Presentation is loading. Please wait.

Presentation is loading. Please wait.

A brief history of model checking Ken McMillan Cadence Berkeley Labs

Published byMarshall Skinner Modified over 9 years ago

Similar presentations

Presentation on theme: "A brief history of model checking Ken McMillan Cadence Berkeley Labs"— Presentation transcript:

1 A brief history of model checking Ken McMillan Cadence Berkeley Labs mcmillan@cadence.com

2 Outline Part I -- Introduction to model checking –Automatic formal verification of finite-state systems –Applications Commercial hardware design Avionics, chemical plant control, automotive, etc. Part II -- A brief history of model checking –Influence of many abstract ideas from logic on the development of model checking

3 The Verification Problem Debugging chips by simulation... –consumes greater than half of design time, –is unreliable “Escapes” can cost up to $500M, –is increasing in cost as chip densities scale up

4 2 Model Checking input: –temporal logic spec –finite-state model output –yes –no + counterexample (look ma, no test vectors!) MC G(p  F q) yes no p q p q

5 5 Temporal logic (LTL) A logical notation that allows to: –specify relations in time –conveniently express finite control properties Temporal operators –G p“henceforth p” –F p“eventually p” –X p“p at the next time” –p W q“p unless q”

6 6 Types of temporal properties Safety(nothing bad happens) G ~(ack1 & ack2) “mutual exclusion” G (req  (req W ack)) “req must hold until ack” Liveness(something good happens) G (req  F ack) “if req, eventually ack” Fairness GF req  GF ack “if infinitely often req, infinitely often ack”

7 7 Computation tree logic (CTL) Branching time model Path quantifiers –A = “for all future paths” –E = “for some future path” Example: AF p = “inevitably p” AFp p p p

8 9 CTL model checking algorithm Example: AF p = “inevitably p” Complexity –linear in size of model (FSM) –linear in size of specification formula p Note: LTL is exponential in formula size AFp

9 10 Example: traffic light controller Guarantee no collisions Guarantee eventual service E S N

10 14 Specifications Safety (no collisions) AG  (E_Go  (N_Go | S_Go)); Liveness AG (  N_Go  N_Sense  AF N_Go); AG (  S_Go  S_Sense  AF S_Go); AG (  E_Go  E_Sense  AF E_Go); Fairness constraints infinitely often  (N_Go  N_Sense); infinitely often  (S_Go  S_Sense); infinitely often  (E_Go  E_Sense); (assume each sensor off infinitely often)

11 15 Counterexample East and North lights on at same time... E_Go E_Sense NS_Lock N_Go N_Req N_Sense S_Go S_Req S_Sense E_Req N light goes on at same time S light goes off. S takes priority and resets NS_Lock N light goes on at same time S light goes off. S takes priority and resets NS_Lock

12 20 State explosion problem What if the state space is too large? –too much parallelism –data in model Approaches –Abstraction/reduction –“Symbolic” methods –Exploiting symmetry –“Partial order” methods

13 21 Binary Decision Diagrams Ordered decision tree for f = ab + cd 0001000100011111 d ddddddd c ccc 01 0 101 0 1010101 b b a

14 22 OBDD reduction Reduced (OBDD) form: 01 d c 0 1 0 1 0 1 b a 0 1 Key idea: combine equivalent subcases

15 24 Symbolic model checking Basic idea: –Use BDD’s to represent sets and relations –Avoid explicitly representing states Transition relations a,ba’,b’ R(a,b,a’,b’)

16 25 Image computation EX p = states that can reach p in one step EXpp EX p =  v’. (R(v,v’)  p(v’)) Note:  a. f = f | a=0 + f | a=1

17 26 Fixed point iteration EF p = states that can reach p S 0 = pS1S1... SwSw S i+1 = S i \/ EX S i...Model checking without building state graph

18 33 Example: “Gigamax” cache protocol First commercial application Method scales well with system size Finds very subtle “escapes” MPP... cluster bus MPP... global bus UIC...

19 Genealogy of model checking Logics of Programs Temporal/ Modal Logics CTL Model Checking Symbolic Model Checking  -automata S1S LTL MC ATV Tarski  -calc QBFBDD Many ideas from logic influence development of model checking...

20 Logics of programs Floyd/Hoare/Dijkstra –Give precise definitions of programming languages –Allows reasoning about programs (proofs/derivations) –Pre-post conditions/ weakest precondition example: assignment axioms {true} x :=y {x = y} {P} x := y {P} (no x in P)

21 Pnueli –Concurrent vs. sequential programming –need to characterize execution sequences –proposes use of temporal logic Concurrent programs sequential A B concurrent A B call ret

22 Temporal and modal logics Roots in philosophical logic –Tense logic -- formalizing linguistic time “If a, then b before c” –Modal logic -- reasoning about possibility “If I had run I would have caught my plane” New use in computer science: –characterize the interactions of parallel processes G req  F ack

23 Genealogy Logics of Programs Temporal/ Modal Logics Pnueli, late 70’s Floyd/Hoare late ‘60’s Aristotle 300’sBCE Kripke ‘59

24 CTL Model checking Reasoning about properties of non- deterministic programs –branching time properties of programs –fixed point characterizations (Tarski) every monotonic function has least/greatest fixed point –key idea: apply to finite graphs, not infinite trees can directly calculate Tarski fixed points Applications –finite state machines in hardware –protocols –proved incorrectness of some published designs

25 Genealogy, cont Logics of Programs Temporal/ Modal Logics CTL Model Checking Tarski Clarke/Emerson Early 80’s 50’s Some published circuits are proved incorrect

26 Decidable logics and automata Büchi –S1S -- reason about sets of natural numbers –Automata on infinite words characterize set of models of formula example: sets that contain the odd numbers –Deep connection between logics and automata 0,1 1 0

27 LTL model checking Vardi and Wolper –Apply Büchi’s technique to LTL –Automaton construction yields optimal decision algorithm Kurshan –Specify properties directly as automata example: infinitely often p (GFp) p true pp

28 Genealogy Logics of Programs Temporal/ Modal Logics CTL Model Checking  -automata S1S LTL MC ATV Tarski Büchi, 60 Kurshan Vardi/ Wolper mid 80’s

29 Symbolic Model Checking State explosion problem –graph model guarantees worst-case complexity Characterize sets and relations by Boolean formulas –compute Tarski fixed points directly on formulas –Use BDD’s to represent formulas efficient canonical form EXp =  v. (R  p  (QBF)

30 Mu-calculus Park’s Mu-Calculus –Logic of relations with fixed point operator –Can express transitive closure –Nicely characterizes what SMC can compute SMC algorithm for Mu-calculus –Use to express symbolic algorithms for CTL, LTL model checking Automaton containment, etc... –Note: bad specification logic, but good for describing algorithms AFp =  Q. p  AX Q

31 Genealogy, cont. –Note first commercial application in 1990 Encore Gigamax cache protocols Logics of Programs Temporal/ Modal Logics CTL Model Checking Symbolic Model Checking  -automata S1S LTL MC ATV Tarski  -calc QBFBDD Park 60’s Bryant mid 80’s late 80’s

32 Applications Hardware Design –Encore Gigamax –Intel instruction decoder –SGI cache protocol chip Other areas –Avionics (TCAS) –Chemical plant control –Nuclear storage facilities (!) Commercial tools –Cadence, IBM, Synopsys

33 A convergence of research areas in logic Many areas of logic have shaped the discourse in model checking –Logics of programs –Temporal/Modal logics –Tarski fixed point theory –Decidable logics -- S1S/automata –Park’s mu-calculus Much of this work is quite abstract, but has strongly influenced practical work in model checking

Download ppt "A brief history of model checking Ken McMillan Cadence Berkeley Labs"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Introduction to Model Checking

Introduction to Model Checking
Part II Concepts.

Part II Concepts.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification

Similar presentations

Ads by Google