MODEL CHECKING - Vasvi Kakkad, University of Sydney


MODEL CHECKING

- Vasvi Kakkad

University of Sydney

INTRODUCTION

Most complicated systems routinely built today – difficult to get right

Failures are costly

Verification techniques needed

INTRODUCTION

Formal Verification

Apply mathematical arguments to prove the correctness of the system

Aims to find bugs in the system and to correct them

FORMAL VERIFICATION

Build a mathematical model of the system

Write correctness requirements

Analysis – Check that the model satisfies the specifications

Verification – Analysis either proves or disproves the correctness claim

MODEL CHECKING

Model Checking – Technique for automated correctness verification of safety-critical reactive systems.

More generally: algorithmic analysis to check that a model satisfies a specified property

Checks automatically whether a given formula holds in a given model

APPLICATIONS

Electrical circuits

Communication protocols

Digital controllers

Program analysis – e.g. Java PathFinder

MOTIVATION

Software/Hardware system – Specification Language

Requirements – Temporal Logic

State space generated from the specification

Algorithm returns yes, if the property holds for the model; returns no + counterexample, otherwise

PROCESS OF MODEL CHECKING

3 Steps:

Modeling

Specification

Verification

STEP 1 : MODELING

MODELING

Convert the system into a formalism – finite automata

Limitation on time and space – use abstraction

Model a system using a Kripke structure – state transition graph

KRIPKE STRUCTURE

Structure over a set of atomic propositions AP

M = (S, S0, R, L)

S = finite set of states
S0 ⊆ S is the set of initial states
R ⊆ S × S is a transition relation
L : S → 2^AP – function labelling each state with the set of atomic propositions true in that state

EXAMPLE : MICRO-OVEN COOKING

Modeling with Kripke structure M = (S, S0, R, L)

S = {S1, S2, S3, S4}
S0 = {S1} – initial state
R = {(S1, S2), (S2, S1), (S1, S4), (S4, S2), (S2, S3), (S3, S3), (S3, S2)}
L(S1) = {¬close, ¬start, ¬cooking}
L(S2) = {close, ¬start, ¬cooking}
L(S3) = {close, start, cooking}
L(S4) = {¬close, start, ¬cooking}

GRAPH OF KRIPKE STRUCTURE

STEP 2 : SPECIFICATION

SPECIFICATION

Specification – property which the model needs to satisfy

Can be described in temporal logic

Temporal logic – two ways:

LTL (Linear Temporal Logic)

CTL (Computation Tree Logic)

COMPARISON : LTL V/S CTL

LTL

Checks temporal operators along a single path
Counterexamples are easy
Nice automata-theoretic algorithm
Analyzing data flow problems in imperative languages

CTL

Branching time logic
Operators should be preceded by path quantifiers
More efficient
Amenable to symbolic techniques
Analyzing reactive systems

OPERATORS FOR TEMPORAL LOGIC

Basic temporal operators:

X – Next state
F – In the future
G – Globally
U – Until

Path quantifiers:

A – Always / All paths
E – Exists (some path)

TEMPORAL OPERATORS

Temporal operators: G p, F p, X p, p U q

CTL

CTL operator: path quantifier + temporal operator

Universal formulas: AX f, A(f U g), AG f, AF f

Existential formulas: EX f, E(f U g), EG f, EF f

TEMPORAL PROPERTIES

              Universal    Existential
Safety        AG p         EG p
Liveness      AF p         EF p

Safety – Something bad never happens
Liveness – Something good eventually happens

EXAMPLE : MICRO-OVEN COOKING

Specification with CTL

AG (start → AF cooking)

AG ((close ∧ start) → AF cooking)

STEP 3 : VERIFICATION

VERIFICATION

Inputs: a temporal logic formula and a finite state model

The model checker takes both and answers either OK (the formula holds in the model) or a counterexample

EXAMPLE : MICRO-OVEN COOKING

AG (start → AF cooking) – convert to negative normal form:

¬EF (start ∧ EG ¬cooking)

S(start) = {S3, S4}
S(¬cooking) = {S1, S2, S4}
S(EG ¬cooking) = {S1, S2, S4}
S(start ∧ EG ¬cooking) = {S4}
S(EF(start ∧ EG ¬cooking)) = {S1, S2, S3, S4}
S(¬EF(start ∧ EG ¬cooking)) = {}
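The computation on this slide, carried out as an added Python example (not code from the talk): EG and EF are evaluated as fixed points over the micro-oven Kripke structure taken from the modeling slide, and the final set is compared against the initial state to decide whether AG(start → AF cooking) holds.

```python
# Added example, not from the talk: explicit-state CTL evaluation of
# AG(start -> AF cooking) in its negated form ¬EF(start ∧ EG ¬cooking).
# The model below is constructed from the "Example: micro-oven cooking" slide.
STATES = {"S1", "S2", "S3", "S4"}
INITIAL = {"S1"}
R = {("S1", "S2"), ("S2", "S1"), ("S1", "S4"), ("S4", "S2"),
     ("S2", "S3"), ("S3", "S3"), ("S3", "S2")}
# L(s): atomic propositions true in s (negated literals on the slide are omitted).
LABELS = {"S1": set(), "S2": {"close"},
          "S3": {"close", "start", "cooking"}, "S4": {"start"}}

def sat(prop):
    """S(p): states labelled with atomic proposition p."""
    return {s for s in STATES if prop in LABELS[s]}

def ex(target):
    """S(EX f): states with at least one R-successor in target."""
    return {s for (s, t) in R if t in target}

def ef(target):
    """S(EF f): least fixed point of Z = target ∪ EX Z (backward reachability)."""
    z = set(target)
    while (nxt := z | ex(z)) != z:
        z = nxt
    return z

def eg(target):
    """S(EG f): greatest fixed point of Z = target ∩ EX Z, i.e. states from
    which some path stays inside target forever."""
    z = set(target)
    while (nxt := z & ex(z)) != z:
        z = nxt
    return z

def check_start_implies_af_cooking():
    """Returns (S(AG(start -> AF cooking)), whether it holds in every initial state)."""
    not_cooking = STATES - sat("cooking")             # S(¬cooking)
    bad = ef(sat("start") & eg(not_cooking))          # S(EF(start ∧ EG ¬cooking))
    good = STATES - bad                               # S(¬EF(...)) = S(AG(start -> AF cooking))
    return good, INITIAL <= good

if __name__ == "__main__":
    good, holds = check_start_implies_af_cooking()
    # On this model good is empty: the property fails and a model checker
    # would report a counterexample such as S1 -> S4 -> S2 -> S1 -> ...
    print("S(AG(start -> AF cooking)) =", sorted(good), "| holds:", holds)
```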

GRAPH OF KRIPKE STRUCTURE

PROBLEM WITH LTL MODEL CHECKING

State space explosion problem – the number of states typically grows exponentially in the number of processes

MAJOR TECHNIQUES

Based on symbolic structure

Based on automata theory

Other models – alternative methods

SYMBOLIC MODEL CHECKING

Symbolic model checking uses Binary Decision Diagrams (BDDs) to represent the model as sets of states

BDD – data structure for representing Boolean functions
Often concise in memory
Canonical representation
Boolean operations can be done in polynomial time in the BDD size

BDD IN MODEL CHECKING

Every set A can be represented by its characteristic function

fA(u) = 1 if u ∈ A
fA(u) = 0 if u ∉ A

If the elements of A are encoded by sequences over {0,1}^n then fA is a Boolean function and can be represented by a BDD

BDD FOR F(A,B,C) = (A B) C

Decision tree (figure)

BDD (figure)

SUMMARY

Model Checking – automated verification technique

Hardware/Software model – Kripke structure

Specification – temporal logic (LTL, CTL)

Verification (model checking) algorithm

State space explosion problem

Solution : Symbolic model checking – BDD

THANK YOU...
