Results 1-10 of 103
Parameterized Verification with Automatically Computed Inductive Assertions
2001
Cited by 90 (9 self)
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic model-checking techniques for both tasks. First, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive INV rule for proving invariance properties can be automatically resolved by finite-state (BDD-based) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever being examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
Indexed Predicate Discovery for Unbounded System Verification
In CAV'04, 2004
Cited by 50 (6 self)
Predicate abstraction has been proved effective for verifying several infinite-state systems. In predicate abstraction, an abstract system is automatically constructed given a set of predicates. Predicate abstraction coupled with automatic predicate discovery provides for a completely automatic verification scheme. For systems with unbounded integer state variables (e.g. software), counterexample-guided predicate discovery has been successful in identifying the necessary predicates. For
Certifying model checkers
Proc. of CAV '01, 2001
Cited by 45 (3 self)
Model Checking is an algorithmic technique to determine whether a temporal property holds of a program. For linear time properties, a model checker produces a counterexample computation if the check fails. This computation acts as a "certificate" of failure, as it can be checked easily and independently of the model checker by simulating it on the program. On the other hand, no such certificate is produced if the check succeeds. In this paper, we show how this asymmetry can be eliminated with a certifying model checker. The key idea is that, with some extra bookkeeping, a model checker can produce a deductive proof on either success or failure. This proof acts as a certificate of the result, as it can be checked mechanically by simple, non-fixpoint methods that are independent of the model checker. We develop a deductive proof system for verifying branching time properties expressed in the mu-calculus, and show how to generate a proof in this system from a model checking run. Proofs for linear time properties form a special case. A model checker that generates proofs can be used for many interesting applications, such as better ways of exploring errors in a program, and a tight integration of model checking with automated theorem proving.
Regular Model Checking without Transducers (On Efficient Verification of Parameterized Systems)
2006
Cited by 44 (18 self)
We give a simple and efficient method to prove safety properties for parameterized systems with linear topologies. A process in the system is a finite-state automaton, where the transitions are guarded by both local and global conditions. Processes may communicate via broadcast, rendezvous and shared variables. The method derives an over-approximation of the induced transition system, which allows the use of a simple class of regular expressions as a symbolic representation. Compared to traditional regular model checking methods, the analysis does not require the manipulation of transducers, and hence its simplicity and efficiency. We have implemented a prototype which works well on several mutual exclusion algorithms and cache coherence protocols.
Environment abstraction for parameterized verification
In 7th VMCAI, LNCS 3855, 2006
Cited by 41 (2 self)
Many aspects of computer systems are naturally modeled as parameterized systems, which renders their automatic verification difficult. In well-known examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which run the same distributed algorithm. In this paper, we introduce environment abstraction as a tool for the verification of such concurrent parameterized systems. Environment abstraction enriches predicate abstraction by ideas from counter abstraction; it enables us to reduce concurrent parameterized systems with unbounded variables to precise abstract finite state transition systems which can be verified by a finite state model checker. We demonstrate the feasibility of our approach by verifying the safety and liveness properties of Lamport's bakery algorithm and Szymanski's mutual exclusion algorithm. To the best of our knowledge, this is the first time both safety and liveness properties of the bakery algorithm have been verified at this level of automation.
Constructing Quantified Invariants via Predicate Abstraction
Conference on Verification, Model Checking and Abstract Interpretation (VMCAI '04), LNCS 2937, 2004
Cited by 39 (7 self)
Predicate abstraction provides a powerful tool for verifying properties of infinite-state systems using a combination of a decision procedure for a subset of first-order logic and symbolic methods originally developed for finite-state model checking. We consider models where the system state contains mutable function and predicate state variables. Such a model can describe systems containing arbitrarily large memories, buffers, and arrays of identical processes. We describe a form of predicate abstraction that constructs a formula over a set of universally quantified variables to describe invariant properties of the function state variables. We provide a formal justification of the soundness of our approach and describe how it has been used to verify several hardware and software designs, including a directory-based cache coherence protocol with unbounded FIFO channels.
Thread Quantification for Concurrent Shape Analysis
Cited by 34 (4 self)
We present new algorithms for automatically verifying properties of programs with an unbounded number of threads. Our algorithms are based on a new abstract domain whose elements represent thread-quantified invariants: i.e., invariants satisfied by all threads. We exploit existing abstractions to represent the invariants. Thus, our technique lifts existing abstractions by wrapping universal quantification around elements of the base abstract domain. Such abstractions are effective because they are thread-modular: e.g., they can capture correlations between the local variables of the same thread as well as correlations between the local variables of a thread and global variables, but forget correlations between the states of distinct threads. (The exact nature of the abstraction, of course, depends on the base abstraction lifted in this style.) We present techniques for computing sound transformers for the new abstraction by using transformers of the base abstract domain. We illustrate our technique in this paper by instantiating it to the Boolean Heap abstraction, producing a Quantified Boolean Heap abstraction. We have implemented an instantiation of our technique with Canonical Abstraction as the base abstraction and used it to successfully verify linearizability of data structures in the presence of an unbounded number of threads.
A simple method for parameterized verification of cache coherence protocols
In Formal Methods in Computer Aided Design, 2004
Cited by 34 (2 self)
We present a simple method for verifying the safety properties of cache coherence protocols with arbitrarily many nodes. Our presentation begins with two examples. The first example describes in intuitive terms how the German protocol with arbitrarily many nodes can be verified using a combination of Murphi model checking and apparently circular reasoning. The second example outlines a similar proof of the FLASH protocol. These are followed by a simple theory based on the classical notion of simulation proofs that justifies the apparently circular reasoning. We conclude the paper by discussing what remains to be done and by comparing our method with other approaches to the parameterized verification of cache coherence protocols, such as compositional model checking, machine-assisted theorem proving, predicate abstraction, invisible invariants, and cutoff theorems.
Exact and efficient verification of parameterized cache coherence protocols
Correct Hardware Design and Verification Methods (CHARME '03), LNCS 2860, 2003
Cited by 32 (0 self)
We propose new, tractably (in some cases provably) efficient algorithmic methods for exact (sound and complete) parameterized reasoning about cache coherence protocols. For reasoning about general snoopy cache protocols, history graph construction can be used to reason about safety properties for this framework. Although the worst case size of the abstract history graph can be exponential in the size of the transition diagram of the given protocol, the actual size is small for standard cache protocols as is evidenced by our experimental results. The framework can handle all 8 of the cache protocols in [19] as well as their split-transaction versions. We next identify a framework called initialized broadcast protocols suitable for reasoning about invalidation-based snoopy cache protocols and show how to reduce reasoning about such systems with an arbitrary number of caches to a system with at most 7 caches. This yields a provably polynomial time algorithm for the parameterized verification of invalidation-based snoopy protocols. Our results apply to both safety and liveness properties. Finally, we present a methodology for reducing parameterized reasoning about directory-based protocols to snoopy protocols, thus leveraging techniques developed for verifying snoopy protocols to directory-based ones, which are typically much harder to reason about. We demonstrate by reducing reasoning about a directory-based protocol suggested by German [17] to the ESI snoopy protocol, a modification of the MSI snoopy protocol.
Predicate Abstraction with Indexed Predicates
2007
Cited by 31 (1 self)
Predicate abstraction provides a powerful tool for verifying properties of infinite-state systems using a combination of a decision procedure for a subset of first-order logic and symbolic methods originally developed for finite-state model checking. We consider models containing first-order state variables, where the system state includes mutable functions and predicates. Such a model can describe systems containing arbitrarily large memories, buffers, and arrays of identical processes. We describe a form of predicate abstraction that constructs a formula over a set of universally quantified variables to describe invariant properties of the first-order state variables. We provide a formal justification of the soundness of our approach and describe how it has been used to verify several hardware and software designs, including a directory-based cache coherence protocol.