## Modular verification of software components in C (2003)

Venue: IEEE Transactions on Software Engineering

Citations: 206 (20 self-citations)

### BibTeX

@ARTICLE{Chaki03modularverification,
  author  = {Sagar Chaki and Edmund Clarke and Alex Groce and others},
  title   = {Modular verification of software components in {C}},
  journal = {IEEE Transactions on Software Engineering},
  year    = {2003},
  pages   = {385--395}
}

### Abstract

We present a new methodology for automatic verification of C programs against finite state machine specifications. Our approach is compositional, naturally enabling us to decompose the verification of large software systems into subproblems of manageable complexity. The decomposition reflects the modularity in the software design. We use weak simulation as the notion of conformance between the program and its specification. Following the abstract-verify-refine paradigm, our tool MAGIC first extracts a finite model from C source code using predicate abstraction and theorem proving. Subsequently, simulation is checked via a reduction to Boolean satisfiability. MAGIC is able to interface with several publicly available theorem provers and SAT solvers. We report experimental results with procedures from the Linux kernel and the OpenSSL toolkit.
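The conformance notion the abstract names, weak simulation between the specification LTS and the LTS extracted from the code, can be checked directly as a greatest fixpoint over state pairs. The Python below is an added example written for this page; it is not MAGIC's code (MAGIC reduces the same check to Boolean satisfiability) and it does not perform the predicate-abstraction step that produces the implementation model. The specification is the "Do A" process quoted in FSP notation in the Magee and Kramer citation context on this page; the three implementation LTSs, the `TAU` label for internal steps and all state names are constructed here for illustration.

```python
"""Weak simulation between labelled transition systems (LTSs).

Added example, not code from MAGIC or the paper. Spec weakly simulates impl
iff every strong move of impl can be matched by a weak move of spec
(tau* a tau*), computed here as the greatest fixpoint over state pairs.
"""
from collections import defaultdict

TAU = "tau"  # internal, unobservable action (assumed label)


class LTS:
    def __init__(self, init, transitions):
        self.init = init
        self.states = set()
        self.succ = defaultdict(set)  # (state, action) -> successor states
        for src, action, dst in transitions:
            self.states.update((src, dst))
            self.succ[(src, action)].add(dst)

    def tau_closure(self, state):
        """States reachable from `state` by zero or more TAU steps."""
        seen, todo = {state}, [state]
        while todo:
            for nxt in self.succ.get((todo.pop(), TAU), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def weak_succ(self, state, action):
        """s ==a==> t, i.e. tau* a tau*; for TAU itself just the closure."""
        if action == TAU:
            return self.tau_closure(state)
        out = set()
        for mid in self.tau_closure(state):
            for nxt in self.succ.get((mid, action), ()):
                out |= self.tau_closure(nxt)
        return out


def weakly_simulates(spec, impl):
    """True iff spec weakly simulates impl, i.e. impl conforms to spec.

    Start from all pairs (i, s) and repeatedly discard any pair in which some
    strong move i -a-> i' has no weak match s ==a==> s' with (i', s') still in
    the relation. What survives is the greatest weak simulation.
    """
    rel = {(i, s) for i in impl.states for s in spec.states}
    changed = True
    while changed:
        changed = False
        for i, s in list(rel):
            for (src, action), targets in impl.succ.items():
                if src != i:
                    continue
                matches = spec.weak_succ(s, action)
                if any(not any((t, m) in rel for m in matches) for t in targets):
                    rel.discard((i, s))
                    changed = True
                    break
    return (impl.init, spec.init) in rel


# Specification "Do A" from the FSP fragment quoted on this page:
#   A1 = (a -> A2), A2 = (return {} -> STOP)
SPEC = LTS("A1", [("A1", "a", "A2"), ("A2", "return", "STOP")])

# Constructed implementations (not from the paper).
GOOD = LTS("I0", [("I0", TAU, "I1"), ("I1", "a", "I2"),
                  ("I2", TAU, "I3"), ("I3", "return", "I4")])
EXTRA_ACTION = LTS("I0", [("I0", "a", "I1"), ("I1", "b", "I2"),
                          ("I2", "return", "I3")])
EARLY_RETURN = LTS("I0", [("I0", "return", "I1")])

if __name__ == "__main__":
    for name, impl in [("GOOD", GOOD), ("EXTRA_ACTION", EXTRA_ACTION),
                       ("EARLY_RETURN", EARLY_RETURN)]:
        verdict = "conforms" if weakly_simulates(SPEC, impl) else "does not conform"
        print(f"{name}: {verdict}")
```

Note the direction and the limits of the check. Weak simulation only says that the implementation never performs a visible action the specification does not allow at that point; an implementation that stops after `a` without ever returning is still simulated, because simulation is a safety notion and says nothing about progress.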

### Citations

Each entry gives the cited work, the number of articles citing it, and the passage of this paper in which it is cited.

- Hoare, *Communicating Sequential Processes* (3409 citing articles). Context: "...sample LTSs used in our framework are shown in Figure 4. A formal definition will be given in Section III. The use of LTSs is also motivated by work in concurrency. Process algebras like CCS [8], CSP [9] and the π-calculus [10] have been used widely to formally reason about message passing concurrent systems. In these formalisms, actions are crucial for modeling the sending and receiving of messages across channels. Process..."
- Milner, *Communication and Concurrency*, 1989 (3218). Cited as CCS [8] in the same passage as the CSP reference above.
- Clarke, Grumberg et al., *Model Checking*, 2001 (2426). Context: "...of Internet-based technologies, the significance of state machines has only increased. In particular, security protocols and communication protocols are naturally specified in terms of state machines [3], [4], [5]. Similar applications of state machines can be found in other safety-critical domains including medicine and aerospace. Moreover, the dramatic change of focus from relatively monolithic sys..."
- Harel, *Statecharts: A Visual Formalism for Complex Systems*, 1987 (2131). Context: "...portant artifact in the software development process; in fact, variants of state machines have been proposed for virtually all software engineering methodologies, including, most notably, Statecharts [1] and the UML [2]. The sustained success of state machines in software engineering stems from the fact that state machines provide for both a concise mathematical theory, and an intuitive semantics of..."
- Clarke, Emerson et al., *Automatic verification of finite-state concurrent systems using temporal logics*, 1986 (1183). Context: "...ormance. This choice reflects the area of security currently being our primary application domain. Except for MC and ESC Java, the above-mentioned tools are based on variations of model checking [3], [35], and they all require abstraction methods to alleviate the state explosion problem, most notably data abstraction [36] and the more generally predicate abstraction [16]. The abstraction method used i..."
- Moskewicz, Madigan et al., *Chaff: Engineering an efficient SAT solver*, 2001 (1119). Context: "...ation is performed in Stage II. As mentioned above, weak simulation here is reduced to a form of Boolean satisfiability. MAGIC can interface with several publicly available SAT solvers, such as Chaff [23], FGRASP [24] and SATO [25]. We also have our own efficient SAT solver implementation which leverages the specific nature of SAT formulas that arise in this stage to..." (the running head of the cached draft reads "January 20, 2004 DRAFT TRANSACTIONS OF SOFTWARE ENGINEERING").
- Clarke, Grumberg et al., *Model checking and abstraction*, 1994 (625). Cited as data abstraction [36] in the same passage as the temporal-logics reference above.
- Graf, Saïdi, *Construction of abstract state graphs with PVS*, 1997 (603). Context: "...ard G Spec and a set of predicates. In MAGIC, the model is computed from the control flow graph (CFG) of the program in combination with an abstraction method called predicate abstraction [12], [15], [16]. To decide properties such as equivalence of predicates, we use theorem provers. The details of this step are described in Section IV. Step 2: Verification. Check if M Spec safely abstracts M Imp..."
- Clarke, Grumberg et al., *Counterexample-guided abstraction refinement*, 2000 (602). Context: "...Fig. 1. Example of compositional verification. D. Algorithms and Tool Description. The MAGIC tool follows the CEGAR paradigm [11], [12], [13], [14] that can be summarized as follows: Step 1: Model Creation. Extract an LTS M Imp from proc using the assumed PAs, the guard G Spec and a set of predicates. In MAGIC, the model is comput..."
- Milner, *Communicating and Mobile Systems: the π-Calculus*, 1999 (587). Cited as the π-calculus [10] in the same passage as the CSP reference above.
- Henzinger, Jhala et al., *Lazy abstraction*, 2002 (446). Cited as [14] in the CEGAR passage above.
- Ball, Majumdar et al., *Automatic predicate abstraction of C programs*, 2001 (396). Context: "...fe. We illustrate the use of A by the following important example: Given any C expression e1 and a normal C assignment s, we define the weakest precondition of e1 with respect to s in the same way as [11] and denote it by WP(s, e1). Intuitively, WP(s, e1) is a C expression which denotes the weakest assumption that has to be true before the execution of s in order for e1 to become true after the execut..."
- Ball, Rajamani, *Automatically validating temporal safety properties of interfaces*, 2001 (386). Cited as [11] in the CEGAR passage above.
- Silva, Sakallah, *GRASP: a new search algorithm for satisfiability*, 1996 (360). Cited as FGRASP [24] in the SAT-solver passage above.
- Engler, Chelf et al., *Checking system rules using system-specific, programmer-written compiler extensions*, OSDI 2000 (340). Context: "...computing power have promoted renewed interest in software verification. The resulting systems -- most notably Bandera [27] and Java PathFinder [28], [29], ESC Java [30], SLAM [31], BLAST [32] and MC [33], [34] -- are increasingly able to handle industrial software. Among the six mentioned systems, the first three focus on Java, while the last three all deal with C. Java verification is quite differen..."
- Havelund, Pressburger, *Model checking Java programs using Java PathFinder* (317). Cited as [29] in the software-verification passage above.
- Magee, Kramer, *Concurrency: State Models and Java Programs*, 2006 (310). Context: "...ontaining textual descriptions of M Spec, G Spec and a set of predicates for abstraction. The textual descriptions of LTSs are given using an extended version of the FSP notation by Magee and Kramer [17]. For example, the LTS Do A shown in Figure 4 is described textually as follows: A1 = (a -> A2), A2 = (return {} -> STOP). E. Tool Overview. The schematic in Figure 2 explains the software architecture..."
- Hallem, Chelf et al., *A system and language for building system-specific, static analyses* (196). Cited as [34] in the software-verification passage above.
- Zhang, *SATO: An efficient propositional prover*, 1997 (193). Cited as [25] in the SAT-solver passage above.
- Ball, Podelski et al., *Boolean and Cartesian abstraction for model checking C programs* (161). Context: "...AM and BLAST is closest to ours. However, due to compositionality, we can afford to invest more computing power into computing abstractions, and are therefore able to improve on Cartesian abstraction [12]. Generally, we believe that the form of compositionality provided by MAGIC is unique among existing software v..." (Figure 3, "Overall architecture of MAGIC", falls in this passage.)
- Das, Dill et al., *Experience with predicate abstraction*, 1999 (131). Cited as [15] in the predicate-abstraction passage above.
- Stump, Barrett et al., *CVC: A Cooperating Validity Checker* (114). Context: "...assumed PAs, G Spec and the predicates. As described later, this process requires the use of theorem provers. MAGIC can interact with several public domain theorem provers, such as Simplify [18], CVC [19], ICS [20], CVC Lite [21], and CPROVER [22]. Verification is performed in Stage II. As mentioned above, weak simulation here is reduced to a form of Boolean satisfiability. MAGIC can interface with se..."
- Nelson, *Techniques for program verification*, 1981 (106). Cited as Simplify [18] in the theorem-prover passage above.
- Dwyer, Hatcliff et al., *Tool-supported program abstraction for finite-state verification*, 2001 (65). Cited as [13] in the CEGAR passage above.
- Lowe, *a compiler for the analysis of security protocols*, 1998 (63). Cited as [5] in the state-machines passage above.
- Filliâtre, Owre et al., *ICS: Integrated canonizer and solver* (62). Cited as [20] in the theorem-prover passage above.
- Clarke, Jha et al., *Verifying security protocols with Brutus* (55). Cited as [4] in the state-machines passage above.
- Ausiello, Italiano, *On-line algorithms for polynomially solvable satisfiability problems*, 1991 (18). Context (reference numbering differs from the other contexts): "...wn polynomial time algorithm), satisfiability of weakly negated HORN formulas can be solved in linear time [20]. As part of MAGIC, we have implemented an online linear time HORNSAT algorithm based on [10]. MAGIC can also interface with public domain general SAT solvers like Chaff [35], FGRASP [31] and SATO [40]. 3 Model Creation. Let MSpec = (SSpec, S0,Spec, Act Spec, TSpec) and the assumption PAs be {..."
- Clarke, Grumberg et al., *Counter-example Guided Abstraction Refinement* (11). Context: "...automated and require the use of theorem provers. In this paper we focus on model creation and verification; details about counterexample validation and abstraction refinement are presented elsewhere [26]. The rest of this paper is organized as follows: In Section II we present related work. This is followed in Section III by some basic definitions that are used in the rest of this article. In Section..."
- Kroening, *Application specific higher order logic theorem proving*, 2002 (4). Cited as CPROVER [22] in the theorem-prover passage above.
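Two of the contexts above describe the abstraction step: the one for [11] defines WP(s, e1), the weakest precondition of a C expression with respect to an assignment, and the one for [12] contrasts MAGIC's abstraction with the cheaper Cartesian abstraction. The Python below is an added example, not MAGIC's implementation: it computes WP by substitution, as [11] does for assignments, and then builds the abstract successors of one assignment under both a per-predicate (Cartesian) and a per-state (Boolean) abstraction. The theorem prover MAGIC would call (Simplify, CVC, ICS, ...) is replaced by an assumed exhaustive check over a small integer range, `DOMAIN`, which is an illustration device only and not a decision procedure for C integers; predicates are written in Python expression syntax so the standard `ast` module can parse them, and the assignment `x = x - 1` with predicates `x > 0` and `x == 0` is constructed for the example.

```python
"""Weakest preconditions and predicate abstraction of one C-style assignment.

Added example, not code from MAGIC or the paper. WP("x = rhs", e) is e with
every read of x replaced by rhs, as in the [11] context above. The prover is
an assumed brute-force check over DOMAIN (illustration only).
"""
import ast
import copy
import itertools

DOMAIN = range(-4, 5)  # assumed bounded stand-in for unbounded C integers


class _Substitute(ast.NodeTransformer):
    """Replace every read of `var` by a copy of the expression tree `rhs`."""

    def __init__(self, var, rhs):
        self.var, self.rhs = var, rhs

    def visit_Name(self, node):
        return copy.deepcopy(self.rhs) if node.id == self.var else node


def wp(assignment, expr):
    """WP(assignment, expr) as a string, e.g. wp("x = x + 1", "x > 0") -> "x + 1 > 0"."""
    var, rhs = (part.strip() for part in assignment.split("=", 1))
    rhs_tree = ast.parse(rhs, mode="eval").body
    tree = ast.parse(expr, mode="eval")
    tree = ast.fix_missing_locations(_Substitute(var, rhs_tree).visit(tree))
    return ast.unparse(tree)


def _holds(expr, env):
    code = compile(ast.parse(expr, mode="eval"), "<predicate>", "eval")
    return bool(eval(code, {"__builtins__": {}}, env))


def satisfiable(formulas, variables):
    """Stand-in prover: some valuation of `variables` over DOMAIN satisfies all formulas."""
    for values in itertools.product(DOMAIN, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(_holds(f, env) for f in formulas):
            return True
    return False


def implies(hyps, concl, variables):
    return not satisfiable(hyps + [f"not ({concl})"], variables)


def literals(predicates, state):
    """The conjuncts describing an abstract state (one truth value per predicate)."""
    return [p if bit else f"not ({p})" for p, bit in zip(predicates, state)]


def abstract_post(assignment, predicates, state, variables, precise=False):
    """Abstract successors of `state` under `assignment`.

    precise=False: Cartesian abstraction, each predicate decided on its own
                   (2n prover queries, may return infeasible combinations).
    precise=True:  Boolean abstraction, one satisfiability query per candidate
                   successor (2^n queries, exact over the predicates).
    """
    hyps = literals(predicates, state)
    if not satisfiable(hyps, variables):
        return set()  # infeasible abstract state has no successors
    if precise:
        return {nxt for nxt in itertools.product((True, False), repeat=len(predicates))
                if satisfiable(hyps + [wp(assignment, lit)
                                       for lit in literals(predicates, nxt)], variables)}
    choices = []
    for p in predicates:
        if implies(hyps, wp(assignment, p), variables):
            choices.append((True,))
        elif implies(hyps, wp(assignment, f"not ({p})"), variables):
            choices.append((False,))
        else:
            choices.append((True, False))  # prover proves neither: keep both
    return set(itertools.product(*choices))


if __name__ == "__main__":
    preds = ["x > 0", "x == 0"]  # constructed predicate set
    print("WP(x = x - 1, x > 0) =", wp("x = x - 1", "x > 0"))
    for mode in (False, True):
        succ = abstract_post("x = x - 1", preds, (True, False), ["x"], precise=mode)
        print("Boolean" if mode else "Cartesian", "successors of (x>0, not x==0):", sorted(succ))
```

Both abstractions over-approximate the concrete step. The Cartesian one also returns the infeasible successor `(True, True)`, meaning `x > 0` and `x == 0` at once, because it decides each predicate in isolation; the Boolean one asks the prover once per candidate successor and rules it out. That extra prover work is what the [12] context means by investing more computing power to improve on Cartesian abstraction.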