We present a process for validating temporal safety properties of software that uses a well-defined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The process is realized in the SLAM toolkit, which consists of a model checker, predicate abstraction tool and predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found that the process converges on a set of predicates powerful enough to validate properties in just a few iterations. 1 Introduction Large-scale software has many components built by many programmers. Integration testing of these components is impossible or ineffective at best. Property checking of interface usage provides a way to partially validate such software. In this approach, an interface is augmented with a set of properties that all clients of the interface should respect. An automatic analysis of the client code then validates that it meets the properties, or provides examples of execution paths that violate the properties. The benefit of such an analysis is that errors can be caught early in the coding process. We are interested in checking that a program respects a set of temporal safety properties of the interfaces it uses. Safety properties are the class of properties that state that "something bad does not happen". An example is requiring that a lock is never released without first being acquired (see [24] for a formal definition). Given a program and a safety property, we wish to either validate that the code respects the property, or find an execution path that shows how the code violates the property.

The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a source-to-source transformation into a `Boolean' C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worst-case complexity but feasible in practice.

Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oracle-based method. More precisely, we ask whether an often implemented method known as "software model checking with abstraction refinement" is complete relative to fixpoint iteration with "oracle-guided" widening. We show that whenever backward fixpoint iteration with oracle-guided widening succeeds in proving a property' (for some sequence of widenings determined by the oracle) then software model checking with a particular form of backward refinement will succeed in proving'. Intuitively, this means that the use of fixpoint iteration over abstractions and a particular backwards refinement of the abstractions has the effect of exploring the entire state space of all possible sequences of widenings.

Abstract. We present a symbolic algorithm for strongly connected component decomposition. The algorithm performs �(n log n) image and preimage computations in the worst case, where n is the number of nodes in the graph. This is an improvement over the previously known quadratic bound. The algorithm can be used to decide emptiness of Büchi automata with the same complexity bound, improving Emerson and Lei’s quadratic bound, and emptiness of Streett automata, with a similar bound in terms of nodes. It also leads to an improved procedure for the generation of nonemptiness witnesses.

Temporal logic. Logical formalisms for reasoning about time and the timing of events appear in several fields: physics, philosophy, linguistics, etc. Not surprisingly, they also appear in computer science, a field where logic is ubiquitous. Here temporal logics are used in automated reasoning, in planning, in semantics of programming languages, in artificial intelligence, etc. There is one area of computer science where temporal logic has been unusually successful: the specification and verification of programs and systems, an area we shall just call programming for simplicity. In today's curricula, thousands of programmers first learn about temporal logic in a course on model checking!

Over the past nine years, the Formal Methods Group at the IBM Haifa Research Laboratory has made steady progress in developing tools and techniques that make the power of model checking accessible to the community of hardware designers and verification engineers, to the point where it has become an integral part of the design cycle of many teams. We discuss our approach to the problem of integrating formal methods into an industrial design cycle, and point out those techniques which we have found to be especially effective in an industrial setting.

Abstract. We present a new abstraction-based framework for deciding satisfiability of quantifier-free Presburger arithmetic formulas. Given a Presburger formula φ, our algorithm invokes a SAT solver to produce proofs of unsatisfiability of approximations of φ. These proofs are in turn used to generate abstractions of φ as inputs to a theorem prover. The SAT-encodings of the approximations of φ are obtained by instantiating the variables of the formula over finite domains. The satisfying integer assignments provided by the theorem prover are then used to selectively increase domain sizes and generate fresh SAT-encodings of φ. The efficiency of this approach derives from the ability of SAT solvers to extract small unsatisfiable cores, leading to small abstracted formulas. We present experimental results which suggest that our algorithm is considerably more efficient than directly invoking the theorem prover on the original formula. 1

A fundamental issue in model checking of software is the choice of a model for software. We present a model called boolean programs that is expressive enough to capture interesting properties of programs and is amenable to model checking. We present a model checking algorithm for boolean programs using context-free-language reachability. The model checking algorithm allows procedure calls with unbounded recursion, exploits locality of variable scopes, and gives short error traces. Furthermore, we give a process for incrementally re ning an initial skeletal boolean program B (representing a source program P ) with respect to a particular reachability query in P . The presence of infeasible paths in P may lead to the model checker reporting false positive errors in B. We show how to re ne B by introducing boolean variables to rule out the infeasible paths. The process uses ideas from model checking and symbolic execution to automatically perform predicate abstraction.

. In the synchronous composition of processes, one process may prevent another process from proceeding unless compositions without a wellde ned product behavior are ruled out. They can be ruled out semantically, by insisting on the existence of certain xed points, or syntactically, by equipping processes with types, which make the dependencies between input and output signals transparent. We classify various typing mechanisms and study their eects on the control problem. A static type enforces xed, acyclic dependencies between input and output ports. For example, synchronous hardware without combinational loops can be typed statically. A dynamic type may vary the dependencies from state to state, while maintaining acyclicity, as in level-sensitive latches. Then, two dynamically typed processes can be syntactically compatible, if all pairs of possible dependencies are compatible, or semantically compatible, if in each state the combined dependencies remain acyclic. For a given plant process and control objective, there may be a controller of a static type, or only a controller of a syntactically compatible dynamic type, or only a controller of a semantically compatible dynamic type. We show this to be a strict hierarchy of possibilities, and we present algorithms and determine the complexity of the corresponding control problems. Furthermore, we consider versions of the control problem in which the type of the controller (static or dynamic) is given. We show that the solution of these xed-type control problems requires the evaluation of partially ordered (Henkin) quantiers on boolean formulas, and is therefore harder (nondeterministic exponential time) than more traditional control questions. 1

The duality between invariance and progress is fundamental in proof techniques for the verication of programs. Proving invariance requires the construction of invariants, while progress proofs hinge on the identication of appropriate ranking functions. With the recent interest in automated verication techniques, the topic of automatic generation of invariants is facing a revival of interest. In [14] it has been shown that temporal properties of reactive systems can be proven via nitary abstractions if those abstractions comprise a notion of acceptance conditions, like !-automata. Based on this, that paper concludes that there is a strong need for devising eective heuristics for generating such conditions. In this note, we address this issue. We suggest a simple heuristic in the spirit of, and combining well with, the popular predicate abstraction approach to the automatic generation and renement of invariants. The presentation is non-technical and guided by examples. ...