Automated formal analysis and verification: an overview

This paper provides an overview of existing approaches to automated formal analysis and verification. Most of the space is devoted to model checking, covering its basic principles as well as the various techniques that have been proposed for dealing with the state space explosion problem. The paper also briefly discusses theorem proving and static analysis. All of the approaches are introduced mostly at an informal level, with the aim of giving the reader their basic ideas together with references to works where more details can be found.
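The basic principle of model checking referred to above, exhaustive exploration of a finite state space against a property, and the state space explosion it runs into, in an added example that is not part of the paper. It is a minimal explicit-state checker written for this page over a hypothetical guarded-transition encoding (a process is a dict from program counter to guarded transitions over a shared-variable dict); the two lock protocols it checks, Peterson's algorithm and a check-then-act lock constructed to be racy, and the toggler processes used to show exponential growth are the example's own models, not models from the paper.

```python
from collections import deque

# Added example (not from the paper): a minimal explicit-state model checker.
# A process is a dict  pc -> [(guard, action, next_pc)]  over a shared-variable
# dict; a global state is (frozen shared vars, tuple of program counters).
# BFS over all interleavings checks a safety property in every reachable state
# and returns the shortest counterexample trace when the property fails.

def freeze(shared):
    return tuple(sorted(shared.items()))

def explore(procs, shared0, bad):
    """Return (reachable_state_count, trace); trace is None if no reachable
    state satisfies bad(pcs, shared), else the shortest path to one."""
    init = (freeze(shared0), tuple(0 for _ in procs))
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        frozen, pcs = state
        shared = dict(frozen)
        if bad(pcs, shared):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return len(parent), trace[::-1]
        for i, proc in enumerate(procs):
            for guard, action, next_pc in proc[pcs[i]]:
                if guard(shared):
                    succ = (freeze(action(dict(shared))),
                            pcs[:i] + (next_pc,) + pcs[i + 1:])
                    if succ not in parent:
                        parent[succ] = state
                        queue.append(succ)
    return len(parent), None

PETERSON_CS = 4
def peterson(i):
    """Peterson's two-process mutual exclusion; pc 4 is the critical section."""
    j = 1 - i
    return {
        0: [(lambda s: True, lambda s: s, 1)],                       # non-critical
        1: [(lambda s: True, lambda s: {**s, f"flag{i}": 1}, 2)],    # flag[i] = 1
        2: [(lambda s: True, lambda s: {**s, "turn": j}, 3)],        # turn = j
        3: [(lambda s: s[f"flag{j}"] == 0 or s["turn"] == i,
             lambda s: s, 4)],                                       # busy-wait
        4: [(lambda s: True, lambda s: s, 5)],                       # critical
        5: [(lambda s: True, lambda s: {**s, f"flag{i}": 0}, 0)],    # flag[i] = 0
    }

NAIVE_CS = 2
def naive_lock(i):
    """Check-then-act lock (constructed for illustration): test the other
    flag, then raise our own.  The gap between test and set is a race."""
    j = 1 - i
    return {
        0: [(lambda s: s[f"flag{j}"] == 0, lambda s: s, 1)],         # test
        1: [(lambda s: True, lambda s: {**s, f"flag{i}": 1}, 2)],    # set
        2: [(lambda s: True, lambda s: s, 3)],                       # critical
        3: [(lambda s: True, lambda s: {**s, f"flag{i}": 0}, 0)],    # release
    }

def check_mutex(factory, cs_pc):
    """Mutual exclusion as a safety property: no state with both in cs_pc."""
    shared0 = {"flag0": 0, "flag1": 0, "turn": 0}
    return explore([factory(0), factory(1)], shared0,
                   lambda pcs, s: all(pc == cs_pc for pc in pcs))

def toggler(i):
    """A two-state process with no shared variables."""
    return {0: [(lambda s: True, lambda s: s, 1)],
            1: [(lambda s: True, lambda s: s, 0)]}

def count_states(n):
    """n independent togglers: the reachable state space is exactly 2**n,
    which is the state space explosion in its simplest form."""
    return explore([toggler(i) for i in range(n)], {}, lambda pcs, s: False)[0]

if __name__ == "__main__":
    n, trace = check_mutex(peterson, PETERSON_CS)
    print(f"Peterson: {n} reachable states, violation found: {trace is not None}")
    n, trace = check_mutex(naive_lock, NAIVE_CS)
    print(f"naive lock: {n} states explored before the counterexample:")
    for frozen, pcs in trace:
        print("  pcs", pcs, dict(frozen))
    for k in (4, 8, 12):
        print(f"{k} togglers -> {count_states(k)} reachable states")
```

The counterexample for the check-then-act lock is the interleaving test, test, set, set, which the breadth-first search returns as the shortest path to a bad state; Peterson's protocol passes because every reachable state is examined. The toggler count shows why the techniques the paper surveys (symbolic representation, partial-order and symmetry reduction, abstraction, bounded search) are needed: the reachable set doubles with every independent component even though each one is trivial.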
