Results 1 - 10 of 122
Symbolic Model Checking: 10^20 States and Beyond
, 1992
Cited by 574 (30 self)
Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrams (Bryant, R. E., 1986, IEEE Trans. Comput. C-35) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite ω-automata. The fixed point computations for each decision procedure are sometimes complex, but can be concisely expressed in the Mu-Calculus. We illustrate the practicality of our approach to symbolic model checking by discussing how it can be used to verify a simple synchronous pipeline circuit.
Combining Partial Order Reductions with On-the-fly Model-checking
, 1994
Cited by 191 (14 self)
Partial order model-checking is an approach to reduce time and memory in model-checking concurrent programs. On-the-fly model-checking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during its generation. We prove conditions under which these two methods can be combined in order to gain reduction from both methods. An extension of the model-checker SPIN, which implements this combination, is studied, showing substantial reduction over traditional search, not only in the number of reachable states, but directly in the amount of memory and time used. We also describe how to apply partial-order model-checking under given fairness assumptions.
All from one, one for all: on model checking using representatives
 LNCS
, 1993
Cited by 150 (6 self)
Checking that a given finite state program satisfies a linear temporal logic property is suffering in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces such that for each equivalence class, either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than on the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow coarser equivalence relation among sequences, such that less representatives are needed.
A Technique of State Space Search Based on Unfolding
 Formal Methods in System Design
, 1992
Cited by 64 (0 self)
Unfoldings of Petri nets provide a method of searching the state space of concurrent systems without considering all possible interleavings of concurrent events. A procedure is given for constructing the unfolding of a Petri net, terminating the construction when it is sufficient to represent all reachable markings. This procedure is applied to hazard and deadlock detection in asynchronous circuits. Examples are given of scalable systems with exponential size state spaces, but polynomial size unfoldings, including a distributed mutual exclusion ring circuit.
Partial-Order Reduction in Symbolic State Space Exploration
, 1997
Cited by 59 (0 self)
State space explosion is a fundamental obstacle in formal verification of designs and protocols. Several techniques for combating this problem have emerged in the past few years, among which two are significant: partial-order reductions and symbolic state space search. In asynchronous systems, interleavings of independent concurrent events are equivalent, and only a representative interleaving needs to be explored to verify local properties. Partial-order methods exploit this redundancy and visit only a subset of the reachable states. Symbolic techniques, on the other hand, capture the transition relation of a system and the set of reachable states as boolean functions. In many cases, these functions can be represented compactly using binary decision diagrams (BDDs). Traditionally, the two techniques have been practiced by two different schools: partial-order methods with enumerative depth-first search for the analysis of asynchronous network protocols, and symbolic bread...
Coverage Preserving Reduction Strategies for Reachability Analysis
Cited by 58 (8 self)
We study the effect of three new reduction strategies for conventional reachability analysis, as used in automated protocol validation algorithms. The first two strategies are implementations of partial order semantics rules that attempt to minimize the number of execution sequences that need to be explored for a full state space exploration. The third strategy is the implementation of a state compression scheme that attempts to minimize the amount of memory that is used to build a state space. The three strategies are shown to have a potential for substantially improving the performance of a conventional search. The paper discusses the optimal choices for reducing either run time or memory requirements by four to six times. The strategies can readily be combined with each other and with alternative state space reduction techniques such as supertrace or state space caching methods.
Partial order reductions for timed systems
 In International Conference on Concurrency Theory
, 1998
Cited by 53 (4 self)
In this paper, we present a partial-order reduction method for timed systems based on a local-time semantics for networks of timed automata. The main idea is to remove the implicit clock synchronization between processes in a network by letting local clocks in each process advance independently of clocks in other processes, and by requiring that two processes resynchronize their local time scales whenever they communicate. A symbolic version of this new semantics is developed in terms of predicate transformers, which enjoys the desired property that two predicate transformers are independent if they correspond to disjoint transitions in different processes. Thus we can apply standard partial order reduction techniques to the problem of checking reachability for timed systems, which avoid exploration of unnecessary interleavings of independent transitions. The price is that we must introduce extra machinery to perform the resynchronization operations on local clocks. Finally, we present a variant of DBM representation of symbolic states in the local time semantics for efficient implementation of our method.
Complexity Results for 1-safe Nets
, 1993
Cited by 44 (7 self)
We study the complexity of several standard problems for 1-safe Petri nets and some of its subclasses. We prove that reachability, liveness, and deadlock are all PSPACE-complete for 1-safe nets. We also prove that deadlock is NP-complete for free-choice nets and for 1-safe free-choice nets. Finally, we prove that for arbitrary Petri nets, deadlock is equivalent to reachability and liveness. This paper is to be presented at FST&TCS 13, Foundations of Software Technology & Theoretical Computer Science, to be held 15-17 December 1993, in Bombay, India. A version of the paper with most proofs omitted is to appear in the proceedings. 1 Introduction Petri nets are one of the oldest and most studied formalisms for the investigation of concurrency [33]. Shortly after the birth of complexity theory, Jones, Landweber, and Lien studied in their classical paper [24] the complexity of several fundamental problems for Place/Transition nets (called in [24] just Petri nets). Some years later, Howell,...
Bounded Model Checking for the Universal Fragment of CTL
, 2002
Cited by 42 (22 self)
Bounded Model Checking (BMC) has been recently introduced as an efficient verification method for reactive systems. BMC based on SAT methods consists in searching for a counterexample of a particular length and generating a propositional formula that is satisfiable iff such a counterexample exists. This new technique has been introduced by E. Clarke et al. for model checking of linear time temporal logic (LTL). Our paper shows how the concept of bounded model checking can be extended to ACTL (the universal fragment of CTL). The implementation of the algorithm for Elementary Net Systems is described together with the experimental results.
Interval Timed Coloured Petri Nets and their Analysis
, 1993
Cited by 41 (9 self)
Practical experiences show that only timed and coloured Petri nets are capable of modelling large and complex real-time systems. This is the reason we present the Interval Timed Coloured Petri Net (ITCPN) model. An interval timed coloured Petri net is a coloured Petri net extended with time; time is in tokens and transitions determine a delay for each produced token. This delay is specified by an upper and lower bound, i.e. an interval. The ITCPN model allows the modelling of the dynamic behaviour of large and complex systems, without losing the possibility of formal analysis. In addition to the existing analysis techniques for coloured Petri nets, we propose a new analysis method to analyse the temporal behaviour of the net. This method constructs a reduced reachability graph and exploits the fact that delays are described by an interval. 1 Introduction Petri nets have been widely used for the modelling and analysis of concurrent systems (Reisig [25]). There are several factors whi...