Page 1
SYMBOLIC MODEL CHECKING: 10^20 STATES AND BEYOND
J.R. Burch, E.M. Clarke, K.L. McMillan, D. L. Dill, L. J. Hwang
Presented by Rehana Begam
Page 2: OUTLINE
- Motivation
- Definitions
- Symbolic Model Checking
- Contribution
- Mu-Calculus Encoding
- Binary Decision Diagram Representation
- Model Checking Algorithm
- CTL Model Checking
- Empirical Results
- Summary
- Future Work
Page 3: MOTIVATION
Many different methods exist for automatically verifying finite state systems (LTL, CTL)
All rely on algorithms that explicitly represent a state space, using a list or table that grows in proportion to the number of states
The number of states in the model grows exponentially with the number of concurrently executing components
The size of the state table is the limiting factor in applying these algorithms to realistic systems
Page 4: MOTIVATION
This "state explosion problem" cannot be handled by state enumeration methods
Explicit state enumeration methods are limited to systems with at most 10^8 reachable states
The problem can be eliminated by representing the state space symbolically instead of explicitly
This technique verifies models with more than 10^20 states!
Page 5: DEFINITIONS
Relational variable: a predicate or a function
Abstraction operator λ: used in lambda calculus; f(x1, x2) is written as λ x1, x2 [f]
Relational term: λ y1, …, yn [f], where f is a formula and the yi are individual variables
R is a relational term and P is a relational variable with arity n
Fixed point of a function f: an element x such that f(x) = x
Page 6: DEFINITIONS
Least fixed point: the least element that is a fixed point. y is the lfp of f in S iff
(f(y) = y) ∧ ∀x ∈ S . ((f(x) = x) ⇒ (y ⊆ x))
Greatest fixed point: the greatest element that is a fixed point. y is the gfp of f in S iff
(f(y) = y) ∧ ∀x ∈ S . ((f(x) = x) ⇒ (x ⊆ y))
Fixed point operators: μ and ν are the lfp and gfp operators used in the mu-calculus
Monotone function: a function f is monotone iff for all P ⊆ S and Q ⊆ S, P ⊆ Q ⇒ f(P) ⊆ f(Q)
Page 7: DEFINITIONS
Variable interpretation
Individual, IP: for each individual variable y, IP(y) is a value in the domain D
Relational, IR: for each n-ary relational variable P, IR(P) is an n-ary relation over the domain D
Substitution of variables
The substitution of a variable w for a variable v in a formula f, denoted f⟨v ← w⟩:
f⟨v ← w⟩ ⇒ ∃v [(v ⇔ w) ∧ f]
Page 8: SYMBOLIC MODEL CHECKING
In explicit state model checking, we represent the Kripke structure as a graph and implement the model checking algorithm as a graph traversal.
Two main steps:
Encode the model domain: describe sets of states as propositional logic formulae instead of by enumeration (Mu-Calculus), e.g.
S = {1, 2, 3, 4, 5} = {x | 1 ≤ x ≤ 5}
Compact representation: represent those logical formulae / Boolean functions using an efficient means of manipulating Boolean functions: Binary Decision Diagrams
Page 9: CONTRIBUTIONS
Provides a generalized symbolic model checking method by using a dialect of the Mu-Calculus as the primary specification language
Describes a model checking algorithm for Mu-Calculus formulas that uses BDDs to represent relations and formulas
Shows how the Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL and LTL model checking
Discusses how it can be used to verify a simple synchronous pipeline circuit
Page 10: MU-CALCULUS
Syntax:
In this formula, R can be a relational variable or a relational term of one of the following two forms:
The second form represents the least fixed point of R, where R must be formally monotone in P
Page 11: MU-CALCULUS
Example:
Page 12: MU-CALCULUS
Formal definition: given a finite signature, each symbol in it is either an individual variable or a relational variable with some positive arity. Two syntactic categories are defined recursively: formulas and relational terms.
Formula:
Page 13: MU-CALCULUS
Relational term:
∀, ∧, ⇒, and ⇔ are treated as abbreviations in the usual manner
¬R is an abbreviation for
R ∨ R' is an abbreviation for
Page 14: MU-CALCULUS
Model M = (D, IR, ID), where D is the domain
Semantic function
Page 15: MU-CALCULUS
Page 16: BINARY DECISION DIAGRAM
Widely used in various tools for the design and analysis of digital circuits
Canonical form representation for Boolean formulas
Similar to a binary decision tree
Allows many practical systems with extremely large state spaces to be verified, which are impossible to handle with explicit state enumeration methods
Page 17: BINARY DECISION DIAGRAM
A DAG in which the occurrence of variables is ordered from the root to a leaf.
Example:
Formula: (a ∧ b) ∨ (c ∧ d)
Ordering: a < b < c < d
The assignment (a ← 1, b ← 0, c ← 1, d ← 1) leads to a leaf node labeled 1
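The slide's example worked in code, as an added illustration that is not part of the presentation or the paper: a minimal reduced ordered BDD with a unique table, built by Shannon expansion over a fixed variable order. It builds (a ∧ b) ∨ (c ∧ d), follows the assignment from the slide to the leaf labeled 1, and also shows the practical caveat that the variable order decides the size (4 internal nodes for a < b < c < d, 6 for a < c < b < d). Class and function names are the example's own.

```python
# Added example (not from the slides): minimal ROBDD with hash-consing, built by Shannon expansion.

class BDD:
    def __init__(self, order):
        self.vars = list(order)                          # rank -> variable
        self.rank = {v: i for i, v in enumerate(order)}  # variable -> rank
        self.nodes = {0: None, 1: None}                  # id -> (var, low, high); 0/1 are leaves
        self.unique = {}                                 # (var, low, high) -> id
    def mk(self, var, low, high):
        if low == high:             # both branches equal: the test is redundant
            return low
        key = (var, low, high)
        if key not in self.unique:  # share identical subgraphs -> canonical form
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]
    def var(self, v): return self.mk(v, 0, 1)
    def top(self, f):               # rank of f's root variable (leaves sort last)
        return self.rank[self.nodes[f][0]] if f > 1 else len(self.vars)
    def cofactor(self, f, v):       # (f|v=0, f|v=1); unchanged if f does not test v
        return self.nodes[f][1:] if f > 1 and self.nodes[f][0] == v else (f, f)
    def apply(self, op, f, g):      # combine two BDDs by Shannon expansion on the top variable
        memo = {}
        def rec(f, g):
            if f <= 1 and g <= 1:
                return int(op(bool(f), bool(g)))
            if (f, g) not in memo:
                v = self.vars[min(self.top(f), self.top(g))]
                (f0, f1), (g0, g1) = self.cofactor(f, v), self.cofactor(g, v)
                memo[(f, g)] = self.mk(v, rec(f0, g0), rec(f1, g1))
            return memo[(f, g)]
        return rec(f, g)
    def evaluate(self, f, env):     # follow one root-to-leaf path under an assignment
        while f > 1:
            v, lo, hi = self.nodes[f]
            f = hi if env[v] else lo
        return f
    def size(self, f):              # internal nodes reachable from f
        seen, todo = set(), [f]
        while todo:
            n = todo.pop()
            if n > 1 and n not in seen:
                seen.add(n); todo.extend(self.nodes[n][1:])
        return len(seen)

def build_example(order):  # BDD for (a AND b) OR (c AND d) under the given variable order
    b = BDD(order)
    band, bor = (lambda x, y: x and y), (lambda x, y: x or y)
    root = b.apply(bor, b.apply(band, b.var("a"), b.var("b")),
                        b.apply(band, b.var("c"), b.var("d")))
    return b, root
```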
Page 18: MODEL CHECKING ALGORITHM
For the Mu-Calculus, using BDDs as the internal representation:
BDDATOM(f) returns a BDD that is 1 iff f = 1
The last case substitutes xi by a dummy variable di
FixedPoint() is the standard iterative technique
Page 19: CTL MODEL CHECKING
A CTL formula f is true of the Kripke structure M = (A, S, L, N, S0) ⇔ the Mu-Calculus formula f' is true of the structure M' = (S, IR, ID)
If the CTL formula f is an abbreviation for the Mu-Calculus relational term R, then f is true at state s iff R(s) is true
If f has no temporal operators, then it represents the relational term R
Page 20: CTL MODEL CHECKING
EX f = λs [ ∃t [ f(t) ∧ N(s, t) ] ]
EG f = f ∧ EX EG f
     = νQ [ f ∧ EX Q ]
     = νQ [ λs [ f(s) ∧ ∃t [ Q(t) ∧ N(s, t) ] ] ]
E[f U g] = g ∨ (f ∧ EX E[f U g])
         = μQ [ g ∨ (f ∧ EX Q) ]
         = μQ [ λs [ g(s) ∨ (f(s) ∧ ∃t [ Q(t) ∧ N(s, t) ]) ] ]
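The fixed-point characterisations on this slide, together with the FixedPoint() iteration of page 18, carried out in code as an added example that is not part of the presentation or the paper. State sets are plain Python sets rather than BDDs so that the ν/μ iterations stay visible; the five-state Kripke structure, its labelling and the function names are constructed for this example. It also shows the usual safety question in this form: a bad state is reachable from an initial state iff that state lies in E[true U bad].

```python
# Added example (not from the slides): EX, EG = nu Q.(f AND EX Q) and
# E[f U g] = mu Q.(g OR (f AND EX Q)), evaluated by iterating until stable.

def ex(states, N, Q):
    """EX Q: states with at least one N-successor in Q."""
    return {s for s in states if any((s, t) in N for t in Q)}

def gfp(states, F):
    """nu Q.F(Q): start from all states and shrink until stable."""
    Q = set(states)
    while (nxt := F(Q)) != Q:
        Q = nxt
    return Q

def lfp(F):
    """mu Q.F(Q): start from the empty set and grow until stable."""
    Q = set()
    while (nxt := F(Q)) != Q:
        Q = nxt
    return Q

def eg(states, N, f):
    """EG f = nu Q.(f AND EX Q)."""
    return gfp(states, lambda Q: f & ex(states, N, Q))

def eu(states, N, f, g):
    """E[f U g] = mu Q.(g OR (f AND EX Q))."""
    return lfp(lambda Q: g | (f & ex(states, N, Q)))

def holds_at(s, R):
    """Page 19: the CTL formula holds at s iff s is in the relation R computed for it."""
    return s in R

def can_reach(states, N, init, bad):
    """Reachability of a bad state from init is E[true U bad] evaluated at init."""
    return holds_at(init, eu(states, N, set(states), bad))

# Constructed Kripke structure: 5 states, N given as a set of (s, t) pairs.
# States 0-1-2-3 form a cycle with a self-loop on 2; state 4 only loops on itself.
STATES = {0, 1, 2, 3, 4}
N = {(0, 1), (1, 2), (2, 2), (2, 3), (3, 0), (4, 4)}
P = {0, 1, 2, 4}      # states labelled p
QS = {3}              # states labelled q

def demo():
    eg_p = eg(STATES, N, P)        # {0, 1, 2, 4}: 4 stays in p forever on its loop
    eu_pq = eu(STATES, N, P, QS)   # {0, 1, 2, 3}: state 4 can never reach q
    return eg_p, eu_pq
```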
Page 21: EMPIRICAL RESULTS
The pipeline performs three-address logical and arithmetic operations on a register file
Three pipeline stages:
- Operand read from the register file
- ALU (Arithmetic Logic Unit) operation
- Write back to the register file
Page 22: EMPIRICAL RESULTS
The pipeline with 12 bits has approximately 1.5 × 10^29 reachable states
The number of nodes in the BDD is asymptotically linear in the number of bits, not exponential
The verification time is polynomial in the number of bits
Page 23: SUMMARY
With a suitable encoding of the model domain and a compact representation for relations, the complexity of various graph-based verification algorithms is reduced
The regular structure of the data path logic, captured by the BDD representation, results in space complexity that is linear in the number of circuit components rather than exponential
Page 24: FUTURE WORK
Characterization of the models for which the BDD-based Mu-Calculus checker is efficient
Applicability of the developed technique to common graph algorithms whose results can be expressed as relations, such as minimum spanning trees, graph isomorphism, etc.