Program Compatibility Approaches
In Proceedings of the Formal Methods for Components and Objects Symposium, FMCO 2006, 2006
Cited by 4 (0 self)
This paper is a survey of several techniques that have proven useful in establishing compatibility among behaviorally similar programs (e.g., system upgrades, object sub- and supertypes, system components produced by different vendors, etc.). We give a comparative analysis of the techniques by evaluating their applicability to various aspects of the compatibility problem.
Model Checking: Software and Beyond
Cited by 4 (0 self)
Temporal logic model checking, first developed by Clarke and Emerson [1] and independently discovered by Queille and Sifakis [2], is an automated technique for the verification of finite-state systems. The specification is expressed as a
Automatic abstraction refinement for timed automata
In Proc. FORMATS'07, volume 4763 of LNCS, 2007
Cited by 4 (0 self)
We present a fully automatic approach for counterexample guided abstraction refinement of real-time systems modelled in a subset of timed automata. Our approach is implemented in the MOBY/RT tool environment, which is a CASE tool for embedded system specifications. Verification in MOBY/RT is done by constructing abstractions of the semantics in terms of timed automata which are fed into the model checker UPPAAL. Since the abstractions are overapproximations, absence of abstract counterexamples implies a valid result for the full model; otherwise an abstract counterexample is found by UPPAAL. The generated abstract counterexample is used to construct either a concrete counterexample for the full model or to identify a slightly refined abstraction in which the found spurious counterexample cannot occur anymore. Hence, the approach allows for a fully automatic abstraction refinement loop starting from the coarsest abstraction towards an abstraction for which a valid verification result is found. Nontrivial case studies demonstrate that this approach computes small abstractions fast without any user interaction.
SAT-based verification for timed component connectors
Cited by 3 (1 self)
Component-based software construction relies on suitable models underlying components, and in particular the coordinators which orchestrate component behaviour. Verifying correctness and safety of such systems amounts to model checking the underlying system model, where model checking techniques not only need to be correct but—since system sizes increase—also scalable and efficient. In this paper, we present a SAT-based approach for bounded model checking of Timed Constraint Automata. We present an embedding of bounded model checking into propositional logic with linear arithmetic, which overcomes the state explosion problem to deal with large systems by defining a product that is linear in the size of the system. To further improve model checking performance, we show how to embed our approach into an extension of counterexample guided abstraction refinement with Craig interpolants.
Implementing abstraction refinement for model checking in HOL
Supplementary Proceedings of the 16th International Conference on Theorem Proving in Higher Order Logics, number 187 in Technical Reports, 2003
Cited by 2 (1 self)
Abstracting infinite or large state spaces to ones feasible for model checking has met with much success. We have implemented an abstraction framework in HOL, on top of a deep-embedded model checker. We present the implementation, highlighting the role of HOL.
Structure and Hierarchy in Real-Time Systems
2002
Cited by 2 (0 self)
The development of digital systems is particularly challenging, if their correctness depends on the right timing of operations. One approach to enhance the reliability of such systems is model-based development. This allows for a formal analysis throughout all stages of design. Model-based
The Importance of Non-theorems and Counterexamples in Program Verification
Cited by 2 (0 self)
We argue that the detection and refutation of non-theorems, and the discovery of appropriate counterexamples, is of vital importance to the Grand Challenge of a Program Verifier.
Formal Equivalence Checking of Software Specifications vs. Hardware Implementations
2007
Cited by 1 (1 self)
Ever-growing complexity is forcing logic design to move above the register transfer level (RTL). For example, functional specifications are being written in software. These specifications are written for clarity, and are not optimized or intended for synthesis. Since the software is the target of functional validation, equivalence verification between the software specification and the RTL implementation is needed. This thesis introduces new techniques to reduce the complexity of this verification and increase the capability of current verification techniques. The first contribution improves the efficiency of sequential equivalence verification. I introduce a partitioned model checking approach using Annotated Control Flow Graphs (ACFG) to represent software specifications for sequential circuits. The approach partitions the software and hardware states based on the structure of the ACFG, and uses the flow and the edge annotations in the ACFG to guide the state-space exploration. Experimental results show that the new partitioned model checking approach runs faster than the standard global reachability analysis.
Scheduling large jobs by abstraction refinement
In Proceedings of the Sixth Conference on Computer Systems, ACM
Cited by 1 (0 self)
The static scheduling problem often arises as a fundamental problem in real-time systems and grid computing. We consider the problem of statically scheduling a large job expressed as a task graph on a large number of computing nodes, such as a data center. This paper solves the large-scale static scheduling problem using abstraction refinement, a technique commonly used in formal verification to efficiently solve computationally hard problems. A scheduler based on abstraction refinement first attempts to solve the scheduling problem with abstract representations of the job and the computing resources. As abstract representations are generally small, the scheduling can be done reasonably fast. If the obtained schedule does not meet specified quality conditions (like
Predicate Abstraction for Murphi
Predicate abstraction is a technique used to prove properties in a finite or infinite state system. It employs decision procedures to abstract a concrete state system into a finite state abstraction system, which will then be model checked and refined. In this paper, we present an approach for implementing predicate abstraction for Murphi [1] using CVC Lite [2]. Two cases for each property (i.e. SAT and UnSAT) are tried in model checking. When a fixed point is reached finally, the validity of each property is declared. We applied our tool (called PAM) on the FLASH [3] and German [4] protocols. The preliminary result

To verify interesting properties in a concurrent system, traditional approaches based on simulation and testing are often not adequate. This is because many concurrent systems, such as cache coherence protocols, are characterized by very large state spaces so that simulation and testing cannot achieve a reasonable coverage. To overcome this limitation,

