Results 1  10
of
64
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2407 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
The model checker SPIN
 IEEE Transactions on Software Engineering
, 1997
"... Abstract—SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from highlevel descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of ..."
Abstract

Cited by 1254 (25 self)
 Add to MetaCart
Abstract—SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from highlevel descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications. Index Terms—Formal methods, program verification, design verification, model checking, distributed systems, concurrency.
A note on onthefly verification algorithms
 In Proc. of TACAS’05, LNCS
, 2005
"... Abstract. The automatatheoretic approach to verification of LTL relies on an algorithm for finding accepting cycles in the product of the system and a B"uchi automaton for the negation of the formula. Explicitstate model checkers typically construct the product space "on the fly " a ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
Abstract. The automatatheoretic approach to verification of LTL relies on an algorithm for finding accepting cycles in the product of the system and a B"uchi automaton for the negation of the formula. Explicitstate model checkers typically construct the product space "on the fly " and explore the states using depthfirst search. We survey algorithms proposed for this purpose and propose two improved algorithms, one based on nested DFS, the other on strongly connected components. We compare these algorithms both theoretically and experimentally and determine cases where both algorithms can be useful. 1 Introduction The modelchecking problem for finitestate systems and lineartime temporal logic (LTL) is usually reduced to checking the emptiness of a B"uchi automaton, i.e. the product of the system and an automaton for the negated formula [23]. Various strategies exist for reducing the size of the automaton. For instance, symbolic model checking employs data structures to compactly represent large sets of states. This strategy combines well with breadthfirst search, leading to solutions whose worstcase time is essentially O(n2) or O(n log n), if n is the size of the product. A survey of symbolic emptiness algorithms can be found in [8]. Explicitstate model checkers, on the other hand, construct the product automaton `on the fly', i.e. while searching the automaton. Thus, the model checker may be able to find a counterexample without ever constructing the complete state space. Onthefly verification can be combined with partial order methods [18, 15] to reduce the effect of state explosion.
Parallel randomized statespace search
 in International Conference on Software Engineering
"... Model checkers search the space of possible program behaviors to detect errors and to demonstrate their absence. Despite major advances in reduction and optimization techniques, statespace search can still become costprohibitive as program size and complexity increase. In this paper, we present a ..."
Abstract

Cited by 24 (0 self)
 Add to MetaCart
Model checkers search the space of possible program behaviors to detect errors and to demonstrate their absence. Despite major advances in reduction and optimization techniques, statespace search can still become costprohibitive as program size and complexity increase. In this paper, we present a technique for dramatically improving the costeffectiveness of statespace search techniques for error detection using parallelism. Our approach can be composed with all of the reduction and optimization techniques we are aware of to amplify their benefits. It was developed based on insights gained from performing a large empirical study of the costeffectiveness of randomization techniques in statespace analysis. We explain those insights and our technique, and then show through a focused empirical study that our technique speeds up analysis by factors ranging from 2 to over 1000 as compared to traditional modes of statespace search, and does so with relatively small numbers of parallel processors. 1.
A New Scheme for MemoryEfficient Probabilistic Verification
 in IFIP TC6/WG6.1 Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing, and Verification
, 1996
"... In verification by explicit state enumeration, for each reachable state of the protocol being verified the full state descriptor is stored in a state table. Two probabilistic methods  bitstate hashing and hash compaction  have been proposed in the literature that store much fewer bits for each s ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
In verification by explicit state enumeration, for each reachable state of the protocol being verified the full state descriptor is stored in a state table. Two probabilistic methods  bitstate hashing and hash compaction  have been proposed in the literature that store much fewer bits for each state but come at the price of some probability that not all reachable states will be explored during the search, and that the verifier may thus produce false positives. Holzmann introduced bitstate hashing and derived an approximation formula for the average probability that a particular state is not omitted during the search, but this formula does not give a bound on the probability of false positives. In contrast, the analysis for hash compaction, introduced by Wolper and Leroy and improved upon by Stern and Dill, yielded a bound on the probability that not even one state is omitted during the search, thus providing a bound on the probability of false positives. In this paper, we propose a...
Typical structural properties of state spaces
 In Proc. of SPIN Workshop, volume 2989 of LNCS
, 2004
"... Abstract. Explicit model checking algorithms explore the full state space of a system. We have gathered a large collection of state spaces and performed an extensive study of their structural properties. The results show that state spaces have several typical properties and that they differ signific ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
Abstract. Explicit model checking algorithms explore the full state space of a system. We have gathered a large collection of state spaces and performed an extensive study of their structural properties. The results show that state spaces have several typical properties and that they differ significantly from both random graphs and regular graphs. We point out how to exploit these typical properties in practical model checking algorithms. 1
Formal Verification of EServices and Workflows
 Proc. ESSW
, 2002
"... Abstract. We study the verification problem for eservice (and workflow) specifications, aiming at efficient techniques for guiding the construction of composite eservices to guarantee desired properties (e.g., deadlock avoidance, bounds on resource usage, response times). Based on previously propo ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
Abstract. We study the verification problem for eservice (and workflow) specifications, aiming at efficient techniques for guiding the construction of composite eservices to guarantee desired properties (e.g., deadlock avoidance, bounds on resource usage, response times). Based on previously proposed eservice frameworks such as AZTEC and eFLow, decision flow language Vortex, and our early work on verifying Vortex specifications using model checking and infinite state verification tools, we introduce a very simple eservice model for our investigation of verification issues. We first show how three different model checking techniques are applied to verification of specifications in simple eservice model, where the number of processes is limited to a predetermined number. We then introduce pid quantified constraints, a new symbolic representation that can encode infinite system states, to verify systems with unbounded and dynamic process instantiations. We think that it is a versatile technique and more suitable for verification of eservice specifications. If this is combined with other techniques such as abstraction and widening, it is possible to solve a large category of interesting verification problems for eservices. 1
A Generalised SweepLine Method for Safety Properties
 In Proc. of FME'02, volume 2391 of LNCS
, 2002
"... The recently developed sweepline method exploits progress present in many concurrent systems to explore the full state space of the system while storing only small fragments of the state space in memory at a time. A disadvantage of the sweepline method is that it relies on a monotone and global no ..."
Abstract

Cited by 17 (12 self)
 Add to MetaCart
The recently developed sweepline method exploits progress present in many concurrent systems to explore the full state space of the system while storing only small fragments of the state space in memory at a time. A disadvantage of the sweepline method is that it relies on a monotone and global notion of progress. This prevents the method from being used for many reactive systems. In this paper we generalise the sweepline method such that it can be used for verifying safety properties of reactive systems exhibiting local progress. The basic idea is to relax the monotone notion of progress and to recognise the situations where this could cause the state space exploration not to terminate. The generalised sweepline method explores all reachable states of the system, but may explore a state several times. We demonstrate the practical application of the generalised sweepline method on two case studies demonstrating a reduction in peak memory usage to typically 10 % compared to the use of ordinary full state spaces.
Fast and Accurate Bitstate Verification for SPIN
 In Proceedings of the 11th International SPIN Workshop on Model Checking of Software (SPIN
, 2004
"... Bitstate hashing in SPIN has proved invaluable in probabilistically detecting errors in large models, but in many cases, the number of omitted states is much higher than it would be if SPIN allowed more than two hash functions to be used. For example, adding just one more hash function can reduce th ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
Bitstate hashing in SPIN has proved invaluable in probabilistically detecting errors in large models, but in many cases, the number of omitted states is much higher than it would be if SPIN allowed more than two hash functions to be used. For example, adding just one more hash function can reduce the probability of omitting states at all from 99% to under 3%. Because hash computation accounts for an overwhelming portion of the total execution cost of bitstate verification with SPIN, adding additional independent hash functions would slow down the process tremendously. We present efficient ways of computing multiple hash values that, despite sacrificing independence, give virtually the same accuracy and even yield a speed improvement in the two hash function case when compared to the current SPIN implementation. Another key to accurate bitstate hashing is utilizing as much memory as is available. The current SPIN implementation is limited to only 512MB and allows only poweroftwo granularity (256MB, 128MB, etc). However, using 768MB instead of 512MB could reduce the probability of a single omission from 20% to less than one chance in 10,000, which demonstrates the magnitude of both the maximum and the granularity limitation. We have modified SPIN to utilize any addressable amount of memory and use any number of efficientlycomputed hash functions, and we present empirical results from extensive experimentation comparing various configurations of our modified version to the original SPIN.
Enhancing random walk state space exploration
 In Proc. of Formal Methods for Industrial Critical Systems (FMICS’05
, 2005
"... Abstract. We study the behaviour of the random walk method in the context of model checking and its capacity to explore a state space. We describe the methodology we have used for observing the random walk and report on the results obtained. We also describe many possible enhancements of the random ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
Abstract. We study the behaviour of the random walk method in the context of model checking and its capacity to explore a state space. We describe the methodology we have used for observing the random walk and report on the results obtained. We also describe many possible enhancements of the random walk and study their behaviour and limits. Finally, we discuss some practically important but often neglected issues like counterexamples, coverage estimation, and setting of parameters. Similar methodology can be used for studying other state space exploration techniques like bitstate hashing, partial storage methods, or partial order reduction. 1