Compositional Model Checking
, 1999
Cited by 3218 (68 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Breaking up is hard to do: An evaluation of automated assume-guarantee reasoning
 ACM Transactions on Software Engineering and Methodology
, 2008
Cited by 22 (0 self)
Finite-state verification techniques are often hampered by the state-explosion problem. One proposed approach for addressing this problem is assume-guarantee reasoning, where a system under analysis is partitioned into subsystems and these subsystems are analyzed individually. By composing the results of these analyses, it can be determined whether or not the system satisfies a property. Because each subsystem is smaller than the whole system, analyzing each subsystem individually may reduce the overall cost of verification. Often the behavior of a subsystem is dependent on the subsystems with which it interacts, and thus it is usually necessary to provide assumptions about the environment in which a subsystem executes. Because developing assumptions has been a difficult manual task, the evaluation of assume-guarantee reasoning has been limited. Using recent advances for automatically generating assumptions, we undertook a study to determine if assume-guarantee reasoning provides an advantage over monolithic verification. In this study, we considered all two-way decompositions for a set of systems and properties, using two different verifiers, FLAVERS and LTSA. By increasing the number of repeated tasks in these systems, we evaluated the decompositions as they were scaled. We found that in only a few cases can assume-guarantee reasoning verify properties on larger systems than monolithic verification can, and in these cases the systems that can be analyzed are only a few sizes larger. Although these results are discouraging, they provide insight about research directions that should be pursued and highlight the importance of experimental
Breaking Up is Hard to Do: An Investigation of Decomposition for Assume-Guarantee Reasoning
, 2004
Cited by 18 (3 self)
Finite-state verification techniques, such as model checking, are often hampered by the state explosion problem, where the number of reachable states to be explored is exponential in the number of concurrent processes in a system. One proposed approach for addressing this problem is assume-guarantee reasoning in which a system is decomposed into subsystems and, after appropriate assumptions are selected about the behavior of these subsystems, the verification of the original system is accomplished via the verification of these smaller subsystems. Recent advances in assume-guarantee reasoning allow the assumptions to be automatically generated. An outstanding problem, however, is how to find good decompositions. To explore this problem, we undertook a study that considered all two-way decompositions for a set of systems and properties. By increasing the number of repeated tasks for a system, we evaluated the decompositions as the systems were scaled to larger sizes. Our results show that, in most cases, we were able to find a decomposition that led to memory savings at the cost of additional time. Surprisingly, our use of assume-guarantee reasoning did not usually produce a large enough savings in memory to allow us to verify a larger configuration than monolithic verification. This negative result casts doubt on the usefulness of assume-guarantee reasoning as an effective compositional approach for increasing the size of systems that can be analyzed by finite-state verification.
Automated Assume-Guarantee Reasoning by Abstraction Refinement
Cited by 15 (2 self)
Current automated approaches for compositional model checking in the assume-guarantee style are based on learning of assumptions as deterministic automata. We propose an alternative approach based on abstraction refinement. Our new method computes the assumptions for the assume-guarantee rules as conservative and not necessarily deterministic abstractions of some of the components, and refines those abstractions using counterexamples obtained from model checking them together with the other components. Our approach also exploits the alphabets of the interfaces between components and performs iterative refinement of those alphabets as well as of the abstractions. We show experimentally that our preliminary implementation of the proposed alternative achieves similar or better performance than a previous learning-based implementation.
Local Proofs for Global Safety Properties
Cited by 14 (1 self)
This paper explores the concept of locality in proofs of global safety properties of asynchronously composed, multi-process programs. Model checking on the full state space is often infeasible due to state explosion. A local proof, in contrast, is a collection of per-process invariants, which together imply the global safety property. Local proofs can be compact: but a central problem is that local reasoning is incomplete. In this paper, we present a “completion” algorithm, which gradually exposes facts about the internal state of components, until either a local proof or a real error is discovered. Experiments show that local reasoning can have significantly better performance over a reachability computation. Moreover, for some parameterized protocols, a local proof can be used to show correctness for all instances.
Extending Automated Compositional Verification to the Full Class of Omega-Regular Languages
Cited by 14 (2 self)
Recent studies have suggested the applicability of learning to automated compositional verification. However, current learning algorithms fall short when it comes to learning liveness properties. We extend the automaton synthesis paradigm for the infinitary languages by presenting an algorithm to learn an arbitrary regular set of infinite sequences (an ω-regular language) over an alphabet Σ. Our main result is an algorithm to learn a nondeterministic Büchi automaton that recognizes an unknown ω-regular language. This is done by learning a unique projection of it on Σ* using the framework suggested by Angluin for learning regular subsets of Σ*.
Assume-guarantee abstraction refinement for probabilistic systems
 In: Proc. of CAV. Vol. 7358 of LNCS
, 2012
Optimized L*-based assume-guarantee reasoning
 In (to appear) Proc. of the 19th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’07)
, 2007
Cited by 10 (0 self)
In this paper, we suggest three optimizations to the L*-based automated Assume-Guarantee reasoning algorithm for the compositional verification of concurrent systems. First, we use each counterexample from the model checker to supply multiple strings to L*, saving candidate queries. Second, we observe that in existing instances of this paradigm, the learning algorithm is coupled weakly with the teacher. Thus, the learner ignores completely the details about the internal structure of the system and specification being verified, which are available already to the teacher. We suggest an optimization that uses this information in order to avoid many unnecessary – and expensive, since they involve model checking – membership and candidate queries. Finally, and most importantly, we develop a method for minimizing the alphabet used by the assumption, which reduces the size of the assumption and the number of queries required to construct it. We present these three optimizations in the context of verifying trace containment for concurrent systems composed of finite state machines. We have implemented our approach and experimented with real-life examples. Our results exhibit an average speedup of over 12 times due to the proposed improvements.
Assume-guarantee reasoning for deadlock
 In: Proc. of FMCAD
, 2006
Cited by 8 (3 self)
We extend the learning-based automated assume guarantee paradigm to perform compositional deadlock detection. We define Failure Automata, a generalization of finite automata that accept regular failure sets. We develop a learning algorithm L^F that constructs the minimal deterministic failure automaton accepting any unknown regular failure set using a minimally adequate teacher. We show how L^F can be used for compositional regular failure language containment, and deadlock detection, using non-circular and circular assume guarantee rules. We present an implementation of our techniques and encouraging experimental results on several nontrivial benchmarks.