Results 1  10
of
104
Computing abstractions of infinite state systems compositionally and automatically
 PROCEEDINGS OF CAV ’98
, 1998
"... We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Del ..."
Abstract

Cited by 98 (5 self)
 Add to MetaCart
We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Delta k S a n such that S simulates S a. A distinguishing feature of our method is that it does not produce a single abstract state graph but rather preserves the structure of the concrete system. This feature is a prerequisite to benefit from the techniques developed in the context of modelchecking for mitigating the state explosion. Moreover, our method has the advantage that the process of constructing the abstract system does not depend on whether the computation model is synchronous or asynchronous.
Slicing Software for Model Construction
 Higherorder and Symbolic Computation
, 1999
"... Applying finitestate verification techniques (e.g., model checking) to software requires that program source code be translated to a finitestate transition system that safely models program behavior. Automatically checking such a transition system for a correctness property is typically very cos ..."
Abstract

Cited by 88 (16 self)
 Add to MetaCart
Applying finitestate verification techniques (e.g., model checking) to software requires that program source code be translated to a finitestate transition system that safely models program behavior. Automatically checking such a transition system for a correctness property is typically very costly, thus it is necessary to reduce the size of the transition system as much as possible. In fact, it is often the case that much of a program's source code is irrelevant for verifying a given correctness property. In this paper, we apply program slicing techniques to remove automatically such irrelevant code and thus reduce the size of the corresponding transition system models. We give a simple extension of the classical slicing definition, and prove its safety with respect to model checking of linear temporal logic (LTL) formulae. We discuss how this slicing strategy fits into a general methodology for deriving effective software models using abstractionbased program specializati...
Experiments in Theorem Proving and Model Checking for Protocol Verification
, 1996
"... . Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finitestate verification techniques like model checking and state exploration. Theorem proving is also not effective sinc ..."
Abstract

Cited by 73 (12 self)
 Add to MetaCart
. Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finitestate verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaleddown version of the protocol is analyzed using the MurOE state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized prot...
Model Checking Complete Requirements Specifications Using Abstraction
 Automated Software Engineering
, 1999
"... Although model checking has proven remarkably effective in detecting errors in hardware designs, its success in the analysis of software specifications has been limited. Model checking algorithms for hardware verification commonly use Binary Decision Diagrams (BDDs) to represent predicates involving ..."
Abstract

Cited by 70 (19 self)
 Add to MetaCart
Although model checking has proven remarkably effective in detecting errors in hardware designs, its success in the analysis of software specifications has been limited. Model checking algorithms for hardware verification commonly use Binary Decision Diagrams (BDDs) to represent predicates involving the many Boolean variables commonly found in hardware descriptions. Unfortunately, BDD representations may be less effective for analyzing software specifications, which usually contain not only Booleans but variables spanning a wide range of data types. Further, software specifications typically have huge, sometimes infinite, state spaces that cannot be model checked directly using conventional symbolic methods. One promising but largely unexplored approach to model checking software...
Verification of Control Flow Based Security Properties
, 1998
"... A fundamental problem in softwarebased security is whether local security checks inserted into the code are sufficient to implement a global security property. We introduce a formalism based on a twolevel lineartime temporal logic for specifying global security properties pertaining to the contro ..."
Abstract

Cited by 70 (5 self)
 Add to MetaCart
A fundamental problem in softwarebased security is whether local security checks inserted into the code are sufficient to implement a global security property. We introduce a formalism based on a twolevel lineartime temporal logic for specifying global security properties pertaining to the controlflow of the program, and illustrate its expressive power with a number of existing properties. We define a minimalistic, securitydedicated program model that only contains procedure call and runtime security checks and propose an automatic method for verifying that an implementation using local security checks satisfies a global security property. For a given formula in the temporal logic we prove that there exists a bound on the size of the states that have to be considered in order to assure the validity of the formula: this reduces the problem to finitestate model checking. Finally, we instantiate the framework to the security architecture proposed for Java (JDK 1.2).
The practitioner's guide to coloured Petri nets
 International Journal on Software Tools for Technology Transfer
, 1998
"... Coloured Petri nets (CPnets or CPNs) provide a framework for the design, specification, validation, and verification of systems. CPnets have a wide range of application areas and many CPN projects have been carried out in industry, e.g., in the areas of communication protocols, operating systems, ..."
Abstract

Cited by 69 (16 self)
 Add to MetaCart
Coloured Petri nets (CPnets or CPNs) provide a framework for the design, specification, validation, and verification of systems. CPnets have a wide range of application areas and many CPN projects have been carried out in industry, e.g., in the areas of communication protocols, operating systems, hardware designs, embedded systems, software system designs, and business process reengineering. Design/CPN is a graphical computer tool supporting the practical use of CPnets. The tool supports the construction, simulation, and functional and performance analysis of CPN models. The tool is used by more than four hundred organisations in forty different countries  including one hundred commercial companies. It is available free of charge, also for commercial use. This paper provides a comprehensive road map to the practical use of CPnets and the Design/CPN tool. We give an informal introduction to the basic concepts and ideas underlying CPnets. The key components and facilities of the Design/CPN tool are presented and their use illustrated. The paper is selfcontained and does not assume any prior knowledge of Petri nets and CPnets nor any experience with the Design/CPN tool.
Model Checking of RealTime Reachability Properties Using Abstractions
, 1998
"... . Practical realtime model checking suffers from the stateexplosion problem: the size of the state space grows exponentially with many system parameters: number of clocks, size of constants, number of system components. To cope with state explosion, we propose to use abstractions reducing the sta ..."
Abstract

Cited by 68 (9 self)
 Add to MetaCart
. Practical realtime model checking suffers from the stateexplosion problem: the size of the state space grows exponentially with many system parameters: number of clocks, size of constants, number of system components. To cope with state explosion, we propose to use abstractions reducing the statespace while preserving reachability properties. Four exact , plus one safe abstractions are defined. In the main abstraction (simulation) a concrete state is mapped to a symbolic abstract state (a set of concrete states). The other four abstractions are defined on top of the simulation one. They can be computed onthefly in a completely orthogonal manner and thus can be combined to yield better reductions. A prototype implementation in the tool Kronos has permitted to verify two benchmark examples with a significant scaleup in size. 1 Introduction Model checking is an approach commonly used for the automatic verification of reachability properties. Given a system and a property p, reac...
Generating finitestate abstractions of reactive systems using decision procedures
 In: CAV 98: Conference on ComputerAided Verification. Volume 1427 of Lecture Notes in Computer Science., SpringerVerlag
, 1998
"... Abstract. We present an algorithm that uses decision procedures to generate finitestate abstractions of possibly infinitestate systems. The algorithm compositionally abstracts the transitions of the system, relative to a given, fixed set of assertions. Thus, the number of validity checks is propor ..."
Abstract

Cited by 67 (5 self)
 Add to MetaCart
Abstract. We present an algorithm that uses decision procedures to generate finitestate abstractions of possibly infinitestate systems. The algorithm compositionally abstracts the transitions of the system, relative to a given, fixed set of assertions. Thus, the number of validity checks is proportional to the size of the system description, rather than the size of the abstract statespace. The generated abstractions are weakly preserving for ∀CTL * temporal properties. We describe several applications of the algorithm, implemented using the decision procedures of the Stanford Temporal Prover (STeP). 1
Algorithmic analysis of programs with well quasiordered domains
 Information and Computation
"... Over the past few years increasing research effort has been directed towards the automatic verification of infinitestate systems. This paper is concerned with identifying general mathematical structures which can serve as sufficient conditions for achieving decidability. We present decidability res ..."
Abstract

Cited by 56 (13 self)
 Add to MetaCart
Over the past few years increasing research effort has been directed towards the automatic verification of infinitestate systems. This paper is concerned with identifying general mathematical structures which can serve as sufficient conditions for achieving decidability. We present decidability results for a class of systems (called wellstructured systems) which consist of a finite control part operating on an infinite data domain. The results assume that the data domain is equipped with a preorder which is a well quasiordering, such that the transition relation is ``monotonic' ' (a simulation) with respect to the preorder. We show that the following properties are decidable for wellstructured systems: v Reachability: whether a certain set of control states is reachable. Other safety properties can be reduced to the reachability problem. 1
Finding Feasible Counterexamples when Model Checking Abstracted Java Programs
 In Proceedings of TACAS
, 2001
"... . Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to lar ..."
Abstract

Cited by 47 (5 self)
 Add to MetaCart
. Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larger systems. Most common abstraction techniques compute an upper approximation of the original program. Thus, when a specification is found true for the abstracted program, it is known to be true for the original program. Finding a specification to be false, however, is inconclusive since the specification may be violated on a behavior in the abstracted program which is not present in the original program. We have extended an explicitstate model checker, Java PathFinder (JPF), to analyze counterexamples in the presence of abstractions. We enhanced JPF to search for "feasible" counterexamples during model checking. Alternatively, an abstract counterexample can be used to guide the simulation of the concrete computation and thereby check feasibility of the counterexample. We demonstrate the effectiveness of these techniques on counterexamples from checks of several multithreaded Java programs. 1