Xuezheng Liu,Aimin Pan,Wei Lin,Zheng Zhang

DOI: https://doi.org/10.1145/1095810.1118603

2005-01-01

Abstract:ABSTRACTA correct system is only derived from a correct implementation of a correct specification. Unfortunately, this imposes a heavy burden in the development process, especially for complex, distributed system ranging from machine room computing and storage services as well as large-scale P2P applications. A specification, if authored in formal language such as TLA+, Spec#, SPIN etc., is ready for model checking. The state explosion problem, however, prohibits all specification states to be thoroughly traversed. Often ad hoc heuristics are applied to drastically reduce the scale so as to make the model checking phase tractable. A correct implementation can be even more challenging, especially when we encounter non-deterministic bugs that are hard to reproduce. The gap between spec and implementation often leaves one to wonder whether the implementation or the spec is faulty, or even both. Motivated by our experiences in developing several complete large scale distributed systems, we are designing and implementing a suite of testing and debugging facility on top of our previously developed WiDS platform.

Lin Gui,Jun Sun,Yang Liu,Yuanjie Si,Jin Song Dong,Xinyu Wang

DOI: https://doi.org/10.1145/2483760.2483779

2013-01-01

Abstract:Testing provides a probabilistic assurance of system correctness. In general, testing relies on the assumptions that the system under test is deterministic so that test cases can be sampled. However, a challenge arises when a system under test behaves non-deterministiclly in a dynamic operating environment because it will be unknown how to sample test cases. In this work, we propose a method combining hypothesis testing and probabilistic model checking so as to provide the ``assurance" and quantify the error bounds. The idea is to apply hypothesis testing to deterministic system components and use probabilistic model checking techniques to lift the results through non-determinism. Furthermore, if a requirement on the level of ``assurance" is given, we apply probabilistic model checking techniques to push down the requirement through non-determinism to individual components so that they can be verified using hypothesis testing. We motivate and demonstrate our method through an application of system reliability prediction and distribution. Our approach has been realized in a toolkit named RaPiD, which has been applied to investigate two real-world systems.

Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1109/isorc.2012.28

2012-01-01

Abstract:This paper presents a lightweight verification technique, which is applicable to dependable real-time systems, provided that the (abstract) model and the (concrete) implementation of the system under test are given in advance. In addition to the usual quality assurance techniques at design time (e.g., formal verification) and at implementation time (e.g., testing), we provide a special form of model checking at run time. That is, we check the correctness of an actual system execution by means of exploring a partial model space covering the current execution trace. In doing so, concrete state information is observed from time to time while the system to be checked is running. This runtime information is used to guide model checking to reduce the model space to be explored. In this sense, we call this method online model checking. Since we do not directly check the execution trace itself, our online checking at model level is capable of checking a running system some steps ahead of the actual state of execution. In this paper, we describe online model checking as well as the underlying system architecture in general, explain the basic algorithm and its extension to improve performance, and provide experimental results.

Xiu Tang,Sai Wu

DOI: https://doi.org/10.14778/3611540.3611584

IF: 2.5

2023-01-01

Proceedings of the VLDB Endowment

Abstract:Database management systems (DBMSs) are prone to logic bugs that can result in incorrect query results. Current debugging tools are limited to single table queries and struggle with issues like lack of ground-truth results and repetitive query space exploration. In this paper, we demonstrate DLBD, a system that automatically detects logic bugs in databases. DLBD offers holistic logic bug detection by providing automatic schema and query generation and ground-truth query result retrieval. Additionally, DLBD provides minimal test cases and root cause analysis for each bug to aid developers in reproducing and fixing detected bugs. DLBD incorporates heuristics and domain-specific knowledge to efficiently prune the search space and employs query space exploration mechanisms to avoid the repetitive search. Finally, DLBD utilizes a distributed processing framework to test database logic bugs in a scalable and efficient manner. Our system offers developers a reliable and effective way to detect and fix logic bugs in DBMSs.

Zhengwei Qi,Liang Liu,Alei Liang,Hao Wang,Ying Chen

DOI: https://doi.org/10.1109/ICPADS.2008.73

2008-01-01

Abstract:Modern software model checkers are usually used to find safety violations. However, checking liveness properties can offer a more natural and effective way to detect errors, particularly in complex concurrent and distributed e-business systems. Specifying global liveness properties which should always eventually be true proves to be more desirable, but it is hard for existing software model checkers to verify liveness in real codes because doing so requires finding an infinite execution. For solving such a challenge, this paper proposes an online checking tool to verify the safety and liveness properties of complex systems. We adopt the linear temporal logic to describe the semantics of the finite model checking, use binary instrumentation to obtain the distribute states and apply a checking engine to dynamically verify the finite trace linear temporal logic properties. At last, we demonstrate the method in a distributed system using distributed protocol Paxos and achieve good results by experiments.

Sufyan Samara,Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1007/978-3-642-15234-4_11

2010-01-01

Abstract:This paper presents a novel flexible, dependable, and reliable operating system design for distributed reconfigurable system on chip. The dependability and reliability are achieved by integrating online model checking technique. Each OS service has different implementations which are further partitioned into small blocks. This operating system design allows the OS service to be adapted at runtime according to the given resource requirements and response time. Such adaptable services may be required by real time safety-critical applications. The flexibility introduced in executing adaptable OS services also gives rise to a potential safety problem. Thus, online model checking is integrated to the operating system so as to improve the dependability, reliability, and fault tolerance of these adaptable OS services.

Yuqi Zhang,Yu Huang,Hengfeng Wei,Xiaoxing Ma

DOI: https://doi.org/10.1002/smr.2555

2023-01-01

Journal of Software Evolution and Process

Abstract:Internet-scale distributed systems often replicate data at multiple geographic locations to provide low latency and high availability. The Conflict-free Replicated Data Type (CRDT) is a framework that provides a principled approach to maintaining eventual consistency among data replicas. CRDTs have been notoriously difficult to design and implement correctly. Subtle deep bugs lie in the complex and tedious handling of all possible cases of conflicting data updates. We argue that the CRDT design should be formally specified and model-checked to uncover deep bugs. The implementation further needs to be systematically tested. On the one hand, the testing needs to inherit the exhaustive nature of the model checking and ensures the coverage of testing. On the other hand, the testing is expected to find coding errors which cannot be detected by design level verification. Towards the challenges above, we propose the Model Checking-driven Explorative Testing (MET) framework. At the design level, MET uses TLA+ to specify and model check CRDT designs. At the implementation level, MET conducts model checking-driven explorative testing, in the sense that the test cases are automatically generated from the model checking traces. The system execution is controlled to proceed deterministically, following the model checking trace. The explorative testing systematically controls and permutes all nondeterministic message reorderings. We apply MET in our practical development of CRDTs. The bugs in both designs and implementations of CRDTs are found. As for bugs which can be found by traditional testing techniques, MET greatly reduces the cost of fixing the bugs. Moreover, MET can find subtle deep bugs which cannot be found by existing techniques at a reasonable cost. We further discuss how MET provides us with sufficient confidence in the correctness of our CRDT designs and implementations.

Lamia Allal,Ghalem Belalem,Philippe Dhaussy

DOI: https://doi.org/10.1007/978-81-322-2755-7_56

2016-01-01

Abstract:In the life cycle of any software system, a crucial phase formalization and validation through verification or testing induces an identification of errors infiltrated during its design. This is achieved through verification by model checking. A model checking algorithm is based on two steps: the construction of state space of the system specification and the verification of this state space. However, these steps are limited by the state explosion problem, which occurs when models are large. In this paper, we propose a solution to this problem to improve performance in execution time and memory space by performing the exploration of state space in a distributed architecture consisting of several machines.

Xuezheng Liu,Wei Lin,Aimin Pan,Zheng Zhang

2007-01-01

Abstract:Despite many efforts, the predominant practice of debugging a distributed system is still printf-based log mining, which is both tedious and error-prone. In this paper, we present WiDS Checker, a unified framework that can check distributed systems through both simulation and reproduced runs from real deployment. All instances of a distributed system can be executed within one simulation process, multiplexed properly to observe the "happensbefore" relationship, thus accurately reveal full system state. A versatile script language allows a developer to refine system properties into straightforward assertions, which the checker inspects for violations. Combining these two components, we are able to check distributed properties that are otherwise impossible to check. We applied WiDS Checker over a suite of complex and real systems and found non-trivial bugs, including one in a previously proven Paxos specification. Our experience demonstrates the usefulness of the checker and allows us to gain insights beneficial to future research in this area.

Zhi-Hong Tao,Hans Kleine Büning,Li-Fu Wang

DOI: https://doi.org/10.1007/s11390-006-0944-5

2006-01-01

Abstract:During the last decade, Model Checking has proven its efficacy and power in circuit design, network protocol analysis and bug hunting. Recent research on automatic verification has shown that no single model-checking technique has the edge over all others in all application areas. So, it is very difficult to determine which technique is the most suitable for a given model. It is thus sensible to apply different techniques to the same model. However, this is a very tedious and time-consuming task, for each algorithm uses its own description language. Applying Model Checking in software design and verification has been proved very difficult. Software architectures (SA) are engineering artifacts that provide high-level and abstract descriptions of complex software systems. In this paper a Direct Model Checking (DMC) method based on Kripke Structure and Matrix Algorithm is provided. Combined and integrated with domain specific software architecture description languages (ADLs), DMC can be used for computing consistency and other critical properties.

ZhiHong Tao,Hans Kleine Büning,Decheng Ding

2004-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:During the past two decades Model Checking based on Kripke Semantics Structure has proven its efficacy and powerful in circuit design, network protocol analysis, program verification and bug hunting. Recently there has been considerable research on Model Checking without OBDDs such as using SAT Solver or Bounded Model Checking (BMC). A Dynamic Kripke Semantics Structure is introduced through allow the AP set changed. Based on this method, a new direct model checking algorithm is proposed.

Prantik Chatterjee,Subhajit Roy,Bui Phi Diep,Akash Lal

DOI: https://doi.org/10.48550/arXiv.2005.08063

2020-05-17

Abstract:Program verification is a resource-hungry task. This paper looks at the problem of parallelizing SMT-based automated program verification, specifically bounded model-checking, so that it can be distributed and executed on a cluster of machines. We present an algorithm that dynamically unfolds the call graph of the program and frequently splits it to create sub-tasks that can be solved in parallel. The algorithm is adaptive, controlling the splitting rate according to available resources, and also leverages information from the SMT solver to split where most complexity lies in the search. We implemented our algorithm by modifying CORRAL, the verifier used by Microsoft's Static Driver Verifier (SDV), and evaluate it on a series of hard SDV benchmarks.

Programming Languages,Software Engineering

Carlos E. Budde,Pedro R. D’Argenio,Arnd Hartmanns,Sean Sedwards

DOI: https://doi.org/10.1007/s10009-020-00563-2

2020-05-28

International Journal on Software Tools for Technology Transfer

Abstract:Abstract Statistical model checking avoids the state space explosion problem in verification and naturally supports complex non-Markovian formalisms. Yet as a simulation-based approach, its runtime becomes excessive in the presence of rare events, and it cannot soundly analyse nondeterministic models. In this article, we present : a statistical model checker that combines fully automated importance splitting to estimate the probabilities of rare events with smart lightweight scheduler sampling to approximate optimal schedulers in nondeterministic models. As part of the Modest Toolset , it supports a variety of input formalisms natively and via the Jani exchange format. A modular software architecture allows its various features to be flexibly combined. We highlight its capabilities using experiments across multi-core and distributed setups on three case studies and report on an extensive performance comparison with three current statistical model checkers.

computer science, software engineering

Carlos E. Budde,Pedro R. D’Argenio,Arnd Hartmanns,Sean Sedwards

DOI: https://doi.org/10.1007/978-3-319-89963-3_20

2018-01-01

Abstract:Statistical model checking avoids the state space explosion problem in verification and naturally supports complex non-Markovian formalisms. Yet as a simulation-based approach, its runtime becomes excessive in the presence of rare events, and it cannot soundly analyse nondeterministic models. In this tool paper, we present modes: a statistical model checker that combines fully automated importance splitting to efficiently estimate the probabilities of rare events with smart lightweight scheduler sampling to approximate optimal schedulers in nondeterministic models. As part of the Modest Toolset, it supports a variety of input formalisms natively and via the Jani exchange format. A modular software architecture allows its various features to be flexibly combined. We highlight its capabilities with an experimental evaluation across multi-core and distributed setups on three exemplary case studies.

Yann Thierry-Mieg

DOI: https://doi.org/10.48550/arXiv.2005.12911

2021-12-18

Abstract:Brute-force model-checking consists in exhaustive exploration of the state-space of a Petri net, and meets the dreaded state-space explosion problem. In contrast, this paper shows how to solve model-checking problems using a combination of techniques that stay in complexity proportional to the size of the net structure rather than to the state-space size. We combine an SMT based over-approximation to prove that some behaviors are unfeasible, an under-approximation using memory-less sampling of runs to find witness traces or counter-examples, and a set of structural reduction rules that can simplify both the system and the property. This approach was able to win by a clear margin the model-checking contest 2020 for reachability queries as well as deadlock detection, thus demonstrating the practical effectiveness and general applicability of the system of rules presented in this paper.

Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory,Logic in Computer Science

Jipeng Wu,Shanshan Lv,Eryu Ding,Bin Luo

DOI: https://doi.org/10.1109/icsess.2015.7338994

2015-01-01

Abstract:There are two types of software defects: (1)implementation defects(i.e., discrepancies between a implementation and its specification), and (2)specification defects(Systems implemented correctly may also fail due to its defective specification design). This paper presents a specification defects detection method called Specification Defects Detection Using Statecharts (SDDS), and applies it to 5 classes from open source software. SDDS converts source codes to statecharts and then find intrinsic design defects or risks of specifications from their statecharts. We applied this method in our case study and proved that at least 3 types of specification defects exist and can be detected by SDDS.

Bin LEI,Lin-Zhang WANG,Xuan-Dong LI,Guo-Liang ZHENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.01.042

2006-01-01

Computer Science

Abstract:Utilization of design model to improve testing automation is an important subject in software testing re- search.UML Sequence Diagram is widely used for specifying software scenario.In this paper,we develope a scenario specification-oriented runtime testing method,and built a prototype tool SDT.It can parse the sequence diagram infor- mation from Rational Rose specification file and generate directed acyclic graph (DAG) which stands for expected be- havior property,and interpolate java code implementation of the design model,then use random test cases to run the code,and generate runtime execution trace (RET) from trace file,at last compare DAG with RET to verify the con- formance between design and implementation.

Daniel Kroening,Peter Schrammel,Michael Tautschnig

DOI: https://doi.org/10.48550/arXiv.2302.02384

2023-02-05

Abstract:The C Bounded Model Checker (CBMC) demonstrates the violation of assertions in C programs, or proves safety of the assertions under a given bound. CBMC implements a bit-precise translation of an input C program, annotated with assertions and with loops unrolled to a given depth, into a formula. If the formula is satisfiable, then an execution leading to a violated assertion exists. CBMC is one of the most successful software verification tools. Its main advantages are its precision, robustness and simplicity. CBMC is shipped as part of several Linux distributions. It has been used by thousands of software developers to verify real-world software, such as the Linux kernel, and powers commercial software analysis and test generation tools. Table 1 gives an overview of CBMC's features. CBMC is also a versatile tool that can be applied to solve many practical program analysis problems such as bug finding, property checking, test input generation, detection of security vulnerabilities, equivalence checking and program synthesis. This chapter will give an introduction into CBMC, including practical examples and pointers to further reading. Moreover, we give insights about the development of CBMC itself, showing how its performance evolved over the last decade.

Software Engineering,Logic in Computer Science,Programming Languages

Fei He,Yuan Gao,Liangze Yin

DOI: https://doi.org/10.1007/s11704-016-6048-7

IF: 2.6688

2018-01-01

Frontiers of Computer Science

Abstract:Software product line (SPL) engineering is increasingly being adopted in safety-critical systems. It is highly desirable to rigorously show that these systems are designed correctly. However, formal analysis for SPLs is more difficult than for single systems because an SPL may contain a large number of individual systems. In this paper, we propose an efficient model-checking technique for SPLs using induction and a SAT (Boolean satisfiability problem) solver. We show how an induction-based verification method can be adapted to the SPLs, with the help of a SAT solver. To combat the state space explosion problem, a novel technique that exploits the distinguishing characteristics of SPLs, called feature cube enlargement, is proposed to reduce the verification efforts. The incremental SAT mechanism is applied to further improve the efficiency. The correctness of our technique is proved. Experimental results show dramatic improvement of our technique over the existing binary decision diagram (BDD)-based techniques.

F. Brglez,Matthias F. Stallmann,Xiao Yu,Qing Li

2003-01-01

Abstract:Analysis of our recent experiments for a group of SAT solvers and several classes of problem instances suggests a common mathemat- ical framework with experiments in component reliability. In the latter, we observe the distribution of component lifetime; in the former, we observe the distribution of execution time (runtime). A lifetime distri- bution for hardware components is frequently found to have an expo- nential, Weibull, Pareto, or gamma distribution. Our experiments with state-of-the-art SAT solvers reveal normal distributions and exponential distributions of runtime and other related random variables, as well as other distributions commonly observed in reliability applications. SATbed, an experimental testbed for SAT solvers, emulates the reli- ability framework: equivalence classes of isomorphic problem instances (replicated hardware components), subjected to tests with specific SAT solvers (specifically controlled environments), observations of runtime, implications, etc. (lifetime), statistical analysis and modeling, based on random variable samples. The testbed not only facilitates systematic study and reliable improvement of any SAT solver but also supports the introduction and validation of new problem instance classes.