4 Citations (Scopus)

Abstract

Device firmware is a piece of concurrent software that achieves high performance at the cost of software complexity. They contain subtle race conditions that make them difficult to debug using traditional debugging techniques. The problem is further compounded by the lack of debugging support on the devices. This is a serious problem because the device firmware is trusted by the operating system. Model checkers are designed to systematically verify properties of concurrent systems. Therefore, model checking is a promising approach to debugging device firmware. However, model checking involves an exponential search. Consequently, the models have to be small to allow effective model checking. This paper describes the abstraction techniques used by the ESP compiler to extract abstract models from device firmware written in ESP. The abstract models are small because they discard some of the details in the firmware that is irrelevant to the particular property being verified. The programmer is required to specify the abstractions to be performed. The ESP compiler uses the abstraction specification to extract models conservatively. Therefore, every bug in the original program will be present in the extracted model. This paper also presents our experience with using Spin model checker to develop and debug VMMC firmware for the Myrinet network interfaces. An earlier version of the ESP compiler yielded models that were too large to check for system-wide properties like absence of deadlocks. The new version of the compiler generated abstract models that were used to identify several subtle bugs in the firmware. So far, we have not encountered any bugs that were not caught by Spin.

Original languageEnglish (US)
Pages (from-to)61-74
Number of pages14
JournalOperating Systems Review (ACM)
Volume36
Issue numberSpecial Issue
DOIs
StatePublished - Dec 31 2002
Event5th Symposium on Operating Systems Design and Implementation, OSDI 2002 - Boston, United States
Duration: Dec 9 2002Dec 11 2002

Fingerprint

Firmware
Model checking
Hazards and race conditions
Computer operating systems
Interfaces (computer)
Specifications

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Kumar, Sanjeev ; Li, Kai. / Using model checking to debug device Firmware. In: Operating Systems Review (ACM). 2002 ; Vol. 36, No. Special Issue. pp. 61-74.
@article{34592a2af55b4e48879537fbb2c5af72,
title = "Using model checking to debug device Firmware",
abstract = "Device firmware is a piece of concurrent software that achieves high performance at the cost of software complexity. They contain subtle race conditions that make them difficult to debug using traditional debugging techniques. The problem is further compounded by the lack of debugging support on the devices. This is a serious problem because the device firmware is trusted by the operating system. Model checkers are designed to systematically verify properties of concurrent systems. Therefore, model checking is a promising approach to debugging device firmware. However, model checking involves an exponential search. Consequently, the models have to be small to allow effective model checking. This paper describes the abstraction techniques used by the ESP compiler to extract abstract models from device firmware written in ESP. The abstract models are small because they discard some of the details in the firmware that is irrelevant to the particular property being verified. The programmer is required to specify the abstractions to be performed. The ESP compiler uses the abstraction specification to extract models conservatively. Therefore, every bug in the original program will be present in the extracted model. This paper also presents our experience with using Spin model checker to develop and debug VMMC firmware for the Myrinet network interfaces. An earlier version of the ESP compiler yielded models that were too large to check for system-wide properties like absence of deadlocks. The new version of the compiler generated abstract models that were used to identify several subtle bugs in the firmware. So far, we have not encountered any bugs that were not caught by Spin.",
author = "Sanjeev Kumar and Kai Li",
year = "2002",
month = "12",
day = "31",
doi = "https://doi.org/10.1145/844128.844135",
language = "English (US)",
volume = "36",
pages = "61--74",
journal = "Operating Systems Review (ACM)",
issn = "0163-5980",
publisher = "Association for Computing Machinery (ACM)",
number = "Special Issue",

}

Using model checking to debug device Firmware. / Kumar, Sanjeev; Li, Kai.

In: Operating Systems Review (ACM), Vol. 36, No. Special Issue, 31.12.2002, p. 61-74.

Research output: Contribution to journalConference article

TY - JOUR

T1 - Using model checking to debug device Firmware

AU - Kumar, Sanjeev

AU - Li, Kai

PY - 2002/12/31

Y1 - 2002/12/31

N2 - Device firmware is a piece of concurrent software that achieves high performance at the cost of software complexity. They contain subtle race conditions that make them difficult to debug using traditional debugging techniques. The problem is further compounded by the lack of debugging support on the devices. This is a serious problem because the device firmware is trusted by the operating system. Model checkers are designed to systematically verify properties of concurrent systems. Therefore, model checking is a promising approach to debugging device firmware. However, model checking involves an exponential search. Consequently, the models have to be small to allow effective model checking. This paper describes the abstraction techniques used by the ESP compiler to extract abstract models from device firmware written in ESP. The abstract models are small because they discard some of the details in the firmware that is irrelevant to the particular property being verified. The programmer is required to specify the abstractions to be performed. The ESP compiler uses the abstraction specification to extract models conservatively. Therefore, every bug in the original program will be present in the extracted model. This paper also presents our experience with using Spin model checker to develop and debug VMMC firmware for the Myrinet network interfaces. An earlier version of the ESP compiler yielded models that were too large to check for system-wide properties like absence of deadlocks. The new version of the compiler generated abstract models that were used to identify several subtle bugs in the firmware. So far, we have not encountered any bugs that were not caught by Spin.

AB - Device firmware is a piece of concurrent software that achieves high performance at the cost of software complexity. They contain subtle race conditions that make them difficult to debug using traditional debugging techniques. The problem is further compounded by the lack of debugging support on the devices. This is a serious problem because the device firmware is trusted by the operating system. Model checkers are designed to systematically verify properties of concurrent systems. Therefore, model checking is a promising approach to debugging device firmware. However, model checking involves an exponential search. Consequently, the models have to be small to allow effective model checking. This paper describes the abstraction techniques used by the ESP compiler to extract abstract models from device firmware written in ESP. The abstract models are small because they discard some of the details in the firmware that is irrelevant to the particular property being verified. The programmer is required to specify the abstractions to be performed. The ESP compiler uses the abstraction specification to extract models conservatively. Therefore, every bug in the original program will be present in the extracted model. This paper also presents our experience with using Spin model checker to develop and debug VMMC firmware for the Myrinet network interfaces. An earlier version of the ESP compiler yielded models that were too large to check for system-wide properties like absence of deadlocks. The new version of the compiler generated abstract models that were used to identify several subtle bugs in the firmware. So far, we have not encountered any bugs that were not caught by Spin.

UR - http://www.scopus.com/inward/record.url?scp=84978405260&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84978405260&partnerID=8YFLogxK

U2 - https://doi.org/10.1145/844128.844135

DO - https://doi.org/10.1145/844128.844135

M3 - Conference article

VL - 36

SP - 61

EP - 74

JO - Operating Systems Review (ACM)

JF - Operating Systems Review (ACM)

SN - 0163-5980

IS - Special Issue

ER -