Introduction to SMV and Model Checking - PowerPoint PPT Presentation

1
Introduction to SMV and Model Checking
Mostly by Ken McMillan, Cadence Berkeley Labs, mcmillan_at_cadence.com
Small parts by Brandon Eames, ISIS/Vanderbilt University, b.eames_at_vanderbilt.edu
Presented in the CS 367 class by Aditya
2
SMV Tool
  • Can be downloaded from
    http://www-cad.eecs.berkeley.edu/kenmcmil/smv/dld2.html

3
Outline
  • Quick overview of SMV
  • Model checking
  • Temporal logic
  • Model checking algorithms
  • Expressiveness and complexity
  • Symbolic model checking
  • The state explosion problem
  • Binary Decision Diagrams
  • Computing fixed points with BDDs
  • Application

4
SMV Symbolic Model Verifier
  • Capture system behavior as combinatorial and
    sequential logic finite state machines.
  • Capture system requirements as statements in
    temporal logic
  • SMV applies the requirement specifications to the
    state machine model
  • Attempt to prove that system meets requirements
  • If system fails, attempt to show counterexample

5
How SMV Works
  • Convert system model (the FSM) to OBDD
    representation
  • Convert CTL specifications into operations which
    can be applied to OBDDs
  • Traverse the state space, applying verification
    operations until achieving a fixed point (a
    stable system)
  • Report the results of the traversal, either
    requirements met or not.

6
Example
  MODULE main
  VAR
    request : boolean;
    state : {ready, busy};
  ASSIGN
    init(state) := ready;
    next(state) := case
      state = ready & request : busy;
      1 : {ready, busy};
    esac;
  SPEC
    AG(request -> AF state = busy)
7
SMV's supported CTL operators
  • !  not
  • &  and
  • |  or
  • ->  implies
  • <->  logical equivalence
  • E  existential path quantifier
  • A  universal path quantifier
  • X  next time
  • F  eventually
  • G  globally
  • U  until
8
Propositional Linear Temporal Logic
  • Express properties of Reactive Systems
  • interactive, nonterminating
  • For PLTL, a model is an infinite state sequence
  • Temporal operators
  • Globally: G p at t iff p for all t' ≥ t.

[Figure: timeline showing p at every time point from t onward, labelled G p]
9
Temporal operators...
  • Future: F p at t iff p for some t' ≥ t.

[Figure: timeline showing p at some later time point, labelled F p]
  • Until: p U q at t iff
  • q for some t' ≥ t and
  • p in the range [t, t')

[Figure: timeline showing p at every point up to the point where q holds, labelled p U q]
  • Next-time: X p at t iff p at t+1

10
Examples
  • Liveness: if input, then eventually output
  • G (input ⇒ F output)
  • Strong fairness: infinitely often send implies
    infinitely often recv
  • GF send ⇒ GF recv
  • Weak until: no output before input
  • ¬output W input

Here input, output, send and recv are atomic props, and GF reads "infinitely often".
p W q ≡ p U q ∨ G p
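As an added example (not part of the original slides), the PLTL semantics of slides 8-12 evaluated on an ultimately periodic run, represented as a finite prefix plus a loop; the traces, the tuple encoding of formulas and the function names are my own construction:

```python
# A run is (states, loop): states[i] is the frozenset of atomic props true in
# s_i, and the last state's successor is states[loop] (a lasso-shaped sequence).
def succ(tr, t):
    states, loop = tr
    return t + 1 if t + 1 < len(states) else loop

def positions_from(tr, t):
    seen = []        # distinct times >= t in visiting order; the run repeats after them
    while t not in seen:
        seen.append(t)
        t = succ(tr, t)
    return seen

def holds(tr, t, f):
    """sigma, t |= f, for the primitives on slide 12: true, p, not, or, X, U."""
    op = f[0]
    if op == 'true':  return True
    if op == 'p':     return f[1] in tr[0][t]
    if op == 'not':   return not holds(tr, t, f[1])
    if op == 'or':    return holds(tr, t, f[1]) or holds(tr, t, f[2])
    if op == 'X':     return holds(tr, succ(tr, t), f[1])     # p at t+1
    assert op == 'U'                  # q at some t' >= t, and p throughout [t, t')
    for t2 in positions_from(tr, t):
        if holds(tr, t2, f[2]):
            return True
        if not holds(tr, t2, f[1]):
            return False
    return False

# Derived operators, as slides 9-10 define them.
def P(name): return ('p', name)
def NOT(f): return ('not', f)
def OR(f, g): return ('or', f, g)
def IMPLIES(f, g): return OR(NOT(f), g)
def F(f): return ('U', ('true',), f)          # eventually
def G(f): return NOT(F(NOT(f)))               # globally
def W(f, g): return OR(('U', f, g), G(f))     # weak until: p U q or G p

# Constructed traces: TRACE sees input at s0 and output at s2, then loops
# sending forever without a recv; NO_INPUT never sees input or output.
TRACE = ((frozenset({'input'}), frozenset(), frozenset({'output'}),
          frozenset({'send'}), frozenset({'send'})), 3)
NO_INPUT = ((frozenset(), frozenset({'send', 'recv'})), 1)

def check_examples():
    return {
        'liveness': holds(TRACE, 0, G(IMPLIES(P('input'), F(P('output'))))),
        'strong_fairness': holds(TRACE, 0, IMPLIES(G(F(P('send'))), G(F(P('recv'))))),
        'weak_until': holds(NO_INPUT, 0, W(NOT(P('output')), P('input'))),
    }
```

The loop that sends without ever receiving is the infinite run that refutes strong fairness, while the weak-until spec holds on NO_INPUT only through its G ¬output disjunct.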
11
Safety v. Liveness
  • Safety
  • Refutable by finite run
  • Liveness
  • Refutable only by infinite run
  • Every finite run extensible to satisfying run

12
PLTL semantics
  • Given an infinite sequence σ of states
  • if f is true in state s_i of σ.
  • if f is true in state s_0 of σ.
  • if f is valid.
  • A formula is an atomic proposition, or...
  • true, p ∨ q, ¬p, p U q, X p

13
PLTL semantics...
  • Definition of satisfaction
  • iff
  • iff
  • iff
  • iff
  • iff

Derived operators...
14
Model Checking (Clarke/Emerson, Queille/Sifakis)
G(p -> F q)

[Figure: the temporal formula and the finite-state model are fed to the MC algorithm, which answers "yes", or "no" together with a counterexample run]
Model must now represent all behaviors
15
Kripke models
  • A Kripke model (S,R,L) consists of
  • set of states S
  • set of transitions R ⊆ S × S
  • labeling L ⊆ S × AP
  • Kripke models from programs

repeat p := true; p := false end
[Figure: the resulting two-state Kripke model, alternating between a state labelled ¬p and a state labelled p]
16
Mutual exclusion example
[Figure: Kripke model of the two-process mutual exclusion protocol, initial state N1,N2 turn=0]
N = noncritical, T = trying, C = critical
17
PLTL on Kripke models
  • A path in model M = (S,R,L) is a sequence s0, s1, s2, s3, ...
  • such that (si, si+1) ∈ R.

[Figure: a path s0 s1 s2 s3 ... with p holding at some of its states, illustrating F p]
18
Branching time
  • Model of time is a tree, not a sequence
  • Path quantifiers

[Figure: computation tree in which every branch eventually reaches p, illustrating AF p]
19
Computation Tree Logic
  • Every operator F, G, X, U preceded by A or E
  • Universal modalities...

[Figure: computation trees illustrating AG p (p at every node) and AF p (p eventually on every path)]
20
CTL, cont...
  • Existential modalities

[Figure: computation trees illustrating EG p (p along some entire path) and EF p (p at some reachable node)]
21
CTL, cont
  • Other modalities
  • AX p, EX p, A(p U q), E(p U q)
  • Some dualities...
  • Examples: mutual exclusion specs...

AG ¬(C1 ∧ C2)    mutual exclusion
AG (T1 ⇒ AF C1)  liveness
AG (N1 ⇒ EX T1)  non-blocking
22
Symbolic model checking
  • State explosion problem
  • State graph exponential in program size
  • Symbolic model checking approach
  • Boolean formulas represent sets and relations
  • Use fixed point characterizations of CTL
    operators
  • Model checking without building state graph

Sometimes can handle much larger state space
23
Binary Decision Diagrams (Bryant)
  • Ordered decision tree for f = ab ∨ cd

[Figure: full ordered decision tree over a, b, c, d (one a node, two b nodes, four c nodes, eight d nodes), each with 0 and 1 branches]
24
OBDD reduction
  • Reduced (OBDD) form

[Figure: the reduced OBDD for the same function, with a single node for each of a, b, c, d and shared 0/1 terminals]
Key idea: combine equivalent sub-cases
25
OBDD properties
  • Canonical form (for fixed order)
  • direct comparison
  • Efficient apply algorithm
  • build BDDs for large circuits

[Figure: the apply algorithm combines BDDs f and g into the BDD for f ⟨op⟩ g in time O(|f|·|g|)]
  • Variable order strongly affects size

26
Boolean quantification
  • If v is a boolean variable, then
  • ∃v. f = f|v=0 ∨ f|v=1
  • Multivariate quantification
  • ∃(w1,w2,...,wn). f
  • Complexity on BDD representation
  • worst case exponential
  • heuristically efficient

Example: ∃(b,c). (ab ∨ cd) = a ∨ d
27
Characterizing sets
  • Let M = (S,R,L) be a Kripke model
  • Let S be the set of boolean vectors
  • (v1,v2,...,vn) ∈ {0,1}^n
  • Represent any P ⊆ S by its characteristic
    function cP
  • P = {(v1,v2,...,vn) | cP}
  • Set operations
  • c∅ = false, cS = true
  • c(P ∪ Q) = cP ∨ cQ, c(P ∩ Q) = cP ∧ cQ
  • c(S \ P) = ¬cP

28
Characterizing relations
  • Transition relation R is a set of state pairs
  • R = {((v1,v2,...,vn), (v1',v2',...,vn')) | cR}
  • Examples
  • A synchronous sequential circuit

[Figure: sequential circuit with state variables v0 and v1]
cR = (v0' = ¬v0) ∧ (v1' = v0 ⊕ v1)
29
Transition relations, cont...
  • An asynchronous circuit

[Figure: asynchronous circuit with inputs s and r and two q outputs]
  • Interleaving model
  • Simultaneous model

30
Forward and reverse image
  • Forward image

[Figure: Image(P,R), the set of R-successors of the states in P]
31
Images, cont...
  • Reverse image

[Figure: Image⁻¹(P,R), the set of states with an R-successor in P, i.e. EX P]
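An added example, not from the slides, of the quantification and image computations of slides 26-31 with characteristic functions written as Python predicates over assignments; it assumes the standard definitions Image(P,R)(v') = ∃v. P(v) ∧ R(v,v') and Image⁻¹(P,R)(v) = ∃v'. R(v,v') ∧ P(v') for the two diagrams, and uses slide 28's circuit as the relation:

```python
from itertools import product

# Sets and relations are characteristic functions: Python predicates over an
# assignment dict {variable name: 0 or 1}, as on slides 27-28.
def exists(vs, f):
    """Slide 26: ∃v. f = f|v=0 ∨ f|v=1, applied to each variable of vs in turn."""
    if not vs:
        return f
    v, rest = vs[0], vs[1:]
    return exists(rest, lambda env: f({**env, v: 0}) or f({**env, v: 1}))

def conj(f, g):
    return lambda env: f(env) and g(env)

def rename(f, src, dst):
    """Make f, written over variables src, read its values from variables dst."""
    return lambda env: f({s: env[d] for s, d in zip(src, dst)})

def members(f, vs):
    """The explicit set {(v1..vn) | c_P}, for inspection only."""
    return sorted(bits for bits in product((0, 1), repeat=len(vs))
                  if f(dict(zip(vs, bits))))

# Slide 28's synchronous circuit: v0' = ¬v0, v1' = v0 ⊕ v1.
V, VP = ['v0', 'v1'], ["v0'", "v1'"]
cR = lambda e: e["v0'"] == 1 - e['v0'] and e["v1'"] == e['v0'] ^ e['v1']

def image(P):            # Image(P,R)(v') = ∃v. P(v) ∧ R(v,v'), then drop the primes
    return rename(exists(V, conj(P, cR)), VP, V)

def reverse_image(P):    # Image⁻¹(P,R)(v) = ∃v'. R(v,v') ∧ P(v'), i.e. EX P
    return exists(VP, conj(cR, rename(P, V, VP)))

def quantification_example():
    """Slide 26's example: ∃(b,c). (ab ∨ cd) should equal a ∨ d for every a, d."""
    f = lambda e: (e['a'] and e['b']) or (e['c'] and e['d'])
    g = exists(['b', 'c'], f)
    return all(bool(g({'a': a, 'd': d})) == bool(a or d)
               for a, d in product((0, 1), repeat=2))

def circuit_examples():
    v1_high = lambda e: e['v1'] == 1
    start = lambda e: e['v0'] == 0 and e['v1'] == 0
    return {'EX v1': members(reverse_image(v1_high), V),
            'successors of 00': members(image(start), V)}
```

The circuit cycles 00 → 10 → 01 → 11 → 00, so applying image four times to the start state returns it; SMV performs the same quantifications on OBDDs rather than on enumerated assignments.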
32
Symbolic CTL model checking
  • Equate a formula f with the set of states
    satisfying it
  • Compute BDDs for characteristic functions
  • ¬p, p ∨ q, p ∧ q (use BDD ops)
  • EX p = Image⁻¹(p,R)
  • AX p = ¬EX ¬p
  • Remaining operators have fixed-point
    characterization...

In fact, this is the least fixed point...
33
Fixed points of monotonic functions
  • Let τ be a function S → S
  • Say τ is monotonic when
  • Fixed point of τ is y such that
  • If τ monotonic, then it has
  • least fixed point μy. τ(y)
  • greatest fixed point νy. τ(y)

34
Iteratively computing fixed points
  • Suppose S is finite
  • The least fixed point μy. τ(y) is the limit of
  • The greatest fixed point νy. τ(y) is the limit of

Note, since S is finite, convergence is finite
35
Example EF p
  • EF p is characterized by
  • Thus, it is the limit of the increasing series...

p
p ∨ EX p
p ∨ EX(p ∨ EX p)
. . .
...which we can compute entirely using BDD
operations
36
Example EG p
  • EG p is characterized by
  • Thus, it is the limit of the decreasing series...

p
p ∧ EX p
p ∧ EX(p ∧ EX p)
...
...which we can compute entirely using BDD
operations
37
Remaining operators
  • Allows CTL model checking with only BDD ops
  • Avoid building state graph
  • (Sometimes) avoid state explosion problem

Now you can go home and build your own symbolic
model checker...
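An added example, not from the slides or from SMV: the fixed-point characterizations of slides 32-36, with sets of states held as explicit Python sets instead of BDDs, checked on a constructed two-process mutex model whose transition rules (N → T, T → C when the process holds the turn, C → N handing the turn over) are my own assumption in the spirit of slide 16; the specs are the three from slide 21:

```python
# Constructed two-process mutex in the spirit of slide 16: a state is
# (p1, p2, turn) with p in {N, T, C} and turn in {0, 1, 2} (0 = nobody waiting).
def step(state):
    """Successor states: one process moves per step (interleaving model)."""
    succs = set()
    for i in (0, 1):
        procs, turn = list(state[:2]), state[2]
        me, other = procs[i], procs[1 - i]
        if me == 'N':                       # start trying; claim the turn if free
            procs[i] = 'T'
            succs.add((procs[0], procs[1], turn or i + 1))
        elif me == 'T' and turn == i + 1:   # enter critical only when it is our turn
            procs[i] = 'C'
            succs.add((procs[0], procs[1], turn))
        elif me == 'C':                     # leave; hand the turn to the waiter, if any
            procs[i] = 'N'
            succs.add((procs[0], procs[1], 0 if other == 'N' else 2 - i))
    return succs

def fixpoint(tau, y):
    """Iterate tau from y until stable; a finite state set guarantees termination."""
    while (nxt := tau(y)) != y:
        y = nxt
    return y

INIT = ('N', 'N', 0)
def IMAGE(P): return {t for s in P for t in step(s)}       # forward image
S = fixpoint(lambda y: y | IMAGE(y), {INIT})              # reachable states
def EX(P): return {s for s in S if step(s) & P}           # reverse image
def EF(P): return fixpoint(lambda y: P | EX(y), set())    # least fixed point
def EG(P): return fixpoint(lambda y: P & EX(y), set(S))   # greatest fixed point
def AX(P): return S - EX(S - P)
def AF(P): return S - EG(S - P)
def AG(P): return S - EF(S - P)
def IMPLIES(P, Q): return (S - P) | Q
def atom(i, v): return {s for s in S if s[i] == v}        # C1 is atom(0, 'C')

def check_mutex_specs():
    """Slide 21's specs; a spec holds when the initial state is in its set."""
    c1, c2, t1, n1 = atom(0, 'C'), atom(1, 'C'), atom(0, 'T'), atom(0, 'N')
    return {
        'mutual_exclusion': INIT in AG(S - (c1 & c2)),
        'liveness': INIT in AG(IMPLIES(t1, AF(c1))),
        'non_blocking': INIT in AG(IMPLIES(n1, EX(t1))),
    }
```

When a spec fails, the complement of its set restricted to reachable states is exactly where a counterexample starts, which is how a checker reports the refuting states.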
38
Why does it work?
[Figure: an OBDD over a partially assigned state vector]
Many partial states equivalent...
...implies many subfunctions equivalent...
39
When doesn't it work?
  • Protocols that pass pointers
  • Linked lists
  • Anytime one part of the system knows a large
    amount of information about another part

40
Summary
  • Model checking
  • Automatic verification (or falsification) of
    finite state systems
  • Linear v. branching time logics
  • State explosion problem
  • Binary Decision Diagrams
  • Heuristically efficient boolean operations
  • Image calculations
  • Fixed point characterization of CTL
  • Model checking without building state graph
  • Applications
  • Find subtle errors in complex protocols