Compositional Model Checking of Ada Tasking

Model checking 7] has proven to be an eeec-tive analysis tool for domains such as hardware circuits and communication protocols. However, it has not yet been widely applied to more general concurrent systems, such as those realized by Ada multi-tasking programs. A major impediment to the use of model checking in such systems is the exponential growth of the state space, which results from the parallel composition of component tasks. Various compo-sitional approaches have been proposed to address this problem, in which the parts of a system are analyzed separately, and then the results are combined into inferences about the whole. One of the more promising of these techniques is called compositional minimization 6], which eliminates each component's \un-interesting" states as the model checking proceeds; this in turn can lead to a signiicant reduction in the composite state-space. In this paper we evaluate the application of this approach to Ada multi-tasking programs, particularly highlighting the design choices made to accommodate Ada's semantics. We also discuss the types of systems (and properties) for which this method produces signiicant time/space savings, as well as those for which the savings are less pronounced .