Automated refinement checking of concurrent systems

Electronic Notes in Theoretical Computer Science, 2003

The state space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. We attempt to address this problem in the context of verifying concurrent (message-passing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (operating respectively on data and events) within a counterexample-guided abstraction refinement (CEGAR) scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Our explicit use of compositionality delays the onset of state space explosion for as long as possible. To our knowledge, this is the first compositional use of CEGAR in the context of model checking concurrent C programs. We describe our approach in detail, and report on some very encouraging preliminary experimental results obtained with our tool MAGIC.

Lecture Notes in Computer Science, 2006

Electronic Notes in Theoretical Computer Science, 2008

Formal specification provides a system description that is much more precise than the natural language one and it can help to solve a lot of specification problems. But even a formal specification of a system can contain mistakes or can disagree with system's requirements. To cover this, we integrate a specification framework with a verification system. Given a system, represented in a formal specification framework Focus, one can verify its properties by translating the specification to a Higher-Order Logic and subsequently using the theorem prover Isabelle/HOL. Moreover, using this approach one can validate the refinement relation between two given systems. The approach uses the idea of refinement-based verification: we see any proof about a system as the proof that a more concrete system specification is a refinement of a more abstract one. The case when one needs to prove a single property of a system specification can also be seen as a refinement relation: this property can be defined as a Focus specification itself and then one needs just show that the system specification is its refinement. The major aspects of this approach are exemplified here by a case study on telematics (electronic data transmission) gateway.

Lecture Notes in Computer Science, 2014

We present a technique to verify user-defined model transformations, in order to step-wise develop formal models of concurrent systems. The main benefit is that the changes applied to a model can be verified in isolation. In particular, the preservation of safety and liveness properties of such a modification can be determined independent of the input model. This is particularly useful for model-driven development approaches, where systems are designed and created by first developing an abstract model, and iteratively modifying this model until it is concrete enough to automatically generate source code from it. Properties that already hold on the initial model and should remain valid throughout the development in later models can be maintained with our tool Refiner, by which the effort of verifying those properties over and over again can be avoided. This paper generalises our earlier results in various ways, removing several restrictions, improving the focus of the verification method on transformations, and introducing the possibility to add completely new components at any time during the development.

2011

Simulink/Stateflow charts are widely used in industry for the specification of control systems, which are often safety-critical. This suggests a need for a formal treatment of such models. In previous work, we have proposed a technique for automatic generation of formal models of Stateflow blocks to support refinement-based reasoning. In this article, we present a refinement strategy that supports the verification of automatically generated sequential C implementations of Stateflow charts. In particular, we discuss how this strategy can be specialised to take advantage of architectural features in order to allow a higher level of automation.

ACM SIGSOFT Software Engineering Notes, 1993

We describe how formal specifications given in terms of a high-level timed Petri net formalism (TB nets) can be analyzed to check the temporal properties of bounded invariance (the systems stays in a given state until time τ) and bounded response (the system will enter a given state within time τ). In particular, we concentrate on specifications given in a hierarchical, top-down manner, where one specification level refines a more abstract level. Our goal is to define the conditions under which the properties that are proven to hold at a given abstraction level are preserved at the next refined level. To do so, we define the concept of correct refinement, and we show that bounded invariance and bounded response are preserved by a correct refinement. We also provide a set of constructive rules that may be applied to refine a net in such a way that the resulting net is a correct refinement.

Lecture Notes in Computer Science, 2004

In areas like manufacturing, communications, transportation or aerospace, the increasing size and complexity of reactive systems make their verification difficult to handle. Compositional reasoning is a way to master this problem. In this paper, we propose an approach based on a constraint synchronized product to specify and to verify such systems. This approach supports a compositional refinement for both labelled transition systems and their composition. In this framework, we show how to verify local and global invariance properties during a refinement verification. Thus, these properties are preserved through refinement. The different aspects of our work are illustrated on the example of a communication protocol between an integrated chip card and a reader interface device.

IEEE Transactions on Computers, 2014

This paper presents a compositional framework to address the state explosion problem in model checking of concurrent systems. This framework takes as input a system model described as a network of communicating components in a high-level description language, finds the local state transition models for each individual component where local properties can be verified, and then iteratively reduces and composes the component state transition models to form a reduced global model for the entire system where global safety properties can be verified. The state space reductions used in this framework result in a reduced model that contains the exact same set of observably equivalent executions as in the original model, therefore, no false counterexamples result from the verification of the reduced model. This approach allows designs that cannot be handled monolithically or with partial-order reduction to be verified without difficulty. The experimental results show significant scaleup of this compositional verification framework on a number of non-trivial concurrent system models.

Serp, 2006

A process for rigorous inspection of concurrent systems using tabular specification was developed and applied to the classic Readers/Writers concurrent program by Jin in [1]. The process involved describing the program by a table and then performing a manual "column-by-column" inspection for safety and clean completion properties. The key step in the process is obtaining an invariant strong enough to prove the properties of interest. This paper presents partial automation of this approach. Model checking is first used to validate a formal model of the system with a small, fixed number of concurrent process instances. The verification of the system for an arbitrary number of processes is then performed using automated theorem proving together with model checking on the earlier model to validate potential invariants before they are used in the formal proof. This method was used to check the manual proof of the Readers/Writers problem given in [1], discovering several random and one systematic mistake of the proof. Subsequently, a new, significantly automated proof was performed.

arXiv (Cornell University), 2024

Cyber-Physical Systems (CPS) consist of software interacting with the physical world, such as robots, vehicles, and industrial processes. CPS are frequently responsible for the safety of lives, property, or the environment, and so software correctness must be determined with a high degree of certainty. To that end, simply testing a CPS is insufficient, as its interactions with the physical world may be difficult to predict, and unsafe conditions may not be immediately obvious. Formal verification can provide stronger safety guarantees but relies on the accuracy of the verified system in representing the real system. Bringing together verification and implementation can be challenging, as languages that are typically used to implement CPS are not easy to formally verify, and languages that lend themselves well to verification often abstract away low-level implementation details. Translation between verification and implementation languages is possible, but requires additional assurances in the translation process and increases software complexity; having both in a single language is desirable. This paper presents a formalization of MARVeLus, a CPS language which combines verification and implementation. We develop a metatheory for its synchronous refinement type system and demonstrate verified synchronous programs executing on real systems.