A brief history of model checking
Ken McMillan, Cadence Berkeley Labs, mcmillan@cadence.com
Outline
• Part I -- Introduction to model checking
  • Automatic formal verification of finite-state systems
  • Applications
    • Commercial hardware design
    • Avionics, chemical plant control, automotive, etc.
• Part II -- A brief history of model checking
  • Influence of many abstract ideas from logic on the development of model checking
The Verification Problem
• Debugging chips by simulation...
  • consumes greater than half of design time,
  • is unreliable (“Escapes” can cost up to $500M),
  • is increasing in cost as chip densities scale up
Model Checking
• Input: a temporal logic spec, e.g. G(p ⇒ F q), and a finite-state model
• Output: yes, or no plus a counterexample
• (look ma, no test vectors!)
[Figure: the model checker (MC) takes the spec and the finite-state model and answers yes or no]
Temporal logic (LTL)
• A logical notation that allows one to:
  • specify relations in time
  • conveniently express finite control properties
• Temporal operators
  • G p  “henceforth p”
  • F p  “eventually p”
  • X p  “p at the next time”
  • p W q  “p unless q”
Types of temporal properties
• Safety (nothing bad happens)
  • G ~(ack1 & ack2)  “mutual exclusion”
  • G (req ⇒ (req W ack))  “req must hold until ack”
• Liveness (something good happens)
  • G (req ⇒ F ack)  “if req, eventually ack”
• Fairness
  • GF req ⇒ GF ack  “if infinitely often req, infinitely often ack”
Computation tree logic (CTL)
• Branching time model
• Path quantifiers
  • A = “for all future paths”
  • E = “for some future path”
• Example: AF p = “inevitably p”
[Figure: computation tree illustrating AF p]
CTL model checking algorithm
• Example: AF p = “inevitably p”
• Complexity
  • linear in size of model (FSM)
  • linear in size of specification formula
  • Note: LTL is exponential in formula size
[Figure: states of the tree labelled with AF p]
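To make the labelling algorithm concrete, here is an added example that is not code from the slides: an explicit-state CTL model checker in Python that computes EX, AX, EF, AF, EG and AG over a finite Kripke structure by iterating the least or greatest fixed point (AF p = μQ. p ∨ AX Q, EF p = μQ. p ∨ EX Q, EG p = νQ. p ∧ EX Q), which is the Tarski fixed-point view the later slides describe. The two-process mutual-exclusion model, its state names and the propositions c1, c2, t1, t2 are assumptions of the example. Mutual exclusion holds; the liveness property fails because the toy model has no fairness constraint, so one process can be starved forever.

```python
"""Explicit-state CTL model checking by fixed-point labelling.
Added example, not from the slides. The Kripke structure is a constructed toy:
two processes, each non-critical (n), trying (t) or critical (c); a state is a
two-letter string, e.g. "tc" = process 1 trying, process 2 in its critical section."""
from typing import Callable, FrozenSet

# Constructed transition relation; every state has at least one successor (total).
SUCC = {
    "nn": {"tn", "nt"}, "tn": {"cn", "tt"}, "nt": {"nc", "tt"},
    "cn": {"nn", "ct"}, "nc": {"nn", "tc"}, "tt": {"ct", "tc"},
    "ct": {"nt"},       "tc": {"tn"},
}
STATES: FrozenSet[str] = frozenset(SUCC)
INIT = "nn"

def atom(prop: str) -> FrozenSet[str]:
    """States labelled with an atomic proposition such as 'c1' (process 1 critical) or 't2'."""
    kind, idx = prop[0], int(prop[1]) - 1
    return frozenset(s for s in STATES if s[idx] == kind)

def neg(a): return STATES - a
def conj(a, b): return a & b
def disj(a, b): return a | b
def implies(a, b): return neg(a) | b

def ex(a: FrozenSet[str]) -> FrozenSet[str]:
    """EX a: some successor satisfies a."""
    return frozenset(s for s in STATES if SUCC[s] & a)

def ax(a: FrozenSet[str]) -> FrozenSet[str]:
    """AX a: every successor satisfies a; with a total relation AX a = ¬EX ¬a."""
    return neg(ex(neg(a)))

def lfp(f: Callable[[FrozenSet[str]], FrozenSet[str]]) -> FrozenSet[str]:
    """Least fixed point of a monotone set function, iterated up from the empty set (Tarski)."""
    z: FrozenSet[str] = frozenset()
    while (nz := f(z)) != z:
        z = nz
    return z

def gfp(f: Callable[[FrozenSet[str]], FrozenSet[str]]) -> FrozenSet[str]:
    """Greatest fixed point, iterated down from the full state set."""
    z = STATES
    while (nz := f(z)) != z:
        z = nz
    return z

def ef(a): return lfp(lambda z: a | ex(z))   # EF a = μZ. a ∨ EX Z
def af(a): return lfp(lambda z: a | ax(z))   # AF a = μZ. a ∨ AX Z
def eg(a): return gfp(lambda z: a & ex(z))   # EG a = νZ. a ∧ EX Z
def ag(a): return neg(ef(neg(a)))            # AG a = ¬EF ¬a

def holds(a: FrozenSet[str]) -> bool:
    """A formula holds for the model when the initial state carries its label."""
    return INIT in a

if __name__ == "__main__":
    mutex = ag(neg(conj(atom("c1"), atom("c2"))))
    print("AG not(c1 and c2):", holds(mutex))                   # True
    live = ag(implies(atom("t1"), af(atom("c1"))))
    print("AG (t1 -> AF c1):", holds(live))                     # False: tt -> tc -> tn -> tt ... starves process 1
    print("states satisfying AF c1:", sorted(af(atom("c1"))))  # ['cn', 'ct']
```

Because the relation is total, AX is derived from EX by double negation; each fixed-point loop runs at most |STATES| rounds, which is where the linear-in-model complexity on the slide comes from.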
Example: traffic light controller
• Guarantee no collisions
• Guarantee eventual service
[Figure: intersection with lights N, S and E]
Specifications
• Safety (no collisions)
  AG ¬(E_Go ∧ (N_Go | S_Go));
• Liveness
  AG (¬N_Go ∧ N_Sense ⇒ AF N_Go);
  AG (¬S_Go ∧ S_Sense ⇒ AF S_Go);
  AG (¬E_Go ∧ E_Sense ⇒ AF E_Go);
• Fairness constraints
  infinitely often ¬(N_Go ∧ N_Sense);
  infinitely often ¬(S_Go ∧ S_Sense);
  infinitely often ¬(E_Go ∧ E_Sense);
  (assume each sensor off infinitely often)
Counterexample
• East and North lights on at same time...
• N light goes on at same time S light goes off. S takes priority and resets NS_Lock
[Waveform: signals E_Go, E_Req, E_Sense, NS_Lock, N_Go, N_Req, N_Sense, S_Go, S_Req, S_Sense]
State explosion problem
• What if the state space is too large?
  • too much parallelism
  • data in model
• Approaches
  • Abstraction/reduction
  • “Symbolic” methods
  • Exploiting symmetry
  • “Partial order” methods
Binary Decision Diagrams
• Ordered decision tree for f = ab + cd
[Figure: full decision tree on a, b, c, d with leaf values 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1]
OBDD reduction
• Reduced (OBDD) form
• Key idea: combine equivalent subcases
[Figure: reduced OBDD for ab + cd with one node each for a, b, c, d]
Symbolic model checking
• Basic idea:
  • Use BDD’s to represent sets and relations
  • Avoid explicitly representing states
• Transition relations R(a,b,a’,b’)
[Figure: transition from state (a,b) to state (a’,b’)]
Image computation
• EX p = states that can reach p in one step
• EX p = ∃v’. (R(v,v’) ∧ p(v’))
• Note: ∃a. f = f|a=0 + f|a=1
[Figure: the set p and the set EX p of its predecessors]
Fixed point iteration
• EF p = states that can reach p
  • S0 = p
  • Si+1 = Si \/ EX Si
  • ... Sω
• Model checking without building state graph
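The BDD, image-computation and fixed-point slides above fit in one worked program. The following is an added example and not code from the slides: a minimal reduced ordered BDD package (unique table, memoised apply, cofactor, existential quantification via ∃a. f = f|a=0 ∨ f|a=1, and order-preserving renaming) reduces the deck's f = ab + cd to four nodes, then computes EX p = ∃v′. R(v,v′) ∧ p(v′) and the EF iteration S0 = p, Si+1 = Si ∨ EX Si entirely on BDDs. The variable names x, y, xp, yp, the interleaved ordering, the transition list and the target set are assumptions of the example.

```python
"""ROBDDs and symbolic EX/EF. Added example, not code from the slides: a small
hash-consed BDD package reduces the deck's f = ab + cd and then runs the image
computation EX p = ∃v'. R(v,v') ∧ p(v') and EF iteration on a constructed 2-bit system."""
from functools import reduce
from itertools import product

def AND(a, b): return a & b
def OR(a, b): return a | b

class BDD:
    """Ids 0 and 1 are the terminals; every other id maps to (var, low, high)."""
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}   # variable order
        self.node, self.unique, self.memo = {}, {}, {}
    def mk(self, var, low, high):
        if low == high:                      # redundant test: combine equivalent subcases
            return low
        key = (var, low, high)
        if key not in self.unique:           # one node per key, hence a canonical form
            self.unique[key] = len(self.node) + 2
            self.node[self.unique[key]] = key
        return self.unique[key]
    def lit(self, var, positive=True):
        return self.mk(var, 0, 1) if positive else self.mk(var, 1, 0)
    def cof(self, u, var):                   # cofactors of u by the top variable var
        if u >= 2 and self.node[u][0] == var:
            return self.node[u][1], self.node[u][2]
        return u, u                          # u does not depend on var
    def apply(self, op, u, v):               # Shannon expansion on the smallest top variable
        if u < 2 and v < 2:
            return op(u, v)
        if (op, u, v) not in self.memo:
            x = min((self.node[w][0] for w in (u, v) if w >= 2), key=self.rank.get)
            (ul, uh), (vl, vh) = self.cof(u, x), self.cof(v, x)
            self.memo[op, u, v] = self.mk(x, self.apply(op, ul, vl), self.apply(op, uh, vh))
        return self.memo[op, u, v]
    def restrict(self, u, var, val):         # f|var=val
        if u < 2 or self.rank[self.node[u][0]] > self.rank[var]:
            return u
        x, lo, hi = self.node[u]
        if x == var:
            return hi if val else lo
        return self.mk(x, self.restrict(lo, var, val), self.restrict(hi, var, val))
    def exists(self, u, var):                # ∃var. f = f|var=0 ∨ f|var=1 (the slide's identity)
        return self.apply(OR, self.restrict(u, var, 0), self.restrict(u, var, 1))
    def rename(self, u, mapping):            # substitution; mapping must preserve the order
        if u < 2:
            return u
        x, lo, hi = self.node[u]
        return self.mk(mapping.get(x, x), self.rename(lo, mapping), self.rename(hi, mapping))
    def size(self, u, seen=None):            # non-terminal nodes reachable from u
        seen = set() if seen is None else seen
        if u >= 2 and u not in seen:
            seen.add(u)
            self.size(self.node[u][1], seen)
            self.size(self.node[u][2], seen)
        return len(seen)

def abcd_size():                             # the deck's f = ab + cd: 15 tree nodes -> 4 OBDD nodes
    bdd = BDD("abcd")
    a, b, c, d = (bdd.lit(v) for v in "abcd")
    return bdd.size(bdd.apply(OR, bdd.apply(AND, a, b), bdd.apply(AND, c, d)))

# Constructed 2-bit system: state bits (x, y); the primed copies are interleaved in the order.
CUR, NXT = ("x", "y"), ("xp", "yp")
TRANS = [((0, 0), (0, 1)), ((0, 1), (0, 0)), ((1, 0), (1, 1)), ((1, 1), (1, 0))]

def set_bdd(bdd, names, tuples):             # characteristic function of a set of bit-vectors
    f = 0
    for bits in tuples:
        term = 1
        for v, bit in zip(names, bits):
            term = bdd.apply(AND, term, bdd.lit(v, bool(bit)))
        f = bdd.apply(OR, f, term)
    return f

def ex_bdd(bdd, R, p):
    """EX p = ∃v'. R(v,v') ∧ p(v'): rename p to v', conjoin with R, quantify v' out."""
    f = bdd.apply(AND, R, bdd.rename(p, dict(zip(CUR, NXT))))
    for v in NXT:
        f = bdd.exists(f, v)
    return f

def ef_bdd(bdd, R, p):
    """EF p: S0 = p, S(i+1) = S(i) ∨ EX S(i); canonicity turns the fixpoint test into an id compare."""
    s = p
    while (n := bdd.apply(OR, s, ex_bdd(bdd, R, s))) != s:
        s = n
    return s

def states_of(bdd, u):                       # states over CUR in the set u, via restriction
    return [s for s in product((0, 1), repeat=len(CUR))
            if reduce(lambda f, vb: bdd.restrict(f, *vb), zip(CUR, s), u) == 1]

def demo():                                  # EX and EF of the state set {11} as explicit lists
    bdd = BDD(["x", "xp", "y", "yp"])
    R = set_bdd(bdd, CUR + NXT, [s + t for s, t in TRANS])   # R(v, v')
    p = set_bdd(bdd, CUR, [(1, 1)])
    return states_of(bdd, ex_bdd(bdd, R, p)), states_of(bdd, ef_bdd(bdd, R, p))
```

In the constructed system 00 and 01 form one cycle and 10 and 11 another, so EX {11} = {10} and EF {11} = {10, 11}; the iteration stops as soon as the OR returns the same node id, which is exactly the "same set, same BDD" property that makes the fixed-point test cheap.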
Example: “Gigamax” cache protocol
• First commercial application
• Method scales well with system size
• Finds very subtle “escapes”
[Figure: global bus with clusters attached through UIC units; each cluster bus carries memory (M) and processor (P) units]
Genealogy of model checking
• Many ideas from logic influence development of model checking...
[Diagram: Logics of Programs, Temporal/Modal Logics, Tarski, ω-automata, S1S, μ-calculus, CTL Model Checking, ATV, LTL MC, QBF, BDD, Symbolic Model Checking]
Logics of programs
• Floyd/Hoare/Dijkstra
  • Give precise definitions of programming languages
  • Allows reasoning about programs (proofs/derivations)
• Pre-post conditions / weakest precondition
  • example: assignment axioms
    {true} x := y {x = y}
    {P} x := y {P}  (no x in P)
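Added example, not from the slides: a small Python weakest-precondition calculator for assignment, wp(x := e, Q) = Q[x := e], which checks a Hoare triple {P} x := e {Q} by asking whether P ⇒ wp(x := e, Q). It reproduces the two assignment axioms on the slide and rejects a triple that does not hold. The tuple-based formula syntax and the bounded validity check over a small integer range are assumptions of the example; it is a sanity checker, not a theorem prover.

```python
"""Weakest precondition for assignment: wp(x := e, Q) = Q[x := e].
Added example, not from the slides. Formulas are small tuple ASTs over integer
variables; validity is checked by brute force over a tiny integer domain
(a bounded sanity check, not a theorem prover)."""
from itertools import product

# AST: bool | int | variable name (str) | (op, arg, ...) with op in OPS
OPS = {
    "=": lambda a, b: a == b, "<": lambda a, b: a < b, "+": lambda a, b: a + b,
    "and": lambda a, b: a and b, "or": lambda a, b: a or b, "not": lambda a: not a,
}

def subst(formula, var, expr):
    """Q[var := expr]: replace every occurrence of var (no quantifiers, so all are free)."""
    if isinstance(formula, str):
        return expr if formula == var else formula
    if isinstance(formula, tuple):
        return (formula[0],) + tuple(subst(t, var, expr) for t in formula[1:])
    return formula

def wp_assign(var, expr, post):
    """Dijkstra's weakest precondition of the assignment var := expr."""
    return subst(post, var, expr)

def free_vars(f):
    if isinstance(f, str):
        return {f}
    if isinstance(f, tuple):
        return set().union(*(free_vars(t) for t in f[1:]))
    return set()

def evaluate(f, env):
    if isinstance(f, str):
        return env[f]
    if isinstance(f, tuple):
        return OPS[f[0]](*(evaluate(t, env) for t in f[1:]))
    return f

def valid(f, domain=range(-2, 3)):
    """True if f holds for every assignment of its variables drawn from the domain."""
    names = sorted(free_vars(f))
    return all(evaluate(f, dict(zip(names, vals))) for vals in product(domain, repeat=len(names)))

def hoare_triple_holds(pre, var, expr, post):
    """{pre} var := expr {post} is valid iff pre ⇒ wp(var := expr, post)."""
    return valid(("or", ("not", pre), wp_assign(var, expr, post)))

if __name__ == "__main__":
    print(wp_assign("x", "y", ("=", "x", "y")))                         # ('=', 'y', 'y')
    print(hoare_triple_holds(True, "x", "y", ("=", "x", "y")))          # True: {true} x := y {x = y}
    P = ("<", 0, "z")                                                   # no x in P
    print(hoare_triple_holds(P, "x", "y", P))                           # True: {P} x := y {P}
    print(hoare_triple_holds(True, "x", ("+", "x", 1), ("=", "x", 1)))  # False: needs x = 0 beforehand
```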
Concurrent programs
• Pnueli
  • Concurrent vs. sequential programming
  • need to characterize execution sequences
  • proposes use of temporal logic
[Figure: sequential A and B with call and return vs. concurrent A and B]
Temporal and modal logics
• Roots in philosophical logic
  • Tense logic -- formalizing linguistic time: “If a, then b before c”
  • Modal logic -- reasoning about possibility: “If I had run I would have caught my plane”
• New use in computer science:
  • characterize the interactions of parallel processes: G req ⇒ F ack
Genealogy
[Diagram: Floyd/Hoare (late ’60s), Aristotle (300s BCE), Kripke (’59), Logics of Programs, Temporal/Modal Logics, Pnueli (late ’70s)]
CTL Model checking
• Reasoning about properties of non-deterministic programs
  • branching time properties of programs
• Fixed point characterizations (Tarski)
  • every monotonic function has least/greatest fixed point
  • key idea: apply to finite graphs, not infinite trees
  • can directly calculate Tarski fixed points
• Applications
  • finite state machines in hardware
  • protocols
  • proved incorrectness of some published designs
Genealogy, cont.
[Diagram: Logics of Programs, Temporal/Modal Logics, Tarski (’50s), CTL Model Checking (Clarke/Emerson, early ’80s): some published circuits are proved incorrect]
Decidable logics and automata
• Büchi
  • S1S -- reason about sets of natural numbers
  • Automata on infinite words
  • characterize set of models of formula
  • example: sets that contain the odd numbers
• Deep connection between logics and automata
[Figure: Büchi automaton for the example, with edge labels 0,1 / 0 / 0,1 / 1]
LTL model checking
• Vardi and Wolper
  • Apply Büchi’s technique to LTL
  • Automaton construction yields optimal decision algorithm
• Kurshan
  • Specify properties directly as automata
  • example: infinitely often p (GF p)
[Figure: automaton for GF p with edges labelled p, ¬p, true]
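Added example of the automata-theoretic approach, not code from the slides: it checks the slide's property GF p ("infinitely often p") on a constructed four-state model by building a Büchi automaton for the negated property FG ¬p (hand-written here rather than produced by the general LTL-to-automaton construction), forming the synchronous product with the model, and searching the product for an accepting cycle with nested depth-first search. A non-empty product yields a counterexample lasso (prefix plus cycle); an empty one means the model satisfies GF p. The state names, the proposition p and the automaton encoding are assumptions of the example.

```python
"""Automata-theoretic check of GF p ("infinitely often p"). Added example, not code from
the slides: a Büchi automaton for the negation FG ¬p (hand-built, not produced by the
general LTL-to-automaton construction) runs in product with a constructed model and the
product is searched for an accepting cycle by nested depth-first search."""

# Constructed model: a server that should return to its "ready" state (proposition p)
# forever. The transition s1 -> s3 is the bug: s3 is a stuck state where p never holds.
BUGGY = {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]}
FIXED = {"s0": ["s1"], "s1": ["s2"], "s2": ["s0"]}
LABEL = {"s0": {"p"}, "s1": set(), "s2": set(), "s3": set()}
INIT = "s0"

# Büchi automaton for ¬(GF p) = FG ¬p. Edges carry guards on the label of the model state
# being left; q1 is the accepting state and can only be held while ¬p keeps holding.
NEG_GFP = {
    "q0": [("q0", lambda lbl: True), ("q1", lambda lbl: "p" not in lbl)],
    "q1": [("q1", lambda lbl: "p" not in lbl)],
}
ACCEPTING = {"q1"}

def product_succ(model):
    """Successor function of the synchronous product of the model and the automaton."""
    def succ(state):
        m, q = state
        return [(m2, q2) for m2 in model[m] for q2, guard in NEG_GFP[q] if guard(LABEL[m])]
    return succ

def nested_dfs(init, succ, accepting):
    """Return (prefix, cycle) of an accepting lasso, or None if the product language is empty.
    The outer DFS reaches accepting states in post-order; the inner DFS started at each of
    them looks for a path back to it and shares its marks across all seeds."""
    visited, inner_marks, path = set(), set(), []

    def inner(s, seed, trail):
        inner_marks.add(s)
        for t in succ(s):
            if t == seed:
                return trail
            if t not in inner_marks:
                found = inner(t, seed, trail + [t])
                if found:
                    return found
        return None

    def outer(s):
        visited.add(s)
        path.append(s)
        for t in succ(s):
            if t not in visited:
                found = outer(t)
                if found:
                    return found
        if accepting(s):
            cycle = inner(s, s, [s])
            if cycle:
                return path[:-1], cycle
        path.pop()
        return None

    return outer(init)

def check_gf_p(model):
    """None when the model satisfies GF p; otherwise a lasso (prefix, cycle) of model
    states along which p holds only finitely often."""
    found = nested_dfs((INIT, "q0"), product_succ(model), lambda s: s[1] in ACCEPTING)
    if found is None:
        return None
    prefix, cycle = found
    return [m for m, _ in prefix], [m for m, _ in cycle]

if __name__ == "__main__":
    print("buggy model:", check_gf_p(BUGGY))   # (['s0', 's1', 's3'], ['s3'])
    print("fixed model:", check_gf_p(FIXED))   # None
```

The product state carries the automaton state alongside the model state, so the reported cycle is one the automaton accepts, i.e. a run on which p eventually never holds; removing the s1 → s3 edge makes the product empty and the property true.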
Genealogy
[Diagram: Logics of Programs, Temporal/Modal Logics, Büchi (’60), Tarski, ω-automata, S1S, CTL Model Checking, ATV, LTL MC (Vardi/Wolper, Kurshan, mid ’80s)]
Symbolic Model Checking
• State explosion problem
  • graph model guarantees worst-case complexity
• Characterize sets and relations by Boolean formulas
  • compute Tarski fixed points directly on formulas
  • EX p = ∃v′. (R ∧ p′)  (QBF)
• Use BDD’s to represent formulas
  • efficient canonical form
Mu-calculus
• Park’s Mu-Calculus
  • Logic of relations with fixed point operator
  • Can express transitive closure
  • Nicely characterizes what SMC can compute
• SMC algorithm for Mu-calculus
  • Use to express symbolic algorithms for
    • CTL, LTL model checking
    • Automaton containment, etc...
• Note: bad specification logic, but good for describing algorithms
  AF p = μQ. p ∨ AX Q
Genealogy, cont.
• Note first commercial application in 1990
  • Encore Gigamax cache protocols
[Diagram: Logics of Programs, Temporal/Modal Logics, Tarski, ω-automata, S1S, Park (’60s), μ-calculus, CTL Model Checking, ATV, LTL MC, QBF, BDD (Bryant, mid ’80s), Symbolic Model Checking (late ’80s)]
Applications
• Hardware Design
  • Encore Gigamax
  • Intel instruction decoder
  • SGI cache protocol chip
• Other areas
  • Avionics (TCAS)
  • Chemical plant control
  • Nuclear storage facilities (!)
• Commercial tools
  • Cadence, IBM, Synopsys
A convergence of research areas in logic
• Many areas of logic have shaped the discourse in model checking
  • Logics of programs
  • Temporal/Modal logics
  • Tarski fixed point theory
  • Decidable logics -- S1S/automata
  • Park’s mu-calculus
• Much of this work is quite abstract, but has strongly influenced practical work in model checking