Results 1  10
of
114
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 3252 (70 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Model Checking and Modular Verification
 ACM Transactions on Programming Languages and Systems
, 1991
"... We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing ..."
Abstract

Cited by 312 (11 self)
 Add to MetaCart
(Show Context)
We describe a framework for compositional verification of finite state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition; and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic corresponds to being below a particular structure (a tableau for the formula) in the preorder. We show how to do assumeguarantee style reasoning within this framework. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. We have implemented a system based on these methods, and we use it to give a compositional verification of a CPU controller. 1 Introduction Temporal logic model checking procedures are useful tools for the verification of finite state systems [3, 12, 20]. However, these procedures have traditionally suffered from the state explosion proble...
Reasoning about Systems with Many Processes
 Journal of the ACM
, 1992
"... Abstract. Methods are given for automatically verifying temporal properties of concurrent systems containing an arbitrary number of finitestate processes that communicate using CCS actions. Two models of systems are considered. Systems in the first model consist of a unique contro [ process and an ..."
Abstract

Cited by 168 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Methods are given for automatically verifying temporal properties of concurrent systems containing an arbitrary number of finitestate processes that communicate using CCS actions. Two models of systems are considered. Systems in the first model consist of a unique contro [ process and an arbitrary number of user processes with identical detlnitions, For this model, a decision procedure to check whether all the executions of a process satisfy a given specification is presented. This algorithm runs in time double exponential mthe sizes of the control andthe user process definitions. It is also proven that it is decidable whether all the fair executions of a process satisfy a gwen specification. The second model is a special case of the first. In this model, all the processes have identical definitions. For this model, an efficient decision procedure is presented that checks if every execution of a process satisfies a given temporal logic specification. This algorithm runs in time polynomial inthesize of the process definition. Itisshown howtoverify certamglobal properties such as mutual exchrslon and absence of deadlocks. Finally, it is shown how these decision procedures can beusedto reason about certain systems with a communication network,
MONA: Monadic SecondOrder Logic in Practice
 IN PRACTICE, IN TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS, FIRST INTERNATIONAL WORKSHOP, TACAS '95, LNCS 1019
, 1995
"... The purpose of this article is to introduce Monadic Secondorder Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finitestate au ..."
Abstract

Cited by 149 (20 self)
 Add to MetaCart
(Show Context)
The purpose of this article is to introduce Monadic Secondorder Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finitestate automata. The tool is based on new algorithms for minimizing finitestate automata that use binary decision diagrams (BDDs) to represent transition functions in compressed form. A byproduct of this work is a new bottomup algorithm to reduce BDDs in linear time without hashing. The potential
Verification Tools for FiniteState Concurrent Systems
"... Temporal logic model checking is an automatic technique for verifying finitestate concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a statetransition graph. An efficient search procedure is used to determine whether or not t ..."
Abstract

Cited by 130 (3 self)
 Add to MetaCart
(Show Context)
Temporal logic model checking is an automatic technique for verifying finitestate concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a statetransition graph. An efficient search procedure is used to determine whether or not the statetransition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10 120 states. In this paper we describe in detail how the new implementation works and
Symbolic model checking with rich assertional languages
 Theoretical Computer Science
, 1997
"... Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri c ..."
Abstract

Cited by 120 (4 self)
 Add to MetaCart
Abstract. The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bddrepresented nitestate systems into the domain of in nitestate systems, leading to a powerful technique for uniform veri cation of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of in nitestate systems, a demonstration that many individual examples of uniformly veri ed parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all singlebus con gurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the topdown invariant generation method used in deductive veri cation. 1
Verifying properties of large sets of processes with network invariants (Extended Abstract)
, 1990
"... ..."
(Show Context)
Automatic Deductive Verification with Invisible Invariants
, 2001
"... The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving inva ..."
Abstract

Cited by 103 (11 self)
 Add to MetaCart
(Show Context)
The paper presents a method for the automatic verification of a certain class of parameterized systems. These are boundeddata systems consisting of N processes (N being the parameter), where each process is finitestate. First, we show that if we use the standard deductive inv rule for proving invariance properties, then all the generated verification conditions can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Next, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Combining this automatic computation of invariants with the previously mentioned resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying boundeddata parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". We illustrate the method on a nontrivial example of a cache protocol, provided by Steve German.
Parameterized Verification with Automatically Computed Inductive Assertions
, 2001
"... The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic mo ..."
Abstract

Cited by 90 (9 self)
 Add to MetaCart
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic modelchecking techniques for both tasks. First, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive inv rule for proving invariance properties can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Automatic Verification of Parameterized Cache Coherence Protocols
, 2000
"... We propose a new method for the verification of parameterized cache coherence protocols. Cache coherence protocols are used to maintain data consistency in commercial multiprocessor systems equipped with local fast caches. In our approach we use arithmetic constraints to model possibly infinite sets ..."
Abstract

Cited by 89 (6 self)
 Add to MetaCart
We propose a new method for the verification of parameterized cache coherence protocols. Cache coherence protocols are used to maintain data consistency in commercial multiprocessor systems equipped with local fast caches. In our approach we use arithmetic constraints to model possibly infinite sets of global states of a multiprocessor system with many identical caches. In preliminary experiments using symbolic model checkers for infinitestate systems based on real arithmetics (HyTech [HHW97] and DMC [DP99]) we have automatically verified safety properties for parameterized versions of widely implemented writeinvalidate and writeupdate cache coherence policies like the Mesi, Berkeley, Illinois, Firey and Dragon protocols [Han93]. With this application, we show that symbolic model checking tools originally designed for hybrid and concurrent systems can be applied successfully to a new class of infinitestate systems of practical interest.