Results 1  10
of
63
Model Checking Programs
, 2003
"... The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this pape ..."
Abstract

Cited by 462 (60 self)
 Add to MetaCart
The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a realtime avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.
Model Checking Java Programs Using Java PathFinder
, 1998
"... . This paper describes a translator called Java PathFinder (Jpf), from Java to Promela, the modeling language of the Spin model checker. Jpf translates a given Java program into a Promela model, which then can be model checked using Spin. The Java program may contain assertions, which are translated ..."
Abstract

Cited by 314 (29 self)
 Add to MetaCart
. This paper describes a translator called Java PathFinder (Jpf), from Java to Promela, the modeling language of the Spin model checker. Jpf translates a given Java program into a Promela model, which then can be model checked using Spin. The Java program may contain assertions, which are translated to similar assertions in the Promela model. The Spin model checker will then look for deadlocks and violations of any stated assertions. Jpf generates a Promela model with the same state space characteristics as the Java program. Hence, the Java program must have a finite and tractable state space. This work should be seen in a broader attempt to make formal methods applicable within NASA's areas such as space, aviation, and robotics. The work is a continuation of an effort to formally analyze, using Spin, a multithreaded operating system for the DeepSpace 1 space craft, and of previous work in applying existing model checkers and theorem provers to real applications. Key words: Program...
PVS: Combining Specification, Proof Checking, and Model Checking
, 1996
"... rem Proving and Typechecking The PVS specification language is based on classical, simply typed higherorder logic, but the type system has been augmented with subtypes and dependent types. Though typechecking is undecidable for the PVS type system, the PVS typechecker automatically checks for simp ..."
Abstract

Cited by 206 (4 self)
 Add to MetaCart
rem Proving and Typechecking The PVS specification language is based on classical, simply typed higherorder logic, but the type system has been augmented with subtypes and dependent types. Though typechecking is undecidable for the PVS type system, the PVS typechecker automatically checks for simple type correctness and generates proof obligations corresponding to predicate subtypes. These proof obligations can be discharged through the use of the PVS proof checker. PVS also has parametric theories so that it is possible to capture, say, the notion of sorting with respect to arbitrary sizes, types, and ordering relations. By exploiting subtyping, dependent typing, and parametric theories, researchers at NASA Langley Research Center and SRI have developed a very general bitvector library. Paul Miner at NASA ? The development of PVS was funded by SRI International through IR&D funds. Various applications and customizations have been funded by NSF Grant CCR9300
Validity Checking for Combinations of Theories with Equality
, 1996
"... . An essential component in many verification methods is a fast decision procedure for validating logical expressions. This paper presents the algorithm used in the Stanford Validity Checker (SVC) which has been used to aid several realistic hardware verification efforts. The logic for this decision ..."
Abstract

Cited by 151 (23 self)
 Add to MetaCart
. An essential component in many verification methods is a fast decision procedure for validating logical expressions. This paper presents the algorithm used in the Stanford Validity Checker (SVC) which has been used to aid several realistic hardware verification efforts. The logic for this decision procedure includes Boolean and uninterpreted functions and linear arithmetic. We have also successfully incorporated other interpreted functions, such as array operations and linear inequalities. The primary techniques which allow a complete and efficient implementation are expression sharing, heuristic rewriting, and congruence closure with interpreted functions. We discuss these techniques and present the results of initial experiments in which SVC is used as a decision procedure in PVS, resulting in dramatic speedups. 1 Introduction Decision procedures are emerging as a central component of formal verification systems. Such a procedure can be included as a component of a generalpurpos...
Using Model Checking to Generate Tests from Requirements Specifications
, 1999
"... Recently, many formal methods, such as the SCR (Software Cost Reduction) requirements method, have been proposed for improving the quality of software specifications. Although improved specifications are valuable, the ultimate objective of software development is to produce software that satisfi ..."
Abstract

Cited by 130 (12 self)
 Add to MetaCart
Recently, many formal methods, such as the SCR (Software Cost Reduction) requirements method, have been proposed for improving the quality of software specifications. Although improved specifications are valuable, the ultimate objective of software development is to produce software that satisfies its requirements. To evaluate the correctness of a software implementation, one can apply blackbox testing to determine whether the implementation, given a sequence of system inputs, produces the correct system outputs. This paper describes a specificationbased method for constructing a suite of test sequences, where a test sequence is a sequence of inputs and outputs for testing a software implementation.
Computing abstractions of infinite state systems compositionally and automatically
 PROCEEDINGS OF CAV ’98
, 1998
"... We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Del ..."
Abstract

Cited by 98 (5 self)
 Add to MetaCart
We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S1 k \Delta \Delta \Delta k Sn of programs and given an abstraction function ff, using our method one can compute an abstract system S a = Sa 1 k \Delta \Delta \Delta k S a n such that S simulates S a. A distinguishing feature of our method is that it does not produce a single abstract state graph but rather preserves the structure of the concrete system. This feature is a prerequisite to benefit from the techniques developed in the context of modelchecking for mitigating the state explosion. Moreover, our method has the advantage that the process of constructing the abstract system does not depend on whether the computation model is synchronous or asynchronous.
Formal Analysis of a Space Craft Controller using SPIN
 In Proceedings of the 4th SPIN workshop
, 1998
"... Abstract. This report documents an application of the nite state model checker Spin to formally verify a multi{threaded plan execution programming language. The plan execution language is one componentof NASA's New Millennium Remote Agent, an arti cial intelligence based spacecraft control system ar ..."
Abstract

Cited by 72 (22 self)
 Add to MetaCart
Abstract. This report documents an application of the nite state model checker Spin to formally verify a multi{threaded plan execution programming language. The plan execution language is one componentof NASA's New Millennium Remote Agent, an arti cial intelligence based spacecraft control system architecture that is scheduled to launch inDecember of 1998 as part of the Deep Space 1 mission to Mars. The language is concretely named Esl (Executive Support Language) and is basically a language designed to support the construction of reactive control mechanisms for autonomous robots and space crafts. It o ers advanced control constructs for managing interacting parallel goalandevent driven processes, and is currently implemented as an extension to amultithreaded Common Lisp. A total of 5 errors were in fact identi ed, 4 of which were important. This is regarded as a very successful result. According to the Remote Agent programming team the e ort has had a major impact, locating errors that would probably not have been
Generating finitestate abstractions of reactive systems using decision procedures
 In: CAV 98: Conference on ComputerAided Verification. Volume 1427 of Lecture Notes in Computer Science., SpringerVerlag
, 1998
"... Abstract. We present an algorithm that uses decision procedures to generate finitestate abstractions of possibly infinitestate systems. The algorithm compositionally abstracts the transitions of the system, relative to a given, fixed set of assertions. Thus, the number of validity checks is propor ..."
Abstract

Cited by 67 (5 self)
 Add to MetaCart
Abstract. We present an algorithm that uses decision procedures to generate finitestate abstractions of possibly infinitestate systems. The algorithm compositionally abstracts the transitions of the system, relative to a given, fixed set of assertions. Thus, the number of validity checks is proportional to the size of the system description, rather than the size of the abstract statespace. The generated abstractions are weakly preserving for ∀CTL * temporal properties. We describe several applications of the algorithm, implemented using the decision procedures of the Stanford Temporal Prover (STeP). 1
The Bounded Retransmission Protocol must be on time!
 THIRD INT. WORKSHOP ON TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS (TACAS'97), LNCS 1217
, 1997
"... This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a propertyoriented way and investigates  using two different techniques  whether a given bounded retransmission protocol conforms to this service. This protocol is ba ..."
Abstract

Cited by 42 (9 self)
 Add to MetaCart
This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a propertyoriented way and investigates  using two different techniques  whether a given bounded retransmission protocol conforms to this service. This protocol is based on the wellknown alternating bit protocol but allows for a bounded number of retransmissions of a chunk, i.e., part of a file, only. So, eventual delivery is not guaranteed and the protocol may abort the file transfer. We investigate to what extent realtime aspects are important to guarantee the protocol's correctness and use Spin and
Symbolic Verification of Lossy Channel Systems: Application to the Bounded Retransmission Protocol
 In TACAS'99. LNCS 1579
, 1999
"... We consider the problem of verifying automatically infinitestate systems that are systems of finite machines that communicate by exchanging messages through unbounded lossy fifo channels. In a previous work [1], we proposed an algorithmic approach based on constructing a symbolic representation ..."
Abstract

Cited by 36 (5 self)
 Add to MetaCart
We consider the problem of verifying automatically infinitestate systems that are systems of finite machines that communicate by exchanging messages through unbounded lossy fifo channels. In a previous work [1], we proposed an algorithmic approach based on constructing a symbolic representation of the set of reachable configurations of a system by means of a class of regular expressions (SREs). The construction of such a representation consists of an iterative computation with an acceleration technique which enhance the chance of convergence. This technique is based on the analysis of the effect of iterating control loops. In the work we present here, we experiment our approach and show how it can be effectively applied. For that, we developed a tool prototype based on the results in [1]. Using this tool, we provide a fully automatic verification of (the parameterized version of) the Bounded Retransmission Protocol, for arbitrary values of the size of the transmitted files, and the allowed number of retransmissions. ? Contact author. 1 1