Applying infinite state model checking and other analysis techniques to tabular requirements specifications of safety-critical systems

Tevfik Bultan, Constance Heitmeyer
2008 Design automation for embedded systems  
Although it is most often applied to finite state models, in recent years, symbolic model checking has been extended to infinite state models using symbolic representations that encode infinite sets. This paper investigates the application of an infinite state symbolic model checker called Action Language Verifier (ALV) to formal requirements specifications of safety-critical systems represented in the SCR (Software Cost Reduction) tabular notation. After reviewing the SCR method and tools, the
more » ... Action Language for representing state machine models, and the ALV infinite state model checker, the paper presents experimental results of formally analyzing two SCR specifications using ALV. The application of ALV to verify or falsify (by generating counterexample behaviors) the state and transition invariants of SCR specifications and to check Disjointness and Coverage properties is described. The results of formal analysis with ALV are then compared with the results of formal analysis using techniques that have been integrated into the SCR toolset. Based on the experimental results, strengths and weaknesses of infinite state model checking with respect to other formal analysis approaches such as explicit and finite state model checking and theorem proving are discussed. * This is an extended version of a paper published in the In the last two decades, significant progress has been made in automated techniques for verifying finite state systems, especially in techniques based on model checking [20] . In hardware design, model checking has been successfully transferred from academic research into industrial use. Given a state machine model and a property (often expressed in temporal logic), a model checker exhaustively searches the model's state space to determine if the model satisfies the given property. Since early model checking research focused on the analysis of finite state models, model checking is known mainly as a finite state verification technique. As an exception, verification techniques that focus on real-time systems have been successful in analyzing specifications with infinite state spaces (see, for example, [34] ). These techniques, which are based on the timed automata model [1] , show that verification of timed automata can be achieved by using a finite representation based on clock regions. Verification of hybrid systems has also been studied extensively (see, for example, [30] ) to analyze behaviors of discrete control systems that interact with continuously changing, external environments. Research in this area typically assumes a continuous domain, thus resulting in infinite state specifications. In recent years, model checking using symbolic representations that can encode infinite sets has been extended to analyze infinite state models outside the domain of real-time or hybrid systems [2, 23, 35, 36] . These infinite state model checkers have reached a maturity level comparable to that of finite state model checkers a decade ago. This paper investigates the application of an infinite state model checker called the Action Language Verifier (ALV) [19, 44] to the formal analysis of requirements of safety-critical systems specified in the SCR (Software Cost Reduction) tabular notation. It then compares the results of applying infinite state model checking using ALV with the results of applying the formal analysis tools and techniques of the SCR toolset [25], identifying both the strengths and weaknesses of the two approaches and discussing potential synergies among the various analysis techniques. The remainder of the paper is organized as follows. After reviewing the SCR model and tools, Section 2 presents the two SCR specifications used in our experiments. Section 3 gives an overview of the Action Language, and Section 4 discusses the verification techniques used in ALV. Section 5 describes the application of ALV and the SCR tools to the verification of the two SCR specifications presented in Section 2. Section 6 discusses how ALV can be used for consistency checking and how its approach and performance compare with those of the SCR tools for consistency checking. Section 7 compares the infinite state model checking techniques used in ALV with the verification techniques used in the SCR toolset, and Section 8 discusses the utility of ALV in the SCR toolset. Finally, section 9 presents some conclusions. SCR Language and Toolset The objective of an SCR specification is to specify the required externally visible behavior of a software system as a relation on environmental quantities. In an SCR specification [25, 28] , monitored and controlled variables represent the quantities in the system environment that the system monitors and controls. The required system behavior is specified as relations the system must maintain between the monitored and controlled variables. To specify these relations clearly and concisely, the SCR language provides two types of auxiliary variables, terms and mode classes. A term is an auxiliary variable which makes the specification more understandable by assigning some logical expression to the variable or more concise by assigning a logical expression occurring more than once in the specification to the variable. A mode class is a special case of a term whose values are modes. If a monitored variable changes, the effects of the change may differ if the system is in one mode rather than another mode. Also of significance in SCR specifications are conditions and events, where a condition is a predicate defined on a system state, and a basic event, represented as @T(c), indicates that condition c changes from false to true. The event @F(c) is defined by @T(¬c), and indicates that condition c changes from true to false. If c's value in the current-state is denoted c and its value in the next-state as c , then the semantics of @T(c) is defined by ¬c ∧ c and the semantics of @F(c) by c ∧ ¬c . A conditioned event, denoted @T(c) WHEN d, adds a qualifying condition d to an event and has the semantics ¬c ∧ c ∧ d.
doi:10.1007/s10617-008-9014-2 fatcat:u4twazgxl5cyxfybqhwhptb6xm