Results 1 to 10 of 64
Reachability Analysis of Pushdown Automata: Application to Model-Checking
, 1997
Abstract

Cited by 292 (36 self)
We apply the symbolic analysis principle to pushdown systems. We represent (possibly infinite) sets of configurations of such systems by means of finite-state automata. In order to reason in a uniform way about analysis problems involving both existential and universal path quantification (like model checking for branching-time logics), we consider the more general class of alternating pushdown systems and use alternating finite-state automata as a representation structure for their sets of configurations. We give a simple and natural procedure to compute sets of predecessors for this representation structure. We apply this procedure and the automata-theoretic approach to model checking to define new model-checking algorithms for pushdown systems and both linear- and branching-time properties. From these results we derive upper bounds for several model-checking problems, and we also provide matching lower bounds, using reductions based on some techniques introduced by Walukiewicz.
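The predecessor computation the abstract refers to can be seen on a small pushdown system. The Python below is an added example and not code from the paper: it implements the standard pre* saturation construction for ordinary (non-alternating) pushdown systems, where a set of configurations <p, w> is represented by a finite automaton whose initial states are the control states p, and a configuration is in the set iff reading the stack word w from state p ends in a final state. Saturation repeatedly applies one rule: whenever the pushdown system has <p, gamma> -> <p', w> and the current automaton can read w from p' to some state q, add the transition p --gamma--> q. The toy program it is run on (a global authenticated/unauthenticated bit, procedures login and admin_op, program points m0, m1, m2, l0, d0) is constructed for this illustration; the question asked is the interprocedural one of whether admin_op can ever be entered while the global state is still unauthenticated. The paper's alternating automata for branching-time properties are not covered.

```python
"""pre* saturation for a pushdown system (added example, not the paper's code)."""
from dataclasses import dataclass, field


@dataclass
class PAutomaton:
    """Finite automaton over the stack alphabet. Its initial states are the
    control states of the pushdown system: configuration <p, w> is accepted
    iff reading w from state p can end in a final state."""
    trans: set = field(default_factory=set)   # triples (state, stack_symbol, state)
    final: set = field(default_factory=set)

    def step(self, states, gamma):
        return {t for (s, g, t) in self.trans if s in states and g == gamma}

    def reach(self, state, word):
        """All states reachable from `state` by reading the stack word `word`."""
        cur = {state}
        for g in word:
            cur = self.step(cur, g)
            if not cur:
                break
        return cur

    def accepts(self, control, stack):
        return bool(self.reach(control, stack) & self.final)


def pre_star(rules, aut):
    """Saturate `aut` in place until it accepts pre*(L(aut)).

    rules: iterable of (p, gamma, p2, w) meaning <p, gamma> -> <p2, w>, with w a
    tuple of stack symbols (possibly empty: a return).
    Saturation rule: if <p, gamma> -> <p2, w> and p2 --w--> q in the current
    automaton, add p --gamma--> q. Precondition: no transition of the initial
    automaton leads INTO a control state (true for bad_configs() below)."""
    rules = list(rules)
    changed = True
    while changed:
        changed = False
        for (p, gamma, p2, w) in rules:
            for q in aut.reach(p2, w):
                if (p, gamma, q) not in aut.trans:
                    aut.trans.add((p, gamma, q))
                    changed = True
    return aut


# Constructed toy program (assumption of this example). Control states are the
# global authentication bit; stack symbols are program points / return addresses:
#   m0: main calls login(), returns to m1
#   m1: main calls admin_op(), returns to m2      m2: main returns
#   l0: body of login(), returns with the global bit set or unchanged
#   d0: body of admin_op(), returns
CONTROL = ("unauth", "auth")
SYMBOLS = ("m0", "m1", "m2", "l0", "d0")


def program_rules(checked):
    rules = [
        ("unauth", "m0", "unauth", ("l0", "m1")),  # main calls login
        ("unauth", "l0", "auth",   ()),            # login succeeds
        ("unauth", "l0", "unauth", ()),            # login fails
        ("auth",   "m1", "auth",   ("d0", "m2")),  # authenticated: call admin_op
    ]
    if checked:
        rules.append(("unauth", "m1", "unauth", ()))            # fixed: return without calling
    else:
        rules.append(("unauth", "m1", "unauth", ("d0", "m2")))  # bug: call admin_op anyway
    for s in CONTROL:                                            # returns from admin_op and main
        rules += [(s, "d0", s, ()), (s, "m2", s, ())]
    return rules


def bad_configs():
    """Automaton for the target set { <unauth, d0 w> : any w }:
    admin_op entered while the global state is still unauthenticated."""
    aut = PAutomaton(final={"q_bad"})
    aut.trans.add(("unauth", "d0", "q_bad"))
    for g in SYMBOLS:                      # q_bad accepts any rest of the stack
        aut.trans.add(("q_bad", g, "q_bad"))
    return aut


def unauth_admin_reachable(checked):
    """True iff the initial configuration <unauth, m0> lies in pre*(bad_configs)."""
    aut = pre_star(program_rules(checked), bad_configs())
    return aut.accepts("unauth", ("m0",))


if __name__ == "__main__":
    print("unchecked program reaches bad state:", unauth_admin_reachable(False))
    print("checked program reaches bad state:  ", unauth_admin_reachable(True))
```

The regular target set encodes "d0 on top of the stack with any return addresses below", so the analysis is context-sensitive for free: the saturated automaton answers membership for every configuration, not just the initial one, which is what the abstract means by representing (possibly infinite) sets of configurations symbolically.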
Regular Model Checking
, 2000
Abstract

Cited by 128 (20 self)
We present regular model checking, a framework for algorithmic verification of infinite-state systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular length-preserving relation on strings. Major problems in the verification of parameterized and infinite-state systems are to compute the set of states that are reachable from some set of initial states, and to compute the transitive closure of the transition relation. We present two complementary techniques for these problems. One is a direct automata-theoretic construction, and the other is based on widening. Both techniques are incomplete in general, but we give sufficient conditions under which they work. We also present a method for verifying ω-regular properties of parameterized systems, by computation of the transitive closure of a transition relation.
Model checking large software specifications
 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING
, 1998
Abstract

Cited by 117 (6 self)
In this paper, we present our experiences in using symbolic model checking to analyze a specification of a software system for aircraft collision avoidance. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in whether model checking can be effectively applied to large software specifications. To investigate this, we translated a portion of the state-based system requirements specification of Traffic Alert and Collision Avoidance System II (TCAS II) into input to a symbolic model checker (SMV). We successfully used the symbolic model checker to analyze a number of properties of the system. We report on our experiences, describing our approach to translating the specification to the SMV language, explaining our methods for achieving acceptable performance, and giving a summary of the properties analyzed. Based on our experiences, we discuss the possibility of using model checking to aid specification development by iteratively applying the technique early in the development cycle. We consider the paper to be a data point for optimism about the potential for more widespread application of model checking to software systems.
A Direct Symbolic Approach to Model Checking Pushdown Systems (Extended Abstract)
, 1997
Abstract

Cited by 113 (4 self)
This paper gives a simple and direct algorithm for computing the always regular set of reachable states of a pushdown system. It then exploits this algorithm for obtaining model checking algorithms for linear-time temporal logic as well as for the logic CTL. For the latter, a new technical tool is introduced: pushdown automata with transitions conditioned on regular predicates on the stack content. Finally, this technical tool is also used to establish that CTL model checking remains decidable when the formulas are allowed to include regular predicates on the stack content.
E-Services: A Look behind the Curtain
, 2003
Abstract

Cited by 103 (5 self)
The emerging paradigm of electronic services promises to bring to distributed computation and services the flexibility that the web has brought to the sharing of documents. An understanding of fundamental properties of e-service composition is required in order to take full advantage of the paradigm. This paper examines proposals and standards for e-services from the perspectives of XML, data management, workflow, and process models. Key areas for study are identified, including behavioral service signatures, verification and synthesis techniques for composite services, analysis of service data manipulation commands, and XML analysis applied to service specifications. We give a sample of the relevant results and techniques in each of these areas.
On-the-Fly Analysis of Systems with Unbounded, Lossy FIFO Channels
 In CAV'98. LNCS 1427
, 1998
Abstract

Cited by 71 (17 self)
We consider symbolic on-the-fly verification methods for systems of finite-state machines that communicate by exchanging messages via unbounded and lossy FIFO queues. We propose a novel representation formalism, called simple regular expressions (SREs), for representing sets of states of protocols with lossy FIFO channels. We show that the class of languages representable by SREs is exactly the class of downward closed languages that arise in the analysis of such protocols. We give methods for (i) computing inclusion between SREs, (ii) an SRE representing the set of states reachable by executing a single transition in a system, and (iii) an SRE representing the set of states reachable by an arbitrary number of executions of a control loop of a program. All these operations are rather simple and can be carried out in polynomial time. With these techniques, one can construct a semi-algorithm which explores the set of reachable states of a protocol, in order to check variou...
The Power of QDDs
, 1997
Abstract

Cited by 57 (1 self)
Queue-content Decision Diagrams (QDDs) are finite-automaton based data structures for representing (possibly infinite) sets of contents of a finite collection of unbounded FIFO queues. Their intended use is to serve as a symbolic representation of the possible queue contents that can occur in the state space of a protocol modeled by finite-state machines communicating through unbounded queues. This is done with the help of a loop-first search, a state-space exploration technique that attempts whenever possible to compute symbolically the effect of repeatedly executing a loop any number of times, making it possible to analyze protocols with infinite state spaces though without the guarantee of termination. This paper first solves a key problem concerning the use of QDDs in this context: it precisely characterizes when, and shows how, the operations required by a loop-first search can be applied to QDDs. Then, it addresses the problem of exploiting QDDs and loop-first searches to broad...
On Model Checking for Non-Deterministic Infinite-State Systems
, 1998
Abstract

Cited by 56 (4 self)
We demonstrate that many known algorithms for model checking infinite-state systems can be derived uniformly from a reachability procedure that generates a "covering graph", a generalization of the Karp-Miller graph for Petri Nets. Each node of the covering graph has an associated non-empty set of reachable states, which makes it possible to model check safety properties of the system on the covering graph. For systems with a well-quasi-ordered simulation relation, each infinite fair computation has a finite witness, which may be detected using the covering graph and combinatorial properties of the specific infinite state system. These results explain many known decidability results in a simple, uniform manner. This is a strong indication that the covering graph construction is appropriate for the analysis of infinite state systems. We also consider the new application domain of parameterized broadcast protocols, and indicate how to apply the construction in this domain. This application is illustrated on an invalidation-based cache coherency protocol, for which many safety properties can be proved fully automatically for an arbitrary number of processes.
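The covering-graph construction the abstract generalizes can be seen on the plain Petri-net case. The Python below is an added example and not code from the paper: it builds the classical Karp-Miller coverability graph for a small Petri net and checks a safety property on the nodes, in the way the abstract describes for the covering graph. The net (places idle, lock, crit; transitions spawn, acquire, release, and a deliberately racy `race` transition) is constructed for this illustration; it models one lock shared by an arbitrary number of processes, with `spawn` supplying unboundedly many of them, which is exactly what the ω-acceleration captures. The property "never two processes in crit" is checked as coverability of the marking (0, 0, 2). The paper's broadcast transitions and well-quasi-ordered simulation relations are not modelled.

```python
"""Karp-Miller coverability graph for a Petri net (added example, not the paper's code)."""
OMEGA = float("inf")   # "unboundedly many tokens"; inf - k == inf, inf >= n for every n

PLACES = ("idle", "lock", "crit")   # markings are tuples in this order


def enabled(m, pre):
    return all(m[i] >= pre[i] for i in range(len(m)))


def fire(m, pre, post):
    return tuple(m[i] - pre[i] + post[i] for i in range(len(m)))


def covers(m, target):
    """m >= target componentwise (OMEGA covers everything)."""
    return all(m[i] >= target[i] for i in range(len(m)))


def accelerate(m, ancestors):
    """Karp-Miller acceleration: if the new marking strictly covers an ancestor
    on the current path, the transitions between them can be repeated forever,
    so every place that grew is set to OMEGA."""
    m = list(m)
    for a in ancestors:
        if covers(tuple(m), a) and tuple(m) != a:
            for i in range(len(m)):
                if m[i] > a[i]:
                    m[i] = OMEGA
    return tuple(m)


def karp_miller(transitions, init):
    """Return (nodes, edges) of the coverability graph. Depth-first; a marking
    already present as a node is linked to but not expanded again."""
    nodes = {init}
    edges = []
    stack = [(init, ())]            # (marking, path of ancestor markings)
    while stack:
        m, path = stack.pop()
        for name, pre, post in transitions:
            if not enabled(m, pre):
                continue
            m2 = accelerate(fire(m, pre, post), path + (m,))
            edges.append((m, name, m2))
            if m2 not in nodes:
                nodes.add(m2)
                stack.append((m2, path + (m,)))
    return nodes, edges


def coverable(transitions, init, target):
    """Safety check on the graph: is some node of the coverability graph >= target?"""
    nodes, _ = karp_miller(transitions, init)
    return any(covers(n, target) for n in nodes)


# Constructed toy net (assumption of this example): transitions as (name, pre, post)
# over (idle, lock, crit).
SPAWN   = ("spawn",   (0, 0, 0), (1, 0, 0))   # a new process appears in idle
ACQUIRE = ("acquire", (1, 1, 0), (0, 0, 1))   # idle + lock -> crit
RELEASE = ("release", (0, 0, 1), (1, 1, 0))   # crit -> idle + lock
RACE    = ("race",    (1, 0, 0), (0, 0, 1))   # bug: enter crit without taking the lock

INIT = (0, 1, 0)          # no processes yet, lock free
TWO_IN_CRIT = (0, 0, 2)   # the bad marking: mutual exclusion violated


def mutex_holds(transitions):
    """True iff no reachable marking (for any number of processes) covers TWO_IN_CRIT."""
    return not coverable(transitions, INIT, TWO_IN_CRIT)


if __name__ == "__main__":
    nodes, _ = karp_miller([SPAWN, ACQUIRE, RELEASE], INIT)
    print("coverability graph nodes:", sorted(map(str, nodes)))
    print("mutex holds (correct net):", mutex_holds([SPAWN, ACQUIRE, RELEASE]))
    print("mutex holds (racy net):   ", mutex_holds([SPAWN, ACQUIRE, RELEASE, RACE]))
```

For the correct net the graph has three nodes, (0, 1, 0), (ω, 1, 0) and (ω, 0, 1): idle is accelerated to ω after the first spawn, while crit never exceeds 1 because every token in crit consumed the single lock token. Adding the racy transition produces the node (ω, 1, ω), which covers (0, 0, 2), so the property fails for some number of processes. Since the graph is finite it is a proof for every instance of the parameter at once, which is the point of the covering-graph approach to parameterized protocols.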
Transitive Closures of Regular Relations for Verifying InfiniteState Systems
Abstract

Cited by 48 (3 self)
We consider a model for representing infinite-state and parameterized systems, in which states are represented as strings over a finite alphabet. Actions are transformations on strings, in which the change can be characterized by an arbitrary finite-state transducer. This program model is able to represent programs operating on a variety of data structures, such as queues, stacks, integers, and systems with a parameterized linear topology. The main contribution of this paper is an effective derivation of a general and powerful transitive closure operation for this model. The transitive closure of an action represents the effect of executing the action an arbitrary number of times. For example, the transitive closure of an action which transmits a single message to a buffer will be an action which sends an arbitrarily long sequence of messages to the buffer. Using this transitive closure operation, we show how to model and automatically verify safety properties for severa...