Results 1  10
of
45
Validating SAT solvers using an independent resolutionbased checker: Practical implementations and other applications
 In Proceedings of DATE
, 2003
"... As the use of SAT solvers as core engines in EDA applications grows, it becomes increasingly important to validate their correctness. In this paper, we describe the implementation of an independent resolutionbased checking procedure that can check the validity of unsatisfiable claims produced by th ..."
Abstract

Cited by 135 (6 self)
 Add to MetaCart
(Show Context)
As the use of SAT solvers as core engines in EDA applications grows, it becomes increasingly important to validate their correctness. In this paper, we describe the implementation of an independent resolutionbased checking procedure that can check the validity of unsatisfiable claims produced by the SAT solver zchaff. We examine the practical implementation issues of such a checker and describe two implementations with different pros and cons. Experimental results show low overhead for the checking process. Our checker can work with many other modern SAT solvers with minor modifications, and it can provide information for debugging when checking fails. Finally we describe additional results that can be obtained by the validation process and briefly discuss their applications. 1. Introduction and Previous
TemporalSafety Proofs for Systems Code
, 2002
"... We present a methodology and tool for verifying and certifying systems code. The veri cation is based on the lazyabstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically re ne the a ..."
Abstract

Cited by 87 (11 self)
 Add to MetaCart
(Show Context)
We present a methodology and tool for verifying and certifying systems code. The veri cation is based on the lazyabstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically re ne the abstraction based on counterexample analysis. The certi cation is based on the proofcarrying code paradigm. Lazy abstraction enables the automatic construction of small proof certi cates. The methodology is implemented in Blast, the Berkeley Lazy Abstraction Software veri cation Tool. We describe our experience applying Blast to Linux and Windows device drivers. Given the C code for a driver and for a temporalsafety monitor, Blast automatically generates an easily checkable correctness certi cate if the driver satis es the speci cation, and an error trace otherwise.
The existence of finite abstractions for branching time model checking
 In LICS (2004
"... Abstraction is often essential to verify a program with model checking. Typically, a concrete source program with an infinite (or finite, but large) state space is reduced to a small, finite state, abstract program on which a correctness property can be checked. The fundamental question we investig ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
Abstraction is often essential to verify a program with model checking. Typically, a concrete source program with an infinite (or finite, but large) state space is reduced to a small, finite state, abstract program on which a correctness property can be checked. The fundamental question we investigate in this paper is whether such a reduction to finite state programs is always possible, for arbitrary branching time temporal properties. We begin by showing that existing abstraction frameworks are inherently incomplete for verifying purely existential or mixed universalexistential properties. We then propose a new, complete abstraction framework which is based on a class of focused transition systems (FTS’s). The key new feature in FTS’s is a way of “focusing ” an abstract state to a set of more precise abstract states. While focus operators have been defined for specific contexts, this result shows their fundamental usefulness for proving nonuniversal properties. The constructive completeness proof provides linear size maximal models for properties expressed in logics such as CTL and the mucalculus. This substantially improves upon known (worstcase) exponential size constructions for their universal fragments. 1.
A gamebased framework for CTL counterexamples and 3valued abstractionrefinement
 In Computer Aided Verification (CAV), LNCS 2725
, 2003
"... Abstract. This work exploits and extends the gamebased framework of CTL model checking for counterexample and incremental abstractionrefinement. We define a gamebased CTL model checking for abstract models over the 3valued semantics, which can be used for verification as well as refutation. The ..."
Abstract

Cited by 27 (6 self)
 Add to MetaCart
(Show Context)
Abstract. This work exploits and extends the gamebased framework of CTL model checking for counterexample and incremental abstractionrefinement. We define a gamebased CTL model checking for abstract models over the 3valued semantics, which can be used for verification as well as refutation. The model checking may end with an indefinite result, in which case we suggest a new notion of refinement, which eliminates indefinite results of the model checking. This provides an iterative abstractionrefinement framework. It is enhanced by an incremental algorithm, where refinement is applied only where indefinite results exist and definite results from prior iterations are used within the model checking algorithm. We also define the notion of annotated counterexamples, which are sufficient and minimal counterexamples for full CTL. We present an algorithm that uses the game board of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula. 1
Solving existentially quantified Horn clauses
 IN CAV
, 2013
"... Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multithreaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with wellfoundedness condit ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
(Show Context)
Temporal verification of universal (i.e., valid for all computation paths) properties of various kinds of programs, e.g., procedural, multithreaded, or functional, can be reduced to finding solutions for equations in form of universally quantified Horn clauses extended with wellfoundedness conditions. Dealing with existential properties (e.g., whether there exists a particular computation path), however, requires solving forallexists quantified Horn clauses, where the conclusion part of some clauses contains existentially quantified variables. For example, a deductive approach to CTL verification reduces to solving such clauses. In this paper we present a method for solving forallexists quantified Horn clauses extended with wellfoundedness conditions. Our method is based on a counterexampleguided abstraction refinement scheme to discover witnesses for existentially quantified variables. We also present an application of our solving method to automation of CTL verification of software, as well as its experimental evaluation.
A type system equivalent to a model checker
 In Proc. of the European Symp. on Prog
, 2005
"... Type systems and model checking are two prevalent approaches to program verification. A prominent difference between them is that type systems are typically defined in a syntactic and modular style whereas model checking is usually performed in a semantic and wholeprogram style. This difference bet ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
(Show Context)
Type systems and model checking are two prevalent approaches to program verification. A prominent difference between them is that type systems are typically defined in a syntactic and modular style whereas model checking is usually performed in a semantic and wholeprogram style. This difference between the two approaches lends them complementary to each other: type systems are good at explaining why a program was accepted while model checkers are good at explaining why a program was rejected. We present a type system that is equivalent to a model checker for verifying temporal safety properties of imperative programs. The model checker is natural and may be instantiated with any finitestate abstraction scheme such as predicate abstraction. The type system, which is also parametric, type checks exactly those programs that are accepted by the model checker. It uses function types to capture flow sensitivity and intersection and union types to capture context sensitivity. Our result sheds light on the relationship between the two approaches, provides a methodology for studying their relative expressiveness, is a step towards sharing results between them, and motivates synergistic program analyses involving interplay between them.
Prooflike CounterExamples
 In Tools and Algorithms for the Construction and Analysis of Systems
, 2003
"... Counterexamples explain why a desired temporal logic property fails to hold, and as such considered to be the most useful form of output from modelcheckers. ..."
Abstract

Cited by 19 (7 self)
 Add to MetaCart
(Show Context)
Counterexamples explain why a desired temporal logic property fails to hold, and as such considered to be the most useful form of output from modelcheckers.
A Framework for Counterexample Generation and Exploration
 In Proceedings of Fundamental Approaches to Software Engineering (FASE’05), volume 3442 of LNCS
, 2005
"... Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexamp ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
Abstract. Modelchecking is becoming an accepted technique for debugging hardware and software systems. Debugging is based on the “Check / Analyze / Fix ” loop: check the system against a desired property, producing a counterexample when the property fails to hold; analyze the generated counterexample to locate the source of the error; fix the flawed artifact – the property or the model. The success of modelchecking nontrivial systems critically depends on making this Check / Analyze / Fix loop as tight as possible. In this paper, we concentrate on the Analyze part of the debugging loop. To this end, we present a framework for generating, structuring and exploring counterexamples either interactively or with the help of userspecified strategies. 1
From Complementation to Certification
, 2004
"... In the automatatheoretic approach to model checking we check the emptiness of the product of a system S with an automaton A: for the complemented specification. This gives rise to two automatatheoretic problems: complementation of word automata, which is used in order to generate A: , and the ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
In the automatatheoretic approach to model checking we check the emptiness of the product of a system S with an automaton A: for the complemented specification. This gives rise to two automatatheoretic problems: complementation of word automata, which is used in order to generate A: , and the emptiness problem, to which model checking is reduced. Both problems have numerous other applications, and have been extensively studied for nondeterministic Buchi word automata (NBW). Nondeterministic generalized Buchi word automata (NGBW) have become popular in specification and verification and are now used in applications traditionally assigned to NBW. This is due to their richer acceptance condition, which leads to automata with fewer states and a simpler underlying structure.