A brief history of model checking
Ken McMillan, Cadence Berkeley Labs

Ken McMillan, Cadence Berkeley Labs, mcmillan@cadence.com

Outline
Part I: Introduction to model checking
  Automatic formal verification of finite-state systems
  Applications: commercial hardware design; avionics, chemical plant control, automotive, etc.
Part II: A brief history of model checking
  Influence of many abstract ideas from logic on the development of model checking

The Verification Problem
Debugging chips by simulation:
  consumes more than half of design time
  is unreliable: escapes can cost up to $500M
  is increasing in cost as chip densities scale up

Model Checking
Input: a temporal logic specification, e.g. G(p → F q), and a finite-state model (the figure shows a small model whose states are labelled q, p, p, q)
Output: "yes" if the model satisfies the specification, otherwise "no" plus a counterexample
(look ma, no test vectors!)

Temporal logic (LTL)
A logical notation that allows one to specify relations in time and to conveniently express finite control properties.
Temporal operators:
  G p: henceforth p
  F p: eventually p
  X p: p at the next time
  p W q: p unless q

Types of temporal properties
Safety (nothing bad happens):
  G ¬(ack1 ∧ ack2): mutual exclusion
  G (req → (req W ack)): req must hold until ack
Liveness (something good happens):
  G (req → F ack): if req, eventually ack
Fairness:
  GF req → GF ack: if infinitely often req, infinitely often ack

Computation tree logic (CTL)
Branching time model
Path quantifiers: A = for all future paths; E = for some future path
Example: AF p = inevitably p (the figure shows a computation tree in which every branch eventually reaches a state labelled p)

CTL model checking algorithm
Example: AF p = inevitably p (the figure shows states being labelled with AF p, working back from the states labelled p)
Complexity: linear in the size of the model (FSM), linear in the size of the specification formula
Note: LTL model checking is exponential in formula size

Example: traffic light controller
Intersection with approaches N, S and E (figure)
Guarantee no collisions
Guarantee eventual service

Specifications
Safety (no collisions):
  AG ¬(E_Go ∧ (N_Go ∨ S_Go));
Liveness (eventual service):
  AG (¬N_Go ∧ N_Sense → AF N_Go);
  AG (¬S_Go ∧ S_Sense → AF S_Go);
  AG (¬E_Go ∧ E_Sense → AF E_Go);
Fairness constraints (assume each sensor off infinitely often):
  infinitely often ¬(N_Go ∧ N_Sense);
  infinitely often ¬(S_Go ∧ S_Sense);
  infinitely often ¬(E_Go ∧ E_Sense);

Counterexample
East and North lights on at the same time... (the waveform shows the signals E_Go, E_Req, E_Sense, NS_Lock, N_Go, N_Req, N_Sense, S_Go, S_Req, S_Sense)
The N light goes on at the same time the S light goes off: S takes priority and resets NS_Lock.

State explosion problem
What if the state space is too large? (too much parallelism, data in the model)
Approaches:
  Abstraction/reduction
  Symbolic methods
  Exploiting symmetry
  Partial order methods

Binary Decision Diagrams
Ordered decision tree for f = ab + cd (figure: the full tree branches on a, then b, then c, then d; its 16 leaves, read left to right, are 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1)

OBDD reduction
Reduced (OBDD) form (figure: one decision node each for a, b, c and d, sharing the terminals 0 and 1)
Key idea: combine equivalent subcases
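As an added example (not from the slides), a small Python ROBDD builder for f = ab + cd: it performs Shannon expansion along the variable order and applies the two reduction rules, dropping a node whose 0- and 1-branches coincide and sharing identical subgraphs through a unique table, which is the "combine equivalent subcases" idea above. The class and function names are assumptions, and the order comparison goes beyond the slide: the full ordered decision tree has 15 decision nodes, the order a,b,c,d reduces it to 4, and the order a,c,b,d to 6.

```python
from typing import Callable, Dict, List, Tuple
Node = Tuple[int, int, int]  # (variable index, low child, high child); 0 and 1 are terminals

class ROBDD:
    """Reduced ordered BDD built by Shannon expansion over a fixed variable order."""

    def __init__(self, order: List[str]) -> None:
        self.order = order
        self.unique: Dict[Node, int] = {}   # unique table: structure -> node id (sharing rule)
        self.nodes: Dict[int, Node] = {}    # node id -> structure

    def build(self, f: Callable[..., bool]) -> int:
        return self._build(f, 0, {})        # id of the root (0/1 if f is constant)

    def _build(self, f: Callable[..., bool], i: int, env: Dict[str, bool]) -> int:
        if i == len(self.order):            # all variables fixed: a terminal
            return 1 if f(**env) else 0
        var = self.order[i]
        lo = self._build(f, i + 1, {**env, var: False})  # cofactor var = 0
        hi = self._build(f, i + 1, {**env, var: True})   # cofactor var = 1
        if lo == hi:                        # elimination rule: f does not depend on var here
            return lo
        key: Node = (i, lo, hi)
        if key not in self.unique:          # merging rule: reuse an identical subgraph
            nid = len(self.nodes) + 2
            self.unique[key] = nid
            self.nodes[nid] = key
        return self.unique[key]

    def evaluate(self, root: int, **assignment: bool) -> bool:
        """Follow one path from root to a terminal under the given assignment."""
        node = root
        while node not in (0, 1):
            i, lo, hi = self.nodes[node]
            node = hi if assignment[self.order[i]] else lo
        return node == 1

def f_ab_plus_cd(a: bool, b: bool, c: bool, d: bool) -> bool:
    return (a and b) or (c and d)

def robdd_size(order: List[str], f: Callable[..., bool] = f_ab_plus_cd) -> int:
    """Number of decision nodes in the ROBDD of f under the given order."""
    bdd = ROBDD(order)
    bdd.build(f)
    return len(bdd.nodes)

if __name__ == "__main__":
    print(robdd_size(["a", "b", "c", "d"]))  # 4
    print(robdd_size(["a", "c", "b", "d"]))  # 6
```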

Symbolic model checking
Basic idea: use BDDs to represent sets and relations; avoid explicitly representing states
Transition relation R(a,b,a',b') over current-state variables a,b and next-state variables a',b'

Image computation
EX p = states that can reach p in one step
EX p = ∃v'. (R(v,v') ∧ p(v'))
Note: ∃a. f = f|a=0 + f|a=1

Fixed point iteration
EF p = states that can reach p
S0 = p
S(i+1) = S(i) ∨ EX S(i)
(the figure shows the growing sets S0 ⊆ S1 ⊆ ... ⊆ Sw)
... model checking without building the state graph
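The EX, EF and AF computations of the preceding slides, worked as an added example that is not part of the talk: an explicit-state version of the fixed-point iteration on a small Kripke structure constructed here (the structure, state names and function names are assumptions). EX is computed as the pre-image, EF p as the least fixed point S0 = p, S(i+1) = S(i) ∪ EX S(i), AF p as µQ. p ∨ AX Q, and for a state that fails AF p a lasso counterexample is extracted, the "no + counterexample" output of a model checker.

```python
from typing import Dict, List, Optional, Set, Tuple

State = str

# Constructed Kripke structure (not from the slides). Every state has a
# successor, which the AX/AF computations below assume.
STATES: Set[State] = {"s0", "s1", "s2", "s3"}
R: Set[Tuple[State, State]] = {("s0", "s1"), ("s0", "s2"), ("s1", "s3"), ("s2", "s2"), ("s3", "s3")}
LABEL: Dict[State, Set[str]] = {"s3": {"p"}}  # the atom p holds only in s3

def sat_atom(atom: str) -> Set[State]:
    return {s for s in STATES if atom in LABEL.get(s, set())}

def ex(target: Set[State]) -> Set[State]:
    """EX target: pre-image, states with at least one successor in target."""
    return {s for (s, t) in R if t in target}

def ax(target: Set[State]) -> Set[State]:
    """AX target: states all of whose successors are in target."""
    return {s for s in STATES if all(t in target for (u, t) in R if u == s)}

def ef(p: Set[State]) -> Set[State]:
    """EF p = least fixed point of S0 = p, S(i+1) = S(i) | EX S(i)."""
    s = set(p)
    while True:
        nxt = s | ex(s)
        if nxt == s:
            return s
        s = nxt

def af(p: Set[State]) -> Set[State]:
    """AF p = mu Q. p | AX Q, iterated upward from the empty set."""
    q: Set[State] = set()
    while True:
        nxt = p | ax(q)
        if nxt == q:
            return q
        q = nxt

def af_counterexample(p: Set[State], start: State) -> Optional[List[State]]:
    """Lasso path on which p never holds, for a state outside AF p. A state
    outside AF p is outside p and has a successor outside AF p (else p | AX(AF p)
    would contain it), so the walk never gets stuck and must repeat a state."""
    good = af(p)
    if start in good:
        return None
    path, cur = [start], start
    while True:
        cur = next(t for (u, t) in sorted(R) if u == cur and t not in good)
        path.append(cur)
        if path.count(cur) > 1:
            return path

if __name__ == "__main__":
    print("EF p =", sorted(ef(sat_atom("p"))))                      # ['s0', 's1', 's3']
    print("AF p =", sorted(af(sat_atom("p"))))                      # ['s1', 's3']
    print("no AF p from s0:", af_counterexample(sat_atom("p"), "s0"))  # ['s0', 's2', 's2']
```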

Example: Gigamax cache protocol
(figure: a global bus connects several clusters through UICs; each cluster bus carries its own UIC, memory M and processors P)
First commercial application
Method scales well with system size
Finds very subtle escapes

Genealogy of model checking
Many ideas from logic influence the development of model checking. The diagram (given here as a list) connects:
  ω-automata and S1S to ATV and LTL model checking
  logics of programs and temporal/modal logics to CTL model checking
  Tarski fixed points, the µ-calculus, QBF and BDDs to symbolic model checking

Logics of programs
Floyd/Hoare/Dijkstra
Give precise definitions of programming languages
Allow reasoning about programs (proofs/derivations)
Pre/post conditions, weakest precondition
Example: assignment axioms
  {true} x := y {x = y}
  {P} x := y {P}  (no x in P)

Concurrent programs
Pnueli: concurrent vs. sequential programming (figure: in the sequential case A calls B and B returns; in the concurrent case A and B run side by side)
Need to characterize execution sequences
Proposes the use of temporal logic

Temporal and modal logics
Roots in philosophical logic
Tense logic: formalizing linguistic time ("If a, then b before c")
Modal logic: reasoning about possibility ("If I had run I would have caught my plane")
New use in computer science: characterize the interactions of parallel processes, e.g. G (req → F ack)

Genealogy
Temporal/modal logics: Aristotle (300s BCE), Kripke (1959)
Logics of programs: Floyd/Hoare (late 1960s)
Pnueli (late 1970s) brings temporal logic to concurrent programs

CTL model checking
Reasoning about properties of nondeterministic programs: branching time properties of programs
Fixed point characterizations (Tarski): every monotonic function has a least/greatest fixed point
Key idea: apply to finite graphs, not infinite trees; can directly calculate Tarski fixed points
Applications: finite state machines in hardware, protocols; proved incorrectness of some published designs

Genealogy, cont.
Tarski (1950s): fixed point theory
Clarke/Emerson (early 1980s): CTL model checking, building on logics of programs and temporal/modal logics
Some published circuits are proved incorrect

Decidable logics and automata
Büchi: S1S, reasoning about sets of natural numbers
Automata on infinite words characterize the set of models of a formula
Example: sets that contain the odd numbers (figure: a two-state automaton over the alphabet {0,1})
Deep connection between logics and automata

LTL model checking
Vardi and Wolper: apply Büchi's technique to LTL; the automaton construction yields an optimal decision algorithm
Kurshan: specify properties directly as automata
Example: infinitely often p (GF p) (figure: a two-state automaton with edges labelled p, ¬p and true)

Genealogy
Büchi (1960): S1S and ω-automata
Kurshan (mid 1980s): ATV
Vardi/Wolper: LTL model checking
alongside logics of programs, temporal/modal logics, Tarski and CTL model checking

Symbolic Model Checking
State explosion problem: a graph model guarantees worst-case complexity
Characterize sets and relations by Boolean formulas
Compute Tarski fixed points directly on formulas: EX p = ∃v'. (R ∧ p')  (QBF)
Use BDDs to represent formulas: efficient canonical form

Mu-calculus
Park's mu-calculus: logic of relations with a fixed point operator
Can express transitive closure
Nicely characterizes what SMC can compute
SMC algorithm for the mu-calculus
Use it to express symbolic algorithms for CTL and LTL model checking, e.g. AF p = µQ. p ∨ AX Q; automaton containment, etc.
Note: bad specification logic, but good for describing algorithms

Genealogy, cont.
Park (1960s): µ-calculus
Bryant (mid 1980s): BDDs
QBF, Tarski fixed points, the µ-calculus and BDDs feed into symbolic model checking (late 1980s)
Note: first commercial application in 1990, Encore Gigamax cache protocols

Applications
Hardware design: Encore Gigamax, Intel instruction decoder, SGI cache protocol chip
Other areas: avionics (TCAS), chemical plant control, nuclear storage facilities (!)
Commercial tools: Cadence, IBM, Synopsys

A convergence of research areas in logic
Many areas of logic have shaped the discourse in model checking:
  Logics of programs
  Temporal/modal logics
  Tarski fixed point theory
  Decidable logics: S1S/automata
  Park's mu-calculus
Much of this work is quite abstract, but has strongly influenced practical work in model checking.