P. Wolper, P. Godefroid, Partial-order methods for temporal verification, Concurrency Theory 1993.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....on peut citer l exploration partielle contr ol ee par des ensembles persistants (stubborn) Val88,Val93] dormants (sleep set) God] ou encore la technique des graphes de pas couvrant [VAM] not es GPC dans la suite) que nous avons d evelopp e au LAAS. Dans le cas des ensembles persistants [WG] ou des stubborns, seulement un sous ensemble des transitions sensibilis ees est examin e, le graphe construit est alors un sous graphe du graphe exhaustif. Dans le cas du Graphe de Pas Couvrant [VAM] toutes les transitions sensibilis ees sont consid er ees, mais les ev enements ind ependants ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proceedings of CONCUR'93. Springer Verlag, LNCS 575. 18

....approaches. The partial order techniques (see [GW93,Pel98] for a survey) are the framework of the approach developed in this paper. Their basic principle is to consider a single specific path among all the sequences which possess the same Mazurkiewicz trace [Maz86] In the case of persistent sets [WG93], only a subset of enabled transitions is examined, the derived graph is then a subgraph of the whole graph. In the case of covering steps [VAM96] all the transitions are considered, but independent events are put together to build a single transition step, the firing of this transition step is ....

....2.3 Persistent sets Persistent sets are particular stubborn sets [Val88a] in which all transitions are enabled. Standard persistent sets exploration preserves deadlocks; numerous extensions have been proposed to preserve richer properties [Val90,GW93,Pel93] Definition 4. Persistent sets [WG93]: A set P of transitions is persistent in a state s iff all transitions not in P that are enabled in s or in states reachable from s by firing transitions not in P , are independent of all transitions in P , that is iff: 8t2P : s Gamma Gamma and 8w2P : s ) jjwjj o P . 4 A ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proceedings of CONCUR'93. Springer Verlag, LNCS 575, 1993.

....des techniques d ordre partiel (voir [God96] pour un panorama complet) dont le principe de base est de r eduire la taille du graphe d etats en exploitant le fait que deux s equences poss edant la meme trace de Mazurkiewicz[Maz86] conduisent au meme etat. Dans le cas des ensembles persistants [WG93] ou des stubborns [Val88a] seulement un sous ensemble des transitions sensibilis ees est examin e, le graphe construit est alors un sous graphe du graphe exhaustif. Dans le cas du Graphe de Pas Couvrant [VAM96] toutes les transitions sensibilis ees sont consid er ees, mais les ev enements ....

....dans lesquels toutes les transitions sont sensibilis ees. L exploration standard par ensembles persistants conserve les blocages; de nombreuses extensions ont et e propos ees dans le but de pr eserver d autres classes de propri et es [Val90,Val93] GW93] Definition 4. Ensemble persistant [WG93] : Un ensemble T de transitions est persistant dans un etat s ssi toutes les transitions qui ne sont pas dans T et sensibilis ees dans s ou dans un etat accessible depuis s en tirant des transitions qui ne sont pas dans T , sont ind ependantes de toutes les transitions de T , i.e. ssi: 8t2T : ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proceedings of Concur'93. LNCS 575, 1993. 15

....an interleaving of local executions of action sequences in the processes. If two or more interleavings are sufficiently similar to each other, we can call all except one of them redundant interleavings. The stubborn set method [68, 73, 74, 75, 76, 77, 78, 79, 80, 81] and the sleep set method [25, 26, 27, 28, 30, 31, 38, 49, 55, 99, 100] are state search techniques that are based on the idea that when two executions of action sequences are sufficiently similar to each other, it is not necessary to investigate both of the executions. Persistent sets [25, 26, 29, 31, 38, 98, 99, 100] and ample sets [51, 55, 56, 57] are strikingly ....

....79, 80, 81] and the sleep set method [25, 26, 27, 28, 30, 31, 38, 49, 55, 99, 100] are state search techniques that are based on the idea that when two executions of action sequences are sufficiently similar to each other, it is not necessary to investigate both of the executions. Persistent sets [25, 26, 29, 31, 38, 98, 99, 100] and ample sets [51, 55, 56, 57] are strikingly similar to stubborn sets, at least if we consider the actual construction algorithms that have been suggested for stubborn, persistent and ample sets. This similarity is made explicit in [48] where a set is said to be a stamper set whenever the set ....

[Article contains additional citation context not shown here]

Wolper, P., and Godefroid, P.: Partial-Order Methods for Temporal Verification. Best, E. (Ed.), Proceedings of the 4th International Conference on Concurrency Theory, Hildesheim, Germany, August 1993.

.... use distributed alphabets as in Thiagarajan [159] to allow multiset of actions as in step transition systems see e.g. 125] or to introduce parallel composition as known from for instance process algebra at the transition system level as in the communicating automata used by Wolper and Godefroid [174]. Closely related to transition systems are the I O automata of Lynch and Tuttle [108] here transition systems are augmented with extra structure partitioning actions into input or output and into internal or external, and parallel composition and hiding is supported. The wide applicability of ....

....trees (SATT s) we define below consists of a tuple of non deterministic top down finite tree automata and work on tuples of finite trees such that each NTA works on its component of a tuple while synchronising with the others. SATT s are closely related to communicating finite automata, see e.g. [174], and may be seen as communicating finite tree automata. Let T# = T# T# denote the set of l tuples of finite trees over the alphabet #. Definition 44 For i = 1, l let i = #, Q i , S i , # i ) be permutation closed NTAs. A synchronous automaton on tuples of finite trees, SATT , ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proc. CONCUR '93, volume 715 of Lecture Notes in Computer Science, pages 233-- 246, Hildesheim, August 1993. Springer-Verlag.

....time temporal logic CTL and the linear time temporal logics L(F ) and L(X;U;S) over K bounded Petri nets are PSPACE complete. 1 Introduction Formal verification techniques of distributed systems have received much attention, see for example [Lam80, SC85, CES86, Lar88, Mil89, SW89, Val90, WG93] A predominant technique is known as model checking. The approach is as follows. The systems one considers either explicitly or implicitly specify a state space which can be regarded as a (labelled) graph. Viewing these graphs as models (Kripke structures) for temporal logics, one can use ....

....structures whose sizes are exponentially larger than the description of the systems. For example, the state space of a K bounded Petri net can be (no more than) exponentially larger than the net. We will call such systems compact systems. K bounded Petri nets [JLL77] and synchronised automata [WG93] are examples of models which are widely use to specify and implement concurrent systems. Verification techniques for these and related systems have been presented in [Lar88, SW89, Val90, WG93, ES92, Esp93, BCM 92] Whereas the work in [Lar88, SW89] focuses on algorithms (tableau systems) for ....

[Article contains additional citation context not shown here]

Pierre Wolper and Patrice Godefroid. Partial-order methods for temporal verification. Technical report, Universit'e de Li`ege, Institut Montefiore, August

....to to cope with concurrent systems [10, 13] which do not necessarily terminate and has become increasingly popular as an approach to model checking [12, 35] both for large finite and for infinite state systems. Some other approaches are, e.g. behaviour abstraction [31] partial order methods [36], data independence [34] symbolic model checking [4, 20] and symbolic transition graphs [29] 1 One could argue that the actual implementation on a computer is finite state because memory is limited (but with a huge number of states; 10 100000000 for current PC s, even excluding disk ....

.... how liveness properties can be expressed in the proposed framework (a solution based on a refined treatment of negation might prove to be successful, see [28] We will also attempt to characterise the power of our approach compared to existing techniques for handling infinite state systems (e.g. [4, 36, 34, 29, 31, 35]) 2. Development of a combined partial evaluation and abstract interpretation system, building upon the ecce system [27] and the framework developed in [22] Specific features for infinite model checking based upon the insights of task 1 will probably be incorporated. 4 One may wonder why the ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In E. Best, editor, 4th. Int. Conf. on Concurrency Theory (CONCUR), LNCS 715, pages 233--246, 1993. Springer-Verlag, Berlin. 8

....methods, called partial order reductions, exploits the fact that many properties are insensitive to the order in which concurrent operations are executed. Therefore, selecting one such order can be used to reduce the memory and time needed to check these properties. Such methods were studied in [7, 28, 19, 20, 24, 25, 26, 5, 21, 23] and mostly applied to linear time temporal logic (LTL) and branching time temporal logic (CTL ) without the next state operator as well as to the weak modal mu calculus. Partial order reductions are aimed at constructing a reduced state graph, based on exploring for each visited state only a ....

P. Wolper, P. Godefroid, Partial-order methods for temporal verification, Concurrency Theory

....(physical) agents normally cannot achieve complete synchronisation and must know if it necessary to determine some order of acting or if some degree of independence is guaranteed. A definition that resembles common specifications of concurrent transition systems is the following (adapted from [WG93] Definition 9 Two state transitions t 1 and t 2 over the set of states S can possibly be executed in asynchronous concurrency if the following two conditions are true in all states s 2 S: 1. if t 1 [t 2 ] is enabled in s and t 1 (s) s 0 [t 2 (s) s 0 ] then t 2 [t 1 ] is enabled in s ....

Pierre Wolper and Patrice Godefroid. Partial-order methods for temporal verifications. In Proc. of CONCUR '93, volume 715, pages 233--246. Springer, 1993.

....dealing with the phenomenon of state space explosion. One line is to view sequences of actions, i.e. system behavior, as being equivalent, if they are equal except for permutations of some independent actions. This line of coping with state space explosion is referred to as partial order semantics [GW91, GW92, GW93, WG93, Val91b, Val91a]. The other line is based on realizing that there exist quite often internal behaviors of distributed components that are completely unimportant with respect to the global behavior of the system and the properties to be verified. Such an unimportantinternal behavior can be erased by mappings on ....

.... of abstractions of system behavior [Bru93, GL93, Nit94a, Nit94c, Nit94d, Och94b, Och94a, Sif83] For both lines, there exist approaches for constructing a reduced description of a system s behavior directly from the specification without an exhaustive exploration of the state space (see e.g. [WG93, Val91b, Och94a]) We will present in this article an abstraction based approach, where we retranslate temporal properties of abstractions into corresponding properties of the original behavior. We call it the retranslation method. For abstractions defined by simple homomorphisms, there exists a compositional ....

[Article contains additional citation context not shown here]

Pierre Wolper and Patrice Godefroid. Partial-order methods for temporal verification. In Best [Bes93], pages 233--246. 30

....large for automatic verification techniques to be feasible. State space reduction can help to improve the efficiency of verification algorithms. Basically two main concepts for the construction of a reduced state space exist: abstraction techniques [7 10,16,23,26,27] and partial order methods [14,15,31,30,32]. Abstraction reduces the state space by reducing the diversity of actions: actions can be ignored or identified with one another. Partial order methods avoid considering particular interleavings of concurrent behavioural patterns. Though being useful for some examples, both concepts still have ....

....one. The presented approach presents a framework of how reduced state spaces have to look like to be compatible with abstraction and verification under fairness assumptions. To construct an abstraction compatible trace system, some kind of reduced reachability analysis like, for instance, in [15,32] has to take place. In addition, one has to care for a fair treatment of all actions during the analysis, e.g. byintroducing a prioritisation of actions that changes during the program s analysis phase. The construction of such an algorithm is the next topictobestudied in this framework. A ....

Pierre Wolper and Patrice Godefroid. Partial-order methods for temporal verification. In Best [6], pages 233--246. 17

....a good compromise in the trade off between not making too detailed an analysis of dependencies and at the same time getting a reasonable reduction. 5. 3 Related Work The stubborn set method is one of a group of rather similar methods also suggested under the names of persistent sets, sleep sets [49, 50, 136], and ample sets [101, 102] All of these methods are based on the fact that the total effect of a set of concurrent actions is independent of the order in which the actions are executed. Therefore, it often suffices to investigate only one or some orderings in order to reason about the behaviour ....

....stubborn sets of process partitioned CP nets can also be used to compute ample sets of CP nets. Moreover, most algorithms for constructing ample sets are such that it is also possible to add disabled binding elements to the ample set and obtain a stubborn set. The persistent set method of [136] is similar to the ample set method and the set of enabled binding elements in a stubborn set constitute a persistent set as proven in [133] The ample set method has primarily been implemented in the SPIN tool. The construction of ample sets in the SPIN tool [24, 59] is based on an approach ....

[Article contains additional citation context not shown here]

P. Wolper and P. Godefroid. Partial Order Methods for Temporal Verification. In E. Best, editor, Proc. of 4th International Conference on Concurrency Theory (CONCUR), volume 715 of Lecture Notes in Computer Science. SpringerVerlag, 1993.

....by the state explosion problem, which is mainly caused by representing concurrency of operations by their interleaving. Therefore, many different reduction techniques have been introduced in order to alleviate the state explosion. The major methods include application of partial order reductions [Pel96, Val89, WG93], symmetry reductions [ES96] abstraction techniques [DGG94] BDDbased symbolic storage methods [Bry86] and SAT related algorithms [BCCZ99] Recently, the interest in automated verification is moving towards concurrent real time systems. Two main models for representing such systems are usually ....

....the reduction algorithm visits a new state and the set of enabled transitions en(ff 0 ) is examined, only a subset (Ample set) of it, denoted E(ff 0 ) is used to generate successors. The choice of Ample sets is constrained by the following conditions introduced and precisely discussed in [Pel96, Val89, WG93, GKPP99, PSGK00]. Let Vis denote the set of transitions, which change valuations of the propositions used in . Invis = T n V is. C1 No transition t 2 T n E(ff) that is not covered by a transition in E(ff) can be executed in N before a transition of E(ff) is executed. C2 On every cycle in the constructed state ....

P. Wolper and P. Godefroid, Partial-order methods for temporal verification, LNCS, vol. 715, 233--246, LNCS, Springer-Verlag, 1993, pp. 233--246.

.... allows the analysis of partial automata produced with the help of verification systems like AUTO, e.g. de Simone and Vergamini, 1989] and visualisation with the graphical verification tool AUTOGRAPH [Roy, 1990] Some of the algorithms used by our programs are inspired from existing algorithms ([Wolper and Godefroid, 1993; Peled, 1993] others are original. Among the last ones, a loop control allows to reduce an automata network without loss of behaviours, guaranteeing all the traces. 6.1 An example : The Dining Philosophers problem We have implemented the well known Dining Philosophers problem. The following ....

Pierre Wolper and Patrice Godefroid. Partial-Order Methods for Temporal Verification. In Concur'93, volume 715 of LNCS. SpringerVerlag, 1993.

....of the order in which the actions of the di#erent processes is merged. If we restrict to consider only one interleaving, then the number of states in the above example is reduced to nk 1. Several methods have been proposed to avoid representing all possible interleavings of (independent) actions ([WG93] gives an overview) The most elaborated method is the stubborn set method, which has been developed in a series of papers ( Val94] gives an overview) Algorithms for applying the method to CP nets was given in [Val91] The approach taken in [Val91] rely on unfolding the CP net into the equivalent ....

P. Wolper and P. Godefroid. Partial Order Methods for Temporal Verification. In E. Best, editor, Proc. of 4th international conference on Concurrency Theory (CONCUR), volume 715 of LNCS. Springer-Verlag, 1993.

.... have been used both for model checking and for general theorem proving (see [16] for a variety of approaches) In particular, ideas of the independence of operations that lead to partial order reductions have either been used for (usually linear) temporal logic based model checking reductions [14, 18, 7], or for theoretical work on general correctness proofs in unbounded domains. 11, 15, 8] For general correctness (as opposed to model checking) no mechanization has been implemented until now, and sample proofs have been hand simulated. The intuitive idea behind convenient computations is ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proceedings of CONCUR'93 (Eike Best, ed.), LNCS 715, 1993. 11

....The number of states of a system quickly grows too large for model checking algorithms to handle; often even an infinite number of states has to be analysed. Three different techniques have been established to address state space explosion: behaviour abstraction [40] partial order methods [48], and symbolic model checking [7] However, these techniques operate on finite state descriptions of a system s behaviour, leaving the problem of handling infinite statespaces unsolved. Since software systems, in general, are infinite state systems, model checking has had hardly any impact on ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In 4th. Int. Conf. on Concurrency Theory (CONCUR), LNCS 715, pages 233--246. Springer-Verlag, Berlin, Aug 1993. 8

....transition system may grow exponentially with the number of system components. Several approaches have been undertaken to overcome the state explosion problem, including partial order reductions, which attempt to reduce the number of states of the transition system to be investigated, see e.g. [Val89, Val90, GW93a, GW93b]. A recent systematic approach in this direction is given in [Pel93] for linear time temporal logics and in [GKPP95] for branching time. The idea (explained for linear time) is to use a notion of sequential run equivalence, which is induced by commutativity of the independent actions . One ....

P. Wolper and P. Godefroid, Partial-order methods for temporal verification, In E. Best, editor, Proceedings of the Third International Conference on Concurrency Theory CONCUR'93, number 715 in Lecture Notes in Computer Science, pages 233--246, Berlin-Heidelberg-New York, 1993, Springer.

....closure and can be convenient. Finally, projective equivalence [12] is an extension of stutter equivalence that requires stutter equivalence of various projections of a sequence. One context in which knowing that a property is closed is valuable is that of partial order verification algorithms [22, 4, 26, 13, 14]. These algorithms proceed by checking a property on a reduced state space obtained by only exploring selected interleaving sequences. The reduction is based on the observation that it is not necessary to explore different interleavings that vary from each other only by the relative order of ....

....and can easily be adapted for a large class of equivalence relations. 6 Application of Recognizing Equivalence Closedness 6. 1 Model Checking Applications Partial order reduction methods is a generic name for a family of algorithms for generating a reduced state space of a concurrent program [22, 4, 26, 14]. These algorithms are used for model checking properties of concurrent programs. They are based on a modified depth first search, where at each state in the search only a subset of the transitions that can be taken (i.e. are enabled) are chosen. The main observation in these algorithms is that ....

Wolper, P., Godefroid, P.: Partial-order methods for temporal verification. In Proc. CONCUR, 4th Conference on Concurrency Theory, Hildesheim, Germany. Lect. Notes in Comput. Sci., vol. 715, Springer (1993) 233--246. This article was processed using the L a T E X macro package with LLNCS style 15

....PSPACEcomplete problem. In spite of such rather discouraging complexity results, much effort has been devoted to making state space exploration practically feasible. These efforts have been quite successful and techniques such as symbolic verification [BCM 92] or partial order methods [Val92, WG93] are quite effective and tools based upon them are in regular use. For infinite state systems, even the theoretical possibility of exploring the state space disappears. Indeed, except for severely restricted classes of systems, most problems about reachable states become undecidable. This has ....

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proc. CONCUR '93, volume 715 of Lecture Notes in Computer Science, pages 233--246, Hildesheim, August 1993. Springer-Verlag. This article was processed using the L a T E X macro package with LLNCS style

No context found.

P. Wolper, P. Godefroid, Partial-order methods for temporal verification, Concurrency Theory 1993.

No context found.

P. Wolper, P. Godefroid, Partial-order methods for temporal verification, Concurrency Theory

No context found.

P. Wolper, P. Godefroid, Partial-order methods for temporal verification, Concurrency Theory

No context found.

P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In E. Best, editor, Proceedings of the 4th International Conference on Concurrency Theory (CONCUR'93), volume 715 of LNCS, 1993.

No context found.

Wolper, P., Godefroid, P.: Partial-Order Methods for Temporal Verification, Proceedings of CONCUR'93, 715, Springer-Verlag, 1993, 233--246.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC