Model Checking and Related Techniques

1 / 67

# Model Checking and Related Techniques - PowerPoint PPT Presentation

Model Checking and Related Techniques. Liu Yang. Outline. Model Checking Techniques Introduction to MC Symbolic Model Checking Bounded Model Checking Explicit Model Checking Tackle the State Space Explosion Partial Order Reduction Compositional Reasoning Abstraction Symmetry

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Model Checking and Related Techniques' - eagan-mcknight

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Model Checking and Related Techniques

Liu Yang

Outline
• Model Checking Techniques
• Introduction to MC
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Tackle the State Space Explosion
• Partial Order Reduction
• Compositional Reasoning
• Abstraction
• Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion
Model Checking Introduction
• Model Checking is to exhaustively explore all reachable states of a finite state machine so as to tell whether a desired property is guaranteed or not.
• Advantages over traditional system validation approaches based on simulation, testing and deductive reasoning
• An automatic technique for verifying finite state concurrent systems
• Process: modeling, specification and verification
• Main challenge: state space explosion problem
Model Checking

System design

or code

Requirements

manual

abstract

Finite state model

M

Set of logical

properties

for each property φ

automatic

Model checker

M |= φ ?

Yes

No

√ ?

Model of Concurrent Systems

(Unwind State Graph

to obtain Infinite Tree)

Model of Concurrent Systems (Cont.)
• Formally, a Kripke structure is a triple M 􀀀 <S,R,L>, where
Temporal logics
• Temporal logics may differ according to how they handle branching in the underlying computation tree.
• In a linear temporal logic (LTL), operators are provided for describing events along a single computation path.
• In a Computation Tree Logics (CTL) the temporal operators quantify over the paths that are possible from a given state.
Temporal logics
• Formulas are constructed from path quantifiers and temporal operators:
• Path quantifier:
• A: for every path
• E: there exists a path
• Linear Temporal Operator:
• Xp: p holds next time
• Fp: p holds sometime in the future ()
• Gp: p holds globally in the future ()
• pUq: p holds until q holds
• In LTL, only linear temporal operators are allowed.
• In CTL, each temporal operator must be immediately preceded by a path quantifier.
• In CLT*, a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators.
CTL Examples
• The four most widely used CTL operators are illustrated.
• Each computation tree has initial state s0 as its root.
Fixpoint Algorithms
• Key properties of EFp:
Model Checking Problem
• Let M be the state-transition graph obtained from the concurrent system.
• Let f be the specification expressed in temporal logic.

M, s |= f

• and check if initial states are among these.
Symbolic Model Checking
• Method used by most “industrial strength” model checkers:
• uses Boolean encoding for state machine and sets of states.
• can handle much larger designs – hundreds of state variables.
• BDDs traditionally used to represent Boolean functions.
Symbolic Model Checking with BDDs
• Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in 1987.
• Carl Pixley independently developed a similar algorithm, as did the French researchers, Coudert and Madre.
• BDDs enabled handling much larger concurrent systems. (usually, an order of magnitude increase in hardware latches!)
Ordered Binary Decision Trees and Diagrams
• Ordered Binary Decision Tree for the two-bit comparator, given by the formula
OBDD for Comparator Example
• If we use the ordering a1 < b1 < a2 < b2 for the comparator function, we obtain the OBDD below:
Variable Ordering Problem
• The size of an OBDD depends critically on the variable ordering.
• If we use the ordering a1 < a2 < b1 < b2 for the comparator function, we get the OBDD below:
Symbolic Model Checking Algorithm
• How to represent state-transition graphs with Ordered Binary Decision Diagrams:
• Assume that system behavior is determined by n Boolean state variables v1, v2, … , vn.
• The Transition relation T will be given as a boolean formula in terms of the state variables:
• where v1,…, vn represents the current state and v’1,…, v’nrepresents the next state.
• Now convert T to a OBDD!!
Symbolic Model Checking (cont.)
• Representing transition relations symbolically:
• Boolean formula for transition relation:
• Now, represent as an OBDD!
Symbolic Model Checking (cont.)
• How to evaluate fixpoint formulas using OBDDs:
• Introduce state variables:
• Now, compute the sequence
• until convergence.
Problems with BDDs
• BDDs are a canonical representation. Often become too large.
• Selecting right variable ordering very important for obtaining small BDDs.
• Often time consuming or needs manual intervention.
• Sometimes, no space efficient variable ordering exists.
• Next, we describe an alternative approach to symbolic model checking that uses SAT procedures.
• SAT procedures also operate on Boolean expressions but do not use canonical forms.
• Do not suffer from the potential space explosion of BDDs.
• Can handle functions with s to s of variables.
• Very efficient implementations available.
Bounded Model Checking
• Bounded model checking uses a SAT procedure instead of BDDs.
• We construct Boolean formula that is satisfiableiff there is a specific finite path of length k in underlying machine.
• We look for longer and longer paths by incrementing the bound k.
• After some number of iterations, we may conclude no such path exists and specification holds.
• For example, to verify safety properties, number of iterations is bounded by diameter of finite state machine.
• Bounded model checking works quickly. This is due to depth first nature of SAT search procedures.
• It finds finite paths of minimal length. This helps user understand the example more easily.
• It uses much less space than BDD based approaches.
• Does not need manually selected variable order or costly reordering. Default splitting heuristics usually sufficient.
NuSMV: A New Symbolic Model Verifier
• Finite-state Systems described in a specialized language
• Specifications expressible in CTL, LTL
• Provides both BDD and SAT based model checking.
• Allow user specified variable ordering
• Uses a number of heuristics for achieving efficiency and control state explosion
Explicit Model Checking
• Given a model M and an LTL formula 
• All traces of M must satisfy 
• If a trace of M does not satisfy 
• Counterexample
• M is the set of traces of M
•  is the set of traces that satisfy 
• M 
• Equivalently M ¬=
Büchi Automata
• Automaton which accepts infinite traces
• A Büchi automaton is 4-tupleS, I,, F
• S is a finite set of states
• I S is a set of initial states
•   S S is a transition relation
• F S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often
Example

S0

S1

S2

1=S0S1S2S2S2S2…

ACCEPTED

2=S0S1S2S1S2S1…

ACCEPTED

3=S0S1S2S1S1S1…

REJECTED

LTL and Büchi Automata
• LTL formula
• Represents a set of infinite traces which satisfy such formula
• Büchi Automaton
• Accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula
LTL Model Checking
• Given a model M and an LTL formula 
• Build the Buchi automaton B¬
• Compute product of M and B¬
• Each state of M is labeled with propositions
• Each state of B¬ is labeled with propositions
• Match states with the same labels
• The product accepts the traces of M that are also traces of B¬ (M ¬)
• If the product accepts any sequence
• We have found a counterexample
Nested Depth First Search
• The product is a Büchi automaton
• How do we find accepted sequences?
• Accepted sequences must contain a cycle
• In order to contain accepting states infinitely often
• We are interested only in cycles that contain at least an accepting state
• During depth first search start a second search when we are in an accepting states
• If we can reach the same state again we have a cycle (and a counterexample)
Nested Depth First Search

procedureDFS(s)

visited = visited {s}

for each successor s’ of s

ifs’  visitedthen

DFS(s’)

ifs’ is accepting then

DFS2(s’, s’)

end if

end if

end for

end procedure

Nested Depth First Search

procedure DFS2(s, seed)

visited2 = visited2 {s}

for each successor s’ of s

ifs’ = seed then

return “Cycle Detect”;

end if

if s’  visited2then

DFS2(s’, seed)

end if

end for

end procedure

Explicit Model Checking
• Avoid to construct the entire state space of the modeled system, can be done On-the-Fly
• Some states are not generated in the product
• Counterexample can be found before searching all states
• Easy to optimize
• Better support for asynchronous composition.
SPIN
• Explicit State Model Checker
• Process Algebra
• Asynchronous composition of independent processes
• Communication using channels and global variables
• Non-deterministic choices and interleavings
• Nested Depth First Search
• Uses a hashing function to store each state using only 2 bits (no guarantee of soundness)
• Partial Order Reduction
SPIN Example of Peterson’s Algorithm

bool turn, flag[2];

byte ncrit;

active proctype user0()

{

again:

flag[0] = 1;

reach: turn = 0;

cs: (flag[1 - 0] == 0 || turn == 1 - 0);

ncrit++;

ss: assert(ncrit == 1); /* critical section */

ncrit--;

flag[0] = 0;

goto again

}

active proctype user1()

{

again:

flag[1] = 1;

reach: turn = 1;

cs: (flag[1 - 1] == 0 || turn == 1 - 1);

ncrit++;

assert(ncrit == 1); /* critical section */

ncrit--;

flag[1] = 0;

goto again

}

Outline
• Model Checking Techniques
• Introduction to MC
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Tackle the State Space Explosion
• Partial Order Reduction
• Compositional Reasoning
• Abstraction
• Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion
Partial Order Reduction
• The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
• To avoid discriminating against any particular ordering, the events are interleaved in all possible ways.
• The ordering between independent transitions is largely meaningless!!
The State Explosion Problem
• Allowing all possible orderings is a potential cause of the state explosion problem.
• To see this, consider n transitions that can be executed concurrently.
• In this case, there are n different orderings and 2n different states (one for each subset of the transitions).
• If the specification does not distinguish between these sequences, it is beneficial to consider only one with n + 1 states.
Partial Order Reduction
• The partial order reduction is aimed at reducing the size of the state space that needs to be searched.
• It exploits the commutativity of concurrently executed transitions, which result in the same state.
• Thus, this reduction technique is best suited for asynchronous systems.
• (In synchronous systems, concurrent transitions are executed simultaneously rather than being interleaved.)
Partial Order Reduction (Cont.)
• The method consists of constructing a reduced state graph.
• The full state graph, which may be too big to fit in memory, is never constructed.
• The behaviors of the reduced graph are a subset of the behaviors of the full state graph.
• The justification of the reduction method shows that the behaviors that are not present do not add any information.
Partial Order Reduction (Cont.)
• The name partial order reduction comes from early versions of the algorithms that were based on the partial order model of program execution.
• However, the method can be described better as model checking using representatives, since the verification is performed using representatives from the equivalence classes of behaviors.
Compositional Reasoning
• Big systems are composed by sub-processes running in parallel. The specifications for such systems can be decomposed into properties hold in the sub processes.
• Communication protocol: a sender, a network and a receiver.
• Verify each sub-process separately by adding assumptions on sub-process.
• Combine the assumed and guaranteed properties to shown the correctness of (|| sub-processes )
Abstraction
• Eliminate details irrelevant to the property
• Obtain simple finite models sufficient to verify the property
• E.g., Infinite state ! Finite state approximation
• Loss of Precision: False positives/negatives
• Approaches:
• Cone of influence reduction
• Data abstraction
Cone of Influence Reduction
• If f is an LTL formula that refers only to the variables in V, and C is the cone of influence of V, then <f, M> is satisfied if and only if <f, N> is satisfied, where N is the reduced model with respect to C.

Boolean v1, v2, v3, v4, v5, v6;

Repeat forever in parallel:

v1 = v2;

v2 = v1 & v3;

v3 = v1 & v2;

v4 = v5 & v3;

v5 = v4 & v6;

End.

(F(~ v1)): v1 will eventually become False.

Boolean v1, v2, v3;

Repeat forever in parallel:

v1 = v2;

v2 = v1 & v3;

End.

Cone of Influence Reduction

A Simple System Model

A Simple LTL property

Cone of Influence Reduction

h

h

h

h

h

Data Abstraction

S

S’

Abstraction Function h : S ! S’

Even

Odd

Neg

Zero

Pos

Data Abstraction Example
• Abstraction proceeds component-wise, where variables are components

…, -2, 0, 2, 4, …

x:int

…, -3, -1, 1, 3, …

…, -3, -2, -1

y:int

0

1, 2, 3, …

Symmetry
• Symmetry partitions state-space into equivalence classes
• Knowledge of symmetry  search only 1 state per equivalence class
• Need techniques for:
• Symmetry detection
• Efficient exploitation of symmetry
• Ideally both should be fully automatic
• Challenges: detecting & exploiting symmetries
Model Written in SPIN

byte tok = 1;

active [2] proctype user() {

byte state = N;

do

:: (state == N) -> state = T

:: (state == T) && (tok == _pid) -> state = C

:: (state == C) -> state = N;

if

:: tok = 1

:: tok = 2

fi

od

}

Symmetry Reduction: Example

Reduced state-graph

State-graph

N1 N2

tok=1

N1 N2

tok=2

N1 N2

tok=1

T1 N2

tok=1

N1 T2

tok=1

T1 N2

tok=1

N1 T2

tok=1

T1 N2

tok=2

N1 T2

tok=2

C1 N2

tok=1

T1 T2

tok=1

C1 N2

tok=1

T1 T2

tok=1

T1 T2

tok=2

N1 C2

tok=2

C1 T2

tok=1

C1 T2

tok=1

T1 C2

tok=2

Outline
• Model Checking Techniques
• Introduction to MC
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Tackle the State Space Explosion
• Partial Order Reduction
• Compositional Reasoning
• Abstraction
• Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion
PAT: Process Analysis Toolkit
• A interactive system to support: composing, simulating and reasoning of extended Process Algebra.
• Modeling:
• Extended CSP (Communicating Sequential Processes)
• LTL
• Model Checkers:
• Explicit Model Checker
• Bounded Model Checker
• Features
• Handle Fairness with Partial Order Reduction
• Bounded Model Checking Process Algebra
Fairness Assumptions
• Fairness properties state that if something is possible sufficiently often, then it must eventually happen.
• non-starvation. FALSE.
Specifying Fairness
• Let e be an event/action.
• A weak fair event is written as wf(e)
• A strong fair event is written as sf(e)
Outline
• Model Checking Techniques
• Introduction to MC
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Tackle the State Space Explosion
• Partial Order Reduction
• Compositional Reasoning
• Abstraction
• Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion
Comparison: NuSMV-ImProviso, and SPIN
• SPIN faster, if it can handle example
• NuSMV-ImProviso can handle more examples
• NuSMV-ImProviso matches SPIN on Best, Worst
• Models of same size in SMV and Promela
• Same reduction
• SPIN faster until…
Comparison Conclusion
• Generally Spin is faster thaNuSMV, and can scale up to larger states. The partial order reduction in Spin is very helpful.
• Generally, explicit model checking and BMC complements BDD-based model checking. BMC can also outperform BDD for some systems
Outline
• Model Checking Techniques
• Introduction to MC
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Tackle the State Space Explosion
• Partial Order Reduction
• Equivalences and Pre-orders between Structures
• Compositional Reasoning
• Abstraction
• Symmetry
• PAT: Process Analysis Toolkit
• Performance Comparison
• Conclusion
Conclusion
• Three ways to do model checking
• Symbolic Model Checking
• Bounded Model Checking
• Explicit Model Checking
• Various optimization techniques
• Partial Order Reduction
• Compositional Reasoning
• Abstraction
• Symmetry
Model Checking Distributed Algorithms
• Summary of Papers studied:
• Model Checking of Consensus Algorithms [T Tsuchiya and A Schiper, SRDS 07]
• MC of Distributed Dependable Protocols Semantic Property Preserving Abstractions [P Boker, M Serafini, A Pataricza and N Suri, 07]
• Automatic Verification and Discovery of Byzantine Consensus Protocols [P Zielinski, DSN 07]
• Model Checking Transactional Memories
Model Checking Distributed Algorithms
• Most suitable MC technique
• Explicit Model Checking
• Benefits:
• Better support for asynchronous communication
• Better control of optimization techniques
• Tools with better performance: SPIN or PAT (better support for the fairness with POR)
• Possible optimization techniques
• Abstraction
• Compositional Reasoning
• Symmetry