Results 1  10
of
315
An AutomataTheoretic Approach to BranchingTime Model Checking
 JOURNAL OF THE ACM
, 1998
"... Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing lineartime modelchecking, and for obtaining many extensions and improvements to this verification method. On the other hand, for branching temporal logic, automatatheoretic techniques ..."
Abstract

Cited by 354 (66 self)
 Add to MetaCart
Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing lineartime modelchecking, and for obtaining many extensions and improvements to this verification method. On the other hand, for branching temporal logic, automatatheoretic techniques have long been thought to introduce an exponential penalty, making them essentially useless for modelchecking. Recently, Bernholtz and Grumberg have shown that this exponential penalty can be avoided, though they did not match the linear complexity of nonautomatatheoretic algorithms. In this paper we show that alternating tree automata are the key to a comprehensive automatatheoretic framework for branching temporal logics. Not only, as was shown by Muller et al., can they be used to obtain optimal decision procedures, but, as we show here, they also make it possible to derive optimal modelchecking algorithms. Moreover, the simple combinatorial structure that emerges from the a...
Simple Onthefly Automatic Verification of Linear Temporal Logic
, 1995
"... We present a tableaubased algorithm for obtaining an automaton from a temporal logic formula. The algorithm is geared towards being used in model checking in an "onthefly" fashion, that is the automaton can be constructed simultaneously with, and guided by, the generation of the model. ..."
Abstract

Cited by 327 (29 self)
 Add to MetaCart
(Show Context)
We present a tableaubased algorithm for obtaining an automaton from a temporal logic formula. The algorithm is geared towards being used in model checking in an "onthefly" fashion, that is the automaton can be constructed simultaneously with, and guided by, the generation of the model. In particular, it is possible to detect that a propertydoes not hold by only constructing part of the model and of the automaton. The algorithm can also be used to checkthevalidity of a temporal logic assertion. Although the general problem is PSPACEcomplete, experiments show that our algorithm performs quite well on the temporal formulas typically encountered in verification. While basing lineartime temporal logic modelchecking upon a transformation to automata is not new, the details of how to do this efficiently, and in "onthefly" fashion havenever been given.
An automatatheoretic approach to linear temporal logic
 Logics for Concurrency: Structure versus Automata, volume 1043 of Lecture Notes in Computer Science
, 1996
"... Abstract. The automatatheoretic approach to linear temporal logic uses the theory of automata as a unifying paradigm for program specification, verification, and synthesis. Both programs and specifications are in essence descriptions of computations. These computations can be viewed as words over s ..."
Abstract

Cited by 295 (26 self)
 Add to MetaCart
(Show Context)
Abstract. The automatatheoretic approach to linear temporal logic uses the theory of automata as a unifying paradigm for program specification, verification, and synthesis. Both programs and specifications are in essence descriptions of computations. These computations can be viewed as words over some alphabet. Thus,programs and specificationscan be viewed as descriptions of languagesover some alphabet. The automatatheoretic perspective considers the relationships between programs and their specifications as relationships between languages.By translating programs and specifications to automata, questions about programs and their specifications can be reduced to questions about automata. More specifically, questions such as satisfiability of specifications and correctness of programs with respect to their specifications can be reduced to questions such as nonemptiness and containment of automata. Unlike classical automata theory, which focused on automata on finite words, the applications to program specification, verification, and synthesis, use automata on infinite words, since the computations in which we are interested are typically infinite. This paper provides an introduction to the theory of automata on infinite words and demonstrates its applications to program specification, verification, and synthesis. 1
Visibly pushdown languages
, 2004
"... Abstract. We study congruences on words in order to characterize the class of visibly pushdown languages (Vpl), a subclass of contextfree languages. For any language L, we define a natural congruence on words that resembles the syntactic congruence for regular languages, such that this congruence i ..."
Abstract

Cited by 189 (19 self)
 Add to MetaCart
Abstract. We study congruences on words in order to characterize the class of visibly pushdown languages (Vpl), a subclass of contextfree languages. For any language L, we define a natural congruence on words that resembles the syntactic congruence for regular languages, such that this congruence is of finite index if, and only if, L is a Vpl. We then study the problem of finding canonical minimal deterministic automata for Vpls. Though Vpls in general do not have unique minimal automata, we consider a subclass of VPAs called kmodule singleentry VPAs that correspond to programs with recursive procedures without input parameters, and show that the class of wellmatched Vpls do indeed have unique minimal kmodule singleentry automata. We also give a polynomial time algorithm that minimizes such kmodule singleentry VPAs. 1 Introduction The class of visibly pushdown languages (Vpl), introduced in [1], is a subclassof contextfree languages accepted by pushdown automata in which the input letter determines the type of operation permitted on the stack. Visibly pushdown languages are closed under all boolean operations, and problems such as inclusion, that are undecidable for contextfree languages, are decidable for Vpl. Vpls are relevant to several applications that use contextfree languages suchas the modelchecking of software programs using their pushdown models [13]. Recent work has shown applications in other contexts: in modeling semanticsof effects in processing XML streams [4], in game semantics for programming languages [5], and in identifying larger classes of pushdown specifications thatadmit decidable problems for infinite games on pushdown graphs [6].
Alternating refinement relations
 In Proceedings of the Ninth International Conference on Concurrency Theory (CONCUR’98), volume 1466 of LNCS
, 1998
"... Abstract. Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the syste ..."
Abstract

Cited by 166 (20 self)
 Add to MetaCart
(Show Context)
Abstract. Alternating transition systems are a general model for composite systems which allow the study of collaborative as well as adversarial relationships between individual system components. Unlike in labeled transition systems, where each transition corresponds to a possible step of the system (which may involve some or all components), in alternating transition systems, each transition corresponds to a possible move in a game between the components. In this paper, we study refinement relations between alternating transition systems, such as “Does the implementation refine the set £ of specification components without constraining the components not in £? ” In particular, we generalize the definitions of the simulation and trace containment preorders from labeled transition systems to alternating transition systems. The generalizations are called alternating simulation and alternating trace containment. Unlike existing refinement relations, they allow the refinement of individual components within the context of a composite system description. We show that, like ordinary simulation, alternating simulation can be checked in polynomial time using a fixpoint computation algorithm. While ordinary trace containment is PSPACEcomplete, we establish alternating trace containment to be EXPTIMEcomplete. Finally, we present logical characterizations for the two preorders in terms of ATL, a temporal logic capable of referring to games between system components. 1
Model Checking of Safety Properties
, 1999
"... Of special interest in formal verification are safety properties, which assert that the system always stays within some allowed region. Proof rules for the verification of safety properties have been developed in the proofbased approach to verification, making verification of safety properties simp ..."
Abstract

Cited by 149 (22 self)
 Add to MetaCart
Of special interest in formal verification are safety properties, which assert that the system always stays within some allowed region. Proof rules for the verification of safety properties have been developed in the proofbased approach to verification, making verification of safety properties simpler than verification of general properties. In this paper we consider model checking of safety properties. A computation that violates a general linear property reaches a bad cycle, which witnesses the violation of the property. Accordingly, current methods and tools for model checking of linear properties are based on a search for bad cycles. A symbolic implementation of such a search involves the calculation of a nested fixedpoint expression over the system's state space, and is often impossible. Every computation that violates a safety property has a finite prefix along which the property is violated. We use this fact in order to base model checking of safety properties on a search for ...
Adding nesting structure to words
 In Developments in Language Theory, LNCS 4036
, 2006
"... We propose the model of nested words for representation of data with both a linear ordering and a hierarchically nested matching of items. Examples of data with such dual linearhierarchical structure include executions of structured programs, annotated linguistic data, and HTML/XML documents. Neste ..."
Abstract

Cited by 119 (17 self)
 Add to MetaCart
(Show Context)
We propose the model of nested words for representation of data with both a linear ordering and a hierarchically nested matching of items. Examples of data with such dual linearhierarchical structure include executions of structured programs, annotated linguistic data, and HTML/XML documents. Nested words generalize both words and ordered trees, and allow both word and tree operations. We define nested word automata—finitestate acceptors for nested words, and show that the resulting class of regular languages of nested words has all the appealing theoretical properties that the classical regular word languages enjoys: deterministic nested word automata are as expressive as their nondeterministic counterparts; the class is closed under union, intersection, complementation, concatenation, Kleene*, prefixes, and language homomorphisms; membership, emptiness, language inclusion, and language equivalence are all decidable; and definability in monadic second order logic corresponds exactly to finitestate recognizability. We also consider regular languages of infinite nested words and show that the closure properties, MSOcharacterization, and decidability of decision problems carry over. The linear encodings of nested words give the class of visibly pushdown languages of words, and this class lies between balanced languages and deterministic contextfree languages. We argue that for algorithmic verification of structured programs, instead of viewing the program as a contextfree language over words, one should view it as a regular language of nested words (or equivalently, a visibly pushdown language), and this would allow model checking of many properties (such as stack inspection, prepost conditions) that are not expressible in existing specification logics. We also study the relationship between ordered trees and nested words, and the corresponding automata: while the analysis complexity of nested word automata is the same as that of classical tree automata, they combine both bottomup and topdown traversals, and enjoy expressiveness and succinctness benefits over tree automata. 1
Formal verification in hardware design: A survey
, 1997
"... In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods ..."
Abstract

Cited by 113 (0 self)
 Add to MetaCart
In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods in a design process: The formal framework used to specify desired properties of a design, and the verification techniques and tools used to reason about the relationship between a specification and a corresponding implementation. We survey a variety of frameworks and techniques which have been proposed in the literature and applied to actual designs. The specification frameworks we describe include temporal logics, predicate logic, abstraction and refinement, as well as containment between!regular languages. The verification techniques presented include model checking, automatatheoretic techniques, automated theorem proving, and approaches that integrate the above methods.
The ForSpec Temporal Logic: A New Temporal PropertySpecification Language
, 2001
"... In this paper we describe the ForSpec Temporal Logic (FTL), the new temporal propertyspecification logic of ForSpec, Intel's new formal specification language. The key features of FTL are as follows: it is a linear temporal logic, based on Pnueli's LTL, it is based on a rich set of log ..."
Abstract

Cited by 90 (22 self)
 Add to MetaCart
In this paper we describe the ForSpec Temporal Logic (FTL), the new temporal propertyspecification logic of ForSpec, Intel's new formal specification language. The key features of FTL are as follows: it is a linear temporal logic, based on Pnueli's LTL, it is based on a rich set of logical and arithmetical operations on bit vectors to describe state properties, it enables the user to define temporal connectives over time windows, it enables the user to define regular events, which are regular sequences of Boolean events, and then relate such events via special connectives, it enables the user to express properties about the past, and it includes constructs that enable the user to model multiple clock and reset signals, which is useful in the verification of hardware design.
Vacuity Detection in Temporal Model Checking
, 1999
"... One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelcheckin ..."
Abstract

Cited by 80 (15 self)
 Add to MetaCart
(Show Context)
One of the advantages of temporallogic modelchecking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most modelchecking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...