Using SPIN model checking for flight software verification

Glück, Peter; Holzmann, Gerard J.

doi:10.1109/aero.2002.1036832

Cited by 43 publications

(15 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…6 separately shows how performance varies with state size for a fixed transition delay of 2 3 time units and the graph on the lower right repeats this experiment for a larger transition delay of 2 13 time units. Note that, in the latter case, performance becomes almost completely independent of state size, likely because it is now dominated by the transition delay itself.…”

Section: A Reference Modelmentioning

confidence: 86%

“…We consider six large applications. The first (DS1) is a verification of a large model with embedded C code taken from NASA's Deep Space 1 mission, as described in [13]. The second application (DEOS) is a verification model of the DEOS Operating System kernel developed at Honeywell Laboratories, a variant of which is also discussed in [33].…”

Section: Larger Verification Modelsmentioning

confidence: 99%

See 1 more Smart Citation

The Design of a Multicore Extension of the SPIN Model Checker

Holzmann

Bošnački

2007

IIEEE Trans. Software Eng.

110

View full text Add to dashboard Cite

Abstract-We describe an extension of the SPIN model checker for use on multicore shared-memory systems and report on its performance. We show how, with proper load balancing, the time requirements of a verification run can, in some cases, be reduced close to N-fold when N processing cores are used. We also analyze the types of verification problems for which multicore algorithms cannot provide relief. The extensions discussed here require only relatively small changes in the SPIN source code and are compatible with most existing verification modes such as partial order reduction, the verification of temporal logic formulas, bitstate hashing, and hash-compact compression.Index Terms-Software/program verification, model checking, models of computation, logics and meanings of programs, distributed programming.

show abstract

Section: A Reference Modelmentioning

confidence: 86%

Section: Larger Verification Modelsmentioning

confidence: 99%

The Design of a Multicore Extension of the SPIN Model Checker

Holzmann

Bošnački

2007

IIEEE Trans. Software Eng.

110

View full text Add to dashboard Cite

show abstract

“…The test-harness that the user prepares now drives the thread executions directly, selecting the proper level of granularity of execution. The application we studied in [5] is of this type, and could be adapted to use the new method of data abstraction we have discussed here. The capability to redefine how state information is to be represented, or abstracted, is also similar to the view function in TLC [11].…”

Section: Discussionmentioning

confidence: 98%

Model-Driven Software Verification

Holzmann

Joshi

2004

Model Checking Software

View full text Add to dashboard Cite

Abstract. In the classic approach to logic model checking, software verification requires a manually constructed artifact (the model) to be written in the language that is accepted by the model checker. The construction of such a model typically requires good knowledge of both the application being verified and of the capabilities of the model checker that is used for the verification. Inadequate knowledge of the model checker can limit the scope of verification that can be performed; inadequate knowledge of the application can undermine the validity of the verification experiment itself. In this paper we explore a different approach to software verification. With this approach, a software application can be included, without substantial change, into a verification test-harness and then verified directly, while preserving the ability to apply data abstraction techniques. Only the test-harness is written in the language of the model checker. The test-harness is used to drive the application through all its relevant states, while logical properties on its execution are checked by the model checker. To allow the model checker to track state, and avoid duplicate work, the test-harness includes definitions of all data objects in the application that contain state information. The main objective of this paper is to introduce a powerful extension of the SPIN model checker that allows the user to directly define data abstractions in the logic verification of application level programs.

show abstract

“…Modex takes C code and creates Promela models by processing all basic actions and conditions of the program with respect to a set of rules. A case study of Modex involving NASA legacy flight software is described by Glück & Holzmann (2002). Modex's approach effectively moves the effort from manual modeling to specifying patterns that match the C statements that should be included in the model (Promela allows for including C statements) and what to ignore.…”

Section: Timing Analysis With Model Checkingmentioning

confidence: 99%