Presentation is loading. Please wait.

Presentation is loading. Please wait.

SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

Published byLucinda Williams Modified over 9 years ago

Similar presentations

Presentation on theme: "SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam."— Presentation transcript:

1 SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam

2  Motivation  Definitions  Symbolic Model Checking  Contribution  Mu-Calculus Encoding  Binary Decision Diagram Representation  Model Checking Algorithm  CTL Model Checking  Empirical Results  Summary  Future Work OUTLINE

3  Many different methods for automatically verifying finite state systems  LTL  CTL  All rely on algorithms that explicitly represent a state space, using a list or table that grows in proportion to the number of states  Number of states in the model grow exponentially with the number of concurrently executing components  The size of the state table is the limiting factor in applying these algorithms to realistic systems MOTIVATION

4  This “state explosion problem” can not be handled by the state enumeration methods  Explicit state enumeration methods are limited to systems with at most 10 8 reachable states  Can be eliminated by representing the state space symbolically instead of explicitly  This technique verifies models with more than 10 20 states ! MOTIVATION

5  Relational variable  a predicate or a function  Abstraction operator  λ: used in lambda calculus  f(x 1, x 2 ) is written as λ x1, x2 [f]  Relational term  f is a formula and y i are individual variables  R is relational term and P is a relational variable with arity n  Fixed point of function f  An element x such that f(x) = x DEFINITIONS

6  Least fixed point is the least element that is a fixed point. y is lfp of f in S iff (f(y) = y) ∧ (∀x S. (f(x) = x) ⇒ (y ⊆ x))  Greatest fixed point is the greatest element that is a fixed point. y is gfp of f in S iff (f(y) = y) ∧ (∀x S. (f(x) = x) ⇒ (x ⊆ y))  Fixed point operators  μ and ν are the lfp and gfp operators used in mu-calculus  Monotone function  A function f is monotone iff for all P ⊆ S and Q ⊆ S, P ⊆ Q ⇒ f(P) ⊆ f(Q) DEFINITIONS

7  Variable Interpretation  Individual I P : for each individual variable y, I P (y) is a value in domain D  Relational I R : for each n-ary relational variable P, I R (P) is an n-ary relation in domain D  Substitution of Variables  The substitution of a variable w for a variable v in a formula f, denoted f(v ← w) f ⇒ ∃ v [(v ⇔ w) ∧ f] DEFINITIONS

8  In explicit state model checking, we represent the Kripke structure as a graph and implement the model checking algorithm as graph traversal.  2 main steps:  Encode Model Domain: Describe sets of states as propositional logic formulae instead of enumeration: Mu-Calculus S = {1, 2, 3, 4, 5} = {x | 1 ≤ x ≤ 5}  Compact Representation: Represent those logical formulae/boolean functions using efficient means of manipulating boolean functions: Binary Decision Diagrams SYMBOLIC MODEL CHECKING

9  Provides a generalized symbolic model checking method by using a dialect of the Mu-Calculus as the primary specification language  Describes a model checking algorithm for Mu- Calculus formulas that uses BDD to represent relations and formulas  Shows how Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL, LTL model checking  Discusses how it can be used to verify a simple synchronous pipeline circuit CONTRIBUTIONS

10  Syntax:  In this formula, R can be a Relational variable or a Relational term of the following two forms:  Second one represents the least fixed point of R where R be formally monotone with P MU-CALCULUS

11  Example: MU-CALCULUS

12  Formal Definition:  given a finite signature  each symbol in is either an Individual variable or a Relational variable with some positive arity.  recursively define two syntactic categories: formulas and relational terms.  Formula: MU-CALCULUS

13  Relational term:  ∀, ∧, ⇒, and ⇔ are treated as abbreviations in the usual manner  ¬R is an abbreviation for  R ∨ R’ is an abbreviation for MU-CALCULUS

14  Model M = (D, I R, I D ), where D is the domain  Semantic function MU-CALCULUS

15 MU-CALCULUS

16  Widely used in various tools for the design and analysis of digital circuits  Canonical form representation for Boolean formulas  Similar to binary decision tree  Allows many practical systems with extremely large state spaces to be verified-which are impossible to handle with explicit state enumeration methods BINARY DECISION DIAGRAM

17  DAG  Occurrence of variables is ordered from root to a leaf.  Example:  Formula: (a ∧ b) ∨ (c ∧ d)  Ordering: a < b < c < d  (a ←1, b ← 0, c ← 1, d ← 1) leads to a leaf node labeled 1 BINARY DECISION DIAGRAM

18  For the Mu-Calculus that uses BDDs as its internal representation  BDDATOM(f) returns BDD iff f = 1  Last case substitutes x i by dummy d i  FixedPoint() is the standard technique MODEL CHECKING ALGORITHM

19  CTL formula f is true of Kripke structure M= (A, S, L, N, S O ) ⇔ Mu-Calculus formula f' is true of a structure M’ = (S, I R, I D )  If CTL formula f is an abbreviation for the Mu- Calculus relational term R, then f is true at state s iff R(s) is true  If f has no temporal operators, then it represents the relational term R CTL MODEL CHECKING

20  EX f = λ S [ ∃ t [ f(t) ∧ N(s, t) ] ]  EG f = f ∧ EX EG f = νQ [ f ∧ EX Q ] = νQ [ λ S [ f(s) ∧ ∃ t [ Q(t) ∧ N(s, t) ] ]  E [ f ∪ g ] = g ∨ (f ∧ EX E[f ∪ g]) = μQ [g ∨ (f ∧ EX Q]] = μQ [λ S [g(s) ∨ (f(s) ∧ ∃ t [Q(t) ∧ N(s, t)]] CTL MODEL CHECKING

21  Performs three-address logical and arithmetic operations on a register  3 Pipeline stages:  Operand read from the register file  ALU (Arithmetic Logic Unit) operation  Write back to register EMPIRICAL RESULTS

22  Pipeline with 12 bits has approximately 1.5 x 1O 29 reachable states  The number of nodes in BDD is asymptotically linear in the number of bits, not exponential  The verification time is polynomial in the number of bits EMPIRICAL RESULTS

23  Suitable encoding of the model domain and compact representation for relations, the complexity of various graph-based verification algorithms is reduced  Regular structure of the data path logic captured by the BDD representation results in a linear space complexity in the number of circuit components rather than exponential SUMMARY

24  Characterization of the models for which the BDD Mu-Calculus checker is efficient  Applicability of developed technique in common graph algorithms whose results can be expressed as relations, such as minimum spanning trees, graph isomorphism etc. FUTURE WORKS

Download ppt "SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.

CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
CS357: CTL Model Checking (combined notes from lectures 11/5 and 11/7) David Dill 1.

CS357: CTL Model Checking (combined notes from lectures 11/5 and 11/7) David Dill 1.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Similar presentations

Ads by Google