## Combinations of model checking and theorem proving (2000)


Venue: Proceedings of the Third Intl. Workshop on Frontiers of Combining Systems, volume 1794 of LNCS

Citations: 11 - 0 self

### BibTeX

```
@INPROCEEDINGS{Uribe00combinationsof,
    author = {Tomás E. Uribe},
    title = {Combinations of model checking and theorem proving},
    booktitle = {Proceedings of the Third Intl. Workshop on Frontiers of Combining Systems, volume 1794 of LNCS},
    year = {2000},
    pages = {151--170},
    publisher = {Springer-Verlag}
}
```

### Abstract

The two main approaches to the formal verification of reactive systems are based, respectively, on model checking (algorithmic verification) and theorem proving (deductive verification). These two approaches have complementary strengths and weaknesses, and their combination promises to enhance the capabilities of each. This paper surveys a number of methods for doing so. As is often the case, the combinations can be classified according to how tightly the different components are integrated, their range of application, and their degree of automation.

### Citations

2934 | Graph-Based Algorithms for Boolean Function Manipulation
- Bryant
- 1986

Citation Context: ...elations, and automated support for validity and satisfiability checking (which need not be complete). Examples of other suitable assertion languages include ordered binary decision diagrams (OBDD’s) [12] and their variants, for finite-state systems (see Section 3), and the abstract domains used in invariant generation (see Section 5.1). The initial condition is now expressed as an assertion, characte...

2424 | Model Checking
- Clarke, Grumberg, et al.
- 2000

Citation Context: ...inds of computations. The logic CTL* includes both the branching-time computation tree logic (CTL) and LTL, and is strictly more expressive than both. Due to space limitations, we refer the reader to [44, 16] for the corresponding definitions. A temporal formula is S-valid if it holds at all the initial states of the Kripke structures of S, considering only the fair runs of the system. For LTL, a convenie...

1890 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot
- 1976

Citation Context: ...tems that can be model checked. It can also mitigate the state explosion problem in the finite-state case, by constructing abstract systems with a more manageable state-space. Abstract interpretation [18] provides a general framework and a methodology for automatically producing abstract systems given a choice of the abstract domain ΣA. The goal is to construct abstractions whose state-space can be re...

1298 | Symbolic Model Checking
- McMillan
- 1993

1213 | The temporal logic of programs
- Pnueli
- 1977

Citation Context: ...ng interaction with their environment. Such systems do not necessarily terminate, so their computations are modeled as infinite sequences of states and their properties specified using temporal logic [48]. The verification problem is that of determining if a given reactive system satisfies a given temporal property. Reactive systems cover a wide range of hardware and software artifacts, including conc...

794 | Design and synthesis of synchronization skeletons using branching-time temporal logic
- Clarke, Emerson
- 1981

Citation Context: ...t is, L(S) ⊆ L(ϕ). 3 Finite-State Model Checking Given a reactive system S and a temporal property ϕ, the verification problem is to establish whether S |= ϕ. For finite-state systems, model checking [14, 50] answers this question by a systematic exploration of the state-space of S, based on the observation that checking that a formula is true in a particular model is generally easier than checking that i...

769 | Design and Validation of Computer Protocols
- Holzmann
- 1991

Citation Context: ... model is generally easier than checking that it is true in all models; the Kripke structure of S is the particular model in question, and ϕ is the formula being checked. Model checkers, such as SPIN [32], SMV [45], Murϕ [24], and those in STeP [7], take as input what is essentially a finite-state fair transition system and a temporal formula in some subset of CTL*, and automatically check that the sy...

603 | Construction of abstract state graphs with PVS
- Graf, Saidi
- 1997

Citation Context: ...h assertion in ϕ A by its concretization. Since the abstract system is described in terms of logical formulas, off-the-shelf theorem proving can be used to construct and manipulate it. Graf and Saidi [28] presented the first automatic procedure for generating such abstractions, using theorem proving to explicitly generate the abstract state-space. Given an abstract state s, an approximation of its suc...

388 | Temporal Verification of Reactive Systems: Safety
- Manna, Pnueli
- 1995

Citation Context: ... represented in some other form: a hardware description, a program, or an ω-automaton. Fair transition systems are a convenient formalism for specifying both finite- and infinite-state reactive systems [44]. They are “low-level” in the sense that many other formalisms can be translated or compiled into them. The state-space of the system is determined by a set of system variables V, where each variable ...

291 | Extended static checking
- Detlefs, Leino, et al.
- 1998

Citation Context: .... Fortunately, the required quantifier instantiations are often “obvious,” and use instances that can be provided by the decision procedures themselves. Both the Extended Static Checking system (ESC) [23] and the Stanford Temporal Prover (STeP) [6, 7, 9] feature integrations of first-order reasoning and decision procedures that can automatically prove many verification conditions that would otherwise ...

263 | Symbolic model checking using SAT procedures instead of BDDs
- Biere, Cimatti, et al.
- 1999

Citation Context: ...tes. For instance, extensions of OBDD’s are used to move from bit-level to word-level representations [15]; more expressive assertions are used in [36]. Similarly, finite-state bounded model checking [5] abandons BDD’s and relies instead on the “blackbox” use of a propositional validity checker. This method can find counterexamples in cases for which BDD-based symbolic model checking fails. 4 Deducti...

207 | PVS: Combining specification, proof checking, and model checking
- Owre, Rajan, et al.
- 1996

Citation Context: ...ems. To achieve completeness, interactive theorem proving must be used, and the above techniques must be integrated into interactive theorem proving frameworks, as done, for instance, in STeP and PVS [47]. Combining decision procedures, validity checkers and theorem provers, and extending them to ever-more expressive assertion languages, are ongoing challenges. 5 Abstraction and Invariant Generation A...

151 | Validity checking for combinations of theories with equality
- Barrett, Dill, et al.
- 1996

Citation Context: ...t-Order Reasoning Decision procedures usually operate only at the ground level, where no quantification is allowed. This is sufficient in many cases; for instance, the Stanford Validity Checker (SVC) [2] is an efficient checker specialized to handle large ground formulas, including uninterpreted function symbols, that occur in hardware verification. However, program features such as parameterization ...

138 | Property preserving abstractions for the verification of concurrent systems
- Loiseaux, Graf, et al.
- 1995

Citation Context: ...original system. Originally designed for deriving safety properties in static program analysis, this framework has recently been extended to include reactive systems and general temporal logic, e.g., [39, 20]. One simple but useful instance of this framework is based on Galois connections. Two functions, $\alpha : 2^{\Sigma_C} \mapsto \Sigma_A$ and $\gamma : \Sigma_A \mapsto 2^{\Sigma_C}$, connect the lattice of sets of concrete states and an abstract d...

136 | The Murϕ verification system
- Dill
- 1996

Citation Context: ...asier than checking that it is true in all models; the Kripke structure of S is the particular model in question, and ϕ is the formula being checked. Model checkers, such as SPIN [32], SMV [45], Murϕ [24], and those in STeP [7], take as input what is essentially a finite-state fair transition system and a temporal formula in some subset of CTL*, and automatically check that the system satisfies the pr...

131 | Experience with predicate abstraction
- Das, Dill, et al.
- 1999

Citation Context: ...erating only under the assumption of soundness; more powerful checkers will yield better abstractions. For instance, SVC [2] (see Section 4.1) has been used to generate predicate abstractions as well [21]. As with invariant generation, these methods can be parameterized by the abstract assertion language and validity checker used. Note that some user interaction is still necessary, in the choice of as...

110 | Specification and verification of concurrent systems
- Queille, Sifakis
- 1982

Citation Context: ...t is, L(S) ⊆ L(ϕ). 3 Finite-State Model Checking Given a reactive system S and a temporal property ϕ, the verification problem is to establish whether S |= ϕ. For finite-state systems, model checking [14, 50] answers this question by a systematic exploration of the state-space of S, based on the observation that checking that a formula is true in a particular model is generally easier than checking that i...

100 | Abstract interpretation and partition refinement for model checking
- Dams
- 1996

Citation Context: ...original system. Originally designed for deriving safety properties in static program analysis, this framework has recently been extended to include reactive systems and general temporal logic, e.g., [39, 20]. One simple but useful instance of this framework is based on Galois connections. Two functions, $\alpha : 2^{\Sigma_C} \mapsto \Sigma_A$ and $\gamma : \Sigma_A \mapsto 2^{\Sigma_C}$, connect the lattice of sets of concrete states and an abstract d...

99 | Computing abstractions of infinite state systems automatically and compositionally
- Bensalem, Lakhnech, et al.
- 1998

Citation Context: ...large to enumerate explicitly, but can still be handled by a symbolic model checker. The price paid by this approach, compared to [28], is that a coarser abstraction may be obtained. Bensalem et al. [3] present a similar framework for generating abstractions. Here, the invariant to be proved is assumed when generating the abstraction, yielding a better abstract system. From the combination point of ...

91 | Symbolic model checking with rich assertional languages
- Kesten, Maler, et al.
- 1997

Citation Context: ... language used to describe and manipulate sets of states. For instance, extensions of OBDD’s are used to move from bit-level to word-level representations [15]; more expressive assertions are used in [36]. Similarly, finite-state bounded model checking [5] abandons BDD’s and relies instead on the “blackbox” use of a propositional validity checker. This method can find counterexamples in cases for whic...

88 | An integration of model-checking with automated proof checking
- Rajan, Shankar, et al.
- 1995

Citation Context: ...s of an I/O-automata abstraction, which is then model checked. Hungar [33] constructs model-checkable abstractions based on data independence and modularity. Abstraction is also used by Rajan et al. [51] to obtain subgoals that can be model checked, where the correctness of the abstraction is proved deductively. Kurshan and Lamport [38] use deductive modular decomposition to reduce the correctness of...

86 | Abstract and model check while you prove
- Saidi, Shankar
- 1999

Citation Context: ...uce a concrete counterexample. Conjectures generated during the refinement process are given to the theorem prover, and the process repeated. A similar methodology is proposed by Saidi and Shankar [54]. The ongoing Symbolic Analysis Laboratory (SAL) project at SRI [52] proposes a collection of multiple different analysis tools, including theorem provers, model checkers, abstraction and invariant ge...

80 | HYTECH: The Cornell Hybrid Technology Tool
- Henzinger, Ho
- 1995

Citation Context: ... exploration of a finite quotient of the state-space is sufficient. For others, the convergence of fixpoint operations is ensured by the right choice of abstract assertion language, such as polyhedra [30] or Presburger arithmetic [13]. The underlying principles are explored in [26, 31]. A number of “local model checking” procedures for general infinite-state systems, such as that of Bradfield and Stir...

74 | Completing the temporal picture
- Manna, Pnueli
- 1989

Citation Context: ...t provides relatively complete proof systems, which can prove any temporal property that indeed holds over the given system, provided the theorem proving tools used are expressive and powerful enough [42]. Unfortunately, if the property fails to hold, deductive methods normally do not give much useful feedback, and the user must try to determine whether the fault lies with the system and property bein...

67 | Generating finite-state abstractions of reactive systems using decision procedures
- Colón, Uribe
- 1998

Citation Context: ...tates S is α(S) def = �A {a ∈ ΣA | S ⊆ γ(a)} . This is the smallest point in the abstract domain that represents all the elements of S. In practice, it is enough to soundly over-approximate such sets [17]. Definition 4 (Abstraction and concretization of CTL* properties). For a concrete CTL* temporal property ϕ, its abstraction α t (ϕ) is obtained by replacing each assertion f in ϕ by an abstract asser...

63 | Symbolic Model Checking of Infinite State Systems Using Presburger Arithmetic
- Bultan, Gerber, et al.
- 1997

Citation Context: ...ent of the state-space is sufficient. For others, the convergence of fixpoint operations is ensured by the right choice of abstract assertion language, such as polyhedra [30] or Presburger arithmetic [13]. The underlying principles are explored in [26, 31]. A number of “local model checking” procedures for general infinite-state systems, such as that of Bradfield and Stirling [10], are also hybrid com...

60 | Program analysis as model checking of abstract interpretations
- Schmidt, Steffen

Citation Context: ...ues to be the subject of much research. Static program analysis methods based on abstract interpretation have been recently re-formulated in terms of model checking. For instance, Schmidt and Steffen [55] show how many program analysis techniques can be understood as the model checking of particular kinds of abstractions. ESC [23] and Nitpick [34] are tools that automatically detect errors in software...

56 | Generalized verification diagrams
- Browne, Manna, et al.
- 1995

Citation Context: ...ct [7]. They offer deductive-algorithmic proof methods that are applicable to arbitrary temporal properties. Static Abstractions: GVD’s: The Generalized Verification Diagrams (GVD’s) of Browne et al. [11] provide a graphical representation of the verification conditions needed to establish an arbitrary temporal formula, extending the specialized diagrams of Manna and Pnueli [43]. A GVD serves as a ...

56 | On model checking for non-deterministic infinite-state systems
- Emerson, Namjoshi
- 1998

Citation Context: ..., the convergence of fixpoint operations is ensured by the right choice of abstract assertion language, such as polyhedra [30] or Presburger arithmetic [13]. The underlying principles are explored in [26, 31]. A number of “local model checking” procedures for general infinite-state systems, such as that of Bradfield and Stirling [10], are also hybrid combinations of deductive verification rules and model ...

55 | Hybrid decision diagrams overcoming the limitations of MTBDDs and BMDs
- Clarke, Fujita, et al.
- 1995

Citation Context: ...l checking is parameterized by the constraint language used to describe and manipulate sets of states. For instance, extensions of OBDD’s are used to move from bit-level to word-level representations [15]; more expressive assertions are used in [36]. Similarly, finite-state bounded model checking [5] abandons BDD’s and relies instead on the “blackbox” use of a propositional validity checker. This meth...

51 | STeP: Deductive-algorithmic verification of reactive and real-time systems
- Bjørner, Browne, et al.

Citation Context: ... it is true in all models; the Kripke structure of S is the particular model in question, and ϕ is the formula being checked. Model checkers, such as SPIN [32], SMV [45], Murϕ [24], and those in STeP [7], take as input what is essentially a finite-state fair transition system and a temporal formula in some subset of CTL*, and automatically check that the system satisfies the property. (See [16] for a...

48 | Automatic generation of invariants and intermediate assertions
- Bjorner, Manna
- 1997

46 | Combining model checking and deduction for I/O-automata
- Müller, Nipkow
- 1995

Citation Context: ...d modular verification are often performed manually and then proved correct. If done within a general theorem proving environment, these steps can be formally checked. For instance, Müller and Nipkow [46] use the Isabelle theorem prover to prove the soundness of an I/O-automata abstraction, which is then model checked. Hungar [33] constructs model-checkable abstractions based on data independence and ...

46 | Deductive model checking
- Sipma, Uribe, et al.
- 1999

Citation Context: ...es not include refinement operations in the case that the proof attempt fails, it is static. Dynamic Abstractions: Deductive Model Checking: Deductive Model Checking (DMC), presented by Sipma et al. [57], is a method for the interactive model checking of possibly infinite-state systems. To prove a property ϕ, DMC searches for a counterexample computation by refining an abstraction of the (S, ¬ϕ) prod...

44 | A classification of symbolic transition systems
- Henzinger, Majumdar, et al.
- 2005

Citation Context: ..., the convergence of fixpoint operations is ensured by the right choice of abstract assertion language, such as polyhedra [30] or Presburger arithmetic [13]. The underlying principles are explored in [26, 31]. A number of “local model checking” procedures for general infinite-state systems, such as that of Bradfield and Stirling [10], are also hybrid combinations of deductive verification rules and model ...

43 | Local model checking for infinite state spaces
- Bradfield, Stirling
- 1992

Citation Context: ...resburger arithmetic [13]. The underlying principles are explored in [26, 31]. A number of “local model checking” procedures for general infinite-state systems, such as that of Bradfield and Stirling [10], are also hybrid combinations of deductive verification rules and model checking. Another top-down approach is presented by Damm et al. [19] as a “truly symbolic” model checking procedure, analyzing...

43 | A platform for combining deductive with algorithmic verification
- Pnueli, Shahar
- 1996

Citation Context: ...ge. So is devising invariant generation methods that take advantage of system properties already proven. Invariants can also be used to constrain the set of states explored in symbolic model checking [49], for extra efficiency. Here, too, it may be necessary to translate the invariant into a form useful to the model checker, e.g. if an individual component or an abstracted finite-state version is bein...

35 | Verification of a multiplier: 64 bits and beyond
- Kurshan, Lamport
- 1993

Citation Context: ...ndence and modularity. Abstraction is also used by Rajan et al. [51] to obtain subgoals that can be model checked, where the correctness of the abstraction is proved deductively. Kurshan and Lamport [38] use deductive modular decomposition to reduce the correctness of a large hardware system to that of smaller components that can be model checked. 6.3 Abstraction Generation Using Theorem Proving Many...

20 | Combining model checking and theorem proving to verify parallel processes
- Hungar
- 1993

Citation Context: ...t, these steps can be formally checked. For instance, Müller and Nipkow [46] use the Isabelle theorem prover to prove the soundness of an I/O-automata abstraction, which is then model checked. Hungar [33] constructs model-checkable abstractions based on data independence and modularity. Abstraction is also used by Rajan et al. [51] to obtain subgoals that can be model checked, where the correctness o...

19 | Visual abstractions for temporal verification
- Manna, Browne, et al.
- 1999

Citation Context: ...grams of Manna and Pnueli [43]. A GVD serves as a proof object, but is also a weakly-preserving assertion-based abstraction of the system, where the basis is the set of formulas used in the diagram [41]. Each node in the diagram is labeled with an assertion f, and corresponds to an abstract state representing the set of states that satisfy f. The diagram Φ is identified with a set of computations L(...

19 | On proving safety properties by integrating static analysis, theorem proving and abstraction
- Rusu, Singerman
- 1998

Citation Context: ...odel checking succeeds under a given set of assumptions. In the latter case, the assumptions are deductively verified over the concrete system. If they hold, the proof is complete. Rusu and Singerman [53] present a framework that combines abstraction, abstraction refinement and theorem proving specialized to the case of invariants, where the different components are treated as “black boxes.” After an ...

17 | Abstraction-based deductive-algorithmic verification of reactive systems. http://wwwstep.stanford.edu/papers/dissertations/tomas.pdf
- Uribe
- 1999

Citation Context: ...e work on formal verification during the last decade is related to the subject of this paper, the bibliography can only describe a subset of the work in the field. Furthermore, this paper is based on [58], which presents the author’s own view on the subject, and thus carries all the biases which that particular proposal may have. For this, we apologize in advance. 2 Preliminaries 2.1 Kripke Structures...

16 | Integrating Decision Procedures for Temporal Verification
- Bjørner
- 1998

Citation Context: ...allenge is to integrate existing decision procedures for the different decidable fragments and their combination into theorem-proving methods that can be effectively used in verification. See Bjørner [6] for examples of such combinations. 4.2 Validity Checking and First-Order Reasoning Decision procedures usually operate only at the ground level, where no quantification is allowed. This is sufficie...

16 | Modularization and abstraction: The keys to practical formal verification
- Kesten, Pnueli
- 1998

Citation Context: ...d Invariant Generation Abstraction is a fundamental and widely-used verification technique. Together with modularity, it is the basis of most combinations of model checking and deductive verification [37], as we will see in Sections 6 and 7. Abstraction reduces the verification of a property ϕ over a concrete system S, to checking a related property ϕ A over a simpler abstract system A. It allows the ...

12 | Integrated formal verification: Using model checking with automated abstraction, invariant generation, and theorem proving
- Rushby
- 1999

Citation Context: ...tively. Abstraction and modularity are orthogonal to each other: modules can be abstracted, and abstractions can be decomposed. Together, they form a powerful basis for scaling up formal verification [37, 52]. 6.2 General Deductive Environments A general-purpose theorem prover can formalize modular decomposition and assume-guarantee reasoning, formalize and verify the correctness of abstractions, apply ve...

11 | Deductive verification of modular systems
- Finkbeiner, Manna, et al.
- 1998

Citation Context: ... and automatic invariant generation, which share a common system and property specification language. To this, modularity and compositional verification are being added as well—see Finkbeiner et al. [27]. Dingel and Filkorn [25] apply abstraction and error trace analysis to infinite-state systems. The abstract system is generated automatically given a data abstraction that maps concrete variables and ...

11 | Reducing manual abstraction in formal verification of out-of-order execution
- Jones, Skakkebæk, et al.
- 1998

Citation Context: ... an infinite-state abstract domain has proved useful here, namely, using uninterpreted function symbols and symbolically executing the system using a decidable logic, as shown, e.g., by Jones et al. [35]. 7.3 Integrated Approaches A number of verification environments and methodologies have been proposed that combine the above ingredients in a systematic way. As mentioned above, STeP [7] includes ded...

9 | Temporal verification by diagram transformations
- Alfaro, Manna
- 1996

Citation Context: ...ible even in the case of finite-state systems. Sipma [56] describes DMC, GVD’s, and their application to the verification of real-time and hybrid systems. The fairness diagrams of de Alfaro and Manna [22] present an alternate dynamic refinement method that combines the top-down and bottom-up approaches. 7.2 Model Checking for Infinite-State Systems Abstraction is also the basis of model checking algor...

8 | A practical integration of first-order reasoning and decision procedures
- Bjørner, Stickel, et al.
- 1997

Citation Context: ...tiations are often “obvious,” and use instances that can be provided by the decision procedures themselves. Both the Extended Static Checking system (ESC) [23] and the Stanford Temporal Prover (STeP) [6, 7, 9] feature integrations of first-order reasoning and decision procedures that can automatically prove many verification conditions that would otherwise require the use of an interactive prover. Finally,...

8 | Nitpick Reference Manual
- Jackson, Damon
- 1996

Citation Context: ...s of model checking. For instance, Schmidt and Steffen [55] show how many program analysis techniques can be understood as the model checking of particular kinds of abstractions. ESC [23] and Nitpick [34] are tools that automatically detect errors in software systems by combining static analysis and automatic theorem proving methods. Another challenge is to further combine program analysis techniques ...