Towards Effective Model Checking

Authors

  • Theo C. Ruys
  • Theodorus Cornelis Ruijs
Abstract

Excerpt from Chapter 2 – Effective Modelling (p. 40):

Abstractions

As mentioned above, the state space of a model M together with the property φ to be checked is generally too big to be checked exhaustively. In order to reduce the state space of the model M, abstractions have to be made. The verification approach requires over-approximations of the original model Mv: if the abstract model Mabs is proven to be correct with respect to the (safety) property φ, this should imply that the original model Mv is correct with respect to φ as well. Over-approximations are usually obtained by replacing explicit choices in Mv by non-determinism in Mabs. For the debugging approach, under-approximations of the model Md are sufficient: if an error is found in the abstract model Mabs, it is certain that the error also appears in the original model Md. Under-approximations are usually obtained by removing behaviour (e.g. statements) from the original model Md.

Partial Search

For state spaces that are too big to be checked exhaustively, model checking tools often support options to partially search the state space. SPIN, for example, provides the so-called ‘bitstate’ hashing or supertrace technique [89], which can perform verifications with a relatively high coverage within a memory area that may be orders of magnitude smaller than required for exhaustive verifications. In general, the user of a model checker should try to exhaustively analyse the state space of the model M and the property φ. This especially holds for the verification approach. However, there may be cases where reduction of the state space by abstraction is too costly (i.e. time consuming) and where a partial search becomes a serious option. For the debugging approach the partial search mode nearly seems to be a natural choice. Because a partial search of the state space is in general much faster than its exhaustive counterpart, this mode is convenient when results are needed as fast as possible.
Management of Results

The verification approach requires the complete verification trajectory to be carefully controlled and managed: all verification results should be reproducible. This involves the management of all versions of the models, the properties, the verification runs, the verification results, etc. Without tool support, the quality of the verification process depends on the accuracy of the persons who conducted the verification. Chapter 3 will discuss the management problems of the verification approach in greater depth. The debugging approach is only interested in the errors found in the model and the corresponding error traces. This information should be automatically saved. Other aspects of the validation trajectory, however, are of less importance to the debugging approach.

Switching Between the Two Approaches

When the verification approach is being used and several errors are being exposed during the model checking process, it is of course possible to switch to the debugging approach to find as many bugs as possible. The other way around is more problematic. If the debugging approach does not reveal any errors, in general, the model Md has to be changed considerably to be used as a model Mv for the verification approach. The model Mv has a fixed level of abstraction and is optimised to be readable and accessible; all characteristics which
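The over-approximation argument and the bitstate search described above, as an added example that is not from Ruys' thesis: a constructed two-process turn-based mutual-exclusion model Mv, its over-approximation Mabs obtained by replacing the turn guard with non-determinism, the mutex property φ as a predicate, an exhaustive search, and a bitstate search using an assumed toy hash chosen so collisions are easy to trace by hand (SPIN uses strong hash functions). The spurious mutex violation in Mabs shows why an error in an over-approximation does not transfer back to Mv, and the 4-bit run shows how bitstate hashing loses coverage.

```python
# Added example (not Ruys' code): explicit-state reachability over a tiny
# two-process mutual-exclusion model, showing the Mv -> Mabs over-approximation
# and a SPIN-style bitstate ("supertrace") partial search with a toy hash.
from collections import deque

INIT = (0, 0, 0)   # state = (pc0, pc1, turn); pc 0 = non-critical, 1 = critical

def make_step(guarded):
    """Successor function. guarded=True is the concrete model Mv (a process
    enters only when it holds the turn); guarded=False is the over-approximation
    Mabs, where that explicit choice is replaced by non-determinism."""
    def step(s):
        pc, turn = list(s[:2]), s[2]
        for i in (0, 1):
            if pc[i] == 0 and (turn == i or not guarded):
                yield (1 if i == 0 else pc[0], 1 if i == 1 else pc[1], turn)
            elif pc[i] == 1:                      # leave CS, hand over the turn
                yield (0 if i == 0 else pc[0], 0 if i == 1 else pc[1], 1 - i)
    return step

def mutex(s):
    """Safety property phi: both processes are never in the critical section."""
    return not (s[0] == 1 and s[1] == 1)

def exhaustive(step, init=INIT):
    """Exact breadth-first search: every visited state is stored."""
    seen, todo = {init}, deque([init])
    while todo:
        for t in step(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def bitstate(step, nbits, init=INIT):
    """Bitstate hashing: a state counts as visited once its hash bit is set.
    Collisions silently drop states, so coverage may be partial, but every
    state returned was reached via real transitions (no spurious states)."""
    key = lambda s: (4 * s[0] + 2 * s[1] + s[2]) % nbits  # toy hash (assumed), injective for nbits >= 8
    bits, visited, todo = 0, [], deque([init])
    while todo:
        s = todo.popleft()
        if bits >> key(s) & 1:          # bit already set: assumed seen, possibly wrongly
            continue
        bits |= 1 << key(s)
        visited.append(s)
        todo.extend(step(s))
    return visited
```

Mv has 4 reachable states and satisfies mutex; Mabs reaches all 8 states including (1, 1, turn), a violation that says nothing about Mv; with only 4 hash bits the bitstate search of Mv stops after the initial state because (1, 0, 0) collides with it.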

Similar resources

Towards Approximate Model Checking DC and PDC Specifications

DC has proved to be a promising tool for the specification and verification of functional requirements on the design of hard realtime systems. Many works were devoted to develop effective techniques for checking the models of hard real-time systems against DC specifications. DC model checking theory is still evolving and yet there is no available tools supporting practical verifications due to ...

Towards Symbolic Causality Checking using SAT-Solving

With the increasing size and complexity of modern safety critical embedded systems, the need for automated analysis methods is growing as well. Causality Checking is an automated technique for formal causality analysis of system models. In this paper we report on work in progress towards a Symbolic Causality Checking approach. The proposed approach is based on bounded model checking using SAT ...

NuSMV Version 2: BDD-based + SAT-based Symbolic Model Checking

NUSMV is a symbolic model checker originated from the reengineering, reimplementation and extension of SMV [11], version 2.4.4 (SMV from now on). NUSMV has been designed to be applicable in technology transfer projects: it is a well structured, open, flexible and documented platform for model checking, and is robust and close to industrial systems standards. This paper describes the new version...

A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving

In this paper, we briefly review two formal approaches to the verification of security protocols: model checking and theorem proving. Model checking is based on studying the behavior of protocols by generating all different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...

A Hybrid Meta-heuristic Approach to Cope with State Space Explosion in Model Checking Technique for Deadlock Freeness

Model checking is an automatic technique for software verification through which all reachable states are generated from an initial state to find errors and desirable patterns. In the model checking approach, the behavior and structure of the system should be modeled. A graph transformation system is a graphical formal modeling language to specify and model the system. However, modeling of large s...

Towards validated real-time software

We present a tool for the design and validation of embedded real-time applications. The tool integrates two approaches, the use of the synchronous programming language ESTEREL for design and the application of model-checking techniques for validation of real-time properties. Validation is carried out on a global formal model (timed automata) taking into account the effective implementation of t...

Publication date: 2001