Results 11  20
of
22
Model checking system software with CMC
 In EW10: Proceedings of the 10th workshop on ACM SIGOPS European workshop: beyond the PC
, 2002
"... Complex systems have errors that involve mishandled corner cases in intricate sequences of events. Conventional testing techniques usually miss these errors. In recent years, formal verification techniques such as [5] have gained popularity in checking a property in all possible behaviors of a sy ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Complex systems have errors that involve mishandled corner cases in intricate sequences of events. Conventional testing techniques usually miss these errors. In recent years, formal verification techniques such as [5] have gained popularity in checking a property in all possible behaviors of a system. However, such techniques involve generating an abstract model of the system. Such an abstraction process is unreliable, difficult and miss a lot of implementation errors. CMC is a framework for model checking a broad class of software written in the C programming language. CMC runs the software implementation directly without deriving an abstract model of the code. We used CMC to model check an existing implementation of AODV (Ad Hoc On Demand Distance Vector) routing protocol and found a total of bugs in two implementations [7],[6] of the protocol. One of them is a bug in the actual specification of the AODV protocol [3]. We also used CMC on the IP Fragmentation module in the Linux TCP/IPv4 stack and verified its correctness for up to fragments per packet. 1
Hierarchical Adaptive State Space Caching based on Level Sampling
 in "Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS’2009
, 2009
"... Abstract. In the past, several attempts have been made to deal with the state space explosion problem by equipping a depthfirst search (DFS) algorithm with a state cache, or by avoiding collision detection, thereby keeping the state hash table at a fixed size. Most of these attempts are tailored sp ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. In the past, several attempts have been made to deal with the state space explosion problem by equipping a depthfirst search (DFS) algorithm with a state cache, or by avoiding collision detection, thereby keeping the state hash table at a fixed size. Most of these attempts are tailored specifically for DFS, and are often not guaranteed to terminate and/or to exhaustively visit all the states. In this paper, we propose a general framework of hierarchical caches which can also be used by breadthfirst searches (BFS). Our method, based on an adequate sampling of BFS levels during the traversal, guarantees that the BFS terminates and traverses all transitions of the state space. We define several (static or adaptive) configurations of hierarchical caches and we study experimentally their effectiveness on benchmark examples of state spaces and on several communication protocols, using a generic implementation of the cache framework that we developed within the CADP toolbox. 1
A NOTE ON THE WORSTCASE MEMORY REQUIREMENTS OF GENERALIZED NESTED DEPTHFIRST SEARCH
"... ABSTRACT: This report presents a new nested depthfirst search algorithmfor testing the emptiness of a language accepted by a generalized finite Bu"chi automaton. Given an automaton with n states, m> = 1 sets of acceptingtransitions and s bits in a state descriptor, the algorithm decides ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
ABSTRACT: This report presents a new nested depthfirst search algorithmfor testing the emptiness of a language accepted by a generalized finite Bu&quot;chi automaton. Given an automaton with n states, m> = 1 sets of acceptingtransitions and s bits in a state descriptor, the algorithm decides whether thelanguage accepted by the automaton is empty in at most m + 1 passes ofthe state space, using n\Gamma s + dlog2(m + 1)e\Delta bits of memory for the searchhash table in the worst case. In addition to the standard search stacks, the algorithm also needs O\Gamma m log2(nm)\Delta bits of memory for bookkeeping.
Efficient ComputerAided Verification of Parallel and Distributed Software Systems
, 2003
"... The society is becoming increasingly dependent on applications of distributed software systems, such as controller systems and wireless telecommunications. It is very difficult to guarantee the correct operation of this kind of systems with traditional software quality assurance methods, such as cod ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
The society is becoming increasingly dependent on applications of distributed software systems, such as controller systems and wireless telecommunications. It is very difficult to guarantee the correct operation of this kind of systems with traditional software quality assurance methods, such as code reviews and testing. Formal methods, which are based on mathematical theories, have been suggested as a solution. Unfortunately, the vast complexity of the systems and the lack of competent personnel have prevented the adoption of sophisticated methods, such as theorem proving. Computerised tools...
Enhanced Probabilistic Verification with 3Spin and 3Murphi
"... Abstract. 3Spin and 3Murphi are modified versions of the Spin model checker and the Murϕ verifier. Our modifications enhance the probabilistic algorithms and data structures for storing visited states, making them more effective and more usable for verifying huge transition systems. The tools also s ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. 3Spin and 3Murphi are modified versions of the Spin model checker and the Murϕ verifier. Our modifications enhance the probabilistic algorithms and data structures for storing visited states, making them more effective and more usable for verifying huge transition systems. The tools also support a verification methodology designed to minimize time to finding errors, or to reaching desired certainty of errorfreedom. This methodology calls for bitstate hashing, hash compaction, and integrated analyses of both to provide feedback and advice to the user. 3Spin and 3Murphi are the only tools to offer this support, and do so with the most powerful and flexible currentlyavailable implementations of the underlying algorithms and data structures. 1
Fast, AllPurpose State Storage
, 2009
"... Existing techniques for approximate storage of visited states in a model checker are too specialpurpose and too DRAMintensive. Bitstate hashing, based on Bloom filters, is good for exploring most of very large state spaces, and hash compaction is good for highassurance verification of more tract ..."
Abstract
 Add to MetaCart
Existing techniques for approximate storage of visited states in a model checker are too specialpurpose and too DRAMintensive. Bitstate hashing, based on Bloom filters, is good for exploring most of very large state spaces, and hash compaction is good for highassurance verification of more tractable problems. We describe a scheme that is good at both, because it adapts at run time to the number of states visited. It does this within a fixed memory space and with remarkable speed and accuracy. In many cases, it is faster than existing techniques, because it only ever requires one random access to main memory per operation; existing techniques require several to have good accuracy. Adapting to accomodate more states happens in place using streaming access to memory; traditional rehashing would require extra space, random memory accesses, and hash computation. The structure can also incorporate search stack matching for partialorder reductions, saving the need for extra resources dedicated to an additional structure. Our scheme is wellsuited for a future in which random accesses to memory are more of a limiting factor than the size of memory.
Abstract Model Checking Large Network Protocol Implementations
"... Network protocols must work. The effects of protocol specification or implementation errors range from reduced performance, to security breaches, to bringing down entire networks. However, network protocols are difficult to test due to the exponential size of the state space they define. Ideally, a ..."
Abstract
 Add to MetaCart
Network protocols must work. The effects of protocol specification or implementation errors range from reduced performance, to security breaches, to bringing down entire networks. However, network protocols are difficult to test due to the exponential size of the state space they define. Ideally, a protocol implementation must be validated against all possible events (packet arrivals, packet losses, timeouts, etc.) in all possible protocol states. Conventional means of testing can explore only a minute fraction of these possible combinations. This paper focuses on how to effectively find errors in large network protocol implementations using model checking, a formal verification technique. Model checking involves a systematic exploration of the possible states of a system, and is wellsuited to finding intricate errors lurking deep in exponential state spaces. Its primary limitation has been the effort needed to use it on software. The primary contribution of this paper are novel techniques that allow us to model check complex, realworld, welltested protocol implementations with reasonable effort. We have implemented these techniques in CMC, a C model checker [30] and applied the result to the Linux TCP/IP implementation, finding four errors in the protocol implementation. 1
Precision On Demand:
, 2007
"... In explicit state (enumerative) model checking, state vectors are often represented in a compressed form in order to reduce storage needs, typically employing fingerprints, bithashes, or state signatures. When using this kind of techniques, it could happen that the compressed image of a nonvisited s ..."
Abstract
 Add to MetaCart
In explicit state (enumerative) model checking, state vectors are often represented in a compressed form in order to reduce storage needs, typically employing fingerprints, bithashes, or state signatures. When using this kind of techniques, it could happen that the compressed image of a nonvisited state s matches that of a visited state s ′ � = s, thus s and potentially many of its descendants are omitted from search. If any of these omitted states was an error state, we could also have false positives. We present a new technique which reduces the number of omitted states, by requiring a slightly higher computation time, but without employing any additional memory. Our technique works for depthfirst search based state exploration, and exploits the fact that when a nonterminal state t is represented in the hash table, then one of the successors of t (the first to be expanded next, typically the leftmost) is also represented in the visited states hash table. Therefore, instead of backing off when the compressed state images match, our algorithm persists to see if any of the leftmost successors also matches (the number of successors which are considered for each state is userdefined, thus we name our approach Precision on Demand or POD). This paper provides a scientific evaluation of the pros and cons of this approach. We have implemented the algorithm in two versions of the Murphi explicit state model checker, one based on hash compaction and the other based on Bloom filters, and present experimental results. Our results indicate that PODhashing has the potential to reduce storage requirements or increase the number of bugs likely to be caught when operating within a given amount of storage, with the execution time likely to increase by a factor of 1.8 or less.