Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking basic concepts and techniques Sriram K. Rajamani.

Published byMya Chesser Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking basic concepts and techniques Sriram K. Rajamani."— Presentation transcript:

1 Model Checking basic concepts and techniques Sriram K. Rajamani

2 Sources: My MSR Model checking crash course from Fall 99 Tom Henzinger’s slides from his OSQ course

3 Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula of a temporal logic.

4 Why is this of interest to us? Because the dynamics of a discrete system can be captured by a Kripke structure. Because some dynamic properties of a discrete system can be stated in temporal logics.  Model checking = System verification

5 Model checking, generously interpreted: Algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).

6 Part I: Models and Specifications Part II: State explosion Agenda

7 S0S0 S1S1 S2S2 S3S3 Kripke Structure States : valuations to a finite set of variables Initial states : subset of states Arcs: transitions between states Atomic Propositions: finite set of predicates over variables Observation (color): Valuation to all atomic propositions at a state

8 Kripke Structure M =  W, I, R, L,   W : set of states (possibly infinite) I  W : set of initial states R  W X W : set of arcs L : set of atomic propositions   W  2 L : mapping from states to subset of atomic propostions (colors)

9 Three important decisions: 1may vs. must: branching vs. linear time 2prohibiting bad vs. desiring good behavior: safety vs. liveness 3operational vs. declarative: automata vs. logic Specification

10 S0S0 S1S1 S2S2 S3S3 S0S0 S1S1 S2S2 Run Trace

11 S0S0 S1S1 S2S2 S3S3 S0S0 S1S1 S2S2 S3S3 Run-tree Trace-tree

12 Linear temporal logics (eg LTL) view a model as a set of traces Branching temporal logics (eg CTL) view a model as a set of trace-trees Branching Vs Linear

13 S0S0 S3S3 S4S4 S1S1 S2S2 t2t2 t3t3 t1t1 t0t0 Same traces, different trace trees

14 Linear time is conceptually simpler than branching time (words vs. trees). Branching time is often computationally more efficient. Branching “refinement” implies linear “refinement” Expressive powers are incomparable

15 Three important decisions: 1may vs. must: branching vs. linear time 2prohibiting bad vs. desiring good behavior: safety vs. liveness 3operational vs. declarative: automata vs. logic Specification

16 Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

17 Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously.

18 Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously. Safety

19 Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.

20 Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter. Safety

21 Whenever process P1 wants to enter the critical section, it enters it within 51 cycles

22 Whenever process P1 wants to enter the critical section, it is not the case that 51 cycles pass without P1 entering the critical section Safety

23 Whenever process P1 wants to enter the critical section, it eventually enters it Liveness

24 Sequential programs Safety corresponds to partial correctness Liveness corresponds to termination

25 The vast majority of properties to be verified are safety. Safety Vs Liveness

26 While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness. Why liveness? “Eventually, we are all dead!” The answer is: abstraction and fairness

27 Why liveness? r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 If P1 requests and keeps requesting, it will be granted within 2 cycles

28 Abstract view r2r2 r1r1 g2g2 g1g1 r2r2 r1r1 F G1G1 G2G2 r1r1 r2r2 g1g1 g2g2 r1r1 r2r2 ~r 1 ~r 2 F1F1 F2F2 G1G1 G2G2 Safety: If P1 requests and keeps requesting, it will be granted within 2 cycles Liveness: If P1 requests and keeps requesting it will be eventually granted (Does this hold?)

29 q1q1 q2q2 Fairness constraint: the green transition cannot be ignored forever q3q3

30 Without fairness: infRuns = q 1 (q 3 q 1 ) * (q 2 )   (q 1 q 3 )  With fairness: infRuns = q 1 (q 3 q 1 ) * (q 2 )  q1q1 q2q2 q3q3

31 Two important types of fairness 1 Weak (Buchi) fairness: a specified set of transitions cannot be enabled forever without being taken 2 Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken

32 Fair Kripke Structure M =  W, I, R, L, , SF, WF  W : set of states (possibly infinite) I  W : set of initial states R  W X W : set of arcs L : set of atomic propositions   W  2 L : labeling function SF: set of strongly fair arcs WF: set of weakly fair arcs

33 Model-Checking Algorithms for finite state Kripke structures = Graph Algorithms

34 Automata theoretic approach to model checking Does M satisfy property  ? Step 1: Build automaton A for negation of  Step 2: Construct product P = MxA Step 3: Check if L(P) is empty

35 1Safety: -algorithm: reachability (linear) 2Response under weak fairness: -algorithm: strongly connected components (linear) 3Liveness: -algorithm: recursively nested SCCs (quadratic)

36 LogicModel checking complexity Invariant|M| CTL|M| * |  | LTL |M| * 2 |  | Modal  -calculus ? Refinement|M| * 2 |S|

37 Example: State Machine For Locking UnlockedLockedError U LL U

38 Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); return OK; } Unlock(&x) …

39 Product Construction … Lock(&x); If (x->foo) { if (bar(x)) { Unlock(&x); // return OK; } Unlock(&x) …

40 Part I: Models and Specifications Part II: State explosion Agenda

41 Problem State explosion : |M| is exponential in the syntactic description of M

42 Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]

43 Binary Decision Diagrams [Bryant] Ordered decision tree for f = a  b  c  d 0110100110010110 d ddddddd c ccc 01 0 101 0 1010101 bb a

44 OBDD reduction a bb cc dd 0 1 0 0 1 0 1 0 1 1 1 0 0 1 0 1 f = a  b  c  d

45 OBDD properties Variable order strongly affects size Canonical representation for a given order Efficient apply algorithm –boolean operations on BDD’s is easy –Can build BDD’s for large circuits f g O(|f| |g|) fg

46 Boolean quantification If v is a boolean variable, then  v.f = f | v =0 + f | v =1 Example:  b,c). (ab +  ce + b´d) = a + e  d Complexity on BDD representation –worst case exponential –heuristically efficient

47 Characterizing sets Let M be a model with boolean variables (v 1,v 2,…,v n ) Represent any P  {0,1} n by its characteristic function  P P = {(v 1,v 2,…,v n ) :  P } Example: Variables = (x,y,z) P = { (0,0,1), (0,1,0), (1,0,0), (1,1,1) }  P = x + y + z

48 Characterizing sets Represent characteristic function as BDD Set operations can be now done as BDD operations –    = false  S = true –  P  Q  = P + Q  P  Q = P  Q –  S  \ P  =  P

49 Transition Relations Transition relation R is a set of state pairs for all the arcs in the state machine –R = {((v 1,v 2,…,v n ), (v’ 1,v’ 2,…,v’ n )) :  R } v1v1 v0v0  R = (v’ 0 =  v 0 )  (v’ 1 = v 0  v 1 )

50 Forward Image P R Image(P,R)

51 Reverse Image P R Image -1 (P,R)

52 Symbolic invariant checking S := BDD for initial states V := BDD for negation of invariant R := BDD for transition relation Loop If ( S  V) then print “failed” and exit I := Image( S, R) S’ := S  I If ( S = S’) then print “passed” and exit End

53 BDDs Big breakthrough in hardware McMillan’s thesis won the ACM thesis award Intel, IBM, Motorola all have BDD based model checkers, and large “formal verification” teams based on them. BDDs compactly represent transition relations Can prove that if the circuit has “bounded” communication,then transition relation is small Images and Reachable sets tend to blowup

54 BDDs Images and reachable sets blow up often Subject of intense investigation (PhD theses on how to compute images without BDDs blowing up) Alphabetical soup of variations: ADDs to ZDDs Work upto ~100 variables, don’t really scale to thousands of variables Provide good “bootstrap” for compositional methods

55 Infinite state model checking S := constraint for initial states V := constraint for negation of invariant R := constraint for transition relation Loop If ( S  V) then print “failed” and exit I := Image( S, R) S’ := S  I If ( S = S’) then print “passed” and exit End

56 Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]

57 Symmetry Reductions Idea: If state space is symmetric, explore only a symmetric “quotient” of the state space Let us define “quotient” first… (also useful in abstractions)

58 Recall our model M =  W, I, R, L,   W : set of states I  W : set of initial states R  W X W : set of arcs L : set of atomic propositions   W  2 L : mapping from states to colors Usually we fix the colors and say: M =  W, I, R,  

59 Quotient M =  W, I, R,   Let  be an equivalence relation on W. Assume: s  t   (s) =  (t) s  I iff t  I Quotient: M’ =  W’, I’, R’,  ’  –W’ = W /  I’ = I /  –R’ ([s],[t]) whenever R(s,t) –  ’([s]) =  (s)

60 Abstract search Suppose we want to check an invariant: Does M satisfy  ? Instead check: Does M’ satisfy  ? This is sound but not complete. (Why?)

61 Stable equivalences Equivalence  is called stable if: R ( x, y)  for every s in [x] there exists some t in [y] such that R (s,t) Claim: Suppose  is called stable, then: M satisifies  iff M’ satisfy  Sound and complete! (Why?)

62 Automorphisms 0,0 1,1 0,11,0 A permutation function f : W  W is an automorphism if: 1. x  f(x) for all x 2. R( x, z)  R( f(x), f(z))

63 Automorphisms f: f(0,0) = 1,1 f(1,1) = 0,0 f(0,1) = 0,1 f(1,0) = 1,0 g: g(0,0) = 0,0 g(1,1) = 1,1 g(0,1) = 1,0 g(1,0) = 0,1 A = { f, g, f  g, I} The set of all automorphisms forms a group! 0,0 1,1 0,11,0

64 Automorphisms Let x  y if there is some automorphism f such that f(x) = y The equivalence classes of  are called orbits Claim 1:  is an equivalence Claim 2:  is stable

65 Orbits [ (0,0), (1,1) ] [ (0,1), (1,0) ] 0,0 1,1 0,11,0

66 Symmetry reduction [ (0,0),(1,1) ] [ (0,1), (1,0) ] Map each state to its representative in the orbit

67 Symmetry reduction Step 1: Analyze the system statically and come up with a function that maps each state to its representative Step 2: When exploring the states, store and explore the representatives!

68 Symmetry reduction Difficulty: Computing the function (which maps states to representatives) is hard! Solutions: Be satisfied with multiple representatives for each orbit Ask user to tell you where the symmetries are

69 Symmetry reduction Implemented in Mur  Similar ideas have also impacted Nitpick

70 Fighting state explosion –Symbolic techniques (BDDs) - [SMV, VIS] –Symmetry reduction - [Murphi] –Partial-order reduction - [SPIN] –Divide and Conquer - [MOCHA, new SMV] –Abstraction - [STeP, InVeSt,SLAM]

71 Partial Order Methods Protocols are usually modeled as an asynchronous composition of processes (interleaving model) Partial order reduction explores only a portion of the state space You can still prove properties about the entire state space

72 S0S0 S1S1 S2S2 S3S3 Actions An action is a guarded command Nondeterminism arises because any of the enabled actions could be scheduled next! Can label state machine transitions with action names     

73 Independent Actions S0S0 S1S1 S2S2 S3S3    Actions  and  are independent if: 1. Neither action enables or disables the other 2. If both  and  are enabled, then they commute

74 Partial Order Methods Key idea: If actions {  } are independent then:  Need to explore only one! But there are some caveats..

75 Parital Order Equivalence Two action sequences A and B are partial- order-equivalent if: A can be transformed to B by swapping adjacent independent actions Need to explore only one representative in each equivalence class!

76 Partial Order Methods Offer good reductions in asynchronous protocols: Exponential reductions in “artificial” examples 5-10 times faster in “real” examples Implemented in SPIN Also implemented in Verisoft (we will revisit this later!)

77 Example integer x, y; boolean bomb; Init  true  x := 0; y := 0; bomb := false Update   : ( x < 10) & ! bomb  x := x+1   : ( y < 10) & ! bomb  y := y+1   : ( x = 3) & ( y = 3) & ! bomb  bomb := true

78 0,0   1,02,03,04,0    0,1  1,12,13,14,1    0,2  1,22,23,24,2    0,3  1,32,33,34,3          

Download ppt "Model Checking basic concepts and techniques Sriram K. Rajamani."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

Similar presentations

Ads by Google