Symbolic model checking for sequential circuit verification
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, 1994
Cited by 271 (12 self)
The temporal logic model checking algorithm of Clarke, Emerson, and Sistla [17] is modified to represent state graphs using binary decision diagrams (BDDs) [7] and partitioned transition relations [10], [11]. Because this representation captures some of the regularity in the state space of circuits with data path logic, we are able to verify circuits with an extremely large number of states. We demonstrate this new technique on a synchronous pipelined design with approximately 5 x 10^120 states. Our model checking algorithm handles full CTL with fairness constraints. Consequently, we are able to express a number of important liveness and fairness properties, which would otherwise not be expressible in CTL. We give empirical results on the performance of the algorithm applied to both synchronous and asynchronous circuits with data path logic.
A Partial Approach to Model Checking
INFORMATION AND COMPUTATION, 1994
Cited by 124 (4 self)
This paper presents a model-checking method for linear-time temporal logic that can avoid most of the state explosion due to the modelling of concurrency by interleaving. The method relies on the concept of Mazurkiewicz's trace as a semantic basis and uses automata-theoretic techniques, including automata that operate on words of ordinality higher than \omega.
Module Checking
1996
Cited by 113 (12 self)
In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, model-checking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current model-checking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (module checking, for short). We show that while module che...
Tableau-Based Model Checking in the Propositional Mu-Calculus
Acta Informatica, 1990
Cited by 101 (7 self)
This paper describes a procedure, based around the construction of tableau proofs, for determining whether finite-state systems enjoy properties formulated in the propositional mu-calculus. It presents a tableau-based proof system for the logic and proves it sound and complete, and it discusses techniques for the efficient construction of proofs that states enjoy properties expressed in the logic. The approach is the basis of an ongoing implementation of a model checker in the Concurrency Workbench, an automated tool for the analysis of concurrent systems.

1 Introduction

One area of program verification that has proven amenable to automation involves the analysis of finite-state processes. While computer systems in general are not finite-state, many interesting ones, including a variety of communication protocols and hardware systems, are, and their finitary nature enables the development and implementation of decision procedures that test for various properties. Model checking has p...
A language for compositional specification and verification of finite state hardware controllers
Proceedings of the IEEE, 1991
Cited by 38 (2 self)
SML is a language for describing complex finite-state hardware controllers. It provides many of the standard control structures found in modern programming languages. The state tables produced by the SML compiler can be used as input to a temporal logic model checker that can automatically determine whether a specification in the logic CTL is satisfied. We describe extensions to SML for the design of modular controllers. These extensions allow a compositional approach to model checking which can substantially reduce its complexity. To demonstrate our methods, we discuss the specification and verification of a simple CPU controller.
Fair SMG and Linear Time Model Checking
In Proceedings of Workshop on Automatic Verification Methods for Finite State Systems, 1989
Cited by 7 (4 self)
SMG is a system designed to generate a finite state model of a program from the program itself and an operational semantics for the programming language. This finite state model can then be model-checked to verify desired temporal properties of the original program. In this paper we first show how we have incorporated notions of fairness into SMG; in particular, a user is now able to define semantics with "fair" constructs, for example, parallel, repetitive choice, etc. The user can, indeed, mix different forms of fairness checking. Secondly we describe a practical approach to model checking of linear temporal formulae over the fair structures generated by SMG. Our approach is a refinement and extension of the fair-satisfiability algorithms, presented earlier by Lichtenstein and Pnueli, together with techniques developed in our practical implementations of decision procedures for linear temporal logic.
A Model Checker for Linear Time Temporal Logic
Formal Aspects of Computing, 1992
Cited by 6 (1 self)
This report describes the design and implementation of a model checker for linear time temporal logic. The model checker uses a depth-first search algorithm that attempts to find a minimal satisfying model and uses as little space as possible during the checking procedure. The depth-first nature of the algorithm enables the model checker to be used where space is at a premium.

1 Introduction

Temporal logic has been widely used for the specification and verification of reactive systems. It has been successfully used to describe verifiable properties of state-machines derived from practical applications [CES83, BCDM84, GB88]. In this report we consider the verification of temporal properties of such state-machines through model-checking [CES83] (also known as satisfiability checking). Using this approach, a finite state-machine, often derived from some practical system, is checked to see if it satisfies various properties represented by temporal formulae. The satisfaction of these prope...
Automated Computation of Decomposable Synchronization Conditions
Second IEEE High-Assurance Systems Engineering Workshop (HASE 97), 1997
Cited by 4 (1 self)
The most important aspect of concurrent and distributed computation is the interaction between system components. Integration of components into a system requires some synchronization that prevents the components from interacting in ways that may endanger the system users, its correctness or performance. The undesirable interactions are usually described using temporal logic, or safety and liveness assertions. Automated synthesis of synchronization conditions is a portable alternative to the manual design of system synchronization, and it is already widespread in the hardware CAD domain. The automated synchronization for concurrent software systems is hindered by their excessive complexity, because their state spaces can rarely be exhaustively analyzed to compute the synchronization conditions. The analysis of global state spaces is required for liveness and real-time properties, but simple safety rules depend only on the referenced components and not on the rest of the system or it...
A Runtime Environment for a Validation Language
1993
Cited by 3 (3 self)
Our Department is currently engaged in a project to validate the correctness of reactive systems, specifically operating system kernels. Model checking is used as a validation technique. A model checker was implemented using transition systems as a modelling formalism and computation tree logic (CTL) to specify correctness requirements. Although transition systems are powerful enough to specify the behaviour of reactive systems, they are inconvenient to use because they are too low-level. Therefore a high-level validation language is required. Since the behaviour of an operating system kernel is often dependent on the manipulation of complex data, the validation language must support complex data structures. This thesis describes the design and implementation...
Analysis and Applications of Receptive Safety Properties in Concurrent Systems
Cited by 1 (1 self)
Formal verification for complex concurrent systems is a computationally intensive and, in some cases, intractable process. The complexity is an inherent part of the verification process due to the system complexity that is an exponential function of the sizes of its components. However, some properties can be enforced by automatically synchronizing the components, thus eliminating the need for verification. Moreover, the complexity of the analysis required to enforce the properties grows incrementally with addition of new components and properties that make the system complexity grow exponentially. The properties in question are the receptive safety properties, a subset of safety properties that can only be violated by component actions. The receptive safety properties represent the realizable subset of the general safety properties because a system that satisfies any non-receptive safety properties must satisfy related receptive safety properties. This implies that any system with...