SYMBOLIC MODEL CHECKING:
10^20 STATES AND BEYOND
J.R. Burch
E.M. Clarke
K.L. McMillan
D. L. Dill
L. J. Hwang
Presented by
Rehana Begam
OUTLINE
 • Motivation
 • Definitions
 • Symbolic Model Checking
 • Contribution
   • Mu-Calculus Encoding
   • Binary Decision Diagram Representation
   • Model Checking Algorithm
 • CTL Model Checking
 • Empirical Results
 • Summary
 • Future Work
MOTIVATION
 • Many different methods exist for automatically verifying finite state systems, e.g. LTL and CTL model checking
 • All rely on algorithms that explicitly represent the state space, using a list or table that grows in proportion to the number of states
 • The number of states in the model grows exponentially with the number of concurrently executing components
 • The size of the state table is the limiting factor in applying these algorithms to realistic systems
MOTIVATION
 • This "state explosion problem" cannot be handled by state enumeration methods
 • Explicit state enumeration methods are limited to systems with at most about 10^8 reachable states
 • It can be avoided by representing the state space symbolically instead of explicitly
 • This technique verifies models with more than 10^20 states!
DEFINITIONS
Relational variable
 • a predicate or a function
Abstraction operator
 • λ, as used in the lambda calculus
 • the relation defined by a formula f over x1, x2 is written λ x1, x2 [f]
Relational term (two forms)
 • λ y1, …, yn [f], where f is a formula and the yi are individual variables
 • μ P [R], where R is a relational term and P is a relational variable of arity n
Fixed point of a function f
 • an element x such that f(x) = x
DEFINITIONS
 • Least fixed point: the least element that is a fixed point. y is the lfp of f in S iff
   (f(y) = y) ∧ (∀x ∈ S . (f(x) = x) ⇒ (y ⊆ x))
 • Greatest fixed point: the greatest element that is a fixed point. y is the gfp of f in S iff
   (f(y) = y) ∧ (∀x ∈ S . (f(x) = x) ⇒ (x ⊆ y))
Fixed point operators
 • μ and ν are the lfp and gfp operators used in the Mu-Calculus
Monotone function
 • A function f is monotone iff for all P ⊆ S and Q ⊆ S, P ⊆ Q ⇒ f(P) ⊆ f(Q)
DEFINITIONS
Variable interpretation
 • Individual interpretation ID: for each individual variable y, ID(y) is a value in the domain D
 • Relational interpretation IR: for each n-ary relational variable P, IR(P) is an n-ary relation over the domain D
Substitution of variables
 • The substitution of a variable w for a variable v in a formula f is denoted f⟨v ← w⟩
 • It is computed as f⟨v ← w⟩ = ∃v [(v ⇔ w) ∧ f]
SYMBOLIC MODEL CHECKING
 • In explicit state model checking, we represent the Kripke structure as a graph and implement the model checking algorithm as a graph traversal.
 • Symbolic model checking has 2 main steps:
   • Encode the model domain: describe sets of states as propositional logic formulae instead of by enumeration (Mu-Calculus), e.g.
     S = {1, 2, 3, 4, 5} = {x | 1 ≤ x ≤ 5}
   • Compact representation: represent those logical formulae / boolean functions using an efficient means of manipulating boolean functions (Binary Decision Diagrams)
CONTRIBUTIONS
 • Provides a generalized symbolic model checking method by using a dialect of the Mu-Calculus as the primary specification language
 • Describes a model checking algorithm for Mu-Calculus formulas that uses BDDs to represent relations and formulas
 • Shows how the Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL and LTL model checking
 • Discusses how it can be used to verify a simple synchronous pipeline circuit
MU-CALCULUS
 • Syntax: (grammar shown on the slide)
   In this formula, R can be a relational variable or a relational term of one of the following two forms:
   • λ y1, …, yn [f] (abstraction)
   • μ P [R] (least fixed point)
   The second represents the least fixed point of R, where R must be formally monotone in P
MU-CALCULUS
 • Example: (shown on the slide)
MU-CALCULUS
 • Formal definition: given a finite signature,
   • each symbol in the signature is either an individual variable or a relational variable with some positive arity;
   • two syntactic categories are defined recursively: formulas and relational terms.
 • Formula: (grammar shown on the slide)
MU-CALCULUS
 • Relational term: (grammar shown on the slide)
 • ∀, ∧, ⇒ and ⇔ are treated as abbreviations in the usual manner
 • For R and R' of arity n:
   • ¬R is an abbreviation for λ y1, …, yn [¬R(y1, …, yn)]
   • R ∨ R' is an abbreviation for λ y1, …, yn [R(y1, …, yn) ∨ R'(y1, …, yn)]
MU-CALCULUS
 • Model M = (D, IR, ID), where D is the domain, IR the relational interpretation and ID the individual interpretation
 • Semantic function: (defined on the slide)
BINARY DECISION DIAGRAM
 • Widely used in various tools for the design and analysis of digital circuits
 • Canonical form representation for Boolean formulas (for a fixed variable ordering)
 • Similar to a binary decision tree
 • Allows many practical systems with extremely large state spaces to be verified which are impossible to handle with explicit state enumeration methods
BINARY DECISION DIAGRAM
 • A DAG
 • Occurrences of variables are ordered from the root to a leaf
 • Example: (diagram on the slide)
   Formula: (a ∧ b) ∨ (c ∧ d)
   Ordering: a < b < c < d
   The assignment (a ← 1, b ← 0, c ← 1, d ← 1) leads to a leaf node labeled 1
MODEL CHECKING ALGORITHM
 • For the Mu-Calculus, using BDDs as its internal representation (pseudocode on the slide)
 • BDDATOM(f) returns the BDD of the atomic formula f
 • The last case substitutes xi by a dummy variable di
 • FixedPoint() is the standard iterative technique
CTL MODEL CHECKING
 • A CTL formula f is true of the Kripke structure M = (A, S, L, N, S0) ⇔ the Mu-Calculus formula f' is true of the structure M' = (S, IR, ID)
 • If the CTL formula f is an abbreviation for the Mu-Calculus relational term R, then f is true at state s iff R(s) is true
 • If f has no temporal operators, then it directly represents the relational term R
CTL MODEL CHECKING
 • EX f = λs [ ∃t [ f(t) ∧ N(s, t) ] ]
 • EG f = f ∧ EX EG f
        = νQ [ f ∧ EX Q ]
        = νQ [ λs [ f(s) ∧ ∃t [ Q(t) ∧ N(s, t) ] ] ]
 • E[ f U g ] = g ∨ (f ∧ EX E[ f U g ])
        = μQ [ g ∨ (f ∧ EX Q) ]
        = μQ [ λs [ g(s) ∨ (f(s) ∧ ∃t [ Q(t) ∧ N(s, t) ]) ] ]
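The BDD example slide ((a ∧ b) ∨ (c ∧ d) with ordering a < b < c < d) and the CTL fixed-point characterisations just given are both exercised by the following added example; it is not code from the paper or from the presentation. It implements a minimal reduced ordered BDD package (hash-consed nodes, Bryant's apply, existential quantification, variable renaming) and then computes EX, EG and E[f U g] exactly as νQ[f ∧ EX Q] and μQ[g ∨ (f ∧ EX Q)] over a small constructed 4-state Kripke structure. The structure, the propositions p and q, the interleaved variable ordering (s_i = 2i, t_i = 2i+1) and all function names are assumptions of the example, not from the paper. The point to take from it: because the representation is canonical, the fixed-point termination test Q = F(Q) is a comparison of two node ids, not of two enumerated state sets.

```python
# Added example (not from the paper/slides): minimal ROBDD + symbolic CTL model checking.
import math
from functools import reduce
_AND, _OR, _XOR = (lambda a, b: a & b), (lambda a, b: a | b), (lambda a, b: a ^ b)

class BDD:
    """Ids: 0 = false, 1 = true; others index self.nodes as (var, lo, hi).
    Hash-consing makes the form canonical: equal ids <=> equivalent formulas."""
    def __init__(self):
        self.nodes = [(math.inf, None, None), (math.inf, None, None)]
        self.unique, self.cache = {}, {}

    def memo(self, key, thunk):                # shared operation cache
        if key not in self.cache:
            self.cache[key] = thunk()
        return self.cache[key]

    def mk(self, var, lo, hi):
        if lo == hi: return lo                 # redundant test: drop the node
        key = (var, lo, hi)
        if key not in self.unique:             # share isomorphic subgraphs
            self.unique[key] = len(self.nodes); self.nodes.append(key)
        return self.unique[key]

    def var(self, i): return self.mk(i, 0, 1)

    def apply(self, op, u, v):                 # Bryant's apply
        def go():
            if u <= 1 and v <= 1: return op(u, v)
            vu, lu, hu = self.nodes[u]
            vv, lv, hv = self.nodes[v]
            top = min(vu, vv)                  # expand on the smallest variable
            u0, u1 = (lu, hu) if vu == top else (u, u)
            v0, v1 = (lv, hv) if vv == top else (v, v)
            return self.mk(top, self.apply(op, u0, v0), self.apply(op, u1, v1))
        return self.memo((op, u, v), go)

    def AND(self, u, v): return self.apply(_AND, u, v)
    def OR(self, u, v): return self.apply(_OR, u, v)
    def NOT(self, u): return self.apply(_XOR, u, 1)

    def exists(self, u, vs):                   # ∃vs [u]
        def go():
            var, lo, hi = self.nodes[u]
            l, h = self.exists(lo, vs), self.exists(hi, vs)
            return self.OR(l, h) if var in vs else self.mk(var, l, h)
        return u if u <= 1 else self.memo(("E", u, vs), go)

    def shift(self, u, d):                     # rename var i -> i + d; order-preserving
        def go():                              # here because s and t variables interleave
            var, lo, hi = self.nodes[u]
            return self.mk(var + d, self.shift(lo, d), self.shift(hi, d))
        return u if u <= 1 else self.memo(("S", u, d), go)

    def evaluate(self, u, env):                # follow one root-to-leaf path
        while u > 1:
            var, lo, hi = self.nodes[u]
            u = hi if env[var] else lo
        return u

def slide_example():                           # (a ∧ b) ∨ (c ∧ d), ordering a < b < c < d
    bdd = BDD()
    a, b, c, d = (bdd.var(i) for i in range(4))
    f = bdd.OR(bdd.AND(a, b), bdd.AND(c, d))
    g = bdd.NOT(bdd.AND(bdd.NOT(bdd.AND(a, b)), bdd.NOT(bdd.AND(c, d))))   # De Morgan form
    return f == g, bdd.evaluate(f, {0: 1, 1: 0, 2: 1, 3: 1})               # (True, 1)

K = 2; T_VARS = frozenset(2 * i + 1 for i in range(K))   # s_i = var 2i, t_i = var 2i+1 (assumed)

def state(bdd, n, nxt=False):                  # minterm of state number n over s (or t) vars
    lit = lambda i: bdd.var(2 * i + nxt)
    return reduce(bdd.AND, [lit(i) if (n >> i) & 1 else bdd.NOT(lit(i)) for i in range(K)], 1)

def EX(bdd, N, Q):                             # λs [ ∃t [ Q(t) ∧ N(s, t) ] ]
    return bdd.exists(bdd.AND(bdd.shift(Q, 1), N), T_VARS)

def fix(F, Q):                                 # iterate Q := F(Q) until Q = F(Q); canonicity
    while F(Q) != Q:                           # makes the id comparison an equivalence test
        Q = F(Q)
    return Q

def EG(bdd, N, f):                             # νQ [ f ∧ EX Q ], from true downwards
    return fix(lambda Q: bdd.AND(f, EX(bdd, N, Q)), 1)

def EU(bdd, N, f, g):                          # μQ [ g ∨ (f ∧ EX Q) ], from false upwards
    return fix(lambda Q: bdd.OR(g, bdd.AND(f, EX(bdd, N, Q))), 0)

def states_of(bdd, u):                         # explicit decoding, for display only
    return {n for n in range(2 ** K) if bdd.evaluate(u, {2 * i: (n >> i) & 1 for i in range(K)})}

def demo():                                    # constructed 4-state structure (assumed input)
    bdd, N = BDD(), 0
    for a, b in [(0, 1), (1, 2), (2, 2), (2, 3), (3, 0)]:   # N(s, t) built as a BDD
        N = bdd.OR(N, bdd.AND(state(bdd, a), state(bdd, b, True)))
    p, q = bdd.var(2), bdd.var(0)              # p holds in {2, 3}, q in {1, 3}
    return (states_of(bdd, EX(bdd, N, p)),     # {1, 2}
            states_of(bdd, EG(bdd, N, p)),     # {2}
            states_of(bdd, EU(bdd, N, q, p)))  # {1, 2, 3}
```

slide_example() returns (True, 1): the De Morgan rewrite of the formula yields the same node id as the original, and the assignment a = 1, b = 0, c = 1, d = 1 reaches the 1 leaf, as on the slide. demo() returns ({1, 2}, {2}, {1, 2, 3}) for EX p, EG p and E[q U p]; EG p is reached by iterating down from true (all states, then {2, 3}, then {2}), E[q U p] by iterating up from false. For a real circuit the relation N(s, t) is built directly from the next-state logic rather than, as here, from an enumerated edge list; that is what keeps the symbolic representation from growing with the number of states.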
EMPIRICAL RESULTS
 • Example circuit: a pipeline that performs three-address logical and arithmetic operations on a register file
 • 3 pipeline stages:
   • operands read from the register file
   • ALU (Arithmetic Logic Unit) operation
   • write back to the register file
EMPIRICAL RESULTS
 • The pipeline with 12 bits has approximately 1.5 × 10^29 reachable states
 • The number of nodes in the BDD is asymptotically linear in the number of bits, not exponential
 • The verification time is polynomial in the number of bits
SUMMARY
 • With a suitable encoding of the model domain and a compact representation for relations, the complexity of various graph-based verification algorithms is reduced
 • The regular structure of the data path logic, captured by the BDD representation, results in space complexity linear in the number of circuit components rather than exponential
FUTURE WORK
 • Characterization of the models for which the BDD Mu-Calculus checker is efficient
 • Applicability of the developed technique to common graph algorithms whose results can be expressed as relations, such as minimum spanning trees, graph isomorphism, etc.