Model checking large software specifications

Anderson, Richard; Beame, Paul; Burns, S.M.; Chan, William; Modugno, Francesmary; Notkin, David; Reese, J.D.

doi:10.1145/250707.239127

Cited by 17 publications

(11 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, in Matlab Stateflow, transitions are taken according to their relative locations in the statechart diagram in clockwise order starting at the "twelve o'clock" position. 1 Our compiler treats nondeterminism as an error which would be returned by the system. This could be altered straightforwardly, but in some cases it would lead to our tool being less efficient as it presently exploits the determinism of statecharts.…”

Section: Statemate Semanticsmentioning

confidence: 99%

Verifying Statemate Statecharts Using CSP and FDR

Roscoe

2006

Formal Methods and Software Engineering

View full text Add to dashboard Cite

show abstract

Section: Statemate Semanticsmentioning

confidence: 99%

Verifying Statemate Statecharts Using CSP and FDR

Roscoe

2006

Formal Methods and Software Engineering

View full text Add to dashboard Cite

show abstract

“…[20,27,28]). Most techniques based on model checking facilitate automated analysis of requirements specifications and generation of counterexamples when errors are detected [2,4,11]. However, in contrast to our approach they presuppose complete descriptions of the initial state(s) of the system to compute successor states.…”

Section: Abductive Analysis Of Invariantsmentioning

confidence: 99%

An Abductive Approach for Analysing Event-Based Requirements Specifications

et al. 2002

View full text Add to dashboard Cite

Abstract. We present a logic and logic programming based approach for analysing event-based requirements specifications given in terms of a system's reaction to events and safety properties. The approach uses a variant of Kowalski and Sergot's Event Calculus to represent such specifications declaratively and an abductive reasoning mechanism for analysing safety properties. Given a system description and a safety property, the abductive mechanism is able to identify a complete set of counterexamples (if any exist) of the property in terms of symbolic "current" states and associated event-based transitions. A case study of an automobile cruise control system specified in the SCR framework is used to illustrate our approach. The technique described is implemented using existing tools for abductive logic programming.

show abstract

“…All six properties in the WCP SRS, including the two properties listed above, are transition invariants. (Also interesting to note is that all properties of the TCAS II requirements specification [30] analyzed by Anderson et al [2], except one designed to expose circular definitions, 3 are state invariants. )…”

Section: Building Abstractions Of Scr Specificationsmentioning

confidence: 99%

“…3. In contrast to Anderson et al [2], who use model checking to check for circular definitions, the SCR method uses consistency checking [30], a form of static analysis. The use of static analysis to detect circularities is possible because SCR's step semantics is much simpler than the step semantics of RSML [30], the Statecharts variant used to specify TCAS II.…”

Section: Formal Framework For Abstractionmentioning

confidence: 99%

Using abstraction and model checking to detect safety violations in requirements specifications

Heitmeyer

Kirby

Labaw

et al. 1998

IIEEE Trans. Software Eng.

158

View full text Add to dashboard Cite

Abstract-Exposing inconsistencies can uncover many defects in software specifications. One approach to exposing inconsistencies analyzes two redundant specifications, one operational and the other property-based, and reports discrepancies. This paper describes a "practical" formal method, based on this approach and the SCR (Software Cost Reduction) tabular notation, that can expose inconsistencies in software requirements specifications. Because users of the method do not need advanced mathematical training or theorem proving skills, most software developers should be able to apply the method without extraordinary effort. This paper also describes an application of the method which exposed a safety violation in the contractor-produced software requirements specification of a sizable, safety-critical control system. Because the enormous state space of specifications of practical software usually renders direct analysis impractical, a common approach is to apply abstraction to the specification. To reduce the state space of the control system specification, two "pushbutton" abstraction methods were applied, one which automatically removes irrelevant variables and a second which replaces the large, possibly infinite, type sets of certain variables with smaller type sets. Analyzing the reduced specification with the model checker Spin uncovered a possible safety violation. Simulation demonstrated that the safety violation was not spurious but an actual defect in the original specification.

show abstract

Model checking large software specifications

Cited by 17 publications

References 34 publications

Verifying Statemate Statecharts Using CSP and FDR

Verifying Statemate Statecharts Using CSP and FDR

An Abductive Approach for Analysing Event-Based Requirements Specifications

Using abstraction and model checking to detect safety violations in requirements specifications

Contact Info

Product

Resources

About