
Software Model Checking: The VeriSoft Approach

Published in: Formal Methods in System Design

Abstract

Verification by state-space exploration, also often referred to as model checking, is an effective method for analyzing the correctness of concurrent reactive systems (for instance, communication protocols). Unfortunately, traditional model checking is restricted to the verification of properties of models, i.e., abstractions, of concurrent systems.

We discuss in this paper how model checking can be extended to analyze arbitrary software, such as implementations of communication protocols written in programming languages like C or C++. We then introduce a search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary code.

During the past five years, VeriSoft has been applied successfully for analyzing several software products developed in Lucent Technologies, and has also been licensed to hundreds of users in industry and academia. We discuss applications, strengths and limitations of VeriSoft, and compare it to other approaches to software model checking, analysis and testing.
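The abstract describes VeriSoft as a tool that systematically explores the state space of several concurrent processes executing ordinary code, rather than of a hand-written model. The following is an added toy illustration of what such an exploration does; it is not VeriSoft's code and the paper's own search technique is not reproduced on this page. It assumes (as a simplification) that each process is a list of "visible operations" on shared state, that the explorer re-executes each schedule prefix from the initial state instead of saving and restoring process states, and that an operation may report itself as blocked (for example, waiting on a lock). With those assumptions it enumerates every interleaving and reports two classic concurrency defects: an invariant violated by a read-then-write race on a counter, and a deadlock caused by acquiring two locks in opposite orders. All process definitions and the initial states are constructed for the example.

```python
"""Exhaustive interleaving exploration of small concurrent programs.

Constructed example: a stateless depth-first search over all schedules of
processes made of 'visible operations'. Not VeriSoft's implementation.
"""
import copy
from typing import Callable, Dict, List

Shared = Dict[str, int]
Local = Dict[str, int]
# A visible operation applies its effect and returns True, or returns False
# (leaving state untouched) when it is currently blocked, e.g. by a held lock.
Op = Callable[[Shared, Local], bool]


def explore(procs: List[List[Op]], init_shared: Shared,
            invariant: Callable[[Shared], bool]) -> dict:
    """Depth-first exploration of every interleaving of the visible operations
    of `procs`. Each schedule prefix is re-executed from the initial state
    (stateless search, an assumption of this toy), so no process state is
    ever saved or restored. Returns counts of terminal states plus the
    schedules that violate `invariant` or end in deadlock."""
    results = {"terminal": 0, "assertion": [], "deadlock": []}

    def replay(schedule: List[int]):
        shared = copy.deepcopy(init_shared)
        locals_ = [dict() for _ in procs]
        pcs = [0] * len(procs)  # program counter of each process
        for pid in schedule:
            ok = procs[pid][pcs[pid]](shared, locals_[pid])
            assert ok, "a schedule only ever contains enabled operations"
            pcs[pid] += 1
        return shared, locals_, pcs

    def dfs(schedule: List[int]) -> None:
        shared, locals_, pcs = replay(schedule)
        runnable = [p for p in range(len(procs)) if pcs[p] < len(procs[p])]
        if not runnable:  # every process finished: a terminal state
            results["terminal"] += 1
            if not invariant(shared):
                results["assertion"].append(list(schedule))
            return
        # Trial-execute each process's next operation on copies of the state
        # to find out which ones are enabled in this state.
        enabled = [p for p in runnable
                   if procs[p][pcs[p]](copy.deepcopy(shared), dict(locals_[p]))]
        if not enabled:  # work remains but nobody can move: deadlock
            results["deadlock"].append(list(schedule))
            return
        for p in enabled:
            dfs(schedule + [p])

    dfs([])
    return results


# --- visible operations used by the constructed processes -----------------
def read_x(s: Shared, l: Local) -> bool:
    l["tmp"] = s["x"]
    return True


def write_x(s: Shared, l: Local) -> bool:
    s["x"] = l["tmp"] + 1
    return True


def acquire(name: str) -> Op:
    def op(s: Shared, l: Local) -> bool:
        if s[name]:          # lock already held: blocked, no effect
            return False
        s[name] = 1
        return True
    return op


def release(name: str) -> Op:
    def op(s: Shared, l: Local) -> bool:
        s[name] = 0
        return True
    return op


RACY_INC = [read_x, write_x]                       # non-atomic x = x + 1
LOCKED_INC = [acquire("m"), read_x, write_x, release("m")]
LOCK_ORDER_A = [acquire("m"), acquire("n"), release("n"), release("m")]
LOCK_ORDER_B = [acquire("n"), acquire("m"), release("m"), release("n")]


def racy_counter() -> dict:
    """Two unsynchronised increments: 6 interleavings, 4 leave x == 1."""
    return explore([RACY_INC, RACY_INC], {"x": 0}, lambda s: s["x"] == 2)


def locked_counter() -> dict:
    """Same increments under one mutex: only 2 interleavings, none wrong."""
    return explore([LOCKED_INC, LOCKED_INC], {"x": 0, "m": 0},
                   lambda s: s["x"] == 2)


def lock_order() -> dict:
    """Opposite lock orders: some schedules end with both processes blocked."""
    return explore([LOCK_ORDER_A, LOCK_ORDER_B], {"m": 0, "n": 0},
                   lambda s: True)


if __name__ == "__main__":
    for name, fn in [("racy", racy_counter), ("locked", locked_counter),
                     ("lock order", lock_order)]:
        r = fn()
        print(name, r["terminal"], "terminal states,",
              len(r["assertion"]), "invariant violations,",
              len(r["deadlock"]), "deadlocks")
```

Each reported schedule is a list of process indices, i.e. an exact replayable witness of the failing interleaving, which is the main practical payoff of systematic exploration over ordinary testing. The trial execution used to compute enabledness, and the full enumeration without any partial-order reduction, are simplifications of this toy; they make the search exponential in the number of operations, which is exactly the state-explosion problem the abstract's search technique is meant to address.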



Author information


Correspondence to Patrice Godefroid.


Cite this article

Godefroid, P. Software Model Checking: The VeriSoft Approach. Form Method Syst Des 26, 77–101 (2005). https://doi.org/10.1007/s10703-005-1489-x


  • DOI: https://doi.org/10.1007/s10703-005-1489-x
