O. Kupferman and M. Vardi. Vacuity detection in temporal model checking. STTT, 4(2):224-- 233, February 2003.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....De nition 10 (Polarity of Sub formula) The polarity of f s sub formula is recursively de ned on the structure of f as below, f has positive polarity. Let be a sub formula of , then has the positive (negative polarity) if it is nested in even (odd) number of negation. Theorem 1. [KV99] A Kripke structure T satis es the formula f vacuously if and only if T j= f [a (a) for some (occurrence of) atomic proposition a, where (a) false if a has positive polarity in f and (a) true otherwise. 4 Proof Structure and Rational Trace 4.1 Proof structure for 9LTL model checking ....

O. Kupferman and M. Vardi. Vacuity detection in temporal model checking, 1999.

....execution paths of the system. In general the existence of linear counterexamples witnesses depends on the structure of formulas as well as the Kripke structure being checked. In the case of CTL, for example, linear counterexamples (witnesses) exist if the primary path quantier used is A (E) [KV99] gives more general conditions for CTL # and shows show that judging whether a CTL # formulae admits such counterexamples witnesses is PSPACE complete. Here we show how support sets may be used to generate linear counterexamples witnesses without reference to the temporal logic in which ....

....at. We showed how model checkers may be modied to return support sets and how support sets may be used to generate diagnostic information and may be efciently checked for internal consistency. We have also studied other uses for support sets not mentioned in this paper, including vacuity checking [KV99]. Prototype implementations of these results are being investigated in the context of the CWB NC verication tool [CS96] The idea of retaining evidence during model checking as a basis for justifying the result has appeared in several recent publications. In [PZ01,PPZ01] ideas in the setting of ....

O. Kupferman and M. Y. Vardi. Vacuity detection in temporal model checking. In Proceedings of the Tenth Conference on Correct Hardware Design and Verication Mothods, LNCS 1703, 1999.

....(witnesses) exist if the primary path quantifier used is A (E) 2] also gives the definition for witness and counterexample in ACTL. Their definition is semantics based: A counter example of a failing formula # in model T = computation path C = s 0 in T such that s 0 C #. [29] extends the definitions to CTL # and show that judging whether a CTL # formulae admits such counterexamples witnesses under the definitions of [2] is PSPACE complete. It s worth to point out that the definitions in [2, 29] are not exactly same as in [7] Let s consider the formula # = ....

....# in model T = computation path C = s 0 in T such that s 0 C #. 29] extends the definitions to CTL # and show that judging whether a CTL # formulae admits such counterexamples witnesses under the definitions of [2] is PSPACE complete. It s worth to point out that the definitions in [2, 29] are not exactly same as in [7] Let s consider the formula # = AG(AFa AF b) and the transition system T 2 in Figure 3. According the definition in [7] path C = s 0 s 2 is a counterexample for # because s 0 don t satisfy # = AFa AFb in model T 2 . Nevertheless, under the model C, both s 0 ....

[Article contains additional citation context not shown here]

O. Kupferman and M. Vardi. Vacuity detection in temporal model checking, 1999.

....Definition 10 (Polarity of Sub formula) The polarity of f s sub formula is recursively defined on the structure of f as below, f has positive polarity. Let # be a sub formula of #, then # has the positive (negative polarity) if it is nested in even (odd) number of negation. Theorem 1. [KV99] A Kripke structure T satisfies the formula f vacuously if and only if T f [a #(a) for some (occurrence of) atomic proposition a, where #(a) false if a has positive polarity in f and #(a) true otherwise. 4 Proof Structure and Rational Trace 4.1 Proof structure for In this section ....

O. Kupferman and M. Vardi. Vacuity detection in temporal model checking, 1999.

....from which it was generated. We normally expect that all but a few final states in the automaton are reached. If only the initial state is reached, or a minority of all the remaining states, this most likely indicates a vacuous result. A more thorough method of vacuity checking can be found in [KV99]. 4.3 Main Benefits The FeaVer tool grew out of an attempt to come up with a thorough method to check the call processing software for a commercial switching product, called the PathStar Access Server. We pursued this approach over a period of eighteen months, working with the developers of the ....

O. Kupferman, M.Y. Vardi, Vacuity detection in temporal model checking, Conf. on Correct Hardware Design and Verification Methods, SpringerVerlag, LNCS 1703, 1999, pp. 82-96.

....[17] modular decomposition [62] breadth first checking with the SAT procedure [9] etc. model checking still has to scale up for hardware, not speaking of software. Di#culties also come out of the temporal logic used for the specification which is often beyond human understanding capabilities [64 , 69]. Most of the success of model checking is not so much in the formal verification of refined functional specifications (always subjects to errors in the design of the model and or specification) but in the finding of bugs not found by other informal methods (such as testing or simulation) Such ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In L. Pierre and T. Kropf, eds., Correct Hardware Design and Verification Methods, IFIP WG 10.5 Adv. Res. Work. Conf. CHARME '99 , Bad Herrenalp, DE, LNCS 1703, pages 82--96. Springer-Verlag, 27--29 Sep. 1999.

.... [ 0 ] ut In [BB 97] we defined a subset of ACTL, and a set of important sub formulas, and proved that in order to detect vacuity with respect to this set it is enough to show that M j= false] where is the minimal sub formula of all the important sub formulas (See section 5) In [KV99], Kupferman and Vardi expand on this result by showing that for CTL , a formula is vacuous iff there is some minimal sub formula of such that M satisfies [ true] iff M satisfies [ false] We will now prove a very similar result that holds for all logics with polarity. The proof is ....

....on this result by showing that for CTL , a formula is vacuous iff there is some minimal sub formula of such that M satisfies [ true] iff M satisfies [ false] We will now prove a very similar result that holds for all logics with polarity. The proof is practically the same as the one in [KV99]; we give it here for the sake of completeness. We define the semantics of true and false as follows: true] fM jM is a modelg and [ false] Theorem 13. Let be a sub formula of formula in a logic with polarity. Then, for every model M the following are equivalent: 1. does not affect ....

[Article contains additional citation context not shown here]

O. Kupferman and M.Y. Vardi, "Vacuity Detection in Temporal Model Checking", CHARME 99, LNCS 1703, Springer-Verlag 1999.

....usually be determined quickly, and the abstraction can be adjusted to prevent reoccurrences. The absence of errors occurs when the application faithfully satisfies the property, but in this case it is possible that the property itself was in fact inadequate. This is called a vacuous property, cf. [KV99], or false positive, and it is addressed differently. Consider a property of the type we discussed earlier (p X ( q) A states that whenever a trigger condition p occurs then sometime thereafter, within a finite number of execution steps, a response q will follow, where q itself can either be ....

Kupferman, O., and Vardi, M.Y., Vacuity detection in temporal model checking, 10th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Lecture Notes in Computer Science, Springer-Verlag, 1999.

No context found.

O. Kupferman and M. Vardi. Vacuity detection in temporal model checking. STTT, 4(2):224-- 233, February 2003.

No context found.

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. Journal on Software Tools For Technology Transfer, 4(2):224--233, February 2003.

....the basis for a methodology for detecting vacuity in temporal logic specifications, the particular method described in [BBER97] is quite limited. A general method for detection of vacuity for specifications in CTL (and hence also LTL, which was not handled by [BBER97] was presented in [KV99,KV03] The key idea there is a general method for generating witness formulas. It is shown in [KV03] that instead of replacing a subformula by all subformulas , it suffices to replace it by either true or false depending on whether occurs in with negative polarity (i.e. under an odd number of ....

....method described in [BBER97] is quite limited. A general method for detection of vacuity for specifications in CTL (and hence also LTL, which was not handled by [BBER97] was presented in [KV99,KV03] The key idea there is a general method for generating witness formulas. It is shown in [KV03] that instead of replacing a subformula by all subformulas , it suffices to replace it by either true or false depending on whether occurs in with negative polarity (i.e. under an odd number of negations) or positive polarity (i.e. under an even number of negations) Thus, vacuity ....

[Article contains additional citation context not shown here]

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. STTT, 4(2):224--233, 2003.

....set the basis for a methodology for detecting vacuity in temporal logic specifications, the particular method described in [BBER97] is quite limited. A general method for detection of vacuity for specifications in CTL (and hence also LTL, which was not handled by [BBER97] was presented in [KV99,KV03] The key idea there is a general method for generating witness formulas. It is shown in [KV03] that instead of replacing a subformula by all subformulas , it suffices to replace it by either true or false depending on whether occurs in with negative polarity (i.e. under an odd ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In 10th CHARME, LCNS 170, 82--96. Springer-Verlag, 1999.

....suspects are possible errors in the modeling of the system or of the behavior, and possible incompleteness in the speci cation. There are various ways to look for possible errors in the modeling of the system or the behavior. One direction is to detect vacuous satisfaction of the speci cation [BBER97, KV99], where cases like antecedent failure [BB94] make parts of the speci cation irrelevant to its satisfaction. For example, the speci cation = AG(req AF grant) is vacuously satis ed in a system in which req is always false. A similar direction is to check the validity of the speci cation. ....

....the speci cation or in uence variables that appear in the speci cation [CGP99] It is easy to see that such a reduction abstracts away only states that are not covered, hence the set of covered states is not sensitive to such a reduction. Coverage and vacuity The notions of coverage and vacuity [BBER97, KV99] are closely related. In vacuity, we check that all the subformulas of the speci cation are relevant to its satisfaction. Thus, vacuity can be viewed as a coverage metric for the speci cation. Also, if there is a signal x that does not in uence the satisfaction of in the design, then no state in ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In 10th Advanced Research Working Conference on Correct Hardware Design and Verication Methods, Lecture Notes in Computer Science. Springer-Verlag, 1999.

....of such suspects are possible errors in the modeling of the system or of the behavior, and possible incompleteness in the specification. There are various ways to look for possible errors in the modeling of the system or the behavior. One way is to detect vacuous satisfaction of the specification [BBER97,KV99], where cases like antecedent failure [BB94] make parts of the specification irrelevant to its satisfaction. For example, the specification = G(req F grant) is vacuously satisfied in a system in which req is always false. A similar way is to check the validity of the specification. Clearly, a ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In 10th CHARME, LNCS 1703, pp. 82--96, 1999.

....engineers are usually interested in linear counterexamples, but there are CTL formulas whose failure cannot be witnessed by a linear counterexample. In general, CTL based model checkers do always accompany a negative answer by a counterexample. A similar comment applies to positive witnesses [59]. 6 It is important to consider infinite paths, since we are interested in ongoing computations. Deadlock and termination can be modeled explicitly via sink state. is that, given an LTL formula , it is possible to construct a finite state automaton A that accepts all computations that satisfy ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In 10th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, volume 1703 of Lecture Notes in Computer Science, pages 82--96. Springer-Verlag, 1999.

....suspects are possible errors in the modeling of the system or of the behavior, and possible incompleteness in the specification. There are various ways to look for possible errors in the modeling of the system or the behavior. One direction is to detect vacuous satisfaction of the specification [BBER97,KV99], where cases like antecedent failure [BB94] make parts of the specification irrelevant to its satisfaction. For example, the specification = AG(req AF grant) is vacuously satisfied in a system in which req is always false. A similar direction is to check the validity of the specification. ....

.... covered states is not sensitive to applying cone of influence reduction, where we abstract away parts of the systems that do not contain variables appearing in the specification or influence variables that appear in the specification [CGP99] We also note that the notions of coverage and vacuity [BBER97,KV99] are closely related. Vacuity can be viewed as a coverage metric for the specification. Also, if there is a signal x that does not influence the satisfaction of in the system, then no state in the system is x covered by . Our coverage metrics are compositional, in the sense that the ....

O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In 10th CHARME, LNCS 1703. pp. 82-96, Springer-Verlag, 1999.

No context found.

O. Kupferman and M. Y. Vardi. Vacuity detection in temporal model checking. In Conference on Correct Hardware Design and Verification Methods, pages 82--96, 1999.

No context found.

O. Kupferman and M. Y. Vardi. Vacuity detection in temporal model checking. In Conference on Correct Hardware Design and Verification Methods, pages 82--96, 1999.

No context found.

O. Kupferman and M. Vardi. Vacuity detection in temporal model checking. In 10th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, volume 1703 of Lecture Notes in Computer Science, pages 82--96. Springer-Verlag, 1999.

No context found.

O. Kupferman and M. Y. Vardi. Vacuity detection in temporal model checking. In Conference on Correct Hardware Design and Verification Methods, pages 82--96, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC