Publication


Featured research published by Flavio Lerda.


Tools and Algorithms for Construction and Analysis of Systems | 2004

A Tool for Checking ANSI-C Programs

Edmund M. Clarke; Daniel Kroening; Flavio Lerda

We present a tool for the formal verification of ANSI-C programs using Bounded Model Checking (BMC). The emphasis is on usability: the tool supports almost all ANSI-C language features, including pointer constructs, dynamic memory allocation, recursion, and the float and double data types. From the perspective of the user, the verification is highly automated: the only input required is the BMC bound. The tool is integrated into a graphical user interface. This is essential for presenting long counterexample traces: the tool allows stepping through the trace in the same way a debugger allows stepping through a program.


International Workshop on Model Checking Software | 1999

Distributed-Memory Model Checking with SPIN

Flavio Lerda; Riccardo Sisto

The main limiting factor of the model checker SPIN is currently the amount of available physical memory. This paper explores the possibility of exploiting a distributed-memory execution environment, such as a network of workstations interconnected by a standard LAN, to extend the size of the verification problems that can be successfully handled by SPIN. A distributed version of the algorithm used by SPIN to verify safety properties is presented, and its compatibility with the main memory and complexity reduction mechanisms of SPIN is discussed. Finally, some preliminary experimental results are presented.


Formal Techniques for Networked and Distributed Systems | 2002

From States to Transitions: Improving Translation of LTL Formulae to Büchi Automata

Dimitra Giannakopoulou; Flavio Lerda

Model checking is an automated technique for checking that a system satisfies a set of required properties. With explicit-state model checkers, properties are typically defined in linear-time temporal logic (LTL), and are translated into Büchi automata in order to be checked. This paper describes how, by labeling automata transitions rather than states, we significantly reduce the size of automata generated by existing tableau-based translation algorithms. Our optimizations apply to the core of the translation process, where generalized Büchi automata are constructed. These automata are subsequently transformed in a single efficient step into Büchi automata as used by model checkers. The tool that implements the work described here is released as part of the Java PathFinder software (JPF), an explicit-state model checker of Java programs under development at the NASA Ames Research Center.


International Workshop on Model Checking Software | 2001

Addressing dynamic issues of program model checking

Flavio Lerda; Willem Visser

Model checking real programs has recently become an active research area. Programs however exhibit two characteristics that make model checking difficult: the complexity of their state and the dynamic nature of many programs. Here we address both these issues within the context of the Java PathFinder (JPF) model checker. Firstly, we will show how the state of a Java program can be encoded efficiently and how this encoding can be exploited to improve model checking. Next we show how to use symmetry reductions to alleviate some of the problems introduced by the dynamic nature of Java programs. Lastly, we show how distributed model checking of a dynamic program can be achieved, and furthermore, how dynamic partitions of the state space can improve model checking. We support all our findings with results from applying these techniques within the JPF model checker.


Computer Aided Verification | 2004

Understanding Counterexamples with explain

Alex Groce; Daniel Kroening; Flavio Lerda

The counterexamples produced by model checkers are often lengthy and difficult to understand. In practical verification, showing the existence of a (potential) bug is not enough: the error must be understood, determined to not be a result of faulty specification or assumptions, and, finally, located and corrected. The explain tool uses distance metrics on program executions to provide automated assistance in understanding and localizing errors in ANSI-C programs. explain is integrated with CBMC, a bounded model checker for the C language, and features a GUI front-end that presents error explanations to the user.


International Workshop on Hybrid Systems: Computation and Control | 2008

Verification of Supervisory Control Software Using State Proximity and Merging

Flavio Lerda; James Kapinski; Edmund M. Clarke; Bruce H. Krogh

This paper describes an approach for bounded-time verification of safety properties of supervisory control software interacting with a continuous-time plant. A combination of software model checking and numerical simulation is used to compute a conservative approximation of the reachable states. The technique verifies system properties in the presence of nondeterministic behavior in the software due to, for instance, interleaving of tasks. A notion of program equivalence is used to characterize the behaviors of the controller, and the bisimulation functions of Girard and Pappas are employed to characterize the behaviors of the plant. The approach can conservatively merge traces that reach states that are in proximity to each other. The technique has been implemented for the case of affine plant dynamics, which allows efficient operations on ellipsoidal sets based on convex optimization involving linear matrix inequalities (LMIs). We present an illustrative example for a model of the position controller of an unmanned aerial vehicle (UAV).


Electronic Notes in Theoretical Computer Science | 2003

Symbolic Model Checking of Software

Flavio Lerda; Nishant Sinha; Michael Theobald

Model checking is a popular formal verification technique for both software and hardware. The verification of concurrent software predominantly employs explicit-state model checkers, such as SPIN, that use partial-order reduction as a main technique to deal with large state spaces efficiently. In the hardware domain, the introduction of symbolic model checking has been considered a breakthrough, allowing the verification of systems clearly out of reach of any explicit-state model checker. This paper introduces ImProviso, a new algorithm for model checking of software that efficiently combines the advantages of partial-order reduction with symbolic exploration. ImProviso uses implicit BDD representations for both the state space and the transition relation together with a new implicit in-stack proviso for efficient partial-order reduction. The new approach is inspired by the Twophase partial-order reduction algorithm for explicit-state model checking. Initial experimental results show that the proposed algorithm improves the existing symbolic model checking approach and can be used to tackle problems that are not tractable using explicit-state methods.


Conference on Decision and Control | 2008

Control software model checking using bisimulation functions for nonlinear systems

James Kapinski; Alexandre Donzé; Flavio Lerda; Hitashyam Maka; Silke Wagner; Bruce H. Krogh

This paper extends a method for integrating source-code model checking with dynamic system analysis to verify properties of controllers for nonlinear dynamic systems. Source-code model checking verifies the correctness of control systems including features that are introduced by the software implementation, such as concurrency and task interleaving. Sets of reachable continuous states are computed using numerical simulation and bisimulation functions. The technique as originally proposed handles stable dynamic systems with affine state equations for which quadratic bisimulation functions can be computed easily. The extension in this paper handles nonlinear systems with polynomial state equations for which bisimulation functions can be computed in some cases using sum-of-squares (SoS) techniques. The paper presents the convex optimizations required to perform control system verification using a source-code model checker, and the method is illustrated for an example of a supervisory control system.


American Control Conference | 2008

Model checking in-the-loop: Finding counterexamples by systematic simulation

Flavio Lerda; James Kapinski; Hitashyam Maka; Edmund M. Clarke; Bruce H. Krogh

Model checkers for program verification have enjoyed considerable success in recent years. In the control systems domain, however, they suffer from an inability to account for the physical environment. For control systems, simulation is the most widely used approach for validating system designs. We present a new technique for finding counterexamples that uses a software model checker to perform a systematic simulation of the software implementation of a controller coupled with a continuous plant. Instead of performing a large set of independent simulations, our approach uses the model checking notion of state-space exploration by piecing together numerical simulations of the plant and transitions of the controller. Our implementation of this technique uses an explicit-state source-code model checker to analyze the software and the MATLAB/Simulink environment to model and simulate the plant. We present an illustrative example involving a supervisory controller for an unmanned aerial vehicle (UAV). We show that our technique is able to detect an error in the controller design.


Archive | 2007

An Abstraction Technique for Real-Time Verification

Edmund M. Clarke; Flavio Lerda; Muralidhar Talupur

In real-time systems, correctness depends on the time at which events occur. Examples of real-time systems include timed protocols and many embedded system controllers. Timed automata are an extension of finite-state automata that include real-valued clock variables used to measure time. Given a timed automaton, an equivalent finite-state region automaton can be constructed, which guarantees decidability. Timed model checking tools like Uppaal, Kronos, and Red use specialized data structures to represent the real-valued clock variables. A different approach, called integer discretization, is to define clock variables that can assume only integer values, but, in general, this does not preserve continuous-time semantics. This paper describes an implicit representation of the region automaton to which ordinary model checking tools can be applied directly. This approach differs from integer discretization because it is able to handle real-valued clock variables using a finite representation and preserves the continuous-time semantics of timed automata. In this framework, we introduce the GoAbstraction, a technique to reduce the size of the state space. Based on a conservative approximation of the region automaton, GoAbstraction makes it possible to verify larger systems. In order to make the abstraction precise enough to prove meaningful properties, we introduce auxiliary variables, called Go variables, that limit the drifting of clock variables in the abstract system. The paper includes preliminary experimental results showing the effectiveness of our technique using both symbolic and bounded model checking tools.

Collaboration


Flavio Lerda's most frequent co-authors.

Top Co-Authors

Edmund M. Clarke, Carnegie Mellon University
Bruce H. Krogh, Carnegie Mellon University
James Kapinski, Carnegie Mellon University
Hitashyam Maka, Carnegie Mellon University
Alex Groce, Oregon State University
Alexandre Donzé, Carnegie Mellon University
Michael Theobald, Carnegie Mellon University