Model Checking - PowerPoint PPT Presentation

About This Presentation
Title:

Model Checking

Description:

Model checking formal method to verify finite state concurrent systems ... CS 6133 Spec & Verification. Wikipedia 'Model Checking' Questions? Just nod and clap... – PowerPoint PPT presentation

Slides: 39
Provided by: RiskI7

Transcript and Presenter's Notes



1
Model Checking
  • Mark Reith
  • CS 7123 Research Seminar
  • 22 Oct 07

2
Overview
  • Why Model Checking?
  • Basic Concepts
  • Model Checking Variants
  • Limitations
  • Example Tools

3
Why Model Checking?
  • Need for reliable hardware and software
  • Deductive verification
  • Uses axioms and proof rules to prove correctness
  • Can reason about infinite state systems
  • Often requires verification expert time
  • No bound on time/memory to find proof
  • Limited automation

4
Why Model Checking?
  • Model checking: a formal method to verify finite-state
    concurrent systems
  • Always provides a yes/no answer
  • Produces counterexamples upon failure
  • Reasonable efficiency
  • Bounded time/space to verify
  • Automated

5
Applications
  • Applicable to
  • Hardware controllers/circuits
  • Communication and security protocols
  • Concurrent software
  • Industrial-size problems
  • Discovered flaws in FutureBus
  • Microsoft device drivers
  • NASA critical software
  • Microprocessor design

6
Basic Concepts
  • Key terms
  • Model and Initial State (Input)
  • Specification/Properties (Input)
  • State Space (Verification)
  • Counterexample (Output)

7
Model and Initial State
  • Represented as automata
  • States and transitions
  • State space
  • Abstraction used to eliminate irrelevant details
  • Initial state and model together determine the
    reachable state space

8
Specification
  • Often expressed in temporal logic
  • Propositional logic with a temporal aspect
  • Describes the ordering of events without explicitly
    using the concept of time
  • Several variants: LTL, CTL, CTL*

9
Linear Temporal Logic (LTL)
  • Given properties p and q
  • G p: p is true henceforth from the current state
  • X p: p is true in the next state
  • F p: p is true in the current or a future state
  • p U q: p is true until q is true
  • p R q: p releases q; q is true up until p
    becomes true

10
Computational Tree Logic
  • Similar to LTL, but specifies branches
  • Quantifiers over paths
  • A p: p has to hold on all paths from the current
    state
  • E p: there exists at least one path from the current
    state where p holds

11
CTL Example
12
CTL Example
13
Types of Model Checking
  • Explicit
  • Symbolic
  • Language Containment
  • Bounded (SAT Solver)
  • Probabilistic (DTMC)

14
Explicit Model Checking
  • Early model checking approach
  • Uses Kripke structure
  • FSM with labeled states
  • Visit each state and evaluate specification
  • Often requires constructing state space
  • With CTL, able to check 10^5 states

15
Explicit Model Checking
[Figure: Kripke structure with four states, each labelled by a combination of the propositions p, q, r]
  • Specifications
  • AG p
  • EX q
  • EF r

18
Symbolic Model Checking
  • Uses special data structure
  • Ordered binary decision diagrams (OBDD)
  • Limits search to states involving variables of
    interest
  • With CTL, able to check 10^120 states
  • Used to verify real world circuits

19
Symbolic State Graphs
  • State transition structure represented as a
    Boolean function
  • Don't actually build the graph
  • Select binary encodings of system states and
    input alphabet
  • Next-state behavior described as a relation by the
    characteristic function δ(v1, v2, v1', v2')

20
Simple Example
21
BDD
22
BDD
23
BDD
24
Reduced OBDD
[Figure: reduced OBDD over the variables p and q, with terminal nodes 0 and 1]
25
Reduced OBDD
26
Verifying Symbolic Models
  • BDDs provide set operations
  • and, or, not, xor, etc.
  • Image(p, R), Image^-1(p, R)

27
Verifying Symbolic Models
  • CTL expressions can be translated into efficient
    BDD operations
  • EX p = Image^-1(p, R)
  • AX p = ¬EX ¬p
  • Other temporal operators have a fixed-point
    characterization

28
Example EF p
  • EF p is characterized by
  • Thus, it is the limit of the increasing series...

...which we can compute entirely using BDD
operations
29
Example EG p
  • EG p is characterized by
  • Thus, it is the limit of the decreasing series...

...which we can compute entirely using BDD
operations
30
Remaining operators
  • Allows CTL model checking with only BDD ops
  • Avoid building state graph
  • (Sometimes) avoid state explosion problem

Now you can go home and build your own symbolic
model checker...
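The fixed-point recipe of slides 27 to 30 (EX as Image^-1, AX as ¬EX ¬p, EF as an increasing series, EG as a decreasing series) carried out on the explicit-state Kripke structure of slide 15, as an added example that is not part of the original slides. Python sets stand in for BDDs (union, intersection and complement are the or/and/not operations); the four-state structure, its transition relation and its labels are constructed for illustration.

```python
"""Explicit-state CTL checking over a small Kripke structure. Python sets play
the role of BDDs: |, & and STATES - s are the BDD or/and/not operations, and
pre_image is Image^-1(p, R). Constructed example, not from the slides."""

# Constructed Kripke structure: states, transition relation R, labels, initial set.
STATES = {0, 1, 2, 3}
R = {(0, 1), (1, 2), (2, 3), (3, 3), (1, 0)}
LABELS = {0: {"p"}, 1: {"p", "q"}, 2: {"p", "r"}, 3: {"p", "q", "r"}}
INIT = {0}

def sat(prop):
    """Set of states in which an atomic proposition holds."""
    return {s for s in STATES if prop in LABELS[s]}

def pre_image(target):
    """Image^-1(target, R): states with at least one successor in target."""
    return {s for (s, t) in R if t in target}

def neg(s):            # BDD 'not' over the state set
    return STATES - s

def EX(s):             # EX p = Image^-1(p, R)
    return pre_image(s)

def AX(s):             # AX p = not EX not p
    return neg(EX(neg(s)))

def EF(s):
    """Least fixed point: Z0 = p, Z(i+1) = Z(i) or EX Z(i) (increasing series)."""
    z = set(s)
    while True:
        nz = z | EX(z)
        if nz == z:
            return z
        z = nz

def EG(s):
    """Greatest fixed point: Z0 = p, Z(i+1) = Z(i) and EX Z(i) (decreasing series)."""
    z = set(s)
    while True:
        nz = z & EX(z)
        if nz == z:
            return z
        z = nz

def AG(s):             # AG p = not EF not p
    return neg(EF(neg(s)))

def holds_initially(states):
    """Verdict: a property holds for the model iff every initial state satisfies it."""
    return INIT <= states
```

Each iteration of EF and EG is one pre-image plus one set operation, which is exactly the BDD-only computation the slides describe; the verdict for a specification is `holds_initially(AG(sat("p")))`.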
31
Language Containment
  • Represents both model and specification as
    Büchi automata
  • Process
  • Negate the specification automaton and intersect the
    result with the model automaton
  • Any path of the resulting automaton that reaches an
    accepting state is a counterexample

32
Limitations
  • State explosion problem
  • Particularly in software, since it has less regularity
    than circuits
  • Models are approximations of real-world systems;
    abstraction of details is what makes the models
    tractable

33
Limitations
  • Incorrect models or specifications may produce
    incorrect results
  • Only checks the specifications provided: no guarantee
    that the specification covers all properties that
    should be satisfied

34
Optimizations
  • Abstraction
  • Composition
  • Symmetry
  • Partial Order Reduction
  • Induction

35
Example Tools
  • SPIN (Promela)
  • SMV, NuSMV
  • Java Pathfinder (JPF)
  • Alloy (SAT solver)
  • Bandera/Bogor
  • LTSA (Labelled Transition System Analyser)
  • PRISM (probabilistic, symbolic)

36
Summary
  • Model Checking Fundamentals
  • Various Types of Model Checkers
  • Applications of Model Checking
  • Example Tools

37
References
  • Clarke et al., Model Checking, 1999
  • Doron Peled, Software Reliability Methods, 2001
  • Ken McMillan, Introduction to Model Checking,
    1998
  • CS 6133 Spec & Verification
  • Wikipedia, "Model Checking"

38
Questions?
  • Just nod and clap