Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Conclusion
References

Model checking action system refinements

Profile image of Antonio CeroneAntonio Cerone

2009, Formal Aspects of Computing

https://doi.org/10.1007/S00165-007-0053-4
visibility

description

32 pages

link

1 file

Abstract

Action systems provide a formal approach to modelling parallel and reactive systems. They have a well established theory of refinement supported by simulation-based proof rules. This paper introduces an automatic approach for verifying action system refinements utilising standard CTL model checking. To do this, we encode each of the simulation conditions as a simulation machine, a Kripke structure on which the proof obligation can be discharged by checking that an associated CTL property holds. This ...

Related papers

Modular Verification of a Component-Based Actor Language
Marjan Sirjani

Journal of Universal Computer Science, 2005

Rebeca is an actor-based language for modeling concurrent and distributed systems as a set of reactive objects which communicate via asynchronous message passing. Rebeca is extended to support synchronous communication, and at the same time components are introduced to encapsulate the tightly coupled reactive objects which may communicate by synchronous messages. This provide us a language for modeling globally asynchronous and locally synchronous systems. Components interact only by asynchronous messages. This feature and also the eventdriven nature of the computation are exploited to introduce a modular verification approach in order to overcome the state explosion problem in model checking. In this paper we elaborate on the corresponding theory of the modular verification approach which is based on the formal semantics of components in extended Rebeca. /10/05 © J.UCS Rebeca (Reactive Objects Language) is an actor-based language with a formal foundation, introduced in [19, 21] which is designed in an effort to bridge the gap between formal verification approaches and real applications. Rebeca is supported by a front-end tool for the translation of Rebeca codes into existing model-checker languages , also, recently a tool is developed for direct model checking of Rebeca codes . Inherent characteristics of Rebeca are used to introduce compositional verification and abstraction techniques for reducing the state space and make it possible to verify complicated reactive systems.

View PDFchevron_right
A tactic language for refinement of state-rich concurrent specifications
Marcel Vinicius Medeiros Oliveira

Science of Computer Programming, 2011

Circus is a refinement language in which specifications define both data and behavioural aspects of concurrent systems using a combination of Z and CSP. Its refinement theory and calculus are distinctive, but since refinements may be long and repetitive, the practical application of this technique can be hard. Useful strategies have been identified, described, and used, and by documenting them as tactics, they can be expressed and repeatedly applied as single transformation rules. Here, we present ArcAngelC , a language for defining such tactics; we present the language, its semantics, and its application in the formalisation of an existing strategy for verification of Ada implementations of control systems specified by Simulink diagrams. We also discuss its mechanisation in a theorem prover, ProofPower-Z.

View PDFchevron_right
A Front-End Tool for Automated Abstraction and Modular Verification of Actor-Based Models
Marjan Sirjani

2004

Actor-based modeling is known to be an appropriate approach for representing concurrent and distributed systems. Rebeca is an actor-based language with a formal foundation, based on an operational interpretation of the actor model. We develop a front-end tool for translating a subset of Rebeca to SMV in order to model check Rebeca models. Automated modular verification and abstraction techniques are supported by the tool.

View PDFchevron_right
An Update on STeP: Deductive-Algorithmic Verification of Reactive Systems
Michael Colon

1998

The Stanford Temporal Prover, STeP, is a tool for the computer-aided formal verification of reactive systems, including real-time and hybrid systems, based on their temporal specification. STeP integrates methods for deductive and algorithmic verification, including model checking, theorem proving, automatic invariant generation, abstraction and modular reasoning. We describe the most recent version of STeP, Version 2.0.

View PDFchevron_right
aSPIN: A tool for abstract model checking
Ernesto Pimentel

International Journal on …, 2004

Abstraction methods have become one of the most interesting topics in the automatic verification of software systems because they can reduce the state space to be explored and allow model checking of more complex systems. Nevertheless, there is a lack of tools actually supporting this technique. One direction for abstracting a system is to transform its formal description (its model) into a simpler version specified in the same language, thus skipping the construction of a specific (model checking) tool for the abstract model. The abstraction of the model should be followed by the abstraction of the temporal formulas to be checked. This paper presents αspin, a tool for the integration of abstraction (for models and formulas) into the well-known model checker spin. We present the theoretical results supporting the implementation together with a case study.

View PDFchevron_right
Operational semantics for model checking circus
Leonardo Freitas

FM 2005: Formal Methods, 2005

Circus is a combination of Z, CSP, and the refinement calculus, and is based on Hoare & He's Unifying Theories of Programming. A model checker is being constructed for the language to conduct refinement checking in the style of FDR, but supported by theorem proving for reasoning about the complex states and data types that arise from the use of Z. FDR deals with bounded labelled transition systems (LTSs), but the Circus model checker manipulates LTSs with possibly infinite inscriptions on arcs and in nodes, and so, in general, the success or failure of a refinement check depends on interaction with a theorem prover. An LTS is generated from a source text using an operational interpretation of Circus; we present a Structured Operational Semantics for Circus, including both its process-algebraic and state-rich features.

View PDFchevron_right
An Expressive Verification Framework for State/Event
Natasha Sharygina

Specification languages for concurrent software systems need to combine practical algorithmic efficiency with high expressive power and the ability to reason about both states and events. We address this question by defining a new branching-time temporal logic SE-AΩ which integrates both state-based and action-based properties. SE-AΩ is universal, i.e., preserved by the simulation relation, and thus amenable to counterexample-guided abstraction refinement. We provide a model-checking algorithm for this logic, and describe a compositional abstraction-refinement loop which exploits the natural decomposition of the concurrent system; the abstraction and refinement steps are performed over each component separately, and only the model checking step requires an explicit composition of the abstracted components. For experimental evaluation, we have integrated the presented algorithms in the software verification tool MAGIC, and determined a previously unknown race condition error in a piece of an industrial robot control software. sets Ω of ω-regular path operators. A subtle property of AΩ is the monotonicity of the path operators: the semantics guarantees that the extended path operators cannot be used to implicitly define negation. While this property comes for free with the standard temporal path operators, its presence is crucial for obtaining extended universal branching logics. Such logics are preserved by simulation, and are therefore amenable to existential abstraction .

View PDFchevron_right
Compositional Verification of an Object-Based Model for Reactive Systems
Ali Movaghar

2001

View PDFchevron_right
A tool for abstraction in model checking
Ernesto Pimentel

Electronic Notes in …, 2002

Abstraction methods have become one of the most interesting topics in the automatic verification of software systems because they can reduce the state space to be explored and allow model checking of more complex systems. Nevertheless, there is a lack of tools actually supporting this technique. One direction for abstracting a system is to transform its formal description (its model) into a simpler version specified in the same language, thus skipping the construction of a specific (model checking) tool for the abstract model. The abstraction of the model should be followed by the abstraction of the temporal formulas to be checked. This paper presents αSpin, a tool for the integration of several abstraction approaches (for models and formulas) into the well known model checker Spin. In particular, αSpin integrates two dual approaches, the classic abstraction method, based on underapproximating properties, and an alternative approach, proposed by the authors, where abstraction provides an over-approximation of the formulas. 2

View PDFchevron_right
STeP: Deductive-Algorithmic Verification of Reactive and Real-Time Systems
Michael Colon

Computer Aided …, 1996

The Stanford Temporal Prover, STEP, combines deductive methods with algorithmic techniques to verify linear-time temporal logic specifications of reactive and real-time systems. STeP uses verification rules, verification diagrams, automatically generated invariants, model checking, and a collection of decision procedures to verify finite-and infinite-state systems. System Description: The Stanford Temporal Prover, STEP, supports the computer-aided formal verification of reactive, real-time (and, in particular, concurrent) systems based on temporal specifications. Reactive systems maintain an ongoing interaction with their environment; their specifications are typically expressed as constraints on their behavior over time. STeP is not restricted to finite-state systems, but combines algorithmic and deductive methods to allow the verification of a broad class of systems, including parameterized (Ncomponent) circuit designs, parameterized (N-process) programs, and programs with infinite data domains. The deductive methods of STeP verify temporal properties of systems by means of verification rules and verification diagrams. Verification rules are used to reduce temporal properties of systems to first-order verification conditions [8]. Verification diagrams [7, 3] provide a visual language for guiding, organizing, and displaying proofs. Verification diagrams allow the user to construct proofs hierarchically, starting from a high-level, intuitive proof sketch and proceeding incrementally, as necessary, through layers of greater detail. Deductive verification almost always relies on finding, for a given program and specification, suitably strong auxiliary invariants and intermediate assertions. STeP implements a variety of techniques for automatic invariant generation. These methods include local, linear and polyhedral invariant generation, which perform an approximate, abstract propagation through the system [2]. Verification conditions can then be established using the automatically generated auxiliary invariants as background properties.

View PDFchevron_right

References (43)

  1. CS1: p=4 AND acr1 --> aw'=aw+1+1; acr1'=FALSE; p'=2;
  2. NS1: p=4 AND NOT(acr1) --> acr1' IN {t:BOOLEAN|true}; p'=2;
  3. % % no abstract stuttering actions (these would be enabled in p=2 and p=6)
  4. %----------- [] BS0: (p=1 OR p=4 OR p=5) AND ccr0 AND cpc0=0 --> cb0'=TRUE; cpc0'=1;
  5. BS1: (p=1 OR p=4 OR p=5) AND ccr1 AND cpc1=0 --> cb1'=TRUE; cpc1'=1;
  6. TS0: (p=1 OR p=4 OR p=5) AND cpc0=1 --> ct'=0; cpc0'=2;
  7. TS1: (p=1 OR p=4 OR p=5) AND cpc1=1 --> ct'=1; cpc1'=2;
  8. CCS0: p=3 AND cpc0=2 AND (NOT(cb1) OR ct=1) --> cw'=cw+0+1; ccr0'=FALSE; cpc0'=3; p'=4;
  9. CCS1: p=3 AND cpc1=2 AND (NOT(cb0) OR ct=0) --> cw'=cw+1+1; ccr1'=FALSE; cpc1'=3; p'=4;
  10. BR0: (p=1 OR p=4 OR p=5) AND cpc0=3 --> cpc0'=0; cb0'=FALSE;
  11. BR1: (p=1 OR p=4 OR p=5) AND cpc1=3 --> cpc1'=0; cb1'=FALSE;
  12. CNS0: p=3 AND NOT(ccr0) --> ccr0' IN {t:BOOLEAN|true}; p'=4;
  13. CNS1: p=3 AND NOT(ccr1) --> ccr1' IN {b:BOOLEAN|true}; p'=4;
  14. ELSE --> ] END; % of Module AandC REFINE: THEOREM AandC |-AG(p=1 => EX(p=2 AND EF(R
  15. AND (NOT(Aaborting) => (AG(p=4 => EX(p=2 AND EF(R
  16. AND (p=3 AND Caborting => Aaborting) AND (p=3 AND Cterminating => (Aaborting OR Aterminating)) AND (EX(EG(p=5)) => (Aaborting OR EX(EG(p=6))));
  17. Abrial J-R (1996) The B-Book: Assigning programs to meanings. Cambridge University Press, Cambridge
  18. Back RJR (1992) Refinement of parallel and reactive programs. Technical Report Caltech-CS-TR-92-23, Computer Science Department, California Institute of Technology [BGL + 97] Butler M, Grundy J, Langbacka T, Ruksenas R, von Wright J (1997) The refinement calculator: Proof support for program refinement. In: Groves L, Reeves S (eds) Formal Methods Pacific '97. Springer, Berlin, pp 40-61
  19. Back RJR, Kurki-Suonio R (1989) Decentralization of process nets with centralized control. Distributed Comput 3(2):73-87
  20. Bolton C (2005) Using the Alloy analyzer to verify data refinement in Z. In: Derrick J, Boiten E (eds) REFINE 2005, vol 137, Issue 2 of ENTCS. Elsevier, Amsterdam, pp 23-44
  21. Back RJR, Sere K (1992) Superposition refinement of parallel algorithms. In: Parker K, Rose G (eds) Formal Description Techniques (FORTE IV). North-Holland, Amsterdam, pp 475-493
  22. Back RJR, von Wright J (1994) Trace refinement of action systems. In: Jonsson B, Parrow J (eds) Concurrency theory (CONCUR '94). LNCS, vol 836. Springer, Berlin, pp 367-384
  23. Back RJR, von Wright J (1998) Refinement calculus: A systematic introduction. Graduate Texts in Computer Science. Springer, Berlin
  24. Derrick J, Boiten E (2001) Refinement in Z and Object-Z, foundations and advanced applications. Springer, Berlin [dMOR + 04] de Moura L, Owre S, RueßH, Rushby J, Shankar N, Sorea M, Tiwari A (2004) SAL 2. In: Alur R, Peled D (eds) International Conference on Computer Aided Verification (CAV 2004). LNCS, vol 3114. Springer, Berlin, pp 496-500
  25. Emerson EA (1990) Temporal and modal logic. In: van Leeuwen J (ed) Handbook of theoretical computer science, vol B. Elsevier, Amsterdam, pp 996-1072
  26. Fischer C, Wehrheim H (1999) Model-checking CSP-OZ specifications with FDR. In: Araki K, Galloway A, Taguchi K (eds) International Conference on Integrated Formal Methods (IFM'99). Springer, Berlin, pp 315-334
  27. He J (1989) Process refinement. In: McDermid J (ed) The theory and practice of refinement. Butterworths, London
  28. Jackson D (2002) Alloy: a lightweight object modelling notation. ACM Trans Software Eng Methodol 11(2):256-290
  29. Josephs M (1988) A state-based approach to communicating processes. Distributed Comput 3:9-18
  30. Kassel G, Smith G (2001) Model checking Object-Z classes: some experiments with FDR. In: Asia-Pacific Software Engineering Conference (APSEC 2001). IEEE Computer Society Press, Washington
  31. Leuschel M, Butler M (2003) ProB: a model checker for B. In: Araki K, Gnesi S, Mandrioli D (eds) Formal Methods Europe (FME 2003). LNCS, vol 2805. Springer, Berlin, pp 855-874
  32. Leuschel M, Butler M (2005) Automatic refinement checking for B. In: Lau K, Banach R (eds) International Conference on Formal Engineering Methods (ICFEM 2005). LNCS, vol 3785. Springer, Berlin, pp 345-359
  33. Mota A, Sampaio A (2001) Model-checking CSP-Z: strategy, tool support and industrial application. Sci Comput Program 40:59-96
  34. Robinson N, Fidge C (2002) Animation of data refinements. In: Strooper P, Muenchaisri P (eds) Asia-Pacific Software Engi- neering Conference (APSEC 2002). IEEE Computer Society Press, Washington, pp 137-146
  35. Robinson N (2002) Checking Z data refinement using an animation tool. In: Bert D, Bowen JP, Henson MC, Robinson K (eds) International Conference of Z and B users (ZB 2002). LNCS, vol 2272. Springer, Berlin, pp 62-81
  36. Robinson N (2003) Finding abstraction relations for data refinement. Technical Report TR03-03, Software Verification Research Centre, The University of Queensland
  37. Robinson N (2003) Incremental derivation of abstraction relations for data refinement. In: Dong JS, Woodcock J (eds) Inter- national Conference on Formal Engineering Methods (ICFEM 2003). LNCS, vol 2885. Springer, Berlin, pp 246-265
  38. Roscoe AW (1998) The theory and practice of concurrency. Series in Computer Science. Prentice-Hall, Englewood Cliffs
  39. Smith G, Derrick J (2006) Verifying data refinements using a model checker. Formal Aspects Comput 18(3):264-287
  40. Smith G (2000) The Object-Z Specification language. Advances in formal methods. Kluwer, Dordrecht
  41. Spivey JM (1992) The Z notation: A reference manual 2nd edn. Prentice-Hall, Englewood Cliffs
  42. Smith G, Winter K (2006) Simulation machines for checking action system refinements. In: Aichernig B, Boiten E, Derrick J, Groves L (eds) International Refinement Workshop (Refine 2006), vol 187 of ENTCS. Elsevier, Amsterdam, pp 75-90
  43. Waldén M, Sere K (1996) Refining action systems within B-Tool. In Formal Methods Europe (FME '96). LNCS, vol 1051. Springer, Berlin, pp 84-103

Related papers

Simulation machines for checking action system refinements
Kirsten Winter

Electronic Notes in Theoretical Computer Science, 2007

Action systems provide a formal approach to modelling parallel and reactive systems. They have a well established theory of refinement supported by simulation-based proof rules. This paper introduces an automatic approach for verifying action system refinements utilising standard CTL model checking. To do this, we encode each of the simulation conditions as a simulation machine, a Kripke structure on which the proof obligation can be discharged by checking that an associated CTL property holds. This procedure transforms each simulation condition into a model checking problem. Each simulation condition can then be model checked in isolation, or, if desired, together with the other simulation conditions by combining the simulation machines and the CTL properties.

View PDFchevron_right
Action Language verifier: an infinite-state model checker for reactive software specifications
sof ba

Formal Methods in System Design, 2009

Action Language is a specification language for reactive software systems. In this paper, we present the syntax and the semantics of the Action Language and we also present an infinite-state symbolic model checker called Action Language Verifier (ALV) that verifies (or falsifies) CTL properties of Action Language specifications. ALV is built on top of the Composite Symbolic Library, which is a symbolic manipulator that combines multiple symbolic representations.

View PDFchevron_right
Symbolic model checking of logics with actions
Franco Raimondi

2007

Reasoning about agents and modalities such as knowledge and belief leads to models where different relations over states co-exist, or equivalently, where information (labels, actions) is associated to state transitions. This paper discusses how to augment classical CTL symbolic model-checking to support logics with actions such as A-CTL (action-CTL), and how this can be implemented using BDDs in tools such as the SMV/NuSMV package.

View PDFchevron_right
Merging state-based and action-based verification
Henri Hansen

Third International Conference on Application of Concurrency to System Design, 2003. Proceedings., 2003

A formalism is presented that is intended to combine basic properties of both state-based and action-based verification. In state-based verification the behaviour of the system is described in terms of the properties of its states, whereas action-based methods concentrate on transitions between states. A typical state-based approach consists of representing requirements as temporal logic formulae, and model-checking the state space of the system against them. Action-based verification often consists of comparing systems according to some equivalence or preorder relation.

View PDFchevron_right
An action-based framework for veryfying logical and behavioural properties of concurrent systems
ALESSANDRO FANTECHI

Computer Networks and ISDN Systems, 1993

A system is described which supports proofs of both behavioural and logical properties of concurrent systems; these are specified by means of a process algebra and its associated logics. The logic is an action based version of the branching time logic CTL which we call ACTL; it is interpreted over transition labelled structures while CTL is interpreted over state labelled ones. The core of the system are two existing tools, AUTO and EMC. The f'wst builds the labelled transition system corresponding to a term of a process algebra and permits proof of equivalence and simplification of terms, while the second chocks validity of CTL logical formulae. The integration is realized by memos of two translation functions from the action based branching time logic ACTL to CTL and from transition-labelled to state-labelled structures. The correctness of the integration is guaranteed by the proof that the two functions when coupled preserve satisfiability of logical formulae.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved