Automated Software Engineering

, Volume 12, Issue 3, pp 297–320 | Cite as

Component Verification with Automatically Generated Assumptions

  • Dimitra Giannakopoulou
  • Corina S. Păsăreanu
  • Howard Barringer


Model checking is an automated technique that can be used to determine whether a system satisfies certain required properties. The typical approach to verifying properties of software components is to check them for all possible environments. In reality, however, a component is only required to satisfy properties in specific environments. Unless these environments are formally characterized and used during verification (assume-guarantee paradigm), the results returned by verification can be overly pessimistic. This work introduces an approach that brings a new dimension to model checking of software components. When checking a component against a property, our modified model checking algorithms return one of the following three results: the component satisfies a property for any environment; the component violates the property for any environment; or finally, our algorithms generate an assumption that characterizes exactly those environments in which the component satisfies its required property. Our approach has been implemented in the LTSA tool and has been applied to the analysis of two NASA applications.


assume-guarantee reasoning model checking component verification 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Aho, A.V., Hopcroft, J.E., and Ullman, J.D. 2000. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley.Google Scholar
  2. Alur, R., Henzinger, T., Mang, F., Qadeer, S., Rajamani, S., and Tasiran, S. 1998. Mocha: Modularity in model checking. In Proceedings of 10th International Conference on Computer Aided Verification (CAV), volume 1427 of Lecture Notes in Computer Science, Springer Verlag, pp. 521–525.Google Scholar
  3. Alur, R., Henzinger, T.A., and Kupferman, O. 1997. Alternating-time temporal logic. In de Roever et al., pp. 23–60.Google Scholar
  4. Aziz, A., Balarin, F., Brayton, R.K., Dibenedetto, M.D., Sladanha, A., and Sangiovanni-Vincentelli, A.L. 1995. Supervisory control of finite state machines. In P. Wolper, editor, 7th International Conference On Computer Aided Verification, vol. 939 of Lecture Notes in Computer Science. Liege, Belgium: Springer Verlag, pp. 279–292.Google Scholar
  5. Balemi, S., Hoffmann, G., Gyugyi, P., Wong-Toi, H., and Franklin, G. 1993. Supervisory control of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control, 38(7):1040–1059, 1993.Google Scholar
  6. Cheung, S. and Kramer, J. 1996. Context constraints for compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 5(4):334–377.CrossRefGoogle Scholar
  7. Cheung, S. and Kramer, J. 1999. Checking safety properties using compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 8(1):49–78.CrossRefGoogle Scholar
  8. Clarke, E.M., Grumberg, O., and Peled, D. 2000. Model Checking. MIT Press.Google Scholar
  9. Cobleigh, J.M., Giannakopoulou, D., and Păsăreanu, C.S. 2003. Learning assumptions for compositional verification. In Proceedings of the 9th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS).Google Scholar
  10. de Alfaro, L. and Henzinger, T. 2001. Interface automata. In Proc. of the Joint 8th European Software Engineering Conference and 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE), ACM Press.Google Scholar
  11. de Alfaro, L. and Henzinger, T. 2001. Interface theories for component-based design. In Proceedings of EMSOFT 01: Embedded Software, volume 2211 of Lecture Notes in Computer Science, Springer Verlag, pp. 148–165.Google Scholar
  12. de Roever, W.-P. 1997. The need for compositional proof systems: A survey. In de Roever et al., pp. 1–22.Google Scholar
  13. de Roever, W.P., de Boer, F., Hanneman, U., Hooman, J., Lakhnech, Y., Poel, M., and Zwiers, J. 2001. Concurrency Verification: Introduction to Compositional and Non-compositional Methods. Cambridge University Press.Google Scholar
  14. de Roever, W.-P., Langmaack, H., and Pnueli, A. (ed.) 1997. Compositionality: The Significant Difference - An International Symposium, COMPOS’97, volume 1536 of Lecture Notes in Computer Science. Springer-Verlag.Google Scholar
  15. di Benedetto, M. and Sangiovanni-Vincentelli, A. 2001. Model matching for finite-state machines. IEEE Transactions on Automatic Control, 46(11):1726–1743.CrossRefGoogle Scholar
  16. Flanagan, C., Freund, S., and Qadeer, S. 2002. Thread-modular verification for shared-memory programs. In Proceedings of the European Symposium on Programming.Google Scholar
  17. Giannakopoulou, D., Kramer, J., and Cheung, S. 1999. Analysing the behaviour of distributed systems using Tracta. Journal of Automated Software Engineering, special issue on Automated Analysis of Software, 6(1):7–35.Google Scholar
  18. Giannakopoulou, D., Păsăreanu, C.S., and Barringer, H. 2002. Assumption generation for software component verification. In Proceedings of the 17th IEEE International Conference on Automated Software Engineering.Google Scholar
  19. Graf, S., Steffen, B., and Lüttgen, G. 1996. Compositional minimisation of finite state systems using interface specifications. Formal Aspects of Computation, 8.Google Scholar
  20. Haghverdi, E. and Ural, H. 1999. Submodule construction from concurrent system specifications. Information and Software Technology, 41:499–506.CrossRefGoogle Scholar
  21. Havelund, K. and Rosu, G. 2001. Monitoring Java programs with Java pathexplorer. In First Workshop on Runtime Verification (RV’01), volume 55(2) of Electronic Notes in Theoretical Computer Science, Paris, France.Google Scholar
  22. Havelund, K., Lowry, M., and Penix, J. 2001. Formal analysis of a space craft controller using SPIN. In IEEE Transactions on Software Engineering, Vol. 27, Num. 8.Google Scholar
  23. Holzmann, G. 1991. The Design and Validation of Computer Protocols. Prentice Hall.Google Scholar
  24. Inverardi, P., Wolf, A., and Yankelevich, D. 2000. Static checking of system behaviors using derived component assumptions. ACM Transactions on Software Engineering Methods, 9(3):239–272.CrossRefGoogle Scholar
  25. Jones, C. 1983. Tentative steps towards a development method for interfering programs. ACM Transactions on Programming Languages and Systems, 5(4):596–619.CrossRefGoogle Scholar
  26. Khatri, S., Narayan, A., Krishnan, S., McMillan, K., Brayton, R., and Sangiovanni-Vincentelli, A. 1996. Engineering change in a non-deterministic FSM setting. In Proceedings of 33rd IEEE/ACM Design Automation Conference.Google Scholar
  27. Krimm, J.-P. and Mounier, L. 1997. Compositional state space generation from LOTOS programs. In E. Brinksma, editor, 3rd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’97), volume 1217 of Lecture Notes in Computer Science. Enschede, The Netherlands: Springer.Google Scholar
  28. Larsen, K. and Thomsen, B. 1988. A modal process logic. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS’88.Google Scholar
  29. Larsen, K. and Xinxin, L. 1990. Equation solving using modal transition systems. In Proceedings of the IEEE/ACM Conference on Logic in Computer Science, LICS’90.Google Scholar
  30. Magee, J., Dulay, N., and Kramer, J. 1994. Regis: A constructive development environment for parallel and distributed programs. Distributed Systems Engineering Journal, Special Issue on Configurable Distributed Systems, 1(5):304–312.Google Scholar
  31. Magee, J., and Kramer, J. 1999. Concurrency: State Models & Java Programs. John Wiley & Sons.Google Scholar
  32. Magee, J., Kramer, J., and Giannakopoulou, D. 1999. Behaviour analysis of software architectures. In 1st Working IFIP Conference on Software Architecture (WICSA1): San Antonio, TX, USA.Google Scholar
  33. Magee, J., Pryce, N., Giannakopoulou, D., and Kramer, J. 2000. Graphical animation of behavior models. In Proceedings of the 22nd International Conference of Software Engineering (ICSE).Google Scholar
  34. Merlin, P., and Bochmann, G.V. 1983. On the construction of submodule specification and communication protocols. ACM Transactions on Programming Languages and Systems, 5:1–25.CrossRefGoogle Scholar
  35. Milner, R. 1989. Communication and Concurrency. Prentice-Hall.Google Scholar
  36. Parrow, J. 1989. Submodule construction as equation solving CCS. Theoretical Computer Science, 68:175–202.CrossRefGoogle Scholar
  37. Păsăreanu, C.S., Dwyer, M.B., and Huth, M. 1999. Assume-guarantee model checking of software: A comparative case study. In D. Dams, R. Gerth, S. Leue, and M. Massink, editors, Theoretical and Practical Aspects of SPIN Model Checking, volume 1680 of Lecture Notes in Computer Science. Springer-Verlag, pp. 168–183.Google Scholar
  38. Pnueli, A., 1984. In transition from global to modular temporal reasoning about programs. In K. Apt, editor, Logic and Models of Concurrent Systems, volume 13, New York: Springer-Verlag.Google Scholar
  39. Pell, B., Gat, E., Keesing, R., Muscettola, N., and Smith, B. 1997. Plan execution for autonomous spacecrafts. In Proc. of the Int. Joint Conf. on Artificial Intelligence.Google Scholar
  40. Shields, M. 1989. A note on the simple interface equation. The Computer Journal, 32(5):399–412.CrossRefGoogle Scholar
  41. Sidhu, D.P. and Aristizabal, J. 1988. Constructing submodule specifications and network protocols. IEEE Transactions on Software Engineering, 14(11):1565–1577.CrossRefGoogle Scholar
  42. Stølen, K. 1991. A method for the development of totally correct shared-state parallel programs. In J. Baeten and J. Groote, editors, Proceedings of Concur’91, volume 527 of Lecture Notes in Computer Science. Springer Verlag.Google Scholar
  43. Tronci, E. 1998. Automatic synthesis of controllers from formal specifications. In Proc. of 2nd IEEE Int. Conf. on Formal Engineering Methods. Brisbane, Australia.Google Scholar
  44. Xu, Q., de Roever, W.-P., and He, J. 1997. The rely-guarantee method for verifying shared variable concurrent programs. Formal Aspects of Computing, 9(2):149–174.CrossRefGoogle Scholar

Copyright information

© Springer Science + Business Media, Inc. 2005

Authors and Affiliations

  • Dimitra Giannakopoulou
    • 1
  • Corina S. Păsăreanu
    • 2
  • Howard Barringer
    • 3
  1. 1.RIACS/USRANASA Ames Research CenterUSA
  2. 2.Kestrel Technology LLCNASA Ames Research CenterUSA
  3. 3.School of Computer ScienceUniversity of ManchesterManchesterUK

Personalised recommendations