Model Checking Basics

Netw 703 Network Protocols Model Checking Basics Dr. Eng. Amr T. Abdel-Hamid • Slides based on slides of: • K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. • E. Clarke, Formal Methods, to be updated by course name • S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”. Winter 2012

Branching Time Temporal Logic (BTTL) • Structure of time: an infinite tree, each instant may have many successor instants • Along each path in the tree, the corresponding timeline is isomorphic to N • State quantifiers: Xp, Fp, Gp, pUq (like in linear temporal logic) • Path quantifiers: for All paths (A) and there Exists a path (E) from a given state A = ∀ E = ∃ • In linear time logic, temporal operators are provided for describing events along a single future, however, when a linear formula is used for specification, there is usually an implicit universal quantification over all possible futures (linear traces) • In contrast, in branching time logic the operators usually reflect the branching nature of time by allowing explicit quantification over possible futures in any state

CTL • Formulas are constructed from path quantifiers and temporal operators: • Path quantifier: • A: for every path • E: there exists a path • Temporal Operator: • F: holds sometime in the future • X: holds next time • G: holds globally in the future • p U q: p holds until q hold • i.e. AF, AG, AX, A( U ), EF, EG, EX, E( U )

CTL

CTL: Computation Tree Logic

CTL Example • Structure M <S,R,L>: • A Kripke structure: triple M = <S, R, L> • S: set of states R ⊆ S × S: transition relation • L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}

Example: • Two input Muller C-element (assuming finite discrete delays): • Specification in CTL: • Liveness: If inputs remain equal, then eventually the output will change to this value. • AG( A( ( a=0 ∧ b=0 ) U ( out=0 ∨ a=1 ∨ b=1 ) ) ) • AG( A( ( a=1 ∧ b=1 ) U ( out=1 ∨ a=0 ∨ b=0 ) ) ) • Safety: If all inputs and the output have the same value then the output should not change until all inputs change their values. • AG( ( a=0 ∧ b=0 ∧ out=0 ) ⇒ A( out=0 U (a=1 ∧ b=1 ) ) ) • AG( ( a=1 ∧ b=1 ∧ out=1 ) ⇒ A( out=1 U (a=0 ∧ b=0 ) ) )

Model Checking Problem • Given an FSM M (equivalent Kripke structure) and a temporal logic formula p, does M define a model of p? • Determine the truth of a formula with respect to a given (initial) state in M • Find all states s of M such that (M, s)  p • For any propositional temporal logic, the model checking problem is decidable: exhaustive search of all paths through the finite input structure

Model Checking Problem

Theoretical Background • Theorem [Wolper, 1986]: The model checking for CTL is in deterministic polynomial time • Theorem [Sistla & Clark, 1985]: The model checking problem for PLTL is PSPACE complete • Theorem [Emerson & Lei, 1987]: Given any model-checking algorithm for a linear logic LTL, there is a model checking algorithm for the corresponding branching logic BTL, whose basic modalities are defined by the LTL, of the same order of complexity • • Theorem [Clark, Emerson & Sistla, 1986]: The model checking problem for CTL* is PSPACE-complete

PSPACE-complete

Fixpoints Algorithm • Model Checking Algorithms • Original algorithm described in terms of labeling the CTL structure (Clark83) • Required explicit representation of the whole state space • Better algorithm based on fixed point calculations • Algorithm amenable to symbolic formulation • Symbolic evaluation allows implicit enumeration of states • Significant improvement in maximum size of systems that can be verified

Symbolic model checking • Symbolic model checking approach • Boolean formulas represent sets and relations • Use fixed point characterizations of CTL operators • Model checking without building complete state graph • CTL model checking problem can be solved in O(|f|  (|S|+|R|)) Note that the complexity is linear in the size of the formula and the transition system • Recall that the size of the transition system is exponential in the number of variables (this is called the state space explosion problem)

CTL Model Checking Algorithm • Translate the formula to a formula which uses the basis • EX p, EG p, E(p U q) • Start from the innermost subformulas • Label the states in the transition system with the subformulas that hold in that state • Initially states are labeled with atomic properties • Each (temporal or boolean) operator has to be processed once • Processing of each operator takes O(|S|+|R|)

CTL Model Checking Algorithm • Boolean operators are easy • p : Each state which is not labeled with p should be labeled with p • p  q : Each state which is labeled with both p and q should be labeled with p  q • p  q : Each state which is labeled with p or q should be labeled with p  q

CTL Model Checking Algorithm: EX p • EX p is easy to do in O(|S|+|R|) • All the nodes which have a next state labeled with p should be labeled with EX p p p s1 s2 s3 s4 p, EX p p, EX p s1 s2 s3 s4 EX p

CTL Model Checking Algorithm: E(pUq) • E(pUq): Find the states which are the source of a path where p U q holds • Find the nodes that reach a node that is labeled with q by a path where each node is labeled with p • Label such nodes with E(pUq) • It is a reachability problem which can be solved in O(|S|+|R|) • First label the nodes which satisfy q with E(pUq) • For each node labeled with E(pUq), label all its previous states that are labeled with p with E(p U q)

CTL Model Checking Algorithm: E(pUq) p p s1 s2 s3 s4 q p, E(pUq) p, E(pUq) s1 s2 s3 s4 q, E(pUq)

CTL Model Checking Algorithm: EG p • EG p: Find infinite paths where each node on the path is labeled with p, and label nodes in such paths with EG p • First remove all the states which do not satisfy p from the transition graph • Compute the strongly connected components of the remaining graph, and then find the nodes which can reach the strongly connected components (both of which can be done in O(|S|+|R|) • Label the nodes in the strongly connected components and the nodes that can reach the strongly connected components with EG p

CTL Model Checking Algorithm: EG p p p s1 s2 s3 s4 p A strongly connected component p p s2 s3 s4 p p, EG p p, EG p s1 s2 s3 s4 p, EG p

Verification vs. Falsification • Verification: • Show: initial states  truth set of p • Falsification: • Find: a state  initial states  truth set of p • Generate a counter-example starting from that state • CTL model checking algorithm can also generate a counter-example path if the property is not satisfied • without increasing the complexity • The ability to find counter-examples is one of the biggest strengths of the model checkers

Temporal Properties  Fixpoints [Emerson and Clarke 80] Here are some interesting CTL equivalences: AG p = p  AX AG p EG p = p  EX EG p AF p = p  AX AF p EF p = p  EX EF p A(p U q) = q  (p  AX A(p U q)) p EU q = q  (p  EX E(p U q)) Note that we wrote the CTL temporal operators in terms of themselves and EX and AX operators

Functionals • Given a transition system M=(S, L, R), we will define functions (Properties) from sets of states to sets of states • F : 2S  2S • For example, one such function is the EX operator (which computes the precondition of a set of states) • EX : 2S  2S which can be defined as: EX(p) = { s | (s,s’)  R and s’  p } Image calculation

CTL Example • Structure M <S,R,L>: • A Kripke structure: triple M = <S, R, L> • S: set of states R ⊆ S × S: transition relation • L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}

Fixpoint Characterization Equivalences AG p =  y . p  AX y AG p = p  AX AG p EG p =  y . p  EX y EG p = p  EX EG p AF p =  y . p  AX y AF p = p  AX AF p EF p =  y . p  EX y EF p = p  EX EF p A(p U q) =  y . q  (p  AX (y)) p AU q=q  (p  AX (p AU q)) E(pUq) =  y . q  (p  EX (y)) p EU q = q  (p  EX (p EU q)) Fixpoint Characterizations

Functionals • Now, we can think of all temporal operators also as functions from sets of states to sets of states • For example: AX p = EX(p) or if we use the set notation AX p = (S - EX(S - p)) • Logic Set • p  q p  q • p  q p  q • p S – p False  True S

Lattice The set of states of the transition system forms a lattice: • lattice 2S • partial order  • bottom element  • top element S • Least upper bound (lub)  • Greatest lower bound (glb) 

Lattice • (lub): y∈ P is a least upper bound of S in P means y is an upper bound of S and ∀z ∈ P which is an upper bound of S, y ≤ z • (glb) y∈ P is a greatest lower bound of S in P means y is a lower bound of S and ∀z ∈ P which is a lower bound of S, z ≤ y

Temporal Properties  Fixpoints Based on the equivalence EF p = p  EX EF p EF p is a fixpoint of function (F): where F => F y = p  EX y F (EF p) = EF p In fact, EF p is the least fixpoint of F, which is written as: EF p =  y . p  EX y ( means least fixpoint)

EF Fixpoint Computation EF(p)states that can reach p  p EX(p)  EX(EX(p))  ... p • • • EF(p)

Temporal Properties  Fixpoints Based on the equivalence EG p = p  AX EG p EG p is a fixpoint of function (F): where F => F y = p  EX y F (EG p) = EG p In fact, EG p is the greatest fixpoint of F, which is written as: EG p =  y . p  EX y ( means greatest fixpoint)

EG Fixpoint Computation EG(p)  states that can avoid reaching pp EX(p)  EX(EX(p))  ... • • • EG(p)

Least Fixpoint Given a monotonic function F, its least fixpoint is the greatest lower bound (glb) of all the reductive elements :  y . F y =  { y | F y  y } The least fixpoint  y . F y is the limit of the following sequence (assuming F is -continuous): , F , F2 , F3 , ... If S is finite, then we can compute the least fixpoint using the above sequence

EF Fixpoint Computation EF p =  y . p  EX y is the limit of the sequence: , pEX , pEX(pEX ) , pEX(pEX(p EX )) , ... which is equivalent to , p, p  EX p , p  EX (p  EX (p) ) , ...

EF Fixpoint Computation p s1 s2 s3 s4 p Start  1st iteration pEX  = {s1,s4} EX()= {s1,s4}   ={s1,s4} 2nd iteration pEX(pEX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4} 3rd iteration pEX(pEX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4} 4th iteration pEX(pEX(pEX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4}  {s1,s2,s3,s4} = {s1,s2,s3,s4}

EF Fixpoint Computation EF(p)states that can reach p  p EX(p)  EX(EX(p))  ... p • • • EF(p)

Greatest Fixpoint Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements:  y. F y =  { y | F y  y } The greatest fixpoint  y . F y is the limit of the following sequence (assuming F is -continuous): S, F S, F2 S, F3 S, ... If S is finite, then we can compute the greatest fixpoint using the above sequence

EG Fixpoint Computation Similarly, EG p =  y . p  EX y is the limit of the sequence: S, pEX S, pEX(p  EX S) , pEX(p  EX (p  EX S)) , ... which is equivalent to S, p, p  EX p , p  EX (p  EX (p) ) , ...

EG Fixpoint Computation p p s1 s2 s3 s4 p Start S = {s1,s2,s3,s4} 1st iteration pEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4} 2nd iteration pEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4} 3rd iteration pEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}

EG Fixpoint Computation EG(p)  states that can avoid reaching pp EX(p)  EX(EX(p))  ... • • • EG(p)

Example • Structure M <S,R,L>: S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} Check if AG(a ∨ c) holds

Example (cont.) • Remember that: • AG p =  y . p  AX y • AX p = EX(p) • H(a∨c) = H(a) ∪ H(c) ={2,3} ∪ {3,4,5} = {2,3,4,5} • I0  S = {1,2,3,4,5} • I1  {2,3,4,5} ∩ S = {2,3,4,5} ∩ {1,2,3,4,5} = {2,3,4,5} • I2  {2,3,4,5} ∩ AX(2,3,4,5) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} • I3  {2,3,4,5} ∩ AX(2,3,4) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} • I3 = I2  H(AG(a∨c)) = {2,3,4} • To verify that f holds in state s, check if s∈H(f)

Example • For the FSM below, formally check the following properties, using Fixpoint Theorm: • AG(a ∨c ∨b) • AF(ab) • If failed show the subset of the design the property holds for as well as the counter example 1 2 4 3 c a a,b b,c d c 6 S = {1,2,3,4,5,6}, AP = {a,b,c,d}, R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)} L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d} 5

Example (cont.) • Remember that: • H(a∪b) = H(a) ∪ H(b) ∪ H(c) ={1,4} ∪ {2,3,5} ∪ {1,3} = {1,2,3,4,5} • AG(a ∨c ∨b) = AG p =  y . p  AX y =  y . p  AX y • AX p = EX(p) • I0  S = {1,2,3,4,5,6} • I1  {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} • I2  {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5} • This is because that : AX(1,2,3,4,5) =  EX((1,2,3,4,5)) =  EX(6) =  (2) = S- {2 } = {1,3,4,5,6} • I3  {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} • This is because that : AX(1,3,4,5) =  EX((1,3,4,5)) =  EX(2,6) =  (2,6) = S- {2 ,6} = {1,3,4,5} • I3 = I2  H(AG(a∨b ∨ c)) = {1,3,4,5} • The property does not hold, except for the above states, and it is clear that states {2,6} can be considered as counter examples. • state 6 does not contain neither a,c,b and state 2 does not have a proceeding one on one of its pathes path (2,6)

Example (AF(ab)) • Remember that: • H(a  b) = H(a)  H(b) ={1,4}  {1,3}= {1} • AF(a  b) = AG p =  y . p  AX y =  y . p  AX y • AX p = EX(p) • I0  • I1  {1} ∩ AX() = {1} ∩  =  • This is because that : AX() =  EX(()) =  EX(1,2,3,4,5,6) = • The property does not hold for any state.

Model Checking Tools (non-commercial) • SMV (Symbolic Model Verifier) • A tool for checking finite state systems against specifications in the temporal logic CTL. • Developed at Carnegie Mellon University by E. Clarke, K. McMillan et. al. • Supports a simple input language: SMV • For more information: http://www.cs.cmu.edu/~modelcheck/smv.html • Cadence SMV • Updated version of SMV by K. McMillan at Berkeley Cadence Labs • Input languages: extended SMV and synchronous Verilog • Supports temporal logics CTL and LTL, finite automata, embedded assertions, and refinement specifications. • Features compositional reasoning, link with a simple theorem prover, an easy-to-use graphical user interface and source level debugging capabilities • For more information: http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/

Model Checking Tools (commercial) • FormalCheck • Supports the synthesizable subsets of Verilog and VHDL hardware design languages. • User supplies FormalCheck with a set of queries (properties and constraints) • Each property is defined using semantics of the class of omega automata. • Tool provides powerful model reduction options. • For more information: http://www.cadence.com/datasheets/formalcheck.html

Model Checking • Automatic verification (or falsification) of finite state systems • Explicit State Representation ⇒ State Explosion Problem (about 108states maximum) • Breakthrough: Implicit State Representation using ROBDD (about 1020 states). • Use Boolean characteristic functions represented by ROBDDs to encode sets of states and transition relations.

Binary Decision Diagrams • Ordered binary decision diagrams (OBDDs) are a canonical form for Boolean formulas. • OBDDs are often substantially more compact than traditional normal forms. • Moreover, they can be manipulated very efficiently. • Introduced at: • R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.

Binary Decision Trees • A Binary decision tree is a rooted, directed tree with two types of vertices, terminal vertices and nonterminal vertices. • Each nonterminal vertex v is labeled by a variable var(v) and has two successors: • low (v) corresponding to the case where the variable is assigned 0, and high (v) corresponding to the case where the variable is assigned 1. • Each terminal vertex v is labeled by value(v) which is either 0 or 1

Model Checking Basics

Model Checking Basics

Presentation Transcript

Model Checking

Model Checking

Model checking

Regular Model Checking

LTL Model Checking

Checking Basics

Model Checking

Model Checking

Model Checking

Model checking

Model Checking

Model Checking

Model Checking

Model Checking

Cite-Checking Basics

Optimizing CTL Model checking + Model checking TCTL

Model Checking

Model checking

Logic Model Checking

Model Checking Overview

Model Checking

Model checking