Results 1  10
of
35
Symbolic compositional verification by learning assumptions
 In CAV
, 2005
"... Abstract. The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assumeguarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we ..."
Abstract

Cited by 52 (7 self)
 Add to MetaCart
Abstract. The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assumeguarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we propose an automated solution for discovering assumptions based on the L \Lambda algorithm for active learning of regular languages. We present a symbolic implementation of the learning algorithm, and incorporate it in the model checker NuSMV. Our experiments demonstrate significant savings in the computational requirements of symbolic model checking.
Runtime verification for LTL and TLTL
, 2007
"... This paper studies runtime verification of properties expressed either in lineartime temporal logic (LTL) or timed lineartime temporal logic (TLTL). It classifies runtime verification in identifying its distinguishing features to model checking and testing, respectively. It introduces a threevalued ..."
Abstract

Cited by 25 (7 self)
 Add to MetaCart
This paper studies runtime verification of properties expressed either in lineartime temporal logic (LTL) or timed lineartime temporal logic (TLTL). It classifies runtime verification in identifying its distinguishing features to model checking and testing, respectively. It introduces a threevalued semantics (with truth values true, false, inconclusive) as an adequate interpretation as to whether a partial observation of a running system meets an LTL or TLTL property. For LTL, a conceptually simple monitor generation procedure is given, which is optimal in two respects: First, the size of the generated deterministic monitor is minimal, and, second, the monitor identifies a continuously monitored trace as either satisfying or falsifying a property as early as possible. The feasibility of the developed methodology is demontrated using a collection of realworld temporal logic specifications. Moreover, the presented approach is related to the properties monitorable in general and is compared to existing concepts in the literature. It is shown that the set of monitorable properties does not only encompass the safety and cosafety properties but is strictly larger. For TLTL, the same road map is followed by first defining a threevalued semantics. The corresponding construction of a timed monitor is more involved, yet, as shown, possible.
Automated AssumeGuarantee Reasoning for Simulation Conformance
 In Proc. of CAV’05, volume 3576 of LNCS
, 2005
"... Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state system ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state systems and specifications. We focus on a noncircular assumeguarantee proof rule, and show that there is a weakest assumption that can be represented canonically by a deterministic tree automata (DTA). We then present an algorithm L T that learns this DTA automatically in an incremental fashion, in time that is polynomial in the number of states in the equivalent minimal DTA. The algorithm assumes a teacher that can answer membership queries pertaining to the language of the unknown DTA, and can also test a conjecture and provide a counter example if the conjecture is false. We show how the teacher and its interaction with L T are implemented in a model checker. We have implemented this framework in the ComFoRT toolkit and we report encouraging results (up to 41 and 14 times improvement in memory and time consumption respectively) on nontrivial benchmarks.
DomainSpecific Optimization in Automata Learning
 In Proc. 15 th Int. Conf. on Computer Aided Verification
, 2003
"... Automatically generated models may provide the key towards controlling the evolution of complex systems, form the basis for test generation and may be applied as monitors for running applications. ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
Automatically generated models may provide the key towards controlling the evolution of complex systems, form the basis for test generation and may be applied as monitors for running applications.
Mutually enhancing test generation and specification inference
 In Proc. 3rd International Workshop on Formal Approaches to Testing of Software, volume 2931 of LNCS
, 2003
"... Abstract. Generating effective tests and inferring likely program specifications are both difficult and costly problems. We propose an approach in which we can mutually enhance the tests and specifications that are generated by iteratively applying each in a feedback loop. In particular, we infer li ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Abstract. Generating effective tests and inferring likely program specifications are both difficult and costly problems. We propose an approach in which we can mutually enhance the tests and specifications that are generated by iteratively applying each in a feedback loop. In particular, we infer likely specifications from the executions of existing tests and use these specifications to guide automatic test generation. Then the existing tests, as well as the new tests, are used to infer new specifications in the subsequent iteration. The iterative process continues until there is no new test that violates specifications inferred in the previous iteration. Inferred specifications can guide test generation to focus on particular program behavior, reducing the scope of analysis; and newly generated tests can improve the inferred specifications. During each iteration, the generated tests that violate inferred specifications are collected to be inspected. These violating tests are likely to have a high probability of exposing faults or exercising new program behavior. Our hypothesis is that such a feedback loop can mutually enhance test generation and specification inference. 1
Actively learning to verify safety for FIFO automata
 In LNCS 3328, Proc. of FSTTCS’04
, 2004
"... We apply machine learning techniques to verify safety properties of finite state machines which communicate over unbounded FIFO channels. Instead of attempting to iteratively compute the reachable states, we use Angluin's L* algorithm to learn these states. The learnt set of reachable states is t ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
We apply machine learning techniques to verify safety properties of finite state machines which communicate over unbounded FIFO channels. Instead of attempting to iteratively compute the reachable states, we use Angluin's L* algorithm to learn these states. The learnt set of reachable states is then used either to prove that the system is safe, or to produce a valid execution of the system that leads to an unsafe state (i.e. to produce a counterexample). Specifically, we assume that we are given a model of the system and we provide a novel procedure which answers both membership and equivalence queries for a representation of the reachable states. We define a new encoding scheme for representing reachable states and their witness execution; this enables the learning algorithm to analyze a larger class of FIFO systems automatically than a naive encoding would allow.
Learning to Verify Safety Properties
 In LNCS 3308, Proc. of ICFEM’04
, 2004
"... We present a novel approach for verifying safety properties of finite state machines communicating over unbounded FIFO channels that is based on applying machine learning techniques. We assume that we are given a model of the system and learn the set of reachable states from a sample set of exec ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
We present a novel approach for verifying safety properties of finite state machines communicating over unbounded FIFO channels that is based on applying machine learning techniques. We assume that we are given a model of the system and learn the set of reachable states from a sample set of executions of the system, instead of attempting to iteratively compute the reachable states. The learnt set of reachable states is then used to either prove that the system is safe or to produce a valid execution of the system leading to an unsafe state (i.e. a counterexample). We have implemented this method for verifying FIFO automata in a tool called Lever that uses a regular language learning algorithm called RPNI. We apply our tool to a few case studies and report our experience with this method. We also demonstrate how this method can be generalized and applied to the verification of other infinite state systems.
Regular inference for state machines with parameters
 In FASE
, 2006
"... Abstract. Techniques for inferring a regular language, in the form of a finite automaton, from a sufficiently large sample of accepted and nonaccepted input words, have been employed to construct models of software and hardware systems, for use, e.g., in test case generation. We intend to adapt thes ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
Abstract. Techniques for inferring a regular language, in the form of a finite automaton, from a sufficiently large sample of accepted and nonaccepted input words, have been employed to construct models of software and hardware systems, for use, e.g., in test case generation. We intend to adapt these techniques to construct state machine models of entities of communication protocols. The alphabet of such state machines can be very large, since a symbol typically consists of a protocol data unit type with a number of parameters, each of which can assume many values. In typical algorithms for regular inference, the number of needed input words grows with the size of the alphabet and the size of the minimal DFA accepting the language. We therefore modify such an algorithm (Angluin’s algorithm) so that its complexity grows not with the size of the alphabet, but only with the size of a certain symbolic representation of the DFA. The main new idea is to infer, for each state, a partitioning of input symbols into equivalence classes, under the hypothesis that all input symbols in an equivalence class have the same effect on the state machine. Whenever such a hypothesis is disproved, equivalence classes are refined. We show that our modification retains the good properties of Angluin’s original algorithm, but that its complexity grows with the size of our symbolic DFA representation rather than with the size of the alphabet. We have implemented the algorithm; experiments on synthesized examples are consistent with these complexity results. 1
Optimized l*based assumeguarantee reasoning
 In (to appear) Proc. of the 19 th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’07
, 2007
"... Abstract. In this paper, we suggest three optimizations to the L*based automated AssumeGuarantee reasoning algorithm for the compositional verification of concurrent systems. First, we use each counterexample from the model checker to supply multiple strings to L*, saving candidate queries. Second ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Abstract. In this paper, we suggest three optimizations to the L*based automated AssumeGuarantee reasoning algorithm for the compositional verification of concurrent systems. First, we use each counterexample from the model checker to supply multiple strings to L*, saving candidate queries. Second, we observe that in existing instances of this paradigm, the learning algorithm is coupled weakly with the teacher. Thus, the learner ignores completely the details about the internal structure of the system and specification being verified, which are available already to the teacher. We suggest an optimization that uses this information in order to avoid many unnecessary – and expensive, since they involve model checking – membership and candidate queries. Finally, and most importantly, we develop a method for minimizing the alphabet used by the assumption, which reduces the size of the assumption and the number of queries required to construct it. We present these three optimizations in the context of verifying trace containment for concurrent systems composed of finite state machines. We have implemented our approach and experimented with reallife examples. Our results exhibit an average speedup of over 12 times due to the proposed improvements. 1
Integrating Formal Verification and Conformance Testing for Reactive Systems
, 2007
"... In this paper, we describe a methodology integrating verification and conformance testing. A specification of a system— an extended inputoutput automaton, which may be infinitestate—and a set of safety properties (“nothing bad ever happens”) and possibility properties (“something good may happen” ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
In this paper, we describe a methodology integrating verification and conformance testing. A specification of a system— an extended inputoutput automaton, which may be infinitestate—and a set of safety properties (“nothing bad ever happens”) and possibility properties (“something good may happen”) are assumed. The properties are first tentatively verified on the specification using automatic techniques based on approximated statespace exploration, which are sound, but, as a price to pay for automation, are not complete for the given class of properties. Because of this incompleteness and of statespace explosion, the verification may not succeed in proving or disproving the properties. However, even if verification did not succeed, the testing phase can proceed and provide useful information about the implementation. Test cases are automatically and symbolically generated from the specification and the properties and are executed on a blackbox implementation of the system. The test execution may detect violations of conformance between implementation and specification; in addition, it may detect violation/satisfaction of the properties by the implementation and by the specification. In this sense, testing completes verification. The approach is illustrated on simple examples and on a Bounded Retransmission Protocol.