Abstract:
The i-protocol, an optimized sliding-window protocol for GNU UUCP, came to our attention two years ago when we used the Concurrency Factory's local model checker to detect, locate, and correct a non-trivial livelock in version~1.04 of the protocol. Since then, we have repeated this verification effort with five widely used model checkers, namely, \cospan, \murphi, SMV, \spin, and XMC. It is our contention that the i-protocol makes for a particularly compelling case study in protocol verification and for a formidable benchmark of verification-tool performance, for the following reasons: 1) The i-protocol can be used to gauge a tool's ability to detect and diagnose livelock errors. 2) The size of the i-protocol's state space grows exponentially in the window size, and the entirety of this state space must be searched to verify that the protocol, with the livelock error eliminated, is deadlock- or livelock-free. 3) The i-protocol is an asynchronous, low-level software system equipped with a number of optimizations aimed at minimizing control-message and retransmission overhead. It lacks the regular structure that is often present in hardware designs. In this sense, it provides any verification tool with a vigorous test of its analysis capabilities.
Bibtex Entry:
@inproceedings{DDR+:TACAS99, author = {Yifei Dong and Xiaoqun Du and Y. S. Ramakrishna and C. R. Ramakrishnan and I. V. Ramakrishnan and Scott A. Smolka and Oleg Sokolsky and Eugene W. Stark and David S. Warren}, title = {Fighting Livelock in the i-Protocol: A Comparative Study of Verification Tools}, booktitle = {Fifth International Conference on Tools and Algorithms for the Construction and Analysis of Systems ({TACAS})}, address = {Amsterdam, The Netherlands}, month = {March}, series = {Lecture Notes in Computer Science}, volume = {1579}, publisher = {Springer}, pages = {74--88}, year = {1999} }
| Full Paper: | [pdf] |
C. R. Ramakrishnan
(cram@cs.sunysb.edu)