Saddek Bensalem

Statistical model checking: an overview

Quantitative properties of stochastic systems are usually specified in logics that allow one to compare the measure of executions satisfying certain temporal properties with thresholds. The model checking problem for stochastic systems with respect to such logics is typically solved by a numerical approach [31,8,35,22,21,5] that iteratively computes (or approximates) the exact measure of paths satisfying relevant subformulas; the algorithms themselves depend on the class of systems being analyzed as well as the logic used for specifying the properties. Another approach to solve the model checking problem is to simulate the system for finitely many executions, and use hypothesis testing to infer whether the samples provide a statistical evidence for the satisfaction or violation of the specification. In this tutorial, we survey the statistical approach, and outline its main advantages in terms of efficiency, uniformity, and simplicity.

Computing Abstractions of Infinite State Systems Compositionally and Automatically

We present a method for computing abstractions of infinite state systems compositionally and automatically. Given a concrete system S = S 1 ||... || S n of programs and given an abstraction function a, using our method one can compute an abstract system S a = S 1 a || ... || S n a such that S simulates S a . A distinguishing feature of our method is that it does not produce a single abstract state graph but rather preserves the structure of the concrete system. This feature is a prerequisite to benefit from the techniques developed in the context of model-checking for mitigating the state explosion. Moreover, our method has the advantage that the process of constructing the abstract system does not depend on whether the computation model is synchronous or asynchronous.

Powerful Techniques for the Automatic Generation of Invariants

When proving invariance properties of programs one is faced with two problems. The first problem is related to the necessity of proving tautologies of the considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes techniques for the automatic generation of invariants. The first set of these techniques is applicable on sequential transition systems and allows to derive so-called local invariants, i.e. predicates which are invariant at some control location. The second is applicable on networks of transition systems and allows to combine local invariants of the sequential components to obtain local invariants of the global systems. Furthermore, a refined strengthening technique is presented that allows to avoid the problem of size-increase of the considered predicates which is the main drawback of the usual strengthening technique. The proposed techniques are illustrated by examples.

Property Preserving Simulations

We study property preserving transformations for reactive systems. A key idea is the use of -simulations which are simulations parameterized by a Galois connection (ϕ, ψ), relating the lattices of properties of two systems.

D-Finder: A Tool for Compositional Deadlock Detection and Verification

D-Finder tool implements a compositional method for the verification of component-based systems described in BIP language encompassing multi-party interaction. For deadlock detection, D-Finder applies proof strategies to eliminate potential deadlocks by computing increasingly stronger invariants.

Incremental Verification by Abstraction

We present a methodology for constructing abstractions and refining them by analyzing counter-examples. We also present a uniform verification method that combines abstraction, model-checking and deductive verification in a novel way. In particular, it allows and shows how to use the set of reachable states of the abstract system in a deductive proof even when the abstract model does not satisfy the specification and when it simulates the concrete system with respect to a weaker simulation notion than Milners.

Automatic Generation of Invariants

When proving invariance properties of programs, one is faced with two problems. The first problem is related to the necessity of proving tautologies of the considered assertion language, whereas the second manifests itself in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes techniques for the automatic generation of invariants. The first set of these techniques is applicable to sequential transition systems and allows deriving so-called local invariants, i.e., predicates which are invariant at some control location. The second is applicable on networks of transition systems and allows combining local invariants of the sequential components to obtain local invariants of the global system.

Dynamic deadlock analysis of multi-threaded programs

This paper presents a dynamic program analysis algorithm that can detect deadlock potentials in a multi-threaded program by examining a single execution trace, obtained by running an instrumented version of the program. The algorithm is interesting because it can identify deadlock potentials even though no deadlocks occur in the examined execution, and therefore it scales very well in contrast to more formal approaches to deadlock detection. It is an improvement of an existing algorithm in that it reduces the number of false positives (false warnings). The paper describes an implementation and an application to three case studies.

Confirmation of deadlock potentials detected by runtime analysis

This paper presents a framework for confirming deadlock potentials detected by runtime analysis of a single run of a multi-threaded program. The multi-threaded program under examination is instrumented to emit lock and unlock events. When the instrumented program is executed, a trace is generated consisting of the lock and unlock operations performed during that specific run. A lock graph is constructed which can reveal deadlock potentials in the form of cycles. The effectiveness of this analysis is caused by the fact that successful non-deadlocking runs yield as good, and normally better, information as deadlocking runs. Each cycle is then used to construct an observer that can detect the occurrence of the corresponding real deadlock, should it occur during subsequent test runs; and a controller, which, when composed with the program, determines the optimal scheduling strategy that will maximize the probability for the corresponding real deadlock to occur. The framework is formalized in terms of transition systems and is implemented in Java.

Designing autonomous robots

Autonomous robots are complex systems that require the interaction or cooperation of numerous heterogeneous software components. Nowadays, robots are getting closer to humans and as such are becoming critical systems that must meet safety properties including logical, temporal, and real-time constraints.