Model Checking
Li Xuandong

Outline
- Introduction to Model Checking
- Model Checking for Real-Time and Hybrid Systems

Correctness & Reliability
- Today, computer systems are widely used in applications where failure is unacceptable.
- The need for reliable computer systems is critical. It is no longer feasible to shut down a malfunctioning system in order to restore safety: we are very much dependent on such systems for continuous operation. Even when failure is not life-threatening, the consequences of having to replace critical code or circuitry can be economically devastating.
- It will become more important to develop methods that increase our confidence in the correctness and reliability of such systems.

Hardware and Software Verification
The principal validation methods for complex systems are
- simulation,
- testing, and
- formal verification (verification based on formal methods).

Formal Methods
- Formal methods are mathematically-based languages, techniques, and tools for specifying and verifying complex computer systems.
- Use of formal methods does not a priori guarantee correctness. However, they can greatly increase our understanding of a system by revealing inconsistencies, ambiguities, and incompleteness that might otherwise go undetected.

Formal Methods
- Specification
- Verification
  - deductive verification (theorem proving)
  - model checking

Model Checking
Model checking is a technique for verifying finite-state systems that relies on building a finite model of a system and checking that a desired property holds in that model.
- The verification can be performed automatically.
- The procedure normally uses an exhaustive search of the state space of the system to determine whether some specification is true or not.
In the 1980s, model checking was developed independently by E.M. Clarke and E.A. Emerson in the USA and J.P. Queille and J. Sifakis in France.

The Process of Model Checking
- Modeling: The first task is to convert a design into a formalism accepted by a model checking tool.
- Specification: Before verification, it is necessary to state the properties that the design must satisfy. The specification is usually given in some logical formalism.
- Verification: Ideally the verification is completely automatic. However, in practice it often involves human assistance.

The Technical Challenge in Model Checking
- The technical challenge in model checking is in devising algorithms and data structures that allow us to handle large search spaces.
- The main disadvantage of model checking is the state explosion that can occur if the system being verified has many components that can make transitions in parallel.

Attacking the State Explosion Problem
- Symbolic representation of the state space: McMillan's ordered binary decision diagrams (OBDDs).
- Partial order reduction: A common model for representing concurrent software is the interleaving model, in which all of the events in a single execution are arranged in a linear order called an interleaving sequence. Partial order reduction techniques make it possible to decrease the number of interleaving sequences that must be considered.
- Abstraction
- Symmetry

Model Checking for Software
Automated model extraction: applying model checking to software requires that
- program source code be translated into a finite-state transition system that safely models program behaviour, and
- irrelevant code be removed, so as to reduce the size of the corresponding transition system model.

Model Checking Tools
- SMV: http://www.cs.cmu.edu/~modelcheck/code.html
- SPIN: http://netlib.bell-labs.com/netlib/spin/whatispin.html
- HyTech: http://www.cad.eecs.berkeley.edu/~tah/HyTech/
- Kronos: http://www-verimag.imag.fr/~PEOPLE/Sergio.Yovine/kronos/index.html
- UPPAAL: http://www.brics.dk/FormalMethods/UPPALL/index.html

Model Checking for Real-Time and Hybrid Systems
Models of continuous time:
- timed automata
- hybrid automata

Fischer's mutual exclusion protocol
Given m processes P1, P2, ..., Pm, let each process Pi execute the following code repeatedly:
  a:  repeat await [v = 0];
  b:         [v := i];
  c:  until [v = i];
  cs: critical section
  d:  [v := 0];
Square brackets enclose atomic operations, and v is a shared variable. Assume an upper bound Δ on the time spent at b and a lower bound δ on the time spent at c.

Real-Time Automata
[Figure: real-time automaton for process Pi with locations Ai, Bi, Ci and CSi. Edge labels recoverable from the figure: guard "[0,∞), v = 0" on entering Bi from Ai; interval [0, 20] with reset v := i on Bi → Ci (so Δ = 20); guard "[21,∞), v = i" on Ci → CSi (so δ = 21); reset v := 0 on leaving CSi.]
The problem is to prove that the protocol ensures mutual exclusion of the critical sections, for given values Δ and δ satisfying Δ < δ.
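To make the exhaustive state-space search concrete, here is an added example (it is not from the original slides and not the code of any of the tools listed above) that model-checks mutual exclusion for Fischer's protocol with m processes. The abstraction is this example's own: time advances in unit ticks, Δ and δ are integer tick counts, a process may not let a tick pass while it would overstay Δ in b, and the timer in c saturates at δ because only "at least δ" matters. The reachable states are enumerated breadth-first, so a violation comes with a counterexample run, and the returned state count shows how the search space grows with m. The names `successors` and `check_mutex` are assumptions of this example.

```python
from collections import deque

# Locations of one process P_i, following the slide's code:
#   a: await [v = 0]      b: [v := i], leaving b within Delta ticks
#   c: wait at least delta ticks, then test [v = i]      cs: critical section, then [v := 0]
A, B, C, CS = "a", "b", "c", "cs"


def successors(state, big_delta, small_delta):
    """Next states in the interleaved, discrete-time model (this example's own abstraction).
    state = (v, ((loc_1, timer_1), ..., (loc_m, timer_m))); timer_i counts ticks spent in b or c."""
    v, procs = state
    out = []
    for i, (loc, timer) in enumerate(procs):          # one process takes an instantaneous step
        pid = i + 1

        def move(new_loc, new_v=v):
            ps = list(procs)
            ps[i] = (new_loc, 0)                       # timer restarts on entering a location
            out.append((new_v, tuple(ps)))

        if loc == A and v == 0:
            move(B)
        elif loc == B:                                 # allowed at any instant in [0, Delta]
            move(C, pid)
        elif loc == C and timer >= small_delta:        # only once delta ticks have elapsed
            move(CS if v == pid else A)
        elif loc == CS:
            move(A, 0)
    # one tick of time; illegal if some process would thereby overstay Delta in b
    if all(loc != B or timer < big_delta for loc, timer in procs):
        ticked = tuple(
            (loc, timer + 1 if loc == B else (min(timer + 1, small_delta) if loc == C else 0))
            for loc, timer in procs)                   # timer in c saturates at delta
        out.append((v, ticked))
    return out


def check_mutex(m, big_delta, small_delta):
    """Exhaustive breadth-first search of the reachable states for the safety property
    'at most one process in cs'. Returns (holds, states_explored, counterexample_or_None)."""
    init = (0, tuple((A, 0) for _ in range(m)))
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if sum(1 for loc, _ in s[1] if loc == CS) > 1:
            path, cur = [], s                          # rebuild the violating run from the BFS tree
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return False, len(parent), path[::-1]
        for n in successors(s, big_delta, small_delta):
            if n not in parent:
                parent[n] = s
                queue.append(n)
    return True, len(parent), None


if __name__ == "__main__":
    for m in (2, 3, 4):
        for big_delta, small_delta in ((2, 3), (3, 3)):
            ok, n, cex = check_mutex(m, big_delta, small_delta)
            verdict = "holds" if ok else f"VIOLATED (counterexample of {len(cex) - 1} steps)"
            print(f"m={m} Delta={big_delta} delta={small_delta}: {n} states, mutual exclusion {verdict}")
```

With Δ < δ (for instance Δ = 2, δ = 3) the search finds no state with two processes in cs; with Δ = δ it produces the run in which one process tests v at the same tick at which the other is still allowed to write it, which is exactly why the slide demands Δ < δ. The state counts printed for m = 2, 3, 4 are the state explosion of the earlier slide in miniature.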

Example: a water-level monitor
- When the pump is off, the water level falls by two inches per second; when the pump is on, the water level rises by one inch per second.
- Initially the water level is one inch and the pump is on.
- There is a delay of two seconds from the time that the monitor signals to change the status of the pump to the time that the change becomes effective.
Requirement:
  1 ≤ water-level ≤ 12

Hybrid automata
A hybrid automaton is a conventional automaton extended with a set of variables:
- the variables are assumed to be piecewise linear functions of time;
- the states of the automaton, called locations, are assigned a change rate for each variable, such as ẋ = w (x is a variable, w is a real number); and
- the transitions of the automaton are labelled with constraints on the variables such as a ≤ x ≤ b and/or with reset actions such as x := c (x is a variable; a, b, and c are real numbers).

[Figure: hybrid automaton of the water-level monitor with locations S1, S2, S3, S4; labels as recoverable from the figure:
  S1: ẋ = 1, ẏ = 1, invariant y < 10;   S1 → S2 on y = 10?, x := 0
  S2: ẋ = 1, ẏ = 1, invariant x < 2;    S2 → S3 on x = 2?
  S3: ẋ = 1, ẏ = −2, invariant y > 5;   S3 → S4 on y = 5?, x := 0
  S4: ẋ = 1, ẏ = −2, invariant x < 2;   S4 → S1 on x = 2?]

The runs of a hybrid automaton
- Initial Step: The automaton starts at one of the initial locations with all variables initialised to their initial values.
- Continuous Step: As time progresses, the values of all variables change continuously according to the rate associated with the current location.
- Discrete Step: At any time, the system can change its current location from one to another provided that there is a transition between these two locations whose labelling conditions are satisfied by the current values of the variables. With a location change by a transition, the variables are reset to new values according to the reset actions labelled on this transition. Transitions are assumed to be instantaneous.

A run of the water-level monitor:

  Time   Current location   x     y
  0      s1                 0     1
  9      s1                 9     10
  9      s2                 0     10
  11     s2                 2     12
  11     s3                 2     12
  14.5   s3                 5.5   5
  14.5   s4                 0     5
  16.5   s4                 2     1
  16.5   s1                 2     1
  ...    ...                ...   ...

Linear Duration Properties (LDPs)
Linear duration properties (LDPs) are linear inequalities on integrated durations of system states:
  Σ_{i=1}^{m} c_i ∫S_i ≤ M
where for each i (1 ≤ i ≤ m), S_i is a state and c_i is a real number, and M is a real number; ∫S_i denotes the total time spent in S_i.
Example
The button should be pressed, possibly intermittently, for a total duration not smaller than a required number of seconds, which can be expressed by the following linear duration property (S is the "pressed" state and M is the negation of the required number of seconds):
  −∫S ≤ M

LDPs for the water-level monitor
For an interval [0, t]:
- the time the system stays in s1 or s2: ∫s1 + ∫s2
- the time the system stays in s3 or s4: ∫s3 + ∫s4
- the water level at time t: 1 + (∫s1 + ∫s2) − 2(∫s3 + ∫s4)
The requirement 1 ≤ water-level ≤ 12 becomes:
  −(∫s1 + ∫s2) + 2(∫s3 + ∫s4) ≤ 0
  (∫s1 + ∫s2) − 2(∫s3 + ∫s4) ≤ 11

The model-checking problem
Given a hybrid automaton A and a linear duration property P, decide efficiently whether A satisfies P.

Timed Sequences
A timed sequence
  (v0, t0)(v1, t1) ... (vm, tm)
represents a behaviour of a hybrid automaton if and only if
- for each i (0 ≤ i ≤ m − 1), there is a transition between locations vi and vi+1, and
- t0, t1, ..., tm satisfy the time constraints enforced by the automaton (each ti being the time spent in vi).
For example,
  (s1, 9)(s2, 2)(s3, 3.5)(s4, 2)(s1, 9)
expresses a behaviour of the hybrid automaton modelling the water-level monitor.

Definition of the satisfaction problem
- A timed sequence σ = (v0, t0)(v1, t1) ... (vm, tm) satisfies a linear duration property P: Σ_{i=1}^{n} c_i ∫S_i ≤ M if and only if
    Σ_{i=1}^{n} c_i (Σ_{u∈Ψ_i} t_u) ≤ M,
  where Ψ_i = {u | (0 ≤ u ≤ m) ∧ (v_u = S_i)}.
- A hybrid automaton satisfies a linear duration property if and only if every timed sequence expressing its behaviour satisfies the linear duration property.
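The following added example (not part of the original slides) executes the water-level monitor's runs as defined above, alternating continuous and discrete steps to produce the timed sequence and the trace table, and then evaluates the two requirement LDPs on every prefix of the timed sequence exactly as the satisfaction definition prescribes. The functions `run`, `ldp_holds` and `requirement_holds`, and the `delay` parameter (which lets the two-second actuator delay be varied so that the requirement can be seen to fail), are this example's own assumptions; the automaton data is transcribed from the figure.

```python
from fractions import Fraction as F

# Water-level monitor as a hybrid automaton. Variables: x = clock for the actuator
# delay, y = water level in inches. Rates (dx/dt, dy/dt) per location, as in the figure.
RATES = {
    "s1": (1, 1),    # pump on, level rising, until y = 10
    "s2": (1, 1),    # "switch off" signalled, still rising during the delay
    "s3": (1, -2),   # pump off, level falling, until y = 5
    "s4": (1, -2),   # "switch on" signalled, still falling during the delay
}
VAR = {"x": 0, "y": 1}


def transitions(delay):
    """location -> (target, guard (variable, value), resets). delay = 2 in the slides;
    it is a parameter here (this example's choice) so that a wrong delay can be tried."""
    return {
        "s1": ("s2", ("y", 10), {"x": 0}),
        "s2": ("s3", ("x", delay), {}),
        "s3": ("s4", ("y", 5), {"x": 0}),
        "s4": ("s1", ("x", delay), {}),
    }


def run(steps, delay=2, init_loc="s1", init_vals=(0, 1)):
    """Alternate continuous and discrete steps for `steps` transitions.
    Returns the timed sequence [(v_0, t_0), ...] and the trace table [(time, loc, x, y), ...].
    Exact rational arithmetic avoids float drift in the guard comparisons."""
    trans = transitions(delay)
    loc, vals, now = init_loc, [F(v) for v in init_vals], F(0)
    timed_seq, table = [], [(now, loc, vals[0], vals[1])]
    for _ in range(steps):
        target, (gvar, gval), resets = trans[loc]
        rate = RATES[loc][VAR[gvar]]
        # continuous step: let time pass until the guard variable reaches the guard value
        dwell = (F(gval) - vals[VAR[gvar]]) / rate
        if dwell < 0:
            raise ValueError(f"guard {gvar} = {gval} unreachable from {loc}")
        vals = [v + r * dwell for v, r in zip(vals, RATES[loc])]
        now += dwell
        table.append((now, loc, vals[0], vals[1]))
        timed_seq.append((loc, dwell))
        # discrete step: instantaneous location change plus the edge's resets
        for var, c in resets.items():
            vals[VAR[var]] = F(c)
        loc = target
        table.append((now, loc, vals[0], vals[1]))
    return timed_seq, table


def ldp_holds(timed_seq, coeffs, bound):
    """sum_i c_i * integral(S_i) <= M for a timed sequence: integral(S_i) is the sum of
    the durations t_u over the positions u with v_u = S_i (the set Psi_i of the definition)."""
    return sum(coeffs.get(v, 0) * t for v, t in timed_seq) <= bound


# Requirement 1 <= level <= 12 as the two LDPs of the slides.
LOWER = ({"s1": -1, "s2": -1, "s3": 2, "s4": 2}, 0)    # -(∫s1+∫s2) + 2(∫s3+∫s4) <= 0
UPPER = ({"s1": 1, "s2": 1, "s3": -2, "s4": -2}, 11)   # (∫s1+∫s2) - 2(∫s3+∫s4) <= 11


def requirement_holds(timed_seq):
    """Every prefix is itself a behaviour; the level is linear within a location, so
    checking the prefixes that end at transition instants covers its extremes."""
    return all(ldp_holds(timed_seq[:k], *LOWER) and ldp_holds(timed_seq[:k], *UPPER)
               for k in range(len(timed_seq) + 1))


if __name__ == "__main__":
    for delay in (2, 3):
        seq, table = run(4, delay=delay)
        print(f"delay={delay}: timed sequence", [(v, str(t)) for v, t in seq],
              "- requirement", "holds" if requirement_holds(seq) else "VIOLATED")
        for now, loc, x, y in table:
            print(f"  t={str(now):>5}  {loc}  x={str(x):>4}  y={str(y):>4}")
```

With the slides' two-second delay the run reproduces the trace table and the timed sequence (s1, 9)(s2, 2)(s3, 3.5)(s4, 2); with a three-second delay the level overshoots to 13 and the upper-bound LDP already fails on the prefix (s1, 9)(s2, 3), which is how a duration property pinpoints the violating behaviour.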

Reducing the problem to linear programming
For a path ρ = v0 v1 ... vm in a hybrid automaton H, any timed sequence representing a behaviour of H that corresponds to ρ is of the form
  σ = (v0, t0)(v1, t1) ... (vm, tm)
where t0, t1, ..., tm satisfy a group of linear inequalities C_ρ.

Reducing the problem to linear programming
Checking all timed sequences that are behaviours of H corresponding to ρ against an LDP P is equivalent to the problem of
- finding the maximum value of the linear function
    Σ_{i=1}^{n} c_i (Σ_{u∈Ψ_i} t_u)
  subject to the linear constraints C_ρ, and checking whether it is not greater than M.
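A worked instance of this reduction for the water-level monitor, added here as an illustration and not taken from the original slides. Take the path $\rho = s_1 s_2 s_3 s_4 s_1$. Reading the rates, guards and invariants off the automaton (initial level $y = 1$, $x$ reset to $0$ on entering $s_2$ and $s_4$, final location $s_1$ with invariant $y < 10$, taken as the closed bound $y \le 10$) gives

$$
C_\rho:\quad 1 + t_0 = 10,\qquad t_1 = 2,\qquad 12 - 2t_2 = 5,\qquad t_3 = 2,\qquad 1 + t_4 \le 10,\qquad t_u \ge 0 \ (0 \le u \le 4),
$$

that is, $t_0 = 9$, $t_1 = 2$, $t_2 = 3.5$, $t_3 = 2$ and $0 \le t_4 \le 9$. With $\Psi_{s_1} = \{0, 4\}$, $\Psi_{s_2} = \{1\}$, $\Psi_{s_3} = \{2\}$, $\Psi_{s_4} = \{3\}$, the objective for the upper-bound LDP $(\int s_1 + \int s_2) - 2(\int s_3 + \int s_4) \le 11$ is

$$
\max_{C_\rho}\; (t_0 + t_1 + t_4) - 2(t_2 + t_3) \;=\; \max_{0 \le t_4 \le 9} \bigl(11 + t_4 - 11\bigr) \;=\; 9 \;\le\; 11,
$$

and for the lower-bound LDP $-(\int s_1 + \int s_2) + 2(\int s_3 + \int s_4) \le 0$

$$
\max_{C_\rho}\; -(t_0 + t_1 + t_4) + 2(t_2 + t_3) \;=\; \max_{0 \le t_4 \le 9} \bigl(-t_4\bigr) \;=\; 0 \;\le\; 0,
$$

so every timed sequence along $\rho$ satisfies the requirement. Every other path of the automaton is checked the same way; on the prefix path $\rho' = s_1 s_2$ the constraints are $t_0 = 9$ and $0 \le t_1 \le 2$, and the upper-bound objective reaches $9 + 2 = 11$, so the bound is tight there (the level touches 12 at the end of $s_2$).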

Web for model checking
- http://www.cs.cmu.edu/~modelcheck/
- http://netlib.bell-labs.com/netlib/spin/whatispin.html
- http://www.cis.upenn.edu/~alur/
- http://www.cad.eecs.berkeley.edu/~tah/
- http://www-verimag.imag.fr/~PEOPLE/Sergio.Yovine/kronos/index.html
- http://cm.bell-labs.com/cm/cs/who/gerard/