This work presents a novel approach for evaluating the quality of the model checking process. Given a model of a design (or implementation) and a temporal logic formula that describes a specification, model checking determines whether the model satisfies the specification. Assume that all specification formulas were successfully checked for the implementation. Are we sure that the implementation is correct? If the specification is incomplete, we may fail to find an error in the implementation. On the other hand, if the specification is complete, then the model checking process can be stopped without adding more specification formulas. Thus, knowing whether the specification is complete may both avoid missed implementation errors and save precious verification time.
The completeness of a specification with respect to a given implementation is determined as follows. The specification formula is first transformed into a tableau. The simulation preorder is then used to compare the implementation model and the tableau model. We suggest four comparison criteria, each revealing a certain dissimilarity between the implementation and the specification. If all comparison criteria are empty, we conclude that the tableau is bisimilar to the implementation model and that the specification fully describes the implementation. We also conclude that there are no redundant states in the implementation.
The method is exemplified on a small hardware example. We implemented our method symbolically as an extension to SMV. The implementation involves efficient OBDD manipulations that reduce the number of OBDD variables from 4n to 2n.
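The following is an added explicit-state illustration of the comparison step described above; it is not the paper's code. It computes the simulation preorder and bisimulation between an implementation structure and a hand-built, tableau-like structure (both constructed here; the paper's four criteria, its tableau construction and its symbolic OBDD implementation are not reproduced) and reports implementation states that no tableau state simulates, which is one kind of dissimilarity such a comparison can expose.

```python
# Added illustration, not the paper's code: explicit-state simulation preorder
# between an implementation Kripke structure and a constructed tableau-like
# structure, plus a bisimulation check and a simple dissimilarity report.
from typing import Dict, FrozenSet, Set, Tuple

# A structure is (states, successors, labelling, initial states).
Kripke = Tuple[Set[str], Dict[str, Set[str]], Dict[str, FrozenSet[str]], Set[str]]

def _greatest(a: Kripke, b: Kripke, mutual: bool) -> Set[Tuple[str, str]]:
    """Greatest fixpoint: (s, t) survives iff labels agree, every a-successor of s
    is matched by a b-successor of t within the relation, and (if mutual) vice versa."""
    sa, ra, la, _ = a
    sb, rb, lb, _ = b
    rel = {(s, t) for s in sa for t in sb if la[s] == lb[t]}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            fwd = all(any((s2, t2) in rel for t2 in rb[t]) for s2 in ra[s])
            bwd = (not mutual) or all(any((s2, t2) in rel for s2 in ra[s]) for t2 in rb[t])
            if not (fwd and bwd):
                rel.discard((s, t))
                changed = True
    return rel

def simulated_by(a: Kripke, b: Kripke) -> bool:
    """b simulates a: each initial state of a has a simulating initial state of b."""
    rel = _greatest(a, b, mutual=False)
    return all(any((s, t) in rel for t in b[3]) for s in a[3])

def bisimilar(a: Kripke, b: Kripke) -> bool:
    """Initial states of a and b are related by the greatest bisimulation."""
    rel = _greatest(a, b, mutual=True)
    return (all(any((s, t) in rel for t in b[3]) for s in a[3])
            and all(any((s, t) in rel for s in a[3]) for t in b[3]))

def unmatched_states(a: Kripke, b: Kripke) -> Set[str]:
    """States of a that no state of b simulates: one dissimilarity report."""
    rel = _greatest(a, b, mutual=False)
    return {s for s in a[0] if not any((s, t) in rel for t in b[0])}

# Constructed sample: a request/acknowledge loop plus one extra implementation
# state i3 (a req self-loop) that the tableau-like structure cannot match.
L = lambda *ps: frozenset(ps)
IMPL: Kripke = ({"i0", "i1", "i2", "i3"},
                {"i0": {"i1"}, "i1": {"i2"}, "i2": {"i0"}, "i3": {"i3"}},
                {"i0": L(), "i1": L("req"), "i2": L("ack"), "i3": L("req")}, {"i0"})
TAB: Kripke = ({"t0", "t1", "t2"},
               {"t0": {"t1"}, "t1": {"t2"}, "t2": {"t0"}},
               {"t0": L(), "t1": L("req"), "t2": L("ack")}, {"t0"})
```

On this sample the initial states are bisimilar, yet `unmatched_states(IMPL, TAB)` reports `{"i3"}`: the extra state is unreachable and redundant, which is the kind of fact an initial-state check alone does not reveal.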