The Algebra of Timed Processes ATP: Theory and Application
Information and Computation, 1994
Abstract

Cited by 108 (4 self)
We study a process algebra ATP for the description and analysis of systems of timed processes. An important feature of the algebra is that its vocabulary of actions contains a distinguished time action. An occurrence of this action is a time event representing the progress of time. Apart from the standard operators of process algebras such as CCS or ACP, the algebra has a primitive binary unit-delay operator. For two argument processes P and Q, this operator gives a process that behaves as P if started before the occurrence of a time action and as Q otherwise. From this operator we define d-unit delay operators that can model the delay constructs of programming languages, such as timeouts or watchdogs. The use of such operators is illustrated by examples. ATP is provided with a complete axiomatisation with respect to strong bisimulation semantics. It is shown that the algebras obtained by adding the various d-unit delay operators to ATP are conservative extensions of it.
Transition Invariants
Abstract

Cited by 90 (17 self)
Proof rules for program verification rely on auxiliary assertions. We propose a (sound and relatively complete) proof rule whose auxiliary assertions are transition invariants. A transition invariant of a program is a binary relation over program states that contains the transitive closure of the transition relation of the program. A relation is disjunctively well-founded if it is a finite union of well-founded relations. We characterize the validity of termination, or of another liveness property, by the existence of a disjunctively well-founded transition invariant. The main contribution of
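The proof rule above, worked through on a small nondeterministic loop. This is an added example, not code from the paper: the loop, the bound on the state space (so that the transitive closure can be enumerated), and the candidate relations are all constructed here. On a finite domain a relation is well-founded exactly when it has no cycle, which is what the check below tests; the point the page makes, that a finite union of well-founded relations need not itself be well-founded, is visible in the last call.

```python
"""Termination of a nondeterministic loop via a transition invariant.

Added example, not code from the paper.  The loop, the bound on the state
space and the candidate relations are constructed for illustration.
"""
from itertools import product

BOUND = 4  # assumption: bound the naturals so the state space is finite and the check exhaustive
STATES = [(x, y) for x, y in product(range(BOUND + 1), repeat=2)]


def step(state):
    """Successors of one iteration of
         while x > 0 and y > 0:  (x := x - 1; y := *)  []  (y := y - 1)
    where '*' picks any value in 0..BOUND.  Outside the guard the loop has exited."""
    x, y = state
    if not (x > 0 and y > 0):
        return set()
    succ = {(x - 1, ny) for ny in range(BOUND + 1)}   # left branch
    succ.add((x, y - 1))                               # right branch
    return succ


def step_buggy(state):
    """Same loop, but the right branch is (y := *): it may leave the state unchanged."""
    x, y = state
    if not (x > 0 and y > 0):
        return set()
    return {(x - 1, ny) for ny in range(BOUND + 1)} | {(x, ny) for ny in range(BOUND + 1)}


def transitive_closure(states, step_fn):
    """R^+ for the transition relation R induced by step_fn, by BFS from every state."""
    closure = set()
    for s in states:
        seen, frontier = set(), list(step_fn(s))
        while frontier:
            t = frontier.pop()
            if t in seen:
                continue
            seen.add(t)
            closure.add((s, t))
            frontier.extend(step_fn(t))
    return closure


def well_founded(states, rel):
    """On a finite domain a relation is well-founded iff it has no cycle.
    rel(s, t) is the relation as a predicate; cycles are detected by a colouring DFS."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in states}

    def dfs(u):
        colour[u] = GREY
        for v in states:
            if rel(u, v):
                if colour[v] == GREY or (colour[v] == WHITE and not dfs(v)):
                    return False
        colour[u] = BLACK
        return True

    return all(colour[s] != WHITE or dfs(s) for s in states)


def is_transition_invariant(states, step_fn, disjuncts):
    """The proof rule: (1) every pair of R^+ lies in some disjunct, (2) each disjunct is
    well-founded.  Returns (True, None), or (False, witness) where the witness is an
    uncovered (s, t) pair or the index of a disjunct that is not well-founded."""
    for s, t in sorted(transitive_closure(states, step_fn)):
        if not any(d(s, t) for d in disjuncts):
            return False, (s, t)
    for i, d in enumerate(disjuncts):
        if not well_founded(states, d):
            return False, i
    return True, None


# Candidate disjuncts (constructed): x decreases; y decreases with x unchanged; y decreases.
def T_x(s, t):
    return t[0] < s[0]


def T_xy(s, t):
    return t[0] == s[0] and t[1] < s[1]


def T_y(s, t):
    return t[1] < s[1]


if __name__ == "__main__":
    print(is_transition_invariant(STATES, step, [T_x, T_xy]))          # (True, None)
    print(is_transition_invariant(STATES, step, [T_x, T_y]))           # (True, None)
    # The union of two well-founded disjuncts is not itself well-founded:
    print(well_founded(STATES, lambda s, t: T_x(s, t) or T_y(s, t)))   # False
    print(is_transition_invariant(STATES, step_buggy, [T_x, T_y]))     # (False, ((1, 1), (1, 1)))
```

The witness returned for the buggy loop is a self-loop of the transitive closure, i.e. an iteration that makes no progress; that is exactly the kind of pair no well-founded disjunct can cover. The bound is what makes the closure enumerable; for the unbounded program the same relations are checked symbolically, which is the paper's setting.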
Completing the Temporal Picture
1991
Abstract

Cited by 74 (16 self)
The paper presents a relatively complete proof system for proving the validity of temporal properties of reactive programs. The presented proof system improves on previous temporal systems in that it reduces the validity of program properties to pure assertional reasoning, with no additional temporal reasoning. The proof system is based on the classification of temporal properties according to the Borel hierarchy, providing appropriate proof rules for the classes of safety, response, and reactivity properties.
Generalized Temporal Verification Diagrams
In 15th Conference on the Foundations of Software Technology and Theoretical Computer Science, 1994
Abstract

Cited by 56 (19 self)
Verification diagrams are a succinct and intuitive way of representing proofs that reactive systems satisfy a given temporal property. We present a generalized verification diagram that allows the representation of a proof of any property expressible by a temporal formula. We show that representation of a proof by a generalized verification diagram is sound and complete.
Verifying Temporal Properties without Temporal Logic
1989
Abstract

Cited by 37 (0 self)
this paper were first presented at the "IEEE Symposium on Logic in Computer Science," Ithaca, New York, June 1987
Fair Stateless Model Checking
In PLDI '08: Programming Language Design and Implementation, 2008
Abstract

Cited by 36 (4 self)
Stateless model checking is a useful state-space exploration technique for systematically testing complex real-world software. Existing stateless model checkers are limited to the verification of safety properties on terminating programs. However, realistic concurrent programs are non-terminating, a property that significantly reduces the efficacy of stateless model checking in testing them. Moreover, existing stateless model checkers are unable to verify that a non-terminating program satisfies the important liveness property of livelock-freedom, a property that requires the program to make continuous progress for any input. To address these shortcomings, this paper argues for incorporating a fair scheduler in stateless exploration. The key contribution of this paper is an explicit scheduler that is (strongly) fair and at the same time sufficiently nondeterministic to guarantee full coverage of safety properties. We have implemented the fair scheduler in the CHESS model checker. We show through theoretical arguments and empirical evaluation that our algorithm satisfies two important properties: 1) it visits all states of a finite-state program, achieving state coverage at a faster rate than existing techniques, and 2) it finds all livelocks in a finite-state program. Before this work, non-terminating programs had to be manually modified in order to apply CHESS to them. The addition of fairness has allowed CHESS to be effectively applied to real-world non-terminating programs without any modification. For example, we have successfully booted the Singularity operating system under the control of CHESS.
A logic for concurrent programming: Safety
 Journal of Computer and Software Engineering
, 1995
Abstract

Cited by 32 (7 self)
The UNITY logic is a fragment of linear temporal logic. It was designed to specify safety and progress properties of reactive systems. Experience gained in applying this logic in practice has led us to modify some of its operators. In particular, for many years we adopted unless as the primary operator for expressing safety properties. We suggest a new operator, co, to take its place. Our experience suggests that the simplicity of formal manipulations is at least as important as the expressive power of an operator. Theoretically, unless and co are equally expressive, while the latter has more pleasing derived rules that allow simpler manipulations. This research is presented in two papers. We study safety properties in the first paper and progress properties in the second paper. We use a small amount of theory to introduce the co operator. The major portion of the paper is devoted to applying the theory in practice: showing how various safety properties can be expressed and manipulated using co.
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
Software Tools for Technology Transfer, 2000
Abstract

Cited by 31 (9 self)
Yonit Kesten (Dept. of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel, email: ykesten@bgumail.bgu.ac.il) and Amir Pnueli (Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, email: amir@wisdom.weizmann.ac.il).
In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems, symbolic model checking and deductive verification, they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...
Verification by Augmented Finitary Abstraction
Information and Computation, 1999
Abstract

Cited by 29 (11 self)
The paper deals with the proof method of verification by finitary abstraction (vfa), which presents a feasible approach to the verification of the temporal properties of (potentially infinite-state) reactive systems. The method consists of a two-step process by which, in a first step, the system and its temporal specification are jointly abstracted into a finite-state system and a finite-state specification. The second step uses model checking to establish the validity of the abstracted property over the abstracted system. The vfa method can be considered a viable alternative to verification by temporal deduction which, up to now, has been the main method generally applicable to the verification of infinite-state systems. The paper presents a general recipe for the joint abstraction, which is shown to be sound, where soundness means that validity over the abstract system implies validity over the concrete (original) system. To make the method applicable for the verification of liven...
Model Checking Coloured Petri Nets Exploiting Strongly Connected Components
Proceedings of the International Workshop on Discrete Event Systems, WODES96. Institution of Electrical Engineers, Computing and Control Division, 1997
Abstract

Cited by 19 (2 self)
In this paper we present a CTL-like logic which is interpreted over the state spaces of Coloured Petri Nets. The logic has been designed to express properties of both state and transition information. This is possible because the state spaces are labelled transition systems. We compare the expressiveness of our logic with that of CTL. Then we present a model checking algorithm which, for efficiency reasons, utilises strongly connected components and formula reduction rules. We present empirical results for non-trivial examples and compare the performance of our algorithm with that of Clarke, Emerson, and Sistla.
1 Introduction
Coloured Petri Nets (CP-nets or CPN) are convenient for specifying complex concurrent systems. Until now properties of CP-nets have mainly been specified directly in terms of the state spaces of CP-nets [4,6]. Temporal logics such as CTL are also useful for expressing properties of concurrent systems (see, e.g., [1]). We show how we can define a CTL-like logic, ASKC...
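A CTL model checker over a labelled transition system whose EG operator is computed from strongly connected components, as the abstract above describes. This is an added example, not the paper's ASK-CTL logic or its implementation, and it does not include the formula reduction rules the paper mentions; the request/grant model, the proposition names and the transition names are constructed for illustration. To reflect that the state space is a labelled transition system, the next-state operator here can name a transition: ("EX", name, f) holds where some successor reached by a transition with that name satisfies f.

```python
"""CTL model checking over a labelled transition system, with EG computed from
strongly connected components.

Added example: not the paper's ASK-CTL nor its implementation.  The model below
is constructed for illustration.  States carry atomic propositions and
transitions carry names, so formulas can refer to both.
"""

# Constructed model: a process that requests a resource and may get stuck.
STATES = {"idle", "trying", "critical", "stuck"}
LABELS = {"idle": {"free"}, "trying": {"waiting"},
          "critical": {"inCS"}, "stuck": {"waiting"}}
TRANS = [  # (source, transition name, target)
    ("idle", "request", "trying"),
    ("trying", "grant", "critical"),
    ("trying", "timeout", "idle"),
    ("trying", "lose", "stuck"),
    ("stuck", "retry", "stuck"),
    ("critical", "release", "idle"),
]


def succ(s, name=None):
    """Successors of s, optionally only via transitions with the given name."""
    return {t for (u, n, t) in TRANS if u == s and (name is None or n == name)}


def pred(t):
    return {u for (u, n, v) in TRANS if v == t}


def sccs(nodes, edges):
    """Tarjan's algorithm; edges(v) gives the successors to follow."""
    index, low, stack, on_stack, out, counter = {}, {}, [], set(), [], [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in edges(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return out


def backward_closure(targets, within):
    """States in `within` that can reach `targets` moving only through `within`."""
    result, frontier = set(targets), list(targets)
    while frontier:
        t = frontier.pop()
        for u in pred(t):
            if u in within and u not in result:
                result.add(u)
                frontier.append(u)
    return result


def sat(f):
    """Set of states satisfying formula f (nested tuples; see the constructors below)."""
    op = f[0]
    if op == "true":
        return set(STATES)
    if op == "ap":
        return {s for s in STATES if f[1] in LABELS[s]}
    if op == "not":
        return STATES - sat(f[1])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "EX":                       # ("EX", transition name or None, g)
        g = sat(f[2])
        return {s for s in STATES if succ(s, f[1]) & g}
    if op == "EU":                       # E[g U h]: backward reachability of h through g
        return backward_closure(sat(f[2]), sat(f[1]))
    if op == "EG":                       # EG g: reach a non-trivial SCC of the g-subgraph
        g = sat(f[1])
        nontrivial = set()
        for comp in sccs(g, lambda v: succ(v) & g):
            if len(comp) > 1 or any(v in succ(v) for v in comp):
                nontrivial |= comp
        return backward_closure(nontrivial, g)
    raise ValueError(f"unknown operator {op}")


# Derived operators.
def ap(p): return ("ap", p)
def EF(g): return ("EU", ("true",), g)
def AF(g): return ("not", ("EG", ("not", g)))
def AG(g): return ("not", EF(("not", g)))
def implies(g, h): return ("not", ("and", g, ("not", h)))


if __name__ == "__main__":
    print(sat(EF(ap("inCS"))))                                  # {'idle', 'trying', 'critical'}
    print(sat(("EG", ap("waiting"))))                           # {'trying', 'stuck'}
    print(sat(("EX", "grant", ap("inCS"))))                     # {'trying'}
    print(sat(AG(implies(ap("waiting"), AF(ap("inCS"))))))      # set()
```

EG g is handled the way Clarke, Emerson and Sistla do it: restrict the graph to g-states, take the non-trivial SCCs (a cycle, or a single state with a self-loop) and collect every g-state that can reach one. The liveness property AG(waiting -> AF inCS) fails in every state of this model for two reasons the checker exposes at once: the timeout loop between idle and trying, and the stuck state whose only transition is its own retry.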