Anca Browne

Automatic generation of invariants and intermediate assertions

Verifying temporal specifications of reactive and concurrent systems commonly relies on generating auxiliary assertions and strengthening given properties of the system. Two dual approaches find solutions to these problems: the bottom-up method performs an abstract forward propagation of the system, generating auxiliary properties; the top-down method performs an abstract backward propagation to strengthen given properties. Exact application of these methods is complete but is usually infeasible for large-scale verification. An approximate analysis can often supply enough information to complete the verification.

STeP: Deductive-Algorithmic Verification of Reactive and Real-Time Systems

The Stanford Temporal Prover, STeP, combines deductive methods with algorithmic techniques to verify linear-time temporal logic specifications of reactive and real-time systems. STeP uses verification rules, verification diagrams, automatically generated invariants, model checking, and a collection of decision procedures to verify finite- and infinite-state systems.

An improved algorithm for the evaluation of fixpoint expressions

Many automated finite-state verification procedures can be viewed as fixpoint computations over a finite lattice (typically the powerset of the set of system states). Hence, fixpoint calculi such as the propositional Μ-calculus have proven useful, both as ways to describe verification algorithms and as specification formalisms in their own right. We consider the problem of evaluating expressions in a fixpoint calculus over a given model. A naive algorithm for this task may require time n q , where n is the maximum length of a chain in the lattice and q is the depth of fixpoint nesting. In 1986, Emerson and Lei presented a method requiring about n d steps, where d is the number of alternations between least and greatest fixpoints. More recent algorithms have reduced the exponent by one or two, but the complexity has remained at about nd. In this paper, we present a new algorithm that makes extensive use of monotonicity considerations to solve the problem in about nd/2 steps. Thus, the time required by our method is only about the square root of the time required by the earlier algorithms.

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial

We review a number of formal verification techniques supported by STeP, the Stanford Temporal Prover, describing how the tool can be used to verify properties of several versions of the Bakery Mutual exclusion algorithm for mutual exclusion. We verify the classic two-process algorithm and simple variants, as well as an atomic parameterized version. The methods used include deductive verification rules, verification diagrams, automatic invariant generation, and finite-state model checking and abstraction.

An Improved Algorithm for the Evaluation of Fixpoint Expressions

Many automated finite-state verification procedures can be viewed as fixpoint computations over a finite lattice (typically the powerset of the set of system states). Hence, fixpoint calculi such as the propositional Μ-calculus have proven useful, both as ways to describe verification algorithms and as specification formalisms in their own right. We consider the problem of evaluating expressions in a fixpoint calculus over a given model. A naive algorithm for this task may require time n q , where n is the maximum length of a chain in the lattice and q is the depth of fixpoint nesting. In 1986, Emerson and Lei presented a method requiring about n d steps, where d is the number of alternations between least and greatest fixpoints. More recent algorithms have reduced the exponent by one or two, but the complexity has remained at about nd. In this paper, we present a new algorithm that makes extensive use of monotonicity considerations to solve the problem in about nd/2 steps. Thus, the time required by our method is only about the square root of the time required by the earlier algorithms.

Visual Abstractions for Temporal Verification

Generalized Verification Diagrams combine deductive and algorithmic verification to establish general temporal properties of finite-and infinite-state reactive systems. The diagram serves as an abstraction of the system. This abstraction is deductively justified and algorithmically model checked. We present a new simple class of verification diagrams, using Muller acceptance conditions, and show how they can be used to verify general temporal properties of reactive systems.

An Update on STeP: Deductive-Algorithmic Verification of Reactive Systems

The Stanford Temporal Prover, STeP, is a tool for the computer-aided formal verification of reactive systems, including real-time and hybrid systems, based on their temporal specification. STeP integrates methods for deductive and algorithmic verification, including model checking, theorem proving, automatic invariant generation, abstraction and modular reasoning. We describe the most recent version of STeP, Version 2.0.

Linking STeP with SPIN

We have connected ST e P, the Stanford Temporal Prover, with SPIN, an LTL model checker. In this paper we describe the translation of fair transition systems into Promela, in particular how weak and strong fairness constraints are handled. The paper presents some preliminary experimental results using this connection.

The ‘Cash-Point’ Service: A Verification Case Study Using STeP

Abstract. STeP, the Stanford Temporal Prover, supports the computer-aided formal verification of concurrent and reactive systems based on temporal specifications [MBB99]. Automated model checking is combined with computer-aided deductive methods to allow for the verification of a broad class of systems, including parameterised (N-component) circuit designs, parameterised (N-process) programs, and programs with infinite data domains.