Results 1  10
of
16
Model Checking Programs
, 2003
"... The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this pape ..."
Abstract

Cited by 470 (61 self)
 Add to MetaCart
The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a realtime avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.
Experience with Predicate Abstraction
 IN COMPUTER AIDED VERIFICATION
, 1999
"... This reports some experiences with a recentlyimplemented prototype system for verification using predicate abstraction, based on the method of Graf and Saidi [9]. Systems are described using a language of iterated guarded commands, called MurOE \Gamma\Gamma (since it is a simplified version o ..."
Abstract

Cited by 131 (5 self)
 Add to MetaCart
This reports some experiences with a recentlyimplemented prototype system for verification using predicate abstraction, based on the method of Graf and Saidi [9]. Systems are described using a language of iterated guarded commands, called MurOE \Gamma\Gamma (since it is a simplified version of our MurOE protocol description language). The system makes use of two libraries: SVC [1] (an efficient decision procedure for quantifierfree firstorder logic) and the CMU BDD library. The use of these libraries increases the scope of problems that can be handled by predicate abstraction through increased efficiency, especially in SVC, which is typically called thousands of times. The verification system also provides limited support for quantifiers in formulas. The system ...
Local Reasoning about a Copying Garbage Collector
 In 31st ACM POPL
, 2004
"... We present a programming language, model, and logic appropriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics [18, 23] to formally specify partial correct ..."
Abstract

Cited by 63 (8 self)
 Add to MetaCart
We present a programming language, model, and logic appropriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics [18, 23] to formally specify partial correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have given, and auxiliary variables [19].
Mechanical Verification of a Garbage Collector
 FMPPTA'99: Fourth International Workshop on Formal Methods for Parallel Programming : Theory and Applications, number 1586 in LNCS
, 1999
"... Abstract. We describe how the PVS verification system has been used to verify a safety property of a garbage collection algorithm, originally suggested by BenAri. The safety property basically says that “nothing but garbage is ever collected”. Although the algorithm is relatively simple, its parall ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
Abstract. We describe how the PVS verification system has been used to verify a safety property of a garbage collection algorithm, originally suggested by BenAri. The safety property basically says that “nothing but garbage is ever collected”. Although the algorithm is relatively simple, its parallel composition with a “user ” program that (nearly) arbitrarily modifies the memory makes the verification quite challenging. The garbage collection algorithm and its composition with the user program is regarded as a concurrent system with two processes working on a shared memory. Such concurrent systems can be encoded in PVS as state transition systems, very similar to the models of, for example, UNITY and TLA. The algorithm is an excellent testcase for formal methods, be they based on theorem proving or model checking. Various handwritten proofs of the algorithm have been developed, some of which are wrong. David Russinoff has verified the algorithm in the BoyerMoore prover, and our proof is an adaption of this proof to PVS. We also model check a finite state version of the algorithm in the Stanford model checker Murphi, and we compare the result with the PVS verification. 1
CGCExplorer: A SemiAutomated Search Procedure for Provably Correct Concurrent Collectors
, 2007
"... Concurrent garbage collectors are notoriously hard to design, implement, and verify. We present a framework for the automatic exploration of a space of concurrent markandsweep collectors. In our framework, the designer specifies a set of “building blocks” from which algorithms can be constructed. ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
Concurrent garbage collectors are notoriously hard to design, implement, and verify. We present a framework for the automatic exploration of a space of concurrent markandsweep collectors. In our framework, the designer specifies a set of “building blocks” from which algorithms can be constructed. These blocks reflect the designer’s insights about the coordination between the collector and the mutator. Given a set of building blocks, our framework automatically explores a space of algorithms, using model checking with abstraction to verify algorithms in the space. We capture the intuition behind some common markandsweep algorithms using a set of building blocks. We utilize our framework to automatically explore a space of more than 1, 600, 000 algorithms built from these blocks, and derive over 100 correct finegrained algorithms with various space, synchronization, and precision tradeoffs.
Correctnesspreserving derivation of concurrent garbage collection algorithms
 Available at http://www.worldbank.org/en_breve Jalan, Jyotsna and Martin Ravallion. 2001. “Does piped water reduce diarrhea for children in Rural India.” Policy Research Working Paper
, 2006
"... Constructing correct concurrent garbage collection algorithms is notoriously hard. Numerous such algorithms have been proposed, implemented, and deployed – and yet the relationship among them in terms of speed and precision is poorly understood, and the validation of one algorithm does not carry ove ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Constructing correct concurrent garbage collection algorithms is notoriously hard. Numerous such algorithms have been proposed, implemented, and deployed – and yet the relationship among them in terms of speed and precision is poorly understood, and the validation of one algorithm does not carry over to others. As programs with low latency requirements written in garbagecollected languages become part of society’s missioncritical infrastructure, it is imperative that we raise the level of confidence in the correctness of the underlying system, and that we understand the tradeoffs inherent in our algorithmic choice. In this paper we present correctnesspreserving transformations that can be applied to an initial abstract concurrent garbage collection algorithm which is simpler, more precise, and easier to prove correct than algorithms used in practice — but also more expensive and with less concurrency. We then show how both preexisting and new algorithms can be synthesized from the abstract algorithm by a series of our transformations. We relate the algorithms formally using a new definition of precision, and informally with respect to overhead and concurrency. This provides many insights about the nature of concurrent collection, allows the direct synthesis of new and useful algorithms, reduces the burden of proof to a single simple algorithm, and lays the groundwork for the automated synthesis of correct concurrent collectors. 1.
A Mechanized Refinement Proof for a Garbage Collector
 Formal Aspects of Computing
, 1998
"... . We describe how the PVS verification system has been used to verify a safety property of a widely studied garbage collection algorithm. The safety property asserts that "nothing but garbage is ever collected." The garbage collection algorithm and its composition with the user program can be regar ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
. We describe how the PVS verification system has been used to verify a safety property of a widely studied garbage collection algorithm. The safety property asserts that "nothing but garbage is ever collected." The garbage collection algorithm and its composition with the user program can be regarded as a concurrent system with two processes working on a shared memory. Such concurrent systems are encoded in PVS as state transition systems using a model similar to TLA [Lam94]. The safety criterion is formulated as a refinement and proved using refinement mappings. Russinoff [Rus94] has verified the algorithm in the BoyerMoore prover, but his proof is not based on refinement and safety property cannot be appreciated without a glass box view of the workings of the algorithm. Using refinement, however, the safety criterion makes sense independent of the garbage collection algorithm. As a byproduct, we encode a a version of the theory of refinement mappings in PVS. 1 Supported by a Eur...
Formal verification of machinecode programs
, 2009
"... Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically mode ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically modelled machine code. The work presented in this dissertation aims to ease the effort required in proving properties of programs on top of detailed models of machine code. The contributions are novel approaches for both verification of existing programs and methods for automatically constructing correct code. For program verification, this thesis presents a new approach based on translation: the problem of proving properties of programs is reduced, via fullyautomatic deduction, to a problem of proving properties of recursive functions. The translation from programs to recursive functions is shown to be implementable in a theorem prover both for simple whileprograms as well as real machine code. This verificationaftertranslation approach has several advantages over established approaches of verification condition generation. In particular, the new approach does not require annotating the program with assertions. More
Reusable verification of a copying collector
"... Abstract. Garbage collectors are very hard to implement correctly due to their lowlevel manipulation of memory. In this paper, we construct a copying garbage collector which we have proved to be functionally correct. Our verification proof is structured as a sequence of refinements to aid clarity a ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
Abstract. Garbage collectors are very hard to implement correctly due to their lowlevel manipulation of memory. In this paper, we construct a copying garbage collector which we have proved to be functionally correct. Our verification proof is structured as a sequence of refinements to aid clarity and proof reuse; it is the first to map implementations into three different machine languages and, unlike some noteworthy published proofs, our verified implementations of memory allocation handle termination and the ‘outofmemory ’ case properly. The work presented here has been developed in the HOL4 theorem prover. 1
Birrell’s Distributed Reference Listing Revisited
"... The Java RMI collector is arguably the most widely used distributed garbage collector. Its distributed reference listing algorithm was introduced by Birrell in the context of Network Objects, where the description was informal and heavily biased toward implementation. In this paper, we formalise thi ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
The Java RMI collector is arguably the most widely used distributed garbage collector. Its distributed reference listing algorithm was introduced by Birrell in the context of Network Objects, where the description was informal and heavily biased toward implementation. In this paper, we formalise this algorithm in an implementationindependent manner, which allows us to clarify weaknesses of the initial presentation. In particular, we discover cases critical to the correctness of the algorithm that are not accounted for by Birrell. We use our formalisation to derive an invariantbased proof of correctness of the algorithm that avoids notoriously difficult temporal reasoning. Furthermore, we offer a novel graphical representation of the state transition diagram, which we use to provide intuitive explanations of the algorithm and to investigate its tolerance to faults in a systematic manner. Finally, we examine how the algorithm may be optimised, either by placing constraints on message channels or by tightening the coupling between application program and distributed garbage collector.