An Update on STeP: Deductive-Algorithmic Verification of Reactive Systems
- In 8th CAV, 1998
Cited by 50 (9 self)
The Stanford Temporal Prover, STeP, is a tool for the computer-aided formal verification of reactive systems, including real-time and hybrid systems, based on their temporal specification. STeP integrates methods for deductive and algorithmic verification, including model checking, theorem proving, automatic invariant generation, abstraction and modular reasoning. We describe the most recent version of STeP, Version 2.0.
Deductive verification of real-time systems using STeP
- Computer Science Department, Stanford University, 1998
Cited by 26 (8 self)
We present a modular framework for proving temporal properties of real-time systems, based on clocked transition systems and linear-time temporal logic. We show how deductive verification rules, verification diagrams, and automatic invariant generation can be used to establish properties of real-time systems in this framework. We also discuss global and modular proofs of the branching-time property of nonZenoness. As an example, we present the mechanical verification of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.
Verifying temporal properties of reactive systems: A STeP tutorial
- Formal Methods in System Design, 2000
Cited by 20 (5 self)
We review a number of formal verification techniques supported by STeP, the Stanford Temporal Prover, describing how the tool can be used to verify properties of several versions of the Bakery algorithm for mutual exclusion. We verify the classic two-process algorithm and simple variants, as well as an atomic parameterized version. The methods used include deductive verification rules, verification diagrams, automatic invariant generation, and finite-state model checking and abstraction.
Visual Abstractions for Temporal Verification
- 1998
Cited by 17 (9 self)
Generalized Verification Diagrams combine deductive and algorithmic verification to establish general temporal properties of finite and infinite-state reactive systems. The diagram serves as an abstraction of the system. This abstraction is deductively justified and algorithmically model checked. We present a new simple class of verification diagrams, using Müller acceptance conditions, and show how they can be used to verify general temporal properties of reactive systems.
Compositional May-Must Program Analysis: Unleashing the Power of Alternation
Cited by 12 (4 self)
Program analysis tools typically compute two types of information: (1) may information that is true of all program executions and is used to prove the absence of bugs in the program, and (2) must information that is true of some program executions and is used to prove the existence of bugs in the program. In this paper, we propose a new algorithm, dubbed SMASH, which computes both may and must information compositionally. At each procedure boundary, may and must information is represented and stored as may and must summaries, respectively. Those summaries are computed in a demand-driven manner and possibly using summaries of the opposite type. We have implemented SMASH using predicate abstraction (as in SLAM) for the may part and using dynamic test generation (as in DART) for the must part. Results of experiments with 69 Microsoft Windows Vista device drivers show that SMASH can significantly outperform may-only, must-only and non-compositional may-must algorithms. Indeed, our empirical results indicate that most complex code fragments in large programs are actually often either easy to prove irrelevant to the specific property of interest using may analysis or easy to traverse using directed testing. The fine-grained coupling and alternation of may (universal) and must (existential) summaries allows SMASH to easily navigate through these code fragments while traditional may-only, must-only or non-compositional may-must algorithms are stuck in their specific analyses.
Combinations of model checking and theorem proving
- Proceedings of the Third Intl. Workshop on Frontiers of Combining Systems, volume 1794 of LNCS, 2000
Cited by 11 (0 self)
The two main approaches to the formal verification of reactive systems are based, respectively, on model checking (algorithmic verification) and theorem proving (deductive verification). These two approaches have complementary strengths and weaknesses, and their combination promises to enhance the capabilities of each. This paper surveys a number of methods for doing so. As is often the case, the combinations can be classified according to how tightly the different components are integrated, their range of application, and their degree of automation.
Comparing abstraction refinement algorithms
- Electr. Notes Theor. Comput. Sci., 2003
Cited by 2 (0 self)
We present a generic algorithm that provides a unifying scheme for the comparison of abstraction refinement algorithms. It is centered around the notion of refinement cue which generalizes counterexamples. It is demonstrated how the essential features of several refinement algorithms can be captured as instances. We argue that the generic algorithm does not limit the completeness of instances, and show that the proposed generalization of counterexamples is necessary for completeness — thus addressing a shortcoming of more limited notions of counterexample-guided refinement.
Validation of Contracts using Enabledness Preserving Finite State Abstractions
Cited by 2 (1 self)
Pre/post condition-based specifications are commonplace in a variety of software engineering activities that range from requirements through to design and implementation. The fragmented nature of these specifications can hinder validation as it is difficult to understand if the specifications for the various operations fit together well. In this paper we propose a novel technique for automatically constructing abstractions in the form of behaviour models from pre/post condition-based specifications. The level of abstraction at which such models are constructed preserves enabledness of sets of operations, resulting in a finite model that is intuitive to validate and which facilitates tracing back to the specification for debugging. The paper also reports on the application of the approach to an industrial strength protocol specification in which concerns were identified.
Verifying Liveness by Augmented Abstraction
- In Annual Conference of the European Association for Computer Science Logic (CSL'99), Lect. Notes in Comp. Sci., 1999
Cited by 1 (1 self)
Yonit Kesten and Amir Pnueli
The paper deals with the proof method of verification by augmented finitary abstraction (vaa), which presents an effective approach to the verification of the temporal properties of (potentially infinite-state) reactive systems. The method consists of a two-step process by which, in a first step, the system and its temporal specification are combined and then abstracted into a finite-state Büchi automaton. The second step uses model checking to establish emptiness of the abstracted automaton. The vaa method can be considered as a viable alternative to verification by temporal deduction which, up to now, has been the main method shown to be complete for the verification of infinite-state systems. The paper presents a general recipe for the abstraction of Büchi automata which is shown to be sound, where soundness means that emptiness of the abstract automaton implies emptiness of the concrete (infinite-state) automaton. To ...
General Terms
Software engineering artefacts that define behaviour tend to be of a fragmented nature in order to facilitate their construction, modification, and modular reasoning (e.g. modular code, pre/post-condition specifications). However, fragmentation makes the validation of global behaviour difficult. Typically, synthesis techniques that yield global representations of large and potentially infinite state spaces are used in combination with simulation, animation or partial explorations, techniques which necessarily lose the global view of system behaviour. I aim to develop abstraction-for-validation techniques that automatically produce finite state abstractions that are sufficiently small to support validating the emergent behaviour of a fragmented description "at a glance".

