Proceedings of the 2008 International Conference on Formal Methods in Computer Aided Design, 2008
Synchronous Data flow (SDF) graphs have a simple and elegant semantics (essentially linear algebra) which makes SDF graphs eminently suitable as a vehicle for studying scheduling optimisations. We extend and improve on related work on using SPIN to experiment with scheduling optimisations aimed at minimising buffer requirements. We show that for a benchmark of commonly used case studies the performance of our SPIN-based scheduler is comparable to that of state-of-the-art research tools. The key to success is creating abstract SPIN models, using the semantics of SDF to prove when using (even unsound and/or incomplete) abstractions is justified. The main benefit of our approach lies in gaining deep insight into the optimisations at relatively low cost.
This tutorial consists of two parts. In the first part we present an advanced overview of Spin [1, 4], and illustrate its practical application to logic model checking problems. In the second part of the tutorial we present an overview of a related tool called Modex [2, 3]. Modex can be used to extract Spin verification models directly from C source code. It supports the definition of user-defined abstractions, and cleverly exploits the capability in Spin version 4 to include embedded C code inside abstract verification models. We will show how to use Spin and Modex, separately and combined, in an effective way when searching for design errors in distributed software applications. Both Spin and Modex are written in ANSI-C and can freely be used on research projects.
Model checking tools are increasingly being used for the validation of real-life systems in an industrial context. This paper discusses two validation approaches with respect to the application of model checkers. The verification approach tries to ascertain the correctness of a formal model of a system, whereas the debugging approach tries to find errors in the model. This paper discusses the differences between the two complementary approaches and shows for each approach its advantages and disadvantages.
This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a property-oriented way and investigates, using two different techniques, whether a given bounded retransmission protocol conforms to this service. This protocol is based on the well-known alternating bit protocol but allows for a bounded number of retransmissions of a chunk, i.e., part of a file, only. So, eventual delivery is not guaranteed and the protocol may abort the file transfer. We investigate to what extent real-time aspects are important to guarantee the protocol's correctness and use Spin and Uppaal model checking for our purpose.
This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a property-oriented way and investigates, using two different techniques, whether a given bounded retransmission protocol conforms to this service. This protocol is based on the well-known alternating bit protocol but allows for a bounded number of retransmissions of a frame, i.e., part of a file, only. So, eventual delivery is not guaranteed and the protocol may abort the file transfer. We investigate to what extent real-time aspects are important to guarantee the protocol's correctness and use Spin and Uppaal model checking for our purpose. A comparison between these approaches is made and our experiences are reported.
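The protocol shape the two abstracts above describe (an alternating-bit sender and receiver, a lossy channel, and a bound on retransmissions per chunk) can be explored exhaustively with a few dozen lines of code. The following is an added example, not code from the paper and not its Promela or Uppaal models: a Python model of the protocol plus a breadth-first search over its reachable states that checks the two service properties the abstract implies, namely that chunks arrive in order without duplicates, and that with a lossy channel an abort is reachable while with a perfect channel it is not. The state layout, the constants N_CHUNKS and MAX_RETRIES, the transition labels and the property names are assumptions of this example.

```python
"""Explicit-state exploration of a bounded retransmission protocol (BRP).

Added example, not code from the paper: a small Python model of an
alternating-bit sender/receiver over a lossy channel with a bound on
retransmissions, and a breadth-first search over its reachable states.
State layout, constants, labels and property names are this example's own.
"""
from collections import deque
from dataclasses import dataclass, replace

N_CHUNKS = 2       # assumed file length, in chunks
MAX_RETRIES = 2    # assumed retransmission bound per chunk


@dataclass(frozen=True)
class State:
    s_idx: int = 0          # chunk the sender is working on; N_CHUNKS when done
    s_bit: int = 0          # sender's alternating bit
    s_tries: int = 0        # retransmissions already used for this chunk
    s_wait: bool = False    # sender is waiting for an acknowledgement
    fwd: tuple = None       # frame in flight to the receiver: (chunk, bit) or None
    bwd: int = None         # ack in flight to the sender: bit or None
    r_bit: int = 0          # bit the receiver expects next
    delivered: tuple = ()   # chunks handed to the receiving application, in order
    aborted: bool = False   # sender gave up on the transfer


def successors(s, lossy):
    """Yield (label, next_state) for every transition enabled in s."""
    if s.aborted or s.s_idx == N_CHUNKS:
        return
    # sender transmits, or after a timeout retransmits, the current chunk
    if not s.s_wait and s.fwd is None:
        yield "send", replace(s, fwd=(s.s_idx, s.s_bit), s_wait=True)
    # the lossy channel may drop whatever is in flight
    if lossy and s.fwd is not None:
        yield "lose_frame", replace(s, fwd=None)
    if lossy and s.bwd is not None:
        yield "lose_ack", replace(s, bwd=None)
    # receiver consumes a frame: delivers it only if the bit is new, always acks
    if s.fwd is not None:
        chunk, bit = s.fwd
        if bit == s.r_bit:
            yield "deliver", replace(s, fwd=None, bwd=bit, r_bit=1 - bit,
                                     delivered=s.delivered + (chunk,))
        else:
            yield "reack", replace(s, fwd=None, bwd=bit)
    # sender consumes an ack; a matching bit moves on to the next chunk
    if s.s_wait and s.bwd is not None:
        if s.bwd == s.s_bit:
            yield "ack", replace(s, bwd=None, s_wait=False, s_tries=0,
                                 s_idx=s.s_idx + 1, s_bit=1 - s.s_bit)
        else:
            yield "stale_ack", replace(s, bwd=None)
    # timeout fires only when nothing is in flight, i.e. the frame or its ack
    # was lost; premature timeouts are the real-time aspect left out here
    if s.s_wait and s.fwd is None and s.bwd is None:
        if s.s_tries < MAX_RETRIES:
            yield "timeout_retry", replace(s, s_wait=False, s_tries=s.s_tries + 1)
        else:
            yield "timeout_abort", replace(s, aborted=True)


def explore(lossy):
    """Breadth-first search; returns the reachable states and the labels fired."""
    init = State()
    seen, queue, labels = {init}, deque([init]), set()
    while queue:
        s = queue.popleft()
        for label, t in successors(s, lossy):
            labels.add(label)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, labels


def in_order_no_duplicates(s):
    """Safety: what the receiver has delivered is a prefix 0, 1, ... with no repeats."""
    return s.delivered == tuple(range(len(s.delivered)))


def check(lossy):
    """Evaluate the service properties over the whole reachable state space."""
    states, labels = explore(lossy)
    return {
        "states": len(states),
        "safety_holds": all(in_order_no_duplicates(s) for s in states),
        "abort_reachable": any(s.aborted for s in states),
        "complete_reachable": any(len(s.delivered) == N_CHUNKS and s.s_idx == N_CHUNKS
                                  for s in states),
        "stale_ack_reachable": "stale_ack" in labels,
    }


if __name__ == "__main__":
    for lossy in (False, True):
        print("lossy" if lossy else "perfect", "channel:", check(lossy))
```

The timeout is enabled only when both channels are empty; that is the abstraction of the real-time aspect the abstracts mention, and relaxing it (letting the sender time out while a frame or ack is still in flight) is where an untimed model starts to diverge from the real protocol. The `stale_ack` branch is reported as unreachable by the exploration, the same kind of unreached-code signal Spin gives for a model.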
International Journal on Software Tools for Technology Transfer, 2014
The Rigorous Examination of Reactive Systems' (RERS) Challenges provide a forum for experimental evaluation based on specifically synthesized benchmark suites. In this paper, we report on our 'brute-force attack' on the RERS 2012 and 2013 Challenges. We connected the RERS problems to two state-of-the-art explicit state model checkers: LTSmin and Spin. Apart from an effective compression of the state vector, we did not analyze the source code of the problems. Our brute-force approach was successful: it won both editions of the RERS Challenge.
This paper discusses several different ways to model the well-known gossiping girls problem in Promela. The highly symmetric nature of the problem is exploited using plain Promela, TopSPIN (an extension to Spin for symmetry reduction), and by connecting Spin to bliss (a tool to compute canonical representations of graphs). The model checker Spin is used to compare the consequences of the various modelling choices. This tutorial-style paper is meant as a road map of the various ways of modelling symmetric systems that can be explored.
Spin [9] is a model checker for the verification of distributed systems software. The tool is freely distributed, and often described as one of the most widely used verification systems. The Advanced Spin Tutorial is a sequel to [7] and is targeted towards intermediate to ...
Experience with Literate Programming in the Modelling and Validation of Systems. Theo C. Ruys and Ed Brinksma, Faculty of Computer Science, University of Twente. ... In our modelling work we used the literate programming tool noweb [9, 16, 17] developed by Norman Ramsey. ...
MoonWalker is a software model checker for CIL bytecode programs, which is able to detect deadlocks and assertion violations in CIL assemblies, better known as Microsoft .NET programs. The design of MoonWalker is inspired by Java PathFinder (JPF), a model checker for Java programs. The performance of MoonWalker is on par with JPF. This paper presents the new version of MoonWalker and discusses its most important features.
Virtual machine based software model checkers like JPF and MoonWalker spend up to half of their verification time on garbage collection. This is no surprise, as after nearly each transition the heap has to be cleaned of garbage. To improve this, this paper presents the Memoised Garbage Collection (MGC) algorithm, which exploits the (typical) locality of transitions to perform garbage collection incrementally. MGC tracks the depths of objects efficiently and only purges objects whose depths have become infinite, hence unreachable. MGC was experimentally evaluated via an implementation in our model checker MoonWalker and benchmarks using the parallel Java Grande Forum benchmark suite. By using MGC, a performance increase of up to 78% was measured over the traditional Mark&Sweep implementation.
This paper discusses a generalised incremental hashing scheme for explicit state model checkers. The hashing scheme has been implemented in the model checker Spin. The incremental hashing scheme works for Spin's exhaustive mode and for both approximate verification modes: bitstate hashing and hash compaction. An implementation has been provided for 32-bit and 64-bit architectures. We performed extensive experiments on the BEEM benchmarks to compare the incremental hash functions against Spin's traditional hash functions. In almost all cases, incremental hashing is faster than traditional hashing. The amount of performance gain depends on several factors, though. We conclude that incremental hashing performs best in Spin's 64-bit bitstate hashing mode, on models with large state vectors, and with a verifier that has been optimised by the C compiler.
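The reason incremental hashing pays off on large state vectors is that a transition in an explicit-state model checker typically rewrites only a few bytes of the vector, so a hash that can be adjusted from the old value and the changed positions avoids rescanning the whole vector before every state-table lookup. The following is an added example, not the paper's Spin implementation: a position-dependent polynomial hash in Python whose update costs one multiply per changed byte, checked against a full rehash of the same vector. BASE, MOD, the class name and the constructed sample vector are this example's own assumptions.

```python
"""Incremental hashing of a model-checker state vector.

Added example, not the paper's Spin implementation: a position-dependent
polynomial hash that is updated in O(k) when a transition rewrites k bytes of
an n-byte state vector, instead of the O(n) rescan a traditional hash needs.
BASE, MOD, the class and the constructed sample vector are this example's own.
"""
BASE = 257                 # assumed radix, above any byte value
MOD = (1 << 61) - 1        # assumed modulus (a Mersenne prime)


def full_hash(vec):
    """Traditional hash: h = sum(vec[i] * BASE**i) mod MOD, touching every byte."""
    h, p = 0, 1
    for b in vec:
        h = (h + b * p) % MOD
        p = (p * BASE) % MOD
    return h


class IncrementalVector:
    """A state vector whose hash stays current as single bytes are overwritten."""

    def __init__(self, vec):
        self.vec = bytearray(vec)
        self.hash = full_hash(self.vec)
        # BASE**i mod MOD for each slot, computed once per vector length
        self.powers = [pow(BASE, i, MOD) for i in range(len(self.vec))]
        self.bytes_touched = 0   # work counter, for comparison with a full rescan

    def write(self, i, new):
        """Overwrite byte i; the hash moves by (new - old) * BASE**i, one multiply."""
        old = self.vec[i]
        self.vec[i] = new
        self.hash = (self.hash + (new - old) * self.powers[i]) % MOD
        self.bytes_touched += 1


def apply_transition(vec, writes):
    """Apply a transition (list of (index, byte)) to a copy of vec and return
    (incremental_hash, full_rehash, bytes_touched_incrementally, vector_length)."""
    iv = IncrementalVector(vec)
    for i, v in writes:
        iv.write(i, v)
    return iv.hash, full_hash(iv.vec), iv.bytes_touched, len(iv.vec)


# Constructed sample: a 64-byte state vector (think process counters and
# channel contents) and a transition that rewrites two of its bytes.
SAMPLE_VEC = bytes(range(64))
SAMPLE_WRITES = [(3, 0x7F), (40, 0x00)]

if __name__ == "__main__":
    inc, full, touched, n = apply_transition(SAMPLE_VEC, SAMPLE_WRITES)
    print(f"incremental={inc:#x} full={full:#x} equal={inc == full}")
    print(f"bytes touched: {touched} incrementally vs {n} for a full rehash")
```

Whether the incremental value is used directly as the state-table index or, as in bitstate hashing, reduced further to a bit position, the saving is the same: per transition the cost scales with the bytes written rather than with the vector length, which is why the gain grows with state-vector size.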
SPIN (2, 11) is a model checker for the verification of distributed systems software. The tool is freely distributed, and often described as one of the most widely used verification systems. (2) describes SPIN 4.0, the latest version of the tool. SPIN was awarded the ACM Software System Award for 2001 (1). Advanced SPIN is a 'sequel' tutorial to (9) and is targeted towards intermediate to advanced SPIN users. The tutorial starts with a brief overview of the latest additions to PROMELA, the specification language of SPIN. General patterns are discussed to construct efficient PROMELA models and how to use SPIN in the most effective way. Topics to be discussed include: SPIN's optimisation algorithms, directives and options to tune verification runs with SPIN and guidelines for effective PROMELA modelling (e.g. invariance, atomicity, time, lossy channels, scheduling, etc.). The second part of the tutorial looks in more detail at the theoretical underpinnings of SPIN, and discu...
International Journal on Software Tools for Technology Transfer, 2013
Software model checking has come of age. After one and a half decades, several successful model checking tools have emerged. One of the most prominent approaches is the virtual machine-based approach, pioneered by Java PathFinder (JPF). And although the virtual machine-based approach has been rather successful, it lags behind classic model checking in terms of speed and memory consumption. Fortunately, with respect to the implementation of virtual machine-based model checkers, there is still ample room for innovation and optimizations. This paper presents three novel (optimization) techniques that have been implemented in MoonWalker, a software model checker for .NET programs. (a) .NET specifies an exception handling mechanism called structured exception handling (SEH). SEH is one of the most sophisticated and fine-grained exception handling mechanisms for application platforms. Its implementation within MoonWalker is the most sophisticated in a model checker to date. (b) To decrease memory use within MoonWalker, a collapsing scheme has been developed for collapsing the metadata used by stateful dynamic partial order reduction. The reduction of memory is, in some cases, more than a factor of two. (c) Finally, to decrease the verification time, the memoised garbage collection (MGC) algorithm has been developed. It has a lower time complexity than the often used Mark & Sweep garbage collector. Its main idea is that it only traverses changed parts of the heap instead of the full heap. The average time reduction is up to 25%. We have used the Java Grande Forum benchmark suite to compare MoonWalker against JPF and observed that the average performance of MoonWalker is on par with JPF.
International Journal on Software Tools for Technology Transfer (STTT), 2003
In this paper we take a closer look at the automated analysis of designs, in particular at verification by model checking. Model checking tools are increasingly being used for the verification of real-life systems in an industrial context. In addition to ongoing research aimed at curbing the complexity of dealing with the inherent state space explosion problem (which allows us to apply these techniques to ever larger systems), attention must now also be paid to the methodology of model checking, to decide how to use these techniques to their best advantage. Model checking "in the large" causes a substantial proliferation of interrelated models and model checking sessions that must be carefully managed in order to control the overall verification process. We show that in order to do this well both notational and tool support are required. We discuss the use of software configuration management techniques and tools to manage and control the verification trajectory. We present Xspin/Project, an extension to Xspin, which automatically controls and manages the validation trajectory when using the model checker Spin.
Concurrent systems are usually studied using interleaving semantic models, which consider the events of a system to be totally ordered. An alternative to these models is to use non-interleaving (true concurrency) models, which consider events to be just partially ordered. An important exponent of the latter approach was introduced by McMillan and later refined by several others. It embodies the construction of the complete finite prefix of the (usually) infinite unfolding of a concurrent system. The algorithm to construct such a complete finite prefix is parameterized by a special kind of partial order on the configurations of the system. Historically, these orders have been defined on the basis of the syntactical structure of the system description. This means that it is impossible to have control over the structure of a prefix. For efficiently using a prefix in reachability analysis and model checking, it is very important to be able to generate prefixes with a "nice" structure. Therefore, in this paper, we present the family of such orders generated by a special enumeration of the nodes of an unfolding. The concept of conflict point is introduced and aids the definition of this family. Conflict points mark the actual diversions between configurations. This has the advantage that the adequate order does not need to be specified a priori, but instead can be constructed "on the fly". Experimental evidence is provided.
This paper introduces JFK, a tool to construct a representation of the reachable state space of a system according to its true concurrency semantics. The unfolding of the system is driven by an on-the-fly adequate order.
This paper discusses validation projects carried out for the Mobile Communication Division of Robert Bosch GmbH. We verified parts of their Mobile Communication Network (MCNet), a communication system which is to be used in infotainment systems of future cars. The protocols of the MCNet have been modelled in Promela and validated with Spin. Apart from the validation results, this paper discusses some observations and recommendations on the use of Promela and Spin.
Papers by Theo Ruys