Logics for Hybrid Systems
Proceedings of the IEEE, 2000
Cited by 93 (7 self)
This paper offers a synthetic overview of, and original contributions to, the use of logics and formal methods in the analysis of hybrid systems.
Relative Completeness of Abstraction Refinement for Software Model Checking
2002
Cited by 59 (4 self)
Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oracle-based method. More precisely, we ask whether an often implemented method known as "software model checking with abstraction refinement" is complete relative to fixpoint iteration with "oracle-guided" widening. We show that whenever backward fixpoint iteration with oracle-guided widening succeeds in proving a property' (for some sequence of widenings determined by the oracle) then software model checking with a particular form of backward refinement will succeed in proving'. Intuitively, this means that the use of fixpoint iteration over abstractions and a particular backwards refinement of the abstractions has the effect of exploring the entire state space of all possible sequences of widenings.
Symbolic Algorithms for Infinite-State Games
2001
Cited by 42 (6 self)
A procedure for the analysis of state spaces is called symbolic if it manipulates not individual states, but sets of states that are represented by constraints. Such a procedure can be used for the analysis of infinite state spaces, provided termination is guaranteed. We present symbolic procedures, and corresponding termination criteria, for the solution of infinite-state games, which occur in the control and modular verification of infinite-state systems. To characterize the termination of symbolic procedures for solving infinite-state games, we classify these game structures into four increasingly restrictive categories: 1. Class 1 consists of infinite-state structures for which all safety and reachability games can be solved...
Mocha: A Model Checking Tool that Exploits Design Structure
In ICSE 01: Proceedings of the 23rd International Conference on Software Engineering, 2001
Well-Abstracted Transition Systems: Application to FIFO Automata
2000
Cited by 16 (6 self)
this paper on symbolic representations for the computation of the reachability set of FIFO automata, i.e. a finite control with multiple unbounded FIFO channels. To the best of our knowledge, Pachl was the first to use regular expressions to represent infinite sets of channel contents [31]. In [17], linear regular expressions have been defined and used. Boigelot et al. chose a representation based on deterministic finite automata, namely Queue-content Decision Diagrams [4], and afterwards Bouajjani et al. added Presburger formulas, namely Constrained QDDs [5]. Simple regular expressions have been introduced for lossy FIFO automata [1].
On Model Checking Data-independent Systems with Arrays without Reset
Theory and Practice of Logic Programming, 2004
Cited by 15 (5 self)
A system is data-independent with respect to a data type X iff the only operation it can perform on values of type X is equality testing. The system may also store, input and output values of type X. We study model checking of systems which are data-independent with respect to two distinct type variables X and Y, and may in addition use arrays with indices from X and values from Y. The main problem of interest is the following parameterised model-checking problem: whether a given program satisfies a given temporal-logic formula for all non-empty finite instances of X and Y. Initially, we consider instead the abstraction where X and Y are infinite and where partial functions with finite domains are used to model arrays. Using a translation to data-independent systems without arrays, we show that the mu-calculus model-checking problem is decidable for these systems. From this result, we can deduce properties of all systems with finite instances of X and Y. We show that there is a procedure for the above parameterised model-checking problem of the universal fragment of the mu-calculus, such that it always terminates but may give false negatives. We also deduce that there is a procedure for the parameterised model-checking problem of the universal disjunction-free fragment of the mu-calculus. Practical motivations for model checking data-independent systems with arrays include verification of fault-tolerant cache systems, where X is the type of memory addresses, and Y the type of storable values. As an example we verify a fault-tolerant memory interface over a set of unreliable memories.
jMocha: A Model Checking Tool that Exploits Design Structure
2001
"... MOCHA is a model checker ..."
Combinations of model checking and theorem proving
Proceedings of the Third Intl. Workshop on Frontiers of Combining Systems, volume 1794 of LNCS, 2000
Cited by 11 (0 self)
The two main approaches to the formal verification of reactive systems are based, respectively, on model checking (algorithmic verification) and theorem proving (deductive verification). These two approaches have complementary strengths and weaknesses, and their combination promises to enhance the capabilities of each. This paper surveys a number of methods for doing so. As is often the case, the combinations can be classified according to how tightly the different components are integrated, their range of application, and their degree of automation.
Generalized strong preservation by abstract interpretation
J. Logic and Computation, 2007
Cited by 11 (8 self)
Standard abstract model checking relies on abstract Kripke structures which approximate concrete models by gluing together indistinguishable states, namely by a partition of the concrete state space. models that are more general than abstract Kripke structures. Accordingly, strong preservation is generalized to abstract interpretation-based models and precisely related to the concept of completeness in abstract interpretation. The problem of minimally refining an abstract model in order to make it strongly preserving for some language L can be formulated as a minimal domain refinement in abstract interpretation in order to get completeness w.r.t. the logical/temporal operators of L. It turns out that this refined strongly preserving abstract model always exists and can be characterized as a greatest fixed point. As a consequence, some well-known behavioural equivalences, like bisimulation, simulation and stuttering, and their corresponding partition refinement algorithms can be elegantly characterized in abstract interpretation as completeness properties and refinements.