Results 1-10 of 17
Lazy theorem proving for bounded model checking over infinite domains
2002
Cited by 73 (11 self)
Abstract. We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula φ with domain-specific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification φ. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving.

1 Introduction

Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finite-state systems but also to certain infinite-state systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a Boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicit-state model checkers enumerate the set of reachable states of the system.
Relative Completeness of Abstraction Refinement for Software Model Checking
2002
Cited by 59 (4 self)
Automated methods for an undecidable class of verification problems cannot be complete (terminate for every correct program). We therefore consider a new kind of quality measure for such methods, which is completeness relative to a (powerful but unrealistic) oracle-based method. More precisely, we ask whether an often implemented method known as "software model checking with abstraction refinement" is complete relative to fixpoint iteration with "oracle-guided" widening. We show that whenever backward fixpoint iteration with oracle-guided widening succeeds in proving a property φ (for some sequence of widenings determined by the oracle) then software model checking with a particular form of backward refinement will succeed in proving φ. Intuitively, this means that the use of fixpoint iteration over abstractions and a particular backwards refinement of the abstractions has the effect of exploring the entire state space of all possible sequences of widenings.
Finding Feasible Counterexamples when Model Checking Abstracted Java Programs
In Proceedings of TACAS, 2001
Cited by 47 (5 self)
Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larger systems. Most common abstraction techniques compute an upper approximation of the original program. Thus, when a specification is found true for the abstracted program, it is known to be true for the original program. Finding a specification to be false, however, is inconclusive since the specification may be violated on a behavior in the abstracted program which is not present in the original program. We have extended an explicit-state model checker, Java PathFinder (JPF), to analyze counterexamples in the presence of abstractions. We enhanced JPF to search for "feasible" counterexamples during model checking. Alternatively, an abstract counterexample can be used to guide the simulation of the concrete computation and thereby check feasibility of the counterexample. We demonstrate the effectiveness of these techniques on counterexamples from checks of several multithreaded Java programs.
Predicate Abstraction with Minimum Predicates
In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), 2003
Cited by 30 (8 self)
Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requirements) in the number of predicates involved. If a property can be proven to hold or not hold based on a given finite set of predicates P, the procedure we propose in this paper finds automatically a minimal subset of P that is sufficient for the proof. We explain how our technique can be used for more efficient verification of C programs. Our experiments show that predicate minimization can result in a significant reduction of both verification time and memory usage compared to earlier methods.
Multiple-Counterexample Guided Iterative Abstraction Refinement: An Industrial Evaluation
2003
Cited by 24 (0 self)
In this paper, we describe a completely automated framework for iterative abstraction refinement that is fully integrated into a formal-verification environment. This environment consists of three basic software tools: Forecast, a BDD-based model checker, Thunder, a SAT-based bounded model checker, and MCE, a technology for multiple-counterexample analysis. In our framework, the initial abstraction is chosen relative to the property under verification. The abstraction is model checked by Forecast; in case of failure, a counterexample is returned. Our framework includes an abstract counterexample analyzer module that applies techniques for bounded model checking to check whether the abstract counterexample holds in the concrete model. If it does, it is extended to a concrete counterexample. This important capability is provided as a separate tool that also addresses one of the major problems of verification by manual abstraction.
Checking Temporal Properties of Software with Boolean Programs
In Proceedings of the Workshop on Advances in Verification, 2000
Cited by 16 (0 self)
A fundamental issue in model checking of software is the choice of a model for software. We present a model called boolean programs that is expressive enough to capture interesting properties of programs and is amenable to model checking. We present a model checking algorithm for boolean programs using context-free-language reachability. The model checking algorithm allows procedure calls with unbounded recursion, exploits locality of variable scopes, and gives short error traces. Furthermore, we give a process for incrementally refining an initial skeletal boolean program B (representing a source program P) with respect to a particular reachability query in P. The presence of infeasible paths in P may lead to the model checker reporting false positive errors in B. We show how to refine B by introducing boolean variables to rule out the infeasible paths. The process uses ideas from model checking and symbolic execution to automatically perform predicate abstraction.
Localization and register sharing for predicate abstraction
In TACAS, 2005
Cited by 14 (6 self)
Abstract. In the domain of software verification, predicate abstraction has emerged to be a powerful and popular technique for extracting finite-state models from often complex source code. In this paper, we report on the application of three techniques for improving the performance of the predicate abstraction refinement loop. The first technique allows faster computation of the abstraction. Instead of maintaining a global set of predicates, we find predicates relevant to various basic blocks of the program by weakest precondition propagation along spurious program traces. The second technique enables faster model checking of the abstraction by reducing the number of state variables in the abstraction. This is done by reusing Boolean variables to represent different predicates in the abstraction in a safe way. However, some predicates are useful at many program locations and discovering them lazily in various parts of the program leads to a large number of abstraction refinement iterations. The third technique attempts to identify such predicates early in the abstraction refinement loop and handles them separately by introducing dedicated state variables for such predicates. We have incorporated these techniques into NEC’s software verification tool FSoft, and present promising experimental results for various case studies using these techniques.
Combinations of model checking and theorem proving
Proceedings of the Third Intl. Workshop on Frontiers of Combining Systems, volume 1794 of LNCS, 2000
Cited by 11 (0 self)
Abstract. The two main approaches to the formal verification of reactive systems are based, respectively, on model checking (algorithmic verification) and theorem proving (deductive verification). These two approaches have complementary strengths and weaknesses, and their combination promises to enhance the capabilities of each. This paper surveys a number of methods for doing so. As is often the case, the combinations can be classified according to how tightly the different components are integrated, their range of application, and their degree of automation.
High Integrity Hardware-Software Codesign
2004
Cited by 4 (2 self)
Programmable logic devices (PLDs) are increasing in complexity and speed, and are being used as important components in safety-critical systems. Methods for developing high-integrity software for these systems are well-known, but this is not true for programmable logic. We propose a process for developing a system incorporating software and PLDs, suitable for safety-critical systems of the highest levels of integrity. This process incorporates the use of Synchronous Receptive Process Theory as a semantic basis for specifying and proving properties of programs executing on PLDs, and extends the use of SPARK Ada from a programming language for safety-critical systems software to cover the interface between software and programmable logic. We have validated this approach through the specification and development of a substantial safety-critical system incorporating both software and programmable logic components, and the development of tools to support this work. This enables us to claim that the methods demonstrated are not only feasible but also scale up to realistic system sizes, allowing development of such safety-critical software-hardware systems to the levels required by current system safety standards.
Automatic Abstraction in Model Checking
2000
Cited by 4 (0 self)
As technology advances and demand for higher performance increases, hardware designs are becoming more and more sophisticated. A typical chip design may contain over ten million switching devices. Since the systems become more and more complex, detecting design errors for systems of such scale becomes extremely difficult. Formal verification methodologies can potentially catch subtle design errors. However, many state-of-the-art formal verification tools suffer from the state explosion problem. This thesis explores abstraction techniques to avoid the state explosion problem. In our methodology, atomic formulas extracted from an SMV-like concurrent program are used to construct abstraction functions. The initial abstract structure is built by using existential abstraction techniques. When the model checker disproves a universal property on the abstract structure, it generates a counterexample. However, this abstract counterexample might be spurious because abstraction is not complete. We provide a new symbolic algorithm to determine whether an abstract counterexample is spurious. When a counterexample is identified to be spurious, the algorithm will compute the shortest prefix of the abstract counterexample that does not correspond to an actual trace in the concrete model. The last abstract state in this prefix is split into less abstract states so that the spurious counterexample is eliminated. Thus, a more refined abstraction function is obtained. It is usually desirable to obtain the coarsest refinement which eliminates the counterexample because this corresponds to the smallest abstract model that avoids the spurious counterexample. We prove, however, that finding the coarsest refinement is NP-hard. Because of this, we use a polynomial-time algorithm which gives a su...