Device firmware is a piece of concurrent software that achieves high performance at the cost of software complexity. They contain subtle race conditions that make them difficult to debug using traditional debugging techniques. The problem is further compounded by the lack of debugging support on the devices. This is a serious problem because the device firmware is trusted by the operating system.Model checkers are designed to systematically verify properties of concurrent systems. Therefore, model checking is a promising approach to debugging device firmware. However, model checking involves an exponential search. Consequently, the models have to be small to allow effective model checking.This paper describes the abstraction techniques used by the ESP compiler to extract abstract models from device firmware written in ESP. The abstract models are small because they discard some of the details in the firmware that is irrelevant to the particular property being verified. The programmer is required to specify the abstractions to be performed. The ESP compiler uses the abstraction specification to extract models conservatively. Therefore, every bug in the original program will be present in the extracted model.This paper also presents our experience with using Spin model checker to develop and debug VMMC firmware for the Myrinet network interfaces. An earlier version of the ESP compiler yielded models that were too large to check for system-wide properties like absence of deadlocks. The new version of the compiler generated abstract models that were used to identify several subtle bugs in the firmware. So far, we have not encountered any bugs that were not caught by Spin.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Thomas Ball , Rupak Majumdar , Todd Millstein , Sriram K. Rajamani, Automatic predicate abstraction of C programs, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.203-213, June 2001, Snowbird, Utah, United States
	2	Thomas Ball , Sriram K. Rajamani, Bebop: A Symbolic Model Checker for Boolean Programs, Proceedings of the 7th International SPIN Workshop on SPIN Model Checking and Software Verification, p.113-130, August 30-September 01, 2000
	3	A. Basu, T. von Eicken, and G. Morrisett. Promela++: A Language for Correct and Efficient Protocol Construction. In Infocom, 1998.
	4	Gérard Berry , Georges Gonthier, The ESTEREL synchronous programming language: design, semantics, implementation, Science of Computer Programming, v.19 n.2, p.87-152, Nov. 1992  [doi>10.1016/0167-6423(92)90005-V]
	5	M. A. Blumrich , K. Li , R. Alpert , C. Dubnicki , E. W. Felten , J. Sandberg, Virtual memory mapped network interface for the SHRIMP multicomputer, Proceedings of the 21ST annual international symposium on Computer architecture, p.142-153, April 18-21, 1994, Chicago, Illinois, United States
	6	Walid Dabbous , Sean O'Malley , Claude Castelluccia, Generating efficient protocol code from an abstract specification, Conference proceedings on Applications, technologies, architectures, and protocols for computer communications, p.60-72, August 28-30, 1996, Palo Alto, California, United States
	7	Thierry Cattel, Modelization and verification of a multiprocessor realtime OS kernel, Proceedings of the 7th IFIP WG6.1 International Conference on Formal Description Techniques VII, p.55-70, January 1995
	8	Satish Chandra , Brad Richards , James R. Larus, Teapot: language support for writing memory coherence protocols, Proceedings of the ACM SIGPLAN 1996 conference on Programming language design and implementation, p.237-248, May 21-24, 1996, Philadelphia, Pennsylvania, United States
	9	Andy Chou , Benjamin Chelf , Dawson Engler , Mark Heinrich, Using meta-level compilation to check FLASH protocol code, Proceedings of the ninth international conference on Architectural support for programming languages and operating systems, p.59-70, November 2000, Cambridge, Massachusetts, United States
	10	Christopher Colby , Patrice Godefroid , Lalita Jategaonkar Jagadeesan, Automatically closing open reactive programs, Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, p.345-357, June 17-19, 1998, Montreal, Quebec, Canada
	11	James C. Corbett , Matthew B. Dwyer , John Hatcliff , Shawn Laubach , Corina S. Păsăreanu , Robby , Hongjun Zheng, Bandera: extracting finite-state models from Java source code, Proceedings of the 22nd international conference on Software engineering, p.439-448, June 04-11, 2000, Limerick, Ireland  [doi>10.1145/337180.337234]
	12	Robert DeLine , Manuel Fähndrich, Enforcing high-level protocols in low-level software, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.59-69, June 2001, Snowbird, Utah, United States
	13	David L. Dill , Andreas J. Drexler , Alan J. Hu , C. Han Yang, Protocol Verification as a Hardware Design Aid, Proceedings of the 1991 IEEE International Conference on Computer Design on VLSI in Computer & Processors, p.522-525, October 11-14, 1992
	14	C. Dubnicki, A. Bilas, Y. Chen, S. Damianakis, and K. Li. VMMC-2: Efficient Support for Reliable, Connection-Oriented Communication. In Hot Interconnects, 1997.
	15	G. Duval and J. Julliand. Modeling and verification of the RUBIS μ-Kernel with Spin. In International Spin Workshop, 1995.
	16	D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions. In Operating Systems Design and Implementation, 2000.
	17	Patrice Godefroid, Model checking for programming languages using VeriSoft, Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.174-186, January 15-17, 1997, Paris, France  [doi>10.1145/263699.263717]
	18	K. Havelund and T. Pressburger. Model checking Java programs using Java PathFinder. In International Journal on Software Tools for Technology Transfer, 1999.
	19	C. A. R. Hoare, Communicating sequential processes, Communications of the ACM, v.21 n.8, p.666-677, Aug. 1978  [doi>10.1145/359576.359585]
	20	Gerard J. Holzmann , Doron Peled, An improvement in formal verification, Proceedings of the 7th IFIP WG6.1 International Conference on Formal Description Techniques VII, p.197-211, January 1995
	21	Gerard J. Holzmann, The Model Checker SPIN, IEEE Transactions on Software Engineering, v.23 n.5, p.279-295, May 1997  [doi>10.1109/32.588521]
	22	Gerard J. Holzmann , Margaret H. Smith, A practical method for verifying event-driven software, Proceedings of the 21st international conference on Software engineering, p.597-607, May 16-22, 1999, Los Angeles, California, United States  [doi>10.1145/302405.302710]
	23	Sanjeev Kumar , Kai Li, Dynamic memory management for programmable devices, Proceedings of the 3rd international symposium on Memory management, June 20-21, 2002, Berlin, Germany
	24	S. Kumar and K. Li. Performance Impact of Using ESP to Implement VMMC Firmware. In Workshop on Novel Uses of System Area Networks (SAN-1), 2002.
	25	Sanjeev Kumar , Yitzhak Mandelbaum , Xiang Yu , Kai Li, ESP: a language for programmable devices, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.309-320, June 2001, Snowbird, Utah, United States
	26	David Lie , Andy Chou , Dawson Engler , David L. Dill, A simple method for extracting models for protocol code, Proceedings of the 28th annual international symposium on Computer architecture, p.192-203, June 30-July 04, 2001, Göteborg, Sweden
	27	R. Pike, D. Pressoto, K. Thompson, and G. Holzmann. Process sleep and wakeup on shared-memory multiprocessors. In EurOpen Conference, 1991.
	28	Stefan Savage , Michael Burrows , Greg Nelson , Patrick Sobalvarro , Thomas Anderson, Eraser: a dynamic data race detector for multithreaded programs, ACM Transactions on Computer Systems (TOCS), v.15 n.4, p.391-411, Nov. 1997  [doi>10.1145/265924.265927]
	29	F. Tip. A Survey of Program Slicing Techniques. Journal of Programming Languages, 3:121--189, 1995.
	30	P. Tullmann , J. Turner , J. McCorquodale , J. Lepreau , A. Chitturi , G. Back, Formal Methods: A Practical Tool for OS Implementors, Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), p.20, May 05-06, 1997
	31	M. Weiser. Program slicing. IEEE Transactions on Software Engineering, 10:352--357, 1984.