Results 1  10
of
551
Dynamic Logic
 Handbook of Philosophical Logic
, 1984
"... ed to be true under the valuation u iff there exists an a 2 N such that the formula x = y is true under the valuation u[x=a], where u[x=a] agrees with u everywhere except x, on which it takes the value a. This definition involves a metalogical operation that produces u[x=a] from u for all possibl ..."
Abstract

Cited by 1012 (7 self)
 Add to MetaCart
ed to be true under the valuation u iff there exists an a 2 N such that the formula x = y is true under the valuation u[x=a], where u[x=a] agrees with u everywhere except x, on which it takes the value a. This definition involves a metalogical operation that produces u[x=a] from u for all possible values a 2 N. This operation becomes explicit in DL in the form of the program x := ?, called a nondeterministic or wildcard assignment. This is a rather unconventional program, since it is not effective; however, it is quite useful as a descriptive tool. A more conventional way to obtain a square root of y, if it exists, would be the program x := 0 ; while x < y do x := x + 1: (1) In DL, such programs are firstclass objects on a par with formulas, complete with a collection of operators for forming compound programs inductively from a basis of primitive programs. To discuss the effect of the execution of a program on the truth of a formula ', DL uses a modal construct <>', which
InductiveDataType Systems
, 2002
"... In a previous work ("Abstract Data Type Systems", TCS 173(2), 1997), the leI two authors presented a combined lmbined made of a (strongl normal3zG9 alrmal rewrite system and a typed #calA#Ik enriched by patternmatching definitions folnitio a certain format,calat the "General Schem ..."
Abstract

Cited by 821 (23 self)
 Add to MetaCart
In a previous work ("Abstract Data Type Systems", TCS 173(2), 1997), the leI two authors presented a combined lmbined made of a (strongl normal3zG9 alrmal rewrite system and a typed #calA#Ik enriched by patternmatching definitions folnitio a certain format,calat the "General Schema", whichgeneral39I theusual recursor definitions fornatural numbers and simil9 "basic inductive types". This combined lmbined was shown to bestrongl normalIk39f The purpose of this paper is toreformul33 and extend theGeneral Schema in order to make it easil extensibl3 to capture a more general cler of inductive types, cals, "strictly positive", and to ease the strong normalgAg9Ik proof of theresulGGg system. Thisresul provides a computation model for the combination of anal"DAfGI specification language based on abstract data types and of astrongl typed functional language with strictly positive inductive types.
Dynamically discovering likely program invariants to support program evolution.
 ICSE
, 1999
"... ..."
(Show Context)
Parametric Shape Analysis via 3Valued Logic
, 2001
"... Shape Analysis concerns the problem of determining "shape invariants"... ..."
Abstract

Cited by 663 (80 self)
 Add to MetaCart
Shape Analysis concerns the problem of determining "shape invariants"...
Automatic predicate abstraction of C programs
 IN PROC. ACM PLDI
, 2001
"... Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, statespace explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant in ..."
Abstract

Cited by 488 (33 self)
 Add to MetaCart
(Show Context)
Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, statespace explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For infinitestate systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction of programs written in an industrial programming language such as C, and its implementation in a tool C2bp. The C2bp tool is part of the SLAM toolkit, which uses a combination of predicate abstraction, model checking, symbolic reasoning, and iterative refinement to statically check temporal safety properties of programs. Predicate abstraction of software has many applications, including detecting program errors, synthesizing program invariants, and improving the precision of program analyses through predicate sensitivity. We discuss our experience applying the C2bp predicate abstraction tool to a variety of problems, ranging from checking that listmanipulating code preserves heap invariants to finding errors in Windows NT device drivers.
A Logic for Reasoning about Time and Reliability
 Formal Aspects of Computing
, 1994
"... We present a logic for stating properties such as, "after a request for service there is at least a 98% probability that the service will be carried out within 2 seconds". The logic extends the temporal logic CTL by Emerson, Clarke and Sistla with time and probabilities. Formulas are inter ..."
Abstract

Cited by 371 (1 self)
 Add to MetaCart
We present a logic for stating properties such as, "after a request for service there is at least a 98% probability that the service will be carried out within 2 seconds". The logic extends the temporal logic CTL by Emerson, Clarke and Sistla with time and probabilities. Formulas are interpreted over discrete time Markov chains. We give algorithms for checking that a given Markov chain satisfies a formula in the logic. The algorithms require a polynomial number of arithmetic operations, in size of both the formula and This research report is a revised and extended version of a paper that has appeared under the title "A Framework for Reasoning about Time and Reliability" in the Proceeding of the 10 th IEEE Realtime Systems Symposium, Santa Monica CA, December 1989. This work was partially supported by the Swedish Board for Technical Development (STU) as part of Esprit BRA Project SPEC, and by the Swedish Telecommunication Administration. the Markov chain. A simple example is inc...
FailStop Processors: An Approach to Designing FaultTolerant Computing Systems
, 1983
"... This paper was originally submitted to ACM Transactions on Programming Languages and Systems. The responsible editor was Susan L. Graham. The authors and editor kindly agreed to transfer the paper to the ACM Transactions on Computer Systems ..."
Abstract

Cited by 354 (18 self)
 Add to MetaCart
This paper was originally submitted to ACM Transactions on Programming Languages and Systems. The responsible editor was Susan L. Graham. The authors and editor kindly agreed to transfer the paper to the ACM Transactions on Computer Systems
Abstractions from Proofs
, 2004
"... The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are req ..."
Abstract

Cited by 268 (33 self)
 Add to MetaCart
The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are required for proving correctness. Previous methods for automatically refining predicate abstractions until sufficient precision is obtained do not systematically construct parsimonious abstractions: predicates usually contain symbolic variables, and are added heuristically and often uniformly to many or all control locations at once. We use Craig interpolation to efficiently construct, from a given abstract error trace which cannot be concretized, a parsominous abstraction that removes the trace. At each location of the trace, we infer the relevant predicates as an interpolant between the two formulas that define the past and the future segment of the trace. Each interpolant is a relationship between current values of program variables, and is relevant only at that particular program location. It can be found by a linear scan of the proof of infeasibility of the trace. We develop
Managing conflicts in goaldriven requirements engineering
 IEEE Transactions on Software Engineering
, 1998
"... Abstract A wide range of inconsistencies can arise during requirements engineering as goals and requirements are elicited from multiple stakeholders. Resolving such inconsistencies sooner or later in the process is a necessary condition for successful development of the software implementing those ..."
Abstract

Cited by 178 (25 self)
 Add to MetaCart
(Show Context)
Abstract A wide range of inconsistencies can arise during requirements engineering as goals and requirements are elicited from multiple stakeholders. Resolving such inconsistencies sooner or later in the process is a necessary condition for successful development of the software implementing those requirements. The paper first reviews the main types of inconsistency that can arise during requirements elaboration, defining them in an integrated framework and exploring their interrelationships. It then concentrates on the specific case of conflicting formulations of goals and requirements among different stakeholder viewpoints or within a single viewpoint. A frequent, weaker form of conflict called divergence is introduced and studied in depth. Formal techniques and heuristics are proposed for detecting conflicts and divergences from specifications of goals / requirements and of domain properties. Various techniques are then discussed for resolving conflicts and divergences systematically by introduction of new goals or by transformation of specifications of goals/objects towards conflictfree versions. Numerous examples are given throughout the paper to illustrate the practical relevance of the concepts and techniques presented. The latter are discussed in the framework of the KAOS methodology for goaldriven requirements engineering.