Introduction to SMV and Model Checking
Mostly by: Ken McMillan
Cadence Berkeley Labs
Small parts by: Brandon Eames
ISIS/Vanderbilt University
Presented in the CS 367 class by Aditya
1
SMV Tool

Can be downloaded from
http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/dld2.html
2
Outline

Quick overview of SMV

Model checking
– Temporal logic
– Model checking algorithms
– Expressiveness and complexity

Symbolic model checking
– The “state explosion” problem
– Binary Decision Diagrams
– Computing fixed points with BDD’s
– Application
3
SMV: Symbolic Model Verifier

Capture system behavior as combinatorial and sequential logic: finite state machines.
Capture system requirements as statements in temporal logic.
SMV applies the requirement specifications to the state machine model
– Attempt to prove that system meets requirements
– If system fails, attempt to show counterexample
4
How SMV Works

Convert system model (the FSM) to OBDD representation
Convert CTL specifications into operations which can be applied to OBDDs
Traverse the state space, applying verification operations until achieving a “fixed point”: stable system
Report the results of the traversal, either requirements met or not.
5
Example
MODULE main
VAR
  request : boolean;          -- free input: never assigned, so it may change at every step
  state : {ready, busy};
ASSIGN
  init(state) := ready;
  next(state) := case
    state = ready & request : busy;   -- a request while ready moves the machine to busy
    1 : {ready, busy};                -- otherwise: nondeterministic choice
  esac;
SPEC
  AG(request -> AF state = busy)      -- every request is eventually served
6
SMV’s supported CTL operators

!      not
&      and
|      or
->     implies
<->    logical equivalence
“E”    existential path quantifier
“A”    universal path quantifier
“X”    next time
“F”    eventually
“G”    globally
“U”    until
7
Propositional Linear Temporal Logic

Express properties of “Reactive Systems”
– interactive, nonterminating

For PLTL, a model is an infinite state sequence
σ = s0, s1, s2, ...

Temporal operators
– “Globally”: G p at t iff p for all t’ ≥ t.
  timeline: p p p p p p p ...   (G p holds at every point)
8
Temporal operators...
– “Future”: F p at t iff p for some t’ ≥ t.
  timeline: ... p ...   (F p holds at every point up to and including that p)
– “Until”: p U q at t iff
  – q for some t’ ≥ t, and
  – p in the range [t, t’)
  timeline: p p p p p q   (p U q holds at every point up to and including the q)
– “Next-time”: X p at t iff p at t+1
9
Examples

Liveness: “if input, then eventually output”
G (input → F output)        (input, output are atomic props)

Strong fairness: “infinitely send implies infinitely recv.”
GF send → GF recv           (GF = infinitely often)

Weak until: “no output before input”
output W input
p W q ≡ (p U q) ∨ G p
10
Safety v. Liveness

Safety
– Refutable by finite run

Liveness
– Refutable only by infinite run
– Every finite run extensible to satisfying run
11
PLTL semantics

Given an infinite sequence σ = s0, s1, s2, ...
– σ, si ⊨ f   if f is true in state si of σ.
– σ ⊨ f       if f is true in state s0 of σ.
– ⊨ f         if f is valid.

A formula is an atomic proposition, or...
true, p ∨ q, ¬p, p U q, X p
12
PLTL semantics...

Definition of satisfaction
σ, si ⊨ a (atomic)   iff   a is true in si
σ, si ⊨ ¬p           iff   σ, si ⊭ p
σ, si ⊨ p ∨ q        iff   σ, si ⊨ p or σ, si ⊨ q
σ, si ⊨ X p          iff   σ, si+1 ⊨ p
σ, si ⊨ p U q        iff   for some j ≥ i: σ, sj ⊨ q, and for all i ≤ k < j: σ, sk ⊨ p

Derived operators...
p ∧ q ≡ ¬(¬p ∨ ¬q)
F p ≡ true U p
G p ≡ ¬F ¬p
13
Model Checking
(Clarke/Emerson, Queille/Sifakis)

(figure: a temporal formula such as G(p -> F q) and a finite-state model whose states are labeled p, q are fed to the MC algorithm, which answers “yes”, or “no” together with a counterexample path through the model)
Model must now represent all behaviors
14
Kripke models

A Kripke model (S,R,L) consists of
– set of states S
– set of transitions R ⊆ S × S
– labeling L relating the states S to the atomic propositions AP

Kripke models from programs
repeat
  p := true;
  p := false;
end
(figure: the two-state model that alternates between a state labeled p and a state labeled ¬p)
15
Mutual exclusion example

(figure: state graph; its states, each a pair of process states plus the turn variable, are)
N1,N2 turn=0;  T1,N2 turn=1;  C1,N2 turn=1;  N1,T2 turn=2;  T1,T2 turn=1;  T1,T2 turn=2;  C1,T2 turn=1;  N1,C2 turn=2;  T1,C2 turn=2
N = noncritical, T = trying, C = critical
16
PLTL on Kripke models

A path in model M = (S,R,L) is a sequence
σ = s0, s1, s2, ... of states in S
such that (si, si+1) ∈ R.
(figure: a path s0, s1, s2, s3, ... whose states are labeled p or ¬p, illustrating F p)
M, s0 ⊨ f iff for all paths σ = s0, s1, s2, ... of M, σ, s0 ⊨ f
17
Branching time

Model of time is a tree, not a sequence
(figure: a computation tree on whose every branch p eventually holds, so AF p holds at the root)

Path quantifiers
M, s0 ⊨ A f iff for all paths σ = s0, s1, s2, ... of M, σ ⊨ f
M, s0 ⊨ E f iff for some path σ = s0, s1, s2, ... of M, σ ⊨ f
18
Computation Tree Logic

Every operator F, G, X, U preceded by A or E

Universal modalities...
AG p   (figure: a computation tree with p at every node of every branch)
AF p   (figure: a computation tree in which every branch reaches a node labeled p)
19
CTL, cont...

Existential modalities
EG p   (figure: a computation tree with one branch labeled p all the way down)
EF p   (figure: a computation tree in which one branch reaches a node labeled p)
20
CTL, cont

Other modalities
AX p, EX p, A(p U q), E(p U q)

Some dualities...
AG p ≡ ¬EF ¬p
AF p ≡ ¬EG ¬p

Examples: mutual exclusion specs...
AG ¬(C1 ∧ C2)       mutual exclusion
AG (T1 → AF C1)     liveness
AG (N1 → EX T1)     non-blocking
21
Symbolic model checking

State explosion problem
– State graph exponential in program size

Symbolic model checking approach
– Boolean formulas represent sets and relations
– Use fixed point characterizations of CTL operators
– Model checking without building state graph
Sometimes can handle much larger state space
22
Binary Decision Diagrams (Bryant)

Ordered decision tree for f = ab + cd
(figure: the full decision tree testing a, then b, then c, then d on every path; its 16 leaves, read left to right, spell out the truth table)
0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1
23
OBDD reduction

Reduced (OBDD) form:
(figure: one node each for a, b, c and d; the 1-edge of a leads to b, the 0-edges of a and b share the c node, the 1-edge of c leads to d, the 1-edges of b and d reach the terminal 1, and every other edge reaches the terminal 0)
Key idea: combine equivalent sub-cases
24
OBDD properties

Canonical form (for fixed order)
– direct comparison

Efficient apply algorithm
– build BDD’s for large circuits
– combining f and g into f <op> g costs O(|f| |g|)

Variable order strongly affects size
25
Boolean quantification

If v is a boolean variable, then
∃v. f = f|v=0 ∨ f|v=1

Multivariate quantification
∃(w1,w2,…,wn). f
Example:
∃(b,c). (ab ∨ cd) = a ∨ d

Complexity on BDD representation
– worst case exponential
– heuristically efficient
26
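As an added Python example (not code from the slides or from SMV), a minimal ROBDD package covering slides 23 to 26: the two reduction rules of the OBDD form, Bryant’s apply, restriction and existential quantification. Node ids, the hash-cons table and the method names are this example’s own design; it rebuilds f = ab + cd under the order a, b, c, d and checks ∃(b,c). (ab ∨ cd) = a ∨ d by comparing node ids, which canonicity makes sufficient.

```python
from operator import and_, or_
ZERO, ONE = 0, 1  # terminal node ids; internal node ids start at 2
class BDD:  # reduced ordered BDDs: equal functions always get equal node ids
    def __init__(self, order):
        self.order = {v: i for i, v in enumerate(order)}  # fixed variable order (slide 25)
        self.nodes = {}   # id -> (var, low, high)
        self.unique = {}  # (var, low, high) -> id: shares isomorphic subgraphs
        self.cache = {}   # memo table for apply
    def mk(self, var, low, high):
        if low == high:  # reduction rule: a test whose branches agree is dropped
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]
    def _cofactors(self, f, v):  # (f|v=0, f|v=1) when v is at or above f's root variable
        return self.nodes[f][1:] if f > ONE and self.nodes[f][0] == v else (f, f)
    def apply(self, op, f, g):  # Bryant's apply: Shannon-expand both operands on the earliest variable
        if f <= ONE and g <= ONE:
            return int(op(bool(f), bool(g)))
        if (op, f, g) not in self.cache:
            top = lambda n: self.order[self.nodes[n][0]] if n > ONE else len(self.order)
            v = self.nodes[min(f, g, key=top)][0]
            f0, f1 = self._cofactors(f, v)
            g0, g1 = self._cofactors(g, v)
            self.cache[(op, f, g)] = self.mk(v, self.apply(op, f0, g0), self.apply(op, f1, g1))
        return self.cache[(op, f, g)]
    def restrict(self, f, v, val):  # f with variable v fixed to val (0 or 1)
        if f <= ONE:
            return f
        var, low, high = self.nodes[f]
        if var == v:
            return high if val else low
        return self.mk(var, self.restrict(low, v, val), self.restrict(high, v, val))
    def exists(self, f, variables):  # exists v. f = f|v=0 or f|v=1, one variable at a time
        for v in variables:
            f = self.apply(or_, self.restrict(f, v, 0), self.restrict(f, v, 1))
        return f
    def size(self, f, seen=None):  # number of internal nodes reachable from f
        seen = set() if seen is None else seen
        if f > ONE and f not in seen:
            seen.add(f); self.size(self.nodes[f][1], seen); self.size(self.nodes[f][2], seen)
        return len(seen)

def slide_example():  # f = ab + cd from slide 23 under the order a, b, c, d; returns (bdd, f)
    bdd = BDD(["a", "b", "c", "d"])
    a, b, c, d = (bdd.mk(v, ZERO, ONE) for v in "abcd")
    return bdd, bdd.apply(or_, bdd.apply(and_, a, b), bdd.apply(and_, c, d))
```

The reduced diagram of f has the four internal nodes shown on slide 24, and quantifying b and c away yields the same node id as building a ∨ d directly.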
Characterizing sets

Let M = (S,R,L) be a Kripke model

Let S be the set of boolean vectors
(v1,v2,…,vn) ∈ {0,1}^n

Represent any P ⊆ S by its characteristic function cP
P = {(v1,v2,…,vn) : cP}

Set operations
– c∅ = false, cS = true
– cP∪Q = cP ∨ cQ, cP∩Q = cP ∧ cQ
– cS\P = ¬cP
27
Characterizing relations

Transition relation R is a set of state pairs…
R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : cR}

Examples
– A synchronous sequential circuit with state bits v0, v1 (circuit figure)
  cR = (v’0 = ¬v0) ∧ (v’1 = v0 op v1), where op is the gate combining v0 and v1 in the figure
28
Transition relations, cont...
– An asynchronous circuit: an SR latch with inputs s, r and outputs q, q̄ (figure; the two gates are assumed here to be NOR gates)
– Interleaving model (exactly one gate updates per step)
  cR ≡ ((q’ ≡ ¬(s ∨ q̄)) ∧ (q̄’ ≡ q̄)) ∨ ((q̄’ ≡ ¬(r ∨ q)) ∧ (q’ ≡ q))
– Simultaneous model (each gate independently updates or holds its value)
  cR ≡ ((q’ ≡ ¬(s ∨ q̄)) ∨ (q’ ≡ q)) ∧ ((q̄’ ≡ ¬(r ∨ q)) ∨ (q̄’ ≡ q̄))
29
Forward and reverse image

Forward image Image(P,R) (figure: the set P and the states reached from it by one R-transition)
Image(P, R) ≡ {v’ : for some v, v ∈ P and (v, v’) ∈ R}
cImage(P,R)(v’) ≡ ∃v. (cP(v) ∧ cR(v, v’))
30
Images, cont...

Reverse image Image⁻¹(P,R) = EX P (figure: the set P and the states with an R-transition into it)
Image⁻¹(P, R) ≡ {v : for some v’, v’ ∈ P and (v, v’) ∈ R}
cImage⁻¹(P,R)(v) ≡ ∃v’. (cP(v’) ∧ cR(v, v’))
31
Symbolic CTL model checking

Equate a formula f with the set of states satisfying it…
f ≡ {v ∈ S : v ⊨ f}

Compute BDD’s for characteristic functions…
– ¬p, p ∧ q, p ∨ q (use BDD ops)
– EX p = Image⁻¹(p, R)
– AX p = ¬EX ¬p

Remaining operators have fixed-point characterization...
EF p ≡ p ∨ EX EF p
In fact, this is the least fixed point...
32
Fixed points of monotonic functions

Let τ be a function on sets of states, 2^S → 2^S

Say τ is monotonic when x ⊆ y implies τ(x) ⊆ τ(y)

Fixed point of τ is y such that τ(y) = y

If τ monotonic, then it has
– least fixed point μy. τ(y)
– greatest fixed point νy. τ(y)
33
Iteratively computing fixed points

Suppose S is finite
– The least fixed point μy. τ(y) is the limit of
  false ⊆ τ(false) ⊆ τ(τ(false)) ⊆ ...
– The greatest fixed point νy. τ(y) is the limit of
  true ⊇ τ(true) ⊇ τ(τ(true)) ⊇ ...
Note, since S is finite, convergence is finite
34
Example: EF p

EF p is characterized by
EF p ≡ μy. (p ∨ EX y)

Thus, it is the limit of the increasing series...
p ⊆ p ∨ EX p ⊆ p ∨ EX(p ∨ EX p) ⊆ ...
...which we can compute entirely using BDD operations
35
Example: EG p

EG p is characterized by
EG p ≡ νy. (p ∧ EX y)

Thus, it is the limit of the decreasing series...
p ⊇ p ∧ EX p ⊇ p ∧ EX(p ∧ EX p) ⊇ ...
...which we can compute entirely using BDD operations
36
Remaining operators
AF p ≡ μy. (p ∨ AX y)
AG p ≡ νy. (p ∧ AX y)
E(p U q) ≡ μy. (q ∨ (p ∧ EX y))
A(p U q) ≡ μy. (q ∨ (p ∧ AX y))

Allows CTL model checking with only BDD ops
– Avoid building state graph
– (Sometimes) avoid state explosion problem
Now you can go home and build your own symbolic model checker...
37
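The fixed-point characterizations of slides 32 to 37, applied to the MODULE main of slide 6, as an added Python example (not code from the slides or from SMV). Sets of states are explicit Python sets rather than BDDs, but the structure is the one above: EX is the reverse image over R, AX is its dual, and every other operator is the μ or ν iteration of slide 34; the Kripke model, including the free input request, is constructed here from the slide’s ASSIGN block.

```python
# Constructed Kripke model for the MODULE main of slide 6: a state is the pair
# (request, state) with request in {0, 1} and state in {"ready", "busy"}.
STATES = frozenset((r, s) for r in (0, 1) for s in ("ready", "busy"))
INIT = frozenset(s for s in STATES if s[1] == "ready")  # init(state) := ready; request is free

def successors(st):
    """next(state) from the ASSIGN block; request is an unconstrained input, so it may flip."""
    request, state = st
    nxt = {"busy"} if state == "ready" and request else {"ready", "busy"}  # '1 :' default branch
    return {(r, s) for r in (0, 1) for s in nxt}

R = frozenset((s, t) for s in STATES for t in successors(s))  # transition relation as state pairs

def EX(y):  # reverse image Image^-1(y, R): states with some successor in y
    return frozenset(s for (s, t) in R if t in y)

def AX(y):  # AX y = not EX not y
    return STATES - EX(STATES - y)

def lfp(tau):  # least fixed point: iterate tau from the empty set until it stabilises
    y = frozenset()
    while tau(y) != y:
        y = tau(y)
    return y

def gfp(tau):  # greatest fixed point: iterate tau from the full state set until it stabilises
    y = STATES
    while tau(y) != y:
        y = tau(y)
    return y

def NOT(p): return STATES - p
def IMPLIES(p, q): return NOT(p) | q
def EF(p): return lfp(lambda y: p | EX(y))          # slide 35
def EG(p): return gfp(lambda y: p & EX(y))          # slide 36
def AF(p): return lfp(lambda y: p | AX(y))          # slide 37
def AG(p): return gfp(lambda y: p & AX(y))
def EU(p, q): return lfp(lambda y: q | (p & EX(y)))
def AU(p, q): return lfp(lambda y: q | (p & AX(y)))

REQUEST = frozenset(s for s in STATES if s[0] == 1)  # the atomic proposition "request"
BUSY = frozenset(s for s in STATES if s[1] == "busy")  # the atomic proposition "state = busy"

def holds(spec):
    """A SPEC holds when every initial state is in the set of states satisfying it."""
    return INIT <= spec

def failing_initial_states(spec):
    """Initial states that violate the spec; SMV would extend one into a counterexample trace."""
    return INIT - spec
```

The slide’s own SPEC, AG(request -> AF state = busy), holds; the stronger AG(request -> AX state = busy) fails from both initial states, because a request seen while busy is followed by a nondeterministic choice that may return to ready.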
Why does it work?
(figure: many partial assignments in the state space map onto the same OBDD node)
Many partial states equivalent...
...implies many subfunctions equivalent...
38
When doesn’t it work?

Protocols that pass pointers

Linked lists

Anytime one part of the system “knows” a large amount of information about another part
39
Summary

Model checking
– Automatic verification (or falsification) of finite state systems
– Linear v. branching time logics

State explosion problem
– Binary Decision Diagrams
– Heuristically efficient boolean operations
– Image calculations
– Fixed point characterization of CTL
– Model checking without building state graph

Applications
– Find subtle errors in complex protocols
40