Model Checking and Testing combined Doron Peled, University of Warwick 1 1

Why “model checking”? Want to verify hardware and code. Want to perform verification automatically. Manual methods are time consuming, difficult. Restricting to finite state systems. Willing to give up exhaustiveness. Checking a (mathematical) model of a system, not the system itself. Want to obtain counterexamples.

A transition system A (finite) set of variables V. A set of states . A (finite) set of transitions T, each transition et has an enabling condition e and a transformation t. An initial condition p. Denote that s’ is a successor of s by R(s,s’). 11 2

The interleaving model An execution is a finite or infinite sequence of states s0, s1, s2, … The initial state satisfies the initial condition, i.e., p(s0). Moving from one state si to si+1 is by executing a transition et: e(si), i.e., si satisfies e. si+1 is obtained by applying t to si. 13 3

Initially: PC0=L0/\PC1=L1 T0:PC0=L0PC0=NC0 T1:PC0=NC0/\Turn=0 PC0:=CR0 T2:PC0=CR0 (PC0,Turn):=(L0,1) T3:PC1==L1PC1=NC1 T4:PC1=NC1/\Turn=1 PC1:=CR1 T5:PC1=CR1 (PC1,Turn):=(L1,0) L0:While True do NC0:wait(Turn=0); CR0:Turn=1 endwhile || L1:While True do NC1:wait(Turn=1); CR1:Turn=0 endwhile Initially: PC0=L0/\PC1=L1 17 5

The state space Turn=0 L0,L1 Turn=1 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,NC1 Turn=0 CR0,NC1 Turn=1 NC0,CR1 18 6

Invariant: (PC0=CR0/\PC1=CR1) Turn=0 L0,L1 Turn=1 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=1 L0,NC1 Turn=1 NC0,L1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,NC1 Turn=0 CR0,NC1 Turn=1 NC0,CR1 19 7

How can we check the model? The model is a graph. The specification should refer the the graph representation. Apply graph theory algorithms. 9

What properties can we check without using temporal specification? Invariants: a property that needs to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed. 10

How to perform the check? Apply a search strategy (Depth first search, Breadth first search). Check states/transitions during the search. If property does not hold, report counterexample! DFS – on-the-fly verification. BFS – finds the shortest counterexample. 11

If it is so good, why learn deductive verification methods? Model checking works for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures: queues trees stacks parametric algorithms and systems. Some new algorithms for infinite systems. 12

The state space explosion Need to represent the state space of a program in the computer memory. Each state can be as big as the entire memory! Many states: Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes. 13

If it is so constrained, is it of any use? Many protocols are finite state. Many programs or procedures are finite state in nature. Can use abstraction techniques. Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving. Many techniques to reduce the state space explosion (BDDs, Partial Order Reduction). 14

Depth First Search Program DFS For each s such that q(s) dfs(s) end DFS Procedure dfs(s) for each s’ such that R(s,s’) do If new(s’) then dfs(s’) end dfs. 15

Start from an initial state Hash table: q1 q1 q2 q3 Stack: q1 q4 q5 16

Continue with a successor Hash table: q1 q1 q2 q2 q3 Stack: q1 q2 q4 q5 17

One successor of q2. Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q2 q4 q4 18

Backtrack to q2 (no new successors for q4). Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q2 q4 q5 19

Backtracked to q1 Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q4 q5 20

Second successor to q1 q4 has been already visited. Hash table: q1 q1 q2 q4 q3 q2 q3 Stack: q1 q3 q4 q5 21

Backtrack again to q1. Hash table: q1 q1 q2 q4 q3 q2 q3 Stack: q1 q4 22

How can we check properties with DFS? Invariants: check that all reachable states satisfy the invariant property. If not, show a path from an initial state to a bad state. Deadlocks: check whether a state where no process can continue is reached. Dead code: as we progress with the DFS, mark all the transitions that are executed at least once. 23

Want to do more! Want to check more properties. Want to have a unique algorithm to deal with all kinds of properties. This is done by writing specification is temporal logics. Temporal logic specification can be translated into graphs (finite automata). 25

Temporal Logic Modalities: First order logic or propositional assertions describe a state. Modalities: <>p means p will happen eventually. []p means p will happen always. p p p p p p p p 15 4

More temporal logic p U q – p has to hold until q holds. []<>p --- its always the case that there is a later p, i.e., p happens infinitely often. <>[]p --- At some point p will hold forever, i.e., p is stable. <>p/\<>q both p and q would happen eventually. Note, this is not the same as <>(p/\q).

[](Turn=0<>Turn=1) L0,L1 Turn=1 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=1 L0,NC1 Turn=1 NC0,L1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,NC1 Turn=0 CR0,NC1 Turn=1 NC0,CR1 20 8

Correctness condition We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model)  L(Spec). 21

Correctness Sequences satisfying Spec Program executions All sequences 22

Incorrectness Counterexamples All sequences Sequences satisfying Spec Program executions Counterexamples Counterexamples are sometimes more interesting and useful than finding that the program is “correct” due to: Underspecification Modeling errors Algorithm and tool limitation 22

How to check correctness? Show that L(Model)  L(Spec). Equivalently: ______ Show that L(Model)  L(Spec) = Ø. Also: can obtain L(Spec) by translating from LTL! 23

What do we need to know? How to intersect two automata? How to complement an automaton? Well, not really, if the specification is given in LTL, we can negate the specification and then translate. How to translate from LTL to an automaton? 24

Büchi automata (w-automata) S - finite set of states. S0  S - initial states. S - finite alphabet. d  S  S  S - transition relation. F  S - accepting states. Accepting run: passes a state in F infinitely often. System automata: F=S.

Example: check a a, a a a <>a

Example: check <>a

Example: check <>a a, a <>a a a Use automatic translation algorithms, e.g., [Gerth,Peled,Vardi,Wolper 95]

Technicality… Add an initial node. Turn=0 L0,L1 Turn=1 L0,L1 Turn=0 L0,L1 Turn=1 L0,L1 Add an initial node. Propositions are attached to incoming nodes. All nodes are accepting. Technicality… 19 20

System s1 s3 s2 c b a All states are accepting! = no fairness conditions

Acceptance is determined by automaton P. Every element in the product is a counter example for the checked property. a s1 s3 s2 c b a q1 a a a q2 s1,q1 s2,q1 s1,q2 a b c s3,q2 Acceptance is determined by automaton P.

How to check for (non)emptiness? s1,q1 s2,q1 s1,q2 a b c s3,q2 28

Nonemptiness... Need to check if there exists an accepting run, i.e., infinite sequence that passes through an accepting state infinitely often.

Finding accepting runs If there is an accepting run, then at least one accepting state repeats on it forever. This state must appear on a cycle. So, find a reachable accepting state on a cycle.

Equivalently... A strongly connected component: a maximal set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.

How to complement? Complementation is hard! Can ask for the negated property (the sequences that should never occur). Can translate from LTL formula  to automaton A, and complement A. But: can translate ¬ into an automaton directly! 29

Model Checking under Fairness Express the fairness as a property φ. To prove a property ψ under fairness, model check φψ. Counter example Fair (φ) Bad (¬ψ) Program

Model Checking under Fairness Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a transition from P, or it contains a state where P is disabled.

 Conformance Testing Unknown deterministic finite state system B. Known: n states and alphabet . An abstract model C of B. C satisfies all the properties we want from B. C has m states. Check conformance of B and C. Another version: only a bound n on the number of states l is known. 

Model Checking / Testing Given Finite state system B. Transition relation of B known. Property represent by automaton P. Check if L(B)  L(P)=. Graph theory or BDD techniques. Complexity: polynomial. Unknown Finite state system B. Alphabet and number of states of B or upper bound known. Specification given as an abstract system C. Check if B C. Complexity: polynomial if number states known. Exponential otherwise.

 Black box checking  Unknown Finite state system B. Alphabet and upper bound on number of states of B known. Complexity: exponential. Property represent by automaton P. Check if L(B)  L(P)=. Graph theory techniques.  

Combination lock automaton Accepts only words with a specific suffix (cdab in the example). c d a b s1 s2 s3 s4 s5 Any other input

Cannot distinguish if reduced or not. Conformance testing a b Cannot distinguish if reduced or not. 

Conformance testing (cont.) b a When the black box is nondeterministic, we might never test some choices.

Conformance testing (cont.)  b b a a a  a b b a a b Need: bound on number of states of B.

Need reliable RESET b a s1 s3 s2 Start with a: in case of being in s1 or s3 we’ll move to s1 and cannot distinguish. Start with b: In case of being in s1 or s2 we’ll move to s2 and cannot distinguish. s1 s3 s2 a b The kind of experiment we do affects what we can distinguish. Much like the Heisenberg principle in Physics.

Distinguishing sequences [VC] algorithm s1 s2 s3 b/1 a/1 Words of length n-m+1 Reset or homing Known automaton A has l states. Black box automaton has up to n states. Check each transition. Check that there are no "combination lock" errors. Complexity: O(l2 n p n-l+1). When n=l: O(l3p). Distinguishing sequences

Experiments a b c reset a b c try c fail a b c try b

Simpler problem: deadlock? Nondeterministic algorithm: guess a path of length  n from the initial state to a deadlock state. Linear time, logarithmic space. Deterministic algorithm: systematically try paths of length n, one after the other (and use reset), until deadlock is reached. Exponential time, linear space.

Deadlock complexity Nondeterministic algorithm: Linear time, logarithmic space. Deterministic algorithm: Exponential (pn-1) time, linear space. Lower bound: Exponential time (use combination lock automata). How does this conform with what we know about complexity theory?

Modeling black box checking Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed. We learn the model as we make the experiments. Can use the model of games of incomplete information.

Games of incomplete information Two players: $-player, -player (here, deterministic). Finitely many configurations C. Including: Initial Ci , Winning : W+ and W- . An equivalence relation @ on C (the $-player cannot distinguish between equivalent states). Labels L on moves (try a, reset, success, fail). The $-player has the moves labeled the same from configurations that are equivalent. Deterministic strategy for the $-player: will lead to a configuration in W+  W-. Cannot distinguish equivalent conference. Nondeterministic strategy: Can distinguish.

Modeling BBC as games Each configuration contains an automaton and its current state (and more). Moves of the $-player are labeled with try a, reset... Moves of the -player with success, fail. c1 @ c2 when the automata in c1 and c2 would respond in the same way to the experiments so far.

A naive strategy for BBC Learn first the structure of the black box. Then apply the intersection. Enumerate automata with n states (without repeating isomorphic automata). For a current automata and new automata, construct a distinguishing sequence. Only one of them survives. Complexity: O((n+1)p (n+1)/n!)

On-the-fly strategy Systematically (as in the deadlock case), find two sequences v1 and v2 of length <=m n. Applying v1 to P brings us to a state t that is accepting. Applying v2 to P brings us back to t. Apply v1 v2 n to B. If this succeeds, there is a cycle in the intersection labeled with v2, with t as the P (accepting) component. Complexity: O(n2p2mnm). v1 v2

Learning an automaton Use Angluin’s algorithm for learning an automaton. The learning algorithm queries whether some strings are in the automaton B. It can also conjecture an automaton Mi and asks for a counterexample. It then generates an automaton with more states Mi+1 and so forth.

A strategy based on learning [PVY] Start the learning algorithm. Queries are just experiments to B. For a conjectured automaton Mi , check if Mi  P =  If so, we check conformance of Mi with B ([VC] algorithm). If nonempty, it contains some v1 (v2)w . We test B with v1 v2n+1. If this succeeds: error, otherwise, this is a counterexample for Mi .

Complexity l - real size of B. n - an upper bound of size of B. p - size of alphabet. Lower bound: reachability is similar to deadlock. O(l 3 p l + l 2mn) if there is an error. O(l 3 p l + l 2 n p n-l+1+ l 2mn) if there is no error. If n is not known, check while time allows. Average complexity: polynomial.

Some experiments Basic system written in SML (by Alex Groce, CMU). Experiment with black box using Unix I/O. Allows model-free model checking of C code with inter-process communication. Compiling tested code in SML with BBC program as one process. Another application: Adaptive Model Checking when the model may not be accurate [GPY].

Unit checking [GP93] Check a unit of code, e.g., a bunch of interacting procedures, a-la unit testing. No initial states are given, not finite state, parametric, compositional. Use temporal properties to describe suspicious paths in the execution. Guide the path search with property. Use flow chart instead of “state space”. Cannot check whether a state occurred, use DFS and iterative deepening.

Unit testing of code: Calculating path condition (A≠2 /\ X/A>1) /\ (A>1 & B=0) A>1 & B=0 Need to find a satisfying assignment: A=3, X=6, B=0 A≠2 /\ X/A>1 no yes X=X/A A≠2 /\ X>1 A=2 | X>1 If deterministic code, starting with such initial values will enforce executing this path true no yes X=X+1 true

Spec: ¬at l2U (at l2/\ xy /\ (¬at l2/\(¬at l2U at l2 /\ x2y ))) l2:x:=x+z l3:x<t l1:… l2:x:=x+z ¬at l2 X = at l2/\ xy l3:x<t x2y ¬at l2 l2:x:=x+z at l2/\ x2y Now simplify condition using theorem proving.

Test case generation based on LTL specification Compiler Model Checker Path condition calculation First order instantiator Test monitoring Transitions Path Flow chart LTLAut

Conclusions Model checking is useful for automatically finding errors in hardware/software design. Testing is nonexhaustive yet practical. Combining model checking and testing methods enhances capabilities and alleviates limitations. Black Box Checking allows model checking a system directly, without first modeling it. Unit Checking allows systematic testing of temporal properties of systems.