Model checking the AMBA protocol in HOL
Abstract
Theorem proving and model checking have complementary strengths. Theorem proving can be applied to complex systems like complete processors, but it requires skilled manual guidance to verify most properties of practical interest. Model checking is automatic, but can only be applied to relatively small problems (e.g. fragments of processors, bus protocols); however, it provides counter-examples of great use in debugging. The research summarised here aimed to explore new ways to coherently combine the complementary strengths of each method. Two approaches that have been tried in the past are: (i) invoke a checker as an external black box from a prover, and (ii) define the checker entirely inside a prover. The project described here explored a method that is between (i) and (ii). A model checker, holcheck, is defined in a theorem prover (HOL4) using efficient data manipulations provided by an external BDD engine [17, 11] as additional inference rules. Model checking is fully-expansive: it consists of a sequence of simple inference steps using a fixed set of rules, but it is efficient because the performance-critical steps are computed using state-of-the-art algorithms implemented in an external engine. In addition to implementing holcheck, several threads of theorem proving research were also followed. These are motivated and described in the next section.

2 Key Advances and Supporting Methodology

An overview of the main scientific results of the project is listed below.

• Implementation and public release of a fully expansive model checker for the µ-calculus and CTL using a BDD oracle linked to the HOL4 theorem prover. (Amjad [3, 1])
• Implementation in HOL4 of a fully automatic counterexample-guided abstraction refinement framework, using an external SAT oracle (Amjad).
• Case study using the model checker to verify properties of the AMBA bus (Amjad).
• Implementation of ‘boolification’ proof strategies to translate high-level data-types to vectors of booleans suitable for model checking (Hurd in collaboration with Prof. Slind of the