Theo C. Ruys

The bounded retransmission protocol must be on time

This paper concerns the transfer of files via a lossy communication channel. It formally specifies this file transfer service in a property-oriented way and investigates—using two different techniques—whether a given bounded retransmission protocol conforms to this service. This protocol is based on the well-known alternating bit protocol but allows for a bounded number of retransmissions of a chunk, i.e., part of a file, only. So, eventual delivery is not guaranteed and the protocol may abort the file transfer. We investigate to what extent real-time aspects are important to guarantee the protocols correctness and use Spin and Uppaal model checking for our purpose. Supported by the NWO/SION project 612-33-006.

Optimal scheduling using branch and bound with SPIN 4.0

The use of model checkers to solve discrete optimisation problems is appealing. A model checker can first be used to verify that the model of the problem is correct. Subsequently, the same model can be used to find an optimal solution for the problem. This paper describes how to apply the new Promela primitives of SPIN 4.0t o search effectively for the optimal solution. We show how Branch-and-Bound techniques can be added to the LTL property that is used to find the solution. The LTL property is dynamically changed during the verification. We also show how the syntactical reordering of statements and/or processes in the Promela model can improve the search even further. The techniques are illustrated using two running examples: the Travelling Salesman Problem and a job-shop scheduling problem.

Experience with Literate Programming in the Modelling and Validation of Systems

This paper discusses our experience with literate programming tools in the realm of the modelling and validation of systems. We propose the use of literate programming techniques to structure and control the validation trajectory. The use of literate programming is illustrated by means of a running example using Promela and Spin. The paper can also be read as a tutorial on the application of literate programming to formal methods.

Advanced SPIN Tutorial

Spin [9] is a model checker for the verification of distributed systems software. The tool is freely distributed, and often described as one of the most widely used verification systems. The Advanced Spin Tutorial is a sequel to [7] and is targeted towards intermediate to advanced Spin users.

Low-Fat Recipes for SPIN

Since the introduction of the first version of the model checker Spin in 1991, many papers have been written on improvements to the tool and on industrial applications of the tool. Less attention has been given to the pragmatic use of Spin. This paper presents several techniques to optimise both the modelling and verification activities when using Spin.

MoonWalker: Verification of .NET Programs

MoonWalker is a software model checker for cil bytecode programs, which is able to detect deadlocks and assertion violations in cil assemblies, better known as Microsoft .NET programs. The design of MoonWalker is inspired by the Java PathFinder ( jpf ), a model checker for Java programs. The performance of MoonWalker is on par with jpf . This paper presents the new version of MoonWalker and discusses its most important features.

MMC: the Mono Model Checker

The Mono Model Checker (mmc) is a software model checker for cil bytecode programs. mmc has been developed on the Mono platform. mmc is able to detect deadlocks and assertion violations in cil programs. The design of mmc is inspired by the Java PathFinder (jpf), a model checker for Java programs. The performance of mmc is comparable to jpf. This paper introduces mmc and presents its main architectural characteristics.

Managing the Verification Trajectory

Abstract.In this paper we take a closer look at the automated analysis of designs, in particular of verification by model checking. Model checking tools are increasingly being used for the verification of real-life systems in an industrial context. In addition to ongoing research aimed at curbing the complexity of dealing with the inherent state space explosion problem – which allows us to apply these techniques to ever larger systems – attention must now also be paid to the methodology of model checking, to decide how to use these techniques to their best advantage. Model checking “in the large” causes a substantial proliferation of interrelated models and model checking sessions that must be carefully managed in order to control the overall verification process. We show that in order to do this well both notational and tool support are required. We discuss the use of software configuration management techniques and tools to manage and control the verification trajectory. We present Xspin/Project, an extension to Xspin, which automatically controls and manages the validation trajectory when using the model checker Spin.

First Passage Time Analysis of Stochastic Process Algebra Using Partial Orders

This paper proposes a partial-order semantics for a stochastic process algebra that supports general (non-memoryless) distributions and combines this with an approach to numerically analyse the first passage time of an event. Based on an adaptation of McMillans complete finite prefix approach tailored to event structures and process algebra, finite representations are obtained for recursive processes. The behaviour between two events is now captured by a partial order that is mapped on a stochastic task graph, a structure amenable to numerical analysis. Our approach is supported by the (new) tool FOREST for generating the complete prefix and the (existing) tool PEPP for analysing the generated task graph. As a case study, the delay of the first resolution in the root contention phase of the IEEE 1394 serial bus protocol is analysed.

Effective bug hunting with spin and modex

This tutorial consists of two parts. In the first part we present an advanced overview of Spin [1][4], and illustrate its practical application to logic model checking problems. In the second part of the tutorial we present an overview of a related tool called Modex [2,3]. Modex can be used to extract Spin verification models directly from C source code. It supports the definition of user-defined abstractions, and cleverly exploits the capability in Spin version 4 to include embedded C code inside abstract verification models. We will show how to use Spin and Modex, separately and combined, in an effective way when searching for design errors in distributed software applications. Both Spin and Modex are written in ANSI-C and can freely be used on research projects.