DOI: 10.1145/2043556.2043582 (research article, SOSP '11 conference proceedings)

Practical software model checking via dynamic interface reduction

Published: 23 October 2011

ABSTRACT

Implementation-level software model checking explores the state space of a system implementation directly to find potential software defects without requiring any specification or modeling. Despite early successes, the effectiveness of this approach remains severely constrained due to poor scalability caused by state-space explosion. DeMeter makes software model checking more practical with the following contributions: (i) proposing dynamic interface reduction, a new state-space reduction technique, (ii) introducing a framework that enables dynamic interface reduction in an existing model checker with a reasonable amount of effort, and (iii) providing the framework with a distributed runtime engine that supports parallel distributed model checking.

We have integrated DeMeter into two existing model checkers, MaceMC and MoDist, each involving changes of around 1,000 lines of code. Compared to the original MaceMC and MoDist model checkers, our experiments have shown state-space reduction from a factor of five to up to five orders of magnitude in representative distributed applications such as Paxos, Berkeley DB, Chord, and Pastry. As a result, when applied to a deployed Paxos implementation, which has been running in production data centers for years to manage tens of thousands of machines, DeMeter manages to explore completely a logically meaningful state space that covers both phases of the Paxos protocol, offering higher assurance of software reliability that was not possible before.


Published in: SOSP '11: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, October 2011, 417 pages. ISBN: 9781450309776. DOI: 10.1145/2043556.

Copyright © 2011 ACM

              Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 131 of 716 submissions, 18%
