1 Model Checking Orna Grumberg Technion Haifa, Israel Taiwan, October 8, 2009.

Slides:



Advertisements
Similar presentations
Introduction to Model Checking
Advertisements

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Model Checking Lawrence Chung.
Demonstration Of SPIN By Mitra Purandare
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.
© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
1 Model Checking, Abstraction- Refinement, and Their Implementation Orna Grumberg Verification seminar March 2006.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
1 2-Valued and 3-Valued Abstraction- Refinement Frameworks for Model Checking Orna Grumberg Technion Haifa, Israel Tutorials at ATVA, 2009.
1 CTL Model Checking David L. Dill. 2 CTL syntax: AP -- atomic propositions p  AP is a formula f  g is a formula, if f and g are ¬f is a formula AX.
Specification and Verification of Aspects Shmuel Katz.
Review of the automata-theoretic approach to model-checking.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
Model Checking and Related Techniques
MCAI 2.0 Model Checking in Ten Minutes Edmund Clarke School of Computer Science Carnegie Mellon University.
Lecture 1: Model Checking
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.
Introduction to Model Checking
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Verification & Validation By: Amir Masoud Gharehbaghi
1 Distributed BDD-based Model Checking Orna Grumberg Technion, Israel Joint work with Tamir Heyman, Nili Ifergan, and Assaf Schuster CAV00, FMCAD00, CAV01,
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.
Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Basic concepts of Model Checking
Symbolic model checking with SAT/SMT
Introduction to Software Verification
CTL model checking algorithms
CIS 842: Specification and Verification of Reactive Systems
Introduction to Software Verification
Formal Methods in software development
CSCI1600: Embedded and Real Time Software
Introduction to verification
Formal Methods in software development
Program correctness Branching-time temporal logics
Presentation transcript:

1 Model Checking Orna Grumberg Technion Haifa, Israel Taiwan, October 8, 2009

2 Why (formal) verification? safety-critical applications: Bugs are unacceptable! –Air-traffic controllers –Medical equipment –Cars Bugs found in later stages of design are expensive, e.g. Intel’s Pentium bug in floating-point division Hardware and software systems grow in size and complexity: Subtle errors are hard to find by testing Pressure to reduce time-to-market Automated tools for formal verification are needed

3 Formal Verification Given a model of a (hardware or software) system and a formal specification does the system model satisfy the specification? Not decidable! To enable automation, we restrict the problem to a decidable one: Finite-state reactive systems Propositional temporal logics

4 Finite state systems - examples Hardware designs Controllers (elevator, traffic-light) Communication protocols (when ignoring the message content) High level (abstracted) description of non finite state systems

5 Properties in temporal logic mutual exclusion: always  ( cs 1  cs 2 ) non starvation: always (request  eventually grant) communication protocols: (  get-message) until send-message

6 Model Checking [EC81,QS82] An efficient procedure that receives:  A finite-state model describing a system  A temporal logic formula describing a property It returns yes, if the system has the property no + Counterexample, otherwise

7 Model Checking  Emerging as an industrial standard tool for verification of hardware designs: Intel, IBM, Cadence, …  Recently applied successfully also for software verification: SLAM (Microsoft), Java PathFinder and SPIN (NASA), BLAST (EPFL), CBMC (Oxford),…

8 Clarke, Emerson, and Sifakis won the 2007 Turing award for their contribution to Model Checking

9 Overview Temporal logics Model Checking BDD-based (symbolic) model checking SAT-based (bounded) model checking

10 Model of a system Kripke structure / transition system a,ba a b,c c a,c a,b b

11 Notation Kripke structure M = (S, I, R, L) –S : (finite) set of states –I : set of initial states –R : set of transitions –L: labeling function, associates each state with a subset of atomic propositions AP p q st M: AP = {p, q}

12  =s 0 s 1 s 2... is a path in M from s iff s = s 0 and for every i  0: (s i,s i+1 )  R

13 Temporal Logics Linear Time –Every moment has a unique successor –Infinite sequences (words) –Linear Time Temporal Logic (LTL) Branching Time –Every moment has several successors –Infinite tree –Computation Tree Logic (CTL) Temporal Logics – Express properties of event orderings in time

14 Propositional temporal logic AP – a set of atomic propositions Temporal operators: Gp Fp Xp pUq Path quantifiers: A for all path E there exists a path

15 M |= f  for every initial state s, s |= f

16 Computation Tree Logic (CTL) CTL operator: path quantifier + temporal operator Atomic propositions: p  AP Boolean operators: f  g,  f CTL temporal operators: EX f, E(fUg), EGf

17 More CTL operators Universal formulas: AX f, A(f U g), AG f, AF f Existential formulas: EX f, E(fUg), EG f, EF f

18 Linear Temporal logic (LTL) Formulas are of the form Af, where f can include any nesting of temporal operators but no path quantifiers Example: LTL formula which is not CTL A GF p Meaning, along every path, infinitely often p

19 CTL* Includes LTL and CTL and more

20 Example formulas CTL formulas: mutual exclusion: AG  ( cs 1  cs 2 ) non starvation: AG (request  AF grant) “sanity” check: EF request LTL formulas: fairness: A(GF enabled  GF executed) A(x=a  y=b  XXXX z=a+b)

21 Property types Universal Existential Safety AGp EGp Liveness AFp EFp

22 Property types (cont.) Combination of universal safety and existential liveness: “along every possible execution, in every state there is a possible continuation that will eventually reach a reset state” AG EF reset

23 Mutual Exclusion Example [by Willem Visser] N 1  T 1 T 1  S 0  C 1  S 1 C 1  N 1  S 0 N 2  T 2 T 2  S 0  C 2  S 1 C 2  N 2  S 0 || Two process mutual exclusion with shared semaphore Each process has three states Non-critical (N) Trying (T) Critical (C) Semaphore can be available (S 0 ) or taken (S 1 ) Initially both processes are in the Non-critical state and the semaphore is available --- N 1 N 2 S 0

24 Model for Mutual Exclusion N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 Specification: M ╞ AG EF (N 1  N 2  S 0 ) No matter where you are there is always a way to get to the initial state

25 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG EF (N 1  N 2  S 0 )

26 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG EF (N 1  N 2  S 0 )

27 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG EF (N 1  N 2  S 0 )

28 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG EF (N 1  N 2  S 0 )

29 Mutual Exclusion Example N1N2S0N1N2S0 C1N2S1C1N2S1 T1T2S0T1T2S0 N1T2S0N1T2S0 T1N2S0T1N2S0 N1C2S1N1C2S1 T1C2S1T1C2S1 C1T2S1C1T2S1 M ╞ AG EF (N 1  N 2  S 0 ) No matter where you are there is always a way to get to the initial state

30 Model Checking M |= f The Model Checking algorithm works iteratively on subformulas of f, from simpler subformulas to more complex ones For checking AG( request  AF grant) –Check grant, request –Then check AF grant –Next check request  AF grant –Finally check AG( request  AF grant)

31 Model Checking M |= f (cont.) We check subformula g of f only after all subformulas of g have already been checked For subformula g, the algorithm returns the set of states that satisfy g ( S g ) The algorithm has time complexity: O( |M|  |f| )

32 Model Checking M |= f (cont.) M |= f if and only if all initial states of M are contained in S f.

33 Basic operations in model checking Given a set of states Q: Succ(Q) returns the set of successors of the states in Q Pred(Q) returns the set of states that have a successor in Q

34 Model checking f = EF g Given: a model M and the set S g of states satisfying g in M procedure CheckEF (S g ) Q := emptyset; Q’ := S g ; while Q  Q’ do Q := Q’; Q’ := Q  Pred(Q) end while S f := Q ; return(S f )

35 g g g f f f f f f f Example: f = EF g

36 Model checking f = EG g CheckEG gets M and S g and returns S f procedure CheckEG (S g ) Q := S ; Q’ := S g ; while Q  Q’ do Q := Q’; Q’ := Q  Pred(Q) end while S f := Q ; return(S f )

37 g g g g g g Example: f = EG g

38 Reachability + model checking f=AGp Starting from the initial states, iteratively computes the set of successors. At each iteration checks whether it reached a state which satisfies  p. –If yes, announces failure. Stops when no new states are found. –Result 1: the set of reachable states. –Result 2: M |= AGp

39 Model checking f = AG p CheckAG gets M, S p and returns Reach procedure CheckAG (S p ) Reach:= I ; New := I; while New   do If New  S p return (M |  AGp) New := Succ(New); New :=New\Reach; Reach := Reach  New; end while return( Reach, M |= AGp)

40 Reachability + checking AG a a,ba a b,c c a,c a,b b Reach = New = I = { 1, 2 }

41 Return: M |  AG a a,ba a b,c c a,c a,b b Failure: New  S a

42 Reachability + checking AG (a  b) a,ba a b,c c a,c a,b b Reach = New = I = { 1, 2 }

43 Return: Reach, M |= AG (a  b) a,ba a b,c c a,c a,b b Reach = {1, 2, 3, 4, 5, 6} New = emptyset

44 Main limitation: The state explosion problem: Model checking is efficient in time but suffers from high space requirements: The number of states in the system model grows exponentially with  the number of variables  the number of components in the system

45 If the model is given explicitly (e.g. by adjacent matrix) then only systems of restricted size can be handled. Strong reduction techniques are needed, e.g. Partial Order Reduction

46 Symbolic model checking A solution to the state explosion problem: BDD-based model checking Binary Decision Diagrams ( BDDs ) are used to represent the model and sets of states. It can handle systems with hundreds of Boolean variables.

47 Binary decision diagrams (BDDs) Data structure for representing Boolean functions Often concise in memory Canonical representation Most Boolean operations can be performed on BDDs in polynomial time in the BDD size

48 a b c 10 c 11 b c 11 b cc b 0110 a b cc 1110 ccc BDD for f(a,b,c) = (a  b )  c Decision tree a b c 10 BDD

49 BDDs in model checking Every set A  U can be represented by its characteristic function 1 if u  A f A (u) = 0 if u  A If the elements of U are encoded by sequences over {0,1} n then f A is a Boolean function and can be represented by a BDD

50 Representing a model with BDDs Assume that states in model M are encoded by {0,1} n and described by Boolean variables v 1...v n S f can be represented by a BDD over v 1...v n R (a set of pairs of states (s,s’) ) can be represented by a BDD over v 1...v n v 1 ’...v n ’

51 Example: representing a model with BDDs S = { s 1, s 2, s 3 } R = { (s 1,s 2 ), (s 2,s 2 ), (s 3,s 1 ) } State encoding: s 1 : v 1 v 2 =00 s 2 : v 1 v 2 =01 s 3 : v 1 v 2 =11 For A = {s 1, s 2 } the Boolean formula representing A: f A (v 1,v 2 ) = (  v 1   v 2 )  (  v 1  v 2 ) =  v 1

52 f R (v 1, v 2, v’ 1, v’ 2 ) = (  v 1   v 2   v’ 1  v’ 2 )  (  v 1  v 2   v’ 1  v’ 2 )  (v 1  v 2   v’ 1   v’ 2 ) f A and f R can be represented by BDDs.

53 Symbolic model checking Same algorithm as before Succ(Q) and Pred(Q) use Boolean operations on BDDs R and Q Pred(Q)(s) =  s’ [ R(s,s’)  Q(s’)] –Boolean operations on BDDs R and Q

54 Symbolic model checking (cont.) Most Boolean operations on BDDs are quadratic in the size of the BDDs BDDs are canonical –Easy to check Q = Q’

55 Symbolic Model checking for f= EF g Given: BDDs R and S g : procedure CheckEF (S g ) Q := emptyset; Q’ := S g ; While Q  Q’ do Q := Q’; Q’ := Q  Pred ( Q ) end while S f := Q ; return(S f )

56 State explosion problem - revisited state of the art symbolic model checking can handle effectively designs with a few hundreds of Boolean variables Other solutions for the state explosion problem are needed!

57 SAT-based model checking Translates the model and the specification to a propositional formula Uses efficient tools for solving the satisfiability problem Since the satisfiability problem is NP- complete, SAT solvers are based on heuristics.

58 SAT tools Using heuristics, SAT tools can solve very large problems fast. They can handle systems with 1000 variables that create formulas with a few millions of variables. GRASP (Silva, Sakallah) Prover (Stalmark) Chaff (Malik) MiniSAT

59 The developers of GRASP and Chaff won the 2009 CAV award for their contribution to model checking

60 Bounded model checking for checking AGp Unwind the model for k levels, i.e., construct all computation of length k If a state satisfying  p is encountered, then produce a counterexample The method is suitable for falsification, not verification

61 Bounded model checking with SAT Construct a formula f M,k describing all possible computations of M of length k Construct a formula f ,k expressing that  =EF  p holds within k computation steps Check whether f = f M,k  f ,k is satisfiable If f is satisfiable then M |  AGp The satisfying assignment is a counterexample

62 Example – shift register Shift register of 3 bits: Transition relation: R(x,y,z,x’,y’,z’) = x’=y  y’=z  z’=1 |____| error Initial condition: I(x,y,z) = x=0  y=0  z=0 Specification: AG ( x=0  y=0  z=0)

63 Propositional formula for k=2 f M,2 = (x 0 =0  y 0 =0  z 0 =0)  (x 1 =y 0  y 1 =z 0  z 1 =1)  (x 2 =y 1  y 2 =z 1  z 2 =1) f ,2 = V i=0,..2 (x i =1  y i =1  z i =1) Satisfying assignment: This is a counterexample!

64 A remark In order to describe a computation of length k by a propositional formula we need k+1 copies of the state variables. With BDDs we use only two copies of current and next states.

65 Bounded model checking Can handle all of LTL formulas Can be used for verification by choosing k which is large enough Using such k is often not practical due to the size of the model

66 SAT-based verification Induction interpolation

67 Other solutions to the state explosion problem Abstraction Modular verification Partial order reduction Symmetry Distributed model checking

68 References Model Checking Model checking E. Clarke, O. Grumberg, D. Peled, MIT Press, Temporal Logic The Temporal Logic of Programs A. Pnueli, FOCS 1977

69 BDDs: R. E. Bryant, Graph-based Algorithms for Boolean Function Manipulation, IEEE transactions on Computers, 1986 BDD-based model checking: J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang, Symbolic Model Checking: 10^20 States and Beyond, LICS’90 SAT-based Bounded model checking: Symbolic model checking using SAT procedures instead of BDDs, A. Biere, A. Cimatti, E. M. Clarke, M. Fujita, Y. Zhu, DAC'99

70 Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.