| Formal Systems (Europe) Ltd. Failures-Divergence Refinement. FDR2 User Manual. Available at http://www.formal.demon.co.uk/fdr2manual/index.html, 3 May 2000. |
....the verification and assessment work package within MAFTIA employs non-automated proof and automated proof. The automated proof takes the form of model checking, where the models and specifications are described in the process algebra CSP [Hoare 1985, Roscoe 1998] and the model checker FDR [Formal Systems (Europe) Ltd] is used to help reason about them. 6.3.4 By degree of formality One can distinguish rigorous definitions and proofs in the sense of mathematics (where one can mix natural language and formulas quite freely) and formal ones in the sense of being restricted to a specific language with ....
Formal Systems (Europe) Ltd, "Failures-Divergences Refinement", http://www.formal.demon.co.uk/FDR2.html , (accessed: 17 October, 2000).
.... are used as correctness criterion, we remind: - the numerous studies of Schneider (e.g. see [28]) and the ones of Lowe (e.g. see [18]), who independently provided a theoretical foundation for the definition of security properties within the framework of the CSP process algebra, and who used the FDR model checker [19] to find unknown flaws in many commercial protocols; - the NRL compiler (e.g. see [20]) of Meadows, a special-purpose verification tool for the analysis of cryptographic protocols that checks security starting from an insecure state description and trying to reach an initial ....
Formal System (Europe) Ltd. Failures-Divergence Refinement, FDR2. 2000.
....texts including [HJ95]. 5. Is there tool support available for the method? There is tool support for CSP. 6. Is it possible to animate stages of the design? There does not appear to be any tool available for animation of CSP. 7. Is there support for proof? FDR [Ltd97] is a tool that supports model checking, or to be more exact state space exploration, of untimed CSP. For theorem proving there has been some work carried out by Dutertre and Schneider [DS97] and more recently by Brooke [Bro99] into translating CSP into the PVS [OSRSC98a, OSRSC98c, OSRSC98b] ....
Formal Systems (Europe) Ltd. Failures-Divergence Refinement. http://www.formal.demon.co.uk/, (Accessed October 1997), October 1997.
....given behaviors is verified; e.g. verify whether the labelled transition systems are related by a given transformation. At the semantic level, refinement has been defined for labelled transition systems [Jif89, GMM88], I/O automata [LT87, Bes91, LV91, LV93], and traces, failures and divergences [For93]. A common property of refinements in these models is their soundness with respect to trace set inclusion; that is, if there is a refinement from a detailed specification Imp to an abstract specification Spec, then the traces of Imp are a subset of the traces of Spec. A common assumption of ....
Formal Systems (Europe) Ltd, 3 Alfred Street, Oxford OX1 4EH, UK (Registered Office). Failures Divergence Refinement. User Manual and Tutorial, Version 1.2 rev.ffi edition, April 1993.
....tree according to the specified hierarchy. The occurrence of the highest threat means that the system has failed. In order to verify that the highest threat can never occur, all interleavings of all system components have to be examined. This can be achieved by using a model checker such as FDR (cf. [2]). In [6] this procedure has been used to verify that the safety requirements concerning the real-time protocol indicated in Sec. 3.1 hold. 5 The Driving Wizard The first application module using the safe interface of the black box delivered by the safety layer is the driving wizard. This ....
Formal Systems Ltd., Failures-Divergence Refinement, FDR2 User Manual, Oxford, 1997.
....for 1 The Espress project is a cooperation of industry and research institutes funded by the German Bundesministerium für Bildung, Wissenschaft, Forschung und Technologie. formal methods (such as the deduction system Isabelle [17] or the model checker FDR [6]) and specialized tools newly developed in the application context of Espress. Integration has to regard the following aspects: Data Integration. The various tools that are to be combined within the tool environment usually have their own proprietary data format. The tool environment should ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement, FDR2 User Manual, 1997.
....the resulting system can then be validated with the SMV model checker. We believe our approach is quite general, however. Elsewhere [23] we have applied it to the model checker SPIN [13] and its language Promela. We are also developing a feature construct for CSP [12] using the model checker FDR2 [10]. SMV is well suited to this approach for the following reasons: - The SMV language is designed and optimised for concurrent, reactive systems, such as the telephone system. - The SMV language is expressive yet compact. Its compactness means that the feature construct is compact too, and ....
Formal Systems (Europe) Ltd, Oxford, UK. Failures-Divergence Refinement, Oct 1997.
....command language, Murφ [14] with a guarded command language based on UNITY, and SMV [36] which uses a (binary decision diagram) symbolic model checking algorithm. Most model checkers employ a temporal logic for expressing properties. The CSP/FDR approach is distinctive in that it uses CSPM [31, 33, 16] for expressing both properties and models, it is compositional, and it uses effective compression techniques for state space reduction. CSP [18] models a system as a process which interacts with its environment by means of atomic events. Communication is synchronous: an event takes place ....
....behaviour, or an abstract property corresponding to a correctness constraint, such as deadlock or livelock freedom. A wide range of correctness conditions can be encoded as refinement checks between processes. Mechanical refinement checking is provided by Formal Systems' model checker, FDR [16]. FDR exhaustively checks that each transition fired by a single event of P is allowed by S (supplying counterexamples when checks fail), in contrast to symbolic model checking, analogous to the wp calculus, which produces logical proof obligations on data variables which must be proven to establish a ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement. User Manual and Tutorial, version 2.11.
....tools. Model checking based techniques do not directly handle unbounded state problems; however, this induction technique enables their use for certain classes of such applications, notably end-to-end protocols with arbitrary numbers of intermediate nodes. We illustrate the method using FDR [8, 23], a software package offered by Formal Systems (Europe) Ltd, which allows automatic checking of many properties of finite state systems and the interactive investigation of processes which fail these checks. The tool is based on the mathematical theory of Communicating Sequential Processes (CSP) ....
....process, which represents the specification in a form where the implementation can be checked against it by simple model checking techniques. When a refinement check fails, FDR provides the user with an illustrative counterexample. The definitive source book for CSP/FDR is found in [25]. CSPM [8, 25, 26] combines the CSP process algebra with an expression language inspired by languages like Miranda/Orwell and Haskell/Gofer and modified to support the idioms of CSP. Hereafter we shall simply refer to CSP. Unlike most packages of this type, FDR was specifically developed by Formal Systems for ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement. User Manual and Tutorial, version 2.11.
.... a number of semantic models (the choice of which is dictated by the power of the results which the user wishes to bring to bear on problems), and two of these (the traces model and the failures-divergences model) are described in the standard text on CSP [Hoa85]. A model checking tool (FDR [For92]) based on the latter has recently been implemented. The focus of the work in this thesis is on Z, which is in (relatively) widespread use for system specification, but for which deductive systems are still being explored. Spivey gave Z a detailed formal semantics [Spi88] after Z had already been ....
Formal Systems (Europe), Ltd. Failures divergence refinement, User Manual and Tutorial, 1992.
.... Specifications of the gate controller have been performed in the EVES prover of Odyssey Research [1], with SRI's PVS prover [18], and with the Modechart graphical language [11]. Heitmeyer et al. [10] report that solutions using CSP and Modecharts are underway, as well as a solution using the FDR tool [17]. A related but more complex problem involving the control of multiple trains has been specified by Wood [21] using the Z specification language [20]. A version of the multiple train problem has also been specified using Nqthm [19]. We accepted the challenge of formalizing the Leveson-Stolzy ....
Formal Systems (Europe) Ltd. Failure Divergence Refinement, User Manual and Tutorial. Formal Systems Ltd., Oxford, UK, 1992.
....is in the crossing. To solve the GRC problem, real-time researchers have applied a variety of formal methods, including process algebraic [9, 3, 1], event based [10] and logic based approaches [19, 11]. They have also used various mechanical proof systems, including PVS [18], EVES [11] and FDR [2], to formally analyze and verify their solutions. Reference [5] describes three early efforts to solve the GRC problem. This paper ....
Oxford Formal Systems (Europe) Ltd. Failure Divergence Refinement, user manual and tutorial, 1992.
....such as deduction based analysis, model checking, systematic testing, simulation, and more. Established CASE tools (such as Statemate [9]) shall be used in combination with the strength of existing tools for formal methods (such as the deduction system Isabelle [17] or the model checker FDR [6]) and specialized tools newly developed in the application context of Espress. Integration has to regard the following aspects: Data Integration. The various tools that are to be combined within the tool environment usually have their own proprietary data format. The tool environment should ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement, FDR2 User Manual, 1997.
....have also used various mechanical proof systems, including PVS [18], EVES [11] and FDR [2], to formally analyze and verify their solutions. Reference [5] describes three early efforts to solve the GRC problem. This paper describes a new solution of the GRC based on the Lynch-Vaandrager timed automaton model [16, 15] using invariant and simulation mapping techniques [12, 15, 14]. To ....
Oxford Formal Systems (Europe) Ltd. Failure Divergence Refinement, user manual and tutorial, 1992.
....as well as correctness of service delivery is a priority. This paper presents elements of formal models of networks which capture various properties of resource management and control flow schemes, of special relevance for high speed, multiservice networks. These models are analysed with FDR [FDR94,RGG95], a software package offered by Formal Systems (Europe) Ltd, which allows automatic checking of many properties of finite state systems and the interactive investigation of processes which fail these checks. It is based on the mathematical theory of Communicating Sequential Processes, developed at ....
....support is to prove that an implementation satisfies a variation of what is sometimes known as the COPY property, whereby a message is passed by a black box process from a specific sender to a specific receiver. Examples include the alternating bit, sliding window, and multiplexed switches [PS91, FDR94]. In all of these examples the black box connecting the sender to the receiver is refined by an implementation with a fixed number of subcomponents, each with a fixed interface (set of communication channels). An arbitrary network topology is modelled with action systems [But92] and extended in ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement. User Manual and Tutorial, version 1.4, 1994.
....explain an approach to decompose them into appropriate components. Then hybrid automata are introduced. Following the decompositional approach for hybrid systems, we develop a CSP model for hybrid automata, which is used to realize a workbench which includes existing tools like HYTECH [12], FDR [8] and VVT-RT [15] to provide specification, animation, debugging and testing facilities for hybrid systems. 2 Hybrid Systems: A Decompositional Approach Hybrid systems consist of discrete and continuous components. Usually, they are modelled as reactive systems, i.e. digital controllers ....
....used for several parts of HySC, a development environment for hybrid systems, which allows us to specify, transform, animate, implement and test hybrid systems (cf. [3]). The implementation combines tools like HYTECH (cf. [12]), a symbolic model checker for hybrid systems, FDR 1.42 (cf. [8]) for the untimed CSP parts, and MATLAB (cf. [14]) with its mathematical support. Further, it also includes a graphical user interface with a graph editor, both written in Tcl/Tk. HySC tries to include the ideas of well known programming workbenches and debuggers, still used in the programmer's ....
Formal Systems (Europe) Ltd. Failures Divergence Refinement, User Manual and Tutorial, Version 1.42 for Sun Sparc with Solaris 2, 1995.
....which can be generated with AUTOGRAPH (cf. [12]), a graphical display and editor system. Then, some transformations have to be done which are necessary for the other parts. The specified hybrid automaton can be translated into a CSP process. This process is used by the model checker FDR (cf. [4]) to do verification and to produce the transition graph representation for the process. The transition graph itself is the basis for the animation, where the hybrid automaton can be executed by traversing its corresponding transition graph. Finally, the transition graph is also used for the test of a ....
Formal Systems (Europe) Ltd. Failures-Divergence Refinement, FDR 2, Preliminary Manual, 1995.
....[11] and FDR [2], to formally analyze and verify their solutions. Reference [5] describes three early efforts to solve the GRC problem. This paper describes a new solution of the GRC based on the Lynch-Vaandrager timed automaton model [16, 15] using invariant and simulation mapping techniques [12, 15, 14]. To ....
Oxford Formal Systems (Europe) Ltd. Failure Divergence Refinement, user manual and tutorial, 1992.
Formal Systems (Europe) Ltd. Failures-Divergence Refinement. FDR2 User Manual. Available at http://www.formal.demon.co.uk/fdr2manual/index.html, 3 May 2000.
Formal Systems (Europe) Ltd., Failures Divergence Refinement, User Manual and Tutorial, 1992.
CiteSeer.IST - Copyright Penn State and NEC