Model Checking Ahmed Rezine Höstermin 2015 IDA, Linköpings Universitet
Model Checking
Ahmed Rezine
IDA, Linköpings Universitet
Höstermin 2015
Outline
Outline
Program verification
We often want to answer whether a program is correct or not (i.e., has some bad behaviors or not):
Correct Program Incorrect Program
Model checking
I Model checking is (aims to be) a push button verification approach
I Given:
I
I a model M of the system to be verified, and a correctness property Φ to be checked: absence of deadlocks, livelocks, starvation, under/over specification, violations of constraints/assertions, etc
I The model checking tool returns:
I
I a counter example in case M does not model Φ , or a mathematical guaranty that M does model Φ
Used both for Verification and debugging
I Model checking tools are used both:
I
I
To establish correctness of a model M with respect to a correctness property Φ
More importantly, to find bugs and errors in M
In this lecture
We will briefly:
I Introduce model checking, models and properties
I Give examples of tools and what they are used for
Outline
Model Checking
Model Checking in Practice
Traditional model checkers: More recent model checkers:
M as a Kripke structure
Assume a set of atomic propositions AP . A Kripke structure M is a tuple ( S
;
S
0
;
R
;
L ) where:
1.
S is a finite set of states
2.
S
0
S is the set of initial states
3.
R S S is the transition relation s.t. for any s
2
S , R ( s
; s holds for some s
0 2
S
0
)
4.
L : S
!
2
AP labels each state with the atomic propositions that hold on it.
Programs as Kripke structures
7
8
5
6
3
4
1
2
9
10
11
12
13
14 int x = 0; v o i d t h r e a d (){ int v = x ; x = v + 1;
} v o i d m a i n (){ f o r k ( t h r e a d ); int u = x ; x = u + 1; j o i n ( t h r e a d ); a s s e r t ( x == 2);
}
Synchronous circuits as Kripke structures v
0
0 v
0
1 v
0
2
=
: v
0
= v
0 v
1
= ( v
0
^ v
1
) v
2
(1)
(2)
(3)
Asynchronous circuits handled using a disjunctive R instead of a conjunctive one like for synchronous circuits.
Synchronous circuits as Kripke structures v
0
0 v
0
1 v
0
2
=
: v
0
= v
0 v
1
= ( v
0
^ v
1
) v
2
(1)
(2)
(3)
Asynchronous circuits handled using a disjunctive R instead of a conjunctive one like for synchronous circuits.
Temporal Logics
I Temporal logics are formalisms to describe sequences of transitions
I
I
Time is not mentioned explicitly (but for some other logics ...)
Instead, temporal operators are used to express that certain states are:
I
I
I never reached eventually reached more complex combinations of those
Linear Temporal Logic (LTL)
Consider all “runs” (capturing “executions” of the program) of the
Kripke structure.
I
I
I
( ab )
!
( c )
!
( c )
!
( c )
! : : :
( ab )
!
( bc )
!
( c )
!
( c )
! : : :
( ab )
!
( bc )
!
( ab )
!
( bc )
! : : :
I AP g eventually holds: F ( g )
I AP g globbaly appear: G ( g )
I AP g holds in the next state: X ( g )
I Combinations: GF ( g ) , FG ( g ) ,
G ( g
)
F ( q )) , GF ( g )
)
GF ( q ) . . .
Computation Tree Logic (CTL)
Computation trees are obtained by unwinding the Kripke structure
Computation Tree Logic (CTL)
M
; s
0 j
= EF g
M
; s
0 j
= EG g
M
; s
0 j
= AF g
M
; s
0 j
= AG g
Computation Tree Logic (CTL)
Computation trees are obtained by unwinding the Kripke structure
I can express reset: AGEF g
I but not stability: FG g
Outline
Explicit model checking: SPIN http://spinroot.com/spin/whatispin.html
I a model checker for tracing logical errors in designs of distributed and concurrent systems:
I
I
I
I
I data communication protocols, switching systems, concurrent algorithms, railway signaling protocols, control software for spacecrafts, nuclear power plants etc.
I concurrent systems are described in the Promela modelling language. Given a model, SPIN reports on:
I
I
I
I deadlocks, starvation race conditions, unwarranted assumptions about the the speed of the processes
Promela:Protocol, Process Meta Language
I
I dynamic creation of concurrent processes processes communicate by message passing in:
I
I synchronous channels (rendez vous) asynchronous (using buffers)
I resembles C, models finite-state systems
SPIN descriptions
I embedded C can be used as part of model specifications
I SPIN works on the fly, allowing to handle larger systems
I Correctness properties can be expressed in LTL
I SPIN supports random, interactive and guided simulation
I verification can be exhaustive or partial, it can use depth-first, breadth-first and bounded context-switching
Symbolic model checking http://nusmv.fbk.eu
I Represent values symbolically (using predicates) instead of explicitely
I Use SAT solvers to check satisfiability of large boolean formulas
I Use Binary Decision Diagrams (BDDs) to efficiently represent such formulas
Symbolic model checking: BDDs Canonicity
Symbolic model checking: NuSMV
I NuSMV is an open source symbolic model checker
I It uses both BDD and SAT representations
I Performs CTL and LTL model checking
I Can capture (A)Synchronous finite models
I allows for interactive and random simulation
Timed System: UPPAAL http://www.uppaal.org/
I The Kripke structures we looked at were finite
I Many systems exhibit an infinite state space
I One way is to abstract into a finite state system
I Analyse the abstract system to deduce properties of the original
Timed Systems
I Continous time is one source of infinity
I Discretizing it does not capture all possible behaviours
I Several models were proposed, timed automata by Alur,
Courcoubetis and Dill are the most adopted ones.
Timed Systems
Timed Systems: UPPAAL
Counter Example Guided Abstraction Refinement: Satabs http://www.cprover.org/satabs/
I Remove irrelevant details using abstraction
I Automatically generate small enough models for model checking
I Use as few predicates as possible to symbollically represent many states
Counter Example Guided Abstraction Refinement: Satabs
1.
Given a C program
2.
Compute an abstraction
3.
Model Check the abstraction,
I If no error, return program correct
4.
Check feasibility of the run
I If feasible, return the witness run
5.
Refine predicates, goto 2
