Results 11 - 20 of 20
Incremental Verification by Abstraction
2001
Cited by 28 (3 self)
We present a methodology for constructing abstractions and refining them by analyzing counter-examples. We also present a uniform verification method that combines abstraction, model-checking and deductive verification in a novel way. In particular, it allows and shows how to use the set of reachable states of the abstract system in a deductive proof even when the abstract model does not satisfy the specification and when it simulates the concrete system with respect to a weaker simulation notion than Milner's.
Shape analysis through predicate abstraction and model checking
In Proceedings of VMCAI, 2003
Cited by 26 (1 self)
We propose a new framework, based on predicate abstraction and model checking, for shape analysis of programs. Shape analysis is used to statically collect information — such as possible reachability and sharing — about program stores. Rather than use a specialized abstract interpretation based on shape graphs, we instantiate a generic and automated abstraction procedure with shape predicates from a correctness property. This results in a predicate-discovery procedure that identifies predicates relevant for correctness, using an analysis based on weakest preconditions, and creates a finite state abstract program. The correctness property is then checked on the abstraction with a model checking tool. To enable this process, we calculate weakest preconditions for common shape properties, and present heuristics for accelerating convergence. Exploring abstract state spaces with model checkers enables one to tap into a wealth of techniques and highly optimized implementations for state space exploration, and to analyze properties that go beyond invariances. We illustrate this simple and flexible framework with the analysis of some “classical” list manipulation programs, using our implementation of the abstraction algorithm, and the SPIN and COSPAN model checkers for state space exploration.
Predicate Abstraction with Minimum Predicates
In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), 2003
Cited by 26 (7 self)
Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requirements) in the number of predicates involved. If a property can be proven to hold or not hold based on a given finite set of predicates P, the procedure we propose in this paper finds automatically a minimal subset of P that is sufficient for the proof. We explain how our technique can be used for more efficient verification of C programs. Our experiments show that predicate minimization can result in a significant reduction of both verification time and memory usage compared to earlier methods.
Equational abstractions
LNCS, 2003
Cited by 23 (12 self)
Abstraction reduces the problem of whether an infinite state system satisfies version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the minimal quotient system together with a set of proof obligations that guarantee its executability and can be discharged with tools such as those in the Maude formal environment.
Efficient Verification of Sequential and Concurrent C Programs
2003
Cited by 22 (10 self)
There has been considerable progress in the domain of software verification over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction effective is to use as few predicates as possible. This is because, in the worst case, the state space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.
Automated Compositional Abstraction Refinement for Concurrent C Programs: A Two-Level Approach
2003
Cited by 15 (5 self)
The state space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. We attempt to address this problem in the context of verifying concurrent (message-passing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (operating respectively on data and events) within a counterexample-guided abstraction refinement (CEGAR) scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Our explicit use of compositionality delays the onset of state space explosion for as long as possible. To our knowledge, this is the first compositional use of CEGAR in the context of model checking concurrent C programs. We describe our approach in detail, and report on some very encouraging preliminary experimental results obtained with our tool MAGIC.
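The CHARME entry above asks for as few predicates as possible, and the two-level entry just above describes the CEGAR cycle of abstracting, model checking, replaying the counterexample and refining. The following is an added example written for this listing; it is not code from MAGIC or from any of the papers. It runs both ideas end to end on a toy loop program: existential predicate abstraction with the program counter kept concrete, BFS model checking of the abstraction, concrete replay of the abstract counterexample, refinement by picking a separating predicate from a candidate pool, and finally greedy removal of predicates the proof does not need. The program itself, the bound B = 4 that lets brute-force enumeration stand in for the per-edge SAT/SMT queries a real tool would issue, the candidate pool and its order, and all function names are assumptions of the example.

```python
from collections import deque
B = 4                                   # assumed bound on x and y (domain 0..B)
INIT, LOOP, BODY, EXIT, ERR = range(5)  # program counters; ERR = failed assert
INITIAL_STATES = {(INIT, 0, 0)}
ALL_STATES = [(pc, x, y) for pc in range(5) for x in range(B + 1) for y in range(B + 1)]
# Assumed candidate pool, tried in this order when refining; a real tool harvests these from guards/WPs.
CANDIDATES = [("x<3", lambda x, y: x < 3), ("x==0", lambda x, y: x == 0),
              ("y==x", lambda x, y: y == x), ("y<=3", lambda x, y: y <= 3)]

def make_step(bug=False):
    # Successors of (pc, x, y) for:  x = 0; y = 0; while (x < 3) { x++; y++; } assert(y == x);
    def step(s):
        pc, x, y = s
        if pc == INIT:
            return [(LOOP, x, y)]
        if pc == LOOP:
            return [(BODY, x, y)] if x < 3 else [(EXIT, x, y)]
        if pc == BODY:
            ny = y if (bug and x == 1) else y + 1   # bug=True skips one y++, so the assert fails
            return [(LOOP, x + 1, ny)] if x + 1 <= B and ny <= B else []
        if pc == EXIT:
            return [(ERR, x, y)] if y != x else [(EXIT, x, y)]
        return []                               # ERR is a sink
    return step

def abstract_system(preds, step):
    # Existential abstraction (pc concrete, data = predicate bit-vector): an edge exists if *some*
    # concrete state of the source block, reachable or not, steps into the target block.
    alpha = lambda s: (s[0], tuple(p(s[1], s[2]) for _, p in preds))
    trans = {}
    for s in ALL_STATES:
        for t in step(s):
            trans.setdefault(alpha(s), set()).add(alpha(t))
    return alpha, {alpha(s) for s in INITIAL_STATES}, trans

def abstract_counterexample(init, trans):
    # BFS: shortest abstract path to an ERR block, or None if the abstraction is safe.
    parent = {a: None for a in init}
    queue = deque(init)
    while queue:
        a = queue.popleft()
        if a[0] == ERR:
            path = [a]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        for b in sorted(trans.get(a, ())):      # sorted so the path is deterministic
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None

def analyze(path, alpha, preds, step):
    # Replay the abstract path concretely.  "feasible" = real bug; else return the first unused
    # candidate separating the reachable states from those enabling the spurious step, or None.
    frontier = {s for s in INITIAL_STATES if alpha(s) == path[0]}
    for i in range(1, len(path)):
        nxt = {t for s in frontier for t in step(s) if alpha(t) == path[i]}
        if nxt:
            frontier = nxt
            continue
        culprits = [s for s in ALL_STATES
                    if alpha(s) == path[i - 1] and any(alpha(t) == path[i] for t in step(s))]
        used = {n for n, _ in preds}
        for name, p in CANDIDATES:
            vals = {p(x, y) for _, x, y in frontier}
            if name not in used and len(vals) == 1 and any(p(x, y) not in vals for _, x, y in culprits):
                return (name, p)
        return None
    return "feasible"

def cegar(step):
    # CEGAR loop: abstract, model-check, replay the counterexample, refine, repeat.
    preds = []
    while True:
        alpha, init, trans = abstract_system(preds, step)
        path = abstract_counterexample(init, trans)
        if path is None:
            return "safe", preds
        result = analyze(path, alpha, preds, step)
        if result == "feasible":
            return "unsafe", preds
        if result is None:
            return "unknown", preds             # no candidate separates: refinement gives up
        preds.append(result)

def minimize(preds, step):
    # Greedily drop each predicate whose removal keeps the proof: minimal, not necessarily minimum-size.
    kept = list(preds)
    for p in list(kept):
        trial = [q for q in kept if q is not p]
        if abstract_counterexample(*abstract_system(trial, step)[1:]) is None:
            kept = trial
    return kept

if __name__ == "__main__":
    status, preds = cegar(make_step())
    print(status, [n for n, _ in preds], "minimal:", [n for n, _ in minimize(preds, make_step())])
    print("with injected bug:", cegar(make_step(bug=True))[0])
```

Running it reports safe after refinement has added x<3, x==0 and y==x in that order, and minimization then keeps only y==x: the first two predicates were each needed to kill one particular spurious path, but not for the final proof, which is the kind of redundancy the CHARME entry's minimization targets. With bug=True the replayed abstract path is feasible and the loop reports unsafe. Two caveats a practitioner should keep in mind: enumerating ALL_STATES, including unreachable ones, is exactly what makes the existential abstraction an over-approximation and hence the source of spurious counterexamples; and the separating-predicate heuristic here is deliberately crude (first candidate that fits), where a real refiner derives the new predicate from weakest preconditions or interpolants along the spurious prefix.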
Structure-Preserving Binary Relations for Program Abstraction
In The Essence of Computation, LNCS 2566, 2002
Cited by 9 (5 self)
An abstraction is a property-preserving contraction of a program's model into a smaller one that is suitable for automated analysis.
A Heuristic for the Automatic Generation of Ranking Functions
Workshop on Advances in Verification, 2000
Cited by 9 (0 self)
The duality between invariance and progress is fundamental in proof techniques for the verification of programs. Proving invariance requires the construction of invariants, while progress proofs hinge on the identification of appropriate ranking functions. With the recent interest in automated verification techniques, the topic of automatic generation of invariants is facing a revival of interest. In [14] it has been shown that temporal properties of reactive systems can be proven via finitary abstractions if those abstractions comprise a notion of acceptance conditions, like ω-automata. Based on this, that paper concludes that there is a strong need for devising effective heuristics for generating such conditions. In this note, we address this issue. We suggest a simple heuristic in the spirit of, and combining well with, the popular predicate abstraction approach to the automatic generation and refinement of invariants. The presentation is non-technical and guided by examples. ...
On the Completeness of Model Checking
Proc. 10th ESOP 2001, Genova, IT, 2-6 Apr. 2001, LNCS 2028, 2001
Cited by 8 (3 self)
In POPL'00, Cousot and Cousot introduced and studied a novel general temporal specification language, called x̆-calculus, in particular featuring a natural and rich time-symmetric trace-based semantics. The classical state-based model checking of the x̆-calculus is an abstract interpretation of its trace-based semantics, which, surprisingly, turns out to be incomplete, even for finite systems. Cousot and Cousot identified the temporal connectives causing such incompleteness. In this paper, we first characterize the least, i.e. least informative, refinements of the state-based model checking abstraction which are complete relatively to any incomplete temporal connective. On the basis of this analysis, we show that the least refinement of the state-based model checking semantics of (a slight and natural monotone restriction of) the x̆-calculus which is complete w.r.t. the trace-based semantics does exist, and it is essentially the trace-based semantics itself. This result c...
Domain Compression for Complete Abstractions
Cited by 3 (1 self)
We introduce the operation of domain compression for complete refinements of finite abstract domains. This provides a systematic method for simplifying abstract domains in order to isolate the most abstract domain, when it exists, whose refinement toward completeness for a given semantic function returns a given domain. Domain compression is particularly relevant to compare abstractions in static program analysis and abstract model checking. In this latter case we consider domain compression in predicate abstraction of transition systems.

