1 Model checking

2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems (textutal representation), or, equivalenely, with a Kripke structures (automata representation).

3 Kripke structures A convenient model for describing reactive systems Implicitly all states are accepting. M= h S, , I, L i S: States (finite).  µ S x S is the transition relation. I µ S are the Initial states. L: S ) 2 AP (where AP is a set of atomic propositions) Convention: we will only write the positive literals.

4 A Kripke structure Note: the alphabet is NOT the set AP. Rather it is 2 AP

From a Kripke structure to a Buchi automata Given a Kripke structure M= h S,  , I M, L i......we can build an equivalent Buchi automata B M = h , S, ¢, I, F i where  = 2 Prop S // same states (s, t) 2 ¢ iff (s,t) 2 ¢ M and a = L(s) // transition relation I = I M // same initial state F = S //every state is accepting

Example The system: M = p,q p becomes the Buchi automaton (recall: a transition is labelled with an element of 2 AP ) p,q   p p Recall that this is {  p,  q}

7 Correctness condition An LTL formula  a set of allowed computations ( ‘ models ’ ). A Kripke structure M = a set of computations. Are the computations of M models of 

8 Correctness All sequences Sequences satisfying Spec Program computations

9 Incorrectness All sequences Sequences satisfying Spec Program computations Counter examples

10 Model-Checking: formally Language of a model M: L (M) Language of a specification  : L (  ). We need: L (M)  L (  ). This is called Model-Checking If yes, we write M ²  

11 Model checking – example p q,x p,x p,y M BB M ²  ?  : G (p U q) Let  = s 0,s 1 .  2 L (M) but   L (B  ). Hence L(M) * L (B  ). s0s0 s1s1 s2s2 model spec q

12 How to model-check? Show that L(Model)  L(Spec). Equivalently: Show that L(Model)  L(Spec) = Ø. How? Check that A model £ A : Spec is empty. M S M : S M µ S M Å : S  ;

13 What do we need to know? 1.How to translate from LTL to an automaton ? 2.How to complement an automaton? 3.How to intersect two automata? 4.How to check for emptiness of an automaton ? L(Model)  L(Spec) = Ø.

14 How to complement? Complementation is hard! We know how to translate an LTL formula to a Buchi automaton. So we can: Build an automaton A for , and complement A, or Negate the property, obtaining ¬  (the sequences that should never occur). Build an automaton for ¬ .

15 But... reacall... Theoretically, model checking gives us a proof of correctness Practically, it mainly attempts to increase reliability: Automated systematic debugging VERY good at finding errors! Why ? Possible bugs in the model checker Capacity limitations Wrong or missing properties...

16 From programs to Kripke structures Supposed that we wish to model-check a program / concurrent program – How can we represent it as a Kripke structure ?

17 Kripke structures Kripke structures are suitable for modeling a synchronous system. When we move from state s to state s ’, the values of the atoms in the state are changed synchronously. Is this the case for programs ? How can we describe programs as transition systems?

18 Programs as transition systems Programs we know are sequential. What is the result of this computation :... x = y; y = x; We need to model the location in the program We will use a variable called the program counter (PC)

19 L 0 :While True do nc 0 :wait (Turn=0); cr 0 :Turn=1 T0: (pc 0 =L 0, pc 0 =nc 0 ) T1: (pc 0 =nc 0 Æ Turn=0, pc 0 =cr 0 ) T2: (pc 0 =cr 0, pc 0 = L 0 Æ Turn=1) T3: (pc 1 =L 1, pc 1 =nc 1 ) T4: (pc 1 =nc 1 Æ Turn=1, pc 1 =cr 1 ) T5: (pc 1 =cr 1, pc 1 = L 1 Æ Turn = 0) Initially: pc 0 =L 0 Æ pc 1 =L 1 L 1 :While True do nc 1 :wait (Turn=1); cr 1 :Turn=0 || Possible transitions: Example: A program that maintains mutual exclusion

20 And now as a Kripke structure Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 PC 0 = L 0, PC 1 = L 1

21 Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 G : (pc 0 =cr 0 Æ pc 1 =cr 1 ) (a safety property)

22 Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 G(Turn=0 ! F Turn=1) (a liveness property)

23 What properties can we check? Examples: Invariants: a property that has to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed?

24 If it is so good, is this all we need? Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures: queues trees stacks Parametric algorithms and systems.

25 The state space explosion problem Need to represent the state space of a program in the computer memory. Each state can be as big as the entire memory! Many states: Each integer variable has 2 32 possibilities. Two such variables have 2 64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes.

26 If it is so constrained, is it of any use? Many protocols are finite state. Many programs or procedures are finite state in nature. Can use abstraction techniques.

27 If it is so constrained, is it of any use? Sometimes it is possible to decompose a program, and prove part of it by model checking and part by other methods. Many techniques to reduce the state space explosion We will NOT learn about such techniques, but let us mention some names: Data structures such as Binary Decision Diagrams, Reductions, such as Partial Order Reduction.