Alternating-time Temporal Logic
Journal of the ACM, 1997
Cited by 477 (48 self)
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.
An automata-theoretic approach to linear temporal logic
Logics for Concurrency: Structure versus Automata, volume 1043 of Lecture Notes in Computer Science, 1996
Cited by 232 (22 self)
The automata-theoretic approach to linear temporal logic uses the theory of automata as a unifying paradigm for program specification, verification, and synthesis. Both programs and specifications are in essence descriptions of computations. These computations can be viewed as words over some alphabet. Thus, programs and specifications can be viewed as descriptions of languages over some alphabet. The automata-theoretic perspective considers the relationships between programs and their specifications as relationships between languages. By translating programs and specifications to automata, questions about programs and their specifications can be reduced to questions about automata. More specifically, questions such as satisfiability of specifications and correctness of programs with respect to their specifications can be reduced to questions such as nonemptiness and containment of automata. Unlike classical automata theory, which focused on automata on finite words, the applications to program specification, verification, and synthesis use automata on infinite words, since the computations in which we are interested are typically infinite. This paper provides an introduction to the theory of automata on infinite words and demonstrates its applications to program specification, verification, and synthesis.
On the Synthesis of Discrete Controllers for Timed Systems
In E.W. Mayr and C. Puech (Eds), Proc. STACS'95, LNCS 900, 1995
Cited by 201 (20 self)
This paper presents algorithms for the automatic synthesis of real-time controllers by finding a winning strategy for certain games defined by the timed automata of Alur and Dill. In such games, the outcome depends on the players' actions as well as on their timing. We believe that these results will pave the way for the application of program synthesis techniques to the construction of real-time embedded systems from their specifications.
Symbolic Controller Synthesis for Discrete and Timed Systems
Hybrid Systems II, LNCS 999, 1995
Cited by 114 (17 self)
This paper presents algorithms for the symbolic synthesis of discrete and real-time controllers. At the semantic level the controller is synthesized by finding a winning strategy for certain games defined by automata or by timed automata. The algorithms for finding such strategies need, one way or another, to search the state space of the system, which grows exponentially with the number of components. Symbolic methods allow such a search to be conducted without necessarily enumerating the state space. This is achieved by representing sets of states using formulae (syntactic objects) over state variables. Although in the worst case such methods are as bad as enumerative ones, many huge practical problems can be treated by fine-tuned symbolic methods. In this paper the scope of these methods is extended from analysis to synthesis and from purely discrete systems to real-time systems. We believe that these results will pave the way for the application of program synthesis techniques to...
Verifying properties of large sets of processes with network invariants
In Automatic Verification Methods for Finite State Systems, 1990
Cited by 103 (0 self)
If a system is built from a large number of identical finite-state processes, it seems intuitively obvious that, with the help of "a little induction", the verification of such a system can be reduced to a finite-state problem. The difficulty is to find the right form of "a little induction". There have been several attempts to address this problem in the context of model-checking [CGBS6], [CGS7], [GSS7]. In very general terms (see Section 6 for more details), the approach is to find ways of proving that if a process satisfies a formula, then the n-fold parallel composition of this process with itself still satisfies the same (or a related) formula. This approach makes some interesting verifications possible. However, it has its limits and usually requires the implementation of special purpose tools. In this paper, we propose an alternative approach. It is an attempt to make the "little induction" explicit and simple. If one wants to prove that some property holds for the composition of n processes P, one ought to be able to proceed as follows. Prove that one process satisfies the property or, as is often necessary when using induction, a stronger property I. Then prove that the composition of any process satisfying I with one of the processes P still satisfies I. Such a property I essentially represents the joint behavior of any number of processes P. Since adding one more process P to a network satisfying I does not change I, we call it a network invariant. All this is general and quite obvious. The problem is to find a framework in which it works. For this, we turn to process theory in the style of CCS and CSP [MilS0], [Hoa85]. We actually use a variant of TCSP, but this choice is not important as long as some conditions made explicit in Section 2 are satisfied. The idea is that the network invariant I is itself expressed as a process. The inductive step then essentially reduces to proving in the process theory that I ∥ P is a process equal to or stronger than I. Of course, if the processes are finite-state, this can be done with an automatic verification tool. Hence, once the invariant I is found, our method is completely automatic.
Synthesizing State-Based Object Systems from LSC Specifications
2000
Cited by 90 (22 self)
Live sequence charts (LSCs) have been defined recently as an extension of message sequence charts (MSCs, or their UML variant, sequence diagrams) for rich inter-object specification. One of the main additions is the notion of universal charts and hot, mandatory behavior, which, among other things, enables one to specify forbidden scenarios. LSCs are thus essentially as expressive as statecharts. This paper deals with synthesis, which is the problem of deciding, given an LSC specification, if there exists a satisfying object system and, if so, to synthesize one automatically. The synthesis problem is crucial in the development of complex systems, since sequence diagrams serve as the manifestation of use cases, whether used formally or informally, and if synthesizable they could lead directly to implementation. Synthesis is considerably harder for LSCs than for MSCs, and we tackle it by defining consistency, showing that an entire LSC specification is consistent iff it is satisfiable by a state-based object system, and then synthesizing a satisfying system as a collection of finite state machines or statecharts.
Generalized model checking: Reasoning about partial state spaces
CONCUR, Lecture Notes in Computer Science 1877, 2000
Smart Play-Out of Behavioral Requirements
The Weizmann Institute of Science, 2002
Cited by 58 (39 self)
We describe a methodology for executing scenario-based requirements of reactive systems, focusing on "playing-out" the behavior using formal verification techniques for driving the execution. The methodology is implemented in full in our play-engine tool. The approach appears to be useful in many stages in the development of reactive systems, and might also pave the way to systems that are constructed directly from their requirements, without the need for intra-object or intra-component modeling or coding.
Synthesizing Distributed Systems
2001
Cited by 49 (1 self)
In system synthesis, we transform a specification into a system that is guaranteed to satisfy the specification. When the system is distributed, the goal is to construct the system's underlying processes. Results on multi-player games imply that the synthesis problem for linear specifications is undecidable for general architectures, and is nonelementary decidable for hierarchical architectures, where the processes are linearly ordered and information among them flows in one direction. In this paper we present a significant extension of this result. We handle both linear and branching specifications, and we show that a sufficient condition for decidability of the synthesis problem is a linear or cyclic order among the processes, in which information flows in either one or both directions. We also allow the processes to have internal hidden variables, and we consider communications with and without delay. Many practical applications fall into this class.
Weak alternating automata and tree automata emptiness
In Proc. 30th STOC, 1998
Cited by 35 (17 self)
Automata on infinite words and trees are used for specification and verification of nonterminating programs. The verification and the satisfiability problems of specifications can be reduced to the nonemptiness problem of such automata. In a weak automaton, the state space is partitioned into partially ordered sets, and the automaton can proceed from a certain set only to smaller sets. Reasoning about weak automata is easier than reasoning about automata with no restricted structure. In particular, the nonemptiness problem for weak alternating automata over a singleton alphabet can be solved in linear time. Known translations of alternating automata to weak alternating automata involve determinization, and therefore involve a double exponential blowup. In this paper we describe simple and efficient translations, which circumvent the need for determinization, of parity and Rabin alternating word automata to weak alternating word automata. Beyond the independent interest of such translations, they give rise to a simple algorithm for deciding the nonemptiness of nondeterministic parity and Rabin tree automata. In particular, our algorithm for Rabin automata runs in