Results 1-10 of 16
Automatic verification of finite-state concurrent systems using temporal logic specifications
ACM Transactions on Programming Languages and Systems, 1986
Cited by 1173 (58 self)
Abstract
We give an efficient procedure for verifying that a finite-state concurrent system meets a specification expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global state graph for the concurrent system. We also show how this approach can be adapted to handle fairness. We argue that our technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems. Experimental results show that state machines with several hundred states can be checked in a matter of seconds.
Automatic verification of sequential circuits using temporal logic
IEEE Transactions on Computers C-35, 1986
Cited by 74 (11 self)
Abstract
Verifying the correctness of sequential circuits has been an important problem for a long time. But lack of any formal and efficient method of verification has prevented the creation of practical design aids for this purpose. Since all the known techniques of simulation and prototype testing are time consuming and not very reliable, there is an acute need for such tools. In this paper we describe an automatic verification system for sequential circuits in which specifications are expressed in a propositional temporal logic. In contrast to most other mechanical verification systems, our system does not require any user assistance and is quite fast: experimental results show that state machines with several hundred states can be checked for correctness in a matter of seconds! The verification system uses a simple and efficient algorithm, called a model checker. The algorithm works in two steps: in the first step, it builds a labeled state-transition graph; and in the second step, it determines the truth of a temporal formula with respect to the state-transition graph. We discuss two different techniques that we have implemented for automatically generating the state-transition graphs: The first involves extracting the state graph directly from the circuit by exhaustive simulation. The second obtains the state graph by compilation from an HDL specification of the original circuit.
Index Terms: Asynchronous circuits, hardware verification, sequential circuit verification, temporal logic, temporal logic model checking.
Efficient Detection of Vacuity in ACTL Formulas
FMSD, 1997
Cited by 42 (4 self)
Abstract
Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define w-ACTL, a subset of CTL, and show by construction that for every w-ACTL formula \phi there is a formula w(\phi), such that both \phi and w(\phi) are true in some model M iff \phi passes vacuously. A useful side-effect of w(\phi) is that if false, any counterexample is also a non-trivial witness of the original formula \phi.
On-The-Fly Model Checking of RCTL Formulas
In Proc. 10th International Conference on Computer Aided Verification (CAV'98), LNCS 1427, 1998
Cited by 40 (14 self)
Abstract
The specification language RCTL, an extension of CTL, is defined by adding the power of regular expressions to CTL. In addition to being a more expressive and natural hardware specification language than CTL, a large family of RCTL formulas can be verified on-the-fly (during symbolic reachability analysis). On-the-fly model checking, as a powerful verification paradigm, is especially efficient when the specification is false and extremely efficient when the computation needed to get to a failing state is short. It is suitable for the inherently gradual design process since it detects a multitude of bugs at the early verification stages, and paves the way towards finding the more complex errors as the design matures. It is shown that for every erroneous finite computation, there is an RCTL formula that detects it and can be verified on-the-fly. On-the-fly verification of RCTL formulas has moved model checking in IBM into a different class of designs inaccessible by prior techniques.
Automated Software Testing Using Model Checking
1996
Cited by 37 (0 self)
Abstract
White-box testing allows developers to determine whether or not a program is partially consistent with its specified behavior and design through the examination of intermediate values of variables during program execution. These intermediate values are often recorded as an execution trace produced by monitoring code inserted into the program. After program execution, the values in an execution trace are compared to values predicted by the specified behavior and design. Inconsistencies between predicted and actual values can lead to the discovery of errors in the specification and its implementation. This paper describes an approach to (1) verify the execution traces created by monitoring statements during white-box testing using a model checker as a semantic tableau; (2) organize multiple execution traces into distinct equivalence partitions based on requirements specifications written in linear temporal logic (LTL); and (3) use the counterexample generation mechanisms found in most model-checker tools to generate new test cases for unpopulated equivalence partitions.
Efficient Detection of Vacuity in Temporal Model Checking
Formal Methods in System Design, 2001
Cited by 22 (5 self)
Abstract
The ability to generate a counterexample is an important feature of model checking tools, because a counterexample provides information to the user in the case that the formula being checked is found to be non-valid. In this paper, we turn our attention to providing similar feedback to the user in the case that the formula is found to be valid, because valid formulas can hide real problems in the model. For instance, propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is trivially valid because the precondition of the implication is not satisfiable. We call this vacuity, and extend the definition to cover other kinds of trivial validity. For non-vacuously valid formulas, we define an interesting witness as a non-trivial example of the validity of the formula. We formalize the notions of vacuity and interesting witness, and show how to detect vacuity and generate interesting witnesses in temporal model checking. Finally, we provide a practical solution for a useful subset of ACTL formulas.
A Grainless Semantics for Parallel Programs with Shared Mutable Data
Cited by 15 (1 self)
Abstract
We provide a new denotational semantic model, based on "footstep traces", for parallel programs which share mutable state. The model embodies a classic principle proposed by Dijkstra: processes should be treated independently, with interference occurring only at synchronization points. The result is a model which makes fewer distinctions between programs than traditional trace models, helping to mitigate the combinatorial explosion triggered by interleaving. Indeed, for a sequential or synchronization-free program the footstep trace semantics is equivalent to a nondeterministic state transformation. The new model can be used to validate the soundness of concurrent separation logic, replacing the action trace semantic model used in previous work for that purpose and yielding a conceptually simpler proof. We include some example programs to facilitate comparison with earlier models, and we discuss briefly the relationship with a recent model by John Reynolds in which actions have discernible starts and finishes.
Generating Test Oracles via Model Checking
NASA/WVU Software Research Lab, 1998
Cited by 12 (0 self)
Abstract
This paper describes a method for automatically generating (and regenerating) test oracles during software development using the counterexample generation mechanism found in most model checker tools. Given a state-based specification of a system, our method helps organize test cases into a complete cover of disjoint equivalence partitions on a test space. These partitions are comprised of paths in the test space that conform to specified requirements written in linear temporal logic (LTL) formulae or quantified regular expressions (QRE). The oracles can also be used to drive test executions in cases where the test environment must generate events and conditions in order to force particular behaviors in nondeterministic systems.
Keywords: specification-based testing, formal methods, model checking
INTRODUCTION
Software developers often use models to reason about the design of their systems, but keeping the models and source code in fidelity during development is a difficult task [1]...
Using Symbolic Model Checking to Verify the Railway Stations of Hoorn-Kersenboogerd and Heerhugowaard
1999
Cited by 10 (3 self)
Abstract
Stålmarck's proof procedure is a method of tautology checking that has been used to verify railway interlocking software. Recently, it has been proposed [SS98] that the method has potential to increase the capacity of formal verification tools for hardware. In this paper, we examine this potential in light of an experiment in the opposite direction: the application of symbolic model checking to railway interlocking software previously verified with Stålmarck's method. We show that these railway systems share important characteristics which distinguish them from most hardware designs, and that these differences raise some doubts about the applicability of Stålmarck's method to hardware verification.
Proving the Value of Formal Methods
Proc. 7th FORTE Conference, 1994
Cited by 5 (1 self)
Abstract
The record of successful applications of formal verification techniques is slowly growing. Our ultimate aim, however, is not to perform small pilot projects that show that verification is sometimes feasible in an industrial setting; our aim must be to integrate verification techniques into the software design cycle as a non-negotiable part of quality control.