|
 ABSTRACT
Many system errors do not emerge unless some intricate sequence of events occurs. In practice, this means that most systems have errors that only trigger after days or weeks of execution. Model checking [4] is an effective way to find such subtle errors. It takes a simplified description of the code and exhaustively tests it on all inputs, using techniques to explore vast state spaces efficiently. Unfortunately, while model checking systems code would be wonderful, it is almost never done in practice: building models is just too hard. It can take significantly more time to write a model than it did to write the code. Furthermore, by checking an abstraction of the code rather than the code itself, it is easy to miss errors.The paper's first contribution is a new model checker, CMC, which checks C and C++ implementations directly, eliminating the need for a separate abstract description of the system behavior. This has two major advantages: it reduces the effort to use model checking, and it reduces missed errors as well as time-wasting false error reports resulting from inconsistencies between the abstract description and the actual implementation. In addition, changes in the implementation can be checked immediately without updating a high-level description.The paper's second contribution is demonstrating that CMC works well on real code by applying it to three implementations of the Ad-hoc On-demand Distance Vector (AODV) networking protocol [7]. We found 34 distinct errors (roughly one bug per 328 lines of code), including a bug in the AODV specification itself. Given our experience building systems, it appears that the approach will work well in other contexts, and especially well for other networking protocols.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
 |
1
|
Thomas Ball , Rupak Majumdar , Todd Millstein , Sriram K. Rajamani, Automatic predicate abstraction of C programs, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.203-213, June 2001, Snowbird, Utah, United States
|
| |
2
|
K. Bhargavan, D. Obradovic, and C. Gunter. Formal verification of standards for distance vector routing protocols, 1999.
|
| |
3
|
|
| |
4
|
|
| |
5
|
James C. Corbett , Matthew B. Dwyer , John Hatcliff , Shawn Laubach , Corina S. Păsăreanu , Robby , Hongjun Zheng, Bandera: extracting finite-state models from Java source code, Proceedings of the 22nd international conference on Software engineering, p.439-448, June 04-11, 2000, Limerick, Ireland
[doi> 10.1145/337180.337234]
|
| |
6
|
Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conference, pages 63--78, San Antonio, Texas, jan 1998.
|
| |
7
|
C. Perkins, E. Royer, and S. Das. Ad Hoc On Demand Distance Vector (AODV) Routing. IETF Draft, http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-10.txt, January 2002.
|
| |
8
|
|
| |
9
|
David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. Extended static checking, 1998.
|
| |
10
|
|
| |
11
|
D. R. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Fourth Symposium on Operating Systems Design and Implementation, October 2000.
|
| |
12
|
Erik Nordstrom et al. Ad hoc protocol evaluation testbed. http://apetestbed.sourceforge.net/.
|
| |
13
|
Erik Nordstrom et al. AODV-UU Implementation. http://user.it.uu.se/ henrikl/aodv/.
|
| |
14
|
David Evans , John Guttag , James Horning , Yang Meng Tan, LCLint: a tool for using specifications to check code, Proceedings of the 2nd ACM SIGSOFT symposium on Foundations of software engineering, p.87-96, December 06-09, 1994, New Orleans, Louisiana, United States
|
| |
15
|
|
| |
16
|
J. Hajek. Automatically verified data transfer protocols. In Proceedings of the 4th ICCC, pages 749--756, 1978.
|
| |
17
|
|
| |
18
|
|
| |
19
|
|
| |
20
|
Luke Klein-Berndt and et. al. Kernel AODV Implementation. http://w3.antd.nist.gov/wctg/aodv_kernel/.
|
| |
21
|
F. Lilieblad and et. al. Mad-hoc AODV Implementation. http://mad-hoc.flyinglinux.net/.
|
| |
22
|
S. McCanne and S. Floyd. UCB/LBNL/VINT network simulator - ns (version 2), April 1999. http://www.isi.edu/nsnam/ns/.
|
| |
23
|
K. L. McMillan and J. Schwalbe. Formal verification of the gigamax cache consistency protocol. In Proceedings of the International Symposium on Shared Memory Multiprocessing, pages 242--51. Tokyo, Japan Inf. Process. Soc., 1991.
|
| |
24
|
G. Nelson. Techniques for program verification. Available as Xerox PARC Research Report CSL-81--10, June, 1981, Stanford University, 1981.
|
| |
25
|
|
| |
26
|
Charles E. Perkins, Elizabeth M. Royer, and Samir R. Das. Private Email Communication.
|
| |
27
|
Rational Software. Purify: Advanced runtime error checking for C/C++ developers. http://www.rational.com/products/purify_unix/.
|
| |
28
|
Ulrich Stern , David L. Dill, A new scheme for memory-efficient probabilistic verification, IFIP TC6/ 6.1 international conference on formal description techniques IX/protocol specification, testing and verification XVI on Formal description techniques IX : theory, application and tools: theory, application and tools, p.333-348, January 1996, Kaiserslautern, Germany
|
| |
29
|
|
| |
30
|
C. H. West. General technique for communications protocol validation. IBM Journal of Research and Development, 22(4), 1978.
|
CITED BY 43
|
|
Bruno Blanchet , Patrick Cousot , Radhia Cousot , Jérome Feret , Laurent Mauborgne , Antoine Miné , David Monniaux , Xavier Rival, A static analyzer for large safety-critical software, ACM SIGPLAN Notices, v.38 n.5, May 2003
|
|
|
|
|
|
Jian Yin , Jean-Philippe Martin , Arun Venkataramani , Lorenzo Alvisi , Mike Dahlin, Separating agreement from execution for byzantine fault tolerant services, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
P. de la Cámara , M. M. Gallardo , P. Merino , D. Sanán, Model checking software with well-defined APIs: the socket case, Proceedings of the 10th international workshop on Formal methods for industrial critical systems, p.17-26, September 05-06, 2005, Lisbon, Portugal
|
|
|
|
|
|
Margaret DeLap , Björn Knutsson , Honghui Lu , Oleg Sokolsky , Usa Sammapun , Insup Lee , Christos Tsarouchis, Is runtime verification applicable to cheat detection?, Proceedings of 3rd ACM SIGCOMM workshop on Network and system support for games, August 30-30, 2004, Portland, Oregon, USA
|
|
|
|
|
|
|
|
|
R. Shetty , M. Kharbutli , Y. Solihin , M. Prvulovic, HeapMon: a helper-thread approach to programmable, automatic, and low-overhead memory bug detection, IBM Journal of Research and Development, v.50 n.2/3, p.261-275, March 2006
|
|
|
David Brumley , Juan Caballero , Zhenkai Liang , James Newsome , Dawn Song, Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
|
|
|
Haryadi S. Gunawi , Cindy Rubio-González , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dussea , Ben Liblit, EIO: error handling is occasionally correct, Proceedings of the 6th USENIX Conference on File and Storage Technologies, p.1-16, February 26-29, 2008, San Jose, California
|
|
|
Pin Zhou , Wei Liu , Long Fei , Shan Lu , Feng Qin , Yuanyuan Zhou , Samuel Midkiff , Josep Torrellas, AccMon: Automatically Detecting Memory-Related Bugs via Program Counter-Based Invariants, Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture, p.269-280, December 04-08, 2004, Portland, Oregon
|
|
|
David Currie , Xiushan Feng , Masahiro Fujita , Alan J. Hu , Mark Kwan , Sreeranga Rajan, Embedded software verification using symbolic execution and uninterpreted functions, International Journal of Parallel Programming, v.34 n.1, p.61-91, Febraury 2006
|
|
|
|
|
|
|
|
|
Greta Yorsh , Thomas Ball , Mooly Sagiv, Testing, abstraction, theorem proving: better together!, Proceedings of the 2006 international symposium on Software testing and analysis, July 17-20, 2006, Portland, Maine, USA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Junfeng Yang , Tisheng Chen , Ming Wu , Zhilei Xu , Xuezheng Liu , Haoxiang Lin , Mao Yang , Fan Long , Lintao Zhang , Lidong Zhou, MODIST: transparent model checking of unmodified distributed systems, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.213-228, April 22-24, 2009, Boston, Massachusetts
|
|
|
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
