Results 1 - 10
of
60
Counterexample-guided Abstraction Refinement
, 2000
"... We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symb ..."
Abstract
-
Cited by 843 (71 self)
- Add to MetaCart
(Show Context)
We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
MONA: Monadic Second-Order Logic in Practice
- IN PRACTICE, IN TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS, FIRST INTERNATIONAL WORKSHOP, TACAS '95, LNCS 1019
, 1995
"... The purpose of this article is to introduce Monadic Second-order Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finite-state au ..."
Abstract
-
Cited by 149 (20 self)
- Add to MetaCart
(Show Context)
The purpose of this article is to introduce Monadic Second-order Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finite-state automata. The tool is based on new algorithms for minimizing finitestate automata that use binary decision diagrams (BDDs) to represent transition functions in compressed form. A byproduct of this work is a new bottom-up algorithm to reduce BDDs in linear time without hashing. The potential
Automatic Abstraction without Counterexamples
, 2002
"... A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SAT-based bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The perfo ..."
Abstract
-
Cited by 134 (9 self)
- Add to MetaCart
(Show Context)
A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SAT-based bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The performance of this approach on benchmarks derived from microprocessor verification indicates that SAT solvers are quite effective in eliminating logic that is not relevant to a given property. Moreover, benchmark results suggest that when bounded model checking successfully terminates, and the problem is unsatisfiable, the number of state variables in the proof of unsatisfiability tends to be small. In all cases tested, when bounded model checking succeeded, unbounded model checking of the resulting abstraction also succeeded.
Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT Based Conflict Analysis
- IN PROCEEDINGS OF FMCAD
, 2002
"... We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk ..."
Abstract
-
Cited by 84 (12 self)
- Add to MetaCart
We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk where invisible variables were treated as free inputs we describe a co06NGmEG7430m mo0 advantageo3 approF h in which the abstract transitio relatio isappro ximated by pre-89889L6728 invisible variables during imageco8087FmEG0 The abstract co4 terexamplesorexamp fro mo del-checking the abstract mo del are symbo lically simulatedo the coG0K8K system using a state-oGNK7Kmo SAT checker. Ifno co43FK3 co4 terexample isfo640 a subseto f the invisible variables is reintro duced into the systemand thepro cess is repeated. The main co tributio o f this paper are two new algo37FmE fo identifying the relevant variablesto be reintro duced. Thesealgo78NNm mogo7 the SAT checking phase inom4F to analyze the impacto individual variables. Ourmetho d is co48NFF fo safetypro erties (AG p) in the sense that -- perfoN06G0 permitting -- a pro erty is either verifiedo dispro ved by aco4GKKm co4 terexample. Experimental results are givento demoGGmE40 the power of our method on real-world designs.
The software model checker BLAST: Applications to software engineering
- INTERNATIONAL JOURNAL ON SOFTWARE TOOLS TECHNOLOGY TRANSFER
, 2006
"... BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, ..."
Abstract
-
Cited by 63 (5 self)
- Add to MetaCart
(Show Context)
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs.
Tree-Like Counterexamples in Model Checking
- In Proceedings of the 17 th Annual IEEE Symposium on Logic in Computer Science (LICS’02
, 2002
"... Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, state-of the art model checkers are restricted to relatively simple counterexamples, and surprisingly little rese ..."
Abstract
-
Cited by 61 (5 self)
- Add to MetaCart
(Show Context)
Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, state-of the art model checkers are restricted to relatively simple counterexamples, and surprisingly little research effort has been put into counterexamples. In this paper, we introduce a new general framework for counterexamples. The paper has three main contributions: (i) We determine the general form of ACTL counterexamples. To this end, we investigate the notion of counterexample and show that a large class of temporal logics beyond ACTL admits counterexamples with a simple tree-like transition relation. We show that the existence of tree-like counterexamples is related to a universal fragment of extended branching time logic based on ! regular temporal operators. (ii) We present new symbolic algorithms to generate tree-like counterexamples for ACTL specifications. (iii) Based on tree-like counterexamples we extend the abstraction refinement methodology developed recently by Clarke et al. (CAV'2000) to full ACTL. This demonstrates the conceptual simplicity and elegance of tree-like counterexamples.
Counter-Example Based Predicate Discovery in Predicate Abstraction
- IN FORMAL METHODS IN COMPUTER-AIDED DESIGN
, 2002
"... The application of predicate abstraction to parameterized systems requires the use of quantified predicates. These predicates cannot be found automatically by existing techniques and are tedious for the user to provide. In this work we demonstrate a method of discovering most of these predicates aut ..."
Abstract
-
Cited by 58 (2 self)
- Add to MetaCart
(Show Context)
The application of predicate abstraction to parameterized systems requires the use of quantified predicates. These predicates cannot be found automatically by existing techniques and are tedious for the user to provide. In this work we demonstrate a method of discovering most of these predicates automatically by analyzing spurious abstract counter-example traces. Since predicate discovery for unbounded state systems is an undecidable problem, it can fail on some problems.
A Survey of Automated Techniques for Formal Software Verification
- TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract
-
Cited by 49 (5 self)
- Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
Refining Approximations in Software Predicate Abstraction
- In: TACAS 04: Tools and Algorithms for Construction and Analysis of Systems, Springer-Verlag
, 2004
"... Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinite-state systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of comp ..."
Abstract
-
Cited by 45 (10 self)
- Add to MetaCart
(Show Context)
Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinite-state systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates.
Formal Property Verification by Abstraction Refinement with Formal, Simulation and Hybrid Engines
- In Proceedings of the DAC
, 2001
"... and BDD-based symbolic image computation to find an error trace on the subcircuit. RFN also computes a forward fixpoint using post-image computation to verify the unreachability property on the subcircuit. If the property is True for the subcircuit, RFN reports that the property is True for the orig ..."
Abstract
-
Cited by 42 (6 self)
- Add to MetaCart
(Show Context)
and BDD-based symbolic image computation to find an error trace on the subcircuit. RFN also computes a forward fixpoint using post-image computation to verify the unreachability property on the subcircuit. If the property is True for the subcircuit, RFN reports that the property is True for the original design and terminates. Otherwise it proceeds to Step 3. In Step 3 we want to find error traces on real-world designs. RFN utilizes the error trace found on the subcircuit to guide sequential ATPG to search for an error trace on the original design. If an error trace of the original design is found, RFN reports that the property is False, prints out the error trace and terminates. Otherwise RFN proceeds to Step 4. In Step 4 we select a set E of registers that are in the original model but not in the abstract model to refine the abstract model. The refined abstract model will be the current abstract model augmented with the set E of registers plus their transitive fanins up to register ...
