Counterexample-guided Abstraction Refinement, 2000
Cited by 602 (60 self)
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Model checking of message sequence charts, 1999
Cited by 124 (6 self)
Scenario-based specifications such as message sequence charts (MSC) offer an intuitive and visual way of describing design requirements. Such specifications focus on message exchanges among communicating entities in distributed software systems. Structured specifications such as MSC-graphs and Hierarchical MSC-graphs (HMSC) allow convenient expression of multiple scenarios, and can be viewed as an early model of the system. In this paper, we present a comprehensive study of the problem of verifying whether this model satisfies a temporal requirement given by an automaton, by developing algorithms for the different cases along with matching lower bounds. When the model is given as an MSC, model checking can be done by constructing a suitable automaton for the linearizations of the partial order specified by the MSC, and the problem is coNP-complete. When the model is given by an MSC-graph, we consider two possible semantics depending on the synchronous or asynchronous interpretation of concatenating two MSCs. For synchronous model checking of MSC-graphs and HMSCs, we present algorithms whose time complexity is proportional to the product of the size of the description and the cost of processing MSCs at individual vertices. Under the asynchronous interpretation, we prove undecidability of the model checking problem. We then identify a natural requirement of boundedness, give algorithms to check boundedness, and establish asynchronous model checking to be Pspace-complete for bounded MSC-graphs and Expspace-complete for bounded HMSCs.
You Assume, We Guarantee: Methodology and Case Studies, 1998
Cited by 95 (14 self)
Assume-guarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Refinement mappings (homomorphisms) have long been advertised as an important method for solving the language-inclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that rather than offering instant solutions, the success of assume-guarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in the form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
Model checking of hierarchical state machines. ACM Trans. Program. Lang. Syst.
Cited by 77 (9 self)
Model checking is emerging as a practical tool for detecting logical errors in early stages of system design. We investigate the model checking of sequential hierarchical (nested) systems, i.e., finite-state machines whose states themselves can be other machines. This nesting ability is common in various software design methodologies, and is available in several commercial modeling tools. The straightforward way to analyze a hierarchical machine is to flatten it (thus incurring an exponential blow-up) and apply a model-checking tool on the resulting ordinary FSM. We show that this flattening can be avoided. We develop algorithms for verifying linear-time requirements whose complexity is polynomial in the size of the hierarchical machine. We also address the verification of branching-time requirements and provide efficient algorithms and matching lower bounds.
The state of spin. In Alur and Henzinger, 1996
Cited by 55 (3 self)
The number of installations of the Spin model checking tool is steadily increasing. There are well over two thousand installations today, divided roughly evenly over academic and industrial sites. The tool itself also continues to evolve; it has more than doubled in size, and hopefully at least equally so in functionality, since it was first distributed in early 1991. The tool runs on most standard workstations, and starting with version 2.8 also on standard PCs. In this overview, we summarize the design principles of the tool, and review its current state.
The SHIFT Programming Language and Runtime System for Dynamic Networks of Hybrid Automata
Cited by 54 (10 self)
Shift is a programming language for describing and simulating dynamic networks of hybrid automata. Such systems consist of components that can be created, interconnected and destroyed as the system evolves. Components exhibit hybrid behavior, consisting of continuous-time phases separated by discrete-event transitions. Components may evolve independently, or they may interact through selected state variables and events. The interaction network itself may evolve. Shift is currently used in two applications: automated highway systems and coordinated submarine systems. The Shift model offers the proper level of abstraction for describing these and other applications such as air traffic control systems and robotic shop floors whose dynamic reconfigurations cannot be captured easily by conventional models. We have implemented a compiler and a runtime system for Shift. The compiler translates a Shift program into a C program, which, when run, simulates the design specified in the Shift s...
Mechanical Verification of Timed Automata: A Case Study. In Proc. 1996 IEEE Real-Time Technology and Applications Symp. (RTAS'96). IEEE Computer, 1996
Cited by 30 (9 self)
This paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on the proof system PVS, to prove propositions about real-time systems specified in the Lynch-Vaandrager timed automata model. In using automated provers to prove propositions about systems described by a specific mathematical model, both the proofs and the proof process can be simplified by exploiting the special properties of the mathematical model. Because both specifications and methods of reasoning about them tend to be repetitive, the use of a standard template for specifications, accompanied by standard shared theories and standard proof strategies or tactics, is often feasible. Presented are the PVS specification of three theories that underlie the timed automata model, a template for specifying timed automata models in PVS, and an example of its instantiation. Both hand proofs and the corresponding PVS proofs of two propositions are provided to illustrate h...
Incremental CTL Model Checking Using BDD Subsetting, 1998
Cited by 21 (2 self)
An automatic abstraction/refinement algorithm for symbolic CTL model checking is presented. Conservative model checking is thus done for the full CTL language: no restriction is made to the universal or existential fragments. The algorithm begins with conservative verification of an initial abstraction. If the conclusion is negative, it derives a "goal set" of states which require further resolution. It then successively refines, with respect to this goal set, the approximations made in the subformulas, until the given formula is verified or computational resources are exhausted. This method applies uniformly to abstractions based on over-approximation as well as under-approximation of the model. Both the refinement and the abstraction procedures are based on BDD subsetting. Note that refinement procedures which are based on error traces are limited to over-approximation on the universal fragment (or for language containment), whereas the goal set method is applicable to all consistent...
The SH-Verification Tool: Abstraction-Based Verification of Cooperating Systems, 1999
Cited by 20 (9 self)
The SH-verification tool comprises computing abstractions of finite-state behaviour representations as well as automata and temporal logic based verification approaches. To be suitable for the verification of so-called cooperating systems, a modified type of satisfaction relation (approximate satisfaction) is considered. Regarding abstraction, alphabetic language homomorphisms are used to compute abstract behaviours. To avoid loss of important information when moving to the abstract level, abstracting homomorphisms have to satisfy a certain property called simplicity on the concrete (i.e. not abstracted) behaviour. The well-known state space explosion problem is tackled by a compositional method combined with a partial order method.
Verifying Hybrid Systems Modeled as Timed Automata: A Case Study. In Hybrid and Real-Time Systems (HART'97), volume 1201 of Lect. Notes in Comp. Sci., 1997
Cited by 19 (6 self)
Verifying properties of hybrid systems can be highly complex. To reduce the effort required to produce a correct proof, the use of mechanical verification techniques is promising. Recently, we extended a mechanical verification system, originally developed to reason about deterministic real-time automata, to verify properties of hybrid systems. To evaluate our approach, we applied our extended proof system to a solution, based on the Lynch-Vaandrager timed automata model, of the Steam Boiler Controller problem, a hybrid systems benchmark. This paper reviews our mechanical verification system, which builds on SRI's Prototype Verification System (PVS), and describes the features we added to handle hybrid systems. It also discusses some errors we detected in applying our system to the benchmark problem. We conclude with a summary of insights we acquired in using our system to specify and verify hybrid systems.