Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Software Verification

Published byEsther Ford Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Software Verification"— Presentation transcript:

1 Introduction to Software Verification
Orna Grumberg Lectures Material winter

2 Lecture 9

3 Symbolic (BDD-based) Model Checking for CTL

4 BDD-based Model Checking
For f = EX f1 return f(V) = V’ [ f1(V’)  R(V,V’) ] This BDD represents all (encoding V of) states that have a successor (with encoding V’) in f1

5 Defined as a new BDD operator: EX f1(V) = V’ [ f1(V’)  R(V,V’) ]
This operation is also called pre-image Important: the formula defines a sequence of BDD operations and therefore is considered as a symbolic algorithm

6 Model Checking f = EF g Given: BDDs R(V,V’) and g(V):
procedure CheckEF (g(V)) Q(V) := emptyset; Q’(V) := g(V) ; while Q(V)  Q’(V) do Q(V) := Q’(V); Q’(V) := Q(V)  EX ( Q(V) ) end while f(V) := Q(V) ; return(f(V)) Least fixpoint CheckEF gets as parameter the set Sg (and implicitly the model M) and returns the set Sf

7 The algorithm applies BDD operations (or ), and EX comparison Q(V)  Q’(V) (easy) Therefore, this is a symbolic algorithm! The algorithm is based on the equivalence: EF g  g  EX EF g

8 Example: f = EF g g f f f done

9 Model Checking f = E[g1 U g2]
Given: BDDs R(V,V’) , g1(V) and g2(V) : procedure CheckEU (g1, g2) Q := emptyset; Q’ := g2 ; while Q  Q’ do Q := Q’; Q’ := Q  (EX(Q)  g1 ) end while f := Q ; return(f) Least fixpoint CheckEF gets as parameter the set Sg (and implicitly the model M) and returns the set Sf

10 Model Checking f = EG g Given: BDDs R(V,V’) , g(V)
procedure CheckEG (g) Q := S ; Q’ := g ; while Q  Q’ do Q := Q’; Q’ := Q  EX (Q) end while f := Q ; return( f ) Greatest fixpoint

11 Example: f = EG g g

12 Bounded (SAT-based) Model Checking

13 State explosion problem - revisited
state of the art symbolic model checking can handle effectively designs with a few hundreds of Boolean variables Other solutions for the state explosion problem are needed!

14 SAT-based model checking
Translates the model and the specification to a propositional formula Uses efficient tools (SAT solvers) for solving the satisfiability problem Since the satisfiability problem is NP-complete, SAT solvers are based on heuristics.

15 SAT tools Using heuristics, SAT tools can solve very large problems fast. They can handle systems with 1000 variables that create formulas with a few millions of variables. GRASP (Silva, Sakallah) Prover (Stalmark) Chaff (Malik) MiniSAT

16 Bounded model checking (BMC) for checking AGp
Given A finite system M A safety property AGp A bound k Determine Does M contain a counterexample to AGp of k transitions (or fewer) ?

17 Bounded Model Checking (BMC) for checking AGp
Unwind the model for k levels, i.e., construct all computations of length k If a state satisfying p is encountered, produce a counterexample; Otherwise, increase k [BCCZ 99]

18 Bounded Model Checking
Terminates with a counterexample or with time- or memory-out The method is suitable for falsification, not verification

19 BMC for checking AGp ( EFp )
Input to BMC: A system over variables V = {v1,…,vn}, where INIT(V) is a propositional formula representing the set of initial states R(V,V’) is a propositional formula representing the transition relation A specification: p(V) is a propositional formula representing the set of states satisfying p

20 BMC for checking =EFp
Build a propositional formula fMk describing all prefixes of length k of paths of M from an initial state Build a propositional formula fk describing all prefixes of length k of paths satisfying  If (fMk  fk ) is satisfiable, return the satisfying assignment as a counterexample Otherwise, increase k and return to 2.

21 If (fMk  fk ) is unsatisfiable: M has no counterexample of length k
If k = 2|V| then we can conclude M |= AGp Too big - not practical The method is suitable for refutation Bug finding

22 BMC for checking =EFp
fMk (V0,…,Vk) = INIT(V0)  R(V0,V1)  …  R(Vk-1,Vk) Uses k+1 copies of V = { v1, …,vn } Vi represents the state after i transitions

23 BMC for checking =EFp
To check if p is violated within k steps: fk (V0,…,Vk) = p(V0)  …  p(Vk) = Vi=0…k p(Vi) To check if p is violated exactly on state k: fk (V0,…,Vk) = p(Vk) Useful when working iteratively on k=0,1,2,…

24 BMC for checking =EFp
The iterative algorithm: . 24 24

25 Example – shift register
Shift register of 3 bits: <x, y, z> Transition relation: R(x,y,z,x’,y’,z’) = x’=y  y’=z  z’=1 |____| error Initial condition: INIT(x,y,z) = x=0  y=0  z=0 Specification: AG ( x=0  y=0  z=0)

26 Propositional formula for k=2
INIT = x=0  y=0  z=0 R = x’=y  y’=z  z’=1 fM,2 = (x0=0  y0=0  z0=0)  (x1=y0  y1=z0  z1=1)  (x2=y1  y2=z1  z2=1) f,2 = Vi=0,..2 (xi=1  yi=1  zi=1) Satisfying assignment: This is a counterexample! p = x=0  y=0  z=0

27 A remark In order to describe a computation of length k by a propositional formula we need k+1 copies of the state variables. With BDDs we use only two copies of current and next states.

28 Bounded model checking
Can handle all of LTL formulas Can be used for verification by choosing k which is large enough Need bound on length of the shortest counterexample. diameter bound. The diameter is the maximum length of the shortest path between any two states. Using such k is often not practical due to the size of the model Computing worst case diameter is exponential. Obtaining better bounds is sometimes possible, but generally intractable.

29 SAT-based verification
Induction Interpolation IC3

Download ppt "Introduction to Software Verification"

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
50.530: Software Engineering

50.530: Software Engineering
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 A Tutorial on Parallel and Distributed Model Checking Orna Grumberg Computer Science Department Technion, Israel.

1 A Tutorial on Parallel and Distributed Model Checking Orna Grumberg Computer Science Department Technion, Israel.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)
1 Model Checking, Abstraction- Refinement, and Their Implementation Orna Grumberg Verification seminar March 2006.

1 Model Checking, Abstraction- Refinement, and Their Implementation Orna Grumberg Verification seminar March 2006.

Similar presentations

Ads by Google