Results 1 - 10 of 17
Model Checking for Programming Languages using VeriSoft
- In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, 1997
Cited by 324 (10 self)
Verification by state-space exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing model-checking techniques are restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. In this paper, we discuss how model checking can be extended to deal directly with "actual" descriptions of concurrent systems, e.g., implementations of communication protocols written in programming languages such as C or C++. We then introduce a new search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary C code. As an example of application, we describe how VeriSoft successfully discovered an error in a 2500-line C program controlling rob...
Automatic Verification of the SCI Cache Coherence Protocol
- In Correct Hardware Design and Verification Methods: IFIP WG10.5 Advanced Research Working Conference Proceedings, 1995
Cited by 41 (16 self)
This paper describes an ongoing effort to verify the cache coherence protocol of the IEEE/ANSI Standard for Scalable Coherent Interface using the Murφ verification system. A model of the typical set protocol was constructed in the Murφ description language. This model was augmented with a specification of properties necessary for cache coherence. The Murφ verification system automatically checks if all reachable states in the model satisfy the given specification. Although verification is still under way, we have already found several errors in the C-code defining the protocol. Finally, we elucidate the experiences gained in the verification project. 1 Introduction The IEEE/ANSI Standard for Scalable Coherent Interface (SCI) includes a cache coherence protocol for distributed shared-memory multiprocessors. Designing a complex protocol -- like this cache coherence protocol -- is a challenging and difficult task. It is very hard for a designer to predict all possible interactions amon...
Verification Techniques for Cache Coherence Protocols.
- 1997
Cited by 34 (0 self)
ion and Specification Using FSMs Although there is a variety of ways to specify a protocol model, we are interested in methodologies that employ finite state machines (FSMs) to form protocol models. Because cache protocols are essentially composed of component processes such as memory and cache controllers that exchange messages and respond to "events" generated by processors, a finite state machine model with such "events" as its inputs is a natural model. Specifically, we focus on verifying cache protocols where the behavior of an individual protocol component C is modeled as a finite state machine FSM_C and the protocol machine is composed of all FSM_Cs. Inputs to these machines are processor-generated events and messages for maintaining data consistency. In general, the protocol models are abstracted representations. They are often kept simple to make the complexity of verification manageable, while preserving properties of interest. It is clear that the quality of a ve...
A Toolbox for the Verification of LOTOS Programs
- 1992
Cited by 32 (4 self)
This paper presents the tools Aldébaran, Caesar, Caesar.adt and Cléopâtre which constitute a toolbox for compiling and verifying Lotos programs. The principles of these tools are described, as well as their performances and limitations. Finally, the formal verification of the rel/REL atomic multicast protocol is given as an example to illustrate the practical use of the toolbox. Keywords: reliability, formal methods, Lotos, verification, validation, model-based methods, model checking, transition systems, bisimulations, temporal logics, diagnostics Introduction There is an increasing need for reliable software, which is especially critical in some areas such as communication protocols, distributed systems, real-time control systems, and hardware synthesis systems. It is now agreed that reliability can only be achieved through the use of rigorous design techniques. This has motivated a lot of research on specification formalisms and associated verification methods and tools. Ver...
Symbolic Bisimulation Minimisation
- In Computer Aided Verification
Cited by 29 (6 self)
We adapt the Coarsest Partition Refinement algorithm to its computation using the specific data structures of Binary Decision Diagrams. This allows generating symbolically the set of equivalence classes of a finite automaton with respect to bisimulation, without constructing the automaton itself. These equivalence classes represent of course the (new) states of the canonical minimal automaton bisimilar to the early one. The method works from labeled synchronised vectors of automata as the distributed system description. We report on the performance of Hoggar, a tool implementing our method. 1 Introduction Bisimulation is a central notion in the domain of verification of concurrent systems [18]. It was introduced as the major behavioural equivalence in the setting of process algebras [18, 2], but works at the interpretation level of labeled transition systems. Algorithmic properties of bisimulation in the finite state case have been widely studied [16, 20, 11], leading to a lar...
State Reduction Using Reversible Rules
- 1996
Cited by 12 (7 self)
We reduce the state explosion problem in automatic verification of finite-state systems by automatically collapsing subgraphs of the state graph into abstract states. The key idea of the method is to identify state generation rules that can be inverted. It can be used for verification of deadlock-freedom, error and invariant checking and stuttering-invariant CTL model checking.
A Tool Set for deciding Behavioral Equivalences
- In Proceedings of CONCUR'91, 1991
Cited by 11 (2 self)
This paper deals with verification methods based on equivalence relations between labeled transition systems. More precisely, we are concerned with two practical needs: how to efficiently minimize and compare labeled transition systems with respect to bisimulation or simulation-based equivalence relations. First, we recall the principle of the classical algorithms for the existing equivalence relations, which are based on successive partition refinements of the state space of the labeled transition systems under consideration. However, in spite of their theoretical efficiency, the main drawback of these algorithms is that they require generating and storing in memory the whole labeled transition systems to be compared or minimized. Therefore, the size of the systems which can be handled in practice remains limited. We propose here another approach, allowing the generation and verification phases to be combined, which is based on two algorithms respectively devoted to the comparison ("o...
On the Costs and Benefits of using Partial-Order Methods for the Verification of Concurrent Systems
- Proceedings of DIMACS Workshop on Partial-Order Methods in Verification, 1997
Cited by 10 (0 self)
Verification by state-space exploration is one of the most successful strategies for analyzing the correctness of finite-state concurrent reactive systems. Partial-order methods are algorithms for dynamically pruning the state space of such systems without incurring the risk of any incompleteness in the verification results. This paper presents results of experiments performed with these algorithms on real protocol examples, and discusses the practical significance of partial-order methods. 1. Introduction State-space exploration is one of the most successful strategies for checking the correctness of finite-state concurrent reactive systems. It consists in exploring a global state graph, called the state space, representing the combined behavior of all concurrent components in the system. Many different types of properties of a system can be checked by exploring its state space: deadlocks, dead code, unspecified receptions, violations of user-specified assertions, etc. Moreo...
Selective mu-calculus: New Modal Operators for Proving Properties on Reduced Transition Systems
- In Proceedings of FORTE X/PSTV XVII '97. Chapman, 1997
Cited by 8 (7 self)
In model checking for temporal logic, the correctness of a (concurrent) system with respect to a desired behavior is verified by checking whether a structure that models the system satisfies a formula describing the behaviour. Most existing verification techniques, and in particular those defined for concurrent calculi such as CCS, are based on a representation of the concurrent system by means of a labelled transition system. In this approach to verification, state explosion is one of the most serious problems. In this paper we present a new temporal logic, the selective mu-calculus, with the property that only the actions occurring in a formula are relevant to check the formula itself. We prove that the selective mu-calculus is as powerful as the mu-calculus. We define the notion of ρ-bisimulation between transition systems: given a set of actions ρ, a transition system ρ-bisimulates another one if they have the same behaviour with respect to the actions in ρ. We prove that, if t...
Space Efficient Reachability Analysis Through Use of Pseudo-Root States
- Proceedings of Third International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, TACAS'97, 1997
Cited by 4 (0 self)
This paper presents a novel reachability analysis technique which, while still maintaining a set of reached states, significantly reduces the size of this set through excluding a specific subset of those states, referred to as pseudo-root states. Pseudo-root states are states which are not reachable from the unexplored state space of the finite model. Such states may be safely discarded from state storage. The modified reachability analysis algorithm identifies and discards pseudo-root states at each iteration of the state search. For a set of three example problems, the presented algorithm results in 2- to 16-fold improvements in space requirements, while increasing the run time at most twice. 1 Introduction Exhaustive exploration of a finite state model is a key part of most automatic verification algorithms, which rely on checking all reachable states of the model against a specification of desired properties. Conventional algorithms for traversing the model starting from its init...