Fighting Livelock in the i-Protocol: A Comparative Study of Verification Tools

The i-protocol, an optimized sliding-window protocol for GNU UUCP, came to our attention two years ago when we used the Concurrency Factory's local model checker to detect, locate, and correct a non-trivial livelock in version 1.04 of the protocol. Since then, we have repeated this verification effort with five widely used model checkers, namely, COSPAN, Murϕ, SMV, Spin, and XMC. It is our contention that the i-protocol makes for a particularly compelling case study in protocol verification and for a formidable benchmark of verification-tool performance, for the following reasons:

1) The i-protocol can be used to gauge a tool's ability to detect and diagnose livelock errors.

2) The size of the i-protocol's state space grows exponentially in the window size, and the entirety of this state space must be searched to verify that the protocol, with the livelock error eliminated, is deadlock- or livelock-free.

3) The i-protocol is an asynchronous, low-level software system equipped with a number of optimizations aimed at minimizing control-message and retransmission overhead. It lacks the regular structure that is often present in hardware designs. In this sense, it provides any verification tool with a vigorous test of its analysis capabilities.
