On account of the intrinsic computational complexity of model checking, we need to support compositional reasoning 49 where model checking a property on a sys. Compositional model checking of product-form CTMCs Paolo Ballarini 1 and andraa. There are two major challenges in practical and scalable application of model checking to software systems. Introduction. Software is ubiquitous in safety-critical systems, which have the potential to cause loss of life, injury, or other serious damage to property and environment. Compositional encoding for bounded model checking SpringerLink. BLAST stands for Berkeley Lazy Abstraction Software Verification Tool and uses a model checking algorithm that is specialized for efficient and scalable software. Integration of model checking into software development.
Compositional conformance checking of nested petri nets. Steven miller master of science in software engineering. Model checking is often applied to software systems by translating them into a modelcheckable formalism to avoid the dif. Automated compositional analysis for checking component. Software model checking edmund clarke1 and daniel kroening2, 1 department of computer science, carnegie mellon university, pittsburgh, pa, 152 2 computer systems institute, eth zurich. Compositional model checking of concurrent systems, with petri nets pawel sobocinski.
This paper presents a compositional conformance checking approach between nested petri nets and event logs of multiagent systems. Inferential reasoning is carried out using rules based on hoares logic of imperative programming, extended to. We have implemented a system based on these methods, and we use it to give a compositional verification of a cpu controller. In computer science, model checking or property checking is a method for checking whether a finitestate model of a system meets a given specification a. Verifying the correctness of aadl modules using model. The main challenge, however, is that requirements, in the form of temporal logic formulae, are usually specified at the systemlevel, and it is not obvious how. Pdf software model checking takes off researchgate. Dimitra giannakopoulou, jeff magee, fluent model checking for eventbased systems, proc.
Abstract: bounded model checking (BMC) for software is a precise bug-finding technique that builds upon the efficiency of modern SAT and SMT solvers. Compositional model checking of software product lines using. Model checking is an automated technique for the systematic exploration of the state space of a state transition system. Compositionality means that the behaviour of a compound system relies only on the behaviour of its compo. The goal is to check properties of the components of a system and then deduce global properties from these local properties. Rational Software Corporation, 8000 Westpark Drive, McLean, VA. Long Carnegie Mellon University verification we describe a framework for compositional verification of finite-state processes. Using compositional reasoning, model checking of a property on a system is accomplished by decomposing the system into components, model checking the component properties locally on the components, and deriving the system property from the component properties. We present a program specification language for Idealized Algol that is compatible both with inferential reasoning and model checking. BMC currently does not scale to large programs because the size of the generated formulae exceeds the capacity of existing solvers. In addition, the complexities of various kinds of related problems are summarized and a comparison is made between compositional model checking and compositional refinement checking, which exposes. We formally demonstrate the validity of our approach proving that, to check. Compositional model checking of concurrent systems, with Petri nets. Compositional verification by model checking for counter.
Verification of nonlinear models and compositional models. Learning assumptions for compositional verification. Compositional verification using assumeguarantee reasoning has recently seen an uprise due to the introduction of automatic techniques for learning assumptions. Inferential reasoning is carried out using rules based on hoares logic of imperative programming, extended to handle procedures and computational side effects.
This is typically associated with hardware or software systems, where the specification contains liveness requirements such as avoidance of livelock as well as safety requirements such as. Software automotive distributed control abstraction model reduction. Department of computer science, university of maryland, college park, md. Compositional model checking with incremental counterexample. Compositional bounded model checking for realworld programs. In last 1015 years, interest in applying to software developed in 1980s by clarke, emerson, and sistla. We have developed a translationbased approach to compositional reasoning of software systems, which simplifies the proof.
Compositional verification by model checking for counterexamples. Applying game semantics to compositional software modeling and. Compositional csp traces refinement checking sciencedirect. Compositional model checking and compositional refinement checking of concurrent reactive systems article pdf available in journal of software 184. Software product lines are widely used due to their advantageous reuse of shared features while still allowing optional and alternative features in the individual products. Applying bounded model checking to compositional process algebras is. Given a nite state model of a system and a property, usually expressed as an automaton or a temporal logic formula, model checking systematically goes through all the possible system behaviors and checks them for conformance against the property.
Next, for model checking we use the model checking algorithm for multivalued systems and the alternationfree calculus, suggested in 53. Finding security vulnerabilities with formal methods. In dart, each new input vector attempts to force the execution of the program through some new path. One of the main drawbacks of model checking is the state explosion problem. Compositional modelchecking verification of critical systems. Model checking, automated abstraction, and compositional. Probabilistic model checking di erential invariants. Veri cation of nonlinear hybrid systems andr e platzer.
We describe a software model checking tool founded on game semantics, highlight the underpinning theoretical results and discuss several case studies. Checking safety properties using compositional reachability analysis shing chi cheung hong kong university of science and technology and jeff kramer imperial college of science, technology and medicine the software architecture of a distributed program can be represented by a hierarchical. Safety analysis of software product lines using statebased modeling and compositional model checking by jing liu a dissertation submitted to the graduate faculty in partial ful. However, this goal is currently hampered by the complexity of. Safety analysis of software product lines using state. Compositional model checking of software product lines. The adoption of modelbased development tools is changing the costbenefit equation for the industrial use of formal methods. Software model checking via static and dynamic program analysis, movep2006. Checking safety properties using compositional reachability. Compositional model checking with incremental counterexample construction. The different stages of the prevailing software development model involve the use of software development tools and methods that are usually based on different paradigms. Fourth annual symposium on logic in computer science, year1989, pages353362. Code requirement engineering system software design software development unit testing.
Compositional model checking of concurrent systems, with. Subsequently, it was extended by Bruni, Melgratti and Montanari for ordinary, in. Model checking is made possible by the use of an algorithmic, regular-language semantics, which is a representation of the fully abstract game semantic. The integration of formal methods such as model checking into software development environments makes it possible to fight increasing cost and complexity with automation and rigor. Model checking and modular Orna Grumberg the Technion and David E. Compositional model checking Orna Grumberg, the Technion, Haifa, Israel. Modern software, which is often concurrent and distributed, must be extremely reliable and correct. The main difficulty with this type of approach is that local properties are often not preserved at the global level. Compositional model checking of software product lines using variation point obligations Jing Liu, Samik Basu, Robyn R. Lutz received. Compositional reasoning 1, 2, 14, 4, as applied in model checking, is a powerful state space reduction algorithm and accomplishes verification of a property on a system by decomposing the system into components, checking the component properties locally, and deriving the system property from the component properties.
One compositional technique advocates proving properties of a system by checking properties of its components in an assumeguarantee style. The size and complexity of this software continues to grow, making it. Multivalued abstraction and compositional model checking. Model checking 3 is a technique for automating highquality assurance of software. In this paper, we transfer this technique to a setting with csp as modelling and property specification language, and present an approach to compositional traces refinement checking. It consists of checking that a finitestate model of the design satisfies a specification given in temporal logic, which is a logic that can express properties involving the sequencing of events in time. Timescale analysis spatiotemporal pancreatic cancer pathways andr e platzer cmu veri cation of nonlinear models and compositional models cmacs10 2 20. Especially for highintegrity product lines, we would like to use model checking to verify that key properties hold as each new product is built. In department of defense sponsored information security research. In addition, we demonstrate efficient methods for model checking in the logic and for checking the preorder in several special cases. Most of the model checking research has focused on developing scalable techniques for verifying large systems. Typically, one has hardware or software systems in mind, whereas the specification contains safety requirements such as. However, this goal is currently hampered by the complexity of composing model.
Model checking is made possible by the use of an algorithmic, regular-language semantics, which is a representation of the fully abstract game semantic model of the programming language. The different stages of the prevailing software development model involve the use of software development tools. Nevertheless, they have often been described as a non-compositional model, and tools tend to deal with monolithic. We also show, in case the checks on individual components are inde.
Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor, including branch. Model checking is one formal verification technique. In this approach an abstract, finite-state model of the system is constructed. The adoption of model-based development tools is changing the cost-benefit equation for the industrial use of formal methods. Model checking, automated abstraction, and compositional veri. Software bounded model checking (BMC) is a powerful technique for finding bugs in bounded program executions.
Software model checking is the algorithmic analysis of programs to prove. Model checking is made possible by the use of an algorithmic, regular-language semantics, which is a representation of the fully. Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor, including branch prediction, speculative execution, out. Furthermore, any automaton-based representation of concurrent components yields an explosion in the number of states, thus limiting the use of model-checking (MC) verification techniques. Model checking is an algorithmic approach to analysis of finite-state systems. Model checking has been originally developed for analysis of hardware designs and communication protocols. Model checking algorithms and tools have to be tuned to be applicable to analysis of software. In practice, DART typically achieves much better coverage than pure random testing see gks05.
Petri nets are a classical, yet widely used and understood, model of. Bringing model checking closer to practical software engineering. This is typically associated with hardware or software systems, where the specification contains liveness requirements such as avoidance of livelock as well as safety requirements such as avoidance of states representing a system crash. A gamesbased foundation for compositional software model. Analysis of an emergency diesel generator control system. Ghica oxford university computing laboratory october 18, 2002. Rational software corporation, 8000 westpark drive, mclean.
In compositional model checking, the approach is to reason about the correctness of a system by lifting results obtained in analyses of subsystems to the systemlevel. Bounded model checking compositional reasoning symmetry. One emerging method of achieving confidence in such systems is to statically verify them using model checking. Generating variationpoint obligations for compositional.
Model checking is made possible by the use of an algorithmic, regularlanguage semantics, which is a representation of the fullyabstract game semantic model of the programming language. Methodology for hardware verification using compositional. Pdf a translator framework enables the use of model checking in complex avionics systems and other industrial settings. Ecs, university of southampton, uk compositionality and process equivalence are both standard concepts of process algebra.
Abstraction, refinement and counterexamples cegar temporal logics. Various approaches to model checking software 6 hypothesis model checking is an algorithmic approach to analysis of finitestate systems model checking has been originally developed for analysis of hardware designs and communication protocols model checking algorithms and tools have to be tuned to be applicable to analysis of software. Model checking is an automated technique to verify hardware and software systems formally. Qa plan for smart nas testbed systemlevel requirements and goals. Microarchitecture verification by compositional model checking. Compositional model checking with incremental counter. Compositional reasoning for hardwaresoftware coveri. Compositional specification in rewriting logic theory and. A method is described for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. We formally demonstrate the validity of our approach proving that, to check fitness of a nested petri net is. Ensuring the correctness of critical systems cs becomes more complex if we consider that their behaviour is the result of the concurrent execution of many components. Model checking cs252r spring 2011 contains material from slides by edmund clarke. Software model checking is the algorithmic analysis of programs to prove prop.
Second, compositional techniques reduce the safety verification problem on the orig. Computer-aided verification of software and hardware model checking. Model checking, abstraction, and compositional verification. The mismatch between the different levels of this hierarchical. Analysis of an emergency diesel generator control system by. New methods for protecting against cyber threats, Wiley, 2007, 349-360. Safety analysis of software product lines using state-based. Proceedings of 19th international conference on software. In proceedings of 20th annual IEEE symposium on logic in computer science LICS 05. Compositional bounded model checking for real-world. In computer science, model checking, or property checking, is, for a given finite-state model of a system, exhaustively and automatically checking whether this model meets a given specification a. Pdf compositional model checking and compositional.