Results 11-20 of 87
Combining Model Checking and Deduction for I/O Automata
Cited by 48 (3 self)
Abstract
We propose a combination of model checking and interactive theorem proving where the theorem prover is used to represent finite and infinite state systems, reason about them compositionally and reduce them to small finite systems by verified abstractions. As an example we verify a version of the Alternating Bit Protocol with unbounded lossy and duplicating channels: the channels are abstracted by interactive proof and the resulting finite state system is model checked.
Verifying Abstractions of Timed Systems
In Proc. CONCUR'96, 1996
Cited by 45 (4 self)
Abstract
Serdar Taşiran, Rajeev Alur, Robert P. Kurshan, Robert K. Brayton. Given two descriptions of a real-time system at different levels of abstraction, we consider the problem of proving that the refined representation is a correct implementation of the abstract one. To avoid the complexity of building a representation for the refined system in its entirety, we develop a compositional framework for the implementation check to be carried out in a module-by-module manner using assume-guarantee style proof rules. On the algorithmic side, we show that the problem of checking for timed simulation relations, a sufficient condition for correct implementation, is decidable. We study state homomorphisms as a way of specifying a correspondence between two modules. We present an algorithm for checking if a given mapping is a homomorphism preserving timed behaviors. We have implemented this check in the verifier Cospan, and applied our method to the comp...
Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems
In RTSS 2003: The 24th IEEE International Real-Time Systems Symposium, Cancun, Mexico, 2003
Cited by 39 (8 self)
Abstract
We describe the Timed Input/Output Automata (TIOA) framework, a general mathematical framework for modeling and analyzing real-time systems. It is based on timed I/O automata, which engage in both discrete transitions and continuous trajectories. The framework includes a notion of external behavior, and notions of composition and abstraction. We define safety and liveness properties for timed I/O automata, and a notion of receptiveness, and prove basic results about all of these notions. The TIOA framework is defined as a special case of the new Hybrid I/O Automata (HIOA) modeling framework for hybrid systems. Specifically, a TIOA is an HIOA with no external variables; thus, TIOAs communicate via shared discrete actions only, and do not interact continuously. This restriction is consistent with previous real-time system models, and gives rise to some simplifications in the theory (compared to HIOA). The resulting model is expressive enough to describe complex timing behavior, and to express the important ideas of previous timed automata frameworks.
Action Transducers and Timed Automata
Formal Aspects of Computing, 1996
Cited by 38 (14 self)
Abstract
The timed automaton model of [LV92, LV93] is a general model for timing-based systems. A notion of timed action transducer is here defined as an automata-theoretic way of representing operations on timed automata. It is shown that two timed trace inclusion relations are substitutive with respect to operations that can be described by timed action transducers. Examples are given of operations that can be described in this way, and a preliminary proposal is given for an appropriate language of operators for describing timing-based systems.
Proving Time Bounds for Randomized Distributed Algorithms
In Proceedings of the 13th Annual ACM Symposium on the Principles of Distributed Computing, 1994
Cited by 36 (11 self)
Abstract
A method of analyzing time bounds for randomized distributed algorithms is presented, in the context of a new and general framework for describing and reasoning about randomized algorithms. The method consists of proving auxiliary statements of the form U, which means that whenever the algorithm begins in a state in set U, with probability p, it will reach a state in set U within time t.
Deductive verification of real-time systems using STeP
COMPUTER SCIENCE DEPARTMENT, STANFORD UNIVERSITY, 1998
Cited by 34 (8 self)
Abstract
We present a modular framework for proving temporal properties of real-time systems, based on clocked transition systems and linear-time temporal logic. We show how deductive verification rules, verification diagrams, and automatic invariant generation can be used to establish properties of real-time systems in this framework. We also discuss global and modular proofs of the branching-time property of non-Zenoness. As an example, we present the mechanical verification of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.
Dynamic Input/Output Automata: a Formal and Compositional Model for Dynamic Systems
2003
Cited by 30 (5 self)
Abstract
We present a compositional model of dynamic systems, based on I/O automata [LT89]. In our model, automata can be created and destroyed dynamically, as computation proceeds. In addition, an automaton can dynamically change its signature, that is, the set of actions in which it can participate. This allows us to model mobility, as discussed in [AL01], by enforcing the constraint that only automata at the same location may synchronize on common actions. Our model features operators for parallel composition, action hiding, and action renaming, and a notion of simulation from one dynamic system to another, which can be used to prove that one system implements the other. Our model is hierarchical: a dynamically changing system of interacting automata is itself modeled as a single automaton that is “one level higher.” This can be repeated, so that an automaton that represents such a dynamic system can itself be created and destroyed. We can thus model the addition and removal of entire subsystems with a single action. We establish fundamental compositionality results for DIOA: if one component is replaced by another whose traces are a subset of the former, then the set of traces of the system as a whole can only be reduced, and not increased, i.e., no new behaviors are added. In other words,
Synchronizations in Team Automata for Groupware Systems
Journal of Collaborative Computing, 1999
Cited by 30 (15 self)
Abstract
Team automata have been proposed in (Ellis, 1997) as a formal framework for modeling both the conceptual and the architectural level of groupware systems. Here we define team automata in a mathematically precise way in terms of component automata which synchronize on certain executions of actions. At the conceptual level, our model serves as a formal framework in which basic groupware notions can be rigorously defined and studied. At the architectural level, team automata can be used as building blocks in the design of groupware systems.
Hybrid I/O Automata Revisited
Proceedings Fourth International Workshop on Hybrid Systems: Computation and Control (HSCC'01), 2001
Cited by 28 (3 self)
Abstract
In earlier work, we developed a mathematical hybrid I/O automaton (HIOA) modeling...
Simulation Techniques For Proving Properties Of Real-Time Systems
IN REX WORKSHOP '93, LECTURE NOTES IN COMPUTER SCIENCE, 1993
Cited by 22 (5 self)
Abstract
The method of simulations is an important technique for reasoning about real-time and other timing-based systems. It is adapted from an analogous method for untimed systems. This paper presents the simulation method in the context of a very general automaton (i.e., labelled transition system) model for timing-based systems. Sketches are presented of several typical examples for which the method has been used successfully. Other complementary tools are also described, in particular, invariants for safety proofs, progress functions for timing proofs, and execution correspondences for liveness proofs.