Results 1 - 7 of 7
Bounded model checking and induction: From refutation to verification (extended abstract, category A)
 Proceedings of the 15th International Conference on Computer Aided Verification, CAV 2003, volume 2725 of Lecture Notes in Computer Science
Cited by 54 (8 self)
Abstract. We explore the combination of bounded model checking and induction for proving safety properties of infinite-state systems. In particular, we define a general k-induction scheme and prove completeness thereof. A main characteristic of our methodology is that strengthened invariants are generated from failed k-induction proofs. This strengthening step requires quantifier elimination, and we propose a lazy quantifier-elimination procedure, which delays expensive computations of disjunctive normal forms when possible. The effectiveness of induction based on bounded model checking and invariant strengthening is demonstrated using infinite-state systems ranging from communication protocols to timed automata and (linear) hybrid automata.

1 Introduction

Bounded model checking (BMC) [5, 4, 7] is often used for refutation, where one systematically searches for counterexamples whose length is bounded by some integer k. The bound k is increased until a bug is found, or some precomputed completeness threshold is reached. Unfortunately, the computation of completeness thresholds is usually prohibitively expensive and these thresholds may be too large to effectively explore the associated bounded search space. In addition, such completeness thresholds do not exist for many infinite-state systems.
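The abstract above describes the two halves of k-induction (a BMC base case and an inductive step over k consecutive states) and the way a failed inductive step is turned into a strengthened invariant. The following is an added example, not code from the paper: the paper works on infinite-state systems with a decision procedure and lazy quantifier elimination, whereas this script runs on a tiny finite system so that both checks can be done by enumerating paths. The system, its property, all names and the hand-written strengthening are constructed for this example.

```python
"""k-induction on a small finite transition system (added example, not
code from the paper; the system and all names are constructed here)."""

# Toy system: a three-statement loop over a program counter pc and a 3-bit
# register x.   pc=0: x := 1    pc=1: x := x + 1 (mod 8)    pc=2: x := 0
STATES = [(pc, x) for pc in range(3) for x in range(8)]

def initial(s):
    return s == (0, 0)

def step(s):
    """Successors of s (the toy system is deterministic, so exactly one)."""
    pc, x = s
    if pc == 0:
        return [(1, 1)]
    if pc == 1:
        return [(2, (x + 1) % 8)]
    return [(0, 0)]

def safe(s):
    """Safety property P: whenever pc == 2 the register holds 2."""
    pc, x = s
    return pc != 2 or x == 2

def strengthened(s):
    """P conjoined with the auxiliary invariant suggested by the k=1 CTI
    (written by hand here; the paper derives such strengthenings from
    the failed proof)."""
    pc, x = s
    return safe(s) and (pc != 1 or x == 1)

def paths(starts, length):
    """All paths with `length` transitions that begin in one of `starts`."""
    frontier = [(s,) for s in starts]
    for _ in range(length):
        frontier = [p + (t,) for p in frontier for t in step(p[-1])]
    return frontier

def k_induction(prop, k):
    """Returns ("refuted", trace) when the BMC base case finds a real
    counterexample, ("unknown", cti) when the inductive step fails with a
    counterexample to induction, or ("proved", None)."""
    inits = [s for s in STATES if initial(s)]
    # Base case (BMC): no path of up to k transitions from an initial
    # state leaves prop. A failure here is a genuine, reachable bug.
    for n in range(k + 1):
        for p in paths(inits, n):
            if not prop(p[-1]):
                return "refuted", p
    # Inductive step: k consecutive prop-states starting ANYWHERE (not only
    # in reachable states) must be followed by a prop-state. A failure here
    # need not be reachable: it is a CTI that calls for a larger k or a
    # stronger invariant.
    for p in paths(STATES, k):
        if all(prop(s) for s in p[:-1]) and not prop(p[-1]):
            return "unknown", p
    return "proved", None

if __name__ == "__main__":
    print("k=1:", k_induction(safe, 1))                        # ('unknown', ((1, 0), (2, 1)))
    print("k=2:", k_induction(safe, 2))                        # ('proved', None)
    print("k=1, strengthened:", k_induction(strengthened, 1))  # ('proved', None)
```

With k=1 the inductive step fails on the path (1, 0) -> (2, 1): the state (1, 0) is not reachable, but plain 1-induction cannot know that, which is exactly the situation the paper addresses. Either raising k to 2 or strengthening P with "pc == 1 implies x == 1" makes the proof go through; the paper's contribution is to derive that strengthening automatically from the failed proof, which here is done by hand.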
An Overview of Formal Verification for the Time-Triggered Architecture
, 2002
Cited by 25 (3 self)
We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications.
Proving the Correctness of Simpson's 4-slot ACM Using an Assertional Rely-Guarantee Proof Method
, 2003
Cited by 4 (0 self)
This paper describes a rely-guarantee proof to show that Simpson's 4-slot single-reader, single-writer ACM is Lamport atomic (as described fully in the paper). First an abstract ACM specification is proved Lamport atomic using an exhaustive assertional method. A formal model of Simpson's 4-slot is then given and this has been proved to be a refinement of the abstract specification using Nipkow's retrieve relation rule. Simpson's 4-slot is then shown to be Lamport atomic using an interleaved concurrency rely-guarantee proof method for shared variable concurrency.
Ramifications of Metastability in Bit Variables Explored via Simpson's 4-Slot Mechanism
, 2003
Cited by 2 (0 self)
Protocol descriptions often fail to take metastability into account. Metastability, however, can undermine protocols which depend on shared bits. In this paper, a series of increasingly realistic models of bits are developed in CSP, to explore the implications of metastability for Simpson's 4-Slot asynchronous communication mechanism. It is shown that the 4-Slot mechanism with realistic bit models preserves data-coherence, freshness, and sequencing, and is Lamport-atomic. We demonstrate that metastability can undermine the correctness of protocols demonstrated correct with Lamport-safe models of bits; furthermore, realistic bit models can demonstrate protocols correct which Lamport-safe bit models would suggest were incorrect.
A rely-guarantee proof system for x86-TSO
 In VSTTE
, 2010
Cited by 2 (0 self)
Abstract. Current multiprocessors provide weak or relaxed memory models. Existing program logics assume sequential consistency, and are therefore typically unsound for weak memory. We introduce a novel Rely-Guarantee style proof system for reasoning about x86 assembly programs running against the weak x86-TSO memory model. Interesting features of the logic include processor assertions which can refer to the local state of other processors (including their program counters), and a syntactic operation of closing an assertion under write buffer interference. We use the expressivity of the proof system to construct a new correctness proof for an x86-TSO version of Simpson's four-slot algorithm. Mechanization in the HOL theorem prover provides a flexible tool to support semi-automated verification.
Explanation by refinement and linearisability of two non-blocking shared-variable communication algorithms
 UNDER CONSIDERATION FOR PUBLICATION IN FORMAL ASPECTS OF COMPUTING
Using Lightweight Theorem Proving in an Asynchronous Systems Context
Abstract. As part of the development of a new real-time operating system, an asynchronous communication mechanism, for use between applications, has been implemented in a programming language with an advanced static type system. This mechanism is designed to provide desired properties of asynchronicity, coherency and freshness. We used the features of the type system, including linear and dependent types, to represent and partially prove that the implementation safely upheld coherency and freshness. We believe that the resulting program code forms a good example of how easily linear and dependent types can be applied in practice to prove useful properties of low-level concurrent systems programming, while leaving no traces of runtime overhead.
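Several of the entries above (the rely-guarantee proof, the CSP metastability models, the x86-TSO proof and the typed ACM implementation) are about the same two properties of Simpson's four-slot ACM: coherence (the reader never observes a half-written item) and freshness (a read returns the item published most recently before the read began, or a newer one). The following is an added example, not code from any of those papers: it states Simpson's writer and reader as usually presented (writer: pair := 1 - reading; index := 1 - slot[pair]; data[pair][index] := item; slot[pair] := index; latest := pair. Reader: pair := latest; reading := pair; index := slot[pair]; item := data[pair][index]) and checks both properties by exhaustively exploring every interleaving of one reader and one writer, i.e. a small explicit-state model check rather than the deductive proofs the papers give. Modelling a slot write or read as a begin/end pair, the bounds on writes and reads, all names, and the deliberately broken variant (a writer that picks its pair from `latest` instead of `reading`) are choices made for this example; memory is sequentially consistent and bits are atomic here, so neither the x86-TSO reordering nor the metastability the papers study is modelled.

```python
"""Simpson's 4-slot ACM checked over every reader/writer interleaving.
Added example, not code from the papers listed; the bounds, the begin/end
modelling of slot accesses and the broken variant are constructed here."""
from collections import namedtuple

WRITES, READS = 4, 2   # items 1..WRITES are written; the reader reads twice

State = namedtuple("State", [
    "data", "slot", "latest", "reading",       # Simpson's shared variables
    "wpc", "wpair", "widx", "wnext", "wbusy",  # writer pc, locals, slot mid-write
    "rpc", "rpair", "ridx", "rstart", "rbusy", "nreads",  # reader side
    "last_done"])                              # newest fully published item

INITIAL = State(data=((0, 0), (0, 0)), slot=(0, 0), latest=0, reading=0,
                wpc=0, wpair=0, widx=0, wnext=1, wbusy=None,
                rpc=0, rpair=0, ridx=0, rstart=0, rbusy=None, nreads=0,
                last_done=0)

def put(grid, pair, idx, value):
    """grid[pair][idx] := value on a tuple-of-tuples."""
    row = list(grid[pair]); row[idx] = value
    rows = list(grid); rows[pair] = tuple(row)
    return tuple(rows)

def writer_step(s, use_reading=True):
    """One atomic writer statement; None once the writer has halted.
    use_reading=False is a deliberately broken variant that chooses the
    pair from `latest` instead of `reading`."""
    if s.wpc == 0:   # pair := 1 - reading
        return s._replace(wpc=1, wpair=1 - (s.reading if use_reading else s.latest))
    if s.wpc == 1:   # index := 1 - slot[pair]
        return s._replace(wpc=2, widx=1 - s.slot[s.wpair])
    if s.wpc == 2:   # begin data[pair][index] := item  (non-atomic write)
        return s._replace(wpc=3, wbusy=(s.wpair, s.widx))
    if s.wpc == 3:   # end of the data write
        return s._replace(wpc=4, wbusy=None, data=put(s.data, s.wpair, s.widx, s.wnext))
    if s.wpc == 4:   # slot[pair] := index
        slot = list(s.slot); slot[s.wpair] = s.widx
        return s._replace(wpc=5, slot=tuple(slot))
    if s.wpc == 5:   # latest := pair; the item is now published
        nxt = s.wnext + 1
        return s._replace(wpc=0 if nxt <= WRITES else 6, latest=s.wpair,
                          last_done=s.wnext, wnext=nxt)
    return None

def reader_step(s):
    """One atomic reader statement; None once the reader has halted."""
    if s.rpc == 0:   # pair := latest  (and note the newest item right now)
        return s._replace(rpc=1, rpair=s.latest, rstart=s.last_done)
    if s.rpc == 1:   # reading := pair
        return s._replace(rpc=2, reading=s.rpair)
    if s.rpc == 2:   # index := slot[pair]
        return s._replace(rpc=3, ridx=s.slot[s.rpair])
    if s.rpc == 3:   # begin item := data[pair][index]  (non-atomic read)
        return s._replace(rpc=4, rbusy=(s.rpair, s.ridx))
    if s.rpc == 4:   # end of the read
        n = s.nreads + 1
        return s._replace(rpc=0 if n < READS else 5, rbusy=None, nreads=n)
    return None

def violation(s):
    """Coherence: a slot is never read while it is being written.
    Freshness: a read returns an item at least as new as the newest item
    that was already published when the read started."""
    if s.wbusy is not None and s.wbusy == s.rbusy:
        return "coherence"
    if s.rpc == 4 and s.data[s.rpair][s.ridx] < s.rstart:
        return "freshness"
    return None

def check(use_reading=True):
    """Explore every interleaving; None if both properties hold in every
    state, else (property, trace of executed statements)."""
    stack, seen = [(INITIAL, ())], {INITIAL}
    while stack:
        s, trace = stack.pop()
        bad = violation(s)
        if bad:
            return bad, trace
        for label, nxt in (("W%d" % s.wpc, writer_step(s, use_reading)),
                           ("R%d" % s.rpc, reader_step(s))):
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, trace + (label,)))
    return None

if __name__ == "__main__":
    print("Simpson's 4-slot:", check())
    print("writer ignores `reading`:", check(use_reading=False))
```

The real algorithm passes for these bounds; the broken variant is caught with a coherence violation, and the returned trace is the interleaving that causes it (the reader parks between reading `slot[pair]` and finishing its data read while the writer cycles through both pairs and comes back to the slot the reader is still on). That is the role of the `reading` handshake which the rely-guarantee and refinement proofs above reason about deductively.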