Results 1  10
of
79
Counterexampleguided Abstraction Refinement
, 2000
"... We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techn ..."
Abstract

Cited by 602 (60 self)
 Add to MetaCart
We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Formal Analysis of a Space Craft Controller using SPIN
 In Proceedings of the 4th SPIN workshop
, 1998
"... Abstract. This report documents an application of the nite state model checker Spin to formally verify a multi{threaded plan execution programming language. The plan execution language is one componentof NASA's New Millennium Remote Agent, an arti cial intelligence based spacecraft control system ar ..."
Abstract

Cited by 72 (22 self)
 Add to MetaCart
Abstract. This report documents an application of the nite state model checker Spin to formally verify a multi{threaded plan execution programming language. The plan execution language is one componentof NASA's New Millennium Remote Agent, an arti cial intelligence based spacecraft control system architecture that is scheduled to launch inDecember of 1998 as part of the Deep Space 1 mission to Mars. The language is concretely named Esl (Executive Support Language) and is basically a language designed to support the construction of reactive control mechanisms for autonomous robots and space crafts. It o ers advanced control constructs for managing interacting parallel goalandevent driven processes, and is currently implemented as an extension to amultithreaded Common Lisp. A total of 5 errors were in fact identi ed, 4 of which were important. This is regarded as a very successful result. According to the Remote Agent programming team the e ort has had a major impact, locating errors that would probably not have been
Toolsupported Program Abstraction for Finitestate Verification
 In Proceedings of the 23rd International Conference on Software Engineering
, 2000
"... Numerous researchers have reported success in reasoning about properties of small programs using finitestate verification techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realistic programs, aggressive abstraction of program data will be ..."
Abstract

Cited by 63 (6 self)
 Add to MetaCart
Numerous researchers have reported success in reasoning about properties of small programs using finitestate verification techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realistic programs, aggressive abstraction of program data will be necessary. Furthermore, we believe that to make abstractionbased verification usable by nonexperts significant tool support will be required. In this paper, we describe how several different program analysis and transformation techniques are integrated into the Bandera toolset to provide facilities for abstracting Java programs to produce compact, finitestate models that are amenable to verification, for example via model checking. We illustrate the application of Bandera's abstraction facilities to analyze a realistic multithreaded Java program. 1. Introduction Finitestate verification techniques, such as model checking, are rekindling interest in program verification. Such techniqu...
Infinite state model checking by abstract interpretation and program specialisation
 LogicBased Program Synthesis and Transformation. Proceedings of LOPSTR’99, LNCS 1817
, 2000
"... Abstract. We illustrate the use of logic programming techniques for finite model checking of CTL formulae. We present a technique for infinite state model checking of safety properties based upon logic program specialisation and analysis techniques. The power of the approach is illustrated on severa ..."
Abstract

Cited by 55 (24 self)
 Add to MetaCart
Abstract. We illustrate the use of logic programming techniques for finite model checking of CTL formulae. We present a technique for infinite state model checking of safety properties based upon logic program specialisation and analysis techniques. The power of the approach is illustrated on several examples. For that, the efficient tools logen and ecce are used. We discuss how this approach has to be extended to handle more complicated infinite state systems and to handle arbitrary CTL formulae. 1
Finding Feasible Counterexamples when Model Checking Abstracted Java Programs
 In Proceedings of TACAS
, 2001
"... . Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to lar ..."
Abstract

Cited by 47 (5 self)
 Add to MetaCart
. Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larger systems. Most common abstraction techniques compute an upper approximation of the original program. Thus, when a specification is found true for the abstracted program, it is known to be true for the original program. Finding a specification to be false, however, is inconclusive since the specification may be violated on a behavior in the abstracted program which is not present in the original program. We have extended an explicitstate model checker, Java PathFinder (JPF), to analyze counterexamples in the presence of abstractions. We enhanced JPF to search for "feasible" counterexamples during model checking. Alternatively, an abstract counterexample can be used to guide the simulation of the concrete computation and thereby check feasibility of the counterexample. We demonstrate the effectiveness of these techniques on counterexamples from checks of several multithreaded Java programs. 1
An Overview of SAL
 LFM 2000: Fifth NASA Langley Formal Methods Workshop
, 2000
"... To become practical for assurance formal methods must be made more costeffective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attem ..."
Abstract

Cited by 39 (5 self)
 Add to MetaCart
To become practical for assurance formal methods must be made more costeffective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a framework for combining different tools to calculate properties (i.e., performing symbolic analysis) of concurrent systems. The heart of SAL is a language, developed in collaboration with Stanford, Berkeley, and Verimag, for specifying concurrent systems in a compositional way. Our instantiation of the SAL framework augments PVS with tools for abstraction, invariant generation, program analysis (such as slicing), theorem proving, and model checking to calculate properties (i.e., perform symbolic analysis) of concurrent systems. We describe the motivation, the language, the tools, and their integration in SAL/PVS, and some preliminary experience of their use. ...
An Approach to Symbolic Test Generation
 In Proc. Integrated Formal Methods
, 2000
"... . Test generation is a programsynthesis problem: starting from the formal specification of a system under test, and from a test purpose describing a set of behaviours to be tested, compute a reactive program that observes an implementation of the system to detect nonconformant behaviour, while try ..."
Abstract

Cited by 39 (7 self)
 Add to MetaCart
. Test generation is a programsynthesis problem: starting from the formal specification of a system under test, and from a test purpose describing a set of behaviours to be tested, compute a reactive program that observes an implementation of the system to detect nonconformant behaviour, while trying to control it towards satisfying the test purpose. In this paper we describe an approach for generating symbolic test cases, in the form of inputoutput automata with variables and parameters. 1 Introduction It is widely recognized that testing is an essential component of the full lifecycle of software systems. Among the many di#erent testing techniques, conformance testing [11] is one of the most rigorous. The usual theoretical approach [5, 16] is to consider a formal specification of the intended behaviour of the Implementation Under Test (IUT). It allows to define the notion of conformance relation, which defines the correct implementations with respect to the specification. It also...
Symbolic Verification of Lossy Channel Systems: Application to the Bounded Retransmission Protocol
 In TACAS'99. LNCS 1579
, 1999
"... We consider the problem of verifying automatically infinitestate systems that are systems of finite machines that communicate by exchanging messages through unbounded lossy fifo channels. In a previous work [1], we proposed an algorithmic approach based on constructing a symbolic representation ..."
Abstract

Cited by 36 (5 self)
 Add to MetaCart
We consider the problem of verifying automatically infinitestate systems that are systems of finite machines that communicate by exchanging messages through unbounded lossy fifo channels. In a previous work [1], we proposed an algorithmic approach based on constructing a symbolic representation of the set of reachable configurations of a system by means of a class of regular expressions (SREs). The construction of such a representation consists of an iterative computation with an acceleration technique which enhance the chance of convergence. This technique is based on the analysis of the effect of iterating control loops. In the work we present here, we experiment our approach and show how it can be effectively applied. For that, we developed a tool prototype based on the results in [1]. Using this tool, we provide a fully automatic verification of (the parameterized version of) the Bounded Retransmission Protocol, for arbitrary values of the size of the transmitted files, and the allowed number of retransmissions. ? Contact author. 1 1
Predicate Abstraction of ANSIC Programs using SAT
 Formal Methods in System Design (FMSD), 25:105– 127, September–November
, 2003
"... Predicate abstraction is a major method for verification of software. However, the generation of the abstract Boolean program from the set of predicates and the original program suffers from an exponential number of theorem prover calls as well as from soundness issues. This paper presents a novel t ..."
Abstract

Cited by 30 (5 self)
 Add to MetaCart
Predicate abstraction is a major method for verification of software. However, the generation of the abstract Boolean program from the set of predicates and the original program suffers from an exponential number of theorem prover calls as well as from soundness issues. This paper presents a novel technique that uses an efficient SAT solver for generating the abstract transition relation of ANSIC programs. The SATbased approach computes a more precise and safe abstraction compared to existing predicate abstraction techniques.
Verification by Augmented Finitary Abstraction
 Information and Computation
, 1999
"... . The paper deals with the proof method of verification by finitary abstraction (vfa), which presents a feasible approach to the verification of the temporal properties of (potentially infinitestate) reactive systems. The method consists of a twostep process by which, in a first step, the system a ..."
Abstract

Cited by 29 (11 self)
 Add to MetaCart
. The paper deals with the proof method of verification by finitary abstraction (vfa), which presents a feasible approach to the verification of the temporal properties of (potentially infinitestate) reactive systems. The method consists of a twostep process by which, in a first step, the system and its temporal specification are jointly abstracted into a finitestate system and a finitestate specification. The second step uses model checking to establish the validity of the abstracted property over the abstracted system. The vfa method can be considered as a viable alternative to verification by temporal deduction which, up to now, has been the main method generally applicable for verification of infinitestate systems. The paper presents a general recipe for the joint abstraction, which is shown to be sound , where soundness means that validity over the abstract system implies validity over the concrete (original) system. To make the method applicable for the verification of liven...