Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Methodology
References

Model checking of safety properties

Profile image of Moshe VardiMoshe Vardi

2001

Abstract

Of special interest in formal verification are safety properties, which assert that the system always stays within some allowed region. Proof rules for the verification of safety properties have been developed in the proof-based approach to verification, making verification of safety properties simpler than verification of general properties. In this paper we consider model checking of safety properties. A computation that violates a general linear property reaches a bad cycle, which witnesses the violation of the property.

Related papers

Towards Verified Systems
Jonathan Bowen

Real-Time Safety Critical Systems series, 1994

As the complexity of embedded computer-controlled systems increases, the present industrial practice for their development gives cause for concern, especially for safety-critical applications where human lives are at stake. The use of software in such systems has increased enormously in the last decade. Formal methods, based on rm mathematical foundations, provide one means to help with reducing the risk of introducing errors during speci cation and development. There is currently much interest in both academic and industrial circles concerning the issues involved, but the techniques still need further investigation and promulgation to make their widespread use a reality. This book presents some results of research into techniques to aid the formal veri cation of mixed hardware/software systems. Aspects of system speci cation and veri cation from requirements down to the underlying hardware are addressed, with particular regard to real-time issues. The work presented is largely based around the Occam programming language and Transputer microprocessor paradigm. The HOL theorem prover, based on higher order logic, has mainly been used in the application of machine-checked proofs. The book describes research work undertaken on the collaborative UK DTI/SERC funded Information Engineering Directorate SAFEMOS project. The partners were Inmos Ltd, Cambridge SRI, the Oxford University Computing Laboratory and the University of Cambridge Computer Laboratory, who investigated the problems of formally verifying embedded systems. The most important results of the project are presented in the form of a series of interrelated chapters by project members and associated personnel. In addition, overviews of two other ventures with similar objectives are included as appendices. The material in this book is intended for computing science researchers and advanced industrial practitioners interested in the application of formal methods to real-time safety-critical systems at all levels of abstraction from requirements to hardware. In addition, Chapters 1 and 11 contain material of a more general nature which may be of interest to managers in charge of projects applying formal methods, especially for safety-critical systems, and others who are considering their use. Book on the SAFEMOS project. Other contributors: Juanito Camilleri, Rachel Cardell-Oliver, Mike Gordon, Roger Hale, Hans Langmaack, C.A.R. Hoare, John Herbert, He Jifeng, Ian Page, Paritosh Pandya, Andrew Pitts, Anders Ravn, David Shepherd, Victoria Stavridou and Bill Young.

View PDFchevron_right
Formal Verification of Control Systems Properties with Theorem Proving
Dejanira Araiza Illan, Kerstin Eder, Arthur Richards

2014

This paper presents the deductive formal verification of high-level properties of control systems with theorem proving, using the Why3 tool. Properties that can be verified with this approach include stability, feedback gain, and robustness, among others. For the systems, modelled in Simulink, we propose three main steps to achieve the verification: specifying the properties of interest over the signals within the model using Simulink blocks, an automatic translation of the model into Why3, and the automatic verification of the properties with theorem provers in Why3. We present a methodology to specify the properties in the model and a library of relevant assertion blocks (logic expressions), currently in development. The functionality of the blocks in the Simulink models are automatically translated to Why3 as theories and verification goals by our tool implemented in MATLAB. A library of theories in Why3 corresponding to each supported block has been developed to facilitate the process of translation. The goals are automatically verified in Why3 with relevant theorem provers. A simple first-order discrete system is used to exemplify the specification of the Simulink model, the translation process from Simulink to the Why3 formal logic language, and the verification of Lyapunov stability.

View PDFchevron_right
An improvement in formal verification
Gerard Holzmann

1994

Critical safety and liveness properties of a concurrent system can often be proven with the help of a reachability analysis of a finite state model. This type of analysis is usually implemented as a depth−first search of the product state−space of all components in the system, with each (finite state) component modeling the behavior of one asynchronously executing process. Formal verification is achieved by coupling the depth−first search with a method for identifying those states or sequences of states that violate the correctness requirements.

View PDFchevron_right
Model Checking Reductions to Convenient Computations
Shmuel Katz

In many applications, such as database serializability, shared memory sequential consistency, or as part of a layered proof of other properties, it is natural to ask whether every computation of a system can be reduced to one of the particular computations considered convenient due to their perceived regularity. Computations related by the reductions described here differ only in having independent operations occur in a different order. A general framework is presented in which, given a model and additional information including a description of the convenient computations and of the operations' independence, an augmented model using a transducer and temporal logic assertions for it are automatically defined and model checked. In the augmentation, a bounded history queue is added to the state variables, and new transitions are defined that exchange the order of independent operations and identify prefixes of convenient computations. If the model checking proves all the generated assertions, every computation can be reduced to a convenient one. Events can be predicted, and anti-events are used to guarantee that they actually occur. This new technique allows treating many cases of unbounded out-of-order of operations relative to the convenient computations. A prototype implementation based on Cadence SMV is described.

View PDFchevron_right
Proving More Properties with Bounded Model Checking
Mohammad Awedh

2004

Bounded Model Checking, although complete in theory, has been thus far limited in practice to falsification of properties that were not invariants. In this paper we propose a termination criterion for all of LTL, and we show its effectiveness through experiments. Our approach is based on converting the LTL formula to a Büchi automaton so as to reduce model checking to the verification of a fairness constraint. This reduction leads to one termination criterion that applies to all formulae. We also discuss cases for which a dedicated termination test improves bounded model checking efficiency.

View PDFchevron_right
Proof-based verification approaches for dynamic properties: application to the information system domain
Amel Mammar

Formal Aspects of Computing, 2014

This paper proposes a formal approach for generating necessary and sufficient proof obligations to demonstrate a set of dynamic properties using the B method. In particular, we consider reachability, non-interference and absence properties. Also, we show that these properties permit a wide range of property patterns introduced by Dwyer to be expressed. An overview of a tool supporting these approaches is also provided.

View PDFchevron_right
Efficient model checking of PSL safety properties
Keijo Heljanko

IET Computers & Digital Techniques, 2011

Safety properties are an important class of properties as in the industrial use of model checking a large majority of the properties to be checked are safety properties. This work presents an efficient approach to model check safety properties expressed in PSL (IEEE Std 1850 Property Specification Language), an industrial property specification language. The approach can also be used as a sound but incomplete bug hunting tool for general (nonsafety) PSL properties, and it will detect exactly the finite counterexamples that are the informative bad prefixes for the PSL formulae in question. The

View PDFchevron_right
Procedure-modular specification and verification of temporal safety properties
Marieke Huisman

Software & Systems Modeling, 2013

This paper describes ProMoVer, a tool for fully automated procedure-modular verification of Java programs equipped with method-local and global assertions that specify safety properties of sequences of method invocations. Modularity at the procedure-level is a natural instantiation of the modular verification paradigm, where correctness of global properties is relativized on the local properties of the methods rather than on their implementations. Here, it is based on the construction of maximal models for a program model that abstracts away from program data. This approach allows global properties to be verified in the presence of code evolution, multiple method implementations (as arising from software product lines), or even unknown method implementations (as in mobile code for open platforms). ProMoVer automates a typical verification scenario for a previously developed tool set for compositional verification of control flow safety properties, and provides appropriate pre-and post-processing. Both linear-time temporal logic and finite automata are supported as formalisms for expressing local and global safety properties, allowing the user to choose a suitable format for the property at hand. Modularity is exploited by a mechanism for proof reuse that Communicated by Dr. detects and minimizes the verification tasks resulting from changes in the code and the specifications. The verification task is relatively light-weight due to support for abstraction from private methods and automatic extraction of candidate specifications from method implementations. We evaluate the tool on a number of applications from the domains of Java Card and web-based application.

View PDFchevron_right
Proof and Model-checking, two complementary Approaches 1
Henri Habrias

We show with a small example, a two-places buffer, how proof, refinement and model-checking can be used in a complementary manner. Our software tools are Atelier B and LTSA.

View PDFchevron_right
Formal Verification of Safety Requirements on Complex Systems
ALESSANDRO FANTECHI

Safe Comp 96, 1997

View PDFchevron_right

References (48)

  1. ABG + 00] Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, and Y. Wolfstal. FoCs -automatic generation of simulation checkers from formal specifications. In Computer Aided Verification, Proc. 12th Int. Conference, volume 1855 of Lecture Notes in Computer Science, pages 538-542. Springer- Verlag, 2000.
  2. B. Alpern and F.B. Schneider. Defining liveness. Information processing letters, 21:181-185, 1985.
  3. B. Alpern and F.B. Schneider. Recognizing safety and liveness. Distributed computing, 2:117-126, 1987.
  4. BCC + 99] A. Biere, A. Cimatti, E.M. Clarke, M. Fujita, and Y. Zhu. Symbolic model checking using SAT procedures instead of BDDs. In Proc. 36th Design Automaion Conference, pages 317- 320. IEEE Computer Society, 1999.
  5. BCM + 92] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model check- ing: 10 20 states and beyond. Information and Computation, 98(2):142-170, June 1992.
  6. R.S. Boyer and J.S. Moore. Proof-checking, theorem-proving and program verification. Tech- nical Report 35, Institute for Computing Science and Computer Applications, University of Texas at Austin, January 1983.
  7. E.M. Clarke and E.A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. Workshop on Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52-71. Springer-Verlag, 1981.
  8. E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, January 1986.
  9. W. Canfield, E.A. Emerson, and A. Saha. Checking formal specifications under simulation. In Proc. International Conference on Computer Design, pages 455-460, 1997.
  10. A.K. Chandra, D.C. Kozen, and L.J. Stockmeyer. Alternation. Journal of the Association for Computing Machinery, 28(1):114-133, January 1981.
  11. C. Courcoubetis, M.Y. Vardi, P. Wolper, and M. Yannakakis. Memory efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1:275-288, 1992.
  12. E.A. Emerson. Alternative semantics for temporal logics. Theoretical Computer Science, 26:121-130, 1983.
  13. E.A. Emerson. Temporal and modal logic. Handbook of Theoretical Computer Science, pages 997-1072, 1990.
  14. N. Francez. Program verification. International Computer Science. Addison-Weflay, 1992.
  15. R. Gerth, D. Peled, M.Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In P. Dembiski and M. Sredniawa, editors, Protocol Specification, Testing, and Verification, pages 3-18. Chapman & Hall, August 1995.
  16. P. Godefroid and P. Wolper. Using partial orders for the efficient verification of deadlock free- dom and safety properties. In Proc. 3rd Conference on Computer Aided Verification, volume 575 of Lecture Notes in Computer Science, pages 332-342, Aalborg, July 1991. Springer- Verlag.
  17. R.H. Hardin, R.P. Kurshan, S.K. Shukla, and M.Y. Vardi. A new heuristic for bad cycle detection using BDDs. In Computer Aided Verification, Proc. 9th Int. Conference, volume 1254 of Lecture Notes in Computer Science, pages 268-278. Springer-Verlag, 1997.
  18. H. Iwashita and T. Nakata. Forward model checking techniques oriented to buggy designs. In Proc. IEEE/ACM International Conference on Computer Aided Design, pages 400-404, 1997.
  19. N. Klarlund. Mona & Fido: The logic-automaton connection in practice. In Computer Science Logic, CSL '97, Lecture Notes in Computer Science, 1998.
  20. O. Kupferman and M.Y. Vardi. Weak alternating automata are not that weak. In Proc. 5th Israeli Symposium on Theory of Computing and Systems, pages 147-158. IEEE Computer Society Press, 1997.
  21. O. Kupferman and M.Y. Vardi. Freedom, weakness, and determinism: from linear-time to branching-time. In Proc. 13th IEEE Symposium on Logic in Computer Science, pages 81-92, June 1998.
  22. O. Kupferman, M.Y. Vardi, and P. Wolper. An automata-theoretic approach to branching- time model checking. Journal of the ACM, 47(2), March 2000.
  23. L. Lamport. Logical foundation. In Distributed systems -methods and tools for specification, volume 190 of Lecture Notes in Computer Science. Springer-Verlag, 1985.
  24. O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In Proc. 12th ACM Symposium on Principles of Programming Languages, pages 97-107, New Orleans, January 1985.
  25. Y. Luo, T. Wongsonegoro, and A. Aziz. Hybrid techniques for fast functional simulation. In Proc. 35th Design Automation Conference. IEEE Computer Society, 1998.
  26. MAB + 94] Z. Manna, A. Anuchitanukul, N. Bjorner, A. Browne, E. Chang, M. Colon, L. De Alfaro, H. Devarajan, H. Sipma, and T. Uribe. STeP: The Stanford Temporal Prover. Technical Report STAN-CS-TR-94-1518, Dept. of Computer Science, Stanford University, 1994.
  27. K.L. McMillan. Using unfolding to avoid the state explosion problem in the verification of asynchronous circuits. In Proc. 4th Conference on Computer Aided Verification, volume 663 of Lecture Notes in Computer Science, pages 164-174, Montreal, June 1992. Springer-Verlag.
  28. A.R. Meyer and M.J. Fischer. Economy of description by automata, grammars, and formal systems. In Proc. 12th IEEE Symp. on Switching and Automata Theory, pages 188-191, 1971.
  29. S. Miyano and T. Hayashi. Alternating finite automata on ω-words. Theoretical Computer Science, 32:321-330, 1984.
  30. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specifi- cation. Springer-Verlag, Berlin, January 1992.
  31. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Safety. Springer-Verlag, New York, 1995.
  32. S. Melzer and S. Roemer. Deadlock checking using net unfoldings. In Computer Aided Verification, Proc. 9th Int. Conference, volume 1254 of Lecture Notes in Computer Science, pages 364-375. Springer-Verlag, 1997.
  33. A.R. Meyer and L.J. Stockmeyer. The equivalence problem for regular expressions with squaring requires exponential time. In Proc. 13th IEEE Symp. on Switching and Automata Theory, pages 125-129, 1972.
  34. S. Owicki and L. Lamport. Proving liveness properties of concurrent programs. ACM Trans- actions on Programming Languages and Systems, 4(3):455-495, July 1982.
  35. J.P. Queille and J. Sifakis. Specification and verification of concurrent systems in Cesar. In Proc. 5th International Symp. on Programming, volume 137, pages 337-351. Springer-Verlag, Lecture Notes in Computer Science, 1981.
  36. K. Ravi and F. Somenzi. High-density reachability analysis. In Proc. Int'l Conf. on Computer- Aided Design, pages 154-158, San Jose, 1995.
  37. S. Safra. On the complexity of ω-automata. In Proc. 29th IEEE Symposium on Foundations of Computer Science, pages 319-327, White Plains, October 1988.
  38. A.P. Sistla and E.M. Clarke. The complexity of propositional linear temporal logic. Journal ACM, 32:733-749, 1985.
  39. A.P. Sistla. Satefy, liveness and fairness in temporal logic. Formal Aspects of Computing, 6:495-511, 1994.
  40. R.E. Shankar, S. Owre, and J.M. Rushby. The PVS proof checker: A reference manual (beta release). Technical report, Computer Science laboratory, SRI International, Menlo Park, California, March 1993.
  41. H.J. Touati, R.K. Brayton, and R. Kurshan. Testing language containment for ω-automata using BDD's. Information and Computation, 118(1):101-109, April 1995.
  42. A. Valmari. On-the-fly verification with stubborn sets. In Proc. 5nd Conference on Computer Aided Verification, volume 697 of Lecture Notes in Computer Science. Springer-Verlag, 1993.
  43. M.Y. Vardi. An automata-theoretic approach to linear temporal logic. In F. Moller and G. Birtwistle, editors, Logics for Concurrency: Structure versus Automata, volume 1043 of Lecture Notes in Computer Science, pages 238-266. Springer-Verlag, Berlin, 1996.
  44. M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verifica- tion. In Proc. First Symposium on Logic in Computer Science, pages 332-344, Cambridge, June 1986.
  45. M.Y. Vardi and P. Wolper. Automata-theoretic techniques for modal logics of programs. Journal of Computer and System Science, 32(2):182-221, April 1986.
  46. M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Com- putation, 115(1):1-37, November 1994.
  47. P. Wolper. Synthesis of Communicating Processes from Temporal Logic Specifications. PhD thesis, Stanford University, 1982.
  48. J. Yuan, J. Shen, J. Abraham, and A. Aziz. On combining formal and informal verification. In Computer Aided Verification, Proc. 9th Int. Conference, volume 1254 of Lecture Notes in Computer Science, pages 376-387. Springer-Verlag, 1997.

Related papers

Safety verification proofs for physical systems
Richard Fikes

Proc. of the 12th Intl. Workshop on …, 1998

While much progress has been made on verification of discrete systems such as computer programs, work on formal verification of continuous, physical systems has been limited. We present a technique for verification of safety properties of such systems. Our ...

View PDFchevron_right
Termination Criteria for Bounded Model Checking: Extensions and Comparison
Mohammad Awedh

Electronic Notes in Theoretical Computer Science, 2006

Increasing attention has been paid recently to criteria that allow one to conclude that a structure models a linear-time property from the knowledge that no counterexamples exist up to a certain length. These termination criteria effectively turn Bounded Model Checking into a full-fledged verification technique and sometimes result in considerable time savings. In [M. Awedh and F. Somenzi. Proving more properties with bounded model checking. In R. Alur and D. Peled, editors, Sixteenth Conference on Computer Aided Verification (CAV'04), pages 96–108. Springer-Verlag, Berlin, July 2004. LNCS 3114] we presented a criterion based on the translation of the linear-time specification into a Büchi automaton. BMC can be terminated if no fair cycle is found up to a given length, and one can prove that no fair cycle exists beyond that length. The maximum length for which counterexamples are explicitly checked is called the termination length; it obviously depends on the model, the property, and the termination criterion. In this paper we improve the criterion of [M. Awedh and F. Somenzi. Proving more properties with bounded model checking. In R. Alur and D. Peled, editors, Sixteenth Conference on Computer Aided Verification (CAV'04), pages 96–108. Springer-Verlag, Berlin, July 2004. LNCS 3114] by adding a check that often substantially reduces termination length. Our previous work employed translation to a non-generalized Büchi automaton. Though a well-known technique converts a generalized automaton into that form by composing it with a counter, it has the undesirable effect of considerably lengthening the cycles in the graph to be searched. We propose several alternatives to that approach and compare them experimentally. The translation to automata can be accomplished in more than one way, and in this paper we contrast two of them: one based on the algorithms of [F. Somenzi and R. Bloem. Efficient Büchi automata from LTL formulae. In E. A. Emerson and A. P. Sistla, editors, Twelfth Conference on Computer Aided Verification (CAV'00), pages 248–263. Springer-Verlag, Berlin, July 2000. LNCS 1855], and one based on the notion of tight automaton of [E. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL model checking. In D. L. Dill, editor, Sixth Conference on Computer Aided Verification (CAV'94), pages 415–427. Springer-Verlag, Berlin, 1994. LNCS 818]. The latter yields shorter counterexamples, but the former often leads to earlier termination. In addition, it can help in identifying safety properties, for which termination checks are much more efficient than for the general case. We finally present results on comparing techniques based on cycle detection to the technique of [V. Schuppan and A. Biere. Efficient reduction of finite state model checking to reachability analysis. Software Tools for Technology Transfer, 5(2–3):185–204, Mar. 2004], which converts liveness properties into safety properties by augmentation of the model.

View PDFchevron_right
Deterministic Compilation of Temporal Safety Properties in Explicit State Model Checking
Moshe Vardi

Abstract. The translation of temporal logic specifications constitutes an essential step in model checking and a major influence on the efficiency of formal verification via model checking. We devise a new explicit-state translation of Linear Temporal Logic to automata for the class of LTL specifications that describe safety properties, arguably the most used formal specifications in real-world systems.

View PDFchevron_right
Validating Formal Verification using Safety Analysis Techniques
Amer Saeed

1999

The increased interest in the use of automated safety analysis is supported by the claim that manual safety analysis based on traditional techniques is error-prone, costly and not necessarily complete. It is also claimed that traditional techniques are not able to deal with the inherent complexities of software intensive systems. However, we show in this paper that a transition (from manual to automatic approaches) in the assessment process and technologies is accompanied by an inherent risk of obtaining false confidence, unless safeguards are provided. The safeguard presented in this paper integrates traditional deductive and inductive analysis techniques with model checking, a form of formal verification. The aim is to provide the safety analyst with a rigourous approach for the validation of formal models. The feasibility of the overall approach is illustrated in terms of a case study.

View PDFchevron_right
Formal verification of hardware correctness: introduction and survey of current research
Paolo Prinetto

Computer, 1988

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved