Model Checking: An introduction & overview
DESCRIPTION
Model Checking: An introduction & overview. Gordon J. Pace. October 2005. History of Formal Methods. Automata model of computation: mathematical definition but intractable. Formal semantics: more abstract models but proofs difficult, tedious and error prone.
TRANSCRIPT

Model Checking: An introduction & overview
Gordon J. Pace
October 2005

History of Formal Methods
Automata model of computation: mathematical definition but intractable.
Formal semantics: more abstract models but proofs difficult, tedious and error prone.
Theorem proving: proofs rigorously checked but suffers from ‘only PhDs need apply’ syndrome.

The 1990s
Radiation therapy machine overdoses patients, Pentium FDIV bug, Ariane-V crash.
Industry willing to invest in algorithm-based, push-button verification tools.

Model-Checking
Identify an interesting computation model:
  for which the verification question is decidable,
  and tractable on interesting problems.
Write a program to answer verification questions.

Formal Semantics
Operational Semantics (writing σ for the program state and ε for the terminated program):
      (P, σ) → (ε, σ′)
  ----------------------------
   (P;Q, σ) → (Q, σ′)

  (v:=n, σ) → (ε, σ[v ↦ n])

Formal Semantics
Denotational Semantics of Timed Systems (figure: a delay element with input v and output v′):
  ⟦ delay(v′, v) ⟧ =def (∀t ≥ 0 · v′(t+1) = v(t)) /\ v′(0) = low

Transition Systems
⟨Q, →, I⟩
  Q = States
  → = Transition relation (⊆ Q × Q)
  I = Initial states (⊆ Q)

Constructing TSs via OS
(v:=1; w:=v) || (v:=¬v)
(figure: the beginning of the transition graph; each node shows the values of v,w and the pair of program counters pc. The nodes shown are:)
  v,w=1,0  pc=1,0
  v,w=1,1  pc=1,0
  v,w=0,0  pc=0,0
  v,w=1,0  pc=0,0
  v,w=0,1  pc=0,0
  v,w=1,1  pc=0,0
  v,w=1,0  pc=0,1
  v,w=0,1  pc=0,1

Constructing TSs via TDS
(figure: a circuit with input i, delayed value m and output o)
  Q = Bool × Bool × Bool
  I = {(i,m,o) | o = (i /\ m)}
  → = {((i,m,o),(i′,m′,o′)) | m′ = o, o′ = (i′ /\ m′)}

Note: We will be ‘constructing’ TSs from a symbolic (textual/graphical) description of the system. This is a step which explodes exponentially (a linear increase in the description may imply an exponential increase in state-space size).

Properties of TSs
Safety properties: ‘Bad things never happen’.
  eg The green lights on a street will never be on at the same time as the green lights on an intersecting street.
Liveness properties: ‘Good things eventually happen’.
  eg A system will never request a service infinitely often without eventually getting it.

Safety Property Model
(figure: a transition graph in which the ‘bad’ states are drawn in red)
Are any of the red states reachable?

Safety Property Model
Given a transition system M = ⟨Q, →, I⟩ and a set of ‘bad’ states B, are there any states in B which are reachable in M?

A Reachability Algorithm
  R₀ = I
  Rₙ₊₁ = Rₙ ∪ →(Rₙ)
  where →(P) = { s′ | ∃s ∈ P · s → s′ }
The reachable set is the fix-point of this sequence. Termination and correctness are easy to prove.

A Reachability Algorithm
  R := I; Rprev := ∅;
  while (R ≠ Rprev) do
    Rprev := R;
    R := R ∪ →(R);
    if (B ∩ R ≠ ∅) then BUG;
  CORRECT;

State Space Representation
Explicit representation: keeping a list of traversed states.
State-explosion problem.
Looking at the recursion stack gives a counter-example (if one is found).
Breadth-first search guarantees a shortest counter-example.
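The breadth-first reachability check of slides 14 to 16, as an added Python example that is not part of the original slides: it unfolds the interleaved program (v:=1; w:=v) || (v:=¬v) of slide 8 into its transition system on the fly and returns a shortest counter-example. The encoding of the two program counters and the safety property checked (w must equal v once both processes have terminated) are assumptions made for this example.

```python
from collections import deque

# Added example, not from the slides: explicit-state reachability for the
# interleaved program (v:=1; w:=v) || (v:=¬v) of slide 8. A state is
# (v, w, pc_left, pc_right): pc_left counts the statements the left process
# has completed (0..2) and pc_right those of the right one (0..1).
INITIAL = [(v, w, 0, 0) for v in (0, 1) for w in (0, 1)]   # v, w start unconstrained

def successors(state):
    """One interleaving step: fire the next statement of either process."""
    v, w, pl, pr = state
    nxt = []
    if pl == 0:                       # left process: v := 1
        nxt.append((1, w, 1, pr))
    elif pl == 1:                     # left process: w := v
        nxt.append((v, v, 2, pr))
    if pr == 0:                       # right process: v := not v
        nxt.append((1 - v, w, pl, 1))
    return nxt

def bad(state):
    """Constructed safety property: once both processes have terminated,
    w must equal v, i.e. the copy made by w := v must not have gone stale."""
    v, w, pl, pr = state
    return pl == 2 and pr == 1 and w != v

def reach(initial, succ, is_bad):
    """Breadth-first reachability (slides 14 to 16). Returns ("BUG", trace)
    with a shortest path from an initial state to a bad state, or
    ("CORRECT", R) with the whole reachable set once the frontier is empty."""
    parent = {s: None for s in initial}   # doubles as the visited set R
    queue = deque(initial)
    while queue:
        s = queue.popleft()
        if is_bad(s):
            trace = []
            while s is not None:          # follow parent links back to an initial state
                trace.append(s)
                s = parent[s]
            return "BUG", trace[::-1]
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return "CORRECT", set(parent)

if __name__ == "__main__":
    verdict, trace = reach(INITIAL, successors, bad)
    print(verdict, *trace, sep="\n  ")   # BUG followed by a 4-state trace
```

The bug needs all three statements to fire (v:=1, then w:=v, then v:=¬v), so the shortest trace has exactly three steps; the never-bad run shows the full unfolding has 18 states.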

Typical Optimizations
On-the-fly exploration: explore only the ‘interesting’ part of the tree (wrt property and graph).
Example: Construct the graph only at verification time. Finding a bug would then lead to only a partial unfolding of the description into a transition system.

Typical Optimizations
Partial order reduction: by identifying commuting actions (ones which do not disable each other), we can ignore parts of the model.
Example: To check for deadlock in (a!; P || b!; Q), we may just fire actions a and b in this order rather than take all interleavings.

Typical Optimizations
Compositional verification: build the TS bottom up, minimising the automata as one goes along.
Example: To construct (P || Q), construct P and minimise to get P′, construct Q and minimise to get Q′, and then calculate (P′ || Q′).

Typical Optimizations
Interface-Based Verification: use information about the interfaces of the components a sub-component will later be composed with while constructing it.
Example: Constructing the full rhs of (10c;P + 5c;Q + …) || Huge || (5c;Tea) gives a lot of useless branches which the last process never uses.

State Space Representation
Symbolic state representation: use a symbolic formula to represent the set of states.
  R := I; Rprev := ∅;
  while (R ≠ Rprev) do
    Rprev := R;
    R := R ∪ →(R);
    if (B ∩ R ≠ ∅) then BUG;
  CORRECT;
Requires: representation of the empty set, union, intersection, relation application, and a set equality test.

Symbolic Representation
Use boolean formulae.
Let v1 to vn be the boolean variables in the state space. A boolean formula f(v1,…,vn) represents the set of all states (assignments of the variables) which satisfy the formula.

Symbolic Representation
Double the variables.
To represent the transition relation, give a formula over variables v1,…,vn and v′1,…,v′n relating the values before and after the step.

Example
(figure: input v1 and the output v2 of a delay element, initialised to 1, feed an AND gate whose output v3 is fed back into the delay)
Initial states:
  I ≡ (v2 = true) /\ (v3 = (v1 /\ v2))
Transition relation:
  T ≡ (v3 = (v1 /\ v2)) /\ (v′3 = (v′1 /\ v′2)) /\ (v′2 = v3)

Set Operators:
  Empty set: ∅ = false
  Intersection: P ∩ Q = P /\ Q
  Union: P ∪ Q = P \/ Q
  Transition relation application: →(P) = (∃vars · P /\ T)[vars′/vars]
  Testing set equality: P = Q iff (P ⇔ Q) is a tautology

The Problem
Calculating whether a boolean formula is a tautology is an NP-complete problem.
In practice representations like Binary Decision Diagrams (BDDs) and algorithms used in SAT checkers perform quite well on typical problems.

Counter-Example Generation
(figure, built up over several slides: starting from I = R0, the reachable sets R1, R2, … are computed outwards until one of them meets Bad)
Set of all shortest counter-examples obtained.

Abstract Interpretation
Technique to reduce the state space to explore and the transition relation to use. Collapse the state space by approximating wrt the property being verified.
Can be used to verify infinite state systems.

Abstract Interpretation
Example: collapse states together by throwing away variables, or simplifying wrt the formula.
(figure, built up over three slides: groups of concrete states merged into single abstract states)

Abstract Interpretation
Concrete counter-example generation is not always easy. May yield ‘false negatives’.

Other Techniques
Backward Analysis
  R₀ = Bad
  Rₙ₊₁ = Rₙ ∪ →⁻¹(Rₙ)
If R is the fix-point of this sequence, the system is correct iff R ∩ I = ∅.

Other Techniques
Induction (depth 1): If …
  1. the initial states are good, and
  2. any good state can only go to a good state,
then the system is correct.

Other Techniques
Induction (depth n): If …
  1. any chain of length n starting from an initial state yields only good states, and
  2. any chain of n good states can only be extended to reach a good state,
then the system is correct.

Other Techniques
Induction
By starting with n=1 and increasing (plus adding some other constraints) we get a complete TS verification technique.
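The symbolic loop of slide 21 with the set operators of slide 25, run on the circuit of slide 24, together with the depth-1 induction check of slide 40, as one added Python example that is not from the original slides. Sets of states are plain Python predicates and quantification is done by enumerating the three variables, which stands in for the BDD or SAT machinery of slide 26; the two ‘bad’ sets it is exercised with are constructed for the example.

```python
from itertools import product

# Added example, not from the slides: a set of states is a predicate over an
# assignment {"v1": bool, "v2": bool, "v3": bool}; the transition relation T
# is a predicate over the current assignment s and the primed (next) one n.
VARS = ("v1", "v2", "v3")

def assignments():
    """All 2^n valuations of v1..vn, used for quantification and equality."""
    return [dict(zip(VARS, bits)) for bits in product((False, True), repeat=3)]

def I(s):  # slide 24: I == (v2 = true) /\ (v3 = (v1 /\ v2))
    return s["v2"] and s["v3"] == (s["v1"] and s["v2"])

def T(s, n):  # slide 24: T == (v3 = v1/\v2) /\ (v3' = v1'/\v2') /\ (v2' = v3)
    return (s["v3"] == (s["v1"] and s["v2"])
            and n["v3"] == (n["v1"] and n["v2"])
            and n["v2"] == s["v3"])

# Slide 25 operators on formula-represented sets.
def EMPTY(s): return False                       # empty set == false
def union(P, Q): return lambda s: P(s) or Q(s)   # P u Q == P \/ Q
def inter(P, Q): return lambda s: P(s) and Q(s)  # P n Q == P /\ Q
def tautology(f): return all(f(s) for s in assignments())
def equal(P, Q): return tautology(lambda s: P(s) == Q(s))  # P = Q iff P <=> Q
def image(P):
    """->(P) = (exists vars . P /\ T)[vars'/vars]: the current-state variables
    are quantified out by enumeration and the primed copy becomes the state."""
    return lambda n: any(P(s) and T(s, n) for s in assignments())

def size(P):
    """Number of states in the set that P represents."""
    return sum(1 for s in assignments() if P(s))

def reachable(bad):
    """The loop of slide 21. Returns ("BUG" or "CORRECT", final R)."""
    R, Rprev = I, EMPTY
    while not equal(R, Rprev):
        Rprev, R = R, union(R, image(R))
        if not equal(inter(bad, R), EMPTY):
            return "BUG", R
    return "CORRECT", R

def inductive_depth1(bad):
    """Slide 40: the initial states are good and every good state can only
    step to a good state. Sound, but a good unreachable state may fail it."""
    def good(s): return not bad(s)
    base = tautology(lambda s: not I(s) or good(s))
    step = all(not (good(s) and T(s, n)) or good(n)
               for s in assignments() for n in assignments())
    return base and step
```

For the constructed property ‘v2 never falls’ the loop reports BUG after one image step and the induction check fails too, while ‘v3 never holds with v1 low’ is CORRECT with a fix-point of 4 states and is already 1-inductive.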

State-of-the-art
Explicit state traversal: no more than 10^7 generated states. Works well for interleaving, asynchronous systems.
Symbolic state traversal: can reach up to 10^150 (overall) states. Works well for synchronous systems. Sometimes may work with thousands of variables …
With abstraction, 10^1500 states and above have been reported!

State-of-the-art
Combined with other techniques, microprocessor producers are managing to ‘verify’ large chunks of their processors.
Application of model-checking techniques on real-life systems still requires expert users.

Tools
Various commercial and academic tools available.
Symbolic:
  BDD based: SMV, NuSMV, VIS, Lustre tools.
  SAT based: Prover tools, Chaff, Hugo, Bandera toolset.
Explicit state: CADP, Spin, μCRL, Edinburgh Workbench, FDR.
Various high-level input languages: Verilog, VHDL, LOTOS, CSP, CCS, C, JAVA.

Stating Properties
Safety properties are easy to specify. Intuition: ‘no bad things happen’.
If you can express a new output variable ok which is false when something bad happens, then your property is a safety property (observer based verification).
Not all properties are safety properties.

Observer Verification
(figure: the inputs and outputs of the Program are fed to an Observer, which produces the single output ok)
Advantage: Program and property can be expressed in the same language.

Safety Properties
The system may only shutdown if the mayday signal has been on and unattended for 4 consecutive time units.
(figure: timing diagram of the signals shutdown, ok and mayday)
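An observer in the sense of slides 46 and 47 for the shutdown/mayday property above, as an added Python example that is not taken from the slides: it computes the ok signal cycle by cycle over constructed input traces, so that the property reduces to ‘is a state with ok = false reachable?’. It assumes one time unit per cycle and reads ‘on and unattended’ as mayday simply being high, since the slide shows no acknowledgement signal.

```python
# Added example, not from the slides: an observer (slides 46 and 47) for the
# safety property of slide 48. Assumptions: one time unit is one cycle, and
# "on and unattended" is read as mayday simply being high, since the slide
# shows no acknowledgement signal.
REQUIRED_CYCLES = 4

def observe(mayday, shutdown):
    """Run the observer cycle by cycle over two equal-length boolean traces.
    Returns the ok trace: ok is False in a cycle where shutdown is raised
    although mayday has not been high in that cycle and the 3 before it."""
    assert len(mayday) == len(shutdown)
    ok, held = [], 0                  # held = length of the current run of mayday
    for m, s in zip(mayday, shutdown):
        held = held + 1 if m else 0
        ok.append((not s) or held >= REQUIRED_CYCLES)
    return ok

def violated(mayday, shutdown):
    """Slide 46: the safety property fails exactly when ok is ever False, so
    a model checker only has to ask whether a state with ok=False is reachable."""
    return not all(observe(mayday, shutdown))

# Constructed traces (cycle 0 first). In the first pair the shutdown in cycle 3
# follows four consecutive mayday cycles; in the second pair the run is broken.
MAYDAY_OK,  SHUTDOWN_OK  = [1, 1, 1, 1, 0], [0, 0, 0, 1, 0]
MAYDAY_BAD, SHUTDOWN_BAD = [1, 1, 0, 1, 1], [0, 0, 0, 0, 1]
```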

Non-Safety Properties
Bisimulation based verification
Temporal logic based verification:
  Linear time logic (eg LTL): Globally (Finally bell)
  Branching time logic (eg CTL): AG (ding ⇒ EF dong)
  Globally (Globally req ⇒ Finally ack)

Beyond Finite Systems
Example: Induction on structure.
From:
  Prog(in,out) satisfies Prop(in,out)
  Prog(in,m) /\ Prop(m,out) satisfies Prop(in,out)
Conclude:
  Any chain of Prog’s satisfies Prop.

Philosophical Issues
So does this constitute a proof?
Can I now claim my product to be correct?
Would a proof that P=NP change verification as we now know it?

What I would have also liked to talk about …
  Other techniques (STE, BMC, …),
  More about infinite systems,
  Testing and combining testing with verification,
  Interaction between theorem-provers and model-checkers,
  Model-checking other types of systems (hybrid systems, Petri-Nets, etc).

What now? Potential projects …
  Verification of Kevin & co’s synchronisation algorithms,
  Use grammar induction to improve interface based verification,
  SPeeDI and hybrid system verification,
  Structural induction to model-check compiler properties.