Model checking large software specifications

In this paper we present our results and experiences of using symbolic model checking to study the specification of an aircraft collision avoidance system. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in the question of whether or not model checking techniques can be applied to large software specifications. To investigate this, we translated a portion of the finite-state requirements specification of TCAS II (Traffic Alert and Collision Avoidance System) into a form accepted by a model checker (SMV). We successfully used the model checker to investigate a number of dynamic properties of the system. We report on our experiences, describing our approach to translating the specification into the SMV language and our methods for achieving acceptable performance in model checking, and giving a summary of the properties that we were able to check. We consider the paper a data point that provides reason for optimism about the potential for successful application of model checking to software systems. In addition, our experiences provide a basis for characterizing features that would be especially suitable for model checkers built specifically for analyzing software systems. The intent of this paper is to evaluate symbolic model checking of state-machine based specifications, not to evaluate the TCAS II specification. We used a preliminary version of the specification, version 6.00, dated March 1993, in our study. We did not have access to later versions, so we do not know whether the properties identified here are present in later versions.
