R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering Journal, 6(1), Jan. 1999.


This paper is cited in the following contexts:
Guest Editorial: Special Issue on Model Checking in.. - Easterbrook, Chechik

....of the checker engine and for visualising the results. Model checking engines can now be considered mature technology. Rather than describe how they work here, we refer the reader to several good tutorial introductions [14,15]. An example of a model-checking framework is the SCRtool from NRL [16]. In general, model checking frameworks are still relatively immature, and are the subject of much current research. A good model checking framework is essential for the following reasons: 1. Temporal logics can be hard to work with, and most people have difficulty in finding the correct logical ....

Bharadwaj R, Heitmeyer C. Model checking complete requirements specifications using abstraction. J Automated Software Eng 1999;6(1)37--68


Automatic Model Driven Animation of SCR Specifications - Gargantini, Riccobene (2003)

.... including an automated consistency checker to detect missing cases and other application independent errors [14]; a simulator to symbolically execute the specification to ensure that it captures the user's intent; and a model checker to detect violations of critical application properties [1]. 2.1 The Formal Method The SCR model represents the environmental quantities that the system monitors and controls as monitored and controlled variables. The environment nondeterministically produces a sequence of input events, where an input event signals a change in some Modes Conditions m1 ....

....[6,9] which exploits the model checkers Spin [15] or SMV [20] and, in particular, their ability to generate counter examples. The method consists in the following steps. First, we encode the SCR specification in the language of the model checker (Spin or SMV) following the technique described in [1]; then, for each animation goal a i , we compute the animation sequence that covers a i by trying to prove with the model checker the trap property i . If the model checker finds a state where i is false, it stops and prints as counter example a state sequence leading to that state. This ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering Journal, 6(1), Jan. 1999.


An Abductive Approach for Analysing Event-Based.. - Russo, Miller.. (2002)   (2 citations)

....controlled variable) changes value. Full SCR specifications can include mode transition, event and condition tables to describe a required system behavior, assertions to define properties of the environment, and invariants to specify properties that are required to always hold in the system (see [4, 9, 10]). However, this case study concerns a simple SCR specification consisting of just a single mode transition table and a list of system invariants. Mode Transition Tables Mode classes are abstractions of the system state space with respect to monitored variables. Each mode class can be seen as a ....

.... [8] to more formal techniques such as model checking, theorem proving [6] and other logic based approaches (e.g. [20, 27, 28]). Most techniques based on model checking facilitate automated analysis of requirements specifications and generation of counterexamples when errors are detected [2, 4, 11]. However, in contrast to our approach they presuppose complete descriptions of the initial state(s) of the system to compute successor states. Moreover, they need to apply abstraction techniques to reduce the size of the state space, and can only handle finite state systems. For example, in the ....

Bharadwaj, R, and Heitmeyer, C. (1997). Model Checking Complete Requirements Specifications Using Abstraction. Technical Report No. NRL-7999, NRL.


Specifying and Executing Behavioral Requirements: The.. - Harel, Marelly (2002)   (3 citations)

....relation between system and environment variables. According to this method, the specification is first modified, with the aid of an automated tool, to be deterministic and can then be simulated, using a graphical user interface for capturing user inputs and reflecting the system state. In [4] model checking methods are used to verify that a complete SCR model satisfies certain properties, by using SMV and Spin model checkers. SCR is similar to our work (and to other work as described above) in the fact that it uses a GUI in the final phase of the simulation. It is different from our ....

R. Bharadwaj and C. Heitmeyer. Model Checking Complete Requirements Specifications Using Abstraction. Automated Software Engineering, 6(1):37--68, January 1999.


Supporting Abstraction when Model Checking ASM - Winter (2001)   (4 citations)

....treated, for computing an abstract model, which can be handled by the model checker. Two tasks have to be solved: firstly, finding an appropriate abstraction function and secondly, computing the abstract model and proving that it preserves the properties of the concrete model (see e.g. [GS97, SS99, BH99]). This technique involves the use of an (interactive) theorem prover and some insight of how to define the abstraction function. Another direction aims at the treatment of infinite systems by means of uninterpreted functions. Functions with an infinite domain or range that are not relevant to ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1):37--68, 1999.


High Assurance Requires Goal Orientation - Letier, van Lamsweerde (2002)

.... for a safety injection control system [Cou93]. Although fairly small, this case study comes from a real application, raises many of the issues found in high assurance systems and is frequently used to illustrate other methods such as, e.g. the SCR method [Heit96] and its analysis techniques [Bha99, Jef98, Gar99]. Illustrations on larger, more complex systems such as the LAS ambulance despatching system and the BART train control system can be found in [Lam00a, Lam00b, Let01]. 2. GOAL ORIENTED ANALYSIS OF REQUIREMENTS FOR A SAFETY INJECTION SYSTEM We follow the KAOS method [Lam00b] to gradually ....

R. Bharadwaj and C. Heitmeyer, "Model Checking Complete Requirements Specifications Using Abstraction," Automated Software Engineering, Vol 6, No. 1, January 1999, 37--68.


Smart Play-Out of Behavioral Requirements - Harel, Kugler, Marelly, Pnueli (2002)   (5 citations)

....instances and the timing extensions. Application of formal methods to the analysis of software requirements captured with SCR (Software Cost Reduction) is described in [17] The SCR method provides a tabular notation for specifying the required relation between system and environment variables. In [5] model checking methods are used to verify that a complete SCR model satisfies certain properties, by using SMV and Spin model checkers. This work is very different from our work. In [5] model checking is used for verifying properties of a state based model (which is the traditional use of ....

....provides a tabular notation for specifying the required relation between system and environment variables. In [5] model checking methods are used to verify that a complete SCR model satisfies certain properties, by using SMV and Spin model checkers. This work is very different from our work. In [5] model checking is used for verifying properties of a state based model (which is the traditional use of model checking) while we use model checking for driving the execution of a scenario based specification. The idea of using sequence charts to discover design errors at early stages of ....

R. Bharadwaj and C. Heitmeyer. Model Checking Complete Requirements Specifications Using Abstraction. Automated Software Engineering, 6(1):37--68, January 1999.


Events in Linear-Time Properties - Paun, Chechik (1999)   (2 citations)

.... adopted widely outside academia: their cost saving benefits were doubtful, they lacked tool support, and were perceived difficult to apply [27]. Recently, the tools for proving properties of finite-state models are becoming increasingly available and are often used for analyzing requirements, e.g. [2, 3, 10, 4]. These tools typically require the users to specify properties using temporal logics and to describe models of systems using some finite state transition representation. The tools are based on a variety of verification techniques. For example, SPIN [16] and SMV [22] are based on state space ....

Ramesh Bharadwaj and Connie Heitmeyer. "Model Checking Complete Requirements Specifications Using Abstraction". Journal of Automated Software Engineering, 6(1), January 1999.


The Right Algorithm at the Right Time: Comparing Data.. - Cobleigh, Clarke.. (2001)   (13 citations)

....to a debugging or fault finding mode in which the analyst is seeking the cause of the problem. Finite state verification approaches usually provide a trace or path through the model (or the corresponding path through the original software system) but these paths are sometimes long and convoluted [2, 9]. Complicated paths make it more difficult to track down the actual cause of the inconsistency. Thus, when an analyst is in fault finding mode, it makes sense to use a reasoning engine optimized to produce short paths or user guided paths that reveal the inconsistency. A more mature software ....

....used to create several counter examples for each property. For this study, SMV, which uses a BFS algorithm, generated a large set of short traces, while SPIN, which uses a DFS algorithm, took less time and generated a small set of long traces. A more direct comparison of SMV and SPIN was made in [2] with comparable results. Chan et al. showed that different algorithms can affect the performance of symbolic model checking [4]. They modified SMV so that it could search either forwards or backwards. In their experiments on a software system, the backwards search worked better. Others, however, ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. L. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Soft. Eng., 6(1):37--68, Jan. 1999.


Mutation Operators for Specifications - Black, Okun, Yesha (2000)   (1 citation)

....2 shows the number of CTL formulas and the number of variables in each of the specifications. Here are some additional details: Cruise Control [3] Two of the scalar variables have the same domain: Activate, Deactivate, Resume . The third has a domain of cardinality 5. Safety Injection [5] Two scalar variables have the domain: On, Off . The third has a domain of cardinality 3. The integer variable takes values between 0 and 200, but it is only compared with 2 different symbolic constants. CPU Stack The scalars have domains with cardinality 3, 4, and 6, respectively. ....

R. Bharadwaj and C. L. Heitmeyer. Model checking complete requirements specifications using abstraction. Memorandum Report NRL/MR/5540-97-7999, U.S. Naval Research Laboratory, Washington, DC.


On Interpreting Results of Model-Checking with Abstraction - Chechik (2000)   (3 citations)

....abstraction has been explored by several researchers. Most of such abstractions are weak property preserving, e.g. [Clarke et al. 1995, Jackson, 1994, Kelb et al. 1995, Colon and Uribe, 1998, Saidi, 1999]. We discuss some of strong property preserving approaches below. Bharadwaj and Heitmeyer [Bharadwaj and Heitmeyer, 1999, Heitmeyer et al. 1998] analyzed SCR specifications using the SPIN [Holzmann, 1997] model checker. The system is checked against state and transition invariants. The size of the concrete state space is reduced by three abstraction methods: eliminating variables which are not relevant to the ....

....when the pressure falls below a certain threshold. The specification includes 6 variables, two of which are unconstrained integers. This system has been verified by Bultan [Bultan et al. 1998] using his infinite state model checker, also based on the Omega library, and by Bharadwaj and Heitmeyer [Bharadwaj and Heitmeyer, 1999] using SPIN and a set of abstractions built into SCRTool (see Section 2.2). Both approaches were conclusive on two properties: 1. AG( Reset Pressure ≠ High) Overridden) 2. AG( Reset Pressure = TooLow) Injection) Our analysis yielded True for the above properties and for two ....

Bharadwaj, R. and Heitmeyer, C. (1999). "Model Checking Complete Requirements Specifications Using Abstraction". Journal of Automated Software Engineering, 6(1).


Staging Static Analyses Using Abstraction-based Program.. - Hatcliff, Dwyer, Laubach (1998)   (5 citations)

....when moving from this formal presentation of ABPS to a practical system. Ease of use: The system is parameterized on several rather technical constructs (e.g. abstractions expressed as algebras), and a non technical user should not be required to define these from scratch. Recent work [3, 6, 12, 11] has begun to lay the foundation for libraries of reusable abstractions that can be exploited in automated verification. Our goal is to build on such libraries to enable users to select abstractions to be incorporated into the systems they analyze. Instead of explicitly defining , we allow the ....

Ramesh Bharadwaj and Constance Heitmeyer. Model checking complete requirements specifications using abstraction. Technical Report NRL/MR/5540--97-7999, Center for High Assurance Systems, Naval Research Laboratory, Washington DC, 1997.


On Interpreting Results of Model-Checking with Abstraction - Chechik (2000)   (3 citations)

....[33] 2.2 Related Work The idea of verification with the presence of abstraction has been explored by several researchers. Most of such abstractions are weak property preserving, e.g. [9, 25, 26, 10, 32]. We discuss some of strong property preserving approaches below. Bharadwaj and Heitmeyer [1, 22] analyzed SCR specifications using the SPIN [24] model checker. The system is checked against state and transition invariants. The size of the concrete state space is reduced by three abstraction methods: eliminating variables which are not relevant to the property being verified, i.e. slicing ....

....is its variables and their types. Another abstraction constitutes going from a set of values that a variable may have at a certain point of the program to an interval by taking the minimum (maximum) value from the set as the left (right) bound of the interval. For example, α({−1, 5, 3}) = [−1, 5], α({0.5, 1.3, 23}) = [0.5, 23]. Here, the vocabulary of M is the same as M . Both refer to concrete variables and their values. Techniques have been developed [13] to enable finite representations of infinite sets of values and to ensure convergence of the computation of the abstract model ....

[Article contains additional citation context not shown here]

Ramesh Bharadwaj and Connie Heitmeyer. "Model Checking Complete Requirements Specifications Using Abstraction". Journal of Automated Software Engineering, 6(1), January 1999.


Lightweight Reasoning About Program Correctness - Chechik, Ding (2000)   (1 citation)

....we need to ensure that the abstraction is converging: 1. we have a finite representation of the infinite set of values. One way is to abstract from a set to an interval by taking the minimum (maximum) value from the set as the left (right) bound of the interval. For example, • α({−1, 5, 3}) = [−1, 5] • α({0.5, 1.3, 23}) = [0.5, 23]. 2. we ensure convergence in a finite number of steps. With a finite domain abstraction, convergence is guaranteed. To achieve convergence for the infinite domain abstraction, [8] introduced an abstract binary operator widening, denoted as ∇, which represents a ....

....partial, with the convergence dependent on the structure of the program and the formula to be verified. This approach does not utilize abstraction for state space reduction. Bultan verified Properties 1 and 2, and we were not able to determine the exact size of his models. Bharadwaj and Heitmeyer [1] analyzed SCR specifications using the SPIN [15] model checker. Their technique only allows finite domain variables, including integer subranges and enumerated types. The size of the concrete state space is reduced by two methods: eliminating variables which are not relevant to the property being ....

R. Bharadwaj and C. Heitmeyer. "Model Checking Complete Requirements Specifications Using Abstraction ". Journal of Automated Software Engineering, 6(1), January 1999.


Requirements Interaction Management - Robinson, al. (1999)   (6 citations)

....Variables Monitored Variables Environment IN SOFT OUT REQ and NAT Projects Illustrative of Requirements Interaction Management. As an example, consider a transition table for the variable InjectionPressure [14]. This table can be used to define when coolant can be injected into a pressurized container according to the water pressure in the container. The first row of table 14 indicates that the mode of InjectionPressure changes from TooLow to Permitted when WaterPressure Low becomes true. A set of ....

Bharadwaj, Ramesh and Constance L. Heitmeyer. "Model Checking Complete Requirements Specifications Using Abstraction," NRL Memorandum Report NRL/MR/5540--97-7999, November 10, 1997.


Requirements Interaction Management - Robinson, al. (1999)   (6 citations)

....specifications described as deterministic state machines. Two popular tools, SCR [101] and RSML [147], demonstrate how analytic techniques can prove safety and liveness properties for such specifications. For example, SCR (6. 6) has been used to uncover inconsistencies between requirements [13]. Heitmeyer and Mandrioli present an overview of the current state of the art in formal modeling and analysis tools for software specifications [98]. 4.2.2.4 Scenario Analysis As defined in [267], a scenario is a temporal sequence of interaction events among different agents in the restricted ....

....Spin [104] is used to exhaustively check all states of the model for violations of the specified properties. Model checking has been used to verify functional requirements; specifically safety, precedence, or liveness requirements. It has found missing, ambiguous, and erroneous requirements [13][97][251]. Moreover, this work can be applied to analysis of implementations. By instrumenting an implementation to log interesting state changes, a model checker can check the resulting log files to verify properties of the implementation [28]. 4.2.2.6 Execution Monitoring Requirement level ....

Bharadwaj, Ramesh and Heitmeyer, C.L., "Model Checking Complete Requirements Specifications Using Abstraction," NRL Memorandum Report NRL/MR/5540--97-7999, November 10, 1997.


Automatic Analysis of Consistency between Requirements and.. - Chechik, Gannon (1996)   (6 citations)

....is that the verification is fully automated. Model checking has been effectively applied to verifying hardware [22, 19, 15, 49] and distributed systems, including network and security protocols [34, 47, 48, 43, 3]. Model checking has also started to be applied to requirements engineering [6, 23, 60, 7, 64]. However, the size of the state space grows exponentially to the number of variables in the problem, making all but the most trivial programs too large to analyze. Various researchers have been proposing checking abstractions of programs [66, 42, 35]. Unfortunately, coming up with useful ....

....implementation) for language containment properties. Both approaches have been used to formally verify communication protocols and circuit designs, as well as other hardware and software systems. A group of researchers at Naval Research Lab recently undertook a verification effort similar to ours [7]. The goal of this work was to use a linear time model checker SPIN to check consistency of SCR requirements. Promela (an input language for SPIN) is a C like language with non deterministic guarded IF statements. Rather than using analysis to determine when events occurred, their implementation ....

Ramesh Bharadwaj and Connie Heitmeyer. "Model Checking Complete Requirements Specifications Using Abstraction". Journal of Automated Software Engineering, 6(1), January 1999.


Using Model Checking to Generate Tests from Specifications - Ammann, Black, Majurski (1998)   (23 citations)

....hold in the model. The NRL SCR toolkit also includes backend translators to the model checkers SMV and SPIN [19], and it is noteworthy that the translators implement formal abstractions of the SCR models that allow counterexamples from the model checker to be traced back to the SCR specification [6, 5]. Owre, Rushby, and Shankar [22] describe how the model checker in PVS can be used to verify safety properties in SCR mode transition tables. A model checking specification consists of two parts. One part is a state machine defined in terms of variables, initial values for the variables, and a ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Technical Report NRL/MR/5540--97-7999, U.S. Naval Research Laboratory, November 1997.


SCR: A Practical Approach to Building a High Assurance.. - Kirby, Jr., Archer.. (1999)   (4 citations)

....explosion problem, can often be alleviated by abstraction. For SCR , we have developed automatable abstraction methods that reduce the state space either by eliminating variables irrelevant to a property (variable restriction) or by reducing the range of variable values (variable abstraction) [5, 11]. When, as often happens, even abstraction does not allow the state space to be searched exhaustively, a partial search of the state space can often find states that violate a specified property. In addition to finding property violations, most model checkers produce counterexamples in the form of ....

....CD security property with TAME (see Section 3.6) we first used the Spin model checker to search for violations of the property. For each property, we used SCR to automatically extract an abstraction from the CD specification and the property, using the variable restriction method described in [5, 11] to remove all variables irrelevant to the validity of the property. Then, by hand, we applied the variable abstraction method described in [11]. By limiting the range of values that certain variables can assume, this method usually produces a smaller abstraction. In our CD study, the abstractions ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Requirements Specification and Design of a Simplified Telephone.. - Bredereke (1998)   (2 citations)

....for this task. One solution that has been proposed is to select the appropriate controlled variables, and to extract only those parts of the description that are necessary for the definition of the values of these variables. This approach is supported, for example, by the SCR toolset [HBGL95, BhHe97]. But for our task, we do not only need a certain view of the system, we often need to modify the system in order to fit in the new feature. Therefore, we need to know the consequences of making changes. We would like to know answers to two questions: 1. Does the change, made in the partial ....

Bharadwaj, R. and Heitmeyer, C. Model checking complete requirements specifications using abstraction. Technical Report NRL/MR/5540--97-7999, Naval Research Lab., Washington DC (10 Nov. 1997).


A Strategy for Efficiently Verifying Requirements.. - Jeffords, Heitmeyer (2003)   Self-citation (Heitmeyer)

No context found.

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering Journal, 6(1), Jan. 1999.


Verifiable Middleware for Secure Agent Interoperability - Bharadwaj (2002)   Self-citation (Bharadwaj)

....; x_2 ; verification is the process of establishing that each SOL predicate x_i ∈ X is an invariant of Σ. 7 SOL Agent Modules A SOL agent module describes both an agent's environment, which is usually nondeterministic, and the required agent behavior, which is usually deterministic [5, 9]. A SOL agent module describes the required relation between monitored variables, environmental quantities that the agent monitors, and controlled variables, environmental quantities that the agent controls. Additional internal variables are often introduced to make the description of the agent ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Analysis of Agent-Based Systems - Using Decision Procedures (2001)   Self-citation (Bharadwaj)

....In recent years, model checking has emerged as a remarkably effective technique for the automated analysis of descriptions of hardware systems and communication protocols. To analyze software system descriptions, however, a direct application of model checking rarely succeeds [1, 3], since these descriptions often have huge (often infinite) state spaces which are not amenable to the finite state methods of model checking. More important, the computation of a fixpoint (the hallmark of the model checking approach) is not always needed in practice for the verification of an ....

....Also, unlike general purpose theorem provers, Salsa concentrates on a single task and gains efficiency by employing a set of optimized heuristics. The design of Salsa was motivated by the need within the SCR Toolset [4] for more automation during consistency checking and invariant checking [1, 3]. Salsa achieves complete automation of proofs by its reliance on decision procedures, i.e. algorithms that establish the logical truth or falsity of formulae of decidable sub theories, such as the fragment of arithmetic involving only integer linear constraints called Presburger arithmetic. ....

Ramesh Bharadwaj and Constance Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Using Model Checking to Generate Tests from Requirements.. - Gargantini, Heitmeyer (1999)   (29 citations)  Self-citation (Heitmeyer)

.... including an automated consistency checker to detect missing cases and other application independent errors [14]; a simulator to symbolically execute the specification to ensure that it captures the user's intent [13]; and a model checker to detect violations of critical application properties [3, 12]. Recently, groups at NASA and Rockwell Aviation as well as our group at NRL have used the SCR techniques to detect serious errors in requirements specifications of real world systems [7, 21, 12]. By exposing defects in the requirements specification, such techniques help the user improve the ....

....presented in Section 4.1 uses the symbolic model checker SMV [20] whereas the example presented in Section 4.2 uses the explicit state model checker Spin [16]. To translate an SCR specification into either the language of Spin or the language of SMV, we use the translation method described in [3]. A Spin specification and an SMV specification obtained from an SCR specification using this translation method are semantically equivalent. Section 4.3 describes our coverage criterion, a form of branch coverage. 4.1 Generating Test Sequences from Properties To introduce our method, we ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Eng. J., 6(1), January 1999.


Formal Analysis of Domain Models - Bharadwaj (2002)   Self-citation (Bharadwaj)

....to assess their ability to read and understand descriptions of state transitions in the four notations. In the experiment we carried out, we used the SCR Toolset [4] to create a formal model of the domain based on the description provided in [6] and the Toolset's automated analysis tools [1, 2] to arrive at answers to some of the questions in the original study. Other questions were answered by examining the SCR tables. The development of the domain model and its analysis was carried out in less than one afternoon (about three hours), which is comparable to the time taken by most of the ....

....experts, who are usually able to determine, using their expertise, whether the pre state is reachable . In the absence of access to domain experts, we decided to run the model checker Spin after an automatic translation of the SCR model to the language of Spin using the method outlined in [1]. Running Spin immediately yielded a counterexample (a sequence of monitored variable changes starting from the initial state and leading to the transition that falsifies the predicate) of 16 steps. A scenario under which question 2 could be answered in the affirmative was demonstrated by running ....

R. Bharadwaj and C. L. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


SOL: A Verifiable Synchronous Language for Reactive Systems - Bharadwaj (2002)   (1 citation)  Self-citation (Bharadwaj)

....such as security, safety, timeliness (real time) survivability, and fault tolerance. Since SOL is a synchronous data flow language, programs in SOL are readily amenable to automatic static analysis techniques such as automatic theorem proving using decision procedures [6] or model checking [5, 7]. Admittedly, such a style imposes some limitations on expressiveness, which may pose a problem in certain circumstances . One should keep in mind that it is precisely these limitations that make many interesting theorems about SOL programs decidable, thereby opening up the possibility of fully ....

....the Naval Research Laboratory (NRL) to document the requirements of the US Navy's A-7 aircraft [2, 17]. One of the goals of SOL is to be able to directly implement specifications of high quality, such as the ones produced in SCR, in a safe and efficient manner. For illustrative SCR examples, see [5, 13, 14]. Researchers at NRL have provided a formal model for the SCR notation [5, 16] based upon which a number of tools have been developed [6, 15]. For verifying programs in SOL, our intention is to build upon one of these tools, Salsa, which is an invariant checker for state machine descriptions. ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Program Synthesis from Requirements Specifications Using APTS - Leonard, Heitmeyer (2003)   Self-citation (Heitmeyer)

....monitored events, each specified by the name of a monitored variable and a value to be assigned to that variable. The execution model is similar to the execution model of SCR systems used in the translation of SCR into Promela (the language of the SPIN model checker) by Bharadwaj and Heitmeyer [3] and can be described (in pseudocode) as follows. open files; state = 0; initialize new state variables; check assumptions and assertions; while (infile contains another monitored event) { state = state + 1; copy new state variables to old state variables; update new state ....

....is reduced using the rewrite rule for the pattern. This process is repeated until the whole tree has been reduced. As noted in Section 2.3, the code generated by our code generators uses an execution model similar to the execution model of SCR systems used in the translation of SCR into Promela [3]. Both use two sets of variables, one for the old state values and one for the new state values. Both encode the function tables as conditional statements in the target language and both execute the code for the functions in an order determined by the dependency relationship on the variables. One ....

Bharadwaj, R. and C. Heitmeyer: 1999, `Model Checking Complete Requirements Specifications Using Abstraction'. Automated Software Engineering 6(1).


Salsa: Combining Constraint Solvers with BDDs for Automatic.. - Bharadwaj, Sims (2000)   (6 citations)  Self-citation (Bharadwaj)   (Correct)

....technique for the automated analysis of descriptions of hardware and protocols. To analyze software system descriptions, however, a direct application of model checking to a problem (i.e. without a prior reduction of its state space size by the application of abstraction) rarely succeeds [9]. For such systems, theorem proving affords an interesting alternative. Conventional theorem proving systems, however, are often too general or too expensive to use in a practical setting because they require considerable user sophistication, human effort, and system resources. Additionally, the ....

....Like a theorem prover, it uses decision procedures, can handle infinite state systems, and can use auxiliary lemmas to complete an analysis. The design of Salsa was motivated by the need within the SCR Toolset [23] for more automation during consistency checking [24] and invariant checking [9, 22]. Salsa achieves complete automation of proofs by its reliance on decision procedures, i.e. algorithms that establish the logical truth or falsity of formulae of decidable sub-theories, such as the fragment of arithmetic involving only integer linear constraints called Presburger arithmetic. ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Journal of Automated Software Eng., January 1999.


Applying the SCR Requirements Method to the Light Control.. - Heitmeyer, Bharadwaj (2000)   (3 citations)  Self-citation (Bharadwaj Heitmeyer)   (Correct)

....properties using either model checking or theorem proving is still an open question given the high overhead usually associated with these techniques. However, we are developing approaches that reduce this overhead by using automatic abstraction methods to limit state explosion in model checking [5, 9] and by using the automatic generation of invariants [15] and more automatic, more natural theorem proving methods [3, 4, 16] to facilitate the use of mechanical theorem provers. Our application of the SCR simulator to the LCS specification proved to be especially valuable. Once the specification ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Hardware/Software Co-Design and Co-Validation Using the SCR.. - Bharadwaj, Heitmeyer (1999)   Self-citation (Bharadwaj Heitmeyer)   (Correct)

.... for creating and modifying a requirements specification, a consistency checker for checking the specification for application independent properties (e.g. type correctness and unwanted nondeterminism), a simulator for symbolically executing the system based on the specification, a model checker [2] for analyzing the specification for critical application properties, and a dependency graph browser for displaying the dependencies among the variables in the specification. Our ongoing research also includes a new effort to automatically generate source code from SCR specifications. Currently, ....

Ramesh Bharadwaj and Constance Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering, 6(1), January 1999.


Formal Methods for Developing Software Specifications.. - Constance Heitmeyer.. (1999)   (1 citation)  Self-citation (Heitmeyer)   (Correct)

.... consistency checker to expose missing cases, unwanted nondeterminism, and other application independent errors [1], a simulator to symbolically execute the specification to ensure that it captures the user's intent [2], and a model checker to detect violations of critical application properties [3, 4]. The SCR method also provides a customized interface called TAME (Timed Automata Modeling Environment) [5] for verifying specifications using the mechanical theorem prover PVS (Prototype Verification System) [6] and a new tool for automatically generating invariants from SCR specifications [7] ....

.... at least in some contexts, the use of abstraction in model checking is impractical [18] We have developed a new approach to using abstraction in model checking which derives a sound, and often complete, abstraction automatically from the requirements specification and the property to be analyzed [4, 3]. By a sound abstraction, we mean that any property that holds for the abstraction also holds in the original specification; by a complete abstraction, we mean that any property that holds in the original specification also holds in the abstraction. Because construction of the abstraction is ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Eng. J., 6(1), January 1999.


Automatic Generation of State Invariants from Requirements.. - Jeffords, Heitmeyer (1998)   (13 citations)  Self-citation (Heitmeyer)   (Correct)

.... properties, such as type errors and missing cases; the simulator helps the user detect cases in which the specification fails to satisfy the specifier's intent, and a newly integrated model checker SPIN [21] detects violations of application specific properties, such as safety properties [6]. Recently, NRL applied the SCR tools to a sizable contractor produced requirements specification of the Weapons Control Panel (WCP) for a safety critical U.S. military system [15]. The tools uncovered numerous errors in the contractor specification, including a safety violation. This violation, ....

....≠ j, is false. Using this semantics along with the assumption about initial states, we can easily derive the following state invariants from Table 5: SafetyInjection = On ⇔ Pressure = TooLow ∧ ¬Overridden (4), and its equivalent form, SafetyInjection = Off ⇔ Pressure ≠ TooLow ∨ Overridden. In [6], the following two properties of the Safety Injection System are proved using model checking: Property X: Reset = On ∧ Pressure ≠ High ⇒ ¬Overridden; Property Y: Reset = On ∧ Pressure = TooLow ⇒ SafetyInjection = On. Property X is easily derived from the invariant in (3) since (3) is stronger. ....

[Article contains additional citation context not shown here]

Bharadwaj, R., and Heitmeyer, C. Model checking complete requirements specifications using abstraction. Journal of Automated Software Engineering (Jan. 1999). To appear.
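The two-copy execution model described in the Leonard and Heitmeyer excerpts (old and new state variables, tables encoded as conditionals, functions evaluated in dependency order, one monitored event per step) and the Safety Injection System invariant (4) and Properties X and Y quoted from Jeffords and Heitmeyer, worked through as an added Python example. This is editorial code, not code from the original page, from the SCR Toolset, or from any of the cited papers. The mode transition, event and condition tables, the thresholds LOW and PERMIT, the bound MAX_PRES, the gradual-change assumption on WaterPres and the initial state are all assumptions of this example (a simplified reconstruction of the SIS example); the explicit-state breadth-first search stands in for Spin and returns a shortest counterexample trace when a property fails.

```python
from collections import deque
from dataclasses import dataclass

# Assumed constants: the SCR example uses symbolic thresholds Low and Permit;
# MAX_PRES bounds WaterPres so that the state space is finite.
LOW, PERMIT, MAX_PRES = 9, 10, 20


@dataclass(frozen=True)
class State:
    water_pres: int        # monitored variable
    block: str             # monitored variable: "On" / "Off"
    reset: str             # monitored variable: "On" / "Off"
    pressure: str          # mode class: "TooLow" / "Permitted" / "High"
    overridden: bool       # term
    safety_injection: str  # controlled variable: "On" / "Off"


def initial_state() -> State:
    # Assumed initial state: low pressure, reset asserted, no override.
    return State(0, "Off", "On", "TooLow", False, "On")


def monitored_events(s: State):
    """One Input Assumption: each event changes exactly one monitored variable.
    WaterPres is assumed to move by at most 1 per event (gradual-change
    environmental assumption of the SIS example)."""
    if s.water_pres < MAX_PRES:
        yield ("WaterPres", s.water_pres + 1)
    if s.water_pres > 0:
        yield ("WaterPres", s.water_pres - 1)
    yield ("Block", "Off" if s.block == "On" else "On")
    yield ("Reset", "Off" if s.reset == "On" else "On")


def step(old: State, event) -> State:
    """Apply one monitored event. `old` is the old-state copy; new values are
    computed table by table in dependency order (Pressure, then Overridden,
    then SafetyInjection), each table encoded as conditionals."""
    var, val = event
    water_pres = val if var == "WaterPres" else old.water_pres
    block = val if var == "Block" else old.block
    reset = val if var == "Reset" else old.reset

    # Mode transition table for Pressure (assumed reconstruction).
    pressure = old.pressure
    if old.pressure == "TooLow" and water_pres >= LOW:
        pressure = "Permitted"
    elif old.pressure == "Permitted" and water_pres < LOW:
        pressure = "TooLow"
    elif old.pressure == "Permitted" and water_pres >= PERMIT:
        pressure = "High"
    elif old.pressure == "High" and water_pres < PERMIT:
        pressure = "Permitted"

    # Event table for Overridden. @T(c) means c is false in the old state and
    # true in the new one; a WHEN clause is evaluated in the old state.
    entered_mode = pressure != old.pressure               # @T(Inmode)
    at_t_block_on = old.block == "Off" and block == "On"  # @T(Block = On)
    at_t_reset_on = old.reset == "Off" and reset == "On"  # @T(Reset = On)
    if pressure == "High":
        overridden = False if entered_mode else old.overridden
    elif entered_mode or at_t_reset_on:
        overridden = False
    elif at_t_block_on and old.reset == "Off":            # WHEN Reset = Off
        overridden = True
    else:
        overridden = old.overridden

    # Condition table for SafetyInjection: On only in TooLow when not overridden.
    safety_injection = "On" if pressure == "TooLow" and not overridden else "Off"
    return State(water_pres, block, reset, pressure, overridden, safety_injection)


def check(prop):
    """Explicit-state breadth-first search over the reachable states. Returns
    None if `prop` holds in every reachable state, otherwise the shortest
    sequence of monitored events that reaches a violating state."""
    init = initial_state()
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not prop(s):
            trace = []
            while parent[s] is not None:
                prev, ev = parent[s]
                trace.append(ev)
                s = prev
            return trace[::-1]
        for ev in monitored_events(s):
            t = step(s, ev)
            if t not in parent:
                parent[t] = (s, ev)
                queue.append(t)
    return None


# Invariant (4), Property X and Property Y as quoted above, plus a claim that
# is too strong and is refuted by a counterexample.
def invariant_4(s):
    return (s.safety_injection == "On") == (s.pressure == "TooLow" and not s.overridden)

def property_x(s):
    return not (s.reset == "On" and s.pressure != "High") or not s.overridden

def property_y(s):
    return not (s.reset == "On" and s.pressure == "TooLow") or s.safety_injection == "On"

def too_strong(s):
    return s.pressure != "TooLow" or s.safety_injection == "On"


if __name__ == "__main__":
    for name, p in [("(4)", invariant_4), ("X", property_x), ("Y", property_y), ("too strong", too_strong)]:
        cx = check(p)
        print(name, "holds" if cx is None else f"violated, counterexample: {cx}")
```

Because every table is applied in dependency order against the old-state copy, the search never sees a half-updated state, which is the same reason consistency-checked SCR specifications model check more efficiently. The refuted claim shows the counterexample form a practitioner would then replay in the simulator: two monitored events, Reset to Off and then Block to On, reach a TooLow state with SafetyInjection Off.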


Using the SCR Toolset to Specify Software Requirements - Heitmeyer (1998)   (1 citation)  Self-citation (Heitmeyer)   (Correct)

....the Spin model checker [9] to check properties of the specification. Once a property violation is detected, the user can run the simulator to demonstrate and validate the violation. To make model checking practical, we have developed sound methods for deriving abstractions from SCR specifications [2, 5]. The methods are practical: none requires ingenuity on the user's part, and each derives a smaller, more abstract specification automatically. Based on the property to be analyzed, these methods eliminate unneeded detail from the specification. Theorem Prover. When model checking fails to ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering Journal, 6(1), Jan. 1999.


On the Need for Practical Formal Methods - Heitmeyer (1998)   (6 citations)  Self-citation (Heitmeyer)   (Correct)

....hoc ways; the correspondence between the abstraction and the original specification is based on informal, intuitive arguments. Needed are mathematically sound abstractions that can be constructed automatically. Recent progress in automatically constructing sound abstractions has been reported in [4, 5]. Provide Good Feedback. When formal analysis exposes an error, the user should be provided with easy to understand feedback useful in correcting the error. Techniques for achieving this in consistency checking already exist (see, e.g., [12, 23]). As noted above, counterexamples produced by model ....

....This is in contrast to heavy duty techniques where the user needs to be a good violinist. Formal methods research has already produced a significant body of theory. Moreover, some promising research is currently in progress in automated abstraction and automatic generation of invariants (e.g. [19, 4, 15, 5]). However, to make formal methods practical, good engineering is needed. The user of formal methods should not need to communicate the required system behavior in some arcane language nor to decipher the meaning of obscure feedback from an analysis tool. What a practical formal method should do ....

R. Bharadwaj and C. Heitmeyer. "Model checking complete requirements specifications using abstraction." Automated Software Eng. Journal (to appear).


Applying the SCR Requirements Method to a Weapons Control .. - Heitmeyer, Kirby, Labaw (1998)   (4 citations)  Self-citation (Heitmeyer)   (Correct)

.... the specification editor, the consistency checker, and the simulator to detect 24 errors, many of them serious, in the requirements specification of an example flight guidance system [25]. This paper describes a third pilot project in which the SCR tools, including a newly integrated model checker [5, 4], were applied to a safety critical military system. After introducing the system of interest, the Weapons Control Panel (WCP), this paper describes how we translated a draft software requirements specification (SRS) prepared by a military contractor into the SCR notation, the problems encountered ....

....states (s, s′) where s, s′ ∈ S and there exists an enabled input event e ∈ E_m such that T(e, s) = s′. To analyze property q, we translated q, which the SRS describes in prose, into propositional logic and then used our abstraction methods to generate a reduced model of the WCP [5, 4]. Invoking the explicit state model checker Spin [22] on the reduced model exposed a violation of the property and a counterexample, i.e. a sequence of input events that leads to two states in which the violation occurs. To demonstrate the violation and to ensure that the detected error was not ....

R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Technical Report 97-7999, Naval Research Lab., Wash., DC, 1997.


SCR*: A Toolset for Specifying and Analyzing Software .. - Heitmeyer, Kirby.. (1998)   (4 citations)  Self-citation (Bharadwaj Heitmeyer)   (Correct)

....with the simulator. In a third project, researchers at the JPL (Jet Propulsion Laboratory) used SCR to analyze specifications of two components of NASA's Deep Space 1 spacecraft for errors [13]. In a fourth pilot project, NRL applied the SCR tools, including a newly integrated model checker [3], to a sizable contractor produced requirements specification of the Weapons Control Panel (WCP) for a safety critical US military system [10]. The tools uncovered numerous errors in the contractor specification, including a serious safety violation. Translating the contractor specification ....

....In developing an SCR specification, the user normally invokes the consistency checker first and postpones more heavy duty analysis such as model checking until later. By exploiting the special properties guaranteed by consistency checking (e.g. determinism), later analyses can be more efficient [3]. Simulator. To validate a specification, the user can run the simulator [9] and analyze the results to ensure that the specification captures the intended behavior. Additionally, the user can define invariant properties believed to be true of the required behavior and, using simulation, execute ....

[Article contains additional citation context not shown here]

R. Bharadwaj and C. Heitmeyer. "Model checking complete requirements specifications using abstraction." Journal of Automated Software Eng. (to appear).


From Object Orientation to Goal Orientation: A Paradigm.. - van Lamsweerde, Letier (2003)   (Correct)

No context found.

R. Bharadwaj and C. Heitmeyer, "Model Checking Complete Requirements Specifications Using Abstraction," Automated Software Engineering, Vol 6, No. 1, January 1999, 37-68.


Model Checking Software, 10th International SPIN.. - Requirements..   (Correct)

No context found.

Ramesh Bharadwaj and Constance L. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering: An International Journal, 6(1):37--68, January 1999.


From Object Orientation to Goal Orientation: A Paradigm.. - van Lamsweerde, Letier   (Correct)

No context found.

R. Bharadwaj and C. Heitmeyer, "Model Checking Complete Requirements Specifications Using Abstraction," Automated Software Engineering, Vol 6, No. 1, January 1999, 37-68.


An Abductive Approach for Analysing Event-Based.. - Russo, Miller.. (2001)   (2 citations)  (Correct)

No context found.

Bharadwaj, R., and Heitmeyer, C. (1997). Model Checking Complete Requirements Specifications Using Abstraction, Technical Report No. NRL-7999, Naval Research Laboratory, Washington.


Avionics Systems Requirements: A Comparison of RSML and SCR - Dutertre, Stavridou   (Correct)

No context found.

R. Bharadwaj and C. Heitmeyer. Model Checking Complete Requirements Specifications using Abstraction. Report NRL/MR/5540-97-7999, Naval Research Lab., November 1997.
