Dennis Dams
Alcatel-Lucent
Publication
Featured research published by Dennis Dams.
Archive | 2009
Ana Cavalcanti; Dennis Dams
Invited Papers.- Formal Methods for Privacy.- What Can Formal Methods Bring to Systems Biology?.- Guess and Verify - Back to the Future.- Verification, Testing and Statistics.- Security, Probability and Nearly Fair Coins in the Cryptographers' Café.
Model Checking I.- Recursive Abstractions for Parameterized Systems.- Abstract Model Checking without Computing the Abstraction.- Three-Valued Spotlight Abstractions.- Fair Model Checking with Process Counter Abstraction.
Compositionality.- Systematic Development of Trustworthy Component Systems.- Partial Order Reductions Using Compositional Confluence Detection.- A Formal Method for Developing Provably Correct Fault-Tolerant Systems Using Partial Refinement and Composition.
Verification.- Abstract Specification of the UBIFS File System for Flash Memory.- Inferring Mealy Machines.- Formal Management of CAD/CAM Processes.
Concurrency.- Translating Safe Petri Nets to Statecharts in a Structure-Preserving Way.- Symbolic Predictive Analysis for Concurrent Programs.- On the Difficulties of Concurrent-System Design, Illustrated with a 2x2 Switch Case Study.
Refinement.- Sums and Lovers: Case Studies in Security, Compositionality and Refinement.- Iterative Refinement of Reverse-Engineered Models by Model-Based Testing.- Model Checking Linearizability via Refinement.
Static Analysis.- It's Doomed; We Can Prove It.- Carbon Credits for Resource-Bounded Computations Using Amortised Analysis.- Field-Sensitive Value Analysis by Field-Insensitive Analysis.
Theorem Proving.- Making Temporal Logic Calculational: A Tool for Unification and Discovery.- A Tableau for CTL*.- Certifiable Specification and Verification of C Programs.- Formal Reasoning about Expectation Properties for Continuous Random Variables.
Semantics.- The Denotational Semantics of slotted-Circus.- Unifying Probability with Nondeterminism.- Towards an Operational Semantics for Alloy.- A Robust Semantics Hides Fewer Errors.
Special Track: Industrial Applications I.- Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks.- Formal Verification of Avionics Software Products.- Formal Verification of Curved Flight Collision Avoidance Maneuvers: A Case Study.
Object-Orientation.- Connecting UML and VDM++ with Open Tool Support.- Language and Tool Support for Class and State Machine Refinement in UML-B.- Dynamic Classes: Modular Asynchronous Evolution of Distributed Concurrent Objects.- Abstract Object Creation in Dynamic Logic.
Pointers.- Reasoning about Memory Layouts.- A Smooth Combination of Linear and Herbrand Equalities for Polynomial Time Must-Alias Analysis.
Real-Time.- On the Complexity of Synthesizing Relaxed and Graceful Bounded-Time 2-Phase Recovery.- Verifying Real-Time Systems against Scenario-Based Requirements.
Special Track: Tools and Industrial Applications II.- Formal Specification of a Cardiac Pacing System.- Automated Property Verification for Large Scale B Models.- Reduced Execution Semantics of MPI: From Theory to Practice.
Model Checking II.- A Metric Encoding for Bounded Model Checking.- An Incremental Approach to Scope-Bounded Checking Using a Lightweight Formal Method.- Verifying Information Flow Control over Unbounded Processes.- Specification and Verification of Web Applications in Rewriting Logic.
Industry-Day Abstracts.- Verifying the Microsoft Hyper-V Hypervisor with VCC.- Industrial Practice in Formal Methods: A Review.- Model-Based GUI Testing Using Uppaal at Novo Nordisk.
Logic in Computer Science | 2004
Dennis Dams; Kedar S. Namjoshi
Abstraction is often essential to verify a program with model checking. Typically, a concrete source program with an infinite (or finite, but large) state space is reduced to a small, finite state, abstract program on which a correctness property can be checked. The fundamental question we investigate in this paper is whether such a reduction to finite state programs is always possible, for arbitrary branching time temporal properties. We begin by showing that existing abstraction frameworks are inherently incomplete for verifying purely existential or mixed universal-existential properties. We then propose a new, complete abstraction framework which is based on a class of focused transition systems (FTSs). The key new feature in FTSs is a way of focusing an abstract state to a set of more precise abstract states. While focus operators have been defined for specific contexts, this result shows their fundamental usefulness for proving non-universal properties. The constructive completeness proof provides linear size maximal models for properties expressed in logics such as CTL and the mu-calculus. This substantially improves upon known (worst-case) exponential size constructions for their universal fragments.
Verification, Model Checking and Abstract Interpretation | 2002
Dennis Dams; Kedar S. Namjoshi
We propose a new framework, based on predicate abstraction and model checking, for shape analysis of programs. Shape analysis is used to statically collect information -- such as possible reachability and sharing -- about program stores. Rather than use a specialized abstract interpretation based on shape graphs, we instantiate a generic and automated abstraction procedure with shape predicates from a correctness property. This results in a predicate-discovery procedure that identifies predicates relevant for correctness, using an analysis based on weakest preconditions, and creates a finite state abstract program. The correctness property is then checked on the abstraction with a model checking tool. To enable this process, we calculate weakest preconditions for common shape properties, and present heuristics for accelerating convergence. Exploring abstract state spaces with model checkers enables one to tap into a wealth of techniques and highly optimized implementations for state space exploration, and to analyze properties that go beyond invariances. We illustrate this simple and flexible framework with the analysis of some classical list manipulation programs, using our implementation of the abstraction algorithm, and the SPIN and COSPAN model checkers for state space exploration.
Computer Aided Verification | 2005
Christopher L. Conway; Kedar S. Namjoshi; Dennis Dams; Stephen A. Edwards
Automaton-based static program analysis has proved to be an effective tool for bug finding. Current tools generally re-analyze a program from scratch in response to a change in the code, which can result in much duplicated effort. We present an inter-procedural algorithm that analyzes incrementally in response to program changes and present experiments for a null-pointer dereference analysis. It shows a substantial speed-up over re-analysis from scratch, with a manageable amount of disk space used to store information between analysis runs.
Verification, Model Checking and Abstract Interpretation | 2005
Dennis Dams; Kedar S. Namjoshi
We propose the use of tree automata as abstractions in the verification of branching time properties, and show several benefits. In this setting, soundness and completeness are trivial. It unifies the abundance of frameworks in the literature, and clarifies the role of concepts therein in terms of the well-studied field of automata theory. Moreover, using automata as models simplifies and generalizes results on maximal model theorems.
Formal Methods | 2005
Dennis Dams; Kedar S. Namjoshi
We describe the algorithmic and implementation ideas behind a tool, Orion, for finding common programming errors in C and C++ programs using static code analysis. We aim to explore the fundamental trade-off between the cost and the precision of such analyses. Analysis methods that use simple dataflow domains run the risk of producing a high number of false error reports. On the other hand, the use of complex domains reduces the number of false errors, but limits the size of code that can be analyzed.
Orion employs a two-level approach: potential errors are identified by an efficient search based on a simple domain; each discovered error path is then scrutinized by a high-precision feasibility analysis aimed at filtering out as many false errors as possible.
We describe the algorithms used and their implementation in a GCC-based tool. Experimental results on a number of software programs bear out the expectation that this approach results in a high signal-to-noise ratio of reported errors, at an acceptable cost.
Computer Aided Verification | 2002
Dennis Dams; William Hesse; Gerard J. Holzmann
A conceptually simple and practically very useful form of data abstraction in model checking is variable hiding, which amounts to suppressing all information about a given set of variables. The abC tool automates this for programs written in the C programming language. It features an integrated demand-driven pointer analysis, and has been implemented as an extension of GCC.
Static Analysis Symposium | 2008
Christopher L. Conway; Dennis Dams; Kedar S. Namjoshi; Clark Barrett
It is well known that the use of points-to information can substantially improve the accuracy of a static program analysis. Commonly used algorithms for computing points-to information are known to be sound only for memory-safe programs. Thus, it appears problematic to utilize points-to information to verify the memory safety property without giving up soundness. We show that a sound combination is possible, even if the points-to information is computed separately and only conditionally sound. This result is based on a refined statement of the soundness conditions of points-to analyses and a general mechanism for composing conditionally sound analyses.
Electronic Notes in Theoretical Computer Science | 2003
Dennis Dams
We present a generic algorithm that provides a unifying scheme for the comparison of abstraction refinement algorithms. It is centered around the notion of refinement cue, which generalizes counterexamples. It is demonstrated how the essential features of several refinement algorithms can be captured as instances. We argue that the generic algorithm does not limit the completeness of instances, and show that the proposed generalization of counterexamples is necessary for completeness, thus addressing a shortcoming of more limited notions of counterexample-guided refinement.
International Workshop on Model Checking Software | 2002
Dennis Dams
This paper provides a brief description, including a bibliography, of the SPIN2002 tutorial on abstraction in model checking of software.