Results 1  10
of
17
Automatically validating temporal safety properties of interfaces
, 2001
"... We present a process for validating temporal safety properties of software that uses a welldefined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The pro ..."
Abstract

Cited by 385 (20 self)
 Add to MetaCart
We present a process for validating temporal safety properties of software that uses a welldefined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The process is realized in the SLAM toolkit, which consists of a model checker, predicate abstraction tool and predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found that the process converges on a set of predicates powerful enough to validate properties in just a few iterations. 1 Introduction Largescale software has many components built by many programmers. Integration testing of these components is impossible or ineffective at best. Property checking of interface usage provides a way to partially validate such software. In this approach, an interface is augmented with a set of properties that all clients of the interface should respect. An automatic analysis of the client code then validates that it meets the properties, or provides examples of execution paths that violate the properties. The benefit of such an analysis is that errors can be caught early in the coding process. We are interested in checking that a program respects a set of temporal safety properties of the interfaces it uses. Safety properties are the class of properties that state that "something bad does not happen". An example is requiring that a lock is never released without first being acquired (see [24] for a formal definition). Given a program and a safety property, we wish to either validate that the code respects the property, or find an execution path that shows how the code violates the property.
Boolean and Cartesian Abstraction for Model Checking C Programs
, 2001
"... The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemente ..."
Abstract

Cited by 160 (14 self)
 Add to MetaCart
The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a sourcetosource transformation into a `Boolean' C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worstcase complexity but feasible in practice.
Relative Completeness of Abstraction Refinement for Software Model Checking
, 2002
"... Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oraclebased method. More precisely, we a ..."
Abstract

Cited by 59 (4 self)
 Add to MetaCart
Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oraclebased method. More precisely, we ask whether an often implemented method known as "software model checking with abstraction refinement" is complete relative to fixpoint iteration with "oracleguided" widening. We show that whenever backward fixpoint iteration with oracleguided widening succeeds in proving a property' (for some sequence of widenings determined by the oracle) then software model checking with a particular form of backward refinement will succeed in proving'. Intuitively, this means that the use of fixpoint iteration over abstractions and a particular backwards refinement of the abstractions has the effect of exploring the entire state space of all possible sequences of widenings.
An algorithm for strongly connected component analysis in n log n symbolic steps
 Formal Methods in System Design
"... Abstract. We present a symbolic algorithm for strongly connected component decomposition. The algorithm performs �(n log n) image and preimage computations in the worst case, where n is the number of nodes in the graph. This is an improvement over the previously known quadratic bound. The algorithm ..."
Abstract

Cited by 47 (6 self)
 Add to MetaCart
Abstract. We present a symbolic algorithm for strongly connected component decomposition. The algorithm performs �(n log n) image and preimage computations in the worst case, where n is the number of nodes in the graph. This is an improvement over the previously known quadratic bound. The algorithm can be used to decide emptiness of Büchi automata with the same complexity bound, improving Emerson and Lei’s quadratic bound, and emptiness of Streett automata, with a similar bound in terms of nodes. It also leads to an improved procedure for the generation of nonemptiness witnesses.
The Complexity of Temporal Logic Model Checking
, 2002
"... Temporal logic. Logical formalisms for reasoning about time and the timing of events appear in several fields: physics, philosophy, linguistics, etc. Not surprisingly, they also appear in computer science, a field where logic is ubiquitous. Here temporal logics are used in automated reasoning, in pl ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
Temporal logic. Logical formalisms for reasoning about time and the timing of events appear in several fields: physics, philosophy, linguistics, etc. Not surprisingly, they also appear in computer science, a field where logic is ubiquitous. Here temporal logics are used in automated reasoning, in planning, in semantics of programming languages, in artificial intelligence, etc. There is one area of computer science where temporal logic has been unusually successful: the specification and verification of programs and systems, an area we shall just call programming for simplicity. In today's curricula, thousands of programmers first learn about temporal logic in a course on model checking!
Model Checking at IBM
 IN PROC. 9 TH INTERNATIONAL CONFERENCE ON COMPUTER AIDED VERIFICATION (CAV), LNCS 1254
, 2002
"... Over the past nine years, the Formal Methods Group at the IBM Haifa Research Laboratory has made steady progress in developing tools and techniques that make the power of model checking accessible to the community of hardware designers and verification engineers, to the point where it has become an ..."
Abstract

Cited by 22 (8 self)
 Add to MetaCart
Over the past nine years, the Formal Methods Group at the IBM Haifa Research Laboratory has made steady progress in developing tools and techniques that make the power of model checking accessible to the community of hardware designers and verification engineers, to the point where it has become an integral part of the design cycle of many teams. We discuss our approach to the problem of integrating formal methods into an industrial design cycle, and point out those techniques which we have found to be especially effective in an industrial setting.
Abstractionbased satisfiability solving of Presburger arithmetic
 In: Proc. CAV. Volume 3114 of LNCS. (2004) 308–320
, 2004
"... Abstract. We present a new abstractionbased framework for deciding satisfiability of quantifierfree Presburger arithmetic formulas. Given a Presburger formula φ, our algorithm invokes a SAT solver to produce proofs of unsatisfiability of approximations of φ. These proofs are in turn used to genera ..."
Abstract

Cited by 22 (8 self)
 Add to MetaCart
Abstract. We present a new abstractionbased framework for deciding satisfiability of quantifierfree Presburger arithmetic formulas. Given a Presburger formula φ, our algorithm invokes a SAT solver to produce proofs of unsatisfiability of approximations of φ. These proofs are in turn used to generate abstractions of φ as inputs to a theorem prover. The SATencodings of the approximations of φ are obtained by instantiating the variables of the formula over finite domains. The satisfying integer assignments provided by the theorem prover are then used to selectively increase domain sizes and generate fresh SATencodings of φ. The efficiency of this approach derives from the ability of SAT solvers to extract small unsatisfiable cores, leading to small abstracted formulas. We present experimental results which suggest that our algorithm is considerably more efficient than directly invoking the theorem prover on the original formula. 1
Checking Temporal Properties of Software with Boolean Programs
 In Proceedings of the Workshop on Advances in Verification
, 2000
"... A fundamental issue in model checking of software is the choice of a model for software. We present a model called boolean programs that is expressive enough to capture interesting properties of programs and is amenable to model checking. We present a model checking algorithm for boolean programs us ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
A fundamental issue in model checking of software is the choice of a model for software. We present a model called boolean programs that is expressive enough to capture interesting properties of programs and is amenable to model checking. We present a model checking algorithm for boolean programs using contextfreelanguage reachability. The model checking algorithm allows procedure calls with unbounded recursion, exploits locality of variable scopes, and gives short error traces. Furthermore, we give a process for incrementally re ning an initial skeletal boolean program B (representing a source program P ) with respect to a particular reachability query in P . The presence of infeasible paths in P may lead to the model checker reporting false positive errors in B. We show how to re ne B by introducing boolean variables to rule out the infeasible paths. The process uses ideas from model checking and symbolic execution to automatically perform predicate abstraction.
The Control of Synchronous Systems
, 2000
"... . In the synchronous composition of processes, one process may prevent another process from proceeding unless compositions without a wellde ned product behavior are ruled out. They can be ruled out semantically, by insisting on the existence of certain xed points, or syntactically, by equipping ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
. In the synchronous composition of processes, one process may prevent another process from proceeding unless compositions without a wellde ned product behavior are ruled out. They can be ruled out semantically, by insisting on the existence of certain xed points, or syntactically, by equipping processes with types, which make the dependencies between input and output signals transparent. We classify various typing mechanisms and study their eects on the control problem. A static type enforces xed, acyclic dependencies between input and output ports. For example, synchronous hardware without combinational loops can be typed statically. A dynamic type may vary the dependencies from state to state, while maintaining acyclicity, as in levelsensitive latches. Then, two dynamically typed processes can be syntactically compatible, if all pairs of possible dependencies are compatible, or semantically compatible, if in each state the combined dependencies remain acyclic. For a given plant process and control objective, there may be a controller of a static type, or only a controller of a syntactically compatible dynamic type, or only a controller of a semantically compatible dynamic type. We show this to be a strict hierarchy of possibilities, and we present algorithms and determine the complexity of the corresponding control problems. Furthermore, we consider versions of the control problem in which the type of the controller (static or dynamic) is given. We show that the solution of these xedtype control problems requires the evaluation of partially ordered (Henkin) quantiers on boolean formulas, and is therefore harder (nondeterministic exponential time) than more traditional control questions. 1
A Heuristic for the Automatic Generation of Ranking Functions
 Workshop on Advances in Verification
, 2000
"... The duality between invariance and progress is fundamental in proof techniques for the verication of programs. Proving invariance requires the construction of invariants, while progress proofs hinge on the identication of appropriate ranking functions. With the recent interest in automated verica ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
The duality between invariance and progress is fundamental in proof techniques for the verication of programs. Proving invariance requires the construction of invariants, while progress proofs hinge on the identication of appropriate ranking functions. With the recent interest in automated verication techniques, the topic of automatic generation of invariants is facing a revival of interest. In [14] it has been shown that temporal properties of reactive systems can be proven via nitary abstractions if those abstractions comprise a notion of acceptance conditions, like !automata. Based on this, that paper concludes that there is a strong need for devising eective heuristics for generating such conditions. In this note, we address this issue. We suggest a simple heuristic in the spirit of, and combining well with, the popular predicate abstraction approach to the automatic generation and renement of invariants. The presentation is nontechnical and guided by examples. ...