Model-Driven Software Verification

In the classic approach to logic model checking, software verification requires a manually constructed artifact (the model) to be written in the language that is accepted by the model checker. The construction of such a model typically requires good knowledge of both the application being verified and of the capabilities of the model checker that is used for the verification. Inadequate knowledge of the model checker can limit the scope of verification that can be performed; inadequate knowledge of the application can undermine the validity of the verification experiment itself. In this paper we explore a different approach to software verification. With this approach, a software application can be included, without substantial change, into a verification test-hamess and then verified directly, while preserving the ability to appZy data abstraction techniques. Only the test-hamess is written in the language of the model checker. The test-hamess is used to drive the application through all its relevant states, while logical properties on its execution are checked by the model checker. To allow the model checker to track state, and avoid duplicate work, the test-hamess includes definitions of all data objects in the application that contain state information. The main objective of this paper is to introduce a powerful extension of the SPIN model checker that allows the user to directly define data abstractions in the logic verification of application level programs.