Gerard J. Holzmann. The Model Checker Spin. IEEE Transactions on Software Engineering, Special issue on Formal Methods in Software Practice, Volume 23, Number 5, May 1997, 279-295.
....of the various components, and are hence extremely difficult to test using traditional testing techniques. The many ways components can interact usually leads to a large search space, and model checkers typically incorporate various techniques for conquering this complexity. The SPIN model checker [36], for which Gerard Holzmann recently received the ACM Software System Award, has a large user community, and the SPIN workshop is a forum for this community, and generally for researchers with interest in automata based, explicit state model checking technologies for the analysis and verification ....
Gerard J. Holzmann. The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....to be rather trivial and had no bearing on general complexity results. Nevertheless, the idea of doing model checking through the construction of automata was taken seriously, at least by some, and attempts were made to incorporate automata theoretic model checking into tools, notably into SPIN [Hol91,Hol97]. Of course, this required an effective implementation of the logic to automaton translation algorithm and the pragmatics of doing this are not entirely obvious. A description of such an implementation was given in [GPVW95] and improved algorithms have been proposed since [DGV99,SB00]. Note that ....
Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
....for Büchi automata is equivalent to the problem of finding a cycle that is reachable from the initial state and contains an accepting state. This problem can be effectively solved using the nested depth-first search (NDFS) algorithm [HPY96] incorporated in the SPIN verification tool [Hol97]. The practical limitation of this algorithm is the amount of randomly accessed memory which the algorithm requires. A very natural way to overcome the memory limitation is to distribute the given graph onto several processors (computers) and to perform a distributed computation. As the ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
....we had to perform. Keywords: Model Checking, SPIN, ProMeLa, ZCSP, LTL. 1. INTRODUCTION In this paper we consider the problem of specifying the model of the ZCSP protocol [1] for LTL verification purposes with the model checker SPIN. Readers can find a brief description of the Spin Model Checker in [4], and of protocol validation using this tool in [2]. SPIN is a generic verification system that supports the design and verification of asynchronous process systems. Process interactions can be specified in rendez-vous primitives, with asynchronous messages passing through typed buffered ....
....SPIN is a generic verification system that supports the design and verification of asynchronous process systems. Process interactions can be specified in rendez-vous primitives, with asynchronous messages passing through typed buffered channels, through shared variables or any combination of these [4]. SPIN accepts design specifications written in the verification language ProMeLa (a Process Meta Language) and it accepts correctness claims specified in the syntax of standard Linear Temporal Logic (LTL) [6]. To perform verification, SPIN takes a correctness claim that is specified as a ....
G. Holzmann. The Model Checker Spin. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
....of the various components, and are hence extremely difficult to test using traditional testing techniques. The many ways components can interact usually leads to a large search space, and model checkers typically incorporate various techniques for conquering this complexity. The SPIN model checker [36], for which Gerard Holzmann recently received the ACM Software System Award, has a large user community, and the SPIN workshop is a forum for this community, and generally for researchers with interest in automata based, explicit state model checking technologies for the analysis and verification ....
Gerard J. Holzmann. The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
....resources are devoted to improving the practicality of such analysis tools. For example, the Java PathFinder (JPF) model checker has been applied to the verification of critical avionics software [2, 11, 13]. JPF is a model checker which operates on principles similar to the SPIN model checker [7], i.e. given a closed environment for software, it performs a systematic exploration of the state space of the program by executing it. Therefore, JPF has to deal with issues such as generating an environment to close a system, deriving finite models from infinite state spaces, and curbing the ....
G. Holzmann. The Model Checker Spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....in particular logics such as temporal logic. Temporal logics are extensions of classical logic, with operators that deal with time. They have been used in a wide variety of areas within Computer Science and Artificial Intelligence, for example robotics [17], databases [18], hardware verification [10] and agent based systems [16]. In particular, propositional temporal logics have already made significant impact within Computer Science, having been applied to: the specification and verification of distributed or concurrent systems [14]; the synthesis of programs from temporal ....
.... Computer Science, having been applied to: the specification and verification of distributed or concurrent systems [14]; the synthesis of programs from temporal specifications [15, 13]; the semantics of executable temporal logic [9]; algorithmic verification via model checking [10, 2]; and knowledge representation and reasoning [6, 1, 20]. In developing such techniques, temporal proof is often required, and we base our work on practical proof techniques on the clausal resolution approach to temporal logic. The clausal resolution method for propositional linear time ....
G. J. Holzmann. The Model Checker Spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special Issue on Formal Methods in Software Practice.
.... This problem occurs frequently when trying to apply model checking techniques to the verification of Java or C programs [23, 8, 10, 5]. Traditionally, LTL model checking is accomplished by first translating the LTL formula into a Büchi automaton [4] and then proving properties on them [11, 4]. Although [23] discusses why such a solution is not ideal for the runtime verification on finite traces, this approach is used by the JPaX runtime analysis tool [8]. Dealing with past tense operators gives us an advantage. The dynamic programming algorithm presented in [23] requires as input the ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
....on hardware design, and was one of the first model checkers to introduce bridges to some theorem proving concepts. The last one, KRONOS, is a representative of dense time model checkers. 3.2 SPIN SPIN [Holz97] is a model checker that has been developed at the Computer Science Research Center of the Bell Laboratories. Historically SPIN goes back to the beginning of the 80s when the Bell Labs Formal Method Group started working on automatic protocol verification. Since then the tool has been constantly ....
....relevant to the considered property is explored. SPIN fully integrates Linear Temporal Logic (LTL) as formalism for input requirements. SPIN offers both exhaustive and partial proof techniques. SPIN uses partial order and optionally BDD-like storage for state space reduction. [Holz97] gives a very good overview of the tool architecture and functionalities. In the remainder of this section we will only give a basic introduction to the SPIN concepts and spirit. Interested readers are referred to that first article for more details. 3.2.2 Processes The first step when using ....
GERARD J. HOLZMANN, The Model Checker SPIN, IEEE Transactions on Software Engineering, Special issue on Formal Methods in Software Practice, May 1997
....in particular logics such as temporal logic. Temporal logics are extensions of classical logic, with operators that deal with time. They have been used in a wide variety of areas within Computer Science and Artificial Intelligence, for example robotics [20], databases [21], hardware verification [13] and agent based systems [19]. In particular, propositional temporal logics have already made significant impact within Computer Science, having been applied to: the specification and verification of reactive (e.g. distributed or concurrent) systems [17]; the synthesis of programs from ....
G. J. Holzmann. The Model Checker Spin. IEEE Trans. on Software Engineering, 23(5):279-295, May 1997. Special Issue on Formal Methods in Software Practice.
....than explicitly computing the entire product automaton in advance and storing it in memory, to reduce space we could perform the depth-first search generating states lazily on the fly. Also, we could use hashing to keep a bit vector of previously visited states to further reduce memory consumption [9, 10]. If this is not enough, we could even use techniques from symbolic model checking to represent the automata A and M using BDDs and then compute their product symbolically with standard algorithms [16]. However, we have found that these fancy optimizations seem unnecessary in practice. The simple ....
G.J. Holzmann, "The Model Checker Spin," IEEE Trans. on Software Engineering, Special issue on Formal Methods in Software Practice, May 1997.
....Statechart behaviour. Behaviour that is otherwise obfuscated in the original notation, such as inter level transitions, is explicitly specified in the new notation. The resulting hierarchical automata could then be used as an intermediate formalism to interface with tools such as the SPIN [Hol97] model checker. However, these tools would still need to interpret the semantics of hierarchical automata in order to process the specification and a further translation to an intermediate formalism (such as that used by the model checking tool) is required. Other work by the same authors ....
....approach is better suited for testing primitive data types rather than the larger specifications that would be produced for the systems of interest to this thesis. 2.4 Automated formal analysis 2.4.1 Automated formal analysis of Statechart specifications Model checking techniques [CK96, CW96, Hol97] have recently been applied to the problem of analysing certain properties of Statecharts. Model checking is a highly automated technique that exhaustively explores the state space of a specification searching for counterexamples to particular user specified properties. One of the main tasks ....
G. J. Holzmann. The model checker spin. IEEE Transactions On Software Engineering, Special Issue on Formal Methods in Software Practice, 23(5):279-- 295, May 1997.
....be computed more efficiently by deriving a Büchi automaton from the negation of an LTL formula. Therefore, in the SPIN validation tool LTL formulae representing a desired property are first negated, and then translated into an equivalent Büchi automaton. In the parlance of the SPIN model checker [18] and its Promela input language this automaton is called a never claim, and we will adopt this terminology throughout this paper. As an example we consider the commonly used response property which states that, whenever a certain request event occurred, a response event will eventually follow. ....
....for safety properties, the search stacks will be used to construct the witness. In case a property violation is discovered, the first stack will contain the path into an accepting state, while the second stack will illustrate the cycle through the accepting state. 2.3 The Model Checker SPIN SPIN [18] is a model checking tool implementing the above discussed approach to automata based model checking. Its input language Promela permits the definition of concurrent processes, called proctypes in Promela parlance, as well as synchronous or asynchronous communication channels and a limited set of ....
G. J. Holzmann. The model checker Spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....a parallel version of the verifier Murφ. In their approach, the table of all reached states is partitioned over the nodes of the parallel machine, which allows the table to be larger than on a single node. The explicit state enumeration is then performed in parallel. For the model checker SPIN [Hol97], a similar approach towards distributed reachability analysis was proposed in [LS99]. This distributed version of SPIN uses different ways to partition the state space than Parallel Murφ. Yet another distributed reachability algorithm was proposed in [AAC87] but has not been implemented. Other ....
Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
....a parallel version of the verifier Murφ. In their approach, the table of all reached states is partitioned over the nodes of the parallel machine, which allows the table to be larger than on a single node. The explicit state enumeration is then performed in parallel. For the model checker SPIN [Hol97], a similar approach towards distributed reachability analysis was proposed in [LS99]. This distributed version of SPIN uses different ways to partition the state space than Parallel Murφ. Yet another distributed reachability algorithm was proposed in [AAC87] but has not been implemented. Other ....
Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
....negative cycles simply coincide with accepting cycles and the problem of Büchi automaton emptiness reduces to the negative cycle problem. The algorithm used in LTL model checkers is the very effective nested depth-first search (NDFS) algorithm [HPY96]. For instance, the SPIN verification tool [Hol97] uses this algorithm. In its distributed version the graph is divided over processors like in the DSP algorithm. Only one processor, namely the one owning the actual vertex in the NDFS search, is executing the nested search at a time. The network is in fact running the sequential algorithm with ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
....and verification of open systems [AHK97,KV99]. Many decision and synthesis problems have automata based solutions and no other solution for them is known [EJ88,PR89,KV00]. Automata based methods have been implemented in industrial automated verification tools (c.f. COSPAN [HHK96] and SPIN [Hol97,VB99]). The automata theoretic approach, however, has long been thought to be inapplicable for effective reasoning about infinite state systems. The reason, essentially, lies in the fact that the automata theoretic techniques involve constructions in which the state space of the system directly ....
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....of telecommunication protocols to reactive controllers to hardware designs. Originally, model checking was implemented by means of explicit state techniques, where single states of the FSM are analyzed and stored. One of the most notable examples of explicit state model checking is SPIN [17], that is very effective in the analysis of asynchronous systems. In general, for many application domains, the large amount of computational resources needed to analyze real size designs (the so called state explosion problem) may be a significant limitation. The introduction of Symbolic Model ....
G. J. Holzmann. The model checker Spin. IEEE Trans. on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
....cycles simply coincide with accepting cycles and the problem of Büchi automaton emptiness reduces to the negative cycle problem. The algorithm used in LTL model checkers is the very effective nested depth-first search (NDFS) algorithm [HPY96]. For instance, the SPIN verification tool [Hol97] uses this algorithm. In its distributed version the graph is divided over processors like in the DSP algorithm. Only one processor, namely the one owning the actual vertex in the NDFS search, is executing the nested search at a time. The network is in fact running the sequential algorithm with ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
No context found.
Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special Issue: Formal Methods in Software Practice.
No context found.
G. J. Holzmann. The model checker spin. IEEE Transactions on Software Engineering, Special Issue on Formal Methods in Software Practice, 23(5), May 1997.
No context found.
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....problem for Büchi automata is equivalent to the problem of finding a cycle that is reachable from the initial state and contains an accepting state. This problem can be effectively solved using the nested depth-first search (NDFS) algorithm [HPY96] incorporated in the SPIN verification tool [Hol97]. The practical limitation of this algorithm is the amount of randomly accessed memory which the algorithm requires. A very natural way to overcome the memory limitation is to distribute the given graph onto several processors (computers) and to perform a distributed computation. As ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
....progress in automated verification techniques for finite state systems. One such technique, called model checking [5, 6, 22, 20, 23], explores the state space of a finite state system and checks that a desired temporal property is satisfied. In recent years, model checkers like SMV [20] and SPIN [16] have been successful in some industrial level applications. Successes in finite state model checking have inspired researchers to develop model checking techniques for infinite-state systems (e.g. arithmetic programs that contain integer variables and parameters). However, for infinite state ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
.... This problem appears frequently when trying to apply model checking techniques to the verification of Java or C programs [11, 25, 8, 10, 5, 15]. Traditionally, LTL model checking is accomplished by first translating the LTL formula into a Büchi automaton [4] and then proving properties on them [13, 4]. Although in [25, 11] the authors discuss why such a solution is not ideal for the runtime verification on finite traces, this approach is nevertheless used by the JPaX runtime analysis tool [8]. Dealing with past tense operators gives us an advantage. The dynamic programming algorithm presented ....
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
....approach and a formula approach. In the automata approach one could translate the formula into an automaton, and then take the synchronized product of the automaton and the execution trace. This is for example how Büchi automata are used in explicit-state model checkers for representing formulae [14, 5]. A Büchi automaton is a special automaton which accepts infinite traces (words): certain states are designated as acceptance states, and an infinite trace is in the language of the automaton if it brings the automaton through an acceptance state infinitely often. A model checker can detect such in ....
....the formula. The naive suggestion would be to drive the automaton A by t until the end of the trace, and then observe whether the automaton is in an acceptance state or not. This will, however, generally not work. In experiments made using the LTL to Büchi automata translator in the SPIN system [14], such a trace may bring the automaton to a state that is not an acceptance state. Hence, one can generally not conclude anything from the resulting state. A potential solution would be to pretend that an infinite sequence of stuttering transitions is appended to the trace, where a stuttering ....
Gerard J. Holzmann. The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
....can one test whether t satisfies .... A potential solution would be to translate the formula into an automaton and then take the synchronized product of the automaton and the execution trace. This is for example how Büchi automata are used in explicit state model checkers for representing formulae [13, 6]. A Büchi automaton is a special automaton which accepts infinite traces (words): certain states are designated as acceptance states, and an infinite trace is in the language of the automaton if and only if it brings the automaton through an acceptance state infinitely often. A model checker can ....
....the formula. The naive suggestion would be to drive the automaton A by t until the end of the trace, and then observe whether the automaton is in an acceptance state or not. This will, however, generally not work. In experiments made using the LTL to Büchi automata translator in the SPIN system [13], such a trace may bring the automaton to a state that is not an acceptance state. Hence, one can generally not conclude anything from the resulting state. A potential solution would be to pretend that an infinite sequence of stuttering transitions is appended to the trace, where a stuttering ....
Gerard J. Holzmann. The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
....or shared variables. Typically, the communication structure offers asymmetries that can be exploited by means of introducing property preserving abstractions of sub components. Our specific motivation is a safety property preserving optimization of a model checking algorithm. Model checking [CE82, CK96, Hol97] is widely accepted as a useful technique for the formal verification of high level designs in hardware and communication protocols. Since it typically requires search in the global state space, much research aims at providing heuristics to make this step less time and space consuming. Consider ....
G.J. Holzmann. The model checker spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
....[28, 21]. Advances in reasoning about linked data structures [71, 51] might be a useful starting point for verification tools, although efficient manipulation of properties in verification tools results in different representation requirements than manual reasoning. A combination of model checking [47] and sound automatic model extraction [5] might be an appropriate implementation technique for verifying program properties, but the applicability of this approach for verifying heap invariants remains to be proven. Chapter 8 Conclusion We proposed two key ideas: aliasing relationships ....
G. J. Holzmann. The model checker spin. IEEE Trans. on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
Gerard J. Holzmann. The Model Checker Spin. IEEE Transactions on Software Engineering, Special issue on Formal Methods in Software Practice, Volume 23, Number 5, May 1997, 279-295.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-- 295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
Holzmann, G.J.: The model checker Spin. IEEE Trans. on Software Engineering 23(5): 279--295, May 1997. Special issue on Formal Methods in Software Practice
No context found.
Holzmann, G.J.: The Model Checker Spin. IEEE Trans. on Software Engineering 23 (1997) 279--295 Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-- 295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-- 295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. J. Holzmann. The model checker Spin. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
No context found.
Holzmann, G.J.: The model checker Spin. IEEE Transactions on Software Engineering, Special issue on Formal Methods in Software Practice, 23(5):279--295, May 1997
No context found.
G. J. Holzmann. The Model Checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. J. Holzmann. The model checker spin. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. Holzmann. The model checker spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special Issue: Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-- 295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279-- 295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.
No context found.
G. Holzmann. The Model Checker Spin. IEEE Trans. on Software Engineering, 23(5):279--295, May 1997. Special issue on Formal Methods in Software Practice.