Effectively Combining Software Verification Strategies: Understanding Different Assumptions

David Owen, Dejan Desovski, Bojan Cukic
2006 Proceedings - International Symposium on Software Reliability Engineering
In this paper we describe an experiment in which inconsistent results between two tools for testing formal models (and a third used to determine which of the two was correct) led us to a more careful look at the assumptions involved in the use of each tool and a clearer understanding of the results of each. For the experiment, we created error-seeded versions of an SCR specification representing a real-world personnel access control system. We checked them first using the model checker SPIN and Lurch, our random testing tool for finite-state models. In one case a property violation was detected by Lurch, an incomplete tool, but missed by SPIN, a well-known and established model checker designed for complete verification. We used the SCR Toolset and the Salsa invariant checker to determine that the violation detected by Lurch was indeed present in the specification. We then looked more carefully at how we were using SPIN in conjunction with the SCR Toolset and, eventually, made adjustments so that SPIN also detected the mysterious property violation. Our original intent was to show how combining different tools can decrease the time and memory requirements of verification. We demonstrate the advantage of using incomplete but lightweight tools to quickly detect property violations. Our experience brought to light another reason to use multiple complementary tools: one tool can expose the assumptions or validate the results of another.
doi:10.1109/issre.2006.24 dblp:conf/issre/OwenDC06 fatcat:2vurgcflcfdzdceg6kow242vwq