Software Verification and System Assurance, 2009
Abstract

Cited by 7 (2 self)
Littlewood [1] introduced the idea that software may be possibly perfect and that we can contemplate its probability of (im)perfection. We review this idea and show how it provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the probabilistic properties such as reliability that are the targets for system-level assurance. We enumerate the hazards to formal verification, consider how each of these may be countered, and propose relative weightings that an assessor may employ in assigning a probability of perfection.
Modeling time-triggered protocols and verifying their real-time schedules
In Proceedings of Formal Methods in Computer Aided Design (FMCAD’07), 2007
Abstract

Cited by 6 (1 self)
Time-triggered systems are distributed systems in which the nodes are independently clocked but maintain synchrony with one another. Time-triggered protocols depend on the synchrony assumption the underlying system provides, and the protocols are often formally verified in an untimed or synchronous model based on this assumption. An untimed model is simpler than a real-time model, but it abstracts away timing assumptions that must hold for the model to be valid. In the first part of this paper, we extend previous work by Rushby [1] to prove, using mechanical theorem-proving, that for an arbitrary time-triggered protocol, its real-time implementation satisfies its untimed specification. The second part of this paper shows how the combination of a bounded model-checker and a satisfiability modulo theories (SMT) solver can be used to prove that the timing characteristics of a hardware realization of a protocol satisfy the assumptions of the time-triggered model. The upshot is a formally-verified connection between the untimed specification and the hardware realization of a time-triggered protocol with respect to its timing parameters.
Formal Verification of Time-Triggered Systems, 2005
Abstract

Cited by 4 (0 self)
Fault-tolerant real-time distributed control systems are being developed for next-generation aircraft and automobiles. They employ numerous complex protocols; because their uses are safety-critical, the design and implementation of these protocols must be error-free. The following modeling considerations make the formal verification of these protocols difficult: faults, real-time constraints, distributed control, non-functional behavioral requirements, and intricate protocol interactions. We describe a methodology for the formal verification of time-triggered systems, a class of synchronized fault-tolerant control and communication architectures. The methodology
Reasoning about the Reliability of Diverse Two-Channel Systems in Which One Channel is “Possibly Perfect”, 2009
Abstract

Cited by 1 (0 self)
This report refines and extends an earlier paper by the first author [25]. It considers the problem of reasoning about the reliability of fault-tolerant systems with two “channels” (i.e., components) of which one, A, because it is conventionally engineered and presumed to contain faults, supports only a claim of reliability, while the other, B, by virtue of extreme simplicity and extensive analysis, supports a plausible claim of “perfection.” We begin with the case where either channel can bring the system to a safe state. The reasoning about system probability of failure on demand (pfd) is divided into two steps. The first concerns aleatory uncertainty about (i) whether channel A will fail on a randomly selected demand and (ii) whether channel B is imperfect. It is shown that, conditional upon knowing pA (the probability that A fails on a randomly selected demand) and pB (the probability that channel B is imperfect), a conservative bound on the probability that the system fails on a randomly selected demand is simply pA × pB. That is, there is conditional independence between the events “A fails” and “B is imperfect.” The second
A Formal Approach to the Verification of Networks on Chip (Research Article, doi:10.1155/2009/548324), 2009
Abstract
The current technology allows the integration on a single die of complex systems-on-chip (SoCs) that are composed of manufactured blocks (IPs), interconnected through specialized networks on chip (NoCs). IPs have usually been validated by diverse techniques (simulation, test, formal verification) and the key problem remains the validation of the communication infrastructure. This paper addresses the formal verification of NoCs by means of a mechanized proof tool, the ACL2 theorem prover. A metamodel for NoCs has been developed and implemented in ACL2. This metamodel satisfies a generic correctness statement. Its verification for a particular NoC instance is reduced to discharging a set of proof obligations for each one of the NoC constituents. The methodology is demonstrated on a realistic and state-of-the-art design, the Spidergon network from STMicroelectronics. Copyright © 2009 Dominique Borrione et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.