Treffer: Exploiting Behavioral Hierarchy for Efficient Model Checking

Inspired by the success of model checking in hardware and protocol verification, model checking techniques for software have been the focus of a lot of research in the last few years [5,3,2,6]. Model checking can be applied only to relatively small models due to its inherently high computational requirements, and there are two complementary trends to address scalability. The model extraction approach, exemplified by projects such as Bandera [6] and SLAM [3], involves constructing inputs to model checkers by abstracting programs written in languages such as C and Java. The model-based design approach, exemplified by modeling notations such as Statecharts [7], promotes design using high-level models that are compiled into code. Our research agenda is to develop model checking techniques for model-based design of software. Modern software design languages promote hierarchy as one of the key constructs for structuring complex specifications. The input language to our model checker is based on hierarchic reactive modules [1]. This choice was motivated by the fact that, unlike STATECHARTS and other languages, in hierarchic reactive modules, the notion of hierarchy is semantic with an observational trace-based semantics and a notion of refinement with assume-guarantee rules. The first contribution of this paper is the Hermes toolkit that implements hierarchic reactive modules. Our implementation has a visual front-end and XML-based back-end, consistent with modern software design tools, and is in Java. There are two basic techniques for reachability analysis. Enumerative model checkers such as SPIN [8] perform an on-the-fly exploration of the state-space using a depth-first search, while symbolic model checkers such as SMV [9] perform a breadth-first search by manipulating sets of states, rather than individual states, encoded typically by ordered binary (or multi-valued) decision diagrams. Since the two approaches are incomparable, and have been shown to be successful, Hermes supports both enumerative and symbolic ...