Albert M. K. Cheng Real-Time Systems Laboratory University of Houston Chapter 4: Model Checking for Formal Analysis and Verification of Real-Time Systems Albert M. K. Cheng Real-Time Systems Laboratory University of Houston

Correctness of Real-Time Systems Satisfaction of logical correctness constraints Satisfaction of timing constraints

Presentation Outline Model of a real-time system Specification, analysis, and verification Explicit-state and symbolic model checking

A Real-Time System A Sensor input Decision, action X Y D S State

Analysis Techniques Simulation Testing Verification Run-time monitoring

Model Checking Is the finite-state graph a model of the temporal logic formula? Specification represented as a labeled finite-state Graph (Kripke structure) Safety assertion written as temporal logic formula

Computation Tree Logic CTL Propositional, branching-time temporal logic Next-time operator X, Until operator U A(E)X f : f holds in every (some) immediate successor of current state A(E)[f1 U f2] : for every (some) computation path, there exists an initial prefix of the path such that f2 holds at the last state of the prefix and f1 holds at all other states along the prefix

Example: Solution to Mutual Exclusion Problem N1,N2 T1,N2 N1,T2 C1,N2 T1,T2 T1,T2 N1,C2 C1,T2 T1,C2

CTL abbreviations AF(f) = A[True U f]: f holds in the future along every path from the initial state s0, so f is inevitable EG(f) = NOT AF(NOT f) EF(f) = E[True U f]: there is some path from the initial state s0 that leads to a state at which f holds, so f potentially holds AG(f) = NOT EF(NOT f)

Representing a Computation Tree Logic (CTL) Formula in Prefix Notation f = A [ !X U ( Y V Z ) ] 1 2 3 4 5 6 = (AU (NOT X) (OR Y Z)) nf[1]: (AU (NOT X) (OR Y Z)) sf[1]: (2 4) nf[2]: (NOT X) sf[2]: (3) nf[3]: X sf[3]: nil nf[4]: (OR Y Z) sf[4]: (5 6) nf[5]: Y sf[5]: nil nf[6]: Z sf[6]: nil

Functions Formula f = A [f1 U f2] arg1(f) = first argument of formula f arg2(f) = second argument of formula f labeled(s,f): state s is labeled with formula f add_label(s,f): add label to state s marked(s): state has been marked or visited

Explicit-State Model Checking for (fi=flength; fi >= 1; fi--) labelgraph(fi,s,&correct); labelgraph (fi,s,b) short fi, s; Boolean *b; { short i; switch(nf[fi-1][0].opcode) case atomic: atf(fi,s,b); break; case nt: ntf(fi,s,b); break; case ad: adf(fi,s,b); case ax: axf(fi,s,b); case ex: exf(fi,s,b);

Explicit-State Model Checking case au: for (i=0; i <= numstates; i++) marked[i] = false; if (!marked[i]) auf(fi,s,b); break; case eu: euf(fi,s,b); }

function au(f,s,b) if marked(s) then { if labeled(s,f) then {b := true; return} b := false; return} marked(s) := true; if labeled(s, arg2(f)) then { add_label(s,f); b:= true; return} else if !labeled(s, arg1(f)) then { b := false; return } for all s1 in successors(s) do { au(f, s1, b1); if !b1 then { b := false; return } } add_label(s,f); b := true; return.

Symbolic Model Checking Transition relation between the values of the variables in the current and the next states can be stated as a Boolean formula Use Binary Decision Diagrams (BDDs) to present this Boolean formula Apply model checker to finite-state graph represented as BBDs

Real-Time CTL Existentially Bounded Until operator: E[f_1 U[x,y] f_2] at state s_0 means there exists a path beginning at s_0 and some i such that x <= i <= y and f_2 holds at state s_i and forall j < i, f_1 holds at state s_j Min/max delays Min/max number of condition occurrences