Results 1 - 10 of 109
Counterexample-guided Abstraction Refinement
, 2000
Cited by 843 (71 self)
Abstract
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
Regular Model Checking
, 2000
Cited by 164 (25 self)
Abstract
We present regular model checking, a framework for algorithmic verification of infinite-state systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular length-preserving relation on strings. Major problems in the verification of parameterized and infinite-state systems are to compute the set of states that are reachable from some set of initial states, and to compute the transitive closure of the transition relation. We present two complementary techniques for these problems. One is a direct automata-theoretic construction, and the other is based on widening. Both techniques are incomplete in general, but we give sufficient conditions under which they work. We also present a method for verifying ω-regular properties of parameterized systems, by computation of the transitive closure of a transition relation. 1 Introduction This paper presents regular ...
Formal Analysis of a Space Craft Controller using SPIN
- In Proceedings of the 4th SPIN workshop
, 1998
Cited by 88 (27 self)
Abstract
Abstract. This report documents an application of the finite state model checker Spin to formally verify a multi-threaded plan execution programming language. The plan execution language is one component of NASA's New Millennium Remote Agent, an artificial intelligence based spacecraft control system architecture that is scheduled to launch in December of 1998 as part of the Deep Space 1 mission to Mars. The language is concretely named Esl (Executive Support Language) and is basically a language designed to support the construction of reactive control mechanisms for autonomous robots and spacecraft. It offers advanced control constructs for managing interacting parallel goal- and event-driven processes, and is currently implemented as an extension to a multi-threaded Common Lisp. A total of 5 errors were in fact identified, 4 of which were important. This is regarded as a very successful result. According to the Remote Agent programming team the effort has had a major impact, locating errors that would probably not have been
Tool-supported Program Abstraction for Finite-state Verification
- In Proceedings of the 23rd International Conference on Software Engineering
, 2000
Cited by 73 (8 self)
Abstract
Numerous researchers have reported success in reasoning about properties of small programs using finite-state verification techniques. We believe, as do most researchers in this area, that in order to scale those initial successes to realistic programs, aggressive abstraction of program data will be necessary. Furthermore, we believe that to make abstraction-based verification usable by non-experts significant tool support will be required. In this paper, we describe how several different program analysis and transformation techniques are integrated into the Bandera toolset to provide facilities for abstracting Java programs to produce compact, finite-state models that are amenable to verification, for example via model checking. We illustrate the application of Bandera's abstraction facilities to analyze a realistic multi-threaded Java program. 1. Introduction Finite-state verification techniques, such as model checking, are rekindling interest in program verification. Such techniqu...
Infinite state model checking by abstract interpretation and program specialisation
- Logic-Based Program Synthesis and Transformation. Proceedings of LOPSTR’99, LNCS 1817
, 2000
Cited by 67 (27 self)
Abstract
Abstract. We illustrate the use of logic programming techniques for finite model checking of CTL formulae. We present a technique for infinite state model checking of safety properties based upon logic program specialisation and analysis techniques. The power of the approach is illustrated on several examples. For that, the efficient tools logen and ecce are used. We discuss how this approach has to be extended to handle more complicated infinite state systems and to handle arbitrary CTL formulae.
Finding Feasible Counter-examples when Model Checking Abstracted Java Programs
- In Proceedings of TACAS
, 2001
Cited by 49 (5 self)
Abstract
Despite recent advances in model checking and in adapting model checking techniques to software, the state explosion problem remains a major hurdle in applying model checking to software. Recent work in automated program abstraction has shown promise as a means of scaling model checking to larger systems. Most common abstraction techniques compute an upper approximation of the original program. Thus, when a specification is found true for the abstracted program, it is known to be true for the original program. Finding a specification to be false, however, is inconclusive since the specification may be violated on a behavior in the abstracted program which is not present in the original program. We have extended an explicit-state model checker, Java PathFinder (JPF), to analyze counter-examples in the presence of abstractions. We enhanced JPF to search for "feasible" counter-examples during model checking. Alternatively, an abstract counter-example can be used to guide the simulation of the concrete computation and thereby check feasibility of the counter-example. We demonstrate the effectiveness of these techniques on counter-examples from checks of several multi-threaded Java programs.
An Approach to Symbolic Test Generation
- In Proc. Integrated Formal Methods
, 2000
Cited by 49 (7 self)
Abstract
Test generation is a program-synthesis problem: starting from the formal specification of a system under test, and from a test purpose describing a set of behaviours to be tested, compute a reactive program that observes an implementation of the system to detect non-conformant behaviour, while trying to control it towards satisfying the test purpose. In this paper we describe an approach for generating symbolic test cases, in the form of input-output automata with variables and parameters. 1 Introduction It is widely recognized that testing is an essential component of the full lifecycle of software systems. Among the many different testing techniques, conformance testing [11] is one of the most rigorous. The usual theoretical approach [5, 16] is to consider a formal specification of the intended behaviour of the Implementation Under Test (IUT). It allows to define the notion of conformance relation, which defines the correct implementations with respect to the specification. It also...
An Overview of SAL
- LFM 2000: Fifth NASA Langley Formal Methods Workshop
, 2000
Cited by 46 (6 self)
Abstract
To become practical for assurance, formal methods must be made more cost-effective and must contribute to both debugging and certification. Furthermore, the style of interaction must reflect the concerns of a designer rather than the peculiarities of a prover. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a framework for combining different tools to calculate properties (i.e., performing symbolic analysis) of concurrent systems. The heart of SAL is a language, developed in collaboration with Stanford, Berkeley, and Verimag, for specifying concurrent systems in a compositional way. Our instantiation of the SAL framework augments PVS with tools for abstraction, invariant generation, program analysis (such as slicing), theorem proving, and model checking to calculate properties (i.e., perform symbolic analysis) of concurrent systems. We describe the motivation, the language, the tools, and their integration in SAL/PVS, and some preliminary experience of their use. ...
Equational abstractions
- of LNCS
, 2003
Cited by 42 (14 self)
Abstract
Abstract. Abstraction reduces the problem of whether an infinite state system satisfies version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the minimal quotient system together with a set of proof obligations that guarantee its executability and can be discharged with tools such as those in the Maude formal environment.