Journal ArticleDOI

Model checking programs

TL;DR: A verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing, and uses state compression to handle big states and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space.
Abstract: The majority of the work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers and model checkers. In this paper, we give arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy, we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle large states, and partial order reduction, slicing, abstraction and run-time analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, run-time analysis and slicing with model checking.

Citations
Proceedings ArticleDOI
08 Dec 2008
TL;DR: A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs, and significantly beat the coverage of the developers' own hand-written test suite is presented.
Abstract: We present a new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs. We used KLEE to thoroughly check all 89 stand-alone programs in the GNU COREUTILS utility suite, which form the core user-level environment installed on millions of Unix systems, and arguably are the single most heavily tested set of open-source programs in existence. KLEE-generated tests achieve high line coverage -- on average over 90% per tool (median: over 94%) -- and significantly beat the coverage of the developers' own hand-written test suite. When we did the same for 75 equivalent tools in the BUSYBOX embedded system suite, results were even better, including 100% coverage on 31 of them. We also used KLEE as a bug finding tool, applying it to 452 applications (over 430K total lines of code), where it found 56 serious bugs, including three in COREUTILS that had been missed for over 15 years. Finally, we used KLEE to crosscheck purportedly identical BUSYBOX and COREUTILS utilities, finding functional correctness errors and a myriad of inconsistencies.

2,896 citations

01 Jan 2009
TL;DR: This paper presents a meta-modelling framework for modeling and testing the robustness of the modeled systems and some of the techniques used in this framework have been developed and tested in the field.
Abstract (table of contents fragment):
  • ing WS1S Systems to Verify Parameterized Networks (188) Kai Baukus, Saddek Bensalem, Yassine Lakhnech and Karsten Stahl
  • FMona: A Tool for Expressing Validation Techniques over Infinite State Systems (204) J.-P. Bodeveix and M. Filali
  • Transitive Closures of Regular Relations for Verifying Infinite-State Systems (220) Bengt Jonsson and Marcus Nilsson
  • Diagnostic and Test Generation
  • Using Static Analysis to Improve Automatic Test Generation (235) Marius Bozga, Jean-Claude Fernandez and Lucian Ghirvu
  • Efficient Diagnostic Generation for Boolean Equation Systems (251) Radu Mateescu
  • Efficient Model-Checking
  • Compositional State Space Generation with Partial Order Reductions for Asynchronous Communicating Systems (266) Jean-Pierre Krimm and Laurent Mounier
  • Checking for CFFD-Preorder with Tester Processes (283) Juhana Helovuo and Antti Valmari
  • Fair Bisimulation (299) Thomas A. Henzinger and Sriram K. Rajamani
  • Integrating Low Level Symmetries into Reachability Analysis (315) Karsten Schmidt
  • Model-Checking Tools
  • Model Checking Support for the ASM High-Level Language (331) Giuseppe Del Castillo and Kirsten Winter
  • Table of

1,687 citations

Proceedings ArticleDOI
17 May 2002
TL;DR: The Extended Static Checker for Java (ESC/Java) is introduced, an experimental compile-time program checker that finds common programming errors and provides programmers with a simple annotation language with which programmer design decisions can be expressed formally.
Abstract: Software development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-time program checker that finds common programming errors. The checker is powered by verification-condition generation and automatic theorem-proving techniques. It provides programmers with a simple annotation language with which programmer design decisions can be expressed formally. ESC/Java examines the annotated software and warns of inconsistencies between the design decisions recorded in the annotations and the actual code, and also warns of potential runtime errors in the code. This paper gives an overview of the checker architecture and annotation language and describes our experience applying the checker to tens of thousands of lines of Java programs.

1,357 citations


Cites methods from "Model checking programs"

  • ...Other tools that verify properties of software systems using finite-state models are Bandera [5] and Java PathFinder 2 [46]....

Journal ArticleDOI
TL;DR: This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP.
Abstract: This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow any value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP. Because EXE's constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code). EXE works well on real code, finding bugs along with inputs that trigger them in: the BSD and Linux packet filter implementations, the dhcpd DHCP server, the pcre regular expression library, and three Linux file systems.

912 citations


Cites methods from "Model checking programs"

  • ...7.2 Software Model Checking. Model checkers have been used to find bugs in both the design and the implementation of software [Holzmann 1997, 2001; Brat et al. 2000; Corbett et al. 2000; Ball and Rajamani 2001; Godefroid 1997; Yang et al. 2004]....

  • ...Model checkers have been used to find bugs in both the design and the implementation of software [31, 32, 9, 16, 5, 26, 47]....

References
Journal ArticleDOI
TL;DR: It is intended to demonstrate here that statecharts counter many of the objections raised against conventional state diagrams, and thus appear to render specification by diagrams an attractive and plausible approach.

7,184 citations


"Model checking programs" refers background in this paper

  • ...Hence, design verification is a very important research topic, with the most recent popular subject being analysis of statecharts [15], such as for example found in UML [3]....

Book
01 Jan 1999
TL;DR: In The Unified Modeling Language User Guide, the original developers of the UML provide a tutorial to the core aspects of the language in a two-color format designed to facilitate learning.
Abstract: In The Unified Modeling Language User Guide, the original developers of the UML--Grady Booch, James Rumbaugh, and Ivar Jacobson--provide a tutorial to the core aspects of the language in a two-color format designed to facilitate learning. Starting with a conceptual model of the UML, the book progressively applies the UML to a series of increasingly complex modeling problems across a variety of application domains. This example-driven approach helps readers quickly understand and apply the UML. For more advanced developers, the book includes a learning track focused on applying the UML to advanced modeling problems. With The Unified Modeling Language User Guide, readers will:
  • Understand what the UML is, what it is not, and why it is relevant to the development of software-intensive systems
  • Master the vocabulary, rules, and idioms of the UML in order to "speak" the language effectively
  • Learn how to apply the UML to a number of common modeling problems
  • See illustrations of the UML's use interspersed with use cases for specific UML features, and
  • Gain insight into the UML from the original creators of the UML.

6,634 citations


"Model checking programs" refers background in this paper

  • ...In fact, the distinction between design and program gets blurred since final code may get generated from the UML designs....

  • ...Hence, design verification is a very important research topic, with the most recent popular subject being analysis of statecharts [15], such as for example found in UML [3]....

  • ...This is to some extent already an applied idea within UML where statechart transitions (between control states) can be annotated with code fragments in your favorite programming language....

Journal ArticleDOI
Gerard J. Holzmann
01 May 1997
TL;DR: An overview of the design and structure of the verifier, its theoretical foundation, and an overview of significant practical applications are given.
Abstract: SPIN is an efficient verification system for models of distributed software systems. It has been used to detect design errors in applications ranging from high-level descriptions of distributed algorithms to detailed code for controlling telephone exchanges. The paper gives an overview of the design and structure of the verifier, reviews its theoretical foundation, and gives an overview of significant practical applications.

4,159 citations


"Model checking programs" refers background in this paper

  • ...In a few cases, modeling languages have been designed to resemble programming languages [26], although the focus has been on protocol designs....

  • ...A nice side-effect of developing our own model checker was the ease with which we are able to extend the model checker with interesting new search algorithms—this would, in general, not have been easy to achieve with existing model checkers (especially not with Spin)....

  • ...The initial system, that could only handle integer based bytecodes (i.e. the same language subset as the Java model checkers translating to Spin), was developed in 3 man-months....

  • ...Some work is being done on extending the Spin model checker to handle dynamic memory allocation [11, 42], but again in terms of Java this only covers a part of the language and much more is required before full Java language coverage will be achieved this way....

  • ...It is well established from experience with the Spin model checker that partial-order reductions achieve an enormous state-space reduction in almost all cases....

Book
01 Jun 1992
TL;DR: Tutorial introduction; background; the Z language; the mathematical tool-kit; sequential systems; syntax summary; and how to use it to solve sequential systems problems.
Abstract: Tutorial introduction; background; the Z language; the mathematical tool-kit; sequential systems; syntax summary.

3,547 citations


"Model checking programs" refers background in this paper

  • ...Typical examples are formal specification languages [40, 2, 39], purely logic based languages used in theorem provers [13, 33, 7], and guarded command languages used in model checkers [30, 29, 28]....
