1 introduction to model checking ken mcmillan cadence berkeley labs [email protected]
TRANSCRIPT
22
Outline Model checking
– Temporal logic
– Model checking algorithms
– Expressiveness and complexity
Symbolic model checking
– The “state explosion” problem
– Binary Decision Diagrams
– Computing fixed points with BDD’s
– Application
33
Propositional Linear Temporal Logic Express properties of “Reactive Systems”
– interactive, nonterminating
For PLTL, a model is an infinite state sequence
210 ,, sss
Temporal operators
– “Globally”: G p at t iff p for all t’ t.
p p p p p p p p p p p...
G p...
44
Temporal operators...– “Future”: F p at t iff p for some t’ t.
p p p p p p
F p...
– “Until”: p U q at t iff
– q for some t’ t and
– p in the range [ t, t’ )
p p p p p p
p U q...
p p p q
– “Next-time”: X p at t iff p at t+1
55
Examples Liveness: “if input, then eventually output”
G (input F output)
Strong fairness: “infinitely send implies infinitely recv.”
GF send GF recv
Weak until: “no output before input”
output W input
atomic props
infinitely often
p W q p U q G p
66
Safety v. Liveness Safety
– Refutable by finite run
Liveness
– Refutable only by infinite run
– Every finite run extensible to satisfying run
77
PLTL semantics Given an infinite sequence
– if is true in state si of .
– if is true in state s0 of .
– if is valid.
A formula is an atomic proposition, or...
true, p q, p, p U q, X p
210 ,, sss
`̀is, `̀`̀
88
PLTL semantics... Definition of satisfaction
iff
iff
iff
iff
iff
(atomic) , asi `̀ (atomic) , asi `̀psi `̀,qpsi `̀,pXsi `̀,
psjki
qsij
k
j
`̀
`̀
, : allfor and
, : somefor
psi /, `̀qsps ii `̀`̀ ,or ,
psi `̀1, qUpsi `̀,
pFGp
qUFp
qpqp
true
)(Derived operators...
99
Model Checking (Clarke/Emerson, Queille/Sifakis)
MC
G(p -> F q)yes
nop
q
p
q
temporal formula
finite-state model
algorithm
counterexample
Model must now represent all behaviors
1010
Kripke models A Kripke model (S,R,L) consists of
– set of states S
– set of transitions R SS
– labeling L SAP
Kripke models from programs
p p
repeat p := true; p := false;end
1111
Mutual exclusion example
N1,N2turn=0
T1,N2turn=1
T1,T2turn=1
C1,N2turn=1
C1,T2turn=1
N1,T2turn=2
T1,T2turn=2
N1,C2turn=2
T1,C2turn=2
N = noncritical, T = trying, C = critical
1212
PLTL on Kripke models A path in model M = (S,R,L) is a sequence
such that (si,si+1) R.
Ssss 210 ,,
fssss
fsM
`̀
`̀
0210
0
, of ,, paths allfor
iff
,
F p
p
p
p
s0 s1s2 s3...
1313
Branching time Model of time is a tree, not a sequence
Path quantifiers
fMssssomefEsM
fMsssallfAsM
`̀`̀
`̀`̀
, of ,, paths for iff ,
, of ,, paths for iff ,
2100
2100
AF p
p
p
p
1414
Computation Tree Logic Every operator F, G, X, U preceded by A or E
Universal modalities...
p p
p
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
AG p
p p p p
p
p p
AF p
1515
CTL, cont... Existential modalities
p
p
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
EG p
p p
EF p
1616
CTL, cont Other modalities
AX p, EX p, A(p U q), E(p U q)
Some dualities...
Examples: mutual exclusion specs...
AG (C1 C2) mutual exclusion
AG (T1 AF C1) liveness
AG (N1 EX T1) non-blocking
pEGAFp
pEFAGp
1717
CTL model checking Model checking problem:
– Determine for given M, s0 and f, whether
Simple algorithm:
– Inductive over structure of formula
– Backward propagation of formula labels
– O(f V(V + E))
fM `̀0 ,
1818
Example
N1,N2turn=0
T1,N2turn=1
T1,T2turn=1
C1,N2turn=1
C1,T2turn=1
N1,T2turn=2
T1,T2turn=2
N1,C2turn=2
T1,C2turn=2
AG (T1 AF C1)
1919
CES algorithm Need only modalities EX, EU, EG.
– e.g.,
– Checking E(p U q) by backward BFS
– Checking EG p
pEGAFp
pEFAGp
q
pBFS
pSCC
SCCSCC
EG p
Complexity = O(f (V + E))
2020
CTL* Contains both CTL and LTL
– path formulas
p U q, G p, Fp, Xp, p, p q
– state formulas
A p, E p
p in LTL A p in CTL*
Framework for comparing expressiveness
– Existential properties not expressible in PLTL
e.g., AG EF p
– Fairness assumptions not expressible in CTL
e.g., A (GF p GF q)
2121
Model checking complexities
CTL
PLTLO(2f (V+E))
CTLO(f (V+E))
*
=
Note: all are linear in model size
PSPACE COMPLETE
2222 8
Comparing CTL and LTL Think of CTL formulas as approximations to LTL
– AG EF p is weaker than G F p
So, use CTL when it applies...
– AF AG p is stronger than F G p
pGood for finding bugs...
Good for verifying...p p
CTL formulas easier to verify
2323
Symbolic model checking State explosion problem
– State graph exponential in program size
Symbolic model checking approach
– Boolean formulas represent sets and relations
– Use fixed point characterizations of CTL operators
– Model checking without building state graph
Sometimes can handle much larger sate space
2424
Binary Decision Diagrams (Bryant)
Ordered decision tree for f = ab + cd
0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1
d d d d d d d d
c c c c
0 1
0 1 0 1
0 1 0 1 0 1 0 1
b b
a
2525
OBDD reduction Reduced (OBDD) form:
0 1
d
c
01
0 1
0 1
b
a
0
1
Key idea: combine equivalent sub-cases
2626
OBDD properties
Canonical form (for fixed order)
– direct comparison
Efficient apply algorithm
– build BDD’s for large circuits f
g O(|f| |g|)
fg
Variable order strongly affects size
2727
Boolean quantification If v is a boolean variable, then
v.f = f |v =0 V f |v =1
Multivariate quantification
w1,w2,…,wn). f
Complexity on BDD representation
– worst case exponential
– heuristically efficient
Example: b,c). (ab cd) = a d
2828
Characterizing sets Let M = (S,R,L) be a Kripke model
Let S be the set of boolean vectors
(v1,v2,…,vn) {0,1}n
Represent any P S by its characteristic function P
P = {(v1,v2,…,vn) : P}
Set operations
– = false S = true
– PQ= P V Q PQ = P Q
– S\ P= P
2929
Characterizing relations Transition relation R is a set of state pairs…
R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : R}
Examples
– A synchronous sequential circuit
v1
v0
R = (v’0 = v0) (v’1 = v0 v1)
3030
Transition relations, cont...– An asynchronous circuit s
r q
q
– Interleaving model
)'())('(
)'())('(
qqqrq
qqqsqR
– Simultaneous model
)'())('(
)'())('(
qqqrq
qqqsqR
3131
Forward and reverse image Forward image
})',( and , somefor :'{),(Image RPRP vvvvv
))',()((.)'(),(Image vvvvv RPRP
PR
Image(P,R)
3232
Images, cont... Reverse image
})',( and ',' somefor :{),(Image-1 RPRP vvvvv
))',()'(('.)(),(Image vvvvv RPRP
PR
Image-1(P,R)
= EX P
3333
Symbolic CTL model checking Equate a formula f with the set of states satisfying it…
Compute BDD’s for characteristic functions…
– p, p q, p q (use BDD ops)
– EX p = Image-1(p,R)
– AX p = EX p
Remaining operators have fixed-point characterization...
}|:{ fvSf v
pEFEXppEF
In fact, this is the least fixed point...
3434
Fixed points of monotonic functions Let be a function S S
Say is monotonic when
Fixed point of is y such that
If monotonic, then it has
– least fixed point y. (y)
– greatest fixed point y. (y)
)()( implies yxyx
yy )(
3535
Iteratively computing fixed points Suppose S is finite
– The least fixed point y. (y) is the limit of
– The greatest fixed point y. (y) is the limit of
(false))((false)false
(true))((true)true
Note, since S is finite, convergence is finite
3636
Example: EF p EF p is characterized by
Thus, it is the limit of the increasing series...
)(. yEXpypEF
pp EX pp EX(p EX p)
. . .
...which we can compute entirely using BDD operations
3737
Example: EG p EG p is characterized by
Thus, it is the limit of the decreasing series...
)(. yEXpypEG
...which we can compute entirely using BDD operations
p EX p pp EX(p EX p)
...
3838
Remaining operators
Allows CTL model checking with only BDD ops
– Avoid building state graph
– (Sometimes) avoid state explosion problem
))((.)(
))((.)(
)(.
)(.
yAXpqyqUpA
yEXpqyqUpE
yAXpypAG
yAXpypAF
Now you can go home and build your own symbolic model checker...
3939
Example: “Gigamax” cache protocol
Bus snooping maintains local consistency
Message passing protocol for global consistency
M P P . . .
cluster bus
M P P . . .
. . .
global bus
UIC
UIC
UIC
. . .
4040
Protocol example
Cluster B read --> cluster A Cluster A response --> B and main memory Clusters A and B end shared
M P P . . .
cluster bus
M P P . . .
. . .
global bus
UIC
UIC
UIC
. . .
owned copy read miss
A B C
4141
Protocol correctness issues
Protocol issues– deadlock– unexpected messages– liveness
Coherence
– each address is sequentially consistent– store ordering (system dependent)
Abstraction is relative to properties specified
4242
One-address abstraction Cache replacement is nondeterministic
Message queue latency is arbitrary
IN OUT? A ? ? ?
output of A may or may notoccur at any given time
4343
Specifications
Absence of deadlock
SPEC AG (EF p.readable & EF p.writable);
CoherenceSPEC AG((p.readable & bit ->
~EF(p.readable & ~bit));
{ 0 if data < n1 otherwise
bit =
Abstraction:
4444
Counterexample: deadlock in 13 steps
Cluster A read --> global (waits, takes lock) Cluster C read --> cluster B Cluster B response --> C and main memory Cluster C read --> cluster A (takes lock)
M P P . . .
cluster bus
M P P . . .
. . .
global bus
UIC
UIC
UIC
. . .
owned copy from cluster A
A B C
4545
1.00E+081.00E+091.00E+101.00E+11
1.00E+121.00E+131.00E+14
0 1 2 3 4 5 6 7Caches per cluster
Rea
chab
le s
tate
s
State space explosion
State space growth is exponential
4646
0
50000
100000
150000
200000
250000
0 1 2 3 4 5 6 7Caches per cluster
BD
D n
od
es
BDD performance
BDD size growth is linear
4747
0
200
400
600
800
1000
0 1 2 3 4 5 6 7Caches per cluster
s
Executiontime
BDD performance
Run time growth is quadratic
4848
Why does it work?
. . .
. . .
. . .
Many partial states equivalent...
...implies many subfunctions equivalent...
OBDD
4949
When doesn’t it work?
Protocols that pass pointers
Linked lists
Anytime one part of the system “knows” a large amount of information about another part
5050
Summary Model checking
– Automatic verification (or falsification) of finite state systems
– Linear v. branching time logics
State explosion problem
– Binary Decision Diagrams
– Heuristically efficient boolean operations
– Image calculations
– Fixed point characterization of CTL
– Model checking without building state graph
Applications
– Find subtle errors in complex protocols