Nonlinear Loop Invariant Generation using Gröbner Bases
2004
Abstract

Cited by 41 (4 self)
We present a new technique for the generation of nonlinear (algebraic) invariants of a program. Our technique uses the theory of ideals over polynomial rings to reduce the nonlinear invariant generation problem to a numerical constraint solving problem. So far, the literature on invariant generation has been focussed on the construction of linear invariants for linear programs. Consequently, there has been little progress toward nonlinear invariant generation. In this paper, we demonstrate a technique that encodes the conditions for a given template assertion being an invariant into a set of constraints, such that all the solutions to these constraints correspond to nonlinear (algebraic) loop invariants of the program. We discuss some tradeoffs between the completeness of the technique and the tractability of the constraint-solving problem generated. The application of the technique is demonstrated on a few examples.
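The template-and-constraints idea in the abstract above, as an added worked example (this is editor-written code, not code from the paper). It is a deliberate simplification of the paper's method: the template polynomial is required to be preserved exactly by the loop body (the simplest form of consecution), which makes every constraint on the unknown coefficients linear, so a rational nullspace computation suffices. The paper's ideal-theoretic consecution conditions are more general, and that generality is where Gröbner bases are needed. The loop `x := 0; y := 0; while *: (x, y) := (x + 1, y + 2x + 1)` and the degree-2 template are constructed here for illustration.

```python
from fractions import Fraction

# Polynomials in (x, y): {exponent tuple: Fraction coefficient}, zero coefficients dropped.
NVARS = 2

def padd(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def pscale(p, k):
    return {m: c * k for m, c in p.items() if c * k != 0}

def pmul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def psubst(p, images):
    """Simultaneously substitute images[i] for variable i in p."""
    r = {}
    for m, c in p.items():
        term = {(0,) * NVARS: c}
        for var, e in enumerate(m):
            for _ in range(e):
                term = pmul(term, images[var])
        r = padd(r, term)
    return r

def peval(p, point):
    total = Fraction(0)
    for m, c in p.items():
        term = c
        for var, e in enumerate(m):
            term *= Fraction(point[var]) ** e
        total += term
    return total

def nullspace(rows, ncols):
    """Basis of {v : rows * v = 0} over the rationals, via reduced row echelon form."""
    m = [[Fraction(v) for v in row] for row in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        m[r] = [v / m[r][c] for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [vi - f * vr for vi, vr in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(ncols) if c not in pivots]:
        v = [Fraction(0)] * ncols
        v[fc] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][fc]
        basis.append(v)
    return basis

X, Y, ONE = {(1, 0): Fraction(1)}, {(0, 1): Fraction(1)}, {(0, 0): Fraction(1)}
# Constructed loop (an assumption for this example, not a program from the paper):
#   x := 0; y := 0; while *: (x, y) := (x + 1, y + 2x + 1)
INIT_STATE = (0, 0)
BODY = [padd(X, ONE), padd(Y, padd(pscale(X, Fraction(2)), ONE))]
# Template: every monomial of degree <= 2, each with one unknown coefficient.
TEMPLATE = [(2, 0), (1, 1), (0, 2), (1, 0), (0, 1), (0, 0)]

def generate_invariants():
    """Coefficient vectors (returned as polynomials with leading coefficient 1) such that
    p(init) = 0 (initiation) and p(body(x, y)) - p(x, y) is identically 0 (consecution)."""
    residuals, init_row = [], []
    for mono in TEMPLATE:
        basis_poly = {mono: Fraction(1)}
        residuals.append(padd(psubst(basis_poly, BODY), pscale(basis_poly, -1)))
        init_row.append(peval(basis_poly, INIT_STATE))
    # One linear constraint per monomial occurring in any residual, plus the initiation row.
    monos = sorted({m for res in residuals for m in res})
    rows = [[res.get(m, Fraction(0)) for res in residuals] for m in monos] + [init_row]
    invariants = []
    for v in nullspace(rows, len(TEMPLATE)):
        lead = next(c for c in v if c != 0)
        invariants.append({m: c / lead for m, c in zip(TEMPLATE, v) if c != 0})
    return invariants

def holds_on_run(p, steps=20):
    """Concrete sanity check: the candidate vanishes along an execution of the loop."""
    x, y = INIT_STATE
    for _ in range(steps):
        if peval(p, (x, y)) != 0:
            return False
        x, y = x + 1, y + 2 * x + 1
    return True

if __name__ == "__main__":
    for inv in generate_invariants():
        print(inv, "holds on run:", holds_on_run(inv))
```

For this loop the solution space is one-dimensional and corresponds to x^2 - y = 0, i.e. y = x^2, which no linear-invariant generator can express. Raising the template degree or relaxing consecution to ideal membership enlarges the set of candidates at the price of harder constraint solving, which is the completeness/tractability tradeoff the abstract mentions.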
An Overview of SAL
LFM 2000: Fifth NASA Langley Formal Methods Workshop, 2000
Abstract

Cited by 39 (5 self)
To become practical for assurance, formal methods must be made more cost-effective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a framework for combining different tools to calculate properties (i.e., performing symbolic analysis) of concurrent systems. The heart of SAL is a language, developed in collaboration with Stanford, Berkeley, and Verimag, for specifying concurrent systems in a compositional way. Our instantiation of the SAL framework augments PVS with tools for abstraction, invariant generation, program analysis (such as slicing), theorem proving, and model checking to calculate properties (i.e., perform symbolic analysis) of concurrent systems. We describe the motivation, the language, the tools, and their integration in SAL/PVS, and some preliminary experience of their use. ...
Formal Specification: a Roadmap
2000
Abstract

Cited by 34 (0 self)
Formal specifications have been a focus of software engineering research for many years and have been applied in a wide variety of settings. Their industrial use is still limited but has been steadily growing. After recalling the essence, role, usage, and pitfalls of formal specification, the paper reviews the main specification paradigms to date and discusses their evaluation criteria. It then provides a brief assessment of the current strengths and weaknesses of today's formal specification technology. This provides a basis for formulating a number of requirements for formal specification to become a core software engineering activity in the future.
Verification of Java Programs using Symbolic Execution and Invariant Generation
2004
Abstract

Cited by 31 (4 self)
Software verification is recognized as an important and difficult problem. We present a novel framework, based on symbolic execution, for the automated verification of software. The framework uses annotations in the form of method specifications and loop invariants. We present a novel iterative...
Deductive verification of real-time systems using STeP
Computer Science Department, Stanford University, 1998
Abstract

Cited by 30 (8 self)
We present a modular framework for proving temporal properties of real-time systems, based on clocked transition systems and linear-time temporal logic. We show how deductive verification rules, verification diagrams, and automatic invariant generation can be used to establish properties of real-time systems in this framework. We also discuss global and modular proofs of the branching-time property of non-Zenoness. As an example, we present the mechanical verification of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.
Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant Checking
2000
Abstract

Cited by 29 (8 self)
Salsa is an invariant checker for specifications in SAL (the SCR Abstract Language). To establish a formula as an invariant without any user guidance Salsa carries out an induction proof that utilizes tightly integrated decision procedures, currently a combination of BDD algorithms and a constraint solver for integer linear arithmetic, for discharging the verification conditions. The user interface of Salsa is designed to mimic the interfaces of model checkers; i.e., given a formula and a system description, Salsa either establishes the formula as an invariant of the system (but returns no proof) or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returns a state pair as a counterexample and not an execution sequence. Also, due to the incompleteness of induction, users must validate the counterexamples. The use of induction enables Salsa to combat the state explosion problem that plagues model checkers: it can handle...
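The two points in the Salsa abstract that matter most to a user, the state-pair counterexample and the incompleteness of induction, as an added worked example (editor-written code, not Salsa's own). Salsa discharges the initiation and consecution verification conditions with BDDs and an integer linear arithmetic solver; this example replaces the decision procedures with enumeration of a small bounded state space, which is an assumption made to keep it self-contained. The counter-with-latch system and both properties are constructed here, not taken from the paper.

```python
from collections import deque
from itertools import product

# Constructed system (an assumption, not one of Salsa's SCR examples): a counter x that
# increments until it reaches 5, at which point the latch f is set and x freezes.
# The domain is bounded so that the checker can enumerate states instead of calling a solver.
X_RANGE = range(0, 7)
STATES = [(x, f) for x, f in product(X_RANGE, (0, 1))]

def init(s):
    return s == (0, 0)

def step(s):
    """Transition relation as a successor list; out-of-domain successors are dropped."""
    x, f = s
    if f == 1:
        return [(x, 1)]
    nx = x + 1
    return [(nx, 1 if nx == 5 else 0)] if nx in X_RANGE else []

def check_inductive(phi):
    """Induction proof of phi: initiation (init => phi) and consecution (phi and T => phi').
    Returns ("proved", None), ("initiation", s) or ("consecution", (s, s'))."""
    for s in STATES:
        if init(s) and not phi(s):
            return ("initiation", s)
    for s in STATES:
        if phi(s):
            for t in step(s):
                if not phi(t):
                    return ("consecution", (s, t))
    return ("proved", None)

def reachable():
    seen = {s for s in STATES if init(s)}
    work = deque(seen)
    while work:
        for t in step(work.popleft()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def counterexample_is_spurious(pair):
    """Induction is incomplete: a consecution counterexample may start from a state that
    satisfies phi but is unreachable. This is the validation step left to the user."""
    return pair[0] not in reachable()

def phi(s):
    """The property to establish: x never exceeds 5."""
    return s[0] <= 5

def phi_strengthened(s):
    """phi plus the auxiliary fact "x == 5 implies the latch is set"."""
    return s[0] <= 5 and (s[0] != 5 or s[1] == 1)

if __name__ == "__main__":
    verdict, pair = check_inductive(phi)
    print(verdict, pair, "spurious:", counterexample_is_spurious(pair))
    print(check_inductive(phi_strengthened))
```

`phi` is true in every reachable state but is not inductive: the checker returns the state pair ((5, 0), (6, 0)) without an execution sequence, and only the reachability check reveals that (5, 0) is unreachable, so the counterexample is spurious. Strengthening the formula with the latch fact makes it inductive and the same checker proves it, which is the usual workflow behind "users must validate the counterexamples".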
Automatic Generation of State Invariants from Requirements Specifications
FSE-6, 1998
Abstract

Cited by 28 (15 self)
Automatic generation of state invariants, properties that hold in every reachable state of a state machine model, can be valuable in software development. Not only can such invariants be presented to system users for validation; they can also be used as auxiliary assertions in proving other invariants. This paper describes an algorithm for the automatic generation of state invariants that, in contrast to most other such algorithms, which operate on programs, derives invariants from requirements specifications. Generating invariants from requirements specifications rather than programs has two advantages: 1) because requirements specifications, unlike programs, are at a high level of abstraction, generation of and analysis using such invariants is easier, and 2) using invariants to detect errors during the requirements phase is considerably more cost-effective than using invariants later in software development. To illustrate the algorithm, we use it to generate state invariants from requirements specifications of an automobile cruise control system and a simple control system for a nuclear plant. The invariants are derived from specifications expressed in the SCR (Software Cost Reduction) tabular notation.
Verification of a leader election protocol: formal methods applied to IEEE 1394
Formal Methods in System Design, 1997
Abstract

Cited by 28 (7 self)
The IEEE 1394 high performance serial multimedia bus protocol allows several components to communicate with each other at high speed. In this paper we present a formal model and verification of a leader election algorithm that forms the core of the tree identify phase of the physical layer of the 1394 protocol. We describe the algorithm formally in the I/O automata model of Lynch and Tuttle, and verify that for an arbitrary tree topology exactly one leader is elected. A large part of our verification has been checked mechanically with PVS, a verification system for higher-order logic.
A technique for invariant generation
TACAS 2001, vol. 2031 of LNCS, 2001
Abstract

Cited by 28 (1 self)
Most of the properties established during verification are either invariants or depend crucially on invariants. The effectiveness of automated formal verification is therefore sensitive to the ease with which invariants, even trivial ones, can be automatically deduced. While the strongest invariant can be defined as the least fixed point of the strongest postcondition of a transition system starting with the set of initial states, this symbolic computation rarely converges. We present a method for invariant generation and strengthening that relies on the simultaneous construction of least and greatest fixed points, restricted widening and narrowing, and quantifier elimination. The effectiveness of the method is demonstrated on a number of examples.

1 Introduction

The majority of properties established during the verification of programs are either invariants or depend crucially on invariants. Indeed, safety properties can be reduced to invariant properties, and to prove progress one usually needs to establish auxiliary invariance properties too. Consequently, the discovery and strengthening of invariants is a central technique in the analysis and verification of both sequential programs and reactive systems, especially for infinite state systems.
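The non-convergence of strongest-postcondition iteration and the role of widening and narrowing, as an added worked example (editor-written code, not code from the paper). It shows only the widening/narrowing half of the abstract's method, on the interval abstract domain rather than the paper's symbolic representation, and leaves out the greatest-fixed-point construction and quantifier elimination; the loop `x := 0; while x < 100: x := x + 1` is constructed for the example.

```python
INF = float("inf")

# Interval domain: a value is (lo, hi) with lo <= hi, or None for the empty set (bottom).
def join(a, b):
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def widen(old, new):
    """Push any bound that is still moving to infinity so the ascending chain terminates."""
    if old is None:
        return new
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)

def narrow(old, new):
    """Descending pass: refine only the bounds that widening pushed to infinity."""
    lo = new[0] if old[0] == -INF else old[0]
    hi = new[1] if old[1] == INF else old[1]
    return (lo, hi)

# Constructed loop (an assumption, not an example from the paper):
#   x := 0; while x < 100: x := x + 1
ENTRY = (0, 0)
GUARD = (-INF, 99)        # x < 100 over the integers
NEG_GUARD = (100, INF)    # loop exit condition

def post(inv):
    """Strongest postcondition of one iteration: filter by the guard, then x := x + 1."""
    g = meet(inv, GUARD)
    return None if g is None else (g[0] + 1, g[1] + 1)

def naive_lfp(limit):
    """Plain Kleene iteration of the strongest postcondition. Returns None when it has not
    stabilised within `limit` steps; here it needs roughly one step per loop iteration."""
    inv = None
    for _ in range(limit):
        nxt = join(ENTRY, post(inv))
        if nxt == inv:
            return inv
        inv = nxt
    return None

def widened_lfp():
    """Ascending iteration with widening, followed by a narrowing pass."""
    inv = None
    while True:
        nxt = widen(inv, join(ENTRY, post(inv)))
        if nxt == inv:
            break
        inv = nxt
    while True:
        nxt = narrow(inv, join(ENTRY, post(inv)))
        if nxt == inv:
            break
        inv = nxt
    return inv

def loop_exit_invariant(inv):
    """What is known about x after the loop: the invariant meets the negated guard."""
    return meet(inv, NEG_GUARD)

if __name__ == "__main__":
    print("naive, 50 steps:", naive_lfp(50))
    print("widened:", widened_lfp(), "at exit:", loop_exit_invariant(widened_lfp()))
```

Plain iteration takes over a hundred steps for a bound of 100 and never converges if the bound is symbolic; widening reaches the unstable over-approximation [0, +inf) in two steps, and narrowing recovers [0, 100], from which the exit invariant x = 100 follows. The paper's method is richer (greatest fixed points and quantifier elimination for infinite-state systems), but the termination argument is the same.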
InVeSt: A Tool for the Verification of Invariants
Computer Aided Verification, volume 1427 of LNCS, 1998
Abstract

Cited by 27 (6 self)
Abstractions: The abstraction module implements the method presented in [1] for computing abstractions of infinite state systems. For a given concrete system and a given abstraction function, it computes an abstraction of the concrete system compositionally and automatically. The process of generation of the abstract system does not depend on the assumed semantics of the parallel operator; it works for the synchronous as well as for the asynchronous computation model. The generated abstract system has the same structure as the concrete one and there is a clear correspondence between the transitions of both systems. This not only allows further abstractions and techniques to be applied to mitigate the state explosion problem but also facilitates the debugging of the concrete system. Indeed, traces of the abstract system can be transformed into concrete traces, which are then checked to determine whether they are behaviors of the concrete system. The generated abstract system is represented optionally in the ...