Efficient symbolic model checking of concurrent systems

Design errors in software systems consisting of concurrent components are potentially disastrous, yet notoriously difficult to find by testing. Therefore, more rigorous analysis methods are gaining popularity. Symbolic model checking techniques are based on modeling the behavior of the system as a formula and reducing the analysis problem to symbolic manipulation of formulas by computational tools. In this work, the aim is to make symbolic model checking, in particular bounded model checking, more efficient for verifying and falsifying safety properties of highly concurrent system models with high-level data features. The contributions of this thesis are divided to four topics. The first topic is symbolic model checking of UML state machine models. UML is a language widely used in the industry for modeling software-intensive systems. The contribution is an accurate semantics for a subset of the UML state machine language and an automatic translation to formulas, enabling symbolic UML model checking. The second topic is bounded model checking of systems with queues. Queues are frequently used to model, for example, message buffers in distributed systems. The contribution is a variety of ways to encode the behavior of queues in formulas that exploit the features of modern SMT solver tools. The third topic is symbolic partial order methods for accelerated model checking. By exploiting the inherent independence of the components of a concurrent system, the executions of the system are compressed by allowing several actions in different components to occur at the same time. Making the executions shorter increases the performance of bounded model checking. The contribution includes three alternative partial order semantics for compressing the executions, with analytic and experimental evaluation. The work also presents a new variant of bounded model checking that is based on a concurrent instead of sequential view of the events that constitute an execution. The fourth topic is efficient computation of predicate abstraction. Predicate abstraction is a key technique for scalable model checking, based on replacing the system model by a simpler abstract model that omits irrelevant details. In practice, constructing the abstract model can be computationally expensive. The contribution is a combination of techniques that exploit the structure of the underlying system to partition the problem into a sequence of cheaper abstraction problems, thus reducing the total complexity

A Symbolic Model Checking Approach to Verifying Satellite Onboard Software

This paper discusses the use of symbolic model checking technology to verify the design of an embedded software control system called attitude and orbit control system (AOCS). This system is mission-critical because it is responsible for maintaining the attitude of the satellite and for performing fault detection, isolation, and recovery decisions of the satellite. An executable AOCS implementation by Space Systems Finland has been provided to us in Ada source code form. In order to use symbolic model checking methods, the Ada implementation of the system was modeled at a quite detailed implementation level using the input language of the symbolic model checker NuSMV 2. We describe the modeling techniques and abstractions used to alleviate the state explosion problem due to handling of timers and the large number of system components controlled by AOCS. The specification of the required system behavior was also provided to us in a form of extended state machine diagrams with prioritized transitions. These diagrams have been translated to a set of temporal logic properties, allowing the piecewise checking of the system behavior one extended state machine transition at a time. We also report on the scalability of symbolic model checking tools for the case study at hand as well as discuss potential topics for future work

Jumbala - toimintojen kuvauskieli UML-tilakoneille

UML 2.0 on kieli, jolla mallinnetaan monimutkaisia ohjelmistojärjestelmiä. UML-malli voi kuvata sekä ohjelmiston osien rakennetta että dynaamisia ominaisuuksia. Tässä työssä keskitytään malleihin, jotka kuvaavat reaktiivisia järjestelmiä, esimerkiksi tietoliikenneohjelmistoja tai ohjainlaitteiden sulautettuja ohjelmistoja. Oletuksena on, että järjestelmien käyttäytyminen on mallinnettu käyttäen UML-tilakoneita. Vaikka UML:n spesifikaatiossa on määritelmä tilakoneille, siinä ei ole kiinnitetty toimintojen kuvauskieltä. Kyseistä kieltä käytetään määrittämään tilakoneiden siirtymien vaikutukset mallin kokonaistilaan. Työssä kehitetään Jumbala-niminen toimintojen kuvauskieli. Kieli on suunniteltu osana projektia, jonka tavoitteena on kehittää UML-mallien käyttäytymisen formaalia analysointia. Jumbala perustuu Java-ohjelmointikieleen ja sen lauseilla ja lausekkeilla on lähes sama kielioppi ja semantiikka kuin Javassa. Lisäksi kieltä on laajennettu tilakonemalleihin liittyvillä ominaisuuksilla. Jumbala on oliopohjainen kieli, jolla voi määritellä luokkia ja niiden perintäsuhteita. Työn osana on toteutettu tulkki, joka suorittaa Jumbala-ohjelmia. Tulkki on tarkoitettu osaksi prototyyppityökalujen kokonaisuutta, jolla voi analysoida UML:llä mallinnettujen reaktiivisten ohjelmistojärjestelmien käyttäytymist

JUMBALA -- AN ACTION LANGUAGE FOR UML STATE MACHINES

UML 2.0 is a language for modeling complex software systems.A UML model may describe the dynamic aspects of software as well as the static structure. We concentrate on models of reactive systems, such as em-bedded controllers or telecommunications switches. The behavior of such systems is modeled using UML state machines. Although UML defines thestructure of state machines, it leaves open the choice of an action language, which is the language used to specify how the transitions of a state machineaffect the configuration of the underlying model. A UM

Structure-Aware Computation of Predicate Abstraction

The precise computation of abstractions is a bottleneck in many approaches to CEGAR-based verification. In this paper, we propose a novel approach, based on the use of structural information. Rather than computing the abstraction as a single, monolithic quantification, we provide a \emph{structure-aware} abstraction algorithm, based on two complementary steps. The first, high-level step exploits the structure of the system, and partitions the abstraction problem into the combination of several smaller abstraction problems. This is represented as a formula with quantifiers. The second, low-level step exploits the structure of the formula, in particular the occurrence of variables within the quantifiers, and applies a set of low-level rewriting rules aiming at further reducing the scope of quantifiers. We experimentally evaluate the approach on a substantial set of benchmarks, and show significant speed ups compared to monolithic abstraction algorithms

Model Checking Dynamic and Hierarchical

This paper presents a technique to model check UML specifications by translating UMLmodels to the model checker SPIN. Our models consist of active UML classes, whose behavior is defined by hierarchical state machines. The intended application is to find errors in protocols communicating using asynchronous message passing. Compared to previous efforts using a similar approach, our novel points are the following. First, we consider a subset of UML that in our opinion is expressive enough for protocol models but allows a simpler translation to SPIN than existing work. Preliminary analysis of simple industrial models support our conclusions on the expressivity of our UML subset. Second, we present a powerful action language that is still amenable to automatic analysis