Thesis (MSc)--University of Stellenbosch, 2003.ENGLISH ABSTRACT: Model checking is a computer-aided verification technique that is used to verify properties
about the formal description of a system automatically. This technique has been applied
successfully to detect subtle errors in reactive systems. Such errors are extremely difficult to
detect by using traditional testing techniques. The conventional method of applying model
checking is to construct a model manually either before or after the implementation of a
system. Constructing such a model requires time, skill and experience. An alternative method
is to derive a model from an implementation automatically.
In this thesis two techniques of applying model checking to reactive systems are compared,
both of which have problems as well as advantages. Two specific strategies are compared in
the area of protocol development:
1. Structuring a protocol as a transition system, modelling the system, and then deriving
an implementation from the model.
2. Automatically translating implementation code to a verifiable model.
Structuring a reactive system as a transition system makes it possible to verify the control flow
of the system at implementation level-as opposed to verifying the control flow at abstract
level. The result is a closer correspondence between implementation and specification (model).
At the same time testing, which is restricted to small, independent code fragments that
manipulate data, is simplified significantly.
The construction of a model often takes too long; therefore, verification results may no longer
be applicable when they become available. To address this problem, the technique of automated
model extraction was suggested. This technique aims to reduce the time required to
construct a model by minimising manual input during model construction.
A transition system is a low-level formalism and direct execution through interpretation is feasible. However, the overhead of interpretation is the major disadvantage of this technique.
With automated model extraction there are disadvantages too. For example, differences
between the implementation and specification languages-such as constructs present in the
implementation language that cannot be expressed in the modelling language-make the
development of an automated model extraction tool extremely difficult.
In conclusion, the two techniques are compared against a set of software development considerations.
Since a specific technique is not always preferable, guidelines are proposed to help
select the best approach in different circumstances.AFRIKAANSE OPSOMMING: Modeltoetsing is 'n rekenaargebaseerde verifikasietegniek wat gebruik word om eienskappe
rakende 'n formele spesifikasie van 'n stelsel te verifieer. Die tegniek is al suksesvol toegepas
om subtiele foute in reaktiewe stelsels op te spoor. Sulke foute word uiters moeilik opgespoor
as tradisionele toetsings tegnieke gebruik word. Tradisioneel word modeltoetsing toegepas
deur 'n model te bou voor of na die implementasie van 'n stelsel. Om'n model te bou
verg tyd, vernuf en ervaring. 'n Alternatiewe metode is om outomaties 'n model van 'n
implementasie af te lei.
In hierdie tesis word twee toepassingstegnieke van modeltoetsing vergelyk, waar beide tegnieke
beskik oor voordele sowel as nadele. Twee strategieë word vergelyk in die gebied van protokol
ontwikkeling:
1. Om 'n protokol as 'n oorgangsstelsel te struktureer, dit te moduleer en dan 'n implementasie
van die model af te lei.
2. Om outomaties 'n verifieerbare model van 'n implementasie af te lei.
Om 'n reaktiewe stelsel as 'n oorgangsstelsel te struktureer maak dit moontlik om die kontrolevloei
op implementasie vlak te verifieer-in teenstelling met verifikasie van kontrolevloei
op 'n abstrakte vlak. Die resultaat is 'n nouer band wat bestaan tussen die implementasie en
die spesifikasie. Terselfdetyd word toetsing, wat beperk word tot klein, onafhanklike kodesegmente
wat data manupileer, beduidend vereenvoudig.
Die konstruksie van 'n model neem soms te lank; gevolglik, wanneer die verifikasieresultate
beskikbaar word, is dit dalk nie meer toepaslik op die huidige weergawe van 'n implementasie
nie. Om die probleem aan te spreek is 'n tegniek om modelle outomaties van implementasies
af te lei, voorgestel. Die doel van die tegniek is om die tyd wat dit neem om 'n model te bou
te verminder deur handtoevoer tot 'n minimum te beperk. 'n Oorgangsstelsel is 'n laevlak formalisme en direkte uitvoering deur interpretasie is wesenlik.
Die oorhoofse koste van die interpreteerder is egter die grootste nadeel van die tegniek. Daar is
ook nadele wat oorweeg moet word rakende die tegniek om outomaties modelle van implementasies
af te lei. Byvoorbeeld, verskille tussen die implementasietaal en spesifikasietaal=-soos
byvoorbleed konstrukte wat in die implementasietaal gebruik word wat nie in die modeleringstaal
voorgestel kan word nie-vrnaak die ontwikkeling van 'n modelafieier uiters moeilik.
As gevolg word die twee tegnieke vergelyk teen 'n stel van programatuurontwikkelingsoorwegings.
Omdat 'n spesifieke tegniek nie altyd voorkeur kan geniet nie, word riglyne voorgestel
om te help met die keuse om die beste tegniek te kies in verskillende omstandighede
