Results 1-10 of 353
MOCHA: Modularity in Model Checking
1998
Cited by 158 (20 self)
this paper, we describe the toolkit MOCHA in which the proposed approach is being implemented. The input language of MOCHA is a machine readable variant of reactive modules. The following functionalities are currently being supported:
Alternating refinement relations
In Proceedings of the Ninth International Conference on Concurrency Theory (CONCUR’98), volume 1466 of LNCS, 1998
Cited by 123 (16 self)
Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the system (which may involve some or all components), in alternating transition systems, each transition corresponds to a possible move in a game between the components. In this paper, we study refinement relations between alternating transition systems, such as “Does the implementation refine the set £ of specification components without constraining the components not in £?” In particular, we generalize the definitions of the simulation and trace containment preorders from labeled transition systems to alternating transition systems. The generalizations are called alternating simulation and alternating trace containment. Unlike existing refinement relations, they allow the refinement of individual components within the context of a composite system description. We show that, like ordinary simulation, alternating simulation can be checked in polynomial time using a fixpoint computation algorithm. While ordinary trace containment is PSPACE-complete, we establish alternating trace containment to be EXPTIME-complete. Finally, we present logical characterizations for the two preorders in terms of ATL, a temporal logic capable of referring to games between system components.
Synthesis of interface specifications for Java classes
In POPL, 2005
Cited by 110 (4 self)
While a typical software component has a clearly specified (static) interface in terms of the methods and the input/output types they support, information about the correct sequencing of method calls the client must invoke is usually undocumented. In this paper, we propose a novel solution for automatically extracting such temporal specifications for Java classes. Given a Java class, and a safety property such as “the exception E should not be raised”, the corresponding (dynamic) interface is the most general way of invoking the methods in the class so that the safety property is not violated. Our synthesis method first constructs a symbolic representation of the finite state-transition system obtained from the class using predicate abstraction. Constructing the interface then corresponds to solving a partial-information two-player game on this symbolic graph. We present a sound approach to solve this computationally hard problem approximately using algorithms for learning finite automata and symbolic model checking for branching-time logics. We describe an implementation of the proposed techniques in the tool JIST (Java Interface Synthesis Tool) and demonstrate that the tool can construct interfaces accurately and efficiently for sample Java 2 SDK library classes.
Interface Theories for Component-based Design
2001
Cited by 108 (17 self)
We classify component-based models of computation into component models and interface models. A component model specifies for each component how the component behaves in an arbitrary environment; an interface model specifies for each component what the component expects from the environment.
Learning assumptions for compositional verification
2003
Cited by 105 (16 self)
Compositional verification is a promising approach to addressing the state explosion problem associated with model checking. One compositional technique advocates proving properties of a system by checking properties of its components in an assume-guarantee style. However, the application of this technique is difficult because it involves nontrivial human input. This paper presents a novel framework for performing assume-guarantee reasoning in an incremental and fully automated fashion. To check a component against a property, our approach generates assumptions that the environment needs to satisfy for the property to hold. These assumptions are then discharged on the rest of the system. Assumptions are computed by a learning algorithm. They are initially approximate, but become gradually more precise by means of counterexamples obtained by model checking the component and its environment, alternately. This iterative process may at any stage conclude that the property is either true or false in the system. We have implemented our approach in the LTSA tool and applied it to a NASA system.
Logics for Hybrid Systems
Proceedings of the IEEE, 2000
Cited by 93 (7 self)
This paper offers a synthetic overview of, and original contributions to, the use of logics and formal methods in the analysis of hybrid systems.
A game theoretic approach to controller design for hybrid systems
Proceedings of the IEEE, 2000
Cited by 89 (29 self)
We present a method to design controllers for safety specifications in hybrid systems. The hybrid system combines discrete event dynamics with nonlinear continuous dynamics: the discrete event dynamics model linguistic and qualitative information and naturally accommodate mode switching logic, and the continuous dynamics model the physical processes themselves, such as the continuous response of an aircraft to the forces of aileron and throttle. Input variables model both continuous and discrete control and disturbance parameters. We translate safety specifications into restrictions on the system’s reachable sets of states. Then, using analysis based on optimal control and game theory for automata and continuous dynamical systems, we derive Hamilton–Jacobi equations whose solutions describe the boundaries of reachable sets. These equations are the heart of our general controller synthesis technique for hybrid systems, in which we calculate feedback control laws for
Assumption generation for software component verification
In ASE’02: Automated Software Engineering, 2002
Cited by 82 (11 self)
Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. The typical approach to verifying properties of software components is to check them for all possible environments. In reality, however, a component is only required to satisfy properties in specific environments. Unless these environments are formally characterized and used during verification (assume-guarantee paradigm), the results returned by verification can be overly pessimistic. This work defines a framework that brings a new dimension to model checking of software components. When checking a component against a property, our model checking algorithms return one of the following three results: the component satisfies a property for any environment; the component violates the property for any environment; or finally, our algorithms generate an assumption that characterizes exactly those environments in which the component satisfies its required property. Our approach has been implemented in the LTSA tool and has been applied to the analysis of a NASA application.
Tractable Multiagent Planning for Epistemic Goals
In Proceedings of the First International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2002), 2002
Cited by 67 (10 self)
agent or group of agents. In this paper, we address the problem of how plans might be developed for a group of agents to cooperate to bring about such a goal. We present a novel approach to this problem, in which the problem is formulated as one of model checking in Alternating Temporal Epistemic Logic (ATEL). After introducing this logic, we present a model checking algorithm for it, and show that the model checking problem for this logic is tractable. We then show how multiagent planning can be treated as a model checking problem in ATEL, and discuss the related issue of checking knowledge preconditions for multiagent plans. We illustrate the approach with an example. We then describe how this example was implemented using the MOCHA model checking system, and conclude by discussing the relationship of our work with that of others in the planning and speech acts communities.
Cooperation, Knowledge, and Time: Alternating-time Temporal Epistemic Logic and its Applications
Copyright 2004 ACM, 2003
Cited by 53 (7 self)
Branching-time temporal logics have proved to be an extraordinarily successful tool in the formal specification and verification of distributed systems. Much of their success stems from the tractability of the model checking problem for the branching-time logic ctl, which has made it possible to implement tools that allow designers to automatically verify that systems satisfy requirements expressed in ctl. Recently, ctl was generalised by Alur, Henzinger, and Kupferman in a logic known as "Alternating-time Temporal Logic" (atl). The key insight in atl is that the path quantifiers of ctl could be replaced by "cooperation modalities", of the form where # is a set of agents. The intended interpretation of an atl formula is that the agents # can cooperate to ensure that # holds (equivalently, that # have a winning strategy for #). In this paper, we extend atl with knowledge modalities, of the kind made popular in the work of Fagin, Halpern, Moses, Vardi and colleagues. Combining these knowledge modalities with atl, it becomes possible to express such properties as "group # can cooperate to bring about # iff it is common knowledge in # that #". The resulting logic, Alternating-time Temporal Epistemic Logic (atel), shares the tractability of model checking with its atl parent, and is a succinct and expressive language for reasoning about game-like multiagent systems.