Verification By Model Checking - PowerPoint PPT Presentation

About This Presentation
Title:

Verification By Model Checking

Description:

Verus and Kronos check properties of real-time systems. ... Later in 1995 Daws and Yovine used Kronos to check all the properties stated and ... – PowerPoint PPT presentation

Slides: 52
Provided by: helmut1

Transcript and Presenter's Notes

1
Verification By Model Checking
  • Cheng Qin
  • Department of Computer Science
  • University of Kentucky

2
Temporal Logic Model Checking
  • Model checking is a method to algorithmically
    verify formal systems. This is achieved by
    checking whether the model, often derived from a
    hardware or software design, satisfies a formal
    specification. The specification is usually written
    as temporal logic formulas.
  • The systems best suited for verification by model
    checking are finite-state concurrent systems.
  • Model checking consists of verifying
    properties of the model of a system, such as
    reachability, safety, liveness,
    deadlock-freeness and fairness properties.
  • The verification procedure is an exhaustive search of
    the state space of the concurrent system to
    determine the truth of the specification.

3
Digicode Example
4
Digicode With Guarded Transitions
  • When modeling real-life systems, it is often
    convenient to let automata manipulate state
    variables: transitions carry guards on the
    variables and may update them.

5
Digicode With Unfolding
  • Unfolding replaces each control state by one copy
    per reachable valuation of the variables; the
    states of the unfolded automaton are called
    global states.

6
An Example Without Synchronization
  • Systems of this kind can be broken up into
    components which do not interact with each other.
    The global automaton is then the cartesian
    product of the automata representing the
    components.

7
Synchronized Product
  • Real-life programs or systems are often broken
    up into modules or subsystems.
  • To build a model of the overall system, it is
    therefore natural to first model the system
    components.
  • The global automaton is then obtained from the
    component automata by having them cooperate.

8
Definition of Synchronized Product
  • Let us consider a family of n automata, and
    introduce a new label "-" to represent the action
    "do nothing".
  • The cartesian product of these automata is simply
    the automaton whose states are the tuples of
    component states and whose transitions let each
    component i either take a step or do nothing.
  • The synchronized product keeps only those
    transitions whose tuple of labels (one per
    component) belongs to a given synchronization
    set Sync.

9
An Example With Synchronization
  • Reachability graph: the automaton obtained by
    deleting the non-reachable states.
  • This is the only part of the given automaton
    relevant to a description of its behavior.
  • Sync = {(inc, inc, inc), (dec, dec, dec)}

10
Synchronization by Message Passing
  • A smallish elevator:
  • The cabin which goes up and down depending on the
    current floor and on the commands of the elevator
    controller.
  • Three doors which open and close according to the
    commands of the controller.
  • A controller which commands the three doors and
    the cabin.

11
Synchronization by Message Passing(Cont.)
  • Sync = {(?open_1, -, -, -, !open_1), (?close_1, -, -, -, !close_1),
    (-, ?open_2, -, -, !open_2), (-, ?close_2, -, -, !close_2),
    (-, -, ?open_3, -, !open_3), (-, -, ?close_3, -, !close_3),
    (-, -, -, ?down, !down), (-, -, -, ?up, !up)}
    (components in order: door 1, door 2, door 3, cabin,
    controller; "?m" receives message m and "!m" sends it)

12
Synchronization by Shared Variables
  • The two users (who share one printer) now decide to
    share 3 variables:
  • a variable rA which user A sets to true when
    A wishes to print. Initially rA is false;
  • similarly, rB plays the corresponding role for
    user B;
  • and again the turn variable, to settle conflicts.

13
Temporal Logic
  • Temporal logic model checking was developed
    independently by Clarke, Emerson and Sistla and by
    Queille and Sifakis in the early 1980s.
  • Temporal logic is a form of logic specifically
    tailored for statements and reasoning which
    involve the notion of order in time.
  • An extension of propositional logic.
  • A more direct way of describing dynamic
    behaviour.
  • Operators to support linguistic ways of
    expressing temporal relationships:
    always, sometimes, until.
  • A temporal logic consists of a language, its
    operators and a formal semantics.
  • We opt for the logic known as CTL* (Computation
    Tree Logic), introduced by Emerson and
    Halpern [EH86].

14
Computation Tree
15
Kripke Structure
16
The Logic CTL
17
CTL Operator
  • Atomic propositions
  • Classical Boolean combinators
  • Temporal combinators
  • X, F and G
  • XP states that the next state satisfies P.
  • FP states that some future state satisfies P.
  • GP states that all the future states satisfy
    P.
  • U (until)
  • P U Q states that P holds until Q holds.
  • W (weak until)
  • A and E
  • AP states that all the executions out of the
    current state satisfy property P, whereas
    EP states that from the current state there exists
    an execution satisfying P.

18
State Formulas
19
Path Formulas
20
Path Formulas(Cont.)
21
The Formal Syntax of Temporal Logic
  • Each tool dealing with temporal formulas will
    allow parentheses, and will have its own operator
    priority conventions.
  • Each tool will have its specific set of atomic
    propositions and combinators.
  • Most importantly, as a rule of thumb the scope of
    a model checker will be restricted to a fragment
    of CTL*, most often CTL or LTL.

22
Formal Semantics of Temporal Logic
23
Describing Dynamic Behaviour
24
LTL And CTL Two Temporal Logics
  • LTL (Linear Temporal Logic) and CTL (Computation
    Tree Logic) are the two most commonly used temporal
    logics in model checking tools.
  • Their origins differ (LTL reaches back to [Pnu81]
    and CTL to [CE81, EH82]) but each may be viewed as a
    fragment of CTL*.

25
LTL And CTL Two Temporal Logics (Cont.)

26
Expressive Power (LTL Vs CTL)
27
How to choose from CTL and LTL?
  • Model checking in CTL is more efficient than
    model checking in LTL (the CTL algorithm is linear
    in the size of the formula, whereas LTL model
    checking is exponential in it).
  • If our goal is to state some properties, choose LTL.
  • If we aim for exhaustive verification of a
    system, CTL is more likely to avoid the
    combinatorial explosion pitfall.
  • If we wish to perform verification on-the-fly in
    order to detect possible errors, then LTL is a
    good choice.
  • The main tools use either CTL (SMV) or LTL (SPIN).

28
The Expressivity of CTL
  • Any property of the form "as seen from the
    outside world, the automaton being studied
    behaves like the reference automaton" can
    be expressed in CTL.
  • The CTL combinators are sufficiently expressive.
    A theorem due to Kamp [Kamp68, GPSS80] shows that
    any new temporal combinator whose semantics can
    be expressed as a clause similar to the clauses
    of the formal semantics of temporal logic (Slide 20)
    can be defined as an expression based on X and U.

29
Basic CTL Operators
30
Basic CTL Operators (Cont.)
31
Typical CTL Formulas
32
Model Checking Problem
33
Verification Goals
  • A reachability property states that some
    particular situation can be reached.
  • A safety property expresses that, under certain
    conditions, something never occurs.
  • A liveness property expresses that, under certain
    conditions, something will ultimately occur.
  • A fairness property expresses that, under certain
    conditions, something will (or will not) occur
    infinitely often.
  • Deadlock-freeness is a special property,
    stating that the system can never be in a
    situation in which no progress is possible.

34
Explicit Traversal
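The shared-variable printer protocol of slide 12 and the verification goals of slides 33 and 34, as one added worked example (this is not code from the slides): the two users' guarded automata are unfolded over the variables rA, rB and turn by an explicit breadth-first traversal, and the resulting reachability graph is checked for a safety property (never two users printing), deadlock-freeness and reachability. The local automata (idle, req, wait, print) are a constructed model of Peterson's protocol; the "naive" variant, which tests the other user's flag before raising its own, is constructed to show how a counterexample trace comes out of the traversal.

```python
"""Explicit-state verification of the two-user printer protocol (slide 12).

Added example, not code from the slides. The users' local automata are a
constructed model of Peterson's mutual-exclusion protocol over the shared
variables rA, rB and turn; the "naive" variant is constructed to exhibit a
safety violation. The global automaton is built by breadth-first unfolding of
the guarded transitions, i.e. an explicit traversal of the reachable states.
"""
from collections import deque, namedtuple

IDLE, REQ, WAIT, PRINT = "idle", "req", "wait", "print"

# A global state = local control state of A and B plus the three shared variables.
State = namedtuple("State", "A B rA rB turn")
INIT = State(IDLE, IDLE, False, False, "A")


def successors(st, protocol):
    """Enabled (label, next_state) pairs of the global automaton in state st."""
    out = []
    for me, other in (("A", "B"), ("B", "A")):
        loc = getattr(st, me)
        r_other = getattr(st, "r" + other)
        flag_me = "r" + me
        if protocol == "peterson":
            if loc == IDLE:                      # raise my flag
                out.append(("req_" + me, st._replace(**{me: REQ, flag_me: True})))
            elif loc == REQ:                     # give priority to the other user
                out.append(("yield_" + me, st._replace(**{me: WAIT, "turn": other})))
            elif loc == WAIT and (not r_other or st.turn == me):   # guard
                out.append(("enter_" + me, st._replace(**{me: PRINT})))
            elif loc == PRINT:                   # release the printer
                out.append(("leave_" + me, st._replace(**{me: IDLE, flag_me: False})))
        elif protocol == "naive":
            if loc == IDLE and not r_other:      # test the other flag ...
                out.append(("test_" + me, st._replace(**{me: REQ})))
            elif loc == REQ:                     # ... then set mine: race window
                out.append(("set_" + me, st._replace(**{me: PRINT, flag_me: True})))
            elif loc == PRINT:
                out.append(("leave_" + me, st._replace(**{me: IDLE, flag_me: False})))
        else:
            raise ValueError(protocol)
    return out


def explore(protocol):
    """Breadth-first construction of the reachability graph from INIT.
    Returns (edges, parent): edges[s] lists the successors of s; parent[s] is
    the (label, predecessor) that first reached s, used to rebuild a trace."""
    parent, edges, queue = {INIT: None}, {}, deque([INIT])
    while queue:
        st = queue.popleft()
        edges[st] = successors(st, protocol)
        for label, nxt in edges[st]:
            if nxt not in parent:
                parent[nxt] = (label, st)
                queue.append(nxt)
    return edges, parent


def trace(parent, st):
    """Transition labels of the shortest execution from INIT to st."""
    labels = []
    while parent[st] is not None:
        label, st = parent[st]
        labels.append(label)
    return labels[::-1]


def verify(protocol):
    """Check safety, deadlock-freeness and reachability on the reachability graph."""
    edges, parent = explore(protocol)
    both = [s for s in edges if s.A == PRINT and s.B == PRINT]   # safety violation
    stuck = [s for s in edges if not edges[s]]                   # no progress possible
    return {
        "states": len(edges),
        "mutex_violation": trace(parent, both[0]) if both else None,
        "deadlock": trace(parent, stuck[0]) if stuck else None,
        "A_can_print": any(s.A == PRINT for s in edges),          # reachability
        "B_can_print": any(s.B == PRINT for s in edges),
    }


if __name__ == "__main__":
    for p in ("naive", "peterson"):
        print(p, verify(p))
```

For the naive variant the traversal reports the interleaving test_A, test_B, set_A, set_B that puts both users in the print state; for Peterson's protocol every reachable global state respects mutual exclusion and has an enabled transition.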
35
Advantages of Model Checking
  • Fast (compared to other rigorous methods such as
    theorem proving)
  • Diagnostic counterexamples
  • No problem with partial specifications
  • Logics can easily express many concurrency
    properties

36
Main Disadvantage
  • State explosion: an automaton representing the
    overall system often has so many states that
    constructing it directly is next to impossible.
  • Too many states
  • In digital hardware terms: too many latches
  • Data path
  • Much progress has been made on this problem
    recently!

37
Combating the State Explosion Problem
  • Binary Decision Diagrams can be used to represent
    state transition systems more efficiently.
  • The partial order reduction can be used to reduce
    the number of states that must be enumerated.
  • Many techniques for alleviating state explosion
  • Abstraction.
  • Compositional reasoning.
  • Symmetry.
  • Cone of influence reduction.
  • Semantic minimization.

38
Model Checker Performance
  • Model checkers today can routinely handle systems
    with between 100 and 1000 state variables.
  • Systems with 10^120 reachable states have been
    checked. (Compare approx. 10^78 atoms in the
    universe.)
  • By using appropriate abstraction techniques,
    systems with an essentially unlimited number of
    states can be checked.

39
Temporal Logic Model Checkers
  • The first two model checkers were EMC (Clarke,
    Emerson, Sistla) and CESAR (Queille, Sifakis).
  • SMV was the first model checker to use BDDs. It
    performs BDD-based symbolic model checking of
    CTL formulas on networks of automata with shared
    variables. It was developed by K. L. McMillan under
    the guidance of E. M. Clarke at Carnegie Mellon
    University.
  • SPIN is a tool mainly developed by G. J. Holzmann
    at Bell Labs. It was designed for simulation and
    verification of distributed algorithms. It uses
    partial order reduction to reduce the state
    explosion problem.
  • Design/CPN was initially developed by Meta
    Software Corp. and the CPN Group at the University of
    Aarhus, Denmark. It allows one to edit, simulate
    and verify large hierarchical Coloured Petri Nets.

40
Temporal Logic Model Checkers(Cont.)
  • Verus and Kronos check properties of real-time
    systems.
  • HyTech allows one to analyze linear hybrid
    automata. It was developed by T. A. Henzinger,
    P.-H. Ho and H. Wong-Toi at Cornell University,
    and improvements were added at the University of
    California, Berkeley.
  • UPPAAL is developed jointly by the Basic Research
    in Computer Science (BRICS) laboratory at Aalborg
    University in Denmark and the Department of
    Computer Systems at Uppsala University in Sweden,
    mainly by W. Yi, K. G. Larsen and P. Pettersson. It is
    an integrated tool environment for modeling,
    simulating and verifying real-time systems.

41
A Few Definitions
  • Automata: a set Prop = {P1, P2, ...} of elementary
    properties is given. An automaton is a tuple
    A = (Q, E, T, q0, l) in which
  • Q is a finite set of states,
  • E is the finite set of transition labels,
  • T is the set of transitions,
  • q0 is the initial state of the automaton,
  • l is the mapping which associates with each
    state of Q the finite set of elementary
    properties which hold in that state.
  • Atomic propositions: elementary properties.
  • A latch is an electronic circuit used to store
    information in asynchronous sequential logic
    systems. One latch can store one bit of
    information. Latches are devices which have no
    clock input and change output state only in
    response to data input.

42
A few Definitions(Cont.1)
  • An execution is a sequence of states describing
    one possible evolution of the system.
  • An execution tree is a tree organizing the set
    of possible executions.
  • A path of an automaton A is simply a sequence,
    finite or infinite, of transitions (q_i, e_i, q'_i)
    of A which follow each other, that is, such that
    q'_i = q_{i+1} for each i.
  • A partial execution of A is a path starting from
    the initial state q0.
  • A complete execution is an execution which is
    maximal, that is, which cannot be extended
    (deadlock or infinite).
  • A state is said to be reachable if it appears in
    the execution tree of the automaton.

43
A few Definitions(Cont.2)
  • Symbolic model checking refers to any checking
    method which represents the states and
    transitions of the automaton targeted for
    verification symbolically.
  • A BDD is a particular data structure which is
    very commonly used for the symbolic
    representation of state sets.
  • In asynchronous systems, interleavings of
    independent concurrent events are equivalent, and
    only a representative interleaving needs to be
    explored to verify local properties.
    Partial-order methods exploit this redundancy and
    visit only a subset of the reachable states.
    Symbolic techniques, on the other hand, capture
    the transition relation of a system and the set
    of reachable states as boolean functions. In many
    cases, these functions can be represented
    compactly using binary decision diagrams (BDDs).
    Traditionally, the two techniques have been
    practiced by two different schools--partial-order
    methods with enumerative depth-first search for
    the analysis of asynchronous network protocols,
    and symbolic breadth-first search for the
    analysis of synchronous hardware designs.

44
A few Definitions(Cont.3)
  • Coloured Petri Nets is a graphically oriented
    language for design, specification, simulation
    and verification of systems. It is in particular
    well-suited for systems that consist of a number
    of processes which communicate and synchronize.
    Typical examples of application areas are
    communication protocols, distributed systems,
    automated production systems, workflow analysis
    and VLSI chips. It is developed by the Department of
    Computer Science, University of Aarhus, Denmark.

45
Notable Examples- IEEE Futurebus
  • In 1992 Clarke and his students at CMU used SMV
    to verify the IEEE Futurebus+ cache coherence
    protocol.
  • They found a number of previously undetected
    errors in the design of the protocol.
  • This was the first time that formal methods had
    been used to find errors in an IEEE standard.
  • Although the development of the protocol began in
    1988, all previous attempts to validate it were
    based entirely on informal techniques.

46
Notable Examples-IEEE SCI
  • In 1992 Dill and his students at Stanford used
    Murphi to verify the cache coherence protocol of
    the IEEE Scalable Coherent Interface.
  • They found several errors, ranging from
    uninitialized variables to subtle logical errors.
  • The errors also existed in the complete protocol,
    although it had been extensively discussed,
    simulated, and even implemented.

47
Notable Examples - HDLC
  • A High-level Data Link Controller was being
    designed at AT&T in Madrid in 1996.
  • Researchers at Bell Labs offered to check some
    properties of the design using the FormalCheck
    verifier.
  • Within five hours, six properties were specified
    and five were verified.
  • The sixth property failed, uncovering a bug that
    would have reduced throughput or caused lost
    transmissions!

48
Notable ExamplesPowerPC 620 Microprocessor
  • Richard Raimi used Motorola's Verdict model
    checker to debug a hardware laboratory failure.
  • Initial silicon of the PowerPC 620 microprocessor
    crashed during boot of an operating system.
  • In a matter of seconds, Verdict found a BIU (bus
    interface unit) deadlock causing the failure.

49
Notable Examples-Analog Circuits
  • In 1994 Bosscher, Polak, and Vaandrager won a
    best-paper award for proving manually the
    correctness of a control protocol used in Philips
    stereo components.
  • In 1995 Ho and Wong-Toi verified an abstraction
    of this protocol automatically using HyTech.
  • Later in 1995 Daws and Yovine used Kronos to
    check all the properties stated and hand proved
    by Bosscher, et al.

50
Notable Examples-Edifices
  • In 1995 the Concurrency Workbench was used to
    analyze an active structural control system to
    make buildings more resistant to earthquakes.
  • The control system sampled the forces being
    applied to the structure and used hydraulic
    actuators to exert countervailing forces.
  • A timing error was discovered that could have
    caused the controller to worsen, rather than
    dampen, the vibration experienced during
    earthquakes.

51
Questions?