1 / 53

# Model Checking: An introduction & overview - PowerPoint PPT Presentation

Model Checking: An introduction & overview. Gordon J. Pace. October 2005. History of Formal Methods. Automata model of computation: mathematical definition but intractable. Formal semantics: more abstract models but proofs difficult, tedious and error prone.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Model Checking: An introduction & overview' - gavril

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Model Checking:An introduction & overview

Gordon J. Pace

October 2005

• Automata model of computation: mathematical definition but intractable.

• Formal semantics: more abstract models but proofs difficult, tedious and error prone.

• Theorem proving: proofs rigorously checked but suffers from ‘only PhDs need apply’ syndrome.

• Radiation therapy machine overdoses patients,

• Pentium FDIV bug,

• Ariane-V crash.

Industry willing to invest in algorithmic based, push-button verification tools.

• Identify an interesting computation model,

• For which the verification question is decidable,

• And tractable on interesting problems.

• Write a program to answer verification questions.

• Operational Semantics:

• Denotational Semantics of Timed Systems:

v

V’

0

def

[ delay (v’, v) ] =

v’(t+1)=v(t) /\ v’(0)=low

[

]

• Q = States

•  = Transition relation (Q x Q)

• I = Initial states ( Q)

Q, , I 

(v:=1; w:=v) || (v:=¬v)

v,w=0,0

pc=0,0

v,w=1,0

pc=1,0

v,w=1,0

pc=0,1

v,w=1,0

pc=0,0

v,w=0,1

pc=0,1

v,w=0,1

pc=0,0

v,w=1,1

pc=1,0

v,w=1,1

pc=0,0

i

o

m

Q = Bool x Bool x Bool

I = {(i,m,o) | o = i /\ m }

 = {((i,m,o),(i’,m’,o’)) | m’=o, o’=i’ /\ m’ }

• We will be ‘constructing’ TSs from a symbolic (textual/graphical) description of the system. This is a step which explodes exponentially (linear increase in description may imply exponential increase in state-space size).

• Safety properties: ‘Bad things never happen’.

eg The green lights on a street will never be on at the same time as the green lights on an intersecting street.

• Liveness properties: ‘Good things eventually happen’.

eg A system will never request a service infinitely often without eventually getting it.

Are any of the red states

reachable?

etc

Given a transition system M=Q,,I  and a set of ‘bad’ states B, are there any states in B which are reachable in M?

R0 = I

Rn+1 = Rn (Rn)

where: (P) = { s’ | sP: s  s’ }

Reachable set is the fix-point of this sequence. Termination and correctness are easy to prove.

R := I; Rprev := ;

while (R  Rprev) do

Rprev := R;

R := R  (R);

if (B  R  ) then BUG;

CORRECT;

• Explicit representation

• Keeping a list of traversed states.

• State-explosion problem.

• Looking at the recursion stack will give counter-example (if one is found).

• Breath-first search guarantees a shortest counter-example.

• On-the-fly exploration: Explore only the ‘interesting’ part of the tree (wrt property and graph).

Example: Construct graph only at verification time. Finding a bug would lead to only partial unfolding of the description into a transition system.

• Partial order reduction: By identifying commuting actions (ones which do not disable each other), we can ignore parts of the model.

Example: To check for deadlock in (a!; P  b!; Q), we may just fire actions a and b in this order rather than take all interleavings.

• Compositional verification: Build TS bottom up, minimising the automata as one goes along.

Example: To construct (P Q), construct P and minimise to get P’, construct Q and minimise to get Q’, and then calculate (P’ Q’).

• Interface-Based Verification: Use information about future interfaces composands while constructing sub-components.

Example: Constructing the full rhs of (10c;P + 5c;Q + …)  Huge  (5c;Tea) gives a lot of useless branches which the last process never uses.

• Symbolic state representation: Use a symbolic formula to represent the set of states.

R := I; Rprev := ;

while (R  Rprev) do

Rprev := R;

R := R  (R);

if (B  R  ) then BUG;

CORRECT;

Requires: representation of empty set, union, intersection, relation application, and set equality test.

Use boolean formulae

Let v1 to vn be the boolean variables in the state space. A boolean formula f(v1,…,vn) represents the set of all states (assignments of the variables) which satisfy the formula.

Double the variables

To represent the transition relation, give a formula over variables v1,…,vn and v’1,…,v’n relating the values before and after the step.

v1

v3

Initial states:

I  (v2=true) /\ (v3=v1 /\ v2)

v2

1

Transition relation:

T  (v3=v1 /\ v2) /\ (v’3=v’1 /\ v’2) /\ v’2=v3

Empty set:  = false

Intersection: P  Q = P /\ Q

Union: P  Q = P \/ Q

Transition relation application:

(P) = (vars: P /\ T)[vars’/vars]

Testing set equality:

P=Q iff P  Q

• Calculating whether a boolean formula is a tautology is an NP-complete problem. 

• In practice representations like Binary Decision Diagrams (BDDs) and algorithms used in SAT checkers perform quite well on typical problems.

Counter-Example Generation

I=R0

Counter-Example Generation

R1

I

Counter-Example Generation

R2

R1

I

Counter-Example Generation

R2

R1

I

Counter-Example Generation

R2

R1

I

Counter-Example Generation

R2

R1

I

Counter-Example Generation

R2

R1

I

Set of all shortest counter-examples obtained

• Technique to reduce state space to explore, transition relation to use.

• Collapse state space by approximating wrt property being verified.

• Can be used to verify infinite state systems.

• Example: Collapse states together by throwing away variables, or simplifying wrt formula.

etc

• Example: Collapse states together by throwing away variables, or simplifying wrt formula.

etc

• Example: Collapse states together by throwing away variables, or simplifying wrt formula.

etc

• Concrete counter-example generation not always easy.

• May yield ‘false negatives’.

etc

• Backward Analysis

Rn+1 = Rn  -1(Rn)

If R be the fix-point of this sequence, the system is correct iff R  I = .

• Induction (depth 1): If …

• The initial states are good, and

• Any good state can only go to a good state, then

The system is correct.

• Induction (depth n): If …

• Any chain of length n starting from an initial state yields only good states, and

• Any chain of n good states can only be extended to reach a good state, then,

The system is correct.

• Induction

By starting with n=1 and increasing, (plus adding some other constraints) we get a complete TS verification technique.

• Explicit state traversal: No more than 107 generated states. Works well for interleaving, asynchronous systems.

• Symbolic state traversal: Can reach up to 10150 (overall) states. Works well for synchronous systems.

• Sometimes may work with thousands of variables …

• With abstraction, 101500 states and above have been reported!

• Combined with other techniques, microprocessor producers are managing to ‘verify’ large chunks of their processors.

• Application of model-checking techniques on real-life systems still requires expert users.

• Various commercial and academic tools available.

• Symbolic:

• BDD based: SMV, NuSMV, VIS, Lustre tools.

• Sat based: Prover tools, Chaff, Hugo, Bandera toolset.

• Explicit state: CADP, Spin, CRL, Edinburgh Workbench, FDR.

• Various high-level input languages: Verilog, VHDL, LOTOS, CSP, CCS, C, JAVA.

• Safety properties are easy to specify

• Intuition: ‘no bad things happen’.

• If you can express a new output variable ok which is false when something bad happens, then this your property is a safety property (observer based verification).

• Not all properties are safety properties.

inputs

outputs

Program

ok

Observer

Advantage: Program and property can be expressed in the same language.

Safety Properties

• The system may only shutdown if the mayday signal has been on and unattended for 4 consecutive time units.

shutdown

ok

• Bisimulation based verification

• Temporal logic based verification

• Linear time logic (eg LTL)

Globally (Finally bell)

• Branching time logic (eg CTL)

AG (ding EF dong)

Globally (Globally req Finally ack)

• Example: Induction on structure:

From:

Prog(in,out) satisfiesProp(in,out)

Prog(in,m) /\ Prop(m,out) satisfies Prop(in,out)

Conclude:

Any chain of Prog’s satisfies Prop.

• So does this constitute a proof?

• Can I now claim my product to be correct?

• Would a proof that P=NP change verification as we now know it?

• Other techniques (STE, BMC,…),

• Testing and combining testing with verification,

• Interaction between theorem-provers and model-checkers,

• Model-checking other types of systems (hybrid systems, Petri-Nets, etc).

• Verification of Kevin & co’s synchronisation algorithms,

• Use grammar induction to improve interface based verification,

• SPeeDI and hybrid system verification,

• Structural induction to model-check compiler properties.