”Have I Written Enough Properties?” - A Method of Comparison Between Specification and Implementation

Katz, Shmuel; Grumberg, Orna; Geist, Daniel

doi:10.1007/3-540-48153-2_21

Cited by 88 publications

(57 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The algorithm we present in this section is symbolic, and it computes the relation C that is defined as follows. (w,v,w'): w,v E W,w' E W', and w' simulates win Iv,q}· Then, v is q-covered by S if there is w0 E W0 such that for all wb E W&, we have (wo, v, wb) ¢ C. Several symbolic simulation algorithms are described in the literature [McMillan, 1993;Henzinger et al, 1995;Katz et al, 1999]. We build our coverage algorithm on top of the straightforward symbolic implementation of Milner's fixed-point expression for simulation (see 8 in Section 2).…”

Section: Symbolic Approachmentioning

confidence: 99%

“…In order to do so, we use early quantification and variable interleaving in the OBDDs. Both techniques are used in [Katz et al, 1999] (see also [Katz, 2001]) in order to reduce the number of OBDD variables required for computing the simulation relation B from 4n to 2n.…”

Section: Symbolic Approachmentioning

confidence: 99%

“…In [Katz et al, 1999], early quantification is used for computing simulation as follows. Recall that B is the greatest fixed point of the expression 8 = { (w,w'): B0 (w,w') A Vu 3u': [R(w,u') A B(u,u') ,x) 1\g(z,x)).…”

Section: Symbolic Approachmentioning

confidence: 99%

“…There are two different approaches to coverage in model checking, where the specification is given as a temporal logic formula. One approach, introduced in Katz et al, 1999, states that a well-covered implementation should closely resemble the reduced tableau of its specification. Thus the coverage criteria of Katz et al are based on the analysis of the differences between the implementation and the tableau of its specification.…”

Section: Introductionmentioning

confidence: 99%

“…It has been recently shown in [Katz et al, 1999;Katz, 2001] how early quantification and variable interleaving in the OBDD can be used in order to reduce the number of required variables to 2n. Similarly, a naive implementation of the fixed-point expression with which the relation C is computed requires 4n + 2n' OBDD variables.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Coverage of Implementations by Simulating Specifications

Chockler

Kupferman

2002

Foundations of Information Technology in the Era of Network and Mobile Computing

View full text Add to dashboard Cite

In formal verification, we verify that an implementation is correct with respect to a specification. When verification succeeds and the implementation is proven to be correct, there is still a question of how complete the specification is, and whether it really covers all the behaviors of the implementation. In this paper we study coverage for simulation-based formal verification, where both the implementation and the specification are modelled by labeled state-transition graphs, and an implementation I satisfies a specificationS if S simulates I. Our measure of coverage is based on small modifications we apply to I. A part of I is covered by S if the mutant implementation in which this part is modified is no longer simulated by S. Thus, "mutation coverage" tells us which parts of the implementation were actually essential for the success of the verification. We describe two algorithms for finding the parts of the implementation that are covered by S. The first algorithm improves a naive algorithm that checks the mutant implementations one by one by exploiting the significant overlaps among the mutant implementations. The second algorithm is symbolic, and it improves a naive symbolic algorithm by reducing the number of variables in the OBDDs involved. In addition, we compare our coverage measure with other approaches for measuring coverage.

show abstract

Section: Symbolic Approachmentioning

confidence: 99%

Section: Symbolic Approachmentioning

confidence: 99%

Section: Symbolic Approachmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Coverage of Implementations by Simulating Specifications

Chockler

Kupferman

2002

Foundations of Information Technology in the Era of Network and Mobile Computing

View full text Add to dashboard Cite

show abstract

Hardware Design and Simulation for Verification

Bombieri

Fummi

Pravadelli

2006

Formal Methods for Hardware Verification

View full text Add to dashboard Cite

Sanity Checks in Formal Verification

Kupferman

2006

CONCUR 2006 – Concurrency Theory

View full text Add to dashboard Cite

Abstract.One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no additional information. In the last few years there has been growing awareness to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. The goal of sanity checks is to detect such errors by further automatic reasoning. Two leading sanity checks are vacuity and coverage. In vacuity, the goal is to detect cases where the system satisfies the specification in some unintended trivial way. In coverage, the goal is to increase the exhaustiveness of the specification by detecting components of the system that do not play a role in verification process. For both checks, the challenge is to define vacuity and coverage formally, develop algorithms for detecting vacuous satisfaction and low coverage, and suggest methods for returning to the user helpful information. We survey existing work on vacuity and coverage and argue that, in many aspects, the two checks are essentially the same: both are based on repeating the verification process on some mutant input. In vacuity, mutations are in the specifications, whereas in coverage, mutations are in the system. This observation enables us to adopt work done in the context of vacuity to coverage, and vise versa.

show abstract

”Have I Written Enough Properties?” - A Method of Comparison Between Specification and Implementation

Cited by 88 publications

References 10 publications

Coverage of Implementations by Simulating Specifications

Coverage of Implementations by Simulating Specifications

Hardware Design and Simulation for Verification

Sanity Checks in Formal Verification

Contact Info

Product

Resources

About