Model Checking - Vasvi Kakkad, University of Sydney
TRANSCRIPT
INTRODUCTION
Most complicated systems routinely built today – difficult to get right
Failures are costly
Verification techniques are needed
Model Checking
INTRODUCTION
Formal Verification
Apply mathematical arguments to prove the correctness of the system
Aims to find bugs in the system and to correct them
FORMAL VERIFICATION
Build a mathematical model of the system
Write correctness requirements
Analysis – check that the model satisfies the specifications
Verification – the analysis either proves or disproves the correctness claim
MODEL CHECKING
Model Checking – technique for automated correctness verification of safety-critical reactive systems
More generally – algorithmic analysis to check that a model satisfies a specified property
Checks automatically whether a given formula holds in a given model
APPLICATIONS
Electrical circuits
Communication protocols
Digital controllers
Program analysis – e.g. Java PathFinder
MOTIVATION
Software/Hardware system – Specification Language
Requirements – Temporal Logic
State space generated from the specification
Algorithm returns yes, if the property holds for the model; returns no + counterexample, otherwise
MODELING
Convert the system into a formalism – finite automata
Limitation on time and space – use abstraction
Model a system using a Kripke Structure – State Transition Graph
KRIPKE STRUCTURE
Structure over a set of atomic propositions AP
M = (S, S0, R, L)
S – finite set of states
S0 ⊆ S – set of initial states
R ⊆ S × S – transition relation
L : S → 2^AP – function labelling each state with the set of atomic propositions true in that state
EXAMPLE : MICRO-OVEN COOKING
Modeling with Kripke structure M = (S, S0, R, L)
S = {S1, S2, S3, S4}
S0 = {S1} – initial state
R = {(S1, S2), (S2, S1), (S1, S4), (S4, S2), (S2, S3), (S3, S3), (S3, S2)}
L(S1) = {¬close, ¬start, ¬cooking}
L(S2) = {close, ¬start, ¬cooking}
L(S3) = {close, start, cooking}
L(S4) = {¬close, start, ¬cooking}
SPECIFICATION
Specification – property which the model needs to satisfy
Can be described in Temporal Logic
Temporal Logic – two ways:
LTL (Linear Temporal Logic)
CTL (Computation Tree Logic)
COMPARISON : LTL V/S CTL
LTL:
Checks temporal operators along a single path
Counterexamples are easy
Nice automata-theoretic algorithm
Analyzing data flow problems in imperative languages
CTL:
Branching time logic
Operators should be preceded by path quantifiers
More efficient
Amenable to symbolic techniques
Analyzing reactive systems
OPERATORS FOR TEMPORAL LOGIC
Basic Temporal:
X – Next State
F – In the Future
G – Globally
U – Until
Path Quantifiers:
A – Always / All paths
E – Exists (some path)
CTL
CTL operator: path quantifier + temporal operator
Universal formulas: AX f, A(f U g), AG f, AF f
Existential formulas: EX f, E(f U g), EG f, EF f
TEMPORAL PROPERTIES
            Universal    Existential
Safety      AG p         EG p
Liveness    AF p         EF p
Safety – Something bad never happens
Liveness – Something good eventually happens
EXAMPLE : MICRO-OVEN COOKING
Specification with CTL
AG (start → AF cooking)
AG ((close ∧ start) → AF cooking)
VERIFICATION
Temporal Logic Formula + Finite State Model → Model Checker → OK, or Counterexample
EXAMPLE : MICRO-OVEN COOKING
AG (start → AF cooking)
Convert to Negative Normal Form: ¬EF (start ∧ EG ¬cooking)
S(start) = {S3, S4}
S(¬cooking) = {S1, S2, S4}
S(EG ¬cooking) = {S1, S2, S4}
S(start ∧ EG ¬cooking) = {S4}
S(EF (start ∧ EG ¬cooking)) = {S1, S2, S3, S4}
S(¬EF (start ∧ EG ¬cooking)) = {}
PROBLEM WITH LTL MODEL CHECKING
State Space Explosion problem
Number of states typically grows exponentially in the number of processes
MAJOR TECHNIQUES
Based on symbolic structure
Based on automata theory
Other models – alternative methods
SYMBOLIC MODEL CHECKING
Symbolic model checking uses Binary Decision Diagrams (BDDs) to represent the model as sets of states
BDD:
Data structure for representing Boolean functions
Often concise in memory
Canonical representation
Boolean operations can be done in polynomial time in the BDD size
BDD IN MODEL CHECKING
Every set A can be represented by its characteristic function
f_A(u) = 1 if u ∈ A
f_A(u) = 0 if u ∉ A
If the elements of A are encoded by sequences over {0,1}^n then f_A is a Boolean function and can be represented by a BDD
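An added example (not from the lecture) showing the three BDD properties claimed on the previous slide and the characteristic-function encoding described here: a small reduced ordered BDD in Python with a unique table, a Shannon-expansion builder that collapses the full decision tree into the reduced diagram, and a memoised apply for Boolean operations. The function f(a,b,c) is assumed to be (a ∧ b) ∨ c, since the operators in the slide's figure did not survive extraction; the two-bit encoding of the oven's states S1..S4 is constructed for this example. State sets from the oven example are then intersected and united as BDD operations instead of set operations.

```python
from operator import and_, or_

class BDD:
    """Reduced ordered BDD with a unique table, so every Boolean function
    over the fixed variable order has exactly one node (canonical form).
    Terminals are the integers 0 and 1; internal nodes are ids >= 2."""

    def __init__(self, variables):
        self.vars = list(variables)   # variable order; index = level
        self.nodes = {}               # node id -> (level, low, high)
        self.unique = {}              # (level, low, high) -> node id

    def level(self, n):
        return len(self.vars) if n in (0, 1) else self.nodes[n][0]

    def mk(self, level, low, high):
        """Node testing vars[level]: `low` if false, `high` if true. Two
        reductions: a node whose branches agree is dropped, and an existing
        (level, low, high) triple is shared rather than copied."""
        if low == high:
            return low
        key = (level, low, high)
        if key not in self.unique:
            node_id = len(self.nodes) + 2          # 0 and 1 are terminals
            self.nodes[node_id] = key
            self.unique[key] = node_id
        return self.unique[key]

    def build(self, f, level=0, env=None):
        """Shannon expansion of a predicate f(env) over self.vars: walks the
        full decision tree (2^n leaves) and reduces on the way up. Fine for a
        demo; real tools construct BDDs with apply instead."""
        env = {} if env is None else env
        if level == len(self.vars):
            return 1 if f(env) else 0
        v = self.vars[level]
        low = self.build(f, level + 1, {**env, v: False})
        high = self.build(f, level + 1, {**env, v: True})
        return self.mk(level, low, high)

    def apply(self, op, u, v, memo=None):
        """Combine two BDDs with a Boolean operator. Memoising on (u, v)
        bounds the work by |u|·|v| calls: polynomial in BDD size."""
        memo = {} if memo is None else memo
        if u in (0, 1) and v in (0, 1):
            return 1 if op(bool(u), bool(v)) else 0
        if (u, v) in memo:
            return memo[(u, v)]
        lvl = min(self.level(u), self.level(v))
        u_lo, u_hi = self.nodes[u][1:] if self.level(u) == lvl else (u, u)
        v_lo, v_hi = self.nodes[v][1:] if self.level(v) == lvl else (v, v)
        r = self.mk(lvl, self.apply(op, u_lo, v_lo, memo),
                    self.apply(op, u_hi, v_hi, memo))
        memo[(u, v)] = r
        return r

    def evaluate(self, root, env):
        n = root
        while n not in (0, 1):
            lvl, low, high = self.nodes[n]
            n = high if env[self.vars[lvl]] else low
        return bool(n)

    def size(self, root):
        """Number of internal nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n not in (0, 1) and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)


def abc_example():
    """f(a,b,c) assumed to be (a ∧ b) ∨ c. Returns: whether an equivalent
    formula yields the same node, the BDD node count, the tree node count."""
    bdd = BDD(["a", "b", "c"])
    f = bdd.build(lambda e: (e["a"] and e["b"]) or e["c"])
    g = bdd.build(lambda e: (e["c"] or e["a"]) and (e["c"] or e["b"]))
    return f == g, bdd.size(f), 2 ** len(bdd.vars) - 1

# Constructed encoding of the oven's states as bit strings over x1 x0.
STATE_BITS = {"S1": (0, 0), "S2": (0, 1), "S3": (1, 0), "S4": (1, 1)}

def char_function(bdd, states):
    """BDD of the characteristic function f_A(u) = 1 iff u ∈ A."""
    codes = {STATE_BITS[s] for s in states}
    return bdd.build(lambda e: (int(e["x1"]), int(e["x0"])) in codes)

def decode(bdd, root):
    """The set A back from f_A: states whose encoding the BDD accepts."""
    return {s for s, (b1, b0) in STATE_BITS.items()
            if bdd.evaluate(root, {"x1": bool(b1), "x0": bool(b0)})}

def oven_example():
    """Intersection and union of the oven's state sets as BDD operations."""
    bdd = BDD(["x1", "x0"])
    not_cooking = char_function(bdd, {"S1", "S2", "S4"})
    start = char_function(bdd, {"S3", "S4"})
    return (decode(bdd, bdd.apply(and_, start, not_cooking)),
            decode(bdd, bdd.apply(or_, start, not_cooking)))
```

With the order a, b, c the decision tree for (a ∧ b) ∨ c has 7 decision nodes while the reduced BDD has 3, and the syntactically different (c ∨ a) ∧ (c ∨ b) lands on the same node id, which is the canonicity that lets a symbolic checker test fixpoint convergence by comparing two node ids. Intersecting S(start) with S(¬cooking) through apply gives {S4}, matching the set computed on the slide.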
[Figure: BDD FOR F(A,B,C) = (A B ) C – panels: Decision tree; BDD]
SUMMARY
Model Checking – automated verification technique
Hardware/Software model – Kripke Structure
Specification – Temporal Logic (LTL, CTL)
Verification (Model Checking) algorithm
State Space Explosion Problem
Solution: Symbolic Model Checking – BDD