Computer Aided Verification

In the verification community it is assumed that one has a specification of the program to be proven correct. In practice this is never true. Moreover, specifications for realistic software products are often unreadable when formalised. This talk will present and discuss more practical formal notation for software documentation and the role of such documentation in the verification process.

Model Checking is an algorithmic technique to determine whether a temporal property holds of a program. For linear time properties, a model checker produces a counterexample computation if the check fails. This computation acts as a “certificate” of failure, as it can be checked easily and independently of the model checker by simulating it on the program. On the other hand, no such certificate is produced if the check succeeds. In this paper, we show how this asymmetry can be eliminated with a certifying model checker. The key idea is that, with some extra bookkeeping, a model checker can produce a deductive proof on either success or failure. This proof acts as a certificate of the result, as it can be checked mechanically by simple, non-fixpoint methods that are independent of the model checker. We develop a deductive proof system for verifying branching time properties expressed in the mu-calculus, and show how to generate a proof in this system from a model checking run. Proofs for linear time properties form a special case. A model checker that generates proofs can be used for many interesting applications, such as better ways of exploring errors in a program, and a tight integration of model checking with automated theorem proving.

The byte-code verifier is advertised as a key component of the security and safety strategy for the Java language, making it possible to use and exchange Java programs without fearing too much damage due to erroneous programs or malignant program providers. As Java is likely to become one of the languages used to embed programs in all kinds of appliances or computer-based applications, it becomes important to verify that the claim of safety is justified.

A parameterized concurrent system represents an infinite family (of finite state systems) parameterized by a recursively defined type such as chains, trees. It is therefore natural to verify parameterized-systems by inducting over this type. We employ a program transformation based proof methodology to automate such induction proofs. Our proof technique is geared to automate nested induction proofs which do not involve strengthening of induction hypothesis. Based on this technique, we have designed and implemented a prover for parameterized protocols. The prover has been used to automatically verify safety properties of parameterized cache coherence protocols, including broadcast protocols and protocols with global conditions. Furthermore we also describe its successful use in verifying mutual exclusion in the Java Meta-Locking Algorithm, developed recently by Sun Microsystems for ensuring secure access of Java objects by an arbitrary number of Java threads.

This paper describes an approach to engineering efficient model checkers that are generic with respect to the temporal logic in which system properties are given. The methodology is based on the “compilation” of temporal formulas into variants of alternating tree automata called alternating Büchi tableau automata (ABTAs). The paper gives an efficient on-the-fly model-checking procedure for ABTAs and illustrates how translations of temporal logics into ABTAs may be concisely specified using inference rules, which may be thus seen as high-level definitions of “model checkers” for the logic given. Heuristics for simplifying ABTAs are also given, as are experimental results in the CWB-NC verification tool suggesting that, despite the generic ABTA basis, our approach can perform better than model checkers targeted for specific logics. The ABTA-based approach we advocate simplifies the retargeting of model checkers to different logics, and it also allows the use of “compile-time” simplifications on ABTAs that improves model-checker performance.

We present an algorithm to generate Büchi automata from LTL formulae. This algorithm generates a very weak alternating co-Büchi automaton and then transforms it into a Büchi automaton, using a generalized Büchi automaton as an intermediate step. Each automaton is simplified on-the-fly in order to save memory and time. As usual we simplify the LTL formula before any treatment. We implemented this algorithm and compared it with Spin: the experiments show that our algorithm is much more efficient than Spin. The criteria of comparison are the size of the resulting automaton, the time of the computation and the memory used. Our implementation is available on the web at the following address: http://verif.liafa.jussieu.fr/ltl2ba

In formal verification, we verify that a system is correct with respect to a specification. When verification succeeds and the system is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the system. In this paper we study coverage metrics for model checking from a practical point of view. Coverage metrics are based on modifications we apply to the system in order to check which parts of it were actually relevant for the verification process to succeed. We suggest several definitions of coverage, suitable for specifications given in linear temporal logic or by automata on infinite words. We describe two algorithms for computing the parts of the system that are not covered by the specification. The first algorithm is built on top of automata-based model-checking algorithms. The second algorithm reduces the coverage problem to the model-checking problem. Both algorithms can be implemented on top of existing model checking tools.

In this paper we propose an efficient algorithmic solution to the problem of determining a Bisimulation Relation on a finite structure. Starting from a set-theoretic point of view we propose an algorithm that optimizes the solution to the Relational coarsest Partition problem given by Paige and Tarjan in 1987 and its use in model-checking packages is briefly discussed and tested. Our algorithm reaches, in particular cases, a linear solution.

Symmetry reduction methods exploit symmetry in a system in order to efficiently verify its temporal properties. Two problems may prevent the use of symmetry reduction in practice: (1) the property to be checked may distinguish symmetric states and hence not be preserved by the symmetry, and (2) the system may exhibit little or no symmetry. In this paper, we present a general framework that addresses both of these problems.We introduce “Guarded Annotated Quotient Structures” for compactly representing the state space of systems even when those are asymmetric. We then present algorithms for checking any temporal property on such representations, including non-symmetric properties.

In this paper we present the application of generalized retiming for temporal property checking. Retiming is a structural transformation that relocates registers in a circuit-based design representation without changing its actual input-output behavior. We discuss the application of retiming to minimize the number of registers with the goal of increasing the capacity of symbolic state traversal. In particular, we demonstrate that the classical definition of retiming can be generalized for verification by relaxing the notion of design equivalence and physical implementability. This includes (1) omitting the need for equivalent reset states by using an initialization stump, (2) supporting negative registers, handled by a general functional relation to future time frames, and (3) eliminating peripheral registers by converting them into simple temporal offsets. The presented results demonstrate that the application of retiming in verification can significantly increase the capacity of symbolic state traversal. Our experiments also demonstrate that the repeated use of retiming interleaved with other structural simplifications can yield reductions beyond those possible with single applications of the individual approaches. This result suggests that a tool architecture based on re-entrant transformation engines can potentially decompose and solve verification problems that otherwise would be infeasible.

We propose a BDD based representation for Boolean functions, which extends conjunctive/disjunctive decompositions. The model introduced (Meta-BDD) can be considered as a symbolic representation of k-Layer automata describing Boolean functions. A layer is the set of BDD nodes labeled by a given variable, and its characteristic function is represented using BDDs. Meta-BDDs are implemented upon a standard BDD library and they support layered (decomposed) processing of Boolean operations used in formal verification problems. Besides targeting reduced BDD size, the theoretical advantage of this form over other decompositions is being closed under complementation, which makes Meta-BDDs applicable to a broader range of problems.

Formal equivalence verifiers for combinational circuits rely heavily on BDD algorithms. However, building monolithic BDDs is often not feasible for today's complex circuits. Thus, to increase the effectiveness of BDD-based comparisons, divide-and-conquer strategies based on cut-points are applied. Unfortunately, these algorithms may produce false negatives. Significant effort must then be spent for determining whether the failures are indeed real. In particular, if the design is actually incorrect, many cut-point based algorithms perform very poorly. In this paper we present a new algorithm that completely removes the problem of false negatives by introducing normalized functions instead of free variables at cut points. In addition, this approach handles the propagation of input assumptions to cut-points, is significantly more accurate in finding cut-points, and leads to more efficient counter-example generation for incorrect circuits. Although, naively, our algorithm 1 would appear to be more expensive than traditional cut-point techniques, the empirical data on more than 900 complex signals from a recent microprocessor design, shows rather the opposite.

We introduce a decision procedure for satisfiability of equivalence logic formulas with uninterpreted functions and predicates. In a previous work ([PRSS99]) we presented a decision procedure for this problem which started by reducing the formula into a formula in equality logic. As a second step, the formula structure was analyzed in order to derive a small range of values for each variable that is sufficient for preserving the formula's satisfiability. Then, a standard BDD based tool was used in order to check the formula under the new small domain. In this paper we change the reduction method and perform a more careful analysis of the formula, which results in significantly smaller domains. Both theoretical and experimental results show that the new method is superior to the previous one and to the method suggested in [BGV99].

We present a model checking algorithm for ∀CTL (and full CTL) which uses an iterative abstraction refinement strategy.It terminates at least for all transition systems M that have a finite simulation or bisimulation quotient. In contrast to other abstraction refinement algorithms, we always work with abstract models whose sizes depend only on the length of the formula θ (but not on the size of the system, which might be infinite).

We consider the problem of establishing consistency of code implementing a network protocol with respect to the documentation as a standard RFC. The problem is formulated as a refinement checking between two models, the implementation extracted from code and the specification extracted from RFC. After simplifications based on assume-guarantee reasoning, and automatic construction of witness modules to deal with the hidden specification state, the refinement checking problem reduces to checking transition invariants. The methodology is illustrated on two case-studies involving popular network protocols, namely, PPP (point-to-point protocol for establishing connections remotely) and DHCP (dynamic-host-configuration-protocol for configuration management in mobile networks). We also present a symbolic implementation of a reduction scheme based on compressing internal transitions in a hierarchical manner, and demonstrate the resulting savings for refinement checking in terms of memory size.

This paper presents a new approach for verification of asynchronous circuits by using automatic abstraction. It attacks the state explosion problem by avoiding the generation of a flat state space for the whole design. Instead, it breaks the design into blocks and conducts verification on each of them. Using this approach, the speed of verification improves dramatically.

We consider the randomized consensus protocol of Aspnes and Herlihy for achieving agreement among N asynchronous processes that communicate via read/write shared registers. The algorithm guarantees termination in the presence of stopping failures within polynomial expected time. Processes proceed through possibly unboundedly many rounds; at each round, they read the status of all other processes and attempt to agree. Each attempt involves a distributed random walk: when processes disagree, a shared coin-flipping protocol is used to decide their next preferred value. Achieving polynomial expected time depends on the probability that all processes draw the same value being above an appropriate bound. For the non-probabilistic part of the algorithm, we use the proof assistant Cadence SMV to prove validity and agreement for all N and for all rounds. The coin-flipping protocol is verified using the probabilistic model checker PRISM. For a finite number of processes (up to 10) we automatically calculate the minimum probability of the processes drawing the same value. The correctness of the full protocol follows from the separately proved properties. This is the first time a complex randomized distributed algorithm has been mechanically verified.

Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive procedure calls. They can be viewed as a visual notation extending Statecharts-like hierarchical state machines, where concurrency is disallowed but recursion is allowed. They are also related to various models of pushdown systems studied in the verification and program analysis communities.After introducing RSMs, we focus on whether state-space analysis can be performed efficiently for RSMs. We consider the two central problems for algorithmic analysis and model checking, namely, reachability (is a target state reachable from initial states) and cycle detection (is there a reachable cycle containing an accepting state). We show that both these problems can be solved in time O(nθ(2) and space O(nθ), where n is the size of the recursive machine and θ is the maximum, over all component state machines, of the minimum of the number of entries and the number of exits of each component. We also study the precise relationship between RSMs and closely related models.

The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic model-checking techniques for both tasks. First, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive INV rule for proving invariance properties can be automatically resolved by finite-state (BDD-based) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever been examined by the user, which explains why we refer to them as “invisible”. The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.

The property of Positive Equality [2] dramatically speeds up validity checking of formulas in the logic of Equality with Uninterpreted Functions and Memories (EUFM) [4]. The logic expresses correctness of high-level microprocessors. We present EVC (Equality Validity Checker)—a tool that exploits Positive Equality and other optimizations when translating a formula in EUFM to a propositional formula, which can then be evaluated by any Boolean satisfiability (SAT) procedure. EVC has been used for the automatic formal verification of pipelined, superscalar, and VLIW microprocessors.

As new Internet applications emerge, new security protocols and systems need to be designed and implemented. Unfortunately the current protocol design and implementation process is often ad-hoc and error prone. To solve this problem, we have designed and implemented a toolkit AGVI, Automatic Generation, Verification, and Implementation of Security Protocols. With AGVI, the protocol designer inputs the system specification (such as cryptographic key setup) and security requirements. AGVI will then automatically find the near-optimal protocols for the specific application, proves the correctness of the protocols and implement the protocols in Java. Our experiments have successfully generated new and even simpler protocols than the ones documented in the literature.

Decision procedures are at the core of many industrial-strength verification systems such as ACL2 [KM97], PVS [ORS92], or STeP [MtSg96]. Effective use of decision procedures in these verification systems require the management of large assertional contexts. Many existing decision procedures, however, lack an appropriate API for managing contexts and efficiently switching between contexts, since they are typically used in a fire-and-forget environment.ICS (Integrated Canonizer and Solver) is a decision procedure developed at SRI International. It does not only efficiently decide formulas in a useful combination of theories but it also provides an API that makes it suitable for use in applications with highly dynamic environments such as proof search or symbolic simulation.The theory decided by ICS is a quantifier-free, first-order theory with uninterpreted function symbols and a rich combination of datatype theories including arithmetic, tuples, arrays, sets, and bit-vectors. This theory is particularly interesting for many applications in the realm of software and hardware verification. Combinations of a multitude of datatypes occur naturally in system specifications and the use of uninterpreted function symbols have proven to be essential for many real-world verifications.

µCRL [13] is a language for specifying and verifying distributed systems in an algebraic fashion. It targets the specification of system behaviour in a process-algebraic style and of data elements in the form of abstract data types. The µCRL toolset [21] (see http://www.cwi.nl/~mcrl) supports the analysis and manipulation of µCRL specifications. A µCRL specification can be automatically transformed into a linear process operator (LPO). All other tools in the µCRL toolset use LPOs as their starting point. The simulator allows the interactive simulation of an LPO. There are a number of tools that allow optimisations on the level of LPOs. The instantiator generates a labelled transition system (LTS) from an LPO (under the condition that it is finite-state), and the resulting LTS can be visualised, analysed and minimised.

Concurrent software and hardware systems play an increasing rôle in today’s applications. Due to the large number of states and to the high degree of non-determinism arising from the dynamic behavior of such systems, testing is generally not sufficient to ensure the correctness of their implementation. Formal specification and verification methods are therefore becoming more and more popular, aiming to give rigorous support for the system design and for establishing its correctness properties, respectively (cf. [2] for an overview).

The SLAM toolkit checks safety properties of software without the need for user-supplied annotations or abstractions. Given a safety property to check on a C program P, the SLAM process [4] iteratively refines a boolean program abstraction of P using three tools: - C2bp, a predicate abstraction tool that abstracts P into a boolean program BP(P,E) with respect to a set of predicates E over P1,2;- BEBOP, a tool for model checking boolean programs [3], and- NEWTON, a tool that discovers additional predicates to refine the boolean program, by analyzing the feasibility of paths in the C program.

Bytecode verification is a crucial security component for Java applets, on the Web and on embedded devices such as smart cards. This paper describes the main bytecode verification algorithms and surveys the variety of formal methods that have been applied to bytecode verification in order to establish its correctness.

Regular languages have proved useful for the symbolic state exploration of infinite state systems. They can be used to represent infinite sets of system configurations; the transitional semantics of the system consequently can be modeled by finite-state transducers. A standard problem encountered when doing symbolic state exploration for infinite state systems is how to explore all states in a finite amount of time.When representing the one-step transition relation of a system by a finite-state transducer T, this problem boils down to finding an appropriate finite-state representation T** for its transitive closure.In this paper we give a partial algorithm to compute a finite-state transducer T** for a general class of transducers. The construction builds a quotient of an underlying infinite-state transducer Tw, using a novel behavioural equivalence that is based past and future bisimulations computed on finite approximations of Tw. The extrapolation to Tw of these finite bisimulations capitalizes on the structure of the states of Tw, which are strings of states of T. We show how this extrapolation may be rephrased as a problem of detecting confluence properties of rewrite systems that represent the bisimulations. Thus, we can draw upon techniques that have been developed in the area of rewriting.A prototype implementation has been successfully applied to various examples.

We propose a new symbolic model checking algorithm for parameterized concurrent systems modeled as (Lossy) Petri Nets, and (Lossy) Vector Addition Systems, based on the following ingredients: a rich assertional language based on the graph-based symbolic representation of upward-closed sets introduced in [DR00], the combination of the backward reachability algorithm of [ACJT96] lifted to the symbolic setting with a new heuristic rule based on structural properties of Petri Nets. We evaluate the method on several Petri Nets and parameterized systems taken from the literature [ABC+95,EM00,Fin93,MC99], and we compare the results with other finite and infinite-state verification tools.

We present a model checking algorithm for safety properties that is applicable to parameterized systems and hence provides a unifying approach of model checking for parameterized systems. By analysing the conditions under which the proposed algorithm terminates, we obtain a characterisation of a subclass for which this problem is decidable. The known decidable subclasses, token rings and broadcast systems, fall in our subclass, while the main novel feature is that (unnested) quantification over index variables is allowed, which means that global guards can be expressed.

We present a model-checker for boolean programs with (possibly recursive) procedures and the temporal logic LTL. The checker is guaranteed to terminate even for (usually faulty) programs in which the depth of the recursion is not bounded. The algorithm uses automata to finitely represent possibly infinite sets of stack contents and BDDs to compactly represent finite sets of values of boolean variables. We illustrate the checker on some examples and compare it with the Bebop tool of Ball and Rajamani.

Web design is an inherently error-prone process. To help with the detection of errors in the structure and connectivity of Web pages, we propose to apply model-checking techniques to the analysis of the World Wide Web. Model checking the Web is different in many respects from ordinary model checking of system models, since the Kripke structure of theWeb is not known in advance, but can only be explored in a gradual fashion. In particular, the model-checking algorithms cannot be phrased in ordinary μ-calculus, since some operations, such as the computation of sets of predecessor Web pages and the computations of greatest fixpoints, are not possible on the Web. We introduce constructive μ-calculus, a fixpoint calculus similar to μ-calculus, but whose formulas can be effectively evaluated over the Web; and we show that its expressive power is very close to that of ordinary μ-calculus. Constructive μ-calculus can be used not only for phrasing Web model-checking algorithms, but also for the analysis of systems having a large, irregular state space that can be only gradually explored, such as software systems. On the basis of these ideas, we have implemented the Web model checker MCWEB, and we describe some of the issues that arose in its implementation, as well as the type of errors that it was able to find.

In this paper we propose a distributed symbolic algorithm for model checking of propositional μ-calculus formulas. μ-calculus is a powerful formalism and many problems like (fair) CTL and LTL model checking can be solved using the μ-calculus model checking. Previous works on distributed symbolic model checking were restricted to reachability analysis and safety properties. This work thus significantly extends the scope of properties that can be verified for very large designs.The algorithm distributively evaluates subformulas. It results in sets of states which are evenly distributed among the processes.We show that this algorithm is scalable, and thus can be implemented on huge distributed clusters of computing nodes. In this way, the memory modules of the computing nodes collaborate to create a very large store, thus enables the checking of much larger designs. We formally prove the correctness of the parallel algorithm. We complement the distribution of the state sets by showing how to distribute the transition relation.

Since the introduction of temporal logic for the specification of computer programs [5], usability has been an issue, because a difficult-to-use formalism is a barrier to the wide adoption of formal methods. Our solution is Sugar, the temporal logic used by the RuleBase formal verification tool [2]. Sugar adds the power of regular expressions to CTL [4], as well as an extensive set of operators which provide syntactic sugar. That is, while these operators do not add expressive power, they allow properties to be expressed more succinctly than in the basic language. Experience shows that Sugar allows hardware engineers to easily and intuitively specify their designs. The full language is used for model checking, and a significant portion can be model checked on-the-fly [3]. The automatic generation of simulation checkers from the same portion of Sugar is described in [1]. While previous papers have described various features of the language, this paper presents the first complete description of Sugar.

Finite-state model-checkers such as Smv [13] and Spin [11] do not allow to deal with important aspects that appear in modelling and analysing complex systems, e.g., communication protocols. Among these aspects: real-time constraints, manipulation of unbounded data structures like counters, communication through unbounded channels, parametric reasoning, etc.

In this paper we present a tool which operates as a pre- and postprocessor for RTL property checking and simplifies word-level specifications before verification, thus speeding up property checking runtimes and allowing larger design sizes to be verified. The basic idea is to scale down design sizes by exploiting word-level information. BooStER implements a new technique which computes a one-to-one RTL abstraction of a digital design in which the widths of word-level signals are reduced with respect to a property, i.e. the property holds for the abstract RTL if and only if it holds for the original RTL. The property checking task is completely carried out on the scaled-down version of the design. If the property fails then the tool computes counterexamples for the original RTL from counterexamples found on the reduced model.

SDLcheck is a verification tool developed to support model checking for asynchronous (concurrent) programs written in SDL 1, 2. Given an SDL program and a specification of a desired behavior of the program, SDLcheck generates a verification model that consists of two .-automata, P and T : P models the program and T the specification. Then, the automaton language containment, L(P) . L(T ), is tested by model checking with Cospan [3].

Telecommunication protocol standards have in the past and typically still use both an English description of the protocol and an ASN.1[5] specification of the data-model. ASN.1 (Abstract Syntax Notation One) is an ITU/ISO data definition language which has been developed to describe abstractly the values protocol data units can assume; this is of considerable interest for model checking as ASN.1 can be used to constrain/construct the state space of the protocol accurately. However, with current practice, any change to the English description cannot easily be checked for consistency while protocols are being developed. In this work, we have developed a SPIN-based tool called EASN (Enhanced ASN.1) where the behavior can be formally specified through a language based upon Promela for control structures but with data models from ASN.1.We use the X/Open standard on ASN.1/C++ translation so that our tool can be realised with pluggable components.We have used EASN to validate a simplified RLC in the W-CDMA (3G GSM) stack. In this short paper1, we discuss the EASN language, the tool, and an example usage.

Model checking 613 is an automated procedure for determining whether a finite state program satisfies a temporal property.Model checking tools, due to the complex nature of the specification methods, are used most effectively by verification experts. In order to make these tools more accessible to non-expert users, who may not be familiar with these formal notations, we need to make model checkers easier to use. Visually intuitive specification methods may provide an alternative way to specify temporal behavior.

The correct behavior of real-time applications depends not only on the correctness of the results of computations but also on the times at which these results are produced. As a matter of fact, violations of real-time constraints in embedded systems are the most difficult errors to detect, because they are extremely sensitive both to the patterns of external events stimulating the system and to the timing behavior of the system itself. Clearly, the development of real-time systems requires rigorous methods and tools to reduce development costs and “time-to-market” while guaranteeing the quality of the produced code (in particular, respect of the temporal constraints).

Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor, including branch prediction, speculative execution, out-of-order execution and a load-store buffer supporting re-ordering and load forwarding. We observe that the proof methodology scales well, in that the incremental proof cost of each feature is low. The proof is also quite concise with respect to proofs of similar microarchitecture models using other methods.

We describe an algorithm for simplifying a class of symbolic expressions that arises in the symbolic execution of formal state machine models. These expressions are compositions of state access and change functions and if-then-else expressions, laced together with local variable bindings (e.g., lambda applications). The algorithm may be used in a stand-alone way, but is designed to be part of a larger system employing a mix of other strategies. The algorithm generalizes to a rewriting algorithm that can be characterized as outside-in or lazy, with respect both to variable instantiation and equality replacement. The algorithm exploits memoization or caching.

In this paper we propose a methodology for verifying the sequential consistency of caching algorithms. The scheme combines times-tamping and an auxiliary history table to construct a serial execution ‘matching’ any given execution of the algorithm. We believe that this approach is applicable to an interesting class of sequentially consistent algorithms in which the buffering of cache updates allows stale values to be read from cache. We illustrate this methodology by verifying the high level specifications of the lazy caching and ring algorithms.

The usefulness of Bounded Model Checking (BMC) based on propositional satisfiability (SAT) methods for bug hunting has already been proven in several recent work. In this paper, we present two industrial strength systems performing BMC for both verification and falsification. The first is Thunder, which performs BMC on top of a new satisfiability solver, SIMO. The second is Forecast, which performs BMC on top of a BDD package. SIMO is based on the Davis Logemann Loveland procedure (DLL) and features the most recent search methods. It enjoys static and dynamic branching heuristics, advanced back-jumping and learning techniques. SIMO also includes new heuristics that are specially tuned for the BMC problem domain. With Thunder we have achieved impressive capacity and productivity for BMC. Real designs, taken from Intel’s Pentium_©4, with over 1000 model variables were validated using the default tool settings and without manual tuning. In Forecast, we present several alternatives for adapting BDD-based model checking for BMC. We have conducted comparison of Thunder and Forecast on a large set of real and complex designs and on almost all of them Thunder has demonstrated clear win over Forecast in two important aspects: capacity and productivity.

We describe the techniques we have used to search for bugs in the memory subsystem of a next-generation Alpha microprocessor. Our approach is based on two model checking methods that use satisfiability (SAT) solvers rather than binary decision diagrams (BDDs). We show that the first method, bounded model checking, can reduce the verification runtime from days to minutes on real, deep, microprocessor bugs when compared to a state-of-the-art BDD-based model checker. We also present experimental results showing that the second method, a version of symbolic trajectory evaluation that uses SAT-solvers instead of BDDs, can find as deep bugs, with even shorter runtimes. The tradeoff is that we have to spend more time writing specifications. Finally, we present our experiences with the two SAT-solvers that we have used, and give guidelines for applying a combination of bounded model checking and symbolic trajectory evaluation to industrial strength verification.The bugs we have found are significantly more complex than those previously found with methods based on SAT-solvers.

The Galois field is an important number system that is GF(2m) widely used in applications such as error correction codes (ECC), and complicated combinations of arithmetic operations are performed in those applications. However, few practical formal methods for algorithm verification at the word-level have ever been developed. We have defined a logic system, GF_2m -arithmetic, that can treat non-linear and non-convex GF2m constraints, for describing specifications and implementations of arithmetic algorithms over GF(2m). We have investigated various decision GF_2m -arithmetic and its subclasses, and have performed an automatic correctness proof of a (n, n 4) Reed-Solomon ECC decoding algorithm. Because the correctness criterion is in an efficient subclass of the GF_2m -arithmetic K-field-size independent), the proof is completed in significantly reduced time, less than one second for any and , m ≥ 3 and n ≥ 5, by using a combination of polynomial division and variable elimination over GF(2m), without using any costly techniques such as factoring or a decision over GF(2)that can easily increase the verification time to more than a day.

In this paper we show how the classical job-shop scheduling problem can be modeled as a special class of acyclic timed automata. Finding an optimal schedule corresponds, then, to finding a shortest (in terms of elapsed time) path in the timed automaton. This representation provides new techniques for solving the optimization problem and, more importantly, it allows to model naturally more complex dynamic resource allocation problems which are not captured so easily in traditional models of operation research. We present several algorithms and heuristics for finding the shortest paths in timed automata and test their implementation in the tool Kronos on numerous benchmark examples.

In this paper we present an algorithm for efficiently computing optimal cost of reaching a goal state in the model of Linearly Priced Timed Automata (LPTA). The central contribution of this paper is a priced extension of so-called zones. This, together with a notion of facets of a zone, allows the entire machinery for symbolic reachability for timed automata in terms of zones to be lifted to cost-optimal reachability using priced zones. We report on experiments with a cost-optimizing extension of Uppaal on a number of examples.

We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a control state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. The properties previously could not be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL* for pushdown systems.