Your search keyword '"Michael W. Whalen"' showing total 57 results

1. Java Ranger: Supporting String and Array Operations in Java Ranger (Competition Contribution)

Author

Soha Hussein, Qiuchen Yan, Stephen McCamant, Vaibhav Sharma, and Michael W. Whalen

Abstract

Java Ranger is a path-merging tool for Java Programs. It identifies branching regions of code and summarizes them by generating a disjunctive logical constraint that describes the behavior of the code region. Previously, Java Ranger showed that a reduction of 70% of execution paths is possible when used to merge branching regions of code that support numeric constraints.In this paper, we describe the support of two additional features since participation in SV-COMP 2020: symbolic array and symbolic string operations. Finally, we present a preliminary evaluation of the effect of the structure of the disjunctive constraint on the solver’s performance. Results suggest that certain constraint structures can speed up the performance of Java Ranger.

Published

2023

2. Unsatisfiability Proofs for Distributed Clause-Sharing SAT Solvers

Author

Dawn Michaelson, Dominik Schreiber, Marijn J. H. Heule, Benjamin Kiesl-Reiter, and Michael W. Whalen

Subjects

distributed computing, SAT solving, DATA processing & computer science, proofs, ddc:004

Abstract

Distributed clause-sharing SAT solvers can solve problems up to one hundred times faster than sequential SAT solvers by sharing derived information among multiple sequential solvers working on the same problem. Unlike sequential solvers, however, distributed solvers have not been able to produce proofs of unsatisfiability in a scalable manner, which has limited their use in critical applications. In this paper, we present a method to produce unsatisfiability proofs for distributed SAT solvers by combining the partial proofs produced by each sequential solver into a single, linear proof. Our approach is more scalable and general than previous explorations for parallel clause-sharing solvers, allowing use on distributed solvers without shared memory. We propose a simple sequential algorithm as well as a fully distributed algorithm for proof composition. Our empirical evaluation shows that for large-scale distributed solvers (100 nodes of 16 cores each), our distributed approach allows reliable proof composition and checking with reasonable overhead. We analyze the overhead and discuss how and where future efforts may further improve performance.

Published

2023

3. Inductive Validity Cores

Author

Michael W. Whalen, Mats P. E. Heimdahl, Andrew Gacek, and Elaheh Ghassabani

Subjects

Model checking, Theoretical computer science, Computer science, Approximation algorithm, 020207 software engineering, 02 engineering and technology, Mathematical proof, Set (abstract data type), 0202 electrical engineering, electronic engineering, information engineering, Benchmark (computing), Use case, Completeness (statistics), Requirements analysis, Software, Axiom

Abstract

Symbolic model checkers can construct proofs of properties over highly complex models. However, the results reported by the tool when a proof succeeds do not generally provide much insight to the user. It is often useful for users to have traceability information related to the proof: which portions of the model were necessary to construct it. This traceability information can be used to diagnose a variety of modeling problems such as overconstrained axioms and underconstrained properties, measure completeness of a set of requirements over a model, and assist with design optimization given a set of requirements for an existing or synthesized implementation. In this paper, we present a comprehensive treatment of a suite of algorithms to compute inductive validity cores (IVCs), minimal sets of model elements necessary to construct inductive proofs of safety properties for sequential systems. The algorithms are based on the UNSAT core support built into current SMT solvers and novel encodings of the inductive problem to generate approximate and guaranteed minimal inductive validity cores as well as all inductive validity cores. We demonstrate that our algorithms are correct, describe their implementation in the JKind model checker for Lustre models, and present several use cases for the algorithms. We then present a substantial experiment in which we benchmark the efficiency and efficacy of the algorithms.

Published

2021

4. Migrating Solver State

Author

Armin Biere and Md Solimul Chowdhury and Marijn J. H. Heule and Benjamin Kiesl and Michael W. Whalen, Biere, Armin, Chowdhury, Md Solimul, Heule, Marijn J. H., Kiesl, Benjamin, Whalen, Michael W., Armin Biere and Md Solimul Chowdhury and Marijn J. H. Heule and Benjamin Kiesl and Michael W. Whalen, Biere, Armin, Chowdhury, Md Solimul, Heule, Marijn J. H., Kiesl, Benjamin, and Whalen, Michael W.

Abstract

We present approaches to store and restore the state of a SAT solver, allowing us to migrate the state between different compute resources, or even between different solvers. This can be used in many ways, e.g., to improve the fault tolerance of solvers, to schedule SAT problems on a restricted number of cores, or to use dedicated preprocessing tools for inprocessing. We identify a minimum viable subset of the solver state to migrate such that the loss of performance is small. We then present and implement two different approaches to state migration: one approach stores the state at the end of a solver run whereas the other approach stores the state continuously as part of the proof trace. We show that our approaches enable the generation of correct models and valid unsatisfiability proofs. Experimental results confirm that the overhead is reasonable and that in several cases solver performance actually improves.

Published

2022

5. One-Click Formal Methods

Author

Andrew Gacek, Cole Schlesinger, Michael W. Whalen, John Backes, Carsten Varming, Rima Tanash, Martin Schaef, Byron Cook, Pauline Bolignano, Kasper Søe Luckow, and Neha Rungta

Subjects

business.industry, Computer science, 020207 software engineering, Cloud computing, Access control, 02 engineering and technology, computer.software_genre, Mathematical proof, Formal methods, Automation, Software, 0202 electrical engineering, electronic engineering, information engineering, Web service, Aerospace, business, Software engineering, computer

Abstract

Formal methods are mathematically based approaches for specifying, building, and reasoning about software. Despite 50 years of research and development, formal methods have had only limited impact in industry. While we have seen success in such domains as microprocessor design and aerospace (e.g., proofs of security properties for helicopter control systems1), we have not seen wide adoption of formal methods for large and complex systems, such as web services, industrial automation, or enterprise support software.

Published

2019

6. Synthesis of Infinite-State Systems with Random Behavior

Author

David Greve, Sanjai Rayadurgam, Andreas Katis, Grigory Fedyukovich, Michael W. Whalen, and Jeffrey Chen

Subjects

FOS: Computer and information sciences, Theoretical computer science, Degree (graph theory), Computer science, Knowledge engineering, 020207 software engineering, Context (language use), 02 engineering and technology, Fuzz testing, Variety (cybernetics), Software Engineering (cs.SE), Computer Science - Software Engineering, 0202 electrical engineering, electronic engineering, information engineering, State (computer science), Reactive system, Implementation

Abstract

Diversity in the exhibited behavior of a given system is a desirable characteristic in a variety of application contexts. Synthesis of conformant implementations often proceeds by discovering witnessing Skolem functions, which are traditionally deterministic. In this paper, we present a novel Skolem extraction algorithm to enable synthesis of witnesses with random behavior and demonstrate its applicability in the context of reactive systems. The synthesized solutions are guaranteed by design to meet the given specification,while exhibiting a high degree of diversity in their responses to external stimuli. Case studies demonstrate how our proposed frame-work unveils a novel application of synthesis in model-based fuzz testing to generate fuzzers of competitive performance to general-purpose alternatives, as well as the practical utility of synthesized controllers in robot motion planning problems., 12 pages, 7 figures, The 35th IEEE/ACM International Conference on Automated Software Engineering (ASE 2020)

Published

2020

7. Java Ranger at SV-COMP 2020 (Competition Contribution)

Author

Willem Visser, Stephen McCamant, Soha Hussein, Vaibhav Sharma, and Michael W. Whalen

Subjects

Java, Computer science, Programming language, 020207 software engineering, Java bytecode, 02 engineering and technology, Extension (predicate logic), Symbolic execution, Executor, computer.software_genre, Pathfinder, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Binary code, Architecture, computer, computer.programming_language

Abstract

Path-merging is a known technique for accelerating symbolic execution. One technique, named “veritesting” by Avgerinos et al. uses summaries of bounded control-flow regions and has been shown to accelerate symbolic execution of binary code. But, when applied to symbolic execution of Java code, veritesting needs to be extended to summarize dynamically dispatched methods and exceptional control-flow. Such an extension of veritesting has been implemented in Java Ranger by implementing as an extension of Symbolic PathFinder, a symbolic executor for Java bytecode. In this paper, we briefly describe the architecture of Java Ranger and describe its setup for SV-COMP 2020.

Published

2020

8. A Formal Approach to Constructing Secure Air Vehicle Software

Author

Adam Foltzer, Ihor Kuz, Michal Podhradsky, Darren Cofer, June Andronick, Gernot Heiser, Douglas Alan Stuart, Lee Pike, Gerwin Klein, Andrew Gacek, Michael W. Whalen, and John Backes

Subjects

General Computer Science, Computer science, business.industry, Vulnerability, 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, Software maintenance, Formal methods, Software, Software security assurance, 0202 electrical engineering, electronic engineering, information engineering, Software engineering, business, Formal verification, Vulnerability (computing)

Abstract

Current approaches to cyberresiliency rely on patching systems after a vulnerability is discovered. What is needed is a clean-slate, mathematically based approach for building secure software. We developed new tools based on formal methods for building software for unmanned air vehicles that is provably secure against cyberattacks.

Published

2018

9. Requirements and Architectures for Secure Vehicles

Author

Andrew Gacek, Michael W. Whalen, and Darren Cofer

Subjects

0209 industrial biotechnology, Engineering, business.industry, Reading (computer), Software development, 020207 software engineering, 02 engineering and technology, Construct (python library), Encryption, Computer security, computer.software_genre, Column (database), 020901 industrial engineering & automation, Software, 0202 electrical engineering, electronic engineering, information engineering, Systems architecture, Software requirements, business, computer

Abstract

In the High-Assurance Cyber Military Systems project, researchers are investigating how to construct complex networked-vehicle software securely. Experiments demonstrated that careful attention to requirements and system architecture, along with formally verified approaches that remove known security weaknesses, can lead to vehicles that can withstand attacks from even sophisticated attackers with access to vehicle design data. The Web extra at https://youtu.be/EvG7fjdvyro is an audio podcast of author Michael W. Whalen reading the column that he cowrote with Darren Cofer and Andrew Gacek.

Published

2016

10. The JKind Model Checker

Author

John Backes, Lucas G. Wagner, Michael W. Whalen, Andrew Gacek, and Elaheh Ghassabani

Subjects

State model, Model checking, Computer science, Programming language, 0202 electrical engineering, electronic engineering, information engineering, 020207 software engineering, 020201 artificial intelligence & image processing, 02 engineering and technology, computer.software_genre, Mathematical proof, computer, Smoothing, Counterexample

Abstract

JKind is an open-source industrial model checker developed by Rockwell Collins and the University of Minnesota. JKind uses multiple parallel engines to prove or falsify safety properties of infinite state models. It is portable, easy to install, performance competitive with other state-of-the-art model checkers, and has features designed to improve the results presented to users: inductive validity cores for proofs and counterexample smoothing for test-case generation. It serves as the back-end for various industrial applications.

Published

2018

11. Validity-Guided Synthesis of Reactive Systems from Assume-Guarantee Contracts

Author

Grigory Fedyukovich, Huajun Guo, John Backes, Michael W. Whalen, Arie Gurfinkel, Andrew Gacek, and Andreas Katis

Subjects

Soundness, Model checking, Theoretical computer science, Lustre (programming language), Computer science, 020207 software engineering, 02 engineering and technology, Specification language, Fixed point, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, computer, Reactive system, Program synthesis, computer.programming_language, Problem space

Abstract

Automated synthesis of reactive systems from specifications has been a topic of research for decades. Recently, a variety of approaches have been proposed to extend synthesis of reactive systems from propositional specifications towards specifications over rich theories. We propose a novel, completely automated approach to program synthesis which reduces the problem to deciding the validity of a set of \(\forall \exists \)-formulas. In spirit of IC3/PDR, our problem space is recursively refined by blocking out regions of unsafe states, aiming to discover a fixpoint that describes safe reactions. If such a fixpoint is found, we construct a witness that is directly translated into an implementation. We implemented the algorithm on top of the JKind model checker, and exercised it against contracts written using the Lustre specification language. Experimental results show how the new algorithm outperforms JKind’s already existing synthesis procedure based on k-induction and addresses soundness issues in the k-inductive approach with respect to unrealizable results.

Published

2018

12. Design Considerations for Modeling Modes in Cyber–Physical Systems

Author

Mats P. E. Heimdahl, Sanjai Rayadurgam, Michael W. Whalen, and Anitha Murugesan

Subjects

Medical device, Computer science, business.industry, Design pattern, Cyber-physical system, Control engineering, Software, Automotive systems, Life-critical system, Hardware and Architecture, Electrical and Electronic Engineering, business, Reactive system, Cruise control

Abstract

Editor’s notes: Safety critical systems such as cruise control in automotive systems and variable rate bolus in medical device infusion pumps introduce complexity and reduce the flexibility of incremental code modifications. This paper proposes a generic pattern to structure the mode logic such that additions, modifications, and removal of behaviors could be done in a quick and localized fashion without losing model integrity. The authors illustrate the proposed pattern using the infusion pump as a case study and describe a design pattern for the mode logic of reactive systems that allows for flexible, understandable, and maintainable models.

Published

2015

13. From Requirements to Code: Model Based Development of a Medical Cyber Physical System

Author

John Komp, Anitha Murugesan, BaekGyu Kim, Michael W. Whalen, Oleg Sokolsky, Insup Lee, Lian Duan, Mats P. E. Heimdahl, and Sanjai Rayadurgam

Subjects

System development, Engineering, Engineering management, business.industry, Model-based design, Health care, Code (cryptography), Cyber-physical system, Use of technology, Computer security, computer.software_genre, business, computer

Abstract

The advanced use of technology in medical devices has improved the way health care is delivered to patients. Unfortunately, the increased complexity of modern medical devices poses challenges for development, assurance, and regulatory approval. In an effort to improve the safety of advanced medical devices, organizations such as FDA have supported exploration of techniques to aid in the development and regulatory approval of such systems. In an ongoing research project, our aim is to provide effective development techniques and exemplars of system development artifacts that demonstrate state of the art development techniques.

Published

2017

14. Guest editorial: advanced topics in automated software engineering

Author

Lars Grunske and Michael W. Whalen

Subjects

business.industry, Computer science, Software engineering, business, Software

Published

2018

15. Your 'What' Is My 'How': Iteration and Hierarchy in System Design

Author

Andrew Gacek, Michael W. Whalen, Mats P. E. Heimdahl, Sanjai Rayadurgam, Anitha Murugesan, and Darren Cofer

Subjects

Non-functional requirement, business.industry, Computer science, Software requirements specification, System requirements specification, Formal methods, Software, Formal specification, Design choice, Systems design, Hierarchical control system, Software architecture, Software engineering, business

Abstract

Systems are naturally constructed in hierarchies, in which design choices made at higher levels of abstraction levy requirements on system components at the lower levels. Thus, whether an aspect of a system is a design choice or a requirement largely depends on your vantage point within the system components' hierarchy. Systems are also often constructed from the middle-out rather than top-down; compatibility with existing systems and architectures and availability of specific components influence high-level requirements. Requirements and architectural design should be more closely aligned: requirements models must account for hierarchical system construction and architectural design notations must better support requirements specification for system components.

Published

2013

16. Efficient generation of inductive validity cores for safety properties

Author

Andrew Gacek, Elaheh Ghassabani, and Michael W. Whalen

Subjects

FOS: Computer and information sciences, Model checking, Theoretical computer science, Traceability, Lustre (programming language), Computer science, 020207 software engineering, 02 engineering and technology, Mathematical proof, Software Engineering (cs.SE), Set (abstract data type), Computer Science - Software Engineering, 0202 electrical engineering, electronic engineering, information engineering, Benchmark (computing), 020201 artificial intelligence & image processing, Completeness (statistics), computer, Axiom, computer.programming_language

Abstract

Symbolic model checkers can construct proofs of properties over very complex models. However, the results reported by the tool when a proof succeeds do not generally provide much insight to the user. It is often useful for users to have traceability information related to the proof: which portions of the model were necessary to construct it. This traceability information can be used to diagnose a variety of modeling problems such as overconstrained axioms and underconstrained properties, and can also be used to measure completeness of a set of requirements over a model. In this paper, we present a new algorithm to efficiently compute the inductive validity core (IVC) within a model necessary for inductive proofs of safety properties for sequential systems. The algorithm is based on the UNSAT core support built into current SMT solvers and a novel encoding of the inductive problem to try to generate a minimal inductive validity core. We prove our algorithm is correct, and describe its implementation in the JKind model checker for Lustre models. We then present an experiment in which we benchmark the algorithm in terms of speed, diversity of produced cores, and minimality, with promising results., appears in FSE2016: ACM Sigsoft International Symposium on the Foundations of Software Engineering, Seattle, WA, November 13-19, 2016

Published

2016

17. Towards synthesis from assume-guarantee contracts involving infinite theories

Author

Michael W. Whalen, Andrew Gacek, and Andreas Katis

Subjects

FOS: Computer and information sciences, Model checking, Theoretical computer science, Computer science, business.industry, 020207 software engineering, 02 engineering and technology, Skolem normal form, Solver, Software Engineering (cs.SE), Computer Science - Software Engineering, Software, Preliminary report, Realizability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business

Abstract

In previous work, we have introduced a contract-based real- izability checking algorithm for assume-guarantee contracts involving infinite theories, such as linear integer/real arith- metic and uninterpreted functions over infinite domains. This algorithm can determine whether or not it is possible to con- struct a realization (i.e. an implementation) of an assume- guarantee contract. The algorithm is similar to k-induction model checking, but involves the use of quantifiers to deter- mine implementability. While our work on realizability is inherently useful for vir- tual integration in determining whether it is possible for sup- pliers to build software that meets a contract, it also provides the foundations to solving the more challenging problem of component synthesis. In this paper, we provide an initial synthesis algorithm for assume-guarantee contracts involv- ing infinite theories. To do so, we take advantage of our realizability checking procedure and a skolemization solver for forall-exists formulas, called AE-VAL. We show that it is possible to immediately adapt our existing algorithm towards syn- thesis by using this solver, using a demonstration example. We then discuss challenges towards creating a more robust synthesis algorithm., Comment: 6 pages, 1 figure

Published

2016

18. Machine-Checked Proofs for Realizability Checking Algorithms

Author

Michael W. Whalen, Andrew Gacek, and Andreas Katis

Subjects

Correctness, Theoretical computer science, Computer science, Programming language, 020207 software engineering, 02 engineering and technology, Specification language, Construct (python library), Mathematical proof, computer.software_genre, Satisfiability modulo theories, Realizability, Component (UML), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Algorithm, computer, Integer (computer science)

Abstract

Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions, assume/guarantee contracts, and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. For these proofs to be meaningful, each leaf-level component contract must be realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. We have recently proposed ini¾ź[1] a contract-based realizability checking algorithm for assume/guarantee contracts over infinite theories supported by SMT solvers such as linear integer/real arithmetic and uninterpreted functions. In that work, we used an SMT solver and an algorithm similar to k-induction to establish the realizability of a contract, and justified our approach via a hand proof. Given the central importance of realizability to our virtual integration approach, we wanted additional confidence that our approach was sound. This paper describes a complete formalization of the approach in the Coq proof and specification language. During formalization, we found several small mistakes and missing assumptions in our reasoning. Although these did not compromise the correctness of the algorithm used in the checking tools, they point to the value of machine-checked formalization. In addition, we believe this is the first machine-checked formalization for a realizability algorithm.

Published

2016

19. On Implementing Real-Time Specification Patterns Using Observers

Author

John Komp, Andrew Gacek, John Backes, and Michael W. Whalen

Subjects

Model checking, Programming language, Computer science, Semantics (computer science), Software requirements specification, 020207 software engineering, System requirements specification, 02 engineering and technology, Specification language, computer.software_genre, 020202 computer hardware & architecture, Language Of Temporal Ordering Specification, Formal specification, Formal language, 0202 electrical engineering, electronic engineering, information engineering, computer

Abstract

English language requirements are often used to specify the behavior of complex cyber-physical systems. The process of transforming these requirements to a formal specification language is often challenging, especially if the specification language does not contain constructs analogous to those used in the original requirements. For example, requirements often contain real-time constraints, but many specification languages for model checkers have discrete time semantics. Work in specification patterns helps to bridge these gaps, allowing straightforward expression of common requirements patterns in formal languages. In this work we demonstrate how we support real-time specification patterns in the Assume Guarantee Reasoning Environment AGREE using observers. We demonstrate that there are subtle challenges, not mentioned in previous literature, to express real-time patterns accurately using observers. We then demonstrate that these patterns are sufficient to model real-time requirements for a real-world avionics system.

Published

2016

20. Reasoning about Algebraic Data Types with Abstractions

Author

Andrew Gacek, Michael W. Whalen, and Tuan-Hung Pham

Subjects

FOS: Computer and information sciences, Computer Science - Logic in Computer Science, Catamorphism, Computer Science - Programming Languages, Theoretical computer science, Syntax (programming languages), Computer science, 020207 software engineering, 02 engineering and technology, Decidability, Logic in Computer Science (cs.LO), Set (abstract data type), Computational Theory and Mathematics, Artificial Intelligence, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, 0202 electrical engineering, electronic engineering, information engineering, Algebraic data type, 020201 artificial intelligence & image processing, Variety (universal algebra), Completeness (statistics), Software, Associative property, Programming Languages (cs.PL)

Abstract

Reasoning about functions that operate over algebraic data types is an important problem for a large variety of applications. One application of particular interest is network applications that manipulate or reason about complex message structures, such as XML messages. This paper presents a decision procedure for reasoning about algebraic data types using abstractions that are provided by catamorphisms: fold functions that map instances of algebraic data types to values in a decidable domain. We show that the procedure is sound and complete for a class of catamorphisms that satisfy a generalized sufficient surjectivity condition. Our work extends a previous decision procedure that unrolls catamorphism functions until a solution is found. We use the generalized sufficient surjectivity condition to address an incompleteness in the previous unrolling algorithm (and associated proof). We then propose the categories of monotonic and associative catamorphisms, which we argue provide a more intuitive inclusion test than the generalized sufficient surjectivity condition. We use these notions to address two open problems from previous work: (1) we provide a bound, with respect to formula size, on the number of unrollings necessary for completeness, showing that it is linear for monotonic catamorphisms and exponentially small for associative catamorphisms, and (2) we demonstrate that associative catamorphisms can be combined within a formula while preserving completeness. Our combination results extend the set of problems that can be reasoned about using the catamorphism-based approach. We also describe an implementation of the approach, called RADA, which accepts formulas in an extended version of the SMT-LIB 2.0 syntax. The procedure is quite general and is central to the reasoning infrastructure for Guardol, a domain-specific language for reasoning about network guards., Comment: To appear in Journal of Automated Reasoning

Published

2016

21. A DSL for cross-domain security

Author

Tuang-Hung Pham, Michael W. Whalen, David S. Hardin, and Konrad Slind

Subjects

Domain-specific language, Guard (information security), Programming language, Computer science, computer.software_genre, Higher-order logic, Domain (software engineering), Digital subscriber line, Recursive functions, Code (cryptography), General Earth and Planetary Sciences, computer, Formal verification, General Environmental Science

Abstract

Guardol is a domain-specific language focused on the creation of high-assurance network guards and the specification of guard properties. The Guardol system generates Ada code from Guardol programs and also provides specification and automated verification support. Guard programs and specifications are translated to higher order logic, then deductively transformed to a form suitable for a SMT-style decision procedure for recursive functions over tree-structured data. The result is that difficult properties of Guardol programs can be proved fully automatically.

Published

2012

22. Software model checking takes off

Author

Steven P. Miller, Darren Cofer, and Michael W. Whalen

Subjects

Model checking, General Computer Science, Computer science, business.industry, Software model checking, Embedded system, Abstraction model checking, business

Abstract

A translator framework enables the use of model checking in complex avionics systems and other industrial settings.

Published

2010

23. Extending Lustre with Timeout Automata

Author

Eric Van Wyk, Jimin Gao, and Michael W. Whalen

Subjects

attribute grammars, General Computer Science, Lustre (programming language), Computer science, Programming language, composable language extensions, 020207 software engineering, 02 engineering and technology, computer.software_genre, Extensibility, Automaton, Theoretical Computer Science, extensible languages, Asynchronous communication, 020204 information systems, synchronous languages, 0202 electrical engineering, electronic engineering, information engineering, Timeout, computer, computer.programming_language, Computer Science(all)

Abstract

This paper describes an extension to Lustre to support the analysis of globally asynchronous, locally synchronous (GALS) architectures. This extension consists of constructs for directly specifying the timeout automata used to describe asynchronous communication between processes represented by Lustre nodes. It is implemented using an extensible language framework based on attribute grammars that allows such extensions to be modularly defined so that they may be more easily composed with other language extensions.

Published

2008

24. Hierarchical multi-formalism proofs of cyber-physical systems

Author

Oleg Sokolsky, Michael W. Whalen, Elaheh Ghassabani, Anitha Murugesan, Mats P. E. Heimdahl, Sanjai Rayadurgam, and Insup Lee

Subjects

Theoretical computer science, Embedded software, Discrete time and continuous time, Computer science, Scalability, Cyber-physical system, Cost accounting, Semantics, Mathematical proof, Automaton

Abstract

To manage design complexity and provide verification tractability, models of complex cyber-physical systems are typically hierarchically organized into multiple abstraction layers. High-level analysis explores interactions of the system with its physical environment, while embedded software is developed separately based on derived requirements. This separation of low-level and high-level analysis also gives hope to scalability, because we are able to use tools that are appropriate for each level. When attempting to perform compositional reasoning in such an environment, care must be taken to ensure that results from one tool can be used in another to avoid errors due to “mismatches” in the semantics of the underlying formalisms. This paper proposes a formal approach for linking high-level continuous time models and lower-level discrete time models.

Published

2015

25. A Flexible and Non-intrusive Approach for Computing Complex Structural Coverage Metrics

Author

Michael W. Whalen, Suzette Person, Neha Rungta, Matt Staats, and Daniela Grijincu

Published

2015

26. Requirements Analysis of a Quad-Redundant Flight Control System

Author

Steven P. Miller, Michael W. Whalen, Darren Cofer, and John Backes

Subjects

Model checking, Computer science, Component-based software engineering, Systems engineering, Systems architecture, Verification, Avionics, Requirements analysis, Software verification, Domain (software engineering)

Abstract

In this paper we detail our effort to formalize and prove requirements for the Quad-redundant Flight Control System (QFCS) within NASA’s Transport Class Model (TCM). We use a compositional approach with assume-guarantee contracts that correspond to the requirements for software components embedded in an AADL system architecture model. This approach is designed to exploit the verification effort and artifacts that are already part of typical software verification processes in the avionics domain. Our approach is supported by an AADL annex that allows specification of contracts along with a tool, called AGREE, for performing compositional verification. The goal of this paper is to show the benefits of a compositional verification approach applied to a realistic avionics system and to demonstrate the effectiveness of the AGREE tool in performing this analysis.

Published

2015

27. Towards Realizability Checking of Contracts Using Theories

Author

Darren Cofer, Andreas Katis, John Backes, Michael W. Whalen, and Andrew Gacek

Subjects

Architecture description language, Correctness, Computer science, Engineering support, Programming language, 020207 software engineering, 02 engineering and technology, computer.software_genre, Mathematical proof, Reliability engineering, Realizability, Component (UML), Premise, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Temporal logic, computer

Abstract

Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. Such proofs build from “leaf-level” assume/guarantee component contracts through architectural layers towards top-level safety properties. The proofs are built upon the premise that each leaf-level component contract is realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. Without engineering support it is all too easy to write leaf-level components that can’t be realized. Realizability checking for propositional contracts has been well-studied for many years, both for component synthesis and checking correctness of temporal logic requirements. However, checking realizability for contracts involving infinite theories is still an open problem. In this paper, we describe a new approach for checking realizability of contracts involving theories and demonstrate its usefulness on several examples.

Published

2015

28. Proving the shalls

Author

Michael W. Whalen, Alan C. Tribble, Mats P. E. Heimdahl, and Steven P. Miller

Subjects

Model checking, business.industry, Computer science, Software development, Formal methods, System requirements, Formal specification, Software requirements, Software engineering, business, Formal verification, Software, Natural language, Information Systems

Abstract

Incomplete, inaccurate, ambiguous, and vola-tile requirements have plagued the software industry since its inception. The convergence of model-based development and formal methods offers developers of safety-critical systems a powerful new approach to the early validation of requirements. This paper describes an exercise conducted to determine if formal methods could be used to validate system requirements early in the lifecycle at reasonable cost. Several hundred functional and safety requirements for the mode logic of a typical flight guidance system were captured as natural language “shall” statements. A formal model of the mode logic was written in the RSML−e language and translated into the NuSMV model checker and the PVS theorem prover using translators developed as part of the project. Each “shall” statement was manually translated into a NuSMV or PVS property and proven using these tools. Numerous errors were found in both the original requirements and the RSML−e model. This demonstrates that formal models can be written for realistic systems and that formal analysis tools have matured to the point where they can be effectively used to find errors before implementation.

Published

2006

29. Deviation Analysis: A New Use of Model Checking

Author

Yunja Choi, Mats P. E. Heimdahl, and Michael W. Whalen

Subjects

Model checking, Computer science, Robustness (computer science), Control system, Symbolic trajectory evaluation, Software requirements specification, Abstraction model checking, Symbolic execution, Algorithm, Software

Abstract

Inaccuracies, or deviations, in the measurements of monitored variables in a control system are facts of life that control software must accommodate. Deviation analysis can be used to determine how a software specification will behave in the face of such deviations. Deviation analysis is intended to answer questions such as "What is the effect on output O if input I is off by 0 to 100?". This property is best checked with some form of symbolic execution approach. In this report we wish to propose a new approach to deviation analysis using model checking techniques. The key observation that allows us to use model checkers is that the property can be restated as "Will there be an effect on output O if input I is off by 0 to 100?"--this restatement of the property changes the analysis from an exploratory analysis to a verification task suitable for model checking.

Published

2005

30. Resolute: An Assurance Case Language for Architecture Models

Author

Konrad Slind, John Backes, Andrew Gacek, Michael W. Whalen, and Darren Cofer

Subjects

FOS: Computer and information sciences, Structure (mathematical logic), Correctness, Computer science, Programming language, Mathematical proof, Formal methods, computer.software_genre, System model, Software Engineering (cs.SE), Set (abstract data type), Computer Science - Software Engineering, Argument, General Earth and Planetary Sciences, Architectural model, computer, General Environmental Science

Abstract

Arguments about the safety, security, and correctness of a complex system are often made in the form of an assurance case. An assurance case is a structured argument, often represented with a graphical interface, that presents and supports claims about a system's behavior. The argument may combine different kinds of evidence to justify its top level claim. While assurance cases deliver some level of guarantee of a system's correctness, they lack the rigor that proofs from formal methods typically provide. Furthermore, changes in the structure of a model during development may result in inconsistencies between a design and its assurance case. Our solution is a framework for automatically generating assurance cases based on 1) a system model specified in an architectural design language, 2) a set of logical rules expressed in a domain specific language that we have developed, and 3) the results of other formal analyses that have been run on the model. We argue that the rigor of these automatically generated assurance cases exceeds those of traditional assurance case arguments because of their more formal logical foundation and direct connection to the architectural model., 9 pages, accepted to HILT 2014

Published

2014

31. Structuring simulink models for verification and reuse

Author

Mats P. E. Heimdahl, Michael W. Whalen, Anitha Murugesan, and Sanjai Rayadurgam

Subjects

Engineering, Source code, Process (engineering), business.industry, media_common.quotation_subject, Software development, Stateflow, Structuring, Software, Model-based design, Systems engineering, Code generation, business, computer, media_common, computer.programming_language

Abstract

Model-based development (MBD) tool suites such as Simulink and Stateflow offer powerful tools for design, development, and analysis of models. These models can be used for several purposes: for code generation, for prototyping, as descriptions of an environment (plant) that will be controlled by software, as oracles for a testing process, and many other aspects of software development. In addition, a goal of model-based development is to develop reusable models that can be easily managed in a version-controlled continuous integration process. Although significant guidance exists for proper structuring of source code for these purposes, considerably less guidance exists for MBD approaches. In this paper, we discuss structuring issues in constructing models to support use (and reuse) of models for design and verification in critical software development projects. We illustrate our approach using a generic patient-controlled analgesia infusion pump (GPCA), a medical cyber-physical system.

Published

2014

32. Moving the goalposts: coverage satisfaction is not enough

Author

Gregory Gay, Matt Staats, Michael W. Whalen, and Mats P. E. Heimdahl

Subjects

Engineering, Measure (data warehouse), Software testing, business.industry, Certification, business, Empirical evidence, Fault detection and isolation, Reliability engineering, Test (assessment)

Abstract

Structural coverage criteria have been proposed to measure the adequacy of testing efforts. Indeed, in some domains—e.g., critical systems areas—structural coverage criteria must be satisfied to achieve certification. The advent of powerful search-based test generation tools has given us the ability to generate test inputs to satisfy these structural coverage criteria. While tempting, recent empirical evidence indicates these tools should be used with caution, as merely achieving high structural coverage is not necessarily indicative of high fault detection ability. In this report, we review some of these findings, and offer recommendations on how the strengths of search-based test generation methods can alleviate these issues.

Published

2014

33. Linking abstract analysis to concrete design: A hierarchical approach to verify medical CPS safety

Author

Insup Lee, Oleg Sokolsky, Michael W. Whalen, Anitha Murugesan, Mats P. E. Heimdahl, and Sanjai Rayadurgam

Subjects

High-level verification, Theoretical computer science, Functional verification, Computer science, Component (UML), Runtime verification, Verification, Abstraction layer, Abstraction (linguistics), Intelligent verification

Abstract

To manage design complexity and provide verification tractability, models of complex cyber-physical systems are typically hierarchically organized into multiple abstraction layers. Formal reasoning about such systems, therefore, usually involves multiple modeling formalisms, verification paradigms, and associated tools. System properties verified using an abstract component specification in one paradigm must be shown to logically follow from properties verified --- possibly using a different paradigm --- on a more concrete component description. As component specifications at one layer of abstraction get elaborated into more concrete component descriptions at the next lower level, abstraction induced differences come to the fore; differences that have to be reconciled. In this paper, we present an approach to tie together distinct verification paradigms and reconcile these abstraction induced differences using a medical device cyber-physical system as an example. While the specifics are particular to the example at hand, we believe the techniques are applicable in similar situations for verifying cyber-physical system properties.

Published

2014

34. An Improved Unrolling-Based Decision Procedure for Algebraic Data Types

Author

Tuan-Hung Pham and Michael W. Whalen

Subjects

Catamorphism, Predicate abstraction, Theoretical computer science, Fold (higher-order function), Computer science, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Algebraic data type, Monotonic function, Data type, Algorithm, Decidability

Abstract

Reasoning about algebraic data types and functions that operate over these data types is an important problem for a large variety of applications. In this paper, we present a decision procedure for reasoning about data types using abstractions that are provided by catamorphisms: fold functions that map instances of algebraic data types into values in a decidable domain. We show that the procedure is sound and complete for a class of monotonic catamorphisms. Our work extends a previous decision procedure that solves formulas involving algebraic data types via successive unrollings of catamorphism functions. First, we propose the categories of monotonic catamorphisms and associative-commutative catamorphisms, which we argue provide a better formal foundation than previous categorizations of catamorphisms. We use monotonic catamorphisms to fix an incompleteness in the previous unrolling algorithm and associated proof. We then use these notions to address two open problems from previous work: 1 we provide a bound on the number of unrollings necessary for completeness, showing that it is exponentially small with respect to formula size for associative-commutative catamorphisms, and 2 we demonstrate that associative-commutative catamorphisms can be combined within a formula whilst preserving completeness.

Published

2014

35. Compositional verification of a medical device system

Author

Anitha Murugesan, Michael W. Whalen, Sanjai Rayadurgam, and Mats P. E. Heimdahl

Subjects

High-level verification, Functional verification, Programming language, Computer science, Architecture Analysis & Design Language, Runtime verification, Stateflow, computer.software_genre, General Earth and Planetary Sciences, Verification, Software system, computer, Software verification, General Environmental Science, computer.programming_language

Abstract

Complex systems are by necessity hierarchically organized. Decomposition into subsystems allows for intellectual control, as well as enabling different subsystems to be created by distinct teams. This decomposition affects both requirements and architecture. The architecture describes the structure and this affects how requirements ``flow down'' to each subsystem. Moreover, discoveries in the design process may affect the requirements. Demonstrating that a complex system satisfies its requirements when the subsystems are composed is a challenging problem. In this paper, we present a medical device case example where we apply an iterative approach to architecture and verification based on software architectural models. We represent the hierarchical composition of the system in the Architecture Analysis and Design Language (AADL), and use an extension to the AADL language to describe the requirements at different levels of abstraction for compositional verification. The component-level behavior for the model is described in Simulink/Stateflow. We assemble proofs of system level properties by using the Simulink Design Verifier to establish component-level properties and an open-source plug-in for the OSATE AADL environment to perform the compositional verification of the architecture. This combination of verification tools allows us to iteratively explore design and verification of detailed behavioral models, and to scale formal analysis to large software systems.

Published

2013

36. Your what is my how: Why requirements and architectural design should be iterative

Author

Anitha Murugesan, Michael W. Whalen, and Mats P. E. Heimdahl

Subjects

System requirements, Requirements management, Requirement, Non-functional requirement, Computer science, Systems engineering, Software requirements specification, Non-functional testing, System requirements specification, Requirements analysis

Abstract

Systems are naturally constructed in hierarchies in which design choices made at higher levels of abstraction levy requirements on system components at lower levels of abstraction. Thus, whether an aspect of the system is a design choice or a requirement depends largely on one's location within the hierarchy of system components. In addition, it is often the case that systems are not constructed top-down, but rather middle-out; compatibility with existing systems and architectures, or availability of specific physical components may influence high-level requirements. Despite these facts, several of the reference models commonly used for requirements, including the four-variable model and world machine model, do not account for hierarchical decomposition. In this position paper, we argue that requirements and architectural design should be more closely aligned: that requirements reference models should account for hierarchical system construction, and that architectural design notations should better support specification of requirements for system components. We briefly describe work to this end that was performed on the META II project and describe the gaps in this work that need to be addressed to meet practitioner needs.

Published

2012

37. The hidden models of model checking

Author

Michael W. Whalen, Matthew B. Dwyer, and Willem Visser

Subjects

Model checking, Theoretical computer science, Software, business.industry, Computer science, Modeling and Simulation, Software engineering, business, Formal methods, Value (mathematics)

Abstract

In the past, applying formal analysis, such as model checking, to industrial problems required a team of formal methods experts and a great deal of effort. Model checking has become popular, because model checkers have evolved to allow domain-experts, who lack model checking expertise, to analyze their systems. What made this shift possible and what roles did models play in this? That is the main question we consider here. We survey approaches that transform domain-specific input models into alternative forms that are invisible to the user and which are amenable to model checking using existing techniques--we refer to these as hidden models. We observe that keeping these models hidden from the user is in fact paramount to the success of the domain-specific model checker. We illustrate the value of hidden models by surveying successful examples of their use in different areas of model checking (hardware and software) and how a lack of suitable models hamper a new area (biological systems).

Published

2012

38. Integrating Statechart Components in Polyglot

Author

Gabor Karsai, Daniel Balasubramanian, Thomas Pressburger, Jason Biatek, Michael W. Whalen, Michael Lowry, and Corina S. Păsăreanu

Subjects

Programming language, Asynchronous communication, Computer science, Formalism (philosophy), Polyglot, computer.software_genre, computer, Reactive system, Scheduling (computing)

Abstract

Statecharts is a model-based formalism for simulating and analyzing reactive systems. In our previous work, we developed Polyglot, a unified framework for analyzing different semantic variants of Statechart models. However, for systems containing communicating, asynchronous components deployed on a distributed platform, additional features not inherent to the basic Statecharts paradigm are needed. These include a connector mechanism for communication, a scheduling framework for sequencing the execution of individual components, and a method for specifying verification properties spanning multiple components. This paper describes the addition of these features to Polyglot, along with an example NASA case study using these new features. Furthermore, the paper describes on-going work on modeling Plexil execution plans with Polyglot, which enables the study of interaction issues for future manned and unmanned missions.

Published

2012

39. The Guardol Language and Verification System

Author

David S. Hardin, Konrad Slind, Tuan-Hung Pham, and Michael W. Whalen

Subjects

Computer science, Termination proof, Programming language, Recursive functions, Verification system, Guard (computer science), computer.software_genre, Higher-order logic, computer

Abstract

Guardol is a domain-specific language designed to facilitate the construction of correct network guards operating over tree-shaped data. The Guardol system generates Ada code from Guardol programs and also provides specification and automated verification support. Guard programs and specifications are translated to higher order logic, then deductively transformed to a form suitable for a SMT-style decision procedure for recursive functions over tree-structured data. The result is that difficult properties of Guardol programs can be proved fully automatically.

Published

2012

40. Incremental Verification with Mode Variable Invariants in State Machines

Author

Michael W. Whalen, Pierre-Loïc Garoche, Temesghen Kahsai, and Cesare Tinelli

Subjects

Model checking, High-level verification, Dependency graph, Finite-state machine, Modal, Functional verification, Computer science, Runtime verification, Invariant (mathematics), Algorithm

Abstract

We describe two complementary techniques to aid the automatic verification of safety properties of synchronous systems by model checking. A first technique allows the automatic generation of certain inductive invariants for mode variables. Such invariants are crucial in the verification of safety properties in systems with complex modal behavior. A second technique allows the simultaneous verification of multiple properties incrementally. Specifically, the outcome of a property--valid or invalid--is communicated to the user as soon as it is known. Moreover, each property proven valid is used immediately as an invariant in the model checking procedure to aid the verification of the remaining properties. We have implemented these techniques as new options in the Kind model checker. Experimental evidence shows that these two techniques combine synergistically to increase Kind's precision as well as its speed.

Published

2012

41. Compositional Verification of Architectural Models

Author

Michael W. Whalen, Darren Cofer, Lui Sha, Brian LaValley, Steven P. Miller, and Andrew Gacek

Subjects

Soundness, Correctness, business.industry, Systems Modeling Language, Computer science, Design flow, Software design pattern, Systems architecture, Systems engineering, Systems design, Software engineering, business, Formal methods

Abstract

This paper describes a design flow and supporting tools to significantly improve the design and verification of complex cyber-physical systems. We focus on system architecture models composed from libraries of components and complexity-reducing design patterns having formally verified properties. This allows new system designs to be developed rapidly using patterns that have been shown to reduce unnecessary complexity and coupling between components. Components and patterns are annotated with formal contracts describing their guaranteed behaviors and the contextual assumptions that must be satisfied for their correct operation. We describe the compositional reasoning framework that we have developed for proving the correctness of a system design, and provide a proof of the soundness of our compositional reasoning approach. An example based on an aircraft flight control system is provided to illustrate the method and supporting analysis tools.

Published

2012

42. Model Checking Information Flow

Author

Lucas G. Wagner, Michael W. Whalen, and David A. Greve

Subjects

Model checking, business.industry, Programming language, Computer science, Dataflow, Security domain, computer.software_genre, Domain (software engineering), Esterel, Software, Flow (mathematics), Information flow (information theory), business, computer, computer.programming_language

Abstract

Information flow modeling describes how information can be transferred between different locations within a software and/or hardware system. In this chapter, we define a notion of information flow based on traces that is useful for describing flow relations for synchronous dataflow languages such as SimulinkⓇ (The Mathworks, Inc.) and SCADE™ (Esterel Technologies, Inc.) that are often used for hardware/software codesign. We then define an automated method for analyzing information flow properties of Simulink models using model checking. This method is based on creating a flow model that tracks information flow throughout the model. Often, information flow properties are defined in terms of some form of noninterference, which states informally that objects in one security domain cannot perceive the actions of objects within another domain. We demonstrate that this method preserves the GWV functional notion of noninterference. We then describe how this proof relates to the GWV theorem and provide some insight into the relationship of the flow model and the flow graphs used in GWVr1. Finally, we demonstrate our analysis technique by analyzing the architecture of the Turnstile high-assurance cross-domain guard platform using our Gryphon translation framework and the Prover™ model checker.

Published

2010

43. Development of Security Software: A High Assurance Methodology

Author

D. Randolph Johnson, Michael W. Whalen, T. Douglas Hiratzka, David S. Hardin, and Lucas G. Wagner

Subjects

Functional specification, Model checking, Correctness, business.industry, Computer science, Software development, System requirements, Software, Software security assurance, Software quality analyst, Code generation, Software verification and validation, Software engineering, business, Formal verification, Software verification

Abstract

This paper reports on a project to exercise, evaluate and enhance a methodology for developing high assurance software for an embedded system controller. In this approach, researchers at the National Security Agency capture system requirements precisely and unambiguously through functional specifications in Z. Rockwell Collins then implements these requirements using an integrated, model-based software development approach. The development effort is supported by a tool chain that provides automated code generation and support for formal verification. The specific system is a prototype high speed encryption system, although the controller could be adapted for use in a variety of critical systems in which very high assurance of correctness, reliability, and security or safety properties is essential.

Published

2009

44. The effect of program and model structure on mc/dc test adequacy coverage

Author

Michael W. Whalen, Ajitha Rajan, and Mats P. E. Heimdahl

Subjects

Computer science, business.industry, Software engineering, business

Published

2008

45. Requirements Coverage as an Adequacy Measure for Conformance Testing

Author

Mats P. E. Heimdahl, Matt Staats, Ajitha Rajan, and Michael W. Whalen

Subjects

Measure (data warehouse), Modified condition/decision coverage, Linear temporal logic, Computer science, Test suite, Conformance testing, Computer security, computer.software_genre, computer, Reliability engineering, Test (assessment)

Abstract

Conformance testing in model-based development refers to the testing activity that verifies whether the code generated (manually or automatically) from the model is behaviorally equivalent to the model. Presently the adequacy of conformance testing is inferred by measuring structural coverage achieved over the model. We hypothesize that adequacy metrics for conformance testing should consider structural coverage over the requirementseither in place of or in addition to structural coverage over the model. Measuring structural coverage over the requirements gives a notion of how well the conformance tests exercise the required behavior of the system. We conducted an experiment to investigate the hypothesis stating structural coverage over formal requirements is more effective than structural coverage over the model as an adequacy measure for conformance testing. We found that the hypothesis was rejected at 5% statistical significance on three of the four case examples in our experiment. Nevertheless, we found that the tests providing requirements coverage found several faults that remained undetected by tests providing model coverage. We thus formed a second hypothesis stating that complementing model coverage with requirements coverage will prove more effective as an adequacy measure than solely using model coverage for conformance testing. In our experiment, we found test suites providing both requirements coverage and model coverage to be more effective at finding faults than test suites providing model coverage alone, at 5% statistical significance. Based on our results, we believe existing adequacy measures for conformance testing that only consider model coverage can be strengthened by combining them with rigorous requirements coverage metrics.

Published

2008

46. Integration of Formal Analysis into a Model-Based Software Development Process

Author

Darren Cofer, Steven P. Miller, Bruce H. Krogh, Michael W. Whalen, and Walter Storm

Subjects

Software development process, Life-critical system, business.industry, Computer science, Formal specification, Package development process, Avionics software, Software verification and validation, Software engineering, business, Formal methods, Formal verification

Abstract

The next generation of military aerospace systems will includeadvanced control systems whose size and complexity will challenge currentverification and validation approaches. The recent adoption by the aerospaceindustry of model-based development tools such as Simulink® and SCADESuite™ is removing barriers to the use of formal methods for the verification ofcritical avionics software. Formal methods use mathematics to prove that softwaredesign models meet their requirements, and so can greatly increase confidencein the safety and correctness of software. Recent advances in formalanalysis tools have made it practical to formally verify important properties ofthese models to ensure that design defects are identified and corrected early inthe lifecycle. This paper describes how formal analysis tools can be insertedinto a model-based development process to decrease costs and increase qualityof critical avionics software.

Published

2008

47. Model Validation using Automatically Generated Requirements-Based Tests

Author

Ajitha Rajan, Michael W. Whalen, and Mats P.E. Heimdahl

Subjects

Social software engineering, business.industry, Computer science, Exception handling, Software development, Software requirements specification, 020207 software engineering, 02 engineering and technology, Application lifecycle management, Software construction, 0202 electrical engineering, electronic engineering, information engineering, Systems engineering, 020201 artificial intelligence & image processing, Software requirements, Software verification and validation, business, Software engineering

Published

2007

48. Coverage metrics for requirements-based testing

Author

Mats P. E. Heimdahl, Ajitha Rajan, Michael W. Whalen, and Steven P. Miller

Subjects

Model-based testing, Test case, Computer science, business.industry, White-box testing, Test suite, Code coverage, Software requirements specification, Non-functional testing, Software engineering, business, Requirements analysis, Reliability engineering

Abstract

In black-box testing, one is interested in creating a suite of tests from requirements that adequately exercise the behavior of a software system without regard to the internal structure of the implementation. In current practice, the adequacy of black box test suites is inferred by examining coverage on an executable artifact, either source code or a software model.In this paper, we define structural coverage metrics directly on high-level formal software requirements. These metrics provide objective, implementation-independent measures of how well a black-box test suite exercises a set of requirements. We focus on structural coverage criteria on requirements formalized as LTL properties and discuss how they can be adapted to measure finite test cases. These criteria can also be used to automatically generate a requirements-based test suite. Unlike model or code-derived test cases, these tests are immediately traceable to high-level requirements. To assess the practicality of our approach, we apply it on a realistic example from the avionics domain.

Published

2006

49. Providing the shalls

Author

Steven P. Miller, Alan C. Tribble, Michael W. Whalen, and Mats P. E. Heimdahl

Subjects

Software, Information Systems

Published

2006

50. A PROPOSAL FOR MODEL-BASED SAFETY ANALYSIS

Author

Mats P. E. Heimdahl, Anjali Joshi, Michael W. Whalen, and Steven P. Miller

Subjects

Fault tree analysis, Engineering, Risk analysis (engineering), business.industry, Process (engineering), Safety engineering, Systems architecture, System safety, Fault model, Hazard analysis, business, Reliability engineering, System model

Abstract

System safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. Since these analyses are usually based on an informal system model, it is unlikely that they will be complete, consistent, and error free. In fact, the lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to finding undocumented details of the system behavior and embedding this information in the safety artifacts such as the fault trees. In this paper we propose an approach, Model-Based Safety Analysis, in which the system and safety engineers use the same system models created during a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis. We believe that by using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the safety analysis. Here we present our vision of model-based safety analysis and discuss the advantages and challenges in making this approach practical.

Published

2006