Model checking software systems: a case study

Abstract: Model checking is a proven successful technology for verifying hardware. It works, however, only on finite state machines, and most software systems have infinitely many states. Our approach to applying model checking to software hinges on identifying appropriate abstractions that exploit the nature of both the system, S, and the property, φ, to be verified. We check φ on an abstracted, but finite, model of S. Following this approach we verified three cache coherence protocols used in distributed file systems. These protocols have to satisfy this property: 'If a client believes that a cached file is valid then the authorized server believes that the client's copy is valid.' In our finite model of the system, we need only represent the 'beliefs' that a client and a server have about a cached file; we can abstract from the caches, the files' contents, and even the files themselves. Moreover, by successive application of the generalization rule from predicate logic, we need only consider a model with at most two clients, one server, and one file. We used McMillan's SMV model checker; on our most complicated protocol, SMV took less than 1 second to check over 43,600 reachable states.
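As an added illustration, not the paper's SMV model or any of its three protocols, the following Python explicit-state check applies the abstract's idea to a constructed two-client, one-server, one-file callback protocol: the state records only beliefs plus in-flight invalidations and acknowledgements, and the invariant checked is the abstract's property (client believes valid ⇒ server believes that client's copy is valid). The protocol rules and the `server_waits_for_ack` switch are assumptions of this example; the switch shows how dropping the server's belief on send, rather than on acknowledgement, produces a reachable violating state.

```python
from collections import deque

VALID, INVALID = "valid", "invalid"
CLIENTS = (0, 1)  # two clients suffice, per the abstract's generalization argument

# (client beliefs, server beliefs about each client's copy, in-flight invalidations, in-flight acks)
INITIAL = ((INVALID, INVALID), (INVALID, INVALID), frozenset(), frozenset())

def _set(beliefs, i, value):
    return tuple(value if j == i else b for j, b in enumerate(beliefs))

def successors(state, server_waits_for_ack):
    # Constructed toy callback protocol (an assumption of this example, not the paper's).
    cb, sb, invs, acks = state
    for i in CLIENTS:
        # fetch: client caches the file and the server records that i's copy is valid
        # (only when nothing is in flight for i, so a stale ack cannot be misread)
        if cb[i] == INVALID and i not in invs and i not in acks:
            yield (_set(cb, i, VALID), _set(sb, i, VALID), invs, acks)
        # write by i: the server must invalidate every other client's cached copy
        if cb[i] == VALID:
            new_sb, new_invs = sb, set(invs)
            for j in CLIENTS:
                if j != i and sb[j] == VALID:
                    new_invs.add(j)
                    if not server_waits_for_ack:  # belief dropped as soon as the message is sent
                        new_sb = _set(new_sb, j, INVALID)
            yield (cb, new_sb, frozenset(new_invs), acks)
        # invalidation delivered: the client drops its copy and acknowledges
        if i in invs:
            yield (_set(cb, i, INVALID), sb, invs - {i}, acks | {i})
        # ack delivered: a server that waits for acks drops its belief only now
        if i in acks:
            new_sb = _set(sb, i, INVALID) if server_waits_for_ack else sb
            yield (cb, new_sb, invs, acks - {i})

def check(server_waits_for_ack):
    """Explicit-state BFS; returns (first violating state or None, reachable state count)."""
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        cb, sb, _, _ = s
        for i in CLIENTS:
            if cb[i] == VALID and sb[i] != VALID:  # AG(client_valid -> server_valid) broken
                return s, len(seen)
        new = [t for t in successors(s, server_waits_for_ack) if t not in seen]
        seen.update(new)
        queue.extend(new)
    return None, len(seen)
```

`check(False)` returns a state in which one client still believes its copy is valid while the server has already recorded it as invalid; `check(True)` explores the whole finite model and finds no such state.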
