Introduction to Model Checking

Introduction to Model Checking Ken McMillanCadence Berkeley Labsmcmillan@cadence.com

Outline • Model checking • Temporal logic • Model checking algorithms • Expressiveness and complexity • Symbolic model checking • The “state explosion” problem • Binary Decision Diagrams • Computing fixed points with BDD’s • Application

Propositional Linear Temporal Logic • Express properties of “Reactive Systems” • interactive, nonterminating • For PLTL, a model is an infinite state sequence • Temporal operators • “Globally”: G p at t iff p for allt’³ t. p p p p p p p p p p p... G p...

Temporal operators... • “Future”: F p at t iff p for somet’³ t. p p p p p p F p... • “Until”: p U q at t iff • q for somet’³ t and • p in the range [ t, t’ ) p p p p p p p p p q p U q... • “Next-time”: X p at t iff p at t+1

Examples • Liveness: “if input, then eventually output” G (input ÞF output) • Strong fairness: “infinitely send implies infinitely recv.” GF send Þ GF recv • Weak until: “no output before input” Øoutput W input atomic props infinitely often p W q º p U q Ú G p

Safety v. Liveness • Safety • Refutable by finite run • Liveness • Refutable only by infinite run • Every finite run extensible to satisfying run

PLTL semantics • Given an infinite sequence • if f is true in state si of s. • if f is true in state s0 of s. • if f is valid. • A formula is an atomic proposition, or... true, p Ú q, Øp, p U q, X p

PLTL semantics... • Definition of satisfaction iff iff iff iff iff Derived operators...

Model Checking (Clarke/Emerson, Queille/Sifakis) G(p -> F q) yes temporal formula MC algorithm no p p q q counterexample finite-state model Model must now represent all behaviors

Kripke models • A Kripke model (S,R,L) consists of • set of states S • set of transitions RÍ S ´ S • labeling L Í S ´ AP • Kripke models from programs repeat p := true; p := false; end Øp p

T1,N2 turn=1 N1,T2 turn=2 C1,N2 turn=1 N1,C2 turn=2 T1,T2 turn=1 T1,T2 turn=2 C1,T2 turn=1 T1,C2 turn=2 Mutual exclusion example N1,N2 turn=0 N = noncritical, T = trying, C = critical

PLTL on Kripke models • A path in model M = (S,R,L) is a sequence such that (si,si+1) ÎR. p s0 s1 p s2 s3... F p p

Branching time • Model of time is a tree, not a sequence • Path quantifiers p p AF p p

Computation Tree Logic • Every operator F, G, X, U preceded by A or E • Universal modalities... AG p AF p p p p p p p p p p p . . . . . . . . . . . . . . . . . . . . . . . .

CTL, cont... • Existential modalities EG p EF p p p p p . . . . . . . . . . . . . . . . . . . . . . . .

CTL, cont • Other modalities AX p, EX p, A(p U q), E(p U q) • Some dualities... • Examples: mutual exclusion specs... AGØ (C1ÙC2) mutual exclusion AG (T1ÞAF C1) liveness AG (N1ÞEXT1) non-blocking

CTL model checking • Model checking problem: • Determine for given M, s0 and f, whether • Simple algorithm: • Inductive over structure of formula • Backward propagation of formula labels • O(f V(V + E))

Example AG (T1ÞAF C1) N1,N2 turn=0 T1,N2 turn=1 N1,T2 turn=2 C1,N2 turn=1 T1,T2 turn=1 T1,T2 turn=2 N1,C2 turn=2 C1,T2 turn=1 T1,C2 turn=2

CES algorithm • Need only modalities EX, EU, EG. • e.g., • Checking E(p U q) by backward BFS • Checking EG p p BFS q p SCC EG p SCC SCC Complexity = O(f (V + E))

CTL* • Contains both CTL and LTL • path formulas p U q, G p, Fp, Xp, Øp, p Ù q • state formulas A p, E p • p in LTL ®A p in CTL* • Framework for comparing expressiveness • Existential properties not expressible in PLTL e.g., AG EF p • Fairness assumptions not expressible in CTL e.g., A (GF p®GF q)

Model checking complexities CTL * = PLTL O(2f(V+E)) CTL O(f (V+E)) PSPACE COMPLETE Note: all are linear in model size

Comparing CTL and LTL • Think of CTL formulas as approximations to LTL • AG EF p is weaker than G F p Good for finding bugs... p • AF AG p is stronger than F G p Good for verifying... p p • CTL formulas easier to verify So, use CTL when it applies... 8

Symbolic model checking • State explosion problem • State graph exponential in program size • Symbolic model checking approach • Boolean formulas represent sets and relations • Use fixed point characterizations of CTL operators • Model checking without building state graph Sometimes can handle much larger sate space

0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1 Binary Decision Diagrams (Bryant) • Ordered decision tree for f = ab + cd a 0 1 b b 1 0 1 0 c c c c 1 0 1 0 1 0 1 0 d d d d d d d d

OBDD reduction • Reduced (OBDD) form: a 1 0 b 0 1 c 1 1 0 d 0 0 1 Key idea: combine equivalent sub-cases

OBDD properties • Canonical form (for fixed order) • direct comparison • Efficient apply algorithm • build BDD’s for large circuits f fg g O(|f| |g|) • Variable order strongly affects size

Boolean quantification • If v is a boolean variable, then $v.f = f |v =0 V f |v =1 • Multivariate quantification $(w1,w2,…,wn). f • Complexity on BDD representation • worst case exponential • heuristically efficient Example: $(b,c). (ab Ú cd) = a Ú d

Characterizing sets • Let M = (S,R,L) be a Kripke model • Let S be the set of boolean vectors (v1,v2,…,vn) Î {0,1}n • Represent any PÍS by its characteristic function cP P = {(v1,v2,…,vn) : cP} • Set operations • cÆ= false cS = true • cP È Q= P V Q cP Ç Q = P Ù Q • cS\ P= ØP

Characterizing relations • Transition relation R is a set of state pairs… R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : Î cR} • Examples • A synchronous sequential circuit v0 v1 cR = (v’0 = Øv0) Ù (v’1 = v0Åv1)

Transition relations, cont... • An asynchronous circuit s q q r • Interleaving model • Simultaneous model

Forward and reverse image • Forward image Image(P,R) P R

Images, cont... • Reverse image Image-1(P,R) P R = EX P

Symbolic CTL model checking • Equate a formula f with the set of states satisfying it… • Compute BDD’s for characteristic functions… • Ø p, p Ú q, p Ù q (use BDD ops) • EX p = Image-1(p,R) • AX p = Ø EX Ø p • Remaining operators have fixed-point characterization... In fact, this is the least fixed point...

Fixed points of monotonic functions • Let t be a function S®S • Say t is monotonic when • Fixed point of t is y such that • If t monotonic, then it has • least fixed point my. t(y) • greatest fixed point ny. t(y)

Iteratively computing fixed points • Suppose S is finite • The least fixed point my. t(y) is the limit of • The greatest fixed point ny. t(y) is the limit of Note, since S is finite, convergence is finite

Example: EF p • EF p is characterized by • Thus, it is the limit of the increasing series... pÚ EX(pÚEX p) pÚEX p . . . p ...which we can compute entirely using BDD operations

Example: EG p • EG p is characterized by • Thus, it is the limit of the decreasing series... p Ù EX(pÙEX p) ... pÙEX p p ...which we can compute entirely using BDD operations

Remaining operators • Allows CTL model checking with only BDD ops • Avoid building state graph • (Sometimes) avoid state explosion problem Now you can go home and build your own symbolic model checker...

Example: “Gigamax” cache protocol • Bus snooping maintains local consistency • Message passing protocol for global consistency global bus . . . UIC UIC UIC cluster bus . . . . . . . . . M P P M P P

Protocol example • Cluster B read --> cluster A • Cluster A response --> B and main memory • Clusters A and B end shared global bus . . . UIC A B C UIC UIC cluster bus . . . . . . . . . M P P M P P read miss owned copy

Protocol correctness issues • Protocol issues • deadlock • unexpected messages • liveness • Coherence • each address is sequentially consistent • store ordering (system dependent) • Abstraction is relative to properties specified

One-address abstraction • Cache replacement is nondeterministic • Message queue latency is arbitrary IN OUT A ? ? ? ? output of A may or may not occur at any given time

Specifications • Absence of deadlock SPEC AG (EF p.readable & EF p.writable); • Coherence SPEC AG((p.readable & bit -> ~EF(p.readable & ~bit)); Abstraction: { 0 if data < n 1 otherwise bit =

Counterexample: deadlock in 13 steps • Cluster A read --> global (waits, takes lock) • Cluster C read --> cluster B • Cluster B response --> C and main memory • Cluster C read --> cluster A (takes lock) global bus . . . UIC A B C UIC UIC cluster bus . . . . . . . . . M P P M P P owned copy from cluster A

State space explosion • State space growth is exponential

BDD performance • BDD size growth is linear

BDD performance • Run time growth is quadratic

Why does it work? . . . . . . . . . OBDD Many partial states equivalent... ...implies many subfunctions equivalent...

When doesn’t it work? • Protocols that pass pointers • Linked lists • Anytime one part of the system “knows” a large amount of information about another part

Summary • Model checking • Automatic verification (or falsification) of finite state systems • Linear v. branching time logics • State explosion problem • Binary Decision Diagrams • Heuristically efficient boolean operations • Image calculations • Fixed point characterization of CTL • Model checking without building state graph • Applications • Find subtle errors in complex protocols

Introduction to Model Checking