Skip to main content

Model Checking Programs

Automated Software Engineering volume 10pages 203–232 (2003)Cite this article

Abstract

The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

References

  • Ball, T., Chaki, S., and Rajamani, S. 2001a. Parameterized verification of multithreaded software libraries. In Proceedings of TACAS01: Tools and Algorithms for the Construction and Analysis of Systems. Genova, Italy.

  • Ball, T., Podelski, A., and Rajamani, S. 2001b. Boolean and Cartesian abstractions for model checking C programs. In Proceedings of TACAS01: Tools and Algorithms for the Construction and Analysis of Systems, Genova, Italy.

  • Ball, T. and Rajamani, S. 2000a. Bebop: A symbolic model checker for boolean programs. In Proceedings of the 7th International SPIN Workshop, vol. 1885 of LNCS. Stanford University, California, USA, Springer-Verlag.

    Google Scholar 

  • Ball, T. and Rajamani, S. 2000b. Checking temporal properties of software with Boolean programs. In Proceedings of Workshop on Advances in Verification.

  • Barrett, C., Dill, D., and Levitt, J. 1996. Validity checking for combinations of theories with equality. In Formal Methods in Computer-Aided Design, vol. 1166 of LNCS, pp. 187–201.

    Google Scholar 

  • Binkley, D. 1993. Precise executable interprocedural slices. ACM Letters on Programming Languages and Systems, 2:31–45.

    Google Scholar 

  • Bjørner, D. and Jones, C.B. (eds.) 1982. Formal Specification and Software Development. Prentice-Hall International.

  • Booch, G., Rumbaugh, J., and Jacobson, I. 1999. The Unified Modeling Language User Guide. Addison-Wesley.

  • Cheng, J. 1997. Dependence analysis of parallel and distributed programs and its applications. In Proceedings of the 1997 Conference on advances in Parallel and Distributed Computing.

  • Clarke, E., Emerson, E., Jha, S., and Sistla, A. 1998. Symmetry reductions in model checking. In Proceedings of the 10th International Conference for Computer-Aided Verification. Lecture Notes in Computer Science, 1427.

  • Clarke, E., Filkorn, T., and Jha, S. 1993. Exploiting symmetry in temporal logic model checking. In Proceedings of the Fifth International Conference for Computer-Aided Verification. Lecture Notes in Computer Science, 697.

  • Clarke, E., Fujita, M., Rajan, S., Reps, T., Shankar, S., and Teitelbaum, T. 1999. Program slicing of hardware description languages. Technical Report CMU-CS–99–103, Carnegie Mellon University, School of Computer Science.

  • Clarke, E., Grumberg, O., Jha, S., Lu, Y., and Veith, H. 2000. Counterexample-guided abstraction refinement. In. Proceedings of the 12th International Conference for Computer-Aided Verification. Lecture Notes in Computer Science, 1855.

  • Colón, M. and Uribe, T. 1998. Generating finite-state abstractions of reactive systems using decision procedures. In Proceedings of the 10th Conference on Computer-Aided Verification, vol. 1427 of LNCS.

  • Corbett, J., Dwyer, M., Hatcliff, J. Pasareanu, C., Robby, Laubach, S., and Zheng, H. 2000a. Bandera: Extracting finite-state models from java source code. In Proceedings of the 22nd International Conference on Software Engineering. Limeric, Ireland, ACM Press.

    Google Scholar 

  • Corbett, J.C., Dwyer, M.B., Hatcliff, J., and Robby 2000b. A language framework for expressing checkable properties of dynamic software. In Proceedings of the 7th International SPIN Workshop, vol. 1885 of Lecture Notes in Computer Science, Springer-Verlag.

  • Cornes, C., Courant, J., Filliatre, J., Huet, G., Manoury, P., Paulin-Mohring, C., Munoz, C., Murthy, C., Parent, C., Saibi, A., and Werner, B. 1995. The Coq proof assistant reference manual, version 5.10. Technical Report, INRIA, Rocquencourt, France. This version is newer than the version used to verify the BRP-protocol in Helmink et al. (1994).

    Google Scholar 

  • Cousot, P. and Cousot, R. 1992. Abstract interpretation frameworks. Journal of Logic and Computation, 4(2):511–547.

    Google Scholar 

  • Cousot, P. and Cousot, R. 1997. Parallel combination of abstract interpretation and model-based automatic analysis of software. In Proceedings of the First ACM SIGPLAN Workshop on Automatic Analysis of Software, AAS'97. pp. 91–98.

  • Das, S., Dill, D., and Park, S. 1999. Experience with predicate abstraction. In CAV' 99: 11th International Conference on Computer Aided Verification, vol. 1633 of LNCS.

  • Demartini, C., Iosif, R., and Sisto, R. 1999a. A deadlock detection tool for concurrent Java programs. Software Practice and Experience, 29(7):577–603.

    Google Scholar 

  • Demartini, C., Iosif, R., and Sisto, R. 1999b. dSPIN: A dynamic extension of SPIN. In Proceedings of the 6th SPIN Workshop, vol. 1680 of LNCS.

  • Drusinsky, D. 2000. The temporal rover and the ATG rover. In K. Havelund, J. Penix, and W. Visser, editors. SPIN Model Checking and Software Verification, vol. 1885 of Lecture Notes in Computer Science, Springer, pp. 323–330.

  • Dwyer, M., Hatcliff, J., Joehanes, R., Laubach, S., Pasareanu, C., Robby, Visser, W., and Zheng, H. 2001. Toolsupported program abstraction for finite-state verification. In Proceedings of the 23rd International Conference on Software Engineering, Toronto, Canada, ACM Press.

    Google Scholar 

  • Emerson, E. and Sistla, A. 1993. Symmetry and model checking. In CAV' 93: 5th International Conference on Computer Aided Verification, vol. 697 of Lecture Notes in Computer Science.

  • Godefroid, P. 1996. Partial-Order Methods for theVerification of Concurrent Systems, vol. 1032 of LNCS, Springer-Verlag.

  • Godefroid, P. 1997. Model checking for programming languages using veriSoft. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, Paris, pp. 174–186.

  • Gordon, M.J.C. 1988. HOL: A proof generating system for higher-order logic. In G. Birtwistle and P.A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis. Dordrecht, The Netherlands: Kluwer, pp. 73–128.

    Google Scholar 

  • Graf, S. and Saidi, H. 1997. Construction of abstract state graphs with PVS. In CAV' 97: 6th International Conference on Computer Aided Verification, vol. 1254 of LNCS.

  • Harel, D. 1987. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8:231–274.

    Google Scholar 

  • Harrow, J. 2000. Runtime checking of multithreaded applications with visual threads. In K. Havelund, J. Penix, and W. Visser, editors, SPIN Model Checking and Software Verification, vol. 1885 of Lecture Notes in Computer Science, Springer, pp. 331–342.

  • Hatcliff, J., Corbett, J., Dwyer, M., Sokolowski, S., and Zheng, H. 1999. A formal study of slicing for multithreaded programs with JVM concurrency primitives. In Proceedings on the 1999 International Symposium on Static Analysis, pp. 1–18.

  • Havelund, K. 1999a. Java PathFinder, a translator from Java to Promela. In Theoretical and Practical Aspects of SPIN Model Checking-5th and 6th International SPIN Workshops, vol. 1680 of LNCS, Springer-Verlag. Trento, Italy-Toulouse, France (presented at the 6th Workshop).

    Google Scholar 

  • Havelund, K. 1999b. Mechanical verification of a Garbage collector. In D. Méry and B. Sanders, editors, FMPPTA'99: Fourth International Workshop on Formal Methods for Parallel Programming: Theory and Applications, Springer-Verlag. San Juan, Puerto Rico, USA.

    Google Scholar 

  • Havelund, K. 2000. Using runtime analysis to guide model checking of Java programs. In K. Havelund, J. Penix, and W. Visser, editors, SPIN Model Checking and Software Verification, vol. 1885 of Lecture Notes in Computer Science, Springer, pp. 245–264.

  • Havelund, K., Lowry, M., Park, S., Pecheur, C., Penix, J., Visser, W., and White, J. 2000. Formal analysis of the remote agent before and after flight. In Proceedings of the 5th NASA Langley Formal Methods Workshop.

  • Havelund, K., Lowry, M., and Penix, J. 1998. Formal analysis of a space craft controller using SPIN. In Proceedings of the 4th SPIN workshop, Paris, France. To appear in IEEE Transactions of Software Engineering.

  • Havelund, K. and Pressburger, T. 1999. Model checking Java programs using Java PathFinder. To appear in a special issue of International Journal on Software Tools for Technology Transfer (STTT) containing selected submissions to the 4th SPIN workshop, Paris, France, 1998.

  • Havelund, K. and Shankar, N. 1996. Experiments in theorem proving and model checking for protocol verification. In M.-C. Gaudel and J. Woodcock, editors, FME'96: Industrial Benefit and Advances in Formal Methods, vol. 1051 of LNCS, Springer-Verlag, pp. 662–681.

  • Havelund, K. and Skakkebaek, J. 1999. Practical application of model checking in software verification. In Proceedings of the 6th Workshop on the SPIN Verification System, vol. 1680 of LNCS, Toulouse, France.

  • Helmink, L., Sellink, M., and Vaandrager, F. 1994. Proof-checking a data link protocol. Technical Report CS-R9420, Centrum voor Wiskunde en Informatica (CWI), Computer Science/Department of Software Technology.

  • Hoare, C.A.R. 1969. An axiomatic basis for computer programming. Comm. ACM, 12(10):576–580.

    Google Scholar 

  • Holzmann, G. 1997a. State compression in Spin. In Proceedings of the Third Spin Workshop. Twente University, The Netherlands.

    Google Scholar 

  • Holzmann, G. 1997b. The model checker Spin. IEEE Trans. on Software Engineering, 23(5):279–295. Special issue on Formal Methods in Software Practice.

    Google Scholar 

  • Holzmann, G. 2000. Logic verification of ANSI-C code with Spin. In Proceedings of the 7th International SPIN Workshop, vol. 1885 of LNCS, Springer Verlag, pp. 131–147.

    Google Scholar 

  • Holzmann, G. and Peled, D. 1994. An improvement in formal verification. In Proc. FORTE94, Berne, Switzerland.

  • Holzmann, G. and Smith, M.H. 1999. Software model checking-Extracting verification models from source code. In Formal Methods for Protocol Engineering and Distributed Systems, Kluwer Academic Publ., pp. 481–497.

  • Holzmann, G. and Smith, M.H. 2000. Automating software feature verification. Bell Labs Technical Journal, 5(2):72–87. Issue on Software Complexity.

    Google Scholar 

  • Iosif, R. and Sisto, R. 2000. Using garbage collection in model checking. In Proceedings of the 7th International SPIN Workshop, vol. 1885 of LNCS, Stanford University, California, USA, Springer-Verlag.

    Google Scholar 

  • Ip, C. and Dill, D. 1993. Better verification through symmetry. In Proceedings of the Eleventh International Symposium on Computer Hardware Description Languages and their Application, North Holland.

  • JavaClass: 2000, ‘JavaClass’. http://www.inf.fu-berlin.de/~dahm/JavaClass/.

  • Larsen, K.G., Pettersson, P., and Yi, W. 1998. UPPAAL in a nutshell. Int. Journal on Software Tools for Technology Transfer, 1(1/2):134–152.

    Google Scholar 

  • Lee, I., Kannan, S., Kim, M., Sokolsky, O., and Viswanathan, M. 1999. Runtime assurance based on formal specifications. In Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications.

  • Lerda, F. and Visser, W. 2001. Addressing dynamic issues of program model checking. In Proceedings of the 8th International SPIN Workshop, vol. 2057 of LNCS 2057, Springer-Verlag.

  • McMillan, K. 1993. Symbolic Model Checking. Boston: Kluwer Academic Publishers.

    Google Scholar 

  • Melton, R., Dill, D., Ip, C.N., and Stern, U. 1996. Murphi annotated reference manual, release 3.0. Technical Report, Stanford University, Palo Alto, California, USA.

    Google Scholar 

  • Millett, L.I. and Teitelbaum, T. 1998. Slicing promela and its application to model checking, simulation, and protocol understanding. In Proceedings of the 4th International SPIN Workshop.

  • Muscettola, N., Nayak, P., Pell, B., and Williams, B. 1998. Remote agent: To boldly go where no AI system has gone before. Artificial Intelligence, 103(1/2):5–48.

    Google Scholar 

  • Owre, S., Rajan, S., Rushby, J., Shankar, N., and Srivas, M. 1996. PVS: Combining specifi-cation, proof checking, and model checking. In R. Alur and T.A. Henzinger, editors, Computer-Aided Verification, CAV' 96. New Brunswick, NJ, Springer-Verlag, pp. 411–414.

    Google Scholar 

  • Park, D., Stern, U., Skakkebaek, J., and Dill, D. 2000. Java model checking. In Proceedings of the 15th IEEE International Conference on Automated Software Engineering, pp. 253–256.

  • Pasareanu, C., Dwyer, M., and Visser, W. 2001. Finding feasible counter-examples when model checking abstracted Java programs. In Proceedings of TACAS01: Tools and Algorithms for the Construction and Analysis of Systems, Genova, Italy.

  • Penix, J., Visser, W., Engstrom, E., Larson, A., and Weininger, N. 2000. Verification of time partitioning in the DEOSscheduler kernel. In Proceedings of the 22nd International Conference on Software Engineering, Limeric, Ireland, ACM Press.

    Google Scholar 

  • Russinoff, D.M. 1994. A mechanically verified incremental garbage collector. Formal Aspects of Computing, 6:359–390.

    Google Scholar 

  • Saidi, H. 1999. Modular and incremental analysis of concurrent software systems. In Proceedings of the 14th IEEE International Conference on Automated Software Engineering, pp. 92–101.

  • Saidi, H. 2000. Model checking guided abstraction and analysis. In Proceedings of the 7th Static Analysis Symposium.

  • Saïdi, H. and Shankar, N. 1999. Abstract andModel check while you prove. In Proceedings of the 11th Conference on Computer-Aided Verification, vol. 1633 of LNCS, pp. 443–454.

    Google Scholar 

  • Savage, S., Burrows, M., Nelson, G., and Sobalvarro, P. 1997. Eraser: A dynamic data race detector for multithreaded programs. ACM Transactions on Computer Systems, 15(4):391–411.

    Google Scholar 

  • Spivey, M. 1992. The Z Notation: A Reference Manual, 2nd edn. Prentice Hall: International Series in Computer Science.

    Google Scholar 

  • Stoller, S. 2000. Model-checking multi-threaded distributed Java programs. In Procceedings of the 7th International SPIN Workshop, vol. 1885 of LNCS, Stanford University, California, USA, Springer-Verlag.

    Google Scholar 

  • The RAISE Language Group 1992. The RAISE Specification Language. Prentice-Hall: The BCS Practitioners Series.

    Google Scholar 

  • Tip, F. 1995. A survey of program slicing techniques. Journal of Programming Languages, 3:121–189.

    Google Scholar 

  • Valle-Rai, R., Hendren, L., Sundaresan, V., Lam, P., Gagnon, E., and Co, P. 1999. Soot-a Java optimization framework. In Proceedings of CASCON 1999.

  • Visser, W., Havelund, K., and Penix, J. 1999. Adding active objects to SPIN. In Proceedings of the 5th Workshop on the SPIN Verification System, Trento, Italy.

  • Visser, W., Park, S., and Penix, J. 2000. Using predicate abstraction to reduce object-oriented programs for model checking. In Proceedings of the 3rd ACM SIGSOFT Workshop on Formal Methods in Software Practice.

  • Weiser, M. 1984. Program slicing. IEEE Transaction on Software Engineering.

Download references

Author information

Authors and Affiliations

  1. RIACS/NASA Ames Research Center, Moffet Field, CA, 94035, USA

    Willem Visser, SeungJoon Park & Flavio Lerda

  2. Kestrel Technologies/NASA Ames Research Center, Moffet Field, CA, 94035, USA

    Klaus Havelund & Guillaume Brat

Authors
  1. Willem Visser
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Klaus Havelund
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Guillaume Brat
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. SeungJoon Park
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Flavio Lerda
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Visser, W., Havelund, K., Brat, G. et al. Model Checking Programs. Automated Software Engineering 10, 203–232 (2003). https://doi.org/10.1023/A:1022920129859

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1023/A:1022920129859

  • model checking
  • Java
  • symmetry
  • abstraction
  • runtime analysis
  • static analysis