Environment-driven reachability for timed systems

Safety verification of an aircraft landing gear system
  • Ciprian Teodorov
  • Philippe Dhaussy
  • Luka Le  Roux
ABZ 2014


With an ever increasing complexity, the verification of critical embedded systems is a challenging and expensive task. Among the available formal methods, model checking offers a high level of automation and would thus lower the cost of this process. But, the scalability of this technique is hindered by the state-space explosion problem, which fuelled the research community since its inception. To address this challenge, in the case of real size systems, the theoretical, the methodological and the algorithmic axes have to be integrated. The context-aware verification (CaV) strives to do this by focusing on the identification, the isolation and the reification of the environment surrounding the studied system. It enables the use of specific algorithms with a major, positive, impact on the scalability of model checking. In this paper, we apply this technique to study a Landing Gear System (LGS) in the presence of failures. The problem has been decomposed in 885 independent verification units (called contexts). The analysis of 163 of these contexts on a 64 GB computer unraveled a 20 TB state space with more than 2.2 billion states. Moreover, using this approach arbitrarily long scenarios have been analysed using less than 10 GB of memory.


Formal verification Context-aware verification Reachability analysis 



The authors wish to thank Dr. Frederic Boniol for his valuable and constructive suggestions related to this paper.


  1. 1.
    Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126, 183–235 (1994)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    André, C.: Syntax and Semantics of the Clock Constraint Specification Language (CCSL). Research Report RR-6925, INRIA, (2009)Google Scholar
  3. 3.
    Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R.H., Konwinski, A., Lee, G., Patterson, D.A., Rabkin, A., Stoica, I., Zaharia, M.: Above the clouds: a berkeley view of cloud computing. Technical Report UCB/EECS-2009-28, EECS Department, University of California, Berkeley (2009)Google Scholar
  4. 4.
    Bengtsson, J., Larsen, K.G., Larsson, F., Pettersson, P., Yi, W.: Uppaal—a tool suite for automatic verification of real–time systems. In: Proceedings of Workshop on Verification and Control of Hybrid Systems III, number 1066 in Lecture Notes in Computer Science, pp. 232–243. Springer–Verlag (1995)Google Scholar
  5. 5.
    Berthomieu, B., Ribet, P.-O., Verdanat, F.: The tool TINA—construction of abstract state spaces for petri nets and time petri nets. Int. J. Prod. Res. 42, 2741–2756 (2004)CrossRefMATHGoogle Scholar
  6. 6.
    Boniol, F., Dhaussy, P., Le Roux, L., Roger, J.-C.: Model-Based Analysis. In: Embedded Systems, pp. 157–183. Wiley, New Jersey (2013). doi: 10.1002/9781118569535.ch8
  7. 7.
    Boniol, F., Wiels, V.: The landing gear system case study. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study, volume 433 of Communications in Computer and Information Science, pp. 1–18. Springer International Publishing (2014)Google Scholar
  8. 8.
    Boniol, F., Wiels, V., Ledinot, E.: Experiences using model checking to verify real time properties of a landing gear control system. France, In: Embedded Real-Time Systems (ERTS), Toulouse (2006)Google Scholar
  9. 9.
    Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: \(10^{20}\) states and beyond. In: 5th IEEE Symposium on Logic in Computer Science, pp. 428–439 (1990)Google Scholar
  10. 10.
    Clarke, E., Biere, A., Raimi, R., Zhu, Y.: Bounded model checking using satisfiability solving. Form. Methods Syst. Des. 19(1), 7–34 (2001)CrossRefMATHGoogle Scholar
  11. 11.
    Clarke, E.M., Emerson, E.A., Sistla, A.P.: Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst. 8(2), 244–263 (1986)CrossRefMATHGoogle Scholar
  12. 12.
    Clarke, E.M., Enders, R., Filkorn, T., Jha, S.: Exploiting symmetry in temporal logic model checking. Form. Methods Syst. Des. 9(1–2), 77–104 (1996)CrossRefGoogle Scholar
  13. 13.
    Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to Algorithms, 3rd edn. The MIT Press (2009)Google Scholar
  14. 14.
    Deantoni, J., Issa Diallo, P., Teodorov, C., Champeau, J., Combemale, B.: Towards a Meta-Language for the Concurrency Concern in DSLs. In: Design, Automation and Test in Europe Conference and Exhibition (DATE), Grenoble, France (2015)Google Scholar
  15. 15.
    Dhaussy, P., Boniol, F., Roger, J.-C.: Reducing state explosion with context modeling for model-checking. In: 13th IEEE International High Assurance Systems Engineering Symposium (Hase’11), Boca Raton, USA (2011)Google Scholar
  16. 16.
    Dhaussy, P., Boniol, F., Roger, J.-C., Le Roux, L.: Improving model checking with context modelling. Advances in Software Engineering, ID 547157:13 pages (2012)Google Scholar
  17. 17.
    Dhaussy, P., Pillain, P.-Y., Creff, S., Raji, A., Le Traon, Y., Baudry, B.: Evaluating context descriptions and property definition patterns for software formal validation. In: Schuerr, Bran Selic Andy (ed.) 12th IEEE/ACM conf Model Driven Engineering Languages and Systems (Models’09), vol. 5795, pp. 438–452. Springer-Verlag, LNCS (2009)Google Scholar
  18. 18.
    Dhaussy, P., Roger, J.-C., Boniol, F.: Context aware model-checking for embedded software. In: Embedded Systems—Theory and Design Methodology, pages ISBN: 978–953–51–0167–3 pages 167–184. InTech (2012)Google Scholar
  19. 19.
    Dhaussy, P., Ciprian, T.: Context-aware verification of a landing gear system. In: Boniol, F., Wiels, V., Ait Ameur, Y., Schewe, K.-D. (eds.) ABZ 2014: The Landing Gear Case Study volume 433 of Communications in Computer and Information Science, pp. 52–65. Springer International Publishing (2014)Google Scholar
  20. 20.
    Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Property specification patterns for finite-state verification. In: FMSP, pages 7–15 (1998)Google Scholar
  21. 21.
    Edelkamp, S., Sanders, P., Šimeček, P.: Semi-external ltl model checking. In: Gupta, A., Malik, S. (eds.) Computer Aided Verification, volume 5123 of Lecture Notes in Computer Science, pp. 530–542. Springer, Berlin Heidelberg (2008)Google Scholar
  22. 22.
    Farail, P., Gaufillet, P., Peres, F., Bodeveix, J.-P., Filali, M., Berthomieu, B., Rodrigo, S., Vernadat, F., Garavel, H., Lang, F.: Fiacre: an intermediate language for model verification in the TOPCASED environment. In: European Congress on Embedded Real-Time Software (ERTS), Toulouse. SEE (2008)Google Scholar
  23. 23.
    Flanagan, C., Qadeer, S.: Thread-modular model checking. In: SPIN’03 (2003)Google Scholar
  24. 24.
    Godefroid, P.: The Ulg partial-order package for SPIN. SPIN Workshop (1995)Google Scholar
  25. 25.
    Holzmann, G.J.: State compression in SPIN: Recursive indexing and compression training runs. In: Proceedings of 3rd International SPIN Workshop (1997)Google Scholar
  26. 26.
    Holzmann, G.J.: The model checker SPIN. Softw. Eng. 23(5), 279–295 (1997)CrossRefGoogle Scholar
  27. 27.
    INCOSE: INCOSE Systems Engineering Handbook: A Guide for System Life Cycle Processes and Activities. Wiley (2015)Google Scholar
  28. 28.
    Jouault, F., Delatour, J.: Towards fixing sketchy UML models by leveraging textual notations: Application to real-time embedded systems. In: Proceedings of the 14th International Workshop on OCL and Textual Modelling co-located with 17th International Conference on Model Driven Engineering Languages and Systems (MODELS 2014), Valencia, Spain, September 30, 2014., pages 73–82 (2014)Google Scholar
  29. 29.
    Jouault, F., Teodorov, C., Delatour, J., Le Roux, L., Dhaussy, P.: Transformation de modèles UML vers Fiacre, via les langages intermédiaires tUML et ABCD. Génie logiciel, 109:xx (2014)Google Scholar
  30. 30.
    Menad, N., Dhaussy, P.: A transformation approach for multiform time requirements. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) Software Engineering and Formal Methods, volume 8137 of Lecture Notes in Computer Science, pp. 16–30. Springer Berlin Heidelberg (2013)Google Scholar
  31. 31.
    Park, S., Kwon, G.: Avoidance of state explosion using dependency analysis in model checking control flow model. In: Proceedings of the 5th International Conference on Computational Science and Its Applications (ICCSA ’06), vol. 3984, pp. 905–911. Springer-Verlag, LNCS (2006)Google Scholar
  32. 32.
    Peled, D.: Combining Partial-Order Reductions with On-the-fly Model-Checking. In: CAV ’94: Proceedings of the 6th International Conference on Computer Aided Verification, pages 377–390, London, UK, Springer-Verlag (1994)Google Scholar
  33. 33.
    Queille, J.-P., Sifakis, J.: Specification and verification of concurrent systems in cesar. In: Proceedings of the 5th Colloquium on International Symposium on Programming, pages 337–351, London, UK, Springer-Verlag (1982)Google Scholar
  34. 34.
    Stern, U., Dill, D.L.: Using magnetic disk instead of main memory in the Mur\(\varphi \) verifier. In: Hu, A.J., Vardi, M.Y. (eds.) Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pp. 172–183. Springer, Berlin Heidelberg (1998)Google Scholar
  35. 35.
    Teodorov, C.: Embedding multiform time constraints in smalltalk. In: Proceedings of the International Workshop on Smalltalk Technologies, IWST ’14 (2014)Google Scholar
  36. 36.
    Teodorov, C., Le Roux, L., Dhaussy, P.: Context-aware verification of a cruise-control system. In: Ait Ameur, Y., Bellatreche, L., Papadopoulos, G.A. (eds.) Model and Data Engineering, volume 8748 of Lecture Notes in Computer Science, pp. 53–64. Springer International Publishing (2014)Google Scholar
  37. 37.
    Tkachuk, O., Dwyer, M.B., Pasareanu, C.S.: Automated environment generation for software model checking. In: Automated Software Engineering, 2003. In: Proceedings of 18th IEEE International Conference on, pages 116–127 (2003)Google Scholar
  38. 38.
    Valmari, A.: Stubborn sets for reduced state space generation. In: Proceedings of the 10th International Conference on Applications and Theory of Petri Nets, pages 491–515, London, UK, Springer-Verlag (1991)Google Scholar
  39. 39.
    Valmari, A.: The state explosion problem. In: Reisig, W., Rozenberg, G. (eds.) Lectures on Petri Nets I: Basic Models, volume 1491 of Lecture Notes in Computer Science, pp. 429–528. Springer, Berlin Heidelberg (1998)Google Scholar
  40. 40.
    Whittle, J.: Specifying precise use cases with use case charts. In: 9th IEEE/ACM conf. Model Driven Engineering Languages and Systems (MoDELS’06), Satellite Events, pages 290–301, Genova, Italy (2006)Google Scholar
  41. 41.
    Yatake, K., Aoki, T.: Automatic generation of model checking scripts based on environment modeling. In: Proceedings of the 17th International SPIN Conference on Model Checking Software, SPIN’10, pages 58–75, Berlin, Heidelberg, Springer-Verlag (2010)Google Scholar
  42. 42.
    Yu, Y., Manolios, P., Lamport, L.: Model checking tla+ specifications. In: Proceedings of the 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, CHARME ’99, pages 54–66, London, UK, UK, Springer-Verlag (1999)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Ciprian Teodorov
    • 1
  • Philippe Dhaussy
    • 1
  • Luka Le  Roux
    • 1
  1. 1.UEB, Lab-STICC Laboratory UMR CNRS 6285ENSTA BretagneBrestFrance

Personalised recommendations