About
28 Publications, 3,266 Reads
1,093 Citations

Publications (28)
JayHorn is a model checker for verifying sequential Java programs annotated with assertions expressing safety conditions. JayHorn uses the Soot library to read Java bytecode and translate it to the Jimple three-address format, then converts the Jimple code in several stages to a set of constrained Horn clauses, and solves the Horn clauses using sol...
Counterexamples—execution traces of the system that illustrate how an error state can be reached from the initial state—are essential for understanding verification failures. They are one of the most salient features of Model Checkers, which distinguish them from Abstract Interpretation and other Static Analysis techniques by providing a user with...
Writing specifications about program behavior is hard. Writing specifications about non-functional effects such as resource usage is often even harder. If manually instrumenting the program is not an option, programmers have to rely on comment-based specification languages like JML to introduce ghost variables and other fairly abstract concepts tha...
The Java PathFinder extension Psyco generates interfaces of Java components using a combination of dynamic symbolic execution and automata learning to explore different combinations of method invocations on a component. Such interfaces are useful in contract-based compositional verification of component-based systems. Psyco relies on testing for va...
Building a competitive program verifier is becoming cheaper. On the front-end side, openly available compiler infrastructure and optimization frameworks take care of hairy problems such as alias analysis, and break down the subtleties of modern languages into a handful of simple instructions that need to be handled. On the back-end side, theorem p...
In model-based development, embedded systems are modeled using a mix of dataflow formalisms, which capture the flow of computation, and hierarchical state machines, which capture the modal behavior of the system. For safety analysis, existing approaches rely on a compilation scheme that transforms the original model (dataflow and state machines) into a...
Contract-based software development has long been a leading methodology for the construction of component-based reactive systems, embedded systems in particular. Contracts are an effective way to establish boundaries between components and can be used efficiently to verify global properties by using compositional reasoning techniques. A contract sp...
In this work, we present a novel approach based on recent advances in software model checking to synthesize ranking functions and prove termination (and non-termination) of imperative programs.
Our approach incrementally refines a termination argument from an under-approximation of the terminating program state. Specifically, we learn bits of infor...
In this paper, we present SeaHorn, a software verification framework. The key distinguishing feature of SeaHorn is its modular design that separates the concerns of the syntax of the programming language, its operational semantics, and the verification semantics. SeaHorn encompasses several novelties: it (a) encodes verification conditions using an...
Turing, in his seminal paper "Checking a Large Routine" [Turing 1949], already asked whether it was possible to check that a routine was right. Among other contributions, he proposed flowcharts as a concise program representation. He also described a method based on the insight that a programmer should make a number of definite assertions wh...
Synchronous languages have long been the standard formalism for modeling and implementing embedded control software in critical domains like avionics, automotive or railway system development. Those languages are equipped with qualified compilers that generate the target final embedded code. An extensively used technique to define the expected beha...
seahorn is a framework and tool for verification of safety properties in C programs. The distinguishing feature of seahorn is its modular design that separates how program semantics is represented from the verification engine. This paper describes its verification approach as well as the instructions on how to install and use it.
In this paper, we explore different techniques to synthesize modular invariants for synchronous code encoded as Horn clauses. Modular invariants are a set of formulas that characterizes the validity of predicates. They are very useful for different aspects of analysis, synthesis, testing and program transformation. We describe two techniques to gen...
In this paper we present a novel lightweight approach to validate compilers for synchronous languages. Instead of verifying a compiler for all input programs or providing a fixed suite of regression tests, we extend the compiler to generate a test-suite with high behavioral coverage and geared towards discovery of faults for every compiled artifact...
Formal analysis tools for system models often require or benefit from the availability of auxiliary system invariants. Abstract interpretation is currently one of the best approaches for discovering useful invariants, in particular numerical ones. However, its application is limited by two orthogonal issues: (i) developing an abstract interpretatio...
CSP-CASL is but one of the many languages for which Bernd Krieg-Brueckner (BKB) had a great deal of influence throughout its development process: from the initial idea of working towards an integration of the process algebra CSP with the algebraic specification language CASL, to the design of the concrete syntax, and also to tool support for CSP-CA...
The use of formal analysis tools on models or source code often requires the availability of auxiliary invariants about the studied system. Abstract interpretation is currently one of the best approaches to discover useful invariants, especially numerical ones. However, its application is limited by two orthogonal issues: (i) developing an abstract...
We describe two complementary techniques to aid the automatic verification of safety properties of synchronous systems by model checking. A first technique allows the automatic generation of certain inductive invariants for mode variables. Such invariants are crucial in the verification of safety properties in systems with complex modal behavior. A...
PKind is a novel parallel k-induction-based model checker of invariant properties for finite- or infinite-state Lustre programs. Its architecture, which is strictly message-based, is designed to minimize synchronization delays and easily accommodate the incorporation of incremental invariant generators to enhance basic k-induction. We describe PKin...
We present a general scheme for automated instantiation-based invariant discovery. Given a transition system, the scheme produces k-inductive invariants from templates representing decidable predicates over the system's data types. The proposed scheme relies on efficient reasoning engines such as SAT and SMT solvers, and capitalizes on their abilit...
In this paper, we develop a testing theory for specification-based software product line development. Starting with a framework for the evaluation of test cases with respect to formal specifications, we develop a notion of enhancement, which allows to re-use test cases in a horizontal systems development process. In such a process, more and more fe...
The aim of this work is to obtain an interactive proof environment based on Isabelle/HOL for reasoning formally about cryptographic protocols, expressed as processes of the spi calculus (a π-calculus with cryptographic primitives). To this end, we formalise syntax, semantics, and hedged bisimulation, an environment-sensitive bisimulation which...
In this paper we present various notions of the combined refinement for data and processes within the specification language CSP-CASL. We develop proof support for our refinement notions and demonstrate how to employ them for system development and for system analysis. Finally, we apply our technique to an industrial standard for an electronic paym...
In this paper, we develop a testing theory for specification-based software product line development. Starting with a framework for the evaluation of test cases with respect to formal specifications, we develop a notion of enhancement, which allows to re-use test cases in a horizontal systems development process. In such a process, more and more...
In this paper, we present a theory for the evaluation of test cases with respect to formal specifications. In particular, we use the specification language CSP-CASL to define and evaluate black-box tests for reactive systems. Using loose semantics and three-valued test oracles, our approach is well-suited to deal with the refinement of specificatio...
The Rolls-Royce BR725 is a newly designed jet engine for ultra-long-range and high-speed business jets. In this paper we apply our theory of formal testing [5,6] to the starting system of the Rolls-Royce BR725 control software. To this end we model the system in CSP, evaluate test suites against the formal model, and finally execute test suites in...