
Practical software model checking via dynamic interface reduction

Published: 23 October 2011

Abstract

Implementation-level software model checking explores the state space of a system implementation directly to find potential software defects without requiring any specification or modeling. Despite early successes, the effectiveness of this approach remains severely constrained due to poor scalability caused by state-space explosion. DeMeter makes software model checking more practical with the following contributions: (i) proposing dynamic interface reduction, a new state-space reduction technique, (ii) introducing a framework that enables dynamic interface reduction in an existing model checker with a reasonable amount of effort, and (iii) providing the framework with a distributed runtime engine that supports parallel distributed model checking.
We have integrated DeMeter into two existing model checkers, MaceMC and MoDist, each requiring changes of around 1,000 lines of code. Compared to the original MaceMC and MoDist model checkers, our experiments show state-space reductions ranging from a factor of five up to five orders of magnitude on representative distributed applications such as Paxos, Berkeley DB, Chord, and Pastry. As a result, when applied to a deployed Paxos implementation that has been running in production data centers for years to manage tens of thousands of machines, DeMeter completely explores a logically meaningful state space that covers both phases of the Paxos protocol, offering a higher assurance of software reliability than was possible before.
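To make the state-space argument in the abstract concrete, the following added example (it is not code from the paper, nor from DeMeter, MaceMC or MoDist; the two-node toy model, its action set, the step bounds and the hand-drawn split between local-only and interface actions are all assumptions made here for illustration) contrasts a monolithic breadth-first exploration of a two-node system with one that explores each node's local-only non-determinism separately and explores the global system only over interface-level states, i.e. what each node has sent and received. It also checks that the reduced exploration reaches exactly the same set of interface-level global states, which is the soundness property any such reduction has to preserve. The real technique works on system implementations rather than on a hand-written model and discovers interface behaviour dynamically; this toy only shows where the reduction comes from.

```python
from collections import deque

# Constructed toy system (an assumption of this example, not the paper's model):
# two nodes, A and B. A node state is (x, y, sent, recv). x and y count two
# kinds of local-only bookkeeping steps that never touch the network; sent and
# recv count interface actions (messages sent to / received from the peer).
MAX_LOCAL = 2   # at most this many local-only steps per node
MAX_SEND = 2    # at most this many messages sent per node
INIT_NODE = (0, 0, 0, 0)


def node_successors(node, pending_in):
    """All successor states of one node; pending_in = messages in its inbox."""
    x, y, sent, recv = node
    succ = []
    if x + y < MAX_LOCAL:                  # local-only non-determinism
        succ.append((x + 1, y, sent, recv))
        succ.append((x, y + 1, sent, recv))
    if sent < MAX_SEND:                    # interface action: send
        succ.append((x, y, sent + 1, recv))
    if pending_in > 0:                     # interface action: receive
        succ.append((x, y, sent, recv + 1))
    return succ


def global_successors(state):
    """Interleave one step of A or one step of B. Inbox sizes are derived:
    A's pending messages = what B sent minus what A already received."""
    a, b = state
    out = [(a2, b) for a2 in node_successors(a, pending_in=b[2] - a[3])]
    out += [(a, b2) for b2 in node_successors(b, pending_in=a[2] - b[3])]
    return out


def explore(init, successors):
    """Plain breadth-first exploration; returns the set of reachable states."""
    seen, work = {init}, deque([init])
    while work:
        s = work.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def naive_state_count():
    """Monolithic exploration: every interleaving of local and interface steps."""
    return len(explore((INIT_NODE, INIT_NODE), global_successors))


def interface_projection(node):
    """Drop the local-only counters; keep only what the peer can observe."""
    return (node[2], node[3])


def projected_naive():
    """Interface-level states found by the monolithic exploration (the oracle)."""
    full = explore((INIT_NODE, INIT_NODE), global_successors)
    return {(interface_projection(a), interface_projection(b)) for a, b in full}


def reduced_exploration():
    """Interface-style reduction: local-only choices are explored per node,
    and the global exploration branches only on interface-level states.
    Returns (states explored in total, interface-level global states)."""
    def local_only(node):            # successors that leave the interface untouched
        return [n for n in node_successors(node, pending_in=0) if n[2:] == node[2:]]

    local_a = explore(INIT_NODE, local_only)
    local_b = explore(INIT_NODE, local_only)

    def iface_succ(state):           # step the nodes, then project the result
        a, b = state
        nxt = global_successors(((0, 0) + a, (0, 0) + b))
        return {(interface_projection(a2), interface_projection(b2)) for a2, b2 in nxt}

    glob = explore(((0, 0), (0, 0)), iface_succ)
    return len(local_a) + len(local_b) + len(glob), glob


if __name__ == "__main__":
    naive = naive_state_count()
    reduced, glob = reduced_exploration()
    print(f"monolithic: {naive} states, reduced: {reduced} states, "
          f"ratio {naive / reduced:.1f}x, sound: {glob == projected_naive()}")
```

With the bounds above the monolithic run visits 1296 global states, while the reduced run visits 6 local states per node plus 36 interface-level global states, 48 in total, and reaches exactly the same interface-level states. The ratio grows with the amount of local-only non-determinism per node and with the number of nodes, because the monolithic exploration multiplies those choices together while the reduced one adds them; that multiplicative-versus-additive gap is what the abstract's "factor of five to up to five orders of magnitude" refers to.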


Published In

SOSP '11: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
October 2011
417 pages
ISBN:9781450309776
DOI:10.1145/2043556
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. dynamic interface reduction
  2. software model checking
  3. state space reduction

Qualifiers

  • Research-article

Conference

SOSP '11

Acceptance Rates

Overall Acceptance Rate 174 of 961 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 31
  • Downloads (last 6 weeks): 5
Reflects downloads up to 01 Mar 2025

Cited By

  • Kivi. In Proceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference (2024), pp. 509-527. doi:10.5555/3691992.3692024. Published 10 July 2024.
  • Efficient exposure of partial failure bugs in distributed systems with inferred abstract states. In Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation (2024), pp. 1267-1283. doi:10.5555/3691825.3691895. Published 16 April 2024.
  • VConMC: Enabling Consistency Verification for Distributed Systems Using Implementation-Level Model Checkers and Consistency Oracles. Electronics 13(6):1153 (2024). doi:10.3390/electronics13061153. Published 21 March 2024.
  • SandTable: Scalable Distributed System Model Checking with Specification-Level State Exploration. In Proceedings of the Nineteenth European Conference on Computer Systems (2024), pp. 736-753. doi:10.1145/3627703.3650077. Published 22 April 2024.
  • Exploring Use of Symbolic Execution for Service Analysis. In 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S) (2024), pp. 12-16. doi:10.1109/DSN-S60304.2024.00014. Published 24 June 2024.
  • Compiling Distributed System Models with PGo. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (2023), pp. 159-175. doi:10.1145/3575693.3575695. Published 27 January 2023.
  • Model-checking-driven explorative testing of CRDT designs and implementations. Journal of Software: Evolution and Process (2023). doi:10.1002/smr.2555. Published 15 March 2023.
  • Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2022), pp. 2145-2158. doi:10.1145/3548606.3560589. Published 7 November 2022.
  • Linear-time temporal logic guided greybox fuzzing. In Proceedings of the 44th International Conference on Software Engineering (2022), pp. 1343-1355. doi:10.1145/3510003.3510082. Published 21 May 2022.
  • CloudRaid: Detecting Distributed Concurrency Bugs via Log Mining and Enhancement. IEEE Transactions on Software Engineering 48(2):662-677 (2022). doi:10.1109/TSE.2020.2999364. Published 1 February 2022.
