

Number of slides: 25

Felix Kossak
felix.kossak@scch.at
+43 7236 3343 811
www.scch.at

Model Checking
An overview

Model Checking 1

What is Model Checking?
- Verification of critical properties of a system
- Systems that can be modelled as finite automata
- In particular, concurrent systems (such as parallel processes)
- Checking can be fully automated
- Considered as a “formal method” (or not)

Areas of Application
- “Classical” Model Checking has been successfully applied in e.g.
  - Design of electronic circuits
  - Network protocol design
- Is - or could - also be applied in:
  - Parallel process design
  - Real-time systems
  - Workflow, architectures; algorithms in general (flowchart level)
  - Software verification: e.g. termination of loops
  - ...

Properties that Can Be Checked
- Liveness: will the system “live” forever?
- Deadlocks, livelocks
- Reachability: can a state / all states be reached?
- Safety: will a “bad” state never be reached? Will a “bad” state trigger an exception, etc.?
- Fairness (an event will occur infinitely often)
- Underspecification (e.g. unexpected messages)
- Overspecification (dead code)
- Constraints (e.g. buffer / array bounds, invariants)
- Real-time performance (special tools)

Application Examples
- Network protocols
- Process scheduling
- Process communication
- Shared resources: e.g. printer manager
- Hardware / machine controllers
- Architecture design
- Workflow design
- Algorithm design (on flowchart level)

Basic approach
- System specification: temporal logic
- System design: finite automata
- Associate “atomic properties” with states
- Try to derive the specification from the “atomic properties”

Limits
- Size of the automaton: “state explosion”
  - In practice, the number of states soon becomes very large
  - potentially exponential w.r.t. the size of the system description
  - Simplification while preserving correctness?
- For specific problems, rather than problem classes

Technical Details
- Automata
  - ‘Kripke structures’
  - Petri nets, etc.
- Specification in temporal logic
  - CTL*
- Data structures: research issue
  - Binary Decision Diagrams (BDD)

Kripke Structures
- Finite automaton
- States are associated with ‘atomic properties’
- Transitions modify variables
- Transitions may be guarded
- Synchronisation of automata: see next slide

Synchronisation of Automata
- Global variables
- Message queues
- Synchronous / asynchronous
- Theoretical size: |A| x |B|
  → ‘State explosion’

Temporal Logic: CTL*
- “Computation Tree Logic”
- boolean combinators (propositional connectives)
- temporal combinators:
  - next state (X)
  - a future state (F)
  - all future states (G)
  - until (U)
  - while not (W)

Temporal Logic: CTL* (2)
- path quantifiers:
  - all executions out of the current state (A)
  - there exists an execution (E)
- 2 basically different subsets of CTL*:
  - CTL: each combinator directly under A/E
  - LTL: no path quantifiers

Model Checking CTL
- CTL:
  - “marking”
  - traverse each state of automaton A and each subformula of temporal formula f
  - O(|A| x |f|)
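The following Python program is an added example and not part of the slides or of any tool they mention. It ties the “Synchronisation of Automata” slide to this one: two copies of a small process automaton are composed asynchronously over a shared lock (the reachable product is smaller than the theoretical |A| x |B| x |lock| bound), and the resulting Kripke structure is then checked by “marking”, i.e. by computing, for each subformula, the set of states where it holds. The process model, the lock, the proposition names (critA, tryA, ...) and all function names are assumptions of this example.

```python
"""Added example (not from the slides): the asynchronous product of two
processes sharing a lock, then CTL model checking by marking.  The process
model, the proposition names and all function names are this example's own."""
from collections import deque

# One process cycles idle -> trying -> critical -> idle (constructed model).
NEXT = {"idle": "trying", "trying": "critical", "critical": "idle"}

def step(local, lock):
    """Successor (local, lock) pairs of one process.  Entering 'critical' is
    guarded by lock == 0 and sets the lock; leaving 'critical' releases it."""
    nxt = NEXT[local]
    if nxt == "critical":
        return [("critical", 1)] if lock == 0 else []   # guarded transition
    if local == "critical":
        return [("idle", 0)]
    return [(nxt, lock)]

def build_kripke():
    """Interleaving product of two copies of the process over the shared
    `lock`: states are (a, b, lock) triples; only reachable ones are kept.
    Returns (states, succ, labels), labels mapping a state to its
    atomic propositions."""
    init = ("idle", "idle", 0)
    states, succ, queue = {init}, {}, deque([init])
    while queue:
        s = queue.popleft()
        a, b, lock = s
        succ[s] = ([(a2, b, l2) for a2, l2 in step(a, lock)]
                   + [(a, b2, l2) for b2, l2 in step(b, lock)])
        for t in succ[s]:
            if t not in states:
                states.add(t)
                queue.append(t)
    labels = {}
    for s in states:
        a, b, _ = s
        props = set()
        if a == "trying":   props.add("tryA")
        if a == "critical": props.add("critA")
        if b == "trying":   props.add("tryB")
        if b == "critical": props.add("critB")
        if not succ[s]:     props.add("deadlock")   # state without successors
        labels[s] = props
    return frozenset(states), succ, labels

class CTL:
    """CTL marking: each operator maps the set of states where its argument
    holds to the set of states where the composed formula holds.  EX, EU and
    EG are the primitive operators; the others are derived from them."""
    def __init__(self, states, succ, labels):
        self.S, self.succ, self.labels = states, succ, labels
    def ap(self, p):  return {s for s in self.S if p in self.labels[s]}
    def neg(self, X): return self.S - X
    def EX(self, X):  return {s for s in self.S if any(t in X for t in self.succ[s])}
    def EU(self, P, Q):
        Z = set(Q)                       # least fixpoint of Q | (P & EX Z)
        while True:
            Z2 = Z | (P & self.EX(Z))
            if Z2 == Z:
                return Z
            Z = Z2
    def EG(self, P):
        Z = set(P)                       # greatest fixpoint of P & EX Z
        while True:
            Z2 = Z & self.EX(Z)
            if Z2 == Z:
                return Z
            Z = Z2
    def EF(self, P): return self.EU(self.S, P)
    def AG(self, P): return self.neg(self.EF(self.neg(P)))
    def AF(self, P): return self.neg(self.EG(self.neg(P)))
    def implies(self, P, Q): return self.neg(P) | Q

def check_mutex():
    """The questions a verifier would ask of this model, as a dict."""
    states, succ, labels = build_kripke()
    m = CTL(states, succ, labels)
    init = ("idle", "idle", 0)
    critA, critB, tryA = m.ap("critA"), m.ap("critB"), m.ap("tryA")
    return {
        "reachable_states": len(states),
        "product_bound": 3 * 3 * 2,           # |A| x |B| x |lock| before pruning
        # safety (AG): both processes are never in the critical section at once
        "mutual_exclusion": init in m.AG(m.neg(critA & critB)),
        # reachability (EF): A can actually enter its critical section
        "A_can_enter": init in m.EF(critA),
        # deadlock freedom: no reachable state without successors
        "deadlock_free": init not in m.EF(m.ap("deadlock")),
        # liveness without a fairness assumption: A may starve while B cycles
        "A_always_enters": init in m.AG(m.implies(tryA, m.AF(critA))),
    }

if __name__ == "__main__":
    for name, value in check_mutex().items():
        print(f"{name}: {value}")
```

Each operator is one pass over the state set per fixpoint iteration, which is where the O(|A| x |f|) figure comes from. The last check is deliberately false: without a fairness assumption (see the “Properties that Can Be Checked” slide) the marking finds the execution in which B keeps cycling through its critical section while A stays in “trying” forever.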

Model Checking LTL
- construct a finite automaton (FA) which recognises the negation of temporal formula f
- synchronise this FA with the automaton A
- Is the language accepted empty? (reachability)
- O(|A| x 2^|f|) (worst case)
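An added Python example of the automata-theoretic procedure on this slide; it is not from the slides or from SPIN. A Büchi automaton for the negation of f = G(req → F grant) is synchronised with a small request/grant system, and the nested depth-first search asks whether the product accepts any word, i.e. whether a cycle through an accepting state is reachable. Both Kripke structures, the automaton for ¬f and all names are assumptions of this example; the automaton is written by hand rather than generated from the formula.

```python
"""Added example (not from the slides): LTL model checking the automata way.
The request/grant models, the specification and all names are this example's own."""

# Two constructed Kripke structures.  Each state carries the set of atomic
# propositions true in it; `succ` lists its successors.
GOOD = {   # every request is eventually granted
    "init": "s0",
    "succ": {"s0": ["s1"], "s1": ["s2"], "s2": ["s0"]},
    "labels": {"s0": set(), "s1": {"req"}, "s2": {"grant"}},
}
BAD = {    # same, but a request may also spin forever without a grant
    "init": "s0",
    "succ": {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]},
    "labels": {"s0": set(), "s1": {"req"}, "s2": {"grant"}, "s3": {"req"}},
}

# Buchi automaton for the NEGATION of f = G(req -> F grant), i.e.
# F(req & G !grant): q0 waits for a request that is never granted, q1 then
# loops as long as no grant appears.  Guards read the labels of the Kripke
# state being left.  q1 is accepting: an accepting run visits it infinitely often.
NEG_SPEC = {
    "init": "q0",
    "accepting": {"q1"},
    "trans": [
        ("q0", lambda lab: True, "q0"),
        ("q0", lambda lab: "req" in lab and "grant" not in lab, "q1"),
        ("q1", lambda lab: "grant" not in lab, "q1"),
    ],
}

def product_succ(kripke, buchi):
    """Successor function of the synchronous product: the Buchi automaton
    moves on the label of the current Kripke state as the Kripke structure moves."""
    def succ(state):
        s, q = state
        return [(s2, q2)
                for s2 in kripke["succ"][s]
                for (q1, guard, q2) in buchi["trans"]
                if q1 == q and guard(kripke["labels"][s])]
    return succ

def has_accepting_cycle(init, succ, accepting):
    """Nested depth-first search: the outer DFS explores the product; when an
    accepting state is left in post-order, an inner DFS looks for a path back
    to it.  A hit is a reachable cycle through an accepting state, i.e. a
    counterexample run (a lasso)."""
    visited, flagged = set(), set()
    def inner(s, seed):
        flagged.add(s)
        for t in succ(s):
            if t == seed or (t not in flagged and inner(t, seed)):
                return True
        return False
    def outer(s):
        visited.add(s)
        for t in succ(s):
            if t not in visited and outer(t):
                return True
        return bool(accepting(s) and inner(s, s))
    return outer(init)

def satisfies(kripke, neg_spec=NEG_SPEC):
    """True iff the language of A x B(!f) is empty, i.e. the system satisfies f."""
    init = (kripke["init"], neg_spec["init"])
    acc = lambda state: state[1] in neg_spec["accepting"]
    return not has_accepting_cycle(init, product_succ(kripke, neg_spec), acc)

if __name__ == "__main__":
    print("GOOD satisfies G(req -> F grant):", satisfies(GOOD))
    print("BAD  satisfies G(req -> F grant):", satisfies(BAD))
```

The 2^|f| factor on the slide is the size of the automaton for ¬f in the worst case; the product itself is explored on the fly, state by state, which is why the search never needs the full |A| x 2^|f| table in memory.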

Binary Decision Diagrams (BDD)
- Data structure for state sets
- Reduced decision tree
  - Share identical subtrees
  - Delete superfluous nodes
- Problems with
  - non-Boolean variables
  - asynchronous automata
  - Solution: e.g. Multi-valued Decision Diagrams
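A small reduced ordered BDD builder in Python, added here as an example; it is not from the slides or from any of the tools named later. It applies exactly the two reductions on the slide while expanding a Boolean function along a fixed variable order: a node whose two children coincide is superfluous and is dropped, and identical subtrees are shared through a unique table. The example function f = (a ∧ b) ∨ (c ∧ d), the two variable orders and all names are assumptions of this example.

```python
"""Added example (not from the slides): a reduced ordered BDD built by Shannon
expansion, with the two reductions the slide names.  The function f, the
variable orders and all names are this example's own."""
import itertools

class BDD:
    """Nodes are (var, low, high) triples keyed by an int id; 0 and 1 are the
    terminals.  `mk` applies both reductions: a node whose two children are the
    same is superfluous and is not created, and identical subtrees are shared
    through the `unique` table."""
    def __init__(self, order):
        self.order = list(order)
        self.unique = {}     # (var, low, high) -> node id
        self.nodes = {}      # node id -> (var, low, high)

    def mk(self, var, low, high):
        if low == high:                    # superfluous node: drop it
            return low
        key = (var, low, high)
        if key not in self.unique:         # share identical subtrees
            nid = len(self.nodes) + 2      # ids 0 and 1 are the terminals
            self.unique[key] = nid
            self.nodes[nid] = key
        return self.unique[key]

    def build(self, f, i=0, env=None):
        """Shannon expansion of f along the variable order; f takes a dict
        {var: bool}.  Returns the id of the root node."""
        env = env or {}
        if i == len(self.order):
            return 1 if f(env) else 0
        v = self.order[i]
        low = self.build(f, i + 1, {**env, v: False})
        high = self.build(f, i + 1, {**env, v: True})
        return self.mk(v, low, high)

    def eval(self, node, env):
        """Follow one path from `node` to a terminal under assignment `env`."""
        while node not in (0, 1):
            v, low, high = self.nodes[node]
            node = high if env[v] else low
        return node == 1

def f_example(env):
    """Constructed function f = (a and b) or (c and d)."""
    return (env["a"] and env["b"]) or (env["c"] and env["d"])

def bdd_sizes():
    """Node counts of f under two variable orders, plus the size of the
    unreduced decision tree (2^n - 1 inner nodes).  Also checks that each BDD
    agrees with f on all 16 assignments."""
    sizes = {}
    for order in (("a", "b", "c", "d"), ("a", "c", "b", "d")):
        bdd = BDD(order)
        root = bdd.build(f_example)
        for bits in itertools.product([False, True], repeat=len(order)):
            env = dict(zip(order, bits))
            if bdd.eval(root, env) != f_example(env):
                raise AssertionError(f"BDD disagrees with f at {env}")
        sizes["".join(order)] = len(bdd.nodes)
    sizes["full_tree"] = 2 ** 4 - 1
    return sizes

if __name__ == "__main__":
    print(bdd_sizes())   # the same function, two sizes: the order matters
```

A state set is represented this way by encoding each state as a bit vector and building the BDD of its characteristic function; the same two reductions are what keep the sets compact. The two orders give 4 and 6 nodes for the same function against 15 inner nodes in the full tree, which is the ordering sensitivity that makes BDD variable ordering a research issue in its own right.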

Tools
- The most important tools are academic
  - open source, some even free for commercial use
  - SMV (NuSMV)
  - SPIN
- Some are part of comprehensive design software
  - (in particular commercial tools)

NuSMV
- Free re-implementation of SMV
- Designed for electronic circuits in the first place
- Automaton is modelled similar to a programme in C
- Temporal logic: CTL
- Basic data structure: OBDD

SPIN
- Designed for software verification
- Automaton is modelled similar to SMV (like a programme)
- Temporal logic: PLTL
- Basic data structure: POR

SPIN: Code Example
(Promela; the slide shows the body of process A only. The declarations and comments are added here so that the fragment is complete.)

    #define A_TURN 0
    #define B_TURN 1
    bit  x, y;      /* x: A wants to enter; y: B wants to enter */
    byte turn;      /* who yields when both want to enter */
    byte mutex;     /* number of processes in the critical section */

    active proctype A() {
        x = 1;                      /* announce interest */
        turn = B_TURN;              /* let B go first on conflict */
        y == 0 || turn == A_TURN;   /* a bare expression blocks until it is true */
        mutex++;
        /* critical section */
        mutex--;
        x = 0;
    }

Design/CPN (now CPN Tools)
- Based on Coloured Petri Nets (CPN)
- Elements can be timed
- Interactive simulation
- Reachability graphs can be generated for model checking
- Analysis using CTL possible (Computation Tree Logic, a temporal logic)

Design/CPN: Graphic Design
(figure only on the original slide)

Design/CPN: Restrictions; Successor
- Restrictions:
  - only for Unix / Linux and Mac
  - no longer maintained
- Successor: CPN Tools
  - for Windows (2000, XP)
  - better GUI
  - but limited model checking capability (new version last week, yet to be evaluated)

Other Tools for Timed Automata
- Academic:
  - KRONOS, UPPAAL, Verus
  - available for scientific purposes only (?)
- Other:
  - VeriSoft (by Bell Labs): free (yet to be evaluated)

Other Interesting Tools
- SIPN editor: for PLC programmes
  - generates code for SMV

References & Links
- B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, Ph. Schnoebelen: Systems and Software Verification; Model-Checking Techniques and Tools. Springer, 2001
- http://www.abo.fi/%7Ejolilius/mclinks.htm (many links, but seemingly not maintained for a while)