
Automated Software Engineering, Volume 10, Issue 2, pp 203–232

Model Checking Programs

  • Willem Visser
  • Klaus Havelund
  • Guillaume Brat
  • SeungJoon Park
  • Flavio Lerda

Abstract

The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.

Keywords: model checking, Java, symmetry, abstraction, runtime analysis, static analysis



Copyright information

© Kluwer Academic Publishers 2003

Authors and Affiliations

  • Willem Visser (1)
  • Klaus Havelund (2)
  • Guillaume Brat (2)
  • SeungJoon Park (1)
  • Flavio Lerda (1)
  1. RIACS/NASA Ames Research Center, Moffett Field, USA
  2. Kestrel Technologies/NASA Ames Research Center, Moffett Field, USA
