Pushdown Processes: Games and Model Checking, 1996
Cited by 183 (8 self)
Abstract
Games given by transition graphs of pushdown processes are considered. It is shown that ...
Using model checking to generate tests from specifications
In Proceedings of the Second IEEE International Conference on Formal Engineering Methods (ICFEM’98), 1998
Cited by 150 (13 self)
Abstract
We apply a model checker to the problem of test generation using a new application of mutation analysis. We define syntactic operators, each of which produces a slight variation on a given model. The operators define a form of mutation analysis at the level of the model checker specification. A model checker generates counterexamples which distinguish the variations from the original specification. The counterexamples can easily be turned into complete test cases, that is, with inputs and expected output. We define two classes of operators: those that produce test cases from which a correct implementation must differ, and those that produce test cases with which it must agree. There are substantial advantages to combining a model checker with mutation analysis. First, the generation of test cases is automatic; each counterexample serves as a complete test case. Second, in sharp contrast to program-based mutation analysis, the identification of equivalent mutants is also automatic; the model checker simply reports that the mutant satisfies the constraints, and hence no counterexample is produced. We apply our method to an example specification and evaluate the resulting test sets with coverage metrics on a corresponding implementation in Java.
1 Introduction
The use of formal methods has been widely advocated to reduce the likelihood of errors in the early stages of system development. Some of the chief drawbacks to applying formal methods are the difficulty of conducting formal analysis [5] and the perceived or actual payoff in project budget. Testing is an expensive part of the software budget, and formal methods offer an opportunity to significantly reduce the testing costs. We have developed an innovative combination of mutation analysis, model checking, and test generation which solves some problems previously plaguing these approaches and automatically produces good sets of tests from formal specifications. This section reviews the formal methods and approaches we use.
Another Look at LTL Model Checking
FORMAL METHODS IN SYSTEM DESIGN, 1994
Cited by 121 (11 self)
Abstract
We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated.
Module Checking, 1996
Cited by 113 (12 self)
Abstract
In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, model-checking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current model-checking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (module checking, for short). We show that while module che...
Semantic Issues in the Verification of Agent Communication Languages
Autonomous Agents and Multi-Agent Systems, 1999
Cited by 83 (4 self)
Abstract
This article examines the issue of developing semantics for agent communication languages. In particular, it considers the problem of giving a verifiable semantics for such languages: a semantics where conformance (or otherwise) to the semantics could be determined by an independent observer. These problems are precisely defined in an abstract formal framework. Using this framework, a number of example agent communication frameworks are defined. A discussion is then presented of the various options open to designers of agent communication languages, with respect to the problem of verifying conformance.
Vacuity Detection in Temporal Model Checking, 1999
Cited by 80 (15 self)
Abstract
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification for such suspicion is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Program analysis as model checking of abstract interpretations, 1998
Cited by 78 (3 self)
Abstract
This paper presents a collection of techniques, a methodology, in which abstract interpretation, flow analysis, and model checking are employed in the representation, abstraction, and analysis of programs. The methodology shows the areas of intersection of the different techniques as well as the opportunities that exist when one technique is used in support of another. The methodology is presented as a three-step process: First, from a (small-step) operational semantics definition and a program, one constructs a program model, which is a state-transition system that encodes the program’s executions. Second, abstraction upon the program model is performed, reducing the detail of information in the model’s nodes and arcs. Finally, the program model is analyzed for properties of its states and paths.
Research Directions in Requirements Engineering
In 2007 Future of Software Engineering (May 23-25, 2007). International Conference on Software Engineering. IEEE Computer Society, 2007
Cited by 74 (2 self)
Abstract
This paper reviews the current state of the art of requirements engineering (RE) research and identifies RE research challenges for future systems. First, the paper overviews the highlights of RE research over the past two decades; the research is considered with respect to requirements technologies, including notations and methodologies, developed to address specific RE tasks, such as elicitation, modeling, and analysis. Such a review enables us to identify mature areas of research, as well as areas that warrant further investigation. Next, we identify several research challenges posed by emerging systems for the future. In order to help delineate the scope of future RE research directions, we then identify several strategies for performing RE research. (The spectrum of research strategies ranges from empirical research to paradigm shifts.) Finally, within the context of these RE research strategies, we identify “hot areas” of research that address RE needs for emerging systems of the future.
Implementation of Symbolic Model Checking for Probabilistic Systems, 2002
Cited by 72 (21 self)
Abstract
In this thesis, we present efficient implementation techniques for probabilistic model checking, a method which can be used to analyse probabilistic systems such as randomised distributed algorithms, fault-tolerant processes and communication networks. A probabilistic model checker inputs a probabilistic model and a specification, such as "the message will be delivered with probability 1", "the probability of shutdown occurring is at most 0.02" or "the probability of a leader being elected within 5 rounds is at least 0.98", and can automatically verify if the specification is true in the model.
Verification of Polyhedral-Invariant Hybrid Automata Using Polygonal Flow Pipe Approximations, 1999
Cited by 61 (7 self)
Abstract
This paper presents a computational technique for verifying properties of hybrid systems with arbitrary continuous dynamics. The approach is based on the computation of approximating automata, which are finite-state approximations to the (possibly infinite-state) discrete-trace transition system for the hybrid system. The fundamental computation in the generation of approximating automata is the mapping of sets of continuous states to the boundaries of the location invariants. This mapping is computed by intersecting flow pipes, the sets of reachable states for continuous systems, with the invariant boundaries. Flow pipes are approximated by sequences of overlapping convex polygons. The paper presents an application of the computational procedure to a benchmark hybrid system, a batch evaporator.
1 Introduction
Hybrid system behaviors can be described by an infinite-state transition system [7]. A standard approach to verifying properties of a hybrid system is to find an equivalent tra...