Abstract
Model checking of software programs has two goals – the verification of correct software and the discovery of errors in faulty software. Some techniques for dealing with the most crucial problem in model checking, the state space explosion problem, concentrate on the first of these goals. In this paper we present an array of heuristic model checking techniques for combating the state space explosion when searching for errors. Previous work on this topic has mostly focused on property-specific heuristics closely related to particular kinds of errors. We present structural heuristics that attempt to explore the structure (branching structure, thread interdependency structure, abstraction structure) of a program in a manner intended to expose errors efficiently. Experimental results show the utility of this class of heuristics. In contrast to these very general heuristics, we also present very lightweight techniques for introducing program-specific heuristic guidance.
Cite this article
Groce, A., Visser, W. Heuristics for model checking Java programs. Int J Softw Tools Technol Transfer 6, 260–276 (2004). https://doi.org/10.1007/s10009-003-0130-9