@inproceedings{4600, abstract = {Model checking is a practical tool for automated debugging of embedded software. In model checking, a high-level description of a system is compared against a logical correctness requirement to discover inconsistencies. Since model checking is based on exhaustive state-space exploration and the size of the state space of a design grows exponentially with the size of the description, scalability remains a challenge. We have thus developed techniques for exploiting modular design structure during model checking, and the model checker jMocha (Java MOdel-CHecking Algorithm) is based on this theme. Instead of manipulating unstructured state-transition graphs, it supports the hierarchical modeling framework of reactive modules. jMocha is a growing interactive software environment for specification, simulation and verification, and is intended as a vehicle for the development of new verification algorithms and approaches. It is written in Java and uses native C-code BDD libraries from VIS. jMocha offers: (1) a GUI that looks familiar to Windows/Java users; (2) a simulator that displays traces in a message sequence chart fashion; (3) requirements verification both by symbolic and enumerative model checking; (4) implementation verification by checking trace containment; (5) a proof manager that aids compositional and assume-guarantee reasoning; and (6) SLANG (Scripting LANGuage) for the rapid and structured development of new verification algorithms. jMocha is available publicly at ; it is a successor and extension of the original Mocha tool that was entirely written in C.}, author = {Alur, Rajeev and De Alfaro, Luca and Grosu, Radu and Henzinger, Thomas A and Kang, Myong and Kirsch, Christoph and Majumdar, Ritankar and Mang, Freddy and Wang, Bow}, booktitle = {Proceedings of the 23rd International Conference on Software Engineering}, isbn = {0769510507}, pages = {835 -- 836}, publisher = {IEEE}, title = {{jMocha: A model-checking tool that exploits design structure}}, doi = {10.1109/ICSE.2001.919196}, year = {2001}, } @article{4599, abstract = {State-space explosion is a fundamental obstacle in the formal verification of designs and protocols. Several techniques for combating this problem have emerged in the past few years, among which two are significant: partial-order reduction and symbolic state-space search. In asynchronous systems, interleavings of independent concurrent events are equivalent, and only a representative interleaving needs to be explored to verify local properties. Partial-order methods exploit this redundancy and visit only a subset of the reachable states. Symbolic techniques, on the other hand, capture the transition relation of a system and the set of reachable states as boolean functions. In many cases, these functions can be represented compactly using binary decision diagrams (BDDs). Traditionally, the two techniques have been practiced by two different schools—partial-order methods with enumerative depth-first search for the analysis of asynchronous network protocols, and symbolic breadth-first search for the analysis of synchronous hardware designs. We combine both approaches and develop a method for using partial-order reduction techniques in symbolic BDD-based invariant checking. We present theoretical results to prove the correctness of the method, and experimental results to demonstrate its efficacy.}, author = {Alur, Rajeev and Brayton, Robert and Henzinger, Thomas A and Qadeer, Shaz and Rajamani, Sriram}, issn = {0925-9856}, journal = {Formal Methods in System Design}, number = {2}, pages = {97 -- 116}, publisher = {Springer}, title = {{Partial-order reduction in symbolic state-space exploration}}, doi = {10.1023/A:1008767206905}, volume = {18}, year = {2001}, } @inproceedings{4622, abstract = {Conventional type systems specify interfaces in terms of values and domains. We present a light-weight formalism that captures the temporal aspects of software component interfaces. Specifically, we use an automata-based language to capture both input assumptions about the order in which the methods of a component are called, and output guarantees about the order in which the component calls external methods. The formalism supports automatic compatability checks between interface models, and thus constitutes a type system for component interaction. Unlike traditional uses of automata, our formalism is based on an optimistic approach to composition, and on an alternating approach to design refinement. According to the optimistic approach, two components are compatible if there is some environment that can make them work together. According to the alternating approach, one interface refines another if it has weaker input assumptions, and stronger output guarantees. We show that these notions have game-theoretic foundations that lead to efficient algorithms for checking compatibility and refinement.}, author = {De Alfaro, Luca and Henzinger, Thomas A}, booktitle = {Proceedings of the 8th European software engineering conference}, isbn = {9781581133905}, location = {Vienna, Austria}, pages = {109 -- 120}, publisher = {ACM}, title = {{Interface automata}}, doi = {10.1145/503209.503226}, year = {2001}, } @inproceedings{4623, abstract = {We classify component-based models of computation into component models and interface models. A component model specifies for each component howthe component behaves in an arbitrary environment; an interface model specifies for each component what the component expects from the environment. Component models support compositional abstraction, and therefore component-based verification. Interface models support compositional refinement, and therefore componentbased design. Many aspects of interface models, such as compatibility and refinement checking between interfaces, are properly viewed in a gametheoretic setting, where the input and output values of an interface are chosen by different players.}, author = {De Alfaro, Luca and Henzinger, Thomas A}, booktitle = {Proceedings of the 1st International Workshop on Embedded Software}, isbn = {9783540426738}, location = {Tahoe City, CA, USA}, pages = {148 -- 165}, publisher = {ACM}, title = {{Interface theories for component-based design}}, doi = {10.1007/3-540-45449-7_11}, volume = {2211}, year = {2001}, } @inproceedings{4564, abstract = {This paper presents a concept for integrating the embedded programming methodology Giotto and the object-oriented AOCS Framework to create an environment for the rapid development of distributed software for safety-critical embedded control systems with hard real-time requirements of the kind typically found in aerospace applications.}, author = {Brown, Timothy and Pasetti, Alessandro and Pree, Wolfgang and Henzinger, Thomas A and Kirsch, Christoph}, booktitle = {Proceedings of the 20th Digital Avionics Systems Conference}, isbn = {0780370341}, location = {Daytona Beach, FL, USA}, pages = {1 -- 11}, publisher = {IEEE}, title = {{A reusable and platform-independent framework for distributed control systems}}, doi = {10.1109/DASC.2001.964169}, year = {2001}, }