Results 1-10 of 122
The model checker SPIN
IEEE Transactions on Software Engineering, 1997
Cited by 1266 (25 self)
Abstract: SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. This paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications.
Index Terms: Formal methods, program verification, design verification, model checking, distributed systems, concurrency.
Bandera: Extracting Finite-state Models from Java Source Code
In Proceedings of the 22nd International Conference on Software Engineering, 2000
Cited by 571 (33 self)
Abstract: Finite-state verification techniques, such as model checking, have shown promise as a cost-effective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a finite-state model that approximates the executable behavior of the software system of interest. Current best practice involves hand-construction of models, which is expensive (prohibitive for all but the smallest systems), prone to errors (which can result in misleading verification results), and difficult to optimize (which is necessary to combat the exponential complexity of verification algorithms). In this paper, we describe an integrated collection of program analysis and transformation components, called Bandera, that enables the automatic extraction of safe, compact finite-state models from program source code. Bandera takes as input Java source code and generates a program model in the input language of one of several existing verification tools; Bandera also maps verifier outputs back to the original source code. We discuss the major components of Bandera and give an overview of how it can be used to model check correctness properties of Java programs.
RacerX: Effective, Static Detection of Race Conditions and Deadlocks
SOSP'03, 2003
Cited by 242 (2 self)
Abstract: This paper describes RacerX, a static tool that uses flow-sensitive, interprocedural analysis to detect both race conditions and deadlocks. It is explicitly designed to find errors in large, complex multithreaded systems. It aggressively infers checking information such as which locks protect which operations, which code contexts are multithreaded, and which shared accesses are dangerous. It tracks a set of code features which it uses to sort errors from most to least severe. It uses novel techniques to counter the impact of analysis mistakes. The tool is fast, requiring between 2-14 minutes to analyze a 1.8 million line system. We have applied it to Linux, FreeBSD, and a large commercial code base, finding serious errors in all of them.
Atomizer: a dynamic atomicity checker for multithreaded programs
In POPL, 2004
Cited by 201 (14 self)
Abstract: Ensuring the correctness of multithreaded programs is difficult, due to the potential for unexpected interactions between concurrent threads. We focus on the fundamental noninterference property of atomicity and present a dynamic analysis for detecting atomicity violations. This analysis combines ideas from both Lipton's theory of reduction and earlier dynamic race detectors such as Eraser. Experimental results demonstrate that this dynamic atomicity analysis is effective for detecting errors due to unintended interactions between threads. In addition, the majority of methods in our benchmarks are atomic, supporting our hypothesis that atomicity is a standard methodology in multithreaded programming.
1 The Need for Atomicity
Multiple threads of control are widely used in software development because they help reduce latency and provide better utilization of multiprocessor machines. However, reasoning about the correctness of multithreaded code is complicated by the nondeterministic interleaving of threads and the potential for unexpected interference between concurrent threads. Since exploring all possible interleavings of the executions of the various threads is clearly impractical, methods for specifying and controlling the interference between concurrent threads are crucial for the development of reliable multithreaded software. Much previous work on controlling thread interference has focused on race conditions, which occur when two threads simultaneously access the same data variable, and at least one of the accesses is a write [1]. Unfortunately, the absence of race conditions is not sufficient to ensure the absence of errors due to unexpected interference between threads. As a concrete illustration of
An Improvement of McMillan's Unfolding Algorithm
Formal Methods in System Design, 1996
Cited by 178 (9 self)
Abstract: McMillan has recently proposed a new technique to avoid the state explosion problem in the verification of systems modelled with finite-state Petri nets. The technique requires constructing a finite initial part of the unfolding of the net. McMillan's algorithm for this task may yield initial parts that are larger than necessary (exponentially larger in the worst case). We present a refinement of the algorithm which overcomes this problem.
1 Introduction
In a seminal paper [10], McMillan has proposed a new technique to avoid the state explosion problem in the verification of systems modelled with finite-state Petri nets. The technique is based on the concept of net unfolding, a well known partial order semantics of Petri nets introduced in [12], and later described in more detail in [4] under the name of branching processes. The unfolding of a net is another net, usually infinite but with a simpler structure. McMillan proposes an algorithm for the construction of a finite initial part...
Pointer Analysis for Multithreaded Programs
ACM SIGPLAN 99, 1999
Cited by 134 (13 self)
Abstract: This paper presents a novel interprocedural, flow-sensitive, and context-sensitive pointer analysis algorithm for multithreaded programs that may concurrently update shared pointers. For each pointer and each program point, the algorithm computes a conservative approximation of the memory locations to which that pointer may point. The algorithm correctly handles a full range of constructs in multithreaded programs, including recursive functions, function pointers, structures, arrays, nested structures and arrays, pointer arithmetic, casts between pointer variables of different types, heap and stack allocated memory, shared global variables, and thread-private global variables. We have implemented the algorithm in the SUIF compiler system and used the implementation to analyze a sizable set of multithreaded programs written in the Cilk multithreaded programming language. Our experimental results show that the analysis has good precision and converges quickly for our set of Cilk programs.
Slicing Software for Model Construction
Higher-Order and Symbolic Computation, 1999
Cited by 88 (16 self)
Abstract: Applying finite-state verification techniques (e.g., model checking) to software requires that program source code be translated to a finite-state transition system that safely models program behavior. Automatically checking such a transition system for a correctness property is typically very costly, thus it is necessary to reduce the size of the transition system as much as possible. In fact, it is often the case that much of a program's source code is irrelevant for verifying a given correctness property. In this paper, we apply program slicing techniques to automatically remove such irrelevant code and thus reduce the size of the corresponding transition system models. We give a simple extension of the classical slicing definition, and prove its safety with respect to model checking of linear temporal logic (LTL) formulae. We discuss how this slicing strategy fits into a general methodology for deriving effective software models using abstraction-based program specializati...
Types for safe locking: Static race detection for Java
ACM Transactions on Programming Languages and Systems, 2006
Cited by 65 (8 self)
Abstract: This article presents a static race-detection analysis for multithreaded shared-memory programs, focusing on the Java programming language. The analysis is based on a type system that captures many common synchronization patterns. It supports classes with internal synchronization, classes that require client-side synchronization, and thread-local classes. In order to demonstrate the effectiveness of the type system, we have implemented it in a checker and applied it to over 40,000 lines of hand-annotated Java code. We found a number of race conditions in the standard Java libraries and other test programs. The checker required fewer than 20 additional type annotations per 1,000 lines of code. This article also describes two improvements that facilitate checking much larger programs: an algorithm for annotation inference and a user interface that clarifies warnings generated by the checker. These extensions have enabled us to use the checker for identifying race conditions in large-scale software systems with up to 500,000 lines of code.
Using Logic Programs with Stable Model Semantics to Solve Deadlock and Reachability Problems for 1-Safe Petri Nets
1999
Cited by 51 (7 self)
Abstract: McMillan has presented a deadlock detection method for Petri nets based on finite complete prefixes (i.e. net unfoldings). The approach transforms the PSPACE-complete deadlock detection problem for a 1-safe Petri net into a potentially exponentially larger NP-complete problem of deadlock detection for a finite complete prefix. McMillan devised a branch-and-bound algorithm for deadlock detection in prefixes. Recently, Melzer and Römer have presented another approach, which is based on solving mixed integer programming problems. In this work it is shown that instead of using mixed integer programming, a constraint-based logic programming framework can be employed, and a linear-size translation from deadlock detection in prefixes into the problem of finding a stable model of a logic program is presented. As a side result such a translation for solving the reachability problem is also devised. Correctness proofs of both translations are presented. Experimental results are given from an implementation combining a prefix generator from the PEP tool, the translation, and an implementation of a constraint logic programming framework, the smodels system. The experiments show the approach to be quite competitive when compared to the approaches of McMillan and Melzer/Römer.