Bandera: Extracting Finite-state Models from Java Source Code
In Proceedings of the 22nd International Conference on Software Engineering, 2000
Cited by 514 (33 self)
Abstract
Finite-state verification techniques, such as model checking, have shown promise as a cost-effective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a finite-state model that approximates the executable behavior of the software system of interest. Current best practice involves hand-construction of models, which is expensive (prohibitive for all but the smallest systems), prone to errors (which can result in misleading verification results), and difficult to optimize (which is necessary to combat the exponential complexity of verification algorithms). In this paper, we describe an integrated collection of program analysis and transformation components, called Bandera, that enables the automatic extraction of safe, compact finite-state models from program source code. Bandera takes as input Java source code and generates a program model in the input language of one of several existing verification tools; Bandera also maps verifier outputs back to the original source code. We discuss the major components of Bandera and give an overview of how it can be used to model check correctness properties of Java programs.
Slicing Software for Model Construction
Higher-Order and Symbolic Computation, 1999
Cited by 85 (16 self)
Abstract
Applying finite-state verification techniques (e.g., model checking) to software requires that program source code be translated to a finite-state transition system that safely models program behavior. Automatically checking such a transition system for a correctness property is typically very costly, thus it is necessary to reduce the size of the transition system as much as possible. In fact, it is often the case that much of a program's source code is irrelevant for verifying a given correctness property. In this paper, we apply program slicing techniques to remove automatically such irrelevant code and thus reduce the size of the corresponding transition system models. We give a simple extension of the classical slicing definition, and prove its safety with respect to model checking of linear temporal logic (LTL) formulae. We discuss how this slicing strategy fits into a general methodology for deriving effective software models using abstraction-based program specializati...
A Formal Study of Slicing for Multi-threaded Programs with JVM Concurrency Primitives
1999
Cited by 54 (17 self)
Abstract
Previous work has shown that program slicing can be a useful step in model-checking software systems. We are interested in applying these techniques to construct models of multi-threaded Java programs. Past work does not address the concurrency primitives found in Java, nor does it provide the rigorous notions of slice correctness that are necessary for reasoning about programs with non-deterministic behaviour and potentially infinite computation traces. In this paper, we define the semantics of a simple multi-threaded language with concurrency primitives matching those found in the Java Virtual Machine, we propose a bisimulation-based notion of correctness for slicing in this setting, we identify notions of dependency that are relevant for slicing multi-threaded Java programs, and we use these dependencies to specify a program slicer for the language presented in the paper. Finally, we discuss how these dependencies can be refined to take into account common programmin...
Model Checking Generic Container Implementations
In Generic Programming: Proceedings of a Dagstuhl Seminar, Lecture Notes in Computer Science, Dagstuhl, 1998
Cited by 9 (5 self)
Abstract
Model checking techniques have been successfully applied to the verification of correctness properties of complex hardware systems and communication protocols. This success has fueled the application of these techniques to software systems. To date, those efforts have been targeted at concurrent software whose complexity lies, primarily, in the large number of possible execution orderings of asynchronously executing program actions. In this paper, we apply existing model checking techniques to parameterizable implementations of container data structures. In contrast to most of the concurrent systems that have been studied in the model checking literature, the complexity of these implementations lies in their data structures and algorithms. We report our experiences model checking specifications of correctness properties of queue, stack and priority queue data structures implemented in Ada.
Keywords: Model checking, temporal logic, assume-guarantee reasoning, generic containers
Slicing Multi-threaded Java Programs: A Case Study
1999
Cited by 5 (1 self)
Abstract
Program slicing is becoming increasingly popular as an initial step in the construction of finite-state models for automated verification. As part of a project aimed at building tools to automate the extraction of compact, sound finite-state models of concurrent Java programs, we have developed the theoretical foundations of slicing threaded programs that use Java monitors and wait/notify synchronization. In this paper, we describe how these foundations are incorporated into a tool that slices multi-threaded Java programs. We describe a simple static analysis that can be used to refine the underlying dependences used by the slicer and illustrate the effectiveness of this refinement by describing the slicing of a realistic Java program.
Bandera Specification Language: A Specification Language for Software Model Checking
Kansas State University, Department of Computing and Information Sciences, 2000
Cited by 3 (0 self)
Abstract
Finite-state verification techniques, such as model checking, are a promising technique for finding defects in software systems. However, there are several obstacles that hinder the application of software model checking in practice. One of the obstacles is the property specification problem: taking the informal requirements of the system and writing their property specifications. The current practice in property specification for model checking requires analysts to translate the property to the model level. This has several disadvantages: (1) it forces the specification to be stated in terms of the model's representation. This requires the understanding of these typically highly optimized representations to accurately render the specifications. (2) The model representations may change depending on which optimizations and abstractions were used when generating the model. When changed, it requires the specifications to be changed. (3) Model checker tools have different inputs (temporal logics) for property specification. If more than one model checker is used, then the specifications have to be recoded and maintained in a different language. (4) Analysts sometimes find it difficult to use temporal logics to accurately express the properties of software. Once written, these specifications are often hard to reason about, debug, and modify. Even greater difficulties are encountered when describing dynamic component properties such as heap-allocated structures.
In this thesis, we present Bandera Specification Language (BSL), a source level specification language for model checking Java programs. BSL addresses the property specification problem by leveraging the property specification to the source level, and by using temporal specification patterns to abstract away from specific temporal logics and to ease writing and maintaining the specifications. We present the syntax and informal semantics of BSL. We also present how program slicing can be driven by properties that are specified in BSL. We then present how quantifications are supported in BSL for describing dynamic component properties. Finally, we give a methodology for using BSL and show some examples of BSL applied to non-trivial programs.
Applying Model Checking in Java Verification
1999
Abstract
This paper presents our experiences in applying the Java PathFinder (Jpf), a recently developed Java to Promela translator, in the search for synchronization bugs in a Chinese Chess game server application written in Java. We give an overview of Jpf and the subset of Java that it supports and describe an initial effort to abstract and analyze the game server. Finally, we evaluate the results of the effort.
1 Introduction
Model checking has increasingly gained acceptance within hardware [15, 1] and protocol verification [13] as an additional means to discovering bugs. However, verifying programs is different from verifying hardware or protocols: the state space is often much bigger and the relationships harder to understand because of asynchronous behavior and a more complicated underlying semantics. The size and complexity of software pushes current formal verification technology beyond its limits. It is therefore likely that effective application of model checking to software...