Results 1-10 of 20
Transition Invariants
Cited by 119 (22 self)
Proof rules for program verification rely on auxiliary assertions. We propose a (sound and relatively complete) proof rule whose auxiliary assertions are transition invariants. A transition invariant of a program is a binary relation over program states that contains the transitive closure of the transition relation of the program. A relation is disjunctively well-founded if it is a finite union of well-founded relations. We characterize the validity of termination or another liveness property by the existence of a disjunctively well-founded transition invariant. The main contribution of
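The rule stated in that abstract, exercised on a small model as an added example (this is illustrative code, not code from the cited paper). The loop, the bound N and the candidate relations T1, T2 and T_SUM are assumptions constructed for the example. Because the state space is bounded, the transitive closure R+ is computed by iterated composition, containment R+ ⊆ T is a set inclusion, and well-foundedness of a relation on a finite set reduces to cycle detection (an infinite descending chain would have to revisit a state).

```python
"""Transition-invariant check on a finite model (added example, not the paper's code).

Assumed program, over states (x, y) with 0 <= x, y <= N:

    while x > 0 and y > 0:
        if nondet(): x = x - 1; y = N    # reset y
        else:        y = y - 1
"""

N = 3  # assumed bound; small enough to enumerate every state pair
STATES = [(x, y) for x in range(N + 1) for y in range(N + 1)]


def step(state):
    """Successors of a state under the loop; empty once the guard fails."""
    x, y = state
    if x > 0 and y > 0:
        return {(x - 1, N), (x, y - 1)}
    return set()


def transition_relation():
    """R: the one-step transition relation as a set of (s, s') pairs."""
    return {(s, t) for s in STATES for t in step(s)}


def transitive_closure(rel):
    """R+: compose the relation with itself until no new pair appears."""
    closure = set(rel)
    while True:
        composed = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if composed <= closure:
            return closure
        closure |= composed


def relation_from_predicate(pred):
    """Materialise a binary relation given as a predicate on (s, s')."""
    return {(s, t) for s in STATES for t in STATES if pred(s, t)}


def is_well_founded(rel):
    """On a finite domain a relation is well-founded iff it has no cycle."""
    succ = {}
    for a, b in rel:
        succ.setdefault(a, set()).add(b)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in STATES}

    def dfs(u):
        colour[u] = GREY
        for v in succ.get(u, ()):
            if colour[v] == GREY:  # back edge: a cycle, so a descending chain
                return False
            if colour[v] == WHITE and not dfs(v):
                return False
        colour[u] = BLACK
        return True

    return all(colour[s] != WHITE or dfs(s) for s in STATES)


def is_transition_invariant(candidate, rel):
    """T is a transition invariant of R iff R+ is contained in T."""
    return transitive_closure(rel) <= candidate


def termination_proved(disjuncts):
    """The proof rule: termination follows if the union of the disjuncts is a
    transition invariant and each disjunct (not the union) is well-founded."""
    rel = transition_relation()
    union = set().union(*disjuncts)
    return is_transition_invariant(union, rel) and all(
        is_well_founded(d) for d in disjuncts)


# Candidate disjuncts (assumed for the example): x decreases, or y decreases.
T1 = relation_from_predicate(lambda s, t: t[0] < s[0])
T2 = relation_from_predicate(lambda s, t: t[1] < s[1])
# A wrong guess: x + y decreases.  The reset step (1, 1) -> (0, N) increases
# the sum, so T_SUM does not even contain R, let alone R+.
T_SUM = relation_from_predicate(lambda s, t: t[0] + t[1] < s[0] + s[1])

if __name__ == "__main__":
    R = transition_relation()
    print("T1 well-founded:", is_well_founded(T1))
    print("T2 well-founded:", is_well_founded(T2))
    print("T1 u T2 well-founded:", is_well_founded(T1 | T2))
    print("R+ <= T1 u T2:", is_transition_invariant(T1 | T2, R))
    print("proved with {T1, T2}:", termination_proved([T1, T2]))
    print("proved with {T2} alone:", termination_proved([T2]))
    print("T_SUM is a transition invariant:", is_transition_invariant(T_SUM, R))
```

The point the example makes concrete is the one the abstract hinges on: T1 ∪ T2 is not itself well-founded (it contains the cycle (1,0) → (0,1) → (1,0)), so a single ranking function over the union would not be available, yet termination is still proved because R+ lies inside the union and each disjunct separately is well-founded. Dropping a disjunct, or guessing a relation that does not contain a single step, makes the check fail.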
Environment abstraction for parameterized verification
In 7th VMCAI, LNCS 3855, 2006
Cited by 41 (2 self)
Many aspects of computer systems are naturally modeled as parameterized systems, which renders their automatic verification difficult. In well-known examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which run the same distributed algorithm. In this paper, we introduce environment abstraction as a tool for the verification of such concurrent parameterized systems. Environment abstraction enriches predicate abstraction by ideas from counter abstraction; it enables us to reduce concurrent parameterized systems with unbounded variables to precise abstract finite state transition systems which can be verified by a finite state model checker. We demonstrate the feasibility of our approach by verifying the safety and liveness properties of Lamport's bakery algorithm and Szymanski's mutual exclusion algorithm. To the best of our knowledge, this is the first time both safety and liveness properties of the bakery algorithm have been verified at this level of automation.
Towards SMT model checking of array-based systems
2008
Cited by 25 (15 self)
We introduce the notion of array-based system as a suitable abstraction of infinite state systems such as broadcast protocols or sorting programs. By using a class of quantified first-order formulae to symbolically represent array-based systems, we propose methods to check safety (invariance) and liveness (recurrence) properties on top of Satisfiability Modulo Theories solvers. We find hypotheses under which the verification procedures for such properties can be fully mechanized.
Parameterised Boolean Equation Systems
In Theoretical Computer Science, 2004
Cited by 21 (9 self)
Boolean equation systems are a useful tool for verifying formulas from the modal mu-calculus on transition systems (see [18] for an excellent treatment). We are interested in an extension of boolean equation systems with data. This allows one to formulate and prove a substantially wider range of properties on much larger and even infinite state systems. In previous works [11, 15] it has been outlined how to transform a modal formula and a process, both containing data, to a so-called parameterised boolean equation system, or equation system for short. In this article we focus on techniques to solve such equation systems.
Making Prophecies with Decision Predicates
Cited by 13 (8 self)
We describe a new algorithm for proving temporal properties expressed in LTL of infinite-state programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branching-time logic CTL than they can with native LTL tools. The caveat is that, in certain instances, nondeterminism in the system's transition relation can cause CTL methods to report counterexamples that are spurious with respect to the original LTL formula. To address this problem we describe an algorithm that, as it attempts to apply CTL proof methods, finds and then removes problematic nondeterminism via an analysis on the potentially spurious counterexamples. Problematic nondeterminism is characterized using decision predicates, and removed using a partial and symbolic determinization procedure that introduces new prophecy variables to predict the future outcome of these decisions. We demonstrate—using examples taken from the PostgreSQL database server, Apache web server, and Windows OS kernel—that our method can yield enormous performance improvements in comparison to known tools, allowing us to automatically prove properties of programs where we could not prove them before.
Liveness with incomprehensible ranking
In Proc. 10th Intl. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'04), LNCS, 2004
Cited by 9 (4 self)
The methods of Invisible Invariants and Invisible Ranking were developed originally in order to verify temporal properties of parameterized systems in a fully automatic manner. These methods are based on an instantiate-project-and-generalize heuristic for the automatic generation of auxiliary constructs and a small model property implying that it is sufficient to check the validity of a deductive rule's premises using these constructs on small instantiations of the system. The previous version of the method of Invisible Ranking was restricted to cases where the helpful assertions and ranking functions for a process depended only on the local state of this process and not on any neighboring process, which seriously restricted the applicability of the method, and often required the introduction of auxiliary variables. In this paper we extend the method of Invisible Ranking to cases where the helpful assertions and ranking functions of a process may also refer to other processes. We first develop an enhanced version of the small model property, making it applicable to assertions that refer both to processes and their immediate neighbors. This enables us to apply the Invisible Ranking method to parameterized systems with ring topologies. For cases where the auxiliary assertions refer to all processes, we develop a novel proof rule which simplifies the selection of the next helpful transition, and makes the validation of the premises possible under the (old) small model theorem.
Proving liveness by backwards reachability
Proc. CONCUR 2006, 17th Int. Conf. on Concurrency Theory, volume 4137 of Lecture Notes in Computer Science, 2006
Cited by 8 (1 self)
We present a new method for proving liveness and termination properties for fair concurrent programs, which does not rely on finding a ranking function or on computing the transitive closure of the transition relation. The set of states from which termination or some liveness property is guaranteed is computed by a backwards reachability analysis. A central technique for handling concurrency is a check for certain commutativity properties. The method is not complete. However, it can be seen as a complement to other methods for proving termination, in that it transforms a termination problem into a simpler one with a larger set of terminated states. We show the usefulness of our method by applying it to existing programs from the literature. We have also implemented it in the framework of Regular Model Checking, and used it to automatically verify non-starvation for parameterized algorithms.
IIV: An invisible invariant verifier
In: Computer Aided Verification (CAV), 2005
Cited by 8 (3 self)
This paper describes the Invisible Invariant Verifier (IIV)—an automatic tool for the generation of inductive invariants, based on the work in [4, 1, 2, 6]. The inputs to IIV are a parameterized system and an invariance property p, and the output of IIV is "success" if it finds an inductive invariant that strengthens p and "fail" otherwise. IIV can be run
On Verifying Fault Tolerance of Distributed Protocols
Cited by 6 (0 self)
Distributed systems are composed of processes connected in some network. Distributed systems may suffer from faults: processes may stop, may be interrupted, and may be maliciously attacked. Fault-tolerant protocols are designed to be resistant to faults. Proving the resistance of protocols to faults is a very challenging problem, as it combines the parameterized setting that distributed systems are based on, with the need to consider a hostile environment that produces the faults. Considering all the possible fault scenarios for a protocol is very difficult. Thus, reasoning about fault-tolerant protocols utterly needs formal methods. In this paper we describe a framework for verifying the fault tolerance of (synchronous or asynchronous) distributed protocols. In addition to the description of the protocol and the desired behavior, the user provides the fault type (e.g., fail-stop, Byzantine, ...) and its distribution (e.g., a strict minority of the processes are faulty, ...). Our framework is based on augmenting the description of the configurations of the system by a mask describing which processes are faulty. We focus on regular model checking and show how it is possible to compile the input for the model-checking problem to one that takes the faults and their distribution into account, and perform regular model checking on the compiled input. We demonstrate the effectiveness of our framework and argue for its generality.
Separating fairness and well-foundedness for the analysis of fair discrete systems
In TACAS'05: Tools and Algorithms for the Construction and Analysis of Systems (2005)
Cited by 5 (3 self)
Fair discrete systems (FDSs) are a computational model of concurrent programs where fairness assumptions are specified in terms of sets of states. The analysis of fair discrete systems involves a non-trivial interplay between fairness and well-foundedness (ranking functions). This interplay has been an obstacle for automation. The contribution of this paper is a new analysis of temporal properties of FDSs. The analysis uses a domain of binary relations over states labeled by sets of indices of fairness requirements. The use of labeled relations separates the reasoning on well-foundedness and fairness.