Hierarchical and Modular Model Checking of Finite State Machines Ping Chen Duminda Wijesekera pchen,
[email protected] Information and Software Engineering Department George Mason University 4400 University Drive, Fairfax, VA 22030
Abstract Model checking has been proven a successful technique for hardware verification. To apply it in a real FSM model often we have to deal with a large checking space. In this paper we give a hierarchical representation structure, with it we can check system FSM model against required system properties efficiently. Also we give some properties of our model checking technique and discuss how to use approximation checking and reuse to reduce checking space further.
1. Introduction 1.1 Background When developing a software system, there are approximately three phases: • Requirement analysis • Design • Implementation Every phase is a refinement and practice of the former step, and methods and techniques are needed to make sure that the refinement and practice is consistent with the specification in the former step and all requirements in the former step are satisfied. Finite state machines (FSMs) are widely used in hardware and software system modeling. A model checking system explores a finite state space of a system FSM model to determine whether or not a property set at requirement analysis phase holds. Therefore, a model checker can serve as a tool to verify correctness and satisfaction relation between requirement and design. A Major problem of model checking is that state spaces arising from practical problems are often huge, which makes exhaustive exploration infeasible with current computation techniques[JM95]. When applying modeling checking to software systems, we actually have to handle infinite state machines. We may fall short of doing “exact” reasoning about the original system. Nevertheless, as the hardware community has discovered, model checking is very useful to find bugs in hardware designs rather than to prove its whole correctness, and we can model a software system in a finite way with FSM[JM95]. With the wide use of object-oriented techniques often we formulate a software system into different components. While modeling a system in FSM, we need show the interaction among components and components’ internal structure. The relation of interaction and causality exists at the level of action occurrences (events). Each time the action occurs, the reasons for it and the context in which it happens may be different, so they should be modeled as different events. When we look at a reactive system and attempt to describe it from causal viewpoint we have to be able to see individual events. If we observe the system in operation in this way we will
1
necessarily see a sequence of distinct events. It appears from this discussion that trace sets are equivalent to transparent reactive systems and we might throw away the systems and work with trace sets[JG91]. Often we use logic to express required properties, for example, CTL is used in SMV, and LTL is used in Spin. Techniques developed in this paper focus on the checking from requirement analysis to design and check if design satisfied the properties set as requirements. We specify properties with the traces of event sets, and also they can be specified using the temporal logic LTL. Besides temporal properties we can specify some other properties and check them through the analysis of event traces, such as: • system redundancy • necessary operations to achieve a system state For a software model checking system there exist two main issues: • Effectiveness: correctness of checking whether a model is consistent with required properties. • Efficiency: reduce the check space to make checking more efficient The number of states and traces in a FSM may be prohibitly huge. In this paper a new method to represent FSM model is proposed. With the new method we can analyze and process a large actual FSM. We also discuss some properties of our model checking technique and how to perform approximation checking and reuse components to reduce the state space further. This paper is organized in this way. In section 1.2 we analyze the relevant work. In section 2 we give the formalization of our model checking system framework and define some concepts. In section 3 we discuss the properties of our model checking system. In section 4 we address the problems of reuse, approximation and hierarchical modeling. In section 5 we give our model checking algorithms. Section 6 discusses some open issues and future work.
1.2 Related work Our work presented in this paper is related to the current work on model checking, protocol checking and architectural modeling and analysis. Research on model checking has been conducted based on an underlying logical representation. Many tools have been built to model checking FSM-based systems. Model checkers such as SMV, SPIN and FDR have been used by researchers and industrialists to find bugs in circuit designs, floating point standards, cache coherence protocols for multiprocessors. Recently model checking has also been applied to check software systems and protocols. Atlee and Gannon [JM92] use SMV to check safety properties for event-driven systems. Anderson et. al [RJ96] use SMV to study the specification of an aircraft collision avoidance system. Wing and Vaziri-Farahani [JM95] use SMV to check cache coherence in distributed file systems. In the security domain Roscoe [AR95] uses FDR to debug and prove noninterference of a simple security high-low hierarchy and Lowe [GL96] uses FDR to prove the correctness of Needham-Schroeder authentication protocols. In the electronic commerce domain Hientze et. al [NH96] uses FDR to analyze electronic commerce protocols and atomicity properties. Our work builds on the insights in the above work in model checking methods to develop a method for trace driven model checking of high level models of distributed component coordination where each component is specified declaratively by a FSM.
2
2. Formalization of model checking 2.1 Hierarchical RFSM (running FSM) model In a FSM model to check system temporal properties the transitions and states of FSM model contain much redundant information. What is necessary in the FSM model for our checking system is the triggering relation among transitions. Here we define a new representation method to capture a system’s running temporal properties (event traces). We call it running FSM system model (RFSM). RFSM is similar to event-based architecture used in Rapide, but Rapide focuses on the modeling, while RFSM focuses on the model checking. Definition 1: RFSM An RFSM is a finite state machine whose states are events and transitions are the “trigger” relations from one event to another. Formally, an RFSM consists of: (1) a finite set S of states, S≠Φ (2) an initial state set I⊆ S, (3) a set of transitions T, in which each transition relates a pair of states, (4) an exit state set E ⊆ S The following is an example of RFSM for Netbill protocol: Egrequest.customer
DebitFailure.Bank
RecEGOrder.Merchant
SendEGood.Merchant
PayEPO.Bank
RecEGood.Merchant
CashEB.Bank
DebitTransOK.Bank DebitM.customer
DebitF.customer RecK.customer Abort.customer Complete.customer
Figure 2 Netbill model Definition 2: Hierarchical RFSM Forest A hierarchical RFSM Forest R is a tuple (R1, …… , Rn) of structures, here each Ri has the following components: • a finite set Si of nodes,S≠Φ. • a finite set Bi of boxes (or supernodes). • an Initial node set Ii ∈ Si . • a subset Ei of Si, called exit-nodes. • an indexing function Yi : Bi-> {i+1,……, n} that maps each box of the ith structure to an index greater than i. • An edge relation Ti. Each edge in Ti is a pair (u, v) with source u and sink v: • source u either is a node of Ri, or is a pair (w1 , w2), where w1 is a box of Ri with Yi(w1) = j and w2 is an exit-node of Rj • sink v is a node or box of Ri.
3
The edges connect nodes and boxes with one another. Since the structure associated with a box can have multiple exit-nodes, an edge out of a box specifies the exit-node also. When Bi =Φ a hierarchical RFSM becomes a flat RFSM. With each hierarchical structure, we can associate an ordinary flat structure by recursively substituting each box by the structure indexed by the box. Since different boxes can be associated with the same structure, each node can appear in different contexts. Now we proceed to a formal definition of expansion of a hierarchical RFSM R= for each structure Ri, • The set Si of states of RF i is defined inductively(RF i means the ith flat RFSM): • every node of Ri belongs to Si • if u is a box of Ri with Yi(u) = j, and v is a state of RF i, then (u, v) belongs to Si. • The set Ti of transitions of RF i is defined inductively: • for (u, v) ∈ Ti, if the sink v is a node then (u, v) ∈ Ti, and if v is a box with Yi(v) = j then (u, (v, Ij )) ∈ Ti • if w is a box of Ri with Yi(w) = j, and (u, v) is a transition of RF j, then ((w, u), (w, v)) belongs to Ti. The structure is a flat RFSM, and is called the expanded structure of Ri, denoted RF i. We denote RF 1 also as RF, the expanded structure of R. The size of Ri, denoted |Ri|, is the sum of |Ni|, |Bi|, |Ti|, and Σb∈Bi |OYi(b)|. That is, for every box, we count the number of exit-nodes of the structure indexed by the box. The size of R is the sum of the sizes of Ri. The nesting depth of R, denoted nd(R), is the length of the longest chain i1, i2, ……, ij of indices such that a box of Ril is mapped to il +1. Observe that each state of the expanded structure is a vector with length at most the nesting depth, and size of the expanded structure RF can be exponential in the nesting depth, and is O(|R| nd(R)).
2.2 Definitions Definition 3: Reachable If there exists a path in a RFSM from node B to node A, A is reachable from B. Definition 4: k-partition If a piece of RFSM has k1 in-nodes and k2 exit-nodes, this piece is called a k-partition of the RFSM(k=k1+k2).
4
For example, a RFSM has the piece: 1
2
3
5
4
6
7
9
10
12
13
8 11
14
16
15
17
18
Figure 3 a piece of RFSM We can transform the part in dash box into 4-partition by omitting the middle boxes, and get a new RFSM: 1
2
14
15
17
18
13 16
Figure 4 partitioned RFSM In the dash box, we get a 4-node graph. These 4 nodes are “in” or “out” nodes in Figure1. Their connectivity is decided by the reachability relationship in Figure 1, and we can partition the RFSM in Figure2 further into a higher level RFSM for efficient analysis and processing (shown in Figure 3). Such a partition can be a reusable, approximation and hierarchical unit.
1
2
13
14
16
15
18
17
14
2 17
Figure 5 partitioned RFSM Also with a partition we can perform modular checking. We try to make a partition to be a component in the model as well so it is meaningful to analysts and benefit to the analysis of required properties.
5
Definition 6: Bridge point In a sequence of event sets A=, if #Ai(1≤ i ≤n)=1, Ai is a bridge point of A. A bridge point often is a good choice of start point for a partition.
3. Properties of our model checking system To check a FSM model first we have to have a criteria of correctness, and we define consistency(correctness) and inconsistency as follows: Definition7: Consistent , Inconsistent In a RFSM if no path violates the required event traces (properties), the model is consistent with requirement; otherwise, the model is inconsistent with it. Lemma 1: A FSM can reach its end states iff its RFSM is acyclic. Lemma 1 ‘s proof is very simple, and it is very important to check if a RFSM is acyclic or not. Lemma 2: In an RFSM its nodes’ ordering exists iff its RFSM is acyclic. Proof Suppose there are two nodes n1, n2 in an acyclic DAG G, and there exists a path p1: ……, n1, ……, n2, …… and there exists another path p2: ……, n2, ……, n1, …… then there exists a cycle: ……, n1, ……, n2, ……, n1, …… It is impossible for G is acyclic. So n1, n2 have a certain ordering in all paths of acyclic DAG. Lemma 3: In an acyclic RFSM if we can find a piece of path which includes A->B, we can guarantee that there doesn’t exist B->A in the whole RFSM. Proof Suppose there are two nodes A, B in an acyclic DAG G, and there exists a path p1: ……, A, ……, B, …… and there exists another path p2: ……, B, ……, A, …… then there exists a cycle: ……, A, ……, B, ……, A, …… It is impossible. So the ordering of A, B is maintained in all paths of acyclic DAG. Nevertheless, if we can find a piece of path with an ordering of events in an acyclic RFSM, our model checker can just terminate for Lemma 3 guarantee the counter example doesn’t exist. In section 4.1, 4.2 and 4.3 we discuss how to use the above properties and the techniques of hierarchical checking, reuse and approximation checking to reduce the checking overhead and deal with practical systems. In the example we adopt the incidence matrix as the data structure to represent our RFSM, but it is not the only choice. We can choose appropriate data structure for an actual problem to gain efficiency, for example, we can choose sparse matrix.
6
4. Hierarchical and modular model checking Hierarchical and modular checking can make a model checker deal with a FSM system with large state space. There are three methods of partitioning a RFSM to perform hierarchical checking. • Bottom-up: get the whole flat RFSM, analyze and process it hierarchically. • Top-down: some nodes in the given RFSM have internal structures, that is, they are RFSM’s themselves, now we can have a top-down analysis. Top-down analysis is really essential for a system with huge state space for often storing and processing the whole RFSM is impossible. • Hybrid: combine bottom-up checking top-down checking together.
4.1 Bottom-up hierarchical checking Bottom-up hierarchical checking can deal with a RFSM with a medium node space. There is an example of bottom-up hierarchical checking, suppose the original RFSM has 2n nodes, and we partition it as follows: Original RFSM
Divide into k subpartitions
divide m times ……
Figure 4 partition a large RFSM We can transform the original RFSM into small partitions. If we use the incidence matrix to represent these small RFSM’s, we analyze the performance as follows: Suppose the original model has 2n nodes and each time we divide the partition into two equal small partition, we will get 2n-1 +2n-2 +……+20 two-node partitions, and if we use the simplest method to compute its reachability matrix directly, to each partition we need perform 23 multiplication, so as a whole we need multiply two integers (2n-1 +2n-2 +……+20 ) * 23 times, and it is about 2n+3. So its time complexity is O(n), and with similar analysis we can get its space complexity is O(2n), too.
7
If there exist k-partitions in a RFSM, a k-partition can be replaced by a k-node RFSM and processed within the same level as other common nodes. Partitions can be processed separately before the whole structure is processed to get its internal connectivity structure for further processing. We use the netbill model as an example to show how to perform top-down hierarchical checking.
CashEB.Bank
DebitTransOK.Bank
DebitFailure.Bank
DebitM.customer Bankprocessing.bank
DebitF.customer
RecK.customer
Abort.customer
Complete.customer
Figure 7 Bankprocessing sub-RFSM
Egrequest.customer
Bankprocessing.bank
RecEGOrder.Merchant
PayEPO.Bank
Figure 8 •
SendEGood.Merchant
RecEGood.Merchant
Netbill RFSM
Analyze the trigger relation in Netbill FSM model, we get the following RFSM and its incidence matrix X, in this step we delete useless states and transitions and just extract the useful “triggering” relationship for event tracing. X=[0,1,0,0,0,0,0,0,0,0,0,0,0 0,0,1,0,0,0,0,0,0,0,0,0,0 0,0,0,1,0,0,0,0,0,0,0,0,0 0,0,0,0,1,0,0,0,0,0,0,0,0 0,0,0,0,0,1,0,0,0,0,0,0,0 0,0,0,0,0,0,1,1,0,0,0,0,0 0,0,0,0,0,0,0,0,1,0,0,0,0 0,0,0,0,0,0,0,0,0,0,1,0,0 0,0,0,0,0,0,0,0,0,1,0,0,0 0,0,0,0,0,0,0,0,0,0,0,0,0 0,0,0,0,0,0,0,0,0,0,0,1,0 0,0,0,0,0,0,0,0,0,0,0,0,1 0,0,0,0,0,0,0,0,0,0,0,0,0]
8
•
Although it is only a small example, we can still use k-partition technique to make the processing better (shown in Figure 6). And its incidence matrix is: X’’=[0,1,0,0,1,0,0,0 0,0,1,0,0,0,0,0 0,0,0,1,0,0,0,0 0,0,0,0,0,0,0,0 0,0,0,0,0,1,0,0 0,0,0,0,0,0,1,0 0,0,0,0,0,0,0,1 0,0,0,0,0,0,0,0] We can get its reachability matrix Y’’, and in the computation we can get many matrices that show the path with different length from one transition to another. Y’’=[0,1,1,1,1,1,1,1 0,0,1,1,0,0,0,0 0,0,0,1,0,0,0,0 0,0,0,0,0,0,0,0 0,0,0,0,0,1,1,1 0,0,0,0,0,0,1,1 0,0,0,0,0,0,0,1 0,0,0,0,0,0,0,0]
•
According to our definition of k-partition, the following part has two “in” edges, so we can transform it into a 1-partition: Bankprocessing is the name we set for it temporally, here bankprocessing can be a reusable, approximation and hierarchical unit for further processing. We get a new system RFSM in Figure 7, and its incidence matrix is: X’=[0,1,0,0,0,0, 0,0,1,0,0,0, 0,0,0,1,0,0, 0,0,0,0,1,0, 0,0,0,0,0,1, 0,0,0,0,0,0,] We can get its reachability matrix Y’, and in the computation we can get many matrices that show the path with different length from one transition to another. Y’=[0,1,1,1,1,1, 0,0,1,1,1,1, 0,0,0,1,1,1, 0,0,0,0,1,1, 0,0,0,0,0,1, 0,0,0,0,0,0,] The last step is to combine Y’ and Y’’ together to get the whole the reachability matrix Y. We use the following rule to expand Y’ to Y: Delete the last line, replace all “1” in the last column in Y’ by the first line in Y’’, append Y’’ to Y’ by line, put 0 to other positions.
9
We can get: Y=[0,1,1,1,1,1,1,1,1,1,1,1,1, 0,0,1,1,1,1,1,1,1,1,1,1,1, 0,0,0,1,1,1,1,1,1,1,1,1,1, 0,0,0,0,1,1,1,1,1,1,1,1,1, 0,0,0,0,0,1,1,1,1,1,1,1,1, 0,0,0,0,0,0,1,1,1,1,1,1,1 0,0,0,0,0,0,0,1,1,0,0,0,0 0,0,0,0,0,0,0,0,1,0,0,0,0 0,0,0,0,0,0,0,0,0,0,0,0,0 0,0,0,0,0,0,0,0,0,0,1,1,1 0,0,0,0,0,0,0,0,0,0,0,1,1 0,0,0,0,0,0,0,0,0,0,0,0,1 0,0,0,0,0,0,0,0,0,0,0,0,0] This is an acyclic RFSM, and we can check the properties set in section1. By simple checking the appropriate value in the matrix we can get that all properties are satisfied in the model, so the model is consistent with the design requirements. •
Performance analysis: • Directly computing reachability matrix: 14*14*14=2744 multiplication are needed. • Top-down hierarchical checking: 8*8*8+6*6*6=728 multiplication are needed.
4.2 Top-down hierarchical checking FDR’s(Failures-Divergence Refinement) method of checking whether a property holds is to test for the refinement of a transition system capturing the property by a candidate machine. FDR2 offers the ability to build up a system gradually, at each stage compress subsystems to produce an equivalent process with (hopefully) many less states. Spin is a tool for analyzing the logical consistency of concurrent systems, specifically of data communication protocols. An exhaustive verification performed by Spin can establish with mathematical certainty whether or not a given behavior is error-free. To perform top-down hierarchical checking we have to have some information or assumptions about the system model. We have to know or assume first that the system model can be divided into 1-partitions according to time or space or some other criteria. Lemma 4: If we can assume that a partition is an 1-partition and can be represented by a node, we can process it within the same level as other common nodes. This 1-Partition can be processed separately after the whole structure is processed. To show how to do the top-down hierarchical checking, we use the same netbill example. First we get the system RFSM, which is same with Figure 6. We assume Bankprocessing as a separate RFSM and we will refine it later. System RFSM’s incidence matrix X’ and reachability matrix Y’ is same with the bottom-up analysis, and we can get the refinement of Bankprocessing sub-RFSM as Figure 5. With the same processing we can get its incidence matrix X’’ and reachability matrix 10
Y’’. The step of combination is same with the bottom-up analysis, and they have the same performance, too.
4.3 Hybrid hierarchical checking Often in the practical checking problems we know both the whole detailed FSM model and the model structure, so now it is possible to combine the top-down hierarchical checking and bottomup hierarchical checking together to perform a hybrid hierarchical checking to improve the performance further. In this case we can analyze the structure first and try to reduce the number of component that need check by reusing some components, then we can analyze the FSM model to perform a bottom-up hierarchical checking. SMV is a hybrid checking system. It assigns transitions into modules. Often a module represents an actual component in a system, but a component is not necessarily a good choice for computation. It executes or simulates a step by non-deterministically choosing a process, then executing all of the assignment statements in that process in parallel. Its advantages are: • Modular hierarchical descriptions • Definition of reusable components In our method we combine the computation and semantics together to get a tradeoff.
4.4 reuse In the process of model analysis checking space can quickly become very complex when considering large-scale compositions and multiple instances of components. Besides the hierarchical techniques we introduces in section 3.2 another approach to address such complexity issues is based on exploiting sub-traces (partition) relationship and reuse results obtained for the sub-traces. Such an approach requires an analysis of all trace relationship to define trace hierarchy, propagating the failure results of checking at the leaf level to the super traces and reuse the simulation traces for the success results. This is the basic idea of reuse. By reuse we can reduce the checking space further. The technique of reuse can only be used in the top-down or hybrid model checking. Definition 8: Include Suppose there are two event sequences, A and B, A=, B=, If ∀bl∈B, ∃ai∈A and ai = bl, and ∀bl, bk∈B, ai = bl, aj = bk, (k-l)×(j-i)≥0, then we define A includes B, and B is called subtrace of A. Lemma 5: Suppose A includes B, if B is incorrect, then A is incorrect; if A is correct, then B is correct. In our checking system a partition is the unit for analysis and checking. A partition represents a group of traces starting from some events. To reuse a partition we need partition the model carefully, that means reuse will expose some constraints on the choice of partitions. A reusable partition should appear several times in the model. A model checker only needs analyze its internal connectivity structure once and then put the results in the place of its every appearance. A reused partition is better to be loose coupled with the other part of the system model. 11
Lemma 6: A partition is a reusable unit.
4.5 approximation checking Often we can’t simulate and check the whole system accurately in a user-satisfied manner (time and space), so we have to execute an approximate checking. The benefit of such approximate checking is that failures once detected can lead to immediate conclusions, but getting increased assurance on the correctness of the model would require increased cost of checking. We further reduce the checking space with the use of approximate checking. Approximate checking raises an interesting set of questions that pertain to its correctness. There are several ways to relax an accurate model checking under some assumptions to maintain correctness: • Reduce start points of checking: a part of RFSM is not computed and ignored. The correctness of success is contingent on the assumption that the starting events are not reachable via traces that conflict with any of the required traces. • If a user can set weight of desired property for each state/transition or partition, our system can analyze high propriety ones and ignore other ones. By this way we can get a quantified confidence for the checking results. • We can assume a partition’s representative nodes (nodes that have connection with the external part of a model) is fully connected and omit the analysis of its internal connectivity structure, hence we can get a worst-case analysis (worst case for cycle detection). Lemma 7: A partition is an approximation unit. After we perform the model checking with use of the above techniques, we can check the appropriate places in the original FSM model where model checker finds some problems, and refine the original FSM model.
5. Model checking algorithms In our analysis system we use matrix to represent the RFSM. In the incidence matrix of the FSM model, each node takes one line and one column, put 1 if there are direct relation from one node to another, otherwise put 0. After we get the incidence matrix, we can compute its reachability matrix, and it is easy to check if there is a cycle in the model. 5.1 Reachability algorithm Input: A hierarchical structure K and a target region T Output: The answer to the reachability problem (K, T) Function Reachable(K, T) begin transform K to subpartitions according to some criteria; compute the reachability matrices of each partition; combine them together to get the reachability matrix of original RFSM; end
12
5.2 Cycle Detection algorithm The basic problem encountered during verification of liveness requirements is to check whether a specified state can be reached repeatedly. Function CycleDetection (K, T) begin call Reachable(K, T); check (i, i) (i=1,……,n)of reachability matrix; if any one of them is 1, return CycleExisted = true; else return CycleExisted = false; end 5.3 Model Checking algorithm function ModelChecking (K, p) p=:specify ordering of events u, v begin find the component that u belongs to check if there exists an edge from u to v in RFSM if yes, return true; else if there exists an edge from v to u in RFSM, return false; else return unspecified; end
6. Future work In the former sections we present our approach of software system model checking technique. Nevertheless, there are still some open issues: • How to choose the best partitions?
References [AR95] A. W. Roscoe, “CSP and determinism in security modeling”, In Proceedings of 1995 IEEE Symposium on Security and Privacy, 1995. [BD92] L. Bernardinello, F. De Cindio, A survey of Basic Net Models and Modular Net Classes, LNCS vol. 609, Springer Verlag, 1992 [BR98] B. Yang, R. E. Bryant, D. R. O'Hallaron, A. Biere, O. Coudert, G. Janssen, R. K. Ranjan, and F. Somenzi, “A Performance Study of BDD-Based Model Checking” Formal Methods in Computer-Aided Design FMCAD '98, November, 1998. [DB96] Douglas B. West, “Introduction to Graph Theory”. Prentice Hall, 1996. [DJ95] David C. Luckham and James Vera, “An event-based architecture definition language”. IEEE Transaction on Software Engineering, April 1995. [EE86] E. M. Clarke, E. A. Emerson and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. In ACM Transactions on Programming Languages and Systems, 8(2):244--263, 1986. [GL96] G. Lowe, “Breaking and fixing the Needham-Schroeder public key protocol using FDR”, In Tools and Algorithms for the Construction and Analysis of Systems, Second International Workshop, TACAS 1996. [JE92] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and J. Hwang. Symbolic model checking: 10E20 states and beyond. In LICS, 1990. [JG91] Jeremy Gunawardena, Geometric Logic, Causality and Event Structures. Proceedings on Concurrency Theory (CONCUR '91) Amsterdam, NET, August 1991.LNCS 527. Springer, 1991. 13
[JM92] Joanne M. Atlee, John Gannon. “State-based model checking of event-driven system requirements”. In proceedings of the ACM SIGSOFT’91 Conference on Software for Critical Systems, p16-28, 1991. [JM95] Jeannette M. Wing, M Vaziri-Farahani. “Model Checking Software Systems:A case study”.In proceedings of the Third ACM SIGSOFT Symposium on the Foundations of Software Engineering, p128-139, October 1995. [KM93] K. L. MCMILLAN. “Symbolic Model Checking”. Kluwer Academic Publishers, 1993. [MC95] Marsha Chechik, John Gannon. “Automatic Analysis of Consistency between Implementations and Requirements”. In Proceedings of COMPASS'95, pp. 123-132, Gathersburg, MD, June 1995. [NH96] N. Hientze, J. D. Tygar, J. Wing and H. C. Wong, “Model checking electronic commerce protocols”, USENIX 1996. [RA96] Rajeev Alur, Ken McMillan. “Model checking of correctness conditions for concurrent objects”. LICS 1996: 219-228
[RA98] Rajeev Alur, Ken McMillan. “Deciding Global Partial-order Properties”. ICALP 1998: 41-52 [RA98]Rajeev Alur,Mihalis Yannakakis. “Model Checking of Hierarchical State Machines”. SIGSOFT’ 98. [RA98] Rajeev Alur, Thomas A. Henzinger, Sriram K. Rajamani. “Symbolic Exploration of Transition Hierarchies”. TACAS 1998: 330-344 [RE86] Randal E. Bryant. “Graph-based algorithms for boolean function manipulation”. IEEE Transaction on Computers C-35, 8(August 1986), 677-691. [RJ96]Richard J. Anderson, Paul Beame, Steve Burns,William Chan, Francesmary Modugno. “Model Checking Large Software Specifications”. SIGSOFT’96, proceedings of the 4th ACM SIGSOFT Symposium on the foundations of software engineering,p156-166, October, 1996. [RW89] Rob van Glabbeek, W.P. Weijland Branching time and abstraction in bisimulation semantics (extended abstract), Information Processing 89: Proceedings of the IFIP 11th World Computer Congress, San Fransisco, USA 1989 [PO98] Peyman Oreizy, Richard N. Taylor. “on the role of software architecture in runtime system reconfiguration”. ICCDS 4, 1998.
14
Appendix A Netbill Protocol Here is a simplified version of Netbill Protocol to show how to specify system temporal properties with event traces: 1. C→M Consumer (C) requests Merchant (M) for electronic goods 2. M→C M sends goods to C encrypted with key K 3. C→M C sends signed EPO (electronic payment order providing authorization to transfer funds and marks C’s commit point) 4. M→B M sends K and signed EPO to Bank (B) 5. B→M B sends M a receipt of fund transfer 6. M→C M sends K to C (C also can directly contact B to get key when timeout) 7. C→B C inquires B 8. B→C B sends K to C Its FSM is:
Idle
Egrequest ^RecEOrder RecvdEG
Idle
CashEB
Error RecEGood ^payEPO DebitFailure
Tansaction Server
Gordered
Failed
^DebitTransOK ^DebitF
^DebitM
FailProcess
NOK-Trans
Bankqueried ^RecK
^Abort ^Complete
End
OK-Trans
^DebitFailure
SendK ^DebitM
Success
QueryEPO ^SendK
KeyReceived
Customer FSM model Bank FSM model
R ecE G O rder^ S endE G ood receive O rder
Idle
S endE G ood ^R ecE G ood E G oodS ent
payE P O ^C ashE B TrytoC ash
D ebitFailure
O rderFailure
D ebitT ransO K ^S endK
Merchant FSM model S uccess
15
