Richard J. Anderson
Paul Beame
David Notkin
ABSTRACT
In this paper we present our results and experiences of using symbolic model checking to study the specification of an aircraft collision avoidance system. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in the question of whether or not model checking techniques can be applied to large software specifications.To investigate this, we translated a portion of the finite-state requirements specification of TCAS II (Traffic Alert and Collision Avoidance System) into a form accepted by a model checker (SMV). We successfully used the model checker to investigate a number of dynamic properties of the system.We report on our experiences, describing our approach to translating the specification to the SMV language and our methods for achieving acceptable performance in model checking, and giving a summary of the properties that we were able to check. We consider the paper as a data point that provides reason for optimism about the potential for successful application of model checking to software systems. In addition, our experiences provide a basis for characterizing features that would be especially suitable for model checkers built specifically for analyzing software systems.The intent of this paper is to evaluate symbolic model checking of state-machine based specifications, not to evaluate the TCAS II specification. We used a preliminary version of the specification, the version 6.00, dated March, 1993, in our study. We did not have access to later versions, so we do not know if the properties identified here are present in later versions.
- 1.T. Alspaugh, S. Faulk, K. Britton, R. Parker, D. Parnas,and J. Shore. Software requirements for the A-7E aircraft. Technical report, Naval Research Lab., March 1988,Google Scholar
- 2.J. M. Atlee and A. M. Buckley. A logic-model semantics for SCR software requirements. In Proceedings of the International Symposium on Software Testing and Analysis, pages 280-292, January 1996. Google ScholarDigital Library
- 3.R. E. Bryant. On the complexity of VLSI implementations and graph representation of boolean functions with applications to integer multiplication. IEEE Transactions on Computers, 40(2):205-213, February 1991. Google ScholarDigital Library
- 4.R. E. Bryant and Chen Y.-A. Verification of arithmetic circuits with Binary Moment Diagrams. In Proceedings of the 32nd ACM/IEEE Design Automation Conference,pages 535-541, June 1995, Google ScholarDigital Library
- 5.R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(6):677-691, August 1986. Google ScholarDigital Library
- 6.J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design oj Integrated Circuits and Systems,13(4):401-424, April 1994.Google ScholarDigital Library
- 7.E. Clarke and X. Zhao. Word level symbolic model checking: A new approach for verifying arithmetic circuits.Technical Report CMU-CS-95-161, School of Computer Science, Carnegie Mellon University, May 1995. Google ScholarDigital Library
- 8.E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-63, April 1986. Google ScholarDigital Library
- 9.J.C, Corbett, Evaluating deadlock detection methods for concurrent software. IEEE Transactions on Software Engineering, SE-22(3), March 1996. Google ScholarDigital Library
- 10.Federal Aviation Administration, U.S. Department of Transportation. Introduction to TCAS II, March 1990.Google Scholar
- 11.Federal Aviation Administration, U.S. Department of Transportation. TCAS II Collision Avoidance System (CAS) System Requirements Specification, Change 6.00, March 1993.Google Scholar
- 12.D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8:231 274, 1987. Google ScholarDigital Library
- 13.M.P.E. Heimdahl and N.G. Leveson. Completeness and consist ency analysis of state-based requirements. In Proceedings of the 17th International Conference on Software Engineering, pages 3-14, April 1995. Google ScholarDigital Library
- 14.K. Heninger. Specifying software requirements for complex systems: New techniques and their applications.IEEE Transactions on Software Engineering, SE- 6(1):2-12, January 1980.Google Scholar
- 15.D. Jackson. Abstract model checking of infinite specifications.In Proceedings of FME '94: Industrial Benefit of Formal Methods, Second International Symposium of Format Methods Europe, pages 519-31. Springer-Verlag, October 1994. Google ScholarDigital Library
- 16.M. S. Jaffe, N. G. Leveson, M. P. E. Heimdahl, and B. E. Melhart. Software requirements analysis for realtime process-control systems. IEEE Transactions on Software Engineering, 17(3):241-258, March 1991. Google ScholarDigital Library
- 17.N.G. Leveson, M.P.E. Heimdahl, H. Hildreth, and J.D. Reese. Requirements specification for process-control systems. IEEE Transactions on Software Engineering, SE-20(9), September 1994. Google ScholarDigital Library
- 18.K.L. McMillan. Symbolic Model Checking. Kluwer Academic publishers, 1993. Google ScholarDigital Library
- 19.A. Pnueli and M. Shalev. What is in a step: On the semantics of Statecharts. In Proceedings of International Conference on Theoretical Aspects of Computer Software,pages 245-264. Springer-Verlag, September 1991. Google ScholarDigital Library
- 20.S. Ponzio. A lower bound for integer multiplication with read-once branching programs. In Proceedings of the 27th ACM Symposium on Theory of Computing, pages 130-139, May 1995. Google ScholarDigital Library
- 21.T. Sreemani and J. Atlee. Feasibility of model checking software requirements: A case study. Technical Report CS96-05, Department of Computer Science, University of Waterloo, January 1996.Google ScholarCross Ref
- 22.J.M. Wing and M. Vaziri-Farahani. Model checking software systems: A case study. In Proceedings of SIGSOFT'95 Third A CM SIGSOFT Symposium on the Foundations of Software Engineering, pages 128-139, October 1995. Google ScholarDigital Library
Index Terms
- Model checking large software specifications
Recommendations
Model checking large software specifications
In this paper we present our results and experiences of using symbolic model checking to study the specification of an aircraft collision avoidance system. Symbolic model checking has been highly successful when applied to hardware systems. We are ...
Model Checking Large Software Specifications
In this paper, we present our experiences in using symbolic model checking to analyze a specification of a software system for aircraft collision avoidance. Symbolic model checking has been highly successful when applied to hardware systems. We are ...
Comments