With the use of state and memory reduction techniques in verification by explicit state enumeration, runtime becomes a major limiting factor. We describe a parallel version of the explicit state enumeration verifier Murφ for distributed memory multiprocessors and networks of workstations that is based on the message passing paradigm. In experiments with three complex cache coherence protocols, parallel Murφ shows close to linear speedups, which are largely insensitive to communication latency and bandwidth. There is some slowdown with increasing communication overhead, for which a simple yet relatively accurate approximation formula is given. Techniques to reduce overhead and required bandwidth and to allow heterogeneity and dynamically changing load in the parallel machine are discussed, which we expect will allow good speedups when using conventional networks of workstations.

This paper presents initial results in model checking multi-threaded Java programs. Java programs are translated into the SAL (Symbolic Analysis Laboratory) intermediate language, which supports dynamic constructs such as object instantiations and thread call stacks. The SAL model checker then exhaustively checks the program description for deadlocks and assertion failures. Basic model checking optimizations that help curb the state explosion problem have been implemented. To deal with large Java programs in practice, however, supplementary program analysis tools must work in conjunction with the model checker to make verification manageable. The SAL language framework provides a good starting point to interface new and existing analysis methods with the model checker. 1 Introduction The Java programming language is becoming increasingly popular for writing multi-threaded applications. In particular, many Internet servers are written in Java. Since Java has multi-threading built in a...

Abstract. TLA+ is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it. 1 Introduction Model checkers are usually judged by the size of system they can handle and the class of properties they can check [3, 16, 4]. The system is generally described in either a hardware-description language or a language tailored to the needs of the model checker. The criteria that inspired the model checker TLC are completely different. TLC checks specifications written in TLA+, a rich language with a well-defined semantics that was designed for expressiveness and ease of formal reasoning, not model checking. Two main goals led us to this approach:- The systems that interest us are too large and complicated to be completely

In verification by explicit state enumeration a randomly accessed state table is maintained. In practice, the total main memory available for this state table is a major limiting factor in verification. We describe a version of the explicit state enumeration verifier Mur' that allows using magnetic disk instead of main memory for storing almost all of the state table. The algorithm avoids costly random accesses to disk and amortizes the cost of linearly reading the state table from disk over all states in a certain breadth-first level. The remaining runtime overhead for accessing the disk can be strongly reduced by combining the scheme with hash compaction. We show how to do this combination efficiently and analyze the resulting algorithm. In experiments with three complex cache coherence protocols, the new algorithm achieves memory savings factors of one to two orders of magnitude with a runtime overhead of typically only around 15%. Keywords protocol verification, expli...

Abstract. Explicit model checking algorithms explore the full state space of a system. We have gathered a large collection of state spaces and performed an extensive study of their structural properties. The results show that state spaces have several typical properties and that they differ significantly from both random graphs and regular graphs. We point out how to exploit these typical properties in practical model checking algorithms. 1

This paper describes and analyzes a probabilistic technique to reduce the memory requirement of the table of reached states maintained in verification by explicit state enumeration. The memory savings of the new scheme come at the price of a certain probability that the search becomes incomplete. However, this probability can be made negligibly small by using typically 40 bits of memory per state. From this point of view, this new scheme improves substantially on Holzmann's bitstate hashing, which has a high probability of producing an incomplete search even when using close to 1000 bits per state. The proposed scheme has been implemented in the contexts of the SPIN and Mur' verification systems. Experiments on sample protocols nicely match the predictions of the analysis. For large protocols, memory savings of two orders of magnitude are obtained. We also show how to efficiently combine the new scheme with state space caching, and we analyze bitstate hashing in order to compare it wit...

Explicit model checking algorithms explore the full state space of a system. State spaces are usually treated as directed graphs without any specific features. We gather a large collection of state spaces and extensively study their structural properties. Our results show that state spaces have several typical properties, i.e., they are not arbitrary graphs. We also demonstrate that state spaces differ significantly from random graphs and that different classes of models (application domains, academic vs industrial) have different properties. We discuss consequences of these results for model checking experiments and we point out how to exploit typical properties of state spaces in practical model checking algorithms.

. TLA + is a specification language for concurrent and reactive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA + specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA + specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA + specifications and their TLC models, how TLC works, and our experience using it. 1 Introduction Model checkers are usually judged by the size of system they can handle and the class of properties they can check [3, 16, 4]. The system is generally described in either a hardware-description language or a language tailored to the needs of the model checker. The criteria that inspired the model checker TLC are completely di#erent. TLC checks specif...

Abstract not found