Felix Kossak
felix.kossak@scch.at
+43 7236 3343 811
www.scch.at

Model Checking
An overview

What is Model Checking?
• Verification of critical properties of a system
• Systems that can be modelled as finite automata
• In particular, concurrent systems (such as parallel processes)
• Checking can be fully automated
• Considered as a “formal method” (or not)

Areas of Application
• “Classical” model checking has been successfully applied in, e.g.:
  • Design of electronic circuits
  • Network protocol design
• Is, or could be, also applied in:
  • Parallel process design
  • Real-time systems
  • Workflow, architectures; algorithms in general (flowchart level)
  • Software verification: e.g. termination of loops
  • ...

Properties that Can Be Checked
• Liveness: will the system “live” forever?
  • Deadlocks, livelocks
• Reachability: can a state / all states be reached?
• Safety: will a “bad” state never be reached? Will a “bad” state trigger an exception, etc.?
• Fairness (an event will occur infinitely often)
• Underspecification (e.g. unexpected messages)
• Overspecification (dead code)
• Constraints (e.g. buffer / array bounds, invariants)
• Real-time performance (special tools)

Application Examples
• Network protocols
• Process scheduling
• Process communication
• Shared resources: e.g. printer manager
• Hardware / machine controllers
• Architecture design
• Workflow design
• Algorithm design (on flowchart level)

Basic Approach
• System specification: temporal logic
• System design: finite automata
• Associate “atomic properties” with states
• Try to derive the specification from the “atomic properties”

Limits
• Size of the automaton: “state explosion”
  • In practice, the number of states soon becomes very large
  • potentially exponential w.r.t. the size of the system description
• Simplification while preserving correctness?
  • For specific problems, rather than problem classes

Technical Details
• Automata
  • ‘Kripke structures’
  • Petri nets, etc.
• Specification in temporal logic
  • CTL*
• Data structures: research issue
  • Binary Decision Diagrams (BDD)

Kripke Structures
• Finite automaton
• States are associated with ‘atomic properties’
• Transitions modify variables
• Transitions may be guarded
• Synchronisation of automata: see next slide

Synchronisation of Automata
• Global variables
• Message queues
• Synchronous / asynchronous
• Theoretical size: |A| × |B|
  → ‘state explosion’

Temporal Logic: CTL*
• “Computation Tree Logic”
• Boolean combinators (propositional connectives)
• Temporal combinators:
  • next state (X)
  • a future state (F)
  • all future states (G)
  • until (U)
  • while not (W)

Temporal Logic: CTL* (2)
• Path quantifiers:
  • all executions out of the current state (A)
  • there exists an execution (E)
• Two basically different subsets of CTL*:
  • CTL: each combinator directly under A/E
  • LTL: no path quantifiers

Model Checking CTL
• CTL:
  • “marking”
  • traverse each state of automaton A and each subformula of temporal formula f
  • O(|A| × |f|)
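The marking algorithm the slide names, as an added example (not code from the slides or from any of the tools mentioned): the Kripke structure is a constructed request/grant controller given as successor sets plus the atomic propositions true in each state; the states, labels and formula helpers are all assumptions of this example. check() walks the formula bottom-up and marks, for each subformula, the set of states where it holds; the two fixpoint loops touch every state at most |A| times per subformula, which is where the O(|A| × |f|) bound comes from.

```python
"""CTL model checking by marking (labelling) states of a Kripke structure."""

# Constructed Kripke structure: a controller that may idle, receive a
# request and then serve it before returning to idle.
SUCC = {"idle": {"idle", "req"}, "req": {"busy"}, "busy": {"idle"}}
LABELS = {"idle": set(), "req": {"req"}, "busy": {"grant"}}

# Formulas are nested tuples.  Basic operators: ("ap", p), ("true",),
# ("not", f), ("and", f, g), ("EX", f), ("EU", f, g), ("EG", f).
# Every other CTL operator is derived from these (assumed helper names).
def ap(p):          return ("ap", p)
def neg(f):         return ("not", f)
def implies(f, g):  return neg(("and", f, neg(g)))
def EF(f):          return ("EU", ("true",), f)
def AF(f):          return neg(("EG", neg(f)))
def AG(f):          return neg(EF(neg(f)))
def AX(f):          return neg(("EX", neg(f)))


def check(succ, labels, f):
    """Return the set of states of the Kripke structure satisfying CTL formula f."""
    states = set(succ)

    def pre(target):
        # states with at least one successor inside `target`
        return {s for s in states if succ[s] & target}

    op = f[0]
    if op == "true":
        return states
    if op == "ap":
        return {s for s in states if f[1] in labels[s]}
    if op == "not":
        return states - check(succ, labels, f[1])
    if op == "and":
        return check(succ, labels, f[1]) & check(succ, labels, f[2])
    if op == "EX":
        return pre(check(succ, labels, f[1]))
    if op == "EU":
        # least fixpoint: start from the g-states, keep adding f-states
        # that can step into the marked set
        sf, marked = check(succ, labels, f[1]), check(succ, labels, f[2])
        while True:
            grown = marked | (sf & pre(marked))
            if grown == marked:
                return marked
            marked = grown
    if op == "EG":
        # greatest fixpoint: keep only f-states that can stay inside the set
        marked = check(succ, labels, f[1])
        while True:
            shrunk = marked & pre(marked)
            if shrunk == marked:
                return marked
            marked = shrunk
    raise ValueError(f"unknown operator {op!r}")


def holds(succ, labels, f, initial="idle"):
    """The model checking question: does f hold in the initial state?"""
    return initial in check(succ, labels, f)


if __name__ == "__main__":
    spec = AG(implies(ap("req"), AF(ap("grant"))))   # every request is eventually granted
    print("AG(req -> AF grant) in idle:", holds(SUCC, LABELS, spec))
    print("states satisfying EG(not grant):", check(SUCC, LABELS, ("EG", neg(ap("grant")))))
```

The specification AG(req → AF grant) holds on this structure; replacing the "busy" successor of "req" with a state that loops without ever being labelled "grant" would make the EG(not grant) marking grow and the AG check fail, which is exactly the kind of liveness defect the "Properties" slide lists.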

Model Checking LTL
• Construct a finite automaton which recognises the negation of temporal formula f
• Synchronise this FA with the automaton A
• Is the language accepted empty? (reachability)
• O(|A| × 2^|f|) (worst case)
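The three steps of the slide carried out on a small system, as an added example that is not code from the slides or from SPIN. The Büchi automaton for the negation of f = G(req → F grant), i.e. for F(req ∧ G ¬grant), is written by hand here (a real checker translates the formula automatically), the two Kripke structures and all names are constructed for the example, and the emptiness check is the nested depth-first search that SPIN uses: an accepting cycle in the product is a counterexample run, an empty language means f holds.

```python
"""LTL model checking: product with a Buechi automaton, then an emptiness check."""

# Constructed Kripke structures: the correct controller, and a variant that
# may drop a request and then idle forever without ever granting it.
LABELS = {"idle": set(), "req": {"req"}, "busy": {"grant"}, "drop": set()}
SUCC_OK = {"idle": {"idle", "req"}, "req": {"busy"}, "busy": {"idle"}}
SUCC_BAD = {"idle": {"idle", "req"}, "req": {"busy", "drop"},
            "busy": {"idle"}, "drop": {"drop"}}

# Buechi automaton for !f = F(req & G !grant): (transitions, initial, accepting).
# A transition guard is a predicate on the label set of the state being read.
NOT_SPEC = (
    [("q0", lambda lab: True, "q0"),                                 # wait for a moment where...
     ("q0", lambda lab: "req" in lab and "grant" not in lab, "q1"),  # ...a request is pending
     ("q1", lambda lab: "grant" not in lab, "q1")],                  # ...and no grant ever follows
    "q0",
    {"q1"},
)


def product(succ, labels, buchi, start):
    """Synchronise system and automaton: (initial states, successor fn, accepting fn)."""
    delta, q_init, accepting = buchi

    def step(q, lab):
        return {q2 for (q1, guard, q2) in delta if q1 == q and guard(lab)}

    init = {(start, q) for q in step(q_init, labels[start])}

    def next_states(sq):
        s, q = sq
        return {(t, q2) for t in succ[s] for q2 in step(q, labels[t])}

    return init, next_states, lambda sq: sq[1] in accepting


def has_accepting_cycle(init, next_states, accepting):
    """Nested DFS: the outer search finishes states in post-order; from each
    accepting state the inner search looks for a path back to that state."""
    outer, inner = set(), set()

    def inner_dfs(s, seed):
        inner.add(s)
        for t in next_states(s):
            if t == seed or (t not in inner and inner_dfs(t, seed)):
                return True
        return False

    def outer_dfs(s):
        outer.add(s)
        for t in next_states(s):
            if t not in outer and outer_dfs(t):
                return True
        return accepting(s) and inner_dfs(s, s)

    return any(outer_dfs(s) for s in init if s not in outer)


def violates(succ, labels, buchi_for_negation, start="idle"):
    """True when the system has an infinite run accepted by the automaton for !f."""
    return has_accepting_cycle(*product(succ, labels, buchi_for_negation, start))


if __name__ == "__main__":
    print("correct controller violates G(req -> F grant): ", violates(SUCC_OK, LABELS, NOT_SPEC))
    print("dropping controller violates G(req -> F grant):", violates(SUCC_BAD, LABELS, NOT_SPEC))
```

The product can have up to |A| × |B¬f| states, and the automaton for ¬f may be exponential in |f|, which is the worst-case bound given on the slide; the search itself is linear in the product it actually visits.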

Binary Decision Diagrams (BDD)
• Data structure for state sets
• Reduced decision tree:
  • Share identical subtrees
  • Delete superfluous nodes
• Problems with:
  • non-Boolean variables
  • asynchronous automata
• Solution: e.g. Multi-valued Decision Diagrams
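The two reduction rules from the slide in working form, as an added example (not code from the slides or from NuSMV). A set of states over n Boolean variables is represented by its characteristic function; mk() applies "delete superfluous nodes" (both branches equal) and "share identical subtrees" (a unique table keyed by variable, low and high child), so the diagram is canonical: equal sets get the same node id, which is how a BDD-based checker notices that a fixpoint iteration has converged. The class name, the 3-bit counter encoding and the example sets are assumptions of this example; build() uses a plain Shannon expansion, exponential in n but enough to show the reduction.

```python
"""Reduced ordered BDDs for sets of states, with the two reduction rules."""


class BDD:
    def __init__(self, n_vars):
        self.n = n_vars
        self.nodes = {0: None, 1: None}     # node id -> (var, low, high); 0/1 are the terminals
        self.unique = {}                    # (var, low, high) -> node id

    def mk(self, var, low, high):
        """Create or reuse a decision node; the only place where reduction happens."""
        if low == high:                     # rule 1: the test does not matter, drop the node
            return low
        key = (var, low, high)
        if key not in self.unique:          # rule 2: reuse an identical subtree if one exists
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, pred, var=0, assignment=()):
        """Diagram for the state set {a | pred(a)} by Shannon expansion on var 0..n-1."""
        if var == self.n:
            return 1 if pred(assignment) else 0
        low = self.build(pred, var + 1, assignment + (False,))
        high = self.build(pred, var + 1, assignment + (True,))
        return self.mk(var, low, high)

    def count(self, node, var=0):
        """Number of states in the set (satisfying assignments); variables
        skipped by rule 1 are free choices and count as a factor of 2 each."""
        if node == 0:
            return 0
        if node == 1:
            return 2 ** (self.n - var)
        v, low, high = self.nodes[node]
        return 2 ** (v - var) * (self.count(low, v + 1) + self.count(high, v + 1))

    def size(self):
        """Decision nodes held by the manager (an unreduced tree needs 2**n - 1 per set)."""
        return len(self.nodes) - 2


def demo():
    """States are 3-bit counter values (x0 x1 x2, x2 least significant)."""
    bdd = BDD(3)
    even = bdd.build(lambda a: not a[2])                    # values 0,2,4,6: one node
    same = bdd.build(lambda a: a[0] == a[1])                # x0 == x1: three nodes
    union = bdd.build(lambda a: not a[2] or a[0] == a[1])   # shares the "even" node
    return {
        "even": bdd.count(even), "same": bdd.count(same), "union": bdd.count(union),
        "nodes": bdd.size(),
        # the same set written differently yields the very same node id
        "canonical": bdd.build(lambda a: a[2] == 0) == even,
    }


if __name__ == "__main__":
    print(demo())
```

Three sets of 8-state space cost 7 decision nodes in total where three unreduced trees would need 21; the union reuses the node built for the even values, which is the "share identical subtrees" rule at work across different sets in the same manager.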

Tools
• The most important tools are academic
  • open source, some free even for commercial use
  • SMV (NuSMV)
  • SPIN
• Some are part of comprehensive design software
  • (in particular commercial tools)

NuSMV
• Free re-implementation of SMV
• Designed for electronic circuits in the first place
• Automaton is modelled similarly to a programme in C
• Temporal logic: CTL
• Basic data structure: OBDD

SPIN
• Designed for software verification
• Automaton is modelled similarly to SMV (like a programme)
• Temporal logic: PLTL (propositional LTL)
• Basic data structure: POR (partial order reduction)

SPIN: Code Example
    /* declarations assumed for completeness; not shown on the slide */
    #define A_TURN 0
    #define B_TURN 1
    bit x, y, turn;   /* entry flags of A and B, and whose turn it is */
    byte mutex;       /* number of processes in the critical section */

    active proctype A() {
        x = 1;
        turn = B_TURN;
        y == 0 || turn == A_TURN;   /* a bare condition blocks until it holds */
        mutex++;
        /* critical section */
        mutex--;
        x = 0;
    }
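What SPIN does with this model, written out as an added example in Python (not code from the slides or from SPIN) that also serves the "Synchronisation of Automata" slide: the proctype above and its mirror image B are translated into lists of guarded steps and interleaved over the shared variables, every reachable global state is enumerated, and two properties are read off the state graph: mutual exclusion (mutex never exceeds 1) and absence of deadlock. The function names, the step encoding and the flags-only variant used for comparison are assumptions of this example; the product bound printed beside the reachable count is the |A| × |B| figure from the slide.

```python
"""Explicit-state exploration of two synchronised processes (SPIN-style)."""

A_TURN, B_TURN = 0, 1


def proc(flag, other_flag, my_turn, other_turn, with_turn=True):
    """One proctype as (guard, update) steps; guard None means always enabled.
    with_turn=False leaves out the turn variable (flags only), for comparison."""
    steps = [(None, lambda g: {flag: 1})]                        # x = 1
    if with_turn:
        steps.append((None, lambda g: {"turn": other_turn}))     # turn = B_TURN
    steps += [
        # y == 0 || turn == A_TURN: a blocking condition, as in Promela
        (lambda g: g[other_flag] == 0 or (with_turn and g["turn"] == my_turn),
         lambda g: {}),
        (None, lambda g: {"mutex": g["mutex"] + 1}),             # mutex++ (enter)
        (None, lambda g: {"mutex": g["mutex"] - 1}),             # mutex-- (leave)
        (None, lambda g: {flag: 0}),                             # x = 0
    ]
    return steps


def explore(procs, init):
    """Reachable states of the interleaved product; returns state -> successor list.
    A state is (sorted global variables, tuple of program counters)."""
    start = (tuple(sorted(init.items())), (0,) * len(procs))
    seen, todo, succ = {start}, [start], {}
    while todo:
        state = todo.pop()
        glob, pcs = dict(state[0]), state[1]
        succ[state] = []
        for i, steps in enumerate(procs):
            pc = pcs[i]
            if pc >= len(steps):              # this process has terminated
                continue
            guard, update = steps[pc]
            if guard is not None and not guard(glob):
                continue                      # step is blocked in this state
            glob2 = dict(glob)
            glob2.update(update(glob))
            nxt = (tuple(sorted(glob2.items())), pcs[:i] + (pc + 1,) + pcs[i + 1:])
            succ[state].append(nxt)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return succ


def analyse(with_turn=True):
    """Report what a checker would: reachable size, mutual exclusion, deadlocks."""
    a = proc("x", "y", A_TURN, B_TURN, with_turn)
    b = proc("y", "x", B_TURN, A_TURN, with_turn)
    succ = explore([a, b], {"x": 0, "y": 0, "turn": A_TURN, "mutex": 0})
    finished = (len(a), len(b))               # both processes ran to the end
    return {
        "reachable": len(succ),
        # theoretical product: control states x domains of x, y, turn (2 each), mutex (0..2)
        "product_bound": (len(a) + 1) * (len(b) + 1) * 2 * 2 * 2 * 3,
        "max_mutex": max(dict(g)["mutex"] for g, _ in succ),
        "deadlocks": sum(1 for s, ts in succ.items() if not ts and s[1] != finished),
    }


if __name__ == "__main__":
    print("with turn variable:", analyse(True))
    print("flags only        :", analyse(False))
```

With the turn variable the exploration finds no state with mutex == 2 and no deadlock; the flags-only variant keeps mutual exclusion but has one reachable state in which both processes wait on each other's flag forever, which is the deadlock a checker reports as a counterexample trace.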

Design/CPN (now CPN Tools)
• Based on Coloured Petri Nets (CPN)
• Elements can be timed
• Interactive simulation
• Reachability graphs can be generated for model checking
• Analysis using CTL possible (Computation Tree Logic, a temporal logic)

Design/CPN: Graphic Design
(screenshot only)

Design/CPN: Restrictions; Successor
• Restrictions:
  • only for Unix / Linux and Mac
  • no longer maintained
• Successor: CPN Tools
  • for Windows (2000, XP)
  • better GUI
  • but limited model checking capability (new version last week, yet to be evaluated)

Other Tools for Timed Automata
• Academic:
  • KRONOS, UPPAAL, Verus
  • available only for scientific purposes (?)
• Other:
  • VeriSoft (by Bell Labs): free (yet to be evaluated)

Other Interesting Tools
• SIPN editor: for PLC programmes
  • generates code for SMV

References & Links
• B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, Ph. Schnoebelen: Systems and Software Verification; Model-Checking Techniques and Tools. Springer, 2001
• http://www.abo.fi/%7Ejolilius/mclinks.htm (many links, but seemingly not maintained for a while)