A Formal Object-Oriented Analysis for Software Reliability: Design for Verification

Natasha Sharygina, Robotics Research Group, The Univ. of Texas at Austin, Austin, TX, 78712, natali@mail.utexas.edu
James C. Browne, Computer Science Department, The Univ. of Texas at Austin, Austin, TX, 78712, browne@cs.utexas.edu
Robert P. Kurshan, Bell Laboratories, 600 Mountain Ave., Murray Hill, NJ, 07974, k@research.bell-labs.com

Abstract. This paper and a companion paper [32] together define, present and apply a methodology for integration of formal verification by automata-based model-checking into a commercially supported object-oriented software development process. This paper defines and illustrates a set of design rules for OOA models with executable semantics, which lead to automata models with tractable state spaces. The design rules yield OOA models with functionally structured designs similar to those of hardware systems, which have enabled successful application of model-checking to verification of hardware systems. The design rules are incorporated into an extended object-oriented development process for software systems. The methodology, including the design rules, was applied to NASA robot control software. The complex robot control system was decomposed into several functional subsystems. Evaluation by model checking of one control-intensive subsystem was performed. Results, including identification of significant errors in the original robotic control system, are demonstrated.

1. Introduction

Problem Statement. Software systems used for control of modern devices are typically both complex and concurrent. Object-oriented development methods are commonly employed to reduce the complexity of these software systems. Object-oriented development systems still largely depend on conventional testing to validate correctness of system behaviors.
But validation of system behaviors by conventional testing is simply not adequate to attain the needed reliability, since complete testing of systems of any degree of complexity is impossible. Formal verification of system behavior through model checking [2], on the other hand, formally verifies that a given system satisfies a desired behavioral property through exhaustive search of ALL states reachable by the system. Model checking has been widely and successfully applied to verification of the properties of hardware systems. It is natural to consider application of model checking to formal verification of software systems. Application of model checking to software systems has, however, been much less successful. (Section 5 on Related Work gives an overview of some of the past and current research on the application of model checking to software systems.) To apply model checking to software systems, the software systems must be translated from programming or specification languages to representations to which model checking can be applied. The resulting representation for model checking must have a tractable state space if model checking is to be successful. Translation of software systems designed by conventional development processes, and even by object-oriented development processes, to representations to which model checking can be applied has generally resulted in very large interconnected state spaces. A principal result reported in this paper is a set of design rules (Section 3) for development of object-oriented software systems which, when translated to representations to which model checking can be applied, yield manageable state spaces. These design rules are the critical initial step in the methodology for integration of formal verification by model checking into object-oriented development processes defined in a companion paper [32].

Approach. The validity and usefulness of design rules and the effectiveness of the integration of formal verification into object-oriented software development can be evaluated only in the context of their application. This paper reports a case study in re-engineering the control subsystem for a robotics software system to attain high reliability. This case study motivates and demonstrates the design rules for