The Versatile Synchronous Observer
A synchronous observer is an adjunct to a system model that monitors its state variables and raises a signal flag when some condition is satisfied. Synchronous observers provide an alternative to temporal logic as a means to specify safety properties but have the advantage that they are expressed in the same notation as the system model—and thereby lower the mental hurdle to effective use of model checking and other techniques for automated analysis of system models. Model checkers that do use temporal logic can nonetheless employ synchronous observers by checking for properties such as “never(flag raised).”
The use of synchronous observers to specify properties is well-known; rather less well-known is that they can be used to specify assumptions and axioms, to constrain models, and to specify test cases. The idea underlying these applications is that the basic model generates more behaviors than are desired, the synchronous observer recognizes those that are interesting, and the model checker is constrained to just the interesting cases. The efficiency in this approach is that it is usually much easier to write recognizers than generators.
The paper describes and illustrates several applications of synchronous observers.
KeywordsModel Checker Temporal Logic Safety Property Hybrid Automaton Liveness Property
Unable to display preview. Download preview PDF.
- 3.Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: International Conference on Software Engineering, pp. 411–420. IEEE Computer Society, Los Angeles (1999)Google Scholar
- 4.SAL home page, http://sal.csl.sri.com/
- 5.McMillan, K.L.: Circular compositional reasoning about liveness. In: Pierre, L., Kropf, T. (eds.) Advances in Hardware Design and Verification: IFIP WG10.5 International Conference on Correct Hardware Design and Verification Methods (CHARME 1999). LNCS, vol. 1703, pp. 342–346. Springer, Heidelberg (1999)CrossRefGoogle Scholar
- 6.Rushby, J.: Formal verification of McMillan’s compositional assume-guarantee rule. Technical report, Computer Science Laboratory, SRI International, Menlo Park, CA (2001)Google Scholar
- 10.Bass, E.J., Feigh, K.M., Gunter, E., Rushby, J.: Formal modeling and analysis for interactive hybrid systems. In: Fourth International Workshop on Formal Methods for Interactive Systems: FMIS 2011, Limerick, Ireland. Electronic Communications of the EASST, vol. 45 (2011)Google Scholar
- 12.de Moura, L., Rueß, H.: Lemmas on demand for satisfiability solvers. In: Proceedings of the Fifth International Symposium on the Theory and Applications of Satisfiability Testing (SAT 2002), Cincinnati, OH (2002)Google Scholar
- 15.Rushby, J.: A safety-case approach for certifying adaptive systems. In: AIAA Infotech@Aerospace Conference, Seattle, WA. American Institute of Aeronautics and Astronautics, AIAA paper 2009-1992 (2009)Google Scholar
- 18.Gargantini, A., Heitmeyer, C.: Using model checking to generate tests from requirements specifications. In: Nierstrasz, O., Lemoine, M. (eds.) ESEC/FSE 1999. LNCS, vol. 1687, pp. 146–162. Springer, Heidelberg (1999)Google Scholar
- 19.Hamon, G., de Moura, L., Rushby, J.: Generating efficient test sets with a model checker. In: 2nd International Conference on Software Engineering and Formal Methods (SEFM), Beijing, China, pp. 261–270. IEEE Computer Society (2004)Google Scholar
- 20.Hamon, G., de Moura, L., Rushby, J.: Automated test generation with SAL. Technical note, Computer Science Laboratory, SRI International, Menlo Park, CA (2005), http://www.csl.sri.com/users/rushby/abstracts/sal-atg
- 21.IEEE Standard 1850–2010: Property Specification Language, PSL (2010)Google Scholar
- 22.IEEE Standard 1800–2012: SystemVerilog—Unified Hardware Design, Specification, and Verification Language (2012)Google Scholar