Simon Lutz,Daniel Neider,Rajarshi Roy

DOI: https://doi.org/10.48550/arXiv.2206.06722

2022-06-14

Abstract:Virtually all verification and synthesis techniques assume that the formal specifications are readily available, functionally correct, and fully match the engineer's understanding of the given system. However, this assumption is often unrealistic in practice: formalizing system requirements is notoriously difficult, error-prone, and requires substantial training. To alleviate this severe hurdle, we propose a fundamentally novel approach to writing formal specifications, named specification sketching for Linear Temporal Logic (LTL). The key idea is that an engineer can provide a partial LTL formula, called an LTL sketch, where parts that are hard to formalize can be left out. Given a set of examples describing system behaviors that the specification should or should not allow, the task of a so-called sketching algorithm is then to complete a given sketch such that the resulting LTL formula is consistent with the examples. We show that deciding whether a sketch can be completed falls into the complexity class NP and present two SAT-based sketching algorithms. We also demonstrate that sketching is a practical approach to writing formal specifications using a prototype implementation.

Formal Languages and Automata Theory,Artificial Intelligence

Eleftherios Ioannidis,Yannick Zakowski,Steve Zdancewic,Sebastian Angel

2024-10-19

Abstract:Mechanized verification of liveness properties for programs with effects, nondeterminism, and nontermination is difficult. Existing temporal reasoning frameworks operate on the level of models (traces, automata) not executable code, creating a verification gap and losing the benefits of modularity and composition enjoyed by structural program logics. Reasoning about infinite traces and automata requires complex (co-)inductive proof techniques and familiarity with proof assistant mechanics (e.g., guardedness checker). We propose a structural approach to the verification of temporal properties with a new temporal logic that we call ictl. Using ictl, we internalize complex (co-)inductive proof techniques to structural lemmas and reasoning about variants and invariants. We show that it is possible to perform mechanized proofs of general temporal properties, while working in a high-level of abstraction. We demonstrate the benefits of ictl by giving mechanized proofs of safety and liveness properties for programs with queues, secure memory, and distributed consensus.

Programming Languages,Logic in Computer Science

Prasita Mukherjee,Benjamin Delaware

2024-10-19

Abstract:We present \synver{}, a novel synthesis and verification framework for C programs, that deploys a Large Language Model (LLM) to search for a candidate program that satisfies the given specification. Our key idea is to impose syntactic and semantic biases on programs generated by LLMs, such that the synthesized program is more amenable to automated verification. Based on this idea, we propose a novel specification-verification tool, built on top of Verified Software Toolchain, that help automate the process. Our experiments on a diverse set of benchmarks drawn from the deductive program synthesis community, shows that this approach is scalable and extensible. The benchmarks constitute of specifications comprising of basic coding examples, Separation Logic based assertions, and API specifications.

Programming Languages

Caleb Voss,David Heath,William Harris

DOI: https://doi.org/10.48550/arXiv.1710.03357

2017-10-10

Programming Languages

Abstract:The automatic verification of programs that maintain unbounded low-level data structures is a critical and open problem. Analyzers and verifiers developed in previous work can synthesize invariants that only describe data structures of heavily restricted forms, or require an analyst to provide predicates over program data and structure that are used in a synthesized proof of correctness. In this work, we introduce a novel automatic safety verifier of programs that maintain low-level data structures, named LTTP. LTTP synthesizes proofs of program safety represented as a grammar of a given program's control paths, annotated with invariants that relate program state at distinct points within its path of execution. LTTP synthesizes such proofs completely automatically, using a novel inductive-synthesis algorithm. We have implemented LTTP as a verifier for JVM bytecode and applied it to verify the safety of a collection of verification benchmarks. Our results demonstrate that LTTP can be applied to automatically verify the safety of programs that are beyond the scope of previously-developed verifiers.

Elaheh Ghassabani,Mohammad Abdollahi Azgomi

DOI: https://doi.org/10.48550/arXiv.1603.03535

2016-03-11

Abstract:Verification of large and complicated concurrent programs is an important issue in the software world. Stateless model checking is an appropriate method for systematically and automatically testing of large programs, which has proved its power in verifying code of large programs. Another well-known method in this area is runtime verification. Both stateless model checking and runtime verification are similar in some ways. One common approach in runtime verification is to construct runtime monitors for properties expressed in linear temporal logic. Currently, there are some semantics to check linear temporal logic formulae on finite paths proposed in the field of runtime verification, which can also be applied to stateless model checking. However, existing stateless model checkers do not support LTL formulae. In some settings, it is more advantageous to make use of stateless model checking instead of runtime verification. This paper proposes a novel encoding of one of the recent LTL semantics on finite paths into an actor-based system. We take a truly parallel approach without saving any program states or traces, which not only addresses important problems in runtime verification, but can also be applied to stateless model checking.

Programming Languages

Mishel Carelli,Orna Grumberg

2024-08-21

Abstract:This work proposes a novel approach for automatic verification and synthesis of infinite-state reactive programs with respect to ${CTL}^*$ specifications, based on translation to Existential Horn Clauses (EHCs). $CTL^*$ is a powerful temporal logic, which subsumes the temporal logics LTL and CTL, both widely used in specification, verification, and synthesis of complex systems. EHCs with its solver E-HSF, is an extension of Constrained Horn Clauses, which includes existential quantification as well as the power of handling well-foundedness. We develop the translation system \textit{Trans}, which given a verification problem consisting of a program $P$ and a specification $\phi$, builds a set of EHCs which is satisfiable iff $P$ satisfies $\phi$. We also develop a synthesis algorithm that given a program with holes in conditions and assignments, fills the holes so that the synthesized program satisfies the given $CTL^*$ specification. We prove that our verification and synthesis algorithms are both sound and relative complete. Finally, we present case studies to demonstrate the applicability of our algorithms for $CTL^*$ verification and synthesis.

Logic in Computer Science

Jorge Fandinno,Vladimir Lifschitz,Nathan Temple

2023-12-25

Abstract:Program completion is a translation from the language of logic programs into the language of first-order theories. Its original definition has been extended to programs that include integer arithmetic, accept input, and distinguish between output predicates and auxiliary predicates. For tight programs, that generalization of completion is known to match the stable model semantics, which is the basis of answer set programming. We show that the tightness condition in this theorem can be replaced by a less restrictive "local tightness" requirement. From this fact we conclude that the proof assistant anthem-p2p can be used to verify equivalence between locally tight programs. Under consideration for publication in Theory and Practice of Logic Programming

Logic in Computer Science,Artificial Intelligence

Tzanis Anevlavis,Matthew Philippe,Daniel Neider,Paulo Tabuada

DOI: https://doi.org/10.1145/3491216

2022-04-30

ACM Transactions on Computational Logic

Abstract:While most approaches in formal methods address system correctness, ensuring robustness has remained a challenge. In this article, we present and study the logic rLTL, which provides a means to formally reason about both correctness and robustness in system design. Furthermore, we identify a large fragment of rLTL for which the verification problem can be efficiently solved, i.e., verification can be done by using an automaton, recognizing the behaviors described by the rLTL formula φ, of size at most O(3 |φ |), where |φ | is the length of φ. This result improves upon the previously known bound of O(5|φ |) for rLTL verification and is closer to the LTL bound of O(2|φ |). The usefulness of this fragment is demonstrated by a number of case studies showing its practical significance in terms of expressiveness, the ability to describe robustness, and the fine-grained information that rLTL brings to the process of system verification. Moreover, these advantages come at a low computational overhead with respect to LTL verification.

computer science, theory & methods,logic

Zhou Conghua,Chen Zhenyu,Ju Shiguang

2008-01-01

Journal of Computer Research and Development

Abstract:For concurrent software systems, linear temporal logic SE-LTL is a specification language with high expressive power and the ability to reason about both states and events. Until now, the SE-LTL model checking algorithm is still explicit, and the state explosion is the primary verification difficulty. A bounded model checking procedure is introduced for SE-LTL which reduces model checking to propositional satisfiability. This new technique avoids the space blow up of BDDs, and sometimes speeds up the verification. For SE-LTL-X the procedure and stuttering equivalent technique is further integrated. The experiment result shows that the integration can reduce the verification time very much.

Igor Konnov,Markus Kuppe,Stephan Merz

DOI: https://doi.org/10.48550/arXiv.2211.07216

2022-11-14

Logic in Computer Science

Abstract:Using an algorithm due to Safra for distributed termination detection as a running example, we present the main tools for verifying specifications written in TLA+. Examining their complementary strengths and weaknesses, we suggest a workflow that supports different types of analysis and that can be adapted to the desired degree of confidence.

Horatiu Cirstea,Markus A. Kuppe,Benjamin Loillier,Stephan Merz

2024-09-18

Abstract:TLA+ is a formal language for specifying systems, including distributed algorithms, that is supported by powerful verification tools. In this work we present a framework for relating traces of distributed programs to high-level specifications written in TLA+. The problem is reduced to a constrained model checking problem, realized using the TLC model checker. Our framework consists of an API for instrumenting Java programs in order to record traces of executions, of a collection of TLA+ operators that are used for relating those traces to specifications, and of scripts for running the model checker. Crucially, traces only contain updates to specification variables rather than full values, and developers may choose to trace only certain variables. We have applied our approach to several distributed programs, detecting discrepancies between the specifications and the implementations in all cases. We discuss reasons for these discrepancies, best practices for instrumenting programs, and how to interpret the verdict produced by TLC.

Programming Languages,Software Engineering

Rayhana Amjad,Rob van Glabbeek,Liam O'Connor

DOI: https://doi.org/10.4204/EPTCS.412.4

2024-11-22

Abstract:LTL3 is a multi-valued variant of Linear-time Temporal Logic for runtime verification applications. The semantic descriptions of LTL3 in previous work are given only in terms of the relationship to conventional LTL. Our approach, by contrast, gives a full model-based inductive accounting of the semantics of LTL3, in terms of families of definitive prefix sets. We show that our definitive prefix sets are isomorphic to linear-time temporal properties (sets of infinite traces), and thereby show that our semantics of LTL3 directly correspond to the semantics of conventional LTL. In addition, we formalise the formula progression evaluation technique, popularly used in runtime verification and testing contexts, and show its soundness and completeness up to finite traces with respect to our semantics. All of our definitions and proofs are mechanised in Isabelle/HOL.

Logic in Computer Science

Litao Zhou,Jianxing Qin,Qinshi Wang,Andrew W. Appel,Qinxiang Cao

2023-10-26

Abstract:Program verifiers for imperative languages such as C may be annotation-based, in which assertions and invariants are put into source files and then checked, or tactic-based, where proof scripts separate from programs are interactively developed in a proof assistant such as Coq. Annotation verifiers have been more automated and convenient, but some interactive verifiers have richer assertion languages and formal proofs of soundness. We present VST-A, an annotation verifier that uses the rich assertion language of VST, leverages the formal soundness proof of VST, but allows users to describe functional correctness proofs intuitively by inserting assertions. VST-A analyzes control flow graphs, decomposes every C function into control flow paths between assertions, and reduces program verification problems into corresponding straightline Hoare triples. Compared to existing foundational program verification tools like VST and Iris, in VST-A, such decompositions and reductions are allowed to be nonstructural, which makes VST-A more flexible to use. VST-A's decomposition and reduction is defined in Coq, proved sound in Coq, and computed in a call-by-value way in Coq. The soundness proof for reduction is totally logical, independent of the complicated semantic model (and soundness proof) of VST's Hoare triple. Because of the rich assertion language, not all reduced proof goals can be automatically checked, but the system allows users to prove residual proof goals using the full power of the Coq proof assistant.

Programming Languages

Ritam Raha,Rajarshi Roy,Nathanael Fijalkow,Daniel Neider,Guillermo A. Perez

DOI: https://doi.org/10.48550/arXiv.2310.17410

IF: 14.4

2023-10-26

Artificial Intelligence

Abstract:In runtime verification, manually formalizing a specification for monitoring system executions is a tedious and error-prone process. To address this issue, we consider the problem of automatically synthesizing formal specifications from system executions. To demonstrate our approach, we consider the popular specification language Metric Temporal Logic (MTL), which is particularly tailored towards specifying temporal properties for cyber-physical systems (CPS). Most of the classical approaches for synthesizing temporal logic formulas aim at minimizing the size of the formula. However, for efficiency in monitoring, along with the size, the amount of "lookahead" required for the specification becomes relevant, especially for safety-critical applications. We formalize this notion and devise a learning algorithm that synthesizes concise formulas having bounded lookahead. To do so, our algorithm reduces the synthesis task to a series of satisfiability problems in Linear Real Arithmetic (LRA) and generates MTL formulas from their satisfying assignments. The reduction uses a novel encoding of a popular MTL monitoring procedure using LRA. Finally, we implement our algorithm in a tool called TEAL and demonstrate its ability to synthesize efficiently monitorable MTL formulas in a CPS application.

Céline Bellanger,Pierre-Loïc Garoche,Matthieu Martel,Célia Picard

DOI: https://doi.org/10.4204/EPTCS.395.14

2023-11-16

Abstract:Signal Temporal Logic (STL) is a convenient formalism to express bounded horizon properties of autonomous critical systems. STL extends LTL to real-valued signals and associates a non-singleton bound interval to each temporal operators. In this work we provide a rigorous encoding of non-nested discrete-time STL formulas into Lustre synchronous observers. Our encoding provides a three-valued online semantics for the observers and therefore enables both the verification of the property and the search of counter-examples. A key contribution of this work is an instrumented proof of the validity of the implementation. Each node is proved correct with respect to the original STL semantics. All the experiments are automated with the Kind2 model-checker and the Z3 SMT solver.

Logic in Computer Science

M. Hadi Zibaeenejad,Jun Liu

DOI: https://doi.org/10.1109/tac.2019.2953452

IF: 6.549

2020-10-01

IEEE Transactions on Automatic Control

Abstract:Controller design for continuous systems with linear temporal logic (LTL) specifications is a computationally intensive task. ing a discrete transition system from a real-world continuous-state system often results in a state machine with a large number of states and nondeterministic transitions. This makes controller synthesis for LTL specifications difficult specially when the design specification is lengthy. To reduce the complexity, we consider the specifications that are in the conjunctive form of practical LTL patterns. We use auditor product to incrementally restrict the system to satisfy the safety part of each subspecification. The control strategy, that satisfies the liveness part is then calculated by solving a generalized Buchi game on the result of the auditor product of the discrete transition system with all subspecifications. This approach has the same worst case computational complexity as $text{GR}(1)$ synthesis, but avoids some of the fundamental limitations involved with $Assumption Rightarrow Guarantee$ formulation of the problem.

automation & control systems,engineering, electrical & electronic

Ramy Medhat,Yogi Joshi,Borzoo Bonakdarpour,Sebastian Fischmeister

DOI: https://doi.org/10.48550/arXiv.1411.2239

2014-11-09

Abstract:Runtime verification is an effective automated method for specification-based offline testing and analysis as well as online monitoring of complex systems. The specification language is often a variant of regular expressions or a popular temporal logic, such as LTL. This paper presents a novel and efficient parallel algorithm for verifying a more expressive version of LTL specifications that incorporates counting semantics, where nested quantifiers can be subject to numerical constraints. Such constraints are useful in evaluating thresholds (e.g., expected uptime of a web server). The significance of this extension is that it enables us to reason about the correctness of a large class of systems, such as web servers, OS kernels, and network behavior, where properties are required to be instantiated for parameterized requests, kernel objects, network nodes, etc. Our algorithm uses the popular {\em MapReduce} architecture to split a program trace into variable-based clusters at run time. Each cluster is then mapped to its respective monitor instances, verified, and reduced collectively on a multi-core CPU or the GPU. Our algorithm is fully implemented and we report very encouraging experimental results, where the monitoring overhead is negligible on real-world data sets.

Logic in Computer Science

Jinwoo Kim,Shaan Nagy,Thomas Reps,Loris D'Antoni

2024-10-21

Abstract:Applications like program synthesis sometimes require proving that a property holds for all of the infinitely many programs described by a grammar - i.e., an inductively defined set of programs. Current verification frameworks overapproximate programs' behavior when sets of programs contain loops, including two Hoare-style logics that fail to be relatively complete when loops are allowed. In this work, we prove that compositionally verifying simple properties for infinite sets of programs requires tracking distinct program behaviors over unboundedly many executions. Tracking this information is both necessary and sufficient for verification. We prove this fact in a general, reusable theory of denotational semantics that can model the expressivity and compositionality of verification techniques over infinite sets of programs. We construct the minimal compositional semantics that captures simple properties of sets of programs and use it to derive the first sound and relatively complete Hoare-style logic for infinite sets of programs. Thus, our methods can be used to design minimally complex, compositional verification techniques for sets of programs.

Programming Languages

Yann Thierry-Mieg,Etienne Renault,Emmanuel Paviot-Adet,Denis Poitrenaud

DOI: https://doi.org/10.1016/j.scico.2024.103089

IF: 1.039

2024-02-08

Science of Computer Programming

Abstract:In [1] we proposed to verify LTL properties using a fine grain analysis classifying formulae into four classes (stutter, shortening, lengthening insensitive or none of these). With this classification we extend the applicability of structural reduction to two new classes of formulas, when classical techniques are only applicable for stutter insensitive formulas. This comes at the price of a semi-decision procedure where only some verdicts are reliable. In this paper, we present an implementation of this approach, built as an extension to the ITS-Tools model-checker that relies on the Spot library to analyze automata. This new approach significantly improves the ITS-tools model-checker when verifying properties that are not stutter insensitive. It can also be used as a front-end simplification step for any other model-checker.

computer science, software engineering