Results 1  10
of
36
Regular Model Checking
, 2000
"... . We present regular model checking, a framework for algorithmic verification of infinitestate systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular lengthpreserving re ..."
Abstract

Cited by 165 (25 self)
 Add to MetaCart
(Show Context)
. We present regular model checking, a framework for algorithmic verification of infinitestate systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular lengthpreserving relation on strings. Major problems in the verification of parameterized and infinitestate systems are to compute the set of states that are reachable from some set of initial states, and to compute the transitive closure of the transition relation. We present two complementary techniques for these problems. One is a direct automatatheoretic construction, and the other is based on widening. Both techniques are incomplete in general, but we give sufficient conditions under which they work. We also present a method for verifying !regular properties of parameterized systems, by computation of the transitive closure of a transition relation. 1 Introduction This paper presents regular ...
Liquid types
, 2008
"... We present Logically Qualified Data Types, abbreviated to Liquid Types, a system that combines HindleyMilner type inference with Predicate Abstraction to automatically infer dependent types precise enough to prove a variety of safety properties. Liquid types allow programmers to reap many of the be ..."
Abstract

Cited by 67 (10 self)
 Add to MetaCart
(Show Context)
We present Logically Qualified Data Types, abbreviated to Liquid Types, a system that combines HindleyMilner type inference with Predicate Abstraction to automatically infer dependent types precise enough to prove a variety of safety properties. Liquid types allow programmers to reap many of the benefits of dependent types, namely static verification of critical properties and the elimination of expensive runtime checks, without the heavy price of manual annotation. We have implemented liquid type inference in DSOLVE, which takes as input an OCAML program and a set of logical qualifiers and infers dependent types for the expressions in the OCAML program. To demonstrate the utility of our approach, we describe experiments using DSOLVE to statically verify the safety of array accesses on a set of OCAML benchmarks that were previously annotated with dependent types as part of the DML project. We show that when used in conjunction with a fixed set of array bounds checking qualifiers, DSOLVE reduces the amount of manual annotation required for proving safety from 31 % of program text to under 1%.
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract

Cited by 50 (0 self)
 Add to MetaCart
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
Automated AssumeGuarantee Reasoning for Simulation Conformance
 In Proc. of CAV’05, volume 3576 of LNCS
, 2005
"... Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state system ..."
Abstract

Cited by 29 (9 self)
 Add to MetaCart
(Show Context)
Abstract. The applicability of assumeguarantee reasoning in practice has been limited since it requires the right assumptions to be constructed manually. In this article, we address the issue of efficiently automating assumeguarantee reasoning for simulation conformance between finite state systems and specifications. We focus on a noncircular assumeguarantee proof rule, and show that there is a weakest assumption that can be represented canonically by a deterministic tree automata (DTA). We then present an algorithm L T that learns this DTA automatically in an incremental fashion, in time that is polynomial in the number of states in the equivalent minimal DTA. The algorithm assumes a teacher that can answer membership queries pertaining to the language of the unknown DTA, and can also test a conjecture and provide a counter example if the conjecture is false. We show how the teacher and its interaction with L T are implemented in a model checker. We have implemented this framework in the ComFoRT toolkit and we report encouraging results (up to 41 and 14 times improvement in memory and time consumption respectively) on nontrivial benchmarks.
Counterexample guided abstraction refinement via program execution
 Formal Methods and Software Engineering: 6th International Conference on Formal Engineering Methods
, 2004
"... ..."
(Show Context)
The ComFoRT reasoning framework
 In Proceedings of Computer Aided Verification (CAV
, 2005
"... Model checking is a promising technology for verifying critical behavior of software. However, software model checking is hamstrung by scalability issues and is difficult for software engineers to use directly. The second challenge arises ..."
Abstract

Cited by 23 (13 self)
 Add to MetaCart
(Show Context)
Model checking is a promising technology for verifying critical behavior of software. However, software model checking is hamstrung by scalability issues and is difficult for software engineers to use directly. The second challenge arises
Proving thread termination
 In PLDI
"... Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method of proving the termination of threads. In this paper we describe such a procedure. The procedure’s scalability is achieved through the use of environment models that abstract away the surrounding threads. The procedure’s accuracy is due to a novel method of incrementally constructing environment abstractions. Our method finds the conditions that a thread requires of its environment in order to establish termination by looking at the conditions necessary to prove that certain paths through the thread represent wellfounded relations if executed in isolation of the other threads. The paper gives a description of experimental results using an implementation of our procedure on Windows device drivers, and a description of a previously unknown bug found with the tool.
G.: BLASTing Linux Code
 In Proc. of the 11th International Workshop on Formal Methods for Industrial Critical Systems (FMICS 06), volume 4346 of LNCS
, 2007
"... Abstract. Computer programs can only run reliably if the underlying operating system is free of errors. In this paper we evaluate, from a practitioner’s point of view, the utility of the popular software model checker Blast for revealing errors in Linux kernel code. The emphasis is on important erro ..."
Abstract

Cited by 17 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Computer programs can only run reliably if the underlying operating system is free of errors. In this paper we evaluate, from a practitioner’s point of view, the utility of the popular software model checker Blast for revealing errors in Linux kernel code. The emphasis is on important errors related to memory safety in and locking behaviour of device drivers. Our conducted case studies show that, while Blast’s abstraction and refinement techniques are efficient and powerful, the tool has deficiencies regarding usability and support for analysing pointers, which are likely to prevent kernel developers from using it. 1
Verifying Information Flow Control Over Unbounded Processes
"... Abstract. Decentralized Information Flow Control (DIFC) systems enable programmers to express a desired DIFC policy, and to have the policy enforced via a reference monitor that restricts interactions between system objects, such as processes and files. Past research on DIFC systems focused on the r ..."
Abstract

Cited by 15 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Decentralized Information Flow Control (DIFC) systems enable programmers to express a desired DIFC policy, and to have the policy enforced via a reference monitor that restricts interactions between system objects, such as processes and files. Past research on DIFC systems focused on the referencemonitor implementation, and assumed that the desired DIFC policy is correctly specified. The focus of this paper is an automatic technique to verify that an application, plus its calls to DIFC primitives, does indeed correctly implement a desired policy. We present an abstraction that allows a model checker to reason soundly about DIFC programs that manipulate potentially unbounded sets of processes, principals, and communication channels. We implemented our approach and evaluated it on a set of realworld programs. 1
Directed proof generation for machine code
, 2010
"... Abstract. We present the algorithms used in MCVETO (MachineCode VErification TOol), a tool to check whether a stripped machinecode program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures ..."
Abstract

Cited by 15 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We present the algorithms used in MCVETO (MachineCode VErification TOol), a tool to check whether a stripped machinecode program satisfies a safety property. The verification problem that MCVETO addresses is challenging because it cannot assume that it has access to (i) certain structures commonly relied on by sourcecode verification tools, such as controlflow graphs and callgraphs, and (ii) metadata, such as information about variables, types, and aliasing. It cannot even rely on outofscope local variables and return addresses being protected from the program’s actions. What distinguishes MCVETO from other work on software model checking is that it shows how verification of machinecode can be performed, while avoiding conventional techniques that would be unsound if applied at the machinecode level. 1