Francesmary Modugno

Model checking large software specifications

In this paper we present our results and experiences of using symbolic model checking to study the specification of an aircraft collision avoidance system. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in the question of whether or not model checking techniques can be applied to large software specifications.To investigate this, we translated a portion of the finite-state requirements specification of TCAS II (Traffic Alert and Collision Avoidance System) into a form accepted by a model checker (SMV). We successfully used the model checker to investigate a number of dynamic properties of the system.We report on our experiences, describing our approach to translating the specification to the SMV language and our methods for achieving acceptable performance in model checking, and giving a summary of the properties that we were able to check. We consider the paper as a data point that provides reason for optimism about the potential for successful application of model checking to software systems. In addition, our experiences provide a basis for characterizing features that would be especially suitable for model checkers built specifically for analyzing software systems.The intent of this paper is to evaluate symbolic model checking of state-machine based specifications, not to evaluate the TCAS II specification. We used a preliminary version of the specification, the version 6.00, dated March, 1993, in our study. We did not have access to later versions, so we do not know if the properties identified here are present in later versions.

Time-constrained automata

In this paper, we augment the input-output automaton model in order to reason about time in concurrent systems, and we prove simple properties of this augmentation. The input-output automata model is a useful model for reasoning about computation in concurrent and distributed systems because it allows fundamental properties such as fairness and compositionality to be expressed easily and naturally. A unique property of the model is that systems are modeled as the composition of autonomous components. This paper describes a way to add a notion of time to the model in a way that preserves these properties. The result is a simple, compositional model for real-time computation that provides a convenient notation for expressing timing properties such as bounded fairness.

Integrated safety analysis of requirements specifications

This paper describes an integrated approach to safety analysis of software requirements and demonstrates the feasibility and utility of applying the individual techniques and the integrated approach on the requirements specification of a guidance system for a high-speed civil transport being developed at NASA Ames. Each analysis found different types of errors in the specification; thus together the techniques provided a more comprehensive safety analysis than any individual technique. We also discovered that the more the analyst knew about the application and the model, the more successful they were in finding errors. Our findings imply that the most effective safety-analysis tools will assist rather than replace the analyst.

Visual programming in a visual domain: a case study of cognitive dimensions

We present a new visual programming language and environment that serves as a form of feedback and representation in a Programming by Demonstration system The language di ers from existing visual languages because it explicitly represents data objects and implicitly represents operations by changes in data objects The system was designed to provide non programmers with programming support for common repetitive tasks and incorporates some principles of cognition to assist these users in learning to use it With this in mind we analyzed the language and its editor along cognitive dimensions The assessment provided insight into both strengths and weaknesses of the system prompting a number of design changes This demonstrates how useful such an analysis can be

Pursuit: graphically representing programs in a demonstrational visual shell

Pursuit is a programmable direct manipulation interface to a file system that enables users to create programs by demonstration. To construct a program in Pursuit, users execute actions on real data and Pursuit creates a general procedure containing variables, loops and conditionals. During the demonstration, the evolving program is represented in an editable, visual programming language. Unlike other visual programming languages, which explicitly represent operations and leave users to imagine data in their heads, Pursuit’s visual language explicitly represents data objects using icons and implicitly represents operations by the changes they cause to data icons. The language also serves as a novel form of feedback between Pursuit and the user.

Evaluating program representation in a demonstrational visual shell

For Programming by Demonstration (PBD) systems to reach their full potential, some way of representing programs is necessary so that programs can be viewed, edited and shared. How to represent programs, especially in a way that is easy for non-programmers to understand, is an open question. We designed and implemented two representation languages for a PBD desktop similar to the Apple Macintosh Finder. The first language is based on the comic-strip metaphor and graphically depicts the effects of a program on data. The second language is text-based and describes the actions of a program. A user study revealed that both languages enabled non-programmers generate and comprehend programs containing loops, variables and conditionals. Moreover, the study revealed that the comic-strip language doubled users’ abilities to accurately generate programs. Trends suggest that the same language was also easier for users to comprehend. These findings suggest that it is possible for a PBD system to enable non-programmers to construct programs and that the form of the representation can impact the PBD system’s effectiveness.

Visual Programming in a Visual Shell—A Unified Approach

Abstract Pursuit is a desktop interface designed to enable non-programmers to construct programs that automate routine repetitive tasks in a way that is consistent with the direct manipulation paradigm. Pursuit combines a Programming by Demonstration (PBD) interface with an editable, visual program representation language. The representation language differs from existing visual languages because it explicitly represents data objects and implicitly represents operations by changes to the data objects. In addition, the language provides concise ways to handle and represent error conditions and dialog boxes.

A state-based visual language for a demonstrational visual shell

We present a new visual programming language and environment that serves as a form of feedback and representation in a Programming by Demonstration (PBD) system. The language differs from existing visual languages because it explicitly represents data objects and implicitly represents operations by changes in data objects. To improve feedback and provide a closer union between the PBD system and the program representation, the visual language is integrated into other parts of the system, such as the editor. Finally, in order to enable new operations to be added easily to the system, we introduce a declarative language for specifying how an operations visual representation is generated.<<ETX>>

Creating and analyzing requirement specifications of joint human-computer controllers for safety-critical systems

The causes of many accidents in safety-critical systems, such as aircraft and nuclear pourer plants, can in part be found in the breakdown in communication between operators and computer(s) controlling the system. In this paper, we outline a method to model and analyze a controller in order to uncover potential requirement and design problems that can contribute to this communication breakdown. We illustrate the modeling and analysis techniques on a requirements specification for the guidance system of a high-speed civil transport being developed at NASA Ames. Our analysis revealed several system hazards, including potential sources of mode confusion, incomplete specification of computer response to operator input, as well as assumptions about the knowledge an operator must have in order to successfully control the aircraft.

Exploring Grahpical Feedback in a Demonstrational Visual Shell

We present a visual language that serves as a novel form of feedback in a Programming by Demonstration (PBD) interface. The language explicitly represents data, such as files, with unique icons and implicitly represents operations by changes to data icons, so that operations reflect the changes seen in the interface when executed. In addition, the language is used to provide feedback to the user by indicating loops and inferred sets, specifying parameters, etc., and is integrated into other parts of the PBD system, such as the editor. This forms a close union between the interface, the PBD system and the program representation and helps bridge the gap between the users mental model of the programming process and the actual programming task.