Assumption generation for software component verification

Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. The typical approach to verifying properties of software components is to check them for all possible environments. In reality, however, a component is only required to satisfy properties in specific environments. Unless these environments are formally characterized and used during verification (assume-guarantee paradigm), the results returned by verification can be overly pessimistic. This work defines a framework that brings a new dimension to model checking of software components. When checking a component against a property, our model checking algorithms return one of the following three results: the component satisfies a property for any environment; the component violates the property for any environment; or finally, our algorithms generate an assumption that characterizes exactly those environments in which the component satisfies its required property. Our approach has been implemented in the LTSA tool and has been applied to the analysis of a NASA application.

[1]  Hasan Ural,et al.  Submodule construction from concurrent system specifications , 1999, Inf. Softw. Technol..

[2]  Stephan Merz,et al.  Model Checking , 2000 .

[3]  Gregor von Bochmann,et al.  On the Construction of Submodule Specifications and Communication Protocols , 1983, TOPL.

[4]  Dimitra Giannakopoulou,et al.  Behaviour Analysis of Software Architectures , 1999, WICSA.

[5]  Shing-Chi Cheung,et al.  Context constraints for compositional reachability analysis , 1996, TSEM.

[6]  S. Balemi,et al.  Supervisory control of a rapid thermal multiprocessor , 1993, IEEE Trans. Autom. Control..

[7]  Jeff Magee,et al.  Concurrency - state models and Java programs , 2006 .

[8]  Kim G. Larsen,et al.  Equation solving using modal transition systems , 1990, [1990] Proceedings. Fifth Annual IEEE Symposium on Logic in Computer Science.

[9]  Deepinder P. Sidhu,et al.  Constructing Submodule Specifications and Network Protocols , 1988, IEEE Trans. Software Eng..

[10]  Paola Inverardi,et al.  Connectors synthesis for deadlock-free component based architectures , 2001, Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001).

[11]  Jozef Hooman,et al.  Concurrency Verification: Introduction to Compositional and Noncompositional Methods , 2001, Cambridge Tracts in Theoretical Computer Science.

[12]  Laurent Mounier,et al.  Compositional State Space Generation from Lotos Programs , 1997, TACAS.

[13]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[14]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[15]  Joachim Parrow,et al.  Submodule Construction as Equation Solving in CCS , 1989, Theor. Comput. Sci..

[16]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[17]  Paola Inverardi,et al.  Static checking of system behaviors using derived component assumptions , 2000, TSEM.

[18]  Enrico Tronci Automatic synthesis of controllers from formal specifications , 1998, Proceedings Second International Conference on Formal Engineering Methods (Cat.No.98EX241).

[19]  M. W. Shields Implicit System Specification and the Interface Equation , 1989, Comput. J..

[20]  Stephen N. Freund,et al.  Thread-Modular Verification for Shared-Memory Programs , 2002, ESOP.

[21]  Grigore Rosu,et al.  Monitoring Java Programs with Java PathExplorer , 2001, RV@CAV.

[22]  Naranker Dulay,et al.  A constructive development environment for parallel and distributed programs , 1994, Proceedings of 2nd International Workshop on Configurable Distributed Systems.

[23]  Tiziano Villa,et al.  Model matching for finite-state machines , 2001, IEEE Trans. Autom. Control..

[24]  Thomas A. Henzinger,et al.  MOCHA: Modularity in Model Checking , 1998, CAV.

[25]  Robert K. Brayton,et al.  Supervisory Control of Finite State Machines , 1995, CAV.

[26]  Shing-Chi Cheung,et al.  Behaviour Analysis of Distributed Systems Using the Tracta Approach , 2004, Automated Software Engineering.

[27]  Shing-Chi Cheung,et al.  Checking safety properties using compositional reachability analysis , 1999, TSEM.

[28]  Kim G. Larsen,et al.  A modal process logic , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[29]  Thomas A. Henzinger,et al.  Interface Theories for Component-Based Design , 2001, EMSOFT.

[30]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[31]  Willem P. de Roever,et al.  The Need for Compositional Proof Systems: A Survey , 1997, COMPOS.

[32]  Martín Abadi,et al.  Composing Specifications , 1989, REX Workshop.

[33]  Naranker Dulay,et al.  Regis: a constructive development environment for distributed programs , 1994, Distributed Syst. Eng..

[34]  Michael Huth,et al.  Assume-Guarantee Model Checking of Software: A Comparative Case Study , 1999, SPIN.

[35]  Dimitra Giannakopoulou,et al.  Graphical animation of behavior models , 2000, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[36]  Robert K. Brayton,et al.  Engineering change in a non-deterministic FSM setting , 1996, 33rd Design Automation Conference Proceedings, 1996.

[37]  Ketil Stølen,et al.  A Method for the Development of Totally Correct Shared-State Parallel Programs , 1991, CONCUR.

[38]  Thomas A. Henzinger,et al.  Alternating-time temporal logic , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[39]  Thomas A. Henzinger,et al.  Interface automata , 2001, ESEC/FSE-9.