Abstract
With a few exceptions, previous formal methods for reactive system analysis have focused on finite state machines represented in terms of boolean states and boolean next-state functions. By contrast, in many reactive system domains requirements engineers and developers think in terms of complex data types and expressive next-state functions. Formal methods for reactive system design must be extended to meet their needs as well. I term a reactive system function-rich if expressing its state, next-state function, or output function naturally requires this higher expressive power. ISAT, a prototype formal-methods-based tool environment, is intended to assist in the creation and validation of function-rich reactive systems. This paper describes a case study I have carried out using ISAT to design, validate, synthesize, and evolve controllers for the email agent components making up a novel spam-free email system that I deployed in a user trial in July 1999. The trial has been running since then, with high availability, through several evolutionary specification changes and the resulting software releases. The case study illustrates the use of a mix of validation techniques, from scenario simulation and coverage through static analysis to theorem proving, and discusses the value each technique adds. In addition to summarizing ISAT and the trial, the paper discusses the tool requirements imposed by the domain and task, the simple and powerful platform/controller/pure-functions software architecture of the components, and lessons learned.
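The following is an added illustration, not code from the paper, from ISAT, or from the deployed email system, of what a function-rich reactive controller looks like when written in the platform/controller/pure-functions style the abstract names: the controller state is structured data (sets of addresses, a tuple of message ids) rather than booleans, the next-state/output function `step` is pure, the platform (`simulate`) is the only imperative layer, and a small scenario-coverage check abstracts the rich state to a handful of classes so transition coverage becomes countable. The mail-handling policy (hold mail from unknown senders until the owner approves them) and the sample scenarios are constructed for this example and are not the paper's spam-free email design.

```python
"""Added example: a function-rich reactive controller with scenario coverage.
The policy and scenarios are constructed for illustration only."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple

# --- state: structured data, not booleans ---------------------------------
@dataclass(frozen=True)
class State:
    allowed: FrozenSet[str] = frozenset()    # correspondents whose mail is delivered
    pending: FrozenSet[str] = frozenset()    # senders awaiting the owner's decision
    delivered: Tuple[str, ...] = ()          # message ids passed to the inbox

@dataclass(frozen=True)
class Event:
    kind: str          # "mail" | "approve" | "revoke"  (hypothetical event set)
    sender: str = ""
    msg_id: str = ""

# --- pure next-state / output function -------------------------------------
def step(s: State, e: Event) -> Tuple[State, List[str]]:
    """Pure controller: returns (next state, output actions); no I/O here."""
    if e.kind == "mail":
        if e.sender in s.allowed:
            return replace(s, delivered=s.delivered + (e.msg_id,)), [f"deliver {e.msg_id}"]
        if e.sender in s.pending:
            return s, [f"hold {e.msg_id}"]
        return (replace(s, pending=s.pending | {e.sender}),
                [f"hold {e.msg_id}", f"ask-owner {e.sender}"])
    if e.kind == "approve":
        if e.sender in s.pending:
            return (replace(s, allowed=s.allowed | {e.sender}, pending=s.pending - {e.sender}),
                    [f"notify {e.sender} accepted"])
        return s, []
    if e.kind == "revoke":
        return replace(s, allowed=s.allowed - {e.sender}, pending=s.pending - {e.sender}), []
    raise ValueError(f"unknown event kind {e.kind!r}")

# --- platform: drives the pure controller and records what was exercised ----
def state_class(s: State) -> str:
    """Abstract the rich state to a small label so coverage is countable."""
    return f"allowed={'yes' if s.allowed else 'no'},pending={'yes' if s.pending else 'no'}"

def simulate(scenario: List[Event], s0: State = State()):
    """Run one scenario; return final state, all outputs, and transitions hit."""
    s, outs, hit = s0, [], set()        # type: State, List[str], Set[Tuple[str, str]]
    for e in scenario:
        hit.add((state_class(s), e.kind))
        s, acts = step(s, e)
        outs.extend(acts)
    return s, outs, hit

def coverage(scenarios: List[List[Event]]) -> Dict[str, object]:
    """Transition coverage over (abstract state class, event kind) pairs."""
    kinds = ("mail", "approve", "revoke")
    classes = [f"allowed={a},pending={p}" for a in ("no", "yes") for p in ("no", "yes")]
    total = {(c, k) for c in classes for k in kinds}
    hit: Set[Tuple[str, str]] = set()
    for sc in scenarios:
        hit |= simulate(sc)[2]
    return {"hit": len(hit), "total": len(total), "missed": sorted(total - hit)}

# Constructed sample scenarios (not from the paper's trial).
SCENARIOS = [
    [Event("mail", "alice@example.test", "m1"),
     Event("approve", "alice@example.test"),
     Event("mail", "alice@example.test", "m2")],
    [Event("mail", "bob@example.test", "m3"),
     Event("mail", "bob@example.test", "m4"),
     Event("revoke", "bob@example.test")],
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        print(simulate(sc)[1])
    print(coverage(SCENARIOS))
```

The coverage report is the useful part: the two scenarios above leave seven of the twelve abstract transitions unexercised (for instance, `approve` while nothing is pending, and any event once both an allowed and a pending sender exist), which is exactly the kind of gap a scenario-simulation-plus-coverage step is meant to surface before heavier techniques such as static analysis or theorem proving are applied.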
Cite this article
Hall, R.J. Specification, Validation, and Synthesis of Email Agent Controllers: A Case Study in Function Rich Reactive System Design. Automated Software Engineering 9, 233–261 (2002). https://doi.org/10.1023/A:1016372507161