Title: Model Checking
1 Model Checking
2 Agenda
- What is Model Checking?
- What can we do?
- What can't we do?
- Where does it make sense?
- Where doesn't it?
3 Origins

    #include <stdio.h>

    void foo(int bar)
    {
        printf("this is ");
        if (bar < 1)
        {
            printf("not ");
        }
        printf("a positive integer");
        return;
    }

- Is this program correct?
- How do we find out whether it is correct?
- Statement coverage: 1
- Condition coverage: 1
- Path coverage: 2
- Path coverage is exponential!
4 Problems
- Specifications in natural language
- Testing requires manual input definitions
- Simulation also?
- How to deal with concurrency?
5 The Model Checking Problem
Does the property P hold in model M?
6 Properties

    f0 = false
    f1 = false
    turn = 0 // or 1

    p0: f0 = true
        while f1 {
            if turn ≠ 0 {
                f0 = false
                while turn ≠ 0 {}
                f0 = true
            }
        }
        // critical section
        turn = 1
        f0 = false

- Mutual exclusion requires:
  - Only one process in the critical section. (Safety)
  - If a process wants to enter the critical section, it eventually will. (Liveness)
7 Models
- Model Checkers work on finite state machines.
- These FSMs should encode the behaviour of our system.
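To make slides 6 and 7 concrete, here is an added example (not from the slides) of what a model checker does with the protocol above: the two-process Dekker entry/exit code is encoded as a finite state machine (flags, turn, one program counter per process), every interleaving is enumerated, and the safety property "only one process in the critical section" is checked. A constructed broken entry protocol is included so the checker has something to find; the state encoding and the function names are my assumptions.

```python
from collections import deque
CRIT = 5  # program-counter value meaning "inside the critical section"

def dekker_step(state, i):
    """One atomic step of process i in the Dekker protocol from slide 6 (both processes run
    the same code, i is the process index).  state = (flags, turn, pcs), all hashable."""
    f, turn, pc = list(state[0]), state[1], list(state[2])
    j, p = 1 - i, pc[i]
    if p == 0:      f[i] = True;  pc[i] = 1                 # f_i = true
    elif p == 1:    pc[i] = 2 if f[j] else CRIT             # while f_j: ... else enter
    elif p == 2:    pc[i] = 3 if turn != i else 1           # if turn != i: ...
    elif p == 3:    f[i] = False; pc[i] = 4                 # f_i = false
    elif p == 4:    pc[i] = 4 if turn != i else 0           # while turn != i {}; then f_i = true
    elif p == CRIT: pc[i] = 6                               # leave the critical section
    elif p == 6:    turn = j;     pc[i] = 7                 # turn = j
    elif p == 7:    f[i] = False; pc[i] = 0                 # f_i = false; request again
    return (tuple(f), turn, tuple(pc))

def naive_step(state, i):
    """Constructed broken entry protocol: wait until the other flag is down, then raise ours."""
    f, turn, pc = list(state[0]), state[1], list(state[2])
    j, p = 1 - i, pc[i]
    if p == 0:      pc[i] = 0 if f[j] else 1                # while f_j {}
    elif p == 1:    f[i] = True;  pc[i] = CRIT              # f_i = true; enter
    elif p == CRIT: pc[i] = 6                               # leave
    elif p == 6:    f[i] = False; pc[i] = 0                 # f_i = false; request again
    return (tuple(f), turn, tuple(pc))

def check_mutex(step):
    """Explicit-state reachability as SPIN does it: BFS over every interleaving.  Returns
    (reachable states, shortest trace to both processes in the critical section, or None)."""
    init = ((False, False), 0, (0, 0))
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if s[2] == (CRIT, CRIT):                            # safety violation: rebuild the path
            trace = []
            while s is not None:
                trace.append(s); s = parent[s]
            return len(parent), trace[::-1]
        for i in (0, 1):                                    # any process may take the next step
            n = step(s, i)
            if n not in parent:
                parent[n] = s; queue.append(n)
    return len(parent), None

if __name__ == "__main__":
    for name, fn in (("dekker", dekker_step), ("naive", naive_step)):
        states, trace = check_mutex(fn)
        print(name, states, "states:", "safe" if trace is None else f"violation after {len(trace) - 1} steps")
```

The trace returned for the broken protocol is the counterexample a model checker reports: a concrete interleaving, not a test input someone had to think of.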
8 Model Checking
9 Model Checkers
- SPIN: explicit state, input PROMELA (Gerard Holzmann, http://spinroot.com)
- SMV: symbolic, input SMV (Ken McMillan, http://embedded.eecs.berkeley.edu/Alumni/kenmcmil/smv/)
- SATABS: SAT-based predicate abstraction, input C code (Daniel Kroening, http://www.inf.ethz.ch/personal/daniekro/satabs/)
10 Questions?
11 Fiction
- Model Checking can prove that your program is correct!
12 Levels of Checking
(figure: development phases and the checking tools shown next to them)
- Requirements
- Analysis: Charmy, Hugo/RT
- Design: Hugo/RT
- Coding: SLAM, BLAST, SATABS
- Testing
13 Examples

    bit f0, f1;
    byte mutex;      /* procs in crit. sect. */
    byte turn;       /* whose turn is it? */

    #define A_TURN 0
    #define B_TURN 1

    active proctype A()
    {
        turn = B_TURN;
        f0 = 1;
        (f1 == 0 || turn == A_TURN);   /* blocks until the condition holds */
        mutex++;                       /* enter crit. */
        mutex--;                       /* leave crit. */
        f0 = 0;
    }

    f0 = false
    f1 = false
    turn = 0 // or 1

    p0: f0 = true
        while f1 {
            if turn ≠ 0 {
                f0 = false
                while turn ≠ 0 {}
                f0 = true
            }
        }
        // critical section
        turn = 1
        f0 = false
14 WWW
- Why do we want to verify our system?
- What do we want to verify?
- When should we verify it?
15 Building Models
16 Conclusion
- Model Checking is a tool that can help improve SW quality
- Like every other tool it has its own domain of applications
- You need good judgement to know when it is useful
- Know what model checking results mean!