Results 1 - 10 of 24
The synchronous dataflow programming language LUSTRE
Proceedings of the IEEE, 1991
Cited by 420 (40 self)
This paper describes the language Lustre, which is a dataflow synchronous language, designed for programming reactive systems --- such as automatic control and monitoring systems --- as well as for describing hardware. The dataflow aspect of Lustre makes it very close to usual description tools in these domains (block-diagrams, networks of operators, dynamical sampled systems, etc.), and its synchronous interpretation makes it well suited for handling time in programs. Moreover, this synchronous interpretation allows it to be compiled into an efficient sequential program. Finally, the Lustre formalism is very similar to temporal logics. This allows the language to be used for both writing programs and expressing program properties, which results in an original program verification methodology. 1 Introduction Reactive systems Reactive systems have been defined as computing systems which continuously interact with a given physical environment, when this environment is unable to sy...
Verification of Real-Time Systems using Linear Relation Analysis
FORMAL METHODS IN SYSTEM DESIGN, 1997
Cited by 91 (5 self)
Linear Relation Analysis [CH78] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.
Synchronous Observers and the Verification of Reactive Systems
Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente, 1993
Cited by 88 (8 self)
This paper is a survey of our specification and verification techniques, in a very general, language independent, framework. Section 1 introduces a simple model of synchronous input/output machines, which will be used throughout the paper. In section 2, we show how such a machine can be designed to check the satisfaction of a safety property, and we discuss the use of such an observer in program verification. In section 3, we use an observer to restrict the behavior of a machine. This is the basic way for representing assumptions about the environment. Applications to modular and inductive verification are considered. In modular verification, one has to find, by intuition, a property of a subprogram that is strong enough to allow the verification of the whole program without fully considering the subprogram. In section 4, we consider the automatic synthesis of such a property, and in section 5, we investigate the possibility of deducing the subprogram from such a synthesized specification.
Symbolic model checking with rich assertional languages
Theoretical Computer Science, 1997
Cited by 82 (4 self)
The paper shows that, by an appropriate choice of a rich assertional language, it is possible to extend the utility of symbolic model checking beyond the realm of bdd-represented finite-state systems into the domain of infinite-state systems, leading to a powerful technique for uniform verification of unbounded (parameterized) process networks. The main contributions of the paper are a formulation of a general framework for symbolic model checking of infinite-state systems, a demonstration that many individual examples of uniformly verified parameterized designs that appear in the literature are special cases of our general approach, verifying the correctness of the Futurebus+ design for all single-bus configurations, extending the technique to tree architectures, and establishing that the presented method is a precise dual to the top-down invariant generation method used in deductive verification.
Programming and verifying real-time systems by means of the synchronous data-flow language LUSTRE
1994
Cited by 73 (10 self)
We investigate the benefits of using a synchronous data-flow language for programming critical real-time systems. These benefits concern ergonomy --- since the dataflow approach meets traditional description tools used in this domain ---, and ability to support formal design and verification methods. We show, on a simple example, how the language Lustre and its associated verification tool Lesar, can be used to design a program, to specify its critical properties, and to verify these properties. As the language Lustre and its use have been already published in several papers (e.g., [11, 18]), we put particular emphasis on program verification. A preliminary version of this paper has been published in [28]. 1 Introduction It is useless to repeat why real-time programs are among those in which errors can have the most dramatic consequences. Thus, these programs constitute a domain where there is a special need of rigorous design methods. We advocate a "language approach" to this problem...
Automatic Deductive Verification with Invisible Invariants
2001
Cited by 56 (10 self)
The paper presents a method for the automatic verification of a certain class of parameterized systems. These are bounded-data systems consisting of N processes (N being the parameter), where each process is finite-state. First, we show that if we use the standard deductive inv rule for proving invariance properties, then all the generated verification conditions can be automatically resolved by finite-state (bdd-based) methods with no need for interactive theorem proving. Next, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Combining this automatic computation of invariants with the previously mentioned resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying bounded-data parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever being examined by the user, which explains why we refer to them as "invisible". We illustrate the method on a non-trivial example of a cache protocol, provided by Steve German.
Parameterized Verification with Automatically Computed Inductive Assertions
2001
Cited by 55 (9 self)
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic model-checking techniques for both tasks. First, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive inv rule for proving invariance properties can be automatically resolved by finite-state (bdd-based) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever being examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Control and Data Abstraction: The Cornerstones of Practical Formal Verification.
Software Tools for Technology Transfer, 2000
Cited by 31 (9 self)
Yonit Kesten (Dept. of Communication Systems Engineering, Ben Gurion University, Beer-Sheva, Israel, e-mail: ykesten@bgumail.bgu.ac.il), Amir Pnueli (Dept. of Applied Mathematics and Computer Science, the Weizmann Institute of Science, Rehovot, Israel, e-mail: amir@wisdom.weizmann.ac.il). In spite of the impressive progress in the development of the two main methods for formal verification of reactive systems -- Symbolic Model Checking and Deductive Verification -- they are still limited in their ability to handle large systems. It is generally recognized that the only way these methods can ever scale up is by the extensive use of abstraction and modularization, which break the task of verifying a large system into several smaller tasks of verifying simpler systems. In this paper, we review the two main tools of compositionality and abstrac...
Automatic Verification of Parameterized Linear Networks of Processes
IN 24TH ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES, POPL'97, 1997
Cited by 25 (3 self)
This paper describes a method to verify safety properties of parameterized linear networks of processes. The method is based on the construction of a network invariant, defined as a fixpoint. Such invariants can often be automatically computed using heuristics based on Cousot's widening techniques. These techniques have been implemented and some non-trivial examples are presented.
Abstracting WS1S Systems to Verify Parameterized Networks
2000
Cited by 25 (6 self)
We present a method that allows one to verify parameterized networks of finite state processes. Our method is based on three main ideas. The first one consists in modeling an infinite family of networks by a single WS1S transition system, that is, a transition system whose variables are set (2nd-order) variables and whose transitions are described in WS1S. Then, we present methods that allow one to abstract a WS1S system into a finite state system that can be model-checked. Finally, in order to verify liveness properties, we present an algorithm that allows one to enrich the abstract system with strong fairness conditions while preserving safety of the abstraction. We implemented our method in a tool, called pax, and applied it to several examples.