1k likes | 1.18k Views
Netw 703. Network Protocols. Model Checking Basics. Dr. Eng. Amr T. Abdel-Hamid. Slides based on slides of: K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. E. Clarke, Formal Methods, to be updated by course name
E N D
Netw 703 Network Protocols Model Checking Basics Dr. Eng. Amr T. Abdel-Hamid • Slides based on slides of: • K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. • E. Clarke, Formal Methods, to be updated by course name • S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”. Winter 2012
Branching Time Temporal Logic (BTTL) • Structure of time: an infinite tree, each instant may have many successor instants • Along each path in the tree, the corresponding timeline is isomorphic to N • State quantifiers: Xp, Fp, Gp, pUq (like in linear temporal logic) • Path quantifiers: for All paths (A) and there Exists a path (E) from a given state A = ∀ E = ∃ • In linear time logic, temporal operators are provided for describing events along a single future, however, when a linear formula is used for specification, there is usually an implicit universal quantification over all possible futures (linear traces) • In contrast, in branching time logic the operators usually reflect the branching nature of time by allowing explicit quantification over possible futures in any state
CTL • Formulas are constructed from path quantifiers and temporal operators: • Path quantifier: • A: for every path • E: there exists a path • Temporal Operator: • F: holds sometime in the future • X: holds next time • G: holds globally in the future • p U q: p holds until q hold • i.e. AF, AG, AX, A( U ), EF, EG, EX, E( U )
CTL Example • Structure M <S,R,L>: • A Kripke structure: triple M = <S, R, L> • S: set of states R ⊆ S × S: transition relation • L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}
Example: • Two input Muller C-element (assuming finite discrete delays): • Specification in CTL: • Liveness: If inputs remain equal, then eventually the output will change to this value. • AG( A( ( a=0 ∧ b=0 ) U ( out=0 ∨ a=1 ∨ b=1 ) ) ) • AG( A( ( a=1 ∧ b=1 ) U ( out=1 ∨ a=0 ∨ b=0 ) ) ) • Safety: If all inputs and the output have the same value then the output should not change until all inputs change their values. • AG( ( a=0 ∧ b=0 ∧ out=0 ) ⇒ A( out=0 U (a=1 ∧ b=1 ) ) ) • AG( ( a=1 ∧ b=1 ∧ out=1 ) ⇒ A( out=1 U (a=0 ∧ b=0 ) ) )
Model Checking Problem • Given an FSM M (equivalent Kripke structure) and a temporal logic formula p, does M define a model of p? • Determine the truth of a formula with respect to a given (initial) state in M • Find all states s of M such that (M, s) p • For any propositional temporal logic, the model checking problem is decidable: exhaustive search of all paths through the finite input structure
Theoretical Background • Theorem [Wolper, 1986]: The model checking for CTL is in deterministic polynomial time • Theorem [Sistla & Clark, 1985]: The model checking problem for PLTL is PSPACE complete • Theorem [Emerson & Lei, 1987]: Given any model-checking algorithm for a linear logic LTL, there is a model checking algorithm for the corresponding branching logic BTL, whose basic modalities are defined by the LTL, of the same order of complexity • • Theorem [Clark, Emerson & Sistla, 1986]: The model checking problem for CTL* is PSPACE-complete
Fixpoints Algorithm • Model Checking Algorithms • Original algorithm described in terms of labeling the CTL structure (Clark83) • Required explicit representation of the whole state space • Better algorithm based on fixed point calculations • Algorithm amenable to symbolic formulation • Symbolic evaluation allows implicit enumeration of states • Significant improvement in maximum size of systems that can be verified
Symbolic model checking • Symbolic model checking approach • Boolean formulas represent sets and relations • Use fixed point characterizations of CTL operators • Model checking without building complete state graph • CTL model checking problem can be solved in O(|f| (|S|+|R|)) Note that the complexity is linear in the size of the formula and the transition system • Recall that the size of the transition system is exponential in the number of variables (this is called the state space explosion problem)
CTL Model Checking Algorithm • Translate the formula to a formula which uses the basis • EX p, EG p, E(p U q) • Start from the innermost subformulas • Label the states in the transition system with the subformulas that hold in that state • Initially states are labeled with atomic properties • Each (temporal or boolean) operator has to be processed once • Processing of each operator takes O(|S|+|R|)
CTL Model Checking Algorithm • Boolean operators are easy • p : Each state which is not labeled with p should be labeled with p • p q : Each state which is labeled with both p and q should be labeled with p q • p q : Each state which is labeled with p or q should be labeled with p q
CTL Model Checking Algorithm: EX p • EX p is easy to do in O(|S|+|R|) • All the nodes which have a next state labeled with p should be labeled with EX p p p s1 s2 s3 s4 p, EX p p, EX p s1 s2 s3 s4 EX p
CTL Model Checking Algorithm: E(pUq) • E(pUq): Find the states which are the source of a path where p U q holds • Find the nodes that reach a node that is labeled with q by a path where each node is labeled with p • Label such nodes with E(pUq) • It is a reachability problem which can be solved in O(|S|+|R|) • First label the nodes which satisfy q with E(pUq) • For each node labeled with E(pUq), label all its previous states that are labeled with p with E(p U q)
CTL Model Checking Algorithm: E(pUq) p p s1 s2 s3 s4 q p, E(pUq) p, E(pUq) s1 s2 s3 s4 q, E(pUq)
CTL Model Checking Algorithm: EG p • EG p: Find infinite paths where each node on the path is labeled with p, and label nodes in such paths with EG p • First remove all the states which do not satisfy p from the transition graph • Compute the strongly connected components of the remaining graph, and then find the nodes which can reach the strongly connected components (both of which can be done in O(|S|+|R|) • Label the nodes in the strongly connected components and the nodes that can reach the strongly connected components with EG p
CTL Model Checking Algorithm: EG p p p s1 s2 s3 s4 p A strongly connected component p p s2 s3 s4 p p, EG p p, EG p s1 s2 s3 s4 p, EG p
Verification vs. Falsification • Verification: • Show: initial states truth set of p • Falsification: • Find: a state initial states truth set of p • Generate a counter-example starting from that state • CTL model checking algorithm can also generate a counter-example path if the property is not satisfied • without increasing the complexity • The ability to find counter-examples is one of the biggest strengths of the model checkers
Temporal Properties Fixpoints [Emerson and Clarke 80] Here are some interesting CTL equivalences: AG p = p AX AG p EG p = p EX EG p AF p = p AX AF p EF p = p EX EF p A(p U q) = q (p AX A(p U q)) p EU q = q (p EX E(p U q)) Note that we wrote the CTL temporal operators in terms of themselves and EX and AX operators
Functionals • Given a transition system M=(S, L, R), we will define functions (Properties) from sets of states to sets of states • F : 2S 2S • For example, one such function is the EX operator (which computes the precondition of a set of states) • EX : 2S 2S which can be defined as: EX(p) = { s | (s,s’) R and s’ p } Image calculation
CTL Example • Structure M <S,R,L>: • A Kripke structure: triple M = <S, R, L> • S: set of states R ⊆ S × S: transition relation • L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}
Fixpoint Characterization Equivalences AG p = y . p AX y AG p = p AX AG p EG p = y . p EX y EG p = p EX EG p AF p = y . p AX y AF p = p AX AF p EF p = y . p EX y EF p = p EX EF p A(p U q) = y . q (p AX (y)) p AU q=q (p AX (p AU q)) E(pUq) = y . q (p EX (y)) p EU q = q (p EX (p EU q)) Fixpoint Characterizations
Functionals • Now, we can think of all temporal operators also as functions from sets of states to sets of states • For example: AX p = EX(p) or if we use the set notation AX p = (S - EX(S - p)) • Logic Set • p q p q • p q p q • p S – p False True S
Lattice The set of states of the transition system forms a lattice: • lattice 2S • partial order • bottom element • top element S • Least upper bound (lub) • Greatest lower bound (glb)
Lattice • (lub): y∈ P is a least upper bound of S in P means y is an upper bound of S and ∀z ∈ P which is an upper bound of S, y ≤ z • (glb) y∈ P is a greatest lower bound of S in P means y is a lower bound of S and ∀z ∈ P which is a lower bound of S, z ≤ y
Temporal Properties Fixpoints Based on the equivalence EF p = p EX EF p EF p is a fixpoint of function (F): where F => F y = p EX y F (EF p) = EF p In fact, EF p is the least fixpoint of F, which is written as: EF p = y . p EX y ( means least fixpoint)
EF Fixpoint Computation EF(p)states that can reach p p EX(p) EX(EX(p)) ... p • • • EF(p)
Temporal Properties Fixpoints Based on the equivalence EG p = p AX EG p EG p is a fixpoint of function (F): where F => F y = p EX y F (EG p) = EG p In fact, EG p is the greatest fixpoint of F, which is written as: EG p = y . p EX y ( means greatest fixpoint)
EG Fixpoint Computation EG(p) states that can avoid reaching pp EX(p) EX(EX(p)) ... • • • EG(p)
Least Fixpoint Given a monotonic function F, its least fixpoint is the greatest lower bound (glb) of all the reductive elements : y . F y = { y | F y y } The least fixpoint y . F y is the limit of the following sequence (assuming F is -continuous): , F , F2 , F3 , ... If S is finite, then we can compute the least fixpoint using the above sequence
EF Fixpoint Computation EF p = y . p EX y is the limit of the sequence: , pEX , pEX(pEX ) , pEX(pEX(p EX )) , ... which is equivalent to , p, p EX p , p EX (p EX (p) ) , ...
EF Fixpoint Computation p s1 s2 s3 s4 p Start 1st iteration pEX = {s1,s4} EX()= {s1,s4} ={s1,s4} 2nd iteration pEX(pEX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4} 3rd iteration pEX(pEX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4} 4th iteration pEX(pEX(pEX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4} {s1,s2,s3,s4} = {s1,s2,s3,s4}
EF Fixpoint Computation EF(p)states that can reach p p EX(p) EX(EX(p)) ... p • • • EF(p)
Greatest Fixpoint Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements: y. F y = { y | F y y } The greatest fixpoint y . F y is the limit of the following sequence (assuming F is -continuous): S, F S, F2 S, F3 S, ... If S is finite, then we can compute the greatest fixpoint using the above sequence
EG Fixpoint Computation Similarly, EG p = y . p EX y is the limit of the sequence: S, pEX S, pEX(p EX S) , pEX(p EX (p EX S)) , ... which is equivalent to S, p, p EX p , p EX (p EX (p) ) , ...
EG Fixpoint Computation p p s1 s2 s3 s4 p Start S = {s1,s2,s3,s4} 1st iteration pEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4} 2nd iteration pEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4} 3rd iteration pEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}
EG Fixpoint Computation EG(p) states that can avoid reaching pp EX(p) EX(EX(p)) ... • • • EG(p)
Example • Structure M <S,R,L>: S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} Check if AG(a ∨ c) holds
Example (cont.) • Remember that: • AG p = y . p AX y • AX p = EX(p) • H(a∨c) = H(a) ∪ H(c) ={2,3} ∪ {3,4,5} = {2,3,4,5} • I0 S = {1,2,3,4,5} • I1 {2,3,4,5} ∩ S = {2,3,4,5} ∩ {1,2,3,4,5} = {2,3,4,5} • I2 {2,3,4,5} ∩ AX(2,3,4,5) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} • I3 {2,3,4,5} ∩ AX(2,3,4) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} • I3 = I2 H(AG(a∨c)) = {2,3,4} • To verify that f holds in state s, check if s∈H(f)
Example • For the FSM below, formally check the following properties, using Fixpoint Theorm: • AG(a ∨c ∨b) • AF(ab) • If failed show the subset of the design the property holds for as well as the counter example 1 2 4 3 c a a,b b,c d c 6 S = {1,2,3,4,5,6}, AP = {a,b,c,d}, R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)} L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d} 5
Example (cont.) • Remember that: • H(a∪b) = H(a) ∪ H(b) ∪ H(c) ={1,4} ∪ {2,3,5} ∪ {1,3} = {1,2,3,4,5} • AG(a ∨c ∨b) = AG p = y . p AX y = y . p AX y • AX p = EX(p) • I0 S = {1,2,3,4,5,6} • I1 {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} • I2 {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5} • This is because that : AX(1,2,3,4,5) = EX((1,2,3,4,5)) = EX(6) = (2) = S- {2 } = {1,3,4,5,6} • I3 {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} • This is because that : AX(1,3,4,5) = EX((1,3,4,5)) = EX(2,6) = (2,6) = S- {2 ,6} = {1,3,4,5} • I3 = I2 H(AG(a∨b ∨ c)) = {1,3,4,5} • The property does not hold, except for the above states, and it is clear that states {2,6} can be considered as counter examples. • state 6 does not contain neither a,c,b and state 2 does not have a proceeding one on one of its pathes path (2,6)
Example (AF(ab)) • Remember that: • H(a b) = H(a) H(b) ={1,4} {1,3}= {1} • AF(a b) = AG p = y . p AX y = y . p AX y • AX p = EX(p) • I0 • I1 {1} ∩ AX() = {1} ∩ = • This is because that : AX() = EX(()) = EX(1,2,3,4,5,6) = • The property does not hold for any state.
Model Checking Tools (non-commercial) • SMV (Symbolic Model Verifier) • A tool for checking finite state systems against specifications in the temporal logic CTL. • Developed at Carnegie Mellon University by E. Clarke, K. McMillan et. al. • Supports a simple input language: SMV • For more information: http://www.cs.cmu.edu/~modelcheck/smv.html • Cadence SMV • Updated version of SMV by K. McMillan at Berkeley Cadence Labs • Input languages: extended SMV and synchronous Verilog • Supports temporal logics CTL and LTL, finite automata, embedded assertions, and refinement specifications. • Features compositional reasoning, link with a simple theorem prover, an easy-to-use graphical user interface and source level debugging capabilities • For more information: http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/
Model Checking Tools (commercial) • FormalCheck • Supports the synthesizable subsets of Verilog and VHDL hardware design languages. • User supplies FormalCheck with a set of queries (properties and constraints) • Each property is defined using semantics of the class of omega automata. • Tool provides powerful model reduction options. • For more information: http://www.cadence.com/datasheets/formalcheck.html
Model Checking • Automatic verification (or falsification) of finite state systems • Explicit State Representation ⇒ State Explosion Problem (about 108states maximum) • Breakthrough: Implicit State Representation using ROBDD (about 1020 states). • Use Boolean characteristic functions represented by ROBDDs to encode sets of states and transition relations.
Binary Decision Diagrams • Ordered binary decision diagrams (OBDDs) are a canonical form for Boolean formulas. • OBDDs are often substantially more compact than traditional normal forms. • Moreover, they can be manipulated very efficiently. • Introduced at: • R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.
Binary Decision Trees • A Binary decision tree is a rooted, directed tree with two types of vertices, terminal vertices and nonterminal vertices. • Each nonterminal vertex v is labeled by a variable var(v) and has two successors: • low (v) corresponding to the case where the variable is assigned 0, and high (v) corresponding to the case where the variable is assigned 1. • Each terminal vertex v is labeled by value(v) which is either 0 or 1