
    Supporting Abstraction when Model Checking ASM

    Model checking, as a method for automatic tool support for verification, strongly stimulates industry's interest. It is limited, however, with respect to the size of the systems' state space. In earlier work, we developed an interface between the ASM Workbench and the SMV model checker that allows model checking of finite ASM models. In this work, we add a means for abstraction in case the model to be checked is infinite and therefore not feasible for the model checking approach. We extend the ASM specification language (ASM-SL) with a notion of abstract types and introduce an interface between ASM-SL and Multiway Decision Graphs (MDGs). MDGs are capable of representing transition systems with abstract types and functions and provide the functionality necessary for symbolic model checking. Our interface maps abstract ASM models into MDGs in a semantics-preserving way. It provides a very simple means for generating abstract models that are infinite but can be checked by a model checker based on MDGs.

    First order model checking of ω-Automata using multiway decision graphs

    As the complexity of hardware digital systems increases, their correctness becomes a major concern. Traditional verification by simulation cannot exhaustively test a design and guarantee its correctness. More than a decade ago, however, formal verification was introduced as a complementary technique to simulation. Formal methods establish that a design implementation satisfies its specification by mathematical reasoning. Among several techniques, model checking is one of the most successful, and it is based on the exploration of the design state space. In this thesis, we propose a new model checking method based on the theory of ω-automata and multiway decision graphs (MDGs). Unlike reduced ordered binary decision diagrams (ROBDDs), MDGs allow system models to be described using abstract state machines (ASMs) through abstract data sorts and uninterpreted function symbols, hence enabling the verification of larger designs independent of the datapath width. Given an ASM and a first-order linear time temporal logic property, the model checking problem proposed in this thesis is reduced to a language emptiness check of an ω-automaton that accepts all ω-words produced by the system violating the property formula. The checking method comprises four steps: (1) transforming the first-order property into a propositional formula by constructing ASMs for the atomic formulas of the property; (2) generating an ω-automaton from the negation of the transformed propositional formula; (3) computing the product of the generated automaton, the system model ASM and the constructed ASMs; and (4) applying a language emptiness checking algorithm on the product automaton. Three different checking algorithms have been developed, implemented, and proved correct in this thesis. To evaluate the performance of the proposed model checking method and implemented tool, we conducted several experiments and case studies. We also compared the efficiency of our tool with an existing MDG regular model checking application, as well as with popular ROBDD-based automata model checking tools such as VIS. Our model checker was found to outperform the above tools.

    Integrating MDG variable ordering in a VHDL-MDG design verification system

    Thesis digitized by the Direction des bibliothèques de l'Université de Montréal

    The verification of MDG algorithms in the HOL theorem prover

    Formal verification of digital systems is achieved today using one of two main approaches: state exploration (mainly model checking and equivalence checking) or deductive reasoning (theorem proving). The combination of the two approaches, state exploration and deductive reasoning, promises to overcome the limitations and to enhance the capabilities of each. Our research is motivated by this goal. In this thesis, we provide the entire necessary infrastructure (data structures + algorithms) to define high level state exploration in the HOL theorem prover, named the MDG-HOL platform. While related work has tackled the same problem by representing primitive Binary Decision Diagram (BDD) operations as inference rules added to the core of the theorem prover, we have based our approach on Multiway Decision Graphs (MDGs). MDGs generalize ROBDDs to represent and manipulate a subset of first-order logic formulae. With MDGs, a data value is represented by a single variable of an abstract type and operations on data are represented in terms of uninterpreted functions. Considering MDGs instead of BDDs raises the abstraction level of what can be verified using state exploration within a theorem prover. The MDG embedding is based on the logical formulation of an MDG as a Directed Formula (DF). The DF syntax is defined as HOL built-in data types. We formalize the basic MDG operations using this syntax within HOL following a deep embedding approach. Such an approach ensures the consistency of our embedding. Then, we derive the correctness proof for each MDG basic operator. Based on this platform, the MDG reachability analysis is defined in HOL as a conversion that uses the MDG theory within HOL. Then, we demonstrate the effectiveness of our platform by considering four case studies. Our results show that this verification framework offers a considerable gain in terms of automation without sacrificing CPU time and memory usage compared to automatic model checker tools. Finally, we propose a reduction technique to improve MDG model checking based on the MDG-HOL platform. The idea is to prune the transition relation of the circuits using pre-proved theorems and lemmas from the specification given at system level. We also use the consistency of the specifications to verify whether the reduced model is faithful to the original one. We provide two case studies: the first is the reduction using SAT-MDG of an Island Tunnel Controller and the second is the MDG-HOL assume-guarantee reduction of the Look-Aside Interface. The results of our approach offer a considerable gain in terms of the correctness of heuristics and reduction techniques compared to commercial model checking; however, a small penalty is paid in terms of CPU time and memory usage.

    Emerging trends proceedings of the 17th International Conference on Theorem Proving in Higher Order Logics: TPHOLs 2004

    This volume constitutes the proceedings of the Emerging Trends track of the 17th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2004) held September 14-17, 2004 in Park City, Utah, USA. The TPHOLs conference covers all aspects of theorem proving in higher order logics as well as related topics in theorem proving and verification. There were 42 papers submitted to TPHOLs 2004 in the full research category, each of which was refereed by at least 3 reviewers selected by the program committee. Of these submissions, 21 were accepted for presentation at the conference and publication in volume 3223 of Springer's Lecture Notes in Computer Science series. In keeping with longstanding tradition, TPHOLs 2004 also offered a venue for the presentation of work in progress, where researchers invite discussion by means of a brief introductory talk and then discuss their work at a poster session. The work-in-progress papers are held in this volume, which is published as a 2004 technical report of the School of Computing at the University of Utah.

    Model reductions in MDG-based model checking

    Thesis digitized by the Direction des bibliothèques de l'Université de Montréal

    Performance-Based Financing: Report on Feasibility and Implementation Options Final September 2007

    This study examines the feasibility of introducing a performance-related bonus scheme in the health sector. After describing the Tanzania health context, we define "Performance-Based Financing", examine its rationale and review the evidence on its effectiveness. The following sections systematically assess the potential for applying the scheme in Tanzania. On the basis of risks and concerns identified, detailed design options and recommendations are set out. The report concludes with a (preliminary) indication of the costs of such a scheme and recommends a way forward for implementation. We prefer the name "Payment for Performance" or "P4P". This is because what is envisaged is a bonus payment that is earned by meeting performance targets. The dominant financing for health care delivery would remain grant-based as at present. There is a strong case for introducing P4P. Its main purpose will be to motivate front-line health workers to improve service delivery performance. In recent years, funding for council health services has increased dramatically, without a commensurate increase in health service output. The need to tighten focus on results is widely acknowledged. So too is the need to hold health providers more accountable for performance at all levels, from the local to the national. P4P is expected to encourage CHMTs and health facilities to "manage by results"; to identify and address local constraints, and to find innovative ways to raise productivity and reach under-served groups. As well as leveraging more effective use of all resources, P4P will provide a powerful incentive at all levels to make sure that HMIS information is complete, accurate and timely. It is expected to enhance accountability between health facilities and their managers / governing committees as well as between the Council Health Department and the Local Government Authority.
Better performance-monitoring will enable the national level to track aggregate progress against goals and will assist in identifying under-performers requiring remedial action. We recommend a P4P scheme that provides a monetary team bonus, dependent on a whole facility reaching facility-specific service delivery targets. The bonus would be paid quarterly and shared equally among health staff. It should target all government health facilities at the council level, and should also reward the CHMT for “whole council” performance. All participating facilities/councils are therefore rewarded for improvement rather than absolute levels of performance. Performance indicators should not number more than 10, should represent a “balanced score card” of basic health service delivery, should present no risk of “perverse incentive” and should be readily measurable. The same set of indicators should be used by all. CHMTs would assist facilities in setting targets and monitoring performance. RHMTs would play a similar role with respect to CHMTs. The Council Health Administration would provide a “check and balance” to avoid target manipulation and verify bonus payments due. The major constraint on feasibility is the poor state of health information. Our study confirmed the findings of previous ones, observing substantial omission and error in reports from facilities to CHMTs. We endorse the conclusion of previous reviewers that the main problem lies not with HMIS design, but with its functioning. We advocate a particular focus on empowering and enabling the use of information for management by facilities and CHMTs. We anticipate that P4P, combined with a major effort in HMIS capacity building – at the facility and council level – will deliver dramatic improvements in data quality and completeness. We recommend that the first wave of participating councils are selected on the basis that they can first demonstrate robust and accurate data. 
We anticipate that P4P for facilities will not deliver the desired benefits unless they have a greater degree of control to solve their own problems. We therefore propose, as a prior and essential condition, the introduction of petty cash imprests for all health facilities. We believe that such a measure would bring major benefits even to facilities that have not yet started P4P. It should also empower Health Facility Committees to play a more meaningful role in health service governance at the local level. We recommend to Government that P4P bonuses, as described here, be implemented across Mainland Tanzania on a phased basis. The main constraint on the pace of roll-out is the time required to bring information systems up to standard. Councils that are not yet ready to institute P4P should get an equivalent amount of money, to be used as general revenue to finance their comprehensive council health plans. We also recommend that up-to-date reporting on performance against service delivery indicators be made a mandatory requirement for all councils and also be agreed as a standard requirement for the Joint Annual Health Sector Review. P4P can also be applied on the "demand-side", for example to encourage women to present in case of obstetric emergencies. There is a strong empirical evidence base from other countries to demonstrate that such incentives can work. We recommend a separate policy decision on whether or not to introduce demand-side incentives. In our view, they are sufficiently promising to be tried out on an experimental basis. When taken to national scale (all councils, excepting higher level hospitals), the scheme would require annual budgetary provision of about 6 billion shillings for bonus payments. This is equivalent to 1% of the national health budget, or about 3% of budgetary resources for health at the council level. 
We anticipate that design and implementation costs would amount to about 5 billion shillings over 5 years, the majority of this being devoted to HMIS strengthening at the facility level across the whole country.

    Providing a formal linkage between MDG and HOL based on a verified MDG system.

    Formal verification techniques can be classified into two categories: deductive theorem proving and symbolic state enumeration. Each method has complementary advantages and disadvantages. In general, theorem provers are high reliability systems. They can be applied to the expressive formalisms that are capable of modelling complex designs such as processors. However, theorem provers use a glass-box approach. To complete a verification, it is necessary to understand the internal structure in detail. The learning curve is very steep, and modeling and verifying a system is very time-consuming. In contrast, symbolic state enumeration tools use a black-box approach. When verifying a design, the user does not need to understand its internal structure. Their advantages are their speed and ease of use. But they can only be used to prove relatively simple designs, and the system security is much lower than that of a theorem proving system. Many hybrid tools have been developed to reap the benefits of both theorem proving systems and symbolic state enumeration systems. Normally, the verification results from one system are translated to another system. In other words, there is a linkage between the two systems. However, how can we ensure that this linkage can be trusted? How can we ensure the verification system itself is correct? The contribution of this thesis is that we have produced a methodology which can provide a formal linkage between a symbolic state enumeration system and a theorem proving system based on a verified symbolic state enumeration system. The methodology has been partly realized in two simplified versions of the MDG system (a symbolic state enumeration system) and the HOL system (a theorem proving system), and involves the following three steps. First, we have verified aspects of the correctness of two simplified versions of the MDG system. We have made certain that the semantics of a program is preserved in those of its translated form. Secondly, we have provided a formal linkage between the MDG system and the HOL system based on importing theorems. The MDG verification results can be formally imported into HOL to form HOL theorems. Thirdly, we have combined the translator correctness theorems with the importing theorems. This combination allows the low level MDG verification results to be imported into HOL in terms of the semantics of a high level language (MDG-HDL). We have also summarized a general method which is used to prove the existential theorem for the specification and implementation of the design. The feasibility of this approach has been demonstrated in a case study: the verification of the correctness and usability theorems of a vending machine.

    Model checking for a first-order temporal logic using multiway decision graphs

    Thesis digitized by the Direction des bibliothèques de l'Université de Montréal