Introduction to Model Checking - PowerPoint PPT Presentation

Slides: 51
Provided by: grant62

Transcript and Presenter's Notes

1
Introduction to Model Checking
Ken McMillan, Cadence Berkeley Labs, mcmillan_at_cadence.com
2
Outline
  • Model checking
  • Temporal logic
  • Model checking algorithms
  • Expressiveness and complexity
  • Symbolic model checking
  • The state explosion problem
  • Binary Decision Diagrams
  • Computing fixed points with BDDs
  • Application

3
Propositional Linear Temporal Logic
  • Express properties of Reactive Systems
  • interactive, nonterminating
  • For PLTL, a model is an infinite state sequence
  • Temporal operators
  • Globally: G p at t iff p at t' for all t' ≥ t.

[Figure: a state sequence with p holding at every position from t on, annotated "G p"]
4
Temporal operators...
  • Future: F p at t iff p at t' for some t' ≥ t.

[Figure: a state sequence with p holding at some later position, annotated "F p"]
  • Until: p U q at t iff
  • q at t' for some t' ≥ t and
  • p in the range [t, t')

[Figure: a state sequence with p at every position up to the position where q holds, annotated "p U q"]
  • Next-time: X p at t iff p at t+1

5
Examples
  • Liveness if input, then eventually output
  • G (input ⇒ F output)
  • Strong fairness: infinitely send implies infinitely recv.
  • GF send ⇒ GF recv
  • Weak until: no output before input
  • ¬output W input

Notes on the slide: input, output, send and recv are atomic props; GF p reads "infinitely often p"; p W q ≡ p U q ∨ G p
6
Safety v. Liveness
  • Safety
  • Refutable by finite run
  • Liveness
  • Refutable only by infinite run
  • Every finite run extensible to satisfying run

7
PLTL semantics
  • Given an infinite sequence
  • if f is true in state si of s.
  • if f is true in state s0 of s.
  • if f is valid.
  • A formula is an atomic proposition, or...
  • true, p ∨ q, ¬p, p U q, X p

8
PLTL semantics...
  • Definition of satisfaction
  • iff
  • iff
  • iff
  • iff
  • iff

Derived operators...
9
Model Checking (Clarke/Emerson, Queille/Sifakis)
[Figure: a temporal formula such as G(p → F q) and a finite-state model are input to the MC algorithm, which answers "yes", or "no" together with a counterexample run]
Model must now represent all behaviors
10
Kripke models
  • A Kripke model (S,R,L) consists of
  • set of states S
  • set of transitions R ⊆ S × S
  • labeling L ⊆ S × AP
  • Kripke models from programs

repeat p := true; p := false end
[Figure: the resulting two-state Kripke model, states labelled ¬p and p, with transitions between them]
11
Mutual exclusion example
[Figure: state graph for two processes, initial state N1,N2 turn=0]
N = noncritical, T = trying, C = critical
12
PLTL on Kripke models
  • A path in model M = (S,R,L) is a sequence s0, s1, s2, ... such that (si, si+1) ∈ R.

[Figure: a path s0 → s1 → s2 → s3 → ... with p labelling some of its states, illustrating F p]
13
Branching time
  • Model of time is a tree, not a sequence
  • Path quantifiers

[Figure: a computation tree in which p is reached on every branch, illustrating AF p]
14
Computation Tree Logic
  • Every operator F, G, X, U preceded by A or E
  • Universal modalities...

[Figure: two computation trees: AG p (p at every state on every branch) and AF p (p reached somewhere on every branch)]
15
CTL, cont...
  • Existential modalities

[Figure: two computation trees: EG p (p at every state along some branch) and EF p (p reached somewhere on some branch)]
16
CTL, cont
  • Other modalities
  • AX p, EX p, A(p U q), E(p U q)
  • Some dualities...
  • Examples: mutual exclusion specs...

AG ¬(C1 ∧ C2)   mutual exclusion
AG (T1 ⇒ AF C1)   liveness
AG (N1 ⇒ EX T1)   non-blocking
17
CTL model checking
  • Model checking problem
  • Determine for given M, s0 and f, whether
  • Simple algorithm
  • Inductive over structure of formula
  • Backward propagation of formula labels
  • O(|f| · |V| · (|V| + |E|))

18
Example
AG (T1 ⇒ AF C1)
[Figure: state graph of the mutual exclusion example over the states N1,N2 turn=0; T1,N2 turn=1; N1,T2 turn=2; T1,T2 turn=1; C1,N2 turn=1; T1,T2 turn=2; N1,C2 turn=2; C1,T2 turn=1; T1,C2 turn=2]
19
CES algorithm
  • Need only modalities EX, EU, EG.
  • e.g.,
  • Checking E(p U q) by backward BFS
  • Checking EG p

[Figure: E(p U q) by backward BFS from the q-states through p-states; EG p from the nontrivial SCCs of the p-subgraph]
Complexity O(|f| (|V| + |E|))
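As an added example (not code from the slides), here is an explicit-state checker for the three modalities the CES algorithm needs, EX, E(p U q) by backward BFS and EG p via the SCCs of the p-subgraph, run on a hand-built copy of the mutual exclusion model from the earlier slides. The nine states are the ones the slides show; the transition relation (no self-loops, one process moves per step), the atomic-proposition labeling and every function name are assumptions made for this example.

```python
# Added example, not code from the slides: explicit-state CTL checking with the
# CES modalities EX, EU, EG on a hand-built mutual exclusion model.
# States are (status of process 1, status of process 2, turn); N = noncritical,
# T = trying, C = critical.  The successor lists in R are our assumption.
STATES = [
    ("N", "N", 0), ("T", "N", 1), ("N", "T", 2), ("T", "T", 1), ("C", "N", 1),
    ("T", "T", 2), ("N", "C", 2), ("C", "T", 1), ("T", "C", 2),
]
INIT = ("N", "N", 0)
R = {
    ("N", "N", 0): [("T", "N", 1), ("N", "T", 2)],
    ("T", "N", 1): [("C", "N", 1), ("T", "T", 1)],
    ("N", "T", 2): [("N", "C", 2), ("T", "T", 2)],
    ("T", "T", 1): [("C", "T", 1)],
    ("T", "T", 2): [("T", "C", 2)],
    ("C", "N", 1): [("N", "N", 0), ("C", "T", 1)],
    ("N", "C", 2): [("N", "N", 0), ("T", "C", 2)],
    ("C", "T", 1): [("N", "T", 2)],
    ("T", "C", 2): [("T", "N", 1)],
}
ALL = frozenset(STATES)
PRED = {s: [t for t in STATES if s in R[t]] for s in STATES}   # reverse edges

def atom(proc, status):
    """Labeling L: the states where process `proc` (1 or 2) is N, T or C."""
    return frozenset(s for s in STATES if s[proc - 1] == status)

def NOT(p): return ALL - p
def IMPLIES(p, q): return NOT(p) | q

def EX(p):
    """Some successor satisfies p."""
    return frozenset(s for s in STATES if any(t in p for t in R[s]))

def EU(p, q):
    """E(p U q): backward BFS from the q-states through p-states only."""
    found, work = set(q), list(q)
    while work:
        t = work.pop()
        for s in PRED[t]:
            if s in p and s not in found:
                found.add(s)
                work.append(s)
    return frozenset(found)

def EG(p):
    """EG p: p-states that can reach a nontrivial SCC of the p-subgraph."""
    index, low, stack, on_stack, seeds = {}, {}, [], set(), set()
    def tarjan(v):                                   # Tarjan's SCC algorithm
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in R[v]:
            if w not in p:                           # stay inside the p-subgraph
                continue
            if w not in index:
                tarjan(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                       # v is the root of an SCC
            scc = []
            while True:
                w = stack.pop(); on_stack.discard(w); scc.append(w)
                if w == v:
                    break
            if len(scc) > 1 or v in R[v]:            # nontrivial: contains a cycle
                seeds.update(scc)
    for v in p:
        if v not in index:
            tarjan(v)
    return EU(p, frozenset(seeds))

def EF(p): return EU(ALL, p)
def AF(p): return NOT(EG(NOT(p)))          # dualities from the CTL slides
def AG(p): return NOT(EF(NOT(p)))

def holds(spec): return INIT in spec

C1, C2, T1, N1 = atom(1, "C"), atom(2, "C"), atom(1, "T"), atom(1, "N")
SPECS = {
    "mutual exclusion": AG(NOT(C1 & C2)),
    "liveness":         AG(IMPLIES(T1, AF(C1))),
    "non-blocking":     AG(IMPLIES(N1, EX(T1))),
}

def check_all():
    """Map each spec name to whether it holds in the initial state."""
    return {name: holds(spec) for name, spec in SPECS.items()}

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:18s} {'holds' if ok else 'FAILS'}")
```

The SCC step is what separates EG from a plain backward search: a p-state satisfies EG p only if it can reach, through p-states, a component that carries a cycle. In this assumed model the ¬C1 subgraph has exactly one such component (the three states in which process 1 stays in N), so AF C1 holds in every T1 state and the liveness spec passes; adding a self-loop to a T1,N2 state would create another nontrivial ¬C1 component and make it fail, which is the kind of behaviour fairness assumptions are used to rule out.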
20
CTL*
  • Contains both CTL and LTL
  • path formulas
  • p U q, G p, F p, X p, ¬p, p ∧ q
  • state formulas
  • A p, E p
  • p in LTL ≡ A p in CTL*
  • Framework for comparing expressiveness
  • Existential properties not expressible in PLTL
  • e.g., AG EF p
  • Fairness assumptions not expressible in CTL
  • e.g., A (GF p ⇒ GF q)

21
Model checking complexities
PLTL   O(2^|f| (|V| + |E|))
CTL    O(|f| (|V| + |E|))
CTL*   PSPACE COMPLETE
Note: all are linear in model size
22
Comparing CTL and LTL
  • Think of CTL formulas as approximations to LTL
  • AG EF p is weaker than G F p

Good for finding bugs...
  • AF AG p is stronger than F G p

Good for verifying...
  • CTL formulas easier to verify

So, use CTL when it applies...
23
Symbolic model checking
  • State explosion problem
  • State graph exponential in program size
  • Symbolic model checking approach
  • Boolean formulas represent sets and relations
  • Use fixed point characterizations of CTL
    operators
  • Model checking without building state graph

Sometimes can handle much larger state space
24
Binary Decision Diagrams (Bryant)
  • Ordered decision tree for f = ab ∨ cd

[Figure: full ordered decision tree for f with order a < b < c < d: one a node, two b nodes, four c nodes and eight d nodes, each with a 0 and a 1 branch]
25
OBDD reduction
  • Reduced (OBDD) form

[Figure: the reduced OBDD for f = ab ∨ cd, with a single node for each of a, b, c, d]
Key idea: combine equivalent sub-cases
26
OBDD properties
  • Canonical form (for fixed order)
  • direct comparison
  • Efficient apply algorithm
  • build BDDs for large circuits

[Figure: apply combines the BDDs for f and g into the BDD for f <op> g in time O(|f| · |g|)]
  • Variable order strongly affects size

27
Boolean quantification
  • If v is a boolean variable, then
  • ∃v. f = f|v=0 ∨ f|v=1
  • Multivariate quantification
  • ∃(w1, w2, ..., wn). f
  • Complexity on BDD representation
  • worst case exponential
  • heuristically efficient

Example: ∃(b,c). (ab ∨ cd) = a ∨ d
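To make the BDD slides concrete, here is an added example (not code from the slides or from any BDD package): a minimal reduced ordered BDD with a unique table, Bryant's apply over Shannon cofactors, restrict and existential quantification. It builds f = ab ∨ cd, shows that the reduced form has four nodes under a < b < c < d but six under a < c < b < d, and checks the slide's example ∃(b,c).(ab ∨ cd) = a ∨ d by comparing node ids, which canonicity makes legitimate. The class and function names are ours; node ids 0 and 1 are the FALSE and TRUE terminals.

```python
# Added example, not code from the slides: a minimal ROBDD package.
import operator

class BDD:
    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}   # variable -> level
        self.nodes = [None, None]   # id -> (level, low, high); ids 0/1 terminal
        self.unique = {}            # (level, low, high) -> id  (unique table)
        self.memo = {}              # apply cache

    def mk(self, level, low, high):
        """Reduction rules: drop a redundant test, share equal sub-cases."""
        if low == high:
            return low
        key = (level, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(self.level[name], 0, 1)

    def _top(self, u):   # root level of u; terminals sit below every variable
        return self.nodes[u][0] if u > 1 else len(self.level)

    def _cofactors(self, u, lvl):
        """(u|x=0, u|x=1) for the variable at level lvl."""
        if self._top(u) == lvl:
            return self.nodes[u][1], self.nodes[u][2]
        return u, u                 # x does not occur at the root of u

    def apply(self, op, u, v):
        """Bryant's apply: recurse on the topmost variable of u and v."""
        key = (op, u, v)
        if key not in self.memo:
            if u <= 1 and v <= 1:
                r = int(op(u, v))
            else:
                lvl = min(self._top(u), self._top(v))
                u0, u1 = self._cofactors(u, lvl)
                v0, v1 = self._cofactors(v, lvl)
                r = self.mk(lvl, self.apply(op, u0, v0), self.apply(op, u1, v1))
            self.memo[key] = r
        return self.memo[key]

    def AND(self, u, v): return self.apply(operator.and_, u, v)
    def OR(self, u, v):  return self.apply(operator.or_, u, v)
    def NOT(self, u):    return self.apply(operator.xor, u, 1)

    def restrict(self, u, name, value):
        """f|name=value: replace the test on `name` by the chosen branch."""
        lvl = self.level[name]
        if u <= 1 or self._top(u) > lvl:   # `name` does not occur in u
            return u
        top, lo, hi = self.nodes[u]
        if top == lvl:
            return hi if value else lo
        return self.mk(top, self.restrict(lo, name, value),
                       self.restrict(hi, name, value))

    def exists(self, u, names):
        """Exists v. f = f|v=0 OR f|v=1, applied for each quantified variable."""
        for name in names:
            u = self.OR(self.restrict(u, name, 0), self.restrict(u, name, 1))
        return u

    def size(self, u):
        """Number of nonterminal nodes reachable from u."""
        seen = set()
        def walk(x):
            if x > 1 and x not in seen:
                seen.add(x)
                walk(self.nodes[x][1]); walk(self.nodes[x][2])
        walk(u)
        return len(seen)

def build_ab_or_cd(order):
    """Build f = ab OR cd under the given variable order."""
    bdd = BDD(order)
    a, b, c, d = (bdd.var(x) for x in "abcd")
    return bdd, bdd.OR(bdd.AND(a, b), bdd.AND(c, d))

def node_counts():
    """Reduced size of f under two orders (the full decision tree has 15 nodes)."""
    counts = {}
    for order in ("abcd", "acbd"):
        bdd, f = build_ab_or_cd(order)
        counts[order] = bdd.size(f)
    return counts

def quantify_bc():
    """Exists (b,c).(ab OR cd) equals a OR d: one node-id comparison."""
    bdd, f = build_ab_or_cd("abcd")
    return bdd.exists(f, "bc") == bdd.OR(bdd.var("a"), bdd.var("d"))

if __name__ == "__main__":
    print(node_counts(), quantify_bc())
```

Two design points carry over to real packages: every node is created through mk, so the two reduction rules are applied on construction and the structure is canonical by construction, and the apply cache is keyed on the operation and both operand ids, which is what gives the O(|f| · |g|) bound on the previous slide.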
28
Characterizing sets
  • Let M = (S,R,L) be a Kripke model
  • Let S be the set of boolean vectors
  • (v1, v2, ..., vn) ∈ {0,1}^n
  • Represent any P ⊆ S by its characteristic function χP
  • P = { (v1, v2, ..., vn) | χP }
  • Set operations
  • χ∅ = false,  χS = true
  • χ(P ∪ Q) = χP ∨ χQ,  χ(P ∩ Q) = χP ∧ χQ
  • χ(S \ P) = ¬χP

29
Characterizing relations
  • Transition relation R is a set of state pairs
  • R = { ((v1, v2, ..., vn), (v1', v2', ..., vn')) | χR }
  • Examples
  • A synchronous sequential circuit

[Figure: a two-bit synchronous circuit with state bits v0, v1]
χR = (v0' = ¬v0) ∧ (v1' = v0 ⊕ v1)
30
Transition relations, cont...
  • An asynchronous circuit

[Figure: an asynchronous circuit with signals s, r and two q outputs]
  • Interleaving model
  • Simultaneous model

31
Forward and reverse image
  • Forward image

[Figure: forward image Image(P,R) of a state set P under relation R]
32
Images, cont...
  • Reverse image

[Figure: reverse image Image⁻¹(P,R) of P under R, which is EX P]
33
Symbolic CTL model checking
  • Equate a formula f with the set of states satisfying it
  • Compute BDDs for characteristic functions
  • ¬p, p ∨ q, p ∧ q (use BDD ops)
  • EX p = Image⁻¹(p,R)
  • AX p = ¬EX ¬p
  • Remaining operators have fixed-point
    characterization...

In fact, this is the least fixed point...
34
Fixed points of monotonic functions
  • Let τ be a function S → S
  • Say τ is monotonic when
  • Fixed point of τ is y such that
  • If τ monotonic, then it has
  • least fixed point μy. τ(y)
  • greatest fixed point νy. τ(y)

35
Iteratively computing fixed points
  • Suppose S is finite
  • The least fixed point μy. τ(y) is the limit of
  • The greatest fixed point νy. τ(y) is the limit of

Note, since S is finite, convergence is finite
36
Example: EF p
  • EF p is characterized by
  • Thus, it is the limit of the increasing series...

p
p ∨ EX p
p ∨ EX(p ∨ EX p)
. . .
...which we can compute entirely using BDD operations
37
Example: EG p
  • EG p is characterized by
  • Thus, it is the limit of the decreasing series...

p
p ∧ EX p
p ∧ EX(p ∧ EX p)
. . .
...which we can compute entirely using BDD operations
38
Remaining operators
  • Allows CTL model checking with only BDD ops
  • Avoid building state graph
  • (Sometimes) avoid state explosion problem

Now you can go home and build your own symbolic
model checker...
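Taking the slide at its word, here is an added example (not code from the slides) of the fixed-point part of a symbolic model checker: the increasing series for EF p and the decreasing series for EG p, built from the reverse image of the "Images" slides, plus forward-image reachability, all run on the two-bit synchronous circuit of the "Characterizing relations" slide, χR = (v0' = ¬v0) ∧ (v1' = v0 ⊕ v1). State sets are explicit frozensets here rather than BDDs, so the representation differs from the slides while the iteration structure is the same; the function names are ours.

```python
# Added example, not code from the slides: mu/nu fixed-point iteration for EF,
# EG and reachability, with sets of states held as explicit frozensets.
from itertools import product

STATES = frozenset(product((0, 1), repeat=2))    # all (v0, v1) bit vectors

def chi_R(s, t):
    """Characteristic function of the transition relation, s -> t."""
    v0, v1 = s
    n0, n1 = t
    return n0 == 1 - v0 and n1 == v0 ^ v1        # v0' = NOT v0, v1' = v0 XOR v1

def image(P):
    """Forward image Image(P,R): successors of the states in P."""
    return frozenset(t for t in STATES if any(chi_R(s, t) for s in P))

def preimage(P):
    """Reverse image, i.e. EX P: predecessors of the states in P."""
    return frozenset(s for s in STATES if any(chi_R(s, t) for t in P))

def lfp(tau):
    """mu y. tau(y): iterate from the empty set until the series stabilises."""
    y, series = frozenset(), []
    while True:
        series.append(y)
        z = tau(y)
        if z == y:
            return y, series
        y = z

def gfp(tau):
    """nu y. tau(y): iterate from the full set S until the series stabilises."""
    y, series = STATES, []
    while True:
        series.append(y)
        z = tau(y)
        if z == y:
            return y, series
        y = z

def EF(p):         # limit of p, p OR EX p, p OR EX(p OR EX p), ...
    return lfp(lambda y: p | preimage(y))

def EG(p):         # limit of p, p AND EX p, p AND EX(p AND EX p), ...
    return gfp(lambda y: p & preimage(y))

def reach(init):   # forward reachability: init, init OR Image(init), ...
    return lfp(lambda y: init | image(y))

def bits(v0=None, v1=None):
    """States whose bits match the given values (None = don't care)."""
    return frozenset(s for s in STATES
                     if (v0 is None or s[0] == v0) and (v1 is None or s[1] == v1))

def demo():
    both = bits(1, 1)                      # the state v0 = v1 = 1
    ef, ef_series = EF(both)
    eg, eg_series = EG(STATES - both)      # EG NOT(v0 AND v1)
    return {"EF_v0v1": ef, "EG_not_v0v1": eg,
            "ef_steps": len(ef_series), "eg_steps": len(eg_series),
            "reachable": reach(frozenset({(0, 0)}))[0]}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if isinstance(value, frozenset) else value)
```

The circuit is a two-bit counter (00 → 01 → 10 → 11 → 00 in v1 v0 order), so EF(v0 ∧ v1) grows by one state per iteration until it covers S, and EG ¬(v0 ∧ v1) shrinks to ∅ because every path eventually passes through 11; that empty result is exactly the statement AF(v0 ∧ v1) = ¬EG ¬(v0 ∧ v1) = S. Since S is finite, both series are guaranteed to stop, which is the convergence remark on the fixed-point slides.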
39
Example: Gigamax cache protocol

[Figure: clusters, each with processors (P) and memory (M) on a cluster bus, connected through a UIC to the global bus]
  • Bus snooping maintains local consistency
  • Message passing protocol for global consistency

40
Protocol example

[Figure: the same architecture with clusters A, B, C; cluster B has a read miss and cluster A holds the owned copy]
  • Cluster B read → cluster A
  • Cluster A response → B and main memory
  • Clusters A and B end shared

41
Protocol correctness issues
  • Protocol issues
  • deadlock
  • unexpected messages
  • liveness
  • Coherence
  • each address is sequentially consistent
  • store ordering (system dependent)
  • Abstraction is relative to properties specified

42
One-address abstraction
  • Cache replacement is nondeterministic
  • Message queue latency is arbitrary

[Figure: cluster A with IN and OUT message queues whose contents are unknown]
output of A may or may not occur at any given time
43
Specifications
  • Absence of deadlock
  • SPEC AG (EF p.readable EF p.writable)
  • Coherence
  • SPEC AG((p.readable bit -> EF(p.readable bit))

Abstraction: bit = 0 if data < n, 1 otherwise
44
Counterexample: deadlock in 13 steps

[Figure: clusters A, B, C on the global bus; the owned copy is in cluster A]
  • Cluster A read → global (waits, takes lock)
  • Cluster C read → cluster B
  • Cluster B response → C and main memory
  • Cluster C read → cluster A (takes lock)

45
State space explosion
  • State space growth is exponential

46
BDD performance
  • BDD size growth is linear

47
BDD performance
  • Run time growth is quadratic

48
Why does it work?
[Figure: an OBDD over the state variables]
Many partial states equivalent...
...implies many subfunctions equivalent...
49
When doesn't it work?
  • Protocols that pass pointers
  • Linked lists
  • Anytime one part of the system knows a large
    amount of information about another part

50
Summary
  • Model checking
  • Automatic verification (or falsification) of
    finite state systems
  • Linear v. branching time logics
  • State explosion problem
  • Binary Decision Diagrams
  • Heuristically efficient boolean operations
  • Image calculations
  • Fixed point characterization of CTL
  • Model checking without building state graph
  • Applications
  • Find subtle errors in complex protocols