G.J. Holzmann, P. Godefroid, D. Pirottin, Coverage Preserving Reduction Strategies for Reachability Analysis, in Proc. 12th IFIP WG 6.1. International Symposium on Protocol Specification, Testing, and Validation, FORTE/PSTV '92, pp.349-363, North-Holland, 1992.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....analyses can explore many execution sequences that are not strictly required to prove the safety and liveness properties of a concurrent system. In the last few years, several proposals have been made for revised search algorithms that can avoid some or all of this redundancy, e.g. V90] GW91] [HGP92], V93] P93] The methods that have been studied so far can be classified as dynamic reduction methods. They attempt to compute mostly at runtime (i.e. during the search) which parts of the reachability analysis are redundant and can be skipped. Unavoidably, the additional computations also ....

....to be considered successful is known as the reduction proviso. The need for such a proviso was first recognized by Valmari in [V90] The version of the proviso used here was first proposed in [P93] A weaker version of the same test, for the preservation of safety properties only, was discussed in [HGP92]. In the next section we will show that the stronger proviso from [P93] guarantees the preservation of both safety and liveness properties. 8 s = top(Stack) 8a order processes; using safety as ordering principle see text 9 for each sequential process i 9a boolean NotInStack = ....

[Article contains additional citation context not shown here]

G.J. Holzmann, P. Godefroid, and D. Pirottin, "Coverage preserving reduction strategies for reachability analysis," Proc. IFIP, Symp. on Protocols Specification, Testing, and Verification, June 1992, Orlando, Fl. pp. 349-364.

....that some claim expressed using a temporal logic is never violated. Explicit modeling of all the interleavings of steps among any particular set of intercommunicating processes is a computationally very expensive operation. Fortunately, a class of optimizations based upon partial order techniques [13, 18] can significantly decrease the necessary complexity by taking advantage of the fact that only a few state transitions represent model events which actually affect changes in the state of communication channels and other processes. This allows the model checker to omit verification of most ....

Gerard J. Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proceedings of PSTV, 1992.

....that some claim expressed using a temporal logic is never violated. Explicit modeling of all the interleavings of steps among any particular set of intercommunicating processes is a computationally very expensive operation. Fortunately, a class of optimizations based upon partial order techniques [13, 18] can significantly decrease the necessary complexity by taking advantage of the fact that only a few state transitions represent model events which actually affect changes in the state of communication channels and other processes. This allows the model checker to omit verification of most ....

Gerard J. Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proceedings of PSTV, 1992.

....in size as potentially an extremely large number of configurations may need to be covered. Even without the inclusion of internal variables in the configuration, the size of the reachability tree increases exponentially with respect to the number of orthogonal components. 30 Holzmann et al. HGP92] observed that, for a section of a reachability graph that models transitions from concurrent machines performing independent actions, the outcome of all paths through that subgraph is the same. In this section of the graph, each machine performs a valid computation without violating any local ....

....on the reachability graph, corresponding to elements in the sleep set, do not need to be executed to achieve full transition and configuration coverage. Each node is labelled with its corresponding sleep set. There are several additional optimisations to reachability analysis, e.g. conflict sets [HGP92] Optimisations on standard reachability analysis could potentially be used to construct the combined FSM from a system of concurrent machines that could be used in testing. Alternatively, the reachability analysis could be used to generate initialisation sequences to move the system into a state ....

Gerard Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. IFIP Transactions CCommunication Systems, 8:349--363, 1992. 227

....when state s is expanded. Condition C3 duplicate forbids s in any ample set if s is not fully expanded. Hence, fff 1 g and fff 1 #ff 2 g are examples of not valid ample set. On the other hand, the set fff 2 g is not refuted. 3. 3 Ample Set Construction for Safety Properties The authors of [9] propose an approximation of the C3 condition that can be applied when checking safety properties. This condition is defined as follows: stack : If a state s is not fully expanded, then at least one transition in ample(s) does not lead to a state on the searchstack. Consider again the example ....

....C3 condition that together with C0 C3 is sufficient and necessary to guarantee a correct reduction for safety properties. If a transition ff is enabled in every state, then ff must be selected in the ample set of some of the states of the state space. This condition is implicitly defined in [9]. It is a relaxation of C3 that is only correctly applicable to the verification of safety properties, which is the focus of our approach. stack cannot be used with A , since cycles cannot be efficiently detected with this algorithm. Therefore, we propose an alternative condition in order to ....

[Article contains additional citation context not shown here]

G. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

....complicated. In fact, it has been shown to be at least as hard as checking reachability for the full state space. It is, however, usually over approximated by checking a stronger condition [3] that can be checked independently of the search algorithm. Condition C3 has been implicitly proposed in [11]. In the following we focus on this condition. We will see that the complexity of checking it depends on the search algorithm used. 3.3 Dynamically Checking C3 Checking C3 can be reduced to detecting cycles during the search. Cycles can easily be established in depth first search: Every cycle ....

....Consequently, avoiding ample sets containing only backward edges except when the state is fully expanded ensures satisfaction of C3 when using depth first search or IDA , since both methods perform a depth first traversal. The resulting stack based characterization C3 stack can be stated as follows[11]: Condition C3 stack : If a state s is not fully expanded, then at least one transition in ample(s) does not lead to a state on the search stack. The implementation of C3 stack for depth first search strategies marks each expanded state on the stack with an additional flag, so that stack ....

[Article contains additional citation context not shown here]

G. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

....when state s is expanded. Condition C3 duplicate forbids s 0 in any ample set if s is not fully expanded. Hence, fff 1 g and fff 1 ; ff 2 g are examples of not valid ample set. On the other hand, the set fff 2 g is not refuted. 3. 3 Ample Set Construction for Safety Properties The authors of [10] propose an approximation of the C3 condition that can be applied when checking safety properties. This condition is defined as follows: C3 Gamma stack : If a state s is not fully expanded, then at least one transition in ample(s) does not lead to a state on the search stack. Consider again ....

....that together with C0 C3 is sufficient and necessary to guarantee a correct reduction for safety properties. C3 Gamma : If a transition ff is enabled in every state, then ff must be selected in the ample set of some of the states of the state space. 9 This condition is implicitly defined in [10]. It is a relaxation of C3 that is only correctly applicable to the verification of safety properties, which is the focus of our approach. Condition C3 Gamma stack cannot be used with A , since cycles cannot be efficiently detected with this algorithm. Therefore, we propose an alternative ....

[Article contains additional citation context not shown here]

G. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

....the state space of a concurrent system is the state explosion, caused by the arbitrary interleaving of independent actions of the various components of the system. Several techniques have been developed to cope with this problem. Partial order reduction is a very prominent one (see, for example, [1, 7, 8, 11, 12, 18, 19, 20, 21, 22]) It exploits the independence of actions to reduce the state space of a system while preserving properties of interest. When generating a state space, in each state, a subset of the enabled actions satisfying certain criteria is chosen for further exploration. Following [12, 19] we call these ....

....in the state labeling of the LTS representing the state space of the system. Thus, at this point, the reason for including a set of boolean propositions and an accompanying state labeling in the definition of an LTS becomes apparent. For more details on the verification of local properties, see [7, 11, 20]. The third class of properties are those expressible in (next time free) Linear time Temporal Logic (LTL) Also LTL properties are formulated in terms of the propositions in an LTS. It is beyond the scope of this paper to give a formal definition of LTL; the interested reader is referred to ....

[Article contains additional citation context not shown here]

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage Preserving Reduction Strategies for Reachability Analysis. In R.J. Linn, Jr. and M. U. Uyar, eds, Protocol Specification, Testing and Verification, XII, p. 349--363. Elsevier, 1992.

....from its current location , etc. The aim of these algorithms is to obtain the smallest possible persistent sets. Usually, the more information about the program the algorithm uses, the smallest 6 the persistent set it produces are, albeit at the cost of a higher computational complexity. See [HGP92] for a brief comparison of several of these algorithms. Note that exploring the smallest number of enabled transitions at each step of the search is only a heuristic: it does not necessary lead to the exploration of the smallest number of states. The most elaborated technique for computing ....

....from the initial state. The problem illustrated above is sometimes referred to as the ignoring problem [Val91] the behavior of some processes (e.g. P 2 in the above example) can be completely ignored during a selective search. Various solutions have been proposed to solve this problem (e.g. [Val91, HGP92]) The idea is to enforce additional conditions during the search that ensures that the choices between enabled independent transitions is not completely unfair with respect to some processes. It can be shown that the reachability of a local state can be checked by such a fair selective ....

G. J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, June 1992. North-Holland.

....No PFPT exhaustive 409,257 34 Mbytes No bitstate 405,969 33.9 Mbytes Yes hashcompact 409,257 3. 6 Mbytes No For the first of these experiments, the DTP protocol from [HGP92] was first modified as follows. In the original version of the protocol there are 251,409 reachable states [HGP92] By doubling the number of slots in the message channels, the number of reachable states is increased to 427,567. For the second experiment, the number of reachable states is also ....

....405,969 33.9 Mbytes Yes hashcompact 409,257 3.6 Mbytes No For the first of these experiments, the DTP protocol from [HGP92] was first modified as follows. In the original version of the protocol there are 251,409 reachable states [HGP92]. By doubling the number of slots in the message channels, the number of reachable states is increased to 427,567. For the second experiment, the number of reachable states is also close to 450,000 states. The hashcompact test in each case consumed M = 3.6 Mbyte ( 28.8 Mbit) or approximately ....

Holzmann, G.J., Godefroid, P., and Pirottin, D. (1992) `Coverage preserving reduction strategies for reachability analysis,' Proc. 12th IFIP WG 6.1 Int. Workshop on Protocol Specification, Testing, and Verification , North-Holland Publ., Amsterdam, pp. 349-363.

No context found.

G.J. Holzmann, P. Godefroid, D. Pirottin, Coverage Preserving Reduction Strategies for Reachability Analysis, in Proc. 12th IFIP WG 6.1. International Symposium on Protocol Specification, Testing, and Validation, FORTE/PSTV '92, pp.349-363, North-Holland, 1992.

No context found.

G.J. Holzmann, P. Godefroid, D. Pirottin, CoveragePreservingReductionStrategies for Reachability Analysis, in Proc. 12th IFIP WG 6.1. International Symposium on Protocol Specification, Testing, and Validation, FORTE/PSTV '92, pp.349-363, North-Holland, 1992.

No context found.

Holzmann GJ, Godefroid P, Pirottin D (1992) Coverage preserving reduction strategies for reachability analysis. In: 12th international conference on protocol specification, testing, and verification (PSTV)

No context found.

G. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

No context found.

G. J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In 12th International Conference on Protocol Specification, Testing, and Verification, INWG/IFIP, 1992.

No context found.

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

No context found.

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage Preserving Reduction Strategies for Reachability Analysis. In R.J. Linn, Jr. and M. U. Uyar, eds, Protocol Specification, Testing and Verification, XII, p. 349--363. Elsevier, 1992.

No context found.

Gerard Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In InternationalSymposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, USA, June 1992.

No context found.

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage Preserving Reduction Strategies for Reachability Analysis. In 12-th International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, June 1992. North-Holland.

No context found.

Gerard Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In InternationalSymposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, USA, June 1992.

No context found.

Gerard Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, USA, June 1992.

No context found.

G. J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, June 1992. North-Holland.

No context found.

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

No context found.

G. J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th IFIP WG 6.1 International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, June 1992. North-Holland.

No context found.

G.J. Holzmann, P. Godefroid, and D. Pirottin. Coverage preserving reduction strategies for reachability analysis. In Proc. 12th Int. Conf on Protocol Specification, Testing, and Verification, INWG/IFIP, Orlando, Fl., June 1992.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC