Results 11  20
of
152
Finding Feasible Counterexamples when Model Checking Abstracted Java Programs
 IN PROCEEDINGS OF TACAS
, 2001
"... Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larg ..."
Abstract

Cited by 49 (5 self)
 Add to MetaCart
(Show Context)
Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larger systems. Most common abstraction techniques compute an upper approximation of the original program. Thus, when a specification is found true for the abstracted program, it is known to be true for the original program. Finding a specification to be false, however, is inconclusive since the specification may be violated on a behavior in the abstracted program which is not present in the original program. We have extended an explicitstate model checker, Java PathFinder (JPF), to analyze counterexamples in the presence of abstractions. We enhanced JPF to search for "feasible" counterexamples during model checking. Alternatively, an abstract counterexample can be used to guide the simulation of the concrete computation and thereby check feasibility of the counterexample. We demonstrate the effectiveness of these techniques on counterexamples from checks of several multithreaded Java programs.
Model checking security properties of control flow graphs
 Journal of Computer Security
"... graphs ..."
(Show Context)
CounterExample Guided Predicate Abstraction of Hybrid Systems
, 2003
"... Predicate abstraction has emerged to be a powerful technique for extracting finitestate models from infinitestate systems, and has been recently shown to enhance the effectiveness of the reachability computation techniques for hybrid systems. Given a hybrid system with linear dynamics and a set of ..."
Abstract

Cited by 44 (8 self)
 Add to MetaCart
(Show Context)
Predicate abstraction has emerged to be a powerful technique for extracting finitestate models from infinitestate systems, and has been recently shown to enhance the effectiveness of the reachability computation techniques for hybrid systems. Given a hybrid system with linear dynamics and a set of linear predicates, the verifier performs an onthefly search of the finite discrete quotient whose states correspond to the truth assignments to the input predicates. The success of this approach crucially depends on the choice of the predicates used for abstraction. In this paper, we focus on identifying these predicates automatically by analyzing spurious counterexamples generated by the search in the abstract statespace. We present the basic techniques for discovering new predicates that will rule out closely related spurious counterexamples, optimizations of these techniques, implementation of these in the verification tool, and case studies demonstrating the promise of the approach.
Equational abstractions
 of LNCS
, 2003
"... Abstract. Abstraction reduces the problem of whether an infinite state system satisfies version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the m ..."
Abstract

Cited by 42 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Abstraction reduces the problem of whether an infinite state system satisfies version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the minimal quotient system together with a set of proof obligations that guarantee its executability and can be discharged with tools such as those in the Maude formal environment.
Predicate abstraction for reachability analysis of hybrid systems
 ACM Trans. Embedded Comput. Syst
, 2006
"... Embedded systems are increasingly finding their way into a growing range of physical devices. These embedded systems often consist of a collection of software threads interacting concurrently with each other and with a physical, continuous environment. While continuous dynamics have been well studie ..."
Abstract

Cited by 41 (3 self)
 Add to MetaCart
(Show Context)
Embedded systems are increasingly finding their way into a growing range of physical devices. These embedded systems often consist of a collection of software threads interacting concurrently with each other and with a physical, continuous environment. While continuous dynamics have been well studied in control theory, and discrete and distributed systems have been investigated in computer science, the combination of the two complexities leads us to the recent research on hybrid systems. This paper addresses the formal analysis of such hybrid systems. Predicate abstraction has emerged to be a powerful technique for extracting finitestate models from infinitestate discrete programs. This paper presents algorithms and tools for reachability analysis of hybrid systems by combining the notion of predicate abstraction with recent techniques for approximating the set of reachable states of linear systems using polyhedra. Given a hybrid system and a set of predicates, we consider the finite discrete quotient whose states correspond to all possible truth assignments to the input predicates. The tool performs an onthefly exploration of the abstract system. We present the basic techniques for guided search in the abstract statespace, optimizations of these techniques, implementation of these in our verifier, and case studies demonstrating the promise of the approach. We also address the completeness of our abstractionbased verification strategy by showing that predicate abstraction of hybrid systems can be used to prove bounded safety.
Refining Model Checking by Abstract Interpretation
 Automated Software Engineering
, 1999
"... In abstract modelchecking, the semantics of an infinite transition system is abstracted to get a finite approximation on which temporallogic/mucalculus modelchecking can be directly applied. The paper proposes two improvements of abstract modelchecking which can be applied to infinite abstract ..."
Abstract

Cited by 39 (4 self)
 Add to MetaCart
(Show Context)
In abstract modelchecking, the semantics of an infinite transition system is abstracted to get a finite approximation on which temporallogic/mucalculus modelchecking can be directly applied. The paper proposes two improvements of abstract modelchecking which can be applied to infinite abstract transition systems:  A new combination of forwards and backwards abstract fixedpoint modelchecking computations for universal safety. It computes a more precise result than that computed by conjunction of the forward and backward analyses alone, without needing to refine the abstraction;  When abstraction is unsound (as can happen in minimum/maximum pathlength problems), it is proposed to use the partial results of a classical combination of forward and backward abstract interpretation analyses for universal safety in order to reduce, onthefly, the concrete state space to be searched by modelchecking.
Compositional Minimisation of Finite State Systems Using Interface Specifications
, 1996
"... We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit g ..."
Abstract

Cited by 38 (7 self)
 Add to MetaCart
We present a method for the compositional construction of the minimal transition system that represents the semantics of a given distributed system. Our aim is to control the state explosion caused by the interleavings of actions of communicating parallel components by reduction steps that exploit global communication constraints given in terms of interface specifications. The effect of the method, which is developed for bisimulation semantics here, depends on the structure of the distributed system under consideration, and the accuracy of the interface specifications. However, its correctness is independent of the correctness of the interface specifications provided by the program designer.
Automatic Generation of State Invariants from Requirements Specifications
 FSE6
, 1998
"... Automatic generation of state invariants, properties that hold in every reachable state of a state machine model, can be valuable in software development. Not only can such invariants be presented to system users for validation, in addition, they can be used as auxiliary assertions in proving other ..."
Abstract

Cited by 38 (19 self)
 Add to MetaCart
(Show Context)
Automatic generation of state invariants, properties that hold in every reachable state of a state machine model, can be valuable in software development. Not only can such invariants be presented to system users for validation, in addition, they can be used as auxiliary assertions in proving other invariants. This paper describes an algorithm for the automatic generation of state invariants that, in contrast to most other such algorithms, which operate on programs, derives invariants from requirements specifications. Generating invariants from requirements specifications rather than programs has two advantages: 1) because requirements specifications, unlike programs, are at a high level of abstraction, generation of and analysis using such invariants is easier, and 2) using invariants to detect errors during the requirements phase is considerably more costeffective than using invariants later in software development. To illustrate the algorithm, we use it to generate state invariants from requirements specifications of an automobile cruise control system and a simple control system for a nuclear plant. The invariants are derived from specifications expressed in the SCR (Software Cost Reduction) tabular notation.
Symbolic Reachability Analysis Using Narrowing and its Application to Verification of Cryptographic Protocols
 Journal of HigherOrder and Symbolic Computation
, 2004
"... Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narro ..."
Abstract

Cited by 34 (12 self)
 Add to MetaCart
(Show Context)
Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under reasonable executability assumptions about R. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by R. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to analysis of cryptographic protocols.