A long-standing and elusive problem in software engineering is to devise reliable means that would allow us to check the correctness of distributed systems code mechanically. Writing reliable distributed code is notoriously difficult; locating the inevitable bugs in such code is therefore important. As is well-known and often repeated, traditional testing methods are of little use in this context, because the most pernicious bugs typically depend on subtle race conditions that produce peculiar and unexpected interleavings of events. Well-known are the deadlock and starvation problems that plagued the designers of the first distributed systems code in the 1960s and 1970s (see for instance [16] p.155). In simple cases, a small set of strictly enforced rules can preserve the sanity in a system. One such rule is the requirement that frequently used resources in an operating system can only be allocated in a fixed order, to prevent circular waiting. But the simple rules only cover the known problems. Each new system builds a new context, with its own peculiarities and hazards. This is illustrated by the well-publicized description of the hangup problem in the control software of the Mars Pathfinder a few years ago [11]. In retrospect, the hangup scenario could be understood in very simple terms, yet it was missed even in the long and unusually thorough (but traditional) software testing process that had been used.
[1]
Gerard J. Holzmann.
A Theory for Protocol Validation
,
1982,
IEEE Transactions on Computers.
[2]
Pierre Wolper,et al.
Simple on-the-fly automatic verification of linear temporal logic
,
1995,
PSTV.
[3]
Edmund M. Clarke,et al.
Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic
,
1981,
Logic of Programs.
[4]
Pierre Wolper,et al.
An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report)
,
1986,
LICS.
[5]
Richard William Watson,et al.
Timesharing system design concepts
,
1970
.
[6]
Kenneth L. McMillan,et al.
Symbolic model checking: an approach to the state explosion problem
,
1992
.
[7]
Fred Kröger,et al.
Temporal Logic of Programs
,
1987,
EATCS Monographs on Theoretical Computer Science.
[8]
De Villiers,et al.
Validation of a microkernel : a case study
,
1999
.
[9]
G. E. Reeves,et al.
What Really Happened on Mars
,
1998
.
[10]
Jean-Pierre Queille,et al.
LesSystème CESAR : description, spécification et analyse des applications réparties
,
1982
.
[11]
Gerard J. Holzmann,et al.
Design and validation of computer protocols
,
1991
.
[12]
Mihalis Yannakakis,et al.
On nested depth first search
,
1996,
The Spin Verification System.
[13]
James C. Corbett,et al.
Evaluating Deadlock Detection Methods for Concurrent Software
,
1996,
IEEE Trans. Software Eng..