Results 1  10
of
14
Powerful Techniques for the Automatic Generation of Invariants
 In CAV
, 1996
"... . When proving invariance properties of programs one is faced with two problems. The first problem is related to the necessity of proving tautologies of the considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the se ..."
Abstract

Cited by 89 (9 self)
 Add to MetaCart
. When proving invariance properties of programs one is faced with two problems. The first problem is related to the necessity of proving tautologies of the considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes techniques for the automatic generation of invariants. The first set of these techniques is applicable on sequential transition systems and allows to derive socalled local invariants, i.e. predicates which are invariant at some control location. The second is applicable on networks of transition systems and allows to combine local invariants of the sequential components to obtain local invariants of the global systems. Furthermore, a refined strengthening technique is presented that allows to avoid the problem of sizeincrease of the considered predicates which is the main drawback of the usual strengthening technique. The proposed techniques are illustrated by ex...
Parameterized Verification with Automatically Computed Inductive Assertions
, 2001
"... The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic mo ..."
Abstract

Cited by 63 (8 self)
 Add to MetaCart
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic modelchecking techniques for both tasks. First, we show how to use modelchecking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive inv rule for proving invariance properties can be automatically resolved by finitestate (bddbased) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VCvalidation phase without ever been examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Tools and Rules for the Practicing Verifier
, 1991
"... The paper presents a minimal proof theory which is adequate for proving the main important temporal properties of reactive programs. The properties we consider consist of the classes of invariance, response, and precedence properties. For each of these classes we present a small set of rules that is ..."
Abstract

Cited by 30 (3 self)
 Add to MetaCart
The paper presents a minimal proof theory which is adequate for proving the main important temporal properties of reactive programs. The properties we consider consist of the classes of invariance, response, and precedence properties. For each of these classes we present a small set of rules that is complete for verifying properties belonging to this class. We illustrate the application of these rules by analyzing and verifying the properties of a new algorithm for mutual exclusion. 1 Introduction In this paper we present a minimal proof theory that is adequate for proving interesting properties of concurrent programs. The simple theory is illustrated on a single example, which is a new and interesting algorithm for mutual exclusion [Szy88]. There are several points we would like to demonstrate in this paper. The first and main point is that a very little general (temporal) theory is required to handle the most important properties of concurrent programs. The types of properties, on w...
Abstracting WS1S Systems to Verify Parameterized Networks
, 2000
"... We present a method that allows to verify parameterized networks of finite state processes. Our method is based on three main ideas. The first one consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (2ndorder) ..."
Abstract

Cited by 26 (6 self)
 Add to MetaCart
We present a method that allows to verify parameterized networks of finite state processes. Our method is based on three main ideas. The first one consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (2ndorder) variables and whose transitions are described in WS1S. Then, we present methods that allow to abstract a WS1S system into a finite state system that can be modelchecked. Finally, in order to verify liveness properties, we present an algorithm that allows to enrich the abstract system with strong fairness conditions while preserving safety of the abstraction. We implemented our method in a tool, called pax, and applied it to several examples.
Environment abstraction for parameterized verification
 In 7 th VMCAI, LNCS 3855
, 2006
"... Abstract. Many aspects of computer systems are naturally modeled as parameterized systems which renders their automatic verification difficult. In wellknown examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which ..."
Abstract

Cited by 19 (1 self)
 Add to MetaCart
Abstract. Many aspects of computer systems are naturally modeled as parameterized systems which renders their automatic verification difficult. In wellknown examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which run the same distributed algorithm. In this paper, we introduce environment abstraction as a tool for the verification of such concurrent parameterized systems. Environment abstraction enriches predicate abstraction by ideas from counter abstraction; it enables us to reduce concurrent parameterized systems with unbounded variables to precise abstract finite state transition systems which can be verified by a finite state model checker. We demonstrate the feasibility of our approach by verifying the safety and liveness properties of Lamport’s bakery algorithm and Szymanski’s mutual exclusion algorithm. To the best of our knowledge, this is the first time both safety and liveness properties of the bakery algorithm have been verified at this level of automation. 1
A generic framework for reasoning about dynamic networks of infinitestate processes
 In TACAS’07, volume 4424 of Lecture Notes in Computer Science
, 2007
"... Abstract. We propose a framework for reasoning about unbounded dynamic networks of infinitestate processes. We propose Constrained Petri Nets (CPN) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over so ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Abstract. We propose a framework for reasoning about unbounded dynamic networks of infinitestate processes. We propose Constrained Petri Nets (CPN) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over some potentially infinite data domain such as integers, reals, etc. Furthermore, we define a logic, called CML (colored markings logic), for the description of CPN configurations. CML is a firstorder logic over tokens allowing to reason about their locations and their colors. Both CPNs and CML are parametrized by a color logic allowing to express constraints on the colors (data) associated with tokens. We investigate the decidability of the satisfiability problem of CML and its applications in the verification of CPNs. We identify a fragment of CML for which the satisfiability problem is decidable (whenever it is the case for the underlying color logic), and which is closed under the computations of post and pre images for CPNs. These results can be used for several kinds of analysis such as invariance checking, prepost condition reasoning, and bounded reachability analysis. 1.
An Exercise in the Verification of MultiProcess Programs
 Beauty is Our Business
, 1991
"... We present an approach to the verification of a multiprocess program consisting of a fixed but unbounded number of processes executing an identical program. The approach is illustrated on an algorithm for mutual exclusion that contains tests that refer to many shared variables at the same time. We ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
We present an approach to the verification of a multiprocess program consisting of a fixed but unbounded number of processes executing an identical program. The approach is illustrated on an algorithm for mutual exclusion that contains tests that refer to many shared variables at the same time. We analyze the algorithm first under the assumption that these tests are atomic. We then consider the more realistic assumption that they are molecular, i.e. performed by several steps, each reading a single shared variable. We show that the algorithm is correct only for the limited implementation in which the variables are checked in ascending order of indices. This research was supported in part by the National Science Foundation under grant CCR8812595, by the Defense Advanced Research Projects Agency under contract N0003984 C0211, by the United States Air Force Office of Scientific Research under contracts AFOSR 870149 and 880281, and by the European Community ESPRIT Basic Research A...
Predicate Abstraction and Refinement for Verifying MultiThreaded Programs
"... Automated verification of multithreaded programs requires explicit identification of the interplay between interacting threads, socalled environment transitions, to enable scalable, compositional reasoning. Once the environment transitions are identified, we can prove program properties by consider ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Automated verification of multithreaded programs requires explicit identification of the interplay between interacting threads, socalled environment transitions, to enable scalable, compositional reasoning. Once the environment transitions are identified, we can prove program properties by considering each program thread in isolation, as the environment transitions keep track of the interleaving with other threads. Finding adequate environment transitions that are sufficiently precise to yield conclusive results and yet do not overwhelm the verifier with unnecessary details about the interleaving with other threads is a major challenge. In this paper we propose a method for safety verification of multithreaded programs that applies (transition) predicate abstractionbased discovery of environment transitions, exposing a minimal amount of information about the thread interleaving. The crux of our method is an abstraction refinement procedure that uses recursionfree Horn clauses to declaratively state abstraction refinement queries. Then, the queries are resolved by a corresponding constraint solving algorithm. We present preliminary experimental results for mutual exclusion protocols and multithreaded device drivers.
Getting Rid of StoreBuffers in TSO Analysis ⋆
"... Abstract. We propose an approach for reducing the TSO reachability analysis of concurrent programs to their SC reachability analysis, under some conditions on the explored behaviors. First, we propose a linear codetocode translation that takes as input a concurrent program P and produces a concurr ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. We propose an approach for reducing the TSO reachability analysis of concurrent programs to their SC reachability analysis, under some conditions on the explored behaviors. First, we propose a linear codetocode translation that takes as input a concurrent program P and produces a concurrent program P ′ such that, running P ′ under SC yields the same set of reachable (shared) states as running P under TSO with at most k contextswitches for each thread, for a fixed k. Basically, we show that it is possible to use only O(k) additional copies of the shared variables of P as local variables to simulate the store buffers, even if they are unbounded. Furthermore, we show that our translation can be extended so that an unbounded number of contextswitches is possible, under the condition that each write operation sent to the store buffer stays there for at most k contextswitches of the thread. Experimental results show that bugs due to TSO can be detected with small bounds, using offtheshelf SC analysis tools. 1
Automatic Verification of Parameterized Systems
 New York University
, 2005
"... To my parents and the memory of the late Dr. Robert Paige iv Acknowledgements The road leading to the Doctor’s Degree of Philosophy in Computer Science has been a long and winding journey for me. It started with the encouragement of my parents who inseminated in me the love of science and intellectu ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
To my parents and the memory of the late Dr. Robert Paige iv Acknowledgements The road leading to the Doctor’s Degree of Philosophy in Computer Science has been a long and winding journey for me. It started with the encouragement of my parents who inseminated in me the love of science and intellectual fulfillment. At times when I was in serious doubt about my academic choices and was near the point of giving up all my research it always came back to this very basic point. The reality of being a graduate student can be harsh at times, and the experience of being a parttime Ph.D. student and a fulltime working mother is a once in a lifetime adventure, and I am very glad that I had it. For that I owe abundance of thankyous to my husband Cris, whose insistence upon completing the course made me carry on, whose sharing of childcaring and house work gave me most precious time, and whose sense of humor and good spirit melt away my frustrations yet spared me no nonsense. Another per