2.9 Bibliographic notes

The source code of all complete Alloy modules from this chapter (working under Alloy 2.0 and 2.1), as well as source code compliant with Alloy 3.0, is available as ancillary material at the book's website. The PDS model grew out of a coursework set in the Fall of 2002 for C475 Software Engineering Environments, co-taught by Susan Eisenbach and the first author; a published model customized for the .NET global assembly cache appeared in [EJC03].

The modelling language Alloy and its constraint analyzer [JSS01] have been developed by D. Jackson and his Software Design Group at the Laboratory for Computer Science at the Massachusetts Institute of Technology. The tool has a dedicated repository website at alloy. More information on typed higher-order logics and their use in the modelling and verifying of programming frameworks can be found on F. Pfenning's course homepage on Computation and Deduction, www-2.cs.cmu.edu/~fp/courses/comp-ded/.

3 Verification by model checking

3.1 Motivation for verification

There is a great advantage in being able to verify the correctness of computer systems, whether they are hardware, software, or a combination. This is most obvious in the case of safety-critical systems, but it also applies to systems that are commercially critical (such as mass-produced chips), mission critical, etc. Formal verification methods have quite recently become usable by industry, and there is a growing demand for professionals able to apply them.

In this chapter, and the next one, we examine two applications of logics to the question of verifying the correctness of computer systems, or programs. Formal verification techniques can be thought of as comprising three parts:

- a framework for modelling systems, typically a description language of some sort;
- a specification language for describing the properties to be verified;
- a verification method to establish whether the description of a system satisfies the specification.

Approaches to verification can be classified according to the following criteria.

Proof-based vs. model-based. In a proof-based approach, the system description is a set of formulas (in a suitable logic) and the specification is another formula. The verification method consists of trying to find a proof that the specification follows from the system description. This typically requires guidance and expertise from the user. In a model-based approach, the system is represented by a model M for an appropriate logic.

The specification is again represented by a formula, and the verification method consists of computing whether the model M satisfies that formula. This computation is usually automatic for finite models.

In Chapters 1 and 2, we could see that logical proof systems are often sound and complete, meaning that a formula is provable from a set of premises if, and only if, it is semantically entailed by them, where the latter is defined as follows: for all models M, if M satisfies every premise, then M satisfies the formula. Thus, we see that the model-based approach is potentially simpler than the proof-based approach, for it is based on a single model M rather than a possibly infinite class of them.

Degree of automation. Approaches differ on how automatic the method is; the extremes are fully automatic and fully manual. Many of the computer-assisted techniques are somewhere in the middle.

Full- vs. property-verification. The specification may describe a single property of the system, or it may describe its full behaviour. The latter is typically expensive to verify.

Intended domain of application, which may be hardware or software; sequential or concurrent; reactive or terminating; etc. A reactive system is one which reacts to its environment and is not meant to terminate (e.g., operating systems, embedded systems and computer hardware).

Pre- vs. post-development. Verification is of greater advantage if introduced early in the course of system development, because errors caught earlier in the production cycle are less costly to rectify. (It is alleged that Intel lost millions of dollars by releasing their Pentium chip with the FDIV error.)

This chapter concerns a verification method called model checking.

In terms of the above classification, model checking is an automatic, model-based, property-verification approach. It is intended to be used for concurrent, reactive systems and originated as a post-development methodology. Concurrency bugs are among the most difficult to find by testing (the activity of running several simulations of important scenarios), since they tend to be non-reproducible or not covered by test cases, so it is well worth having a verification technique that can help one to find them.

The Alloy system described in Chapter 2 is also an automatic, model-based, property-verification approach. The way models are used is slightly different, however. Alloy finds models which form counterexamples to assertions made by the user.

Model checking starts with a model described by the user, and discovers whether hypotheses asserted by the user are valid on the model. If they are not, it can produce counterexamples, consisting of execution traces. Another difference between Alloy and model checking is that model checking (unlike Alloy) focuses explicitly on temporal properties and the temporal evolution of systems.
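The workflow just described, in miniature, as an added example that is not code from the book: the user supplies a model (here a hand-written transition system of two processes sharing a lock flag; the process names, states and action labels are constructed for this illustration) and a property (the invariant that both processes are never in their critical section at the same time). The checker exhaustively explores every reachable state of the finite model and, when the invariant fails, returns an execution trace from the initial state to the violating state, exactly the kind of counterexample the text refers to. The naive model reads the lock flag and sets it in two separate steps, the classic check-then-act race that testing rarely reproduces; the corrected model does both in one atomic step.

```python
"""Miniature explicit-state model checker for an invariant (safety) property.

Added illustration, not code from the book. The model is a constructed
transition system: two processes, each with a program counter, sharing a
boolean lock flag. The specification is the invariant that both processes
are never in their critical section at once. The checker explores the
reachable state space breadth-first and, on a violation, returns the
execution trace that reaches it (the shortest one, because of BFS).
"""
from collections import deque

IDLE, READY, CRIT = "idle", "ready", "crit"
INIT = (IDLE, IDLE, False)  # (pc of process 0, pc of process 1, lock busy?)


def check_invariant(init, successors, invariant):
    """Return None if `invariant` holds in every state reachable from `init`,
    otherwise a counterexample: a list of (action, state) pairs leading from
    `init` to the first violating state found."""
    parent = {init: None}          # state -> (predecessor, action); doubles as visited set
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            return _trace_to(parent, state)
        for action, nxt in successors(state):
            if nxt not in parent:  # each state is expanded at most once
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None


def _trace_to(parent, state):
    """Walk the predecessor links back to the initial state and reverse them."""
    trace = []
    while parent[state] is not None:
        prev, action = parent[state]
        trace.append((action, state))
        state = prev
    trace.reverse()
    return trace


def _set(state, i, pc, busy=None):
    """Copy of `state` with process i's program counter (and optionally the lock) changed."""
    pcs = list(state[:2])
    pcs[i] = pc
    return (pcs[0], pcs[1], state[2] if busy is None else busy)


def naive_successors(state):
    """Constructed model: a process first reads the lock flag, then sets it in a
    separate step (check-then-act). Interleaving is modelled by letting either
    process take the next step from any state."""
    busy = state[2]
    for i in range(2):
        pc = state[i]
        if pc == IDLE and not busy:
            yield f"p{i} reads busy=False", _set(state, i, READY)
        elif pc == READY:
            yield f"p{i} sets busy=True, enters critical", _set(state, i, CRIT, busy=True)
        elif pc == CRIT:
            yield f"p{i} sets busy=False, leaves critical", _set(state, i, IDLE, busy=False)


def atomic_successors(state):
    """Corrected model: test and set of the lock flag happen in one atomic step."""
    busy = state[2]
    for i in range(2):
        pc = state[i]
        if pc == IDLE and not busy:
            yield f"p{i} test-and-sets lock, enters critical", _set(state, i, CRIT, busy=True)
        elif pc == CRIT:
            yield f"p{i} sets busy=False, leaves critical", _set(state, i, IDLE, busy=False)


def mutual_exclusion(state):
    """The property to verify: never both processes in the critical section."""
    return not (state[0] == CRIT and state[1] == CRIT)


if __name__ == "__main__":
    for name, model in (("naive", naive_successors), ("atomic", atomic_successors)):
        result = check_invariant(INIT, model, mutual_exclusion)
        if result is None:
            print(f"{name}: invariant holds on all reachable states")
        else:
            print(f"{name}: invariant violated, counterexample trace:")
            for step, (action, state) in enumerate(result, 1):
                print(f"  {step}. {action} -> {state}")
```

Run stand-alone, the naive model yields a four-step trace (both processes read the flag as free before either sets it) and the atomic model is reported as satisfying the invariant. The contrast with Alloy is visible in the shape of the output: Alloy would return an instance (a snapshot of relations) that refutes an assertion, whereas the checker returns a sequence of states, which is why model checking is the natural tool for temporal properties. Real model checkers differ from this toy in scale, not in principle: they use symbolic or compressed state representations and support richer temporal logics than a single invariant.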
