About
122 Publications
6,478 Reads
4,872 Citations
Introduction
Additional affiliations
August 1982 - present
Publications (122)
In this paper we briefly discuss ten papers by Joost-Pieter Katoen on quantitative extensions of causality models from the period 1994–2001 that all resulted from collaboration with Pisa and/or Twente.
We revisit model-based testing for labelled transition systems in the context of specifications that may contain divergent behaviour, i.e., infinite paths of internal computations. The standard approach based on the theory of input-output conformance, known as the ioco-framework, cannot deal with divergences directly, as it restricts specifications...
Since testing is inherently incomplete, test selection is of vital importance. Coverage measures evaluate the quality of a test suite and help the tester select test cases with maximal impact at minimum cost. Existing coverage criteria for test suites are usually defined in terms of syntactic characteristics of the implementation under test or its...
The dependability of high-volume embedded systems, such as consumer electronic devices, is threatened by a combination of quickly increasing complexity, decreasing time-to-market, and strong cost constraints. This poses challenging research questions that are investigated in the Trader project, following the industry-as-lab approach. We present the...
This paper is concerned with the derivation of infinite schedules for timed automata that are in some sense optimal. To cover a wide class of optimality criteria we start out by introducing an extension of the (priced) timed automata model that includes both costs and rewards as separate modelling features. A precise definition is then given of wha...
The dependability of high-volume embedded systems, such as consumer electronic devices, is threatened by a combination of quickly increasing complexity, decreasing time-to-market, and strong cost constraints. This poses challenging research questions that are investigated in the Trader project, following the industry-as-lab approach. We present the...
Embedded system technology has become an important, if not dominating component in the realization of all sorts of high-tech products, machines, and infrastructures. The temptation to create systems with new, powerful, intelligent features has turned embedded software into an essential high-tech ingredient that, exploiting the hardware capabilities...
We report on the use of the SPIN model checker for both the verification of a process control program and the derivation of optimal control schedules. This work was carried out as part of a case study for the EC VHS project (Verification of Hybrid Systems), in which the program for a Programmable Logic Controller (PLC) of an experimental chemical p...
Since testing is inherently incomplete, test selection has vital importance. Coverage measures evaluate the quality of a test suite and help the tester select test cases with maximal impact at minimum cost. Existing coverage criteria for test suites are usually defined in terms of syntactic characteristics of the implementation under test or its sp...
Event structures are a prominent noninterleaving model for concurrency. Real-time event structures associate a set of time instants to events, modelling absolute time constraints, and to causal dependencies, modelling relative delays between causally dependent events. We introduce this novel temporal model and show how it can be used to provide a d...
This paper deals with transformations in a process algebraic formalism that has been extended with an abstract data type language. We show how for a well-known class of processes (bags, queues, stacks, etc.) descriptions in terms of simple process definitions and complex state parameters can be transformed in a stepwise fashion into equivalent syst...
We survey the key objectives and the structure of this Dagstuhl seminar, and discuss common themes that emerged. (Dagstuhl Seminar Proceedings entry brinksma_et_al:DSP:2007:957; authors: Ed Brinksma, David Harel, Angelika Mader, Perdita Stevens and Roel Wieringa; title: 06351 Summary -- Methods for Modelling Software Systems (MMOSS).)...
From 27.08.06 to 01.09.06, the Dagstuhl Seminar 06351 ``Methods for Modelling Software Systems (MMOSS)'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations g...
In formal testing, the assumption of input enabling is typically made. This assumption requires all inputs to be enabled anytime. In addition, the useful concept of quiescence is sometimes applied. Briefly, a system is in a quiescent state when it cannot produce outputs. In this paper, we relax the input enabling assumption, and allow some input se...
Mobile health systems can extend the enterprise computing system of the healthcare provider by bringing services to the patient any time and anywhere. We propose a model-driven design and development methodology for the development of the m-health components in such extended enterprise computing systems. The methodology applies a model-driven desig...
Process algebra is a theoretical framework for the modelling and analysis of the behaviour of concurrent discrete event systems that has been developed within computer science in the past quarter century. It has generated a deeper understanding of the nature of concepts such as observable behaviour in the presence of nondeterminism, system composition...
We present an extension of Tretmans' theory and algorithm for test generation for input-output transition systems to real-time systems. Our treatment is based on an operational interpretation of the notion of quiescence in the context of real-time behaviour. This gives rise to a family of implementation relations parameterized by observation durati...
Schedule synthesis based on reachability analysis of timed automata has received attention in the last few years. The main strength of this approach is that the expressiveness of timed automata allows - unlike many classical approaches - the modelling of scheduling problems of very different kinds. Furthermore, the models are robust against changes...
The delivery of quality video service often requires high bandwidth with low delay or cost in network transmission. Current routing protocols such as those used in the Internet are mainly based on the single-path approach (e.g., the shortest-path routing). ...
In formal testing, the assumption of input enabling is typically made. This assumption requires all inputs to be enabled anytime. In addition, the useful concept of quiescence is sometimes applied. Briefly, a system is in a quiescent state when it cannot produce outputs. In this paper, we relax the input enabling assumption, and allow some input s...
Summary form only given. Although testing has always been the most important technique for the validation of software systems it has only become a topic of serious academic research in the past decade or so. In this period research on the use of formal methods for model-driven test generation and execution of functional test cases has led to a numb...
The aim of the seminar Perspectives of Model-Based Testing was to bring together researchers and practitioners from industry and academia to discuss the state of the art in theory, methods, tools, applications, and industrialization of model-based testing, and to identify the important open issues and challenges. (Dagstuhl Seminar Proceedings entry brinksma_et_al:DSP:2...)
From 05.09.04 to 10.09.04, the Dagstuhl Seminar 04371 ``Perspectives of Model-Based Testing'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during...
This contribution is the second part of an introduction to process algebra. In the first part a basic process algebra was presented and the meaning of its operators was explained informally. In the second part of the article we describe how process-algebraic expressions can be interpreted as transition systems. Using the robot example...
This paper presents an introduction to process algebras. In the first part of the contribution we introduce a basic process algebra and give an informal interpretation of its operators. In the second part of the contribution we show how expressions of process algebra can be interpreted as transition systems. Using the robot example of this series t...
In this paper we take a closer look at the automated analysis of designs, in particular of verification by model checking. Model checking tools are increasingly being used for the verification of real-life systems in an industrial context. In addition to ongoing research aimed at curbing the complexity of dealing with the inherent state space explo...
We report on the use of model checking techniques for both the verification of a process control program and the derivation of optimal control schedules. Most of this work has been carried out as part of a case study for the EU VHS project (Verification of Hybrid Systems), in which the program for a Programmable Logic Controller (PLC) of an experim...
We survey the basic principles behind the application of model checking to controller verification and synthesis. A promising development is the area of guided model checking, in which the state space search strategy of the model checking algorithm can be influenced to visit more interesting sets of states first. In particular, we discuss how model...
In this paper we present an algorithm for efficiently computing optimal cost of reaching a goal state in the model of Linearly Priced Timed Automata (LPTA). The central contribution of this paper is a priced extension of so-called zones. This, together with a notion of facets of a zone, allows the entire machinery for symbolic reachability for time...
1. Software Testing. Software quality is an issue that currently attracts a lot of attention. Software invades everywhere in our society and life and we are increasingly dependent on it. Moreover, the complexity of software is still growing. This also applies to software in mobile systems. Consequently, the quality, functional correctness and reliab...
Traditionally, models and methods for the analysis of the functional correctness of reactive systems, and those for the analysis of their performance (and dependability) aspects, have been studied by different research communities. This has resulted in the development of successful, but distinct and largely unrelated modeling and analysis techniques...
The formal verification of concurrent systems is usually seen as an example par excellence of the application of mathematical methods to computer science. Although the practical application of such verification methods will always be limited by the underlying forms of combinatorial explosion, recent years have shown remarkable progress in computer...
Labelled transition system based test theory has made remarkable progress over the past 15 years. From a theoretically interesting approach to the semantics of reactive systems it has developed into a field where testing theory is (slowly) narrowing the gap with testing practice. In particular, new test generation algorithms are being designed that...
This paper surveys and relates the basic concepts of process algebra and the modelling of continuous time Markov chains. It provides basic introductions to both fields, where we also study the Markov chains from an algebraic perspective, viz. that of Markov chain algebra. We then proceed to study the interrelation of reactive processes and Markov c...
Although testing is the most widely used technique to control the quality of software systems, it is a topic that, until relatively recently, has received scant attention from the computer research community. Although some pioneering work was already done a considerable time ago [Cho78,GG83,How78,Mye79], the testing of software systems has never be...
This paper presents a process algebra for specifying soft real-time constraints in a compositional way. For these soft constraints we take a stochastic point of view and allow arbitrary probability distributions to express delays of activities. The semantics of this process algebra is given in terms of stochastic automata, a variant of timed automa...
In this paper we present a proof of the sequential consistency of the lazy caching protocol of Afek, Brown, and Merritt. The proof will follow a strategy of stepwise refinement, developing the distributed caching memory in five transformation steps from a specification of the serial memory, whilst preserving the sequential consistency in each step....
In this paper we show how to use McMillan's complete finite prefix approach for process algebra. We present the model of component event structures as a semantics for process algebra, and show how to construct a complete finite prefix for this model. We present a simple adequate order (using an order on process algebra expressions) as an optimizati...
This paper discusses our experience with literate programming tools in the realm of the modelling and validation of systems. We propose the use of literate programming techniques to structure and control the validation trajectory. The use of literate programming is illustrated by means of a running example using Promela and Spin. The paper can also...
This paper discusses a timed variant of a process algebra akin to LOTOS, baptized UPA, in a causality-based setting. Two timed features are incorporated—a delay function which constrains the occurrence time of atomic actions and an urgency operator that forces (local or synchronized) actions to happen urgently. Timeouts are typical urgent phenomena...
In this paper we present factorized test generation techniques that can be used to generate test cases from a specification that is modelled as a labelled transition system. The test generation techniques are able to construct a sound (and complete) test suite for correctness criterion miocoF [5] by splitting up this correctness criterion into many...
P. R. D'Argenio, J.-P. Katoen, and E. Brinksma. Dept. of Computer Science, University of Twente, P.O. Box 217, 7500 AE Enschede, The Netherlands, {dargenio,brinksma}@cs.utwente.nl; Lehrstuhl für Informatik VII, University of Erlangen-Nürnberg, Martensstrasse 3, D-91058 Erlangen, Germany, katoen@informatik.uni-erlangen.de. Abstract: We intr...
Event structures are a prominent model for non-interleaving concurrency. The use of event structures for providing a compositional non-interleaving semantics to LOTOS without data is studied. In particular, several quantitative extensions of event structures are proposed that incorporate notions like time – both of deterministic and stochastic natu...
Event structure models often have some constraint which ensures that for each system run it is clear what are the causal predecessors of an event (i.e. there is no causal ambiguity). In this contribution we study what happens if we remove such constraints. We define five different partial order semantics that are intentional in the sense that they...
In this paper we present the application of the fair testing pre-order, introduced in a previous paper, to the specification and analysis of distributed systems. This pre-order combines some features of the standard testing pre-orders, viz. the possibility to refine a specification by the resolution of nondeterminism, with a powerful feature of st...
This paper discusses some of the developments in the theory of test generation from labelled transition systems over the last decade, and puts these developments in a historical perspective. These developments are driven by the need to make testing theory applicable to realistic systems. We illustrate the developments that have taken place in a ch...
A language for representing timed automata is introduced. Its semantics is defined in terms of timed automata. This language is complete in the sense that any timed automaton can be represented by a term in the language. We also define a direct operational semantics for the language in terms of (timed) transition systems. This is proven to be equiv...
The appreciation of formal methods as useful tools for the design and analysis of communicating systems is subject to considerable variation of opinion. They are seen as a solution by some, and a problem by others. They have been hailed as the answer to the software crisis by some and others have detested them for their obvious inapplicability. Som...
So far, most research in the area of formal methods has been focussed on the development of theories, methods, and tools for the design and analysis of functional, or qualitative, aspects of information-processing systems. Performance analysis, on the other hand, has always been concerned with the quantitative analysis of such systems. As a result...
[Table of contents fragment of a seminar report: ...ion for developing Reactive Systems (p. 18); Steven Klusener, CWI: Verification of an Audio protocol (p. 19); Hans Hook, SICS: About Integration of Formal Description Techniques and Systems Development Processes ...]
This paper discusses stochastic extensions of a simple process algebra in a causality-based setting. Atomic actions are supposed to happen after a delay that is determined by a stochastic variable with a certain distribution. A simple stochastic type of event structures is discussed, restricting the distribution functions to be exponential. A corres...
In this paper a generic framework inspired by [LX90] is presented for the validation of reactive systems embedded in a test environment, or isolated from their operational environment, thereby inducing a natural classification of validation strategies in different scenarios. We show that verification strategies and falsification strategies are comp...
We present an algorithm for the decomposition of processes in a process algebraic framework. Decomposition, or the refinement of process substructure, is an important design principle in the top-down development of concurrent systems. In the approach that we follow the decomposition is based on a given partition of the actions of a system specifica...
In this chapter we present an overview of enhancements of the ISO specification language LOTOS that have been proposed in the Lotosphere project. The detailed proposals Management and Evaluation of Language Development can be found in [D07].
This book presents 12 revised refereed papers selected as the best from 32 submissions for the First International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, TACAS '95, held in Aarhus, Denmark, in May 1995. The workshop brought together 46 researchers interested in the development and application of tools and alg...
In distributed shared memory architectures, memory usually obeys weaker constraints than that of ordinary memory in (cache-less) single processor systems. One popular weakening is that of sequential consistency. Proving that a memory is sequentially consistent does not easily fit the standard refinement and verification strategies. This paper takes...
We present an algorithm for the decomposition of processes in a process algebraic framework. Decomposition, or the refinement of process substructure, is an important design principle in the top-down development of concurrent systems. In the approach that we follow the decomposition is based on a given partition of the actions of a system spec...
The validation of implementations is an essential part of the design of both hardware and software systems in order to establish the correctness of such systems. As such it has been an important application area for all kinds of formal methods to support this activity. Many of such methods, however, aim at a complete proof of correctness, which bec...
This paper presents an algorithm for the guided simulation of LOTOS specifications. Based on the selection of a behaviour expression occurrence contained in a LOTOS specification the algorithm determines a reduced inference system that calculates, if it exists, the shortest path from the initial state of the specification behaviour to an active con...
We revisit the question of the uniqueness of solutions to fixpoint equations modulo observation congruence. In the literature various sufficient conditions are given for the uniqueness of such solutions for a given signature of process combinators, such as guardedness and sequentiality (CCS) or the absence of abstraction (ACP), concealment (CSP), o...
A testing architecture influences the way a tester communicates with an implementation under test (IUT), in particular whether communication is synchronous or asynchronous. Testers that communicate synchronously with the IUT can detect more differences between implementations than testers that communicate asynchronously. Moreover, test cases derive...
Substantial experience with the use of formal specification languages in the design of distributed systems has shown that finding appropriate structures for formal specifications presents a serious, and often underestimated problem. Its solutions are of great importance for ensuring the quality of the various designs that need to be developed at di...
There are now several theories for describing and reasoning about the behavior of communicating systems, where the behavior of a communicating system is described in terms of its capabilities to perform communication actions in cooperation with its environment. In such theories, preorders or equivalences are defined as criteria for when one system...
Many of the formal methods that abound in computer science are in fact just formal languages or calculi. They can be used to describe and analyse models of information systems of different complexities and application domains. Only to a much lesser extent are we also provided with methods that tell exactly how these models may be used to obtain wor...
The term architecture denotes in this paper an abstract object that defines a set of requirements for a class of products, and that can be used to derive from it various more concrete objects, called (product) implementations. We assume that an architecture is expressed in a formal description language. The paper argues that in practice any archite...
Constraint-oriented specification is a style that can be used in some process algebraic formalisms to implement the power of a logical conjunction. Although this type of conjunction is usually limited to properties of traces, and therefore to the safety aspects of a specification, it turns out to be an extremely useful tool in realistic application...