Integrating Verification Components

Over the last few years, a number of impressive verification tools and techniques have been developed for verifying limited classes of systems and properties. These verification methods include test case generation, static analysis, type checking, model checking, decision procedures, and interactive theorem provers. Effective large-scale verification requires the careful integration of these verification tools so that deeper properties of large systems emerge through the cooperative use of a suite of tools. The integration of verification components must occur at both the fine-grain and coarse-grain levels. It should facilitate the coordination of different tools in the construction of single, coherent verification. We outline some of the challenges in achieving such an integration for logic-based tools. Computer-aided verification through the use of model checkers and theorem provers has become a critical technology in the design of reliable systems. The efforts of researchers over the past 50 years has yielded an impressive array of verification tools. However, no single tool or technique is going to solve the verification problem. We instead need a spectrum of formal methods and tools ranging from test case generators, runtime verifiers, static analyzers, and type checkers, to invariant generators, decision procedures, bounded model checkers, explicit and symbolic model checkers, and program verifiers. These tools and techniques are used to calculate properties of designs and implementations to varying degrees of assurance [TRS03]. They are also interdependent so that a useful verification system typically combines several of these techniques. Tool integration has become critical need in computer-aided verification for a variety of reasons. The individual tools have become quite sophisticated and specialized and their development and maintenance requires a substantial investment of time and effort. Few research groups have the resources to afford the development of custom tools. The range of applications of verification technology has been broadened to include a wide array of analyses such as test case ? Funded by NSF Grant Nos. CCR-ITR-0326540 and CCR-ITR-0325808, DARPA REAL project, and SRI International. generation, extended static checking, runtime verification, invariant generation, controller synthesis, and proof-carrying code, to name a few recent developments. Several of these applications make opportunistic use of available tools to achieve partial but effective analyses that uncover a large class of bugs. Specialized tools need to be employed in order to address the requirements of individual application domains such as hardware, operating systems, embedded real-time and hybrid systems, and cryptographic protocols. Predicate abstraction [SG97] is a good example of the integration of various verification tools. Predicates over the concrete state space are used to construct a finite-state approximation of the transitions and properties through the use of theorem proving. Model checking is then used to explore the abstract state space. If an abstract counterexample is found, a satisfiability checker can be used to construct a corresponding concrete counterexample. If there is no such concrete counterexample, techniques like interpolation [JM05] can be applied to proof of unsatisfiability to refine the abstraction predicates so as to exclude spurious abstract counterexamples. We therefore argue that a program verifier as envisioned in the Verified Software Grand Challenge ought to consist of interconnected components for analysis and verification specialized to specific theories, logics, and logic fragments. The challenge here is to design a verification architecture that supports coherent integration between inference components for fine-grained and coarse-grained interaction. Cooperating decision procedures in the style of the Nelson–Oppen method [NO79] provide an example of fine-grained interaction. The combination of propositional satisfiability and ground decision procedures can be carried out through fine-grained interaction as in the lazy approach [BDS02,dMRS02,FJOS03] where a satisfiability solver is modified to produce assertions and queries for a decision procedure. Such a combination can also be realized through a coarse-grained interaction as in the eager approach of using a decision procedure to generate lemmas that assist a satisfiability solver interaction [BLS02]. PVS [ORS92] is a general-purpose proof assistant that supports both a fine-grained interaction with a decision procedure and rewriter as well as the coarse-grained integration of various inference procedures including a model checker. This position paper reports on the theoretical and practical challenges of building component tools as well as integrating components into a larger system. The practical challenges are mainly in managing the trade-off between efficiency and modularity, whereas the theoretical challenges are in achieving cohesive fine-grained and coarse-grained interaction between specialized components. We present two related challenges for a component technology for verification. The first challenge addresses the interfaces that these components must support for ease of integration. The second challenge focuses on the architectural frameworks for coarse-grained and fine-grained integration of verification components.