Results 1-10 of 171
Model Checking for Programming Languages using VeriSoft
In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, 1997
Cited by 442 (13 self)
Abstract: Verification by state-space exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing model-checking techniques are restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. In this paper, we discuss how model checking can be extended to deal directly with "actual" descriptions of concurrent systems, e.g., implementations of communication protocols written in programming languages such as C or C++. We then introduce a new search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary C code. As an example of application, we describe how VeriSoft successfully discovered an error in a 2500-line C program controlling rob...
Verifying Programs with Unreliable Channels (Extended Abstract)
Information and Computation, 1992
Cited by 217 (39 self)
Abstract: The research on algorithmic verification methods for concurrent and parallel systems has mostly focussed on finite-state systems, with applications in e.g. communication protocols and hardware systems. For infinite-state systems, e.g. systems that operate on data from unbounded domains, algorithmic verification is more difficult, since most verification problems are in general undecidable. In this paper, we consider the verification of a particular class of infinite-state systems, namely systems consisting of finite-state processes that communicate via unbounded lossy FIFO channels. This class is able to model e.g. link protocols such as the Alternating Bit Protocol and HDLC. The unboundedness of the channels makes these systems infinite-state. For this class of systems, we show that several interesting verification problems are decidable by giving algorithms for verifying the following classes of properties.
All from one, one for all: on model checking using representatives
LNCS, 1993
Cited by 184 (6 self)
Abstract: Checking that a given finite-state program satisfies a linear temporal logic property is suffering in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces, such that for each equivalence class, either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than to the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow a coarser equivalence relation among sequences, such that fewer representatives are needed.
Model Checking of Safety Properties
1999
Cited by 146 (20 self)
Abstract: Of special interest in formal verification are safety properties, which assert that the system always stays within some allowed region. Proof rules for the verification of safety properties have been developed in the proof-based approach to verification, making verification of safety properties simpler than verification of general properties. In this paper we consider model checking of safety properties. A computation that violates a general linear property reaches a bad cycle, which witnesses the violation of the property. Accordingly, current methods and tools for model checking of linear properties are based on a search for bad cycles. A symbolic implementation of such a search involves the calculation of a nested fixed-point expression over the system's state space, and is often impossible. Every computation that violates a safety property has a finite prefix along which the property is violated. We use this fact in order to base model checking of safety properties on a search for ...
Evaluating Deadlock Detection Methods for Concurrent Software
IEEE Transactions on Software Engineering, 1996
Cited by 132 (6 self)
Abstract: Static analysis of concurrent programs has been hindered by the well-known state explosion problem. Although many different techniques have been proposed to combat this state explosion, there is little empirical data comparing the performance of the methods. This information is essential for assessing the practical value of a technique and for choosing the best method for a particular problem. In this paper, we carry out an evaluation of three techniques for combating the state explosion problem in deadlock detection: reachability search with a partial order state space reduction, symbolic model checking, and inequality necessary conditions. We justify the method used for the comparison, and carefully analyze several sources of potential bias. The results of our evaluation provide valuable data on the kinds of programs to which each technique might best be applied. Furthermore, we believe that the methodological issues we discuss are of general significance in comparison of analysis te...
Slicing Software for Model Construction
Higher-Order and Symbolic Computation, 1999
Cited by 105 (18 self)
Abstract: Applying finite-state verification techniques (e.g., model checking) to software requires that program source code be translated to a finite-state transition system that safely models program behavior. Automatically checking such a transition system for a correctness property is typically very costly, thus it is necessary to reduce the size of the transition system as much as possible. In fact, it is often the case that much of a program's source code is irrelevant for verifying a given correctness property. In this paper, we apply program slicing techniques to remove automatically such irrelevant code and thus reduce the size of the corresponding transition system models. We give a simple extension of the classical slicing definition, and prove its safety with respect to model checking of linear temporal logic (LTL) formulae. We discuss how this slicing strategy fits into a general methodology for deriving effective software models using abstraction-based program specializati...
Symbolic Verification with Periodic Sets
1994
Cited by 78 (6 self)
Abstract: Symbolic approaches attack the state explosion problem by introducing implicit representations that allow the simultaneous manipulation of large sets of states. The most commonly used representation in this context is the Binary Decision Diagram (BDD). This paper takes the point of view that other structures than BDDs can be useful for representing sets of values, and that combining implicit and explicit representations can be fruitful. It introduces a representation of complex periodic sets of integer values, shows how this representation can be manipulated, and describes its application to the state-space exploration of protocols. Preliminary experimental results indicate that the method can dramatically reduce the resources required for state-space exploration.
Timed Petri Nets and BQOs
In Proc. ICATPN’01, 2001
Cited by 63 (9 self)
Abstract: We consider (unbounded) Timed Petri Nets (TPNs) where each token is equipped with a real-valued clock representing the “age” of the token. Each arc in the net is provided with a subinterval of the natural numbers, restricting the ages of the tokens travelling the arc. We apply a methodology developed in [AN00], based on the theory of better quasi orderings (BQOs), to derive an efficient constraint system for automatic verification of safety properties for TPNs. We have implemented a prototype based on our method and applied it for verification of a parametrized version of Fischer’s protocol.
Reasoning about threads communicating via locks
In CAV, 2005
Cited by 62 (8 self)
Abstract: We propose a new technique for the static analysis of concurrent programs comprised of multiple threads. In general, the problem is known to be undecidable even for programs with only two threads but where the threads communicate using CCS-style pairwise rendezvous [10]. However, in practice, a large fraction of concurrent programs can either be directly modeled as threads communicating solely using locks or can be reduced to such systems either by applying standard abstract interpretation techniques or by exploiting separation of control from data. For such a framework, we show that for the commonly occurring case of threads with nested access to locks, the problem is efficiently decidable. Our technique involves reducing the analysis of a concurrent program with multiple threads to individually analyzing augmented versions of the given threads. This not only yields decidability but also avoids construction of the state space of the concurrent program at hand, and thus bypasses the state explosion problem, making our technique scalable. We go on to show that for programs with threads that have non-nested access to locks, the static analysis problem for programs with even two threads becomes undecidable even for reachability, thus sharpening the result of [10]. As a case study, we consider the Daisy file system [1], which is a benchmark for analyzing the efficacy of different methodologies for debugging concurrent programs, and show the existence of several bugs.
Coverage Preserving Reduction Strategies for Reachability Analysis
Cited by 61 (7 self)
Abstract: We study the effect of three new reduction strategies for conventional reachability analysis, as used in automated protocol validation algorithms. The first two strategies are implementations of partial order semantics rules that attempt to minimize the number of execution sequences that need to be explored for a full state space exploration. The third strategy is the implementation of a state compression scheme that attempts to minimize the amount of memory that is used to build a state space. The three strategies are shown to have a potential for substantially improving the performance of a conventional search. The paper discusses the optimal choices for reducing either run time or memory requirements by four to six times. The strategies can readily be combined with each other and with alternative state space reduction techniques such as supertrace or state space caching methods.