O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....3 W m 3 W m 3 W # 3 ) # (# 1 # 1 # 3 ) 3) which is model checked by STeP in a fraction of a second. This implies the validity of mutual exclusion, one-bounded overtaking and accessibility for the infinite state concrete system, bakery(2). For more on simulation and refinement, see e.g. [33, 20, 41]. Other approaches to the generation of abstract finite state systems are presented in [29, 3]. As with the invariant generation methods of Sect. 4, the underlying theory is based on abstract interpretation [22]; see, for instance, [24, 8, 62]. 8. Atomic bakery(N) In many applications, an ....
E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Trans. on Programming Languages and Systems, 16(5):1512--1542, Sept. 1994.
.... systems for safety properties are found in [ZdRvE84, Pan88, PJ91, dRdBH99]. Other assume-guarantee rules for safety properties are proposed in [Sta85, Pnu85, Kur87, AH96, McM97]. More general rules that apply to both safety and liveness properties are proposed in [Pnu85, Jos87, CLM89, GL94, AL95, McM99]. We have concentrated on the completeness question for general rules that apply to both safety and liveness properties. As shown in Section 3, the circular rules in [AL95] and the rule C1 derived from [McM99] are incomplete. The circular rule presented in [HQRT98] for the ....
....in LTL, the notion of circularity is a somewhat weak one, in that proofs carried out with circular rules are efficiently translatable into proofs with non circular rules, and vice versa. The computational complexity of establishing an assume guarantee triple has been studied extensively in [GL94,KV95,KV97] for various combinations of specification logics. We have considered a different question, that of the complexity of translating between proofs obtained with different compositional rules, whenever this is possible. There are a number of ways one could choose to strengthen the ....
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems (TOPLAS), 1994.
....preorder. For state machines without acceptance conditions, there is a well understood notion of simulation with a long history (see, e.g. [Mil89,HHK95]). For automata, where acceptance (fairness) conditions are present, there are a variety of different simulation notions (see, e.g. [HKR97,GL94]). At a minimum, for such a simulation to be of use for purpose (1) it must have the following property: whenever state q′ simulates state q, the language of the automaton with start state q′ contains the language of the automaton with start state q. This property alone however is ....
O. Grumberg and D. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
.... the problem: How can we be sure that a computer program is correct? The general problem is extremely difficult, and the enormous variety of computer software in use demands a corresponding variety of approaches: e.g. structured design methods [YC86], automated testing [Ber91] and model checking [GL94]. Another possibility, in some sense the most idealistic, is the formal development of programs with mathematical proofs of correctness claims. If this ideal is ever to become a reality, it is widely agreed that certain basic requirements must be met: The language in which programs are ....
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. Programming Languages and Systems, 16(3):843--871, 1994.
....2 ) m 3 W m 3 W :m 3 W 3 ) 1 ) 1 3 ) 3) which is model checked by STeP in a fraction of a second. This implies the validity of mutual exclusion, one-bounded overtaking and accessibility for the infinite state concrete system, bakery(2). For more on simulation and refinement, see e.g. [33, 20, 41]. Other approaches to the generation of abstract finite state systems are presented in [29, 3]. As with the invariant generation methods of Sect. 4, the underlying theory is based on abstract interpretation [22]; see, for instance, [24, 8, 62]. 8. Atomic bakery(N) In many applications, an unknown ....
E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Trans. on Programming Languages and Systems, 16(5):1512-1542, Sept. 1994.
....logic formulas is essentially the same as model checking the module with respect to linear temporal logic formulas. The situation is different for the branching temporal paradigm, where assumptions are taken to apply to the computation tree of the system within which the module is interacting [43]. In this framework, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system satisfying , the system also satisfies . As is shown in [43], this is not equivalent to M satisfying . We call this branching modular model checking. Furthermore, it is argued in ....
....paradigm, where assumptions are taken to apply to the computation tree of the system within which the module is interacting [43]. In this framework, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system satisfying , the system also satisfies . As is shown in [43], this is not equivalent to M satisfying . We call this branching modular model checking. Furthermore, it is argued in [43] as well as in [26,51,43,27] that in the context of modular verification it is advantageous to use only universal branching temporal logic, i.e. branching temporal ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....We distinguish here between two types of temporal logics: universal and non-universal. Both logics describe the computation tree induced by the system. Formulas of universal temporal logics, such as LTL, ∀CTL, and ∀CTL , describe requirements that should hold in all the branches of the tree [GL94]. These requirements may be either linear (e.g. in all computations, only finitely many requests are sent) as in LTL or branching (e.g. in all computations we eventually reach a state from which, no matter how we continue, no requests are sent) as in ∀CTL. In both cases, the more behaviors the ....
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
...., and vice versa. Robustness with respect to LTL, and PSPACE-completeness extend to the fair case. It is less obvious how to generalize the branching approach to account for fairness. Several proposals for fair bisimulation can be found in the literature. We consider here three: ∃-bisimulation [GL94], game bisimulation [HKR97,HR00] and ∀-bisimulation [LT87]. In a bisimulation relation between S and S′ with no fairness, two related states s and s′ agree on their observable variables, every successor of s is related to some successor of s′, and every successor of s′ is related to ....
....extend a relation H ⊆ W × W′, over the states of S and S′, to a relation over infinite computations of S and S′: for two computations w₀, w₁, … in S and w′₀, w′₁, … in S′, the two computations are related by H iff H(wᵢ, w′ᵢ) for all i ≥ 0. ∃-bisimulation [GL94]: A relation H ⊆ W × W′ is an ∃-bisimulation relation between S and S′ iff the following conditions hold for all ⟨w, w′⟩ ∈ H. 1. L(w) L′(w′). 2. Each fair w-computation in S has a fair w′-computation in S′ related to it by H. 3. Each fair w′ ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....enable the description of behaviors that satisfy both liveness and safety properties, containment and simulation are revised to consider only the fair computations of the implementation and the specification. The resulting problems, of fair containment and fair simulation [BBLS92, ASB 94, GL94], are both PSPACE-complete [KV98]. 4. The implementation complexity of fair containment and fair simulation. Here, the advantage of the trace-based approach reappears. Indeed, the implementation complexity of fair simulation stays PSPACE-complete, whereas that of fair containment is ....
....O of observable events and 1 While it is not hard to extend the trace-based approach to account for fairness, it is not so obvious how to do it in the tree-based approach. Several proposals for fair bisimulation can be found in the literature. In this paper, we study the earliest definition, of [GL94]. The alternative definition of [HKR97] is based on games, and the complexity of checking game simulation is only polynomial. n components S₁, …, Sₙ for some n ≥ 1. Each component Sᵢ is a tuple ⟨Oᵢ, Wᵢ, Wᵢ⁰, δᵢ, Lᵢ, αᵢ⟩, where: • Oᵢ ⊆ O is a set of local ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
.... of the branching logic CTL , over LTL [CD88]. Indeed, while a correct trace-based implementation is guaranteed to satisfy all the LTL formulas satisfied in the specification, a correct tree-based implementation is guaranteed to satisfy all the ∀CTL formulas satisfied in the specification [GL94]. 1. The joint complexity of containment and simulation. This measure considers the complexity in terms of both the implementation and the specification. The joint complexity of simulation is PTIME-complete [Mil80, BGS92], whereas that of containment is PSPACE-complete [SVW87]. 2. The ....
....enable the description of behaviors that satisfy both liveness and safety properties, containment and simulation are revised to consider only the fair computations of the implementation and the specification. The resulting problems, of fair containment and fair simulation [BBLS92, ASB 94, GL94], are both PSPACE-complete [KV96]. 4. The implementation complexity of fair containment and fair simulation. Here, the advantage of the trace-based approach reappears [KV96]. We address the question about the power of concurrency in program verification by examining the four measures when ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....of open systems with respect to branching temporal specifications is rather intractable. Recall that not all specification formalisms are sensitive to the distinction between open and closed systems. The study of verification of open systems has motivated the use of universal temporal logic [GL94] as a specification formalism. Formulas of universal temporal logics describe requirements that should hold in all computations of the system. These requirements may be either linear or branching. In both cases, the more behaviors the system has, the harder it is for the system to satisfy the ....
....being nondeterministic. Thus, for such formulas, one can use the module checking method. We study the problems of determining whether a given formula is universal or mixed, and show that they are both EXPTIME-complete. These results are relevant also in the contexts of modular verification [GL94] and backwards reasoning [HKQ98]. In the discussion, we compare robust model checking with previous work about verification of open systems as well as with the closely related area of supervisory control [RW89, Ant95]. We also argue for the generality of the model studied in this paper and show ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....a serious obstacle to industrial scale verification. Various techniques reduce the size of the state space that a model checker must analyze. Some decompose designs into smaller components which are analyzed separately; combining results on the smaller components yields results on the full design [23, 29]. Others reduce the size of individual components through some form of abstraction [11, 18]. An abstraction hides some information from a state space to yield a smaller state space. Ideally, operations over the smaller state space should use fewer resources than over the original state space. ....
Grumberg, O. and D. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....logic formulas is essentially the same as model checking the module with respect to linear temporal logic formulas. The situation is different for the branching temporal paradigm, where assumptions are taken to apply to the computation tree of the system within which the module is interacting [GL94]. In this framework, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system satisfying , the system also satisfies . As is shown in [GL94], this is not equivalent to M satisfying . We call this branching modular model checking. Furthermore, it is argued ....
....paradigm, where assumptions are taken to apply to the computation tree of the system within which the module is interacting [GL94]. In this framework, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system satisfying , the system also satisfies . As is shown in [GL94], this is not equivalent to M satisfying . We call this branching modular model checking. Furthermore, it is argued in [GL94] as well as in [DDGJ89, Jos89, GL94, DGG93] that in the context of modular verification it is advantageous to use only universal branching temporal logic, i.e. ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
No context found.
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
No context found.
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems (TOPLAS), 16(3):843--871, 1994.
No context found.
O. Grumberg and D. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
No context found.
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....described in [MBB 98]. 3 Abstraction Abstraction reduces the complexity of a system being verified by considering a simpler abstract system, where some of the details of the original concrete system are hidden. There is much work on the theoretical foundations of reactive system abstraction [CGL94,DGG94,LGS 95,Dam96], usually based on the ideas of abstract interpretation [CC77]. Most abstractions weakly preserve temporal properties: if a property holds for the abstract system, then a corresponding property will hold for the concrete one. However, the converse will not be true: not all ....
....to a model checkable finite state system, uncovering significant flaws in the original design. [DGH95] investigates the separation of control and data in infinite state systems, combining model checking with the generation of verification conditions that are established deductively. [Lon93,CGL94] show how abstraction and modularity can be combined for finite state systems that are synchronously composed and symbolically model checked. Refinement: In general, refinement can be seen as the dual of abstraction, and used as a formal system design methodology [dBdRR90,KMP94]: first, a ....
E.M. Clarke, O. Grumberg, and D.E. Long. Model checking and abstraction. ACM Trans. on Programming Languages and Systems, 16(5):1512-- 1542, September 1994.
....may both avoid missed implementation errors and save precious verification time. Below we describe our method to determine whether a specification is complete with respect to a given implementation. We restrict our attention to safety properties written in the universal branching time logic ACTL [3]. This logic is relatively restricted, but can still express most of the specifications used in practice. Moreover, it can fully characterize every deterministic implementation. We consider a single specification formula (the conjunction of all properties). We first apply model checking to ....
....can fully characterize every deterministic implementation. We consider a single specification formula (the conjunction of all properties). We first apply model checking to verify that the specification formula is true for the implementation model. The formula is then transformed into a tableau [3]. By definition, since the formula is true for the model, the tableau is greater by the simulation preorder [9] than the model. We defined a reduced tableau for ACTL safety formulas. Our tableau is based on the particle tableau for LTL, presented in [6]. We further reduce their tableau by ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994. 17
....[9], i.e. the subset of CTL that contains only existential path quantifiers. In the other direction, viewing M₁ as the model with idle transitions, tr as the identity relation will be faithful for both languages being CTL specifications that contain only universal path quantifiers (ACTL ) [10]. If the infinite idle executions are eliminated due to fairness constraints in the models, then the models are stuttering bisimilar and tr as the identity will be strongly faithful with respect to full CTL−X [4]. The well known observation of Lamport [16] that linear time temporal ....
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
.... are widely used are the bisimulation equivalence [Par81] and the simulation preorder [Mil71]. The former guarantees strong preservation of branching-time temporal logics such as CTL and CTL  [CE81]. The latter guarantees weak preservation of the universal fragment of these logics (ACTL and ACTL  [GL94]). Bisimulation has the advantage of preserving more expressive logics. However, this is also a disadvantage since it requires the abstract structure to be too similar to the original one, thus allowing less powerful reductions. The simulation preorder, on the other hand, allows more powerful ....
....hold: 1. (s₀, s′₀) ∈ H. 2. For all (s, s′) ∈ H, L(s) L′(s′) and ∀t[(s, t) ∈ R  ∃t′[(s′, t′) ∈ R′  (t, t′) ∈ H]]. We say that M′ simulates M (denoted by M  M′) if there exists a simulation relation H over M × M′. The logic ACTL [GL94] is the universal fragment of the powerful branching-time logic CTL . ACTL consists of the temporal operators X (next time), U (until) and R (release) and the universal path quantifier A (for all paths). The formal definition is omitted and can be found in [CGP99]. The following lemma and ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
....of all computations of the program that satisfy . The problem of verifying that a given module M satisfies such a pair ⟨ , ⟩, which we call the linear-branching modular model checking problem, is more general than either linear or branching model checking. A second approach was considered in [GL94], where assumptions are taken to apply to the computation tree of the system within which the module is interacting. Accordingly, assumptions in [GL94] are also expressed in branching temporal logic. There, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system ....
....modular model checking problem, is more general than either linear or branching model checking. A second approach was considered in [GL94], where assumptions are taken to apply to the computation tree of the system within which the module is interacting. Accordingly, assumptions in [GL94] are also expressed in branching temporal logic. There, a module M satisfies an assume-guarantee pair ⟨ , ⟩ iff whenever M is part of a system satisfying , the system satisfies too. We call this branching modular model checking. Furthermore, it is argued there, as well as in [DDGJ89, Jos89, ....
[Article contains additional citation context not shown here]
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
No context found.
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
No context found.
O. Grumberg and D. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3), 1994.
No context found.
O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. on Programming Languages and Systems, 16(3):843--871, 1994.
CiteSeer.IST - Copyright Penn State and NEC