Results 1-10 of 43
Vacuity Detection in Temporal Model Checking
1999
Cited by 74 (15 self)
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspicions is possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a sy...
Formal Verification of the AAMP5 Microprocessor: A Case Study in the . . .
1995
Cited by 64 (1 self)
This paper describes the experiences of Collins Commercial Avionics and SRI International in formally specifying and verifying the microcode for the AAMP5 microprocessor with the PVS verification system. This project was conducted to determine if an industrial microprocessor designed for use in real-time embedded systems could be formally specified at the instruction set and register transfer levels and if formal proofs could be used to prove the microcode correct. The paper provides a brief technical overview, but its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting.
Keywords: Formal Methods, Formal Specification, Formal Verification, Microprocessor Verification, Microcode Verification, Hardware Verification, High Integrity Systems, Safety Critical Systems, PVS
Software and digital hardware are increasingly being used in situations where failure could be life threatening, such as a...
Architecture Validation for Processors
1995
Cited by 63 (0 self)
Modern, high performance microprocessors are extremely complex machines which require substantial validation effort to ensure functional correctness prior to tapeout. Generating the corner cases to test these designs is a mostly manual process, where completion is hard to judge. Experience shows that the errors that are caught late in the design, many post-silicon, are interactions between different components in very improbable corner case situations. In this paper we present a technique that targets such error-causing interactions by automatically generating test vectors that will cause the processor to exercise all transitions of the control logic in simulation. We use techniques from formal verification to derive transition tours of a fully enumerated state graph of the control logic of the processor. Our system works from a Verilog description of the original machine and is currently being used to validate an embedded dual-issue processor in the node controller of the Stanford FLA...
Efficient Detection of Vacuity in ACTL Formulas
FMSD
1997
Cited by 47 (4 self)
Propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the precondition of the implication is not satisfiable. In other words, the postcondition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define wACTL, a subset of CTL, and show by construction that for every wACTL formula φ there is a formula w(φ) such that both φ and w(φ) are true in some model M iff φ passes vacuously. A useful side effect of w(φ) is that if it is false, any counterexample is also a non-trivial witness of the original formula φ.
Enhanced Vacuity Detection in Linear Temporal Logic
2003
Cited by 35 (4 self)
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to a correctness query with a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in cases where model checking succeeds.
Coverage metrics for temporal logic model checking
in Lecture Notes in Computer Science
2001
Cited by 33 (14 self)
In formal verification, we verify that a system is correct with respect to a specification. Even when the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We introduce two principles that we believe should be part of any coverage metric for model checking: a distinction between state-based and logic-based coverage, and a distinction between the system and its environment. We suggest several coverage metrics that apply these principles, and we describe two algorithms for finding the uncovered parts of the system under these definitions. The first algorithm is a symbolic implementation of a naive algorithm that model checks many variants of the original system. The second algorithm improves the naive algorithm by exploiting overlaps in the variants. We also suggest a few helpful outputs to the user, once the uncovered parts are found.
Efficient Detection of Vacuity in Temporal Model Checking
Formal Methods in System Design
2001
Cited by 31 (5 self)
The ability to generate a counterexample is an important feature of model checking tools, because a counterexample provides information to the user in the case that the formula being checked is found to be non-valid. In this paper, we turn our attention to providing similar feedback to the user in the case that the formula is found to be valid, because valid formulas can hide real problems in the model. For instance, propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is trivially valid because the precondition of the implication is not satisfiable. We call this vacuity, and extend the definition to cover other kinds of trivial validity. For non-vacuously valid formulas, we define an interesting witness as a non-trivial example of the validity of the formula. We formalize the notions of vacuity and interesting witness, and show how to detect vacuity and generate interesting witnesses in temporal model checking. Finally, we provide a practical solution for a useful subset of ACTL formulas.
A practical approach to coverage in model checking
In Computer Aided Verification, Proc. 13th International Conference
2001
Cited by 30 (11 self)
In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking from a practical point of view. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We suggest several definitions of coverage, suitable for specifications given in linear temporal logic or by automata on infinite words. We describe two algorithms for computing the parts of the system that are not covered by the specification. The first algorithm is built on top of automata-based model-checking algorithms. The second algorithm reduces the coverage problem to the model-checking problem. Both algorithms can be implemented on top of existing model checking tools.
Sanity Checks in Formal Verification
In Proc. of CONCUR'06, LNCS
2006
Cited by 22 (5 self)
One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no additional information. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspicions is possible errors in the modeling of the system or of the specification. The goal of sanity checks is to detect such errors by further automatic reasoning. Two leading sanity checks are vacuity and coverage. In vacuity, the goal is to detect cases where the system satisfies the specification in some unintended trivial way. In coverage, the goal is to increase the exhaustiveness of the specification by detecting components of the system that do not play a role in the verification process. For both checks, the challenge is to define vacuity and coverage formally, develop algorithms for detecting vacuous satisfaction and low coverage, and suggest methods for returning helpful information to the user. We survey existing work on vacuity and coverage and argue that, in many aspects, the two checks are essentially the same: both are based on repeating the verification process on some mutant input. In vacuity, mutations are in the specifications, whereas in coverage, mutations are in the system. This observation enables us to adopt work done in the context of vacuity to coverage, and vice versa.
Experimental evaluation of classical automata constructions
In LPAR 2005, LNCS 3835
2005
Cited by 22 (3 self)
There are several algorithms for producing the canonical DFA from a given NFA. While the theoretical complexities of these algorithms are known, there has not been a systematic empirical comparison between them. In this work we propose a probabilistic framework for testing the performance of automata-theoretic algorithms. We conduct a direct experimental comparison between Hopcroft's and Brzozowski's algorithms. We show that while Hopcroft's algorithm has better overall performance, Brzozowski's algorithm performs better for "high-density" NFA. We also consider the universality problem, which is traditionally solved explicitly via the subset construction. We propose an encoding that allows this problem to be solved symbolically via a model checker. We compare the performance of this approach to that of the standard explicit algorithm, and show that the explicit approach performs significantly better.