Results 1  10
of
60
Counterexampleguided Abstraction Refinement
, 2000
"... We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symb ..."
Abstract

Cited by 843 (71 self)
 Add to MetaCart
(Show Context)
We present an automatic iterative abstractionrefinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly.
MONA: Monadic SecondOrder Logic in Practice
 IN PRACTICE, IN TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS, FIRST INTERNATIONAL WORKSHOP, TACAS '95, LNCS 1019
, 1995
"... The purpose of this article is to introduce Monadic Secondorder Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finitestate au ..."
Abstract

Cited by 149 (20 self)
 Add to MetaCart
(Show Context)
The purpose of this article is to introduce Monadic Secondorder Logic as a practical means of specifying regularity. The logic is a highly succinct alternative to the use of regular expressions. We have built a tool MONA, which acts as a decision procedure and as a translator to finitestate automata. The tool is based on new algorithms for minimizing finitestate automata that use binary decision diagrams (BDDs) to represent transition functions in compressed form. A byproduct of this work is a new bottomup algorithm to reduce BDDs in linear time without hashing. The potential
Automatic Abstraction without Counterexamples
, 2002
"... A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SATbased bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The perfo ..."
Abstract

Cited by 134 (9 self)
 Add to MetaCart
(Show Context)
A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SATbased bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The performance of this approach on benchmarks derived from microprocessor verification indicates that SAT solvers are quite effective in eliminating logic that is not relevant to a given property. Moreover, benchmark results suggest that when bounded model checking successfully terminates, and the problem is unsatisfiable, the number of state variables in the proof of unsatisfiability tends to be small. In all cases tested, when bounded model checking succeeded, unbounded model checking of the resulting abstraction also succeeded.
Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT Based Conflict Analysis
 IN PROCEEDINGS OF FMCAD
, 2002
"... We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk ..."
Abstract

Cited by 84 (12 self)
 Add to MetaCart
We introduce a SAT based auto338m abstraction refinement framework for model checking systems with several thomGG4 state variables in the com o influenceo f the specificatio8 The abstractmo del iscoK060mEN8 by designating a large numbero f state variables as invisible. In co trast to previoN wo rk where invisible variables were treated as free inputs we describe a co06NGmEG7430m mo0 advantageo3 approF h in which the abstract transitio relatio isappro ximated by pre89889L6728 invisible variables during imageco8087FmEG0 The abstract co4 terexamplesorexamp fro mo delchecking the abstract mo del are symbo lically simulatedo the coG0K8K system using a stateoGNK7Kmo SAT checker. Ifno co43FK3 co4 terexample isfo640 a subseto f the invisible variables is reintro duced into the systemand thepro cess is repeated. The main co tributio o f this paper are two new algo37FmE fo identifying the relevant variablesto be reintro duced. Thesealgo78NNm mogo7 the SAT checking phase inom4F to analyze the impacto individual variables. Ourmetho d is co48NFF fo safetypro erties (AG p) in the sense that  perfoN06G0 permitting  a pro erty is either verifiedo dispro ved by aco4GKKm co4 terexample. Experimental results are givento demoGGmE40 the power of our method on realworld designs.
The software model checker BLAST: Applications to software engineering
 INTERNATIONAL JOURNAL ON SOFTWARE TOOLS TECHNOLOGY TRANSFER
, 2006
"... BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, ..."
Abstract

Cited by 63 (5 self)
 Add to MetaCart
(Show Context)
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolationbased predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and testcase generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a typebased memorysafety analyzer, to annotate a program with runtime assertions that check for safe memory operations. Then, we use BLAST to remove as many of the runtime checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining runtime checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs.
TreeLike Counterexamples in Model Checking
 In Proceedings of the 17 th Annual IEEE Symposium on Logic in Computer Science (LICS’02
, 2002
"... Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, stateof the art model checkers are restricted to relatively simple counterexamples, and surprisingly little rese ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
(Show Context)
Counterexamples for specification violations provide engineers with important debugging information. Although counterexamples are considered one of the main advantages of model checking, stateof the art model checkers are restricted to relatively simple counterexamples, and surprisingly little research effort has been put into counterexamples. In this paper, we introduce a new general framework for counterexamples. The paper has three main contributions: (i) We determine the general form of ACTL counterexamples. To this end, we investigate the notion of counterexample and show that a large class of temporal logics beyond ACTL admits counterexamples with a simple treelike transition relation. We show that the existence of treelike counterexamples is related to a universal fragment of extended branching time logic based on ! regular temporal operators. (ii) We present new symbolic algorithms to generate treelike counterexamples for ACTL specifications. (iii) Based on treelike counterexamples we extend the abstraction refinement methodology developed recently by Clarke et al. (CAV'2000) to full ACTL. This demonstrates the conceptual simplicity and elegance of treelike counterexamples.
CounterExample Based Predicate Discovery in Predicate Abstraction
 IN FORMAL METHODS IN COMPUTERAIDED DESIGN
, 2002
"... The application of predicate abstraction to parameterized systems requires the use of quantified predicates. These predicates cannot be found automatically by existing techniques and are tedious for the user to provide. In this work we demonstrate a method of discovering most of these predicates aut ..."
Abstract

Cited by 58 (2 self)
 Add to MetaCart
(Show Context)
The application of predicate abstraction to parameterized systems requires the use of quantified predicates. These predicates cannot be found automatically by existing techniques and are tedious for the user to provide. In this work we demonstrate a method of discovering most of these predicates automatically by analyzing spurious abstract counterexample traces. Since predicate discovery for unbounded state systems is an undecidable problem, it can fail on some problems.
A Survey of Automated Techniques for Formal Software Verification
 TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract

Cited by 49 (5 self)
 Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
Refining Approximations in Software Predicate Abstraction
 In: TACAS 04: Tools and Algorithms for Construction and Analysis of Systems, SpringerVerlag
, 2004
"... Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of comp ..."
Abstract

Cited by 45 (10 self)
 Add to MetaCart
(Show Context)
Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates.
Formal Property Verification by Abstraction Refinement with Formal, Simulation and Hybrid Engines
 In Proceedings of the DAC
, 2001
"... and BDDbased symbolic image computation to find an error trace on the subcircuit. RFN also computes a forward fixpoint using postimage computation to verify the unreachability property on the subcircuit. If the property is True for the subcircuit, RFN reports that the property is True for the orig ..."
Abstract

Cited by 42 (6 self)
 Add to MetaCart
(Show Context)
and BDDbased symbolic image computation to find an error trace on the subcircuit. RFN also computes a forward fixpoint using postimage computation to verify the unreachability property on the subcircuit. If the property is True for the subcircuit, RFN reports that the property is True for the original design and terminates. Otherwise it proceeds to Step 3. In Step 3 we want to find error traces on realworld designs. RFN utilizes the error trace found on the subcircuit to guide sequential ATPG to search for an error trace on the original design. If an error trace of the original design is found, RFN reports that the property is False, prints out the error trace and terminates. Otherwise RFN proceeds to Step 4. In Step 4 we select a set E of registers that are in the original model but not in the abstract model to refine the abstract model. The refined abstract model will be the current abstract model augmented with the set E of registers plus their transitive fanins up to register ...