Results 1  10
of
48
TreeLike Counterexamples in Model Checking
 In Proceedings of the 17 th Annual IEEE Symposium on Logic in Computer Science (LICS’02
, 2002
"... Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, stateof the art model checkers are restricted to relatively simple counterexamples, and surprisingly little rese ..."
Abstract

Cited by 62 (5 self)
 Add to MetaCart
(Show Context)
Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, stateof the art model checkers are restricted to relatively simple counterexamples, and surprisingly little research effort has been put into counterexamples. In this paper, we introduce a new general framework for counterexamples. The paper has three main contributions: (i) We determine the general form of ACTL counterexamples. To this end, we investigate the notion of counterexample and show that a large class of temporal logics beyond ACTL admits counterexamples with a simple treelike transition relation. We show that the existence of treelike counterexamples is related to a universal fragment of extended branching time logic based on ! regular temporal operators. (ii) We present new symbolic algorithms to generate treelike counterexamples for ACTL specifications. (iii) Based on treelike counterexamples we extend the abstraction refinement methodology developed recently by Clarke et al. (CAV'2000) to full ACTL. This demonstrates the conceptual simplicity and elegance of treelike counterexamples.
Finding and fixing faults
 Paul (Eds.), 13th Conference on Correct Hardware Design and Verification Methods (CHARME ’05
, 2005
"... Knowing that a program has a bug is good, knowing its location is better, but a fix is best. We present a method to automatically locate and correct faults in a finite state system, either at the gate level or at the source level. We assume that the specification is given in Linear Temporal Logic, a ..."
Abstract

Cited by 40 (6 self)
 Add to MetaCart
(Show Context)
Knowing that a program has a bug is good, knowing its location is better, but a fix is best. We present a method to automatically locate and correct faults in a finite state system, either at the gate level or at the source level. We assume that the specification is given in Linear Temporal Logic, and state the correction problem as a game, in which the protagonist selects a faulty component and suggests alternative behavior. The basic approach is complete but as complex as synthesis. It also suffers from problems of readability: the correction may add state and logic to the system. We present two heuristics. The first avoids the doubly exponential blowup associated with synthesis by using nondeterministic automata. The second heuristic finds a memoryless strategy, which we show is an NPcomplete problem. A memoryless strategy corresponds to a simple, local correction that does not add any state. The drawback of the two heuristics is that they are not complete unless the specification is an invariant. Our approach is general: the user can define what constitutes a component, and the suggested correction can be an arbitrary combinational function of the current state and the inputs. We show experimental results supporting the applicability of our approach.
The existence of finite abstractions for branching time model checking
 In LICS (2004
"... Abstraction is often essential to verify a program with model checking. Typically, a concrete source program with an infinite (or finite, but large) state space is reduced to a small, finite state, abstract program on which a correctness property can be checked. The fundamental question we investig ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
(Show Context)
Abstraction is often essential to verify a program with model checking. Typically, a concrete source program with an infinite (or finite, but large) state space is reduced to a small, finite state, abstract program on which a correctness property can be checked. The fundamental question we investigate in this paper is whether such a reduction to finite state programs is always possible, for arbitrary branching time temporal properties. We begin by showing that existing abstraction frameworks are inherently incomplete for verifying purely existential or mixed universalexistential properties. We then propose a new, complete abstraction framework which is based on a class of focused transition systems (FTS’s). The key new feature in FTS’s is a way of “focusing ” an abstract state to a set of more precise abstract states. While focus operators have been defined for specific contexts, this result shows their fundamental usefulness for proving nonuniversal properties. The constructive completeness proof provides linear size maximal models for properties expressed in logics such as CTL and the mucalculus. This substantially improves upon known (worstcase) exponential size constructions for their universal fragments. 1.
Explaining Counterexamples Using Causality
"... Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification i ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
(Show Context)
Abstract. When a model does not satisfy a given specification, a counterexample is produced by the model checker to demonstrate the failure. A user must then examine the counterexample trace, in order to visually identify the failure that it demonstrates. If the trace is long, or the specification is complex, finding the failure in the trace becomes a nontrivial task. In this paper, we address the problem of analyzing a counterexample trace and highlighting the failure that it demonstrates. Using the notion of causality, introduced by Halpern and Pearl, we formally define a set of causes for the failure of the specification on the given counterexample trace. These causes are marked as red dots and presented to the user as a visual explanation of the failure. We study the complexity of computing the exact set of causes, and provide a polynomialtime algorithm that approximates it. This algorithm is implemented as a feature in the IBM formal verification platform RuleBase PE, where these visual explanations are an integral part of every counterexample trace. Our approach is independent of the tool that produced the counterexample, and can be applied as a lightweight external layer to any model checking tool, or used to explain simulation traces. 1
Making Prophecies with Decision Predicates
"... We describe a new algorithm for proving temporal properties expressed in LTL of infinitestate programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branchingtime logic CTL than they can with native LT ..."
Abstract

Cited by 11 (7 self)
 Add to MetaCart
(Show Context)
We describe a new algorithm for proving temporal properties expressed in LTL of infinitestate programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branchingtime logic CTL than they can with native LTL tools. The caveat is that, in certain instances, nondeterminism in the system’s transition relation can cause CTL methods to report counterexamples that are spurious with respect to the original LTL formula. To address this problem we describe an algorithm that, as it attempts to apply CTL proof methods, finds and then removes problematic nondeterminism via an analysis on the potentially spurious counterexamples. Problematic nondeterminism is characterized using decision predicates, and removed using a partial and symbolic determinization procedure that introduces new prophecy variables to predict the future outcome of these decisions. We demonstrate—using examples taken from the PostgreSQL database server, Apache web server, and Windows OS kernel—that our method can yield enormous performance improvements in comparison to known tools, allowing us to automatically prove properties of programs where we could not prove them before. 1.
Embedding finite automata within regular expressions
 In 1st International Symposium on Leveraging Applications of Formal Methods
, 2004
"... Abstract. Regular expressions and their extensions have become a major component of industrystandard specification languages such as PSL/Sugar ([2]). The model checking procedure of regular expression based formulas, as well as of many LTL and CTL formulas, involves constructing an automaton which ..."
Abstract

Cited by 10 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Regular expressions and their extensions have become a major component of industrystandard specification languages such as PSL/Sugar ([2]). The model checking procedure of regular expression based formulas, as well as of many LTL and CTL formulas, involves constructing an automaton which runs in parallel with the model. In this paper we reexamine this construction. Instead of directly translating a regular expression into an automaton, as traditionally done, we propose an algorithm which allows an intermediate representation mixing both regular expressions and automata. This representation can be thought of as plugging an automaton inside a regular expression, to replace an existing subexpression. In order to be verified, the intermediate representation is then translated into another automaton, resulting in a set of automata running in parallel. A key feature of this algorithm is that the plugin automaton is independent of the regular expression from which it originated, and thus can be used in several different properties. The contribution of our work is manyfold, as demonstrated in the paper. It allows modularity and flexibility of the automata construction, and can increase expressiveness when SEREs are mixed with CTL. In many cases it significantly reduces the size of the automata built for formulas, thus reducing the overall run time of verification. 1
On decidability of LTL model checking for process rewrite systems
 in: FSTTCS 2006, LNCS 4337 (2006
"... Abstract. We establish a decidability boundary of the model checking problem for infinitestate systems defined by Process Rewrite Systems (PRS) or weakly extended Process Rewrite Systems (wPRS), and properties described by basic fragments of actionbased Linear Temporal Logic (LTL). It is known tha ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We establish a decidability boundary of the model checking problem for infinitestate systems defined by Process Rewrite Systems (PRS) or weakly extended Process Rewrite Systems (wPRS), and properties described by basic fragments of actionbased Linear Temporal Logic (LTL). It is known that the problem for general LTL properties is decidable for Petri nets and for pushdown processes, while it is undecidable for PA processes. As our main result, we show that the problem is decidable for wPRS if we consider properties defined by formulae with only modalities strict eventually and strict always. Moreover, we show that the problem remains undecidable for PA processes even with respect to the LTL fragment with the only modality until or the fragment with modalities next and infinitely often. 1
Algorithmic metatheorems for decidable LTL model checking over infinite systems
"... By algorithmic metatheorems for a model checking problem P over infinitestate systems we mean generic results that can be used to infer decidability (possibly complexity) of P not only over a specific class of infinite systems, but over a large family of classes of infinite systems. Such results n ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
By algorithmic metatheorems for a model checking problem P over infinitestate systems we mean generic results that can be used to infer decidability (possibly complexity) of P not only over a specific class of infinite systems, but over a large family of classes of infinite systems. Such results normally start with a powerful formalism F of infinitestate systems, over which P is undecidable, and assert decidability when is restricted by means of an extra “semantic condition ” C. We prove various algorithmic metatheorems for the problems of model checking LTL and its two common fragments LTL(Fs,Gs) and LTLdet over the expressive class of word/tree automatic transition systems, which are generated by synchronized finitestate transducers operating on finite words and trees. We present numerous applications, where we derive (in a unified manner) many known and previously unknown decidability and complexity results of model checking LTL and its fragments over specific classes of infinitestate systems including pushdown systems; prefixrecognizable systems; reversalbounded counter systems with discrete clocks and a free counter; concurrent pushdown systems with a bounded number of contextswitches; various subclasses of Petri nets; weakly extended PAprocesses; and weakly extended groundtree rewrite systems. In all cases, we are able to derive optimal (or near optimal) complexity. Finally, we pinpoint the exact locations in the arithmetic and analytic hierarchies of the problem of checking a relevant semantic condition and the LTL model checking problems over all word/tree automatic systems.
Modeling and Analysis of StateoftheArt VMBased Cloud Management Platforms
"... Abstract—Virtualization is one of the key aspects used in cloud computing environment to achieve scalability and flexibility. To cope with the large number of virtual machines (VM) involved in the cloud, several solutions have been proposed to automatically monitor and deploy VM in resource pools. M ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
(Show Context)
Abstract—Virtualization is one of the key aspects used in cloud computing environment to achieve scalability and flexibility. To cope with the large number of virtual machines (VM) involved in the cloud, several solutions have been proposed to automatically monitor and deploy VM in resource pools. Most of the cloud management system, such as Amazon EC2, are proprietary and are not generally available for research. In the said perspective, many open source VMbased cloud platforms launched for general users to research. The existing work performed in VMbased cloud management platforms have mainly focused on the discussion of architecture, feature set, and performance analysis. However, other important aspects, such as formal analysis, modeling, and verification are usually ignored. In this paper, we provide a formal analysis, modeling, and verification of three open source stateoftheart VMbased cloud management platforms: 1) Eucalyptus, 2) Open Nebula, and 3) Nimbus. We have used highlevel Petri nets (HLPN) to model and analyze the structural and behavioral properties of the systems. Moreover, to verify the models, we have used Satisfiability Modulo Theories Library (SMTLib) and Z3 Solver. We modeled about 100 VM to verify the correctness and feasibility of our models. The results reveal that the models are functioning correctly. Moreover, the increase in the number of VM does not affect the working of the models that indicates the practicability of the models in a highly scalable and flexible environment. Index Terms—VMbased cloud management, highlevel Petri nets (HLPN), SMT, Z3, modeling, and verification Ç 1
The Common Fragment of ACTL and LTL
"... The paper explores the relationship between tree languages definable in LTL, CTL, and ACTL, the fragment of CTL where only universal path quantification is allowed. The common fragment of LTL and ACTL is shown to be strictly smaller than the common fragment of LTL and CTL. Furthermore, an algorithm ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
The paper explores the relationship between tree languages definable in LTL, CTL, and ACTL, the fragment of CTL where only universal path quantification is allowed. The common fragment of LTL and ACTL is shown to be strictly smaller than the common fragment of LTL and CTL. Furthermore, an algorithm is presented for deciding if an LTL formula can be expressed in ACTL. This algorithm uses an effective characterization of level 3/2 of the concatenation hierarchy for infinite words, also a new result.