## Model Checking: Software and Beyond

Citations: 6 (0 self)

### BibTeX

```bibtex
@MISC{Clarke_modelchecking:,
  author = {Edmund M. Clarke and Flavio Lerda},
  title = {Model Checking: Software and Beyond},
  year = {}
}
```

### Abstract

Temporal logic model checking, first developed by Clarke and Emerson [1] and independently discovered by Queille and Sifakis [2], is an automated technique for the verification of finite-state systems. The specification is expressed as a

### Citations

3153 | Graph-based algorithms for boolean function manipulation
- Bryant
Citation Context: ...s and transitions. Model checking is performed directly on the BDD representations. Reduced Ordered Binary Decision Diagrams, or ROBDDs, are an efficient data structure to represent Boolean functions [13]. Given a set of variables V = {x1, ..., xn}, a binary decision diagram is a directed acyclic graph where each non-terminal vertex v has two successors true(v) and false(v) and is labeled by a variab...

2666 | Model Checking
- Clarke, Grumberg, et al.
- 2001
Citation Context: ...tablishing whether a system is a model for a given formula, i.e., if it satisfies its specification. Model checking has had a big impact on formal verification over the past twenty-five years [3], [4]. Section II describes the basic algorithm for temporal logic model checking, as well as some of the breakthroughs in this area. Section III introduces some recent developments and ideas for future re...

2168 | A theory of timed automata
- Alur, Dill
- 1994
Citation Context: ... depends on the exact timing of events. As a consequence, models must include the time at which events occur. A commonly used formalism to model and reason about timed systems is timed automata [34], [35]. Timed automata are an extension of finite state automata that define a set of real-valued clock variables. The state space of a timed automaton can be infinite as the clocks assume values from the r...

1304 | The temporal logic of programs
- Pnueli
- 1977
Citation Context: ...y given by means of a Kripke structure, a labeled graph that represents the possible states of a system and the transitions between them. The specification, instead, is expressed using temporal logic [5], an extension of propositional logic that allows reasoning about the relative timing of events. In the following, we will describe Kripke structures and temporal logics. Kripke Structures. A Kripke st...

1246 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- Clarke, Emerson, et al.
- 1986
Citation Context: ...cient way. In this section, we present two model checking algorithms, one for specifications expressed using CTL and one for specifications expressed using LTL. CTL Model Checking. The algorithm [1], [9] assumes that the specification f is a CTL formula. Every CTL formula can be rewritten in terms of only EX, EG, EU, ¬, and ∧. The algorithm labels each state with the sub-formulas of f that hold at th...

1203 | Chaff: Engineering an efficient SAT solver
- Moskewicz, Madigan, et al.
- 2001

1122 | A computing procedure for quantification theory
- Davis, Putnam
- 1960
Citation Context: ...arge number of Boolean variables [16]. Most modern SAT solvers take as input a Boolean formula in conjunctive normal form (CNF) and are based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [17], [18]. If the formula is satisfiable, they produce a satisfying assignment; if it is not, they produce a proof of unsatisfiability. In the context of model checking, SAT solvers have become popular s...

770 | Symbolic model checking without BDDs
- Biere, Cimatti, et al.
- 1999
Citation Context: ... present, it is necessary to repeat the check for a greater length. The procedure continues until either a counterexample is found or the completeness threshold is reached. The completeness threshold [20] is the minimum length such that, if the specification is violated, there exists a counterexample shorter than that length. Bounds on the completeness threshold of various classes of specifications ha...

662 | Counterexample-guided abstraction refinement for symbolic model checking
- Clarke, Lu, et al.
- 2003
Citation Context: ...at the verification of software. Some of the techniques for software model checking that have been very successful are predicate abstraction [31] and counterexample-guided abstraction refinement [32], [33]. These techniques have made model checking of software feasible. Infinite-State Systems. While the state space of a software system may be very large, under certain conditions, it is still finite. This is n...

647 | Construction of abstract state graphs with PVS
- Graf, Saïdi
- 1997
Citation Context: ...0], just to cite a few, have been developed that are aimed at the verification of software. Some of the techniques for software model checking that have been very successful are predicate abstraction [31] and counterexample-guided abstraction refinement [32], [33]. These techniques have made model checking of software feasible. Infinite-State Systems. While the state space of a software system may be very lar...

620 | An automata-theoretic approach to automatic program verification
- Vardi, Wolper
- 1986
Citation Context: ...al strongly connected component of Gf is labeled by EG f. Moreover, every predecessor of a state labeled by EG f that is itself labeled by f is also labeled by EG f. LTL Model Checking. The algorithm [10] assumes that the specification is an LTL formula, i.e., of the form A g. Checking that the system satisfies the formula A g is equivalent to checking that it satisfies ¬E ¬g. The algorithm constructs...

570 | A machine program for theorem-proving
- Davis, Logemann, et al.
- 1962
Citation Context: ...umber of Boolean variables [16]. Most modern SAT solvers take as input a Boolean formula in conjunctive normal form (CNF) and are based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [17], [18]. If the formula is satisfiable, they produce a satisfying assignment; if it is not, they produce a proof of unsatisfiability. In the context of model checking, SAT solvers have become popular since t...

547 | Symbolic Model Checking: An Approach to the State Explosion Problem
- McMillan
- 1992
Citation Context: ...ction R(s, s′) over V ∪ V′ that evaluates to true if a transition from s to s′ is possible. A CTL model checking algorithm that operates on sets of states represented as BDDs was proposed in [14], [15]. As before, we need to consider only EX, EG, EU, ∧, and ¬, as formulas can be rewritten to contain only these operators and atomic propositions. The set of states labeled by an atomic proposition can...

506 | Automata on infinite objects
- Thomas
- 1990

485 | Lazy abstraction
- Henzinger, Jhala, et al.
Citation Context: ...odel checking and other formal verification techniques. Software Model Checking. More recently, software has been the focus of much effort in the model checking community. Tools like SLAM [27], BLAST [28], MAGIC [29], and CBMC [30], just to cite a few, have been developed that are aimed at the verification of software. Some of the techniques for software model checking that have been very successful a...

437 | Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach
- Kurshan
- 1994
Citation Context: ...aimed at the verification of software. Some of the techniques for software model checking that have been very successful are predicate abstraction [31] and counterexample-guided abstraction refinement [32], [33]. These techniques have made model checking of software feasible. Infinite-State Systems. While the state space of a software system may be very large, under certain conditions, it is still finite. Thi...

383 | Model-checking for real-time systems
- Alur, Courcoubetis, et al.
- 1990
Citation Context: ...system depends on the exact timing of events. As a consequence, models must include the time at which events occur. A commonly used formalism to model and reason about timed systems is timed automata [34], [35]. Timed automata are an extension of finite state automata that define a set of real-valued clock variables. The state space of a timed automaton can be infinite as the clocks assume values from...

383 | Formal Methods: State of the Art and Future Direction
- Clarke, Wing
- 1996
Citation Context: ...at establishing whether a system is a model for a given formula, i.e., if it satisfies its specification. Model checking has had a big impact on formal verification over the past twenty-five years [3], [4]. Section II describes the basic algorithm for temporal logic model checking, as well as some of the breakthroughs in this area. Section III introduces some recent developments and ideas for futu...

288 | Simple on-the-fly automatic verification of linear temporal logic
- Gerth, Peled, et al.
- 1995
Citation Context: ...ition is a counterexample. The LTL model checking algorithm constructs a Büchi automaton [11] B¬g that accepts the traces that satisfy ¬g. Different algorithms for doing this have been proposed [10], [12]. Given the Kripke structure M corresponding to the system, an equivalent Büchi automaton BM is constructed. The model checking algorithm constructs, on-the-fly, the synchronous composition of the two...

271 | ‘Sometimes’ and ‘Not Never’ Revisited: On Branching versus Linear Time Temporal Logic
- Emerson, Halpern
- 1986
Citation Context: ...time and can reason about multiple paths at once. The latter uses a linear notion of time and considers a single path at a time. Both CTL and LTL can be expressed in terms of the temporal logic CTL* [8]. CTL and LTL formulas represent two overlapping, but different subsets of CTL* formulas. The temporal logic CTL* defines two path quantifiers (the universal path quantifier A and the existential pa...

251 | Specification and verification of concurrent systems in CESAR
- Queille, Sifakis
- 1982

234 | Bebop: A symbolic model checker for boolean programs
- Ball, Rajamani
- 2000
Citation Context: ...been using model checking and other formal verification techniques. Software Model Checking. More recently, software has been the focus of much effort in the model checking community. Tools like SLAM [27], BLAST [28], MAGIC [29], and CBMC [30], just to cite a few, have been developed that are aimed at the verification of software. Some of the techniques for software model checking that have been very ...

222 | Interpolation and SAT-Based Model Checking
- McMillan
- 2003
Citation Context: ...ht bounds on the completeness threshold can be determined. However, complete methods based on bounded model checking that rely on alternative methods to determine termination have been proposed [23], [24], [25]. III. SOFTWARE AND BEYOND. The previous section described some of the seminal work in model checking. One of the application domains in which model checking has seen most successes is hardware: ...

222 | Kronos: a verification tool for real-time systems
- Yovine
- 1997
Citation Context: ...tate space of a timed automaton can be infinite as the clocks assume values from the reals. Specialized algorithms and data structures have been developed that enable model checking of timed automata [36], [37], [38]. Hybrid Systems. Another example of infinite state systems, hybrid systems are characterized by the presence of discrete and continuous components. The continuous components are usually d...

204 | Synthesis of synchronization skeletons for branching time temporal logic
- Clarke, Emerson
- 1981
Citation Context: ...lavio Lerda, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA 15213, email: flerda+@cs.cmu.edu. I. INTRODUCTION. Temporal logic model checking, first developed by Clarke and Emerson [1] and independently discovered by Queille and Sifakis [2], is an automated technique for the verification of finite-state systems. The specification is expressed as a logical formula. Model checking ai...

174 | The temporal logic of branching time
- Ben-Ari, Pnueli, et al.
- 1983
Citation Context: ...of propositional logic where temporal operators are introduced to reason about the timing of events. In model checking, two alternative temporal logics are commonly used: Computation Tree Logic (CTL) [6] and Linear-Time Temporal Logic (LTL) [7]. The former uses a branching notion of time and can reason about multiple paths at once. The latter uses a linear notion of time and considers a single path a...

166 | Checking safety properties using induction and a SAT solver
- Sheeran, Singh, et al.
- 2000
Citation Context: ...ss tight bounds on the completeness threshold can be determined. However, complete methods based on bounded model checking that rely on alternative methods to determine termination have been proposed [23], [24], [25]. III. SOFTWARE AND BEYOND. The previous section described some of the seminal work in model checking. One of the application domains in which model checking has seen most successes is hard...

157 | The temporal semantics of concurrent programs
- Pnueli
- 1982
Citation Context: ...rators are introduced to reason about the timing of events. In model checking, two alternative temporal logics are commonly used: Computation Tree Logic (CTL) [6] and Linear-Time Temporal Logic (LTL) [7]. The former uses a branching notion of time and can reason about multiple paths at once. The latter uses a linear notion of time and considers a single path at a time. Both CTL and LTL can be express...

151 | Chaff: Engineering an Efficient
- Moskewicz, Madigan, et al.
- 2001
Citation Context: ...l example of an NP-complete problem, has been the focus of a lot of attention in recent years. SAT solvers have been developed that are able to handle problems with a large number of Boolean variables [16]. Most modern SAT solvers take as input a Boolean formula in conjunctive normal form (CNF) and are based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [17], [18]. If the formula is satisfi...

119 | Specification and Verification of Concurrent Systems
- Queille, Sifakis
- 1982
Citation Context: ... University, Pittsburgh, PA 15213, email: flerda+@cs.cmu.edu. I. INTRODUCTION. Temporal logic model checking, first developed by Clarke and Emerson [1] and independently discovered by Queille and Sifakis [2], is an automated technique for the verification of finite-state systems. The specification is expressed as a logical formula. Model checking aims at establishing whether a system is a model for a giv...

97 | Lazy abstraction
- Henzinger, Jhala, Majumdar, Sutre
- 2002

75 | Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking
- Clarke, Kroening, Yorav
Citation Context: ...mal verification techniques. Software Model Checking. More recently, software has been the focus of much effort in the model checking community. Tools like SLAM [27], BLAST [28], MAGIC [29], and CBMC [30], just to cite a few, have been developed that are aimed at the verification of software. Some of the techniques for software model checking that have been very successful are predicate abstraction [3...

72 | Automata on infinite objects, Handbook of Theoretical Computer Science
- Thomas
- 1990
Citation Context: ... If the composition is empty, then M satisfies the specification A g. Otherwise, any of the traces of the composition is a counterexample. The LTL model checking algorithm constructs a Büchi automaton [11] B¬g that accepts the traces that satisfy ¬g. Different algorithms for doing this have been proposed [10], [12]. Given the Kripke structure M corresponding to the system, an equivalent Büchi automaton...

70 | Compositional and Symbolic Model-Checking of Real-Time Systems
- Larsen, Pettersson, et al.
- 1995
Citation Context: ...f a timed automaton can be infinite as the clocks assume values from the reals. Specialized algorithms and data structures have been developed that enable model checking of timed automata [36], [37], [38]. Hybrid Systems. Another example of infinite state systems, hybrid systems are characterized by the presence of discrete and continuous components. The continuous components are usually defined using...

54 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, Jha, Lu, Veith
- 2000

48 | A Survey of Recent Advances in SAT-based Formal Verification
- Prasad, Biere, et al.
Citation Context: ...nds on the completeness threshold can be determined. However, complete methods based on bounded model checking that rely on alternative methods to determine termination have been proposed [23], [24], [25]. III. SOFTWARE AND BEYOND. The previous section described some of the seminal work in model checking. One of the application domains in which model checking has seen most successes is hardware: model ...

43 | Efficient Computation of Recurrence Diameters
- Kroening, Strichman
Citation Context: ...he specification is violated, there exists a counterexample shorter than that length. Bounds on the completeness threshold of various classes of specifications have been given in the literature [19], [21], [22]. However, in practice, the computed bounds are often quite large. In this case, the verification terminates when the problem becomes intractable, without being able to prove that the system sat...

27 | Completeness and complexity of bounded model checking
- Clarke, Kroening, et al.
- 2004
Citation Context: ...cification is violated, there exists a counterexample shorter than that length. Bounds on the completeness threshold of various classes of specifications have been given in the literature [19], [21], [22]. However, in practice, the computed bounds are often quite large. In this case, the verification terminates when the problem becomes intractable, without being able to prove that the system satisfies...

21 | Verifying the SRT division algorithm using theorem proving techniques
- Clarke, German, et al.
- 1996
Citation Context: ...instance, soon after Intel had to recall a large number of Pentium processors because of a design bug, researchers were able to show that the bug could have been detected by using formal verification [26]. Since then, many chip design companies have been using model checking and other formal verification techniques. Software Model Checking. More recently, software has been the focus of much effort in ...

10 | RED: Model-checker for timed automata with clock-restriction diagram
- Wang
- 2001

5 | Model Checking of Robotic Control Systems
- Scherer, Lerda, et al.
- 2005
Citation Context: ...i.e., systems in which discrete and continuous components coexist. One of the challenges is that the continuous components give rise to an infinite set of possible states. The approach we proposed in [40] focuses on control software, a particular kind of software that interacts with a continuous environment. Very often such software is made of a set of periodic tasks, that are executed on a fixed sche...

3 | An abstraction technique for real-time verification
- Clarke, Lerda, Talupur
- 2007

3 | RED: Model-checker for Timed Automata with Clock-Restriction Diagram, Workshop on Real-Time Tools
- Wang
Citation Context: ...pace of a timed automaton can be infinite as the clocks assume values from the reals. Specialized algorithms and data structures have been developed that enable model checking of timed automata [36], [37], [38]. Hybrid Systems. Another example of infinite state systems, hybrid systems are characterized by the presence of discrete and continuous components. The continuous components are usually defined...

1 | An Abstraction Technique for Real-Time Verification
- Clarke, Lerda, et al.
- 2007
Citation Context: ...e systems are, in general, infinite-state systems because time is a continuous variable, under certain assumptions, it is possible to reduce the problem to finite-state model checking. In recent work [39], we have investigated techniques that, by using a well-known mapping from infinite-state timed automata to finite-state region automata, can leverage the recent advances in model checking. In particu...