Publication


Featured research published by Robert P. Kurshan.


Information & Computation | 1995

A Structural Induction Theorem for Processes

Robert P. Kurshan; Kenneth L. McMillan

This paper deals with the formal verification of finite state systems that have an arbitrary number of isomorphic components. We present a technique for inductively generalizing tests on a system of fixed size in order to show that a system of arbitrary size satisfies a given specification. This makes it possible to use finite state verification systems, such as COSPAN, to verify parameterized protocols. The method also may be useful for verifying systems of fixed but large size, since it reduces the size of the system that must be checked automatically. The basis of the method is a structural induction theorem for processes, which is stated and proved in this paper. The theorem applies to a variety of process formalisms satisfying simple algebraic laws. We give examples of proofs using the calculus of communicating systems (CCS) and the s/r model.


principles of distributed computing | 1989

A structural induction theorem for processes

Robert P. Kurshan; Kenneth L. McMillan

In verifying finite state systems such as communication protocols or hardware controllers, we may be required to reason about systems comprised of a finite but effectively unbounded number of components. Examples are a network with an unspecified number of hosts, a multiprocessor with an unspecified number of CPUs, or a queue with an unspecified number of buffers. We would like to show that the system performs a certain set of tasks, regardless of the number of components. There are two problems which prevent the direct application of automatic verification systems which use state-space search (e.g., COSPAN [HK88]) to such a problem. The first problem is that such methods can be applied directly only to a fixed state space; it is generally not possible to quantify over the number of processes. The second problem is commonly referred to as the state space explosion problem. In principle, the verification method could be applied exhaustively to the 1-process system, the 2-process system, etc., until the largest possible system was verified. In practice, the fact that the number of states in a system increases geometrically with the number of components makes this approach infeasible. We present an induction method that allows us to infer properties of systems of unbounded size, but constructed by a uniform rule, from properties automatically verified on a system of fixed (and, presumably, small) size. The basis of this method is the structural induction theorem for processes. Three methods have been described previously for verifying properties of systems with an unbounded number of identical processes. Homomorphic reduction [Kur85, Kur87] is a general framework for reducing the complexity of testing arbitrary ω-regular properties in finite-state systems. The regularity of systems


computer aided verification | 2000

Syntactic Program Transformations for Automatic Abstraction

Kedar S. Namjoshi; Robert P. Kurshan

We present an algorithm that constructs a finite state “abstract” program from a given, possibly infinite state, “concrete” program by means of a syntactic program transformation. Starting with an initial set of predicates from a specification, the algorithm iteratively computes the predicates required for the abstraction relative to that specification. These predicates are represented by boolean variables in the abstract program. We show that the method is sound, in that the abstract program is always guaranteed to simulate the original. We also show that the method is complete, in that, if the concrete program has a finite abstraction with respect to simulation (bisimulation) equivalence, the algorithm can produce a finite simulation-equivalent (bisimulation-equivalent) abstract program. Syntactic abstraction has two key advantages: it can be applied to infinite state programs or programs with large data paths, and it permits the effective application of other reduction methods for model checking. We show that our method generalizes several known algorithms for analyzing syntactically restricted, data-insensitive programs.


tools and algorithms for construction and analysis of systems | 1998

Static Partial Order Reduction

Robert P. Kurshan; Vladimir Levin; Marius Minea; Doron A. Peled; Hüsnü Yenigün

A static partial order reduction generator and process result in a substantially reduced state space graph of a multi-process system, independently of the model checking process. The process of this invention creates a modified state graph generator with appended rules that allow any desired state searching tactic (breadth first, depth first, etc.) to be employed when states and transitions are considered in the course of verification. This permits use of existing model checking tools without needing to modify them. The static partial order reduction is made possible by realizing that a prior art condition that at least one state along each cycle of the reduced state graph must be fully expanded can be guaranteed by considering the individual processes that make up the system and identifying certain transitions in those processes.


Lecture Notes in Computer Science | 2005

An analysis of SAT-based model checking techniques in an industrial environment

Nina Amla; Xiaoqun Du; Andreas Kuehlmann; Robert P. Kurshan; Kenneth L. McMillan

Model checking is a formal technique for automatically verifying that a finite-state model satisfies a temporal property. In model checking, Binary Decision Diagrams (BDDs) are generally used to efficiently encode the transition relation of the finite-state model. Recently, model checking algorithms based on Boolean satisfiability (SAT) procedures have been developed to complement traditional BDD-based model checking. These algorithms can be broadly classified into three categories: (1) bounded model checking, which is useful for finding failures, (2) hybrid algorithms that combine SAT- and BDD-based methods for unbounded model checking, and (3) purely SAT-based unbounded model checking algorithms. The goal of this paper is to provide a uniform and comprehensive basis for evaluating these algorithms. The paper describes eight bounded and unbounded techniques, and analyzes the performance of these algorithms on a large and diverse set of hardware benchmarks.


computer aided verification | 2001

A Practical Approach to Coverage in Model Checking

Hana Chockler; Orna Kupferman; Robert P. Kurshan; Moshe Y. Vardi

In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking from a practical point of view. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We suggest several definitions of coverage, suitable for specifications given in linear temporal logic or by automata on infinite words. We describe two algorithms for computing the parts of the system that are not covered by the specification. The first algorithm is built on top of automata-based model-checking algorithms. The second algorithm reduces the coverage problem to the model-checking problem. Both algorithms can be implemented on top of existing model checking tools.


IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems | 1991

Analysis of digital circuits through symbolic reduction

Robert P. Kurshan; Kenneth L. McMillan

The authors describe a semi-algorithmic method to extract finite-state models from an analog circuit-level model by means of homomorphic (behavior preserving) transformations. Properties to be verified are defined by ω-automata. Efficient algorithms for testing language containment of automata can then be applied to verify properties of the finite-state models. Proof of the property in the finite-state model guarantees the property in the analog circuit-level model over a continuous range of input waveforms and circuit parameters. While in practice this method applies directly only to smaller circuit components, it can be used to analyze larger circuits as well by deriving a hierarchy of increasingly abstract models, through repeated applications of homomorphic transformations. Examples of extraction, homomorphism, and verification are described.


international conference on concurrency theory | 1996

Verifying Abstractions of Timed Systems

Serdar Tasiran; Rajeev Alur; Robert P. Kurshan; Robert K. Brayton

Given two descriptions of a real-time system at different levels of abstraction, we consider the problem of proving that the refined representation is a correct implementation of the abstract one. To avoid the complexity of building a representation for the refined system in its entirety, we develop a compositional framework for the implementation check to be carried out in a module-by-module manner using assume-guarantee style proof rules. On the algorithmic side, we show that the problem of checking the existence of timed simulation relations, a sufficient condition for correct implementation, is decidable. We study state homomorphisms as a way of specifying a correspondence between two modules. We present an algorithm for checking if a given mapping is a homomorphism preserving timed behaviors. We have implemented this check in the verifier Cospan, and applied our method to the compositional verification of an asynchronous queue circuit.


Proceedings of the DIMACS/SYCON Workshop on Hybrid Systems III: Verification and Control | 1996

Timing analysis in COSPAN

Rajeev Alur; Robert P. Kurshan

We describe how to model and verify real-time systems using the formal verification tool Cospan. The verifier supports automata-theoretic verification of coordinating processes with timing constraints. We discuss different heuristics, and our experiences with the tool for certain benchmark problems appearing in the verification literature.


design automation conference | 1997

Formal verification in a commercial setting

Robert P. Kurshan

This tutorial addresses the following questions: Why do formal verification? Who is doing it today? What are they doing? How are they doing it? What about the future?

Collaboration


Robert P. Kurshan's research collaborations.

Top Co-Authors

Edmund M. Clarke, Carnegie Mellon University

James C. Browne, University of Texas at Austin

Fei Xie, Portland State University

Marius Minea, Carnegie Mellon University