Results 1 - 10 of 34
The Algebra of Timed Processes ATP: Theory and Application
Information and Computation, 1994
Cited by 99 (4 self)
Abstract: We study a process algebra ATP for the description and analysis of systems of timed processes. An important feature of the algebra is that its vocabulary of actions contains a distinguished element . An occurrence of is a time event representing progress of time. The algebra has, apart from standard operators of process algebras like CCS or ACP, a primitive binary unit-delay operator. For two arguments, processes P and Q, this operator gives a process which behaves as P if started before the occurrence of a time action and as Q otherwise. From this operator we define d-unit delay operators that can model delay constructs of languages, like timeouts or watchdogs. The use of such operators is illustrated by examples. ATP is provided with a complete axiomatisation with respect to strong bisimulation semantics. It is shown that the algebras obtained by adding the various d-unit delay operators to ATP are conservative extensions of it.
Completing the Temporal Picture
1991
Cited by 73 (16 self)
Abstract: The paper presents a relatively complete proof system for proving the validity of temporal properties of reactive programs. The presented proof system improves on previous temporal systems, in that it reduces the validity of program properties into pure assertional reasoning, not involving additional temporal reasoning. The proof system is based on the classification of temporal properties according to the Borel hierarchy, providing appropriate proof rules for the classes of safety, response, and reactivity properties.
Transition Invariants
Cited by 70 (13 self)
Abstract: Proof rules for program verification rely on auxiliary assertions. We propose a (sound and relatively complete) proof rule whose auxiliary assertions are transition invariants. A transition invariant of a program is a binary relation over program states that contains the transitive closure of the transition relation of the program. A relation is disjunctively well-founded if it is a finite union of well-founded relations. We characterize the validity of termination or another liveness property by the existence of a disjunctively well-founded transition invariant. The main contribution of
Generalized Temporal Verification Diagrams
In 15th Conference on the Foundations of Software Technology and Theoretical Computer Science, 1994
Cited by 54 (19 self)
Abstract: Verification diagrams are a succinct and intuitive way of representing proofs that reactive systems satisfy a given temporal property. We present a generalized verification diagram that allows representation of a proof of any property expressible by a temporal formula. We show that representation of a proof by generalized verification diagram is sound and complete.
Verifying Temporal Properties without Temporal Logic
1989
Cited by 37 (0 self)
this paper were first presented at the "IEEE Symposium on Logic in Computer Science," Ithaca, New York, June 1987
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
Software Tools for Technology Transfer, 2000
Cited by 31 (9 self)
Yonit Kesten (Dept. of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel, e-mail: ykesten@bgumail.bgu.ac.il), Amir Pnueli (Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, e-mail: amir@wisdom.weizmann.ac.il)
Abstract: In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems, Symbolic Model Checking and Deductive Verification, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...
A logic for concurrent programming: Safety
Journal of Computer and Software Engineering, 1995
Cited by 31 (7 self)
Abstract: The UNITY-logic is a fragment of linear temporal logic. It was designed to specify safety and progress properties of reactive systems. Experience gained in applying this logic in practice has led us to modify some of its operators. In particular, we had adopted unless as the primary operator for expressing safety properties for many years. We suggest a new operator, co, to take its place. Our experience suggests that the simplicity of formal manipulations is at least as important as the expressive power of an operator. Theoretically, unless and co are equally expressive, while the latter has more pleasing derived rules that allow simpler manipulations. This research is presented in two papers. We study safety properties in the first paper and progress properties in the second paper. We use a small amount of theory to introduce the co operator. The major portion of the paper is devoted to applying the theory in practice: showing how various safety properties can be expressed and manipulated using co.
stateless model checking
In PLDI 08: Programming Language Design and Implementation, 2008
Cited by 25 (4 self)
Abstract: Stateless model checking is a useful state-space exploration technique for systematically testing complex real-world software. Existing stateless model checkers are limited to the verification of safety properties on terminating programs. However, realistic concurrent programs are nonterminating, a property that significantly reduces the efficacy of stateless model checking in testing them. Moreover, existing stateless model checkers are unable to verify that a nonterminating program satisfies the important liveness property of livelock-freedom, a property that requires the program to make continuous progress for any input. To address these shortcomings, this paper argues for incorporating a fair scheduler in stateless exploration. The key contribution of this paper is an explicit scheduler that is (strongly) fair and at the same time sufficiently nondeterministic to guarantee full coverage of safety properties. We have implemented the fair scheduler in the CHESS model checker. We show through theoretical arguments and empirical evaluation that our algorithm satisfies two important properties: 1) it visits all states of a finite-state program achieving state coverage at a faster rate than existing techniques, and 2) it finds all livelocks in a finite-state program. Before this work, nonterminating programs had to be manually modified in order to apply CHESS to them. The addition of fairness has allowed CHESS to be effectively applied to real-world nonterminating programs without any modification. For example, we have successfully booted the Singularity operating system under the control of CHESS.
Verification by Augmented Finitary Abstraction
Information and Computation, 1999
Cited by 24 (9 self)
Abstract: The paper deals with the proof method of verification by finitary abstraction (vfa), which presents a feasible approach to the verification of the temporal properties of (potentially infinite-state) reactive systems. The method consists of a two-step process by which, in a first step, the system and its temporal specification are jointly abstracted into a finite-state system and a finite-state specification. The second step uses model checking to establish the validity of the abstracted property over the abstracted system. The vfa method can be considered as a viable alternative to verification by temporal deduction which, up to now, has been the main method generally applicable for verification of infinite-state systems. The paper presents a general recipe for the joint abstraction, which is shown to be sound, where soundness means that validity over the abstract system implies validity over the concrete (original) system. To make the method applicable for the verification of liven...
Model Checking Coloured Petri Nets Exploiting Strongly Connected Components
Proceedings of the International Workshop on Discrete Event Systems, WODES96. Institution of Electrical Engineers, Computing and Control Division, 1997
Cited by 17 (2 self)
Abstract: In this paper we present a CTL-like logic which is interpreted over the state spaces of Coloured Petri Nets. The logic has been designed to express properties of both state and transition information. This is possible because the state spaces are labelled transition systems. We compare the expressiveness of our logic with CTL's. Then, we present a model checking algorithm which for efficiency reasons utilises strongly connected components and formula reduction rules. We present empirical results for non-trivial examples and compare the performance of our algorithm with that of Clarke, Emerson, and Sistla.
1 Introduction. Coloured Petri Nets (CP-nets or CPN) are convenient for specifying complex concurrent systems. Until now properties of CP-nets have mainly been specified directly in terms of the state spaces of CP-nets [4,6]. Temporal logics such as CTL are also useful for expressing properties of concurrent systems (see, e.g., [1]). We show how we can define a CTL like logic, ASK-C...