36 citations found.
Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


This paper is cited in the following contexts:


Systematic Software Testing using VeriSoft: An Analysis of.. - Godefroid, Hanmer (1998)   (2 citations)  (Correct)

....is a directed graph that represents the combined behavior of all concurrent components in the system. For software systems, existing state space exploration tools are restricted to the exploration of the state space of an abstract description of the system, specified in a modeling language (e.g. [HK90, Hol91, DDHY92, FGM 92, CPS93, McM93]). Several very complex examples of concurrent systems (e.g. communication protocols) have been modeled and then analyzed using such tools. In many cases, these analyses were able to reveal quite subtle design errors (e.g. [Rud92, CGH 93, BG96]) ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Towards Hybrid Interface Specification for Virtual Environments - Massink, Duke, Smith (1999)   (2 citations)  (Correct)

....[1, 5, 11] and hybrid high level Petri Nets [28, 27] All of these languages have a formal semantics. Specifications written in such a language would therefore be amenable to mathematical analysis. This analysis can in some cases be supported by automatic verification such as model checking [2, 19, 4, 10]. A formal model can only be developed when sufficiently detailed information is available. The descriptions of user interface techniques in the VE literature are often insufficient from this point of view. One of the aims of this paper is to investigate whether formalisms for the description of ....

Z. Har'El and R. Kurshan. Software for analytical development of communications protocols. AT&T Bell Lab. Tech. J., 69(1 (Jan.-Feb.)), 1990.


Model Checking Electronic Commerce Protocols - Heintze, Tygar, Wing, Wong (1996)   (56 citations)  (Correct)

....the property. In reality, for atomicity properties, we need the failure refinement, which extends the trace refinement to handle non determinism. Model checking is a demonstrated success in hardware verification. Researchers and industrialists have used checkers like SMV [17] Murphi [6] COSPAN [9] and SPIN [11] to find bugs in published circuit designs, floating point standards, and cache coherence protocols for multiprocessors. It has been adopted by the hardware community to complement the traditional validation method of hardware simulation. Model checking has also recently gained the ....

Zvi Har'El and Robert P. Kurshan. Software for analytical development of communications protocols. In AT&T Technical Journal, pages 45--60, January/February 1990.


Verification Tools for Finite-State Concurrent Systems - Clarke, Grumberg, Long (1993)   (99 citations)  (Correct)

....formulas. In spite of these limitations, model checking systems were used successfully to find previously unknown errors in several published circuit designs. Alternative techniques for verifying concurrent systems were proposed by a number of other researchers. The approach developed by Kurshan [48, 52] was based on checking inclusion between two automata. The first machine represented the system that was being verified; the second represented its specification. Automata on infinite tapes ( automata) were used in order to handle fairness. Pnueli and Lichtenstein [56] reanalyzed the complexity ....

.... form $(p, q, r)$. Thus, a state $(p, q)$ in $M$ satisfies $E f$ if and only if there exists $r$ such that $(p, q, r) \in V$ and $(p, r) \in sat(f)$. 10 Checking language containment. An alternative technique for verifying finite state systems is based on showing language inclusion between finite automata [48, 52, 77]. We model the system to be verified by an automaton $K_{sys}$. The specification to be checked is given by a second automaton $K_{spec}$. The system will satisfy its specification if the language accepted by $K_{sys}$ is contained in the language accepted by $K_{spec}$, i.e. $L(K_{sys}) \subseteq L(K_{spec})$. In ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45--59, Jan.--Feb. 1990.


Specification and Validation of Control Intensive ICs in hopCP - Akella, Gopalakrishnan (1994)   (1 citation)  (Correct)

....systems has a lot in common with the specification and verification of concurrent software systems. Several verification techniques for concurrent software have been widely studied [7] Research prototypes embodying some of these techniques (such as the Concurrency Workbench [12] and COSPAN [21]) are also available. In addition, formalisms such as trace theory [13] and Temporal Logic [30] have been applied for the verification of speed independent asynchronous circuits [14] as well as for verifying concurrent protocols such as cache coherence protocols. These tools have also been used by ....

....of the USART in the CFSIM environment has the effect of connecting an 8251 to a modem and a microprocessor and switching on the power quite realistically. It is interesting to compare the style of validation we have presented against that offered in verification tools such as SMV [30] and COSPAN [21]. SMV is a system that allows concurrent finite state systems to be described in a language reminiscent of data flow languages as well as guarded command languages. The transition relation underlying finite state systems modeled in SMV are represented using binary decision diagrams (BDDs) which ....

Har'El, Z., and Kurshan, R. P. Software for analytical development of communication protocols. AT&T Technical Journal (Jan. 1990). To appear.


Model Checking and Other Ways of Automating Formal Methods - Rushby (1995)   (2 citations)  (Correct)

....they can often express important safety and liveness properties. Related methods are based on language inclusion: implementation and specification are described by automata and we show that the language (of behaviors) accepted by the implementation is a subset of that accepted by the specification [5]. The requirement to severely downscale a system description to make it suitable for finite state exploration, coupled with limitations on the properties that can be checked in this way, mean that finite state methods are generally most suitable for examining questions related to control, rather ....

Zvi Har'El and Robert P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45--59, January /February 1990.


Model Checking for Programming Languages using VeriSoft - Godefroid (1997)   (106 citations)  (Correct)

....(e.g. [CES86, LP85, QS81, VW86]). In what follows, we will use the term model checking in a broad sense, to denote any automatic state space exploration technique that can be used for verification purposes. 1 Examples of tools that follow the above paradigm are CAESAR [FGM 92], COSPAN [HK90], CWB [CPS93], MURPHI [DDHY92], SMV [McM93], SPIN [Hol91] and VFSMvalid [FHS95], among others. These tools differ by the modeling languages they use for representing systems and properties, and by the conformation criteria according to which these representations are compared. But all of them ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Model Checking Without a Model: An Analysis of the.. - Godefroid, Hanmer.. (1998)   (11 citations)  (Correct)

....attracting growing attention for checking the correctness of concurrent reactive systems. In the case of a software system, existing state space exploration tools are restricted to the exploration of the state space of an abstract description of the system, specified in a modeling language (e.g. [HK90, Hol91, DDHY92, FGM 92, CPS93, McM93]). Recently [God97] it has been shown how the scope of systematic state space exploration can be extended to deal directly with actual code implementing concurrent reactive software systems, in which processes execute arbitrary code written in ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Model Checking TLA+ Specifications - Yu, al. (1999)   (3 citations)  (Correct)

....6,000 lines of proof, mostly proofs of invariance. We saw that a model checker could be used to check proposed invariants. Our first thought was to translate from TLA+ to the input language of an existing model checker. A translator from TLA+ specifications to S/R, the input language of cospan [6], already existed [7]. However, it required specifications to be written in a primitive language that was far from TLA+, so it was no help. We considered using SMV [14] and Murphi [5], but neither of them were up to the task. Among their problems is that their input languages are too primitive, ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 69(1):44--59, 1990.


VeriSoft: A Tool for the Automatic Analysis of Concurrent.. - Godefroid (1997)   (10 citations)  (Correct)

....of all concurrent components in a system. In the case of software systems, existing state space exploration tools can compute automatically a state space from an abstract description of such a system, specified in a modeling language. Examples of such tools are CAESAR [FGM 92], COSPAN [HK90], CWB [CPS93], MURPHI [DDHY92], SMV [McM93], SPIN [Hol91] and VFSMvalid [FHS95], among others. In many cases, analyses of complex concurrent systems using state space exploration techniques were able to reveal quite subtle design errors (for instance, see [Rud92, CGH 93, BG96]). VeriSoft ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


PIF: a Property Interchange Format for verification using HSIS - Berkeley Cad Group   (Correct)

....(items 3 and 4) or wherever a set of states is expected in the PIF file; these two constants denote the universe set and the empty set respectively. Also note that multiple constraints of each type can be defined. For example, multiple subsets constraints correspond to a set of cysets of Kurshan [6]. 3 For a beginning user, we suggest the use of only negative fairness constraints for the system. Also, many constraints can be specified without using CFCs (the 4th type of negative fairness constraint). However, CFCs are the most expressive kinds of constraints, and an experienced user will ....

Z. Har'El and R. P. Kurshan. Software for Analytical Development of Communication Protocols. AT&T Technical Journal, pages 45--59, January 1990.


From Architecture Down to Implementation of Safe Process.. - DUVAL, CATTEL   (Correct)

....models such as Promela. 1. Introduction Verification techniques are used increasingly often to ensure the correctness of safety critical systems such as some concurrent reactive applications. Many tools provide support for exploring the state space of such systems such as STeP[13] CWB[4] COSPAN[8]. However, when the implementation phase has to be realized, it is often difficult to choose the language and to implement the model. In this paper we will show that it can be easily achieved by using the PROMELA[12] language to model and Synchronous C [2] to implement the system. As we will ....

Har'El Z., Kurshan R.P. (1990) Software for analytical Development of Communications Protocol. AT&T Tech. J. 69, Pages 45-59.


Adding Dense Time Properties to Finite--State.. - Courcoubetis Dill.. (1992)   (Correct)

....the verifier can report an execution history that shows how the violation could occur. Currently, one of the most sophisticated verification programs is COSPAN, developed by R. Kurshan and others at AT&T Bell Laboratories. COSPAN has been used to verify many protocols and hardware designs. COSPAN [HK89, JK86, ZH90] is based on a model which specifies the system in terms of finite state machines coupled with a powerful communication mechanism. The model is powerful enough so that COSPAN can express and validate any regular property. In general, the models used by these programs abstract away from time ....

R. P Kurshan Z. Har'El. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Efficient Generation of Counterexamples and.. - Clarke, Grumberg.. (1994)   (30 citations)  (Correct)

....p j 1 ; p j n Gammak . A witness can be computed in exactly the same manner as in the last section. 8. Counterexamples for Language Containment Problems. An alternative technique for verifying finite state systems is based on showing language inclusion between finite automata [9, 10, 13]. We model the system to be verified by an automaton $K_{sys}$. The specification to be checked is given by a second automaton $K_{spec}$. The system will satisfy its specification if the language accepted by $K_{sys}$ is contained in the language accepted by $K_{spec}$, i.e. $L(K_{sys}) \subseteq L(K_{spec})$. In ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45--59, Jan.--Feb. 1990.


The Concurrency Workbench: A Semantics Based Tool for.. - Cleaveland, Parrow.. (1994)   (210 citations)  (Correct)

....and Engineering Research Council. x Lehrstuhl für Informatik II, RWTH Aachen, Ahornstraße 55, W 5100 Aachen, GERMANY tools, which typically embody a particular semantics and a particular form of verification. Examples of such systems include Aldébaran [22], AUTO [3], CESAR [47], COSPAN [28], EMC [6] and Winston [42]. Other tools, such as SPIN [32], perform more specialized kinds of analysis (such as deadlock detection) and are used primarily to validate (as opposed to verify) existing real world systems. In order to achieve this flexibility the algorithms in the Workbench are ....

Har'el, Z. and R.P. Kurshan. "Software for Analytical Development of Communications Protocols." AT&T Technical Journal, v. 69, n. 1, pp. 45--59. February, 1990.


Model Checking in Practice: An Analysis of the.. - Boigelot, Godefroid   (Correct)

....flaws at a very late stage of their development process. We also present suggestions for solving the detected problems. 1 Introduction. State space exploration techniques are increasingly being used for debugging and proving correct finite state concurrent reactive systems (cf. [Rud87, Liu89, HK90, Hol91, DDHY92, FGM 92]). These techniques consist of exploring a global state graph, called the state space, representing the combined behavior of all concurrent components in the system. This is done by recursively exploring all successor states of all states encountered during the ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Translation between S/R and Promela - Nalumasu (1995)   (Correct)

....processes are created at the time of initialization. An S/R specification may also contain a number of tasks to specify the properties to be verified. These constructs, coupled with the general synchronous model, give rise to a specification language with the power of Gammaautomaton [4]. COSPAN [2] is an analyzer for models written in the S/R language. This tool offers a number of options to make verification of large complex systems feasible, including implicit enumeration (using BDDs), explicit enumeration, and automatic task relative reduction of a specification with respect to the tasks ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Tech. J., 69:45--59, 1990.


Edge-Streett/Edge-Rabin Automata Environment for Formal.. - Ramin Hojati (1994)   (1 citation)  (Correct)

....method for verification as the L environment. Computing the complement of the language of a property is trivial: just think of the L automaton as an L process. Based on this paradigm, the first software tool for automatic verification of finite state systems using language containment was built ([HK90]). The advent of BDDs allows for handling of very large state spaces. [HTKB92] and [HBK93] gave various efficient BDD based algorithms for language containment and debugging in the L environment. In this paper, we introduce a new language containment based formal verification environment. The ....

Z. Har'El and R.P. Kurshan. Software for Analytical Development of Communication Protocols. AT&T Technical Journal, pages 45--59, January 1990.


Formal Methods and their Role in the Certification of Critical.. - Rushby (1995)   (29 citations)  (Correct)

....are not large and can therefore be undertaken by a few highly skilled people. It is not necessary to train every programmer to get valuable returns from formal methods. Another opportunity lies in problems where formal methods can be massively automated. Examples include certain kinds of protocols [HK90, CGH 95] and hardware designs [MS95]. a For example, Tesla quit Edison's laboratory after less than a year complaining of Edison's preference for empirical methods, knowing that a little theory and calculation would have saved him 90 of his labor [Bur93]. Standards and guidance documents ....

.... range is from tens of thousands to tens of millions). Hardware, and distributed algorithms such as protocols, are particularly suitable for this kind of examination through exhaustive state exploration [DDHY92]; related technologies are known as model checking [CGL94] and language inclusion [HK90]. A specification may admit too many behaviors for state exploration to succeed, but it may be possible to develop a downscaled version that can be examined in this way. For example, a communications protocol may be designed to move arbitrary data reliably over a faulty channel using sequence ....

Zvi Har'El and Robert P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45--59, January/February 1990.


A Building Block Approach to Detecting and Resolving Feature.. - Lin, Lin (1994)   (29 citations)  (Correct)

....manager in the model. In summary, we are mainly interested in efficient model checking tools that can sustain the complexity of the problems we are dealing with here. Many such tools based on the theoretical foundation of temporal logic have been created in the past few years. Examples are COSPAN [13], SMV [14, 15] and SPIN [10]. 3.3 Composition Tools. In this process, two levels of composition are considered: 1. Composition of a feature context for feature specification. A feature context can be composed from BFCs. During such a composition, the following information is crucial: ....

Z. Har'El and R. P. Kurshan. Software for Analytical Development of Communications Protocols. AT&T Technical Journal , pp.45-59, Vol. 69, No. 1, January 1990.


Model Checking Electronic Commerce Protocols (Extended.. - Heintze, Tygar, Wing, Wong   (Correct)

....the property. In reality, for atomicity properties, we need the failure refinement, which extends the trace refinement to handle non determinism. Model checking is a demonstrated success in hardware verification. Researchers and industrialists have used checkers like SMV [15] Murphi [5] COSPAN [8] and SPIN [10] to find bugs in published circuit designs, floating point standards, and cache coherence protocols for multiprocessors. It has been adopted by the hardware community to complement the traditional validation method of hardware simulation. Model checking has also recently gained the ....

Zvi Har'El and Robert P. Kurshan. Software for analytical development of communications protocols. In AT&T Technical Journal, pages 45--60, January/February 1990.


Automatic Synthesis of Specifications from the Dynamic.. - Boigelot, Godefroid (1997)   (6 citations)  (Correct)

....space, representing the combined behavior of all concurrent components in a system. Existing state space exploration tools can compute automatically a state space from a description of the concurrent system specified in a modeling language. Examples of such tools are CAESAR [FGM 92], COSPAN [HK90], CWB [CPS93], MURPHI [DDHY92], SMV [McM93], SPIN [Hol91] and VFSMvalid [FHS95], among others. These tools differ by the modeling languages they use for representing systems and properties, and by the conformation criteria according to which these representations are compared. But all of them ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.


Model Checking Software Systems: A Case Study - Wing, Vaziri-Farahani (1995)   (28 citations)  (Correct)

.... to fifteen [25]. 5 Related Work. Model checking originated with Clarke and Emerson's work in 1981 [8]. As mentioned in the introduction, it has already proven to be extremely successful in debugging hardware [4, 14, 23, 10, 9, 3]. Tool support for model checking includes SMV [22], FDR [16], COSPAN [19], and the Concurrency Workbench [11]. There are more and more documented case studies; for example, the proceedings of the 1995 Workshop of Industrial Strength Formal Techniques contains four model checking case study papers [17]. We are not the first to explore the use of model checking in the ....

Har'El, Z., and Kurshan, R. P. Software for analytical development of communications protocols. AT&T Technical Journal 69, 1 (Jan.--Feb. 1990), 45-- 59.


Verification of a Multiplier: 64 Bits and beyond - Kurshan, Lamport (1993)   (31 citations)  Self-citation (Kurshan)   (Correct)

....our approach of combining model checking of local properties with theorem proving to work for real multipliers. We combine two existing tools: the TLP theorem prover [4], which verifies models written in the Temporal Logic of Actions (TLA) [12], and the automata-theoretic model checker COSPAN [5], which verifies models written in the language S/R [6]. We chose to combine TLA and S/R because they are simple and have similar semantic bases. Moreover, a tool exists for the automatic synthesis to hardware of an S/R specification. In principle, we could write the models in either language and ....

Z. Har'El and R. P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 69(1):44--59, 1990.


Timing Verification by Successive Approximation - Yannakakis (1992)   (37 citations)  Self-citation (Kurshan)   (Correct)

....needed to solve the original language inclusion question, and give a proof or a counter example to the original question. In the worst case, the number of iterations needed is exponential in the size of the original delay constraint. We have implemented the proposed scheme in the verifier Cospan [HK90]. In Section 5, we present the results of our experiments on some examples including timing based algorithms for mutual exclusion, and a toy controller for railroad crossing. In all these examples, the number of iterations needed before termination is much smaller than the worst case exponential ....

....by an exponential factor. This strategy may, however, result in constructing bigger region automata. We have not yet done sufficient experiments to determine which strategy is better in practice. 5 Implementation and examples. We have implemented the proposed scheme in the verifier Cospan [HK90]. Cospan is a tool for verifying logical properties of a system modeled as a collection of coordinating processes. The system is specified in a language called S/R [AKS83]. The syntax of S/R allows one to specify the association between the state transitions of individual processes and the ....

Z. Har'El and R.P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 1990.



CiteSeer.IST - Copyright Penn State and NEC