Automatic Analysis of Consistency Between Implementations and Requirements by Marsha Chechik    , & Gannon, John
AUTOMATIC ANALYSIS OF CONSISTENCY BETWEEN
IMPLEMENTATIONS AND REQUIREMENTS

Marsha Chechik John Gannon
Computer Science Department
University of Maryland
College Park, MD 20742
fchechik,gannong@cs.umd.edu
Date: July 28, 1995
Abstract
Formal methods like model checking can be used to demonstrate that safety
properties of embedded systems are enforced by the system's requirements. Unfortu-
nately, proving these properties provides no guarantee that they will be preserved in
an implementation of the system. We have developed a tool, called Analyzer, which
helps discover instances of inconsistency and incompleteness in implementations with
respect to requirements.
Analyzer uses requirements information to automatically generate properties which
ensure that required state transitions appear in a model of an implementation.
A model is created through abstract interpretation of an implementation anno-
tated with assertions about values of state variables which appear in requirements.
Analyzer determines if the model satises both automatically-generated and user-
specied safety properties.
This paper presents a description of our implementation of Analyzer and our
experience in applying it to a small but realistic problem.

This research is supported in part by the Air Force Oce of Scientic Research under
contract F49620-93-1-0034.
1 Introduction
The keys to winning acceptance for employing formal methods during system development
include demonstrating that their use improves software quality, amortizing the cost of their
creation across several dierent analysis activities, and reducing the cost of their application
through automation. Software quality can be improved by eliminating errors arising from
inconsistencies within the description of a system or between two dierent descriptions of
a system. Automated techniques can be used to derive a nite-state representation of a set
of requirements, and determine if it is a model for system safety properties expressed as
temporal logic assertions[4]. We present a complementary technique which automatically
compares properties derived from a set of requirements with a nite state representation
of its implementation.
Requirements for embedded systems often describe a system as a set of concurrently
executing state machines ([2, 15, 24, 13]) which respond to events in their environment. An
implementation is consistent with its requirements if the implementation's state transitions
are enabled by the same events as those of the requirements, all the requirement's state
transitions appear in the implementation, and the requirement's safety properties hold in
the implementation.
Generally, these properties are judged during code inspections conducted by teams of
reviewers. Reviewers successfully discover local inconsistencies, but the bookkeeping tasks
needed to determine all the possible system states at a particular program point make it
dicult to ensure that global properties of the system hold. We developed a prototype tool,
called Analyzer[5, 6], which automatically determines if an implementation is consistent
with its requirements. The inputs to the tool are a requirements specication and a C
source program annotated with comments describing the values of variables which appear
in the requirements. As Figure 1 illustrates, our tool automatically generates a set of checks
equivalent to temporal logic formulas to ensure the consistency of an implementation with
its requirements. The implementation is abstracted into a nite-state machine (FSM),
and a special-purpose model checking algorithm determines if the FSM is a model of the
properties.
In this paper we describe the tool and show results of a case study in which we ana-
lyzed an implementation of a water-level monitoring system (WLMS) [31] and discovered
several latent errors. The rest of the paper is organized as follows: Section 2 presents our
requirements specication format. In Section 3, we describe the types of global system
properties which are automatically generated from the specications. Section 4 discusses
the process of building a nite-state model of the implementation. In Section 5, we present
an algorithm to check automatically-generated and user-dened system properties. Sec-
tion 6 discusses our approach to processing programs with multiple procedures. Section 7
1
Transformation
    Algorithm
Temporal










       SCR 
Requirements
         +
      Safety
   Properties
Figure 1: Algorithm to solve the problem.
presents the WLMS case study. Finally, in Section 8, we compare the approach taken in
Analyzer with related work and discuss limitations of our approach.
2 Requirements Notation
This section describes the requirements specication format. Software Cost Reduction
(SCR) requirements[2, 14, 16, 17] model a system as a set of concurrently executing state
machines, where each machine interacts with its environment's state variables. Each state
machine represents one mode class, whose states are modes and whose transitions occur in
response to events. Modes within a mode class are disjoint, and the system is in exactly
one mode of each mode class at all times. Changes to its monitored state variables may
cause the system to change its mode or to alter values of its controlled variables (see Figure
2). A condition is a predicate on monitored or mode class variables. An event occurs when
the value of a condition changes. For example, @T(A) WHEN [B] occurs if a condition A
changes its value from False to True while a condition B is True. We refer to A and B as











Figure 2: SCR Requirements notation.
SCR requirements use tables to dene the values of controlled variables and mode
transitions. There is one table for each controlled variable and for each mode class. Each
entry in a condition table denes a value of a variable as a function of a system's modes
and events. Each entry in a mode transition table maps a mode and an event to another
mode in the same mode class.
Table 1 shows a mode transition table for a simple system. We use this example
throughout the paper, referring to it as the Simple System Example (SSE). This system
has one mode class M with modes M1, M2, and M3; three monitored variables A, B, and C;
and two controlled variables D and E. Mode class M starts in mode M1, and all variables
except B and E are initially False. M transitions from M1 to M2 when C becomes True
(indicated by \@T") while B is True (indicated by \t"), and transitions to M3 when B
becomes False (\@F"). Entries marked by \{" are generally considered \don't care" values,
although some values can be inferred from relationships between variables (see below).
Current Mode A B C New Mode
M1 { t @T M2
{ @F { M3
M2 @T @T { M1
t @F { M3
M3 @T { { M1
{ f @F M2
Initial: M1 if (A & B & C)
Table 1: Mode transition table for SSE.
3
The values of controlled variables change in response to events when the system is in
particular modes. Table 2 shows an event table for a controlled variable D. This variable





D = True False
Initial: False
Table 2: Event table for a controlled variable D.
Our analysis tool processes a simplied version of SCR specications in ASCII format,
using boolean variables to represent predicates on monitored and controlled variables.
In addition to mode transition and event tables, our requirements format also includes
declarative information about system variables which often appears in other sections of an
SCR requirements document. This information records relationships between monitored
or controlled variables. Relationships help requirements designers eliminate redundant
information and increase the clarity of specications[3]. They also improve readability and
reduce the eort involved in annotating an implementation. The following is a list of the
relationships which we implemented:
 An equivalence (B = C) is a relationship which indicates that B and C change their
values at the same time.
 An implication (B -> C) is a relationship which indicates that when B is True, C
should be True; and when C is False, B should be False. In specifying SSE, we use
a relationship E -> D to indicate that whenever E is True, D is False.
 A strict implication relationship (B ->> C) is similar to implication except that
when B becomes True, C should already True, and when C becomes False, B should
already be False.
 A timeline relationship (T1 < T2) exists between variables which represent dierent
lengths of time during which a particular condition holds. For example, T1 indicates
that a condition is True for a shorter length of time than T2. T1 must be True when
T2 becomes True, and must become False when T2 becomes False.
 An enumeration relationship (A j B j C) indicates that exactly one of the conditions
is True at all times.
4
 A range enumeration relationship (A | B | C) is an enumeration relationship with
an extra restriction that changes can aect only adjacent conditions, e.g., when A
becomes True, B becomes False and C remains False.
The requirements designer may also specify system safety properties. Such properties
duplicate information stored in the transition tables, but capture the desired information





propositional logic formulae; M is a system mode):
 smi(M , P ) (strong mode invariant) is satised when P is an invariant of a mode M .
For SSE, we specify smi(M=M1, A) to indicate that A is True when the system is
in mode M1 of mode class M.
 wmi(M , P ) (weak mode invariant) is similar to smi. Conditions which change values
as the result of triggering events may still be part of a weak mode invariant. For
example, if conditions A and B are False when mode M1 is entered, and the event
@T(A) WHEN B causes a transition from M1, then the strong and the weak mode





) is satised if whenever P
1
is True, either P
2
is True or the next transi-
tion of the system will establish a state in which P
2
holds. For example, a property
cause(M=M3 & C, D) in SSE specications indicates that the system will reach a





) is satised if whenever P
1
is True, the next transition of the system
will establish a state in which P
2
holds.
 reach(P ) is satised if the system can reach a state in which Property holds. reach
properties are usually used to ensure that other types of properties are not satised
vacuously. For example, specifying reach(M=M3) for SSE indicates that the system
should eventually transit to mode M3.
A full specication of SSE can be found in Appendix A.
3 Implementation Properties
An implementation is consistent with its requirements if it implements all state transi-
tions specied in the requirements, does not implement any state transitions which are not
specied in the requirements, and satises all user-dened safety properties. A require-
ments specication can be translated into a list of properties which capture this notion
5
of consistency. To prove that an implementation is consistent with its requirements, we
demonstrate that the implementation is a model of all of all these properties. We express
system properties as Computation Tree Logic (CTL)[8] formulae. CTL is a propositional
branching time logic, whose temporal operators permit explicit quantication over all pos-
sible futures. Table 3 summarizes some CTL operators.
CTL Operator Description
A(f) f holds in every immediate successor
E(f) f holds in some immediate successors
A3(f) f eventually holds on all paths
E3(f) f eventually holds on some paths
A2(f) f holds on all paths
Table 3: CTL Operators.
3.1 Automatically-Generated Safety Properties





ensure that the only transitions to a mode are those specied in
P
1
= A2(M1 _ (E M
1
! (M1 _ (M
2











& B & @T (C)) _ (M
3









& @F (B)) _ (M
2








































& B & @F (C) & E M
2
)
Figure 3: Properties to ensure consistency with SCR mode tables.
the requirements. For example, P
2
asserts that if the system will be in mode M
2
in
its next state, then either it must already be in that mode or one of the requirements'
transitions is occurring: the system is in mode M
1
with an event @T (C) WHEN[B], or in
M
3
with an event @F (C) WHEN[ B]. P
2
was obtained from composing the rows in the
SCR tables which have M
2
in their right columns. P
1
slightly diers from P
2
since it
captures the fact that the system starts in mode M
1
. Such properties are called \only
6
legal transitions" (OLT). There is one such property generated for every requirements




ensure that all transitions specied in





correspond to the two transitions leaving mode M
1
and can be
obtained by composing the rows of the SCR tables which have M
1
in their left columns.
There is one ALT property for every row of every mode transition table specied in the









are ALT properties which ensure that all changes to D specied in
the requirements appear in the implementation. There are two OLT properties generated
for each controlled variable, reecting changes of value to True and False, respectively, and
one ALT property generated for each row of every event table.
P
10
= A2(D _ (E D! (D _ (@F (C) &M3))))
P
11
= A2(E D ! (D _ (@T (C) &M1)))
P
12
= E3(D & @F (C) &M3 & E D)
P
13
= E3(D & T (C) &M1 & E D)
Figure 4: Properties for the controlled variable D.
3.2 User-Specied Safety Properties
The ve types of properties that the user can specify in our requirements format can be
easily translated into CTL formulae, as shown in Figure 5. This Figure clearly identies
the dierence between smi and wmi properties. Property smi(M;P ) means that for every
state of the system P holds whenever the system is in mode M . In contrast, property
wmi(M;P ) means that P holds only in those states where the system is in mode M and
remains in M in at least one of its next states.
U
1
= smi(M;P ) = A2(M _ P )
U
2
































Figure 5: Formulae for user-specied properties.
These types of user-specied properties frequently appear in requirements documents,
and during our case studies we did not need to verify any other types of properties. Re-
7
quirements specications of realistic size and complexity (like [2]), however, contain global
properties which cannot be expressed using only these assertions. Allowing the user to
specify a richer set of properties is relatively easy, although not every CTL-expressible
formula can be veried during our analysis. We defer a further discussion of this issue
until Section 8.







     flow graph
Figure 6: Layers of abstraction.
In this section we present a way to create an abstraction of a program which we use for
our analysis. We need a way to establish a correspondence between the implementation
and information specied in the requirements. Our solution involves annotating the pro-
gram and, assuming that the annotations correctly reect what the code does, using these
annotations together with control-ow information of the program to create the necessary
abstraction (see Figure 6). Afterwards, we use this abstraction to check system properties.
4.1 Annotating an Implementation
Annotations are user-specied comments which record mode transitions and changes to the
values of controlled and monitored variables. Annotations are interleaved with the program
statements, but start with @@ to distinguish them from the program text. Annotations
capture local rather than invariant program properties, and therefore are relatively easy
to specify.
We distinguish between controlled, monitored, and mode class variables. Monitored
and controlled variables have boolean values; mode class variables have values which form
8
enumerated types whose constant values are the modes of the mode class. Thus our system
states consist of a nite number of variables whose types contain only a nite number of
values.
An Initial annotation indicates the starting state of each mode class. It uncondition-
ally assigns values to variables. This annotation corresponds to initialization information
specied in the requirements. An Update annotation assigns values to variables, identify-
ing points at which the program changes its state. Analyzer uses Update annotations to
compute sets of values that requirements variables may have at these points (i.e., possible
system states). An Assert annotation asserts that variables must have particular values
in the current system state. Static analysis usually gives imprecise results because system
states are aggregated. Assert annotations reduce the amount of information in the system
state to what the programmer knows to be true.
The usual objections to inserting annotations in the code are that this process greatly
increases the amount of work during the implementation step and that the properties
described by annotations may be complex. Annotations generally correspond to assign-
ments of constants to variables or predicates on a variable's value. Thus, blocks of code
which compute new values of variables often do not need to be annotated. Our experience
indicates that the usual code/annotation ratio is about 10/1. The properties described
by annotations are simple since they describe local state changes rather than invariant
properties.
Figure 7a contains a fragment of an implementation of the Water-Level Monitoring
system which is the subject of our case study. We presented the code with some typical user
comments in order to compare the comments and our annotations (Figure 7b). Although
the rst portion of the code manipulates variables to compute a new system state, it is
not annotated. The remaining part, consisting of predicates and assignments of constant
values to variables, is heavily annotated.
Although most of our experience came from annotating existing code, we envision a
code development process in which annotations are inserted while the program is being
written.
4.2 Creating an Annotated Flow Graph
We construct a CFG of the program from the source text and annotations, and then
propagate the state information about the requirements variables throughout the CFG.
Figure 8a shows a small fragment of the implementation of the SSE. We have omitted all
program variables and kept only the program control ow and annotations. This is the
9
    SET_MODE (OperatingClass, Operating);
  }
  ...
  GET_MODE(OperatingClass, OPCM);
  if (!MODE_EQ(OPCM, Test))) && 
      (PRESSED(SlfTst))){
    /* we are not in Test and self-test */
    /* button is pressed */
    SET_MODE(OperatingClass, Test);






  GET_MODE(OperatingClass, OPCM);
  WATER_LEVEL(&LVLCM);
  INLIM=((LVLCM<(float)DPAR_HWL) &&
         (LVLCM>(float)DPAR_LWL));
  GET_TIME(SHUTER, &SHUTTM);
  if (ERR_VAR_F(CLK_ERR)==CLK_OVERFLOW) {
    RESET_TIMER(SHUTER);
    SHUTTM=0;
  }
     (SHUTTM<DPAR_SLT) && !PRESSED(SlfTst)){
  if (MODE_EQ(OPCM, Shutdown) && INLIM &&
while(TRUE) {
  ...
  GET_MODE(OperatingClass, OPCM);
  WATER_LEVEL(&LVLCM);
  INLIM=((LVLCM<(float)DPAR_HWL) &&
         (LVLCM>(float)DPAR_LWL));
  GET_TIME(SHUTER, &SHUTTM);
  if (ERR_VAR_F(CLK_ERR)==CLK_OVERFLOW) {
    RESET_TIMER(SHUTER);
    SHUTTM=0;
  }
     (SHUTTM<DPAR_SLT) && !PRESSED(SlfTst)){
    /* we are in mode Shutdown and water */
    /* is within limits */
  if (MODE_EQ(OPCM, Shutdown) && INLIM &&
    SET_MODE (OperatingClass, Operating);
  }
  ...
  GET_MODE(OperatingClass, OPCM);
  if (!MODE_EQ(OPCM, Test))) && 
      (PRESSED(SlfTst))){
    SET_MODE(OperatingClass, Test);





    @@ Assert Normal(Shutdown);
    @@ Update WithinLimits & ~SlfTstPressed
& ~ShutdownLockTime200;
@@ Update Normal(Operating);
    @@ Assert ~Normal(Test);
    @@ Update SlfTstPressed;
@@ Update Normal(Test);
Figure 7: Annotations in WLMS code.
starting point for the analysis of the SSE.




V is a nite set of nodes corresponding to decisions, joins and annotations of P .









in some execution sequence; and
V
0
2 V is an entry node.
10
We interpret annotations in an ANP to create a set-based approximation of attainable
values for each requirements' variable[10, 11]. We compute two sets of information for our
analysis: reaching values (RVs) and conditions (Conds). The RV of a variable at a node is a
set of values that a variable may attain if the control reaches the node. RVs are computed
by interpreting Update and Initial annotations. The Cond of a variable at a node is a
set of values the variable must attain if control reaches the node. Conds are computed by
interpreting all annotations.
We use a simple abstraction function  to map the nite sets of values that variables








is a set of concrete values that a variable may (or must) attain if control reaches
some program node and V
a
is a set of abstract values used to represent RVs and Conds for
each variable. Values of V
a
are partially ordered via set inclusion.








c; 8(c 2 V
c
) ^ ((c) = a)
is an inverse of , and gives the concrete form of an abstract value, treating variables with
abstract values corresponding to multiple concrete values as having each of these values.
For example, if the abstract value of A is fTrue,Falseg, then A can have concrete values
True or False.
Denition 4.2 A system state SS at a node n is a set of triples (i; v; c) such that
i 2 R, where R is the set of all controlled, monitored and mode class variables;
v 2 V
a
is an abstract value representing the RV of i at the node n; and
c 2 V
a
is an abstract value representing the Cond of i at the node n.
For a system state SS, let
RV(SS) = f(i; v) j (i 2 R) ^ (v 2 V
a
) ^ (9c 2 V
a
s:t: (i; v; c) 2 SS)g
Cond(SS) = f(i; c) j (i 2 R) ^ (v 2 V
a
) ^ (9v 2 V
a
s:t: (i; v; c) 2 SS)g
RV(SS; i) = fv j (i; v) 2 RV(SS)g
Cond(SS; i) = fc j (i; c) 2 Cond(SS)g
To evaluate programs abstractly, we dene the meaning of union and widening opera-
tions ([10]) for system states. These operations are used to combine state information at
11
join nodes of condition and loop statements, respectively. The union operation combines





two system states, then their union SS
r








= f(i; v; c) j (i 2 R) ^ (v 2 V
a
) ^ (c 2 V
a
) ^
(v = RV (SS
1





; i) [ Cond(SS
2
; i))g
Thus, our system states form a complete
S
-lattice under the partial ordering of set inclu-
sion. Given that all variables inR have a nite number of abstract values, our system states
do not have an innite increasing chain of values[10], and thus we can dene our widening
operation to be the same as union. Thus, we no longer need to distinguish between the
two types of join nodes, which simplies our analysis signicantly.
Our computation of system states at each node of the ACFG is similar to that of reach-
ing denitions via dataow techniques ([1, 7]). gen sets capture new values generated at
each node in an ACFG. The sets are empty except for nodes corresponding to annotations,
which contain variable-value pairs for each variable. These pairs are produced from values
in annotations and from information about the relationships between variables. Variables
which are unrelated to those appearing in annotations, have empty-set values in the gen




, to compute RVs and Conds.
These sets are identical except at nodes corresponding to Assert annotations where gen
u
is an empty set and gen
a
contains variable-value pairs derived from the annotation.











kill(n) = f(i; v
1
) j ((i; v
2
) 2 gen(n)) ^ ((v
2
= ? ! v
1







where \{" is set dierence and > indicates the set of all possible values for i.
Figure 8b shows the ACFG for the code fragment in Figure 8a. gen and kill sets
computed at each node are shown in bold face on this gure. We did not include variables
whose values are empty sets. The rst Assert generates Cond information that mode class
M has to be either in mode M1 or M3, and thus the value M2 is killed. The second
Assert (on the left branch) generates the value True for B (killing False), and the Update




sets. The right branch is
similar. The Update on the join generates the value True for D and M2 for M. Since D is
related to E via implication, this Update also generates the value False for E.
We compute in(n) and out(n) attributes whose values are system states before and
after a node n, respectively (SS(n) = out(n)), via a least xed point algorithm using the
12
following system of equations:
in(n) =
S









(n) [ (Cond(in(n))  kill
a
(n))
where union and dierence are the usual set operations. Figure 8b shows Conds and RVs
in italic and regular fonts, respectively. Nodes of the graph which aect the computation
of reaching values are shaded. Assume that processing starts with RV and Cond sets being
f(A, fg), (B, fTrue, Falseg), (C, fg), (D, fTrue, Falseg), (E, fFalseg), (M, fM1,M2,M3g)g.
The rst Assert changes the value of M in Cond to fM1,M3g. The Assert on the left branch
restricts the value of B to fTrueg in the Cond set, whereas the Update changes the value
of C to fTrueg in both the subsequent Cond and RV sets. The right branch is similar. At
the join, we union the possible values for variables in RVs and Conds. C and B are fTrueg
on the left branch and fFalseg on the right, and so their resulting values are fTrue, Falseg
in both RV and Cond sets.
4.3 Constructing a Finite-State Machine
We create a Finite-State Machine FSM from an ACFG (see Figure 6) and use it for
verication of the system properties. In an ACFG (G = hV;E; V
0
i), let U  V and I 
V be sets of nodes containing Update and Initial annotations, respectively. (U and I are
disjoint.)




A is a set of system states;
S = U [ I is a nite set of nodes;
L: S ! A is a function labeling each node with a system state which holds
in that node;
N  S  S is a total transition relation
1
, i.e. 8x 2 S 9y 2 S s.t. (x, y) 2 N.
N is obtained by connecting nodes of S s.t. there is an Update-clear path
between them in ACFG; and
s
0
2 S is an entry node.











true for every i. A path is feasible if it can be taken during some execution of the program.
1
We add loops at terminal states since our specications describe only innite behaviors.
13
@@ Assert M(M1) or M(M3);
if (...) {
    @@ Assert B;
    @@ Update C;
}
else {
    @@ Assert ~B;
    @@ Update ~C;
}
@@ Update M(M2) & D;
Assert M(M1) or M(M3)
Assert B Assert ~B
Update C Update ~C
Update M(M2) & D
b)
a)
Cond = {(A, {}), (B, {True}) , 
(C, {}), {D, {True,False}),  
(E, {False}), (M, {M1,M3})}
genu = gena = {(C, {True})}
killu = killa = {(C,{False})}
RV = {(A, {}), (B, {True,False}),
(C, {True}), (D, {True,False}),
(E, {False}), (M, {M1,M2,M3})}
Cond = {(A, {}), (B, {True}),  
(C, {True}), (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
RV = {(A, {}), (B, {True,False}), 
(C, {False}), (D, {True,False}), 
(E, {False}), (M, {M1,M2,M3})}
Cond = {(A, {}), (B, {False}),
(C, {False}), (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
genu = gena = {(C, {False})}
killu = killa = {(C, {True})}
Cond = {(A, {}), (B, {True,False}), 
(C, {True,False}), (D, {True,False}), 
(E, {False}), (M, {M1,M2,M3})}
RV = {(A, {}), (B, {True,False}), 
(C, {True,False}), (D, {True}),
(E, {False}), (M, {M2})}
Cond = {(A, {}), (B, {True,False}), 
(C, {True,False}), (D, {True}), 
(E, {False}), (M, {M2})}
killa = {(B, {False})}
gena = {(B, {False})}
killa = {(B, {True})}
Cond = {(A, {}), (B, {True,False}), 
(C, {}) , (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
gena = {(M, {M1,M3})}
killa = {(M, {M2})}
RV = {(A, {}), (B, {True,False}), 
(C, {}), (D, {True,False}), 
(E, {False}), (M, {M1,M2,M3})}
Cond = {(A, {}), (B, {True,False}), 
(C, {}), (D, {True,False}), 
(E, {False}), (M, {M1,M2,M3})}
gena = {(B, {True})}
genu = gena = {(M, {M2}), 
(D, {True}), (E, {False})}
killu = killa = {(M, {M1,M3}), 
(D, {False}), (E, {True})}
Cond = {(A, {}), (B, {False}), 
(C, {}), (D, {True,False}),
(E, {False}), (M, {M1,M3})}
RV = {(A, {}), (B, {True,False}), 
(C, {True,False}), (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
Figure 8: Computation of Conds and RVs. a) A code fragment. b) A corresponding ACFG.
We combine RV and Cond information for each node of the FSM , resulting in Info
sets.
Info(n) = f(i; r) j (i 2 R) ^ (r 2 V
a
) ^ ((i; v; c) 2 SS(n)) ^ (r = v \ c)g;
where \ is the usual set intersection. This denition can be viewed as computing Info(n) =
Cond(n) u RV(n). We verify an implicit property P
14




@@ Update ~CS2@@ Update C S3
@@ Update M(M2) & DS4
@@ Update ~E 
{(A, {}), (B, {True,False}), 
(C, {}), (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
{(A, {}), (B, {False}),
(C, {False}), {D, {True,False}),
(E, {False}), (M, {M1,M3})}
{(A, {}), (B, {True}), 
(C, {True}), (D, {True,False}), 
(E, {False}), (M, {M1,M3})}
{(A, {}), (B, {True,False}), 
(C, {True,False}), (D, {True}),
(E, {False}), (M, {M2})}
Figure 9: Finite-state abstraction.
attain at least one of the values it must attain:
P
14
= A2(8i 2 R 9(i; v; c) 2 SS(n) 9(i; r) 2 Info(n) s:t: c 6= fg ! r 6= fg)
This is the \assertion satised in current state" (ASCS) property, saying that if a Cond
value for some variable is dierent from fg, then there is a value other then fg resulting
from computation of Info for this variable.
Figure 9 shows a fragment of an FSM which abstracts the code in Figure 8, with Info
sets shown at every state. In this gure, all states correspond to nodes containing Update
annotations in the ACFG in Figure 8b.
5 Verifying Properties
In this section we describe how automatically-generated and user-specied properties are
veried.
5.1 Formal Model
We use the nal abstraction, FSM , to verify properties about the system. To understand
which of these properties are preserved in the correctly annotated program, we need to




Unfortunately, it is impossible to analyze the actual program behavior when annotations are missing
or wrong. We are currently exploring ways to explicitly connect annotations and code.
15
LetM be a class of models. In our case,M contains ANP, ACFG, and FSM.
Let P be a class of specication formulas, i.e., all automatically-generated and user-
specied properties. These have a well-dened interpretation, i.e.
8M 2 M;8p 2 P; (M j= p) _ (M 6j= p)
Let : M!M be a mapping from one model to another.
We note that we utilize an abstraction function  to go from the concrete domain V
c
to the abstract domain V
a
in ANP. Thus, we dene a separate model, ANP
a
, representing
















are transformation functions dened in addition to the abstraction function
.
We verify all properties in FSM and are interested in their interpretation in ANP. In
our case, it is hard to determine the correct interpretation of results of verifying properties
since FSM was an abstraction designed specically to bridge the gap in event granularity
between requirements and an implementation. We further note that some of the paths
in ANP are infeasible, and thus not all nodes in the resulting FSM can occur during the




represent FSM produced by the actual
runs of the program on abstract and concrete values of variables, respectively, and we will
interpret the results with respect to FSM
rc












is a transformation function dened in addition to the concretization function
. We further dene a combined transformation function  = 
3
 , and thus FSM
= (FSM
rc
). Once we establish that a property holds (does not hold) on FSM
rc
, we
conclude that it holds (does not hold) on ANP . However, results of property verication
on FSM are interpreted dierently for FSM
rc
, depending on the property being veried,
due to the presence of infeasible paths and the fact that  is not one-to-one.
Denition 5.1 A map  is falseness-preserving with respect to specication formula p,
written FP(,p), i 8M 2 M, if M 6j= p, then (M) 6j= p.
Denition 5.2 A map  is truth-preserving with respect to specication formula p, written





Figure 10: a) Optimistic and b) Pessimistic interpretations of a formula holding in a state.
Denition 5.3 A map  is not consistent with respect to specication formula p i
(TP (; p)) ^ (FP (; p)):
We say that a property p is pessimistic for a map  if TP(, p) and optimistic if FP(, p).
In our case, the map : FSM ! FSM
rc
is truth-preserving with respect to some
properties and falseness-preserving with respect to some others. OLT properties involve
quantication over every possible state. Thus, if one of these properties is preserved
in the model, it is preserved in the annotated program. The map  should then be
falseness-preserving with respect to these properties. The ASCS property is also universally
quantied and thus we need to dene  so that it is falseness-preserving with respect to
it. However, ALT properties are existentially quantied, i.e., if there a state satisfying
these properties in the model, there might not be one in the actual program because the
paths on which these properties hold in the model might be infeasible. Thus,  should be
truth-preserving with respect to these properties.
When we determine if a state is a model of a formula, we should make sure that 
remains consistent for every formula, i.e.,  is truth-preserving or falseness-preserving for
every formula. We dene two interpretations for a formula holding in a state, one for pes-
simistic and another for optimistic properties. Variables in states have values represented
by sets, so we treat atomic (or negated atomic) propositions in formulas as assertions about
sets of values, e.g., P is treated as P = fTrueg and M(M1) is treated asM = fM2;M3g.
To check if a state s is a model of an atomic proposition P , we compare P 's asserted value
(P
f
) with its value in state s (P (s)). For optimistic analysis, if there are common values
between P
f
and P (s), i.e., P
f
\ P (s) 6= ; (see Figure 10a), we assume that P
f
holds in
s. In pessimistic analysis we want to nd the maximum number of errors, and thus we
consider P
f
to hold in a state s only if (P (s) 6= fg) ^ (P (s)  P
f
), i.e., all values of P (s)
17
are present in P
f
(see Figure 10b). This way, during the interpretation step,
8p 2 P; ((FP (; p) ^ FSM j= p)! (FSM
rc
j= p)) ^
((TP (; p) ^ FSM 6j= p) ! (FSM
rc
6j= p));
i.e., pessimistic properties which hold in FSM , also hold in FSM
rc
, and optimistic prop-
erties violated in FSM , are also violated in FSM
rc
.
5.2 Checking Automatically-Generated Properties
To verify the automatically-generated properties, we take advantage of their rather re-
stricted forms and verify all of them in a single traversal of the FSM . These properties
involve state transitions which occur only in response to events. To calculate a node's
event, we traverse the FSM backwards until a node containing an Update annotation is
found on each branch. We form conjunctions of the Triggering and When conditions in
these Updates. For example, consider calculating the event which results in the transition
to M(M2) at node S
4













consist of the information
specied in the corresponding gen
u





. The set I of transitions and events discovered by Analyzer is shown in Figure 11.










) : @F (C) WHEN [B = fFalseg & D = fTrue; Falseg& E = fFalseg]










) : @F (C) WHEN [B = fFalseg & E = fFalseg &M = fM1;M3g]
Figure 11: Events and transitions discovered for node S
4
.
Our event calculations change the semantics of SCR events in two ways. Although
an SCR event occurs only when a value of a condition on a monitored variable changes,
we assume that every Update annotation marks an event. This analysis exaggerates the
number of events we calculate since an Update may not change a value of its variable,
but this treatment simplies searches for events in FSM . Secondly, SCR state transitions
occur instantaneously with the events that trigger them, while our state transitions may
be triggered by events associated with Update annotations which are textually remote
18
from the annotation marking the state transition. This dierence is the result of analyzing
implementations in which variables triggering events and those recording state transitions
change values in dierent statements, each of which is separately annotated.
Verication of ASCS Property
The ASCS property is checked for each state during the FSM traversal which computes
Info sets. A programmer might intentionally annotate his program with an assertion
which \contradicts" RVs at some node, thus violating the ASCS property. This is done to
explicitly mark a node in the FSM as unreachable to ensure that it is not considered in
the verication of other properties. Thus, when Analyzer nds a violation of the ASCS
property in a node, it marks the node as unreachable and skips it during the rest of the
property verication step. The ASCS property is universally quantied, and thus  is
pessimistic with respect to it, i.e. more errors could be reported than are present in the
annotated program.
Verication of OLT Properties









& B & @T (C)) _ (M
3
& B & @F (C))))
All such properties have the general form P = A2(EF ! (F _G)). Since A2(EF !
(F _G)) = A2(A (F )_ (F _G)), these properties are universally quantied and thus
can be veried pessimistically, thus possibly identifying illegal transitions even if they
actually occur on infeasible paths. We need to examine only those states in which F is




in our example). Thus, we check
the formula only for predecessors of states labeled with Update annotations for F . In our










, respectively. We check
all OLT properties in one traversal of the FSM by the following algorithm:
Algorithm 1
For every node y reachable from s
0
in the depth-rst order of the FSM
If y contains an Update annotation establishing F then
For every x s.t. (x; y) 2 N , where N is the successor relation
If x j= F then




Theorem 1. The successful execution of Algorithm 1 indicates that a property P =
A2(E  F ! (F _ G)) holds in our model, i.e., if the algorithm reports no error, then
FSM j= P .
Proof. We will prove a contrapositive of the above statement, i.e., if FSM 6j= P , then
the algorithm reports an error.
Assume that FSM 6j= P . Then 9z 2 S s.t. z is reachable from s
0
and z j= P , i.e.
z j= E  F but z 6j= F and z 6j= G. Then 9w; (z;w) 2 N ^ w j= F which means that w
contains an annotation establishing F . The algorithm starts with s
0
, comes to w during
its depth-rst traversal, nds z (since (z;w) 2 N), checks that z j= F and z j= G, and
reports an error.
So, if FSM 6j= P then the algorithm reports an error. 2
Verication of ALT Properties






















hold in the model because the node S
4




, respectively (see Table 11). Analyzer marks ALT properties indicating that they
have been satised if the implementation's calculated event contains values that would
cause a requirement's state transition. Any properties remaining unmarked at the end of
analysis are reported as errors. This analysis is optimistic since it considers state transitions
to satisfy a property even if they occur on infeasible paths. Thus, we might not report all
unimplemented transitions. We also use an optimistic interpretation for a formula holding
in a state. For example, while verifying property P
13
, we nd that the node S
4
satises it
by our treatment of transition I
6
. This node is reachable from the starting node, and thus
the property is considered to hold.
20
5.3 Verifying User-Specied Properties
Recall that a user can specify ve types of properties - reach, smi, wmi, strcause and cause.
Each of these properties is veried in a separate traversal of the FSM.
 reach(P ) properties are existentially quantied and thus are veried optimistically,
i.e., Analyzer searches the state space for a state where P holds, and if one is found,
the entire property is considered to hold.
 During the verication of smi(M , P ) = A2(M _P ) properties, Analyzer takes all
states where M does not hold, and determines if P holds in each of these states. As
soon as an error is discovered, the process terminates. These properties are veried
pessimistically, i.e., if there is one state which violates the invariant (although it
can be on an unreachable path), the entire property is considered violated. All
remaining types of properties are also universally quantied, and so their verication
is pessimistic.
 During the verication of wmi(M , P ) = A2((M _ P ) _ A  M) properties,
Analyzer looks for the nodes s.t. M holds in the node and in at least one of its
successors, and checks that P holds in this node. The verication stops as soon as
an error is discovered.




) properties, Analyzer starts with all states
where P
1
fails and checks if P
2
holds there; if not, it looks at all successor states
and reports an error if P
2
does not hold in either of these.









that only successor states are examined.
Figure 12 summarizes the basic steps of our analysis.
6 Processing Functions
In Section 4, we presented our algorithm for intraprocedural analysis of annotated pro-
grams, which creates an ACFG. However, since programs usually consist of several proce-
dures, we needed to extend our analysis technique to process these programs. We perform
interprocedural analysis using an adaptation of a technique called cloning [9]. A similar
algorithm was described in [32]. This technique enables Analyzer to process programs
with cycles in their call graphs (recursion), to analyze each called function only a constant
21
1. Start with an annotated program. Build its CFG.
2. Abstract it to ACFG:
Compute gen and kill sets for each node containing an annotation.
Propagate RVs and Conds throughout the graph.
3. Abstract ACFG to FSM :
Remove all nodes except those containing Update or Initial annotations
For each node, compute Info = Cond u RV and check the ASCS property.
If violated, report violation and mark the node as unreachable.
4. Generate P - a set of properties to ensure that the implementation is
consistent with the requirements.
5. Check that FSM j= P:
For each reachable event changing a mode class or controlled variable:
Compute Triggering and When conditions from all predecessors.
Verify that each of the transitions is specied in requirements.
Mark these transitions as used.
Report unused mode transitions, if any.
7. Verify user-specied properties of the system.
Figure 12: Summary of the algorithm.
number of times, and to achieve reasonable precision in the analysis. Our algorithm clones
a CFG of a function each time it is called in a new calling context (i.e., new RVs or Conds).
We verify each copy of a function once with its own set of reaching values and conditions.
Since we ignore functions without annotations and the number of possible calling contexts
is nite (and hopefully small), we avoid many potential problems with the combinatorial
growth of the CFG of the entire program.
Denition 6.1 An ACFG of an annotated program P in the presence of function calls
is a directed graph G = hV, E, V
0
i, where
V is a nite set of nodes corresponding to decisions, joins, function calls and
annotations of P .









in some execution sequence; and
V
0
is an entry node.
We use an example in Figure 13b to illustrate how the computation of RVs is performed






  @@ Initial M: M(M0);
  x = 3;
  @@ Update Xgt0;
  F();
  return 1;
}
void F() {
  @@ Update Xge0;
  if (x > 0) {
    @@ Update Xgt0;
    x−−;
    F();
  }
  else {
    @@ Update Xeq0;




   Xgt0 | Xeq0
   Xgt0 −> Xge0















RV = {(M, {M0}), (Xgt0, {True}),
   (Xge0, {True}), (Xeq0, {False})}
RV = {(M, {M0}), (Xgt0, {True}),
    (Xge0, {True}), (Xeq0, {False})}
RV = {(M, {M0}), (Xgt0, {True}),
   (Xge0, {True}), (Xeq0, {False})}
RV = {(M, {M0}), (Xgt0, {True}),
   (Xge0, {True}), (Xeq0, {False})}
RV = {(M, {M1}), (Xgt0, {False})
   (Xge0, {True}), (Xeq0, {True})}
RV = {(M, {M1}), (Xgt0, {False})
   (Xge0, {True}), (Xeq0, {True})}
RV = {(M,{M0,M1}), (Xgt0, {True,False},
   (Xge0, {True}), (Xeq0, {True,False})}
RV = {(M,{M0,M1}), (Xgt0, {True,False},
   (Xge0, {True}), (Xeq0, {True,False})}
Figure 13: Computing RVs in the presence of function calls. a) Some relationships
between the monitored variables. b) An implementation. c) An ACFG generated for
this example.
it reaches zero. The three monitored variables, Xgt0, Xeq0, Xge0, stand for \X greater
than 0", \X equal to 0" and \X greater than or equal to 0", respectively. These are
connected via relationships shown in Figure 13a. Figure 13c presents the ACFG produced
for this example. Ellipses indicate function calls. While computing RVs and encountering
a call to F from the main routine, Analyzer creates a copy of the F's ACFG in the
environment where the initial information, in(RV), is f(M, fM0g), (Xgt0, fTrueg), (Xge0,
fTrueg), (Xeq0, fFalseg)g, which is used as the RV set at the start of the function, and
the computation is continued through the ACFG of F. When the function calls itself (the
shaded node in Figure 13b), the RV of the call site is identical to that of the original call, so
Analyzer skips the recursive call and sets the output information, out(RV), of the call site
to its in(RV). Processing of the non-recursive branch of F yields the context f(M, fM1g),
(Xgt0, fFalseg), (Xeq0, fTrueg), (Xge0, fTrueg)g. When these two sets are merged at join
node at the end of F, F's out(RV) set is f(M, fM0, M1g), (Xgt0, fTrue,Falseg), (Xge0,
fTrueg), (Xeq0, fTrue,Falseg)g. This also becomes the out(RV) set of main's call to F.
23
A similar computation occurs for condition propagation except that both RV and Cond
information should match in order for the recursive call to be skipped. The algorithm
for processing function calls appears in Appendix B. After RV and Cond information is
calculated, Analyzer abstracts ACFG to FSM and uses it to verify the system properties,
as described in Sections 4 and 5.
7 Case Study
A Water-Level Monitoring System (WLMS) monitors and displays the water level in a
container. It also raises visual and audio alarms and shuts o its pump when the level is
out of range or when the monitoring system fails. Two push buttons, SelfTest and Reset,
permit the operator to test the system and return it to normal operation. A complete
description of this system can be found in [31]. WLMS has two mode classes, Normal and
Failure, whose modes are described in Table 4. The system starts in mode Standby of
mode class Normal and mode AllOK of mode class Failure. Monitored variables indicate
the water level in the container (both that it is within its limits and its more stringent
hysteresis range, InsideHysR ->WithinLimits), the lengths of time that buttons have been
pressed (SlfTstPressed < SlfTstPressed500) or that the system has been in a mode (InTest
< InTest2000 < InTest4000 < InTest14000), and device failures. Controlled variables are
set to trigger alarms and to display the water level to the operator. A mode transition
table for modeclass Normal is shown in Table 5.
The requirements included four user-dened safety properties, identical to those used in
[4]. They are shown in Table 6. If the SelfTest button has been pressed for 500ms or more,
the system is either in mode Test or will be in mode Test after its next transition. When
the system is in mode Standby, the SelfTest button has not been pressed for 500ms. If the
system is in mode Operating, then either the water level is WithinLimits or the SelfTest
button has been pressed long enough to cause a transition to mode Test. If the system is
in mode Shutdown, then either the water level is outside the hysteresis water-level range
and the system has been in mode Shutdown for less than 200 ms, or the SelfTest button
has been pressed but not long enough to cause a transition to mode Test.
The WLMS was originally implemented by roughly 1300 lines of FORTRAN and As-
sembler code. To analyze the program, we translated it into C and replaced its PC interface
routines with an Xlib interface. We annotated the program with 32 Update annotations
corresponding to monitored variables, 30 Update annotations corresponding to mode class
and controlled variables, and 33 Assert annotations. Out of 54 functions in the implemen-
tation, only eight had annotations.
After we eliminated annotation errors in the implementation, Analyzer reported a num-
24
Mode Class Mode Meaning
Normal Operating The system is running properly.
Shutdown The water level is out of range and the system will be
shutdown unless conditions change.
Standby The system is waiting for the operator to push a button
to select test or operating mode.
Test The system is not operating, but controlled variables are
being checked.
Failure AllOK No device failures.
BadLevDev The water level cannot be measured.
HardFail Unrecoverable failure.
Table 4: WLMS Modes.
Current Inside Within SlfTst SlfTst In Reset Shutdown New
Mode HysR Limits Pressed Pressed Test Pressed LockTime Mode
500 1400 3000 200
Standby t { { { { @T { Operating
{ { { @T { { { Test
Operating { @F f { { { { Shutdown
{ { { @T { { { Test
Shutdown @T { f { { { f Operating
{ { f { { { @T Standby
{ { { @T { { { Test
Test { { { { @T { { Standby
Initial: Standby (SlfTstPressed500 & ResetPressed3000 & InTest14000 &
ShutdownLockTime200)
Table 5: Mode transition table for mode class Normal.
ber of inconsistencies between the requirements and the implementation (see Table 7).
These numbers overestimate the actual errors in the implementation. First of all, some
mode transitions and controlled variable value changes resulted in a number of OLT prop-
erties violations. For example, ve illegal mode transitions generated 34 violation messages
because several illegal transitions were detected at each location. Also, all the mode tran-
sition problems can be attributed to three principal causes: the wrong monitored variable





wmi(Normal=Operating, (SlfTstPressed500 & (WithinLimits OR SlfTstPressed)))
wmi(Normal=Shutdown, (SlfTstPressed500 &
((InsideHysR & ShutdownLockTime200) OR SlfTstPressed)))
Table 6: Properties of the WLMS.
Property Type Violations Locations
OLT properties for modeclasses 34 5
OLT properties for controlled variables 56 5
ALT properties for modeclasses 10
ALT properties for controlled variables 26
Table 7: Results of analyzing the WLMS.
that the operator pressed the SelfTest and Reset buttons were not calculated or checked,
and no transitions to a mode corresponding to complete system failure were implemented.
Most of the illegal assignments to the controlled variables occurred because the order of
triggering events in the implementation diered from that in the requirements.
Each of the four safety properties was veried by Analyzer. These results are not
particularly interesting because all the safety properties included negated monitored vari-
ables that were never assigned True values in the implementation (i.e., InsideHysR and
SlfTstPressed500). Thus most formulas hold trivially. The third formula:
wmi(Normal=Operating, ~SlfTstPressed500 & (WithinLimits OR SlfTstPressed)))
was veried since WithinLimits was set to True before each transition to Operating, and
whenever WithinLimits and SlfTstPressed were set to False, the system immediately tran-
sitioned to mode Shutdown.
26
8 Discussion and Conclusion
This section compares our approach with related work and discusses potential improve-
ments in our analysis method.
8.1 Related Work
Analyzer contains features similar to those in several other static analysis systems. To
simplify the verication of properties of implementations, these systems restrict the forms
of their formal specication notations or create abstract models from implementations that
could be analyzed with state-exploration rather than theorem-proving techniques.
In Inscape[28, 29, 30], complex logical formulas are abstracted to simple predicates
which may be primitive or dened in terms of other predicates (like our relationships).
Predicates form pre- and postconditions used to specify implementations. A programmer
constructs an implementation with an editor that analyzes the implementation's control
ow and operation invocations to calculate its pre- and postconditions. During the calcula-
tion, Inscape uses pattern matching and simple deduction to determine if the precondition
of an operation has been satised before its invocation. If not, unsatised predicates
are propagated backwards through the control-ow graph until Inscape nds operations
satisfying them. The predicates of an operation's postconditions are propagated forward
through the graph so that they might satisfy a subsequent operation's precondition. To de-
termine if an implementation is correct, Inscape compares its calculated and the specied
conditions.
Quick Defect Analysis (QDA)[18, 20] also uses a simplied specication language. Par-
tial specications called hypotheses are embedded in comments to describe properties
that objects should have at particular program points. Other comments contain assertions
about properties of objects. An interpreter builds an abstract model of the implementation
from the assertions and the implementation's control ow graph. Hypotheses are veried
with respect to this model. More recent work[19] enriches QDA's specication language so
assertions also describe event occurrences and hypotheses assert that the implementation's
events occur in certain sequences.
The Cecil specication language permits the description of sequencing constraints on
user-denable program events (e.g., denitions or uses of variables, operation invocations,
etc.) by anchored, quantied regular expressions (AQREs)[25, 26, 27]. After a user species
a mapping from programming language constructs to Cecil events, the Cesar analyzer uses
dataow analysis techniques to determine if the implementation meets Cecil constraints.
27
Aspect's[21, 22, 23] specication notation permits users to write pre- and postconditions
about the data dependencies of an operation. Dataow analysis is used to compute an
upper bound on the data dependencies of the implementation. If an asserted dependency
is missing, an error is reported.
Clarke et al. [7] also create abstract, nite state models of programs, and use model
checking techniques to verify formulas. Programs written in a special nite-state pro-
gramming language are translated into relational expressions characterizing the program's
initial state and transition relation. To reduce the size of the model, users dene mappings
of implementation values to abstract values and symbolically execute operations on the
values. The model checking approach is pessimistic for formulas expressed in 8CTL*[12],
a subset of CTL* in which only a universal path quantication is allowed. The authors
also identify a large class of temporal formulas for which the verication results are exact,
i.e., formulas hold in the model i they hold in the original program.
8.2 Conclusion and Future Work
We have dened a notion of consistency between SCR-style requirements and an anno-
tated program. We have also presented a technique to ensure this notion of consistency,
implemented in a tool called Analyzer. Analyzer creates a nite-state abstraction of an
annotated program and checks it against a set of properties automatically generated from
the requirements or specied by the user. This approach can be applied to small but
realistic systems, as indicated by the case study that was presented here.
The algorithm which creates a nite-state model of a program uses only annotations and
the control-ow of the program. Thus, it might happen that the annotations are correct,
but the corresponding constructs of the program are incorrect or missing. Also, a program
has to be fully (and correctly) annotated to obtain maximum benets from the analysis. We
are currently looking at means of connecting requirements and program variables. The user
will provide declarative information describing the dependencies between implementation
and requirements variables. We hope that this approach will enable us to nd missing or
incorrect annotations and, in many cases, insert necessary annotations automatically.
The language for user-specied safety properties is very restricted. Let  be a mapping
from an annotated program to FSM .  is truth-preserving with respect to CTL formulas
quantied over all possible paths and falseness-preserving with respect to formulas quan-
tied over some paths. Therefore,  is not consistent with respect to an arbitrary CTL
formula p, i.e., verifying p on FSM gives no information about its validity on the annotated
program. So, assuming that a formula does not include negated quantiers (i.e.  A2(P )
= E3( P ), we can verify it only if it does not contain mixed quantiers. Young and
28
Taylor[34] reach the same conclusion. All properties discussed in earlier sections contained
just one quantier, and thus could be processed. We plan to extend Analyzer to be able
to verify arbitrary consistent CTL formulae.
Acknowledgements
We would like to thank Rich Gerber and Bill Pugh for many valuable technical contribu-
tions to this work.
References
[1] A. Aho, R. Sethi, and J. Ulman. Compilers: Principles, Techniques, and Tools,
Chapter 10. Addison Wesley, 1988.
[2] T. Alspaugh, S. Faulk, K. Britton, R. Parker, D. Parnas, and J. Shore. \Software
Requirements for the A-7E Aircraft". Technical report, Naval Research Laboratory,
March 1988.
[3] J. Atlee. \Automated Analysis of Software Requirements". PhD thesis, University of
Maryland, College Park, Maryland, December 1992.
[4] J.M. Atlee and J. Gannon. \State-Based Model Checking of Event-Driven System
Requirements". IEEE Transactions on Software Engineering, pages 22{40, January
1993.
[5] M. Chechik and J. Gannon. \Automatic Verication of Requirements Implementa-
tions". In Proceedings of the 1994 ISSTA, pages 1{14, Seattle, Washington, August
1994.
[6] M. Chechik and J. Gannon. \Automatic Analysis of Consistency Between Implemen-
tations and Requirements: A Case Study". In Proceedings of 10th Annual Conference
on Compute Assurance, pages 123{131, June 1995.
[7] Edmind M. Clarke, Orna Grumberg, and David E. Long. \Model Checking and
Abstraction". In Proceedings of the Ninth Annual Symposium on Principles of Pro-
gramming Languages, pages 343{354, August 1992.
[8] E.M. Clarke, E.A. Emerson, and A.P. Sistla. \Automatic Verication of Finite-State
Concurrent Systems Using Temporal Logic Specications". ACM Transactions on
Programming Languages and Systems, 8(2):244{263, April 1986.
29
[9] Keith D. Cooper, Mary W. Hall, and Ken Kennedy. \Procedure Cloning". In Proceed-
ings of IEEE International Conference on Computer Languages, pages 96{105, April
1992.
[10] Patrick Cousot and Radhia Cousot. \Static Determination of Dynamic Properties of
Programs". In Proceedings of the "Colloque sur la Programmation", April 1976.
[11] Patrick Cousot and Radhia Cousot. \Abstract Interpretation: A Unied Lattice
Model For Static Analysis of Programs by Construction or Approximation of Fix-
points". In Proceedings of the 4th POPL, pages 238{252, Los Angeles, California,
1977.
[12] O. Grumberg and D.E. Long. \Model Checking and Modular Verication". In Proceed-
ings of CONCUR'91: 2nd International Conference on Concurrency Theory, 1991.
[13] D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. Sherman, A. Shtull-
Trauring, and M. Trakhtenbrot. \STATEMATE: A Working Environment for the
Development of Complex Reactive Systems". IEEE Transactions on Software Engi-
neering, 16(4):403{414, April 1990.
[14] C. Heitmeyer and B. Labaw. \Consistency Checks for SCR-Style Requirements
Specications". Technical Report NRL Report 93-9586, Naval Research Laboratory,
November 1993.
[15] C. Heitmeyer, B. Labaw, and D. Kiskis. \Consistency Checking of SCR-Style Re-
quirements Specications". In Proceedings of RE'95 International Symposium of Re-
quirements Engineering, March 1995.
[16] K. Heninger. \Software Requirements for the A-7E Aircraft". Technical Report NRL
Report 3876, Naval Research Laboratory, Washington, DC, 1978.
[17] K. Heninger. \Specifying Software Requirements for Complex Systems: New Tech-
niques and Their Applications". IEEE Transactions on Software Engineering, SE-
6(1):2{12, January 1980.
[18] W.E. Howden. \Comments Analysis and Programming Errors". IEEE Transactions
on Software Engineering, 16(1):72{81, January 1990.
[19] W.E. Howden and G.M. Shi. \Linear and Structural Event Sequence Analysis". Sub-
mitted to ISSTA'96, June 1995.
[20] W.E. Howden and B. Wieand. \QDA { A Method for Systematic Informal Program
Analysis". IEEE Transactions on Software Engineering, 20(6):445{462, June 1994.
[21] D. Jackson. Aspect: A Formal Specication Language for Detecting Bugs. PhD thesis,
MIT, Cambridge, Massachusetts, June 1992.
30
[22] Daniel Jackson. \Abstract Analysis with Aspect". In Proceedings of the 1993 Inter-
national Symposium on Software Testing and Analysis (ISSTA), pages 19{27, June
1993.
[23] Daniel Jackson. \Aspect: Detecting Bugs with Abstract Dependences". (submitted
to Transactions on Software Engineering and Methodology), November 1993.
[24] N.G. Levenson, M.P.E. Heimdahl, H. Hildreth, and J.D. Reese. \Requirements Spec-
ication for Process-Control Systems". IEEE Transactions on Software Engineering,
20(9):684{707, September 1994.
[25] Kurt M. Olender and Leon J. Osterweil. \Cesar: A Static Sequencing Constraint
Analyzer". In Proceedings of the ACM SIGSOFT '89 Third Symposium on Software
Testing, Analysis, and Verication (TAV3), pages 66{74, December 1989.
[26] Kurt M. Olender and Leon J. Osterweil. \Cecil: A Sequencing Constraint Language for
Automatic Static Analysis Generation". IEEE Transactions on Software Engineering,
16(3):268{280, March 1990.
[27] Kurt M. Olender and Leon K. Osterweil. \Interprocedural Static Analysis of Se-
quencing Constraints". ACM Transactions of Software Engineering and Methodology,
1(1):21{52, January 1992.
[28] Dewayne E. Perry. \Software InterconnectionModels". In Proceedings of the 9th Inter-
national Conference on Software Engineering, pages 61{69. IEEE Computer Society
Press, 1987.
[29] Dewayne E. Perry. \The Inscape Environment.". In Proceedings of the 11th Interna-
tional Conference on Software Engineering, pages 60{68, Pittsburgh PA, May 1989.
[30] Dewayne E. Perry. \The Logic of Propagation in The Inscape Environment". In
Proceedings of the 3rd Symposium on Software Testing, Analysis, and Verication
(TAV3), pages 114{121, Key West, Florida, December 1989.
[31] A. J. van Schouwen. \The A-7 Requirements Model: Re-examination for Real-Time
Systems and an Application to Monitoring Systems". Technical Report TR-90-276,
Queen's University, Kingston, Ontario, May 1990.
[32] Ben Wegbreit. \Property Extraction in Well-Founded Property Sets". IEEE Trans-
actions on Software Engineering, 1(3):270{285, September 1975.
[33] Michal Young. \How to Leave Out Details: Error-Preserving Abstractions of State-
Space Models". In Proceedings of the Workshop on Software Testing, pages 63{70,
1988.
31
[34] Michal Young and Richard N. Taylor. "Rethinking the Taxonomy of Fault Detec-
tion Techniques". In Proceedings of the 11th International Conference on Software
Engineering, pages 53{62, May 1989.
A SSE Requirements specication
MONITORED CONTROLLED VARIABLES
A, B, C VARIABLE D
INITIAL False
CONTROLLED True @T(C) WHEN [M=M1]
D, E False @F(C) WHEN [M=M3]
MODECLASS M VARIABLE E
INITIAL M1 (~A & B & ~C & D) INITIAL True
MODE M1 False @T(C) WHEN [M=M1]
M2 @T(C) WHEN [B] True @F(C)
M3 @F(B)
MODE M2 RELATIONSHIPS
M1 @T(A) & @T(B) E -> ~D
M3 @F(B) WHEN [A]
MODE M3 PROPERTIES
M1 @T(A) smi (M=M1, A)
M2 @F(C) WHEN [~B] reach (M=M3)
cause (M=M3 & ~C, D)
All such specications adhere to the same format: monitored and controlled variables
are listed separately, followed by a mode transition table for each mode class. Event tables
for controlled variables, a list of relationships and a list of user-specied properties complete
the specication.
B Algorithm to Process Function Calls
We store separate copies of CFGs of each function for dierent calling contexts. Every call
cite contains a pointer to a CFG of a copy of a function it calls, or a null pointer if it calls a
function without annotations. To distinguish between copies of the functions, we associate
a list of contexts with each of them. Each context contains the following information: in
and out which contain system states at the start and the end of the function; graph which
is a pointer to the CFG of the function with this calling environment; and color which
32
indicates the processing status: eitherwhite (unprocessed), gray (partially processed), or
black (processed). Initially, ins and outs are empty, and each context is marked white.
In the presentation of the algorithm, when these elds have a two argument (e.g., in(RV,
cl)), they represent reaching value or condition information about the node corresponding
to the function call, and when they have three arguments (e.g., in(RV, ct, fn)), they
represent information about the body of the function in a particular context. Let PR be
a set of functions which needs to be processed, i.e. those which contain annotations or call
other functions which need to be processed. Figure 14 contains the algorithm.
33
1. Compute RVs. When a node calls a function in PR, check its list of contexts.
If there exists a context ct s.t. in(RV,ct,fn) is in(RV,cl) then
If color(ct,fn) is black (already processed) then
out(RV,cl) out(RV,ct,fn)
Elseif color(ct,fn) is gray (recursion) then
out(RV,cl) in(RV,ct,fn)
/* skip the call */
Else
New context nct CopyCFG (graph(ct,fn))
graph(cl) graph(nct,fn)
color(nct,fn) gray
in(RV,nct,fn) in(RV,first block(fn)) in(RV,cl)
Recursively propagate RVs through the function
color(nct,fn) black;
out(RV,last block(fn)) out(RV,cl) out(RV,nct,fn)
2. Mark all copies of all functions white.
3. Compute Conds. If a node calls a function in PR, check its list of contexts.
If there is a context ct s.t. in(RV,ct,fn) is in(RV,cl) and
in(Cond,ct,fn) is in(Cond,cl) then
If color(ct,fn) is black (already processed) then
graph(cl) graph(ct,fn)
out(Cond,cl) out(Cond,ct,fn)
Elseif color(ct, fn) is gray (recursion) then
out(Cond,cl) in(Cond,ct,fn)
Else
New context nct CopyCFG (graph (ct,fn))
/* copy graph together with RVs */
graph(cl) (graph(nct,fn)
color(nct,fn) gray
in(Cond,nct,fn) in(Cond,fist block(fn)) in(Cond,cl)
Recursively compute conditions in the function
color(nct,fn) black
out(Cond,last block(fn)) out(Cond,cl) out(Cond,nct,fn)
Figure 14: Algorithm to Process Function Calls.
34
