Presentation transcript: A … Framework for Verifying Concurrent C Programs (Sagar Chaki, Thesis Defense Talk)

1 A … Framework for Verifying Concurrent C Programs
Sagar Chaki, Thesis Defense Talk

2 Motivation
[Figure: requirements are captured as a specification and code is written against them; specification validation and code validation each rest on a conformance check between the two. Target: distributed programs communicating with message passing.]

3 Related Work
- Model checking: symbolic model checking (SMV, MURPHI, MOCHA); partial order reduction (SPIN, COSPAN)
- Compositional reasoning: assume-guarantee
- Abstraction: abstract interpretation, existential abstraction
- Message-passing systems: CCS, π-calculus; simulation, bisimulation, …

4 Iterative Refinement
[Figure: the refinement loop. System and Spec go through Abstraction (driven by abstraction guidance) to a Model, which is passed to Verification. If verification succeeds: System OK. Otherwise it yields a Counterexample, which is checked: Counterexample valid? Yes: report the counterexample. No: spurious counterexample; Abstraction Refinement produces improved abstraction guidance and the loop repeats.]

5 Related Work
- Iterative refinement (Kurshan)
- Hardware: Yuan Lu's Ph.D. thesis
- SLAM (device drivers)
- BLAST (lazy abstraction, thread-modular safety)
- Concurrent software: SPIN, Behave!, ZING; own modeling language; no iterative refinement; safety properties

6 Contributions
- Compositional iterative refinement (IR) for concurrent message-passing programs and simulation conformance
- Combining predicate abstraction with existential abstraction
- Predicate minimization
- Compositional IR for liveness properties
- Compositional IR for deadlock detection

7 Basic Concepts
- Var: set of variables
- Expr: expressions over Var
- Store: set of stores; a store maps Var → Addresses and Addresses → Values
- AP: set of atomic propositions
- Conc : AP ↔ Expr (each atomic proposition corresponds to an expression)

8 Extended FSM
- Transitions labeled with guarded commands
- Guards are expressions
- Commands are actions or assignments
[Figure: an EFSM with transitions x == 0 ? x++, x != 0 ? α and true ? β, where α and β are actions]

9 Control Flow Graph
[Figure: a component whose body is x = x + y followed by a call lib(); the call is replaced by EFSM(lib) from the previous slide (x == 0 ? x++, x != 0 ? α, true ? β), inlined between CFG nodes 1 and 2]

10 Control Flow Graph
[Figure: the resulting control flow graph: the assignment x = x + y followed by the inlined EFSM transitions between nodes 1 and 2]

11 Labeled Kripke Structure
- M = (Q, I, Σ, T, AP, L)
- Q ≡ non-empty set of states
- I ⊆ Q ≡ set of initial states
- Σ ≡ set of actions ≡ alphabet
- T ⊆ Q × Σ × Q ≡ transition relation
- AP ≡ set of atomic propositions (a subset of the global AP of slide 7)
- L : Q → 2^AP ≡ propositional labeling
[Figure: an LKS M whose states are labeled {p}, {q}, {r}, {p, q}, {p, r}; Σ has six actions (their names were lost in extraction); AP = {p, q, r, s}]

12 Concurrent C Program
- Set of components P = ⟨C_1, …, C_n⟩
- Each C_i is a single C procedure, possibly calling library routines
- Library routines are specified via EFSMs
- The semantics of C is an LKS; it depends on the library specifications

13 Context for P_i
- Context = (Init, EFSM, τ, Σ, AP)
- Init ≡ an initial condition
- EFSM : Lib → EFSM, the specification EFSMs for all library routines
- τ ≡ an internal action
- AP ≡ set of atomic propositions (a subset of the global AP)
- Σ ≡ alphabet

14 Concrete Semantics of C
- Context = (Init, EFSM, τ, Σ, AP)
- S_CFG ≡ states of the CFG
- I_CFG ≡ initial state of the CFG
- M_C = (Q, I, Σ ∪ {τ}, T, AP, L)
- Q = S_CFG × Store
- I = {(s, σ) | s = I_CFG and σ ⊨ Init}
- L(s, σ) = {p | σ ⊨ Conc(p)}

15 Transitions of P
- (s, σ) →[τ] (s', σ')
- s ≡ assignment: s' = next(s) and σ' = σ(s)
- s ≡ branch with condition c: s' = then(s) and σ ⊨ c, or s' = else(s) and σ ⊨ ¬c; the store is unchanged, σ' = σ

16 Transitions of P
- (s, σ) →[α] (s', σ') with α ∈ Σ
- s ≡ inlined EFSM state, s' = next(s)
- s → s' is an EFSM transition with guard g and action α, and σ ⊨ g

17 Concrete Semantics
[Figure: the CFG of slide 10 unrolled into concrete states (s, σ), e.g. x=1,y=-3; x=-2,y=-3; x=5,y=-5; x=1,y=-5; x=0,y=-5; x=1,y=-5. With p ≡ x = 0, exactly the states whose store has x = 0 are labeled p.]

18 Predicate Abstraction
- Pred ⊆ Expr: a set of expressions (predicates) associated with each state of the CFG
- Pred ⊇ {Conc(p) | p ∈ AP}: the predicate corresponding to every atomic proposition must be associated with each CFG state
- In practice each CFG state has a different set of associated predicates

19 Valuation: Two Views
- Valuation ≡ minterm over Pred
- Set of all valuations ≡ 2^Pred
- Example with Pred = {x = 0, y = 0}:

Expression        | Subset of Pred
x ≠ 0 ∧ y ≠ 0     | {}
x = 0 ∧ y ≠ 0     | {x = 0}
x ≠ 0 ∧ y = 0     | {y = 0}
x = 0 ∧ y = 0     | {x = 0, y = 0}

20 Compatibility
- Given expressions e_1 and e_2: e_1 ∘ e_2 iff e_1 ∧ e_2 is satisfiable, i.e. ∃ σ ∈ Store · σ ⊨ e_1 ∧ σ ⊨ e_2
- e_1 ∘ e_2 ≡ e_1 and e_2 are compatible
- Each valuation v is an expression, so v ∘ e and v ∘ v' are defined as above

21 Abstract Semantics of C
- Context = (Init, EFSM, τ, Σ, AP, Pred)
- S_CFG ≡ states of the CFG; I_CFG ≡ initial state of the CFG
- M_[C] = (Q, I, Σ ∪ {τ}, T, AP, L)
- Q = S_CFG × 2^Pred
- I = {(s, v) | s = I_CFG and v ∘ Init}
- L(s, v) = {p | Conc(p) ∈ v}

22 Transitions of P
- (s, v) →[τ] (s', v')
- s ≡ assignment: s' = next(s) and v ∘ WP[v'](s), where WP[v'](s) is the weakest precondition of v' with respect to the assignment at s
- s ≡ branch with condition c: s' = then(s) and v ∘ (c ∧ v'), or s' = else(s) and v ∘ (¬c ∧ v')

23 Transitions of P
- (s, v) →[α] (s', v') with α ∈ Σ
- s ≡ inlined EFSM state, s' = next(s)
- s → s' is an EFSM transition with guard g and action α, and v ∘ (g ∧ v')

24 Abstract Semantics
[Figure: the CFG of slide 10 over Pred = {x = 0, y = 0}, with abstract states (s, v) such as x ≠ 0 ∧ y = 0 and x = 0 ∧ y = 0. With p ≡ x = 0, exactly the states whose valuation contains x = 0 are labeled p.]
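The abstract transition rules of slides 22 and 23 can be run on the slides' own example, Pred = {x = 0, y = 0} and a CFG fragment "x = x + y; loop: if x == 0 then x++". The Python below is an added example written for this transcript, not code from the MAGIC tool or the thesis. It replaces the theorem prover that decides compatibility (v ∘ e) with a bounded enumeration of stores over DOMAIN, an assumption that is adequate for these two predicates but not sound in general; the CFG, the initial conditions and the variable range are constructed here. It also checks the soundness claim of slide 27 (every concrete reachable state has an abstract counterpart) and reports the abstract states that have no concrete witness, which is where spurious counterexamples come from.

```python
from itertools import product

# Added example (not MAGIC's code): predicate abstraction of a small CFG over
# Pred = {x = 0, y = 0}.  Assumption: enumerating stores over DOMAIN stands in
# for the theorem prover that decides v ∘ e in the real tool.
PREDS = {"x = 0": lambda s: s["x"] == 0,
         "y = 0": lambda s: s["y"] == 0}
DOMAIN = range(-4, 5)

def stores():
    """All concrete stores over DOMAIN (a truncated version of the set Store)."""
    for x, y in product(DOMAIN, repeat=2):
        yield {"x": x, "y": y}

def valuation(store):
    """Subset-of-Pred view of the minterm that the store lies in (slide 19)."""
    return frozenset(p for p, f in PREDS.items() if f(store))

def compatible(v, cond):
    """v ∘ cond: some store lies in valuation v and satisfies cond (slide 20)."""
    return any(valuation(s) == v and cond(s) for s in stores())

def assign(var, expr):
    """Assignment statement var = expr as a store transformer σ ↦ σ(stmt)."""
    def run(s):
        t = dict(s)
        t[var] = expr(s)
        return t
    return run

# Constructed CFG: loc -> ("assign", stmt, next) | ("branch", cond, then, else) | ("exit",)
CFG = {
    0: ("assign", assign("x", lambda s: s["x"] + s["y"]), 1),  # x = x + y
    1: ("branch", lambda s: s["x"] == 0, 2, 3),                  # x == 0 ?
    2: ("assign", assign("x", lambda s: s["x"] + 1), 1),        # x++ and back to the test
    3: ("exit",),
}

def abstract_succ(loc, v):
    """Abstract transitions (s, v) -> (s', v') of slide 22.
    Assignment: v ∘ WP[v'](stmt); WP[v'](stmt) holds at σ iff σ(stmt) ∈ v', so v'
    ranges over the valuations of σ(stmt) for σ ∈ v.  Branch: the then-edge if
    v ∘ c, the else-edge if v ∘ ¬c (one Pred for every location, hence v' = v)."""
    node = CFG[loc]
    if node[0] == "assign":
        _, stmt, nxt = node
        return {(nxt, valuation(stmt(s))) for s in stores() if valuation(s) == v}
    if node[0] == "branch":
        _, c, then, els = node
        out = set()
        if compatible(v, c):
            out.add((then, v))
        if compatible(v, lambda s: not c(s)):
            out.add((els, v))
        return out
    return set()

def reachable(init_cond):
    """Reachable states of M_[C]; initial states are (I_CFG, v) for every v ∘ Init."""
    frontier = {(0, valuation(s)) for s in stores() if init_cond(s)}
    seen = set(frontier)
    while frontier:
        frontier = set().union(*(abstract_succ(loc, v) for loc, v in frontier)) - seen
        seen |= frontier
    return seen

def concrete_step(loc, s):
    node = CFG[loc]
    if node[0] == "assign":
        return node[2], node[1](s)
    if node[0] == "branch":
        return (node[2] if node[1](s) else node[3]), s
    return None

def concrete_reachable(init_cond, bound=50):
    """Reachable states of M_C from every DOMAIN store satisfying Init (bounded steps)."""
    seen = set()
    for s0 in stores():
        if not init_cond(s0):
            continue
        loc, s = 0, s0
        for _ in range(bound):
            seen.add((loc, s["x"], s["y"]))
            step = concrete_step(loc, s)
            if step is None:
                break
            loc, s = step
    return seen

def images(init_cond):
    """Concrete reachable states pushed through the abstraction (s, σ) ↦ (s, valuation(σ))."""
    return {(loc, valuation({"x": x, "y": y})) for loc, x, y in concrete_reachable(init_cond)}

def is_sound(init_cond):
    """M_C ≼ M_[C] (slide 27): every concrete reachable state has an abstract counterpart."""
    return images(init_cond) <= reachable(init_cond)

def spurious(init_cond):
    """Abstract reachable states with no concrete witness."""
    return reachable(init_cond) - images(init_cond)
```

With Init ≡ x = 1 ∧ y = 1 the abstraction reaches (1, {x = 0}) and (2, {x = 0}) although no concrete run does, because the two predicates cannot record that y is positive; this is exactly the situation in which the refinement step of slide 44 adds predicates. With Init ≡ x = 1 ∧ y ≠ 0 the same abstract states have concrete witnesses and nothing is spurious.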

25 Simulation
- M_1 = (Q_1, I_1, Σ, T_1, AP, L_1), M_2 = (Q_2, I_2, Σ, T_2, AP, L_2)
- R ⊆ Q_1 × Q_2 is a simulation relation if s_1 R s_2 implies: L_1(s_1) = L_2(s_2), and ∀ (s_1, α, s_1') ∈ T_1 · ∃ s_2' · (s_2, α, s_2') ∈ T_2 ∧ s_1' R s_2'
- M_1 ≼ M_2 ≡ ∃ simulation relation R ⊆ Q_1 × Q_2 · ∀ s_1 ∈ I_1 · ∃ s_2 ∈ I_2 · s_1 R s_2

26 Satisfaction
- σ(e) ≡ evaluation of e under σ
- σ ⊨ e ≡ σ(e) ≠ 0
- σ(stmt) ≡ new store after executing statement stmt in store σ

27 M_C ≼ M_[C]
- σ(e) ≡ evaluation of e under σ; σ ⊨ e ≡ σ(e) ≠ 0
- Define the relation R ⊆ Q_C × Q_[C] by (s, m) R (s, v) ⇔ m ⊨ v
- R is a simulation relation
- ∀ s ∈ I_C · ∃ [s] ∈ I_[C] · s R [s]

28 Parallel Composition
- M_1 = (Q_1, I_1, Σ_1, T_1, AP_1, L_1), M_2 = (Q_2, I_2, Σ_2, T_2, AP_2, L_2)
- M_1 || M_2 = (Q_1 × Q_2, I_1 × I_2, Σ_1 ∪ Σ_2, T, AP_1 ∪ AP_2, L)
- L(s_1, s_2) = L_1(s_1) ∪ L_2(s_2)
- ((s_1, s_2), α, (s_1', s_2')) ∈ T iff for each i ∈ {1, 2}: either α ∈ Σ_i ∧ (s_i, α, s_i') ∈ T_i, or α ∉ Σ_i ∧ s_i = s_i'

29 Program Semantics
- P = ⟨C, C'⟩
- M_P = M_C || M_C'
- M_[P] = M_[C] || M_[C']
- Abstraction is done modularly
[Figure: M_C ≼ M_[C] and M_C' ≼ M_[C'], hence M_P ≼ M_[P]]

30 Program Semantics
- P = C || C'
- [P] = [C] || [C']
[Figure: C ≼ [C] and C' ≼ [C'], hence P ≼ [P]]

31 Verification
- The specification is an LKS Spec
- Given P and Spec, check whether P ≼ Spec:
  1. Construct [P]
  2. Check whether [P] ≼ Spec
     a. P ≼ [P] ∧ [P] ≼ Spec ⇒ P ≼ Spec
     b. Otherwise …

32 Counterexample
- ¬([P] ≼ Spec) ⇒ ∃ CE · CE ≼ [P] ∧ ¬(CE ≼ Spec)
- CE has a tree structure
- See Chapter 5 for the procedure that checks [P] ≼ Spec and constructs CE if necessary

33 Counterexample Validation
- Check whether CE ≼ P
- ¬(CE ≼ Spec) ∧ CE ≼ P ⇒ ¬(P ≼ Spec): the counterexample is real
- P = C || C'

34 Problems
- Checking CE ≼ C || C' faces two problems
- Infinite states → symbolic representation
- State-space explosion → compositional reasoning

35 LKS Projection
[Figure: the LKS M of slide 11, with alphabet Σ (six actions) and AP = {p, q, r, s}, to be projected onto Σ' (three of those actions) and AP' = {p, r, t}]

36 LKS Projection
- M ↾ (Σ', AP'): the alphabet becomes (Σ ∩ Σ') ∪ {τ} (actions outside Σ' become the internal action τ) and each state keeps only its labels in AP ∩ AP'
- For M' = (…, Σ', AP', …): M ↾ M' ≡ M ↾ (Σ', AP')
[Figure: the projected LKS, whose states are labeled only with p and r]

37 Weak Simulation
- M_1 = (Q_1, I_1, Σ ∪ {τ}, T_1, AP, L_1), M_2 = (Q_2, I_2, Σ, T_2, AP, L_2)
- R ⊆ Q_1 × Q_2 is a weak simulation relation if s_1 R s_2 implies: L_1(s_1) = L_2(s_2); ∀ (s_1, α, s_1') ∈ T_1 with α ∈ Σ · ∃ s_2' · (s_2, α, s_2') ∈ T_2 ∧ s_1' R s_2'; and ∀ (s_1, τ, s_1') ∈ T_1 · s_1' R s_2
- M_1 ⊑ M_2 (weak simulation) ≡ ∃ weak simulation relation R ⊆ Q_1 × Q_2 · ∀ s_1 ∈ I_1 · ∃ s_2 ∈ I_2 · s_1 R s_2

38 Compositional Validation
- CE ≼ C || C' ⇔ CE ↾ C ⊑ C ∧ CE ↾ C' ⊑ C'

39 Compositional Validation
- CE ≼ C || C' ⇔ CE ↾ C ⊑ C ∧ CE ↾ C' ⊑ C'
- Infinite states → symbolic representation

40 Symbolic Representation
- M_C = (Q, I, Σ, T, AP, L)
- There exists a class R ⊆ 2^Q such that: each r ∈ R has a finite representation; Q ∈ R; R is closed under intersection and pre-image; given r ∈ R one can check whether r = ∅

41-43 CE ↾ C ⊑ C, symbolically
[Figure sequence: the weak-simulation check is carried out on sets of states of C drawn from the class R. Starting from Q, the procedure walks the counterexample's transitions, taking pre-images of the current set and intersecting them with the sets computed so far (Q, pre(Q) ∩ Q, pre(pre(Q) ∩ Q) ∩ Q, …); the final test is whether the resulting set is ∅.]

44 Abstraction Refinement
- Check whether CE ≼ P
- CE ≼ P ⇒ the counterexample is real
- Otherwise update the set Pred such that for the new [P] we have ¬(CE ≼ [P]) (Chapter 6)
- Minimize the number of predicates to be added (Chapter 7)

45 Case Study: SSL Handshake
- Verify that OpenSSL correctly implements the SSL handshake
- Server and client code, each about 2500 LOC; about 400 LOC remain after abstracting away library routine calls
- Analyzed client and server separately and together

46 SSL Results

Name      | LOC  | Iterations | Avg. model size | Avg. model time (s) | Spec size (states/transitions) | Avg. Horn variables | Avg. Horn clauses | Verif. time | Total time (s) | Memory (MB)
SERVER    | 2483 | 64         | 8984            | 40.2                | 32 / 67                        | 287472              | 352150            | 1636        | 8639           | 743
CLIENT    | 2484 | 71         | 6747            | 28.7                | 29 / 60                        | 195635              | 238296            | 1217        | 7437           | 185
SRVR-CLNT | 4967 | 175        | 77474           | 3.3                 | 6 / 5                          | 387375              | 1386980           | 13786       | 21134          | 1105

48 Thoughts
- Predicate abstraction alone is inadequate for concurrent systems
- States from different control locations are always kept distinct, even when they could be merged
- How do we combine other kinds of abstraction with predicate abstraction?

49-51 Iterative Refinement; IR ≡ Model Checking; Verification ≡ IR
[Figure sequence: the refinement loop of slide 4 redrawn. First the whole loop (Abstraction, Model, Verification, Counterexample valid?, Abstraction Refinement) is viewed as one model-checking procedure (IR ≡ Model Checking). Then the Verification box inside the loop is itself replaced by a nested Iterative Refinement loop (Verification ≡ IR), which gives the two-level scheme.]

52 Existential Abstraction
- M = (Q, I, Σ, T, AP, L)
- Equivalence R ⊆ Q × Q, compatible with the propositional labeling: s R s' ⇒ L(s) = L(s')
- [s] ≡ equivalence class of s
- R induces a quotient LKS M_R

53 Quotient LKS
- M = (Q, I, Σ, T, AP, L), R ⊆ Q × Q
- M_R = (Q_R, I_R, Σ, T_R, AP, L_R)
- Q_R = {[s] | s ∈ Q}
- I_R = {[s] | s ∈ I}
- ([s], α, [s']) ∈ T_R ⇔ (s, α, s') ∈ T for some representatives s ∈ [s], s' ∈ [s']
- L_R([s]) = L(s)
- R compatible with L ⇒ L_R is well-defined

54 Example
[Figure: an LKS M with states 1 to 7, actions a, b, c, d, e and labels p, q, next to its quotient M_R with classes [1], [2,3], [4,5], [6,7]]
- Theorem: M ≼ M_R
- Proof: {(s, [s])} is a simulation relation
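The definitions of simulation (slide 25), parallel composition (slide 28), projection and weak simulation (slides 36 and 37), compositional validation (slides 38 and 39) and the quotient LKS with the theorem M ≼ M_R (slides 52 to 54) can all be exercised on small finite LKSs. The Python below is an added example written for this transcript, not code from the MAGIC tool or the thesis. It computes the greatest (weak) simulation by repeatedly discarding pairs that cannot be matched, the textbook algorithm rather than the symbolic procedure of slides 41 to 43; the components C and C2, the counterexamples and the equivalence relation passed to quotient are constructed here. ⊑ denotes weak simulation as defined on slide 37.

```python
from dataclasses import dataclass
from itertools import product

TAU = "tau"  # the internal action; it is never a member of an alphabet

@dataclass
class LKS:
    """Labeled Kripke structure (Q, I, Sigma, T, AP, L)."""
    states: frozenset
    init: frozenset
    alphabet: frozenset
    trans: frozenset   # triples (s, a, s')
    ap: frozenset
    labels: dict       # s -> frozenset of atomic propositions

    def succ(self, s, a):
        return {t for (x, b, t) in self.trans if x == s and b == a}

def greatest_simulation(m1, m2, weak=False):
    """Largest (weak) simulation R ⊆ Q1 × Q2: start from all label-equal pairs and
    drop a pair whenever some transition of s1 cannot be matched from s2."""
    R = {(s1, s2) for s1 in m1.states for s2 in m2.states
         if m1.labels[s1] == m2.labels[s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            for (x, a, t1) in m1.trans:
                if x != s1:
                    continue
                if weak and a == TAU:      # a tau step of M1 is matched by standing still
                    matched = (t1, s2) in R
                else:                      # an alpha step needs an alpha step of M2
                    matched = any((t1, t2) in R for t2 in m2.succ(s2, a))
                if not matched:
                    R.discard((s1, s2))
                    changed = True
                    break
    return R

def simulates(m1, m2, weak=False):
    """M1 ≼ M2 (weak=False) or M1 ⊑ M2 (weak=True)."""
    R = greatest_simulation(m1, m2, weak)
    return all(any((s1, s2) in R for s2 in m2.init) for s1 in m1.init)

def compose(m1, m2):
    """M1 || M2: shared actions synchronise, private actions and tau interleave."""
    states = frozenset(product(m1.states, m2.states))
    trans = set()
    for (s1, s2) in states:
        for a in m1.alphabet | m2.alphabet:
            n1 = m1.succ(s1, a) if a in m1.alphabet else {s1}
            n2 = m2.succ(s2, a) if a in m2.alphabet else {s2}
            trans |= {((s1, s2), a, (t1, t2)) for t1 in n1 for t2 in n2}
        trans |= {((s1, s2), TAU, (t1, s2)) for t1 in m1.succ(s1, TAU)}
        trans |= {((s1, s2), TAU, (s1, t2)) for t2 in m2.succ(s2, TAU)}
    return LKS(states, frozenset(product(m1.init, m2.init)), m1.alphabet | m2.alphabet,
               frozenset(trans), m1.ap | m2.ap,
               {(s1, s2): m1.labels[s1] | m2.labels[s2] for (s1, s2) in states})

def project(m, sigma, ap):
    """M ↾ (Sigma', AP'): actions outside Sigma' become tau, labels are cut to AP'."""
    return LKS(m.states, m.init, m.alphabet & sigma,
               frozenset((s, a if a in sigma else TAU, t) for (s, a, t) in m.trans),
               m.ap & ap, {s: m.labels[s] & ap for s in m.states})

def quotient(m, cls):
    """Existential abstraction M_R for the equivalence given by cls: state -> class name.
    cls must be label-compatible (states in one class carry the same labels)."""
    return LKS(frozenset(cls[s] for s in m.states), frozenset(cls[s] for s in m.init),
               m.alphabet, frozenset((cls[s], a, cls[t]) for (s, a, t) in m.trans),
               m.ap, {cls[s]: m.labels[s] for s in m.states})

def path(labels, actions):
    """Constructed linear counterexample e0 -actions[0]-> e1 -> ... with the given labels."""
    n = len(labels)
    return LKS(frozenset(range(n)), frozenset({0}), frozenset(actions),
               frozenset((i, actions[i], i + 1) for i in range(n - 1)),
               frozenset().union(*labels), {i: frozenset(labels[i]) for i in range(n)})

# Constructed components: C does a then b, C2 does a then c; they synchronise on a.
C = LKS(frozenset({"c0", "c1", "c2"}), frozenset({"c0"}), frozenset({"a", "b"}),
        frozenset({("c0", "a", "c1"), ("c1", "b", "c2")}), frozenset({"p"}),
        {"c0": frozenset({"p"}), "c1": frozenset(), "c2": frozenset({"p"})})
C2 = LKS(frozenset({"d0", "d1", "d2"}), frozenset({"d0"}), frozenset({"a", "c"}),
         frozenset({("d0", "a", "d1"), ("d1", "c", "d2")}), frozenset({"q"}),
         {"d0": frozenset({"q"}), "d1": frozenset(), "d2": frozenset({"q"})})

def monolithic_check(ce):
    """CE ≼ C || C2, computed on the product."""
    return simulates(ce, compose(C, C2))

def compositional_check(ce):
    """CE ↾ C ⊑ C  ∧  CE ↾ C2 ⊑ C2, without ever building the product."""
    return (simulates(project(ce, C.alphabet, C.ap), C, weak=True)
            and simulates(project(ce, C2.alphabet, C2.ap), C2, weak=True))
```

For a counterexample path such as {p,q} -a-> {} -b-> {p} -c-> {p,q} both checks agree (it is real); for {p,q} -b-> {p} both reject it, and the compositional check already fails on C alone because c0 has no b-transition. Merging d0 and d2 of C2 into one class gives a quotient that C2 is simulated by but that is not simulated by C2: the quotient admits the extra behaviour a c a c …, which is exactly the kind of spurious counterexample that the class splitting of slides 56 to 58 removes.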

55 Verification
- Given [P] = [C] || [C'] and Spec:
  1. Use equivalence relations R and R'; initially R and R' are maximal
  2. Construct [P]_RR' = [C]_R || [C']_R', so that [P] ≼ [P]_RR'
  3. Check whether [P]_RR' ≼ Spec
     a. [P] ≼ [P]_RR' ∧ [P]_RR' ≼ Spec ⇒ [P] ≼ Spec
     b. Otherwise …

56 Counterexample Validation
- ¬([P]_RR' ≼ Spec) ⇒ ∃ CE · CE ≼ [P]_RR' ∧ ¬(CE ≼ Spec)
- CE has a tree structure
- Check whether CE ≼ [P] = [C] || [C']; this is the same as CE ↾ [C] ⊑ [C] ∧ CE ↾ [C'] ⊑ [C']
- ¬(CE ≼ Spec) ∧ CE ≼ [P] ⇒ ¬([P] ≼ Spec)

57 Refinement
- Suppose ¬(CE ↾ [C] ⊑ [C])
- We know CE ≼ [P]_RR' = [C]_R || [C']_R'
- Hence CE ↾ [C]_R ⊑ [C]_R
- By transitivity, ¬([C]_R ⊑ [C])
- So some equivalence class of R can be split

58 Splitting R
[Figure: CE ↾ [C]_R ⊑ [C]_R together with [C] ≼ [C]_R, before an equivalence class of R is split]

59 Splitting R
[Figure: the quotient after the class has been split]
- Repeated splitting ⇒ C_R converges to the bisimulation quotient of C

60-65 Two Level IR
[Figure sequence: components C_1 … C_4 are predicate-abstracted to [C_1] … [C_4] (C_i ≼ [C_i]); these are existentially abstracted to A_1 … A_4 ([C_i] ≼ A_i) and the composition of the A_i is checked against Spec. A counterexample found at the existential level is validated against the [C_i]; when it is spurious, existential refinement splits classes of the offending A_i (A_1, then A_3, then A_2 in the animation) and the check is repeated. A counterexample that survives the [C_i] is validated against the concrete C_i: it is either a real bug or it triggers predicate refinement of some [C_i] (here [C_2]), after which the outer loop continues. Outcome: no bugs, or a real counterexample.]

66 Results

Test   | One level: S1 | M1   | T1   | Two level: S2 | M2  | T2   | Gain T1/T2 | Gain M1/M2
SSL-1  | 157266        | 1023 | 886  | 15840         | 122 | 1081 | 0.82       | 8.39
SSL-2  | 201940        | 1070 | 1645 | 6072          | 64  | 500  | 3.29       | 16.72
SSL-3  | 203728        | 1003 | 1069 | 20172         | 130 | 1805 | 0.59       | 7.72
SSL-4  | 201940        | 640  | 1184 | 7808          | 69  | 482  | 2.46       | 9.28
SSL-5  | 184060        | 780  | 1355 | 6240          | 64  | 407  | 3.33       | 12.19
SSL-6  | 158898        | 426  | 695  | 2310          | 56  | 219  | 3.17       | 7.61
SSL-7  | 103566        | 250  | 447  | 7743          | 74  | 472  | 0.95       | 3.38
SSL-8  | 161580        | 945  | 1071 | 4617          | 64  | 387  | 2.77       | 14.77
SSL-9  | 214989        | 1475 | 1515 | 13800         | 106 | 716  | 2.12       | 13.92
SSL-10 | 118353        | 663  | 628  | 3024          | 60  | 402  | 1.56       | 11.05
SSL-11 | 204708        | 1131 | 794  | 8820          | 79  | 446  | 1.78       | 14.32
SSL-12 | 121170        | 373  | 303  | 2079          | 56  | 204  | 1.49       | 6.66
SSL-13 | 152796        | 361  | 579  | 3780          | 60  | 349  | 1.66       | 6.02

69 Summary
- Compositional IR for concurrent programs: message-passing communication, simulation conformance
- Combine predicate abstraction and existential abstraction in a two-level compositional IR algorithm
- Experimental validation

70 Thank you!
- Edmund Clarke: exemplary advisor
- Alex Groce, Somesh Jha, Helmut Veith: the original magicians
- Tom Ball, Sriram Rajamani, Jakob Rehof: superb summer job mentors
- Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav: awesome guides
- Randal Bryant, David Garlan: excellent thesis committee members

71 Questions?

