
Model Checking 1

Model Checking

An overview

Felix Kossak

[email protected]

+43 7236 3343 811

www.scch.at

Model Checking 2

What is Model Checking?

Verification of critical properties of a system

Systems that can be modelled as finite automata

In particular, concurrent systems (such as parallel processes)

Checking can be fully automated

Considered as a “formal method” (or not)

Model Checking 3

Areas of Application

“Classical” Model Checking has been successfully applied in, e.g.:

Design of electronic circuits

Network protocol design

Is (or could be) also applied in:

Parallel process design

Real-time systems

Workflow, architectures; algorithms in general (flowchart level)

Software verification: e.g. termination of loops

...

Model Checking 4

Properties that Can Be Checked

Liveness: will the system “live” forever?

Deadlocks, livelocks

Reachability: can a state / all states be reached?

Safety: will a “bad” state never be reached? Will a “bad” state trigger an exception, etc.?

Fairness (an event will occur infinitely often)

Underspecification (e.g. unexpected messages)

Overspecification (dead code)

Constraints (e.g. buffer / array bounds, invariants)

Real-time performance (special tools)

Model Checking 5

Application Examples

Network protocols

Process scheduling

Process communication

Shared resources: e.g. printer manager

Hardware / machine controllers

Architecture design

Workflow design

Algorithm design (on flowchart level)

Model Checking 6

Basic approach

System specification: temporal logic

System design: finite automata

Associate “atomic properties” with states

Try to derive specification from “atomic properties”

Model Checking 7

Limits

Size of the automaton: “state explosion”

In practice, the number of states soon becomes very large

potentially exponential in the size of the system description

Simplification while preserving correctness?

For specific problems, rather than problem classes

Model Checking 8

Technical Details

Automata

‘Kripke structures’

Petri nets, etc

Specification in temporal logic

CTL*

Data structures: research issue

Binary Decision Diagrams (BDD)

Model Checking 9

Kripke Structures

Finite Automaton

States are associated with ‘atomic properties’

Transitions modify variables

Transitions may be guarded

Synchronisation of automata:

Model Checking 10

Synchronisation of Automata

Global variables

Message queues

Synchronous / asynchronous

Theoretical size: |A| × |B|

→ ‘State explosion’

Model Checking 11

Temporal Logic: CTL*

“Computation Tree Logic”

Boolean combinators (propositional connectives)

temporal combinators:

next state (X)

a future state (F)

all future states (G)

until (U)

while not (W)

Model Checking 12

Temporal Logic: CTL* (2)

path quantifiers:

all executions out of current state (A)

there exists an execution (E)

Two basically different subsets of CTL*

CTL: each combinator directly under A/E

LTL: no path quantifiers

Model Checking 13

Model Checking CTL

CTL:

“marking”

traverse each state of automaton A and each subformula of temporal formula f

O(|A| × |f|)
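The following Python program is an added example, not taken from the slides or from any of the tools they mention. It ties the Kripke structure and synchronisation slides to this one: two process automata competing for a lock are combined into their asynchronous product (global state = both program counters plus the shared lock, with a guarded transition into the critical section), and the resulting Kripke structure is checked against CTL formulas with the marking algorithm, evaluating subformulas innermost first and marking every state, with EU and EG computed by fixpoint iteration. The process design (idle/try/crit), the proposition names and the three formulas are constructed for this example.

```python
"""Added example, not from the original slides: a Kripke structure built as the
asynchronous product of two process automata, then checked against CTL
formulas with the marking algorithm. The process design (idle/try/crit with a
shared lock), the proposition names and the formulas are constructed here."""

# One process automaton: idle -> try -> crit -> idle. 'lock' is a global
# variable shared by both processes; the try -> crit transition is guarded.
def local_steps(pc, lock):
    """Successor (pc', lock') pairs for one process in local state pc."""
    if pc == "idle":
        return [("try", lock)]
    if pc == "try":
        return [("crit", 1)] if lock == 0 else []   # guard: blocked while locked
    return [("idle", 0)]                            # leaving crit frees the lock

def build_kripke():
    """Interleaved product of processes A and B: global state (pcA, pcB, lock).
    Returns (successors, labels); labels are the atomic propositions of a state
    such as 'A_crit'. Only reachable states are explored."""
    init = ("idle", "idle", 0)
    succ, labels, todo = {}, {}, [init]
    while todo:
        s = todo.pop()
        if s in succ:
            continue
        pa, pb, lock = s
        nxt = [(na, pb, nl) for na, nl in local_steps(pa, lock)]   # A moves
        nxt += [(pa, nb, nl) for nb, nl in local_steps(pb, lock)]  # B moves
        succ[s] = nxt
        labels[s] = {"A_" + pa, "B_" + pb}
        todo.extend(nxt)
    return succ, labels

# Formulas are tuples; the three primitive temporal operators are EX, EU, EG.
def AP(p):         return ("ap", p)
def NOT(f):        return ("not", f)
def AND(f, g):     return ("and", f, g)
def IMPLIES(f, g): return NOT(AND(f, NOT(g)))
def EF(f):         return ("EU", ("true",), f)        # E[true U f]
def AG(f):         return NOT(EF(NOT(f)))
def AF(f):         return NOT(("EG", NOT(f)))

def sat(f, succ, labels):
    """Marking: the set of states in which f holds, computed bottom-up."""
    states = set(succ)
    op = f[0]
    if op == "true":
        return states
    if op == "ap":
        return {s for s in states if f[1] in labels[s]}
    if op == "not":
        return states - sat(f[1], succ, labels)
    if op == "and":
        return sat(f[1], succ, labels) & sat(f[2], succ, labels)
    if op == "EX":
        t = sat(f[1], succ, labels)
        return {s for s in states if any(n in t for n in succ[s])}
    if op == "EU":   # least fixpoint: grow backwards from sat(g) through sat(f)
        a, t = sat(f[1], succ, labels), set(sat(f[2], succ, labels))
        while True:
            new = {s for s in a - t if any(n in t for n in succ[s])}
            if not new:
                return t
            t |= new
    if op == "EG":   # greatest fixpoint: keep only states that can stay in sat(f)
        t = set(sat(f[1], succ, labels))
        while True:
            drop = {s for s in t if not any(n in t for n in succ[s])}
            if not drop:
                return t
            t -= drop
    raise ValueError("unknown operator " + op)

def holds(f):
    """True iff f holds in the initial state (idle, idle, lock free)."""
    succ, labels = build_kripke()
    return ("idle", "idle", 0) in sat(f, succ, labels)

MUTEX     = AG(NOT(AND(AP("A_crit"), AP("B_crit"))))     # safety
REACH     = EF(AP("A_crit"))                              # reachability
NO_STARVE = AG(IMPLIES(AP("A_try"), AF(AP("A_crit"))))    # liveness

if __name__ == "__main__":
    succ, _ = build_kripke()
    print("reachable states:", len(succ), "of", 3 * 3 * 2, "in the full product")
    print("AG !(A_crit & B_crit):", holds(MUTEX))           # True
    print("EF A_crit:", holds(REACH))                       # True
    print("AG (A_try -> AF A_crit):", holds(NO_STARVE))     # False: without a
    # fairness assumption B may run forever while A waits in 'try', so the
    # marking finds a path on which !A_crit holds globally.
```

Only 8 of the 18 states of the full product are reachable, which is why explicit-state tools explore on the fly rather than enumerating |A| × |B| up front; the failing liveness formula shows why the slides list fairness as a property of its own.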

Model Checking 14

Model Checking LTL

construct a finite automaton (FA) which recognises the negation of temporal formula f

synchronise this FA with the automaton A

Is the accepted language empty? (reachability)

O(|A| × 2^|f|) (worst case)
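The following Python program is an added example, not from the slides or from SPIN. It carries the three steps of this slide through for the LTL formula G(req → F grant) (“every request is eventually granted”): the Büchi automaton for the negation F(req ∧ G ¬grant) is written out by hand (the general LTL-to-automaton translation is where the 2^|f| factor comes from and is not shown), it is synchronised with the system, and the emptiness question is answered by nested depth-first search for a reachable accepting cycle, the algorithm SPIN uses. The two arbiter models and all state names are constructed for illustration.

```python
"""Added example, not from the original slides: automata-based LTL checking of
G(req -> F grant). The Buechi automaton for the negated formula is hand-written,
the product with the system is explored on the fly, and nested DFS decides
whether the product accepts any word (a counterexample). Models are constructed."""

# System: Kripke structure as successor lists plus atomic-proposition labels.
# Constructed toy arbiter that always serves a pending request.
GOOD = {
    "succ":   {"s0": ["s1"], "s1": ["s2"], "s2": ["s0"]},
    "labels": {"s0": set(), "s1": {"req"}, "s2": {"grant"}},
    "init":   "s0",
}
# Same arbiter with one extra path on which the request is never served.
STARVING = {
    "succ":   {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]},
    "labels": {"s0": set(), "s1": {"req"}, "s2": {"grant"}, "s3": {"req"}},
    "init":   "s0",
}

# Buechi automaton for the NEGATION of G(req -> F grant), i.e. F(req & G !grant):
# stay in q0 until some request, then insist in q1 that no grant ever follows.
# Each transition is (predicate over the label set of the system state, target).
NEG_SPEC = {
    "q0": [(lambda L: True, "q0"),
           (lambda L: "req" in L and "grant" not in L, "q1")],
    "q1": [(lambda L: "grant" not in L, "q1")],
}
NEG_INIT, NEG_ACCEPT = "q0", {"q1"}

def product_initial(model):
    """Product states after the automaton has read the label of the initial state."""
    s0 = model["init"]
    return [(s0, q) for pred, q in NEG_SPEC[NEG_INIT] if pred(model["labels"][s0])]

def product_successors(model, state):
    """Synchronised step: the system moves and the automaton reads the new label."""
    s, q = state
    for s2 in model["succ"][s]:
        for pred, q2 in NEG_SPEC[q]:
            if pred(model["labels"][s2]):
                yield (s2, q2)

def find_accepting_cycle(model):
    """Nested DFS: returns an accepting product state that lies on a cycle
    reachable from the initial state, or None when the accepted language is
    empty (the property holds). The inner search is started from each accepting
    state in post-order of the outer search and shares one 'flagged' set."""
    visited, flagged = set(), set()

    def inner(state, seed):          # can 'seed' reach itself again?
        for n in product_successors(model, state):
            if n == seed:
                return True
            if n not in flagged:
                flagged.add(n)
                if inner(n, seed):
                    return True
        return False

    def outer(state):
        visited.add(state)
        for n in product_successors(model, state):
            if n not in visited:
                found = outer(n)
                if found:
                    return found
        if state[1] in NEG_ACCEPT and inner(state, state):
            return state
        return None

    for s in product_initial(model):
        if s not in visited:
            found = outer(s)
            if found:
                return found
    return None

def satisfies(model):
    """True iff G(req -> F grant) holds, i.e. the product accepts nothing."""
    return find_accepting_cycle(model) is None

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("STARVING", STARVING)):
        print(name, "satisfies G(req -> F grant):", satisfies(m),
              "| accepting cycle through:", find_accepting_cycle(m))
```

For the starving arbiter the search reports the product state (s3, q1): the system sits in s3 with the request pending while the automaton stays in its accepting state, which is exactly the infinite counterexample run a tool like SPIN would print.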

Model Checking 15

Binary Decision Diagrams (BDD)

Data structure for state sets

Reduced decision tree

Share identical subtrees

Delete superfluous nodes

Problems with

non-Boolean variables

asynchronous automata

Solution: e.g. Multi-valued Decision Diagrams
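The following Python class is an added example, not from the slides or from any BDD library. It implements a minimal reduced ordered BDD with exactly the two reductions this slide names: identical subtrees are shared through a unique table, and a node whose two branches agree is deleted. Boolean operations on diagrams (used here as union and intersection of state sets) are computed by Shannon expansion, and a counting routine shows how many states a diagram stands for. The variable names and the example state sets are constructed for illustration.

```python
"""Added example, not from the original slides: a minimal reduced ordered BDD
showing the two reductions the slide names, sharing of identical subtrees (via
a unique table) and deletion of superfluous nodes, plus set operations by
Shannon expansion and counting of the states a BDD represents."""

OPS = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}

class BDD:
    """All nodes of one diagram live in one table: id 0 is FALSE, id 1 is TRUE,
    every other id is a test node (var, low, high) whose branches are ids."""

    def __init__(self, nvars):
        self.nvars = nvars
        self.table = [None, None]       # terminals occupy ids 0 and 1
        self.unique = {}                # (var, low, high) -> id

    def mk(self, var, low, high):
        """The only node constructor: enforces both reduction rules."""
        if low == high:                 # superfluous node: both branches agree
            return low
        key = (var, low, high)
        if key not in self.unique:      # identical subtree already exists? share it
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def var(self, i):
        """Diagram of the single Boolean variable x_i."""
        return self.mk(i, 0, 1)

    def _var(self, u):
        return self.nvars if u < 2 else self.table[u][0]   # terminals sort last

    def apply(self, op, u, v):
        """Combine two diagrams with a Boolean operator by Shannon expansion on
        the smallest variable, memoised on the pair of node ids."""
        memo = {}
        def go(u, v):
            if u < 2 and v < 2:
                return OPS[op](u, v)
            if (u, v) not in memo:
                x = min(self._var(u), self._var(v))
                lu, hu = self.table[u][1:] if self._var(u) == x else (u, u)
                lv, hv = self.table[v][1:] if self._var(v) == x else (v, v)
                memo[(u, v)] = self.mk(x, go(lu, lv), go(hu, hv))
            return memo[(u, v)]
        return go(u, v)

    def negate(self, u):
        return self.apply("xor", u, 1)

    def count(self, u):
        """Number of assignments (states) in the set u represents; a variable
        that a branch skips over is free and contributes a factor of 2."""
        def go(u, level):
            if u < 2:
                return u * 2 ** (self.nvars - level)
            var, low, high = self.table[u]
            return 2 ** (var - level) * (go(low, var + 1) + go(high, var + 1))
        return go(u, 0)

    def size(self, u):
        """Test nodes reachable from u; an unreduced decision tree over n
        variables would need 2**n - 1 of them."""
        seen = set()
        def go(u):
            if u >= 2 and u not in seen:
                seen.add(u)
                go(self.table[u][1])
                go(self.table[u][2])
        go(u)
        return len(seen)

if __name__ == "__main__":
    b = BDD(3)
    x0, x1, x2 = b.var(0), b.var(1), b.var(2)
    parity = b.apply("xor", b.apply("xor", x0, x1), x2)
    print("parity: nodes =", b.size(parity), "(tree: 7), states =", b.count(parity))
    # State sets S1 = {x0 = 1} and S2 = {x1 = 0}; union/intersection via apply
    s1, s2 = x0, b.negate(x1)
    print("|S1 or S2|  =", b.count(b.apply("or", s1, s2)))    # 6
    print("|S1 and S2| =", b.count(b.apply("and", s1, s2)))   # 2
```

Parity over three variables needs only 5 test nodes instead of the 7 of a full decision tree because the two x2 subtrees are shared; the slide's remark about non-Boolean variables is visible in `count`, which assumes every variable is a single bit.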

Model Checking 16

Tools

The most important tools are academic

open source, some free even for commercial use

SMV (NuSMV)

SPIN

Some are part of comprehensive design software

(in particular commercial tools)

Model Checking 17

NuSMV

Free re-implementation of SMV

Designed for electronic circuits in the first place

Automaton is modelled similarly to a programme in C

Temporal logic: CTL

Basic data structure: OBDD

Model Checking 18

SPIN

Designed for software verification

Automaton is modelled similarly to SMV (like a programme)

Temporal Logic: PLTL

Basic data structure: POR (partial order reduction)

Model Checking 19

SPIN: Code Example

    /* The declarations below are not on the original slide; they are assumed so
       that the fragment is a complete Promela model. x and y are the two
       processes' "want to enter" flags, turn breaks ties, and mutex counts the
       processes inside the critical section. The symmetric process B (x and y,
       A_TURN and B_TURN swapped) is not shown on the slide. */
    #define A_TURN 0
    #define B_TURN 1
    bool x, y;
    byte turn;
    byte mutex;

    active proctype A( )
    {
      x = 1;
      turn = B_TURN;
      y == 0 || turn == A_TURN;   /* expression statement: blocks until true */
      mutex++;
      /* critical section */
      mutex--;
      x = 0;
    }

Model Checking 20

Design/CPN (now CPN Tools):

Based on Coloured Petri Nets (CPN)

Elements can be timed

Interactive simulation

Reachability graphs can be generated for model checking

Analysis using CTL possible (Computation Tree Logic, a temporal logic)

Model Checking 21

Design/CPN: Graphic Design

Model Checking 22

Design/CPN: Restrictions; Successor

Restrictions:

only for Unix / Linux and Mac

no longer maintained

Successor: CPN Tools

for Windows (2000, XP)

better GUI

but limited model checking capability (new version last week, yet to be evaluated)

Model Checking 23

Other Tools for Timed Automata

Academic:

KRONOS, UPPAAL, Verus

available only for scientific purposes (?)

Other:

VeriSoft (by Bell Labs): free (yet to be evaluated)

Model Checking 24

Other Interesting Tools

SIPN editor: for PLC programmes

generates code for SMV

Model Checking 25

References & Links

B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, Ph. Schnoebelen: Systems and Software Verification; Model-Checking Techniques and Tools. Springer, 2001

http://www.abo.fi/%7Ejolilius/mclinks.htm (many links, but seemingly not maintained for a while)