G. J. Holzmann and M. H. Smith. A Practical Method for the Verification of Event Driven Systems. In Proc. Int. Conf. on Software Engineering, ICSE99, pages 597-608, 1999.
....exploratory phase of a verification effort, to study problem variants with possibly lower complexity than the full problem that is to be solved. We next discuss three main types of abstraction methods in more detail below: program and model slicing, predicate abstraction, and tabled abstraction [HS99a, HS99b].

5. Program and model slicing

As an example we will consider a simple word-count program, written in Promela, the input language of the Spin model checker. The program receives characters, encoded as integers, over the channel stdin, and simply counts the number of newlines, characters, ....
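The word-count program described above, written out as an added Promela example; this is not the cited paper's own code. Only the channel name stdin and the idea of counting newlines, words and characters come from the text. The input string, the end-of-input marker -1, the process names and the assertion on the newline count are assumptions made here. Comments mark the statements that a slice with respect to that assertion would remove, which is the point of the slicing method: a property that mentions only nl does not depend on the nw, nc or inword updates, so they can be dropped from the model before verification.

```promela
/* Added example, not from the cited paper.  Word-count model used to
 * illustrate model slicing.  The input string, the EOF marker -1 and
 * the assertion on nl are assumptions made for this illustration. */

#define EOF  -1      /* assumed end-of-input marker */
#define NL   10      /* '\n' */
#define SP   32      /* ' '  */

chan stdin = [0] of { int };   /* characters arrive as integers (from the text) */

int nl, nw, nc;                /* newline, word and character counts */

/* Environment process: feeds a constructed input, then EOF.
 * Input "ab cd\nef\n": 2 newlines, 3 words, 9 characters. */
active proctype Source()
{
	stdin!97; stdin!98; stdin!SP; stdin!99; stdin!100; stdin!NL;
	stdin!101; stdin!102; stdin!NL;
	stdin!EOF
}

active proctype WordCount()
{
	int c;
	bool inword = false;

	do
	:: stdin?c ->
		if
		:: c == EOF -> break
		:: else
		fi;
		nc++;                              /* dropped by a slice on nl */
		if
		:: c == NL -> nl++; inword = false /* inword assignment dropped by a slice on nl */
		:: c == SP -> inword = false       /* dropped by a slice on nl */
		:: else ->
			if
			:: !inword -> inword = true; nw++  /* dropped by a slice on nl */
			:: else
			fi
		fi
	od;

	/* The property the slice is computed for: it mentions only nl. */
	assert(nl == 2);
	printf("nl=%d nw=%d nc=%d\n", nl, nw, nc)
}
```

Verify with `spin -a wc.pml && gcc -o pan pan.c && ./pan`; `spin -A wc.pml` asks Spin itself to report statements and variables that are redundant with respect to the assertions in the model, which for this model are exactly the nc, nw and inword updates marked above.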
....for introducing abbreviations uses the Substitute rule that was shown earlier. Substitute rules take effect only on mappings of type keep, and they are applied in the order in which they are defined in the abstraction table.

6.5. Example

The tabled abstraction method was first described in [HS99a, HS99b] and used at Bell Labs to prove the correctness of the call processing software for a new commercial switching system. We'll illustrate the use of the tabled abstraction method here with a much smaller example: an implementation in ANSI C [KR88] of the well known alternating bit protocol ....
G.J. Holzmann, and M.H. Smith, A practical method for the verification of event driven systems. Proc. Int. Conf. on Software Engineering, Los Angeles, May 1999, pp. 597-608.
....is itself no longer used, it inspired a number of other verification tools, several being sold commercially today. An early prototype of a model extractor for C code was constructed in August 1998, to support the direct verification of a commercial call processing application, as documented in [15]. The call processing software is written in ANSI C, annotated with special markers to identify the main control states. We wrote a parser for this application, and used it to mechanically extract SPIN models from the code. These models were then checked against a library of generic call ....
....generalized the model extraction method by removing the reliance on the special annotation for control states. The new model extractor was embedded into a publicly available parser for programs written in full ANSI-standard C [5]. By doing so we could replace two programs (named Pry and Catch [15]) with a single one (AX). The revision took approximately one month, and produced a fully general model checking environment for programs written in C, without making any assumptions about the specifics of the code and, importantly, without ....

Footnote 1: Online references for SPIN can be ....
G.J. Holzmann, and M.H. Smith, A practical method for the verification of event driven systems. Proc. Int. Conf. on Software Engineering, ICSE99, Los Angeles, pp. 597-608, May 1999.
....by concerns other than the on-time delivery of efficient and functional code. We now turn the verification problem upside down: instead of deriving the implementation from a high level abstraction using refinement, we derive the high level model from the implementation, using abstraction [1,4,9]. We will review a model extraction technique for distributed software applications written in the programming language C that works in this way. The model extractor acts as a preprocessor for the model checker Spin [8]. If time permits, we will also discuss some recent results with the ....
Holzmann, G.J., and Smith, M.H, A practical method for the verification of event driven systems. Proc. Int. Conf. on Software Engineering, Los Angeles, May 1999, pp. 597-608.
.... instance, it means that under the abstractions that we make we cannot check that a device driver administers dialtone correctly when given the appropriate command by the controller, but we can check that the controller can only issue the appropriate commands when required, and cannot fail to do so [HS99]. In the PathStar code the function of the controller is specified in a large routine that defines the central state machine for all basic call processing and feature behavior. This routine, roughly 1,600 lines of C source, is executed concurrently by a varying number of processes, jointly ....
....on behavior. Typically, a week's worth of upgrades of the call processing code translates into ten minutes of work on a revision of the conversion table before a fully mechanized verification of all properties can be repeated. More detail on the definition of conversion tables can be found in [HS99].

Assumptions about the Environment

The call processing code in PathStar interacts with a number of entities in its environment: subscribers, remote switches, database servers, and the like. The task of constructing precisely detailed behavior definitions for each of these entities would be both ....
Holzmann, G.J., and Smith, M.H, A practical method for the verification of event driven systems. Proc. Int. Conf. on Software Engineering, ICSE99, Los Angeles, pp. 597-608, May 1999.
....of several years. The call processing software, one of many software modules in PathStar, was developed over a period of approximately nine months by Phil Winterbottom and Ken Thompson. The call processing software was verified with the methodology that we have outlined here, and detailed in [HS99]. This application is, as far as known to us, the first use of software model checking in a commercial product development at this scale. The call processing code for PathStar was designed to adhere to the recommendations on call processing and feature processing published and maintained by ....
....call screening, call forwarding, three way calling, etc. The more standard software modules with sequential code, e.g. defining the specifics of device drivers, switch administration, and operating systems interfaces, are tested separately, without use of model checking techniques. As detailed in [HS99], the control logic for the PathStar system is written in C, in a format devised by Ken Thompson to simplify the definition of the underlying state machine. The code defines the conventional transition tuples of source state, guard condition, actions, and destination state. From this code we ....
Holzmann, G.J., and Smith, M.H, A practical method for the verification of event driven systems, Proc. Int. Conf. on Software Engineering, ICSE99, Los Angeles, May 1999.
G. J. Holzmann and M. H. Smith. A Practical Method for the Verification of Event Driven Systems. In Proc. Int. Conf. on Software Engineering, ICSE99, pages 597-608, 1999.