1 / 78

# Model Checking

Model Checking. basic concepts and techniques Sriram K. Rajamani. Sources: My MSR Model checking crash course from Fall 99 Tom Henzinger’s slides from his OSQ course. Model checking , narrowly interpreted :

## Model Checking

E N D

### Presentation Transcript

1. Model Checking basic concepts and techniques Sriram K. Rajamani

2. Sources: My MSR Model checking crash course from Fall 99 Tom Henzinger’s slides from his OSQ course

3. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula of a temporal logic.

4. Why is this of interest to us? Because the dynamics of a discrete system can be captured by a Kripke structure. Because some dynamic properties of a discrete system can be stated in temporal logics.  Model checking = System verification

5. Model checking, generously interpreted: Algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).

6. Agenda Part I: Models and Specifications Part II: State explosion

7. Kripke Structure States: valuations to a finite set of variables Initial states : subset of states Arcs: transitions between states Atomic Propositions: finite set of predicates over variables Observation (color): Valuation to all atomic propositions at a state S0 S1 S2 S3

8. Kripke Structure M =  W, I, R, L,   W : set of states (possibly infinite) I  W : set of initial states R  W X W : set of arcs L : set of atomic propositions   W  2L : mapping from states to subset of atomic propostions (colors)

9. Specification Three important decisions: • may vs. must: branching vs. linear time • prohibiting bad vs. desiring good behavior: safety vs. liveness • operational vs. declarative: automata vs. logic

10. S0 S1 S2 S0 Run S1 S2 S3 Trace

11. S0 Run-tree S1 S0 S2 S3 S1 S2 S3 Trace-tree

12. Branching Vs Linear Linear temporal logics (eg LTL) view a model as a set of traces Branching temporal logics (eg CTL) view a model as a set of trace-trees

13. S0 t0 S1 S2 t1 S3 S4 t2 t3 Same traces, different trace trees

14. Linear time is conceptually simpler than branching time (words vs. trees). Branching time is often computationally more efficient. Branching “refinement” implies linear “refinement” Expressive powers are incomparable

15. Specification Three important decisions: • may vs. must: branching vs. linear time • prohibiting bad vs. desiring good behavior: safety vs. liveness • operational vs. declarative: automata vs. logic

16. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

17. Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously.

18. Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously. Safety

19. Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.

20. Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter. Safety

21. Whenever process P1 wants to enter the critical section, it enters it within 51 cycles

22. Whenever process P1 wants to enter the critical section, it enters it within 51 cycles Whenever process P1 wants to enter the critical section, it is not the case that 51 cycles pass without P1 entering the critical section Safety

23. Whenever process P1 wants to enter the critical section, it eventually enters it Liveness

24. Sequential programs Safety corresponds to partial correctness Liveness corresponds to termination

25. Safety Vs Liveness The vast majority of properties to be verified are safety.

26. Why liveness? “Eventually, we are all dead!” The answer is: abstraction and fairness While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness.

27. Why liveness? r1 ~r1 g1 If P1 requests and keeps requesting, it will be granted within 2 cycles F1 F2 ~r2 r1 r2 g2 r2 G1 G2

28. r1 g1 F r1 r2 g2 r2 G1 G2 r1 ~r1 g1 F1 F2 ~r2 r1 r2 g2 r2 G1 G2 Abstract view Safety: If P1 requests and keeps requesting, it will be granted within 2 cycles Liveness: If P1 requests and keeps requesting it will be eventually granted (Does this hold?)

29. q1 q2 q3 Fairness constraint: the green transition cannot be ignored forever

30. q1 q2 q3 Without fairness: infRuns = q1 (q3 q1)* (q2) (q1 q3) With fairness: infRuns = q1 (q3 q1)* (q2)

31. Two important types of fairness 1 Weak (Buchi) fairness: a specified set of transitions cannot be enabled forever without being taken 2 Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken

32. Fair Kripke Structure M =  W, I, R, L, , SF, WF  W : set of states (possibly infinite) I  W : set of initial states R  W X W : set of arcs L : set of atomic propositions   W  2L : labeling function SF: set of strongly fair arcs WF: set of weakly fair arcs

33. Model-Checking Algorithms for finite state Kripke structures = Graph Algorithms

34. Automata theoretic approach to model checking Does M satisfy property ? Step 1: Build automaton A for negation of  Step 2: Construct product P = MxA Step 3: Check if L(P) is empty

35. Safety: • -algorithm: reachability (linear) • Response under weak fairness: • -algorithm: strongly connected components (linear) • Liveness: • -algorithm: recursively nested SCCs (quadratic)

36. Logic Model checking complexity Invariant |M| CTL |M| * || LTL |M| * 2|| Modal -calculus ? Refinement |M| * 2|S|

37. Example: State MachineFor Locking U L L Unlocked Locked Error U

38. Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); return OK; } } Unlock(&x) …

39. Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); // return OK; } } Unlock(&x) …

40. Agenda Part I: Models and Specifications Part II: State explosion

41. Problem State explosion : |M| is exponential in the syntactic description of M

42. Fighting state explosion • Symbolic techniques (BDDs) - [SMV, VIS] • Symmetry reduction - [Murphi] • Partial-order reduction - [SPIN] • Divide and Conquer - [MOCHA, new SMV] • Abstraction - [STeP, InVeSt,SLAM]

43. 0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 Binary Decision Diagrams [Bryant] Ordered decision tree for f = a  b  c  d a 0 1 b b 1 0 1 0 c c c c 1 0 1 0 1 0 1 0 d d d d d d d d

44. OBDD reduction a f = a  b  c  d 0 1 b b 1 1 0 0 c c 1 1 0 0 d d 1 1 0 0 0 1

45. OBDD properties Variable order strongly affects size Canonical representation for a given order Efficient apply algorithm • boolean operations on BDD’s is easy • Can build BDD’s for large circuits f fg g O(|f| |g|)

46. Boolean quantification • If v is a boolean variable, then \$v.f = f |v =0 + f |v =1 Example:\$(b,c). (ab +ce + b´d) = a + e + d • Complexity on BDD representation • worst case exponential • heuristically efficient

47. Characterizing sets • Let Mbe a model with boolean variables (v1,v2,…,vn) • Represent any P Í{0,1}n by its characteristic function cP P = {(v1,v2,…,vn) : cP} Example: Variables = (x,y,z) P = { (0,0,1) , (0,1,0), (1,0,0), (1,1,1) } cP = x + y + z

48. Characterizing sets • Represent characteristic function as BDD • Set operations can be now done as BDD operations • cÆ= false cS = true • cP È Q= P + Q cP Ç Q = P . Q • cS\ P= ØP

49. Transition Relations • Transition relation R is a set of state pairs for all the arcs in the state machine • R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : Î cR} v0 v1 cR = (v’0 = Øv0) Ù (v’1 = v0Åv1)

50. Forward Image Image(P,R) P R

More Related