In January 2000, I will be joining the Department of Computer Science at Brown University as an assistant professor.
Symbolic model checking is a practical formal-verification technique that is automatic and is capable of analyzing a wide range of semantic properties (e.g., safety and liveness). Although the technique is mostly used for hardware verification, we use it to analyze the finite-state models of the state-machine specifications of two non-trivial airborne software systems. Applying the technique to a new domain allowed us to discover new research problems and devise some innovative solutions.
More specifically, we used and modified SMV, a model checker based on binary decision diagrams (BDDs), to analyze an early version of the TCAS II (Traffic Alert and Collision Avoidance System II) System Requirements Specification. TCAS II is a complex airborne collision avoidance system used on most commercial aircraft in the United States, and its requirements specification is written in RSML, a hierarchical state-machine language based on Harel's statecharts. After overcoming a number of obstacles, we were able to analyze part of the requirements, verifying as well as falsifying a number of interesting properties [TSE98]. The performance of the analysis can be improved by orders of magnitude using various optimizations [ISSTA98].
Despite the promising results, a large part of the requirements
remains beyond reach because of the numerous complicated
nonlinear arithmetic predicates.
One approach we have considered to attack the problem is to couple
the BDD-based model checker with a decision procedure for
nonlinear arithmetic [CAV97].
For more information on TCAS II, see
With David Jones and William Warner from Boeing, we have recently looked at another statecharts specification that models an airborne fault-tolerant electrical power distribution system. Combining the experience of the two case studies, we found out how the styles of synchronization among the state machines can affect the efficiency of the analysis. New optimization techniques allowed us to discover a number of design flaws not found by simulation [ICSE99].
William Chan, Richard J. Anderson, Paul Beame, David H. Jones, David Notkin, and William E. Warner. Decoupling synchronization from local control for efficient symbolic model checking of statecharts. In Proceedings of the 1999 International Conference on Software Engineering (ICSE'99), pages 142-151, May 1999, Los Angeles, USA. [Abstract | Postscript | PDF]
William Chan, Richard J. Anderson, Paul Beame, and David Notkin. Improving efficiency of symbolic model checking for state-based system requirements. In ISSTA 98: Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 102-112, March 1998, Clearwater Beach, Florida, USA. [Abstract | Postscript | PDF]
William Chan, Richard Anderson, Paul Beame, and David Notkin. Combining constraint solving and symbolic model checking for a class of systems with non-linear constraints. In Computer Aided Verification, 9th International Conference, CAV'97 Proceedings, LNCS 1254, pages 316-327. Springer-Verlag, June 1997, Haifa, Israel. [Abstract | Postscript | PDF]
William Chan, Richard J. Anderson, Paul Beame, Steve Burns, Francesmary Modugno, David Notkin, and Jon D. Reese. Model checking large software specifications. In IEEE Transactions on Software Engineering 24(7), pages 498-520, July 1998. Preliminary version appeared in SIGSOFT'96: Proceedings of the Fourth ACM SIGSOFT Symposium on the Foundation of Software Engineering, pages 156-166, October 1996, San Francisco, USA. [Abstract | Postscript | PDF]
![[free speech]](Icon/rib_bar_wh.trans.gif){kind=icon}
William Chan
(wchan@cs.washington.edu)
http://www.cs.washington.edu/homes/wchan/work/