1 Introduction to Model Checking
Ken McMillan, Cadence Berkeley Labs


2 Outline
• Model checking
  – Temporal logic
  – Model checking algorithms
  – Expressiveness and complexity
• Symbolic model checking
  – The state explosion problem
  – Binary Decision Diagrams
  – Computing fixed points with BDDs
  – Application

3 Propositional Linear Temporal Logic
• Express properties of Reactive Systems
  – interactive, nonterminating
• For PLTL, a model is an infinite state sequence
• Temporal operators
  – Globally: G p at t iff p for all t' ≥ t.
[Figure: timeline for G p, with p in every state]

4 Temporal operators...
  – Future: F p at t iff p for some t' ≥ t.
  – Until: p U q at t iff
      – q for some t' ≥ t and
      – p in the range [t, t')
  – Next-time: X p at t iff p at t+1
[Figures: timelines for F p and p U q]

5 Examples
• Liveness: if input, then eventually output
    G (input → F output)
• Strong fairness: infinitely send implies infinitely recv.
    GF send → GF recv
• Weak until: no output before input
    ¬output W input
Annotations: input and output are atomic props; GF reads "infinitely often"; p W q ≡ p U q ∨ G p

6 Safety v. Liveness
• Safety
  – Refutable by finite run
• Liveness
  – Refutable only by infinite run
  – Every finite run extensible to satisfying run

7 PLTL semantics
• Given an infinite sequence
  – if is true in state s_i of.
  – if is true in state s_0 of.
  – if is valid.
• A formula is an atomic proposition, or...
    true, p q, p, p U q, X p

8 PLTL semantics...
• Definition of satisfaction iff
Derived operators...

9 Model Checking (Clarke/Emerson, Queille/Sifakis)
[Figure: the model checking algorithm (MC) takes a temporal formula, e.g. G(p -> F q), and a finite-state model, and answers yes, or no with a counterexample]
Model must now represent all behaviors

10 Kripke models
• A Kripke model (S,R,L) consists of
  – set of states S
  – set of transitions R ⊆ S × S
  – labeling L ⊆ S × AP
• Kripke models from programs
    repeat
      p := true;
      p := false;
    end
  [Figure: Kripke model of this program]

11 Mutual exclusion example
[Figure: state graph with states (N1,N2,turn=0), (T1,N2,turn=1), (T1,T2,turn=1), (C1,N2,turn=1), (C1,T2,turn=1), (N1,T2,turn=2), (T1,T2,turn=2), (N1,C2,turn=2), (T1,C2,turn=2)]
N = noncritical, T = trying, C = critical

12 PLTL on Kripke models
• A path in model M = (S,R,L) is a sequence such that (s_i, s_{i+1}) ∈ R.
[Figure: path s0, s1, s2, s3, ... illustrating F p]

13 Branching time
• Model of time is a tree, not a sequence
• Path quantifiers
[Figure: computation tree for AF p]

14 Computation Tree Logic
• Every operator F, G, X, U preceded by A or E
• Universal modalities...
[Figures: computation trees for AG p and AF p]

15 CTL, cont...
• Existential modalities
[Figures: computation trees for EG p and EF p]

16 CTL, cont
• Other modalities
    AX p, EX p, A(p U q), E(p U q)
• Some dualities...
• Examples: mutual exclusion specs...
    AG ¬(C1 ∧ C2)      mutual exclusion
    AG (T1 → AF C1)    liveness
    AG (N1 → EX T1)    non-blocking

17 CTL model checking
• Model checking problem:
  – Determine for given M, s0 and f, whether M, s0 ⊨ f
• Simple algorithm:
  – Inductive over structure of formula
  – Backward propagation of formula labels
  – O(f · V · (V + E))

18 Example
[Figure: the mutual exclusion state graph, states (N1,N2,turn=0), (T1,N2,turn=1), (T1,T2,turn=1), (C1,N2,turn=1), (C1,T2,turn=1), (N1,T2,turn=2), (T1,T2,turn=2), (N1,C2,turn=2), (T1,C2,turn=2)]
AG (T1 → AF C1)

19 CES algorithm
• Need only modalities EX, EU, EG.
  – e.g.,
  – Checking E(p U q) by backward BFS
  – Checking EG p
[Figures: backward BFS from q through p states for E(p U q); SCC of p states for EG p]
Complexity = O(f (V + E))

20 CTL*
• Contains both CTL and LTL
  – path formulas p U q, G p, Fp, Xp, p, p q
  – state formulas A p, E p
  p in LTL = A p in CTL*
• Framework for comparing expressiveness
  – Existential properties not expressible in PLTL
      e.g., AG EF p
  – Fairness assumptions not expressible in CTL
      e.g., A (GF p → GF q)

21 Model checking complexities
  CTL            O(f (V+E))
  CTL* = PLTL    O(2^f (V+E))    PSPACE COMPLETE
Note: all are linear in model size

22 Comparing CTL and LTL
• Think of CTL formulas as approximations to LTL
  – AG EF p is weaker than G F p (Good for finding bugs...)
  – AF AG p is stronger than F G p (Good for verifying...)
• CTL formulas easier to verify
So, use CTL when it applies...

23 Symbolic model checking
• State explosion problem
  – State graph exponential in program size
• Symbolic model checking approach
  – Boolean formulas represent sets and relations
  – Use fixed point characterizations of CTL operators
  – Model checking without building state graph
Sometimes can handle much larger state space

24 Binary Decision Diagrams (Bryant)
• Ordered decision tree for f = ab + cd
[Figure: full decision tree with levels a, b, c, d]

25 OBDD reduction
• Reduced (OBDD) form:
[Figure: reduced diagram over a, b, c, d with terminals 0 and 1]
Key idea: combine equivalent sub-cases

26 OBDD properties
• Canonical form (for fixed order)
  – direct comparison
• Efficient apply algorithm
  – build BDDs for large circuits
  [Figure: apply combines f and g into fg in O(|f| |g|)]
• Variable order strongly affects size

27 Boolean quantification
• If v is a boolean variable, then
    ∃v.f = f|v=0 ∨ f|v=1
• Multivariate quantification
    ∃(w1,w2,…,wn). f
• Complexity on BDD representation
  – worst case exponential
  – heuristically efficient
Example: ∃(b,c). (ab ∨ cd) = a ∨ d
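
The reduction, canonical-form, variable-order and quantification points of slides 24 to 27, as an added example that is not part of the presentation: a small reduced ordered BDD built for f = ab + cd under two variable orders, then quantified over b and c. The class and method names (`BDD`, `mk`, `build`, `restrict`, `disj`, `exists`, `demo`) and the second order a, c, b, d are choices made for this example.

```python
class BDD:                                    # nodes are ints; 0 and 1 are the terminals
    def __init__(self, order):
        self.order, self.level = order, {v: i for i, v in enumerate(order)}
        self.nodes, self.unique = {}, {}      # id -> (var, low, high), and its inverse

    def mk(self, var, low, high):
        if low == high:                       # redundant test: skip the node
            return low
        key = (var, low, high)
        if key not in self.unique:            # equivalent sub-cases share one node
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, f, env=(), i=0):          # Shannon expansion (exponential: demo only)
        if i == len(self.order):
            return int(bool(f(dict(env))))
        v = self.order[i]
        lo, hi = (self.build(f, env + ((v, b),), i + 1) for b in (0, 1))
        return self.mk(v, lo, hi)

    def restrict(self, u, var, val):          # cofactor f|var=val
        if u < 2:
            return u
        v, lo, hi = self.nodes[u]
        if v == var:
            return hi if val else lo
        return self.mk(v, self.restrict(lo, var, val), self.restrict(hi, var, val))

    def disj(self, u, w):                     # the apply algorithm, specialised to OR
        if u == w or min(u, w) < 2:           # terminal cases: f|f = f, f|0 = f, f|1 = 1
            return 1 if 1 in (u, w) else max(u, w)
        (vu, lu, hu), (vw, lw, hw) = self.nodes[u], self.nodes[w]
        v = vu if self.level[vu] <= self.level[vw] else vw
        ul, uh = (lu, hu) if vu == v else (u, u)
        wl, wh = (lw, hw) if vw == v else (w, w)
        return self.mk(v, self.disj(ul, wl), self.disj(uh, wh))

    def exists(self, u, variables):           # ∃v.f = f|v=0 ∨ f|v=1, variable by variable
        for v in variables:
            u = self.disj(self.restrict(u, v, 0), self.restrict(u, v, 1))
        return u

def demo(f=lambda e: (e["a"] and e["b"]) or (e["c"] and e["d"])):   # f = ab + cd
    m, m2 = BDD("abcd"), BDD("acbd")
    root, _ = m.build(f), m2.build(f)
    sizes = (len(m.nodes), len(m2.nodes))     # every node so far belongs to f
    return sizes, m.exists(root, "bc") == m.build(lambda e: e["a"] or e["d"])
```

Because the form is canonical, the last line checks ∃(b,c). (ab ∨ cd) = a ∨ d by comparing two node ids.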

28 Characterizing sets
• Let M = (S,R,L) be a Kripke model
• Let S be the set of boolean vectors (v1,v2,…,vn) ∈ {0,1}^n
  Represent any P ⊆ S by its characteristic function P
    P = {(v1,v2,…,vn) : P}
• Set operations
  – ∅ = false, S = true
  – P ∪ Q = P ∨ Q, P ∩ Q = P ∧ Q
  – S \ P = ¬P

29 Characterizing relations
• Transition relation R is a set of state pairs…
    R = {((v1,v2,…,vn), (v1',v2',…,vn')) : R}
• Examples
  – A synchronous sequential circuit
      R = (v 0 = v 0 ) (v 1 = v 0 v 1 )
    [Figure: circuit with state bits v0 and v1]

30 Transition relations, cont...
  – An asynchronous circuit
    [Figure: circuit with signals s, r, q]
  – Interleaving model
  – Simultaneous model

31 Forward and reverse image
• Forward image
[Figure: set P mapped through R to Image(P,R)]

32 Images, cont...
• Reverse image
    Image^-1(P,R) = EX P
[Figure: set P mapped backwards through R]

33 Symbolic CTL model checking
• Equate a formula f with the set of states satisfying it…
• Compute BDDs for characteristic functions…
  – ¬p, p ∧ q, p ∨ q (use BDD ops)
  – EX p = Image^-1(p,R)
  – AX p = ¬EX ¬p
• Remaining operators have fixed-point characterization...
In fact, this is the least fixed point...

34 Fixed points of monotonic functions
Let be a function S S
Say is monotonic when
Fixed point of is y such that
If monotonic, then it has
  – least fixed point y. (y)
  – greatest fixed point y. (y)

35 Iteratively computing fixed points
• Suppose S is finite
  – The least fixed point y. (y) is the limit of
  – The greatest fixed point y. (y) is the limit of
Note, since S is finite, convergence is finite

36 Example: EF p
• EF p is characterized by
• Thus, it is the limit of the increasing series...
    p, p ∨ EX p, p ∨ EX(p ∨ EX p), ...
...which we can compute entirely using BDD operations

37 Example: EG p
• EG p is characterized by
• Thus, it is the limit of the decreasing series...
    p, p ∧ EX p, p ∧ EX(p ∧ EX p), ...
...which we can compute entirely using BDD operations

38 Remaining operators
• Allows CTL model checking with only BDD ops
  – Avoid building state graph
  – (Sometimes) avoid state explosion problem
Now you can go home and build your own symbolic model checker...
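
The fixed-point iteration of slides 33 to 38, run on the mutual exclusion example, as an added example that is not part of the presentation: Python sets stand in for the BDDs, EX is the reverse image, EF is computed as a least fixed point and EG as a greatest one. Assumptions: the edges in `R` are the usual two-process turn-based mutex graph (the figure's arrows are not in the transcript), the three specifications are read as AG ¬(C1 ∧ C2), AG (T1 → AF C1) and AG (N1 → EX T1), and all function names are this example's own.

```python
# Explicit-state stand-in for the BDD operations: frozensets play the role of
# characteristic functions. The edges below are an assumption (see lead-in).
R = {
    ("N1", "N2", 0): [("T1", "N2", 1), ("N1", "T2", 2)],
    ("T1", "N2", 1): [("C1", "N2", 1), ("T1", "T2", 1)],
    ("N1", "T2", 2): [("T1", "T2", 2), ("N1", "C2", 2)],
    ("C1", "N2", 1): [("C1", "T2", 1), ("N1", "N2", 0)],
    ("T1", "T2", 1): [("C1", "T2", 1)],
    ("T1", "T2", 2): [("T1", "C2", 2)],
    ("N1", "C2", 2): [("T1", "C2", 2), ("N1", "N2", 0)],
    ("C1", "T2", 1): [("N1", "T2", 2)],
    ("T1", "C2", 2): [("T1", "N2", 1)],
}
S, S0 = frozenset(R), ("N1", "N2", 0)

def prop(label):                       # states whose labelling contains `label`
    return frozenset(s for s in S if label in s)

def EX(p):                             # reverse image: states with a successor in p
    return frozenset(s for s in S if any(t in p for t in R[s]))

def fix(tau, y):                       # iterate tau from y until nothing changes
    while (nxt := tau(y)) != y:
        y = nxt
    return y

def EF(p): return fix(lambda y: p | EX(y), frozenset())   # least fixed point
def EG(p): return fix(lambda y: p & EX(y), S)             # greatest fixed point
def NOT(p): return S - p
def AF(p): return NOT(EG(NOT(p)))                         # duality AF p = ¬EG ¬p
def AG(p): return NOT(EF(NOT(p)))                         # duality AG p = ¬EF ¬p
def IMPLIES(p, q): return NOT(p) | q

N1, T1, C1, C2 = prop("N1"), prop("T1"), prop("C1"), prop("C2")
SPECS = {
    "mutual exclusion": AG(NOT(C1 & C2)),
    "liveness": AG(IMPLIES(T1, AF(C1))),
    "non-blocking": AG(IMPLIES(N1, EX(T1))),
    "AF C1 (expected to fail)": AF(C1),
}

def verdicts():                        # does each spec hold in the initial state?
    return {name: S0 in sat for name, sat in SPECS.items()}

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name}: {'holds' if ok else 'fails'} at {S0}")
```

The last specification fails because process 1 may stay noncritical forever; `EG(NOT(C1))` returns exactly the states on that cycle.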

39 Example: Gigamax cache protocol
• Bus snooping maintains local consistency
• Message passing protocol for global consistency
[Figure labels: MPP, cluster bus, global bus, UIC]

40 Protocol example
• Cluster B read --> cluster A
• Cluster A response --> B and main memory
• Clusters A and B end shared
[Figure labels: MPP, cluster bus, global bus, UIC; clusters A, B, C; owned copy; read miss]

41 Protocol correctness issues
• Protocol issues
  – deadlock
  – unexpected messages
  – liveness
• Coherence
  – each address is sequentially consistent
  – store ordering (system dependent)
• Abstraction is relative to properties specified

42 One-address abstraction
• Cache replacement is nondeterministic
• Message queue latency is arbitrary
[Figure labels: IN, OUT, A, ?]
output of A may or may not occur at any given time

43 Specifications
• Absence of deadlock
    SPEC AG (EF p.readable & EF p.writable);
• Coherence
    SPEC AG((p.readable & bit) -> ~EF(p.readable & ~bit));
Abstraction:
    bit = 0 if data < n, 1 otherwise

44 Counterexample: deadlock in 13 steps
• Cluster A read --> global (waits, takes lock)
• Cluster C read --> cluster B
• Cluster B response --> C and main memory
• Cluster C read --> cluster A (takes lock)
[Figure labels: MPP, cluster bus, global bus, UIC; clusters A, B, C; owned copy from cluster A]

45 State space explosion
• State space growth is exponential

46 BDD performance
• BDD size growth is linear

47 BDD performance
• Run time growth is quadratic

48 Why does it work?
Many partial states equivalent...
...implies many subfunctions equivalent...
[Figure: OBDD]

49 When doesn't it work?
• Protocols that pass pointers
• Linked lists
• Anytime one part of the system knows a large amount of information about another part

50 Summary
• Model checking
  – Automatic verification (or falsification) of finite state systems
  – Linear v. branching time logics
• State explosion problem
  – Binary Decision Diagrams
  – Heuristically efficient boolean operations
  – Image calculations
  – Fixed point characterization of CTL
  – Model checking without building state graph
• Applications
  – Find subtle errors in complex protocols
