No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Model checking without a model
Abstract
VeriSoft is a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary code written in full-fledged programming languages such as C or C++. The state space of a concurrent system is a directed graph that represents the combined behavior of all concurrent components in the system. By exploring its state space, VeriSoft can automatically detect coordination problems between the processes of a concurrent system.We report in this paper our analysis with VeriSoft of the "Heart-Beat Monitor" (HBM), a telephone switching application developed at Lucent Technologies. The HBM of a telephone switch determines the status of different elements connected to the switch by measuring propagation delays of messages transmitted via these elements. This information plays an important role in the routing of data in the switch, and can significantly impact switch performance.We discuss the steps of our analysis of the HBM using VeriSoft. Because no modeling of the HBM code is necessary with this tool, the total elapsed time before being able to run the first tests was on the order of a few hours, instead of several days or weeks that would have been needed for the (error-prone) modeling phase required with traditional model checkers or theorem provers.We then present the results of our analysis. Since VeriSoft automatically generates, executes and evaluates thousands of tests per minute and has complete control over nondeterminism, our analysis revealed HBM behavior that is virtually impossible to detect or test in a traditional lab-testing environment. Specifically, we discovered flaws in the existing documentation on this application and unexpected behaviors in the software itself. These results are being used as the basis for the redesign of the HBM software in the next commercial release of the switching software.
... In in VeriSoft [GHJ98] dynamically on-the-fly system, Godefroid et al. developed a system similar to what we plan. VeriSoft systematically explores the state spaces of systems composed of concurrent processes executing arbitrary code without storing any intermediate states in memory. ...
... Based on the results, necessary modifications will be made to the monitor. When the monitor functionality and performance are satisfactory, other dynamic data race detection algorithms similar to the one used in VeriSoft [GHJ98] and RecPlay tool [ROB00] will be experimented with. ...
... Many works concern the analysis of concurrent programs with formal methods. We can cite :@BULLET Verification of distributed applications described in Promela or in C with the tool FeaVer or with the Spin model-checker at Bell Laboratories[11],[9],[7], or with the tool VeriSoft[5],[4]. @BULLET Multi-threaded Java source code verification with model checking techniques, using an adaptation of the Spin tool in the Bandera project[2]at Kansas State University. ...
In this paper we present an original and useful way for specifying and verifying temporal properties of concurrent programs with our tool named Quasar. Quasar is based on ASIS and uses formal methods (model checking). Properties that can be checked are either general, like deadlock or fairness, or more context specific, referring to tasks states or to value of variables; properties are then expressed in temporal logic. In order to simplify the expression of these properties, we define some templates that can be instantiated with specific items of the programs. We demonstrate the usefulness of these templates by verifying subtle variations of the Peterson algorithm. Thus, although Quasar uses up-to-date formal methods it remains accessible to a large class of practitioners.
... In particular this team developped the tool FeaVer [HS00], based on the Spin model-checker, that allows the verification of distributed applications written in ANSI-C source code. In parallel, P. Godefroid (also at Bell Laboratories) has developped a tool named VeriSoft [God97], [GHJ98]. ...
Concurrency introduces a high degree of combinatory which may be the source of subtle mistakes. We present a new tool, Quasar, which is based on ASIS and which uses fully the concept of patterns. The analysis of a concurrent Ada program by our tool proceeds in four steps: automatic extraction of the concurrent part of the program; translation of the simplified program into a formal model using predefined patterns that are combined by substitution and merging constructors; analysis of the model both by structural techniques and model-checking techniques; reporting deadlock or starvation results. We demonstrate the usefulness of Quasar by analyzing several variations of a non trivial concurrent program.
... we only know that it is a subset of AE È and that it contains × . Fortunately, this is not a problem, as it is possible to build Ë "on the fly" as we build the state space Ë [12]. ...
Petri nets and stochastic Petri nets have been widely adopted as one of the best tools to model the logical and timing behavior of discrete-state systems. However, their practical applicability is limited by the state-space explosion problem. We survey some of the techniques that have been used to cope with large state spaces, starting from early explicit methods, which require data structures of size proportional to the number of states or state-to-state transitions, then moving to implicit methods, which borrow ideas from symbolic model checking (binary decision diagrams) and numerical linear algebra (Kronecker operators) to drastically reduce the computational requirements.
Stateless model checking (SMC) is an automatic technique with low memory requirements for finding errors in concurrent programs or for checking for their absence. To be effective, SMC tools require algorithms that combat the combinatorial explosion in the number of process/thread interactions that need to be explored. In recent years, a plethora of such algorithms have emerged, which can be classified broadly in those that explore interleavings (i.e., complete serializations of events) and those that explore traces (i.e., graphs of events). In either case, an SMC algorithm is optimal if it explores exactly one representative from each class of equivalent executions. In this paper, we examine the parallelization of a state-of-the-art graph-based algorithm for SMC under sequential consistency, based on the reads-from relation. The algorithm is provably optimal, and in practice spends only polynomial time per equivalence class. We present the modifications to the algorithm that its parallelization requires and implementation aspects that allow us to make it scalable. We report on the performance and scalability that we were able to achieve on C/pthread programs, and how this performance compares to that of other SMC tools. Finally, we argue for the inherent advantages that graph-based algorithms have over interleaving-based ones for achieving scalability when parallelism enters the picture.
We present a new approach for stateless model checking (SMC) of multithreaded programs under Sequential Consistency (SC) semantics. To combat state-space explosion, SMC is often equipped with a partial-order reduction technique, which defines an equivalence on executions, and only needs to explore one execution in each equivalence class. Recently, it has been observed that the commonly used equivalence of Mazurkiewicz traces can be coarsened but still cover all program crashes and assertion violations. However, for this coarser equivalence, which preserves only the reads-from relation from writes to reads, there is no SMC algorithm which is (i) optimal in the sense that it explores precisely one execution in each reads-from equivalence class, and (ii) efficient in the sense that it spends polynomial effort per class. We present the first SMC algorithm for SC that is both optimal and efficient in practice, meaning that it spends polynomial time per equivalence class on all programs that we have tried. This is achieved by a novel test that checks whether a given reads-from relation can arise in some execution. We have implemented the algorithm by extending Nidhugg, an SMC tool for C/C++ programs, with a new mode called rfsc. Our experimental results show that Nidhugg/rfsc, although slower than the fastest SMC tools in programs where tools happen to examine the same number of executions, always scales similarly or better than them, and outperforms them by an exponential factor in programs where the reads-from equivalence is coarser than the standard one. We also present two non-trivial use cases where the new equivalence is particularly effective, as well as the significant performance advantage that Nidhugg/rfsc offers compared to state-of-the-art SMC and systematic concurrency testing tools.
We present a framework for the efficient application of stateless model checking (SMC) to concurrent programs running under the Release-Acquire (RA) fragment of the C/C++11 memory model. Our approach is based on exploring the possible program orders, which define the order in which instructions of a thread are executed, and read-from relations, which specify how reads obtain their values from writes. This is in contrast to previous approaches, which also explore the possible coherence orders, i.e., orderings between conflicting writes. Since unexpected test results such as program crashes or assertion violations depend only on the read-from relation, we avoid a potentially significant source of redundancy. Our framework is based on a novel technique for determining whether a particular read-from relation is feasible under the RA semantics. We define an SMC algorithm which is provably optimal in the sense that it explores each program order and read-from relation exactly once. This optimality result is strictly stronger than previous analogous optimality results, which also take coherence order into account. We have implemented our framework in the tool Tracer. Experiments show that Tracer can be significantly faster than state-of-the-art tools that can handle the RA semantics.
State-space exploration is a powerful technique for verification of concurrent software systems. Applying it to software systems written in standard programming languages requires powerful abstractions (of data) and reductions (of atomicity), which focus on simplifying the data and control, respectively, by aggregation. We propose a reduction that exploits a common pattern of synchronization, namely, the use of locks to protect shared data structures. This pattern of synchronization is particularly common in concurrent Java programs, because Java provides built-in locks. We describe the design of a new tool for state-less state-space exploration of Java programs that incorporates this reduction. We also describe an implementation of the reduction in Java PathFinder, a more traditional state-space exploration tool for Java programs.
Previous approaches to systematic state-space exploration for testing
multi-threaded programs have proposed context-bounding and depth-bounding to be
effective ranking algorithms for testing multithreaded programs. This paper
proposes two new metrics to rank thread schedules for systematic state-space
exploration. Our metrics are based on characterization of a concurrency bug
using v (the minimum number of distinct variables that need to be involved for
the bug to manifest) and t (the minimum number of distinct threads among which
scheduling constraints are required to manifest the bug). Our algorithm is
based on the hypothesis that in practice, most concurrency bugs have low v
(typically 1- 2) and low t (typically 2-4) characteristics. We iteratively
explore the search space of schedules in increasing orders of v and t. We show
qualitatively and empirically that our algorithm finds common bugs in fewer
number of execution runs, compared with previous approaches. We also show that
using v and t improves the lower bounds on the probability of finding bugs
through randomized algorithms.
Systematic exploration of schedules requires instrumenting each variable
access made by a program, which can be very expensive and severely limits the
applicability of this approach. Previous work [5, 19] has avoided this problem
by interposing only on synchronization operations (and ignoring other variable
accesses). We demonstrate that by using variable bounding (v) and a static
imprecise alias analysis, we can interpose on all variable accesses (and not
just synchronization operations) at 10-100x less overhead than previous
approaches.
We present a novel framework for exploring very large state spaces of concurrent reactive systems. Our framework exploits
application-independent heuristics using genetic algorithms to guide a state-space search towards error states.We have implemented
this frameworkin conjunction with VeriSoft, a tool for exploring the state spaces of software applications composed of several
concurrent processes executing arbitrary code. We present experimental results obtained with several examples of programs,
including a C implementation of a public key authentication protocol.We discuss heuristics and properties of state spaces
that help a genetic search detect deadlocks and assertion violations. For finding errors in very large state spaces, our experiments
show that a genetic search using simple heuristics can significantly outperform random and systematic searches.
This paper summarises our experience in using model-checking technology to understand the behaviour of a system. A simple model of the system under test is created from the informal documentation. This model is used to create a test environment for the system. The behaviour of system combined with the test environment is then verified using the tool Verisoft. This requires a few changes to the original source code. The aim to minimize the number of changes to the original source code so that its original behaviour is not affected. The use of Verisoft to create a model, which can subsequently be used for testing is also studied. The main conclusion is that it is possible to use bounded model checking on source code with a view towards verifying key behavioural properties.
With a few exceptions, previous formal methods for reactive system design have focused on finite state machines represented in terms of boolean states and boolean next-state functions. By contrast, in many reactive system domains requirements engineers and developers think in terms of complex data types and expressive next-state functions. Formal methods for reactive system design must be extended to meet their needs as well. I term a reactive system function rich if expressing its state, next-state function, or output function naturally requires this higher expressive power. ISAT, a prototype formal-methods based tool environment, is intended to assist in the creation of function rich reactive systems. This paper describes a case study I have carried out using ISAT to design, validate, synthesize, and evolve controllers for the email agent components making up a novel spam-free email system that I deployed in a user trial in July 1999. The trial has been running since, with high availability, through several evolutionary specification changes and resulting software releases. In addition to summarizing ISAT and the trial, this paper discusses tool requirements placed by the domain and task, the simple and powerful platform/controller/pure-functions software architecture of the components, as well as lessons learned from the study.
Providing information about other users and their activites is a central function of many collaborative applications. The data that provide this "presence awareness" are usually automatically generated and highly dynamic. For example, services such as AOL Instant Messenger allow users to observe the status of one another and to initiate and participate in chat sessions. As such services become more powerful, privacy and security issues regarding access to sensitive user data become critical. Two key software engineering challenges arise in this context:Policies regarding access to data in collaborative applications have subtle complexities, and must be easily modifiable during a collaboration.Users must be able to have a high degree of confidence that the implementations of these policies are correct.In this paper, we propose a framework that uses an automated verification approach to ensure that such systems conform to complex policies. Our approach takes advantage of VeriSoft, a recent tool for systematically testing implementations of concurrent systems, and is applicable to a wide variety of specification and development platforms for collaborative applications. we illustrate the key features of our framework by applying it to the development of a presence awareness system.
Testing or model-checking an open reactive system often requires generating a model of the environment. We describe a static analysis for Java that computes a partition of a system's inputs: inputs in the same equivalence class lead to identical behavior. The partition provides a basis for generation of code for a most general environment of the system, i.e., one that exercises all possible behaviors of the system. The partition also helps the generated environment avoid exercising the same behavior multipletimes. Many distributed systems with security requirements can be regarded as open reactive systems whose environment is an adversary-controlled network. We illustrate our approach by applying it to a fault-tolerant and intrusion-tolerant distributed voting system and model-checking the system together with the generated environment.
We present a novel frameworkfor,exploring very large state spaces of concurrent reactive systems. Our frameworkexploits application-independent heuristics using genetic algorithms to guide a state-space search towards error states. We have implemented this frameworkin conjunction with VeriSoft, a tool for exploring the state spaces of software applications composed,of several concurrent processes executing arbitrary code. We present experimental results obtained with several examples of programs, including a C implementation of a publickey authentication protocol. We discuss heuristics and properties of state spaces that help a genetic search detect deadlocks and assertion violations. For finding errors in very large state spaces, our experiments show that a genetic search using simple heuristics can significantly outperform random,and systematic searches.
Passive monitoring or testing of complex systems and networks running in the field can provide valuable insights into their behavior in actual environments of use. In certain contexts, such as network management and intrusion detection for security, passive monitoring is the most applicable methodology for assuring correctness of the system's behavior. More generally, it can serve to complement and extend functional testing and fault detection efforts that take place during the software/product development lifecycle. Two distinguishing aspects of passive monitoring are that: (a) the fault detection process cannot influence the execution of the system by providing particular inputs to the system, and (b) observations are obtained mid-stream, from an unknown state in the middle of the execution of the system. In this paper, we present results on passively testing for real-time behavioral properties that can be applied to a large class of systems including those that can be modeled as timed automata. Our results provide a natural extension of the passive testing study conducted in [17] for untimed properties. We have implemented our approach using the real-time model checker UPPAAL, and we report on its application to passively test fault tolerance software in a telecommunications switch developed at Lucent Technologies.
We study how to exploit symmetry induced by identical processes or data structures when systematically exploring the state spaces of concurrent software applications such as implementations of communication protocols. Existing model-checking symmetry reduction methods are based on equivalence classes of states, and assume that every system state can easily be encoded by a unique string of bits. When dealing with processes described by software programs written in full-fledged programming languages such as C, C++ or Java, this assumption is not valid anymore. Indeed, the state of each process is determined by the values of all the memory locations that can be accessed by the process and influence its behavior (including activation records associated to procedure calls). This amount of information is typically far too large and complex to be efficiently computed at each step of a state-space exploration.
We develop in this paper a simple theory based on equivalence classes of sequences of transitions for representing symmetries in a system. We then present a state-space exploration algorithm for exploiting symmetries on transitions which does not rely on explicit encodings of system states. This algorithm can be used to dynamically prune the state spaces of implementations of concurrent reactive software systems in a reliable way.
We report on the design, implementation, and use of C Wolf, a toolset which extracts finite labeled transition systems from
C programs. The extraction process is guided by user input on how a program should be abstracted, and what events should be
made observable to the user. The output is an abstracted model suitable for input to the Concurrency Workbench. Additionally,
facilities are provided to carry out simple observational equivalence-preserving transformations which reduce the size of
the generated model. Finally, we report our experiences in using the toolset to analyze the GNU i-protocol(V ersion 1.04)
and the BSD ftp daemon (Version 0.3.3).
Several concurrent implementations of familiar data abstractions such as queues, sets, or maps typically do not follow locking disciplines, and often use lock-free synchronization to gain performance. Since such algorithms are exposed to a weak memory model, they are notoriously hard to get correct, as witnessed by many bugs found in published algorithmsWe outline a technique for analyzing correctness of concurrent algorithms under weak memory models, in which a model checker is used to search for correctness violations. The algorithm to be analyzed is transformed into a form where statements may be reordered according to a particular weak memory ordering. The transformed algorithm can then be analyzed by a model-checking tool, e.g., by enumerative state exploration. We illustrate the approach on a small example of a queue, which allows an enqueue operation to be concurrent with a dequeue operation, which we analyze with respect to the RMO memory model defined in SPARC v9.
An asynchronous message-passing program P is nondeterministic. Given the same input, multiple executions of P may exercise different send/receive event sequences (or SR-sequences) and may even produce different results. Such nondeterminacy makes it difficult to determine the correctness of P. Let X be an input of P. Assume that any execution of P with X terminates. Reachability testing of P with X is to execute, in a systematic manner, all possible SR-sequences of P with X such that the correctness of P with X can be determined. The basic idea of reachability testing is described as follows. We first execute P with X nondeterministically to collect one or more SR-sequences. For each collected SR-sequence, we analyze its race conditions and generate race variants, which are prefixes of other SR-sequences. We replay race variants to generate new SR-sequences. For each new SR-sequence, we repeat the same process until we eventually execute all possible SR-sequences of P with X. We describe an efficient implementation of reachability testing of asynchronous message-passing programs. Our technique deals with partially-ordered SR-sequences and reduces the complexity and redundancy caused by totally-ordered SR-sequences.
This paper summarises our experience in using model checking technology to test concurrent programs. We use the tool Verisoft to understand various aspects of a firewall tool kit by instrumenting three components of the firewall tool kit with hooks to test their behaviour. Some of the key changes include changing socket communication to message passing queues and adding appropriate synchronisations so that the behaviour of the system can be tracked. We aim to minimize the number of changes to the original source code so that its original behaviour is not affected The main conclusion is that it is possible to inspect source code with a view towards verifying key behavioural properties without understanding the entire behaviour of the system.
P. Godefroid (1997) developed a state-space exploration technique that does not store states in memory. This stateless search technique is effective for testing concurrent programs. It performs deterministic executions of a concurrent program by automatically controlling the execution of synchronization operations. This technique also uses partial order reduction methods to reduce the chance of executing two or more different totally-ordered paths with the same partial order. In this paper, we propose extensions to Godefroid's technique and compare it with other stateless search techniques for testing concurrent programs. Our empirical results indicate that a combination of stateless searching and a simple cycle prediction method is very cost-effective for detecting deadlocks and violations of assertions
Verification by state-space exploration, also often referred to as model checking, is an effective method for analyzing the correctness of concurrent reactive systems (for instance, communication protocols). Unfortunately, traditional model checking is restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. We discuss in this paper how model checking can be extended to analyze arbitrary software, such as implementations of communication protocols written in programming languages like C or C++. We then introduce a search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary code. During the past five years, VeriSoft has been applied successfully for analyzing several software products developed in Lucent Technologies, and has also been licensed to hundreds of users in industry and academia. We discuss applications, strengths and limitations of VeriSoft, and compare it to other approaches to software model checking, analysis and testing.
The significance of software systems has rapidly increased. The assurance of software systems has become a critical requirement of the information age. Formal verification on the design of a system and testing on a system implementation with a variety of inputs has been used for this purpose. However, verifying a design can not guarantee the correctness of an implementation. Although testing is performed on implementation, it does not give formal guarantees because it is not possible to test exhaustively. Run-time formal analysis is proposed to combat the weaknesses of formal verification and testing. Run-time formal analysis aims to assure the correctness of the current execution at run-time. Run-time formal analysis is performed based on a formal specification of system requirements. This dissertation proposes a framework for run-time formal analysis. We investigate general issues for the framework. We show that a set of the properties run-time formal analysis can detect is a subset...
this paper we propose a partial order reduction for FLAVERS, a finite verification approach based on data flow analysis [2]. Although the program model that FLAVERS uses does not enumerate all possible states of the concurrent system under analysis, it uses a special type of edges to represent possible interleavings between events in different processes. The optimization that we propose in this paper uses partial orders to eliminate some of these edges, thereby improving efficiency of the FLAVERS analysis
We give an efficient procedure for verifying that a finite-state concurrent system meets a specification expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global state graph for the concurrent system. We also show how this approach can be adapted to handle fairness. We argue that our technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems. Experimental results show that state machines with several hundred states can be checked in a matter of seconds.
A program denotes computations in some universe of objects. Abstract interpretation of programs consists in using that denotation to describe computations in another universe of abstract objects, so that the results of abstract execution give some information on the actual computations. An intuitive example (which we borrow from Sintzoff [72]) is the rule of signs. The text -1515 * 17 may be understood to denote computations on the abstract universe {(+), (-), (±)} where the semantics of arithmetic operators is defined by the rule of signs. The abstract execution -1515 * 17 → -(+) * (+) → (-) * (+) → (-), proves that -1515 * 17 is a negative number. Abstract interpretation is concerned by a particular underlying structure of the usual universe of computations (the sign, in our example). It gives a summary of some facets of the actual executions of a program. In general this summary is simple to obtain but inaccurate (e.g. -1515 + 17 → -(+) + (+) → (-) + (+) → (±)). Despite its fundamentally incomplete results abstract interpretation allows the programmer or the compiler to answer questions which do not need full knowledge of program executions or which tolerate an imprecise answer, (e.g. partial correctness proofs of programs ignoring the termination problems, type checking, program optimizations which are not carried in the absence of certainty about their feasibility, …).
This paper presents the tools Ald' ebaran, Caesar, Caesar.adt and Cl' eop atre which constitute a toolbox for compiling and verifying Lotos programs. The principles of these tools are described, as well as their performances and limitations. Finally, the formal verification of the rel/REL atomic multicast protocol is given as an example to illustrate the practical use of the toolbox. Keywords: reliability, formal methods, Lotos, verification, validation, model-based methods, modelchecking, transition systems, bisimulations, temporal logics, diagnostics Introduction There is an increasing need for reliable software, which is especially critical in some areas such as communication protocols, distributed systems, real-time control systems, and hardware synthesis systems. It is now agreed that reliability can only be achieved through the use of rigorous design techniques. This has motivated a lot of research on specification formalisms and associated verification methods and tools. Ver...
Flowback analysis is a powerful technique for debugging programs. It allows the programmer to examine dynamic dependences in a program's execution history without having to re-execute the program. The goal is to present to the programmer a graphical view of the dynamic program dependences. We are building a system, called PPD, that performs flowback analysis while keeping the execution time overhead low. We also extend the semantics of flowback analysis to parallel programs. This paper describes details of the graphs and algorithms needed to implement efficient flowback analysis for parallel programs. Execution time overhead is kept low by recording only a small amount of trace during a program's execution. We use semantic analysis and a technique called incremental tracing to keep the time and space overhead low. As part of the semantic analysis, PPD uses a static program dependence graph structure that reduces the amount of work done at compile time and takes advantage of the dynami...
We present an algorithm for checking satisfiability of a linear time temporal logic formula over a finite state concurrent program. The running time of the algorithm is exponential in the size of the formula but linear in the size of the checked program. The algorithm yields also a formal proof in case the formula is valid over the program. The algorithm has four versions that check satisfiability by unrestricted, impartial, just and fair computations of the given program.
Concurrent real-time software is used in many safety-critical applications. Assuring the quality of such software requires the use of formal methods. Before a program can be analyzed formally, however, we must construct a mathematical model that captures the aspects of the program we want to verify. In this paper, we show how to construct mathematical models of concurrent real-time software that are suitable for analyzing the program's timing properties. Our approach differs from schedulability analysis in that we do not assume that the software has a highly restricted structure (e.g., a set of periodic tasks). Also, unlike most more abstract models of real-time systems, we account for essential properties of real implementations, such as resource constraints and run-time overhead.
In this paper, we describe a testing technique, called structural specification-based testing (SST), which utilizes the formal specification of a program unit as the basis for test selection and test coverage measurement. We also describe an automated testing tool, called ADLscope, which supports SST for program units specified in Sun Microsystems' Assertion Definition Language (ADL). ADLscope automatically generates coverage conditions from a program's ADL specification. While the program is tested, ADLscope determines which of these conditions are covered by the tests. An uncovered condition exhibits aspects of the specification inadequately exercised during testing. The tester uses this information to develop new test data to exercise the uncovered conditions.
We provide an overview of SST's specification-based test criteria and describe the design and implementation of ADLscope. Specification-based testing is guided by a specification, whereby the testing activity is directly related to what a component under test is supposed to do, rather than what it actually does. Specification-based testing is a significant advance in testing, because it is often more straightforward to accomplish and it can reveal failures that are often missed by traditional code-based testing techniques. As an initial evaluation of the capabilities of specification-based testing, we conducted an experiment to measure defect detection capabilities, code coverage and usability of SST/ADLscope; we report here on the results.
Developing and verifying concurrent programs presents several problems. A static analysis algorithm is presented here that addresses the following problems: how processes are synchronized, what determines when programs are run in parallel, and how errors are detected in the synchronization structure. Though the research focuses on Ada, the results can be applied to other concurrent programming languages such as CSP.
The role of automatic formal protocol verification in hardware
design is considered. Principles that maximize the benefits of protocol
verification while minimizing the labor and computation required are
identified. A novel protocol description language and verifier (both
called Murφ) are described, along with experiences in applying them
to two industrial protocols that were developed as part of hardware
designs
State-space exploration techniques are increasingly being used for debugging and proving correct finite-state concurrent reactive systems. The reason for this success is mainly the simplicity of these techniques. Indeed, they are easy to understand, easy to implement and, last but not least, easy to use: they are fully automatic. Moreover, the range of properties that they can verify has been substantially broadened thanks to the development of model-checking methods for various temporal logics. The main limit of state-space exploration verification techniques is the often excessive size of the state space due, among other causes, to the modeling of concurrency by interleaving. However, exploring all interleavings of concurrent events is not a priori necessary for verification: interleavings corresponding to the same concurrent execution contain related information. One can thus hope to be able to verify properties of a concurrent system without exploring all interleavings of its concu...
The Concurrency Workbench is an automated tool for analyzing networks of finite-state processes expressed in Milner's Calculus of Communicating Systems. Its key feature is its breadth: a variety of different verification methods, including equivalence checking, preorder checking, and model checking, are supported for several different process semantics. One experience from our work is that a large number of interesting verification methods can be formulated as combinations of a small number of primitive algorithms. The Workbench has been applied to the verification of communications protocols and mutual exclusion algorithms and has proven a valuable aid in teaching and research. 1 Introduction This paper describes the Concurrency Workbench [11, 12, 13], a tool that supports the automatic verification of finite-state processes. Such tools are practically motivated: the development of complex distributed computer systems requires sophisticated verification techniques to guarante...
Recognizing safeiy and liveness
- B Alpern
- F B Schneider
- Alpern B.
Software for ana~ lyrical development of communication protocols. AT~4T Technical Journal , 1990 . Z. Her'S1 and R. P. Kurshan. Software for ana~ lyrical development of communication protocols
- Z Her
- R P Kurshan
- Kurshan Z.