Acknowledge all students and TAB members for input on the process.


Thanks to Laura, Katherine, Yi for input on the possibility of formalizing aspects of MoXI using an automated theorem prover. /thanks to the members of the TAB: …


MENTION: PANDA, other backends




Symbolic model checking has made foundational changes to impactful, real-world system designs, yet its ascent to a commonplace verification technique is currently most limited by a few barriers to adoption, centering on its lack of standardization. For just one example, in our own work, symbolic model checking with \nuXmv changed the design ... \cite{marco cristian}
%
The collection of impactful success stories of symbolic model checking in real-world system development is far too large and too diverse to cite in a single paper; there is no question that model checking provides value beyond its cost in verifying that a wide range of systems uphold requirements for safety, security, and other desirable properties (such as consistency or financial soundness). However, model checking is still not as commonly used as informal verification techniques such as simulation and testing. One major reason for this is the specification bottleneck \cite{Roz16}: creating and validating system models and temporal logic specifications remains a challenging undertaking. The second barrier to adoption is the famous state-space explosion problem: the combination of the modeling technique used to represent the relevant system characteristics and the back-end model-checking algorithm results in an untenable search space. However, the third barrier is perhaps both the biggest impediment and the easiest to overcome: a lack of standardization in symbolic model checking prevents the propagation of mitigations to the first two barriers.

SMV is a widely used, expressive modeling language; due to its appealing syntax, which intuitively represents many common systems, SMV continues to be used successfully in a wide range of industrial verification efforts \cite{RLS02,GHBTCM02,TM03,CH03,MTWH06,Mil08,YJC09,BCKNNR09,GDH11,LVBFNH12,BCPJKPRT15,ZR12,ZR14,MCGTR15,GCMTR16,DRR17,DR17}. Two freely-available model checkers previously provided viable research platforms: CadenceSMV \cite{McM93} and \textsc{NuSMV} \cite{CCGGPRST02} (which is integrated into today's \nuXmv \cite{nuxmv}). Yet, today CadenceSMV's 32-bit pre-compiled binary and \nuXmv's increasingly restricted, closed-source releases are no longer suitable for research, e.g., into improved model-checking algorithms. How can we continue the progression of high-level-language model checking in SMV with no open-source research platform that allows new algorithms under the hood?

SMV as a modeling language is important because it has significantly reduced the (first) specification barrier. Unlike other model-checking input languages, it includes high-level constructs critically required for modeling and validating safety-critical systems, such as many aerospace operational systems, from Boeing's Wheel Braking System \cite{BCFJKPRT15} to NASA's Automated Airspace Concept \cite{ZR12,ZR14,MCGTR15,GCMTR16} to a variety of Unmanned Aerial Systems \cite{SRRMMI13,RRS14}. SMV has been used widely by the hardware model checking community as well (e.g., at FMCAD \cite{FMCAD}) and has appealing qualities that could further the widespread integration of formal methods, yet we cannot ........... second barrier




At the other end of the spectrum are tools such as ABC~\cite{brayton2010abc}, an open-source, award-winning model-checking engine.
%% which provide viable research platforms. 
Unfortunately, these tools are based on a bit-level input language such as AIGER. Such languages do not support direct modeling of modern complex systems---the way SMV does---and hinder validation; it is very hard to convince industrial system designers that AIGER models correctly capture their higher-level systems. %%In addition, 
Most existing systems for translating from high-level models to AIGER focus on hardware designs, and do not provide a natural means to describe systems that arise in, for instance, the embedded systems field. Finally, the problem of translating counterexamples produced by ABC back into meaningful counterexamples for a non-hardware-centric higher-level language model, such as one in SMV, remains an open research question.