## Compositional Reasoning in Model Checking (1998)


Citations: 43 (4 self)

### BibTeX

```bibtex
@MISC{Berezin98compositionalreasoning,
  author = {Sergey Berezin and Sérgio Campos and Edmund M. Clarke},
  title  = {Compositional Reasoning in Model Checking},
  year   = {1998}
}
```


### Citations

3166 | Graph-based algorithms for Boolean function manipulation - Bryant - 1986
Citation context: ...tems [7]. It models a computer system as a state-transition graph. Efficient algorithms are used to traverse this graph and determine whether various properties are satisfied by the model. By using BDDs [5] it is possible to verify extremely large systems having as many as 10^120 states. Several systems of industrial complexity have been verified using this technique. These systems include parts of the Fu...

2692 | Model Checking - Clarke, Grumberg, et al. - 1999
Citation context: ... Vaandrager [16] that runs in O(mn) time. It is unknown, however, if this algorithm can use BDDs as well. 5.4 Interface Processes Example. As a simple example, we consider a model of the CPU controller [13] (fig. 4). The model comprises two parallel processes Pa and Pe called the access unit and the execution unit. The access unit Pa fetches instructions and stores them in an instruction queue and maintains...

283 | Model Checking and Modular Verification - Grumberg, Long - 1994

243 | Symbolic model checking for sequential circuit verification - Burch, Clarke, et al. - 1994
Citation context: ...echniques used in practice and show a few examples demonstrating their performance. 1 Introduction. Symbolic model checking is a very successful method for verifying complex finite-state reactive systems [7]. It models a computer system as a state-transition graph. Efficient algorithms are used to traverse this graph and determine whether various properties are satisfied by the model. By using BDDs [5] it i...

170 | Proofs of networks of processes - Misra, Chandy - 1981
Citation context: ...avior, then we can conclude that the verified properties are true of the entire system. These properties can be used to deduce additional global properties of the system. The assume-guarantee paradigm [17, 21, 23, 25] uses this method. Typically, a formula is a triple ⟨g⟩M⟨f⟩ where g and f are temporal formulas and M is a program. The formula is true if whenever M is part of a system satisfying g, the system must also sa...

167 | Verification of synchronous sequential machines based on symbolic execution - Coudert, Berthet, et al. - 1989

166 | Symbolic model checking with partitioned transition relations - Burch, Clarke, et al. - 1991
Citation context: ...the user. Others require more user intervention but can achieve better results. Each is well suited for some applications while not so efficient for others. For example, partitioned transition relations [6] and lazy parallel composition [11, 27] are automatic and, therefore, preferred in cases where user intervention is not desired (for example, when the user is not an expert). These techniques provide ...

157 | Implicit state enumeration of finite state machines using BDDs - Touati, Savoj, et al. - 1991

146 | Characterizing finite Kripke structures in propositional temporal logic - Browne, Clarke, et al. - 1988

100 | Verification of the Futurebus+ cache coherence protocol - Clarke, Grumberg, et al. - 1993

65 | An Efficient Algorithm for Branching Bisimulation and Stuttering Equivalence - Groote, Vaandrager - 1990
Citation context: ...os, and E.M. Clarke. Fig. 4. A CPU controller. Stuttering Equivalence. Unlike bisimulation, the stuttering equivalence [4, 16] is usually defined over the computation paths of the models. Intuitively, two paths and 0 are considered stuttering equivalent if they can be partitioned into finite blocks of repeated, or stuttered, sta...

56 | Modal Logics for Communicating Systems - Stirling - 1987
Citation context: ...ing checked, and simplifies the resulting formula. A similar method is described in [2]. Theorem proving techniques are also used to decompose and prove (manually) the property for each of the components [15, 26]. In general, all of the compositional model checking techniques have their limitations and much work remains to be done. The most important problem is the trade-off between efficiency and automation. Mor...

47 | Fair simulation - Henzinger, Kupferman, et al. - 1997
Citation context: ...umberg and Long suggest how to check the fair preorder only for a few trivial cases. Kupferman and Vardi showed that the general case is PSPACE-hard to compute [22]. Henzinger, Kupferman, and Rajamani [18] have proposed a new type of fair preorder that can be computed in polynomial time. However, it is not clear that this preorder is appropriate for compositional reasoning. Example: The Futurebus+ Prot...

40 | Computing quantitative characteristics of finite-state real-time systems - Campos, Clarke, et al. - 1994

37 | Module Checking revisited - Kupferman, Vardi - 1997
Citation context: ...fair preorder between models. In [17], Grumberg and Long suggest how to check the fair preorder only for a few trivial cases. Kupferman and Vardi showed that the general case is PSPACE-hard to compute [22]. Henzinger, Kupferman, and Rajamani [18] have proposed a new type of fair preorder that can be computed in polynomial time. However, it is not clear that this preorder is appropriate for compositiona...

32 | A Compositional Proof System for the Modal μ-Calculus (to appear) - Andersen, Winskel
Citation context: ...e successfully used. For example, partial model checking [1] encodes one of the processes into the formula which is being checked, and simplifies the resulting formula. A similar method is described in [2]. Theorem proving techniques are also used to decompose and prove (manually) the property for each of the components [15, 26]. In general, all of the compositional model checking techniques have their ...

30 | Partial model checking (extended abstract) - Andersen - 1995
Citation context: ...rotocols. This paper does not cover all of the compositional proof techniques. There are a number of other compositional techniques that can also be successfully used. For example, partial model checking [1] encodes one of the processes into the formula which is being checked, and simplifies the resulting formula. A similar method is described in [2]. Theorem proving techniques are also used to decompose a...

29 | Verus: a tool for quantitative analysis of finite-state real-time systems - Campos, Clarke, et al. - 1995

20 | Verifying the performance of the PCI local bus using symbolic techniques - Campos, Clarke, et al. - 1996
Citation context: ...ems having as many as 10^120 states. Several systems of industrial complexity have been verified using this technique. These systems include parts of the Futurebus+ standard [12, 19], the PCI local bus [10, 20], a robotics system [8] and an aircraft controller [9]. In spite of such success, symbolic model checking has its limitations. In some cases the BDD representation can be exponential in the size of s...

20 | A Quantitative Approach to the Formal Verification of Real-Time Systems - Campos - 1996

15 | Verifying the correctness of AADL modules using model checking - Josko - 1990
Citation context: ...avior, then we can conclude that the verified properties are true of the entire system. These properties can be used to deduce additional global properties of the system. The assume-guarantee paradigm [17, 21, 23, 25] uses this method. Typically, a formula is a triple ⟨g⟩M⟨f⟩ where g and f are temporal formulas and M is a program. The formula is true if whenever M is part of a system satisfying g, the system must also sa...

15 | Compositional proof systems for model checking infinite state processes - Dam - 1995

14 | In transition from global to modular temporal reasoning about programs - Pnueli - 1984
Citation context: ...avior, then we can conclude that the verified properties are true of the entire system. These properties can be used to deduce additional global properties of the system. The assume-guarantee paradigm [17, 21, 23, 25] uses this method. Typically, a formula is a triple ⟨g⟩M⟨f⟩ where g and f are temporal formulas and M is a program. The formula is true if whenever M is part of a system satisfying g, the system must also sa...

12 | Three Efficient Algorithms Based on Partition Refinement - Paige, Tarjan - 1987

9 | Verification of synchronous sequential machines based on symbolic execution - Coudert, Berthet, et al. - 1989
Citation context: ...ormula above means that N and N' agree on transitions that start from states in S. It is possible to represent N' with significantly fewer nodes than N in some cases by using the constrain operator from [14, 27]. For two boolean formulas f and g, f' = constrain(f, g) is a formula that has the same truth value as f for variable assignments that satisfy g. If the variable assignment does not satisfy g, the value of f ...

9 | Model checking and modular verification - Grumberg, Long - 1994
Citation context: ...nating events that do not relate to the communication variables. In this way, properties that refer to the interface variables are preserved, but the model becomes smaller. Assume-guarantee reasoning [17] is a manual technique that verifies each component separately. The behavior of each component depends on the behavior of the rest of the system, i.e., its environment. Because of this, the user must s...

7 | Characterizing finite Kripke structures in propositional temporal logic - Browne, Clarke, et al. - 1988
Citation context: ...os, and E.M. Clarke. Fig. 4. A CPU controller. Stuttering Equivalence. Unlike bisimulation, the stuttering equivalence [4, 16] is usually defined over the computation paths of the models. Intuitively, two paths and 0 are considered stuttering equivalent if they can be partitioned into finite blocks of repeated, or stuttered, sta...

6 | Computing quantitative characteristics of finite-state real-time systems - Campos, Clarke, et al. - 1994
Citation context: ...trial complexity have been verified using this technique. These systems include parts of the Futurebus+ standard [12, 19], the PCI local bus [10, 20], a robotics system [8] and an aircraft controller [9]. In spite of such success, symbolic model checking has its limitations. In some cases the BDD representation can be exponential in the size of the system description. This behavior is called the state ex...

5 | Implicit state enumeration of finite state machines using BDDs - Touati, Savoj, et al. - 1988
Citation context: ... intervention but can achieve better results. Each is well suited for some applications while not so efficient for others. For example, partitioned transition relations [6] and lazy parallel composition [11, 27] are automatic and, therefore, preferred in cases where user intervention is not desired (for example, when the user is not an expert). These techniques provide a way to compute the set of successors ...

4 | Verification of the Futurebus+ cache coherence protocol - Clarke, Grumberg, et al. - 1993
Citation context: ... verify extremely large systems having as many as 10^120 states. Several systems of industrial complexity have been verified using this technique. These systems include parts of the Futurebus+ standard [12, 19], the PCI local bus [10, 20], a robotics system [8] and an aircraft controller [9]. In spite of such success, symbolic model checking has its limitations. In some cases the BDD representation can be ...

3 | Model checking algorithms for the mu-calculus - Berezin, Clarke, et al. - 1996
Citation context: ... from which there is a path to the current state along which the current labeling L(s) changes exactly once. This involves computing another least fixpoint. The details of the algorithm are described in [3]. A more efficient algorithm based on the Paige-Tarjan algorithm was found by Groote and Vaandrager [16] that runs in O(mn) time. It is unknown, however, if this algorithm can use BDDs as well. 5.4 Inter...

2 | A Quantitative Approach to the Formal Verification of Real-Time Systems - Campos - 1996
Citation context: ... intervention but can achieve better results. Each is well suited for some applications while not so efficient for others. For example, partitioned transition relations [6] and lazy parallel composition [11, 27] are automatic and, therefore, preferred in cases where user intervention is not desired (for example, when the user is not an expert). These techniques provide a way to compute the set of successors ...

2 | Three efficient algorithms based on partition refinement - Paige, Tarjan - 1987
Citation context: ...f this algorithm is O(m^2), where m is the sum of the sizes of the transition relations. There are more efficient algorithms for computing bisimulation equivalence, for example the Paige-Tarjan algorithm [24]. Its complexity is O(m log n) in time and O(m + n) in space, where n is the sum of the numbers of states in both models, and m is the sum of the sizes of the transition relations. However, it is unclear if ...

1 | Verus: a tool for quantitative analysis of finite-state real-time systems - Campos, Clarke, et al. - 1995
Citation context: ...tates. Several systems of industrial complexity have been verified using this technique. These systems include parts of the Futurebus+ standard [12, 19], the PCI local bus [10, 20], a robotics system [8] and an aircraft controller [9]. In spite of such success, symbolic model checking has its limitations. In some cases the BDD representation can be exponential in the size of the system description. This ...

1 | Compositional proof systems for model checking infinite state processes - Dam - 1995
Citation context: ...ing checked, and simplifies the resulting formula. A similar method is described in [2]. Theorem proving techniques are also used to decompose and prove (manually) the property for each of the components [15, 26]. In general, all of the compositional model checking techniques have their limitations and much work remains to be done. The most important problem is the trade-off between efficiency and automation. Mor...