A Case Study in Domain-customized Model Checking for Real-time Component Software

Despite a decade of intensive research on general techniques for reducing the complexity of model checking, scalability remains the chief obstacle to its widespread adoption. Past experience has shown that domain-specific information can often be leveraged to obtain state-space reductions that go beyond general-purpose reductions by customizing existing model checker implementations or by building new model-checking engines dedicated to a particular domain. Unfortunately, these strategies limit the dissemination of model checking across a number of domains, since it is often infeasible for domain experts to build their own dedicated model checkers or to modify existing model checking engines. To enable researchers to more easily tailor a model checking engine to a particular software-related domain, we have constructed an extensible, highly modular, explicit-state software model checking framework called Bogor. In this paper, we describe our experience in customizing Bogor to check design models of avionics systems built using real-time CORBA component-based middleware. This includes modeling the semantics of a real-time CORBA event channel as a Bogor abstract data type, implementing a customized distributed state-space exploration algorithm that leverages the quasi-cyclic nature of periodic real-time computation, and encapsulating the Bogor checking engine in a robust, full-featured development environment called Cadena that we have built for designing, analyzing, synthesizing, and implementing systems using the CORBA Component Model.
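The abstract names a state-space exploration that exploits the quasi-cyclic structure of periodic computation but does not show it. The following Python is an added illustration written for this page; it is not Bogor or Cadena code, and it is one simplified reading of the idea rather than the paper's algorithm. It assumes a constructed toy model: two components A and B fed by a single event channel, a timer that queues one tick per component at the start of each period, and a "quasi-cyclic point" defined as the state in which the queue has drained. A full explicit-state search stores every reachable state; the quasi-cyclic search stores only period-boundary states permanently and throws away the intra-period states once a period has been exhaustively explored, while checking the same invariant on every state.

```python
"""Added illustration of quasi-cyclic state-space exploration (not Bogor/Cadena code).

Constructed model (an assumption for this example): a state is (queue, locals),
where queue is a sorted tuple (multiset) of pending event names and
locals = (a, b) are the components' counters. Each period is opened by the timer
and closes when the queue drains; that drained state is the quasi-cyclic point.
"""
from dataclasses import dataclass

INITIAL_LOCALS = (0, 0)


def period_start(locals_):
    """Timer fires: one tick event per component is queued on the channel."""
    return (("tick_a", "tick_b"), locals_)


def is_boundary(state):
    """Quasi-cyclic point: no events pending, all components idle."""
    return len(state[0]) == 0


def successors(state):
    """Nondeterministically deliver any pending event to its consumer."""
    queue, (a, b) = state
    out = []
    for i, ev in enumerate(queue):
        rest = queue[:i] + queue[i + 1:]
        if ev == "tick_a":
            na = (a + 1) % 4
            out.append((tuple(sorted(rest + ("data",))), (na, b)))  # A emits data to B
            out.append((rest, (na, b)))                             # or stays silent
        elif ev == "tick_b":
            out.append((rest, (a, (b + 1) % 3)))
        elif ev == "data":
            out.append((rest, (a, (b + a) % 3)))
    return out


def invariant(state):
    """Safety property checked on every visited state: at most one data event in flight."""
    return state[0].count("data") <= 1


@dataclass
class Result:
    boundary: frozenset   # locals observed at quasi-cyclic points
    stored_peak: int      # states held in the visited set at once
    property_ok: bool


def explore_full():
    """Conventional search: every reachable state goes into one visited set."""
    init = ((), INITIAL_LOCALS)
    seen, stack, boundary, ok = {init}, [init], set(), True
    while stack:
        s = stack.pop()
        ok = ok and invariant(s)
        if is_boundary(s):
            boundary.add(s[1])
            nxt = [period_start(s[1])]
        else:
            nxt = successors(s)
        for t in nxt:
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return Result(frozenset(boundary), len(seen), ok)


def explore_quasi_cyclic():
    """Quasi-cyclic search: only boundary states persist; intra-period states are
    kept in a per-period set that is dropped once the period is exhausted."""
    boundary, work, peak, ok = {INITIAL_LOCALS}, [INITIAL_LOCALS], 1, True
    while work:
        start = period_start(work.pop())
        local_seen, stack = {start}, [start]
        while stack:
            s = stack.pop()
            ok = ok and invariant(s)
            for t in successors(s):
                if is_boundary(t):
                    ok = ok and invariant(t)
                    if t[1] not in boundary:
                        boundary.add(t[1])
                        work.append(t[1])
                elif t not in local_seen:
                    local_seen.add(t)
                    stack.append(t)
        peak = max(peak, len(boundary) + len(local_seen))
    return Result(frozenset(boundary), peak, ok)


if __name__ == "__main__":
    full, qc = explore_full(), explore_quasi_cyclic()
    print("full search stored", full.stored_peak, "states; quasi-cyclic peak", qc.stored_peak)
    print("same boundary states:", full.boundary == qc.boundary, "invariant holds:", qc.property_ok)
```

Both searches visit the same transitions and reach the same set of quasi-cyclic states, so the invariant verdict is identical; the difference is that the quasi-cyclic search's peak storage is bounded by the number of boundary states plus the states of a single period, which is what makes the approach attractive for periodic real-time models whose intra-period interleavings dominate the state count.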
