Results 1-10 of 147
Interpolation and SAT-based model checking
, 2003
Cited by 283 (11 self)
Abstract. We consider a fully SAT-based method of unbounded symbolic model checking based on computing Craig interpolants. In benchmark studies using a set of large industrial circuit verification instances, this method is greatly more efficient than BDD-based symbolic model checking, and compares favorably to some recent SAT-based model checking methods on positive instances.
Automatic Abstraction without Counterexamples
, 2002
Cited by 129 (9 self)
A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SAT-based bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The performance of this approach on benchmarks derived from microprocessor verification indicates that SAT solvers are quite effective in eliminating logic that is not relevant to a given property. Moreover, benchmark results suggest that when bounded model checking successfully terminates, and the problem is unsatisfiable, the number of state variables in the proof of unsatisfiability tends to be small. In all cases tested, when bounded model checking succeeded, unbounded model checking of the resulting abstraction also succeeded.
Lazy theorem proving for bounded model checking over infinite domains
, 2002
Cited by 90 (11 self)
Abstract. We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula φ with domain-specific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification φ. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving. 1 Introduction Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finite-state systems but also to certain infinite-state systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicit-state model checkers enumerate the set of reachable states of the system.
A Brief Account of Runtime Verification
, 2008
Cited by 70 (0 self)
In this paper, a brief account of the field of runtime verification is given. Starting with a definition of runtime verification, a comparison to well-known verification techniques like model checking and testing is provided, and applications in which runtime verification brings out its distinguishing features are pointed out. Moreover, extensions of runtime verification such as monitor-oriented programming, and monitor-based runtime reflection are sketched and their similarities and differences are discussed. Finally, the use of runtime verification for contract enforcement is briefly pointed out.
Runtime verification for LTL and TLTL
, 2007
Cited by 63 (12 self)
This paper studies runtime verification of properties expressed either in linear-time temporal logic (LTL) or timed linear-time temporal logic (TLTL). It classifies runtime verification in identifying its distinguishing features to model checking and testing, respectively. It introduces a three-valued semantics (with truth values true, false, inconclusive) as an adequate interpretation as to whether a partial observation of a running system meets an LTL or TLTL property. For LTL, a conceptually simple monitor generation procedure is given, which is optimal in two respects: First, the size of the generated deterministic monitor is minimal, and, second, the monitor identifies a continuously monitored trace as either satisfying or falsifying a property as early as possible. The feasibility of the developed methodology is demonstrated using a collection of real-world temporal logic specifications. Moreover, the presented approach is related to the properties monitorable in general and is compared to existing concepts in the literature. It is shown that the set of monitorable properties does not only encompass the safety and co-safety properties but is strictly larger. For TLTL, the same road map is followed by first defining a three-valued semantics. The corresponding construction of a timed monitor is more involved, yet, as shown, possible.
Distributed Usage Control
 Communications of the ACM
, 2006
Cited by 61 (14 self)
Computer systems play an increasingly prominent role in our daily lives. Interacting with these systems often involves disclosing personal data, i.e., data that can be traced back to particular individuals, collected in different contexts. For example, healthcare providers, insurance companies, and tax
Liveness Checking as Safety Checking
 In FMICS’02: Formal Methods for Industrial Critical Systems, volume 66(2) of ENTCS
, 2002
Cited by 56 (5 self)
Temporal logic is widely used for specifying hardware and software systems. Typically two types of properties are distinguished, safety and liveness properties. While safety can easily be checked by reachability analysis, and many efficient checkers for safety properties exist, more sophisticated algorithms have always been considered to be necessary for checking liveness. In this paper we describe an efficient translation of liveness checking problems into safety checking problems. A counter example is detected by saving a previously visited state in an additional state recording component and checking a loop closing condition. The approach handles fairness and thus extends to full LTL.
Monitoring of real-time properties
 In Proceedings of the 26th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS), volume 4337 of LNCS
, 2006
Cited by 55 (15 self)
Abstract. This paper presents a construction for runtime monitors that check real-time properties expressed in timed LTL (TLTL). Due to D’Souza’s results, TLTL can be considered a natural extension of LTL towards real-time. Moreover, a typical obstacle in runtime verification is solved both for untimed and timed formulae, in that standard models of linear temporal logic are infinite traces, whereas in runtime verification only finite system behaviours are at hand. Therefore, a 3-valued semantics (true, false, inconclusive) for LTL and TLTL on finite traces is defined that resembles the infinite trace semantics in a suitable and intuitive manner. Then, the paper describes how to construct, given a (T)LTL formula, a deterministic monitor with three output symbols that reads a finite trace and yields its according 3-valued (T)LTL semantics. Notably, the monitor rejects a trace as early as possible, in that any minimal bad prefix results in false as a return value.
Bounded LTL model checking with stable models
 Proceedings of the 6th International Conference on Logic Programming and Nonmonotonic Reasoning
, 2003
Cited by 52 (6 self)
In this paper bounded model checking of asynchronous concurrent systems is introduced as a promising application area for answer set programming. As the model of asynchronous systems a generalisation of communicating automata, 1-safe Petri nets, are used. It is shown how a 1-safe Petri net and a requirement on the behaviour of the net can be translated into a logic program such that the bounded model checking problem for the net can be solved by computing stable models of the corresponding program. The use of the stable model semantics leads to compact encodings of bounded reachability and deadlock detection tasks as well as the more general problem of bounded model checking of linear temporal logic. Correctness proofs of the devised translations are given, and some experimental results using the translation and the Smodels system are presented.
Compositional message sequence charts
 In Proc. 7th Intl. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’01), volume 2031 of Lect. Notes in Comp. Sci
, 2001
Cited by 48 (6 self)
Message sequence charts (MSCs) is a standard notation for describing the interaction between communicating objects. It is popular among the designers of communication protocols. MSCs enjoy both a visual and a textual representation. High level MSCs (HMSCs) allow specifying infinite scenarios and different choices. Specifically, an HMSC consists of a graph, where each node is a finite MSC with matched send and receive events, and vice versa. In this paper we demonstrate a weakness of HMSCs, which disallows one to model certain interactions. We will show, by means of an example, that some simple finite state and simple communication protocol cannot be represented using HMSCs. We then propose an extension to the MSC standard, which allows HMSC nodes to include unmatched messages. The corresponding graph notation will be called HCMSC, which stands for High level Compositional Message Sequence Charts. With the extended framework, we provide an algorithm for automatically constructing an MSC representation for finite state asynchronous message passing protocols.