Introduction to Model Checking Ken McMillan Cadence Berkeley Labs mcmillan@cadence.com

Outline Model checking Symbolic model checking Temporal logic Model checking algorithms Expressiveness and complexity Symbolic model checking The “state explosion” problem Binary Decision Diagrams Computing fixed points with BDD’s Application

Propositional Linear Temporal Logic Express properties of “Reactive Systems” interactive, nonterminating For PLTL, a model is an infinite state sequence Temporal operators “Globally”: G p at t iff p for all t’ ³ t. p p p p p p p p p p p... G p...

Temporal operators... p p p p p p F p... p p p p p p p p p q p U q... “Future”: F p at t iff p for some t’ ³ t. p p p p p p F p... “Until”: p U q at t iff q for some t’ ³ t and p in the range [ t, t’ ) p p p p p p p p p q p U q... “Next-time”: X p at t iff p at t+1

Examples Liveness: “if input, then eventually output” G (input Þ F output) Strong fairness: “infinitely send implies infinitely recv.” GF send Þ GF recv Weak until: “no output before input” Øoutput W input atomic props infinitely often p W q º p U q Ú G p

Safety v. Liveness Safety Liveness Refutable by finite run Refutable only by infinite run Every finite run extensible to satisfying run

PLTL semantics Given an infinite sequence if f is true in state si of s. if f is true in state s0 of s. if f is valid. A formula is an atomic proposition, or... true, p Ú q, Øp, p U q, X p

PLTL semantics... Definition of satisfaction iff Derived operators...

Model Checking (Clarke/Emerson, Queille/Sifakis) G(p -> F q) yes temporal formula MC algorithm no p p q q counterexample finite-state model Model must now represent all behaviors

Kripke models A Kripke model (S,R,L) consists of set of states S set of transitions R Í S ´ S labeling L Í S ´ AP Kripke models from programs repeat p := true; p := false; end Øp p

Mutual exclusion example N1,N2 turn=0 T1,N2 turn=1 T1,T2 C1,N2 C1,T2 N1,T2 turn=2 T1,T2 N1,C2 T1,C2 N = noncritical, T = trying, C = critical

PLTL on Kripke models A path in model M = (S,R,L) is a sequence such that (si,si+1) Î R. p s0 s1 p s2 s3... F p p

Branching time Model of time is a tree, not a sequence Path quantifiers p p AF p p

Computation Tree Logic Every operator F, G, X, U preceded by A or E Universal modalities... AG p AF p p p p p p p p p p p . . . . . . . . . . . . . . . . . . . . . . . .

CTL, cont... Existential modalities EG p EF p p p p p . . . . . .

CTL, cont Other modalities Some dualities... AX p, EX p, A(p U q), E(p U q) Some dualities... Examples: mutual exclusion specs... AG Ø (C1 Ù C2) mutual exclusion AG (T1 Þ AF C1) liveness AG (N1 Þ EX T1) non-blocking

CTL model checking Model checking problem: Simple algorithm: Determine for given M, s0 and f, whether Simple algorithm: Inductive over structure of formula Backward propagation of formula labels O(f V(V + E))

Example AG (T1 Þ AF C1) N1,N2 turn=0 T1,N2 turn=1 N1,T2 turn=2 C1,N2 C1,T2 turn=1 T1,C2 turn=2

CES algorithm Need only modalities EX, EU, EG. e.g., Checking E(p U q) by backward BFS Checking EG p p BFS q p SCC EG p SCC SCC Complexity = O(f (V + E))

CTL* Contains both CTL and LTL p in LTL ® A p in CTL* path formulas p U q, G p, Fp, Xp, Øp, p Ù q state formulas A p, E p p in LTL ® A p in CTL* Framework for comparing expressiveness Existential properties not expressible in PLTL e.g., AG EF p Fairness assumptions not expressible in CTL e.g., A (GF p ® GF q)

Model checking complexities CTL * = PLTL O(2f (V+E)) CTL O(f (V+E)) PSPACE COMPLETE Note: all are linear in model size

Comparing CTL and LTL Think of CTL formulas as approximations to LTL AG EF p is weaker than G F p Good for finding bugs... p AF AG p is stronger than F G p Good for verifying... p p CTL formulas easier to verify So, use CTL when it applies... 8

Symbolic model checking State explosion problem State graph exponential in program size Symbolic model checking approach Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators Model checking without building state graph Sometimes can handle much larger sate space

Binary Decision Diagrams (Bryant) Ordered decision tree for f = ab + cd a 1 b b 1 1 c c c c 1 1 1 1 d d d d d d d d 1 1 1 1

OBDD reduction Reduced (OBDD) form: a 1 b 1 c 1 1 d 1 Key idea: combine equivalent sub-cases

OBDD properties Canonical form (for fixed order) direct comparison Efficient apply algorithm build BDD’s for large circuits f fg g O(|f| |g|) Variable order strongly affects size

Boolean quantification If v is a boolean variable, then $v.f = f |v =0 V f |v =1 Multivariate quantification $(w1,w2,…,wn). f Complexity on BDD representation worst case exponential heuristically efficient Example: $(b,c). (ab Ú cd) = a Ú d

Characterizing sets Let M = (S,R,L) be a Kripke model Let S be the set of boolean vectors (v1,v2,…,vn) Î {0,1}n Represent any P Í S by its characteristic function cP P = {(v1,v2,…,vn) : cP} Set operations cÆ = false cS = true cP È Q = P V Q cP Ç Q = P Ù Q cS \ P = Ø P

Characterizing relations Transition relation R is a set of state pairs… R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : Î cR} Examples A synchronous sequential circuit v0 v1 cR = (v’0 = Ø v0) Ù (v’1 = v0 Å v1)

Transition relations, cont... An asynchronous circuit s q q r Interleaving model Simultaneous model

Forward and reverse image Forward image P Image(P,R) R

Images, cont... Reverse image Image-1(P,R) P R = EX P

Symbolic CTL model checking Equate a formula f with the set of states satisfying it… Compute BDD’s for characteristic functions… Ø p, p Ú q, p Ù q (use BDD ops) EX p = Image-1(p,R) AX p = Ø EX Ø p Remaining operators have fixed-point characterization... In fact, this is the least fixed point...

Fixed points of monotonic functions Let t be a function S ® S Say t is monotonic when Fixed point of t is y such that If t monotonic, then it has least fixed point my. t(y) greatest fixed point ny. t(y)

Iteratively computing fixed points Suppose S is finite The least fixed point my. t(y) is the limit of The greatest fixed point ny. t(y) is the limit of Note, since S is finite, convergence is finite

Example: EF p EF p is characterized by Thus, it is the limit of the increasing series... p Ú EX(p Ú EX p) p Ú EX p . . . p ...which we can compute entirely using BDD operations

Example: EG p EG p is characterized by Thus, it is the limit of the decreasing series... p Ù EX(p Ù EX p) ... p Ù EX p p ...which we can compute entirely using BDD operations

Remaining operators Allows CTL model checking with only BDD ops Avoid building state graph (Sometimes) avoid state explosion problem Now you can go home and build your own symbolic model checker...

Example: “Gigamax” cache protocol global bus . . . UIC UIC UIC cluster bus . . . . . . . . . M P P M P P Bus snooping maintains local consistency Message passing protocol for global consistency

Protocol example Cluster B read --> cluster A global bus . . . UIC A B C UIC UIC cluster bus . . . . . . . . . M P P M P P owned copy read miss Cluster B read --> cluster A Cluster A response --> B and main memory Clusters A and B end shared

Protocol correctness issues Protocol issues deadlock unexpected messages liveness Coherence each address is sequentially consistent store ordering (system dependent) Abstraction is relative to properties specified

One-address abstraction Cache replacement is nondeterministic Message queue latency is arbitrary IN OUT ? A ? ? ? output of A may or may not occur at any given time

{ Specifications Absence of deadlock Coherence SPEC AG (EF p.readable & EF p.writable); Coherence SPEC AG((p.readable & bit -> ~EF(p.readable & ~bit)); Abstraction: { 0 if data < n 1 otherwise bit =

Counterexample: deadlock in 13 steps global bus . . . UIC A B C UIC UIC cluster bus . . . . . . . . . M P P M P P owned copy from cluster A Cluster A read --> global (waits, takes lock) Cluster C read --> cluster B Cluster B response --> C and main memory Cluster C read --> cluster A (takes lock)

State space explosion State space growth is exponential

BDD performance BDD size growth is linear

BDD performance Run time growth is quadratic

Why does it work? . . . . . . . . . OBDD Many partial states equivalent... ...implies many subfunctions equivalent...

When doesn’t it work? Protocols that pass pointers Linked lists Anytime one part of the system “knows” a large amount of information about another part

Summary Model checking State explosion problem Applications Automatic verification (or falsification) of finite state systems Linear v. branching time logics State explosion problem Binary Decision Diagrams Heuristically efficient boolean operations Image calculations Fixed point characterization of CTL Model checking without building state graph Applications Find subtle errors in complex protocols