## Model Checking and Modular Verification (1991)

Venue: ACM Transactions on Programming Languages and Systems

Citations: 282 (11 self)

### BibTeX

```bibtex
@ARTICLE{Grumberg91modelchecking,
  author  = {Orna Grumberg and David E. Long},
  title   = {Model Checking and Modular Verification},
  journal = {ACM Transactions on Programming Languages and Systems},
  year    = {1991},
  volume  = {16}
}
```


### Abstract

We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assume-guarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...

### Citations

4096 | Introduction to Automata Theory, Languages and Computation
- Hopcroft, Ullman
- 1979
Citation Context: ...fined earlier (definition 2) can be used for compositional reasoning about synchronous systems. However, such systems are typically given using a more common finite state model such as Moore machines [14]. Moore machines are models of computation with an explicit notion of inputs and outputs. Since the inputs originate from an external, uncontrolled environment, the machine can always receive any comb...

2638 | Model Checking
- Clarke, Grumberg, et al.
- 1999
Citation Context: ...be a method for generating a reduced version of the global state space given a description of how the system is structured and specifications of how the components interact. Clarke, Long and McMillan [4] describe a similar attempt. Both methods will still produce large state graphs if most of the states in the system are not equivalent, and much of the verification must be redone if part of the syste...

1408 | A Calculus of Communicating Systems
- Milner
- 1980
Citation Context: ...dle assume-guarantee reasoning. The method is fairly ad hoc however, and more complex forms of reasoning such as induction cannot be easily incorporated into the system. Within the framework of CCS [22], there have been a number of suggestions for compositional reasoning. Larsen [19] investigates the expressive power of formalisms for specifying the behavior of a process in a system. He suggests equ...

1239 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- Clarke, Emerson, et al.
- 1986
Citation Context: ... methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion problem. This problem arises in systems which are composed of many parallel processes; in general, the size of the stat...

258 | Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations
- Dill
- 1989
Citation Context: ...ainment of ω-regular languages. Homomorphic reductions are used to map implementations to specifications, and the specifications may be used as implementations at the next level of abstraction. Dill [10] proposes an elegant form of trace theory which can be used in a similar manner, but the framework does not handle liveness properties well. Both approaches depend on specifications being deterministi...

246 | Checking that finite state concurrent programs satisfy their linear specification
- Lichtenstein, Pnueli
- 1985
Citation Context: ... methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion problem. This problem arises in systems which are composed of many parallel processes; in general, the size of the stat...

234 | Efficient model checking in fragments of the propositional µ-calculus
- Emerson, Lei
- 1986
Citation Context: ... methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion problem. This problem arises in systems which are composed of many parallel processes; in general, the size of the stat...

108 | A structural induction theorem for processes
- Kurshan, McMillan
- 1989
Citation Context: ...ence M ∥ M′ ⊨ ψ. Note that assumptions may be given either as formulas or directly as finite state models, whichever is more concise or convenient. More complex forms of reasoning such as induction [18] are also possible within this framework. In choosing a computational model, a logic and a preorder to obtain a system such as this, we are guided by the following considerations. First, we must be ab...

107 | Local model checking in the modal mu-calculus
- Stirling, Walker
- 1991
Citation Context: ...can be grouped into two classes. The first class includes methods to build a reduced global state graph or to expand only the needed portion of the global state graph. Local model checking algorithms [6, 26, 29] based on logics like the µ-calculus use a tableau-based procedure to deduce that a specific state (the initial state of the system) satisfies a given logical formula. The state space can be generated ...

95 | Symbolic model checking: states and beyond
- Burch, Clarke, et al.
- 1992
Citation Context: ...ducing symbolic representations for sets of states and transition relations and using a symbolic model checking procedure, systems with very large state spaces (10^100 or more states) can be verified [1, 8]. Further, the time and space requirements with these techniques may in practice be polynomial in the number of components of the system. This research was sponsored in part by the Avionics Laboratory...

92 | "Sometimes" and "not never" revisited: on branching versus linear time temporal logic
- Emerson, Halpern
- 1983
Citation Context: ...checking the preorder. Finally, it should be possible to implement these procedures effectively using symbolic techniques. In this paper, we propose a preorder for use with a subset of the logic CTL* [11]. This subset is strictly more expressive than LTL. Further, the induced subset of CTL is expressive enough for most verification tasks and has an efficient model checking algorithm. We also give a ta...

91 | Tableau-based model checking in the propositional mu-calculus
- Cleaveland
- 1990
Citation Context: ...can be grouped into two classes. The first class includes methods to build a reduced global state graph or to expand only the needed portion of the global state graph. Local model checking algorithms [6, 26, 29] based on logics like the µ-calculus use a tableau-based procedure to deduce that a specific state (the initial state of the system) satisfies a given logical formula. The state space can be generated ...

67 | Analysis of discrete event coordination
- Kurshan
- 1989
Citation Context: ...he approach is very appealing, but unfortunately, dealing with parallel composition is difficult. It is not apparent whether any of these methods will work well with symbolic representations. Kurshan [16] describes a verification methodology based on testing containment of ω-regular languages. Homomorphic reductions are used to map implementations to specifications, and the specifications may be used...

63 | Verifying Temporal Properties of Sequential Machines Without Building their State Diagrams
- Coudert, Madre, et al.
- 1990
Citation Context: ...ducing symbolic representations for sets of states and transition relations and using a symbolic model checking procedure, systems with very large state spaces (10^100 or more states) can be verified [1, 8]. Further, the time and space requirements with these techniques may in practice be polynomial in the number of components of the system. This research was sponsored in part by the Avionics Laboratory...

51 | Bisimulation and divergence
- Walker
- 1990
Citation Context: ...sting relations between an implementation and its specification. However, he does not discuss the applicability of these ideas to verification, nor does he suggest how they can be implemented. Walker [27] demonstrates how to use a preorder plus knowledge of how a system should operate to simplify the verification of bisimulation equivalence. Cleaveland and Steffen [7] use a similar idea. Winskel [28] ...

37 | A language for compositional specification and verification of finite state hardware controllers
- Clarke, Long, et al.
- 1991
Citation Context: ...truction), and checking for homomorphism. To illustrate the system, we use the controller of a simple CPU as an example. The controller is written in a state machine description language called CSML [5] which is compiled into Moore machines. We give only a brief description of the CPU here; Clarke, Long and McMillan [5] give details. The CPU is a simple stack-based machine, i.e., part of the CPU's m...

28 | A note on model checking the modal ν-calculus
- Winskel
- 1991
Citation Context: ...can be grouped into two classes. The first class includes methods to build a reduced global state graph or to expand only the needed portion of the global state graph. Local model checking algorithms [6, 26, 29] based on logics like the µ-calculus use a tableau-based procedure to deduce that a specific state (the initial state of the system) satisfies a given logical formula. The state space can be generated ...

24 | A unified approach for showing language containment and equivalence between various types of ω-automata
- Draghicescu, Kurshan
Citation Context: ...a state s is the set of sequences of labelings which occur along the fair paths starting at s). This relation can be checked in polynomial time using the techniques of Clarke, Draghicescu and Kurshan [2]. Finally, if M′ is the result of a tableau construction, say M′ = T(ψ), then as shown in the previous section, checking whether M ≼ M′ reduces to the problem of checking whether M ⊨ ψ. 8 An exam...

23 | Network grammars, communication behaviors and automatic verification
- Shtadler, Grumberg
Citation Context: ... methods will still produce large state graphs if most of the states in the system are not equivalent, and much of the verification must be redone if part of the system changes. Shtadler and Grumberg [24] show how to verify networks of processes whose structure is described by grammars. In this approach, which involves finding the global behavior of each component, networks of arbitrary complexity can...

15 | Verifying the correctness of AADL modules using model checking
- Josko
- 1990
Citation Context: ...ods are compositional; properties of the individual components are verified, and properties of the global system are deduced from these. A representation of the global state space is not built. Josko [15] gives an algorithm for checking whether a system satisfies a CTL specification in all environments. His algorithm also allows assumptions about the environment to be specified in a restricted linear-...

14 | In transition from global to modular temporal reasoning about programs
- Pnueli
- 1984
Citation Context: ...rties of the system. When verifying properties of the components, it may also be necessary to make assumptions about the environment. This approach is exemplified by Pnueli's assume-guarantee paradigm [23]. A formula in his logic is a triple ⟨φ⟩M⟨ψ⟩ where φ and ψ are temporal formulas and M is a program. The formula is true if whenever M is part of a system satisfying φ, the system must also satisfy ψ...

13 | The modular framework of computer-aided verification
- Shurek, Grumberg
- 1990
Citation Context: ...ll. Both approaches depend on specifications being deterministic for efficiency, and neither approach makes provisions for using logical formulas as specifications or assumptions. Shurek and Grumberg [25] describe criteria for obtaining a modular framework, and illustrate the idea using CTL* with only universal path quantifiers. This system is closest to the work presented here, but they give no provi...

7 | Compositional minimization of finite state processes
- Graf, Steffen
- 1990
Citation Context: ...ntire space is generated (for example, when checking that a property holds globally). It is also not clear whether the algorithms can take good advantage of symbolic representations. Graf and Steffen [13] describe a method for generating a reduced version of the global state space given a description of how the system is structured and specifications of how the components interact. Clarke, Long and Mc...

4 | When is "partial" adequate? A logic-based proof technique using partial specifications
- Cleaveland, Steffen
- 1990
Citation Context: ... they can be implemented. Walker [27] demonstrates how to use a preorder plus knowledge of how a system should operate to simplify the verification of bisimulation equivalence. Cleaveland and Steffen [7] use a similar idea. Winskel [28] proposes a method for decomposing specifications into properties which the components of a system must satisfy for the specification to hold. The approach is very app...

4 | Compositional checking of validity on finite state processes
- Winskel
- 1990
Citation Context: ... [27] demonstrates how to use a preorder plus knowledge of how a system should operate to simplify the verification of bisimulation equivalence. Cleaveland and Steffen [7] use a similar idea. Winskel [28] proposes a method for decomposing specifications into properties which the components of a system must satisfy for the specification to hold. The approach is very appealing, but unfortunately, dealin...

1 | The expressive power of implicit specifications. To appear
- Larsen
Citation Context: ...lex forms of reasoning such as induction cannot be easily incorporated into the system. Within the framework of CCS [22], there have been a number of suggestions for compositional reasoning. Larsen [19] investigates the expressive power of formalisms for specifying the behavior of a process in a system. He suggests equivalence, refinement and satisfaction (of a formula) as three interesting relation...