# Model Checking - Vasvi Kakkad, University of Sydney


## Slide 2: Introduction

- Most complicated systems routinely built today are difficult to get right
- Failures are costly
- Verification techniques are needed

## Slide 3: Introduction

Formal verification:

- Apply mathematical arguments to prove the correctness of the system
- Aims to find bugs in the system and to correct them

## Slide 4: Formal Verification

- Build a mathematical model of the system
- Write the correctness requirements
- Analysis: check that the model satisfies the specification
- Verification: the analysis either proves or disproves the correctness claim

## Slide 5: Model Checking

Model checking is a technique for the automated correctness verification of safety-critical reactive systems. More generally:

- Algorithmic analysis to check that a model satisfies a specified property
- Checks automatically whether a given formula holds in a given model

## Slide 6: Applications

- Electrical circuits
- Communication protocols
- Digital controllers
- Program analysis, e.g. Java PathFinder

## Slide 7: Motivation

- Software/hardware system: described in a specification language
- Requirements: expressed in temporal logic
- State space generated from the specification
- The algorithm returns yes if the property holds for the model, and no plus a counterexample otherwise

## Slide 8: Process of Model Checking

Three steps:

1. Modeling
2. Specification
3. Verification

## Slide 9: Step 1: Modeling

## Slide 10: Modeling

- Convert the system into a formalism: finite automata
- Limitations on time and space: use abstraction
- Model a system using a Kripke structure (state transition graph)

## Slide 11: Kripke Structure

A structure over a set AP of atomic propositions, M = (S, S0, R, L), where:

- S is a finite set of states
- S0 ⊆ S is the set of initial states
- R ⊆ S × S is the transition relation
- L : S → 2^AP is the labelling function, which labels each state with the set of atomic propositions true in that state

## Slide 12: Example: Micro-oven Cooking

Modeling with a Kripke structure M = (S, S0, R, L):

- S = {S1, S2, S3, S4}
- S0 = {S1} (initial state)
- R = {(S1, S2), (S2, S1), (S1, S4), (S4, S2), (S2, S3), (S3, S3), (S3, S2)}
- L(S1) = {¬close, ¬start, ¬cooking}
- L(S2) = {close, ¬start, ¬cooking}
- L(S3) = {close, start, cooking}
- L(S4) = {¬close, start, ¬cooking}

## Slide 13: Graph of Kripke Structure

[figure: state transition graph of the Kripke structure from slide 12]

## Slide 14: Step 2: Specification

## Slide 15: Specification

- Specification: the property which the model needs to satisfy
- Can be described in temporal logic
- Temporal logic comes in two forms: LTL (Linear Temporal Logic) and CTL (Computation Tree Logic)

## Slide 16: Comparison: LTL vs CTL

| LTL | CTL |
|---|---|
| Checks temporal operators along a single path | Branching-time logic |
| Counterexamples are easy | Temporal operators must be preceded by path quantifiers |
| Nice automata-theoretic algorithm | More efficient |
| Analysing data-flow problems in imperative languages | Amenable to symbolic techniques |
| | Analysing reactive systems |

## Slide 17: Operators for Temporal Logic

| Basic temporal operators | Path quantifiers |
|---|---|
| X – next state | A – always / on all paths |
| F – in the future | E – there exists a path |
| G – globally | |
| U – until | |

## Slide 18: Temporal Operators

Temporal operators: G p, F p, X p, p U q

## Slide 19: CTL

A CTL operator is a path quantifier followed by a temporal operator.

- Universal formulas: AX f, A(f U g), AG f, AF f
- Existential formulas: EX f, E(f U g), EG f, EF f

## Slide 20: Temporal Properties

| | Universal | Existential |
|---|---|---|
| Safety | AG p | EG p |
| Liveness | AF p | EF p |

- Safety: something bad never happens
- Liveness: something good eventually happens

## Slide 21: Example: Micro-oven Cooking

Specification with CTL:

- AG (start → AF cooking)
- AG ((close ∧ start) → AF cooking)

## Slide 22: Step 3: Verification

## Slide 23: Verification

[figure: the two inputs of model checking, a temporal logic formula and a finite state model]

## Slide 24: Verification

[figure: the temporal logic formula and the finite state model are fed to the model checker]

## Slide 25: Verification

[figure: the model checker takes the temporal logic formula and the finite state model and outputs either OK or a counterexample]

## Slide 26: Example: Micro-oven Cooking

Check AG (start → AF cooking).

Convert to negation normal form, using only existential operators: ¬EF (start ∧ EG ¬cooking).

- S(start) = {S3, S4}
- S(¬cooking) = {S1, S2, S4}
- S(EG ¬cooking) = {S1, S2, S4}
- S(start ∧ EG ¬cooking) = {S4}
- S(EF (start ∧ EG ¬cooking)) = {S1, S2, S3, S4}
- S(¬EF (start ∧ EG ¬cooking)) = {}

The final set is empty, so the formula holds in no state of the model, and in particular not in the initial state S1.
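The sets computed on slide 26 are the fixed-point iterations of explicit-state CTL model checking over the Kripke structure of slide 12. The following Python program is an added example, not code from the presentation: it encodes that structure, computes S(f) for each CTL operator (EG as a greatest fixed point, EU as a least fixed point, the A-operators by duality), checks both specifications from slide 21 against the initial state, and extracts the path a model checker would report as the counterexample. The tuple encoding of formulas and the names `Kripke`, `sat`, `holds` and `counterexample` are this example's own choices, not the presentation's.

```python
"""Explicit-state CTL model checking by fixed-point set computations (added example)."""
from collections import deque


class Kripke:
    """M = (S, S0, R, L); labels list only the propositions true in a state."""

    def __init__(self, states, init, transitions, labels):
        self.S = set(states)
        self.S0 = set(init)
        self.R = set(transitions)
        self.L = {s: set(props) for s, props in labels.items()}

    def pre(self, Z):
        """States with at least one R-successor in Z (one EX step backwards)."""
        return {s for (s, t) in self.R if t in Z}


# Micro-oven Kripke structure from slide 12 (S4: door open and start pressed).
OVEN = Kripke(
    states=["S1", "S2", "S3", "S4"],
    init=["S1"],
    transitions=[("S1", "S2"), ("S2", "S1"), ("S1", "S4"), ("S4", "S2"),
                 ("S2", "S3"), ("S3", "S3"), ("S3", "S2")],
    labels={"S1": [], "S2": ["close"], "S3": ["close", "start", "cooking"],
            "S4": ["start"]},
)


def sat(M, f):
    """Set of states of M in which the CTL formula f holds.

    Formulas are nested tuples: ("ap", p), ("true",), ("not", f), ("and", f, g),
    ("or", f, g), ("implies", f, g), ("EX", f), ("EG", f), ("EU", f, g),
    ("EF", f), ("AX", f), ("AG", f), ("AF", f).
    """
    op = f[0]
    if op == "true":
        return set(M.S)
    if op == "ap":
        return {s for s in M.S if f[1] in M.L[s]}
    if op == "not":
        return M.S - sat(M, f[1])
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "or":
        return sat(M, f[1]) | sat(M, f[2])
    if op == "implies":
        return (M.S - sat(M, f[1])) | sat(M, f[2])
    if op == "EX":
        return M.pre(sat(M, f[1]))
    if op == "EG":
        # Greatest fixed point: keep the f-states that have a successor still inside.
        Z = sat(M, f[1])
        while True:
            Z_next = Z & M.pre(Z)
            if Z_next == Z:
                return Z
            Z = Z_next
    if op == "EU":
        # Least fixed point: start from the g-states and add f-states that reach them.
        P, Q = sat(M, f[1]), sat(M, f[2])
        Z = set(Q)
        while True:
            Z_next = Z | (P & M.pre(Z))
            if Z_next == Z:
                return Z
            Z = Z_next
    if op == "EF":
        return sat(M, ("EU", ("true",), f[1]))
    # Universal operators via the dualities AX = not EX not, AG = not EF not, AF = not EG not.
    if op == "AX":
        return sat(M, ("not", ("EX", ("not", f[1]))))
    if op == "AG":
        return sat(M, ("not", ("EF", ("not", f[1]))))
    if op == "AF":
        return sat(M, ("not", ("EG", ("not", f[1]))))
    raise ValueError(f"unknown operator {op!r}")


def holds(M, f):
    """The model satisfies f when every initial state satisfies f."""
    return M.S0 <= sat(M, f)


def counterexample(M, f):
    """For a failed AG g: shortest path from an initial state to a state violating g."""
    assert f[0] == "AG"
    bad = sat(M, ("not", f[1]))
    parent = {s: None for s in M.S0}
    queue = deque(sorted(M.S0))
    while queue:                     # breadth-first search over R
        s = queue.popleft()
        if s in bad:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for (u, t) in sorted(M.R):
            if u == s and t not in parent:
                parent[t] = s
                queue.append(t)
    return None


if __name__ == "__main__":
    start, cooking = ("ap", "start"), ("ap", "cooking")
    spec = ("AG", ("implies", start, ("AF", cooking)))
    print(sorted(sat(OVEN, ("EG", ("not", cooking)))))    # ['S1', 'S2', 'S4']
    print(holds(OVEN, spec), counterexample(OVEN, spec))  # False ['S1', 'S4']
```

The first specification fails because from S1 the door can be left open while start is pressed (S1 to S4), after which the oven can cycle between S2 and S1 forever without ever cooking; the second specification, which requires the door to be closed, is satisfied in every state.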

## Slide 27: Graph of Kripke Structure

[figure: state transition graph of the Kripke structure from slide 12, repeated for the verification example]

## Slide 28: Problem with LTL Model Checking

- State space explosion problem
- The number of states typically grows exponentially in the number of processes

## Slide 29: Major Techniques

- Based on symbolic structures
- Based on automata theory
- Other models and alternative methods

## Slide 30: Symbolic Model Checking

Symbolic model checking uses Binary Decision Diagrams (BDDs) to represent the model as sets of states.

BDD:

- Data structure for representing a Boolean function
- Often concise in memory
- Canonical representation
- Boolean operations can be done in time polynomial in the BDD size

## Slide 31: BDD in Model Checking

Every set A can be represented by its characteristic function

$$f_A(u) = \begin{cases} 1 & \text{if } u \in A \\ 0 & \text{if } u \notin A \end{cases}$$

If the elements of A are encoded by sequences over {0,1}^n, then f_A is a Boolean function and can be represented by a BDD.

## Slide 32: BDD for f(a, b, c) = (a  b)  c

[figure: the decision tree for f over the variables a, b, c, and the reduced BDD of the same function]
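To make the BDD properties of slides 30 to 32 concrete (canonical form, Boolean operations on the graph, a set represented by its characteristic function f_A), here is a small reduced ordered BDD implementation added as an example; it is not code from the presentation. The unique table and Bryant's Apply algorithm are standard; the function (a ∧ b) ∨ c, the variable order a < b < c, and all names are assumptions made here for illustration. Building the BDD once from the formula and once from the set of satisfying assignments yields the identical node, which is the canonicity that symbolic model checking relies on.

```python
"""Reduced ordered BDDs as canonical representations of Boolean functions / sets (added example)."""


class BDD:
    """Terminals are the ints 0 and 1; an internal node is a (var, low, high) tuple
    interned in the unique table, so structurally equal sub-graphs are one node."""

    def __init__(self, order):
        self.vars = list(order)                        # variable order, e.g. a < b < c
        self.rank = {v: i for i, v in enumerate(order)}
        self.unique = {}                               # unique table: (var, low, high) -> node

    def node(self, var, low, high):
        if low == high:                                # redundant test: skip the node
            return low
        key = (var, low, high)
        return self.unique.setdefault(key, key)

    def var(self, v):
        return self.node(v, 0, 1)

    def apply(self, op, f, g):
        """Combine two BDDs with a Boolean operator on terminals (Bryant's Apply)."""
        memo = {}

        def top(n):
            return None if isinstance(n, int) else n[0]

        def rec(f, g):
            if isinstance(f, int) and isinstance(g, int):
                return op(f, g)
            if (f, g) in memo:
                return memo[(f, g)]
            fv, gv = top(f), top(g)
            # Split on whichever top variable comes first in the order.
            if gv is None or (fv is not None and self.rank[fv] <= self.rank[gv]):
                v = fv
            else:
                v = gv
            f0, f1 = (f[1], f[2]) if fv == v else (f, f)
            g0, g1 = (g[1], g[2]) if gv == v else (g, g)
            memo[(f, g)] = self.node(v, rec(f0, g0), rec(f1, g1))
            return memo[(f, g)]

        return rec(f, g)

    def AND(self, f, g):
        return self.apply(lambda x, y: x & y, f, g)

    def OR(self, f, g):
        return self.apply(lambda x, y: x | y, f, g)

    def NOT(self, f):
        return self.apply(lambda x, y: x ^ y, f, 1)

    def evaluate(self, f, assignment):
        """Follow low/high edges under an assignment; for a set this is f_A(u)."""
        while not isinstance(f, int):
            f = f[2] if assignment[f[0]] else f[1]
        return f

    def from_set(self, A):
        """Characteristic function f_A of a set A of bit vectors over {0,1}^n:
        the OR over all elements of the cube (minterm) that matches that element."""
        result = 0
        for u in A:
            cube = 1
            for v, bit in zip(self.vars, u):
                cube = self.AND(cube, self.var(v) if bit else self.NOT(self.var(v)))
            result = self.OR(result, cube)
        return result

    def size(self, f):
        """Number of internal nodes (the full decision tree needs 2^n - 1)."""
        seen = set()

        def walk(n):
            if not isinstance(n, int) and n not in seen:
                seen.add(n)
                walk(n[1])
                walk(n[2])

        walk(f)
        return len(seen)


# Constructed sample: the five assignments (a, b, c) for which (a and b) or c is 1.
SAT_SET = {(0, 0, 1), (0, 1, 1), (1, 0, 1), (1, 1, 0), (1, 1, 1)}


def build_from_formula(bdd):
    a, b, c = bdd.var("a"), bdd.var("b"), bdd.var("c")
    return bdd.OR(bdd.AND(a, b), c)


def build_from_set(bdd):
    return bdd.from_set(SAT_SET)


if __name__ == "__main__":
    bdd = BDD(["a", "b", "c"])
    f, g = build_from_formula(bdd), build_from_set(bdd)
    print(f == g, bdd.size(f))  # True 3: one canonical BDD with 3 nodes, not 7
```

Membership in the set is a walk from the root to a terminal, so a set of states, a transition relation, or a pre-image is handled as a graph operation whose cost depends on the BDD size rather than on the number of states, which is what lets symbolic model checking cope with the state space explosion of slide 28.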

## Slide 33: Summary

- Model checking: an automated verification technique
- Hardware/software model: Kripke structure
- Specification: temporal logic (LTL, CTL)
- Verification: the model checking algorithm
- State space explosion problem
- Solution: symbolic model checking with BDDs

## Slide 34: Thank You...