Papers by Gerard Holzmann
Lecture Notes in Computer Science, 2005
This tutorial consists of two parts. In the first part we present an advanced overview of Spin [1, 4], and illustrate its practical application to logic model checking problems. In the second part of the tutorial we present an overview of a related tool called Modex [2, 3]. Modex can be used to extract Spin verification models directly from C source code. It supports the definition of user-defined abstractions, and cleverly exploits the capability in Spin version 4 to include embedded C code inside abstract verification models. We will show how to use Spin and Modex, separately and combined, in an effective way when searching for design errors in distributed software applications. Both Spin and Modex are written in ANSI C and can be used freely on research projects.
Lecture Notes in Computer Science, 2004
Spin [9] is a model checker for the verification of distributed systems software. The tool is freely distributed, and often described as one of the most widely used verification systems. The Advanced Spin Tutorial is a sequel to [7] and is targeted towards intermediate to ...

IFIP Advances in Information and Communication Technology, 1996
The bitstate hashing, or supertrace, technique was introduced in 1987 as a method to increase the quality of verification by reachability analyses for applications that defeat analysis by traditional means because of their size. Since then, the technique has been included in many research verification tools, and was adopted in tools that are marketed commercially. It is therefore important that we understand well how and why the method works, what its limitations are, and how it compares with alternative methods over a broad range of problem sizes. The original motivation for the bitstate hashing technique was based on empirical evidence of its effectiveness. In this paper we provide an analytical argument. We compare the technique with two alternatives that have been proposed in the recent literature. We also describe a sequential bitstate hashing technique that can be of value when confronted with very large problem sizes.
Proceeding of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications - OOPSLA '09, 2009
Agile development deemphasizes long-term planning in favor of short-term adaptiveness. This is a strength in a rapidly changing development environment. However, this short-term focus creates a temptation to neglect best practices that are essential ...

Lecture Notes in Computer Science, 1999
In a recent study a series of model checkers, among which Spin, SMV [9], and a newer system called XMC [10], were compared on performance. The measurements used for this comparison focused on a model of the i-protocol from GNU uucp version 1.04. Eight versions of this i-protocol model were obtained by varying window size, assumptions about the transmission channel, and the presence or absence of a patch for a known livelock error. The results as published in [1] show the XMC system to outperform the other model checking systems on most of the tests. It also contains a challenge to the builders of the other model checkers to match the results. This paper answers that challenge for the Spin model checker. We show that with either default Spin verification runs, or a reasonable choice of parameter settings, the version of Spin that was used for the tests in [1] (Spin 2.9.7) can outperform the results obtained with XMC in six out of eight tests. Inspired by the comparisons, and the published description of the optimizations used in XMC, we also extended Spin with some of the same optimizations, leading to a new Spin version 3.3.0. We show that with these changes Spin can outperform XMC on all eight tests.
Lecture Notes in Computer Science, 1996
The ISO standard for MSC provides a useful tool for visualizing communication protocols. MSCs present a model for concurrency that is different from the model of finite state systems, used frequently in automated verification. Thus, the MSC model poses new and interesting problems related to automatic verification of communication protocols. In this paper, some of the recent results related to MSCs are surveyed.
Computer Networks (1976), 1984
PANDORA is an interactive system for the analysis, synthesis, and real-time assessment of data communication protocols. The Pandora system is being developed at the Delft University of Technology in cooperation with the Dr. Neher Laboratories of the Netherlands PTT. This paper gives an overview of the structure of the system and discusses the main design goals.
Proceedings of the 21st international conference on Software engineering - ICSE '99, 1999
Formal verification methods are used only sparingly in software development. The most successful methods to date are based on the use of model checking tools. To use such tools, the user must first define a faithful abstraction of the application (the model), specify how the application interacts with its environment, and then formulate the properties that it should satisfy. Each step in this process can become an obstacle. To complete the verification process successfully often requires specialized knowledge of verification techniques and a considerable investment of time.
Lecture Notes in Computer Science, 2000
We describe a tool, called AX, that can be used in combination with the model checker SPIN to efficiently verify logical properties of distributed software systems implemented in ANSI-standard C. AX, short for Automaton eXtractor, can extract verification models from C code at a user defined level of abstraction. Target applications include telephone switching software, distributed operating systems code, protocol implementations, concurrency control methods, and client-server applications. This paper discusses how AX is currently implemented, and how we plan to extend it. The tool was used in the formal verification of two substantial software applications: a commercial checkpoint management system and the call processing code for a new telephone switch.
Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering - PASTE '01, 2001
Lecture Notes in Computer Science, 1996
A traditional formal verification method becomes an effective weapon in the arsenal of a designer only after sufficient insight into a design problem has been developed for a draft solution to be formalized.

Lecture Notes in Computer Science, 2010
Spin and its immediate predecessors were originally designed for the verification of data communication protocols. It didn't take long, though, for us to realize that a data communications protocol is just a special case of a general distributed process system, with asynchronously executing and interacting concurrent processes. This covers both multi-threaded software systems with shared memory, and physically distributed systems, interacting via network channels. The tool tries to provide a generic capability to prove (or as the case may be, to disprove) the correctness of interactions in complex software systems. This means a reliable and easy-to-use method to discover the types of things that are virtually impossible to detect reliably with traditional software test methods, such as race conditions and deadlocks. As initially primarily a research tool, Spin has been remarkably successful, with well over one million downloads since it was first made available by Bell Labs in 1989. But our goal is the development of a tool that is not only grounded in foundational theory, but also usable by all developers of multi-threaded software, not requiring specialized knowledge of formal methods. In this talk we try to answer the question how close we have come to reaching these goals, and where especially we are still lacking. We will see that our understanding has changed of what a verification tool can do, and what it should do.
Lecture Notes in Computer Science, 2011
The application of formal methods in software development does not have to be an all-or-nothing proposition. Progress can be made with the introduction of relatively unobtrusive techniques that simplify analysis. This approach is meant to replace traditional analysis-agnostic coding with an analysis-aware style of software development.
Lecture Notes in Computer Science, 1996
Early Fault Detection Tools. Gerard J. Holzmann. ... The authors, editors and referees together form a peer group, where each person from the group could at various times fulfill any one of the three functions mentioned (authoring, editing, refereeing). ...

Lecture Notes in Computer Science, 1995
SPIN is an on-the-fly model checking system for finite state systems, that is optimized for the verification of linear time temporal logic (LTL) properties.[1] SPIN's input language, PROMELA, can be used to specify concurrent systems with dynamically changing numbers of interacting processes, where process interactions can be either synchronous (rendez-vous) or asynchronous (buffered). In the tutorial we will examine some of the algorithms that determine SPIN's functionality and performance. After a brief summary of the automata theoretic foundation of SPIN, we consider the methodology for LTL model checking, the recognition of Büchi acceptance conditions, cycle detection, and the handling of very large verification problems.
[1] All source is available via anonymous ftp from the machine netlib.att.com, directory /netlib/spin.
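The automata-theoretic check the tutorial summarizes (a never claim for the negated LTL property, its synchronous product with the model, and acceptance-cycle detection by nested depth-first search), worked through as an added Python example. This is not code from SPIN or from the tutorial: the single-process model, its state labels, the never claim for the negation of "every wait is eventually followed by crit", and the product convention (the claim guard is evaluated on the labels of the model state being entered) are all assumptions made for this example.

```python
"""On-the-fly LTL model checking with nested depth-first search.

Added illustration, not code from SPIN: a small explicit-state version of
the automata-theoretic check the tutorial describes.  The model, the never
claim (a Buchi automaton for the negated property) and the acceptance set
are constructed here; the product convention (the claim guard reads the
labels of the model state being entered) is an assumption of this code.
"""


def nested_dfs(successors, initial, accepting):
    """Search for a reachable accepting cycle.

    successors(state) returns the successor states; accepting(state) tells
    whether the Buchi acceptance condition holds in `state`.  Returns
    (prefix, cycle): prefix ends in the seed state of the cycle and cycle
    lists the states after the seed, ending back at the seed.  Returns None
    when no accepting cycle is reachable, i.e. the property holds.
    """
    visited = set()   # states entered by the outer search
    flagged = set()   # states entered by any inner search (shared on purpose)
    path = []         # outer DFS stack; on success it is the counterexample prefix

    def inner(seed, state, cycle):
        # Inner search: look for a path from `state` back to `seed`.
        for nxt in successors(state):
            if nxt == seed:
                return cycle + [nxt]
            if nxt not in flagged:
                flagged.add(nxt)
                found = inner(seed, nxt, cycle + [nxt])
                if found is not None:
                    return found
        return None

    def outer(state):
        visited.add(state)
        path.append(state)
        for nxt in successors(state):
            if nxt not in visited:
                found = outer(nxt)
                if found is not None:
                    return found
        # Post-order: every successor is finished, so starting the inner
        # search here is sound (the classic nested-DFS argument).
        if accepting(state):
            cycle = inner(state, state, [])
            if cycle is not None:
                return list(path), cycle
        path.pop()
        return None

    return outer(initial)


def product_successors(model_succ, labels, claim_succ):
    """Lazily build the successors of the synchronous product (model x claim)."""
    def successors(state):
        m, q = state
        out = []
        for m2 in model_succ[m]:
            for guard, q2 in claim_succ[q]:
                if guard(labels[m2]):          # claim reads the state being entered
                    out.append((m2, q2))
        return out
    return successors


# Constructed model: one process that goes idle -> waiting -> crit -> idle.
# The self-loop on "waiting" models a scheduler that may starve the process.
STARVING = {"idle": ("waiting",), "waiting": ("waiting", "crit"), "crit": ("idle",)}
FAIR = {"idle": ("waiting",), "waiting": ("crit",), "crit": ("idle",)}
LABELS = {"idle": frozenset(), "waiting": frozenset({"wait"}), "crit": frozenset({"crit"})}

# Never claim for the negation of [](wait -> <>crit), i.e. <>(wait && []!crit):
# q0 loops on anything until it guesses a "wait" state; q1 must then see !crit forever.
CLAIM = {
    "q0": ((lambda l: True, "q0"), (lambda l: "wait" in l, "q1")),
    "q1": ((lambda l: "crit" not in l, "q1"),),
}
CLAIM_ACCEPT = {"q1"}


def check_response(model_succ):
    """Return a counterexample (prefix, cycle), or None if every wait is eventually served."""
    succ = product_successors(model_succ, LABELS, CLAIM)
    return nested_dfs(succ, ("idle", "q0"), lambda s: s[1] in CLAIM_ACCEPT)


if __name__ == "__main__":
    print("starving model:", check_response(STARVING))
    print("fair model:", check_response(FAIR))
```

The counterexample for the starving model is the lasso the tutorial's cycle detection is after: a finite prefix reaching the product state ("waiting", "q1") and a cycle that stays there, which is exactly a run on which the process waits forever. The inner search is only started in post-order of the outer search, and its `flagged` set is kept across all inner searches; both are what make the second search linear in the size of the product rather than quadratic.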
Innovations in Systems and Software Engineering, 2010
This paper describes a tool called SCRUB (Source Code Review User Browser) that was developed to support a more effective and tool-based code review process. The tool was designed to support a large team-based software development effort of mission critical software at JPL, but can also be used for individual software development on small projects. The tool combines classic peer code review with machine-generated analyses from a customizable range of source code analyzers. All reports, whether generated by humans or by background tools, are accessed through a single uniform interface provided by SCRUB.
Lecture Notes in Computer Science, 2013
Lecture Notes in Computer Science, 2012
We describe an extension of the Spin model checker that allows us to take advantage of the increasing number of CPU cores available on standard desktop systems. Our main target is to speed up the verification process for safety properties, the mode used most frequently, but we also describe a small modification of the parallel search algorithm, called the piggyback algorithm, that is remarkably effective in catching violations for an interesting class of liveness properties at little cost.
ACM SIGSOFT Software Engineering Notes, 2002
Real-life bugs are successful because of their unfailing ability to adapt. In particular this applies to their ability to adapt to strategies that are meant to eradicate them as a species. Software bugs have some of these same traits. We will discuss these traits, and consider what we can do about them.

Advances in Computers, 2005
The aim of this chapter is to give an overview of the theoretical foundation and the practical application of logic model checking techniques for the verification of multi-threaded software (rather than hardware) systems. The treatment is focused on the logic model checker SPIN, which was designed for this specific domain of application. SPIN implements an automata-theoretic method of verification. Although the tool has been available for over 15 years, it continues to evolve, adopting new optimization strategies from time to time to help it tackle larger verification problems. This chapter explains how the tool works, and which types of software verification problems it is designed to handle.

An up-to-date overview can be found on the web. In this description we will focus on SPIN [36] as one of the leading tools in this class. SPIN is distributed freely in source form. Two notable trends have contributed to the recent successes of the logic model checkers in the verification of distributed software systems. The first trend is the continuing improvement in algorithms and tool design in this area, which makes it possible to handle ever larger and more complex verification problems. We will review the main improvements of this type in this chapter. A second significant trend is the steady increase in basic compute power, which continues to follow the curve that was tentatively suggested by Gordon Moore nearly forty years ago. The trends that have turned software verification from a theoretical curiosity into a practical reality are paralleled by similar trends in hardware verification. The difference in the nature of hardware and software, though, means that there is surprisingly little overlap in the algorithms, data structures, and specific logics that are used in these two fields. We will discuss some of the main reasons for these differences towards the end of this chapter.

The most commonly used method to validate software systems today remains testing. In a unit test, a single process or module of the system is placed in isolation and probed on its functional correctness. Once successful, a series of unit tests is followed by a system integration test. In an integration test multiple units are linked together to form part or all of the envisioned system. The limitations of this method of system validation are as well known as its benefits. For sequential software systems, where one is primarily interested in verifying the computational aspects of a system, the classical testing techniques still have few competitors, even though much could be done to improve precision and coverage by a more aggressive use of formal methods based approaches. In distributed software systems, the verification task is larger, since now we do not just need to worry about computational correctness but also about a range of concurrency related problems that can prevent proper execution. Concurrency does not just increase the obligations of the tester or verifier, it also significantly complicates the already existing obligations for demonstrating the correctness of sequential computations. Concurrency can introduce race conditions, data corruption, delay, process or thread starvation, or even system-wide deadlock. The unpredictable nature of the interleaving of process executions in distributed systems means that test executions are not always reproducible. Each single execution is typically only one of a virtually unimaginably large set of possible interleaved executions. What is needed to address these problems is an effective method for probing the system for conveniently defined classes of behavior, rather than isolated instances of behavior. Logic model checkers promise to provide such a technique, but they too come with some limitations.

The current limitations of model checking are of two kinds: computational ...
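Two points from this page share one worked example: the chapter's argument that a test run exercises only one of very many interleavings, so that a race must be found by enumerating all of them, and the bitstate hashing (supertrace) paper above, which trades that exhaustive state store for one bit per hash slot. The Python below is an added illustration, not code from SPIN or from either paper. It models two threads that each perform a non-atomic increment of a shared counter (a read followed by a write), searches every interleaving, and reports the lost update; the same search is then run with a bitstate table in place of the exact state set, so the reader can watch a too-small table silently drop states. The state encoding, the crc32 hash, the table sizes and the birthday-bound estimate of collision-free storage are all choices made here, not the paper's analysis.

```python
"""Exhaustive interleaving search versus bitstate (supertrace) search.

Added illustration, not code from SPIN or from the papers on this page.
Two threads each perform a non-atomic `count = count + 1` (read, then
write); the checker enumerates every interleaving and flags the lost
update.  The same search is then run with a bitstate hash table instead of
the exact state set.  The state encoding, the crc32 hash and the table
sizes are assumptions made for this example.
"""
import math
import zlib

# A global state is (pc0, tmp0, pc1, tmp1, count).  pc: 0 = about to read,
# 1 = about to write, 2 = finished.  Constructed for this example.
INITIAL = (0, 0, 0, 0, 0)
THREADS = 2


def successors(state):
    """All states reachable by letting exactly one thread take one step."""
    pc0, t0, pc1, t1, count = state
    pcs, tmps = [pc0, pc1], [t0, t1]
    out = []
    for i in range(THREADS):
        new_pcs, new_tmps = list(pcs), list(tmps)
        if pcs[i] == 0:                      # tmp = count  (the read)
            new_pcs[i], new_tmps[i] = 1, count
            out.append((new_pcs[0], new_tmps[0], new_pcs[1], new_tmps[1], count))
        elif pcs[i] == 1:                    # count = tmp + 1  (the write)
            new_pcs[i] = 2
            out.append((new_pcs[0], tmps[0], new_pcs[1], tmps[1], tmps[i] + 1))
    return out


def is_violation(state):
    """Safety property: once both threads are done, count must equal THREADS."""
    pc0, _, pc1, _, count = state
    return pc0 == 2 and pc1 == 2 and count != THREADS


class ExactStore:
    """Full state set: collision-free, but memory grows with the state space."""
    def __init__(self):
        self.seen = set()

    def add(self, state):
        if state in self.seen:
            return False
        self.seen.add(state)
        return True


class BitstateStore:
    """Supertrace-style store: one bit per hash slot, no state bodies kept."""
    def __init__(self, bits, hash_fn):
        self.table = bytearray((bits + 7) // 8)
        self.bits, self.hash_fn = bits, hash_fn

    def add(self, state):
        slot = self.hash_fn(state) % self.bits
        byte, mask = slot // 8, 1 << (slot % 8)
        if self.table[byte] & mask:
            return False                     # seen before, or a collision: state is dropped
        self.table[byte] |= mask
        return True


def crc32_hash(state):
    """Deterministic hash of a state; any stable hash of the state vector would do."""
    return zlib.crc32(repr(state).encode())


def search(store):
    """DFS over all interleavings; returns (states_stored, first_violation_or_None)."""
    store.add(INITIAL)
    stack, stored, violation = [INITIAL], 1, None
    while stack:
        state = stack.pop()
        if violation is None and is_violation(state):
            violation = state
        for nxt in successors(state):
            if store.add(nxt):
                stored += 1
                stack.append(nxt)
    return stored, violation


def no_collision_estimate(n_states, bits):
    """Birthday-bound approximation of P(all n states land on distinct bits)."""
    return math.exp(-n_states * (n_states - 1) / (2.0 * bits))


if __name__ == "__main__":
    exact, bad = search(ExactStore())
    print("exact: %d states, violation %s" % (exact, bad))
    for bits in (8, 64, 1 << 10, 1 << 20):
        n, bad = search(BitstateStore(bits, crc32_hash))
        print("bitstate %7d bits: %d states, violation %s, P(no collision) ~ %.3f"
              % (bits, n, bad, no_collision_estimate(exact, bits)))
```

The exact search visits all 13 reachable states and reports the final state with count 1, the interleaving in which both threads read before either writes; a single test run would hit it only if the scheduler happened to pick that order. The bitstate runs can never report more states than the exact one: a bit that is already set is taken to mean "seen", whether it was set by this state or by a colliding one, so every collision drops a state and everything reachable only through it. With a large table the omission probability is negligible and the violation is still found; with a table of a handful of bits most of the space disappears and the violation is usually missed, which is why the paper above insists on an analytical handle on how coverage falls with table size.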