1
Model Checking Theory
  • Advanced Topics in Verification Seminar
  • Presented by Shai Turgeman
  • November 2002

2
Today's Agenda
  • Verification via model checking
  • State machines
  • Temporal Logic (CTL, LTL)
  • Traditional Model Checking
  • BDD (Binary Decision Diagram)
  • Symbolic Model Checking
  • Fairness Constraints
  • Summary

3
Abstract
  • The model checking method was discovered in the early 1980s
  • A fully automated method
  • No proofs have to be constructed by hand

4
Verification Via Model Checking
  • A finite-state description of the system
  • Requirements expressed in temporal logic
  • Satisfaction check, early bug detection, counterexamples
  • Interaction with the user


5
Verification Via Model Checking cont.
[Diagram: the system description and the requirements are the two inputs of the model checker, whose output is YES / NO]
6
Kripke Structure
  • Formal definition: (S, P, L, N, S0)
  • S: set of states
  • P: set of atomic propositions
  • L : S → 2^P: labeling function
  • N ⊆ S × S: transition relation
  • S0 ⊆ S: set of initial states

7
Labeled Transition Systems
  • Formal definition: (S, P, A, L, N, S0)
  • S, P, L, S0 are the same as in a Kripke structure
  • A: set of actions
  • N ⊆ S × A × S: transition relation labeled with actions

8
Temporal Logic
  • Propositional logic defines a set of states
  • Temporal logic describes how properties change over time
  • - CTL (Computation Tree Logic)
  • - LTL (Linear-Time Temporal Logic)
  • Both are interpreted over Kripke structures

9
Temporal Logic cont.
  • Path formulas describe a property of a path: a sequence of states connected by the transition relation
  • State formulas describe a property of a single state

10
CTL path operators
  • Every state formula S is a path formula
  • ¬P: a path satisfies ¬P if it does not satisfy P
  • P ∧ Q: a path satisfies P ∧ Q if it satisfies both P and Q
  • X P (Next): a path satisfies X P if the state after the initial state satisfies P
  • P U Q (Until): a path satisfies P U Q if some state on it satisfies Q and every state before that state satisfies P

11
Derived CTL path operators
  • P ∨ Q can be represented with ¬, ∧:
  • ¬((¬P) ∧ (¬Q))
  • P → Q can be represented with ¬, ∨:
  • (¬P) ∨ Q
  • F P (Future): a path satisfies F P if a state satisfying P is reached at some time; it can be represented with U:
  • tt U P, where tt ≡ (S ∨ ¬S)
  • G P (Globally): P holds in every state of the path; G P ≡ ¬F ¬P

12
CTL state operators
  • p ∈ P: any atomic proposition
  • ¬S: a state satisfies ¬S if it does not satisfy S
  • S ∧ T: a state satisfies S ∧ T if it satisfies both S and T
  • ∨, → are expressed as shown for path formulas

13
CTL path quantifiers
  • A P: a state satisfies A P if every execution path emanating from it satisfies P
  • E P: a state satisfies E P if some execution path emanating from it satisfies P; it can be represented with ¬, A:
  • ¬A(¬P)

14
Examples
  • p ≡ x > 0
  • Meaning: the value of the variable x must be positive
  • AG(¬P1 ∨ ¬P2)
  • Meaning: it is always the case that P1 (process 1 is in its critical section) is false or P2 (process 2 is in its critical section) is false, i.e. mutual exclusion
  • AG EF reset
  • Meaning: it is always the case that the reset state is reachable

15
CTL*, CTL and LTL
  • CTL* - the most expressive of the three: path quantifiers and path operators may be nested freely, so it subsumes both CTL and LTL
  • CTL: A or E (path quantifiers) must immediately precede every path operator, and only state formulas are allowed; as a result it cannot describe all properties (e.g. FG p has no CTL equivalent)
  • LTL: no path quantifiers (an implicit A over all paths) and only path formulas; as a result it cannot describe all properties (e.g. AG EF reset has no LTL equivalent)

16
  • So, we have CTL*. Why do we need CTL and LTL?
  • The algorithm: CTL model checking takes time linear in the size of the structure and of the formula, while LTL and CTL* model checking take time exponential in the size of the formula

17
Traditional Model Checking
  • Inputs: a Kripke structure K and a CTL formula S
  • Global strategy: compute all states satisfying the formula S and put them into the set Sk
  • K, s ⊨ S exactly when s ∈ Sk, so our goal is to compute Sk (and check that the initial states are in it)
  • The method: compute iteratively, bottom-up, from the smallest sub-formula to the one enclosing it

18
Immediate calculations
  • CTL operators computed with no difficulty:
  • S = p (an atomic proposition): Sk = {s | p ∈ L(s)}
  • S = ¬T: Sk = S − Tk (all states not in Tk)
  • S = T ∧ U: Sk = Tk ∩ Uk

19
AX
  • S = AX T
  • Compute Tk
  • Check each state
  • Check each transition emanating from that state
  • If every target state satisfies T (is in Tk), the state is put into Sk
  • Requires visiting each state and each transition once

20
A(_U_)
  • Similar to E(_U_)
  • S = A(T U Q)
  • Compute Tk and Qk
  • Use an iterative, approximation-based procedure to compute Sk, by generating a series S0, S1, ... of approximations to Sk
  • For all 0 ≤ i < n: Si ⊆ Si+1
  • For all 0 ≤ i ≤ n: Si ⊆ Sk



21
A(_U_) cont.
  • S0 = ∅
  • S1 = Qk. If Qk = ∅ we stop and Sk = S0 = ∅
  • For i ≥ 1 we generate Si+1 from Si by:
  • ΔSi contains those states that satisfy T, are not in Si, and all of whose transitions lead to states in Si
  • If ΔSi is empty we stop and Sk = Si
  • Otherwise Si+1 = Si ∪ ΔSi

22
A(_U_) cont.
[Diagram: the Q-states form S1; the T-states whose transitions all lead into S1 are added to form S2; the T-states whose transitions all lead into S2 are added to form S3]
23
A(_U_) cont.
  • Necessary data structure:
  • A counter per state, initialized with the number of emanating transitions; it counts the transitions not yet known to lead into Si
  • Backward traversal of the transitions to update the counters: a T-state joins Si+1 when its counter reaches 0
  • Complexity:
  • Initial scan to set the counters: O(|S|)
  • Every state and transition is visited once: O(|S| + |N|)
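The labelling algorithm of slides 17-23 as an added worked example in Python (this is not code from the presentation). It computes Sk bottom-up for atomic propositions, ¬, ∧, AX, E(_U_) and A(_U_), implementing A(T U Q) by exactly the counter-and-backward-traversal procedure above, and then checks the three properties of slide 14. The eight-state two-process mutual-exclusion model is constructed for illustration; the tuple encoding of formulas and the names `sat`, `check_eu`, `check_au`, `holds` and the derived-operator helpers are this example's own choices.

```python
from collections import defaultdict

class Kripke:
    """Kripke structure (S, P, L, N, S0); P is the union of the labels."""
    def __init__(self, states, labels, transitions, initial):
        self.S = set(states)
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}
        self.N = set(transitions)                 # N ⊆ S × S
        self.S0 = set(initial)
        self.succ, self.pred = defaultdict(set), defaultdict(set)
        for s, t in self.N:
            self.succ[s].add(t)
            self.pred[t].add(s)
        # The A(T U Q) counter procedure assumes a total relation (every state
        # has a successor); a deadlocked state would never be examined at all.
        assert all(self.succ[s] for s in self.S), "N must be total"

def sat(k, f):
    """Sk for the CTL formula f, bottom-up over its sub-formulas. Formulas are
    nested tuples: ('p', name), ('tt',), ('not', f), ('and', f, g),
    ('AX', f), ('EU', f, g), ('AU', f, g)."""
    op = f[0]
    if op == 'p':                       # S = p:     Sk = {s | p ∈ L(s)}
        return {s for s in k.S if f[1] in k.L[s]}
    if op == 'tt':
        return set(k.S)
    if op == 'not':                     # S = ¬T:    Sk = S − Tk
        return k.S - sat(k, f[1])
    if op == 'and':                     # S = T ∧ U: Sk = Tk ∩ Uk
        return sat(k, f[1]) & sat(k, f[2])
    if op == 'AX':                      # all emanating transitions enter Tk
        Tk = sat(k, f[1])
        return {s for s in k.S if k.succ[s] <= Tk}
    if op == 'EU':
        return check_eu(k, sat(k, f[1]), sat(k, f[2]))
    if op == 'AU':
        return check_au(k, sat(k, f[1]), sat(k, f[2]))
    raise ValueError("unknown operator %r" % (op,))

def check_eu(k, Tk, Qk):
    """E(T U Q): walk transitions backwards from Qk through T-states.
    Each state and transition is visited at most once: O(|S| + |N|)."""
    Sk, work = set(Qk), list(Qk)
    while work:
        s = work.pop()
        for p in k.pred[s]:
            if p in Tk and p not in Sk:
                Sk.add(p)
                work.append(p)
    return Sk

def check_au(k, Tk, Qk):
    """A(T U Q) via the approximations S1 = Qk ⊆ S2 ⊆ ... of slides 20-23.
    counter[s] = transitions of s not yet known to enter the current Si; the
    backward traversal decrements it, and a T-state joins when it reaches 0,
    i.e. when *all* of its transitions lead into Si."""
    counter = {s: len(k.succ[s]) for s in k.S}      # initial scan, O(|S|)
    Sk, work = set(Qk), list(Qk)
    while work:                                     # O(|S| + |N|) in total
        s = work.pop()
        for p in k.pred[s]:
            counter[p] -= 1
            if counter[p] == 0 and p in Tk and p not in Sk:
                Sk.add(p)
                work.append(p)
    return Sk

def holds(k, f):
    """K ⊨ f iff every initial state is in Sk."""
    return k.S0 <= sat(k, f)

# Derived operators (slides 11 and 13): P∨Q, P→Q, F P = tt U P, G P = ¬F¬P.
def P(name):       return ('p', name)
def OR(f, g):      return ('not', ('and', ('not', f), ('not', g)))
def IMPLIES(f, g): return OR(('not', f), g)
def EF(f):         return ('EU', ('tt',), f)
def AF(f):         return ('AU', ('tt',), f)
def AG(f):         return ('not', EF(('not', f)))

# Constructed model: two processes cycling non-critical (n) -> trying (t) ->
# critical (c) -> n, interleaved; s0 doubles as the reset state.
MUTEX = Kripke(
    states=[f"s{i}" for i in range(8)],
    labels={"s0": {"n1", "n2", "reset"}, "s1": {"t1", "n2"}, "s2": {"c1", "n2"},
            "s3": {"t1", "t2"}, "s4": {"c1", "t2"}, "s5": {"n1", "t2"},
            "s6": {"n1", "c2"}, "s7": {"t1", "c2"}},
    transitions=[("s0", "s1"), ("s0", "s5"), ("s1", "s2"), ("s1", "s3"),
                 ("s2", "s0"), ("s2", "s4"), ("s3", "s4"), ("s3", "s7"),
                 ("s4", "s5"), ("s5", "s3"), ("s5", "s6"), ("s6", "s0"),
                 ("s6", "s7"), ("s7", "s1")],
    initial=["s0"])

if __name__ == "__main__":
    for name, f in [("AG ¬(c1 ∧ c2)", AG(('not', ('and', P("c1"), P("c2"))))),
                    ("AG EF reset", AG(EF(P("reset")))),
                    ("AG(t1 → AF c1)", AG(IMPLIES(P("t1"), AF(P("c1")))))]:
        print(f"{name}: {holds(MUTEX, f)}  Sk = {sorted(sat(MUTEX, f))}")
```

Mutual exclusion and AG EF reset hold; AG(t1 → AF c1) fails, because the cycle s1 → s3 → s7 → s1 keeps process 1 trying forever while process 2 enters and leaves its critical section. That is the starvation scenario the fairness constraints of slides 34-36 are designed to exclude. The assertion in the constructor makes the usual totality assumption explicit: on a structure with deadlocked states the AX and A(_U_) results of this procedure differ from the textbook path semantics, so check the assumption rather than rely on it.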

24
Traditional Model Checking
  • So, for a formula f the total running time is
  • O(|f| · (|N| + |S|))
  • Why doesn't everyone use model checking?

25
State Explosion
  • A quite small hardware design containing only 100 latches has about 2^100 states
  • This state explosion is the reason the explicit-state method is not usable on realistic designs

26
BDD
  • BDD (Binary Decision Diagram)
  • Purpose: represents boolean formulas more compactly than traditional representations (truth tables, normal forms)
  • A BDD is a directed acyclic graph, very similar to a binary decision tree but with isomorphic subtrees shared
  • Given an assignment of boolean values to the variables it is easy to determine whether the formula is true or false: follow one path from the root to a terminal

27
Example
  • Boolean expression: (a ∧ b) ∨ (c ∧ d)
  • For (a=1, b=0, c=1, d=1) it evaluates to true
[Diagram: BDD of (a ∧ b) ∨ (c ∧ d) with decision nodes a, b, c, d, 0/1 branches and the terminals 0 and 1]
28
BDD cont.
  • The variable ordering critically affects the size of the BDD
  • For a given boolean function and a given variable ordering there is a unique reduced BDD (a canonical form), so equivalence of two functions is a pointer comparison
  • Basic operations on BDDs: ¬ is linear in the size of the operand; ∧ and ∨ take time proportional to the product of the sizes of the two operands
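A small reduced ordered BDD manager, added here as a worked example in Python (not code from the presentation). The `mk` constructor enforces the two reduction rules (drop a node whose branches coincide, share isomorphic subgraphs through a unique table), `apply` is Bryant's recursive algorithm memoised on node pairs, and the helpers build the slide-27 formula under two orderings to show the size effect and the canonicity claim. The class and function names and the node encoding are this example's own.

```python
OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "xor": lambda a, b: a != b}

class BDD:
    """Reduced Ordered BDD manager. Terminals are the ints 0 and 1; an
    internal node is an id >= 2 mapping to (level, low, high), where level
    is the position of its variable in the fixed ordering."""
    def __init__(self, order):
        self.order = list(order)
        self.level_of = {v: i for i, v in enumerate(order)}
        self.nodes = {}          # id -> (level, low, high)
        self.unique = {}         # (level, low, high) -> id: one node per triple
        self.cache = {}          # memo for apply: (op, u, v) -> result

    def mk(self, level, low, high):
        """The only node constructor: enforces both reduction rules."""
        if low == high:                      # redundant test -> drop the node
            return low
        key = (level, low, high)
        if key not in self.unique:           # isomorphic subgraph -> share it
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, name):
        return self.mk(self.level_of[name], 0, 1)

    def level(self, u):
        return len(self.order) if u <= 1 else self.nodes[u][0]

    def apply(self, op, u, v):
        """Bryant's apply: split on the topmost variable of u and v.
        Memoised on (op, u, v), so the work is O(|u| * |v|)."""
        key = (op, u, v)
        if key not in self.cache:
            if u <= 1 and v <= 1:
                r = int(OPS[op](bool(u), bool(v)))
            else:
                lvl = min(self.level(u), self.level(v))
                u0, u1 = self.nodes[u][1:] if self.level(u) == lvl else (u, u)
                v0, v1 = self.nodes[v][1:] if self.level(v) == lvl else (v, v)
                r = self.mk(lvl, self.apply(op, u0, v0), self.apply(op, u1, v1))
            self.cache[key] = r
        return self.cache[key]

    def AND(self, u, v): return self.apply("and", u, v)
    def OR(self, u, v):  return self.apply("or", u, v)
    def NOT(self, u):    return self.apply("xor", u, 1)

    def evaluate(self, u, assignment):
        """Follow one root-to-terminal path: linear in the number of variables."""
        while u > 1:
            lvl, low, high = self.nodes[u]
            u = high if assignment[self.order[lvl]] else low
        return bool(u)

    def size(self, u):
        """Number of internal nodes reachable from u."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)

def build_slide_formula(order):
    """(a ∧ b) ∨ (c ∧ d) from slide 27 under the given variable ordering."""
    m = BDD(order)
    a, b, c, d = (m.var(x) for x in "abcd")
    return m, m.OR(m.AND(a, b), m.AND(c, d))

def sizes_by_ordering():
    """Node counts of the same function under two orderings."""
    result = {}
    for order in (["a", "b", "c", "d"], ["a", "c", "b", "d"]):
        m, f = build_slide_formula(order)
        result[",".join(order)] = m.size(f)
    return result

def slide_assignment_is_true():
    m, f = build_slide_formula(["a", "b", "c", "d"])
    return m.evaluate(f, {"a": 1, "b": 0, "c": 1, "d": 1})

def canonical():
    """The same function built via De Morgan yields the very same node id."""
    m, f = build_slide_formula(["a", "b", "c", "d"])
    a, b, c, d = (m.var(x) for x in "abcd")
    g = m.NOT(m.AND(m.NOT(m.AND(a, b)), m.NOT(m.AND(c, d))))
    return f == g

if __name__ == "__main__":
    print(sizes_by_ordering(), slide_assignment_is_true(), canonical())
```

Under the ordering a, b, c, d the function needs 4 decision nodes; under a, c, b, d it needs 6, because the a=0 and a=1 branches can no longer share one c-d subgraph. For (a ∧ b) ∨ (c ∧ d) ∨ (e ∧ f) and longer chains the gap between the paired and the interleaved ordering becomes exponential, which is why variable-ordering heuristics matter in practice.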

29
BDD and Kripke structures
  • The transition relation N and the set of states S are represented by BDDs over the set of current-state variables V and next-state variables V'
  • Assumption: for any two states s1, s2 ∈ S, if L(s1) = L(s2) then s1 = s2
  • Every state is thus represented by a |P|-length boolean vector: its atomic propositions

30
BDD and Kripke structures cont.
  • Every transition between two states is represented by a 2|P|-length vector: the atomic propositions of the two states
  • These vectors define boolean functions over |P| or 2|P| variables, which are represented easily by BDDs
  • A transition exists iff the BDD evaluates to 1 on its vector; if the result is 0 the transition does not exist

31
Symbolic Model Checking
  • Reduces the state explosion problem, especially for structures with limited communication
  • The symbolic model checking algorithm works inductively over the structure of CTL formulas
  • Boolean connectives are computed with BDD operations; each sub-formula yields the BDD of its set of states

32
Symbolic Model Checking cont.
  • Computing EX
  • EX f(u) = ∃v. (f(v) ∧ N(u, v))
  • Computing EU (least fixpoint)
  • E[f U g] = g ∨ (f ∧ EX E[f U g])
  • Computing EG (greatest fixpoint)
  • EG f = f ∧ EX EG f

33
Symbolic Model Checking result
  • Helps in dealing with the state explosion problem
  • Keeps model checking's good qualities
  • What more is needed?

34
Fairness constraints
  • In many cases we are interested in correctness only along fair computation paths
  • There is no point in reporting a violation along a path the environment never produces, e.g. a scheduler that starves one process forever
  • A path is said to be fair with respect to a set C of fairness constraints if each constraint holds infinitely often along the path
  • Denoted E_C X f, E_C [f U g], E_C G f

35
Fairness constraints cont.
  • Example: E_C G f is true in a state that has a path satisfying G f along which each formula in C (the set of constraints) holds infinitely often; the set of such states is Z, the largest set satisfying the conditions
  • All the states in Z satisfy f
  • For all ck ∈ C and s ∈ Z there is a path of length at least one from s to a state in Z satisfying ck, such that all states on the path satisfy f

36
Fairness constraints cont.
  • Examples: E_C X f, E_C [f U g]
  • Define the set of all states that lie on a fair computation as h = E_C G true
  • E_C X f = EX(f ∧ h)
  • E_C [f U g] = E[f U (g ∧ h)]
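The fixpoint characterisations of slide 32 and the fairness constructions of slides 34-36 as one worked example in Python, added here and not part of the presentation. Plain Python sets stand in for the BDDs: `pre_E` is the relational product ∃v. f(v) ∧ N(u, v), and every other step is a boolean combination, so the same code shape carries over to a BDD package. The fair EG fixpoint uses the formulation from Burch, Clarke, McMillan and Dill, Z = f ∧ ⋀_{c∈C} EX E[f U (Z ∧ c)]. The scheduler model, the state names and the single fairness constraint are constructed for illustration.

```python
def pre_E(N, X):
    """EX X: states with a transition into X, i.e. {u | ∃v. X(v) ∧ N(u, v)}.
    On BDDs this is one relational product; on sets it is one pass over N."""
    return {u for (u, v) in N if v in X}

def EU(N, f, g):
    """E[f U g]: least fixpoint of Z = g ∪ (f ∩ EX Z), starting from ∅."""
    Z = set()
    while True:
        Z1 = g | (f & pre_E(N, Z))
        if Z1 == Z:
            return Z
        Z = Z1

def EG(N, f):
    """EG f: greatest fixpoint of Z = f ∩ EX Z, starting from f."""
    Z = set(f)
    while True:
        Z1 = f & pre_E(N, Z)
        if Z1 == Z:
            return Z
        Z = Z1

def fair_EG(N, f, C):
    """E_C G f: greatest fixpoint of  Z = f ∩ ⋂_{c∈C} EX E[f U (Z ∩ c)].
    The EX forces the witness path from s back into Z ∩ c to take at least
    one transition, so every c ∈ C recurs infinitely often along it."""
    Z = set(f)
    while True:
        Z1 = set(f)
        for c in C:
            Z1 &= pre_E(N, EU(N, f, Z & c))
        if Z1 == Z:
            return Z
        Z = Z1

def fair_EX(N, S, f, C):
    """E_C X f = EX(f ∧ h), with h = E_C G true the states on some fair path."""
    return pre_E(N, f & fair_EG(N, S, C))

def fair_EU(N, S, f, g, C):
    """E_C [f U g] = E[f U (g ∧ h)]."""
    return EU(N, f, g & fair_EG(N, S, C))

# Constructed model: a scheduler that may keep running process 2 forever
# (s1 -> s1) or wander into a halted state s3 in which nothing happens.
STATES = {"s0", "s1", "s2", "s3"}
TRANS = {("s0", "s1"), ("s0", "s2"), ("s1", "s0"), ("s1", "s1"),
         ("s1", "s3"), ("s2", "s0"), ("s3", "s3")}
RUN1, RUN2, HALT = {"s2"}, {"s1"}, {"s3"}
NOT_RUN1 = STATES - RUN1
FAIR = [RUN1]        # constraint: process 1 is scheduled infinitely often

if __name__ == "__main__":
    print("EG ¬run1       ", sorted(EG(TRANS, NOT_RUN1)))             # starvation path exists
    print("E_C G ¬run1    ", sorted(fair_EG(TRANS, NOT_RUN1, FAIR)))  # ... but no fair one
    print("h = E_C G true ", sorted(fair_EG(TRANS, STATES, FAIR)))    # s3 is on no fair path
    print("EF halt        ", sorted(EU(TRANS, STATES, HALT)))
    print("E_C F halt     ", sorted(fair_EU(TRANS, STATES, STATES, HALT, FAIR)))
```

EG ¬run1 holds in s0: process 1 can starve, but only along the unfair path that schedules process 2 forever, so E_C G ¬run1 is empty and the fair A_C F run1 = S − E_C G ¬run1 holds in every state. The halted state s3 shows the flip side: it is reachable (EF halt holds everywhere) yet lies on no fair path, so E_C F halt is empty. A fairness constraint hides every behaviour it declares unfair; it has to be justified by the real scheduler or environment, not added because it makes a check pass.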

37
Short Summary
  • Traditional Model Checking
  • BDD
  • Symbolic Model Checking
  • Fairness constraints
  • State Explosion

38
References
  • Rance Cleaveland (ed.), Pragmatics of model checking: an STTT special section
  • J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, Sequential circuit verification using symbolic model checking
  • K.L. McMillan (Bell Laboratories, Murray Hill), Fitting formal methods into the design cycle