Results 1-8 of 8
Games with secure equilibria
In Logic in Computer Science, 2004
Cited by 36 (12 self)
Abstract. In 2-player nonzero-sum games, Nash equilibria capture the options for rational behavior if each player attempts to maximize her payoff. In contrast to classical game theory, we consider lexicographic objectives: first, each player tries to maximize her own payoff, and then, the player tries to minimize the opponent’s payoff. Such objectives arise naturally in the verification of systems with multiple components. There, instead of proving that each component satisfies its specification no matter how the other components behave, it often suffices to prove that each component satisfies its specification provided that the other components satisfy their specifications. We say that a Nash equilibrium is secure if it is an equilibrium with respect to the lexicographic objectives of both players. We prove that in graph games with Borel winning conditions, which include the games that arise in verification, there may be several Nash equilibria, but there is always a unique maximal payoff profile of a secure equilibrium. We show how this equilibrium can be computed in the case of ω-regular winning conditions, and we characterize the memory requirements of strategies that achieve the equilibrium.
Assume-guarantee reasoning for deadlock
In: Proc. of FMCAD, 2006
Cited by 8 (3 self)
We extend the learning-based automated assume-guarantee paradigm to perform compositional deadlock detection. We define Failure Automata, a generalization of finite automata that accept regular failure sets. We develop a learning algorithm L^F that constructs the minimal deterministic failure automaton accepting any unknown regular failure set using a minimally adequate teacher. We show how L^F can be used for compositional regular failure language containment, and deadlock detection, using noncircular and circular assume-guarantee rules. We present an implementation of our techniques and encouraging experimental results on several nontrivial benchmarks.
Automated compositional proofs for real-time systems. Full version with appendices available online from http://www.elet.polimi.it/upload/furia
2005
Cited by 7 (4 self)
Abstract. We present a framework for formally proving that the composition of the behaviors of the different parts of a complex, real-time system ensures a desired global specification of the overall system. The framework is based on a simple compositional rely/guarantee circular inference rule, plus a small set of conditions concerning the integration of the different parts into a whole system. The reference specification language is the TRIO metric linear temporal logic. The novelty of our approach with respect to existing compositional frameworks — most of which do not deal explicitly with real-time requirements — consists mainly in its generality and abstraction from any assumptions about the underlying computational model and from any semantic characterizations of the temporal logic language used in the specification. Moreover, the framework deals equally well with continuous and discrete time. It is supported by a tool, implemented on top of the proof-checker PVS, to perform deduction-based verification through theorem-proving of modular real-time axiom systems. As an example of application, we show the verification of a real-time version of the old-fashioned but still relevant “benchmark” of the dining philosophers problem.
On the completeness of compositional reasoning methods
ACM Trans. Comput. Logic, 2010
Reasoning about Finite-State Switched Systems
Cited by 1 (0 self)
Abstract. A switched system is composed of components. The components do not interact with one another. Rather, they all interact with the same environment, which switches one of them on at each moment in time. In standard concurrency, a component restricts the environment of the other components, thus the concurrent system has fewer behaviors than its components. On the other hand, in a switched system, a component suggests an alternative to the other components, thus the switched system has richer behaviors than its components. We study finite-state switched systems, where each of the underlying components is a finite-state transducer. While the main challenge, namely compositionality, is similar in standard concurrent systems and in switched systems, the problems and solutions are different. On the verification front, we suggest and study an assume-guarantee paradigm for switched systems, and study formalisms in which satisfaction of a specification in all components implies its satisfaction in the switched system. On the synthesis front, we show that while compositional synthesis and design are undecidable, the problem of synthesizing a switching rule with which a given switched system satisfies an LTL specification is decidable.
Assume-Guarantee Reasoning for Deadlock
Abstract — We extend the learning-based automated assume-guarantee paradigm to perform compositional deadlock detection. We define Failure Automata, a generalization of finite automata that accept regular failure sets. We develop a learning algorithm L^F that constructs the minimal deterministic failure automaton accepting any unknown regular failure set using a minimally adequate teacher. We show how L^F can be used for compositional regular failure language containment, and deadlock detection, using noncircular and circular assume-guarantee rules. We present an implementation of our techniques and encouraging experimental results on several nontrivial benchmarks.
Automated Compositional Analysis for Checking Component Substitutability
2007
Model checking is an automated technique to verify hardware and software systems formally. Most of the model checking research has focused on developing scalable techniques for verifying large systems. A number of techniques, e.g., symbolic methods, abstractions, compositional reasoning, etc., have been proposed towards this goal. While methods based on symbolic reasoning (using binary decision diagrams or satisfiability solving) and methods based on computing abstractions automatically in a counterexample-driven manner have proved to be useful in verifying hardware and software systems, they do not directly scale to systems with a large number of modules or components. The reason is that they try to verify the complete system in a monolithic manner, which inevitably leads to the state-space explosion problem, i.e., there are too many states in the system to explore exhaustively. Compositional reasoning techniques try to address this problem by following a divide-and-conquer approach: the task of system verification is divided into several subtasks, each
Abstract. The paper proposes a bottom-up approach to the verification of systems with modular structure: when modules are composed in specific ways, the complete software system verifies a composition of the properties each component does. The focus of the work is on the process of upgrading systems with new functionalities, where the validity of old requirements needs to be ensured, but also an understanding of the new properties the upgraded system would enjoy is useful. Each component is supposed to be specified by a CCS process, and the properties expressed by selective mu-calculus formulae.