On verification modelling of embedded systems, 2004
Cited by 6 (1 self)
Computer-aided verification of embedded systems hinges on the availability of good verification models of the systems at hand. Because of the combinatorial complexities that are inherent in any process of verification, such models generally are only abstractions of the full design model or system specification. As they must both be small enough to be effectively verifiable and preserve the properties under verification, the development of verification models usually requires the experience, intuition and creativity of an expert. We argue that there is a great need for systematic methods for the construction of verification models to move on, and leave the current stage that can be characterised as that of “model hacking”. The ad-hoc construction of verification models obscures the relationship between models and the systems that they represent, and undermines the reliability and relevance of the verification results that are obtained. We propose some ingredients for a solution to this problem.
Context-Bounded Translations for Concurrent Software: An Empirical Evaluation
Cited by 4 (1 self)
Context-Bounded Analysis has emerged as a practical automatic formal analysis technique for fine-grained, shared-memory concurrent software. Two recent papers (in CAV 2008 and 2009) have proposed ingenious translation approaches that promise much better scalability, backed by compelling, but differing, theoretical and conceptual advantages. Empirical evidence comparing the translations, however, has been lacking. Furthermore, these papers focused exclusively on Boolean model checking, ignoring the also widely used paradigm of verification-condition checking. In this paper, we undertake a methodical, empirical evaluation of the three main source-to-source translations for context-bounded analysis of concurrent software, in a verification-condition-checking paradigm. We evaluate their scalability under a wide range of experimental conditions. Our results show: (1) The newest, CAV 2009 translation is the clear loser, with the CAV 2008 translation the best in most instances, but the oldest, brute-force translation doing surprisingly well. Clearly, previous results for Boolean model checking do not apply to verification-condition checking. (2) Disturbingly, confounding factors in the experimental design can change the relative performance of the translations, highlighting the importance of extensive and thorough experiments. For example, using a different (slower) SMT solver changes the relative ranking of the translations, potentially misleading researchers and practitioners to use an inferior translation. (3) SMT runtimes grow exponentially with verification-condition length, but different translations and parameters give different exponential curves. This suggests that the practical scalability of a translation scheme might be estimated by combining the size of the queries with an empirical or theoretical measure of the complexity of solving that class of query.
Simple Network Protocol Simulation within Maude
Cited by 2 (0 self)
On the one hand network and... In this paper we present the specification of a network model in Maude and some primitives for defining simulation strategies. The use of the model is illustrated with a simple HELLO sub-protocol taken from the IETF PIM-DM (Protocol Independent Multicast - Dense Mode) RFC [6], and based on a pseudo-code specification [21]. The network model we present reflects the key aspects of the infrastructure on which typical communication protocols run. The model is designed so that we may execute isolated protocols as well as develop techniques for composing sub-protocols, to model the more complex protocols used in practice. The long-term goal is to support simulation and formal analysis at many levels of detail...
On Commutativity Based Edge Lean Search
Cited by 1 (0 self)
Exploring a graph through search is one of the most basic building blocks of various applications. In a setting with a huge state space, such as in testing and verification, optimizing the search may be crucial. We consider the problem of visiting all states in a graph where edges are generated by actions and the (reachable) states are not known in advance. Some of the actions may commute, i.e., they result in the same state for every order in which they are taken (this is the case when the actions are performed independently by different processes). We show how to use commutativity to achieve full coverage of the states traversing considerably fewer edges.
Minimization of counterexamples in SPIN. In SPIN Workshop on Model Checking of Software, 2004
We propose an algorithm to find a counterexample to some property in a finite state program. This algorithm is derived from SPIN's one, but it finds a counterexample faster than SPIN does. In particular it still works in linear time. Compared with SPIN's algorithm, it requires only one additional bit per state stored. We further propose another algorithm to compute a counterexample of minimal size. Again, this algorithm does not use more memory than SPIN does to approximate a minimal counterexample. The cost to find a counterexample of minimal size is that one has to revisit more states than SPIN. We provide an implementation and discuss experimental results.
Specification and verification of selected intrusion tolerance properties using CSP and FDR, 2003
MAFTIA Workpackage 6 is concerned with the rigorous definition of the basic MAFTIA concepts, and the verification and assessment of the work on dependable middleware.
(Signature of the author), 2007
...questions as well as in questions about the "fitting together" of components. To enable an early assessment of compatibility by modelling the system under study, the (Unified) Compatibility Modelling Language ((U)CML) was developed at the Technische Universität München. So far, (U)CML has been defined as a primarily static model. Extending the usefulness of compatibility modelling to the communication between components is the subject of this thesis. To this end, the widely used standard of Message Sequence Charts (MSC) is, with a ... adapted to the modelling
Automated verification of resource requirements in multi-agent systems using abstraction
We describe a framework for the automated verification of multi-agent systems which do distributed problem solving, e.g., query answering. Each reasoner uses facts, messages and Horn clause rules to derive new information. We show how to verify correctness of distributed problem solving under resource constraints, such as the time required to answer queries and the number of messages exchanged by the agents. The framework allows the use of abstract specifications consisting of Linear Time Temporal Logic (LTL) formulas to specify some of the agents in the system. We illustrate the use of the framework on a simple example.
Model Checking for Generation of Test Suites in Software Unit Testing
Model checking is a technique for exhaustively searching the model's state space for possible errors. Testing is a common method for enhancing the quality of a software product by checking for errors in program executions sampled according to some criterion called a coverage criterion. Testing is a costly process, especially if it is not supported by an appropriate method (and tool) for generating test suites, i.e. sets of test cases that fulfil a specific coverage criterion. This work introduces a method based on model checking that supports generation of test cases for coverage-based unit testing. As a proof of concept, we provide results obtained from the developed prototype tool support. Our method relies on automatically deriving from the source code a SPIN model with injected breakpoints. Test cases are obtained as counterexamples of violated Linear Temporal Logic (LTL) formulae that are automatically produced based on the selected coverage criterion.