Ramy Shahin,Sahar Kokaly,Marsha Chechik

DOI: https://doi.org/10.48550/arXiv.2105.00041

2021-04-30

Software Engineering

Abstract:Safety-critical software systems are in many cases designed and implemented as families of products, usually referred to as Software Product Lines (SPLs). Products within an SPL vary from each other in terms of which features they include. Applying existing analysis techniques to SPLs and their safety cases is usually challenging because of the potentially exponential number of products with respect to the number of supported features. In this paper, we present a methodology and infrastructure for certified \emph{lifting} of existing single-product safety analyses to product lines. To ensure certified safety of our infrastructure, we implement it in an interactive theorem prover, including formal definitions, lemmas, correctness criteria theorems, and proofs. We apply this infrastructure to formalize and lift a Change Impact Assessment (CIA) algorithm. We present a formal definition of the lifted algorithm, outline its correctness proof (with the full machine-checked proof available online), and discuss its implementation within a model management framework.

Zhou Conghua,Chen Zhenyu,Ju Shiguang

2008-01-01

Journal of Computer Research and Development

Abstract:For concurrent software systems, linear temporal logic SE-LTL is a specification language with high expressive power and the ability to reason about both states and events. Until now, the SE-LTL model checking algorithm is still explicit, and the state explosion is the primary verification difficulty. A bounded model checking procedure is introduced for SE-LTL which reduces model checking to propositional satisfiability. This new technique avoids the space blow up of BDDs, and sometimes speeds up the verification. For SE-LTL-X the procedure and stuttering equivalent technique is further integrated. The experiment result shows that the integration can reduce the verification time very much.

Daisuke Ishii,Takashi Tomita,Toshiaki Aoki,Quyen Ngo,Thi Bich Ngoc Do,Hideaki Takai

DOI: https://doi.org/10.48550/arXiv.2206.02992

2022-06-07

Abstract:The development of embedded systems requires formal analysis of models such as those described with MATLAB/Simulink. However, the increasing complexity of industrial models makes analysis difficult. This paper proposes a model checking method for Simulink models using SMT solvers. The proposed method aims at (1) automated, efficient and comprehensible verification of complex models, (2) numerically accurate analysis of models, and (3) demonstrating the analysis of Simulink models using an SMT solver (we use Z3). It first encodes a target model into a predicate logic formula in the domain of mathematical arithmetic and bit vectors. We explore how to encode various Simulink blocks exactly. Then, the method verifies a given invariance property using the k-induction-based algorithm that extracts a subsystem involving the target block and unrolls the execution paths incrementally. In the experiment, we applied the proposed method and other tools to a set of models and properties. Our method successfully verified most of the properties including those unverified with other tools.

Logic in Computer Science

Kuanjiu Zhou,Jiawei Yong,Xiaolong Wang,Longtao Ren,Gang Hou,Junwang Chang

DOI: https://doi.org/10.1007/978-3-642-45293-2_26

2013-01-01

Abstract:Model checking technique has been gradually applied to verify the reliability of software systems. However, as to software with large scale and complex structure, the verification procedure suffers from the state space explosion, thus leading to a low efficiency or resource exhaustion. In this paper, we propose a method of accelerating software model checking based on program backbone to verify the properties in ANSI-C source codes. We prune the program with respect to the assertion property, and compress the circular paths by maximal strongly connected components to extract the program backbone. Subsequently, the Hoare theory is used to generate an invariant from the compressed circular nodes, which reduces the length of path encoding. The assertion property is finally translated into a quantifier-free formula and checked for satisfiability by the SMT solver Z3. The experiments show that this method substantially improves the efficiency of program verification.

Herbert Rocha,Hussama Ismail,Lucas Cordeiro,Raimundo Barreto

DOI: https://doi.org/10.48550/arXiv.1509.02471

2015-09-08

Logic in Computer Science

Abstract:We present a proof by induction algorithm, which combines k-induction with invariants to model check embedded C software with bounded and unbounded loops. The k-induction algorithm consists of three cases: in the base case, we aim to find a counterexample with up to k loop unwindings; in the forward condition, we check whether loops have been fully unrolled and that the safety property P holds in all states reachable within k unwindings; and in the inductive step, we check that whenever P holds for k unwindings, it also holds after the next unwinding of the system. For each step of the k-induction algorithm, we infer invariants using affine constraints (i.e., polyhedral) to specify pre- and post-conditions. Experimental results show that our approach can handle a wide variety of safety properties in typical embedded software applications from telecommunications, control systems, and medical devices; we demonstrate an improvement of the induction algorithm effectiveness if compared to other approaches.

Dirk Beyer,Nian-Ze Lee,Philipp Wendler

2024-03-13

Abstract:The article "Interpolation and SAT-Based Model Checking" (McMillan, 2003) describes a formal-verification algorithm, which was originally devised to verify safety properties of finite-state transition systems. It derives interpolants from unsatisfiable BMC queries and collects them to construct an overapproximation of the set of reachable states. Although 20 years old, the algorithm is still state-of-the-art in hardware model checking. Unlike other formal-verification algorithms, such as k-induction or PDR, which have been extended to handle infinite-state systems and investigated for program analysis, McMillan's interpolation-based model-checking algorithm from 2003 has not been used to verify programs so far. Our contribution is to close this significant, two decades old gap in knowledge by adopting the algorithm to software verification. We implemented it in the verification framework CPAchecker and evaluated the implementation against other state-of-the-art software-verification techniques on the largest publicly available benchmark suite of C safety-verification tasks. The evaluation demonstrates that McMillan's interpolation-based model-checking algorithm from 2003 is competitive among other algorithms in terms of both the number of solved verification tasks and the run-time efficiency. Our results are important for the area of software verification, because researchers and developers now have one more approach to choose from.

Software Engineering,Programming Languages

Liangze Yin,Fei He,Ming Gu

DOI: https://doi.org/10.1109/TASE.2013.11

2013-01-01

Abstract:This paper considers bounded model checking for extended labeled transition systems. Bounded model checking relies on a SAT solver to prove (or disprove) the existence of a counterexample with a bounded length. During the translation of a BMC problem to a SAT problem, much useful information is lost. This paper proposes an algorithm to analyze the transition system model, and then utilize the structure information hidden in the model to refine the decision ordering of variables in SAT solving. The basic idea is to guide the search process of SAT solving by the structure of the transition system. Experiments with this heuristic on real industrial designs show 5-12 times speedup over standard bounded model checking.

litian xiao,mengyuan li,ming gu,jiaguang sun

DOI: https://doi.org/10.1109/icma.2014.6885893

2014-01-01

Abstract:The correctness of PLC (Programmable Logic Controller) program in automatic control is vital to this kind of safety-critical applications. In this paper, we present a useful method of combinational model-checking for correctness of PLC programs. The method is based on the denotational semantics of PLC program and the semantic functions for basic instructions. Because the state space explosion problem limits the use of general model-checking in real PLC programs, the paper firstly defines a set of combinational verification rules based on the denotational semantics. Then the paper proposes a series of general and PLC domain specific strategies for combinational model-checking. The rules and strategies can effectively reduce state space and their correctness is proved. The validity of our method is shown by an example.

Yueling Zhang,Jianwen Li,G. Pu,Shufang Zhu,Moshe Y. Vardi

DOI: https://doi.org/10.1109/ICCAD.2017.8203765

2016-11-15

Abstract:Formal-verification techniques, such as model checking, are becoming popular in hardware design. SAT-based model checking techniques, such as IC3/PDR, have gained a significant success in the hardware industry. In this paper, we present a new framework for SAT-based safety model checking, named Complementary Approximate Reachability (CAR). CAR is based on standard reachability analysis, but instead of maintaining a single sequence of reachable-state sets, CAR maintains two sequences of over- and under-approximate reachable-state sets, checking safety and unsafety at the same time. To construct the two sequences, CAR uses standard Boolean-reasoning algorithms, based on satisfiability solving, one to find a satisfying cube of a satisfiable Boolean formula, and one to provide a minimal unsatisfiable core of an unsatisfiable Boolean formula. We applied CAR to 548 hardware model-checking instances, and compared its performance with IC3/PDR. Our results show that CAR is able to solve 42 instances that cannot be solved by IC3/PDR. When evaluated against a portfolio that includes IC3/PDR and other approaches, CAR is able to solve 21 instances that the other approaches cannot solve. We conclude that CAR should be considered as a valuable member of any algorithmic portfolio for safety model checking.

Mathematics,Computer Science,Engineering

Shamim Ripon,Sk. Jahir Hossain,Touhid Bhuiyan

DOI: https://doi.org/10.5121/ijsea.2013.4505

2013-10-01

Abstract:Modelling software product line (SPL) features plays a crucial role to a successful development of SPL. Feature diagram is one of the widely used notations to model SPL variants. However, there is a lack of precisely defined formal notations for representing and verifying such models. This paper presents an approach that we adopt to model SPL variants by using UML and subsequently verify them by using first-order logic. UML provides an overall modelling view of the system. First-order logic provides a precise and rigorous interpretation of the feature diagrams. We model variants and their dependencies by using propositional connectives and build logical expressions. These expressions are then validated by the Alloy verification tool. The analysis and verification process is illustrated by using Computer Aided Dispatch (CAD) system.

Software Engineering

Yuesheng Zhu,Deke Yu

DOI: https://doi.org/10.2991/iccnce.2013.70

2013-01-01

Abstract:Model checking is one of main formal verification methods that are used in the process of circuit design and verification. However, there is a problem of state memory explosion in traditional model checking methods. Bounded model checking (BMC), in which the Davis-Putnam-Logemann-Loveland (DPLL) algorithm based Satisfiability (SAT) solver is used to verify the circuits, can avoid this problem, whereas, its efficiency depends on the performance of the solver. Hybrid SAT solver combines the advantages of the completeness of DPLL and the fast solving property of stochastic local search algorithm, e.g. WalkSAT, and is proved to be an efficient improving way. However, it is noted that the noise parameter in WalkSAT could affect the solver's overall performance. In this paper, an adaptive noise mechanism is proposed to integrate with the hybrid algorithm framework to further improve the solver's performance. Our experimental results have shown that the designed hybrid solver with adaptive noise performs well in BMC instances and some other circuits.

Peter Schrammel,Daniel Kroening,Martin Brain,Ruben Martins,Tino Teige,Tom Bienmüller

DOI: https://doi.org/10.48550/arXiv.1409.5872

2014-09-20

Abstract:Program analysis is on the brink of mainstream in embedded systems development. Formal verification of behavioural requirements, finding runtime errors and automated test case generation are some of the most common applications of automated verification tools based on Bounded Model Checking. Existing industrial tools for embedded software use an off-the-shelf Bounded Model Checker and apply it iteratively to verify the program with an increasing number of unwindings. This approach unnecessarily wastes time repeating work that has already been done and fails to exploit the power of incremental SAT solving. This paper reports on the extension of the software model checker CBMC to support incremental Bounded Model Checking and its successful integration with the industrial embedded software verification tool BTC EmbeddedTester. We present an extensive evaluation over large industrial embedded programs, which shows that incremental Bounded Model Checking cuts runtimes by one order of magnitude in comparison to the standard non-incremental approach, enabling the application of formal verification to large and complex embedded software.

Software Engineering

Manish Goyal,David Bergman,Parasara Sridhar Duggirala

2023-11-27

Abstract:The control design tools for linear systems typically involves pole placement and computing Lyapunov functions which are useful for ensuring stability. But given higher requirements on control design, a designer is expected to satisfy other specification such as safety or temporal logic specification as well, and a naive control design might not satisfy such specification. A control designer can employ model checking as a tool for checking safety and obtain a counterexample in case of a safety violation. While several scalable techniques for verification have been developed for safety verification of linear dynamical systems, such tools merely act as decision procedures to evaluate system safety and, consequently, yield a counterexample as an evidence to safety violation. However these model checking methods are not geared towards discovering corner cases or re-using verification artifacts for another sub-optimal safety specification. In this paper, we describe a technique for obtaining complete characterization of counterexamples for a safety violation in linear systems. The proposed technique uses the reachable set computed during safety verification for a given temporal logic formula, performs constraint propagation, and represents all modalities of counterexamples using a binary decision diagram (BDD). We introduce an approach to dynamically determine isomorphic nodes for obtaining a considerably reduced (in size) decision diagram. A thorough experimental evaluation on various benchmarks exhibits that the reduction technique achieves up to $67\%$ reduction in the number of nodes and $75\%$ reduction in the width of the decision diagram.

Systems and Control,Robotics

Ming-e Jing,Gengshen Chen,Wenbo Yin,Dian Zhou

DOI: https://doi.org/10.1109/asicon.2009.5351339

2009-01-01

Abstract:Bounded model checking shows that satisfiability (SAT) problem can be widely used for model checking. The performance of SAT solver depends heavily on the quality of the learnt clauses in the conflict analysis process. Combining with the characters of model checking, we propose to add efficient implied clauses to the clause database to enhance the conflict analysis. Experimental results show that the average running time of our algorithm is reduced by 35% compared with the traditional FUIP algorithm(1).

Mo Xia,Mian Sun,Guiming Luo,Xibin Zhao

DOI: https://doi.org/10.1109/icci-cc.2013.6622270

2013-01-01

Abstract:Programmable Logic Controller (PLC) have been widely used in industries, and safety and reliability of them has been urgently concerned. However, it's hard to verify all the cases to discover the logical flaws of complex systems by traditional testing. Formal verification methods introduce mathematical rigor in their analysis thereby guaranteeing exhaustive state space coverage. But there is not an effective and efficient tool for PLC verification, and the general-purpose formal tools need lots of relevant knowledge. This paper proposes an automatic verification tool for PLC systems. It includes graphical modeling, syntax check, code generation, code optimization and representation of the counter-examples which violate some system properties.

Haitao Zhang,Zhuo Cheng,Cong Tian,Yonggang Lu,Guoqiang Li

DOI: https://doi.org/10.1109/icis.2016.7550826

2016-01-01

Abstract:OSEK/VDX, a standard of automobile OS, has been widely adopted by many manufacturers to design and implement a vehicle-mounted OS. Currently, with increasing functionalities in vehicles, more and more complex applications are developed based on the OSEK/VDX OS. However, how to ensure the reliability of developed applications is becoming a challenge for developers. Based on our previous work, in this paper we present an efficient approach to verify the developed OSEK/VDX applications. In the presented approach, SMT-based bounded model checking technique is used to carry out verification in order to handle complex applications. Moreover, a series of optimization strategies are proposed and employed to improve the checking capability of our approach. We have implemented a tool according to the proposed approach and conducted many experiments. The experiment results show that our approach is capable of checking the safety property of large-scale OSEK/VDX applications. We also compared our approach with existing checking method, the comparison results indicate that our approach is an efficient and powerful technique in verifying OSEK/VDX applications.

Kedar S. Namjoshi

DOI: https://doi.org/10.4204/EPTCS.129.25

2013-09-20

Abstract:Fully automated verification of concurrent programs is a difficult problem, primarily because of state explosion: the exponential growth of a program state space with the number of its concurrently active components. It is natural to apply a divide and conquer strategy to ameliorate state explosion, by analyzing only a single component at a time. We show that this strategy leads to the notion of a "split" invariant, an assertion which is globally inductive, while being structured as the conjunction of a number of local, per-component invariants. This formulation is closely connected to the classical Owicki-Gries method and to Rely-Guarantee reasoning. We show how the division of an invariant into a number of pieces with limited scope makes it possible to apply new, localized forms of symmetry and abstraction to drastically simplify its computation. Split invariance also has interesting connections to parametric verification. A quantified invariant for a parametric system is a split invariant for every instance. We show how it is possible, in some cases, to invert this connection, and to automatically generalize from a split invariant for a small instance of a system to a quantified invariant which holds for the entire family of instances.

Logic in Computer Science

Logan Murphy,Torin Viger,Alessio Di Sandro,Marsha Chechik

2024-07-15

Abstract:In critical software engineering, structured assurance cases (ACs) are used to demonstrate how key properties (e.g., safety, security) are supported by evidence artifacts (e.g., test results, proofs). ACs can also be studied as formal objects in themselves, such that formal methods can be used to establish their correctness. Creating rigorous ACs is particularly challenging in the context of software product lines (SPLs), wherein a family of related software products is engineered simultaneously. Since creating individual ACs for each product is infeasible, AC development must be lifted to the level of product lines. In this work, we propose PLACIDUS, a methodology for integrating formal methods and software product line engineering to develop provably correct ACs for SPLs. To provide rigorous foundations for PLACIDUS, we define a variability-aware AC language and formalize its semantics using the proof assistant Lean. We provide tool support for PLACIDUS as part of an Eclipse-based model management framework. Finally, we demonstrate the feasibility of PLACIDUS by developing an AC for a product line of medical devices.

Software Engineering

Lu Chen,Jian Jiao,Jiping Fan,Fuchun Ren

DOI: https://doi.org/10.1109/rams.2016.7447978

2016-01-01

Abstract:Fault propagation identification is an indispensable task in complex system safety analysis. With the growing of system scale and complexity, it is hard for the traditional safety analysis techniques, which depend mainly on analysts' personal skills and experiences, to keep completeness and timeliness; moreover, some failure modes may be neglected and failure effects misjudged during the analysis. Formal science provides a new way to solve this problem, where formal verification method such as model checking can automatically validate whether the system design satisfies the given safety requirements, which can reduce an analysts' repetitive work and design cost, and improve the efficiency and quality of safety analysis. However, there is lack of a deliberate and reasonable way to build system models because of the diversity and flexibility of languages used for model checking, which results in that it is difficult to specify and model system quickly and accurately, and leads to some deviation in model checking. In this paper, a system modeling and safety property specifying approach using symbolic language SMV is proposed, including guidance on the mapping relationships between the formal language elements and system functions, architecture and failure modes; moreover, how to define system specifications and safety requirements using temporal logic formulas is discussed as well. Finally, a case study about airborne system safety analysis is provided, in which the counter-examples that do not meet system specifications can be identified automatically using model checker NuSMV to find out fault events and their propagation that can result in accidents.

Zhengwei Qi,Liang Liu,Alei Liang,Hao Wang,Ying Chen

DOI: https://doi.org/10.1109/ICPADS.2008.73

2008-01-01

Abstract:Modern software model checkers are usually used to find safety violations. However, checking liveness properties can offer a more natural and effective way to detect errors, particularly in complex concurrent and distributed e-business systems. Specifying global liveness properties which should always eventually be true proves to be more desirable, but it is hard for existing software model checkers to verify liveness in real codes because doing so requires finding an infinite execution. For solving such a challenge, this paper proposes an online checking tool to verify the safety and liveness properties of complex systems. We adopt the linear temporal logic to describe the semantics of the finite model checking, use binary instrumentation to obtain the distribute states and apply a checking engine to dynamically verify the finite trace linear temporal logic properties. At last, we demonstrate the method in a distributed system using distributed protocol Paxos and achieve good results by experiments.