Model Checking basic concepts and techniques Sriram K. Rajamani
Sources: My MSR Model checking crash course from Fall 99 Tom Henzinger’s slides from his OSQ course
Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula of a temporal logic.
Why is this of interest to us? Because the dynamics of a discrete system can be captured by a Kripke structure. Because some dynamic properties of a discrete system can be stated in temporal logics. Model checking = System verification
Model checking, generously interpreted: Algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).
Part I: Models and Specifications Part II: State explosion Agenda
S0S0 S1S1 S2S2 S3S3 Kripke Structure States : valuations to a finite set of variables Initial states : subset of states Arcs: transitions between states Atomic Propositions: finite set of predicates over variables Observation (color): Valuation to all atomic propositions at a state
Kripke Structure M = W, I, R, L, W : set of states (possibly infinite) I W : set of initial states R W X W : set of arcs L : set of atomic propositions W 2 L : mapping from states to subset of atomic propostions (colors)
Three important decisions: 1may vs. must: branching vs. linear time 2prohibiting bad vs. desiring good behavior: safety vs. liveness 3operational vs. declarative: automata vs. logic Specification
S0S0 S1S1 S2S2 S3S3 S0S0 S1S1 S2S2 Run Trace
S0S0 S1S1 S2S2 S3S3 S0S0 S1S1 S2S2 S3S3 Run-tree Trace-tree
Linear temporal logics (eg LTL) view a model as a set of traces Branching temporal logics (eg CTL) view a model as a set of trace-trees Branching Vs Linear
S0S0 S3S3 S4S4 S1S1 S2S2 t2t2 t3t3 t1t1 t0t0 Same traces, different trace trees
Linear time is conceptually simpler than branching time (words vs. trees). Branching time is often computationally more efficient. Branching “refinement” implies linear “refinement” Expressive powers are incomparable
Three important decisions: 1may vs. must: branching vs. linear time 2prohibiting bad vs. desiring good behavior: safety vs. liveness 3operational vs. declarative: automata vs. logic Specification
Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)
Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously.
Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously. Safety
Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.
Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter. Safety
Whenever process P1 wants to enter the critical section, it enters it within 51 cycles
Whenever process P1 wants to enter the critical section, it is not the case that 51 cycles pass without P1 entering the critical section Safety
Whenever process P1 wants to enter the critical section, it eventually enters it Liveness
Sequential programs Safety corresponds to partial correctness Liveness corresponds to termination
The vast majority of properties to be verified are safety. Safety Vs Liveness
While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness. Why liveness? “Eventually, we are all dead!” The answer is: abstraction and fairness
Why liveness? r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 If P1 requests and keeps requesting, it will be granted within 2 cycles
Abstract view r2r2 r1r1 g2g2 g1g1 r2r2 r1r1 F G1G1 G2G2 r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 Safety: If P1 requests and keeps requesting, it will be granted within 2 cycles Liveness: If P1 requests and keeps requesting it will be eventually granted (Does this hold?)
q1q1 q2q2 Fairness constraint: the green transition cannot be ignored forever q3q3
Without fairness: infRuns = q 1 (q 3 q 1 ) * (q 2 ) (q 1 q 3 ) With fairness: infRuns = q 1 (q 3 q 1 ) * (q 2 ) q1q1 q2q2 q3q3
Two important types of fairness 1 Weak (Buchi) fairness: a specified set of transitions cannot be enabled forever without being taken 2 Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken
Fair Kripke Structure M = W, I, R, L, , SF, WF W : set of states (possibly infinite) I W : set of initial states R W X W : set of arcs L : set of atomic propositions W 2 L : labeling function SF: set of strongly fair arcs WF: set of weakly fair arcs
Model-Checking Algorithms for finite state Kripke structures = Graph Algorithms
Automata theoretic approach to model checking Does M satisfy property ? Step 1: Build automaton A for negation of Step 2: Construct product P = MxA Step 3: Check if L(P) is empty
1Safety: -algorithm: reachability (linear) 2Response under weak fairness: -algorithm: strongly connected components (linear) 3Liveness: -algorithm: recursively nested SCCs (quadratic)
LogicModel checking complexity Invariant|M| CTL|M| * | | LTL |M| * 2 | | Modal -calculus ? Refinement|M| * 2 |S|
Example: State Machine For Locking UnlockedLockedError U LL U
Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); return OK; } Unlock(&x) …
Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); // return OK; } Unlock(&x) …
Part I: Models and Specifications Part II: State explosion Agenda
Problem State explosion : |M| is exponential in the syntactic description of M
Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]
Binary Decision Diagrams [Bryant] Ordered decision tree for f = a b c d d ddddddd c ccc bb a
OBDD reduction a bb cc dd f = a b c d
OBDD properties Variable order strongly affects size Canonical representation for a given order Efficient apply algorithm –boolean operations on BDD’s is easy –Can build BDD’s for large circuits f g O(|f| |g|) fg
Boolean quantification If v is a boolean variable, then v.f = f | v =0 + f | v =1 Example: b,c). (ab + ce + b´d) = a + e d Complexity on BDD representation –worst case exponential –heuristically efficient
Characterizing sets Let M be a model with boolean variables (v 1,v 2,…,v n ) Represent any P {0,1} n by its characteristic function P P = {(v 1,v 2,…,v n ) : P } Example: Variables = (x,y,z) P = { (0,0,1), (0,1,0), (1,0,0), (1,1,1) } P = x + y + z
Characterizing sets Represent characteristic function as BDD Set operations can be now done as BDD operations – = false S = true – P Q = P + Q P Q = P Q – S \ P = P
Transition Relations Transition relation R is a set of state pairs for all the arcs in the state machine –R = {((v 1,v 2,…,v n ), (v’ 1,v’ 2,…,v’ n )) : R } v1v1 v0v0 R = (v’ 0 = v 0 ) (v’ 1 = v 0 v 1 )
Forward Image P R Image(P,R)
Reverse Image P R Image -1 (P,R)
Symbolic invariant checking S := BDD for initial states V := BDD for negation of invariant R := BDD for transition relation Loop If ( S V) then print “failed” and exit I := Image( S, R) S’ := S I If ( S = S’) then print “passed” and exit End
BDDs Big breakthrough in hardware McMillan’s thesis won the ACM thesis award Intel, IBM, Motorola all have BDD based model checkers, and large “formal verification” teams based on them. BDDs compactly represent transition relations Can prove that if the circuit has “bounded” communication,then transition relation is small Images and Reachable sets tend to blowup
BDDs Images and reachable sets blow up often Subject of intense investigation (PhD theses on how to compute images without BDDs blowing up) Alphabetical soup of variations: ADDs to ZDDs Work upto ~100 variables, don’t really scale to thousands of variables Provide good “bootstrap” for compositional methods
Infinite state model checking S := constraint for initial states V := constraint for negation of invariant R := constraint for transition relation Loop If ( S V) then print “failed” and exit I := Image( S, R) S’ := S I If ( S = S’) then print “passed” and exit End
Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]
Symmetry Reductions Idea: If state space is symmetric, explore only a symmetric “quotient” of the state space Let us define “quotient” first… (also useful in abstractions)
Recall our model M = W, I, R, L, W : set of states I W : set of initial states R W X W : set of arcs L : set of atomic propositions W 2 L : mapping from states to colors Usually we fix the colors and say: M = W, I, R,
Quotient M = W, I, R, Let be an equivalence relation on W. Assume: s t (s) = (t) s I iff t I Quotient: M’ = W’, I’, R’, ’ –W’ = W / I’ = I / –R’ ([s],[t]) whenever R(s,t) – ’([s]) = (s)
Abstract search Suppose we want to check an invariant: Does M satisfy ? Instead check: Does M’ satisfy ? This is sound but not complete. (Why?)
Stable equivalences Equivalence is called stable if: R ( x, y) for every s in [x] there exists some t in [y] such that R (s,t) Claim: Suppose is called stable, then: M satisifies iff M’ satisfy Sound and complete! (Why?)
Automorphisms 0,0 1,1 0,11,0 A permutation function f : W W is an automorphism if: 1. x f(x) for all x 2. R( x, z) R( f(x), f(z))
Automorphisms f: f(0,0) = 1,1 f(1,1) = 0,0 f(0,1) = 0,1 f(1,0) = 1,0 g: g(0,0) = 0,0 g(1,1) = 1,1 g(0,1) = 1,0 g(1,0) = 0,1 A = { f, g, f g, I} The set of all automorphisms forms a group! 0,0 1,1 0,11,0
Automorphisms Let x y if there is some automorphism f such that f(x) = y The equivalence classes of are called orbits Claim 1: is an equivalence Claim 2: is stable
Orbits [ (0,0), (1,1) ] [ (0,1), (1,0) ] 0,0 1,1 0,11,0
Symmetry reduction [ (0,0),(1,1) ] [ (0,1), (1,0) ] Map each state to its representative in the orbit
Symmetry reduction Step 1: Analyze the system statically and come up with a function that maps each state to its representative Step 2: When exploring the states, store and explore the representatives!
Symmetry reduction Difficulty: Computing the function (which maps states to representatives) is hard! Solutions: Be satisfied with multiple representatives for each orbit Ask user to tell you where the symmetries are
Symmetry reduction Implemented in Mur Similar ideas have also impacted Nitpick
Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]
Partial Order Methods Protocols are usually modeled as an asynchronous composition of processes (interleaving model) Partial order reduction explores only a portion of the state space You can still prove properties about the entire state space
S0S0 S1S1 S2S2 S3S3 Actions An action is a guarded command Nondeterminism arises because any of the enabled actions could be scheduled next! Can label state machine transitions with action names
Independent Actions S0S0 S1S1 S2S2 S3S3 Actions and are independent if: 1. Neither action enables or disables the other 2. If both and are enabled, then they commute
Partial Order Methods Key idea: If actions { } are independent then: Need to explore only one! But there are some caveats..
Parital Order Equivalence Two action sequences A and B are partial- order-equivalent if: A can be transformed to B by swapping adjacent independent actions Need to explore only one representative in each equivalence class!
Partial Order Methods Offer good reductions in asynchronous protocols: Exponential reductions in “artificial” examples 5-10 times faster in “real” examples Implemented in SPIN Also implemented in Verisoft (we will revisit this later!)
Example integer x, y; boolean bomb; Init true x := 0; y := 0; bomb := false Update : ( x < 10) & ! bomb x := x+1 : ( y < 10) & ! bomb y := y+1 : ( x = 3) & ( y = 3) & ! bomb bomb := true
0,0 1,02,03,04,0 0,1 1,12,13,14,1 0,2 1,22,23,24,2 0,3 1,32,33,34,3