Post on 11-Jan-2016


Introduction to SMV and Model Checking

Mostly by: Ken McMillan, Cadence Berkeley Labs, mcmillan@cadence.com

Small parts by: Brandon Eames, ISIS/Vanderbilt University, b.eames@vanderbilt.edu

Presented in the CS 367 class by Aditya

SMV Tool

Can be downloaded from

http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/dld2.html 

Outline

Quick overview of SMV

Model checking

– Temporal logic

– Model checking algorithms

– Expressiveness and complexity

Symbolic model checking

– The “state explosion” problem

– Binary Decision Diagrams

– Computing fixed points with BDD’s

– Application

SMV: Symbolic Model Verifier

Capture system behavior as combinational and sequential logic: finite state machines.

Capture system requirements as statements in temporal logic

SMV applies the requirement specifications to the state machine model

– Attempt to prove that system meets requirements

– If system fails, attempt to show counterexample

How SMV Works

Convert system model (the FSM) to OBDD representation

Convert CTL specifications into operations which can be applied to OBDDs

Traverse the state space, applying verification operations until achieving a “fixed point”: stable system

Report the results of the traversal, either requirements met or not.

Example

    MODULE main
    VAR
      request : boolean;
      state : {ready, busy};
    ASSIGN
      init(state) := ready;
      next(state) := case
        state = ready & request : busy;
        1 : {ready, busy};
      esac;
    SPEC
      AG(request -> AF state = busy)

SMV’s supported CTL operators

! not

& and

| or

-> implies

<-> logical equivalence

“E” existential path quantifier

“A” universal path quantifier

“X” next time

“F” eventually

“G” globally

“U” until

Propositional Linear Temporal Logic

Express properties of “Reactive Systems”

– interactive, nonterminating

For PLTL, a model is an infinite state sequence s0, s1, s2, ...

Temporal operators

– “Globally”: G p at t iff p for all t’ ≥ t.

[timeline: p holds at every position from t on, so G p holds at t]

Temporal operators...

– “Future”: F p at t iff p for some t’ ≥ t.

[timeline: p holds at some position at or after t, so F p holds at t]

– “Until”: p U q at t iff

– q for some t’ ≥ t and

– p in the range [ t, t’ )

[timeline: p holds from t up to the position t’ where q holds, so p U q holds at t]

– “Next-time”: X p at t iff p at t+1

Examples

Liveness: “if input, then eventually output”

G (input → F output)

Strong fairness: “infinitely send implies infinitely recv.”

GF send → GF recv

(GF = infinitely often; send and recv are atomic props)

Weak until: “no output before input”

¬output W input

where p W q = (p U q) ∨ G p

Safety v. Liveness

Safety

– Refutable by finite run

Liveness

– Refutable only by infinite run

– Every finite run extensible to satisfying run

PLTL semantics

Given an infinite sequence σ = s0, s1, s2, ...

– σ, i ⊨ f if f is true in state si of σ.

– σ ⊨ f if f is true in state s0 of σ.

– ⊨ f if f is valid.

A formula is an atomic proposition, or...

true, p ∨ q, ¬p, p U q, X p

PLTL semantics...

Definition of satisfaction

– σ, i ⊨ a (atomic) iff a is true in state si

– σ, i ⊨ ¬p iff σ, i ⊭ p

– σ, i ⊨ p ∨ q iff σ, i ⊨ p or σ, i ⊨ q

– σ, i ⊨ X p iff σ, i+1 ⊨ p

– σ, i ⊨ p U q iff for some j ≥ i: σ, j ⊨ q, and for all k with i ≤ k < j: σ, k ⊨ p

Derived operators...

F p = true U p

G p = ¬F ¬p

p → q = ¬p ∨ q

Model Checking (Clarke/Emerson, Queille/Sifakis)

[diagram: a temporal formula, e.g. G(p -> F q), and a finite-state model are the inputs to the MC algorithm, which answers yes, or no together with a counterexample run]

Model must now represent all behaviors

Kripke models

A Kripke model (S,R,L) consists of

– set of states S

– set of transitions R ⊆ S × S

– labeling L ⊆ S × AP

Kripke models from programs

    repeat p := true; p := false; end

[diagram: two states, labeled p and ¬p, with a transition from each to the other]

Mutual exclusion example

[state graph; each state gives the status of process 1, the status of process 2, and the turn variable]

N1,N2 turn=0

T1,N2 turn=1

T1,T2 turn=1

C1,N2 turn=1

C1,T2 turn=1

N1,T2 turn=2

T1,T2 turn=2

N1,C2 turn=2

T1,C2 turn=2

N = noncritical, T = trying, C = critical

PLTL on Kripke models

A path in model M = (S,R,L) is a sequence s0, s1, s2, ... ∈ S such that (si, si+1) ∈ R.

M, s0 ⊨ f iff for all paths s0, s1, s2, ... of M, s0, s1, s2, ... ⊨ f

[diagram: a path s0 s1 s2 s3 ... on which p holds at a later state, so F p holds at s0]

Branching time

Model of time is a tree, not a sequence

Path quantifiers

M, s0 ⊨ E f iff for some path s0, s1, s2, ... of M, s0, s1, s2, ... ⊨ f

M, s0 ⊨ A f iff for all paths s0, s1, s2, ... of M, s0, s1, s2, ... ⊨ f

[computation tree: p holds somewhere on every branch from the root, so AF p holds at the root]

Computation Tree Logic

Every operator F, G, X, U preceded by A or E

Universal modalities...

[computation tree for AG p: p holds at every node on every branch]

[computation tree for AF p: every branch eventually reaches a node where p holds]

CTL, cont...

Existential modalities

[computation tree for EG p: some branch has p at every node]

[computation tree for EF p: some branch reaches a node where p holds]

CTL, cont

Other modalities

AX p, EX p, A(p U q), E(p U q)

Some dualities...

AF p = ¬EG ¬p

AG p = ¬EF ¬p

Examples: mutual exclusion specs...

AG ¬(C1 ∧ C2) mutual exclusion

AG (T1 → AF C1) liveness

AG (N1 → EX T1) non-blocking

Symbolic model checking

State explosion problem

– State graph exponential in program size

Symbolic model checking approach

– Boolean formulas represent sets and relations

– Use fixed point characterizations of CTL operators

– Model checking without building state graph

Sometimes can handle much larger state spaces

Binary Decision Diagrams (Bryant)

Ordered decision tree for f = ab + cd

[decision tree with variable order a, b, c, d: one a node, two b nodes, four c nodes, eight d nodes; the 0 branch is drawn left and the 1 branch right; the sixteen leaf values read 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1]

OBDD reduction

Reduced (OBDD) form:

[reduced diagram: a single node for each of a, b, c and d, plus the terminals 0 and 1]

Key idea: combine equivalent sub-cases

OBDD properties

Canonical form (for fixed order)

– direct comparison

Efficient apply algorithm

– build BDD’s for large circuits: combining f and g with a boolean operation costs O(|f| · |g|)

Variable order strongly affects size
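As an added example (not code from the slides), the following Python builds the reduced OBDD of f = ab + cd by Shannon expansion with a unique table, which is what makes equivalent sub-cases share one node and drops redundant tests, and compares the node count under two variable orders; it also reproduces the leaf row of the unreduced decision tree.

```python
# Added example, not from the slides: reduced OBDD construction by Shannon
# expansion over a fixed variable order with a unique table (so equivalent
# sub-cases are shared and redundant tests dropped), applied to f = ab + cd.
from itertools import product

class OBDD:
    """Reduced ordered BDD; node ids 0 and 1 are the terminals."""
    def __init__(self, order):
        self.order = list(order)
        self.unique = {}        # (level, low, high) -> node id: one node per distinct triple
        self.next_id = 2

    def mk(self, level, low, high):
        if low == high:         # both branches agree: the test on this variable is redundant
            return low
        key = (level, low, high)
        if key not in self.unique:   # combine equivalent sub-cases
            self.unique[key] = self.next_id
            self.next_id += 1
        return self.unique[key]

    def build(self, f, level=0, env=None):
        """Expand f (a predicate on a dict of variable values) along the order."""
        env = env or {}
        if level == len(self.order):
            return int(bool(f(env)))
        v = self.order[level]
        low = self.build(f, level + 1, {**env, v: 0})
        high = self.build(f, level + 1, {**env, v: 1})
        return self.mk(level, low, high)

    def size(self):
        return len(self.unique)   # non-terminal nodes

def ab_plus_cd(e):
    return (e["a"] and e["b"]) or (e["c"] and e["d"])

def obdd_size(order, f=ab_plus_cd):
    """Node count of the reduced OBDD of f under the given variable order."""
    bdd = OBDD(order)
    bdd.build(f)
    return bdd.size()

def decision_tree_leaves(order, f=ab_plus_cd):
    """Leaf row of the unreduced decision tree (2^n leaves, 0-branch first)."""
    return [int(bool(f(dict(zip(order, vals))))) for vals in product((0, 1), repeat=len(order))]

if __name__ == "__main__":
    print(obdd_size("abcd"), obdd_size("acbd"))   # same function, different orders
```

Under the order a, b, c, d the reduced OBDD has one node per variable, as on the slide; under a, c, b, d the same function needs six nodes.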

Boolean quantification

If v is a boolean variable, then

∃v. f = f|v=0 ∨ f|v=1

Multivariate quantification

∃(w1,w2,…,wn). f

Complexity on BDD representation

– worst case exponential

– heuristically efficient

Example: ∃(b,c). (ab ∨ cd) = a ∨ d

Characterizing sets

Let M = (S,R,L) be a Kripke model

Let S be the set of boolean vectors (v1,v2,…,vn) ∈ {0,1}^n

Represent any P ⊆ S by its characteristic function χP

χP(v1,v2,…,vn) = true iff (v1,v2,…,vn) ∈ P

Set operations

– ∅ = false, S = true

– P ∪ Q = P ∨ Q, P ∩ Q = P ∧ Q

– S \ P = ¬P

Characterizing relations

Transition relation R is a set of state pairs…

R = {((v1,v2,…,vn), (v’1,v’2,…,v’n)) : ((v1,v2,…,vn), (v’1,v’2,…,v’n)) ∈ R}

Examples

– A synchronous sequential circuit

[circuit diagram with two state bits, v1 and v0]

R = (v’0 = ¬v0) ∧ (v’1 = v0 ⊕ v1)

Transition relations, cont...

– An asynchronous circuit

[diagram: a latch built from two cross-coupled gates, with inputs s and r and outputs q and q̄]

– Interleaving model (one gate updates per step, the other holds its value)

R = ((q’ = ¬(s ∧ q̄)) ∧ (q̄’ = q̄)) ∨ ((q̄’ = ¬(r ∧ q)) ∧ (q’ = q))

– Simultaneous model (both gates update in the same step)

R = (q’ = ¬(s ∧ q̄)) ∧ (q̄’ = ¬(r ∧ q))

Forward and reverse image

Forward image

Image(P,R) = {v’ : for some v, v ∈ P and (v,v’) ∈ R}

Image(P,R)(v’) = ∃v. (P(v) ∧ R(v,v’))

[diagram: a set P and the set Image(P,R) of its R-successors]

Images, cont...

Reverse image

Image⁻¹(P,R) = {v : for some v’, v’ ∈ P and (v,v’) ∈ R}

Image⁻¹(P,R)(v) = ∃v’. (P(v’) ∧ R(v,v’))

[diagram: a set P and the set Image⁻¹(P,R) of its R-predecessors]

= EX P
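As an added example (not from the slides), the Python below implements existential quantification as the disjunction of cofactors and uses it for the forward and reverse image of the synchronous circuit R = (v’0 = ¬v0) ∧ (v’1 = v0 ⊕ v1) from a few slides back; boolean functions are represented as predicates over a dict of variable values (a truth-table view), so the operations are the ones a BDD package would perform, without the BDD data structure. It also checks the slide's quantification example ∃(b,c). (ab ∨ cd) = a ∨ d.

```python
# Added example, not from the slides: ∃v.f = f|v=0 ∨ f|v=1, and the images
# Image(P,R)(v') = ∃v.(P(v) ∧ R(v,v')) and Image⁻¹(P,R)(v) = ∃v'.(P(v') ∧ R(v,v')),
# on the slides' circuit R = (v'0 = ¬v0) ∧ (v'1 = v0 ⊕ v1). Boolean functions are
# plain Python predicates over a dict of variable values (truth tables, not BDDs).
from itertools import product

def cofactor(f, var, val):
    return lambda env: f({**env, var: val})          # f|var=val

def exists(f, *variables):
    """∃(w1,...,wn). f, built one variable at a time as f|w=0 ∨ f|w=1."""
    for w in variables:
        f = (lambda g, w: lambda env: cofactor(g, w, 0)(env) or cofactor(g, w, 1)(env))(f, w)
    return f

def table(f, variables):
    """Truth table of f over `variables`: dict from value tuple to 0/1."""
    return {vals: int(bool(f(dict(zip(variables, vals)))))
            for vals in product((0, 1), repeat=len(variables))}

def quantifier_example_holds():
    """Slide example: ∃(b,c). (ab ∨ cd) = a ∨ d, checked on all values of a and d."""
    f = lambda e: (e["a"] and e["b"]) or (e["c"] and e["d"])
    return table(exists(f, "b", "c"), ["a", "d"]) == table(lambda e: e["a"] or e["d"], ["a", "d"])

STATE, NEXT = ["v1", "v0"], ["v1'", "v0'"]          # current and next-state variables
def R(e):                                            # the slides' synchronous circuit
    return e["v0'"] == int(not e["v0"]) and e["v1'"] == (e["v0"] ^ e["v1"])

def rename(f, src, dst):
    """Variable substitution: f over `src`, reading its inputs from `dst` instead."""
    return lambda env: f({s: env[d] for s, d in zip(src, dst)})

def image(P):
    """Forward image: quantify out the current state, then rename v' back to v."""
    return rename(exists(lambda e: P(e) and R(e), *STATE), NEXT, STATE)

def pre_image(P):
    """Reverse image (= EX P): evaluate P on the next state, quantify it out."""
    return exists(lambda e: rename(P, STATE, NEXT)(e) and R(e), *NEXT)

def states(f):
    """Set of (v1, v0) states satisfying the state predicate f."""
    return {vals for vals, bit in table(f, STATE).items() if bit}

def reachable(init):
    """Reachable states: least fixed point of P ∨ Image(P,R), starting from init."""
    P, seen = init, states(init)
    while True:
        P = (lambda p: lambda e: p(e) or image(p)(e))(P)
        if states(P) == seen:
            return seen
        seen = states(P)
```

From (v1,v0) = (0,0) the circuit steps through (0,1), (1,0), (1,1) and back, so the forward image of {(0,0)} is {(0,1)}, its reverse image is {(1,1)}, and the reachability fixed point covers all four states.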

Symbolic CTL model checking

Equate a formula f with the set of states satisfying it…

⟦f⟧ = {v ∈ S : v ⊨ f}

Compute BDD’s for characteristic functions…

– ¬p, p ∧ q, p ∨ q (use BDD ops)

– EX p = Image⁻¹(p,R)

– AX p = ¬EX ¬p

Remaining operators have fixed-point characterization...

EF p = p ∨ EX EF p

In fact, this is the least fixed point...

Fixed points of monotonic functions

Let τ be a function S → S

Say τ is monotonic when x ⊆ y implies τ(x) ⊆ τ(y)

Fixed point of τ is y such that τ(y) = y

If τ monotonic, then it has

– least fixed point μy. τ(y)

– greatest fixed point νy. τ(y)

Iteratively computing fixed points

Suppose S is finite

– The least fixed point μy. τ(y) is the limit of false, τ(false), τ(τ(false)), ...

– The greatest fixed point νy. τ(y) is the limit of true, τ(true), τ(τ(true)), ...

Note, since S is finite, convergence is finite

Example: EF p

EF p is characterized by EF p = μy. p ∨ EX y

Thus, it is the limit of the increasing series...

p, p ∨ EX p, p ∨ EX(p ∨ EX p), ...

...which we can compute entirely using BDD operations

Example: EG p

EG p is characterized by EG p = νy. p ∧ EX y

Thus, it is the limit of the decreasing series...

p, p ∧ EX p, p ∧ EX(p ∧ EX p), ...

...which we can compute entirely using BDD operations

Remaining operators

A(p U q) = μy. q ∨ (p ∧ AX y)

E(p U q) = μy. q ∨ (p ∧ EX y)

AG p = νy. p ∧ AX y

AF p = μy. p ∨ AX y

Allows CTL model checking with only BDD ops

– Avoid building state graph

– (Sometimes) avoid state explosion problem

Now you can go home and build your own symbolic model checker...
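Taking the slide at its word, here is an added example (not code from the slides) of a small CTL checker built only from the fixed-point characterizations above: EX is the reverse image, AX comes from duality, and EF/AF/EU are least and AG/EG greatest fixed points. Python sets of states stand in for the BDD characteristic functions. The model is the mutual exclusion example's nine states; the slide's state graph did not survive extraction, so the transition relation used here is an assumption constructed for this example, and the three specs from the CTL slide are checked against it.

```python
# Added example, not from the slides: an explicit-state CTL checker built on the
# fixed-point characterizations above. Python sets of states stand in for BDD
# characteristic functions, EX is the reverse image, AX/AG come from duality.
# Model: the mutual exclusion example's nine states (process 1 status, process 2
# status, turn); the transition relation is assumed (constructed for this example).
R = {  # assumed: a process may start trying, enter when it holds the turn, or exit
    ("N", "N", 0): [("T", "N", 1), ("N", "T", 2)],
    ("T", "N", 1): [("C", "N", 1), ("T", "T", 1)],
    ("T", "T", 1): [("C", "T", 1)],
    ("C", "N", 1): [("N", "N", 0), ("C", "T", 1)],
    ("C", "T", 1): [("N", "T", 2)],
    ("N", "T", 2): [("N", "C", 2), ("T", "T", 2)],
    ("T", "T", 2): [("T", "C", 2)],
    ("N", "C", 2): [("N", "N", 0), ("T", "C", 2)],
    ("T", "C", 2): [("T", "N", 1)],
}
S = frozenset(R)                    # the set of all states ("true")
INIT = frozenset({("N", "N", 0)})   # initial state

def atom(proc, status):             # labeling: states where process proc is in status
    return frozenset(s for s in S if s[proc] == status)
def neg(p): return S - p            # ¬p is the complement
def imp(p, q): return neg(p) | q    # p → q = ¬p ∨ q

def ex(p):                          # EX p = Image^-1(p, R): some successor in p
    return frozenset(s for s in S if any(t in p for t in R[s]))
def ax(p): return neg(ex(neg(p)))   # AX p = ¬EX ¬p

def lfp(tau):                       # least fixed point: iterate from false (∅)
    y = frozenset()
    while tau(y) != y: y = tau(y)
    return y
def gfp(tau):                       # greatest fixed point: iterate from true (S)
    y = S
    while tau(y) != y: y = tau(y)
    return y

def ef(p): return lfp(lambda y: p | ex(y))           # EF p = μy. p ∨ EX y
def eg(p): return gfp(lambda y: p & ex(y))           # EG p = νy. p ∧ EX y
def af(p): return lfp(lambda y: p | ax(y))           # AF p = μy. p ∨ AX y
def ag(p): return gfp(lambda y: p & ax(y))           # AG p = νy. p ∧ AX y
def eu(p, q): return lfp(lambda y: q | (p & ex(y)))  # E(p U q) = μy. q ∨ (p ∧ EX y)
def au(p, q): return lfp(lambda y: q | (p & ax(y)))  # A(p U q) = μy. q ∨ (p ∧ AX y)

def holds(spec):                    # a spec holds when every initial state is in it
    return INIT <= spec

C1, C2, T1, N1 = atom(0, "C"), atom(1, "C"), atom(0, "T"), atom(0, "N")
mutual_exclusion = holds(ag(neg(C1 & C2)))   # AG ¬(C1 ∧ C2)
liveness = holds(ag(imp(T1, af(C1))))        # AG (T1 → AF C1)
non_blocking = holds(ag(imp(N1, ex(T1))))    # AG (N1 → EX T1)
```

On the assumed transition relation all three specs hold, while AG (N1 → AF C1) does not: from the initial state the run N1,N2 → N1,T2 → N1,C2 → N1,N2 repeats forever without process 1 ever entering, which is exactly the kind of infinite counterexample a liveness property needs.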

Why does it work?

[diagram: a circuit cut at successive points of the variable order; many partial states (assignments to the variables before a cut) are equivalent]

Many partial states equivalent...

...implies many subfunctions equivalent...

[diagram: the correspondingly small OBDD]


When doesn’t it work?

Protocols that pass pointers

Linked lists

Anytime one part of the system “knows” a large amount of information about another part

Summary

Model checking

– Automatic verification (or falsification) of finite state systems

– Linear v. branching time logics

State explosion problem

– Binary Decision Diagrams

– Heuristically efficient boolean operations

– Image calculations

– Fixed point characterization of CTL

– Model checking without building state graph

Applications

– Find subtle errors in complex protocols
