Arshad Beg
Andrew Butterfield
ABSTRACT
We present our experience of working with the Failures-Divergence Refinement (FDR) toolkit while extending our modelling of the behaviour of Flash Memory. This effort is a step towards the low-level modelling of data-storage technology that is the target of the POSIX filestore minichallenge. The key objective was to advance previous work presented in [4, 2] to cover the full Open Nand-Flash Interface (ONFi) 2.1 model. The previous work covered a sub-model of the mandatory features of ONFi 1.0. The FDR toolkit was used for refinement/model-checking. In addition to the compression techniques available in FDR, we also experimented with FDR Explorer - an application-programming interface (API) that allowed us to get a better picture of FDR performance. This paper summarises the progress we made, and the limits we encountered. We are now able to verify many of the operations in ONFi 2.1 model using full Failures-Divergence refinement checking, rather than just trace refinement. Through the use of compression techniques available in the FDR toolkit and in particular by hiding the events deeper in the model, we were able to get compression of the state-space. The work also reports the number of attempts to compile the full ONFi 2.1 model.
- A. Butterfield, L. Freitas, and J. Woodcock. Mechanising a formal model of flash memory. Science of Computer Programming, 74(4):219--237, 2009. Special Issue on the Grand Challenge. Google Scholar
Digital Library
- A. Butterfield and A. Ó Catháin. Concurrent models of flash memory device behaviour. Formal Methods: Foundations and Applications: 12th Brazilian Symposium on Formal Methods, SBMF 2009 Gramado, Brazil, August 19--21, 2009Revised Selected Papers, pages 70--83, 2009. Google ScholarDigital Library
- A. Butterfield and J. Woodcock. Formalising flash memory: First steps. In ICECCS, pages 251--260. IEEE Computer Society, 2007. Google ScholarDigital Library
- A. O. Catháin. Modelling flash memory device behaviour using CSP. Taught M. Sc dissertation, School of Computer Science and Statistics, Trinity College Dublin, 2008. Also published as techreport TCD-CS-2008-47.Google Scholar
- E. M. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In K. Jensen and A. Podelski, editors, TACAS, volume 2988 of Lecture Notes in Computer Science, pages 168--176. Springer, 2004.Google Scholar
- M. Ferreira, S. Silva, and J. Oliveira. Verifying intel flash file system core specification. In P. L. J. S. Fitzgerald and S. Sahara, editors, Modelling and Analysis in VDM: Proceedings of the Fourth VDM/Overture Workshop, pages 54--71, School of Computing Science, Newcastle University, 2008. Technical Report CS-TR-1099.Google Scholar
- M. A. Ferreira and J. N. Oliveira. An integrated formal methods tool-chain and its application to verifying a file system model. Formal Methods: Foundations and Applications: 12th Brazilian Symposium on Formal Methods, SBMF 2009 Gramado, Brazil, August 19--21, 2009 Revised Selected Papers, pages 153--169, 2009. Google ScholarDigital Library
- Formal Systems (Europe) Ltd. Failures-Divergence Refinement, FDR2 User Manual, 6th edition, June 2005.Google Scholar
- L. Freitas and J. Woodcock. FDR explorer. Formal Asp. Comput, 21(1--2):133--154, 2009. Google ScholarCross Ref
- T. Hoare. The verifying compiler: A grand challenge for computing research. Journal of the ACM, 50(1):63--69, 2003. Google ScholarDigital Library
- T. Hoare, G. T. Leavens, J. Misra, and N. Shankar. The verified software initiative: A manifesto. http://qpq.csl.sri.com/vsr/manifesto.pdf, 2007.Google Scholar
- Hynix Semiconductor et al. Open NAND Flash Interface Specification. Technical Report Revision 1.0, ONFI, www.onfi.org, 28th December 2006.Google Scholar
- Hynix Semiconductor et al. Open NAND Flash Interface Specification. Technical Report Revision 2.1, ONFI, www.onfi.org, 14th January 2009.Google Scholar
- R. Joshi and G. J. Holzmann. A mini challenge: Build a verifiable filesystem. In Proc. Verified Software: Theories, Tools, Experiments (VSTTE), Zürich, 2005.Google Scholar
- E. Kang and D. Jackson. Formal modeling and analysis of a flash filesystem in alloy. In E. Börger, M. J. Butler, J. P. Bowen, and P. Boca, editors, ABZ, volume 5238 of Lecture Notes in Computer Science, pages 294--308. Springer, 2008. Google ScholarDigital Library
- E. Kang and D. Jackson. Designing and analyzing a flash file system with alloy. International Journal of Software and Informatics (IJSI) 2009, Vol 3, No. 1, 2009.Google Scholar
- M. Kim, Y. Choi, Y. Kim, and H. Kim. Pre-testing flash device driver through model checking techniques. In ICST, pages 475--484. IEEE Computer Society, 2008. Google ScholarDigital Library
- M. Kim and Y. Kim. Concolic testing of the multi-sector read operation for flash memory file system. Formal Methods: Foundations and Applications: 12th Brazilian Symposium on Formal Methods, SBMF 2009 Gramado, Brazil, August 19--21, 2009 Revised Selected Papers, pages 251--265, 2009. Google ScholarDigital Library
- B. Mahony and J. S. Dong. Timed Communicating Object Z. IEEE Transactions on Software Engineering, 26(2):150--177, Feb. 2000. Google ScholarDigital Library
- R. Milner. A calculus of communicating systems. LNCS, 92, 1980. Google ScholarDigital Library
- A. Roscoe. The Theory and Practise of Concurrency. Prentice-Hall (Pearson), 1997. revised to 2000 and lightly revised to 2005. Google ScholarDigital Library
- S. Schneider and H. Treharne. Csp theorems for communicating b machines. Formal Asp. Comput., 17(4):390--422, 2005.Google ScholarDigital Library
- J. Woodcock. First steps in the verified software grand challenge. IEEE Computer, 39(10):57--64, 2006. Google ScholarDigital Library
Index Terms
- Modelling flash devices with FDR: progress and limits
Recommendations
VyrdMC: Driving Runtime Refinement Checking with Model Checkers
This paper presents VyrdMC, a runtime verification tool we are building for concurrent software components. The correctness criterion checked by VyrdMC is refinement: Each execution of the implementation must be consistent with an atomic execution of ...
Randomized Refinement Checking of Timed I/O Automata
Dependable Software Engineering. Theories, Tools, and ApplicationsAbstractTo combat the state-space explosion problem and ease system development, we present a new refinement checking (falsification) method for Timed I/O Automata based on random walks. Our memory-less heuristics Random Enabled Transition (RET) and ...
A BSP algorithm for on-the-fly checking CTL* formulas on security protocols
This paper presents a distributed (Bulk-Synchronous Parallel or bsp) algorithm to compute on-the-fly whether a structured model of a security protocol satisfies a ctl $$^*$$ formula. Using the structured nature of the security protocols allows us to design a ...
Comments