. In this overview, we summarize the design principles of the tool, and review its current state.
A Space-Efficient On-the-fly Algorithm for Real-Time Model Checking
In Proceedings of CONCUR'96, Volume 1119 of LNCS
Cited by 16 (2 self)
Abstract: In temporal-logic model checking, we verify the correctness of a program with respect to a desired behavior by checking whether a structure that models the program satisfies a temporal-logic formula that specifies the behavior. The main practical limitation of model checking is caused by the size of the state space of the program, which grows exponentially with the number of concurrent components. This problem, known as the state-explosion problem, becomes more difficult when we consider real-time model checking, where the program and the specification involve quantitative references to time. In particular, when we use timed automata to describe real-time programs and we specify timed behaviors in the logic TCTL, a real-time extension of the temporal logic CTL with clock variables, then the state space under consideration grows exponentially not only with the number of concurrent components, but also with the number of clocks and the length of the clock constraints used in the program a...
CTL* Model Checking for SPIN
In Software Tools for Technology Transfer, LNCS, 1999
Cited by 5 (0 self)
Abstract: We describe an efficient CTL* model checking algorithm based on alternating automata and games. A CTL* formula, expressing a correctness property, is first translated to a hesitant alternating automaton and then composed with a Kripke structure representing the model to be checked; the resulting automaton is then checked for nonemptiness. We introduce the nonemptiness game that checks the nonemptiness of a hesitant alternating automaton (HAA). In the same
Spin's LTL Formula Conversion into Büchi Automata with Randomly Generated Input
In Proceedings of the 7th International SPIN Workshop on Model Checking of Software (SPIN'2000), 2000
Cited by 1 (1 self)
Abstract: The use of model checking tools in the verification of reactive systems has come into widespread use. Because model checkers are often used to verify critical systems, a lot of effort should be put into ensuring the reliability of their implementation. We describe techniques which can be used to test and improve the reliability of linear temporal logic (LTL) model checker implementations based on the automata-theoretic approach. More specifically, we concentrate on the LTL-to-Büchi automata conversion algorithm implementations, and propose using a random testing approach to improve their robustness. As a case study, we apply the methodology to the testing of this part of the Spin model checker. We also propose adding a simple counterexample validation algorithm to LTL model checkers to double check the counterexamples generated by the main LTL model checking algorithm.
1 Introduction
Model checking of linear temporal logic (LTL) properties can be done using the au...
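Added example (not code from the paper above or from Spin) of the counterexample validation the abstract proposes: the model checker reports a lasso-shaped run (a finite stem followed by a cycle, which is how an accepting cycle of the never claim comes out), and this evaluates the negated property directly on that run by LTL semantics, with no Büchi automaton involved. A translation bug that produces a run which does not actually violate the property is then caught as a rejected counterexample. The formula constructors, the Lasso class, the response property and the two runs are this example's own.

```python
"""Semantic validation of an LTL counterexample on a lasso run (added illustration)."""

# Formula AST (this example's own): an atomic proposition is a string, everything
# else a tagged tuple built by the constructors below.
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def Implies(f, g): return ("or", ("not", f), g)
def X(f): return ("X", f)            # next
def F(f): return ("F", f)            # eventually
def G(f): return ("G", f)            # always
def U(f, g): return ("U", f, g)      # strong until
def R(f, g): return ("R", f, g)      # release: g holds up to and including the first f

class Lasso:
    """The infinite word u v^omega: prefix u and cycle v are lists of sets of the
    atomic propositions true in each state; the last cycle state loops back to the
    first cycle state."""
    def __init__(self, prefix, cycle):
        if not cycle:
            raise ValueError("a counterexample to an LTL property needs a non-empty cycle")
        self.states = [frozenset(s) for s in prefix] + [frozenset(s) for s in cycle]
        self.loop = len(prefix)
    def next(self, i):
        return i + 1 if i + 1 < len(self.states) else self.loop
    def future(self, i):
        """Positions reachable from i, in temporal order, each once. The word is
        ultimately periodic, so this finite list covers every future position."""
        out = []
        while i not in out:
            out.append(i)
            i = self.next(i)
        return out

def holds(f, run, i=0, memo=None):
    """Does `run` satisfy `f` at position i? Memoised on (formula, position)."""
    memo = {} if memo is None else memo
    key = (f, i)
    if key in memo:
        return memo[key]
    if isinstance(f, str):
        r = f in run.states[i]
    elif f[0] == "not":
        r = not holds(f[1], run, i, memo)
    elif f[0] == "and":
        r = holds(f[1], run, i, memo) and holds(f[2], run, i, memo)
    elif f[0] == "or":
        r = holds(f[1], run, i, memo) or holds(f[2], run, i, memo)
    elif f[0] == "X":
        r = holds(f[1], run, run.next(i), memo)
    elif f[0] == "F":
        r = any(holds(f[1], run, j, memo) for j in run.future(i))
    elif f[0] == "G":
        r = all(holds(f[1], run, j, memo) for j in run.future(i))
    elif f[0] == "U":                  # some future j satisfies g, with f at every position before it
        r = False
        for j in run.future(i):
            if holds(f[2], run, j, memo):
                r = True
                break
            if not holds(f[1], run, j, memo):
                break
    elif f[0] == "R":                  # f R g  ==  not (not f U not g)
        r = not holds(U(Not(f[1]), Not(f[2])), run, i, memo)
    else:
        raise ValueError(f"unknown operator {f[0]!r}")
    memo[key] = r
    return r

def counterexample_is_valid(prop, run):
    """A counterexample to prop is a run satisfying Not(prop). False means the checker
    reported a run that in fact satisfies the property, i.e. the checker is wrong."""
    return holds(Not(prop), run)

# Constructed property and runs: every request is eventually acknowledged.
RESPONSE = G(Implies("req", F("ack")))
GENUINE = Lasso(prefix=[{"req"}], cycle=[set(), set()])   # req at 0, ack never: real violation
SPURIOUS = Lasso(prefix=[{"req"}], cycle=[{"ack"}])       # ack recurs forever: not a violation

if __name__ == "__main__":
    print("genuine accepted:", counterexample_is_valid(RESPONSE, GENUINE))
    print("spurious accepted:", counterexample_is_valid(RESPONSE, SPURIOUS))
```

The check is exact rather than heuristic because a lasso has only finitely many distinct positions: future() enumerates them and the temporal operators quantify over that list. It costs O(|formula| times |run|) per counterexample, which is cheap next to the search that produced the run.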
State-Space Caching Revisited
1992
Abstract: State-space caching is a verification technique for finite-state concurrent systems. It performs an exhaustive exploration of the state space of the system being checked while storing only all states of just one execution sequence plus as many other previously visited states as available memory allows. So far, this technique has been of little practical significance: it allows one to reduce memory usage by only two to three times, before an unacceptable blow-up of the run-time overhead sets in. The explosion of the run-time requirements is due to redundant multiple explorations of unstored parts of the state space. Indeed, almost all states in the state space of concurrent systems are typically reached several times during the search.
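Added example (not code from either paper or from Spin) covering both the "Reliable Hashing without Collision Detection" abstract and the state-space caching abstract above: one exhaustive search over a constructed toy system run under four storage strategies, so the trade-offs the two abstracts describe can be measured on the same state space. Full storage is exact; bitstate hashing (Holzmann's supertrace, k hash bits per state in a fixed bit table) silently omits states on a bit collision; hash compaction (the Wolper and Leroy idea, keeping a wide hash of each state instead of the state) needs a full hash collision to omit anything; state-space caching keeps only the DFS path plus a bounded cache and stays exhaustive but re-expands evicted states. The toy system, all function names, the SHA-256-based hash functions and the two closed-form estimates (a birthday bound and the standard Bloom-filter false-positive formula) are this example's own choices.

```python
"""Four state-storage strategies for one exhaustive search (added illustration)."""
import hashlib
import math
from collections import OrderedDict

# Constructed toy system: N_PROCS independent processes, each a counter modulo COUNTER_MAX+1.
# Every state has N_PROCS predecessors, so the search reaches most states several times.
N_PROCS, COUNTER_MAX = 4, 3
INIT = (0,) * N_PROCS

def successors(state):
    """Any one process may advance its counter (interleaving semantics)."""
    for i in range(N_PROCS):
        yield state[:i] + ((state[i] + 1) % (COUNTER_MAX + 1),) + state[i + 1:]

def _digest(state):
    return hashlib.sha256(repr(state).encode()).digest()

def explore(init, succ, remember):
    """Worklist search. remember(s) answers True the first time it sees s (under whatever
    approximation it implements) and False afterwards. Returns the number of states
    counted as new; a lossy remember() yields fewer than the true reachable count."""
    remember(init)
    count, work = 1, [init]
    while work:
        for t in succ(work.pop()):
            if remember(t):
                count += 1
                work.append(t)
    return count

def full_storage():
    seen = set()
    def remember(s):
        if s in seen:
            return False
        seen.add(s)
        return True
    return remember

def hash_compaction(hash_bits):
    """Keep only the top hash_bits bits of SHA-256(state): an omission needs two reachable
    states with the same hash."""
    seen = set()
    def remember(s):
        h = int.from_bytes(_digest(s), "big") >> (256 - hash_bits)
        if h in seen:
            return False
        seen.add(h)
        return True
    return remember

def bitstate(table_bits, k):
    """A 2**table_bits-bit table and k hash functions (disjoint 32-bit slices of SHA-256,
    k <= 8). A state counts as visited once all k of its bits are set, whether it set
    them itself or other states did: that is where omissions come from."""
    nbits = 1 << table_bits
    table = bytearray(nbits // 8)
    def remember(s):
        d = _digest(s)
        idx = [int.from_bytes(d[4 * i:4 * i + 4], "big") % nbits for i in range(k)]
        new = any(not table[i >> 3] & (1 << (i & 7)) for i in idx)
        for i in idx:
            table[i >> 3] |= 1 << (i & 7)
        return new
    return remember

def explore_cached(init, succ, cache_size):
    """DFS storing every state on the current path (needed to cut cycles) plus at most
    cache_size other visited states, FIFO-evicted. Returns (distinct states reached,
    expansions performed); the gap between the two is the re-exploration overhead."""
    on_path, cache, stack = {init}, OrderedDict(), [(init, iter(succ(init)))]
    distinct, expansions = {init}, 1           # `distinct` is instrumentation only
    while stack:
        state, it = stack[-1]
        nxt = next(it, None)
        if nxt is None:                        # fully explored: leave the path, enter the cache
            stack.pop()
            on_path.discard(state)
            cache[state] = None
            if len(cache) > cache_size:
                cache.popitem(last=False)
            continue
        if nxt in on_path or nxt in cache:
            continue
        on_path.add(nxt)
        distinct.add(nxt)
        expansions += 1
        stack.append((nxt, iter(succ(nxt))))
    return len(distinct), expansions

def hash_compaction_omission_bound(n_states, hash_bits):
    """Birthday bound: probability that some pair among n states shares a hash_bits-bit hash."""
    return n_states * (n_states - 1) / 2 ** (hash_bits + 1)

def bitstate_false_positive_rate(n_states, table_bits, k):
    """Bloom-filter estimate: chance a new state finds all of its k bits already set."""
    return (1 - math.exp(-k * n_states / (1 << table_bits))) ** k

if __name__ == "__main__":
    print("full:", explore(INIT, successors, full_storage()))
    print("bitstate 64 bits, k=1:", explore(INIT, successors, bitstate(6, 1)))
    print("hash compaction 64-bit:", explore(INIT, successors, hash_compaction(64)))
    print("cached, 16 extra states:", explore_cached(INIT, successors, 16))
```

The toy system has 256 reachable states. A 64-bit bitstate table cannot even represent that many distinct states, so the bitstate run with k=1 reports at most 64 and silently drops the rest; 64-bit hash compaction stores 8 bytes per state and its omission bound for 256 states is below 1e-14. The cached search with 16 spare slots still reaches all 256 states but performs noticeably more than 256 expansions, which is exactly the run-time blow-up the caching abstract describes.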