# Checking. E. M. Clarke O. Grumberg K. L. McMillan X. Zhao

Save this PDF as:

Size: px
Start display at page:

Download "Checking. E. M. Clarke O. Grumberg K. L. McMillan X. Zhao"

## Transcription

2 2 The temporal logic CTL The logic that we use to specify circuits is a propositional temporal logic of branching time, called CTL or Computation Tree Logic [5]. Let P be the set of atomic propositions, then: 1. Every atomic proposition p in P is a formula in CTL. 2. If f and g are CTL formulas, then so are :f, f _ g, EX f, E[f U g] and EG f. The semantics of a CTL formula is dened with respect to a labeled state-transition graph. A labeled state-transition graph is a 5-tuple M =(AP; S; L; N; S 0) where AP is a set of atomic propositions, S is a nite set of states, L is a function labeling each state with a set of atomic propositions, N S S is a transition relation, and S 0 is a set of initial states. A computation path is an innite sequence of states s 0;s 1;s 2;... such that N(s i;s i+1) is true for every i. The propositional connectives : and _ have their usual meanings of negation and disjunction. The other propositional operators can be dened in terms of these. X is the nexttime operator: EX f will be true in a state s of M if and only if s has a successor s 0 such that f is true at s 0. U is the until operator: E[f U g] will be true in a state s of M if and only if there exists a computation path starting in s and an initial prex of the path such that g holds at the last state of the prex and f holds at all other states along the prex. The operator G is used to express the invariance of some property over time: EG f will be true at a state s if there is a path starting at s such that f holds at each state on the path. If f is true in state s of structure M, we write M;s j= f. A CTL formula f is identied with the set fsjm;s j= fg of states that make f true. We use the following syntactic abbreviations for CTL formulas: AX f :EX :f which means that f holds at all successor states of the current state. EF f E[true U f] which means that for some path, there exists a state on the path at which f holds. AF f :EG :f which means that for every path, there exists a state on the path at which f holds. AG f :EF :f which means that for every path, f holds in each state on the path. A[f U g] :E[:gU:f^:g]^:EG :g which means that for every path, there exists an initial prex of the path such that g holds at the last state of the prex and f holds at all other states along the prex. 3 Symbolic Model Checking Model checking is the problem of nding the set of states in a state-transition graph where a given CTL formula is true. There is a program called EMC (Extended Model Checker) that solves this problem using ecient graph-traversal techniques. If the model is represented as a state-transition graph, the complexity of the algorithm is linear in the size of the graph and in the length of the formula. The algorithm is quite fast in practice [4, 5]. However, an explosion in the size of the model may occur when the state-transition graph is extracted from a nite state concurrent system that has many processes or components. Ordered binary decision diagrams (OBDDs) are a canonical form representation for boolean formulas [1]. They are often substantially more compact than traditional normal forms such as conjunctive normal form and disjunctive normal form, and they can be manipulated very eciently. In this section, we describe a symbolic model checking algorithm for CTL which uses OBDDs to represent the statetransition graph. Assume that the behavior of the concurrent system is determined by n boolean state variables v 1;v 2;...;v n. The transition relation R(v; v 0 ) for the concurrent system is given as a boolean formula in terms of two copies of the state variables: v =(v 1;...;v n) which represents the current state and v 0 =(v1;...;v 0 n) 0 which represents the next state. The formula R(v; v 0 )isnow converted to an OBDD. This usually results in a very concise representation of the transition relation. Our model checking algorithm is based on the standard xpoint characterizations of the basic CTL operators. A xpoint of :2 S!2 S is a set S 0 S such that (S 0 )=S 0. If is monotonic, it has a xpoint S 0 that is a subset of every other xpoint of. S 0 is called the least xpoint of (f). The greatest xpoint of (f), can be dened similarly as the xpoint of and is denoted by lfp f, gfp f that is a superset of all other xpoints. It can be shown that the least xpoint lfp f (f) is the limit of the sequence of approximations False;(False); 2 (False);...; i (False);... and the greatest xpoint gfp f (f) is the limit of the sequence of approximations True;(True); 2 (True);...; i (True);... When the state-transition graph is nite, both of these sequences are guaranteed to converge in a nite number of steps. Each of the basic CTL operators can be characterized as a least or greatest xpoint of some functional :2 S!2 S. In particular, it is shown in [4] that E[f U g] =lfp Z g _ f ^ EX Z, and EG f = gfp Z f ^ EX Z. The symbolic model checking algorithm is implemented by a procedure Check that takes the CTL formula to be checked as its argument and returns an OBDD that represents exactly those states of the system that satisfy the formula. Of course, the output of Check depends on the system being checked; this parameter is implicit in the discussion below. We dene Check inductively over the structure of CTL formulas. If f is an atomic proposition v i, then Check(f) is simply the OBDD for v i.formulas of the form EX f, E[f U g], and EG f are handled by the procedures: Check(EX f) =CheckEX (Check(f)); Check(E[f U g]) = CheckEU(Check(f); Check(g)); Check(EG f) =CheckEG(Check(f)): Notice that these intermediate procedures take boolean formulas as their arguments, while Check takes a CTL formula Page 2

3 as its argument. CTL formulas of the form f _ g or :f are handled using the standard algorithms for computing boolean connectives with OBDDs. Since AX f, A[f U g] and AG f can all be rewritten using just the above operators, this denition of Check covers all CTL formulas. The procedure for CheckEX is straightforward since the formula EX f is true in a state if the state has a successor in which f is true. CheckEX(f(v)) = 9v 0 f(v 0 ) ^ R(v; v 0 ) : If we have OBDDs for f and R, then we can compute an OBDD for 9v 0 f(v 0 ) ^ R(v; v 0 ) : The procedure for CheckEU is based on the least xpoint characterization for the CTL operator EU. CheckEU (f(v);g(v)) = lfp Z(v) g(v)_ f(v)^checkex (Z(v)) In this case we can compute the sequence of approximations Q 0;Q 1;...;Q i;... for the least xpoint as described above. If we have OBDDs for f, g, and the current approximation Q i, then we can compute an OBDD for the next approximation Q i+1. Since OBDDs provide a canonical form of boolean functions, it is easy to test for convergence by comparing consecutive approximations. When Q i = Q i+1, this process terminates. The set of states corresponding to E[f U g] will be represented by the OBDD for Q i. CheckEG is similar. In this case the procedure is based on the greatest xpont characterization for the CTL operator EG CheckEG(f(v)) = gfp Z(v) f(v) ^ CheckEX(Z(v)) : If the OBDD for f is given, then the sequence of approximations for the greatest xpoint can be used to compute the OBDD representation for the set of states that satisfy EG f. 4 Fairness Constraints Next, we consider the issue of fairness. In many cases, we are only interested in the correctness along fair computation paths. For example, if we are verifying an asynchronous circuit with an arbiter, wemay wish to consider only those executions in which the arbiter does not ignore one of its request inputs forever. This type of property cannot be expressed directly in CTL. In order to handle such properties we must modify the semantics of CTL slightly. A fairness constraint can be an arbitrary set of states, usually described by a formula of the logic. A path is said to be fair with respect to a set of fairness constraints if each constraint holds innitely often along the path. The path quantiers in CTL formulas are then restricted to fair paths. In the remainder of this section we describe how to modify the algorithm above to handle fairness constraints. We assume the fairness constraints are given by a set of CTL formulas H = fh 1;...;h ng.we dene a new procedure CheckFair for checking CTL formulas relative to the fairness constraints in H. We do this by giving denitions for new intermediate : procedures CheckFairEX, CheckFairEU, and CheckFairEG which correspond to the intermediate procedures used to de- ne Check. Consider the formula EG f given fairness constraints H. The formula means that there exists a path beginning with the current state on which f holds globally (invariantly) and each formula in H holds innitely often on the path. The set of such states S is the largest set with the following two properties: 1. all of the states in S satisfy f, and 2. for all fairness constraints h k 2 H and all states s 2 S, there is a sequence of states of length one or greater from s to a state in S satisfying h k such that all states on the path satisfy f. It is easy to show that if these conditions hold, each state in the set is the beginning of an innite computation path on which f is always true, and for which every formula in H holds innitely often. Thus, the procedure CheckFairEG(f(v)) will compute the greatest xpoint gfp Z(v) f(v)^ k=1 CheckEX (CheckEU (f(v);z(v)^check (h k ))) : The xed point can be evaluated in the same manner as before. The main dierence is that each time the above expression is evaluated, several nested xed point computations are done (inside CheckEU ). Checking EX f and E[f U g] under fairness constraints is simpler. The set of all states which are the start of some fair computation is fair(v) =CheckFair(EG True): The formula EX f is true under fairness constraints in a state s if and only if there is a successor state s 0 such that s 0 satises f and s 0 is at the beginning of some fair computation path. It follows that the formula EX f (under fairness constraints) is equivalent to the formula EX(f ^ fair) (without fairness constraints). Therefore, we dene CheckFairEX (f(v)) = CheckEX (f(v) ^ fair(v)): Similarly, the formula E[f Ug] (under fairness constraints) is equivalent to the formula E[f U (g ^ fair)] (without fairness constraints). Hence, we dene CheckFairEU (f(v);g(v)) = CheckEU (f(v);g(v) ^ fair(v)): 5 Counterexamples and Witnesses One of the most important features of CTL model checking algorithms is the ability to nd counterexamples and witnesses. When this feature is enabled and the model checker determines that a formula with a universal path quantier is false, it will nd a computation path which demonstrates that the negation of the formula is true. Likewise, when the model checker determines that a formula with an existential path quantier is true, it will nd a computation path that demonstrates why the formula is true. For example, if the model checker discovers that the formula AG f is false, it will produce a path to a state in which :f holds. Similarly, Page 3

4 if it discovers that the formula EF f is true, it will produce a path to a state in which f holds. Note that the counterexample for a universally quantied formula is the witness for the dual existentially quantied formula. By exploiting this observation we can restrict our discussion of this feature to nding witnesses for the three basic CTL operators EX, EG, and EU. We start by considering the complexity of nding a good witness for the formula EG f under the set of fairness constraints H = fh 1;...;h ng.we will identify each h i with the set of states that make it true. Given a state s satisfying EG f, wemust exhibit a path starting with s, such that f holds at each state, and every fairness constraint h 2 H is satised innitely often along the path. Since the witness is an innite path, we must nd a nite representation for it. It is easy to see that a witness can always be found that consists of a nite prex followed by a repeating cycle. Each fairness constraint h i is satised at least once on the cycle. Such a path is called a nite witness. The length of a nite witness is dened as the total length of the prex and the cycle. It is desirable to nd a nite witness with minimal length; however, this problem is NP-complete. Theorem:If fairness constraints are permitted, nding a nite witness with minimal length for the formula EG True is NP-complete. Proof: It is relatively easy to see that this problem in NP. Finding a Hamiltonian cycle for a directed graph is known to be an NP-complete problem. Thus, it is sucient to prove that the Hamiltonian cycle problem can be reduced to the minimal nite witness problem. Consider an instance of the Hamiltonian cycle problem for a directed graph with n nodes. This graph is treated as a state-transition graph and the set of fairness constraints H = fh 1;...;h ng is selected so that each state satises a distinct fairness constraint. On any nite witness, each state must appear at least once on the cycle; hence, the length of the nite witness must be at least n. The length of the minimal nite witness is n if and only if the n states on the path form a Hamiltonian cycle. Thus, the Hamiltonian cycle problem reduces to nding a minimal nite witness and checking if this path has length n. This reduction can be performed in polynomial time. Consequently, the minimal nite witness problem is also NP-complete. 2 Although we are unable to nd the minimal nite witness easily, we still want to obtain a nite witness that is as short as possible. In order to accomplish this task, we will need to examine the strongly connected components of the transition graph determined by the Kripke structure. We will say that two states s 1 and s 2 are equivalent if there is a path from s 1 to s 2 and also from s 2 to s 1. We will call the equivalence classes of this relation strongly connected components(sccs). We can form a new graph in which the nodes are the SCCs and there is an edge from one SCC to another if and only if there is an edge from a state in one to a state in the other. It is easy to see that the new graph does not contain any proper cycles, i.e., each cycle in the graph is contained in one of the SCCs. Moreover, since we only consider nite Kripke structures, each innite path must have a suf- x that is entirely contained within a SCC of the transition graph. Recall that the set of states that satisfy the formula EG f with the fairness constraints H is given by the formula gfp Z f ^ EX(E[f U Z ^ h k]) (1) k=1 For brevity, we will use EG f to denote the set of states that satisfy EG f under the fairness constraints H. We construct the witness path incrementally by giving a sequence of pre- xes of the path of increasing length until a cycle is found. At each step in the construction we must ensure that the current prex can be extended to a fair path along which each state satises f. This invariant is guaranteed by making sure that each time we add a state to the current prex, the state satises EG f. First, we evaluate the above xpoint formula. In every iteration of the outer xpoint computation, we compute a collection of least xpoints associated with the formulas E[f U Z ^ h], for each fairness constraint h 2 H. For every constraint h, we obtain an increasing sequence of approximations Q h 0 ;Q h 1;Q h 2;..., where Q h i is the set of states from which a state in Z ^ h can be reached in i or fewer steps, while satisfying f. In the last iteration of the outer xpoint when Z = EG f, wesave the sequence of approximations Q h for each h in H. Now, suppose we are given an initial state s satisfying EG f. Then s belongs to the set of states computed in equation (1), so it must have a successor in E[fU(EG f)^h] for each h 2 H. In order to minimize the length of the witness path, we choose the rst fairness constraint that can be reached from s. This is accomplished by testing the saved sets Q h i for increasing values of i until one is found that contains some successor t of s. Note that since t 2 Q h i, it has a path to a state in (EG f) ^ h and therefore t is in EG f. If i>0, we nd a successor of t in Q h i 1. This is done by nding the set of successors of t, intersecting it with Q h i 1, and then choosing an arbitrary element of the resulting set. Continuing until i = 0,we obtain a path from the initial state s to some state in (EG f) ^ h. We then eliminate h from further consideration, and repeat the above procedure until all of the fairness constraints have been visited. Let s 0 be the nal state of the path obtained thus far. To complete a cycle, we need a non-trivial path from s 0 to the state t along which each state satises f. In other words, we need a witness for the formula fs 0 g^ex E[f U ftg]. If this formula is true, we have found the witness path for s. If the formula is false, there are several possible strategies. The simplest is to restart the procedure from the nal state s 0. Since fs 0 g^ex E[f Uftg] is false, we know that s 0 is not in the SCC of f containing t, however s 0 is in EG f. Thus, if we continue this strategy, we must descend in the directed acyclic graph of SCCs, eventually either nding a cycle, or reaching a terminal SCC of f. In the latter case, we are guaranteed to nd a cycle, since we cannot exit a terminal SCC. A slightly more sophisticated approach would be to precompute E[(EG f) U ftg]. The rst time we exit this set, we know the cycle cannot be completed, so we restart from that state. Heuristically, these approaches tend to nd short counterexamples (probably because the number of SCCs Page 4

5 UA1 UR1 UR2 UA2 C1 MEI1 OR1 MEI2 OR2 C2 TR1 TA1 SA AND1 MEO1 UR1 ME MEO2 UR2 AND2 SA TR2 TA2 C3 C4 OR3 SR caused tr1 and ta1 to become low. Next, OR1 responded and mei1 became high. Then, the ME element and the AND1 gate caused tr1 to become high again while ta1 continued to be low. In this state, the formula tr1! AF ta1 was false. Since ua1 was already high, ur1 could become low. This caused tr1 to become low. The counterexample showed that ur1 was always low. Therefore, ta1 remained low as well. A correction for the error was proposed in [6], but will not be discussed here. 6 Counterexamples and Witnesses for CTL* Formulas Figure 1: An asynchronous arbiter tends to be small), so no attempt is made to nd the shortest cycle. The witness procedure for EG f under fairness constraints H can be used to extend witnesses for E[f U g] and EX f to innite fair paths. Let fair be the set of states that satisfy EG Trueunder the fairness constraints H. We can compute E[f Ug] under H by using the standard CTL model checking algorithm (without fairness constraints) to compute E[f U (g ^ fair)]. Similarly, We can compute EX f by using the standard CTL model checking algorithm to compute EX(f ^ fair). In order to test the procedure for nding counterexamples when fairness constraints are used, we have examined an error in an arbiter design originally developed by Seitz [13]. The circuit is shown in Figure 1; it is designed to be speed independent, which means that each gate can take an arbitrarily long time to respond to its inputs. Fairness constraints are used to ensure that every gate eventually responds. An attempt was made to verify the circuit using an explicit state model checker [6]. However, the attempt failed because the number of states was too large. In order to complete the verication, one of the input devices had to be disabled. By using symbolic model checking techniques, we are able to verify the original circuit without using any simplifying assumptions. The model contains 33,633 reachable states, and the entire verication takes only a few minutes. We have veried several liveness properties which require that each request signal inevitably leads to an acknowledgement signal. Such properties can be easily represented by CTL formulas with the form AG(r! AF a), where r represents a request and a represents an acknowledgment. An error was discovered when the specication AG(tr1! AF ta1) was checked. The algorithm given earlier in this section found a counterexample that was seventy eight states long and had a cycle with length thirty. The counterexample showed that the following execution sequence was possible. The circuit could reach a state where every node was low except meo1 if the ME element took a long time to respond. When ur1 was issued, tr1, ta1, sr, sa and ua1 became true consecutively. Because of the long delay of the OR1 gate, mei1 remained low. Eventually, the ME element responded to its inputs and set meo1 low. This In the previous sections, we described how to perform model checking and nd counterexamples or witnesses for CTL formulas. However, some temporal properties that are important for reasoning about sequential circuit designs and protocols cannot be expressed by CTL formulas. In these cases, an extension of CTL, called CTL*, is often used. There are two types of formulas in CTL*: state formulas (which are true in a specic state) and path formulas (which are true along a specic path). As before, let AP be the set of atomic propositions. The syntax of state formulas is given by the following rules: If p 2 AP, then p is a state formula. If f and g are state formulas, then :f and f _ g are state formulas. If f is a path formula, then E(f) is a state formula. Two additional rules are needed to specify the syntax of path formulas: If f is a state formula, then f is also a path formula. If f and g are path formulas, then :f, f _ g, X f, and f U g are path formulas. CTL is the set of state formulas generated by the above rules. The logical connectives : and _ have their usual meaning. The formula E(f) is true in a state when there exists a path from the state such that f holds along the path. Let = s 0;s 1;... be a path. We use i to denote the sux of starting at s i. A state formula holds along when it is true in the rst state s 0. X f holds along when f holds along 1. Finally, the formula f U g holds along when there exists a k 0 such that g holds on k and f holds along every j where 0 j<k. The following abbreviations are used in writing CTL formulas: f ^ g :(:f_:g) A(f) :E(:f) Ff true U f Gf:F:f In general, model checking is very expensive for CTL* formulas. However, for a large class of formulas which have the form E W n i=1 V ni algorithms exist [7]. Because i=1 (GF pij_fg qij), ecient model checking n n_ i n ^ n_ ^ i E (GF p ij _ FG q ij) = E (GF p ij _ FG q ij); i=1 Page 5

6 it V is sucient to check formulas having the form n E (GF pj _ FG qj). A xed point characterization for these formulas is given in [7] E (GF pj _ FG qj) = EF gfp Y ((qj ^ EX Y ) _ EX E[Y U (pj ^ Y )]) : j=0 By performing a computation that is similar to the one described in Section 4, we are able to check the restricted class of CTL* formulas mentioned above. The problem of nding witnesses for these formulas is more complicated. V Suppose n that wewant nd a witness for s0 j= E (GF pj _FG qj). It is easy to see that E (GF pj _ FG qj) 1 = E (GF pj _ FG qj) ^ GF pn n 1 _ E ^ (GF pj _ FG qj) ^ FG qn: V n 1 Consequently, ifs0 j=e (GF pj _ FG qj) ^ FG qn, it is sucient to nd a witness V for this formula; otherwise, n 1 a witness must exist for E (GF pj _ FG qj) ^ GF pn. If we continue this process for the remainder of the formula, we will eventually obtain a formula which has the form EFGqi 1 ^...^FGqi k ^GF pj 1 ^...^GF pj n k. Because E(FG qi 1 ^...^FGqi k ^GF pj 1 ^...^GF pj n k ) = EF EG(qi 1 ^...^qi k ^Fpj 1 ^...^Fpj n k ); this formula is true if and only if the CTL formula EG(qi 1 ^...^qi k ) is true under the fairness constraints pj 1 ;...;pj n k. A witness can be computed in exactly the same manner as in the last section. 7 Directions for Future Research In this paper, we have described an ecient technique for generating counterexamples and witnesses for symbolic model checking algorithms. However, when the number of reachable states is very large, the counterexample can still be very long. Techniques for generating even shorter counterexamples will make symbolic model checking more useful in practice. Finding a counterexample can sometimes take most of the execution time required for model checking. Additional research is needed to develop more ecient algorithms. This is particularly important because the model checking algorithm may need to be invoked several times in order to nd the witness for a CTL* formula. Another problem with the counterexample generated by the model checker is that it is sometimes hard to read. A more readable form will be helpful to engineers who are not familiar with model checking. References [1] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), [2] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: states and beyond. Information and Computation, 98(2):142{ 170, June [3] E. M. Clarke, I. A. Draghicescu, and R. P. Kurshan. A unied approach for showing language containment and equivalence between various types of!-automata. In A. Arnold and N. D. Jones, editors, Proceedings of the 15th Colloquium on Trees in Algebra and Programming, volume 407 of Lecture Notes in Computer Science. Springer-Verlag, May [4] E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs: Workshop, Yorktown Heights, NY, May 1981, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, [5] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verication of nite-state concurrent systems using temporal logic specications. ACM Transactions on Programming Languages and Systems, 8(2):244{263, [6] D. L. Dill and E. M. Clarke. Automatic verication of asynchronous circuits using temporal logic. IEE Proceedings, Part E 133(5), [7] E. A. Emerson and C.-L. Lei. Ecient model checking in fragments of the propositional mu-calculus. In Proceedings of the First Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, June [8] Z. Har'El and R. P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45{59, Jan.{Feb [9] R. Hojati, R. K. Brayton, and R. P. Kurshan. BDDbased debugging of designs using language containment and fair CTL. Proceedings of the 5th international conference on computer aided verication, June, [10] R. Hojati, V. Singhal, and R. K. Brayton, Edge- Streett/Edge-Rabin Automata Environment for Formal Verication Using Language Containment. Memorandum No. UCB/ERL M94/12, UC Berkeley, [11] R. P. Kurshan. Analysis of discrete event coordination. In J. W. de Bakker, W.-P. deroever, and G. Rozenberg, editors, Proceedings of the REX Workshop on Stepwise Renement of Distributed Systems, Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science. Springer-Verlag, May [12] K. L. McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. PhD thesis, Carnegie Mellon University, [13] C. L. Seitz. Ideas about arbiters. Lambda, 10(4), Page 6

### Model Checking II Temporal Logic Model Checking

1/32 Model Checking II Temporal Logic Model Checking Edmund M Clarke, Jr School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 2/32 Temporal Logic Model Checking Specification Language:

### Verication Tools. for Finite-State Concurrent Systems? E. Clarke 1, O. Grumberg 2, and D. Long 3. 2 The Technion, Haifa

Verication Tools for Finite-State Concurrent Systems? E. Clarke, O. Grumberg 2, and D. Long 3 Carnegie Mellon, Pittsburgh 2 The Technion, Haifa 3 AT&T Bell Labs, Murray Hill ABSTRACT: Temporal logic model

### Model Checking: An Introduction

Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI

### Introduction to Software Verification

Introduction to Software Verification Orna Grumberg Lectures Material winter 2013-14 Lecture 4 5.11.13 Model Checking Automated formal verification: A different approach to formal verification Model Checking

Verication by Finitary Abstraction Weizmann Institute of Sciences and Universite Joseph Fourier, Grenoble Fourth International Spin Workshop (SPIN'98) Paris 2.11.98 Joint work with: Y. Kesten Ben Gurion

### Formal Verification Methods 3: Model Checking

Formal Verification Methods 3: Model Checking John Harrison Intel Corporation Marktoberdorf 2003 Fri 1st August 2003 (11:25 12:10) This presentation was not given in Marktoberdorf since it mostly duplicates

### Toward Model-Based Verification of Adaptive Allocation Managers

Toward Model-Based Verification of Adaptive Allocation Managers William Leal, Frank Drews, Chang Liu, Lonnie Welch Ohio University { leal@cs.ohiou.edu, drews@ohiou.edu, changliu@cs.ohiou.edu, welch@ohio.edu

### Formal Verification of Software

Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification

### Software Modeling and Verification

Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

### A Logic Approach for LTL System Modification

A Logic Approach for LTL System Modification Yulin Ding and Yan Zhang School of Computing & Information Technology University of Western Sydney Kingswood, N.S.W. 1797, Australia email: {yding,yan}@cit.uws.edu.au

### Temporal Logics. Computation Tree Logic

Temporal Logics CTL: definition, relationship between operators, adequate sets, specifying properties, safety/liveness/fairness Modeling: sequential, concurrent systems; maximum parallelism/interleaving

### A Systematic Approach. to Parallel Program Verication. Tadao TAKAOKA. Department of Computer Science. Ibaraki University. Hitachi, Ibaraki 316, JAPAN

A Systematic Approach to Parallel Program Verication Tadao TAKAOKA Department of Computer Science Ibaraki University Hitachi, Ibaraki 316, JAPAN E-mail: takaoka@cis.ibaraki.ac.jp Phone: +81 94 38 5130

### 2 Temporal Logic Model Checking

Bounded Model Checking Using Satisfiability Solving Edmund Clarke 1, Armin Biere 2, Richard Raimi 3, and Yunshan Zhu 4 1 Computer Science Department, CMU, 5000 Forbes Avenue Pittsburgh, PA 15213, USA,

### d i g i t a l SRC Technical Note December 16, 1994 Introduction to TLA Leslie Lamport Systems Research Center 130 Lytton Avenue

SRC Technical Note 1994-001 December 16, 1994 Introduction to TLA Leslie Lamport d i g i t a l Systems Research Center 130 Lytton Avenue Palo Alto, California 94301 http://www.research.digital.com/src/

### Alan R. Martello and Steven P. Levitan. University of Pittsburgh. Pittsburgh, PA 15261

Temporal Specication Verication via ausal Reasoning lan R. Martello and Steven P. Levitan Department of Electrical Engineering University of Pittsburgh Pittsburgh, P 15261 LIMITED DISTRIUTION NOTIE This

### Formal Verification by Model Checking

Formal Verification by Model Checking Natasha Sharygina Carnegie Mellon University Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005 1 Outline Lecture 1: Overview of Model Checking

### Formal Verification In Industry (I)

Formal Verification In Industry (I) 1 Formal Verification In Industry (I) John Harrison Intel Corporation Formal verification Importance of hardware verification Approaches to hardware verification Combinational

### Boolean Representations and Combinatorial Equivalence

Chapter 2 Boolean Representations and Combinatorial Equivalence This chapter introduces different representations of Boolean functions. It then discuss the applications of these representations for proving

### logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

5. LTL, CTL Last part: Alloy logic language, static/dynamic models SAT solvers Today: Temporal Logic (LTL, CTL) Verified Software Systems 1 Overview How can we model check of a program or system? Modeling

### Outline. NP-completeness. When is a problem easy? When is a problem hard? Today. Euler Circuits

Outline NP-completeness Examples of Easy vs. Hard problems Euler circuit vs. Hamiltonian circuit Shortest Path vs. Longest Path 2-pairs sum vs. general Subset Sum Reducing one problem to another Clique

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### linear hybrid automata is undecidable the method provides also diagnostic information that aids in design

Symbolic Analysis of Hybrid Systems y Rajeev Alur 1 Thomas A. Henzinger 2 Howard Wong-Toi 3 Abstract. A hybrid system is a dynamical system whose behavior exhibits both discrete and continuous change.

### A Propositional Dynamic Logic for CCS Programs

A Propositional Dynamic Logic for CCS Programs Mario R. F. Benevides and L. Menasché Schechter {mario,luis}@cos.ufrj.br Abstract This work presents a Propositional Dynamic Logic in which the programs are

### The Goldberg Rao Algorithm for the Maximum Flow Problem

The Goldberg Rao Algorithm for the Maximum Flow Problem COS 528 class notes October 18, 2006 Scribe: Dávid Papp Main idea: use of the blocking flow paradigm to achieve essentially O(min{m 2/3, n 1/2 }

### http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86

Atlantic Electronic http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86 AUTOMATED RECOGNITION OF STUTTER INVARIANCE OF LTL FORMULAS Jeffrey Dallien 1 and Wendy

CBV Semantics (Draft) Navit Fedida, John Havlicek, Nissan Levi, and Hillel Miller Motorola, Inc. 7700 W. Parmer Lane Austin, TX 78729 13 January 2002 Abstract A precise denition is given of the semantics

### Combinatorial PCPs with ecient veriers

Combinatorial PCPs with ecient veriers Or Meir Abstract The PCP theorem asserts the existence of proofs that can be veried by a verier that reads only a very small part of the proof. The theorem was originally

### Why? A central concept in Computer Science. Algorithms are ubiquitous.

Analysis of Algorithms: A Brief Introduction Why? A central concept in Computer Science. Algorithms are ubiquitous. Using the Internet (sending email, transferring files, use of search engines, online

### Combining Software and Hardware Verification Techniques

Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

### Satisfiability of Boolean Expressions

Satisfiability of Boolean Expressions In the previous section, we have analysed in great detail one particular problem reachability in directed graphs. The reason for the attention devoted to this one

Lecture 10 Union-Find The union-nd data structure is motivated by Kruskal's minimum spanning tree algorithm (Algorithm 2.6), in which we needed two operations on disjoint sets of vertices: determine whether

Reihe Informatik 11 / 1996 Constructing Optimal Bushy Processing Trees for Join Queries is NP-hard Wolfgang Scheufele Guido Moerkotte 1 Constructing Optimal Bushy Processing Trees for Join Queries is NP-hard

From Verication to Control: Dynamic Programs for Omega-regular Objectives y Luca de Alfaro Thomas A. Henzinger Rupak Majumdar Electrical Engineering and Computer Sciences, University of California, Berkeley

### Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering

### The element the node represents. End-of-Path marker. The sons T. e 1 e 3. e 1. e 2. e 3

A New Method to Index and Query Sets Jorg Homann and Jana Koehler Institute for Computer Science Albert Ludwigs University Am Flughafen 17 79110 Freiburg, Germany homannjkoehler@informatik.uni-freiburg.de

### A simple algorithm with no simple verication

A simple algorithm with no simple verication Laszlo Csirmaz Central European University Abstract The correctness of a simple sorting algorithm is resented, which algorithm is \evidently wrong" at the rst

### Measuring Rationality with the Minimum Cost of Revealed Preference Violations. Mark Dean and Daniel Martin. Online Appendices - Not for Publication

Measuring Rationality with the Minimum Cost of Revealed Preference Violations Mark Dean and Daniel Martin Online Appendices - Not for Publication 1 1 Algorithm for Solving the MASP In this online appendix

Abstraction as the Key for Invariant Verication Saddek Bensalem and Susanne Graf and Yassine Lakhnech VERIMAG? Centre Equation 2, avenue de Vignate F-38610 Gieres France fbensalem,graf,lakhnechg@imag.fr

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

### Systems of Linear Equations in Two Variables

Chapter 6 Systems of Linear Equations in Two Variables Up to this point, when solving equations, we have always solved one equation for an answer. However, in the previous chapter, we saw that the equation

### Lecture 7: NP-Complete Problems

IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Basic Course on Computational Complexity Lecture 7: NP-Complete Problems David Mix Barrington and Alexis Maciel July 25, 2000 1. Circuit

Logic Cuts Generation in a Branch and Cut Framework for Location Problems Mara A. Osorio Lama School of Computer Science Autonomous University of Puebla, Puebla 72560 Mexico Rosalba Mujica Garca Abstract

### Development of dynamically evolving and self-adaptive software. 1. Background

Development of dynamically evolving and self-adaptive software 1. Background LASER 2013 Isola d Elba, September 2013 Carlo Ghezzi Politecnico di Milano Deep-SE Group @ DEIB 1 Requirements Functional requirements

### T-79.186 Reactive Systems: Introduction and Finite State Automata

T-79.186 Reactive Systems: Introduction and Finite State Automata Timo Latvala 14.1.2004 Reactive Systems: Introduction and Finite State Automata 1-1 Reactive Systems Reactive systems are a class of software

### ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises Daniel Baudisch, Manuel Gesell and Klaus Schneider Embedded Systems Group, University of Kaiserslautern,

### Fairness in Routing and Load Balancing

Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria

### From Workflow Design Patterns to Logical Specifications

AUTOMATYKA/ AUTOMATICS 2013 Vol. 17 No. 1 http://dx.doi.org/10.7494/automat.2013.17.1.59 Rados³aw Klimek* From Workflow Design Patterns to Logical Specifications 1. Introduction Formal methods in software

### 0 0-10 5-30 8-39. Rover. ats gotorock getrock gotos. same time compatibility. Rock. withrover 8-39 TIME

Verication of plan models using UPPAAL Lina Khatib 1, Nicola Muscettola, and Klaus Havelund 2 NASA Ames Research Center, MS 269-2 Moett Field, CA 94035 1 QSS Group, Inc. 2 RECOM Technologies flina,mus,havelundg@ptolemy.arc.nasa.gov

### To appear in the Conference on Computer-Aided Verification, June 21-23, 1994. Automatic Verication of. Pipelined Microprocessor Control

To appear in the Conference on Computer-Aided Verification, June 21-23, 1994 (this version has an appendix not present in the conference version) Automatic Verication of Pipelined Microprocessor Control

### COMPUTER SCIENCE TRIPOS

CST.98.5.1 COMPUTER SCIENCE TRIPOS Part IB Wednesday 3 June 1998 1.30 to 4.30 Paper 5 Answer five questions. No more than two questions from any one section are to be answered. Submit the answers in five

### Coverability for Parallel Programs

2015 http://excel.fit.vutbr.cz Coverability for Parallel Programs Lenka Turoňová* Abstract We improve existing method for the automatic verification of systems with parallel running processes. The technique

### CS510 Software Engineering

CS510 Software Engineering Propositional Logic Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se

### can be extended into NC and RNC algorithms, respectively, that solve more

Extending NC and RNC Algorithms Nimrod Megiddo A technique is presented by which NC and RNC algorithms for some problems can be extended into NC and RNC algorithms, respectively, that solve more general

### Model Checking. and the. Abstract. There is a growing recognition of the need to apply formal

Model Checking and the Mu-calculus E. Allen Emerson University of Texas at Austin, Austin, Tx 78712, USA Abstract. There is a growing recognition of the need to apply formal mathematical methods in the

### Topic 1: Matrices and Systems of Linear Equations.

Topic 1: Matrices and Systems of Linear Equations Let us start with a review of some linear algebra concepts we have already learned, such as matrices, determinants, etc Also, we shall review the method

### Threshold Logic. 2.1 Networks of functions

2 Threshold Logic 2. Networks of functions We deal in this chapter with the simplest kind of computing units used to build artificial neural networks. These computing elements are a generalization of the

Chapter 4 Multi-Stage Interconnection Networks The general concept of the multi-stage interconnection network, together with its routing properties, have been used in the preceding chapter to describe

### S = {1, 2,..., n}. P (1, 1) P (1, 2)... P (1, n) P (2, 1) P (2, 2)... P (2, n) P = . P (n, 1) P (n, 2)... P (n, n)

last revised: 26 January 2009 1 Markov Chains A Markov chain process is a simple type of stochastic process with many social science applications. We ll start with an abstract description before moving

### Index Terms Domain name, Firewall, Packet, Phishing, URL.

BDD for Implementation of Packet Filter Firewall and Detecting Phishing Websites Naresh Shende Vidyalankar Institute of Technology Prof. S. K. Shinde Lokmanya Tilak College of Engineering Abstract Packet

### Formal Verification and Linear-time Model Checking

Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging

### Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Lecture: Secification Checking - Temoral Logic Coyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are coyrighted

### EFFICIENT KNOWLEDGE BASE MANAGEMENT IN DCSP

EFFICIENT KNOWLEDGE BASE MANAGEMENT IN DCSP Hong Jiang Mathematics & Computer Science Department, Benedict College, USA jiangh@benedict.edu ABSTRACT DCSP (Distributed Constraint Satisfaction Problem) has

### A computational model for MapReduce job flow

A computational model for MapReduce job flow Tommaso Di Noia, Marina Mongiello, Eugenio Di Sciascio Dipartimento di Ingegneria Elettrica e Dell informazione Politecnico di Bari Via E. Orabona, 4 70125

### The Model Checker SPIN

The Model Checker SPIN Author: Gerard J. Holzmann Presented By: Maulik Patel Outline Introduction Structure Foundation Algorithms Memory management Example/Demo SPIN-Introduction Introduction SPIN (Simple(

### Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model checking test models Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl February 14, 2014 Abstract This thesis is about model checking testing models. These testing

Graph Visualization U. Dogrusoz and G. Sander Tom Sawyer Software, 804 Hearst Avenue, Berkeley, CA 94710, USA info@tomsawyer.com Graph drawing, or layout, is the positioning of nodes (objects) and the

### Class notes Program Analysis course given by Prof. Mooly Sagiv Computer Science Department, Tel Aviv University second lecture 8/3/2007

Constant Propagation Class notes Program Analysis course given by Prof. Mooly Sagiv Computer Science Department, Tel Aviv University second lecture 8/3/2007 Osnat Minz and Mati Shomrat Introduction This

### Algorithmic Software Verification

Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal

### Discuss the size of the instance for the minimum spanning tree problem.

3.1 Algorithm complexity The algorithms A, B are given. The former has complexity O(n 2 ), the latter O(2 n ), where n is the size of the instance. Let n A 0 be the size of the largest instance that can

### Lecture 2: March 20, 2015

Automatic Software Verification Spring Semester, 2015 Lecture 2: March 20, 2015 Lecturer: Prof. Mooly Sagiv Scribe: Kalev Alpernas and Elizabeth Firman 2.1 Introduction In this lecture we will go over

### Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Introduction to Formal Methods Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Outline Introduction Formal Specification Formal Verification Model Checking Theorem Proving Introduction Good papers to

### Sequential Circuits Sequential circuits combinational circuits clocked sequential circuits gate delay

Sequential Circuits Sequential circuits are those with memory, also called feedback. In this, they differ from combinational circuits, which have no memory. The stable output of a combinational circuit

### Boolean Algebra And Its Applications

oolean lgebra nd Its pplications Introduction Let Ω be a set consisting of two elements denoted by the symbols 0 and 1, i.e. Ω = {0, 1}. Suppose that three operations has been defined: the logical sum

### Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy

Dept. of Computer Science Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy Matteo Camilli matteo.camilli@unimi.it http://camilli.di.unimi.it ICSE 2014 Hyderabad, India June 3,

### Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation Franco Raimondi Alessio Lomuscio Department of Computer Science King s College London London

### Offline 1-Minesweeper is NP-complete

Offline 1-Minesweeper is NP-complete James D. Fix Brandon McPhail May 24 Abstract We use Minesweeper to illustrate NP-completeness proofs, arguments that establish the hardness of solving certain problems.

### tutorial: hardware and software model checking

tutorial: hardware and software model checking gerard holzmann and anuj puri { gerard anuj } @research.bell-labs.com Bell Labs, USA outline introduction (15 mins) theory and algorithms system modeling

### MAT-71506 Program Verication: Exercises

MAT-71506 Program Verication: Exercises Antero Kangas Tampere University of Technology Department of Mathematics September 11, 2014 Accomplishment Exercises are obligatory and probably the grades will

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

### 2.3 Scheduling jobs on identical parallel machines

2.3 Scheduling jobs on identical parallel machines There are jobs to be processed, and there are identical machines (running in parallel) to which each job may be assigned Each job = 1,,, must be processed

### causal theories into logic programs given by Proposition 6.1 from [10]. We call this translation lpn. Our basic translation lp is similar (and equival

Representing Transition Systems by Logic Programs Vladimir Lifschitz 1 and Hudson Turner 2 1 Department of Computer Sciences University of Texas at Austin Austin, TX 78712, USA vl@cs.utexas.edu 2 Department

### Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Now that we have a basic understanding

### An Eective Load Balancing Policy for

An Eective Load Balancing Policy for Geometric Decaying Algorithms Joseph Gil y Dept. of Computer Science The Technion, Israel Technion City, Haifa 32000 ISRAEL Yossi Matias z AT&T Bell Laboratories 600

### NP-complete? NP-hard? Some Foundations of Complexity. Prof. Sven Hartmann Clausthal University of Technology Department of Informatics

NP-complete? NP-hard? Some Foundations of Complexity Prof. Sven Hartmann Clausthal University of Technology Department of Informatics Tractability of Problems Some problems are undecidable: no computer

### Agenda. Quick Overview Properties, Automata and State Machines Model Checking. Pallab Dasgupta, Dept. of Computer Sc & Engg, IIT Kharagpur

Model Checking Agenda Quick Overview Properties, Automata and State Machines Model Checking 2 Formal Property Verification What is formal property verification? Verification of formal properties? Formal

### 4.1 Introduction - Online Learning Model

Computational Learning Foundations Fall semester, 2010 Lecture 4: November 7, 2010 Lecturer: Yishay Mansour Scribes: Elad Liebman, Yuval Rochman & Allon Wagner 1 4.1 Introduction - Online Learning Model

### COT5405 Analysis of Algorithms Homework 3 Solutions

COT0 Analysis of Algorithms Homework 3 Solutions. Prove or give a counter example: (a) In the textbook, we have two routines for graph traversal - DFS(G) and BFS(G,s) - where G is a graph and s is any

### Software Verification and Testing. Lecture Notes: Temporal Logics

Software Verification and Testing Lecture Notes: Temporal Logics Motivation traditional programs (whether terminating or non-terminating) can be modelled as relations are analysed wrt their input/output

### Reducing Clocks in Timed Automata while Preserving Bisimulation

Reducing Clocks in Timed Automata while Preserving Bisimulation Shibashis Guha Chinmay Narayan S. Arun-Kumar Indian Institute of Technology Delhi {shibashis, chinmay, sak}@cse.iitd.ac.in arxiv:1404.6613v2

### Formal Specification and Verification

Formal Specification and Verification Stefan Ratschan Katedra číslicového návrhu Fakulta informačních technologíı České vysoké učení technické v Praze 2. 5. 2011 Stefan Ratschan (FIT ČVUT) PI-PSC 4 2.

### On strong fairness in UNITY

On strong fairness in UNITY H.P.Gumm, D.Zhukov Fachbereich Mathematik und Informatik Philipps Universität Marburg {gumm,shukov}@mathematik.uni-marburg.de Abstract. In [6] Tsay and Bagrodia present a correct

### Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

University of Texas at El Paso DigitalCommons@UTEP Departmental Technical Reports (CS) Department of Computer Science 8-1-2007 Using Patterns and Composite Propositions to Automate the Generation of Complex

### PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

International Journal of Computer ScienceandCommunication Vol. 2, No. 1, January-June2011, pp. 153-157 PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE Neeraj Kumar Singhania University,

### The Bakery Algorithm: Yet Another. Specication and Verication. Dean Rosenzweig z. Abstract. In a meeting at Schloss Dagstuhl in June 1993, Uri Abraham

1 The Bakery Algorithm: Yet Another Specication and Verication Egon Borger Yuri Gurevich y Dean Rosenzweig z Abstract In a meeting at Schloss Dagstuhl in June 1993, Uri Abraham and Menachem Magidor have

### Minimizing the Eect of Clock Skew. Via Circuit Retiming 1. Technical Report 93-5-04. May, 1992

Minimizing the Eect of Clock kew Via Circuit Retiming 1 Brian Lockyear and Carl Ebeling Department of Computer cience and Engineering University of Washington eattle, Washington 98195 Technical Report

### Solving nonlinear equations in one variable

Chapter Solving nonlinear equations in one variable Contents.1 Bisection method............................. 7. Fixed point iteration........................... 8.3 Newton-Raphson method........................

### Approximation Algorithms

Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

### Adapting an AI Planning Heuristic for Directed Model Checking

Adapting an AI Planning Heuristic for Directed Model Checking Sebastian Kupferschmid 1, Jorg Homann 2, Henning Dierks 3, and Gerd Behrmann 4 1 University Freiburg, Germany, kupfersc@informatik.uni-freiburg.de