Orna Grumberg

The state explosion problem remains a major hurdle in applying symbolic model checking to large hardware designs. State space abstraction, having been essential for verifying designs of industrial complexity, is typically a manual process, requiring considerable creativity and insight. In this article, we present an automatic iterative abstraction-refinement …
We describe a method for using abstraction to reduce the complexity of temporal-logic model checking. Using techniques similar to those involved in abstract interpretation, we construct an abstract model of a program without ever examining the corresponding unabstracted model. We show how this abstract model can be used to verify properties of the original …
We describe a framework for compositional verification of finite-state processes. The framework is based on two ideas: a subset of the logic CTL for which satisfaction is preserved under composition, and a preorder on structures which captures the relation between a component and a system containing the component. Satisfaction of a formula in the logic …
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract …
This work presents a minimization algorithm. The algorithm receives a Kripke structure M and returns the smallest structure that is simulation equivalent to M. The simulation equivalence relation is weaker than bisimulation but stronger than the simulation preorder. It strongly preserves ACTL and LTL (as sub-logics of ACTL). We show that every structure M …
Model checking is an automatic technique for verifying sequential circuit designs and protocols. An efficient search procedure is used to determine whether or not the specification is satisfied. If it is not satisfied, our technique will produce a counter-example execution trace that shows the cause of the problem. We describe an efficient algorithm to …