Verification Methods and Tools

Work on verification is a central activity of the Laboratory. It aims at producing methods and tools for the comparison of programs with specifications which are either given by a set of properties or by a more abstract program with which the concrete program is compared modulo some implementation preorder. The methods studied are based on the analysis of a semantic model extracted from the program to be verified. Our aim is to provide methods making the verification process as automatic as possible which forces us to abandon completeness of the methods in the sense that :

• either they are applicable only to particular classes of problems. This is the case of the methods based on the enumeration of possibly all the states of the model applicable to programs with a finite (and ``reasonable'') number of states and for methods based on the use of decision procedures for verification problems expressible in decidable theories.
• or they produce only partial results in the sense that they can fail producing an answer. In this category can be included methods based on testing and approximate analysis techniques by abstract interpretation. The use of theorem provers by providing complex strategies is also in this category as it allows a high degree of automatisation by abandonning completeness.

Three important criteria have determined our design and implementation choices for verification tools:

• The use of high level languages such as LOTOS, LUSTRE, ARGOS, SDL
• Efficiency and possible automation of the method
• Possibility of reusing already existing software components to reduce the tool development effort.

Work is performed in the following directions :

1. Enumerative Verification Methods

A set of complementary enumerative verification techniques have been integrated in the ALDEBARAN verification tool. All these techniques allow to compare an explicit or implicit representation of the transition relation of a program against different types of specifications modulo some appropriate relation. In particular, this tool has efficient decision methods for the comparison modulo various behavioural equivalence or preorder relations defined in process algebras (strong or weak bisimulation, branching bisimulation, simulation relations etc.). These relations are based on abstraction criteria and can be used for compositional reasoning. Thus verifying that a given complex system satisfies a specification can be reduced to the verifying that some abstraction of it obtained by composition of abstractions of its components satisfies the specification. This approach has been successfully applied to the verification of complex systems. ALDEBARAN can be used for the verification of different models such as interpreted Petri nets, transition systems in different formats, in particular the compact format BCG ( Binary Coded Graphs). Furthermore, the OPEN/CAESAR environment allows the guided execution of a C implementation of LOTOS programs covering in that manner the hole spectrum of possibilities between complete verification on the fly and simulation.

In order to know more about these tools click here

2. Symbolic Verification Methods

Symbolic verification methods use a symbolic representation of the transition relation. The symbolic representations that we have considered so far are

• boolean expressions represented by BDD's ( Binary Decision Diagrams)
• linear constraints represented by convex polyhedra

These symbolic representations are used in different tools developed at VERIMAG:

• Initially the tool POLKA for the manipulation of convex polyhedra has been implemented for the verification of LUSTRE programs with integer variables.
• In the tool ALDEBARAN are implemented alternative methods for the comparison of systems modulo behavioural equivalences and preorders based on symbolic representations. Also an algorithm for the generation of a minimal model with respect to Milner's strong and weak bisimulation based on symbolic representations has been implemented. This algorithm avoids in many cases the state explosion due to the fact that there are many equivalent states in the "initially generated" model.
• Verification of Timed Systems :
  The KRONOS verification tool has been developed for the verification on timed automata of real-time properties specified in TCTL. The tool applies a symbolic verification technique by evaluating the meaning of the specification properties as sets of linear constraints of a certain type on clocks. By using KRONOS the correctness of non trivial systems with hard real-time constraints has been checked.

3. Abstract Interpretation

An important research direction is the application of abstract interpretation techniques for verification. These techniques are necessary in the case of infinite state systems but also when the size of the problem makes the application of exact verification methods problematic. Several applications of them are experimented.

An application example is the analysis of timed systems when exact verification methods are not applicable. For instance, decidability is lost for timed systems with multiform time or for most trivial extensions of timed automata. It is shown by using POLKA , that abstract interpretation techniques for properties described as linear constraints on variables give interesting results not only for timed systems but also for some classes of hybrid systems.

Another example of application of abstract interpretation techniques is the study of abstractions that preserve classes of properties described in temporal logics. These abstractions correspond to simulation relations parameterized by a relation between the data domains of a concrete and an abstract system. The results developed provide conditions for the preservation of classes of properties from the abstract to the concrete system. This allows a reduction of the verification of a complex system to some (simpler) abstraction of it. The method has been experimented by the verification of complex LOTOS programs using CAESAR/ALDEBARAN.

4. Verification Methods Based on Deductive Methods

In case that the verification problem cannot be expressed in a decidable theory (or the decision procedure for the theory is too expensive), it can be interesting to use deductive methods, even if it is impossible to have at once a complete method and complete automatisation. Work done in this domain aims more for maximal automation than for completeness.
We have implemented a tool that, given a program (a parallel composition of sequential components) and a safety property (an invariance property)

• computes in a compositional way a set of "structural invariants" obtained by static analysis from the the control graphs of each parallel component.
• In a second step, the tool tries to compute in an iterative way the greatest assertion that
• is implied by the predicate representing the set of initial states,
• is stable for the transition relation
• implies the predicate representing the invariance property to be verified

The structural invariants found in the first step allow very often to decrease significantly the number of iterations necessary in order to find the required predicate.

Each time the tool needs to know the validity of a predicate, it submits this predicate to the theorem prover PVS developed at SRI in which we have implemented tactics allowing to automatize most "simple" proofs (including some very simple tactics doing automatic inductions).

If you want to know more on this tool try here

5. Generation of conformance test suites

The generation of test sequences is often one of the most effort and time consuming part in a system development. Classical test generation involves hand writing of the test suites, and no clear-cut interpretation of the test results.

Our work in this domain concerns the formalization of the testing activities and the design and application of tools for automatic test suites generation. The results of these works is illustrated by TGV, which uses formal verification techniques for efficient and automatic generation of conformance test suites.

6. Methods for the Synthesis of real-time Controllers

try here