FORMAL METHODS IN SYSTEM DESIGN, 1996
We present a formal model for concurrent systems. The model represents synchronous and asynchronous components in a uniform framework that supports compositional (assume-guarantee) and hierarchical (stepwise-refinement) design and verification. While synchronous models are based on a notion of atomic computation step, and asynchronous models remove that notion by introducing stuttering, our model is based on a flexible notion of what constitutes a computation step: by applying an abstraction operator to a system, arbitrarily many consecutive steps can be collapsed into a single step. The abstraction operator, which may turn an asynchronous system into a synchronous one, allows us to describe systems at various levels of temporal detail. For describing systems at various levels of spatial detail, we use a hiding operator that may turn a synchronous system into an asynchronous one. We illustrate the model with diverse examples from synchronous circuits, asynchronous sharedm...
You Assume, We Guarantee: Methodology and Case Studies
1998
Assume-guarantee reasoning has long been advertised as an important method for decomposing proof obligations in system verification. Refinement mappings (homomorphisms) have long been advertised as an important method for solving the language-inclusion problem in practice. When confronted with large verification problems, we therefore attempted to make use of both techniques. We soon found that, rather than offering instant solutions, the success of assume-guarantee reasoning depends critically on the construction of suitable abstraction modules, and the success of refinement checking depends critically on the construction of suitable witness modules. Moreover, as abstractions need to be witnessed, and witnesses abstracted, the process must be iterated. We present here the main lessons we learned from our experiments, in the form of a systematic and structured discipline for the compositional verification of reactive modules. An infrastructure to support this discipline, and automate parts of the verification, has been implemented in the tool Mocha.
Formal verification in hardware design: A survey
1997
In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods in a design process: the formal framework used to specify desired properties of a design, and the verification techniques and tools used to reason about the relationship between a specification and a corresponding implementation. We survey a variety of frameworks and techniques which have been proposed in the literature and applied to actual designs. The specification frameworks we describe include temporal logics, predicate logic, abstraction and refinement, as well as containment between ω-regular languages. The verification techniques presented include model checking, automata-theoretic techniques, automated theorem proving, and approaches that integrate the above methods.
Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises
2002
essible to those from the human factors community to whom this technology may be new.
Keywords: automation surprise, mode confusion, model checking, formal methods, mental model, human-computer interaction
1 INTRODUCTION
Automated systems sometimes behave in ways that surprise their operators [22]. These "automation surprises" are particularly well-documented in the cockpits of advanced commercial aircraft [6,17,21], and several fatal crashes and other incidents are attributed to problems in the "flight crew-automation interface" [9, Appendix D]. Cognitive scientists have proposed that humans construct "mental models" of the world [13]; in particular, operators and users of an automated system develop such models of the system's behavior and use them to guide their interaction with it [16]. An automation surprise then occurs when the actual behavior of a system departs from that predicted by its operator's mental model. Complex systems are often stru
Computational techniques for the verification of hybrid systems
Proceedings of the IEEE, 2003
Hybrid system theory lies at the intersection of the fields of engineering control theory and computer science verification. It is defined as the modeling, analysis, and control of systems that involve the interaction of both discrete state systems, represented by finite automata, and continuous state dynamics, represented by differential equations. The embedded autopilot of a modern commercial jet is a prime example of a hybrid system: the autopilot modes correspond to the application of different control laws, and the logic of mode switching is determined by the continuous state dynamics of the aircraft, as well as through interaction with the pilot. To understand the behavior of hybrid systems, to simulate, and to control these systems, theoretical advances, analyses, and numerical tools are needed. In this paper, we first present a general model for a hybrid system along with an overview of methods for verifying continuous and hybrid systems. We describe a particular verification
Parallelizing the Murφ verifier
Computer Aided Verification. 9th International Conference, 1997
With the use of state and memory reduction techniques in verification by explicit state enumeration, runtime becomes a major limiting factor. We describe a parallel version of the explicit state enumeration verifier Murφ for distributed memory multiprocessors and networks of workstations that is based on the message passing paradigm. In experiments with three complex cache coherence protocols, parallel Murφ shows close to linear speedups, which are largely insensitive to communication latency and bandwidth. There is some slowdown with increasing communication overhead, for which a simple yet relatively accurate approximation formula is given. Techniques to reduce overhead and required bandwidth and to allow heterogeneity and dynamically changing load in the parallel machine are discussed, which we expect will allow good speedups when using conventional networks of workstations.
Multi-Valued Symbolic Model-Checking
ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY, 2003
This paper introduces the concept and the general theory of multi-valued model checking, and describes a multi-valued symbolic model-checker χChek. Multi-valued
Model checking TLA+ specifications
Correct Hardware Design and Verification Methods, 1999
Abstract. TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it.
1 Introduction
Model checkers are usually judged by the size of system they can handle and the class of properties they can check [3, 16, 4]. The system is generally described in either a hardware-description language or a language tailored to the needs of the model checker. The criteria that inspired the model checker TLC are completely different. TLC checks specifications written in TLA+, a rich language with a well-defined semantics that was designed for expressiveness and ease of formal reasoning, not model checking. Two main goals led us to this approach: the systems that interest us are too large and complicated to be completely
Distributing Timed Model Checking: How the Search Order Matters
2000
In this paper we address the problem of distributing model checking of timed automata. We demonstrate through four real-life examples that the combined processing and memory resources of multiprocessor computers can be effectively utilized. The approach assumes a distributed memory model and is applied to both a network of workstations and a symmetric multiprocessor machine. However, certain unexpected phenomena have to be taken into account. We show how, in the timed case, the search order of the state space is crucial for the effectiveness and scalability of the exploration. An effective heuristic to counter the effect of the search order is provided. Some of the results also point to improvements in the single-processor case.
Finite-State Analysis of Two Contract Signing Protocols
THEORETICAL COMPUTER SCIENCE, 2001
Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Murφ, a finite-state verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.