Abstract
Stateless model checking is a useful state-space exploration technique for systematically testing complex real-world software. Existing stateless model checkers are limited to the verification of safety properties on terminating programs. However, realistic concurrent programs are nonterminating, a property that significantly reduces the efficacy of stateless model checking in testing them. Moreover, existing stateless model checkers are unable to verify that a nonterminating program satisfies the important liveness property of livelock-freedom, a property that requires the program to make continuous progress for any input.
To address these shortcomings, this paper argues for incorporating a fair scheduler in stateless exploration. The key contribution of this paper is an explicit scheduler that is (strongly) fair and at the same time sufficiently nondeterministic to guarantee full coverage of safety properties. We have implemented the fair scheduler in the CHESS model checker. We show through theoretical arguments and empirical evaluation that our algorithm satisfies two important properties: 1) it visits all states of a finite-state program, achieving state coverage at a faster rate than existing techniques, and 2) it finds all livelocks in a finite-state program. Before this work, nonterminating programs had to be manually modified in order to apply CHESS to them. The addition of fairness has allowed CHESS to be effectively applied to real-world nonterminating programs without any modification. For example, we have successfully booted the Singularity operating system under the control of CHESS.
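The abstract's argument can be made concrete with a toy stateless model checker. The following is an added example written for this page; it is not CHESS code and does not reproduce the paper's scheduler. Threads are Python generators over a shared dictionary; each `yield` is a scheduling point and reports whether the thread just did real work (`"step"`) or spun without progress (`"yield"`, a busy-wait iteration). The explorer is stateless in the sense the paper uses: it keeps no state snapshots but re-executes the program from scratch under a recorded list of scheduling choices and extends that list depth-first. The fairness rule used here is an assumption chosen for illustration: a thread that yields is demoted below every other thread, so a spinning thread cannot starve the thread it waits for, while ties between equally prioritized threads are still explored nondeterministically. The two programs, `benign_program` (a worker spinning on a flag that the main thread eventually sets) and `livelock_program` (two threads each spinning on a flag the other sets only after its own spin), are constructed for the example, as is the step bound.

```python
"""Toy stateless model checker contrasting an unfair and a fair scheduler.

Added illustration, not CHESS code. The explorer never snapshots state: it
replays the program from scratch under a list of scheduling choices and
extends that list depth-first, branching on every choice the scheduler allows.
"""

STEP_BOUND = 12  # assumption: a schedule of this length is reported, not extended


def spin_until(shared, flag):
    """Busy-wait until shared[flag] is set; every spin is a non-progress 'yield'."""
    while not shared[flag]:
        yield "yield"


def replay(program, choices, fair):
    """Re-run `program` under `choices`, then report (status, options, state):
    `options` are the threads the scheduler allows next, `state` is an abstract
    state key (shared data plus live threads) used only to measure coverage."""
    shared = dict(program["init"])
    threads = {tid: body(shared) for tid, body in program["threads"].items()}
    alive = set(threads)
    prio = dict.fromkeys(threads, 0)
    for tid in choices:
        try:
            did = next(threads[tid])
        except StopIteration:  # the thread ran its final segment
            alive.discard(tid)
            continue
        if fair and did == "yield":
            # fairness rule (assumption, not the paper's exact policy): a thread
            # that spins without progress drops below all others, so it cannot
            # starve the thread it is waiting for; ties remain nondeterministic
            prio[tid] = min(prio.values()) - 1
    state = (tuple(sorted(shared.items())), tuple(sorted(alive)))
    if not alive:
        return "terminated", [], state
    if len(choices) >= STEP_BOUND:
        return "bound", [], state
    top = max(prio[t] for t in alive)
    options = [t for t in sorted(alive) if not fair or prio[t] == top]
    return "running", options, state


def explore(program, fair):
    """Depth-first stateless exploration; returns counts and a verdict.
    Under the fair scheduler a schedule that hits the bound is a livelock;
    under the unfair one it may just be the scheduler starving a thread."""
    summary = {"terminated": 0, "bound": 0, "replays": 0, "states": set()}
    stack = [[]]
    while stack:
        choices = stack.pop()
        status, options, state = replay(program, choices, fair)
        summary["replays"] += 1
        summary["states"].add(state)
        if status == "running":
            stack.extend(choices + [tid] for tid in options)
        else:
            summary[status] += 1
    summary["states"] = len(summary["states"])
    if fair:
        summary["verdict"] = "livelock" if summary["bound"] else "no livelock"
    else:
        summary["verdict"] = ("bound hit: livelock or starvation?"
                              if summary["bound"] else "all schedules terminate")
    return summary


def benign_program():
    """Constructed: worker spins until main sets `ready`; always terminates fairly."""
    def worker(shared):
        yield from spin_until(shared, "ready")
        shared["done"] = True
        yield "step"

    def main(shared):
        shared["x"] = 1
        yield "step"
        shared["ready"] = True
        yield "step"
    return {"init": {"ready": False, "done": False, "x": 0},
            "threads": {"main": main, "worker": worker}}


def livelock_program():
    """Constructed: each thread spins on the other's flag before setting its own."""
    def a(shared):
        yield from spin_until(shared, "b_ready")
        shared["a_ready"] = True
        yield "step"

    def b(shared):
        yield from spin_until(shared, "a_ready")
        shared["b_ready"] = True
        yield "step"
    return {"init": {"a_ready": False, "b_ready": False},
            "threads": {"a": a, "b": b}}


if __name__ == "__main__":
    for name, prog in (("benign", benign_program), ("livelock", livelock_program)):
        for fair in (False, True):
            print(name, "fair" if fair else "unfair", explore(prog(), fair))
```

Running it shows the three points the abstract makes: the unfair explorer hits the step bound on the benign program because it is free to schedule the spinning worker forever, so it cannot tell a livelock from its own unfairness; the fair explorer terminates every schedule of the benign program (the worker yields once, is demoted, and main runs to completion); and on the circular-wait program the fair explorer still hits the bound on every schedule, which under a fair scheduler is a genuine livelock.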
Fair stateless model checking. PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation.