Lecture #11 : Model Checking I

(An Automated Verification Technique)

Topics 1) Formal Verification Overview 2) Model Checking Overview 3) Computational Tree Logics

Why Verification??

Design Validation aims to ensure that the design of a computer system, eg. software, hardware or communication protocols, is correct.

Implementation Validation aims to ensure that the implementation of such a computer system is correct.

The traditionally practiced methods for both design validation and implementation validation are the techniques of simulation and testing.

Those methods are effective in the very early stages of debugging. But those methods can never offer the guarantee of the correctness. An alternative to simulation and testing is the approach of formal verification.

While simulation and testing explore some of the possible behavior of the system, formal verification conducts an exhaustive exploration of all possible behaviors.

Formal Verification
Formal verification techniques can be thought of as comprising three parts:

1) A framework for modeling system, typically a description language of some sort; 2) A specification language for describing the properties to be verified; 3) A verification method to establish whether the description of a system satisfies the specification.

In a proof-based approach, the verification method consists of trying to find a proof |- where represents the model and represents the specification.

In a model-based approach, the system is represented by a finite model M for an appropriate logic.

The specification is again represented by a formula and the verification method consists of computing whether a model M satisfies

. (M |= )

Model Checking
Model Checking is an automatic technique for finite state concurrent systems. Developed independently by Clarke and Emerson, and by Queille and Sifakis in early 1980s. Specification is written in propositional temporal logic. Verification procedure is an exhaustive search of the state space of the design.

Advantages of Model Checking

Fast Provides Counterexample the specification fails to hold. No problem with partial specification Logics can easily express many concurrency properties

Main Disadvantages of Model Checking

State Explosion problem Too many processes Too many data paths Much progress has been made on this problem recently.

Basic Temporal Operators

The symbol p is an atomic proposition, eg. DeviceEnabled. Fp means p holds sometimes in the future. Gp means p holds globally in the future. Xp means p holds next. p U q means p holds until q holds.

Model of Computation
State Transition System is the model of Temporal Logic. The model contains several states and transition between states. A state contains current values of something that we are interested in, eg. current values of variables in a program, actual states of physical devices, etc. A formula can be true in some states and false in others. A transition between states represents a computation step. Consider the figure for Microwave Oven.

Temporal Logic Specification

The oven does not heat up until the door is closed. Not heat_up holds Until door_closed heat_up U door_closed Before the door is closed, the oven must not heat up.

Model Checking Problem

Let M be a model expressed as a state-transition graph. Let f be the specification in temporal logic. Find all states s of M such that M, s |= f. ie. SS = { s in M | M, s |= f } Suppose that s0 is an initial state of the system, the model checker outputs the answers yes if s0 SS and no otherwise; in the latter case, the model checker also produces a trace of system behavior which causes this failure.

Clarkes System
Model the system using a description language of a model checker, arriving at a model M. Code the property using the specification language of the model checker, resulting in a temporal logic formula . Run the model checker with input M and . Consider the Clarkes model checker system.

10

Model Checker Performance

Model Checker today can handle systems with between 100 and 300 state variables. System with 10120 reachable states has been checked.

11

Successful Industrial Experience

In 1992, Clarke and his students at CMU used SMV, a model checker, to verify the IEEE Future+ cache coherence protocol. They found a number of previously undetected errors in the design of the protocol. In 1992, Dill and his students at Stanford used Murphi, a model checker, to verify the cache coherence protocol of the IEEE scalable coherent interface. They found several errors ranging from uninitialized variable to subtle logical errors. The errors also existed in the complete protocol, although it had been extensively analyzed, simulated and even implemented !!!!. A High-level Data Link Controller was being designed at AT&T in 1996. Researcher at Bell Labs offered to check some properties of the design using FormalCheck Verifier. Six properties failed to hold, uncovering a bug that would have reduced throughput or caused lost transmissions !!!. Raimi used Motorolas Verdict model checker to debug a hardware laboratory failure. Initial Silicon of the PowerPC 620 Microprocessor crashed during boot of an operating system. In a matter of seconds, Verdict found a BIU deadlock causing the failure.

12

Successful Industrial Experience (cont.)

A special purpose model checker was used at AT&T in the software development of CCITT ISDN User Part Protocol. Five verification engineers analyzed 145 requirements. A total of 7,500 lines of SDL source code were verified. 112 errors were found; about 55% of the original design requirement were found logically inconsistent. There are many other successful examples of the use of model checking in hardware and protocol verification. Many large industries such as INTEL, IBM, MOTOROLA, etc. are starting to use model checking.

13

Model of Computation
Formally, a Kripke structure is a triple M = (S, R, L), where o S is the set of states, o R S S is the transition relation, and o L : S P(AP) gives the set AP of atomic propositions true in each state. For example, let S = {s0, s1, s2} and R = { (s0, s2), (s2, s2), (s1, s2), (s1, s0), (s0,s1) }. L(s0) = {p, q} L(s1) = {q, r} L(s2) = {r}. This model is illustrated as a graph in figure 3.2. We assume that R is total (ie. for all states s S there exists a state s

S such that (s, s) R).

In other words, there is no dead-end state. A path in M is an infinite sequence of states, = s0, s1, such that for i 0, (si, si+1) R and si S. For example, the following are paths in the model in figure 3.2. t0, t1, t0, t1, t0, t1, t1, t0, t1, t0, t2, t2, We write i to denote the suffix of starting at si, ie. the i-th element in the path . if = t1, t0, t1, t0, t2, t2, then 0= t1, t0, t1, t0, t2, t2, 1= t0, t1, t0, t2, t2, and 2= t1, t0, t2, t2,
14

Computation Tree Logics

Temporal Logics may differ according to how they handle branching in the underlying computation tree. In a linear temporal logic, operators are provided for describing events along a single computation path. In a branching-time logic, the temporal operators quantify over the paths that are possible from a given state.

15

The Logic CTL*

The computation tree logic CTL* combines both branching-time and linear-time operators. Conceptually, CTL* formulae describe properties of computation trees. The tree is formed by designating a state in a Kripke structure as the initial state and then unwinding the structure into an infinite tree with the designated state at the root. Figure 3.4 shows the computation tree of the model in figure 3.2. In this logic, a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators.

1) Path quantifier : A for every path E there exists a path

2) Linear time operators : Xp p holds next time Fp p holds sometime in the future Gp p holds globally in the future pUq p holds until q holds.

16

Path formulae and State formulae

Path formulae are formulae which are defined wrt. a path. State formulae are formulae which are defined wrt. a state. CTL* is the set of state formulae generated by the following rules. The syntax of state formulae is given by the following rules: o If p AP, then p is a state formula where AP stands for a set of all atomic propositions. o If f and g are state formulae, then f, f g, f g and f g are state formulae. o If f is a path formula, then Ef and Af are a state formula. Two additional rules are needed to specify the syntax of path formulae: o If f is a state formula, then f is also a path formula. o If f and g are path formulae, then f, f g, Xf, Ff, Gf and f U g are path formulae. State formula can be interpreted on a path by considering the first state of the path. Thus, state formula is a path formula. For example, the following are state formulae. p, q, p q, E(p q), Aq, EFq, EFEq, AAp where p and q are atomic propositions. The following are examples of path formulae. p, q, p q, E(p q), Aq, Xp, FFq, FGf, FAq

17

State formulae
If f is a state formula, the notation M, s |= f means that f holds at state s in the Kripke structure M. Assume f1 and f2 are state formulae and g is a path formula. The relation M, s |= f is defined inductively as follows: 1) s |= p iff p L(s) 2) s |= f1 iff it is not true that s |= f1 3) s |= f1 f2 iff s |= f1 or s |= f2 4) s |= Eg iff there exists a path starting with s such that |= g. 5) s |= Ag iff for all paths starting with s, |= g.

18

Path Formulae
If f is a path formula, M, |= f means that f holds along path in Kripke structure M. Assume g1 and g2 are path formulae and f is a state formula. The relation M, |= f is defined inductively as follows: 1) |= f iff s is the first state of and s |= f. 2) |= g1 iff it is not the case that |= g1. 3) |= g1 g2 iff |= g1 or |= g2. 4) |= Xg1 iff 1 |= g1. 5) |= Gg1 iff for all i 0, i |= g1. 6) |= Fg1 iff there exists i 0 such that i |= g1. 7) |= (g1 U g2) iff there exists i 0 such that

i |= g2 and for 0 j < i, j |= g1.

19

Example of the Semantics of State and Path formulae

For example, in the model in figure 3.2, the following is true. t0 |= p q

t0 |= Ep

t0 |= Ap t0, t1, t2, t2, t2, |= (p q) t0, t1, t2, t2, t2, |= G(p q r) t0, t1, t2, t2, t2, |= X( q r) t0, t1, t0, t2, t2, |= q U q t0 |= EX (q r) (because t1 |= q r ) (because t2 |= q but t0 and t1 |= q) (because t0 |= (p q))

(due to path t0, t1, t2, t2, t2,)

t0 |= AX r t0 |= EF (p q)

(due to path t0, t1, t0, t1, t0, t1,..)

20

Standard Abbreviations
Af is equivalent to E(f) This is because A represents the universal quantification on paths whereas E represents the existential quantification on paths. In first-order predicate logic, X p(X) is equivalent to X p(X). Gf is equivalent to F(f). This is because G represents the universal quantification of states in a path whereas F stands for the existential quantification of states in a path. Ff is equivalent to (T U f)

21

CTL
CTL is a restricted subset of CTL* that permits only branching-time operators each of the linear-time operators G, F, X, and U must be immediately preceded by a path quantifier. For example, AG(EF p) Note that we will focus on CTL in this course. More precisely, CTL is the subset of CTL* that is obtained by restricting the syntax of path formulae. The rule for the syntax of path formulae is as follows: If f and g are state formulae, then Xf, Ff, Gf and f U g are path formulae. In summary, the syntax of CTL is defined by the following. Definition 1 We define CTL formula inductively via a Backus Naur form.

::= | T | p | () | ( ) | ( ) | () | AX | EX |

A[ U ] | E[ U ] | AG | EG | AF | EF.
where p ranges over atomic formulae. There are eight basic CTL operators:

AX and EX, AF and EF AG and EG, AU and EU

22

LTL
LTL consists of formulae that have the form Af where f is a path formula in which the only state subformulae permitted are atomic propositions. For example, A(FG p) More precisely, an LTL path formula is defined by the following: If p AP, then p is a path formula. If f and g are path formulae, then f, f g, Xf, Ff, Gf and are path formulae. Note that the semantics for path quantifiers and linear-time operators in CTL*, CTL and LTL are defined identically. fUg

23

Expressive Power
It can be shown that the three logics, namely CTL*, CTL, LTL, have different expressive powers. For example, there is no CTL formula that is equivalent to the LTL formula A(FG p). Like wise, there is no LTL formula that is equivalent to the CTL formula AG(EF p). The disjunction A(FG p) AG(EF p) is a CTL* formula that is not expressible in either CTL or LTL.

24

Example of CTL
Consider the model in figure 3.2, the following holds. M, t0 |= EX (q r) M, t0 |= AX (q r) M, t0 |= EF (p r) M, t2 |= EG r M, t2 |= AG r M, t0 |= AF r M, t0 |= E( (p q) U r) M, t0 |= A(p U r)

25

Practical pattern of CTL specifications

It is possible to get to a state where started holds, but ready does not hold:

EF(started ready)
For any state, if a requested (of some resource) occurs, then it will eventually be acknowledged:

AG(requested AF acknowledged)
A certain process is enabled infinitely often on every computation path:

AG(AF enabled)
Note that AG enabled means that a process is always enabled infinitely. AF enabled : eventually enabled on every computation path. Whatever happens, a certain process will eventually be permanently deadlocked:

AF(AG deadlock)
From any state it is possible to get to a restart state:

AG(EF restart)
Note that EF restart means that it is possible to get to a restart state from a specific state (possibly from the initial state).

26

Practical pattern of CTL specifications (cont.)

An upwards traveling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor:

AG( (at_2_floor upward_direction ButtonPressed_5) A(upward_direction U at_5_floor))

The elevator can remain idle on the third floor with its doors closed:

AG(at_3_floor idle door_closed EG(at_3_floor idle door_closed))

27

Equivalence between CTL formulae

Definition 2 Two CTL formulas and are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this . A is a universal quantifier on paths and E is the corresponding existential quantifier. Moreover, G and F are also universal and existential quantifier, ranging over the states along a particular path.

AF EG AG EF
On any particular path, each state has a unique successor. Therefore, X is its own dual on computation paths and we have

AX EX
We also have the equivalence

AF A(T U )

EF E(T U )

The connective AX can be written EX and AG, AF, EG and EF can be written in terms of AU and EU.

AG EF E(T U ) EG AF A(T U )
28

Equivalence between CTL formulae (cont.)

Therefore AU, EU and EX form an adequate set of temporal connectives. Also EG, EU, and EX form an adequate set, because we have the equivalence

A[p U q] (E (p U (p q) ) EG q)
In other words, AU can be represented by EU and EG. Theorem 1 The set of operator , and together with AU, EU and

EX are adequate for CTL: any CTL formula can be transformed into a
semantically equivalent CTL formula which uses only those logical connectives This is because EG can be represented by AF.

29