![Page 1: Introduction to Model Checking - LAAS-CNRSprojects.laas.fr/IFSE/FMF/J4/slides/mateescu-FMF-model-checking.pdf · Introduction to Model Checking Radu Mateescu Inria – Univ. Grenoble](https://reader033.vdocuments.us/reader033/viewer/2022051507/5a7307287f8b9abb538e3e1a/html5/thumbnails/1.jpg)
Introduction to Model Checking
Radu Mateescu
Inria – Univ. Grenoble Alpes – LIG
What is model checking?
“Model checking is the method by which a desired behavioral property of a reactive system is verified over a given system (the model) through exhaustive enumeration (explicit or implicit) of all the states reachable by the system and the behaviors that traverse through them.”
Amir Pnueli
Foreword to Model Checking
[Clarke-Grumberg-Peled-00]
FMF - Model Checking - LAAS, 16/10/2014 2
Basic model checking flow
Flow diagram: the system description is compiled into a model (state space); the property is translated into an intermediate form; the model checker encodes and resolves the verification problem over the two and produces a verdict & diagnostic.
Running example (action-based version)
Two-cell buffer with unreliable transmission: 9 states, 20 transitions
Diagram: PUT 0/1 → Cell1 → Cell2 → GET 0/1
Action-based setting (Labelled Transition System)
Running example (state-based version)
Keep the contents of states and the transitions between them
State-based setting (Kripke structure): each state records the contents of the two cells, each being 0, 1 or _ (empty); the nine states are (0 0), (_ _), (1 0), (0 1), (1 1), (0 _), (1 _), (_ 1), (_ 0).
States vs actions

| State-based | Action-based |
| --- | --- |
| White box spec style | Black box spec style |
| Predicates on state variables | Predicates on actions/events |
| Stuttering equivalence | Weak bisimulations |
| Partial order reductions | Compositionality (congruences w.r.t. \|\|) |

Kripke transition systems (KTS): state variables and actions
Specification of temporal properties
Temporal logic [Pnueli-77]:
formalism for describing evolutions of program states over (logical) time
– Atomic propositions over states
– Propositional logic operators (or, and, not, …)
– Tense operators (neXt, Until, Previous, Since, Once, …)
– Interpreted on state spaces
High-level specification style: abstraction and modularity
Properties on states and branches (CTL – Computation Tree Logic)
X ϕ, E [ϕ1 U ϕ2], A [ϕ1 U ϕ2]
EF ϕ = E [true U ϕ] (potentiality)
AG ϕ = ¬EF ¬ϕ (invariance)
AF ϕ = A [true U ϕ] (inevitability)
EG ϕ = ¬AF ¬ϕ (trajectory)
AG (s0* => EF s*0) ok
AG (s0* => AF s*0) ko
Evaluated on the Kripke structure of the two-cell buffer (state diagram as in the state-based running example).
Properties on states and paths (LTL – Linear Temporal Logic)
X ψ, ψ1 U ψ2
F ψ = true U ψ (eventually)
G ψ = ¬F ¬ψ (globally)
ψ1 R ψ2 = ¬(¬ψ1 U ¬ψ2) (release)
GF (s0_ ∨ s1_ ∨ s_0 ∨ s_1) ok
FG s_ _ ko
Evaluated on the Kripke structure of the two-cell buffer (state diagram as in the state-based running example).
LTL vs CTL
A (FG p) (LTL) versus AF AG p (CTL): the diagram shows a structure with p-labels that satisfies A (FG p) but not AF AG p.
AG EF p (CTL) versus A (GF p) (LTL): the diagram shows a structure that satisfies AG EF p but not GF p on every path.
The two logics are incomparable.
Linear-time vs branching-time
Diagram of the linear-time and branching-time logics: LTL, CTL, CTL*, TL, pCTL.
Properties on actions (ACTL – Action-based CTL)
AG_true [PUT0] E [true_true U_GET0 true]   ok
AG_true [PUT0] A [true_true U_GET0 true]   ko
Properties on actions (Lμ – modal μ-calculus)
“Assembly language” for temporal operators
– Modalities and fixed point operators
– Hierarchy of fragments Lμk with alternation depth k
– Captures virtually all existing TL operators
E [ϕ1 U ϕ2] = μX . ϕ2 ∨ (ϕ1 ∧ < true > X)   (CTL; in Lμ1)
AFG ϕ = X . Y . (ϕ ∧ X) ∨ < true > Y   (LTL; in Lμ2)
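As an added example (not part of the slides), an explicit-state CTL checker built directly from the fixed-point characterisations on the Lμ slide above (E[ϕ1 U ϕ2] as a least fixed point, AG as ¬EF¬), run on the two-cell buffer of the running example to reproduce the ok/ko verdicts of the CTL slide. The model construction is an assumption: "unreliable transmission" is modelled as cell 1 silently losing its value, which gives exactly the 9 states and 20 transitions the slides mention.

```python
"""Explicit-state CTL checking of the two-cell buffer by fixed-point iteration.
Added example, not from the slides; the loss transition is a modelling assumption."""
from itertools import product

EMPTY = "_"

def buffer_model():
    """Kripke structure: states are (cell1, cell2), each in {0, 1, _}."""
    states = list(product((0, 1, EMPTY), repeat=2))
    trans = set()                                 # (source, target) pairs
    for c1, c2 in states:
        if c1 == EMPTY:                           # PUT v into cell 1
            trans.update(((c1, c2), (v, c2)) for v in (0, 1))
        else:
            if c2 == EMPTY:                       # transfer cell 1 -> cell 2
                trans.add(((c1, c2), (EMPTY, c1)))
            trans.add(((c1, c2), (EMPTY, c2)))    # loss of cell 1 (assumption)
        if c2 != EMPTY:                           # GET v from cell 2
            trans.add(((c1, c2), (c1, EMPTY)))
    return states, trans

def pre_exists(trans, target):                    # <true> target
    return {s for s, t in trans if t in target}
def pre_forall(states, trans, target):            # [true] target
    return {s for s in states if all(t in target for u, t in trans if u == s)}

def lfp(f):                                       # least fixed point, Kleene iteration
    x = set()
    while (nxt := f(x)) != x:
        x = nxt
    return x

def EU(states, trans, phi1, phi2):
    """E[phi1 U phi2] = muX . phi2 or (phi1 and <true> X)."""
    return lfp(lambda x: phi2 | (phi1 & pre_exists(trans, x)))
def AU(states, trans, phi1, phi2):
    """A[phi1 U phi2] = muX . phi2 or (phi1 and [true] X)."""
    return lfp(lambda x: phi2 | (phi1 & pre_forall(states, trans, x)))

def EF(states, trans, phi): return EU(states, trans, set(states), phi)  # E[true U phi]
def AF(states, trans, phi): return AU(states, trans, set(states), phi)  # A[true U phi]
def AG(states, trans, phi): return set(states) - EF(states, trans, set(states) - phi)

def check_slide_properties():
    """Evaluate the two CTL-slide formulas at the initial (both cells empty) state."""
    states, trans = buffer_model()
    all_s = set(states)
    s0x = {s for s in states if s[0] == 0}        # cell 1 holds 0
    sx0 = {s for s in states if s[1] == 0}        # cell 2 holds 0
    implies = lambda a, b: (all_s - a) | b
    potentiality = AG(states, trans, implies(s0x, EF(states, trans, sx0)))
    inevitability = AG(states, trans, implies(s0x, AF(states, trans, sx0)))
    init = (EMPTY, EMPTY)
    return len(states), len(trans), init in potentiality, init in inevitability
```

The inevitability formula fails because a lost message leaves the buffer empty and nothing forces a 0 to ever reach cell 2 again, which is exactly the counterexample a model checker would report.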
State-based vs action-based
Diagram of branching-time logics. State-based: LTL, CTL, CTL*, TL, pCTL. Action-based: ACTL, ACTL*, F-LTL, HML, HMLR, μ-ACTL, Lμ.
Extensions with regular features
Regular expressions / automata
– Natural description of regular paths
Safety: FIFO buffer policy
[true*.PUT0.(GET)*.PUT1.(PUT)*.GET1.(PUT)*.GET0] false   (PDL)
νX . ([PUT0] νY . ([PUT1] νZ . ([GET1] νW . ([GET0] false ∧ [PUT] W) ∧ [PUT] Z) ∧ [GET0] Y) ∧ [true] X)   (Lμ1)
Extensions with data
Handling of data values present in states/actions
Safety: capacity of (reliable) 2-buffer (regexp with counter)
[ true*. (PUT . (GET)*) {3} ] false
Parametric formulas (stable w.r.t. model)
Response: fair reachability of message delivery (variable propagation)
[ true*. {PUT ?m:nat} ] < true*. {GET !m} > true
Ergonomic extensions (regular constructs and data handling)
Diagram extending the state-based / action-based picture with logics offering regular features: PDL, PDL-Δ, MCL, PSL, ETL, RICO, EAGLE, MITL, ECTL*, FOL, XTL, RegCTL, CTRL, Sugar, RCTL, BRTL (alongside LTL, CTL, CTL*, TL, pCTL, ACTL, ACTL*, F-LTL, HML, HMLR, μ-ACTL, Lμ).
Expressiveness and complexity
Model checking complexity per logic (|ϕ| formula size, |M| model size):
LTL: 2^|ϕ| · |M|
CTL*: 2^|ϕ| · |M|
PDL: |ϕ| · |M|
PDL-Δ: |ϕ| · |M|
CTL: |ϕ| · |M|
Lμ1: |ϕ| · |M|
Lμ2: |ϕ|² · |M|²
Quantitative properties
Time (TA, TPN)
Rates (CTMC, MDP)
Probabilities (DTMC)
Tool screenshot of a quantitative property: E<> s_1 && (c == 1) (courtesy of Wendelin Serwe)
Temporal logic zoo
Complete diagram: the state-based, action-based and regular-feature logics of the previous slides, plus timed logics (TCTL) and probabilistic/stochastic logics (PCTL, CSL).
How to choose the right TL?
Nature of the system and its properties: linear / branching, state / action, functional / quantitative, discrete / continuous
Expressiveness vs model checking complexity
– Tradeoff is often made in the available tools
User-friendliness
– Built-in ergonomic extensions (regexps, data)
– Tools often provide libraries of derived operators
– Use of property pattern libraries [Dwyer-et-al-99]
State space explosion
Exponential growth of the state space with the number of parallel processes
Model checking holy grail:
(endless?) fight against state space explosion
On-the-fly model checking (linear-time, state-based – LTL/SPIN)
Flow: the Promela program is compiled into an implicit KS (with partial order reduction); the LTL formula φ is negated and translated into a Büchi automaton A¬φ; the synchronous product gives L(KS × A¬φ) = L(KS) ∩ L(A¬φ), whose emptiness check yields the verdict & counterexample (lasso).
see the BA zoo at www.spot.lip6.fr
On-the-fly model checking (branching-time, action-based – MCL/CADP/Evaluator)
Flow: the LNT specification is compiled into an implicit LTS (Open/Caesar environment); the MCL formula is translated into a parameterized HMLR, then optimised and encoded into a parameterized BES, whose instantiation & resolution (Caesar_Solve) yields the verdict & diagnostic. All of these activities run on the fly.
Symbolic model checking (branching-time, state-based logics – CTL/nuSMV)
Flow: the formal description is compiled into a symbolic KS (BDD, with dynamic variable reordering); the CTL formula is translated into an Lμ encoding (predicate transformer); symbolic fixed point iteration, with fairness constraint handling, yields the verdict & diagnostic.
Other ways to fight state explosion
Bounded model checking
– Symbolic partial exploration, use of SAT/SMT solvers
Parallel and distributed model checking
– Explicit / symbolic, linear / branching
Compositional verification
– Assume-guarantee / partial model checking
Runtime verification
– TL formulas as monitors checking execution traces
Statistical model checking
Model checkers landscape (partial view)
LTL: SPIN (explicit/parallel), SPOT (explicit/symbolic), DIVINE (explicit/distributed), LTSmin (explicit/distributed)
CTLF: nuSMV (symbolic)
TLA: TLA+ (symbolic)
MCL: CADP (explicit/distributed)
Timed CTL: UPPAAL (symbolic)
PCTL, CSL: PRISM (explicit/symbolic), MRMC (explicit/symbolic), MODEST (explicit/symbolic)
Timed LTL: TINA (symbolic)
μ-ACTL: JACK (explicit/symbolic)
F-LTL: LTSA (explicit)
Model checking in the design process
Choose the right modeling language and TL
Model the essential aspects of the system
Start with on-the-fly (parallel) verification:
– Fast detection of errors
– Debug based on counterexamples
When no more errors found / no memory left:
– Use symbolic / compositional / distributed verification
– Use abstraction whenever possible
What to do next?
Regular increase of model checking capabilities
– Bounded model checking, SAT/SMT techniques
Several stable tools (and many others!)
– Industrial success stories for each method / tool
Model checking interoperates with other techniques (static analysis, theorem proving, …)
Ideally, one should be able to apply smoothly several verification techniques on the same system description
need for languages / models / tools interoperability
Some references
[Schnoebelen-et-al-99] Vérification de logiciels
[Clarke-Grumberg-Peled-00] Model Checking
[Baier-Katoen-08] Principles of Model Checking
+ many articles on the various model checkers
Thank you