The model checker SPIN
IEEE Transactions on Software Engineering, 1997
Cited by 1254 (25 self)
Abstract
SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications.
Index Terms: Formal methods, program verification, design verification, model checking, distributed systems, concurrency.
Combining Partial Order Reductions with On-the-fly Model-checking
1994
Cited by 191 (14 self)
Abstract
Partial order model-checking is an approach to reduce time and memory in model-checking concurrent programs. On-the-fly model-checking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during its generation. We prove conditions under which these two methods can be combined in order to gain reduction from both methods. An extension of the model-checker SPIN, which implements this combination, is studied, showing substantial reduction over traditional search, not only in the number of reachable states, but directly in the amount of memory and time used. We also describe how to apply partial-order model-checking under given fairness assumptions.
An Analysis of Bit-state Hashing
1995
Cited by 82 (3 self)
Abstract
The bit-state hashing, or supertrace, technique was introduced in 1987 as a method to increase the quality of verification by reachability analyses for applications that defeat analysis by traditional means because of their size. Since then, the technique has been included in many research verification tools, and was adopted in tools that are marketed commercially. It is therefore important that we understand well how and why the method works, what its limitations are, and how it compares with alternative methods over a broad range of problem sizes. The original
Symbolic Verification with Periodic Sets
1994
Cited by 73 (6 self)
Abstract
Symbolic approaches attack the state explosion problem by introducing implicit representations that allow the simultaneous manipulation of large sets of states. The most commonly used representation in this context is the Binary Decision Diagram (BDD). This paper takes the point of view that other structures than BDDs can be useful for representing sets of values, and that combining implicit and explicit representations can be fruitful. It introduces a representation of complex periodic sets of integer values, shows how this representation can be manipulated, and describes its application to the state-space exploration of protocols. Preliminary experimental results indicate that the method can dramatically reduce the resources required for state-space exploration.
Reliable Hashing without Collision Detection
In Computer Aided Verification, 5th International Conference, 1993
Cited by 63 (1 self)
Abstract
Thanks to a variety of new techniques, state-space exploration is becoming an increasingly effective method for the verification of concurrent programs. One of these techniques, hashing without collision detection, was proposed by Holzmann as a way to vastly reduce the amount of memory needed to store the explored state space. Unfortunately, this reduction in memory use comes at the price of a high probability of ignoring part of the state space and hence of missing existing errors. In this paper, we carefully analyze this method and show that, by using a modified strategy, it is possible to reduce the risk of error to a negligible amount while maintaining the memory use advantage of Holzmann's technique. Our proposed strategy has been implemented and we describe experiments that confirm the excellent expected results.
Distributed-Memory Model Checking with SPIN
In Proceedings of the 6th International SPIN Workshop on Model Checking of Software (SPIN’99), volume 1680 of LNCS, 1999
Cited by 60 (2 self)
Abstract
The main limiting factor of the model checker SPIN is currently the amount of available physical memory. This paper explores the possibility of exploiting a distributed-memory execution environment, such as a network of workstations interconnected by a standard LAN, to extend the size of the verification problems that can be successfully handled by SPIN. A distributed version of the algorithm used by SPIN to verify safety properties is presented, and its compatibility with the main memory and complexity reduction mechanisms of SPIN is discussed. Finally, some preliminary experimental results are presented.
A Partial Order Approach to Branching Time Logic Model Checking
Information and Computation, 1994
Cited by 55 (14 self)
Abstract
Partial order techniques enable reducing the size of the state graph used for model checking, thus alleviating the `state space explosion' problem. These reductions are based on selecting a subset of the enabled operations from each program state. So far, these methods have been studied, implemented and demonstrated for assertional languages that model the executions of a program as computation sequences, in particular the logic LTL (linear temporal logic). The present paper shows, for the first time, how this approach can be applied to languages that model the behavior of a program as a tree. We study here partial order reductions for branching temporal logics, e.g., the logics CTL and CTL* (all logics with the next-time operator removed) and process algebras such as CCS. Conditions on the subset of successors from each node to guarantee reduction that preserves CTL properties are given. Provided experimental results show that the reduction is substantial.
State Compression in SPIN: Recursive Indexing and Compression Training Runs
In Proceedings of Third International SPIN Workshop, 1997
Cited by 40 (1 self)
Abstract
The verification algorithm of SPIN is based on an explicit enumeration of a subset of the reachable state-space of a system that is obtained through the formalization of a correctness requirement as an automaton. This automaton restricts the state-space to precisely the subset that may contain the counterexamples to the original correctness requirement, if they exist. This method of verification conforms to the method for automata-theoretic verification outlined in [VW86]. SPIN derives
On the Verification of Temporal Properties
1993
Cited by 32 (10 self)
Abstract
We present a new algorithm that can be used for solving the model-checking problem for linear-time temporal logic. This algorithm can be viewed as the combination of two existing algorithms plus a new state representation technique introduced in this paper. The new algorithm is simpler than the traditional algorithm of Tarjan to check for maximal strongly connected components in a directed graph, which is the classical algorithm used for model-checking. It has the same time complexity as Tarjan's algorithm, but requires less memory. Our algorithm is also compatible with other important complexity management techniques, such as bit-state hashing and state space caching.
Checking Subsystem Safety Properties in Compositional Reachability Analysis
In Proceedings of the 18th International Conference on Software Engineering, 1995
Cited by 25 (7 self)
Abstract
The software architecture of a distributed system can be described as a hierarchical composition of subsystems, with interacting processes as the leaves of the hierarchy. Process behaviour can be specified using finite-state machines. A global state machine describing the overall system behaviour can be constructed using compositional reachability analysis techniques. These techniques compose the global state machine of a system from its component processes in stages, based on the specified hierarchy. The key to the success of these analysis techniques is to employ a modular software architecture and hide as many internal actions as possible in each subsystem. A subsystem containing fewer observable actions can generally be represented by a simpler state machine. However, the properties that are available for reasoning (analysis) in the global state machine are constrained by the set of remaining globally observable actions. In this paper, we introduce a technique to check safety prope...