## Synchronous Observers and the Verification of Reactive Systems (1993)

Venue: Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente

Citations: 105 (10 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Halbwachs93synchronousobservers,
  author    = {Nicolas Halbwachs and Fabienne Lagnier and Pascal Raymond},
  title     = {Synchronous Observers and the Verification of Reactive Systems},
  booktitle = {Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente},
  year      = {1993},
  publisher = {Springer Verlag}
}
```


### Abstract

This paper is a survey of our specification and verification techniques, in a very general, language-independent framework. Section 1 introduces a simple model of synchronous input/output machines, which is used throughout the paper. In Section 2, we show how such a machine can be designed to check the satisfaction of a safety property, and we discuss the use of such an observer in program verification. In Section 3, we use an observer to restrict the behavior of a machine; this is the basic way of representing assumptions about the environment. Applications to modular and inductive verification are considered. In modular verification, one has to find, by intuition, a property of a subprogram that is strong enough to allow the verification of the whole program without fully considering the subprogram. In Section 4, we consider the automatic synthesis of such a property, and in Section 5 we investigate the possibility of deducing the subprogram from such a synthesized specification.
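As an added illustration (not code from the paper), the observer approach of Sections 2 and 3 in Python: a small synchronous I/O machine, a property observer that emits `alarm` when the safety property is violated, an assumption observer that restricts the environment, and a reachability check of the synchronous product. The gate controller, the signal names and the "trains obey the signals" assumption are all constructed here.

```python
from collections import deque

# Added example, not the paper's code. Machines are synchronous I/O machines
# written as Python functions; the gate, the signals and the train assumption
# are constructed for this illustration.
INPUTS = ("approach", "leave", "in_crossing")   # environment signals

def gate(down, inp):
    """M: level-crossing gate controller with one instant of latency.
    The emitted gate_down reflects the previous state; the next state
    is down after an approach and up after a leave."""
    out = frozenset({"gate_down"}) if down else frozenset()
    nxt = (down or "approach" in inp) and "leave" not in inp
    return nxt, out

def prop(_p, inp, out):
    """P: observer of the safety property 'never a train in the crossing
    while the gate is up'. Stateless; emits alarm on violation."""
    return None, ("in_crossing" in inp and "gate_down" not in out)

def env(near, inp, _out):
    """A: assumption observer 'trains obey the signals': a train is in
    the crossing only after an earlier approach and before it leaves."""
    bad = "in_crossing" in inp and not (near and "leave" not in inp)
    nxt = (near or "approach" in inp) and "leave" not in inp
    return nxt, bad

def all_inputs():
    """Every subset of INPUTS: the environment is otherwise unconstrained."""
    for bits in range(1 << len(INPUTS)):
        yield frozenset(s for i, s in enumerate(INPUTS) if bits >> i & 1)

def verify(machine, init, observer, assumption=None):
    """Breadth-first search of the reachable states of M || P, cutting off
    steps where A emits bad_env. Returns None or the shortest alarm trace."""
    start = (init, None, False)            # (M state, P state, A state)
    seen, todo = {start}, deque([(start, [])])
    while todo:
        (m, p, a), trace = todo.popleft()
        for inp in all_inputs():
            m2, out = machine(m, inp)
            a2 = a
            if assumption is not None:
                a2, bad = assumption(a, inp, out)
                if bad:
                    continue               # environment violated A: cut
            p2, alarm = observer(p, inp, out)
            step = trace + [sorted(inp)]
            if alarm:
                return step
            if (m2, p2, a2) not in seen:
                seen.add((m2, p2, a2))
                todo.append(((m2, p2, a2), step))
    return None
```

Under an unconstrained environment `verify(gate, False, prop)` returns the one-step counter-example `[['in_crossing']]` (a train in the crossing before any approach, gate still up), while `verify(gate, False, prop, env)` returns `None`: the property holds once the environment is restricted by the assumption observer.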

### Citations

- **Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints** (Cousot, Cousot, 1977; cited 1947 times)
  Context: "...fixpoint: Invar(Q_M^P) = νX. Q_M^P ∩ pre_{M ||_Ω P}(X). Approximate analysis: when infinite-state systems are considered, approximate methods (and, in particular, abstract interpretation techniques [9, 10]) can be applied to compute approximations of the set Reach((M ||_Ω P) ↓ α). If an upper approximation of this set is included in Q_M^P, this proves that the erroneous states cannot be reached ..."

- **Automatic verification of finite-state concurrent systems using temporal logic specifications** (Clarke, Emerson, et al., 1986; cited 1208 times)
  Context: "...the verification problem, according to various verification methods: State enumeration: for finite-state systems, state enumeration techniques (enumerative model checking) have been widely experimented with [31, 11]. In general, these techniques involve the construction of the whole state graph of the program, and its memorization for the analysis of trace properties. Now, since the problem has been reduced to t..."

- **The Esterel Synchronous Programming Language: Design, Semantics, Implementation** (Berry, Gonthier, 1992; cited 691 times)
  Context: "...can happen that the product of two deterministic (respectively reactive) machines is not deterministic (resp. reactive). This is the well-known problem of causality paradoxes in synchronous languages [6, 26]. For instance, let I_M1 = {x, y}, I_M2 = {x, z}, O_M1 = {z} and O_M2 = {y}. Then: • Assume (see Fig. 1.a) that q_1 –{x,y}/∅→ q'_1 and q_1 –{x}/{z}→ q''_1 are the only transitions in δ_M1 from state ..."

- **The control of discrete event systems** (Ramadge, Wonham, 1989; cited 586 times)
  Context: "...The "don't care sets" considered in hardware design and verification [4, 12] are also a way of expressing assumptions about the environment. • The synthesis problems considered in Sections 4 and 5 have been dealt with in several papers, both in control theory [32, 33, 19] and in computer science [30, 3], and often extended to cope with liveness properties. Our simplifications consist in considering safety properties of synchronous systems. They are suggested by th..."

- **Composing specifications** (Abadi, Lamport, 1993; cited 545 times)
  Context: "...es M_1 || M_2. This amounts to considering M_2 as the environment of M_1. Of course, assumptions about the global environment can also be taken into account. With a little additional hypothesis (see [2] and the "decomposition theorem" of [23]), which amounts to the absence of causality problems, one can even use a seemingly circular reasoning, which consists first in proving a property P_2 of M_2 un..."

- **The synchronous dataflow programming language Lustre** (Halbwachs, Caspi, et al., 1991; cited 520 times)

- **Supervisory control of a class of discrete event processes** (Ramadge, Wonham, 1987; cited 485 times)
  Context: same passage as the entry for *The control of discrete event systems* above.

- **Synchronous programming of reactive systems** (Halbwachs, 1993; cited 414 times)
  Context: "...Nicolas Halbwachs (Verimag Laboratory and Stanford University), Fabienne Lagnier, Pascal Raymond (Verimag Laboratory, Rue Lavoisier, 38330 Montbonnot St. Martin, France). Introduction: Synchronous programming [20, 14] is a useful approach to design reactive systems. A synchronous program is supposed to react instantly and deterministically to events coming from its environment. The advantages of this approach have..."

- **On the synthesis of a reactive module** (Pnueli, Rosner, 1989; cited 343 times)
  Context: same passage as the entry for *The control of discrete event systems* above.

- **Calculi for synchrony and asynchrony** (Milner, 1983; cited 321 times)
  Context: "...educing the subprogram from such a synthesized specification. 1 Synchronous I/O machines. We first define an abstract model of synchronous reactive machines. We could use a synchronous process algebra [27, 28, 1] as a basic formalism, but we will see that non-symmetric communication is essential for the definition of observer: an observer can see the behavior of the program without modifying it, i.e., without..."

- **Abstract interpretation and application to logic programs** (Cousot, Cousot, 1992; cited 293 times)
  Context: same passage as the entry for *Abstract interpretation: a unified lattice model...* above.

- **The Esterel Language** (Boussinot, Simone, 1991; cited 147 times)
  Context: "...control structure of the object code is a finite automaton which is synthesized by an exhaustive simulation of a finite abstraction of the program. Concerning program verification, it has been argued [8, 16, 29] that the practical goal, for reactive programs, is generally to verify some simple logical safety properties: by a safety property, we mean, as usual, a property which expresses that something will n..."

- **Verifying properties of large sets of processes with network invariants** (Wolper, Lovinfosse, 1990; cited 101 times)
  Context: "...oving that M_1 satisfies P_1 assuming M_2 satisfies P_2. Inductive proofs: moreover, the modular verification technique can be extended to the inductive verification of regular networks of processes [34, 16]. Assume one wants to prove a safety property P of the machine M || M || ... || M (n times) for any n ≥ 1. This can be done by finding a property P' such that (1) M satisfies P', (2) (M_1 ||_Ω..."

- **Operational and compositional semantics of synchronous automaton compositions** (Maraninchi, 1992; cited 92 times)
  Context: same passage as the entry for *The Esterel Synchronous Programming Language* above.

- **Ratel: Programming and verifying realtime systems by means of the synchronous dataflow programming language Lustre** (Halbwachs, Lagnier, et al., 1992; cited 83 times)
  Context: "...ification. Generally, the critical properties of a reactive system are only required to hold provided the environment also behaves correctly, that is, under some assumptions about the environment. In [17], we verified a very simple railway control system, and the most important part was the description of the realistic behavior of the trains (they obey the signals, they do not jump from one track to ..."

- **Realizable and Unrealizable Specifications of Reactive Systems** (Abadi, Lamport, et al., 1989; cited 73 times)
  Context: "...server of E(P). Another consequence is that (O, I) /_Ω E(P) is the most general reactive machine satisfying P. Notice that Exe can be empty, which means that P is not realizable in the sense of [3]: there is no machine on (I, O) preserving P against any environment. Conclusion: Many ideas that have been presented are specializations and simplifications of previous works. For instance: • The sp..."

- **Analysis of Discrete Event Coordination** (Kurshan, 1990; cited 65 times)
  Context: "...been presented are specializations and simplifications of previous works. For instance: • The specification of properties by means of a synchronous observer is very close to the approach of COSPAN [24], which also takes liveness into account, both in the program and the properties. • Several verification approaches take the environment into account, e.g., [21], [2], [22], and some of them propose m..."

- **Online minimization of transition systems** (Lee, Yannakakis, 1992; cited 61 times)
  Context: "...roperty is satisfied, then the minimal state graph of (M ||_Ω P) ↓ α has only one state (it is the "always silent" automaton). Algorithms for generating a minimal state graph have been proposed [5, 25]. When applied to our simple verification problem, these algorithms amount to proving that the initial state belongs to the greatest invariant Invar(Q_M^P) included in Q_M^P, i.e., the greatest part..."

- **Delay Analysis in Synchronous Programs** (Halbwachs, 1993; cited 59 times)
  Context: "... be applied to compute approximations of the set Reach((M ||_Ω P) ↓ α). If an upper approximation of this set is included in Q_M^P, this proves that the erroneous states cannot be reached (see [13] for an application of such a method). If a lower approximation intersects the complement of Q_M^P, an error is detected. In the remainder of the paper, we will essentially consider finite-state mach..."

- **Algèbre de processus et synchronisation** (Austry, Boudol, 1984; cited 52 times)
  Context: same passage as the entry for *Calculi for synchrony and asynchrony* above.

- **Receptive process theory** (Josephs, 1992; cited 42 times)
  Context: same passage as the entries for *Analysis of Discrete Event Coordination* and *The control of discrete event systems* above.

- **Verification of a multiplier: 64 bits and beyond** (Kurshan, Lamport, 1993; cited 35 times)
  Context: same passage as the entry for *Composing specifications* above.

- **Multi-level logic minimization using implicit don't cares** (Bartlett, Brayton, et al., 1988; cited 30 times)
  Context: same passage as the entry for *The control of discrete event systems* above.

- **Minimal state graph generation** (Bouajjani, Fernandez, et al., 1992; cited 28 times)
  Context: same passage as the entry for *Online minimization of transition systems* above.

- **An experience in proving regular networks of processes by modular model checking** (Halbwachs, Lagnier, et al., 1992; cited 28 times)
  Context: same passage as the entry for *The Esterel Language* above.

- **Automated protocol validation in Argos, assertion proving, scatter searching** (Holzmann, 1987; cited 28 times)
  Context: "...perties. Now, since the problem has been reduced to the analysis of a state property (an invariant), the state graph only needs to be traversed. Particularly efficient techniques are available (e.g., [18]) for such a traversal. Reduction techniques: the drawback of state enumeration techniques is the explosion of the number of states as the size of the program increases. Other approaches [7] consi..."

- **Process calculi, from theory to practice: Verification tools** (Boudol, Simone, et al., 1990; cited 27 times)
  Context: "...Other approaches [7] consist in building a reduced state graph, according to some observation criteria. Now, in our approach, the machine of interest is not really M ||_Ω P, but rather (M ||_Ω P) ↓ α, since we..."

- **Don't care set specifications in combinational and synchronous logic circuits** (Damiani, Micheli, 1993; cited 19 times)
  Context: same passage as the entry for *The control of discrete event systems* above.

- **Symbolic synthesis of supervisory controllers** (Hoffmann, Wong-Toi, 1992; cited 14 times)
  Context: same passage as the entry for *The control of discrete event systems* above.

- **MCTL: an extension of CTL for modular verification of concurrent systems** (Josko, 1987; cited 8 times)
  Context: same passage as the entry for *Analysis of Discrete Event Coordination* above.

- **How Vital is Liveness? Verifying Timing Properties of Reactive and Hybrid Systems** (Pnueli, 1992; cited 7 times)
  Context: same passage as the entry for *The Esterel Language* above.

- **Specification and verification of concurrent systems in Cesar** (Queille, Sifakis, 1982; cited 1 time)
  Context: same passage as the entry for *Automatic verification of finite-state concurrent systems using temporal logic specifications* above.