Software Model Checking -- Extracting Verification Models from . . .
In Proceedings of FORTE/PSTV'99, 1999
Cited by 61 (6 self)
To formally verify a large software application, the standard method is to invest a considerable amount of time and expertise into the manual construction of an abstract model, which is then analyzed for its properties by either a mechanized or by a human prover. There are two main problems with this approach. The first problem is that this verification method can be no more reliable than the humans that perform the manual steps. If rate of error for human work is a function of problem size, this holds not only for the construction of the original application, but also for the construction of the model. This means that the verification process tends to become unreliable for larger applications. The second problem is one of timing and relevance. Software
Coverage based test-case generation using model checkers
In 8th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems (ECBS), 2001
Cited by 36 (7 self)
This paper presents a method for automatically generating test cases to structural coverage criteria. We show how a model checker can be used to automatically generate complete test sequences that will provide a predefined coverage of any software development artifact that can be represented as a finite state model. Our goal is to help reduce the high cost of developing test cases for safety-critical software applications that require a certain level of coverage for certification, for example, safety-critical avionics systems that need to demonstrate MC/DC (modified condition and decision) coverage of the code. We define a formal framework suitable for modeling software artifacts, like, requirements models, software specifications, or implementations. We then show how various structural coverage criteria can be formalized and used to make a model checker provide test sequences to achieve this coverage. To illustrate our approach, we demonstrate, for the first time, how a model checker can be used to generate test sequences for MC/DC coverage of a small case example.
Using Shape Analysis to Reduce Finite-State Models of Concurrent Java Programs
In Proceedings of the International Symposium on Software Testing and Analysis, 1998
Cited by 34 (0 self)
Finite-state verification (e.g., model checking) provides a powerful means to detect concurrency errors, which are often subtle and difficult to reproduce. Nevertheless, widespread use of this technology by developers is unlikely until tools provide automated support for extracting the required finite-state models directly from program source. Unfortunately, the dynamic features of modern languages such as Java complicate the construction of compact finite-state models for verification. In this paper, we show how shape analysis, which has traditionally been used for computing alias information in optimizers, can be used to greatly reduce the size of finite-state models of concurrent Java programs by determining which heap-allocated variables are accessible only by a single thread, and which shared variables are protected by locks. We also provide several other state-space reductions based on the semantics of Java monitors. A prototype implementation of the reductions demonstrates their ...
Software Model Checking
In Proceedings of FORTE 1999, 1999
Cited by 13 (0 self)
In these notes we will review the automata-theoretic verification method and propositional linear temporal logic, with specific emphasis on their potential application to distributed software verification. An important
Fighting livelock in the GNU i-protocol: A case study in explicit-state model checking
Int. Journal on Software Tools for Technology Transfer (STTT)
Cited by 11 (0 self)
The i-protocol, an optimized sliding-window protocol for GNU uucp, first came to our attention in 1995 when we used the Concurrency Factory’s local model checker to detect, locate, and correct a non-trivial livelock in version 1.04 of the protocol. Since then, we have conducted a systematic case study on the protocol using four verification tools, viz. Cospan, Murϕ, Spin, and XMC, each of which supports some form of explicit-state model checking. Our results show that although the i-protocol is inherently complex – the size of its state space grows exponentially in the window size and it deploys several sophisticated optimizations aimed at minimizing control-message and retransmission overhead – it is nonetheless amenable to a number of general-purpose abstraction techniques whose application can significantly reduce the size of the protocol’s state space. Keywords: Explicit-state model checking – Livelock – Protocol verification – Sliding-window protocol
Interaction Abstraction for Compositional Finite State Systems
Lecture, 2000
Cited by 2 (0 self)
A new algorithm for reducing the state space of compositional finite state systems is introduced. Its goal is similar to compositional minimization algorithms as it tries to preserve only the relevant information for checking properties. It works better than compositional minimization because it reduces components individually and does not need to compose components. Hence it does not suffer from state explosion. Instead, it uses information about interactions with other components, and merges interactions that do not lead to different relevant behaviour. Experiments show that it reduces state spaces dramatically in the cases when only a part of the system's behaviour is of interest.
1 Introduction
Model-checking encounters the state-explosion problem. To keep the state space manageable for model checkers, models of systems should only include features relevant to the property being checked. Holzmann [12] showed it is possible to check useful properties using very small models -...
Towards Scalable Compositional Analysis by Refactoring Design Models
In Proc. of the Ninth European Software Eng. Conf. Held Jointly with the Eleventh ACM SIGSOFT Symp. on the Foundations of Software Eng., 2003
Cited by 2 (0 self)
Automated finite-state verification techniques have matured considerably in the past several years, but state-space explosion remains an obstacle to their use. Theoretical lower bounds on complexity imply that all of the techniques that have been developed to avoid or mitigate state-space explosion depend on models that are "well-formed" in some way, and will usually fail for other models. This further implies that, when analysis is applied to models derived from designs or implementations of actual software systems, a model of the system "as built" is unlikely to be suitable for automated analysis. In particular, compositional, hierarchical analysis (where state-space explosion is avoided by simplifying models of subsystems at several levels of abstraction) depends on the modular structure of the model to be analyzed. We describe how as-built finite-state models can be refactored for compositional state-space analysis, applying a series of transformations to produce an equivalent model whose structure exhibits suitable modularity. The process is supported by a parser which can parse a subset of Promela syntax and transform Promela code into refactored state graphs.
Toward Synergy of Finite State Verification and Testing
Cited by 1 (0 self)
Finite state verification (FSV) and testing are usually viewed as competing approaches to software validation. In this short paper, we propose a technique for combining FSV synergistically with testing, with the goal of identifying faults more quickly and with less manual effort than with FSV alone and more effectively than with testing alone. We propose using information about potential faults obtained during the FSV analysis to direct selection, execution, and checking of test data, with the intent of confirming these faults.
1 Introduction
In finite state verification, a finite model of the system is constructed, usually abstracting away many details, and the FSV tool (verifier) explores the state space to determine whether a given property P holds. The model is constructed in such a way that if the verifier determines that P holds for the model, then P also holds for all possible executions (and hence, for all possible test data) of the actual system. In this case, there is no need to te...
Logic Verification of ANSI-C code with SPIN
Verlag / LNCS 1885, 2000
We describe a tool, called AX, that can be used in combination with the model checker SPIN to efficiently verify logical properties of distributed software systems implemented in ANSI-standard C [18]. AX, short for Automaton eXtractor, can extract verification models from C code at a user defined level of abstraction. Target applications include telephone switching software, distributed operating systems code, protocol implementations, concurrency control methods, and client-server applications.
From Simulation To Verification (and Back)
2003
Symbolic evaluation is the execution of software and software designs on inputs given as symbolic or explicit constants along with constraints on these inputs. Efficient symbolic evaluation is now feasible due to recent advances in efficient decision procedures and symbolic model checking. Symbolic evaluation can be applied to partially implemented descriptions and provides wider coverage and greater assurance than testing and traditional simulation alone. Unlike full formal verification, symbolic evaluation can be used in a partial manner that is more likely to succeed and yield some degree of assurance. Its main advantage is that it can be used within a smooth spectrum of analyses ranging from refutation based on explicit-state simulation to full-blown verification.

