CDA 5416: Computer System Veri cationhaozheng/teach/cda5416/slides/intro.pdf · Contents 1 Course...

CDA 5416: Computer System VerificationIntroduction

Hao Zheng

Department of Computer Science and EngineeringUniversity of South Florida

Tampa, FL 33620Email: [email protected]: (813)974-4757Fax: (813)974-5456

Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 1 / 49

Contents

1 Course Logistics

2 Verification − Why

3 Verification − Overview

4 Formal Verification and Model Checking

5 Course Topics


About This Course

Definition of Verification (Google)The process of establishing the truth, or validity of something

Objective: learn model checking, an automated techniques forverifying computing systems

• Learn modeling computation and communication of concurrentsystems

• Learn formal correctness specification using temporal logics,• Understand the basic model checking algorithms• Gain Hand-on experience with widely-used model checkers


Contact Information

Office Location: ENB 312Office Hours: 1− 2:30pm, Mon & Wed,

or by appointmentCourse webpage: Canvas

http://www.cse.usf.edu/~haozheng/

teach/cda5416/

Email: [email protected]: (813) 974-4757


http://www.cse.usf.edu/~haozheng/teach/cda5416/http://www.cse.usf.edu/~haozheng/teach/cda5416/

Background Requirements

• Topics covered are for HW/SW verification.• Basic knowledge of how HW/SW works (logic design, computer

architecture, OS, etc).

• Knowledge in automata/first-order logic (Discrete math) isdesirable,• but we will review the basics as needed.

• Programming skills that might be needed for the final project.


Textbook

Principles of Model CheckingChristel Baier and Joost-Pieter Katoen

The MIT Press | Massachusetts Institute of Technology Cambridge, Massachusetts 02142 | http://mitpress.mit.edu 978-0-262-02649-9

Principles of Model CheckingChristel Baier and Joost-Pieter Katoen

Principles of Model C

hecking Baier and Katoen

computer science

Our growing dependence on increasingly complex computer and software systems necessitates the development of formalisms, techniques, and tools for assessing functional properties of these systems. One such technique that has emerged in the last twenty years is model checking, which systematically (and automatically) checks whether a model of a given system satisfies a desired property such as deadlock freedom, invariants, or request-response properties. This automated technique for verification and debugging has developed into a mature and widely used approach with many applications. Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field.

The book begins with the basic principles for modeling concurrent and communicating systems, introduces different classes of properties (including safety and liveness), presents the notion of fairness, and provides automata-based algorithms for these properties. It introduces the temporal logics LTL and CTL, compares them, and covers algorithms for verifying these logics, discussing real-time systems as well as systems subject to random phenomena. Separate chapters treat such efficiency-improving techniques as abstraction and symbolic manipulation. The book includes an extensive set of examples (most of which run through several chapters) and a complete set of basic results accompanied by detailed proofs. Each chapter concludes with a summary, bibliographic notes, and an extensive list of exercises of both practical and theoretical nature.

Christel Baier is Professor and Chair for Algebraic and Logical Foundations of Computer Science in the Faculty of Computer Science at the Technical University of Dresden. Joost-Pieter Katoen is Professor at the RWTH Aachen University and leads the Software Modeling and Verification Group within the Department of Computer Science. He is affiliated with the Formal Methods and Tools Group at the University of Twente.

“ This book offers one of the most comprehensive introductions to logic model checking techniques available today. The authors have found a way to explain both basic concepts and foundational theory thoroughly and in crystal-clear prose. Highly recommended for anyone who wants to learn about this important new field, or brush up on their knowledge of the current state of the art.”

Gerard J. Holzmann, NASA/JPL Laboratory for Reliable Software

“ Principles of Model Checking, by two principals of model-checking research, offers an extensive and thorough coverage of the state of art in computer-aided verification. With its coverage of timed and probabilistic systems, the reader gets a textbook exposition of some of the most advanced topics in model-checking research. Obviously, one cannot expect to cover this heavy volume in a regular graduate course; rather, one can base several graduate courses on this book, which belongs on the bookshelf of every model-checking researcher.”

Moshe Vardi, Director, Computer and Information Technology Institute, Rice University

• Principles of Model Checking byChristel Baier and Joost-Pieter KatoenMIT Press 2008.

• Lectures borrow much material from thetextbook.

• Free on-line access via USF Library


Books for References

Books for References

Hao Zheng ( Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: [email protected] Phone: (813)974-4757 Fax: (813)974-5456 )CDA 5416: Computer System Verification 6 / 53


Another Reference Book

A systematic introduction to the SPIN model checker


Evaluation

• Grading policy:• Homeworks: 40%• Quizzes: 5%• Midterm: 25%• Final Project: 30%

• Final Grade: suppose your grade is x%.

90% ≤ x : A80% ≤ x < 90% : B70% ≤ x < 80% : C

x < 70% : D.


Course Communications

• Communications: Canvas at my.usf.edu.• Check out grades, announcements, handouts, etc• All submissions must be done via Canvas.

• Submission using other means will be ignored!• HW solutions and other related information.• Additional information can be found on

http://www.cse.usf.edu/~haozheng/teach/cda5416/

• Clear your email inbox!• You are responsible for not getting emails due the full inbox.

• Request for late submissions and makeup exam:• Granted only when proof showing emergency is provided.• Exceptions to homework or exam schedules for religious observance

will be granted if you let me know at least one week ahead!


http://www.cse.usf.edu/~haozheng/teach/cda5416/

Academic Integrity

• Students are expected to be honest and do not cheat.• More important, be honest to yourselves.

• Collaboration and discussions are highly encouraged.• Copying each others work is forbidden.• Read the university policy at

http://www.ugs.usf.edu/catalogs/0809/adadap.htm

• The reward for cheating is FF.


http://www.ugs.usf.edu/catalogs/0809/adadap.htm

Contents

1 Course Logistics




5 Course Topics


A Flight Autopilot

• Requirement: The autopilot should avoid collision with otherplanes.

• A solution: When distance is 1km, give warning to other planeand notify the pilot. When distance is 300m, and no changes inthe course of other plane were noticed, go up to avoid collision.

• Is this correct?

• The same SW installed on both planes, and both may be directedto change to the same course again!

• Deadlock is a state where all parties are stuck and cannot makefurther progress.• Deadly consequences may occur if the control system deadlocks.


A Flight Autopilot

• Requirement: The autopilot should avoid collision with otherplanes.

• A solution: When distance is 1km, give warning to other planeand notify the pilot. When distance is 300m, and no changes inthe course of other plane were noticed, go up to avoid collision.

• Is this correct?• The same SW installed on both planes, and both may be directedto change to the same course again!

• Deadlock is a state where all parties are stuck and cannot makefurther progress.• Deadly consequences may occur if the control system deadlocks.


A SW example

process Inc: while true do if x < 200 then x := x+ 1 odprocess Dec: while true do if x > 0 then x := x− 1 odprocess Reset: while true do if x = 200 then x := 0 od

Property: is x always between (including) 0 and 200?

Answer: When x = 200, both Dec and Reset are active, ...


A SW example: SPIN Model (1)

int x = 0;

proctype Inc() {

do :: true -> if :: (x < 200) -> x = x+1 fi od

}

proctype Dec() {

do :: true -> if :: (x > 0) -> x = x-1 fi od

}

proctype Reset() {

do :: true -> if :: (x == 200) -> x = 0 fi od

}


A SW example: SPIN Model (2)

proctype Check() {

assert (x >= 0 && x

A SW example: SPIN OutputA SW example: SPIN Output

pan:1: assertion violated ((x>=0)&&(x

Some High-Profile Bugs


Pentium FDIV Bug (1994)

• Intel Pentium chip, released in 1994 produced error in floatingpoint division.

• Try 4195835− 41958353145727

∗ 3145727.• You would expect 0.• In 94 Pentium, it returns 256!

• Cause: Five entries in the lookup table used for the divisionalgorithm are missing when implemented.

• Bugs only occur after 10th bits to the right of floating point.• Cost: $475 million (part replacements + reputation demage)


Ariane 5 Explosion (1996)

• In December 1996, the Ariane 5 rocket exploded 40 seconds aftertake off.

• Cause: A software components threw an exception caused by adata conversion from 64-bit floating point to 16-bit signed number.

• The exception handler was not used.• Cost: $400 million payload.


Thera-25 Radiation Overdose (1985-87)

• Therac-25: a radiation machine for treatment of cancer patients.• Cause: A failure in the control SW caused wrong dosages of

x-rays into patients.

• Cost: Three patients died as a direct result of this accident.


AT&T Telephone Network Outage (1990)

• January 1990: problem in New York City leads to 9 hour outage oflarge parts of U.S. telephone network

• Cause: a flaw (wrong interpretation of break statement in C) inthe SW embedded in the switches.

• Cost: hundreds of millions US$.


Lessons from Previous Bugs

• Accidents are often not simple.• Usually involve complex sequences of interactions among different

components in the system, and the operating environmentincluding human beings using the system.• Verifying a component is far from being enough.• The whole system must be thoroughly verified.

• Verification challenges• Huge space of behavior − impossible to verify them completely• External events − non-determinism


Importance of System Correctness

• Computing integrated in various applications• Embedded systems• Communication protocols• transportation systems• Manufacturing/process control

• System reliability depends on correctness of HW/SW.• Defects can be• Very expensive for mass-produced products − repair & replacements• Fatal for safety-critical systems − loss of human lives

• NIST (National Institute of Standards and Technology) reportssoftware bugs cost $60 billion annually


Cost of BugsCost of Bugs

The number of design bugs and the cost to fixing them over the course of adesign project.


The number of design bugs and the cost to fixing them over the course of adesign project.


Verification in Reality

• Some numbers:• Verification engineers : design engineer = 3:1.• Verification takes 50%− 70% of design resources.

• The reasons:• The longer bugs undetected the costlier to fix them.• A bug found early incurs little fixing cost.• A bug found after being manufactured may require to repeat the

whole design process.• A bug slipped into customer’s hand can cost hundreds of millions in

hardware and brand image.


Contents

1 Course Logistics




5 Course Topics


Types of Verification

• A process that establishes or confirms that a system fulfills itsrequirements.

• Verification can be classified depending on the attributes:• Functional• Performance• Power• Reliability

Verification 6= Validation1 Verification = check that we are building the the thing right

2 Validation = check that we are building the the right thing


What is Functional Verification?

• Verification to ensure that the logic behavior of a system meetsrequirements.• Also called logic verification.

• Target applications:• HW & SW & communication protocols• Sequential or concurrent systems• Can be found in many important applications such as

• Digital logic designs,• Communication protocols• Embedded control systems

• Can be applied to finite or infinite systems• Abstraction can reduce infinite state systems to finite ones.


When to Use Functional VerificationThe Role of Functional Verification

• A system is designed through asequence of refinement steps.

• Di↵erent requirements atdi↵erent levels.

• System at a lower level mustconforms to the one at ahigher level.


• A system is designed through asequence of refinement steps.

• Different requirements atdifferent levels.

• System at a lower level mustconform to the one at a higherlevel.


Functional Verification Techniques

• Simulation

Common Approaches to Func. Verification

• Simulation

• Logic Emulation: a design is prototyped with FPGAs• Faster, more real testing, and easier for system integration.• Less flexible, hard to debug, etc.

• Testing: work on real stu↵!


• Testing: work on real stuff!• Logic Emulation: a design is prototyped with FPGAs• Faster, more real testing, and easier for system integration.• Less flexible, hard to debug, etc.

• Formal verification/model checking• Based on mathematic logic foundation.Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 31 / 49

Challenges to Verification

• System complexity grows exponentially over time• Moore’s law says that number of transistors double in every 24

months.• More functions are integrated on a single chip.

• Effectiveness of simulation/testing degrades exponentially.• Performance of simulation degrades linearly in system size and

number of simulation vectors − too slow for large complex systems.• The state space to check grows exponentially at the same time.• Not enough input vectors can be simulated with reasonable amount

of time.

⇒ Low confidence in system correctness.


Contents

1 Course Logistics




5 Course Topics


Formal Verification

• Applied mathematic logic for modeling and analyzing computingsystems.• Improve system quality, and reduce verification time.

• Highly recommended by FAA and NASA.• Formal Specification: describe behavior accurately at higher

abstraction level.

• Models: mathematical objects independent of implementations.• Approaches• Theorem Proving: highly expressive• Logic equivalence checking: highly automated• Model Checking: automated


Model Checking: OverviewOverview of Model Checking

Software ErrorsSoftware Correctness

Model CheckingCourse Details

Model Checking Overview

Prof. Dr. Ir. Joost-Pieter Katoen Introduction to Model CheckingHao Zheng ( Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: [email protected] Phone: (813)974-4757 Fax: (813)974-5456 )CDA 5416: Computer System Verification 34 / 53Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 35 / 49

Model Checking: Definition

Model checking (MC) is an automatic verification technique thatanswers yes or no to the following question:

M |= f

where

• M is a finite state model of the system under verification,• f is the set of formal properties specifying the correctness

requirements.


What are Models?What are Models?

Software ErrorsSoftware Correctness

Model CheckingCourse Details

What are Models?

Prof. Dr. Ir. Joost-Pieter Katoen Introduction to Model Checking

Hao Zheng ( Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: [email protected] Phone: (813)974-4757 Fax: (813)974-5456 )CDA 5416: Computer System Verification 36 / 53Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 37 / 49

What are Models?

State transition systems• States labeled with basic propositions.• Transition relation between states.

Generality• Sequential programs• Multi-threaded programs• Communicating processes and protocols• Hardware circuits• Biologic systems• . . .


What are Properties?

• Examples:• Can the system reach a deadlock state?• Can two processes access a shared resource at the same time?• Does the program in the correct state upon termination?

Classification

• Safety properties: nothing bad ever happens.

• Liveness properties: good things eventually happen.

• Fairness: something happens infinitely often or repeatedly.

• Specification formalims• Temporal logic• Automata


Advantages of Model Checking

• Exhaustiveness (vs simulation)• All system states are checked, at least in theory.• Not biased to the most possible scenarios (as in testing).

• Automated and fast (vs theorem proving)• Allows easy integration into the existing design flow.

• Diagnostic counter-examples to speed debugging• Help to pinpoint source of the bug

• Specification logics easily express many concurrency properties.• Concise and rigorous.

• The process of modeling and specification itself can reveal a lot of• Incompleteness, ambiguities, and inconsistencies.

• No proofs: why a system is correct is not important, and does notreveal much useful information.• Often used as an enhanced debugger.Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 40 / 49

State Explosion

• State space grows exponentially as the size of system description.• System state space = product of component state space• Available memory cannot keep up with demand.

State Explosion

• State space grows exponentially as the size of system description.• System state space = product of component state space• Available memory cannot keep up with demand.

OUTPUTS: li,lo,ri,roINTERNAL: nor_fifo1,ce_fifo1

DUMMY: dummy

s0

s19

li+

s8

lo+

s20

nor_fifo1+

s10

li-

s13

ce_fifo1+

s2

nor_fifo1+

li+

s14

ce_fifo1+

s17

nor_fifo1- li-

s7

ri-

s9

ri-li+

s18

li- nor_fifo1-

s11

ro-

s12

ro-li+

s15

ce_fifo1-

s4

lo-

s5

ri+

s16

ce_fifo1-li+

s6

ro+

s3

li+li+ ri+ ro+



State Explosion (1)

|S| = 116, |R| = 240

��

��

��

��

��

��

��

State Explosion (1)

|S | = 116, |R | = 240

OUTPUTS: li,lo,ri,roINTERNAL: nor_fifo1,nor_fifo2,ce_fifo1,ce_fifo2,r21,l12

DUMMY: dummy

s0

s31

li+

s20

lo+

s85

ce_fifo1+

s16

li-

s84

nor_fifo1+

s76

li-

s86

nor_fifo1-

s75

nor_fifo1+

li+

s79

nor_fifo1-

s105

lo-

ce_fifo1+

s66

l12+

s114

li+

li-

s22

r21+

s69

li+

s72

ce_fifo2+

s3

ce_fifo1-

s27

li+

s51

ce_fifo1-

s93

nor_fifo2-

s81

li+

ce_fifo2+

s32

l12-

s10

li+

s70

nor_fifo2-

s90

l12-

s58

li+

ce_fifo1-

s104

li+ce_fifo2+

s39

li+

s74

li+

s116

l12-

s94

li+ nor_fifo2- ce_fifo1-

s6

nor_fifo2- l12-

s34

r21-li+

s54

ro+

s106

nor_fifo1+

s41

li+

l12- nor_fifo2-ce_fifo2+

r21-

s61

li+

s50

ri+

s11

nor_fifo1+ro+

s115

li+

nor_fifo2-

ce_fifo1-

ro+nor_fifo1+

ce_fifo2+l12-

s57

ri+

s18

nor_fifo1+ li+

s2

ce_fifo2-

s7

nor_fifo1+li+ ri+ro+

s88

lo+

ce_fifo2+ce_fifo1-

s8

ce_fifo2-

s15

nor_fifo1+ li+

s92

ro-

s63

nor_fifo1+

s110

lo+ ri+ li+ ce_fifo2-

r21+

ro+

s80

li-

s43

ce_fifo1+

s64

ce_fifo1+

s102

ri+

s98

li-

s35

ce_fifo1+ ro+

s103

ro-

s68

nor_fifo1+lo+ ce_fifo2-

s89

nor_fifo2+

ro+li-

s44

nor_fifo1-

l12+

s42

nor_fifo1+li+

s99

ri-ro-li+

s48

li+

s47

ri-

s65

nor_fifo1-

s55

li-

s59

ri+

s36

nor_fifo1- ro+

s19

l12+ nor_fifo2+

nor_fifo1+

s111

ri-

s46

ce_fifo2-ce_fifo1+

s91

li-

s87

ri-

ro-lo+ce_fifo1+ ri+li- ro+

s83

nor_fifo2+

li+

nor_fifo2+

li+ nor_fifo1+

s56

ro+

s62

lo- li-

s60

ri+

s29

lo+

s49

ri-

s14

nor_fifo2+

li+l12+

s17

ri-l12+

ro-

s12

ce_fifo1+

s38

li-

nor_fifo2+

nor_fifo1+nor_fifo1-

s52

ri+

s108

ro-

nor_fifo1- ce_fifo2-li- ce_fifo2-ce_fifo1+

nor_fifo2+

li+

s78

li+ ri-

s73

lo-

s53

ri+

s13

ce_fifo2-li-

s67

li+

s23

l12+ ro+

s24

li-

s107

ce_fifo1+

s30

ri-nor_fifo1-

s4

li- ro-

s40

ce_fifo2-

s101

nor_fifo2+

lo-

s96

li+ ro-

s25

ro-l12+

ro-ce_fifo1+

nor_fifo2+

lo+

s9

ri-li+l12+

ce_fifo2-nor_fifo1-

s28

l12+

s82

ro+

s5

li-

s109

ro-

s26

ri-

s95

ce_fifo1+

s45

ri+

s113

nor_fifo2+

li-

s33

li+ ce_fifo2-

li+

s37

ro+

s97

ri-lo-

s77

l12+ ce_fifo2-

nor_fifo1- ro- nor_fifo1-

s112

ri-li-l12+ li+

s71

ri+

nor_fifo2+

li-ce_fifo1+

s100

nor_fifo2+

nor_fifo1-

s21

l12+ li+ ro-

ce_fifo2-lo-ro+ ro-lo-

nor_fifo2+

ce_fifo1+ri-li-li+ ri+

nor_fifo2+

nor_fifo1- li-nor_fifo1- ri-l12+ ri+l12+ li+ ce_fifo2-



State Explosion (2)

|S| = 644, |R| = 1724

��

��

��

��

��

��

��

��

��

State Explosion (2)

|S | = 644, |R | = 1724

INTERNAL: nor_fifo1,nor_fifo2,nor_fifo3,ce_fifo1,ce_fifo2,ce_fifo3,t1,t2,li,lo,ri,ro,b1,b2DUMMY: dummy

s0

s625

li+

s609

lo+

s445

li-

s257

ce_fifo1+

s167

nor_fifo1+

s2

nor_fifo1+

li+

s103

ce_fifo1+

s428

nor_fifo1-

li-

s270

li-

s288

lo-

s608

t1+

s443

li+

nor_fifo1-

s134

li+

s602

b1+

s126

b1+

s496

nor_fifo2+

s479

ce_fifo1-

s620

ce_fifo2+

t1+

s347

ce_fifo2+

s156

t1-

s352

nor_fifo2-ce_fifo1-

s337

nor_fifo2+

li+

s172

t1+ nor_fifo2+

s54

ce_fifo1-nor_fifo2-

s16

t1-

s8

nor_fifo2+

t1+ li+

ce_fifo2+

s374

t1-

s627

nor_fifo2+

lo-

nor_fifo2-

s450

nor_fifo2+

nor_fifo1-

s379

b1-

s151

nor_fifo2+

li-

s614

nor_fifo2+

li- nor_fifo1-

s208

nor_fifo1+

s204

t2+

s175

nor_fifo2+

ce_fifo1+

s28

t2+

s193

lo+

s339

nor_fifo2+

ce_fifo1+li-

s358

b2+

s5

lo+

s354

nor_fifo2+

lo+

s180

ce_fifo3+

s343

lo+

s498

ce_fifo2-

s191

nor_fifo2+

li+

s526

nor_fifo2+

nor_fifo1+

s319

ce_fifo2-

s258

nor_fifo3-

s159

lo+

s366

nor_fifo2+

nor_fifo1+ li+

s302

lo+

s510

t2-

s401

nor_fifo3-

s488

t2-

s389

nor_fifo3-

s142

li-

s587

ce_fifo1+

lo+

s586

nor_fifo3-

s570

nor_fifo3-

s331

li-

s130

ce_fifo1+

t2-

s43

ce_fifo1+

s230

li-

s420

ce_fifo1+ t2-

nor_fifo3-

lo+

s255

b2-

s222

ce_fifo1+

s238

b2-

s407

li-

s606

t2-

s523

nor_fifo3-

s598

nor_fifo1-

ce_fifo1+

nor_fifo3-

s187

ro+ lo+

s543

nor_fifo2+

lo+t2-

s182

ri+

s165

lo+

s456

nor_fifo2+

s535

b2-

s391

nor_fifo1-

s59

li-

s145

nor_fifo1- nor_fifo3-

s533

nor_fifo2+

s80

li- ce_fifo1+ro+

s436

ro+

s184

ce_fifo1+

s373

li-

s360

ce_fifo3-

s161

lo+

s449

nor_fifo2+

s642

ro+ nor_fifo2+

s375

ce_fifo1+

s440

ro+ nor_fifo2+

li-

s65

nor_fifo1-

li-nor_fifo2+ ce_fifo1+ri+

s639

ri+

s284

ce_fifo1+

s280

nor_fifo2+

s423

ro-

s346

lo+

s628

nor_fifo2+

s433

ri+

s91

ce_fifo1+li-

s438

ri+

s622

nor_fifo1-nor_fifo2+ li-nor_fifo2+ li- ce_fifo1+ce_fifo3- ro+

s362

nor_fifo1-

s21

li-

ro+

ce_fifo1+

s612

ce_fifo3-

s276

li-

s85

ce_fifo1+

s282

ce_fifo1+nor_fifo2+

s179

ce_fifo3-

s411

lo+

s427

ri-

s72

nor_fifo2+

li-nor_fifo2+

s617

nor_fifo1-

s619

ce_fifo3-nor_fifo2+ro- li- ce_fifo1+

s263

nor_fifo2+ri+

s460

li-

nor_fifo1-ri+

s572

li-

ri+

nor_fifo2+

nor_fifo1-

lo+

ro-

ri+

ce_fifo1+

s262

ce_fifo1+

s448

li-

s61

ro-

s251

li-

s64

ce_fifo1+

s415

ri- nor_fifo2+

s455

nor_fifo1-

s567

nor_fifo2+

s457

ce_fifo3-

s108

li-

s260

ri+ce_fifo1+ce_fifo3- li-ce_fifo3- nor_fifo1-ro- nor_fifo2+ ce_fifo1+

lo+ce_fifo3-

li-

s158

ce_fifo3- nor_fifo2+nor_fifo1-nor_fifo2+ li-ro-

s544

ce_fifo1+

s253

ri-

s540

nor_fifo2+

s106

nor_fifo2+

s634

ce_fifo3-

s476

lo-

s234

ro- li-

s431

nor_fifo2+

s123

lo-ri+nor_fifo1-

s107

ce_fifo3-

s357

ro- li- nor_fifo1-ce_fifo1+

ro-

li-ce_fifo3-ro- nor_fifo1-nor_fifo2+nor_fifo2+

s67

ri- nor_fifo1-li-

lo+

ri+

s117

ri+

s435

t1+

s279

li+

s363

ri-

s528

nor_fifo1-

s196

li-

nor_fifo3+

nor_fifo2+

s546

li-

s236

nor_fifo1-

s74

li-ri- nor_fifo2+ri- nor_fifo1-

nor_fifo2+

lo-

s274

ce_fifo3-

nor_fifo3+

ce_fifo1+

s542

nor_fifo2+

ro- nor_fifo2+

s14

lo-

lo+

ro+

nor_fifo1-

ro-

nor_fifo1-ri+

li-ro-

s432

t1+

s293

ce_fifo3-

s275

li+

nor_fifo3+

s531

nor_fifo1-

s203

li-

nor_fifo3+

s78

nor_fifo1-

nor_fifo2+

s368

nor_fifo2+

s93

lo-ri- lo-ro- ri+

s603

li+

s426

b1+

nor_fifo3+

nor_fifo2+ li- li-ri-

s596

li+

s422

b1+

s610

ce_fifo3-

s380

ro-

s446

li+

t1+

lo-

s371

ri- ri+

s594

b1+

nor_fifo2+

s410

t1+

s97

ri-

s249

li+

nor_fifo3+

li-

nor_fifo3+

nor_fifo2+ lo-

s591

b1+

s138

ce_fifo3-

s60

t1+

s539

li+

s383

ri- t1+ro-nor_fifo2+

s413

ri-

s577

li+

nor_fifo3+

lo-li+

s605

ce_fifo3-

s285

ce_fifo2+

s147

ce_fifo1-

nor_fifo3+

nor_fifo2+t1+

s252

li+

s128

ce_fifo3-

s441

ce_fifo2+

s307

ce_fifo1-

s62

ri-

s55

b1+

s224

li+

b1+

ro-

li+

s328

ce_fifo1-

s462

ce_fifo2+ ro-

s541

ri-

t1+

nor_fifo3+

li+t1+

s644

ce_fifo1- li+

s6

nor_fifo2-ce_fifo3- ce_fifo3- ce_fifo2+

s459

t1- li+

t1+ ce_fifo3-

nor_fifo3+

nor_fifo2+

s581

li+

nor_fifo3+

nor_fifo1-

s623

ce_fifo2+

s485

ce_fifo1-

s217

ro-

s640

t1-

s186

ce_fifo2+ li+

s397

ro- ce_fifo3-

s166

li+

s329

t1-

s365

nor_fifo2-

ce_fifo1- ce_fifo3-

s170

nor_fifo2-

nor_fifo3+

s227

t1+

nor_fifo3+

s58

b1+

li+

ce_fifo3- ce_fifo2+

s621

li+

s190

ce_fifo3-

li+

ce_fifo1-

ce_fifo2+ce_fifo3-

t1-

ce_fifo1- li+nor_fifo2-

s547

ro-

t1+

ri+

ri-ce_fifo2+ ce_fifo1-

li+

nor_fifo3+

ce_fifo1+ ro- li+b1+

nor_fifo1-

ri-

s507

ce_fifo2+

s163

li+

s77

ro-t1-

s351

li+

s254

ro-

s536

nor_fifo2-

s486

t1-ce_fifo3-

s524

nor_fifo2-

s68

ro-

s353

nor_fifo2-ce_fifo1-ce_fifo3- li+

s42

nor_fifo2-

li+

s261

ro-

ce_fifo1-

s63

nor_fifo3+

ce_fifo1+

li-

s402

ce_fifo1-

s551

ce_fifo2+nor_fifo3+

s219

li+

li+nor_fifo2- ri- ce_fifo1-

s561

ro-ce_fifo2+ t1-li+ri-ce_fifo2+ t1-

ri- ce_fifo1+

s565

ri-

s416

ce_fifo2+

s235

t1- ce_fifo1-

s418

nor_fifo2-

s71

ri-

s57

ce_fifo1- ro-

s23

li+

s578

ro-

s216

nor_fifo2-

ce_fifo3-

s205

nor_fifo2-nor_fifo2-t1- ro-li+

s259

ce_fifo2+

s321

nor_fifo3+

s81

t1- li+

s264

ri-

s611

ce_fifo1-

ce_fifo3- t1-ce_fifo1-

s458

nor_fifo3+ nor_fifo2-

li+

ce_fifo2+ ro-

nor_fifo3+

ce_fifo1+li-

nor_fifo2+

ri- t1-li+

nor_fifo2-

ce_fifo2+ ri-li+

li+

ce_fifo1-ce_fifo2+

ce_fifo1+

ri- li-

s76

nor_fifo3+

lo+

nor_fifo3+

s417

ce_fifo2+

s240

t1-

s584

t1-

s181

nor_fifo3+ li+

s616

nor_fifo2-

s557

nor_fifo3+

li+

s137

ro-

s376

t1-nor_fifo2-

s98

ro- ce_fifo3-

s209

b1-

s248

nor_fifo3+

nor_fifo1+

li+

ce_fifo2+

s633

t1-

nor_fifo3+

lo+ nor_fifo2+

ri-li+

s292

nor_fifo2- nor_fifo2-t1-ri-

li+

ce_fifo1-

s189

nor_fifo2-

ce_fifo3- ce_fifo1-

ce_fifo2+ nor_fifo3+li+ ce_fifo2+ri- ce_fifo1-

s421

ri-

lo+ri-

nor_fifo3+

ce_fifo1- li+

ce_fifo2+ce_fifo3-

s105

li+

s298

nor_fifo2-

s499

nor_fifo3+

s447

t1-

s143

ri-

s245

ri-nor_fifo1+

s92

nor_fifo3+

nor_fifo1+ li+

s553

ri- li+

li+

s534

nor_fifo2- t1-

s269

nor_fifo3+

nor_fifo2+ li+

ro-

s382

b1- nor_fifo2-ri-

li+

ce_fifo1-

s304

b1- li+ ri-

nor_fifo3+

t1- nor_fifo2-

s607

nor_fifo3+

nor_fifo2+nor_fifo1+

li+

ce_fifo2+

nor_fifo3+

ce_fifo2+

s309

ri-

s119

t2+

s461

li+

s129

nor_fifo1+

s171

nor_fifo1+

ro-

b1-

s452

ri-

s206

t2+ ro-

s211

nor_fifo1+

nor_fifo3+

nor_fifo2-

li+

s214

t1- nor_fifo3+b1- li+

s86

li+ri-nor_fifo1+

s265

li+

nor_fifo2+ ri-

nor_fifo3+

t1-

s468

li+

ro-

li+

nor_fifo2-

s442

nor_fifo3+

nor_fifo2+nor_fifo1+ li+

s604

nor_fifo1+

nor_fifo2+ri-

li+

s220

b1-nor_fifo3+

s132

nor_fifo1+

s127

t2+

s464

li+

s626

nor_fifo1+

ce_fifo3-

s277

ro-

s30

nor_fifo1+

s198

li+

ro-nor_fifo2+

s439

nor_fifo2+nor_fifo1+ ri- li+

s530

nor_fifo1+

nor_fifo2+ro-

li+ ri-

s585

nor_fifo1+

s295

li+

ce_fifo3-

s7

li+ro-nor_fifo1+ nor_fifo3+ t1- li+

t2+

s286

nor_fifo1+ ri-

nor_fifo3+

b1-

nor_fifo3+

ce_fifo1-

li+

s47

nor_fifo1+

s41

t2+nor_fifo3+

s589

t2+

s290

li+

s18

li+

ce_fifo3-nor_fifo2+

s283

ri-

s109

nor_fifo1+

s301

li+

ri+

s267

lo+ t2+ ri- li+nor_fifo1+ nor_fifo3+

s370

nor_fifo1+ ro- li+nor_fifo2+

li+ ri-

s359

nor_fifo1+

nor_fifo2+ce_fifo3-

s466

li+nor_fifo1+ ce_fifo3-

s631

nor_fifo1+

ri+

nor_fifo3+

ce_fifo1-

nor_fifo2-

nor_fifo3+

t2+nor_fifo1+

li+t1-

ri-

s272

ri-

s559

ce_fifo1+

s113

li-

s90

t2+

s24

li+

ri+nor_fifo2+

li+

s512

t2+

s111

nor_fifo1+ nor_fifo3+

s471

nor_fifo1+ ri+ li+

ri-lo+ li+ nor_fifo3+ nor_fifo1+

s369

b2+ li+

nor_fifo3+

ce_fifo1-

ce_fifo2+ri-li+t2+

s385

li+

ro+

s73

nor_fifo1+

ro+

nor_fifo3+

lo+ t2+

s195

nor_fifo1+ ce_fifo3- li+nor_fifo2+

s364

nor_fifo1+

ri+nor_fifo2+

s564

ce_fifo1+

s95

t2+nor_fifo3+

s115

li-

s202

nor_fifo1+nor_fifo2+ ri+ li+

s396

li-

s96

nor_fifo1- ri-

s381

t2+

nor_fifo3+

lo+

li+

s197

b2+ce_fifo1+ ri-

s571

t2+

ce_fifo1+ ri-

li-

s425

nor_fifo1+

nor_fifo2+ ro+

ce_fifo1- ce_fifo2+

ri-

s100

li+

ro+nor_fifo2+

nor_fifo3+

b1+

s194

ce_fifo3+ nor_fifo1+

s529

li+

s516

ce_fifo2-

nor_fifo1+

b2+

s554

ro+nor_fifo1+ li+

s221

t2+

s400

ri-

s576

nor_fifo1-

s15

nor_fifo1+

s338

ce_fifo2-

s273

nor_fifo3-

s356

li+

s552

t2+

s99

ri-

li-

s474

nor_fifo3+li-nor_fifo1-

s386

t2+

s120

nor_fifo1+

b2-

li-nor_fifo1- ri- ce_fifo1+ nor_fifo3+

s574

li-

li+

ce_fifo3+

s340

ce_fifo2-

s419

li+

b2-

nor_fifo3+

nor_fifo2+

nor_fifo1+

s32

ce_fifo2-ce_fifo3+ li+nor_fifo1+ce_fifo3+

s50

t2-

b1+ ri-

ce_fifo1+ t2+

s33

li-

s268

ro+ li+nor_fifo1+nor_fifo2+


t2+

s226

ri-

s392

nor_fifo1-

s316

li-

s12

nor_fifo1-

s291

t2+nor_fifo3+

s579

nor_fifo1- t2+

li+

s104

nor_fifo3-

s154

ce_fifo2-

s212

t2-

s497


s38

nor_fifo1+

nor_fifo3-

s555

ri-

li-

li- nor_fifo3+t2+ ce_fifo3+ li+

s521

t2-li-nor_fifo1- nor_fifo3+

s583

nor_fifo1+

t2-

s350

li+

nor_fifo3-

s597

li+nor_fifo1+b2- ri- nor_fifo2+

s239

li+

t2-

li+

s520

t2-

s414

nor_fifo3- nor_fifo1+ ce_fifo2-

s430

li+nor_fifo1+ li+ce_fifo3+ nor_fifo1+

nor_fifo1+

ce_fifo2- nor_fifo3-ce_fifo1+ b2+

s491

li-

nor_fifo3+

nor_fifo2+

t1+

ce_fifo1+

t2+

s495

nor_fifo1-

s133

t2+nor_fifo3+

s393

t2+

s592

lo-

ce_fifo3+

s39

nor_fifo1+nor_fifo1- nor_fifo3+ li-

s465

t2+li- nor_fifo3+ li- nor_fifo1-

s618

b2+

nor_fifo1+

t2-nor_fifo3-

s504

nor_fifo2+

ro-li+nor_fifo1+nor_fifo3- li+t2- nor_fifo1+

s475

ce_fifo2- ce_fifo3+ce_fifo1+

s177

li-

ce_fifo2-

nor_fifo1+

nor_fifo2+

t1+ri-ce_fifo2-

li+

li+

t2- nor_fifo3-

ce_fifo3+

lo+t2-

ce_fifo3+

li+

s310

t2+

s515

lo-

s408

lo- nor_fifo3+ nor_fifo1-

s454

b2+

s155

b2+li-

s345

ro-

nor_fifo2+

li+

ce_fifo2-

s242

lo+

ce_fifo3+

s25

t2-

s124

ce_fifo1+

s317

li-

ce_fifo2-

s437

ce_fifo1+ nor_fifo3-

s637

li-

s325

nor_fifo2+

ce_fifo3-

ce_fifo3+

lo+ nor_fifo1- ce_fifo3+ce_fifo2-

li-

s178

nor_fifo2+

t1+ro-

s94

t1+

s573

li+

s333

nor_fifo3+

s297

ce_fifo2-

s630

li-

s615

ce_fifo3+

ce_fifo3+

s508

li-

s306

ce_fifo1+

s160

nor_fifo2+

ce_fifo3-li+

b2+

lo-

s537

nor_fifo3-nor_fifo1- ce_fifo2-

s281

li-

s332

nor_fifo2+

ri+

ce_fifo2-

ce_fifo1+

s83

li-

s638

nor_fifo2+

t1+ ce_fifo3-

nor_fifo2+ro-

t1+li+

nor_fifo1- ce_fifo3+t2-

s599

li-

s4

nor_fifo3+

s250

li+

s139

li-

s121

ce_fifo3+

s483

t2-

s69

nor_fifo1-

s377

li- ce_fifo2-

s451

ce_fifo3+

s13

lo- ce_fifo2- nor_fifo3-li- ce_fifo2-

ce_fifo3+

s146

ce_fifo1+

s164

nor_fifo2+

ri+li+

ce_fifo1+ ce_fifo2-

li-

nor_fifo3-t2-nor_fifo1-ce_fifo3+nor_fifo1-

li-

nor_fifo2+

t1+li+ ce_fifo3-

s641

nor_fifo2+

t1+ ri+

s342

b2+

s169

li+

s548

li-

s218

ce_fifo2-

s472

lo- nor_fifo3-ce_fifo2-ce_fifo3+

s176

li+

s152

ce_fifo2-t1+ lo-

s326

t2- ce_fifo3+ nor_fifo1- ce_fifo2-

t2-

nor_fifo1- li-

nor_fifo3- li-

s305

nor_fifo1-nor_fifo3-t2-li-li- ce_fifo3+

s482

nor_fifo2+

t1+ ri+li+

ce_fifo1+ t2-

s563

nor_fifo3-

s613

ce_fifo2-

s157

t1+

s635

li+ lo-

s56

ce_fifo2-

s501

t1+ ce_fifo3+

s315

ce_fifo2- ce_fifo3+

s473

t1+li+

s348

t2- t2-li-lo- ce_fifo3+

ce_fifo2-

nor_fifo1- nor_fifo3-

ri+ nor_fifo2+

lo-

li- nor_fifo3-ce_fifo2- ce_fifo3+li+ nor_fifo1- t2-lo- t2- nor_fifo3-

b2-

ce_fifo1+

s66

ce_fifo2-

s241

t1+

s82

li+ nor_fifo3-

s162

t2-

s140

li+

s299

t1+

s632

li+

s22

t2- ce_fifo3+ nor_fifo3-

s323

li+ ce_fifo2-ce_fifo2- ce_fifo3+ t1+ ce_fifo2- nor_fifo3-t1+ ce_fifo3+

s506

t2- ce_fifo3+li+ t1+ lo-

s232

nor_fifo3- li- b2-lo- t2- nor_fifo1- b2-

ce_fifo3+

nor_fifo1-

ce_fifo2-

nor_fifo3-

ce_fifo1+

s388

t1+

s229

li+

s244

t2-

s404

li+ ce_fifo2-

s327

li+

s484

t1+ nor_fifo3-

s453

ce_fifo3+

s185

t2- nor_fifo3-ce_fifo2- t1+ t2- nor_fifo3-ce_fifo3+t1+

b2+

li+ ce_fifo3+ lo-

s545

b2-

ro+

nor_fifo1- nor_fifo2+

ro+

nor_fifo2+li-li+ nor_fifo3-t2- t1+ ce_fifo2-

ce_fifo3+

nor_fifo1-

t2-

s550

ce_fifo2-nor_fifo3-

s643

t2-

s406

nor_fifo3-t1+ce_fifo3+ li+

s568

t2-t1+ t2-li+ nor_fifo3-

s355

t2+

ce_fifo3+

t2-

ce_fifo1+

s560

b2-li+ t1+

ro+

s200

li-

ro+

lo- nor_fifo2+

nor_fifo1-

ce_fifo3+

ce_fifo2-nor_fifo3+

ro+

nor_fifo1-

s490

b2+

t1+

s246

ri-

s192

t2+

li+

ro+

s210

nor_fifo2+

s79

li+

s237

t1+

s88

t2-

s429

nor_fifo3+t2+

t1+ b2-nor_fifo3-

ce_fifo3+

ce_fifo2-ce_fifo1+t1+ nor_fifo3+

t1+ b2+

li+

ro+

lo-li+ b2-

s31

t1+t2+

s173

ro-

s399

b2-

ro+

s532

t1+

s372

li+

ro+

t1+ nor_fifo2+

s87

ri-

li+

s424

t2+ ri-

ro+

li+ nor_fifo2+

ce_fifo1+

b2+

s271

t2+

nor_fifo3+li+

s569

t1+ ri- t1+ t2+li+

s114

t1+t2+ nor_fifo3+

ro+

s52

nor_fifo2+

s629

ce_fifo3-

ro+

s525

b1+li+

s361

t2+ ro-

ro+

t1+

s405

ri-

t1+li+

s492

t1+ ro-

s266

t2+li+ ri-

t2+

t1+ nor_fifo3+li+

ce_fifo1+

nor_fifo3+

s112

t1+t2+ ri-

s9

li+ ro-

s636

ri+

s335

ro-li+ t1+

s378

ce_fifo2+

s231

ce_fifo1- ro+

s45

li+

s35

t1+t2+ ro-

ro+

b1+

s469

li+ ce_fifo3-

ri-

lo-

s183

t2+ ce_fifo3-

s590

t2+t1+ ri-li+

ce_fifo1+

ri-

s313

t1+ ce_fifo3-

s199

li+ ro-t2+

s518

t2+li+ ro-t1+

s503

ce_fifo3-t1+t2+

s477

li+ ri+

s312

lo- ro-

s538

li+

s289

ro+

s84

ce_fifo1-

s89

nor_fifo2-

s390

li+ ce_fifo2+

s549

t1-

s149

ro+

s19

t2+li+ ce_fifo3-

s150

ce_fifo3-t1+li+

ri-

t2+lo-

s188

t2+ ri+

s75

ro+

ri+

ce_fifo2+ce_fifo1- li+

s318

t1+ ri+

ce_fifo2+ce_fifo1-ro+

s394

t1+ ro+

s243

ce_fifo1-

s444

ro+

s247

nor_fifo2-

ri+

li+

s3

ce_fifo1-

s10

nor_fifo2-

s467

ro-

li-

ce_fifo2+

s311

ro+

s70

t1-

s153

t1+ ri+li+

li+ro+

s403

t1-

s434

nor_fifo2-

s502

lo- t2+ ro-

s463

ro+ ce_fifo2+li+ ro+ li+ ce_fifo1-

ri+

ce_fifo2+t1- li+

s136

ro-

nor_fifo1-

s344

ce_fifo3-li+ t1+ t2+

ri+

ce_fifo2+ce_fifo1-

s26

t2+ ri+li+

s556

ro+li+

s256

ro+ t2+

s135

ce_fifo3-lo-

s509

ri+t1+ t2+

s141

lo- ri+

s580

t2+t1+ ro+

s566

t1-

s601

nor_fifo2-

s168

ro+

ri+

s174

nor_fifo2-ce_fifo1-

ri+

s367

nor_fifo2-

s334

t1- li+

s296

ro-

nor_fifo1- li-

s595

ce_fifo3-nor_fifo1-

ri+

ce_fifo2+

s624

li+

ri+

ce_fifo1- li+

s324

ro-

nor_fifo1- t2+

s294

ce_fifo3-li-

s17

ro-

t2+li-

s349

t2+ ri+t1+li+

ri+

t1- ce_fifo2+

s322

ce_fifo3-lo- t2+

ce_fifo1-ro+

s122

nor_fifo2-ro+ li+ ro+ t1-li+

s493

ro-

ce_fifo1+

s101

ro+ t2+li+

ce_fifo2+ro+

s233

li+ ro+t1+

s600

nor_fifo1- ri+

ri+

s46

t1-

s527

li+

s481

ro-

t2+li-nor_fifo1-

s131

b1-

s278

li+ro+

s144

t2+ce_fifo3-nor_fifo1-

ri+

s489

li+ nor_fifo2-

s480

t2+ ce_fifo3-li-

s330

t2+lo- ri+

nor_fifo2-ro+ t1-ro+

ri+

ce_fifo2+

s11

ro-

ce_fifo1+ li-

s300

li- ri+

s412

li+ ro+t1+ t2+

s118

ce_fifo3-li-nor_fifo1-

s225

ro+lo-

ri+

ce_fifo1-

ri+

t1- nor_fifo2-

s314

ce_fifo1+ ce_fifo3-

s36

ro-

ce_fifo1+ t2+

s487

ri+li- t2+

s303

ce_fifo3-li-nor_fifo1- t2+

s53

ro+

s287

li+

s588

t2+

s593

nor_fifo1+

s51

ro+nor_fifo1-

s148

t2+ri+nor_fifo1-

s470

ce_fifo3-ce_fifo1+ li-

s207

ro+ b1-

s201

ro-

ce_fifo1+ t2+li-

li+

ce_fifo3- t1-

ri+

nor_fifo2-

s384

ro+li-

ro-

lo+

b1-ri+ li+

s125

li-nor_fifo1- ri+

ri+

t1-

s320

ce_fifo1+ ri+

s505

ce_fifo1+ t2+ce_fifo3-

s398

ro+lo- t2+

s48

ri+

s517

t2+

s215

li+

s522

nor_fifo1+

s562

ro+ t2+li-

s20

ce_fifo1+ t2+ce_fifo3-li-

s228

t2+ro+nor_fifo1-

s395

ce_fifo1+ ro+

s494

lo+ce_fifo3-

s514

ro-

li+

s478

ri+ce_fifo1+ li-

li+

ro-

t1-

li+

b1-ce_fifo3-

ri+

b1-

ro-

lo+t2+

s308

nor_fifo1- ri+li- t2+

s213

li-nor_fifo1- ro+

s116

nor_fifo1+ro+

s110

t2+ro+

s409

nor_fifo1+ li+li+ro+ t2+

s511

ce_fifo1+ t2+ri+

s223

ce_fifo3-

s513

t2+

s519

nor_fifo1+ li+

s27

ri+ t2+ce_fifo1+ li-

s44

li+ro-

nor_fifo1+

s37

lo+ t2+ce_fifo3-

s387

nor_fifo1- li- ro+ t2+

ri+

s34

li+

s341

nor_fifo1+

s558

li- ro+ce_fifo1+

s29

ce_fifo3-

nor_fifo1+

s582

ce_fifo1+ t2+ro+

s40

ro+

s575

t2+

s102

lo+ nor_fifo1+ t2+ri+

li+ ro-

b1-

s500

ri+lo+

s336

li+ce_fifo3-

s49

ro-

t2+ li+

li+ t2+ri+ li+ro+ ro+ nor_fifo1+

ro- li+

t2+nor_fifo1+ lo+ ri+ t2+ce_fifo3- li+nor_fifo1+ ri+ nor_fifo1+lo+ ro+ro+ce_fifo1+ t2+li- li+ri+li+t2+ce_fifo3-

ce_fifo3-

nor_fifo1+ t2+



Big Breakthroughs on State Explosion

• Symbolic model checking: Burch, Clarke, McMillan, Dill, andHwang 90, Ken McMillans thesis 92.• Encode state space and MC algorithms using Boolean formulas and

operations.

• Partial order reduction: Valmari 90, Godefroid 90, Peled 94.• Mainly used to reduce redundant states in asynchronous design verification.

• Bounded model checking: Biere, Cimatti, Clarke, Zhu 99• targeted to find bugs of fixed lengths.• Use fast SAT solvers at Boolean reasoning engine.• Can handle designs of thousands of state variables.• There are now many SAT-based unbounded methods.

• Counter-example guided abstraction refinement (CEGAR):Bob Kurshan 1994, Clarke, Grumberg, Jha, Lu, Veith 2000.• Used in most software model checkers.


Success Stories of Model Checking

• Security: Needham-Schroeder encryption protocol• Error that remained undiscovered for 17 years unrevealed

• Transportation systems• Train model containing 10476 states

• Model checkers for C, Java and C++• Used (and developed) by Microsoft, Digital, NASA• Successful application area: device drivers

• Dutch storm surge barrier in Nieuwe Waterweg• Software in the current/next generation of space missiles• NASAs Mars Pathfinder, Deep Space-1, JPL LARS group

• An entire execution cluster in Intel Core i7 (CAV 2009).


Model Checking Tools

• Industry (Intel, IBM, Motorola) has been using MC more widely forobvious reasons.

• SMV: first symbolic model checker, many variants.• VIS: logic synthesis and verification for synchronous circuits.• SPIN/LTSA: an explicit model checker for SW verification.• Uppaal/Kronos/ATACS: real-time system verification.• HyTech: hybrid system verification.• Cospan/FormalCheck: ω-automata/language inclusion.• SteP/PVS: combination of model checking and theorem proving.• SLAM: a project done at Microsoft for device driver verification.


Contents

1 Course Logistics




5 Course Topics


Topics to be Covered (Tentative)

• Introduction to the model checker SPIN• Modeling concurrent software and hardware systems• Basics of Linear Time Logic and model checking algorithms• Introduction to the model checker NuSMV• Basics of computational-tree logic and symbolic model checking

algorithms

• If there is time, introduce Boolean SAT solving and bounded modelchecking


My Research

Building Secure, Trustworthy, Autonomous and Reliable Embedded(STAR) Systems

• Embedded system are pervasive: cars, aircrafts, medical devices,etc.

My Current Focus: Verifying Safety-CriticalEmbedded Systems

• Embedded system are pervasive: cars, aircrafts, medical devices,etc.

• Can we trust cars and aircrafts?


• Can we trust cars and aircrafts?Hao Zheng (CSE, USF) CDA 5416: Comp Sys Verification 49 / 49

Course LogisticsVerification - WhyVerification - OverviewFormal Verification and Model CheckingCourse Topics

CDA 5416: Computer System Veri cationhaozheng/teach/cda5416/slides/intro.pdf · Contents 1 Course...

Documents

Transcript of CDA 5416: Computer System Veri cationhaozheng/teach/cda5416/slides/intro.pdf · Contents 1 Course...