### Table 1: SMV model checking experimental results on original software Properties Verification CPU time (sec) BDD Nodes

2000

"... In PAGE 8: ... Property 3 asserts that if XDATA =0 is read during a rising edge of the clock (RA[2] =1 and CSTAT[2] =0) then the right flag (FLAG[3] is set to 1 in all cases in the future [13]. Table1 shows the model checking results of verification of Bit1 of Bitx routine using Cadence SMV. This and subsequent experiments are done on a Sun Sparc Ultra1 with 256... In PAGE 9: ...Through our experiment, we could notice that the test made over the embedded software written over the piece of micro controller device failed ( Table1 ). A counterexample by Cadence SMV notified the error.... In PAGE 11: ...In this paper, there is only one model, which is the model of the software routine running on the hardware. Even though, in [2] there are two models, one of the specification and the other of the implementation, of the software routine, comparing the results obtained in Table1 with that in Table 4, show a remarkable reduction in the size of the graphs and the CPU time. Further more, Thiry and Claesen [13] report the verification of Property A on the Bit routine, run on a 486DX33 machine with 16 MB RAM.... ..."

Cited by 2

### Table 1: SMV model checking experimental results on original software Properties Verification CPU time (sec) BDD Nodes

"... In PAGE 8: ... Property 3 asserts that if XDATA =0 is read during a rising edge of the clock (RA[2] =1 and CSTAT[2] =0) then the right flag (FLAG[3] is set to 1 in all cases in the future [13]. Table1 shows the model checking results of verification of Bit1 of Bitx routine using Cadence SMV. This and subsequent experiments are done on a Sun Sparc Ultra1 with 256... In PAGE 9: ...Through our experiment, we could notice that the test made over the embedded software written over the piece of micro controller device failed ( Table1 ). A counterexample by Cadence SMV notified the error.... In PAGE 11: ...In this paper, there is only one model, which is the model of the software routine running on the hardware. Even though, in [2] there are two models, one of the specification and the other of the implementation, of the software routine, comparing the results obtained in Table1 with that in Table 4, show a remarkable reduction in the size of the graphs and the CPU time. Further more, Thiry and Claesen [13] report the verification of Property A on the Bit routine, run on a 486DX33 machine with 16 MB RAM.... ..."

### Table 2: Term rewriting system, used for the elimination of the pre x operator.

1996

"... In PAGE 9: ... Note that kk and kk are allowed (that is, k and k without communication). The complete pre x expression can be rewritten using the term rewriting system in Table2 . This term rewriting system is basically an implementation of the axioms for the free (left) merge, encapsu- lation, hiding, renaming, and process pre xing.... In PAGE 9: ... After interpretation, atomic elements will always end up in the set A . Because the rewrite rules from Table2 remain valid when we substitute elements of this set for , this does not lead to inconsistencies. In rewrite rules M3g, M5 and PP7, some reservation has been made in case that the variable d should occur free in y or z.... In PAGE 13: ...ariable later. Next, the function bpa performs one rewrite step on Pre;Pre2. The pre x operator is no longer the main operator and the result Pre apos; is given back to trans-expr. The function bpa performs one rewrite step from the term rewriting system in Table2 . The function normalize is nothing more than a sequence of bpa applications, as long as the result is not yet a pCRL expression.... In PAGE 13: ...xpression. For example, see the equation that implements the rule M3c. atomic(Pre1) = true bpa(Globvar; Locvar; Pre1 kk Pre2; Newvar) = lt; Pre1 : Pre2; Newvar gt; [bpa-39] If Pre1 is an atomic element, then Pre1 kk Pre2 is rewritten into Pre1 Pre2. The variable Newvar in the equations above has to do with the reservation that has been made towards rules M3g, M5 and PP7 in Table2... In PAGE 14: ... It will only be executed if none of the other equations can be executed. Because the free left-merge is the main operator, this will be the case if none of the rules M2a{M6 from Table2 apply. In the condition of equation [bpa-54], bpa performs one rewrite step on Pre1, resulting in Pre apos;.... In PAGE 14: ... Next, Pre apos; kk Pre2 is returned for further rewriting. Finally, we present the equation modeling the most important rewrite rule from Table2 : rule PP4 that eliminates the early read and the pre x operator: bpa(Globvar; Locvar; er(Trm; Cns); Pre; Newvar) [bpa-58] = lt; put-sums(Cns; Trm; Cns; Pre; r); Newvar gt; The actual transformation is done in the function put-sums. Trms = transform(Cns) put-sums(N; Trm; Cns; Pre; N0) = sum(N; N0(Trm; Trms) : Pre)... ..."

Cited by 3

### Table 1. The -Rewriting System

"... In PAGE 4: ...1 The -calculus The -calculus of explicit substitutions extends the -calculus with explicit operators to simulate the substitution (meta-)operation of the -calculus. The rewriting system of the -calculus is given in Table1 . Its syntax is given as follows: Types A ::= K j A ! A Contexts ::= nil j A Terms a ::= 1 j X j a a j A:a j a[s] where X 2 X Substitutions s ::= id j quot; j a s j s s The set of -terms is written as (X).... In PAGE 10: ... In particular the types of the terms inside the substitutions remain unchanged. Normalise: From Table1 we infer that terms are introduced inside substitutions only by applications of the rules (Beta) or (Abs). In both cases, the type of the term introduced in the substitution is equal to the type associated1 to the abstractor of the applied rule.... ..."

### Table 4: Comparative verification results on the 1-bit fabric model using FormalCheck and VIS

"... In PAGE 5: ... FormalCheck, by default, uses 1-step reduction algo- rithm, which first performs a single reduction, and then ver- ifies the property [3]. As we can see in Table4 , the memory usage of the properties in FormalCheck has been less than in VIS for all of the properties checked. The CPU time usu- ally depends on the amount of work being loaded on the CPU at the time of the verification.... ..."

### Table 21: Term rewriting system for BPA drt.

1996

"... In PAGE 46: ...Table 21: Term rewriting system for BPA drt. Proof The term rewriting system of Table21 is associated to BPA drt by assigning a direction to the axioms. With the method of the lexicographical path ordering it is easily proven that this term rewriting system is strongly normalizing.... ..."

Cited by 7

### Table 3: A term rewriting system

1996

"... In PAGE 6: ...Table 3: A term rewriting system Table3 contains a term rewriting system (TRS) which reduces sequential composition to its pre x counterpart and which eliminates expressions x and x and x. De ne a weight function on terms as follows: w( ) = 2 w(p + q) = w(p) + w(q) w(pq) = w(p)2w(q) w( p) =... ..."

Cited by 6

### Table 3: A term rewriting system

1996

"... In PAGE 7: ...2 Construction of basic terms In this section we de ne a class of basic terms, and we show that each process term is provably equal to a basic term. Table3 contains a Term Rewriting System (TRS) which reduces sequential com- position to its pre x counterpart and which eliminates expressions x and x and x. De ne a weight function on terms as follows: w( ) = 2 w(p + q) = w(p) + w(q) w(pq) = w(p)2w(q) w( p) = 6w(p): It is easy to see that the weight of terms always strictly decreases under application of the rewrite rules.... ..."

Cited by 6

### Table 1: Verification results of model checking of TMRS using FormalCheck

2001

"... In PAGE 4: ... We first give an informal description of each property, then its equivalent expression in For- malCheck including details on the particular reduction technique and options used. The experimental results of these sample proper- ties are summarized in Table1 (cf.... In PAGE 4: ... In FormalCheck, this property is expressed as follows. Table1 reports that the verification of Property_A was Termi- nated , indicating that the verification attempt was stopped by an abnormal condition. Based on the specification of the TMRS the START_TRANSF state starts the transfer by asserting OSOC sig- nal [12], therefore, Property_A expects the FSM to move to START_TRANSF state and the OSOC signal to be set to high in the same clock cycle.... In PAGE 4: ... In FormalCheck, this property is expressed as follows. It is observed from Table1 , that the verification of Property_B failed. This means even after a cell transfer is done and there are no more cells to transfer, ODAT_OEB will still be asserted.... In PAGE 5: ... When the TMRS is polled by the master, the Polling controller uses the internal output of the Transfer control- ler to assert/deassert the RCA signal. While this property was suc- cessfully checked (see Table1 ), the vertical verification described in Section 2 could be applicable for this type of property in case of state explosion. 4.... In PAGE 5: ....3. Experimental Results The experimental results of the sample properties described in Section 4.2 are shown in Table1 , including the reduction tech- nique used, the status of the property verification, the number of reached states, the number of state variables in the model, the veri- fication CPU time (real time) in seconds, and the memory usage in megabytes. All verifications were executed on a HP9000 (440MHz) with 6144 MB RAM and HP-UX11 operating system.... ..."

Cited by 1

### Table 22: Term rewriting system for BPAdrt.

1996

"... In PAGE 58: ...Table22... ..."

Cited by 7