SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam

 Motivation  Definitions  Symbolic Model Checking  Contribution  Mu-Calculus Encoding  Binary Decision Diagram Representation  Model Checking Algorithm  CTL Model Checking  Empirical Results  Summary  Future Work OUTLINE

 Many different methods for automatically verifying finite state systems  LTL  CTL  All rely on algorithms that explicitly represent a state space, using a list or table that grows in proportion to the number of states  Number of states in the model grow exponentially with the number of concurrently executing components  The size of the state table is the limiting factor in applying these algorithms to realistic systems MOTIVATION

 This “state explosion problem” can not be handled by the state enumeration methods  Explicit state enumeration methods are limited to systems with at most 10 8 reachable states  Can be eliminated by representing the state space symbolically instead of explicitly  This technique verifies models with more than states ! MOTIVATION

 Relational variable  a predicate or a function  Abstraction operator  λ: used in lambda calculus  f(x 1, x 2 ) is written as λ x1, x2 [f]  Relational term  f is a formula and y i are individual variables  R is relational term and P is a relational variable with arity n  Fixed point of function f  An element x such that f(x) = x DEFINITIONS

 Least fixed point is the least element that is a fixed point. y is lfp of f in S iff (f(y) = y) ∧ (∀x S. (f(x) = x) ⇒ (y ⊆ x))  Greatest fixed point is the greatest element that is a fixed point. y is gfp of f in S iff (f(y) = y) ∧ (∀x S. (f(x) = x) ⇒ (x ⊆ y))  Fixed point operators  μ and ν are the lfp and gfp operators used in mu-calculus  Monotone function  A function f is monotone iff for all P ⊆ S and Q ⊆ S, P ⊆ Q ⇒ f(P) ⊆ f(Q) DEFINITIONS

 Variable Interpretation  Individual I P : for each individual variable y, I P (y) is a value in domain D  Relational I R : for each n-ary relational variable P, I R (P) is an n-ary relation in domain D  Substitution of Variables  The substitution of a variable w for a variable v in a formula f, denoted f(v ← w) f ⇒ ∃ v [(v ⇔ w) ∧ f] DEFINITIONS

 In explicit state model checking, we represent the Kripke structure as a graph and implement the model checking algorithm as graph traversal.  2 main steps:  Encode Model Domain: Describe sets of states as propositional logic formulae instead of enumeration: Mu-Calculus S = {1, 2, 3, 4, 5} = {x | 1 ≤ x ≤ 5}  Compact Representation: Represent those logical formulae/boolean functions using efficient means of manipulating boolean functions: Binary Decision Diagrams SYMBOLIC MODEL CHECKING

 Provides a generalized symbolic model checking method by using a dialect of the Mu-Calculus as the primary specification language  Describes a model checking algorithm for Mu- Calculus formulas that uses BDD to represent relations and formulas  Shows how Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL, LTL model checking  Discusses how it can be used to verify a simple synchronous pipeline circuit CONTRIBUTIONS

 Syntax:  In this formula, R can be a Relational variable or a Relational term of the following two forms:  Second one represents the least fixed point of R where R be formally monotone with P MU-CALCULUS

 Example: MU-CALCULUS

 Formal Definition:  given a finite signature  each symbol in is either an Individual variable or a Relational variable with some positive arity.  recursively define two syntactic categories: formulas and relational terms.  Formula: MU-CALCULUS

 Relational term:  ∀, ∧, ⇒, and ⇔ are treated as abbreviations in the usual manner  ¬R is an abbreviation for  R ∨ R’ is an abbreviation for MU-CALCULUS

 Model M = (D, I R, I D ), where D is the domain  Semantic function MU-CALCULUS

MU-CALCULUS

 Widely used in various tools for the design and analysis of digital circuits  Canonical form representation for Boolean formulas  Similar to binary decision tree  Allows many practical systems with extremely large state spaces to be verified-which are impossible to handle with explicit state enumeration methods BINARY DECISION DIAGRAM

 DAG  Occurrence of variables is ordered from root to a leaf.  Example:  Formula: (a ∧ b) ∨ (c ∧ d)  Ordering: a < b < c < d  (a ←1, b ← 0, c ← 1, d ← 1) leads to a leaf node labeled 1 BINARY DECISION DIAGRAM

 For the Mu-Calculus that uses BDDs as its internal representation  BDDATOM(f) returns BDD iff f = 1  Last case substitutes x i by dummy d i  FixedPoint() is the standard technique MODEL CHECKING ALGORITHM

 CTL formula f is true of Kripke structure M= (A, S, L, N, S O ) ⇔ Mu-Calculus formula f' is true of a structure M’ = (S, I R, I D )  If CTL formula f is an abbreviation for the Mu- Calculus relational term R, then f is true at state s iff R(s) is true  If f has no temporal operators, then it represents the relational term R CTL MODEL CHECKING

 EX f = λ S [ ∃ t [ f(t) ∧ N(s, t) ] ]  EG f = f ∧ EX EG f = νQ [ f ∧ EX Q ] = νQ [ λ S [ f(s) ∧ ∃ t [ Q(t) ∧ N(s, t) ] ]  E [ f ∪ g ] = g ∨ (f ∧ EX E[f ∪ g]) = μQ [g ∨ (f ∧ EX Q]] = μQ [λ S [g(s) ∨ (f(s) ∧ ∃ t [Q(t) ∧ N(s, t)]] CTL MODEL CHECKING

 Performs three-address logical and arithmetic operations on a register  3 Pipeline stages:  Operand read from the register file  ALU (Arithmetic Logic Unit) operation  Write back to register EMPIRICAL RESULTS

 Pipeline with 12 bits has approximately 1.5 x 1O 29 reachable states  The number of nodes in BDD is asymptotically linear in the number of bits, not exponential  The verification time is polynomial in the number of bits EMPIRICAL RESULTS

 Suitable encoding of the model domain and compact representation for relations, the complexity of various graph-based verification algorithms is reduced  Regular structure of the data path logic captured by the BDD representation results in a linear space complexity in the number of circuit components rather than exponential SUMMARY

 Characterization of the models for which the BDD Mu-Calculus checker is efficient  Applicability of developed technique in common graph algorithms whose results can be expressed as relations, such as minimum spanning trees, graph isomorphism etc. FUTURE WORKS