Loading in 5 sec....

Model Checking and Related TechniquesPowerPoint Presentation

Model Checking and Related Techniques

- 209 Views
- Uploaded on
- Presentation posted in: General

Model Checking and Related Techniques

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Model Checking and Related Techniques

Liu Yang

- Model Checking Techniques
- Introduction to MC
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Tackle the State Space Explosion
- Partial Order Reduction
- Compositional Reasoning
- Abstraction
- Symmetry

- PAT: Process Analysis Toolkit
- Performance Comparison
- Conclusion

- Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or not.
- Advantages over traditional system validation approaches based on simulation, testing and deductive reasoning
- An automatic technique for verifying finite state concurrent systems
- Process: modeling, specification and verification
- Main challenge: state space explosion problem

System design

or code

Requirements

manual

abstract

Finite state model

M

Set of logical

properties

for each property φ

automatic

Model checker

M |= φ ?

Yes

No

√ ?

(Unwind State Graph

to obtain Infinite Tree)

- Formally, a Kripke structure is a triple M <S,R,L>, where

- Temporal logics may differ according to how they handle branching in the underlying computation tree.
- In a linear temporal logic (LTL), operators are provided for describing events along a single computation path.
- In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state.

- Formulas are constructed from path quantifiers and temporal operators:
- Path quantifier:
- A: for every path
- E: there exists a path

- Linear Temporal Operator:
- Xp: p holds next time
- Fp: p holds sometime in the future ()
- Gp: p holds globally in the future ()
- pUq: p holds until q holds

- Path quantifier:
- In LTL, only linear temporal operators are allowed.
- In CTL, each temporal operator must be immediately preceded by a path quantifier.
- In CLT*, a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators.

- The four most widely used CTL operators are illustrated.
- Each computation tree has initial state s0 as its root.

- Key properties of EFp:

- Let M be the state-transition graph obtained from the concurrent system.
- Let f be the specification expressed in temporal logic.
M, s |= f

- and check if initial states are among these.

- Method used by most “industrial strength” model checkers:
- uses Boolean encoding for state machine and sets of states.
- can handle much larger designs – hundreds of state variables.
- BDDs traditionally used to represent Boolean functions.

- Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987.
- Carl Pixley independently developed a similar algorithm, as did the French researchers, Coudert and Madre.
- BDDs enabled handling much larger concurrent systems. (usually, an order of magnitude increase in hardware latches!)

- Ordered Binary Decision Tree for the two-bit comparator, given by the formula

- If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below:

- The size of an OBDD depends critically on the variable ordering.
- If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below:

- How to represent state-transition graphs with Ordered Binary Decision Diagrams:
- Assume that system behavior is determined by n Boolean state variables v1, v2, … , vn.
- The Transition relation T will be given as a boolean formula in terms of the state variables:
- where v1,…, vn represents the current state and v’1,…, v’nrepresents the next state.
- Now convert T to a OBDD!!

- Representing transition relations symbolically:
- Boolean formula for transition relation:
- Now, represent as an OBDD!

- How to evaluate fixpoint formulas using OBDDs:
- Introduce state variables:
- Now, compute the sequence
- until convergence.

- BDDs are a canonical representation. Often become too large.
- Selecting right variable ordering very important for obtaining small BDDs.
- Often time consuming or needs manual intervention.
- Sometimes, no space efficient variable ordering exists.

- Next, we describe an alternative approach to symbolic model checking that uses SAT procedures.

- SAT procedures also operate on Boolean expressions but do not use canonical forms.
- Do not suffer from the potential space explosion of BDDs.
- Can handle functions with s to s of variables.
- Very efficient implementations available.

- Bounded model checking uses a SAT procedure instead of BDDs.
- We construct Boolean formula that is satisfiableiff there is a specific finite path of length k in underlying machine.
- We look for longer and longer paths by incrementing the bound k.
- After some number of iterations, we may conclude no such path exists and specification holds.
- For example, to verify safety properties, number of iterations is bounded by diameter of finite state machine.

- Bounded model checking works quickly. This is due to depth first nature of SAT search procedures.
- It finds finite paths of minimal length. This helps user understand the example more easily.
- It uses much less space than BDD based approaches.
- Does not need manually selected variable order or costly reordering. Default splitting heuristics usually sufficient.

- Finite-state Systems described in a specialized language
- Specifications expressible in CTL, LTL
- Provides both BDD and SAT based model checking.
- Allow user specified variable ordering
- Uses a number of heuristics for achieving efficiency and control state explosion

- Given a model M and an LTL formula
- All traces of M must satisfy
- If a trace of M does not satisfy
- Counterexample

- M is the set of traces of M
- is the set of traces that satisfy

- M
- Equivalently M ¬=

- Automaton which accepts infinite traces
- A Büchi automaton is 4-tupleS, I,, F
- S is a finite set of states
- I S is a set of initial states
- S S is a transition relation
- F S is a set of accepting states

- An infinite sequence of states is accepted iff it contains accepting states infinitely often

S0

S1

S2

1=S0S1S2S2S2S2…

ACCEPTED

2=S0S1S2S1S2S1…

ACCEPTED

3=S0S1S2S1S1S1…

REJECTED

- LTL formula
- Represents a set of infinite traces which satisfy such formula

- Büchi Automaton
- Accepts a set of infinite traces

- We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

- Given a model M and an LTL formula
- Build the Buchi automaton B¬
- Compute product of M and B¬
- Each state of M is labeled with propositions
- Each state of B¬ is labeled with propositions
- Match states with the same labels

- The product accepts the traces of M that are also traces of B¬ (M ¬)
- If the product accepts any sequence
- We have found a counterexample

- The product is a Büchi automaton
- How do we find accepted sequences?
- Accepted sequences must contain a cycle
- In order to contain accepting states infinitely often

- We are interested only in cycles that contain at least an accepting state
- During depth first search start a second search when we are in an accepting states
- If we can reach the same state again we have a cycle (and a counterexample)

- Accepted sequences must contain a cycle

procedureDFS(s)

visited = visited {s}

for each successor s’ of s

ifs’ visitedthen

DFS(s’)

ifs’ is accepting then

DFS2(s’, s’)

end if

end if

end for

end procedure

procedure DFS2(s, seed)

visited2 = visited2 {s}

for each successor s’ of s

ifs’ = seed then

return “Cycle Detect”;

end if

if s’ visited2then

DFS2(s’, seed)

end if

end for

end procedure

- Avoid to construct the entire state space of the modeled system, can be done On-the-Fly
- Some states are not generated in the product
- Counterexample can be found before searching all states
- Easy to optimize
- Better support for asynchronous composition.

- Explicit State Model Checker
- Process Algebra
- Asynchronous composition of independent processes
- Communication using channels and global variables
- Non-deterministic choices and interleavings

- Nested Depth First Search
- Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
- Partial Order Reduction

bool turn, flag[2];

byte ncrit;

active proctype user0()

{

again:

flag[0] = 1;

reach:turn = 0;

cs:(flag[1 - 0] == 0 || turn == 1 - 0);

ncrit++;

ss:assert(ncrit == 1);/* critical section */

ncrit--;

flag[0] = 0;

goto again

}

active proctype user1()

{

again:

flag[1] = 1;

reach:turn = 1;

cs:(flag[1 - 1] == 0 || turn == 1 - 1);

ncrit++;

assert(ncrit == 1);/* critical section */

ncrit--;

flag[1] = 0;

goto again

}

- Model Checking Techniques
- Introduction to MC
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Tackle the State Space Explosion
- Partial Order Reduction
- Compositional Reasoning
- Abstraction
- Symmetry

- PAT: Process Analysis Toolkit
- Performance Comparison
- Conclusion

- The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
- To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.
- The ordering between independent transitions is largely meaningless!!

- Allowing all possible orderings is a potential cause of the state explosion problem.
- To see this, consider n transitions that can be executed concurrently.
- In this case, there are n different orderings and 2n different states (one for each subset of the transitions).
- If the specification does not distinguish between these sequences, it is beneficial to consider only one with n + 1 states.

- The partial order reduction is aimed at reducing the size of the state space that needs to be searched.
- It exploits the commutativity of concurrently executed transitions, which result in the same state.
- Thus, this reduction technique is best suited for asynchronous systems.
- (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)

- The method consists of constructing a reduced state graph.
- The full state graph, which may be too big to fit in memory, is never constructed.
- The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
- The justification of the reduction method shows that the behaviors that are not present do not add any information.

- The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution.
- However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors.

- Big systems are composed by sub-processes running in parallel. The specifications for such systems can be decomposed into properties hold in the sub processes.
- Communication protocol: a sender, a network and a receiver.

- Assume-Guarantee Paradigm
- Verify each sub-process separately by adding assumptions on sub-process.
- Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )

- Eliminate details irrelevant to the property
- Obtain simple finite models sufficient to verify the property
- E.g., Infinite state ! Finite state approximation

- Disadvantage
- Loss of Precision: False positives/negatives

- Approaches:
- Cone of influence reduction
- Data abstraction

- If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Boolean v1, v2, v3, v4, v5, v6;

Repeat forever in parallel:

v1 = v2;

v2 = v1 & v3;

v3 = v1 & v2;

v4 = v5 & v3;

v5 = v4 & v6;

End.

(F(~ v1)): v1 will eventually become False.

Boolean v1, v2, v3;

Repeat forever in parallel:

v1 = v2;

v2 = v1 & v3;

End.

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

h

h

h

h

h

S

S’

Abstraction Function h : S ! S’

Even

Odd

Neg

Zero

Pos

- Abstraction proceeds component-wise, where variables are components

…, -2, 0, 2, 4, …

x:int

…, -3, -1, 1, 3, …

…, -3, -2, -1

y:int

0

1, 2, 3, …

- Symmetry partitions state-space into equivalence classes
- Knowledge of symmetry search only 1 state per equivalence class
- Need techniques for:
- Symmetry detection
- Efficient exploitation of symmetry

- Ideally both should be fully automatic
- Challenges: detecting & exploiting symmetries

byte tok = 1;

active [2] proctype user() {

byte state = N;

do

:: (state == N) -> state = T

:: (state == T) && (tok == _pid) -> state = C

:: (state == C) -> state = N;

if

:: tok = 1

:: tok = 2

fi

od

}

Reduced state-graph

State-graph

N1 N2

tok=1

N1 N2

tok=2

N1 N2

tok=1

T1 N2

tok=1

N1 T2

tok=1

T1 N2

tok=1

N1 T2

tok=1

T1 N2

tok=2

N1 T2

tok=2

C1 N2

tok=1

T1 T2

tok=1

C1 N2

tok=1

T1 T2

tok=1

T1 T2

tok=2

N1 C2

tok=2

C1 T2

tok=1

C1 T2

tok=1

T1 C2

tok=2

- Model Checking Techniques
- Introduction to MC
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Tackle the State Space Explosion
- Partial Order Reduction
- Compositional Reasoning
- Abstraction
- Symmetry

- PAT: Process Analysis Toolkit
- Performance Comparison
- Conclusion

- A interactive system to support: composing, simulating and reasoning of extended Process Algebra.
- Modeling:
- Extended CSP (Communicating Sequential Processes)
- LTL

- Model Checkers:
- Explicit Model Checker
- Bounded Model Checker

- Features
- Handle Fairness with Partial Order Reduction
- Bounded Model Checking Process Algebra

- Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
- deadlock-freeness. FALSE.
- non-starvation. FALSE.

- Let e be an event/action.
- A weak fair event is written as wf(e)
- A strong fair event is written as sf(e)

- Model Checking Techniques
- Introduction to MC
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Tackle the State Space Explosion
- Partial Order Reduction
- Compositional Reasoning
- Abstraction
- Symmetry

- PAT: Process Analysis Toolkit
- Performance Comparison
- Conclusion

- SPIN faster, if it can handle example
- NuSMV-ImProviso can handle more examples
- NuSMV-ImProviso matches SPIN on Best, Worst

- Models of same size in SMV and Promela
- Same reduction
- SPIN faster until…

- Generally Spin is faster thaNuSMV, and can scale up to larger states. The partial order reduction in Spin is very helpful.
- Generally, explicit model checking and BMC complements BDD-based model checking. BMC can also outperform BDD for some systems

- Model Checking Techniques
- Introduction to MC
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Tackle the State Space Explosion
- Partial Order Reduction
- Equivalences and Pre-orders between Structures
- Compositional Reasoning
- Abstraction
- Symmetry

- PAT: Process Analysis Toolkit
- Performance Comparison
- Conclusion

- Three ways to do model checking
- Symbolic Model Checking
- Bounded Model Checking
- Explicit Model Checking

- Various optimization techniques
- Partial Order Reduction
- Compositional Reasoning
- Abstraction
- Symmetry

- Summary of Papers studied:
- Model Checking of Consensus Algorithms [T Tsuchiya and A Schiper, SRDS 07]
- MC of Distributed Dependable Protocols Semantic Property Preserving Abstractions [P Boker, M Serafini, A Pataricza and N Suri, 07]
- Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski, DSN 07]
- Model Checking Transactional Memories

- Most suitable MC technique
- Explicit Model Checking
- Benefits:
- Better support for asynchronous communication
- Better control of optimization techniques
- Tools with better performance: SPIN or PAT (better support for the fairness with POR)

- Possible optimization techniques
- Abstraction
- Compositional Reasoning
- Symmetry