## Automatic Checking of Aggregation Abstractions Through State Enumeration

Citations: 1 (0 self)

### BibTeX

```bibtex
@MISC{Park_automaticchecking,
  author = {Seungjoon Park and Satyaki Das and David L. Dill},
  title  = {Automatic Checking of Aggregation Abstractions Through State Enumeration},
  year   = {}
}
```

### Abstract

Seungjoon Park, Satyaki Das, David L. Dill. Computer Systems Laboratory, Stanford University, Gates {358, 312, 314}, Stanford University, CA 94305, U.S.A. {park@turnip, satyaki@turnip, dill@cs}.stanford.edu

We present a technique for checking aggregation abstractions automatically using a finite-state enumerator. The abstraction relation between implementation and specification is checked on-the-fly, and the verification requires examining no more states than checking a simple invariant property. This technique can be used alone for verification of finite-state protocols, or as preparation for a more general aggregation proof using a general-purpose theorem-prover. We illustrate the technique on the cache coherence protocol in the Flash multiprocessor system.

Keywords: Automatic verification, cache coherence protocols, distributed systems, aggregation abstraction, formal methods

1 INTRODUCTION Formal verification of a system design compares tw...

### Citations

3054 | Graph-Based Algorithms for Boolean Function Manipulation
- Bryant
- 1986
Citation Context: ...omething like (as shown in Figure 1): $\forall s_1, s'_1, s_2 : \exists s'_2 : R(s_1, s_2) \wedge Impl(s_1, s'_1) \Rightarrow R(s'_1, s'_2) \wedge Spec(s_2, s'_2)$ (1), where Impl is a step of the implementation, Spe... BDD-based model checkers use a binary decision diagram [2] to represent a Boolean function that describes a set of states symbolically.

1334 | Symbolic Model Checking
- McMillan
- 1993
Citation Context: ...ying to prove them formally. Obviously, the same general technique can be used with any program capable of enumerating the reachable states of a system description, including BDD-based model checkers [22]. Indeed, it may outperform other methods using abstraction in BDD-based model checkers, for some applications. Background and related work The use of abstraction functions and relations of various ki...

1213 | Automatic verification of finite-state concurrent systems using temporal logics
- Clarke, Emerson, et al.
- 1986
Citation Context: ...tically using a finite-state enumerator. We reduce the problem of checking the aggregation correspondence to the simpler problem of checking an invariant (an "AG property" for those familiar with CTL [3]) by generating a set of propositional properties from the correspondence requirements of the aggregation method. This method can be used alone for verification of finite-state distributed protocols, ...

836 | The temporal logic of actions
- Lamport
- 1991
Citation Context: ...ther methods using abstraction in BDD-based model checkers, for some applications. Background and related work The use of abstraction functions and relations of various kinds (also called refinements [1, 19], homomorphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different way...

445 | The existence of refinement mappings
- Abadi, Lamport
- 1991
Citation Context: ...ther methods using abstraction in BDD-based model checkers, for some applications. Background and related work The use of abstraction functions and relations of various kinds (also called refinements [1, 19], homomorphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different way...

426 | Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach
- Kurshan
- 1994
Citation Context: ...raction in BDD-based model checkers, for some applications. Background and related work The use of abstraction functions and relations of various kinds (also called refinements [1, 19], homomorphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different ways (e.g. [21, 18, 6])...

322 | The Stanford FLASH Multiprocessor
- Kuskin, Ofelt, et al.
- 1994
Citation Context: ...4 EXAMPLE: FLASH CACHE COHERENCE PROTOCOL This section illustrates our technique on the cache coherence protocol used in the Stanford Flash multiprocessor system [17, 12]. 4.1 Informal description of the protocol The system consists of a set of nodes, each of which contains a processor, caches, and a portion of global memory of the system. The distributed nodes commun...

198 | An algebraic definition of simulation between programs
- Milner
- 1971
Citation Context: ...odel checkers, for some applications. Background and related work The use of abstraction functions and relations of various kinds (also called refinements [1, 19], homomorphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different ways (e.g. [21, 18, 6]). [Figure 1: Abstraction relation] ...

150 | The Murphi verification system
- Dill
- 1996
Citation Context: ...ntation. Therefore, the aggregation abstraction can be automatically checked using any finite-state enumerator which is able to check such propositional properties. Although we used the Murφ verifier [8] for this purpose, the technique could be used with other model checkers, including model checkers based on BDDs [22] or other symbolic representations. 3.1 Murφ description language and verifier syst...

148 | The NCSU Concurrency Workbench
- Cleaveland, Sims
- 1996
Citation Context: ...e elimination of states that cannot satisfy property (1). Simulation preorder checking can be computed "on-the-fly" if the state graphs are given implicitly as a set of rules or finite-state programs [4, 5, 15, 14]. Unfortunately, in the worst case, this computation is linear in the size of the product of the implementation and specification graphs. In both theory and practice, checking simulation preorder betw...

84 | Model Checking, Abstraction, and Compositional Verification
- Long
- 1993
Citation Context: ...he cost of verification using this method is also much greater than that of checking a simple property on an implementation state graph alone. Another approach using abstraction with BDDs is found in [20, 10, 9]. The method claims that a concrete program satisfies a property specified with CTL formulas if the abstracted program satisfies the corresponding property by an abstraction relation. To apply this me...

76 | Experiments in theorem proving and model checking for protocol verification
- Havelund, Shankar
- 1996
Citation Context: ...ng is basically identical to simulation preorder checking. Recently, there has been proposed an approach to using a model checker for comparing a specification protocol and an implementation protocol [11]. However, the technique uses a model checker simply to run the two protocols in parallel without defining a precise abstraction relation between the two protocols. Moreover, the size of each state ch...

62 | Protocol verification via projections
- Lam, Shankar
- 1984
Citation Context: ...rphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different ways (e.g. [21, 18, 6]). [Figure 1: Abstraction relation] Since the details of these methods vary greatly, it is difficult to find a simple general principle underlying them all. Howe...

44 | Verifying systems with replicated components in Murφ
- Ip, Dill
- 1996
Citation Context: ...e elimination of states that cannot satisfy property (1). Simulation preorder checking can be computed "on-the-fly" if the state graphs are given implicitly as a set of rules or finite-state programs [4, 5, 15, 14]. Unfortunately, in the worst case, this computation is linear in the size of the product of the implementation and specification graphs. In both theory and practice, checking simulation preorder betw...

36 | Verification of FLASH Cache Coherence Protocol by Aggregation of Distributed Transactions
- Park, Dill
- 1996
Citation Context: ... a purported aggregation function in early stage. The Flash protocol example has been verified before by applying aggregation abstraction using a general-purpose theorem-prover, which took two months [26]. However, the proof would have been much easier had we thought of this finite-state method before completing them. Use of the automatic checking can reveal any human errors in finding aggregation fun...

34 | A tool for symbolic program verification and abstraction
- Loiseaux
- 1993
Citation Context: ...he cost of verification using this method is also much greater than that of checking a simple property on an implementation state graph alone. Another approach using abstraction with BDDs is found in [20, 10, 9]. The method claims that a concrete program satisfies a property specified with CTL formulas if the abstracted program satisfies the corresponding property by an abstraction relation. To apply this me...

32 | I/O automata: A model for discrete event systems
- Lynch
- 1988
Citation Context: ...rphisms [16], and simulations [23]) to compare two descriptions is a fundamental verification technique that can be applied to many different problems and representations in many different ways (e.g. [21, 18, 6]). [Figure 1: Abstraction relation] Since the details of these methods vary greatly, it is difficult to find a simple general principle underlying them all. Howe...

30 | Verification of a distributed cache memory by using abstractions
- Graf
- 1994
Citation Context: ...he cost of verification using this method is also much greater than that of checking a simple property on an implementation state graph alone. Another approach using abstraction with BDDs is found in [20, 10, 9]. The method claims that a concrete program satisfies a property specified with CTL formulas if the abstracted program satisfies the corresponding property by an abstraction relation. To apply this me...

19 | Checking for language inclusion using simulation relations
- Dill, Hu, et al.
- 1991
Citation Context: ...same as checking a simple safety property on the implementation graph alone. Simulation preorder checking can also be performed on graphs represented by BDDs by using a symbolic fixed-point algorithm [7]. However, this requires dealing with relations containing Boolean variables of both the implementation and specification state graphs, so the cost of verification using this method is also much great...

17 | Parallelizing the Murφ verifier
- Stern, Dill
- 1997
Citation Context: ...educed model, such as the consistency of data at the user level, than the original protocol description. To check the abstraction automatically, we have run Parallel Murφ on 32 Ultra Sparc processors [27]. For the protocol with 3 processing nodes and request/reply message queues of size 5, the verifier explored 457,558 states in 126 seconds; for 4 processing nodes and queues of size 3, about 19 millio...

16 | Protocol verification by aggregation of distributed transactions
- Park, Dill
- 1996
Citation Context: ...hed by Chapman & Hall ...which reassembles individual implementation steps into atomic transactions in a specification protocol [25, 24]. This method addresses the primary difficulty with using theorem proving for verification of real systems, which is the amount of human effort required to complete a proof, by making it easier to cre...

15 | Techniques for Efficient Formal Verification Using Binary Decision Diagrams
- Hu
- 1995
Citation Context: ...ethod uses BDDs or some similar symbolic representation. Yet, we have found that explicit state enumeration greatly outperforms straightforward BDD-based verification for some classes of descriptions [13], such as all those described below. A direct approach would appear to be checking inclusion of the language of a finite automaton describing implementation behavior in the language of another automaton ...

15 | State reduction methods for automatic formal verification. Thesis CS-TR-96-1578
- Ip
- 1996
Citation Context: ...e elimination of states that cannot satisfy property (1). Simulation preorder checking can be computed "on-the-fly" if the state graphs are given implicitly as a set of rules or finite-state programs [4, 5, 15, 14]. Unfortunately, in the worst case, this computation is linear in the size of the product of the implementation and specification graphs. In both theory and practice, checking simulation preorder betw...

7 | Computer Assisted Analysis of Multiprocessor Memory Systems
- Park
- 1996
Citation Context: ...which reassembles individual implementation steps into atomic transactions in a specification protocol [25, 24]. This method addresses the primary difficulty with using theorem proving for verification of real systems, which is the amount of human effort required to complete a proof, by making it easier to cre...

4 | The FLASH Protocol. Internal document
- Heinrich
- 1993
Citation Context: ...4 EXAMPLE: FLASH CACHE COHERENCE PROTOCOL This section illustrates our technique on the cache coherence protocol used in the Stanford Flash multiprocessor system [17, 12]. 4.1 Informal description of the protocol The system consists of a set of nodes, each of which contains a processor, caches, and a portion of global memory of the system. The distributed nodes commun...
Citation Context ...ple: FLASH cache coherence protocol 9 4 EXAMPLE: FLASH CACHE COHERENCE PROTOCOL This section illustrates our technique on the cache coherence protocol used in the Stanford Flash multiprocessor system =-=[17, 12]-=-. 4.1 Informal description of the protocol The system consists of a set of nodes, each of which contains a processor, caches, and a portion of global memory of the system. The distributed nodes commun... |