A Flexible Framework for the Estimation of Coverage Metrics in Explicit State Software Model Checking

Abstract

AbstractExplicit-State Model Checking is a well-studied technique for the verification of concurrent programs. Due to exponential costs associated with model checking, researchers often focus on applying model checking to software units rather than whole programs. Recently, we have introduced a framework that allows developers to specify and model check rich properties of Java software units using the Java Modeling Language (JML). An often overlooked problem in research on model checking software units is the problem of environment generation: how does one develop code for a test harness (representing the behaviors of contexts in which a unit may eventually be deployed) for the purpose of driving the unit being checked along relevant execution paths?In this paper, we build on previous work in the testing community and we focus on the use of coverage information to assess the appropriateness of environments and to guide the design/modification of environments for model checking software units. A novel aspect of our work is the inclusion of specification coverage of JML specifications in addition to code coverage in an approach for assessing the quality of both environments and specifications. To study these ideas, we have built a framework called MAnTA on top of the Bogor Software Model Checking Framework that allows the integration of a variety of coverage analyses with the model checking process. We show how we have used this framework to add two different types of coverage analysis to our model checker (Bogor) and how it helped us find coverage holes in several examples. We make an initial effort to describe a methodology for using code and specification coverage to aid in the development of appropriate environments and JML specifications for model checking Java units.KeywordsModel CheckCoverage AnalysisCoverage InformationJava Modeling LanguageCoverage MetricsThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.