Results 1  10
of
68
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 3218 (68 self)
 Add to MetaCart
(Show Context)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Breaking up is hard to do: An evaluation of automated assumeguarantee reasoning
 ACM Transactions on Software Engineering and Methodology
, 2008
"... Finitestate verification techniques are often hampered by the stateexplosion problem. One proposed approach for addressing this problem is assumeguarantee reasoning, where a system under analysis is partitioned into subsystems and these subsystems are analyzed individually. By composing the resul ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Finitestate verification techniques are often hampered by the stateexplosion problem. One proposed approach for addressing this problem is assumeguarantee reasoning, where a system under analysis is partitioned into subsystems and these subsystems are analyzed individually. By composing the results of these analyses, it can be determined whether or not the system satisfies a property. Because each subsystem is smaller than the whole system, analyzing each subsystem individually may reduce the overall cost of verification. Often the behavior of a subsystem is dependent on the subsystems with which it interacts, and thus it is usually necessary to provide assumptions about the environment in which a subsystem executes. Because developing assumptions has been a difficult manual task, the evaluation of assumeguarantee reasoning has been limited. Using recent advances for automatically generating assumptions, we undertook a study to determine if assumeguarantee reasoning provides an advantage over monolithic verification. In this study, we considered all twoway decompositions for a set of systems and properties, using two different verifiers, FLAVERS and LTSA. By increasing the number of repeated tasks in these systems, we evaluated the decompositions as they were scaled. We found that in only a few cases can assumeguarantee reasoning verify properties on larger systems than monolithic verification can, and in these cases the systems that can be analyzed are only a few sizes larger. Although these results are discouraging, they provide insight about research directions that should be pursued and highlight the importance of experimental
Learning to divide and conquer: applying the L* algorithm to automate assumeguarantee reasoning
, 2008
"... Assumeguarantee reasoning enables a “divideandconquer ” approach to the verification of large systems that checks system components separately while using assumptions about each component’s environment. Developing appropriate assumptions used to be a difficult and manual process. Over the past fi ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
(Show Context)
Assumeguarantee reasoning enables a “divideandconquer ” approach to the verification of large systems that checks system components separately while using assumptions about each component’s environment. Developing appropriate assumptions used to be a difficult and manual process. Over the past five years, we have developed a framework for performing assumeguarantee verification of systems in an incremental and fully automated fashion. The framework uses an offtheshelf learning algorithm to compute the assumptions. The assumptions are initially approximate and become more precise by means of counterexamples obtained by model checking components separately. The framework supports different assumeguarantee rules, both symmetric and asymmetric. Moreover, we have recently introduced alphabet refinement, which extends the assumption learning process to also infer assumption alphabets. This refinement technique starts with assumption alphabets that are a subset of the minimal interface between a component and its environment, and adds actions to it as necessary until a given property is shown to hold or to be violated in the system. We have applied the learning framework to a number of case studies that show that compositional verification by learning assumptions can be significantly more scalable than noncompositional verification. Key words: Assumeguarantee reasoning, model checking, labeled transition systems, learning, proof rules, compositional verification, safety properties. 1
Refining Interface Alphabets for Compositional Verification
 In Proc. of the 19th Int. Conf. on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS'07
"... Abstract. Techniques for learning automata have been adapted to automatically infer assumptions in assumeguarantee compositional verification. Learning, in this context, produces assumptions and modifies them using counterexamples obtained by model checking components separately. In this process, t ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Techniques for learning automata have been adapted to automatically infer assumptions in assumeguarantee compositional verification. Learning, in this context, produces assumptions and modifies them using counterexamples obtained by model checking components separately. In this process, the interface alphabets between components, that constitute the alphabets of the assumption automata, are fixed: they include all actions through which the components communicate. This paper introduces alphabet refinement, a novel technique that extends the assumption learning process to also infer interface alphabets. The technique starts with only a subset of the interface alphabet and adds actions to it as necessary until a given property is shown to hold or to be violated in the system. Actions to be added are discovered by counterexample analysis. We show experimentally that alphabet refinement improves the current learning algorithms and makes compositional verification by learning assumptions more scalable than noncompositional verification. 1
Automated assumption generation for compositional verification
 Form. Methods Syst. Des
"... Abstract. We describe a method for computing an exact minimal automaton to act as an intermediate assertion in assumeguarantee reasoning, using a sampling approach and a Boolean satisfiability solver. For a set of synthetic benchmarks intended to mimic common situations in hardware verification, th ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a method for computing an exact minimal automaton to act as an intermediate assertion in assumeguarantee reasoning, using a sampling approach and a Boolean satisfiability solver. For a set of synthetic benchmarks intended to mimic common situations in hardware verification, this is shown to be significantly more effective than earlier approximate methods based on Angluin’s L * algorithm. For many of these benchmarks, this method also outperforms BDDbased model checking and interpolationbased model checking. 1
Automated AssumeGuarantee Reasoning by Abstraction Refinement
"... Abstract. Current automated approaches for compositional model checking in the assumeguarantee style are based on learning of assumptions as deterministic automata. We propose an alternative approach based on abstraction refinement. Our new method computes the assumptions for the assumeguarantee r ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Current automated approaches for compositional model checking in the assumeguarantee style are based on learning of assumptions as deterministic automata. We propose an alternative approach based on abstraction refinement. Our new method computes the assumptions for the assumeguarantee rules as conservative and not necessarily deterministic abstractions of some of the components, and refines those abstractions using counterexamples obtained from model checking them together with the other components. Our approach also exploits the alphabets of the interfaces between components and performs iterative refinement of those alphabets as well as of the abstractions. We show experimentally that our preliminary implementation of the proposed alternative achieves similar or better performance than a previous learningbased implementation. 1
Extending Automated Compositional Verification to the Full Class of OmegaRegular Languages ⋆
"... Abstract. Recent studies have suggested the applicability of learning to automated compositional verification. However, current learning algorithms fall short when it comes to learning liveness properties. We extend the automaton synthesis paradigm for the infinitary languages by presenting an algor ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Recent studies have suggested the applicability of learning to automated compositional verification. However, current learning algorithms fall short when it comes to learning liveness properties. We extend the automaton synthesis paradigm for the infinitary languages by presenting an algorithm to learn an arbitrary regular set of infinite sequences (an ωregular language) over an alphabet Σ. Our main result is an algorithm to learn a nondeterministic Büchi automaton that recognizes an unknown ωregular language. This is done by learning a unique projection of it on Σ ∗ using the framework suggested by Angluin for learning regular subsets of Σ ∗. 1
Learningbased symbolic assumeguarantee reasoning with automatic decomposition
 In ATVA
, 2006
"... Abstract. Compositional reasoning aims to improve scalability of verification tools by reducing the original verification task into subproblems. The simplification is typically based on the assumeguarantee reasoning principles, and requires decomposing the system into components as well as identify ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Compositional reasoning aims to improve scalability of verification tools by reducing the original verification task into subproblems. The simplification is typically based on the assumeguarantee reasoning principles, and requires decomposing the system into components as well as identifying adequate environment assumptions for components. One recent approach to automatic derivation of adequate assumptions is basedontheL ∗ algorithm for active learning of regular languages. In this paper, we present a fully automatic approach to compositional reasoning by automating the decomposition step using an algorithm for hypergraph partitioning for balanced clustering of variables. We also propose heuristic improvements to the assumption identification phase. We report on an implementation based on NuSMV, and experiments that study the effectiveness of automatic decomposition and the overall savings in the computational requirements of symbolic model checking. 1
Componentbased hardware/software coverification
 In MEMOCODE
, 2007
"... In componentbased hardware/software coverification, properties of an embedded system are established from properties of its hardware and software components. A major challenge in componentbased coverification is the property formulation problem: (1) what are the system properties to verify, (2) ..."
Abstract

Cited by 11 (7 self)
 Add to MetaCart
(Show Context)
In componentbased hardware/software coverification, properties of an embedded system are established from properties of its hardware and software components. A major challenge in componentbased coverification is the property formulation problem: (1) what are the system properties to verify, (2) what are the component properties needed for verifying the system properties, and (3) what are the environment assumptions for establishing these properties. We present a patternguided approach to the property formulation problem. We develop an embedded architecture description language (EADL). A key feature of EADL is its support to specification of architectural patterns for embedded systems. Such patterns capture recurring system structures and, furthermore, templates for properties to verify on systems following these patterns and strategies for decomposing system properties into component properties. We have applies EADL in coverification of medical sensor systems, which shows that architectural patterns have major potential in facilitating componentbased coverification. 1
AssumeGuarantee Verification for Interface Automata
"... Abstract. Interface automata provide a formalism capturing the high level interactions between software components. Checking compatibility, and other safety properties, in an automatabased system suffers from the scalability issues inherent in exhaustive techniques such as model checking. This work ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Interface automata provide a formalism capturing the high level interactions between software components. Checking compatibility, and other safety properties, in an automatabased system suffers from the scalability issues inherent in exhaustive techniques such as model checking. This work develops a theoretical framework and automated algorithms for modular verification of interface automata. We propose sound and complete assumeguarantee rules for interface automata, and learningbased algorithms to automate assumption generation. Our algorithms have been implemented in a practical modelchecking tool and have been applied to a realistic NASA case study. 1