Dams D, Gerth R, Grumberg O (1997) Abstract interpretation of reactive systems. ACM Trans programming lang syst 19(2):253--291


This paper is cited in the following contexts:
Structure-Preserving Binary Relations for Program Abstraction - Schmidt (2002)   (1 citation)

.... a homomorphism onto the monotone Kripke structure, A IC = ⟨A; A; IA⟩: A = IC(C) A = {a A IC(c); a IC(c)} IA(a) a As suggested earlier, we use the range of IC as the states for the abstract structure; the definition can be proved to be complete for state set, IC(C) [8, 12]. The formalization of complete must wait until the section on Galois connections, where needed technical machinery is provided. Standard uses of homomorphisms to relate concrete and abstract structures can be found in papers by Clarke, Grumberg, and Long [5] and Clarke, et al. [2] among ....

....must respect the labels: c R a c implies that a a . Thus, properties that hold true for all paths starting at a also hold true for all paths starting at c. This supports sound verification of LTL and ACTL coded properties of temporal logic on the abstract Kripke structure [4, 12, 34, 37]. A left-total simulation ensures that every state in the concrete structure can be modelled in the abstract structure. Right totality ensures that there are no superfluous abstract states. Simulations play a crucial role in equivalence proofs of interpreters [20]. Each execution step of ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253-291, 1997.


From Trace Sets to Modal-Transition Systems by Stepwise Abstract.. - Schmidt (2001)   (1 citation)

....fixed point depends crucially on the absence of negation, which is antimonotonic on the complete lattice, P(M). For this reason, LMC allows negations on atomic propositions only. For the denotations of atomic propositions, we demand the following consistency property for the interpretation map, I [14]: for all s ∈ Σ, for all p ∈ AtomProp, {p; ¬p} ⊈ I(s). We can also demand completeness of I: for all s ∈ Σ and p ∈ AtomProp, either p ∈ I(s) or ¬p ∈ I(s). ∈ Env P(M) where ρ ∈ Env = Var P(M) ρ = { ∈ M | p ∈ I( 0)} ρ = { ∈ M | ¬p ∈ I( 0)} where and : P(M) ....

....M↓s = { ∈ M | (0) s}. Two commonly used notions are ∀φ iff ⊨ φ for all ∈ M↓s; ∃φ iff there exists ∈ M↓s and ⊨ . We say that φ universally holds at s if s ⊨ ∀φ, and φ existentially holds at s if s ⊨ ∃φ. Further, we have these forms of properties, for φ ∈ LMC [14]: universal safety: s ⊨ universal liveness: s ⊨ existential safety: s ⊨ existential liveness: s ⊨ Of course, to make the check effective, we require a finite representation of . This issue is addressed shortly in the guise of a (finite-)state transition system that generates all ....

[Article contains additional citation context not shown here]

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253--291, 1997.


Binary Relations for Abstraction and Refinement - Schmidt

....In the case that R reflects properties, we expect a similar reflection result for c ∈ Σ_C, a ∈ Σ_A, and φ ∈ L_Atom: where c ⊨ φ denotes that φ holds true for (the transition sequences that begin at) c. This notion is formalized in the next section. This is called weak preservation [12,13,31]. And, when R preserves properties, we demand the dual: or, more tellingly expressed in the contrapositive, When a temporal logic possesses both weak preservation and the above preservation property, this is called strong preservation [12,13,31]. The remainder of this paper is devoted ....

....section. This is called weak preservation [12,13,31]. And, when R preserves properties, we demand the dual: or, more tellingly expressed in the contrapositive, When a temporal logic possesses both weak preservation and the above preservation property, this is called strong preservation [12,13,31]. The remainder of this paper is devoted to understanding the forms of temporal logic that reflect and preserve propositions in the presence of simulations. 5 Temporal Logics. As noted by Emerson in his excellent survey [16], temporal logic is a variant of modal logic for expressing the ....

[Article contains additional citation context not shown here]

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253--291, 1997.


Algebraic Abstractions - Bidoit, al. (2001)

....2 It is easy to see that this property may not hold for our simplified protocol in presence of malicious intruders. 3 Nonces are random numbers incorporated into messages in order to avoid replay attacks. 2 A standard approach to overcome this problem is the use of abstraction techniques (see [6, 9, 8]) in order to reduce the infinite system modeling the cryptographic protocol into a finite (or into a still infinite, but simpler) one. The use of abstraction techniques is summarized by the following diagram: [diagram: the model M and its abstraction M_a with their satisfaction relations ⊨ and ⊨_a] Here, given a model M and a property , we ....

.... is in is the same as is in Recall that (n) is in (l) n is in l then pred is in : Nat List ∀x : Nat; l : List x is in l ⇔ x is in l x = 0 ⇒ Remark 1. Related ideas (duplicating predicate symbols) have been used in some works on abstractions for reactive systems [9, 6, 12], using automata and some kind of temporal logic. Let us stress that here, due to the crucial role of the messages exchanged in a cryptographic protocol, it seems more convenient to model a cryptographic protocol by a first order structure in order to obtain a uniform framework for modeling both ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. In ACM Transactions on Programming Languages ans Systems, volume 19, 1997.


On Reachability And Safety In Infinite-State Systems - Ibarra, Bultan, Su

....for modeling reactive systems. However, due to their limited expressiveness, finite state models are not suitable for specifying most infinite state systems. To overcome this limitation researchers have used 1. abstraction techniques to generate finite state abstractions of infinite state systems [2, 3, 4], 2. semi decision procedures which prove or disprove a property if they converge, but are not guaranteed to converge [5, 6] and 3. conservative approximation techniques which are guaranteed to converge but may not always return a definite answer [7, 8]. Another promising approach for ....

D. Dams, R. Gerth, and O. Grumberg, "Abstract interpretation of reactive systems," ACM Trans. on Programming Languages and Systems, 19(2) (1997) 253--291.


Incompleteness, Counterexamples and Refinements in Abstract.. - Giacobazzi, al.

....Abstract Interpretation, Domain Refinement, Program Analysis. 1 Introduction Many authors recognized in the possibility of modifying abstract models by modifying abstractions a great potential for improving abstract model checking in precision and reducing complexity (e.g. see Section 9 in [10]), but few applications of these techniques are known in the field of model checking. In this paper we observe that there exists a strong connection between the standard notion of complete abstract interpretation [6, 7, 14] and the corresponding one for abstract model checking [10, 2] and we show ....

....see Section 9 in [10]) but few applications of these techniques are known in the field of model checking. In this paper we observe that there exists a strong connection between the standard notion of complete abstract interpretation [6, 7, 14] and the corresponding one for abstract model checking [10, 2], and we show how the latter one can be achieved by minimally modifying abstract domains. Completeness in abstract interpretation corresponds to require that no loss of precision is introduced by approximating a semantic function computed on abstract objects with respect to approximating the same ....

[Article contains additional citation context not shown here]

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Program. Lang. Syst., 19(2):253-291, 1997.


Software Model Checking - Holzmann (2000)   (1 citation)

....V. Call M the function that maps values from the concrete domain V to an abstract domain A, i.e. vV , M(v)A. A requirement on the validity of the abstraction is that we can define a reverse function R that lifts abstract values back into the concrete domain, in such a way that [CW00] [CC76] [DGG97]: vV , vR(M(v)); mA , mM(R(m)), i.e. such that M and A form a Galois connection. The relations are illustrated in Figure 17. [Fig. 17: Abstraction and Concretization.] These relations hold for the sample abstraction mapping from the integer ....

D. Dams, R. Gerth, and O. Grumberg, Abstract interpretation of reactive systems, ACM Trans. on Programming Languages and Systems, Vol. 2, No. 19, pp. 253-291, March 1997.


Towards a Discipline of System Engineering.. - Bondavalli.. (1998)

....context of process algebra and automata theory, like bisimulation and its quantitative extensions, can be useful for formally dealing with such abstractions. Additionally, proper techniques, like abstract interpretation, may be of great help [Bruns 1993; Clarke et al. 1994; Cousot and Cousot 1999; Dams et al. 1997]. The problem of relating different views of the same system has been addressed also in the work done about the formalization of consistency between different viewpoints of the Open Distributed Processing computational model [Bowman et al. 1996] ....

D. Dams, O. Grumberg and R. Gerth, "Abstract Interpretation of Reactive Systems.," ACM Toplas, vol. 19, no. 2, pp.253-291, 1997.


On Interpreting Results of Model-Checking with Abstraction - Chechik (2000)   (3 citations)

....model if and only if they hold in the original one [Clarke et al. 1994]: M ⊨ P iff M ⊨ P. Such an abstraction is called strong property preserving. However, such an assurance is difficult to obtain: a different abstraction has to be built for each class of properties under analysis [Dams et al. 1997], and often theorem proving needs to be used to ensure that the abstraction is built correctly [Rushby, 1999]. Therefore, most of the time the users cannot trust some of the answers received from the model checker (and are not sure which answers to trust and which not to). Since model checking ....

....approximate backward, approximate forward and reachability analysis, this approach, if it converges, is strong property preserving. However, the procedure is partial, with the convergence dependent on the structure of the program and the formula to be verified. Dams [Dams et al. 1994, Dams et al. 1997] demonstrated how to abstract reactive systems so that the abstracted transition systems preserve certain forms of combined safety liveness properties. The properties are specified using a version of calculus [Kozen, 1983] which can express safety, liveness and fairness properties of real time ....

Dams, D., Gerth, R., and Grumberg, O. (1997). "Abstract Interpretation of Reactive Systems". ACM Transactions on Programming Languages and Systems, 2(19):253--291.


On the Completeness of Model Checking - Ranzato (2001)   (2 citations)

....informative, refinement of the state based model checking semantics of the x calculus which is complete w.r.t. the trace based semantics, and this turns out to be essentially the trace based semantics itself. Cousot and Cousot [6, Section 14] also showed that standard abstract model checking [2, 3, 7, 10] using a surjective mapping from concrete states to a set of abstract states can be understood as a further step of abstraction over the state-based model checking semantics. Analogously to what has been studied in this paper, this opens the question of minimally refining abstract model checking in ....

D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems. ACM TOPLAS, 16(5):1512-1542, 1997.


Refining Model Checking by Abstract Interpretation - Cousot, Cousot (1999)   (5 citations)

....Both model checking and abstract interpretation have benefited from mutual cross fertilization. In particular model checking can now consider infinite state systems whereas in abstract interpretation it is common to consider properties significantly more complex than safety invariance (see e.g. (Dams et al. 1997, Dill and Wong Toi, 1995, Fernandez, 1993, Halbwachs, 1994) and (Steffen, 1991)). We would like to consider further combinations of abstract interpretation and universal safety model checking. Reduction by abstraction consists in approximating infinite or very large finite ....

....or very large finite transition systems by finite ones, on which existing algorithms designed for finite automata are directly applicable. This semi verification idea was first introduced by (Clarke et al. 1992) and progressively refined to cope with wider classes of temporal logic (Kelb, 1994, Dams et al. 1997, Cleaveland et al. 1995) or calculus formulae (Graf and Loiseaux, 1993, Loiseaux et al. 1995, Cridlig, 1995, Cridlig, 1996). We extend this to abstract transition systems which are infinite. The algorithms designed for universal safety analysis of finite transition systems can be simply extended ....

[Article contains additional citation context not shown here]

Dams, D., Gerth, R., and Grumberg, O. 1997. Abstract interpretation of reactive systems. Trans. Prog. Lang.


Concurrent Constraint Programming: Towards Probabilistic.. - Di Pierro, Wiklicky (2000)

....this happens then the abstract interpretation is complete. Unlike the correctness condition, completeness is not an essential requirement, but rather an ideal situation which does not occur very often in practice. In the literature it is often also referred to as exactness [8] or optimality [13]. Completeness means for an abstract interpretation that in the above relations for correctness the equality holds, so that the abstraction results in no loss of information. It is a dual notion to correctness; in particular fixpoint completeness is dual to fixpoint correctness and is expressed by ....

D. Dams, R. Gerth, and O. Grumberg. Abstract Interpretations of Reactive Systems. ACM Trans. Program. Lang. Syst., 19(2):253-291, 1997.


Verification by Augmented Finitary Abstraction - Kesten, Pnueli (1999)   (3 citations)

....formula = C(Ψ). The concretization is such that α Γ ( Ψ. The survey in [CGL96] considers an even simpler case in which the abstraction does not concern the variables on which the property depends. Consequently, this is the case in which α = . A more elaborate study in [DGG97] considers a more complex specification language L, which is a positive version of the calculus. None of these three articles considers explicitly the question of fairness requirements and how they are affected by the abstraction process. Approaches based on simulation and studies of the ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Prog. Lang. Sys., 19(2), 1997.


Modularization and Abstraction: The Keys to Practical Formal.. - Kesten, Pnueli (1998)   (13 citations)

....formula = C(Ψ). The concretization is such that M α ∀ ( Ψ. The survey in [CGL96] considers an even simpler case in which the abstraction does not concern the variables on which the property depends. Consequently, this is the case in which α = . A more elaborate study in [DGG97] considers a more complex specification language L, which is a positive version of the calculus. None of these three articles considers explicitly the question of fairness requirements and how they are affected by the abstraction process. Approaches based on simulation and studies of the ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Prog. Lang. Sys., 19(2), 1997.


Fair Model Checking of Abstractions (Extended Abstract) - Dams, al.

....systems under fairness constraints needs to be done with some care. This paper discusses why and how. 1 Introduction This section introduces the concepts of abstraction in model checking and fairness at an informal level and presents a motivating example. For technical definitions, we refer to [3, 2] and [6, 9]. 1.1 Abstraction Figure 1 shows a (concrete) transition system consisting of states s_i (s_1 and s_2 are initial) and transitions (thin arrows). Superimposed on it is an abstraction. Each abstract state represents a set of concrete states, indicated by drawing each abstract ....

....some state along , p has value true. This does not hold for the abstract system of Figure 1, because indeed there does exist such a free path , namely a_1; a_3; a_3; 4 Discussion We have extended the framework of model checking over abstractions of transition systems as developed in [2, 3], to systems with fairness constraints specified external to the correctness formula. The practical relevance of this result is that it allows to incorporate formal abstraction into model checkers that treat fairness algorithmically. Technically, the interpretation of temporal logic over abstract ....

Dennis Dams, Orna Grumberg, and Rob Gerth. Abstract interpretation of reactive systems:


Making Abstract Interpretations Complete - Giacobazzi, Ranzato (1997)   (17 citations)

.... static program analyses, and in recent years has increasingly gained popularity as a general methodology for describing and formalizing approximate computations in many different areas of computer science, like for instance in theorem proving [Plaisted 1981] model checking [Clarke et al. 1994; Dams et al. 1997; Loiseaux et al. 1995] verification of distributed memory systems [Graf 1997] type inference [Cousot 1997b] constraint solving [Caseau 1991] query optimization [Helm et al. 1995] and comparative semantics [Comini and Levi 1994; Cousot and Cousot 1992c; Cousot 1997a; Giacobazzi 1996] The ....

....completeness. For instance: Cousot [1997b, Section 12], Cousot [1997a, Section 12] and Clarke et al. [1994, Section 4.3] call exactness our notion of (nonfull) completeness; Steffen [1989, Section 3.1] uses instead the term full abstraction; Comini and Levi [1994] use the term precision; while Dams et al. [1997, Section 4] use the term optimality for the same notion. We follow Cousot and Cousot [1994], Mycroft [1993], Reddy and Kamin [1992] and Sekar et al. [1997] by using the term completeness, which is more typically used in contrast to the well established notion of soundness. 2 rule of signs ....

[Article contains additional citation context not shown here]

Dams, D., Gerth, R., and Grumberg, O. 1997. Abstract interpretation of reactive systems. ACM Trans.


Binary Relations for Abstraction and Refinement - Schmidt (2000)

....we expect a similar reflection result for c ∈ Σ_C, a ∈ Σ_A, and φ ∈ L_Atom: c R a and a ⊨ φ imply c ⊨ φ, where c ⊨ φ denotes that φ holds true for (the transition sequences that begin at) c. This notion is formalized in the next section. This is called weak preservation [12,13,31]. And, when R preserves properties, we demand the dual: c R a and c ⊨ φ imply a ⊨ φ, or, more tellingly expressed in the contrapositive, c R a and a ⊭ φ imply c ⊭ φ. When a temporal logic possesses both weak preservation and the above preservation property, this is called strong ....

.... when R preserves properties, we demand the dual: c R a and c ⊨ φ imply a ⊨ φ, or, more tellingly expressed in the contrapositive, c R a and a ⊭ φ imply c ⊭ φ. When a temporal logic possesses both weak preservation and the above preservation property, this is called strong preservation [12,13,31]. The remainder of this paper is devoted to understanding the forms of temporal logic that reflect and preserve propositions in the presence of simulations. 5 Temporal Logics. As noted by Emerson in his excellent survey [16], temporal logic is a variant of modal logic for expressing the ....

[Article contains additional citation context not shown here]

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253--291, 1997.


Improvements of BASL and ABPS 1.1 Sets of tokens as results of .. - Allow Sets Of

....otherwise, abstractions may not be safe (write safety requirements for methods that are not synchronized). Abstraction function may be used in the abstraction of new. We need translation from JAVA to PVS. 3 Library of Abstractions 3.1 Abstractions for Integers. • even/odd ([3], [4]) • congruence modulo an integer ([3]) • representation by logarithm ([3]) h(i) lg i (used for multiplier overflow in [3]) • single bit ([3]) h(i) j-th bit of i, where h is the abstraction function. • product abstraction ([3]) h(i) h1(i) h2(i) • symbolic abstractions ....

D.Dams, R.Gerth, O.Grumberg. Abstract Interpretation of Reactive Systems.


On Interpreting Results of Model-Checking with Abstraction - Chechik (2000)   (3 citations)

....hold on the abstracted model if and only if they hold in the original one [7]: M ⊨ P iff M ⊨ P. Such an abstraction is called strong property preserving. However, such an assurance is difficult to obtain: a different abstraction has to be built for each class of properties under analysis [14], and often theorem proving needs to be used to ensure that the abstraction is built correctly [31]. Since model checking enables people without extensive training in formal methods to do verification effectively, it is essential that we provide computer support to enable users to correctly ....

....exact backward, exact forward, approximate backward, approximate forward and reachability analysis, this approach, if it converges, is strong property preserving. However, the procedure is partial, with the convergence dependent on the structure of the program and the formula to be verified. Dams [14] demonstrated how to abstract reactive systems so that the abstracted transition systems preserve certain forms of combined safety liveness properties. The properties are specified using L [28] which is a modal calculus that can express safety, liveness and fairness properties of real time ....

D. Dams, R. Gerth, and O. Grumberg. "Abstract Interpretation of Reactive Systems". ACM Transactions on Programming Languages and Systems, 2(19):253--291, March 1997.


Reachability Analysis for Some Models of Infinite-State.. - Ibarra, Bultan, Su (2000)   (3 citations)

....for modeling reactive systems. However, due to their limited expressiveness, finite-state models are not suitable for specifying most infinite state systems. To overcome this limitation researchers have used 1) abstraction techniques to generate finite state abstractions of infinite state systems [DF95,DGG97,BLO98], 2) semi decision procedures which prove or disprove a property if they converge, but are not guaranteed to converge [BG96,WB98] or 3) conservative approximation techniques which are guaranteed to converge but may not always return ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. on Programming Languages and Systems, 19(2):253-291, March 1997.


Verification of Control Flow Based Security Properties - Jensen, Métayer, Thorn   (16 citations)

....the possible transitions). These permit to obtain a safe checking algorithm for CTL formulae by using the liberal relation when checking universal path properties and the conservative relation when verifying existential properties. The same idea underlies the work of Dams, Gerth and Grumberg [7] that present an abstract interpretation based framework for reducing transition systems while preserving validity of the full mu calculus. The main departure of our approach with respect to this second approach is that we do not perform any abstraction to transform an infinite system into a ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. on Prog. Lang. and Systems, 19:253--291, 1997.


Control and Data Abstraction: The Cornerstones of Practical.. - Kesten, Pnueli (2000)   (7 citations)

....formula = C(Ψ). The concretization is such that α Γ ( Ψ. The survey in [8] considers an even simpler case in which the abstraction does not concern the variables on which the property depends. Consequently, this is the case in which α = . A more elaborate study in [11] considers a more complex specification language L, which is a positive version of the calculus. None of these three articles considers explicitly the question of fairness requirements and how they are affected by the abstraction process. Approaches based on simulation and studies of the ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Prog. Lang. Sys., 19(2), 1997.


Lightweight Reasoning About Program Correctness - Chechik, Ding (2000)   (1 citation)

.... either automatically or by hand [16]. And, although it is highly desirable that properties hold on the abstracted model if and only if they hold in the original model [6], such assurance is difficult to obtain: a different abstraction has to be built for each class of properties under analysis [9]. Given a large number of available verification techniques and a potential complexity and expense of their application and interpretation of results, we propose a layered approach to automatic verification, depicted in Figure 1. Given a system S and a property P, we would like to know if P ....

....explored by several researchers. In particular, Jackson [17] proposed a model checking method to analyze infinite specifications expressed in Z or VDM. His approach defines an abstract state space where each abstract state represents a (possibly infinite) equivalence class of concrete states. Dams [9] demonstrated how to abstract reactive systems, so that the abstracted transition systems preserve certain forms of combined safety liveness properties. Pardo [24] built the abstract and the concrete models of the system and conservatively verified properties expressed in calculus on the ....

[Article contains additional citation context not shown here]

D. Dams, R. Gerth, and O. Grumberg. "Abstract Interpretation of Reactive Systems". ACM Transactions on Programming Languages and Systems, 2(19):253--291, March 1997.


Verifying Liveness by Augmented Abstraction - Kesten, Pnueli (1999)

....automata with Büchi acceptance conditions. • Establishing completeness of the vaa method. 1.1 Related Work There has been an extensive study of the use of data abstraction techniques, mostly based on the notions of abstract interpretation (a partial list: [CC77], [CH78], [CGL94], [CGL96], [DGG97]). Most of the previous work was done in a branching context which complicates the problem if one wishes to preserve both existential and universal properties. None of these articles considers explicitly the question of fairness requirements and how they are affected by the abstraction process. ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Prog. Lang. Sys., 19(2), 1997.


Verification by Augmented Abstraction: The.. - Kesten, Pnueli, Vardi (2000)   (3 citations)

....different methodologies for abstracting the system and the properties specified in these logics. There has been an extensive study of the use of data abstraction techniques in these frameworks, mostly based on the notions of abstract interpretation ([CC77, CH78]). See for example [CGL94, CGL96, DGG97, LGS 95, BBM95]. All of these methods are only applied for the verification of safety properties. Liveness, and therefore fairness, are not considered. A deductive methodology for proving temporal properties over infinite state systems is presented in [MP91a]. The methodology is based on a set ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. Prog. Lang. Sys., 19(2), 1997.



General Decidability Theorems for Infinite-State Systems - Abdulla, Cerans, Jonsson.. (1996)   (41 citations)

....that we show, for well structured systems, that our abstraction is exact for the analysis of the above problems. Related Work The idea of verifying a system by analyzing a property for an abstraction or simpler approximation of the system has been considered by several authors [CGL92, LGS 95, DGG94]. These works present conditions such that if the property is satisfied by the abstract programs then it will be satisfied by the original program. Sufficient conditions are given for an abstraction to preserve e.g. the branching time logic CTL or fragments thereof. However, these works do not ....

D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems:


Computing Abstractions of Infinite State Systems.. - Bensalem, Lakhnech, Owre (1998)   (69 citations)

....hand, verification by abstraction appears to be promising for reasoning about control intensive protocols in which control is finite but the data part is infinite or very large. The use of abstraction techniques to model check finite state reactive systems is by now a well established approach [4, 21, 9, 19, 20, 6, 18]. There are methods tools that compute an abstract system from the text of a finite state program and an abstraction relation [4, 8, 13, 7, 10]. It should be realized that it is important to avoid the construction of the concrete model which represents the semantics of the considered program ....

....which agrees with α on the old abstract variables. Then, all transitions which have been eliminated during the generation of S_a need not be considered for the construction of an abstraction of S with respect to α'. Furthermore, it is worth mentioning that, by the preservation results of [9, 20], one can use our method to compute a finite abstract system that can be used to verify every temporal property that does not include an existential quantification over computation paths. Though our method is based on a rather simple mathematical background, we view it as practically important. ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems:


Refining Model Checking by Abstract Interpretation - Cousot, Cousot (1999)   (5 citations)  (Correct)

....Both model checking and abstract interpretation have benefited from mutual cross fertilization. In particular model checking can now consider infinite state systems whereas in abstract interpretation it is common to consider properties significantly more complex than safety invariance (see e.g. (Dams et al. 1997, Dill and Wong Toi, 1995, Fernandez, 1993, Halbwachs, 1994) and (Steffen, 1991) We would like to consider further combinations of abstract interpretation and universal safety model checking. 70 COUSOT AND COUSOT Reduction by abstraction consists in approximating infinite or very large finite ....

....or very large finite transition systems by finite ones, on which existing algorithms designed for finite automata are directly applicable. This semi-verification idea was first introduced by (Clarke et al. 1992) and progressively refined to cope with wider classes of temporal logic (Kelb, 1994, Dams et al. 1997, Cleaveland et al. 1995) or calculus formulae (Graf and Loiseaux, 1993, Loiseaux et al. 1995, Cridlig, 1995, Cridlig, 1996). We extend this to abstract transition systems which are infinite. The algorithms designed for universal safety analysis of finite transition systems can be simply ....

[Article contains additional citation context not shown here]

Dams, D., Gerth, R., and Grumberg, O. 1997. Abstract interpretation of reactive systems. Trans. Prog. Lang.


Limiting State Explosion with Filter-Based Refinement - Dwyer, Schmidt (1997)   (2 citations)  (Correct)

.... [Figure 5: Representations of stability property] .... property that every abstract execution trace safely simulates a set of corresponding concrete execution traces [4, 8, 9, 15]. Regardless of how this property is formally defined, we assume that the following concretization property is maintained: for P ∈ Program, d ∈ Store, and their concrete execution trace, t_C(P, d), we have that t_C(P, d) ∈ γ_AbsTrace(t_A(P, a)) where a ∈ AbsStore, d ∈ γ_AbsStore(a) and ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253--291, 1997.


Partial Evaluation of Higher-Order Natural-Semantics Derivations - Ibraheem, Schmidt (1997)   (Correct)

.... for these efforts are twofold: • We desire a semantically sound and general technique for exposing the semantic control flow graph of a program, much like that employed by Gallagher and Lafave [11], so that static analysis (especially abstract interpretation [4, 5, 16, 24] and model checking [2, 6, 9]) can be conducted on top of the resulting graph. • We desire a foolproof methodology for incremental static analysis, along the lines of Codish, Debray, and Giacobazzi [3], where incomplete or modular programs can be analyzed as best as possible, and the residuals of the partially analyzed ....

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM TOPLAS, 19:253--291, 1997.


Generating Finite-State Abstractions of Reactive Systems using .. - Colon, Uribe (1998)   (23 citations)  (Correct)

....In contrast, our approach is to transform a concrete system into a property-preserving abstract system automatically, obviating the need to prove property preservation for an abstraction given a priori. Approaches based on abstract interpretation [CC77] are presented in, e.g., [CGL94, Dam96, DGG97]. Much of this work is specialized to the case of finite-state systems. We include some simple fairness considerations, a special case of those in the verification rules of [KMP94], which do not appear in most work on abstract interpretation. Other work uses abstractions that are more explicitly ....

D.R. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Transactions on Prog. Lang. and Systems, 19(2):253--291, 1997.


Model Checking Complete Requirements Specifications Using.. - Bharadwaj, Heitmeyer (1999)   (25 citations)  Self-citation (Checking)   (Correct)

....and a simulator for symbolically executing the specification to ensure that it captures the specifier's intent. Recently, we added a model checking capability to the toolset. Once an SCR requirements specification is developed and refined using our tools, the user can invoke the explicit-state model checker Spin (Holzmann, 1997) within the toolset to analyze the specification for application properties. To make model checking feasible, the user can apply our abstraction methods to the specification prior to invoking Spin. Recently, the practical utility of the SCR methods and tools for detecting errors in software ....

Dams, D. and Gerth, R. 1997. Abstract interpretation of reactive systems. ACM Trans. on Prog. Lang. and Systems, pages 111--149.


Formal Aspects of Computing A generalized semantics of.. - Gallardo, Merino, al. (2004)   (Correct)

No context found.

Dams D, Gerth R, Grumberg O (1997) Abstract interpretation of reactive systems. ACM Trans programming lang syst 19(2):253--291


Math. Struct. in Comp. Science (2004), vol. 14, pp.. - Cambridge University Press   (Correct)

No context found.

Dams, D., Gerth, R. and Grumberg, O. (1997) Abstract interpretation of reactive systems. ACM Transactions on Programming Languages and Systems 19 (2) 253--291.


Partial-Order Reduction and Trail Improvement in.. - Edelkamp.. (2004)   (2 citations)  (Correct)

No context found.

Dams D, Gerth R, Grumberg O (1997) Abstract interpretation of reactive systems. ACM Trans Programm Lang Sys 19(2):111--149


Analyse Statique De Programmes : Fondements Et Applications - Jensen (1999)   (Correct)

No context found.

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Trans. on Prog. Lang. and Systems, 19:253--291, 1997.


Model Checking - Merz (2000)   (Correct)

No context found.

Dennis Dams, Orna Grumberg, and Rob Gerth. Abstract interpretation of reactive systems:


Verifying Universal Properties of Parameterized Networks - Baukus, Lakhnech, Stahl (2000)   (3 citations)  (Correct)

No context found.

D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems:
