Verifying the Safety of a Flight-Critical System
This paper describes our work on demonstrating verification technologies on a
flight-critical system of realistic functionality, size, and complexity. Our
work targeted a commercial aircraft control system named Transport Class Model
(TCM), and involved several stages: formalizing and disambiguating requirements
in collaboration with domain experts; processing models for their use by
formal verification tools; and applying compositional techniques at the
architectural and component level to scale verification. Performed in the
context of a major NASA milestone, this study of formal verification in
practice is one of the most challenging that our group has performed, and it
took several person-months to complete. This paper describes the methodology
that we followed and the lessons that we learned.
Comment: 17 pages, 5 figures
The JKind Model Checker
JKind is an open-source industrial model checker developed by Rockwell
Collins and the University of Minnesota. JKind uses multiple parallel engines
to prove or falsify safety properties of infinite-state models. It is portable,
easy to install, performance-competitive with other state-of-the-art model
checkers, and has features designed to improve the results presented to users:
inductive validity cores for proofs and counterexample smoothing for test-case
generation. It serves as the back-end for various industrial applications.
Comment: CAV 201
Automatic Abstraction in SMT-Based Unbounded Software Model Checking
Software model checkers based on under-approximations and SMT solvers are
very successful at verifying safety (i.e. reachability) properties. They
combine two key ideas: (a) "concreteness": a counterexample in an
under-approximation is a counterexample in the original program as well, and
(b) "generalization": a proof of safety of an under-approximation, produced by
an SMT solver, is generalizable to a proof of safety of the original program.
In this paper, we present a combination of "automatic abstraction" with the
under-approximation-driven framework. We explore two iterative approaches for
obtaining and refining abstractions, "proof based" and "counterexample based",
and show how they can be combined into a unified algorithm. To the best of
our knowledge, this is the first application of Proof-Based Abstraction,
primarily used to verify hardware, to software verification. We have
implemented a prototype of the framework using Z3, and evaluate it on many
benchmarks from the Software Verification Competition. We show experimentally
that our combination is quite effective on hard instances.
Comment: Extended version of a paper in the proceedings of CAV 201
Phase resolved cross-correlation spectroscopy on surface barrier discharges in air at atmospheric pressure
Microdischarges in a surface barrier discharge with a special asymmetric needle-needle arrangement were investigated by means of cross-correlation spectroscopy (with sub-ns and sub-mm resolution) and an intensified CCD camera equipped with a far-field microscope. The surface barrier discharge was driven at conditions (overvoltage) resulting in several microdischarges per half period of the applied sinusoidal voltage. At these conditions and in this arrangement, regular patterns of microdischarges between the tips of the two electrodes are formed due to local charging of the dielectric surface. The cross-correlation spectroscopy setup enables the recording of microdischarge development for different phases of the applied voltage. Distinct differences in the microdischarge development between the subsequent phase channels in the positive half period can be observed, while the first channel shows behavior similar to that in the single-microdischarge mode studied recently.
SMT-based Model Checking for Recursive Programs
We present an SMT-based symbolic model checking algorithm for safety
verification of recursive programs. The algorithm is modular and analyzes
procedures individually. Unlike other SMT-based approaches, it maintains both
"over-" and "under-approximations" of procedure summaries. Under-approximations
are used to analyze procedure calls without inlining. Over-approximations are
used to block infeasible counterexamples and detect convergence to a proof. We
show that for programs and properties over a decidable theory, the algorithm is
guaranteed to find a counterexample, if one exists. However, efficiency depends
on an oracle for quantifier elimination (QE). For Boolean Programs, the
algorithm is a polynomial decision procedure, matching the worst-case bounds of
the best BDD-based algorithms. For Linear Arithmetic (integers and rationals),
we give an efficient instantiation of the algorithm by applying QE "lazily". We
use existing interpolation techniques to over-approximate QE and introduce
"Model Based Projection" to under-approximate QE. Empirical evaluation on
SV-COMP benchmarks shows that our algorithm improves significantly on the
state of the art.
Comment: originally published as part of the proceedings of CAV 2014; fixed
typos, better wording in some places
A decision procedure for satisfiability in separation logic with inductive predicates
We show that the satisfiability problem for the "symbolic heap" fragment of separation logic with general inductively defined predicates - which includes most fragments employed in program verification - is decidable. Our decision procedure is based on the computation of a certain fixed point from the definition of an inductive predicate, called its "base", that exactly characterises its satisfiability.
A complexity analysis of our decision procedure shows that it runs, in the worst case, in exponential time. In fact, we show that the satisfiability problem for our inductive predicates is EXPTIME-complete, and becomes NP-complete when the maximum arity over all predicates is bounded by a constant.
Finally, we provide an implementation of our decision procedure, and analyse its performance both on a synthetically generated set of test formulas, and on a second test set harvested from the separation logic literature. For the large majority of these test cases, our tool reports times in the low milliseconds
Extended reaction kinetics model for non-thermal argon plasmas and its test against experimental data
An extended reaction kinetics model (RKM) suitable for the analysis of weakly ionised, non-thermal argon plasmas with gas temperatures around 300 K at sub-atmospheric and atmospheric pressures is presented. It considers 23 different species including electrons as well as the ground state atom, an atomic and molecular ion, four excited molecular states, and 15 excited atomic states of argon, where all individual 1s and 2p states (in Paschen notation) are included as separate species. This 23-species RKM involves 409 collision processes and radiative transitions and recent electron collision cross section data. It is evaluated by means of results of time- and space-dependent fluid modelling of argon discharges and their comparison with measured data for two different dielectric barrier discharge configurations as well as a micro-scaled atmospheric-pressure plasma jet setup. The results are also compared with those obtained by use of a previously established 15-species RKM involving only the two lumped 2p states 2p10…5 and 2p4…1. It is found that the 23-species RKM shows generally better agreement with experimental data and provides more options for direct comparison with measurements than the frequently used 15-species RKM.
PrIC3: Property Directed Reachability for MDPs
IC3 has been a leap forward in symbolic model checking. This paper proposes
PrIC3 (pronounced pricy-three), a conservative extension of IC3 to symbolic
model checking of MDPs. Our main focus is to develop the theory underlying
PrIC3. Alongside, we present a first implementation of PrIC3 including the key
ingredients from IC3 such as generalization, repushing, and propagation
Finding Finite Models in Multi-Sorted First-Order Logic
This work extends the existing MACE-style finite model finding approach to
multi-sorted first-order logic. That approach iteratively assumes
increasing domain sizes and encodes the related ground problem as a SAT
problem. When moving to the multi-sorted setting each sort may have a different
domain size, leading to an explosion in the search space. This paper focusses
on methods to tame that search space. The key approach adds additional
information to the SAT encoding to suggest which domains should be grown.
Evaluation of an implementation of these techniques in the Vampire theorem prover
shows that they dramatically reduce the search space and that this is an
effective approach to finding finite models in multi-sorted first-order logic.
Comment: SAT 201
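The MACE-style loop sketched in the abstract above, as an added example that is neither the paper's code nor Vampire's implementation: a toy multi-sorted finite model finder in Python. It grounds the problem for a chosen vector of per-sort domain sizes and searches for an interpretation, then grows the sizes and retries. Brute-force enumeration of interpretations stands in for the SAT encoding, and the two-sort signature, the axioms and the size schedules are constructed for illustration. The point it makes is the one the abstract names: on this problem a single-sorted schedule that grows every domain in lockstep never finds a model, while a multi-sorted schedule that lets |A| and |B| differ finds one immediately.

```python
from itertools import product

# Constructed toy signature (not from the paper): two sorts and two unary
# function symbols,  f : A -> B  and  g : B -> A.
SORTS = ("A", "B")
FUNCS = {"f": ("A", "B"), "g": ("B", "A")}  # name -> (argument sort, result sort)


def axiom_left_inverse(sizes, interp):
    """forall x:A. g(f(x)) = x   (forces f to be injective, so |B| >= |A|)."""
    f, g = interp["f"], interp["g"]
    return all(g[f[x]] == x for x in range(sizes["A"]))


def axiom_not_surjective(sizes, interp):
    """exists b:B. forall x:A. f(x) != b   (some element of B is missed by f)."""
    f = interp["f"]
    image = {f[x] for x in range(sizes["A"])}
    return any(b not in image for b in range(sizes["B"]))


# Together the axioms are satisfiable only when |B| > |A|: no model has equal sizes.
AXIOMS = (axiom_left_inverse, axiom_not_surjective)


def ground_interpretations(sizes):
    """Enumerate every total interpretation of the function symbols over the
    given domain sizes. A real MACE-style tool encodes this choice as SAT
    variables; this toy brute-forces the ground problem instead."""
    tables = []
    for name, (arg_sort, res_sort) in FUNCS.items():
        # A function table is one result element per argument element.
        tables.append(list(product(range(sizes[res_sort]), repeat=sizes[arg_sort])))
    for choice in product(*tables):
        yield dict(zip(FUNCS, choice))


def find_model_for_sizes(sizes):
    """Return (interpretation, candidates_checked); interpretation is None if
    no model exists at these exact domain sizes."""
    checked = 0
    for interp in ground_interpretations(sizes):
        checked += 1
        if all(axiom(sizes, interp) for axiom in AXIOMS):
            return interp, checked
    return None, checked


def size_assignments(max_total):
    """Multi-sorted schedule: every vector of per-sort sizes (each >= 1),
    ordered by total size, so small models are tried first."""
    for total in range(len(SORTS), max_total + 1):
        for vec in product(range(1, total + 1), repeat=len(SORTS)):
            if sum(vec) == total:
                yield dict(zip(SORTS, vec))


def find_finite_model(max_total=6):
    """MACE-style loop over the multi-sorted schedule.
    Returns (sizes, model, total_candidates_checked)."""
    checked = 0
    for sizes in size_assignments(max_total):
        model, n = find_model_for_sizes(sizes)
        checked += n
        if model is not None:
            return sizes, model, checked
    return None, None, checked


def find_finite_model_lockstep(max_size=4):
    """Single-sorted schedule: grow every domain together, as an unsorted
    MACE-style search would. Fails on this problem at every size."""
    checked = 0
    for n in range(1, max_size + 1):
        sizes = {s: n for s in SORTS}
        model, k = find_model_for_sizes(sizes)
        checked += k
        if model is not None:
            return sizes, model, checked
    return None, None, checked


if __name__ == "__main__":
    sizes, model, checked = find_finite_model()
    print("multi-sorted:", sizes, model, "after", checked, "candidates")
    sizes, model, checked = find_finite_model_lockstep()
    print("lockstep:    ", sizes, model, "after", checked, "candidates")
```

The lockstep schedule wastes its entire budget (over 66,000 candidate interpretations up to size 4) because the axioms can only be satisfied when |B| exceeds |A|; the multi-sorted schedule reaches |A| = 1, |B| = 2 on its second size vector. The cost of that flexibility is the number of size vectors to consider, which is what the paper's heuristic for choosing which domain to grow is meant to control.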
Generalized Property-Directed Reachability for Hybrid Systems
Generalized property-directed reachability (GPDR) belongs to the family of
model-checking techniques called IC3/PDR. It has been successfully applied
to software verification; for example, it is the core of Spacer, a
state-of-the-art Horn-clause solver bundled with Z3. However, it has yet to be
applied to hybrid systems, which involve a continuous evolution of values over
time. As the first step towards GPDR-based model checking for hybrid systems,
this paper formalizes HGPDR, an adaptation of GPDR to hybrid systems, and
proves its soundness. We also implemented a semi-automated proof-of-concept
verifier, which allows a user to provide hints to guide verification steps.
Comment: To appear in VMCAI 202