• Journal of KIISE:Software and Applications
• /
• v.31 no.11
• /
• pp.1560-1567
• /
• 2004

In temporal logic model checking, the number of states is exponentially increased by the size of a model. This is called the state explosion problem. Abstraction, partial order, symmetric, etc. are widely used to avoid the problem. They reduce a number of states by exploiting structural information in a model. Instead, this paper proposes the relay model checking that decomposes a temporal formula to be verified into several sub-formulas and then model checking them one by one. As a result, we solve complex games that can't handle with previous techniques.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.295-298
• /
• 2010

Linear Temporal Logic synthesis 는 LTL formula 로 표현된 요구 사항으로부터 그것을 만족하는 시스템을 만들어낸다. 이러한 synthesis 과정은 2EXPTIME-complete 이 요구 되지만 GR formula 라는 특수한 형태를 사용함으로써 복잡도를 Polynomial 시간으로 줄일 수 있다. LTL synthesis 는 작업 공간, 로봇이 취하는 센서 정보와 액션의 종류, 상위 수준의 작업 명세를 입력으로 받아 GR formula 형태로 변환하고, 기대되는 작업이 실현 가능하다면 그것을 성취할 수 있는 오토마타를 생성해낸다. Synthesis 알고리즘을 구현한 LTLMoP 라는 도구를 이용하여 LTL synthesis 과정을 보이고 화성 행궁의 미아 찾기 로봇 작업 계획을 구현한다. 마지막으로 시뮬레이션 과정을 통해 기대하는 작업을 성공적으로 성취할 수 있음을 보인다.

• Journal of KIISE:Software and Applications
• /
• v.30 no.7_8
• /
• pp.642-648
• /
• 2003

In this paper, we are interested in checking equivalence of FSMs(finite state machines). Two FSMs are equivalent if and only if their responses are always equal with each other with respect to the same external stimuli. Equivalence checking FSMs makes complicated FSM be substituted for simpler one, if they are equivalent. We can also determine the system satisfies the requirements, if they are all written in FSMs. In this paper, we regard equivalence checking problem as model checking one. For doing so, we construct the product model $M ={M_A} {\beta}{M_B} from two FSMs ${M_A} and {M_B}$. And we also get the temporal logic formula ${\Phi}$ from the equivalence checking definition. Then, we can check with model checker whether if satisfies ${\Phi}$, written $M= {.\Phi}$. Two FSMs are equivalent, if $M= {.\Phi}$ Otherwise, it is not equivalent. In that case, model checker generates counterexamples which explain why FSMs are not equivalent. In summary, we solve the equivalence checking problem with model checking techniques. As a result of applying to several examples, we have many satisfiable results.

• Journal of Korea Game Society
• /
• v.4 no.1
• /
• pp.58-66
• /
• 2004

This paper uses counterexamples for solving reachability games. An objective. of the game we consider here is to find out a minimal path from an initial state to the goal state. We represent initial states and game rules as finite state model and the goal state as temporal logic formula. Then, model checking is used to determine whether the model satisfies the formula. In case the model does not satisfy the formula, model checking generates a counterexample that shows how to reach the goal state from an initial state. In this way, we solve many of small-sized Push Push games. However, we cannot handle larger-sized games due to the state explosion problem. To mitigate the problem, abstraction is used to reduce the state space to be che cked. As a result, unsolved games are solved with the abstraction technique we propose inthis paper.

• Journal of KIISE:Software and Applications
• /
• v.35 no.9
• /
• pp.529-537
• /
• 2008

Since concurrent software is hard to debug, the verification of such systems inevitably needs automatic tools which support exhaustive searching. Bounded Model Checking (BMC) is one of them. Within a bound k, BMC exhaustively check some errors in execution traces of the given system. In this paper, we introduce the tool that performs BMC for LTS, modeling language for concurrent programs. In this tool, a property is described by a FLTL formula, which is suitable to present the property with actions in a LTS model. To experiment with existential model checkers and out tool, we compare and analysis the performance of the developed tool and others.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.39 no.3
• /
• pp.1-17
• /
• 2002

In this paper, we present our experiences in using symbolic model checker(SMV) to analyze a number of properties of RACE cache coherence protocol designed by ETRI(Electronics and Communications Research Institute) and to verify that RACE protocol satisfies important requirements. To investigate this, we specified the model of the RACE protocol as the input language of SMV and specified properties as a formula in temporal logic CTL. We successfully used the symbolic model checker to analyze a number of properties of RACE protocol. We verified that abnormal state/input combinations was not occurred and every possible request of processors was executed correctly We verified that RACE protocol satisfies liveness, safety and the property that any abnormal state/input combination was never occurred. Besides, We found some ambiguities of the specification and a case of starvation that the protocol designers could not expect before. By this verification experience, we show advantages of model checking method. And, we propose a new method to generate automatically test cases which are used in simulation and testing.

• Journal of KIISE:Software and Applications
• /
• v.30 no.3_4
• /
• pp.212-218
• /
• 2003

State invariant is a property that holds in every reachable state. It can be used not only in understanding and analyzing complex software systems, but it can also be used for system verifications such as checking safety, liveness, and consistency. For these reasons, there are many vital researches for deriving state invariant from finite state machine models. In previous works every reachable state is to be considered to generate state invariant. Thus it is likely to be too complex for the user to understand. This paper seeks to answer the question `how to simplify state invariant\ulcorner`. Since the complexity of state invariant is strongly dependent upon the size of states to be considered, so the smaller the set of states to be considered is, the shorter the length of state invariant is. For doing so, we let the user focus on some interested scopes rather than a whole state space in a model. Computation Tree Logic(CTL) is used to specify scopes in which he/she is interested. Given a scope in CTL, mixed reachability analysis is used to find out a set of states inside it. Obviously, a set of states calculated in this way is a subset of every reachable state. Therefore, we give a weaker, but comprehensible, state invariant.