Completeness and consistency in hierarchical state-based requirements

Heimdahl, Mats P. E.; Leveson, Nancy G.

doi:10.1109/32.508311

Cited by 224 publications

(106 citation statements)

References 17 publications

Supporting

Mentioning

103

Contrasting

Unclassified

Order By: Relevance

“…Our analysis focuses on two SMV variables: Composite RA which encodes the escape maneuver, or Resolution Advisory, and Displayed Model Goal, which encodes its strength. A desirable property of Composite RA is that it should change deterministically [14]: this is essential for ensuring that Own Aircraft has predictable behavior and does not decide on different maneuvers under similar conditions. We checked that nondeterminism is not attained using a macro ND Composite RA defined in the model to encode possible nondeterminism (row 1 of Table 1).…”

Section: Case Study: Checking the Tcas II Systemmentioning

confidence: 99%

See 1 more Smart Citation

Finding Environment Guarantees

Chećhik

Gheorghiu

Gurfinkel

Fundamental Approaches to Software Engineering

View full text Add to dashboard Cite

Abstract. When model checking a software component, a model of the environment in which that component is supposed to run is constructed. One of the major threats to the validity of this kind of analysis is the correctness of the environment model. In this paper, we identify and formalize a problem related to environment models -environment guarantees. It captures those cases where the correctness of the component under analysis is due solely to the model of its environment. Environment guarantees provides a model-based analog to a property-based notion of vacuity by identifying cases when the component is irrelevant to satisfaction of a property. The paper also presents a model checking technique for the detection of environment guarantees. We show the effectiveness of our technique by applying it to a previously published study of TCAS II, where it finds a number of environment guarantees.

show abstract

Section: Case Study: Checking the Tcas II Systemmentioning

confidence: 99%

“…This is a safety-critical system required on every U.S. commercial aircraft transporting more than thirty passengers, and has also been deployed in other countries. TCAS II has also been used as a classical case study for requirements modeling [18] and formal verification [14,19,4]. …”

Section: Case Study: Checking the Tcas II Systemmentioning

confidence: 99%

Finding Environment Guarantees

Chećhik

Gheorghiu

Gurfinkel

Fundamental Approaches to Software Engineering

View full text Add to dashboard Cite

show abstract

“…Related techniques for formal verification of specifications include: In [20], the requirements for the TCAS airborne, collision avoidance protocol formulated in RSML were checked with SMV. The model checker builds a highly abstract model to avoid the state-space explosion problem.…”

Section: Related Workmentioning

confidence: 99%

A case study on the lightweight verification of a multi-threaded task server

Cataño

Ahmed²,

Siminiceanu

et al. 2014

Science of Computer Programming

View full text Add to dashboard Cite

We present a case study of verifying the design of a commercial multi-threaded task server (MTTS), developed by the Novabase company, used for massively parallelising computational tasks. In a first stage, we employed the Plural tool, which is designed to perform lightweight verification of Java programs using a Data Flow Analysis (DFA) framework, to specify and verify the MTTS. We wrote the Plural specification for the MTTS based on the code developed by Novabase, its informal documentation, and our discussions with Novabase engineers, who validated our understanding of the MTTS application. The Plural specification language is based on typestates and access permissions. In a second stage, we developed the Pulse tool that enhances the analysis performed by Plural, and used the tool on the MTTS specifications. Pulse translates Plural specifications into an abstract state-machine model that captures the semantics of all the possible concurrent programs implementing the given specifications, and uses the evmdd-smc symbolic model-checker to verify the machine model. The experimental results on the MTTS specification show that the exhaustive model-checking approach scales reasonably well and is efficient at finding errors in specifications that were not previously detected with the Data Flow Analysis (DFA) capabilities of Plural.

show abstract

“…They contain predicates of local states and of the input variables and often involve nontrivial arithmetic predicates. While many other researchers conservatively abstract each arithmetic predicate as an independent Boolean variable [14], [15], [16], we encode each bit of the numeric inputs as a Boolean variable, resulting in more accurate analysis at the expense of requiring more Boolean variables. In addition, a guarding condition can refer to any part of the system, so the interdependencies between the BDD variables are high.…”

Section: Tcas IImentioning

confidence: 99%

“…To detect such false dependencies, one can check whether the disjunction of the guarding conditions of the transitions out of a local state with the same trigger and action events is a tautology. This can sometimes be checked efficiently using BDDs [15]. However, the syntax sometimes allows easy detection of most false dependencies of this kindÐfor example, the selfloops in Fig.…”

Section: Dependency Analysismentioning

confidence: 99%

Optimizing symbolic model checking for statecharts

Chan

Anderson

Beame

et al. 2001

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

AbstractÐSymbolic model checking based on binary decision diagrams is a powerful formal verification technique for reactive systems. In this paper, we present various optimizations for improving the time and space efficiency of symbolic model checking for systems specified as statecharts. We used these techniques in our analyses of the models of a collision avoidance system and a faulttolerant electrical power distribution (EPD) system, both used on commercial aircraft. The techniques together reduce the time and space requirements by orders of magnitude, making feasible some analysis that was previously intractable. We also elaborate on the results of verifying the EPD model. The analysis disclosed subtle modeling and logical flaws not found by simulation.

show abstract

Completeness and consistency in hierarchical state-based requirements

Cited by 224 publications

References 17 publications

Finding Environment Guarantees

Finding Environment Guarantees

A case study on the lightweight verification of a multi-threaded task server

Optimizing symbolic model checking for statecharts

Contact Info

Product

Resources

About