1,154 research outputs found
On Verifying Complex Properties using Symbolic Shape Analysis
One of the main challenges in the verification of software systems is the
analysis of unbounded data structures with dynamic memory allocation, such as
linked data structures and arrays. We describe Bohne, a new analysis for
verifying data structures. Bohne verifies data structure operations and shows
that 1) the operations preserve data structure invariants and 2) the operations
satisfy their specifications expressed in terms of changes to the set of
objects stored in the data structure. During the analysis, Bohne infers loop
invariants in the form of disjunctions of universally quantified Boolean
combinations of formulas. To synthesize loop invariants of this form, Bohne
uses a combination of decision procedures for Monadic Second-Order Logic over
trees, SMT-LIB decision procedures (currently CVC Lite), and an automated
reasoner within the Isabelle interactive theorem prover. This architecture
shows that synthesized loop invariants can serve as a useful communication
mechanism between different decision procedures. Using Bohne, we have verified
operations on data structures such as linked lists with iterators and back
pointers, trees with and without parent pointers, two-level skip lists, array
data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob
data structure analysis systems, enabling us to combine Bohne with analyses of
data structure clients and apply it in the context of larger programs. This
report describes the Bohne algorithm as well as techniques that Bohne uses to
reduce the ammount of annotations and the running time of the analysis
Incremental bounded model checking for embedded software
Program analysis is on the brink of mainstream usage in embedded systems development. Formal verification of behavioural requirements, finding runtime errors and test case generation are some of the most common applications of automated verification tools based on bounded model checking (BMC). Existing industrial tools for embedded software use an off-the-shelf bounded model checker and apply it iteratively to verify the program with an increasing number of unwindings. This approach unnecessarily wastes time repeating work that has already been done and fails to exploit the power of incremental SAT solving. This article reports on the extension of the software model checker CBMC to support incremental BMC and its successful integration with the industrial embedded software verification tool BTC EMBEDDED TESTER. We present an extensive evaluation over large industrial embedded programs, mainly from the automotive industry. We show that incremental BMC cuts runtimes by one order of magnitude in comparison to the standard non-incremental approach, enabling the application of formal verification to large and complex embedded software. We furthermore report promising results on analysing programs with arbitrary loop structure using incremental BMC, demonstrating its applicability and potential to verify general software beyond the embedded domain
Proceedings of the 21st Conference on Formal Methods in Computer-Aided Design â FMCAD 2021
The Conference on Formal Methods in Computer-Aided Design (FMCAD) is an annual conference on the theory and applications of formal methods in hardware and system verification. FMCAD provides a leading forum to researchers in academia and industry for presenting and discussing groundbreaking methods, technologies, theoretical results, and tools for reasoning formally about computing systems. FMCAD covers formal aspects of computer-aided system design including verification, specification, synthesis, and testing
Diagrammatic Languages and Formal Verification : A Tool-Based Approach
The importance of software correctness has been accentuated as a growing number of safety-critical systems have been developed relying on software operating these systems. One of the more prominent methods targeting the construction of a correct program is formal verification. Formal verification identifies a correct program as a program that satisfies its specification and is free of defects. While in theory formal verification guarantees a correct implementation with respect to the specification, applying formal verification techniques in practice has shown to be difficult and expensive. In response to these challenges, various support methods and tools have been suggested for all phases from program specification to proving the derived verification conditions. This thesis concerns practical verification methods applied to diagrammatic modeling languages.
While diagrammatic languages are widely used in communicating system design (e.g., UML) and behavior (e.g., state charts), most formal verification platforms require the specification to be written in a textual specification language or in the mathematical language of an underlying logical framework. One exception is invariant-based programming, in which programs together with their specifications are drawn as invariant diagrams, a type of state transition diagram annotated with intermediate assertions (preconditions, postconditions, invariants). Even though the allowed program statesâcalled situationsâare described diagrammatically, the intermediate assertions defining a situationâs meaning in the domain of the program are still written in conventional textual form. To explore the use of diagrams in expressing the intermediate assertions of invariant diagrams, we designed a pictorial language for expressing array properties. We further developed this notation into a diagrammatic domain-specific language (DSL) and implemented it as an extension to the Why3 platform. The DSL supports expression of array properties. The language is based on Reynoldsâs interval and partition diagrams and includes a construct for mapping array intervals to logic predicates.
Automated verification of a program is attained by generating the verification conditions and proving that they are true. In practice, full proof automation is not possible except for trivial programs and verifying even simple properties can require significant effort both in specification and proof stages. An animation tool which supports run-time evaluation of the program statements and intermediate assertions given any user-defined input can support this process. In particular, an execution trace leading up to a failed assertion constitutes a refutation of a verification condition that requires immediate attention. As an extension to Socos, a verificion tool for invariant diagrams built on top of the PVS proof system, we have developed an execution model where program statements and assertions can be evaluated in a given program state. A program is represented by an abstract datatype encoding the program state, together with a small-step state transition function encoding the evaluation of a single statement. This allows the programâs runtime behavior to be formally inspected during verification. We also implement animation and interactive debugging support for Socos.
The thesis also explores visualization of system development in the context of model decomposition in Event-B. Decomposing a software system becomes increasingly critical as the system grows larger, since the workload on the theorem provers must be distributed effectively. Decomposition techniques have been suggested in several verification platforms to split the models into smaller units, each having fewer verification conditions and therefore imposing a lighter load on automatic theorem provers. In this work, we have investigated a refinement-based decomposition technique that makes the development process more resilient to change in specification and allows parallel development of sub-models by a team. As part of the research, we evaluated the technique on a small case study, a simplified version of a landing gear system verification presented by Boniol and Wiels, within the Event-B specification language.Vikten av programvaras korrekthet har accentuerats dÄ ett vÀxande antal sÀkerhetskritiska system, vilka Àr beroende av programvaran som styr dessa, har utvecklas. En av de mer framtrÀdande metoderna som riktar in sig pÄ utveckling av korrekt programvara Àr formell verifiering. Inom formell verifiering avses med ett korrekt program ett program som uppfyller sina specifikationer och som Àr fritt frÄn defekter. Medan formell verifiering teoretiskt sett kan garantera ett korrekt program med avseende pÄ specifikationerna, har tillÀmpligheten av formella verifieringsmetod visat sig i praktiken vara svÄr och dyr. Till svar pÄ dessa utmaningar har ett stort antal olika stödmetoder och automatiseringsverktyg föreslagits för samtliga faser frÄn specifikationen till bevisningen av de hÀrledda korrekthetsvillkoren. Denna avhandling behandlar praktiska verifieringsmetoder applicerade pÄ diagrambaserade modelleringssprÄk.
Medan diagrambaserade sprĂ„k ofta anvĂ€nds för kommunikation av programvarudesign (t.ex. UML) samt beteende (t.ex. tillstĂ„ndsdiagram), krĂ€ver de flesta verifieringsplattformar att specifikationen kodas medelst ett textuellt specifikationsspĂ„k eller i sprĂ„ket hos det underliggande logiska ramverket. Ett undantag Ă€r invariantbaserad programmering, inom vilken ett program tillsammans med dess specifikation ritas upp som sk. invariantdiagram, en typ av tillstĂ„ndstransitionsdiagram annoterade med mellanliggande logiska villkor (förvillkor, eftervillkor, invarianter). Ăven om de tillĂ„tna programtillstĂ„ndenâsk. situationerâbeskrivs diagrammatiskt Ă€r de logiska predikaten som beskriver en situations betydelse i programmets domĂ€n fortfarande skriven pĂ„ konventionell textuell form. För att vidare undersöka anvĂ€ndningen av diagram vid beskrivningen av mellanliggande villkor inom invariantbaserad programming, har vi konstruerat ett bildbaserat sprĂ„k för villkor över arrayer. Vi har dĂ€refter vidareutvecklat detta sprĂ„k till ett diagrambaserat domĂ€n-specifikt sprĂ„k (domain-specific language, DSL) och implementerat stöd för det i verifieringsplattformen Why3. SprĂ„ket lĂ„ter anvĂ€ndaren uttrycka egenskaper hos arrayer, och Ă€r baserat pĂ„ Reynolds intevall- och partitionsdiagram samt inbegriper en konstruktion för mappning av array-intervall till logiska predikat.
Automatisk verifiering av ett program uppnÄs genom generering av korrekthetsvillkor och Ätföljande bevisning av dessa. I praktiken kan full automatisering av bevis inte uppnÄs utom för trivial program, och Àven bevisning av enkla egenskaper kan krÀva betydande anstrÀngningar bÄde vid specifikations- och bevisfaserna. Ett animeringsverktyg som stöder exekvering av sÄvÀl programmets satser som mellanliggande villkor för godtycklig anvÀndarinput kan vara till hjÀlp i denna process. SÀrskilt ett exekveringspÄr som leder upp till ett falskt mellanliggande villkor utgör ett direkt vederlÀggande (refutation) av ett bevisvillkor, vilket krÀver omedelbar uppmÀrksamhet frÄn programmeraren. Som ett tillÀgg till Socos, ett verifieringsverktyg för invariantdiagram baserat pÄ bevissystemet PVS, har vi utvecklat en exekveringsmodell dÀr programmets satser och villkor kan evalueras i ett givet programtillstÄnd. Ett program representeras av en abstrakt datatyp för programmets tillstÄnd tillsammans med en small-step transitionsfunktion för evalueringen av en enskild programsats. Detta möjliggör att ett programs exekvering formellt kan analyseras under verifieringen. Vi har ocksÄ implementerat animation och interaktiv felsökning i Socos.
Avhandlingen undersöker ocksÄ visualisering av systemutveckling i samband med modelluppdelning inom Event-B. Uppdelning av en systemmodell blir allt mer kritisk dÄ ett systemet vÀxer sig större, emedan belastningen pÄ underliggande teorembe visare mÄste fördelas effektivt. Uppdelningstekniker har föreslagits inom mÄnga olika verifieringsplattformar för att dela in modellerna i mindre enheter, sÄ att varje enhet har fÀrre verifieringsvillkor och dÀrmed innebÀr en mindre belastning pÄ de automatiska teorembevisarna. I detta arbete har vi undersökt en refinement-baserad uppdelningsteknik som gör utvecklingsprocessen mer kapabel att hantera förÀndringar hos specifikationen och som tillÄter parallell utveckling av delmodellerna inom ett team. Som en del av forskningen har vi utvÀrderat tekniken pÄ en liten fallstudie: en förenklad modell av automationen hos ett landningsstÀll av Boniol and Wiels, uttryckt i Event-B-specifikationsprÄket
Solving the bank with Rebel: on the design of the Rebel specification language and its application inside a bank
Large organizations like banks suffer from the ever growing complexity of their systems. Evolving the software becomes harder and harder since a single change can affect a much larger part of the system than predicted upfront. A large contributing factor to this problem is that the actual domain knowledge is often implicit, incomplete, or out of date, making it difficult to reason about the correct behavior of the system as a whole. With Rebel we aim to capture and centralize the domain knowledge and relate it to the running systems. Rebel is a formal specification language for controlling the intrinsic complexity of software for financial enterprise systems. In collaboration with ING, a large Dutch bank, we developed the Rebel specification language and an Integrated Specification Environment (ISE), currently offering automated simulation and checking of Rebel specifications using a Satisfiability Modulo Theories (SMT) solver. In this paper we report on our design choices for Rebel, the implementation and features of the ISE, and our initial observations on the application of Rebel inside the bank
Bridging the Gap Between Requirements and Model Analysis : Evaluation on Ten Cyber-Physical Challenge Problems
Formal verfication and simulation are powerful tools to validate requirements against complex systems. [Problem] Requirements are developed in early stages of the software lifecycle and are typically written in ambiguous natural language. There is a gap between such requirements and formal notations that can be used by verification tools, and lack of support for proper association of requirements with software artifacts for verification. [Principal idea] We propose to write requirements in an intuitive, structured natural language with formal semantics, and to support formalization and model/code verification as a smooth, well-integrated process. [Contribution] We have developed an end-to-end, open source requirements analysis framework that checks Simulink models against requirements written in structured natural language. Our framework is built in the Formal Requirements Elicitation Tool (fret); we use fret's requirements language named fretish, and formalization of fretish requirements in temporal logics. Our proposed framework contributes the following features: 1) automatic extraction of Simulink model information and association of fretish requirements with target model signals and components; 2) translation of temporal logic formulas into synchronous dataflow cocospec specifications as well as Simulink monitors, to be used by verification tools; we establish correctness of our translation through extensive automated testing; 3) interpretation of counterexamples produced by verification tools back at requirements level. These features support a tight integration and feedback loop between high level requirements and their analysis. We demonstrate our approach on a major case study: the Ten Lockheed Martin Cyber-Physical, aerospace-inspired challenge problems
Modular Construction of Shape-Numeric Analyzers
The aim of static analysis is to infer invariants about programs that are
precise enough to establish semantic properties, such as the absence of
run-time errors. Broadly speaking, there are two major branches of static
analysis for imperative programs. Pointer and shape analyses focus on inferring
properties of pointers, dynamically-allocated memory, and recursive data
structures, while numeric analyses seek to derive invariants on numeric values.
Although simultaneous inference of shape-numeric invariants is often needed,
this case is especially challenging and is not particularly well explored.
Notably, simultaneous shape-numeric inference raises complex issues in the
design of the static analyzer itself.
In this paper, we study the construction of such shape-numeric, static
analyzers. We set up an abstract interpretation framework that allows us to
reason about simultaneous shape-numeric properties by combining shape and
numeric abstractions into a modular, expressive abstract domain. Such a modular
structure is highly desirable to make its formalization and implementation
easier to do and get correct. To achieve this, we choose a concrete semantics
that can be abstracted step-by-step, while preserving a high level of
expressiveness. The structure of abstract operations (i.e., transfer, join, and
comparison) follows the structure of this semantics. The advantage of this
construction is to divide the analyzer in modules and functors that implement
abstractions of distinct features.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455
- âŠ