Results 1  10
of
96
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2407 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Dynamic Logic
 Handbook of Philosophical Logic
, 1984
"... ed to be true under the valuation u iff there exists an a 2 N such that the formula x = y is true under the valuation u[x=a], where u[x=a] agrees with u everywhere except x, on which it takes the value a. This definition involves a metalogical operation that produces u[x=a] from u for all possibl ..."
Abstract

Cited by 825 (8 self)
 Add to MetaCart
ed to be true under the valuation u iff there exists an a 2 N such that the formula x = y is true under the valuation u[x=a], where u[x=a] agrees with u everywhere except x, on which it takes the value a. This definition involves a metalogical operation that produces u[x=a] from u for all possible values a 2 N. This operation becomes explicit in DL in the form of the program x := ?, called a nondeterministic or wildcard assignment. This is a rather unconventional program, since it is not effective; however, it is quite useful as a descriptive tool. A more conventional way to obtain a square root of y, if it exists, would be the program x := 0 ; while x < y do x := x + 1: (1) In DL, such programs are firstclass objects on a par with formulas, complete with a collection of operators for forming compound programs inductively from a basis of primitive programs. To discuss the effect of the execution of a program on the truth of a formula ', DL uses a modal construct <>', which
Secure Information Flow by SelfComposition
 PROCEEDINGS OF CSFW’04
, 2004
"... Noninterference is a highlevel security property that guarantees the absence of illicit information leakages through a program execution. A common means to enforce noninterference is to use an information flow type system. However, such type systems are inherently imprecise, and reject many secur ..."
Abstract

Cited by 80 (8 self)
 Add to MetaCart
Noninterference is a highlevel security property that guarantees the absence of illicit information leakages through a program execution. A common means to enforce noninterference is to use an information flow type system. However, such type systems are inherently imprecise, and reject many secure programs, even for simple programming languages. The purpose of this paper is to propose a logical formulation of noninterference that allows a more precise analysis or programs, and that is amenable to deductive verification techniques, such as programming logics and weakest precondition calculi, and algorithmic verification techniques such as modelchecking. We illustrate the applicability of our method in several scenarii, including a simple imperative language, a nondeterministic language, and finally a language with shared mutable data structures.
Completing the Temporal Picture
, 1991
"... The paper presents a relatively complete proof system for proving the validity of temporal properties of reactive programs. The presented proof system improves on previous temporal systems, in that it reduces the validity of program properties into pure assertional reasoning, not involving additiona ..."
Abstract

Cited by 74 (16 self)
 Add to MetaCart
The paper presents a relatively complete proof system for proving the validity of temporal properties of reactive programs. The presented proof system improves on previous temporal systems, in that it reduces the validity of program properties into pure assertional reasoning, not involving additional temporal reasoning. The proof system is based on the classification of temporal properties according to the Borel hierarchy, providing appropriate proof rules for the classes of safety, response, and reactivity properties.
Polymorphism and separation in Hoare type theory
 In icfp
, 2006
"... In previous work we have proposed a Dependent Hoare Type Theory (HTT) as a framework for development and reasoning about higherorder functional programs with effects of state, aliasing and nontermination. The main feature of HTT is the type of Hoare triples {P}x:A{Q} specifying computations with pr ..."
Abstract

Cited by 67 (14 self)
 Add to MetaCart
In previous work we have proposed a Dependent Hoare Type Theory (HTT) as a framework for development and reasoning about higherorder functional programs with effects of state, aliasing and nontermination. The main feature of HTT is the type of Hoare triples {P}x:A{Q} specifying computations with precondition P and postcondition Q, that return a result of type A. Here we extend HTT with predicative type polymorphism. Type quantification is possible in both types and assertions, and we can also quantify over Hoare triples. We show that as a consequence it becomes possible to reason about disjointness of heaps in the assertion logic of HTT. We use this expressiveness to interpret the Hoare triples in the “small footprint ” manner advocated by Separation Logic, whereby a precondition tightly describes the heap fragment required by the computation. We support stateful commands of allocation, lookup, strong update, deallocation, and pointer arithmetic. 1
Ten Years of Hoare's Logic: A Survey  Part l
, 1981
"... A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with par ..."
Abstract

Cited by 66 (2 self)
 Add to MetaCart
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
Proving Concurrent Constraint Programs Correct
, 1994
"... We develop a compositional proofsystem for the partial correctness of concurrent constraint programs. Soundness and (relative) completeness of the system are proved with respect to a denotational semantics based on the notion of strongest postcondition. The strongest postcondition semantics provide ..."
Abstract

Cited by 59 (14 self)
 Add to MetaCart
We develop a compositional proofsystem for the partial correctness of concurrent constraint programs. Soundness and (relative) completeness of the system are proved with respect to a denotational semantics based on the notion of strongest postcondition. The strongest postcondition semantics provides a justification of the declarative nature of concurrent constraint programs, since it allows to view programs as theories in the specification logic. 1 Introduction Concurrent constraint programming ([24, 25, 26]) (ccp, for short) is a concurrent programming paradigm which derives from replacing the storeasvaluation conception of von Neumann computing by the storeas constraint model. Its computational model is based on a global store, represented by a constraint, which expresses some partial information on the values of the variables involved in the computation. The concurrent execution of different processes, which interact through the common store, refines the partial information of...
Relative Completeness of Abstraction Refinement for Software Model Checking
, 2002
"... Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oraclebased method. More precisely, we a ..."
Abstract

Cited by 59 (4 self)
 Add to MetaCart
Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oraclebased method. More precisely, we ask whether an often implemented method known as "software model checking with abstraction refinement" is complete relative to fixpoint iteration with "oracleguided" widening. We show that whenever backward fixpoint iteration with oracleguided widening succeeds in proving a property' (for some sequence of widenings determined by the oracle) then software model checking with a particular form of backward refinement will succeed in proving'. Intuitively, this means that the use of fixpoint iteration over abstractions and a particular backwards refinement of the abstractions has the effect of exploring the entire state space of all possible sequences of widenings.
Differential Dynamic Logic for Hybrid Systems
, 2007
"... Hybrid systems are models for complex physical systems and are defined as dynamical systems with interacting discrete transitions and continuous evolutions along differential equations. With the goal of developing a theoretical and practical foundation for deductive verification of hybrid systems, ..."
Abstract

Cited by 41 (30 self)
 Add to MetaCart
Hybrid systems are models for complex physical systems and are defined as dynamical systems with interacting discrete transitions and continuous evolutions along differential equations. With the goal of developing a theoretical and practical foundation for deductive verification of hybrid systems, we introduce a dynamic logic for hybrid programs, which is a program notation for hybrid systems. As a verification technique that is suitable for automation, we introduce a free variable proof calculus with a novel combination of realvalued free variables and Skolemisation for lifting quantifier elimination for real arithmetic to dynamic logic. The calculus is compositional, i.e., it reduces properties of hybrid programs to properties of their parts. Our main result proves that this calculus axiomatises the transition behaviour of hybrid systems completely relative to differential equations. In a case study with cooperating traffic agents of the European Train Control System, we further show that our calculus is wellsuited for verifying realistic hybrid systems with parametric system dynamics.