Model Checking in Bits and Pieces
Fully automated verification of concurrent programs is a difficult problem, primarily because of state explosion: the exponential growth of a program state space with the number of its concurrently active components. It is natural to apply a divide and conquer strategy to ameliorate state explosion, by analyzing only a single component at a time. We show that this strategy leads to the notion of a "split" invariant, an assertion which is globally inductive, while being structured as the conjunction of a number of local, per-component invariants. This formulation is closely connected to the classical Owicki-Gries method and to Rely-Guarantee reasoning. We show how the division of an invariant into a number of pieces with limited scope makes it possible to apply new, localized forms of symmetry and abstraction to drastically simplify its computation. Split invariance also has interesting connections to parametric verification. A quantified invariant for a parametric system is a split invariant for every instance. We show how it is possible, in some cases, to invert this connection, and to automatically generalize from a split invariant for a small instance of a system to a quantified invariant which holds for the entire family of instances.
- Conference Article
1
- 10.1109/ase.2002.1115041
- Sep 23, 2002
Summary form only given. Model checking is a formal method that verifies whether a finite state model of a system satisfies a specification given as a temporal logic formula. The most severe problem model checking suffers from is the so called state explosion problem. Distribution is one of the techniques that combat the state explosion. The aim is to distribute the state space among a number of computers so as to be able to verify larger systems. Another approach that deals with the state explosion problem is modularity, i.e. exploiting the structure of the system. We propose to employ modular techniques to the distributed model checking problem. This can be useful especially for software, as the software model checking algorithms suffer from state explosion more severely than the hardware model checking techniques even when the system consists of one sequential finite-state component. Moreover, software programs have typically richer syntactic structure that can be exploited. Besides elaborating a theoretical background for distributed model checking based on the modular approach, we also intend to develop modular approaches to partitioning the state space, in particular to define partition functions that reduce the necessary communication in the distributed environment.
- Book Chapter
9
- 10.1007/978-3-540-73370-6_9
- Jul 28, 2014
State explosion in model checking continues to be the primary obstacle to widespread use of software model checking. The large input ranges of variables used in software is the main cause of state explosion. As software grows in size and complexity, the problem only becomes worse. As such, model checking research into data abstraction as a way of mitigating state explosion has become more and more important. Data abstractions aim to reduce the effect of large input ranges. This work focuses on a static program analysis technique called dead variable analysis. The goal of dead variable analysis is to discover variable assignments that are not used. When applied to model checking, this allows us to ignore the entire input range of dead variables and thus reduce the size of the explored state space. Prior research into dead variable analysis for model checking does not make full use of dynamic run-time information that is present during model checking. We present an algorithm for intraprocedural dead variable analysis that uses dynamic run-time information to find more dead variables on-the-fly and further reduce the size of the explored state space. We introduce a definition for the maximal state space reduction possible through an on-the-fly dead variable analysis and then show that our algorithm produces a maximal reduction in the absence of non-determinism. Keywords: State Space, Model Check, Execution Path, Program Location, State Explosion.
- Book Chapter
8
- 10.1007/978-3-319-47677-3_8
- Jan 1, 2016
Software model checking suffers from the so-called state explosion problem, and relaxed memory consistency models make this situation even worse. What is worse, parameterizing model checking by memory consistency models, that is, making the model checker flexible enough that definitions of memory consistency models can be supplied as input, intensifies state explosion. This paper explores specific reasons for state explosion in model checking with multiple memory consistency models, provides some optimizations intended to mitigate the problem, and applies them to McSPIN, a model checker for memory consistency models that we are developing. The effects of the optimizations and the usefulness of McSPIN are demonstrated experimentally by verifying copying protocols of concurrent copying garbage collection algorithms. To the best of our knowledge, this is the first model checking of the concurrent copying protocols under relaxed memory consistency models.
- Research Article
8
- 10.1007/s10817-012-9258-1
- Aug 30, 2012
- Journal of Automated Reasoning
We present a framework for the specification and verification of reactive concurrent programs using general-purpose mechanical theorem proving. We define specifications for concurrent programs by formalizing a notion of refinements analogous to stuttering trace containment. The formalization supports the definition of intuitive specifications of the intended behavior of a program. We present a collection of proof rules that can be effectively orchestrated by a theorem prover to reason about complex programs using refinements. The proof rules systematically reduce the correctness proof for a concurrent program to the definition and proof of an invariant. We include automated support for discharging this invariant proof with a predicate abstraction tool that leverages the existing theorems proven about the components of the concurrent programs. The framework is integrated with the ACL2 theorem prover and we demonstrate its use in the verification of several concurrent programs in ACL2.
- Research Article
15
- 10.1002/(sici)1097-024x(199910)29:12<1123::aid-spe275>3.0.co;2-6
- Oct 1, 1999
- Software: Practice and Experience
LOTOS is a formal specification language for concurrent and distributed systems. Basic LOTOS is the version of LOTOS without value-passing. A widely used approach to the verification of temporal properties is model checking. Often, in this approach the formal specification is translated into a labeled transition system on which formulae expressing properties are checked. A problem with this verification technique is state explosion: concurrent systems are often represented by automata with a prohibitive number of states. In this paper we show how, given a set ρ of actions, it is possible to automatically obtain for a Basic LOTOS program a reduced transition system to which only the arcs labeled by actions in ρ belong. The set ρ of actions plays a fundamental role in conjunction with a temporal logic defined by the authors in a previous paper: selective mu-calculus. The reduced system with respect to ρ preserves the truth value of all selective mu-calculus formulae with actions from the set ρ. We act at both syntactic and semantic levels. From a syntactic point of view, we define a set of transformation rules obtaining a smaller program. On the semantic side, we define a non-standard semantics which dynamically reduces the transition system during generation. We present a tool implementing both the syntactic and the semantic reduction. Copyright © 1999 John Wiley & Sons, Ltd.
- Book Chapter
2
- 10.1007/3-540-44450-5_1
- Jan 1, 2000
Model checking is an automatic method for verifying correctness of reactive programs. Originally proposed as part of the dissertation work of the author, model checking is based on efficient algorithms searching for the presence or absence of temporal patterns. In fact, model checking rests on a theoretical foundation of basic principles from modal logic, lattice theory, as well as automata theory that permits program reasoning to be completely automated in principle and highly automated in practice. Because of this automation, the practice of model checking is nowadays well-developed, and the range of successful applications is growing. Model checking is used by most major hardware manufacturers to verify microprocessor circuits, while there have been promising advances in its use in software verification as well. The key obstacle to applicability of model checking is, of course, the state explosion problem. This paper discusses part of our ongoing research program to limit state explosion. The relation of theory to practice is also discussed. Keywords: Model Check, Modal Logic, Temporal Logic, Mutual Exclusion, Symmetry Reduction.
- Book Chapter
2
- 10.1007/3-540-45251-6_7
- Jan 1, 2001
This paper describes a reduction technique which is very useful against the state explosion problem which occurs when model checking many distributed systems. Timestamps are often used to keep track of the relative order of events. They are usually implemented with very large counters and therefore they generate state explosion. The aim of this paper is to present a very efficient reduction of the state space generated by a model checker when using timestamps. The basic idea is to map the timestamp values to the smallest possible range. This is done dynamically and on-the-fly by adding to the model checker a call to a reduction function after each newly generated state. Our reduction works for model checkers using explicit state enumeration and does not require any change in the model. Our method has been applied to an industrial example and the reduction obtained was spectacular.
- Research Article
3
- 10.7916/d8zg714d
- Jan 1, 2008
- Columbia Academic Commons (Columbia University)
Model checking the state space (all possible behaviors) of software systems is a promising technique for verification and validation. Bugs such as security vulnerabilities, file storage issues, deadlocks and data races can occur anywhere in the state space and are often triggered by corner cases; therefore, it becomes important to explore and model check all runtime choices. However, large and complex software systems generate huge numbers of behaviors leading to ‘state explosion’. eXplode is a lightweight, deterministic and depth-bound model checker that explores all dynamic choices at runtime. Given an application-specific test-harness, eXplode performs state search in a serialized fashion which limits its scalability and performance. This paper proposes a distributed eXplode engine that uses multiple host machines concurrently in order to achieve more state space coverage in less time, and is very helpful to scale up the software verification and validation effort. Test results show that Distributed eXplode runs several times faster and covers more state space than the standalone eXplode.
- Book Chapter
10
- 10.1007/978-3-540-30569-9_11
- Jan 1, 2005
Explicit-State Model Checking is a well-studied technique for the verification of concurrent programs. Due to exponential costs associated with model checking, researchers often focus on applying model checking to software units rather than whole programs. Recently, we have introduced a framework that allows developers to specify and model check rich properties of Java software units using the Java Modeling Language (JML). An often overlooked problem in research on model checking software units is the problem of environment generation: how does one develop code for a test harness (representing the behaviors of contexts in which a unit may eventually be deployed) for the purpose of driving the unit being checked along relevant execution paths? In this paper, we build on previous work in the testing community and we focus on the use of coverage information to assess the appropriateness of environments and to guide the design/modification of environments for model checking software units. A novel aspect of our work is the inclusion of specification coverage of JML specifications in addition to code coverage in an approach for assessing the quality of both environments and specifications. To study these ideas, we have built a framework called MAnTA on top of the Bogor Software Model Checking Framework that allows the integration of a variety of coverage analyses with the model checking process. We show how we have used this framework to add two different types of coverage analysis to our model checker (Bogor) and how it helped us find coverage holes in several examples. We make an initial effort to describe a methodology for using code and specification coverage to aid in the development of appropriate environments and JML specifications for model checking Java units. Keywords: Model Check, Coverage Analysis, Coverage Information, Java Modeling Language, Coverage Metrics.
- Conference Article
5
- 10.1109/sefm.2008.31
- Jan 1, 2008
Testing object-oriented programs is still a hard task, despite many studies on criteria to better cover the test space. Test criteria establish requirements one wants to achieve in testing programs to help in finding software defects. On the other hand, program verification guarantees that a program preserves its specification, but its application is not very straightforward in many cases. Both program testing and verification are expensive tasks and could be used to complement each other. This paper presents a new approach to automate and integrate testing and program verification for fault-tolerant systems. In this approach we show how to use information from program verification in order to reduce the test space with respect to exception definition/use testing criteria. As properties of exception-handling mechanisms are checked using a model checker (Java PathFinder), programs are traced. Information from these traces can be used to determine how much of the testing criteria has been covered, reducing the remaining program test space.
- Conference Article
6
- 10.1109/aspdac.2004.1337610
- Oct 19, 2004
Computation Tree Logic (CTL) model checking is sensitive to state explosion. Conventionally, CTL semantics is defined over a Kripke structure where each state is labelled with all the atomic propositions. For open systems, this necessitates input labeling of the states. In contrast, the common model used for sequential circuit design is the finite state machine (FSM) model, or equivalently, the state transition diagram (STD), where the inputs are associated not with the states but with the transitions. Thus, to use a conventional CTL model checker, the STD has to be converted first to a Kripke structure, and the model checking algorithm then applied to that Kripke structure. The need for associating input labels with the states results in state explosion, which ultimately degrades model checking efficiency. The paper presents the CTL semantics over STD structures and develops a model checking algorithm which works directly over the STD. This yields a performance gain over conventional model checking by an exponential factor, especially for open systems.
- Conference Article
221
- 10.1145/1985793.1985838
- May 21, 2011
We study the problem of model checking software product line (SPL) behaviours against temporal properties. This is more difficult than for single systems because an SPL with n features yields up to 2^n individual systems to verify. As each individual verification suffers from state explosion, it is crucial to propose efficient formalisms and heuristics. We recently proposed featured transition systems (FTS), a compact representation for SPL behaviour, and defined algorithms for model checking FTS against linear temporal properties. Although they were shown to outperform individual system verifications, they still face a state explosion problem as they enumerate and visit system states one by one. In this paper, we tackle this latter problem by using symbolic representations of the state space. This led us to consider computation tree logic (CTL), which is supported by the industry-strength symbolic model checker NuSMV. We first lay the foundations for symbolic SPL model checking by defining a feature-oriented version of CTL and its dedicated algorithms. We then describe an implementation that adapts the NuSMV language and tool infrastructure. Finally, we propose theoretical and empirical evaluations of our results. The benchmarks show that for certain properties, our algorithm is over a hundred times faster than model checking each system with the standard algorithm.
- Research Article
- 10.1016/s1571-0661(05)80755-8
- Jan 1, 2000
- Electronic Notes in Theoretical Computer Science
Exploiting Design Structure in Model Checking: Invited Speaker
- Research Article
2
- 10.1002/stvr.1828
- Jul 20, 2022
- Software Testing, Verification and Reliability
In existing computer systems, file systems are indispensable for organizing user data and system codes. However, several studies have reported certain file system errors that cause significant data loss or system crashes. Most of these errors are due to external failures, such as an unexpected power outage. However, comprehensively evaluating file system robustness to detect these errors is challenging. The various types of file systems use different data structures and algorithms for various applications. Moreover, file system errors may be triggered by an unpredictable external condition. In addition, a file system works in an operating system's kernel layer as a passive module and runs in a multi-thread mode, which makes file system testing time-intensive. Furthermore, the large number of states in file systems leads to greedy checking, which results in a state explosion. In this study, we comprehensively evaluated the robustness expected in multiple properties of file systems using a model checking approach. The evaluation covered the majority of the mainstream file system types and included both single-thread and multi-thread modes. We developed Promela models that abstracted the real file systems and subsequently checked them using the SPIN model checker. Our model was optimized to avoid state explosion during model checking. Using the model checking, we successfully detected corner-case errors during an unexpected power outage. By analysing counterexamples generated by model checking, we determined an improved file system model capable of preventing errors in most mainstream file system types. Finally, we rechecked the improved file system model and verified the absence of all critical errors.
- Conference Article
3
- 10.5555/1015090.1015194
- Jan 27, 2004
Computation Tree Logic (CTL) model checking is sensitive to state explosion. Conventionally, CTL semantics is defined over a Kripke structure where each state is labelled with all the atomic propositions. For open systems, this necessitates input labeling of the states. In contrast, the common model used for sequential circuit design is the finite state machine (FSM) model, or equivalently, the state transition diagram (STD), where the inputs are associated not with the states but with the transitions. Thus, to use a conventional CTL model checker, the STD has to be converted first to a Kripke structure, and the model checking algorithm then applied to that Kripke structure. The need for associating input labels with the states results in state explosion, which ultimately degrades model checking efficiency. The paper presents the CTL semantics over STD structures and develops a model checking algorithm which works directly over the STD. This yields a performance gain over conventional model checking by an exponential factor, especially for open systems.