Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications

Exposing inconsistencies can uncover many defects in software specifications. One approach to exposing inconsistencies analyzes two redundant specifications, one operational and the other property-based, and reports discrepancies. This paper describes a "practical" formal method, based on this approach and the SCR (software cost reduction) tabular notation, that can expose inconsistencies in software requirements specifications. Because users of the method do not need advanced mathematical training or theorem-proving skills, most software developers should be able to apply the method without extraordinary effort. This paper also describes an application of the method which exposed a safety violation in the contractor-produced software requirements specification of a sizable, safety-critical control system. Because the enormous state space of specifications of practical software usually renders direct analysis impractical, a common approach is to apply abstraction to the specification. To reduce the state space of the control system specification, two "pushbutton" abstraction methods were applied, one which automatically removes irrelevant variables and a second which replaces the large, possibly infinite, type sets of certain variables with smaller type sets. Analyzing the reduced specification with the model checker Spin uncovered a possible safety violation. Simulation demonstrated that the safety violation was not spurious but an actual defect in the original specification.

[1]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[2]  Kathryn L. Heninger Specifying Software Requirements for Complex Systems: New Techniques and Their Application , 2001, IEEE Transactions on Software Engineering.

[3]  D. L. Parnas,et al.  Using documentation as a software design medium , 1981, The Bell System Technical Journal.

[4]  Barry W. Boehm,et al.  Software Engineering Economics , 1993, IEEE Transactions on Software Engineering.

[5]  A. P. Sistla,et al.  Automatic verification of finite-state concurrent systems using temporal logic specifications , 1986, TOPL.

[6]  R. P. Kurshan,et al.  Reducibility in analysis of coordination , 1988 .

[7]  K. Mani Chandy,et al.  Parallel program design - a foundation , 1988 .

[8]  M. Young,et al.  How to leave out details: error-preserving abstractions of state-space models , 1988, [1988] Proceedings. Second Workshop on Software Testing, Verification, and Analysis.

[9]  Patrice Godefroid Using Partial Orders to Improve Automatic Verification Methods , 1990, CAV.

[10]  David Lorge Parnas,et al.  Assessment of safety-critical software in nuclear power plants , 1991 .

[11]  Martin Peschke,et al.  Design and Validation of Computer Protocols , 2003 .

[12]  Gérard Berry,et al.  The Esterel Synchronous Programming Language: Design, Semantics, Implementation , 1992, Sci. Comput. Program..

[13]  David Lorge Parnas,et al.  Software Requirements for the A-7E Aircraft. , 1992 .

[14]  John W. Brackett,et al.  The Core method for real-time requirements , 1992, IEEE Software.

[15]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[16]  Alan J. Hu,et al.  Protocol verification as a hardware design aid , 1992, Proceedings 1992 IEEE International Conference on Computer Design: VLSI in Computers & Processors.

[17]  Robyn R. Lutz Targeting safety-related errors during software requirements analysis , 1993, SIGSOFT '93.

[18]  Claire Loiseaux,et al.  A Tool for Symbolic Program Verification and Abstration , 1993, CAV.

[19]  Joanne M. Atlee,et al.  State-Based Model Checking of Event-Driven System Requirements , 1993, IEEE Trans. Software Eng..

[20]  Edmund M. Clarke,et al.  Model checking and abstraction , 1994, TOPL.

[21]  Susanne Graf,et al.  Verification of a Distributed Cache Memory by Using Abstractions , 1994, CAV.

[22]  L. Finneran,et al.  Experience applying the CoRE method to the Lockheed C-130J software requirements , 1994, Proceedings of COMPASS'94 - 1994 IEEE 9th Annual Conference on Computer Assurance.

[23]  Aloysius K. Mok,et al.  Modechart: A Specification Language for Real-Time Systems , 1994, IEEE Trans. Software Eng..

[24]  David Lorge Parnas,et al.  Functional Documents for Computer Systems , 1995, Sci. Comput. Program..

[25]  Joseph Sifakis,et al.  Property preserving abstractions for the verification of concurrent systems , 1995, Formal Methods Syst. Des..

[26]  Constance L. Heitmeyer,et al.  SCR: a toolset for specifying and analyzing requirements , 1995, COMPASS '95 Proceedings of the Tenth Annual Conference on Computer Assurance Systems Integrity, Software Safety and Process Security'.

[27]  Natarajan Shankar,et al.  Experiments in Theorem Proving and Model Checking for Protocol Verification , 1996, FME.

[28]  David Notkin,et al.  Model checking large software specifications , 1996, SIGSOFT '96.

[29]  Sérgio Vale Aguiar Campos,et al.  Symbolic Model Checking , 1993, CAV.

[30]  Joanne M. Atlee,et al.  Feasibility of model checking software requirements: a case study , 1996, Proceedings of 11th Annual Conference on Computer Assurance. COMPASS '96.

[31]  Somesh Jha,et al.  Faster checking of software specifications by eliminating isomorphs , 1996, POPL '96.

[32]  Constance L. Heitmeyer,et al.  Automated consistency checking of requirements specifications , 1996, TSEM.

[33]  Nancy G. Leveson,et al.  Completeness and Consistency in Hierarchical State-Based Requirements , 1996, IEEE Trans. Software Eng..

[34]  Joanne M. Atlee,et al.  A logic-model semantics for SCR software requirements , 1996, ISSTA '96.

[35]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[36]  Robert P. Kurshan Formal verification in a commercial setting , 1997, DAC.

[37]  Robyn R. Lutz,et al.  Applying the SCR* Requirements Toolset to DS-1 Fault Protection , 1997 .

[38]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[39]  Constance L. Heitmeyer,et al.  Tools for formal specification, verification, and validation of requirements , 1997, Proceedings of COMPASS '97: 12th Annual Conference on Computer Assurance.

[40]  Orna Grumberg,et al.  Abstract interpretation of reactive systems , 1997, TOPL.

[41]  Constance L. Heitmeyer,et al.  Verifying SCR Requirements Specifications Using State Exploration , 1997 .

[42]  Jonathan S. Ostroff,et al.  A visual toolset for the design of real-time discrete-event systems , 1997, IEEE Trans. Control. Syst. Technol..

[43]  Constance L. Heitmeyer,et al.  Applying the SCR requirements method to a weapons control panel: an experience report , 1998, FMSP '98.

[44]  Steven P. Miller Specifying the mode logic of a flight guidance system in CoRE and SCR , 1998, FMSP '98.

[45]  Steve Easterbrook,et al.  Formal methods for verification and validation of partial specifications: A case study , 1998, J. Syst. Softw..

[46]  Steve Sims,et al.  TAME: A PVS Interface to Simplify Proofs for Automata Models , 1998 .

[47]  Constance L. Heitmeyer,et al.  On the Need for Practical Formal Methods , 1998, FTRTFT.

[48]  John Kelly,et al.  Experiences Using Lightweight Formal Methods for Requirements Modeling , 1998, IEEE Trans. Software Eng..

[49]  Constance L. Heitmeyer,et al.  SCR*: A Toolset for Specifying and Analyzing Software Requirements , 1998, CAV.

[50]  Constance L. Heitmeyer,et al.  Automatic generation of state invariants from requirements specifications , 1998, SIGSOFT '98/FSE-6.

[51]  Susanne Graf,et al.  Characterization of a sequentially consistent memory and verification of a cache memory by abstraction , 1999, Distributed Computing.

[52]  Robert P. Kurshan,et al.  Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach , 2014 .