1 introduction to smv and model checking mostly by: ken mcmillan cadence berkeley labs...
TRANSCRIPT
1
Introduction to SMV and Model Checking
Mostly by: Ken McMillanCadence Berkeley [email protected]
Small parts by: Brandon EamesISIS/Vanderbilt [email protected]
Presented in the CS 367 class by Aditya
22
SMV Tool Can be downloaded from
http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/dld2.html
33
Outline Quick overview of SMV
Model checking
– Temporal logic
– Model checking algorithms
– Expressiveness and complexity
Symbolic model checking
– The “state explosion” problem
– Binary Decision Diagrams
– Computing fixed points with BDD’s
– Application
44
SMV: Symbolic Model Verifier Capture system behavior as combinatorial and sequential
logic: finite state machines.
Capture system requirements as statements in temporal logic
SMV applies the requirement specifications to the state machine model
– Attempt to prove that system meets requirements
– If system fails, attempt to show counterexample
55
How SMV Works Convert system model (the FSM) to OBDD representation
Convert CTL specifications into operations which can be applied to OBDDs
Traverse the state space, applying verification operations until achieving a “fixed point”: stable system
Report the results of the traversal, either requirements met or not.
66
Example
MODULE mainVAR
request : booleanstate : {ready, busy};
ASSIGNinit(state) := ready;next(state) := case
state = ready & request : busy;1 : {ready, busy};
esac;SPEC
AG(request -> AF state = busy)
77
SMV’s supported CTL operators
! not& and| or-> implies<-> logical equivalence“E” existential path quantifier“A” universal path quantifier
“X” next time“F” eventually“G” globally“U” until
88
Propositional Linear Temporal Logic Express properties of “Reactive Systems”
– interactive, nonterminating
For PLTL, a model is an infinite state sequence
210 ,, sss
Temporal operators
– “Globally”: G p at t iff p for all t’ t.
p p p p p p p p p p p...
G p...
99
Temporal operators...– “Future”: F p at t iff p for some t’ t.
p p p p p p
F p...
– “Until”: p U q at t iff
– q for some t’ t and
– p in the range [ t, t’ )
p p p p p p
p U q...
p p p q
– “Next-time”: X p at t iff p at t+1
1010
Examples Liveness: “if input, then eventually output”
G (input F output)
Strong fairness: “infinitely send implies infinitely recv.”
GF send GF recv
Weak until: “no output before input”
output W input
atomic props
infinitely often
p W q p U q G p
1111
Safety v. Liveness Safety
– Refutable by finite run
Liveness
– Refutable only by infinite run
– Every finite run extensible to satisfying run
1212
PLTL semantics Given an infinite sequence
– if is true in state si of .
– if is true in state s0 of .
– if is valid.
A formula is an atomic proposition, or...
true, p q, p, p U q, X p
210 ,, sss
`̀is, `̀`̀
1313
PLTL semantics... Definition of satisfaction
iff
iff
iff
iff
iff
(atomic) , asi `̀ (atomic) , asi `̀psi `̀,qpsi `̀,pXsi `̀,
psjki
qsij
k
j
`̀
`̀
, : allfor and
, : somefor
psi /, `̀qsps ii `̀`̀ ,or ,
psi `̀1, qUpsi `̀,
pFGp
qUFp
qpqp
true
)(Derived operators...
1414
Model Checking (Clarke/Emerson, Queille/Sifakis)
MC
G(p -> F q)yes
nop
q
p
q
temporal formula
finite-state model
algorithm
counterexample
Model must now represent all behaviors
1515
Kripke models A Kripke model (S,R,L) consists of
– set of states S
– set of transitions R SS
– labeling L SAP
Kripke models from programs
p p
repeat p := true; p := false;end
1616
Mutual exclusion example
N1,N2turn=0
T1,N2turn=1
T1,T2turn=1
C1,N2turn=1
C1,T2turn=1
N1,T2turn=2
T1,T2turn=2
N1,C2turn=2
T1,C2turn=2
N = noncritical, T = trying, C = critical
1717
PLTL on Kripke models A path in model M = (S,R,L) is a sequence
such that (si,si+1) R.
Ssss 210 ,,
fssss
fsM
`̀
`̀
0210
0
, of ,, paths allfor
iff
,
F p
p
p
p
s0 s1s2 s3...
1818
Branching time Model of time is a tree, not a sequence
Path quantifiers
fMssssomefEsM
fMsssallfAsM
`̀`̀
`̀`̀
, of ,, paths for iff ,
, of ,, paths for iff ,
2100
2100
AF p
p
p
p
1919
Computation Tree Logic Every operator F, G, X, U preceded by A or E
Universal modalities...
p p
p
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
AG p
p p p p
p
p p
AF p
2020
CTL, cont... Existential modalities
p
p
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
EG p
p p
EF p
2121
CTL, cont Other modalities
AX p, EX p, A(p U q), E(p U q)
Some dualities...
Examples: mutual exclusion specs...
AG (C1 C2) mutual exclusion
AG (T1 AF C1) liveness
AG (N1 EX T1) non-blocking
pEGAFp
pEFAGp
2222
Symbolic model checking State explosion problem
– State graph exponential in program size
Symbolic model checking approach
– Boolean formulas represent sets and relations
– Use fixed point characterizations of CTL operators
– Model checking without building state graph
Sometimes can handle much larger sate space
2323
Binary Decision Diagrams (Bryant)
Ordered decision tree for f = ab + cd
0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1
d d d d d d d d
c c c c
0 1
0 1 0 1
0 1 0 1 0 1 0 1
b b
a
2424
OBDD reduction Reduced (OBDD) form:
0 1
d
c
01
0 1
0 1
b
a
0
1
Key idea: combine equivalent sub-cases
2525
OBDD properties
Canonical form (for fixed order)
– direct comparison
Efficient apply algorithm
– build BDD’s for large circuits f
g O(|f| |g|)
fg
Variable order strongly affects size
2626
Boolean quantification If v is a boolean variable, then
v.f = f |v =0 V f |v =1
Multivariate quantification
w1,w2,…,wn). f
Complexity on BDD representation
– worst case exponential
– heuristically efficient
Example: b,c). (ab cd) = a d
2727
Characterizing sets Let M = (S,R,L) be a Kripke model
Let S be the set of boolean vectors
(v1,v2,…,vn) {0,1}n
Represent any P S by its characteristic function P
P = {(v1,v2,…,vn) : P}
Set operations
– = false S = true
– PQ= P V Q PQ = P Q
– S\ P= P
2828
Characterizing relations Transition relation R is a set of state pairs…
R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : R}
Examples
– A synchronous sequential circuit
v1
v0
R = (v’0 = v0) (v’1 = v0 v1)
2929
Transition relations, cont...– An asynchronous circuit s
r q
q
– Interleaving model
)'())('(
)'())('(
qqqrq
qqqsqR
– Simultaneous model
)'())('(
)'())('(
qqqrq
qqqsqR
3030
Forward and reverse image Forward image
})',( and , somefor :'{),(Image RPRP vvvvv
))',()((.)'(),(Image vvvvv RPRP
PR
Image(P,R)
3131
Images, cont... Reverse image
})',( and ',' somefor :{),(Image-1 RPRP vvvvv
))',()'(('.)(),(Image vvvvv RPRP
PR
Image-1(P,R)
= EX P
3232
Symbolic CTL model checking Equate a formula f with the set of states satisfying it…
Compute BDD’s for characteristic functions…
– p, p q, p q (use BDD ops)
– EX p = Image-1(p,R)
– AX p = EX p
Remaining operators have fixed-point characterization...
}|:{ fvSf v
pEFEXppEF
In fact, this is the least fixed point...
3333
Fixed points of monotonic functions Let be a function S S
Say is monotonic when
Fixed point of is y such that
If monotonic, then it has
– least fixed point y. (y)
– greatest fixed point y. (y)
)()( implies yxyx
yy )(
3434
Iteratively computing fixed points Suppose S is finite
– The least fixed point y. (y) is the limit of
– The greatest fixed point y. (y) is the limit of
(false))((false)false
(true))((true)true
Note, since S is finite, convergence is finite
3535
Example: EF p EF p is characterized by
Thus, it is the limit of the increasing series...
)(. yEXpypEF
pp EX pp EX(p EX p)
. . .
...which we can compute entirely using BDD operations
3636
Example: EG p EG p is characterized by
Thus, it is the limit of the decreasing series...
)(. yEXpypEG
...which we can compute entirely using BDD operations
p EX p pp EX(p EX p)
...
3737
Remaining operators
Allows CTL model checking with only BDD ops
– Avoid building state graph
– (Sometimes) avoid state explosion problem
))((.)(
))((.)(
)(.
)(.
yAXpqyqUpA
yEXpqyqUpE
yAXpypAG
yAXpypAF
Now you can go home and build your own symbolic model checker...
3838
Why does it work?
. . .
. . .
. . .
Many partial states equivalent...
...implies many subfunctions equivalent...
OBDD
3939
When doesn’t it work?
Protocols that pass pointers
Linked lists
Anytime one part of the system “knows” a large amount of information about another part
4040
Summary Model checking
– Automatic verification (or falsification) of finite state systems
– Linear v. branching time logics
State explosion problem
– Binary Decision Diagrams
– Heuristically efficient boolean operations
– Image calculations
– Fixed point characterization of CTL
– Model checking without building state graph
Applications
– Find subtle errors in complex protocols