## Abstract model checking of infinite specifications (1994)

### Download Links

- [sdg.csail.mit.edu]
- [sdg.lcs.mit.edu]
- DBLP

### Other Repositories/Bibliography

- Venue: In Proceedings of Formal Methods Europe
- Citations: 15 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Jackson94abstractmodel,
  author    = {Daniel Jackson},
  title     = {Abstract model checking of infinite specifications},
  booktitle = {In Proceedings of Formal Methods Europe},
  year      = {1994},
  pages     = {519--531},
  publisher = {Springer-Verlag}
}
```

### Abstract

A new method for analyzing specifications in languages like Z and VDM is proposed. Theorems are checked automatically by exhaustive search of the state space. An abstraction over the actual states can be defined that reduces an infinite state space to a finite number of equivalence classes, allowing it to be searched exhaustively by treating each class as a single abstract state. A prototype has been built that has verified some small theorems from the literature.

### Citations

- 2311 | Statecharts: A Visual Formalism for Complex Systems - Harel
  Citation Context: ...he incompatibility of representations; the state machine models appropriate for hardware are rarely good for software too, and even languages that are overtly state-machine-based (such as Statecharts [Har87]) are not suitable for direct model checking. Languages without named events are easier to handle; a notable success is Atlee and Gannon’s scheme [AG93] for translating Parnas’s “SCR-style” specificat...

- 1996 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints - Cousot, Cousot - 1977

- 1241 | Automatic verification of finite-state concurrent systems using temporal logic specifications - Clarke, Emerson, et al. - 1986

- 1156 | The Z Notation: A Reference Manual - Spivey - 1989
  Citation Context: ...erpretations, such as the theory of lists [NO80] and, more relevant to this work, various fragments of set theory: set constraints [HJ90, * This confusing term is used to distinguish languages like Z [Spi89] and VDM [Jon86], whose state spaces are constructed explicitly out of tuples, sets and relations, from “property-oriented” languages like the Larch Shared Language [GHW85], which define the behaviour...

- 670 | Systematic Software Development using VDM - Jones - 1990
  Citation Context: ...ch as the theory of lists [NO80] and, more relevant to this work, various fragments of set theory: set constraints [HJ90, * This confusing term is used to distinguish languages like Z [Spi89] and VDM [Jon86], whose state spaces are constructed explicitly out of tuples, sets and relations, from “property-oriented” languages like the Larch Shared Language [GHW85], which define the behaviour of operations w...

- 667 | Model checking and abstraction - Clarke, Grumberg, et al. - 1994
  Citation Context: ...How often this will work in practice remains to be seen. 8 Related Work Most of the ideas in this paper are taken from Clarke, Grumberg and Long’s work on abstraction in temporal logic model checking [CGL92]. They show that abstracting a state machine preserves the properties that can be expressed in the restricted temporal logic ∀CTL. When the abstraction is exact, all properties...

- 194 | Fast decision procedures based on congruence closure - Nelson, Oppen - 1980
  Citation Context: ...cur only in certain patterns does the trick. Many of these results may be found in [Ack54]. The theory of equality with uninterpreted function symbols can be decided efficiently by congruence closure [NO80]. Decision procedures have been invented for a number of special theories in which function symbols have fixed interpretations, such as the theory of lists [NO80] and, more relevant to this work, vari...

- 169 | An Introduction to Formal Specification and Z - Potter, Sinclair, et al. - 1996

- 159 | Solvable cases of the decision problem - Ackermann - 1954
  Citation Context: ...-order logic is decidable when restricted to monadic predicates; for first-order logic, restricting quantifiers to occur only in certain patterns does the trick. Many of these results may be found in [Ack54]. The theory of equality with uninterpreted function symbols can be decided efficiently by congruence closure [NO80]. Decision procedures have been invented for a number of special theories in which f...

- 151 | The NCSU Concurrency Workbench - Cleaveland, Sims - 1996
  Citation Context: ...he SMV model checker [BC+92]. Tools for investigating properties of finite machines specified in process algebras have been applied to software; examples are FDR [FSE92] and the Concurrency Workbench [CPS89]. Because process algebras have more elaborate models than simple state machines (due mainly to the distinction between internal and external choice), these tools cannot use standard model checking te...

- 135 | State-Based Model Checking of Event-Driven System Requirements - Atlee, Gannon - 1993
  Citation Context: ...ertly state-machine-based (such as Statecharts [Har87]) are not suitable for direct model checking. Languages without named events are easier to handle; a notable success is Atlee and Gannon’s scheme [AG93] for translating Parnas’s “SCR-style” specifications [PM90] into the Kripke structures of the SMV model checker [BC+92]. Tools for investigating properties of finite machines specified in process alge...

- 105 | The Larch family of specification languages - Guttag, Horning, et al. - 1985
  Citation Context: ...istinguish languages like Z [Spi89] and VDM [Jon86], whose state spaces are constructed explicitly out of tuples, sets and relations, from “property-oriented” languages like the Larch Shared Language [GHW85], which define the behaviour of operations without making the structure of the states explicit. State machine languages such as Statecharts [Har87] are not usually described as model-based...

- 95 | Symbolic model checking - Clarke, McMillan, et al. - 1996

- 94 | Abstract Debugging of Higher-Order Imperative Languages - Bourdoncle - 1993
  Citation Context: ...inistic, and return, instead of a set of possible abstract values, a single element that bounds them in the lattice. Abstract interpretation has been used almost exclusively within compilers (but see [Bou93]). Analyses that have been designed for software engineering purposes (such as bug detection) have tended not to use lattices, perhaps because the extra loss of information incurred when sets of values a...

- 74 | Functional Documentation for Computer Systems Engineering (Version 2) - Parnas, Madey - 1991
  Citation Context: ...not suitable for direct model checking. Languages without named events are easier to handle; a notable success is Atlee and Gannon’s scheme [AG93] for translating Parnas’s “SCR-style” specifications [PM90] into the Kripke structures of the SMV model checker [BC+92]. Tools for investigating properties of finite machines specified in process algebras have been applied to software; examples are FDR [FSE92...

- 72 | Set constraints are the monadic class - Bachmair, Ganzinger, et al. - 1993

- 39 | Formal Specification as a Design Tool - Guttag, Horning
  Citation Context: ...al interpretation and is thus open to investigation by mechanical means. An early and influential paper on formal specification showed how to evaluate a design by casting informal queries as theorems [GH80]. For a long time this has been the most compelling argument for formalization. If we could prove or dis... Author’s address: School of Computer Science, Carnegie Mellon University, 5000 Forbes Avenue, Pi...

- 35 | A decision procedure for a class of Herbrand set constraints - Heintze, Jaffar - 1990

- 10 | Testing containment of ω-regular languages - Kurshan - 1986
  Citation Context: ...ysis described here. A number of schemes have been developed for investigating the properties of a state machine; the most prominent are based on temporal logic [CES86, BC+92] or language containment [Kur86]. To my knowledge, this paper is the first application of model checking ideas to conventional, model-based* specifications. Model checking was developed primarily with hardware verification in mind, ...

- 8 | Verifying a Static RAM Design by Logic Simulation - Bryant - 1988
  Citation Context: ..., so the unrestricted logic may be used and the proof method is complete. The first use of symbolic constants in model checking appears to have been by Bryant, in the verification of a memory circuit [Bry88]. It is not obvious how to apply this framework to software specifications. This paper contributes two new ideas. First, [CGL92] regards abstractions as exact only when all primitive predicates (wheth...

- 8 | Mechanisms for Compile-Time Enforcement of Security - Strom - 1983
  Citation Context: ...e the extra loss of information incurred when sets of values are replaced by a single value is unacceptable, and leads to ad hoc results. The finite state modelling of [Hen75] and the “typestates” of [Str83] use flat abstract state spaces like mine, but it is not clear how to apply these techniques to specifications. 9 Conclusion The case for writing formal specifications would be far more compelling if ...

- 1 | Decision Procedures for Elementary - Ferro, Omodeo, et al. - 1987
  Citation Context: ...t making the structure of the states explicit. State machine languages such as Statecharts [Har87] are not usually described as model-based. [BGW92] and multi-level syllogistic [FOS80]. These could, I suspect, prove the theorems of Table 1, which, since they treat the pairs of a relation as single objects, are probably of the monadic class. But the full theory of relations is not d...

- 1 | Finite State Modelling - Henderson - 1975
  Citation Context: ...not use lattices, perhaps because the extra loss of information incurred when sets of values are replaced by a single value is unacceptable, and leads to ad hoc results. The finite state modelling of [Hen75] and the “typestates” of [Str83] use flat abstract state spaces like mine, but it is not clear how to apply these techniques to specifications. 9 Conclusion The case for writing formal specifications ...