Spring 2006
CS 498: Software Model-Checking
2:00-3:15 Wed and Fri
1131 Siebel Ctr.

Verified software is one of the grand challenges of computer science. As the complexity of software increases and as systems pervade our day-to-day activities, verification of systems ranging from cell phones to medical equipment to aircraft software to secure programs, has become a vibrant and important field.

We will study various approaches to analyse and verify software, with emphasis on automatic techniques. We will entirely avoid techniques where substantial human help is required (such as manual theorem proving).

The course will concentrate on mainly three verification paradigms:
(a) dataflow analysis techniques (fast, scalable, but coarse analysis)
(b) explicit software verification techniques (eg. SPIN, JPF) and
(c) techniques where the system is abstracted into a tractable model which is then algorithmically/symbolically verified (eg. SLAM).
We will also discuss various specification languages that can formally describe properties of software and decision procedures to verify them.

Specific topics will include: dataflow analysis, flow sensitive/insensitive analysis, control-flow abstraction, abstract interpretation, predicate abstraction using theorem proving, finite and pushdown models, state-space exploration, symbolic techniques, abstraction refinement, abstraction of data structures and shape analysis, symbolic evaluation, reactive systems, and analysis of concurrent software. Basis of tools such as SMV, SPIN, SLAM, Bandera, Java Path Finder, Zing and TVLA will be covered.
[ This course will have little overlap with CS 476 (Software verification) and CS 477 (Formal Software Dev Methods). ]
This course requires mathematical maturity, and some knowledge of automata theory (CS 273) and basic propositional logic.

See here for a similar course offered in Spring last year and an overview of its content.

References:

  • Principles of Program Analysis, by Nielson, Nielson, and Hankin
  • Model Checking, by Clarke, Grumberg, and Peled

    • Lectures

  • Lecture#1 (Wed, Jan 18): Introduction, motivation, and review of research

  • Lecture#2 (Fri, Jan 20): The control flow graph of a program; a simple while-programing language syntax

  • Lecture#3 (Wed, Jan 25): Dataflow analysis I: Available expression analysis, recursive equations, least and greatest fixed points, Tarski-Knaster theorem.

  • Lecture#4 (Fri, Jan 27): Dataflow analysis II: Reaching definitions, Very busy expressions, Live variable analysis.

  • Lecture#5 (Wed, Feb 1): Finite state reachability games, solving games, determinacy, and checking emptiness of pushdown automata. (Slides)

  • Lecture#6 (Fri, Feb 3): Regularity of reachable configurations of a pushdown automaton; regularity of pre*(L) where L is regular; model-checking algorithms for pushdown systems.
    Ref:     Efficient Algorithms for Model Checking Pushdown Systems, by Esparza, Hansel, Rossmanith, and Schwoon.

  • Lecture#7 (Wed, Feb 8): Interprocedural dataflow analysis
    Ref: Precise Interprocedural Dataflow Analysis via Graph Reachability, by Thomas Reps, Susan Horwitz, Mooly Sagiv

  • Homework 1:: Due Feb 17

  • Lecture#8 (Fri, Feb 10): Recap of Interprocedural dataflow analysis, Finding bad programming practices in code for security violations.
    Ref: MOPS: MOdelchecking Programs for Security properties, by Hao Chen and David Wagner. (See ACM CCS 2002 paper on the page)

  • Lecture#9 (Wed, Feb 15): Binary decision diagrams; OBDDs, canonicity
    Lecture Slides
    Ref: Graph based algorithms for Boolean Function Manipulation, by Randal Bryant.

  • Lecture#10 (Fri, Feb 17): Model-checking using BDDs; binary operations; checking reachability

  • Lecture#11 (Wed, Feb 22): Computation Tree Logic (CTL), explicit model checking of CTL

  • Lecture#12 (Fri, Feb 24): Symbolic model checking of CTL using BDDs, fixed-point formulations, mu-calculus and model-checking the mu-calculus

  • Homework 2:: Due Mar 8

  • Lecture#13 (Wed, Mar 1): The notion of reactive systems; Linear-time Temporal Logic (LTL): syntax and semantics using infinite words; Buchi automata
    Ref: Linear-time temporal logic and Buchi automata -- Madhavan Mukund..

  • Lecture#14 (Fri, Mar 3): Generalized Buchi automata; emptiness checking; translating LTL to Buchi automata; model-checking LTL.

  • Lecture#15 (Wed, Mar 8): Predicate abstraction and SLAM

  • Lecture#16 (Fri, Mar 10): Predicate abstraction theory: Graf and Saidi

  • Lecture#17 (Wed, Mar 15): Predicate abstraction theory contd: Graf and Saidi

  • Lecture#18 (Fri, Mar 17): Revisiting SLAM: abstraction, symbolic evaluation and refinement

  • Lecture#19 (Wed, Mar 29): Bounded model checking using SAT.

  • Lecture#20 (Fri, Mar 31): The internals of a SAT solver

  • Lecture#21 (Wed, Apr 5): Shape analysis for analyzing heaps
    Shape Analysis -- analyzing dynamic data with pointers -- Reps, Sagiv, Wilhelm
    See the papers:
  • Static Program Analysis via 3-valued logic CAV'04 invited talk
  • Parametric Shape Analysis via a 3-valued logic, TOPLAS'02 (has all details)
    • See talk: Static Program Analysis via 3-valued logic, CAV'04 invited talk.

  • Lecture#22 (Fri, Apr 7): Shape analysis for analyzing heaps (contd.)

  • Lecture#23 (Wed, Apr 12): Pointer analysis: flow-insensitive; interprocedural.
    See Points-to Analysis in Almost Linear Time, by Bjarne Steensgard, POPL 1996.

  • Lecture#24 (Fri, Apr 14): Checking concurrent programs with recursion; decidability of bounded context-switching programs.

  • Lecture#25 (Wed, Apr 19): Atomicity in concurrent programs; transactions; checking atomicity using transactional types.

  • Lecture#26 (Fri, Apr 21): Concurrency theory: Petri nets, unfoldings, modeling control of concurrent programs using nets, atomicity.

  • Presentation (Wed, Apr 26) by Ralf Sasse : Static checking using theorem proving: ESC/Java2
    See
  • ESC/Java2 paper CASSIS 2004
  • Simplify theorem prover HPL technical report
  • original ESC/Java paper
  • User manual
  • Full program verification alternative using JML, KeY