
MCAI 2.0: Model Checking in Ten Minutes. Edmund Clarke, School of Computer Science, Carnegie Mellon University.


Slide 2: Temporal Logic Model Checking
- Model checking is an automatic verification technique for finite state concurrent systems.
- Developed independently by Clarke and Emerson and by Queille and Sifakis in the early 1980s.
- Specifications are written in propositional temporal logic (Pnueli 77).
- The verification procedure is an intelligent exhaustive search of the state space of the design.

Slide 3: Model Checking
The Model Checking Problem (Clarke and Emerson 81):
- Let M be a state-transition graph.
- Let f be a formula of temporal logic; e.g., a U b means "a holds true Until b becomes true".
- Does f hold along all paths that start at the initial state of M?
[Diagram: a Preprocessor turns the design into a representation of M; the Model Checker takes that representation together with the formula f and answers True or produces a Counterexample. A path whose states are labelled a, a, a, a, b illustrates a U b.]

Slide 4: Advantages of Model Checking
- No proofs! (algorithmic, not deductive)
- Fast (compared to other rigorous methods)
- No problem with partial specifications
- Diagnostic counterexamples
[Figure: Safety Property: bad state unreachable from the Initial State.]

Slide 5: Advantages of Model Checking (continued)
Same bullets as slide 4. [Figure: the same safety property, now with a Counterexample: a path from the Initial State to the bad state.]
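As an added example, not from the slides: the exhaustive state-space search of slide 2 and the diagnostic counterexample of slides 4 and 5, applied to the safety property "a state with both processes in the critical section is unreachable" on a constructed two-process protocol in which the test "other process not in crit" and the entry into crit are separate steps (the protocol, state names and function names are all constructed for this example).

```python
from collections import deque

# Constructed example, not from the slides: a two-process critical-section
# protocol in which the test "other not in crit" and the entry into crit are
# separate steps, so interleaving can break mutual exclusion.
INITIAL = ("idle", "idle")

def successors(state):
    """Interleaving semantics: exactly one process moves per transition."""
    out = []
    for i in range(2):
        me, other = state[i], state[1 - i]
        if me == "want" and other == "crit":
            continue                        # busy-wait: no move for this process
        nxt = {"idle": "want", "want": "ok", "ok": "crit", "crit": "idle"}[me]
        s = list(state)
        s[i] = nxt
        out.append(tuple(s))
    return out

def violates_mutex(state):
    return state == ("crit", "crit")

def check_safety(initial, successors, bad):
    """Exhaustive BFS over the reachable state space. Returns (None, n) when no
    bad state is reachable, else (counterexample_trace, n); n = states explored."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if bad(s):
            trace = []
            while s is not None:            # walk parent links back to INITIAL
                trace.append(s)
                s = parent[s]
            return trace[::-1], len(parent)
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None, len(parent)

if __name__ == "__main__":
    trace, n = check_safety(INITIAL, successors, violates_mutex)
    print(f"explored {n} states")
    print("property holds" if trace is None else "counterexample:")
    for s in trace or []:
        print("  ", s)
```

The BFS finds the shortest violating run: both processes pass the test before either enters, which is exactly the diagnostic a tester would need to reproduce the race.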

Slide 6: Many Industrial Successes
- Try 4195835 – 4195835 / 3145727 * 3145727. On the '94 Pentium it doesn't return 0, but 256.
- Intel uses the SRT algorithm for floating point division. Five entries in the lookup table are missing.
- Cost: $500 million.
- Xudong Zhao's Thesis on Word Level Model Checking.

Slide 7: The State Explosion Problem
[Figure: System Description to State Transition Graph.]
Combinatorial explosion of system states renders explicit model construction infeasible.
Exponential growth of the global state space in the number of concurrent components, and of memory states in memory size.
Feasibility of model checking is inherently tied to handling state explosion.

Slide 8: CEGAR, CounterExample-Guided Abstraction Refinement
[Diagram of the loop:]
1. Initial abstraction: build an abstract model from the C program.
2. Verification: run the model checker on the abstract model. If the property holds: no error or bug found.
3. Otherwise the model checker returns a counterexample, which the simulator replays on the C program. If the simulation is successful: bug found.
4. Otherwise the counterexample is spurious: abstraction refinement produces a refined abstract model, and the loop returns to verification.

Slide 9: Combating the State Explosion
- Binary Decision Diagrams can be used to represent state transition systems more efficiently.
- Symbolic Model Checking, 1992.
- Semantic techniques for alleviating state explosion:
  – Partial Order Reduction.
  – Abstraction.
  – Compositional reasoning.
  – Symmetry.
  – Cone of influence reduction.
  – Semantic minimization.

Slide 10: Model Checking since 1981
- 1981: CTL Model Checking (Clarke / Emerson; Sifakis / Queille)
- 1982: EMC: Explicit Model Checker (Clarke, Emerson, Sistla)
- 1990: Symbolic Model Checking (Burch, Clarke, Dill, McMillan)
- 1992: SMV: Symbolic Model Verifier (McMillan)
- 1998: Bounded Model Checking using SAT (Biere, Clarke, Zhu)
- 2000: Counterexample-guided Abstraction Refinement (Clarke, Grumberg, Jha, Lu, Veith)
[Figure: axis ticks 10^5, 10^100, 10^1000 states.]
1990s: Formal Hardware Verification in Industry: Intel, IBM, Motorola, etc.

Slide 11: Model Checking since 1981 (continued)
Same timeline as slide 10, with the tools CBMC and MAGIC added.

Slide 12: Grand Challenge: Model Check Software!
What makes Software Model Checking different?

Slide 13: What Makes Software Model Checking Different?
- Large/unbounded base types: int, float, string
- User-defined types/classes
- Pointers/aliasing + unbounded numbers of heap-allocated cells
- Procedure calls/recursion/calls through pointers/dynamic method lookup/overloading
- Concurrency + unbounded numbers of threads

Slide 14: What Makes Software Model Checking Different? (continued)
- Templates/generics/include files
- Interrupts/exceptions/callbacks
- Use of secondary storage: files, databases
- Absent source code for: libraries, system calls, mobile code
- Esoteric features: continuations, self-modifying code
- Size (e.g., MS Word = 1.4 MLOC)

Slide 15: Software Example: Device Driver Code
Also according to Wired News: "Microsoft has developed a tool called Static Device Verifier or SDV, that uses 'Model Checking' to analyze the source code for Windows drivers and see if the code that the programmer wrote matches a mathematical model of what a Windows device driver should do. If the driver doesn't match the model, the SDV warns that the driver might contain a bug."

Slide 16: Aerospace Systems: Software Driven!
[Figure: Mars Polar Lander (1999), landing-logic error, mission loss; Spirit Mars Rover (2004), file-system error; Airbus A380 Flight Deck.]
Do you trust flight software?

Slide 17: Embedded Systems Need MCAI 2.0
- Scalability: each new Mars mission employs more software than all previous Mars missions together.
- Often no models, only code: software written in C, sometimes without the help of formal models.
- MCAI 2.0 can be used to extract abstract models from source code, analyze generated models, drive C-code testers, ...
