Results 1-10 of 276
Compositional Model Checking, 1999
Cited by 3252 (70 self)
Abstract
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Counterexample-guided Abstraction Refinement, 2000
Cited by 843 (71 self)
Abstract
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Computing Simulations on Finite and Infinite Graphs, 1996
Cited by 195 (7 self)
Abstract
We present algorithms for computing similarity relations of labeled graphs. Similarity relations have applications for the refinement and verification of reactive systems. For finite graphs, we present an O(mn) algorithm for computing the similarity relation of a graph with n vertices and m edges (assuming m ≥ n). For effectively presented infinite graphs, we present a symbolic similarity-checking procedure that terminates if a finite similarity relation exists. We show that 2D rectangular automata, which model discrete reactive systems with continuous environments, define effectively presented infinite graphs with finite similarity relations. It follows that the refinement problem and the ∀CTL model-checking problem are decidable for 2D rectangular automata.

1 Introduction
A labeled graph G = (V, E, A, ⟨⟨·⟩⟩) consists of a (possibly infinite) set V of vertices, a set E ⊆ V² of edges, a set A of labels, and a function ⟨⟨·⟩⟩ : V → A that maps each vertex v to a label ⟨⟨...
Boolean and Cartesian Abstraction for Model Checking C Programs, 2001
Cited by 194 (12 self)
Abstract
The problem of model checking a specification in the form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a source-to-source transformation into a `Boolean' C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worst-case complexity but feasible in practice.
Property preserving abstractions for the verification of concurrent systems
Formal Methods in System Design, Vol. 6, Iss., 1995
Cited by 152 (6 self)
Abstract
We study property preserving transformations for reactive systems. The main idea is the use of simulations parameterized by Galois connections (α, γ), relating the lattices of properties of two systems. We propose and study a notion of preservation of properties expressed by formulas of a logic, by a function mapping sets of states of a system S into sets of states of a system S'. We give results on the preservation of properties expressed in sublanguages of the branching-time µ-calculus when two systems S and S' are related via ⟨α, γ⟩-simulations. They can be used to verify a property for a system by verifying the same property on a simpler system which is an abstraction of it. We show also under which conditions abstraction of concurrent systems can be computed from the abstraction of their components. This allows a compositional application of the proposed verification method. This is a revised version of the papers [2] and [16]; the results are fully developed in [27].
General Decidability Theorems for Infinite-State Systems, 1996
Cited by 141 (19 self)
Parosh Aziz Abdulla (Uppsala University), Kārlis Čerāns (University of Latvia), Bengt Jonsson (Uppsala University), Yih-Kuen Tsay (National Taiwan University)
Abstract
Over the last few years there has been an increasing research effort directed towards the automatic verification of infinite state systems. For different classes of such systems (e.g., hybrid automata, data-independent systems, relational automata, Petri nets, and lossy channel systems) this research has resulted in numerous highly non-trivial algorithms. As the interest in this area increases, it will be important to extract common principles that underlie these and related results. This paper is concerned with identifying general mathematical structures which could serve as sufficient conditions for achieving decidability. We present decidability results for systems which consist of a finite control part operating on an infinite data domain. The data domain is equipped with a well-ordered and well-founded preorder such tha...
Computing abstractions of infinite state systems compositionally and automatically
Proceedings of CAV '98, 1998
Cited by 109 (6 self)
Abstract
We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 ‖ ··· ‖ Sn of programs and given an abstraction function α, using our method one can compute an abstract system S^a = S1^a ‖ ··· ‖ Sn^a such that S simulates S^a. A distinguishing feature of our method is that it does not produce a single abstract state graph but rather preserves the structure of the concrete system. This feature is a prerequisite to benefit from the techniques developed in the context of model-checking for mitigating the state explosion. Moreover, our method has the advantage that the process of constructing the abstract system does not depend on whether the computation model is synchronous or asynchronous.
Making Abstract Interpretations Complete, 1997
Cited by 106 (36 self)
Abstract
Completeness in abstract interpretation is an ideal situation where the abstract semantics is able to take full advantage of the power of representation of the underlying abstract domain. Thus, complete abstract interpretations can be rightfully considered as optimal. In this article, we develop a general theory of completeness in abstract interpretation, also dealing with the most frequent case of least fixpoint semantics. We show that both completeness and least fixpoint completeness are properties that only depend on the underlying abstract domain. In this context, we demonstrate that there always exist both the greatest complete and least fixpoint complete restrictions of any abstract d...
An Integration of Model Checking with Automated Proof Checking, 1995
Cited by 101 (8 self)
Abstract
Although automated proof checking tools for general-purpose logics have been successfully employed in the verification of digital systems, there are inherent limits to the efficient automation of expressive logics. If the expressiveness is constrained, there are useful logic fragments for which efficient decision procedures can be found. The model checking paradigm yields an important class of decision procedures for establishing temporal properties of finite-state systems. Model checking is remarkably effective for automatically verifying finite automata with relatively small state spaces, but is inadequate when the state spaces are either too large or unbounded. For this reason, it is useful to integrate the complementary technologies of model checking and proof checking. Such an integration has to be carried out in a delicate manner in order to be more than just the sum of the techniques. We describe...
Using abstraction and model checking to detect safety violations in requirements specifications
IEEE Transactions on Software Engineering, 1998
Cited by 97 (38 self)
Abstract
Exposing inconsistencies can uncover many defects in software specifications. One approach to exposing inconsistencies analyzes two redundant specifications, one operational and the other property-based, and reports discrepancies. This paper describes a “practical” formal method, based on this approach and the SCR (Software Cost Reduction) tabular notation, that can expose inconsistencies in software requirements specifications. Because users of the method do not need advanced mathematical training or theorem proving skills, most software developers should be able to apply the method without extraordinary effort. This paper also describes an application of the method which exposed a safety violation in the contractor-produced software requirements specification of a sizable, safety-critical control system. Because the enormous state space of specifications of practical software usually renders direct analysis impractical, a common approach is to apply abstraction to the specification. To reduce the state space of the control system specification, two “push-button” abstraction methods were applied, one which automatically removes irrelevant variables and a second which replaces the large, possibly infinite, type sets of certain variables with smaller type sets. Analyzing the reduced specification with the model checker Spin uncovered a possible safety violation. Simulation demonstrated that the safety violation was not spurious but an actual defect in the original specification.