Abstract

Model checking is an effective technique for verifying properties of a finite specification. A model checker accepts a specification and a property, and it searches the reachable states to determine if the property is a theorem of the specification. Because model checking examines every state of the specification, it is a more thorough validation technique than testing executable specifications. However, some researchers question the feasibility of model checking, because the size of a specifications state-space grows exponentially with respect to the number of variables in the specification. This paper demonstrates the feasibility of symbolically model checking a non-trivial specification: the software requirements of the A-7E aircraft. The A-7E requirements document lists five properties that the designers manually derived from the requirements. Using McMillan's (1992) Symbolic Model Verifier, we were able to verify or find a counterexample to each property in less than 10-15 CPU minutes. In particular, we found that an important safety property did not hold.