Introduction to SMV and Model Checking
Mostly by: Ken McMillan, Cadence Berkeley Labs, mcmillan@cadence.com
Small parts by: Brandon Eames, ISIS/Vanderbilt, [email protected]
Presented in the CS 367 class by Aditya
SMV Tool
Can be downloaded from
http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/dld2.html
Outline
Quick overview of SMV
Model checking
– Temporal logic
– Model checking algorithms
– Expressiveness and complexity
Symbolic model checking
– The “state explosion” problem
– Binary Decision Diagrams
– Computing fixed points with BDD’s
– Application
SMV: Symbolic Model Verifier
Capture system behavior as combinatorial and sequential logic: finite state machines.
Capture system requirements as statements in temporal logic
SMV applies the requirement specifications to the state machine model
– Attempt to prove that system meets requirements
– If system fails, attempt to show counterexample
How SMV Works
Convert system model (the FSM) to OBDD representation
Convert CTL specifications into operations which can be applied to OBDDs
Traverse the state space, applying verification operations until achieving a “fixed point”: stable system
Report the results of the traversal, either requirements met or not.
Example
  MODULE main
  VAR
    request : boolean;
    state : {ready, busy};
  ASSIGN
    init(state) := ready;
    next(state) := case
      state = ready & request : busy;
      1 : {ready, busy};
    esac;
  SPEC
    AG(request -> AF state = busy)
SMV’s supported CTL operators
  !     not
  &     and
  |     or
  ->    implies
  <->   logical equivalence
  “E”   existential path quantifier
  “A”   universal path quantifier
  “X”   next time
  “F”   eventually
  “G”   globally
  “U”   until
Propositional Linear Temporal Logic
Express properties of “Reactive Systems”
– interactive, nonterminating
For PLTL, a model is an infinite state sequence $s_0, s_1, s_2, \ldots$
Temporal operators
– “Globally”: G p at $t$ iff p for all $t' \geq t$.
(figure: a trace on which p holds at every position from $t$ onward, so G p holds at $t$)
Temporal operators...
– “Future”: F p at $t$ iff p for some $t' \geq t$.
(figure: a trace on which p holds at some later position, so F p holds at $t$)
– “Until”: p U q at $t$ iff
  – q for some $t' \geq t$ and
  – p in the range $[t, t')$
(figure: a trace with p at every position before the first q, so p U q holds at $t$)
– “Next-time”: X p at $t$ iff p at $t+1$
Examples
Liveness: “if input, then eventually output”
  $G\,(input \rightarrow F\,output)$
Strong fairness: “infinitely send implies infinitely recv.”
  $GF\,send \rightarrow GF\,recv$   (GF reads “infinitely often”; send and recv are atomic props)
Weak until: “no output before input”
  $output\,W\,input$
  where $p\,W\,q \equiv (p\,U\,q) \vee G\,p$
Safety v. Liveness
Safety
– Refutable by finite run
Liveness
– Refutable only by infinite run
– Every finite run extensible to satisfying run
PLTL semantics
Given an infinite sequence $\sigma = s_0, s_1, s_2, \ldots$
– $\sigma, s_i \models f$ if $f$ is true in state $s_i$ of $\sigma$.
– $\sigma \models f$ if $f$ is true in state $s_0$ of $\sigma$.
– $\models f$ if $f$ is valid.
A formula is an atomic proposition, or...
  $\mathit{true}$, $p \vee q$, $\neg p$, $p\,U\,q$, $X\,p$
PLTL semantics...
Definition of satisfaction
– $\sigma, s_i \models a$ (atomic) iff $a$ is true in state $s_i$
– $\sigma, s_i \models \neg p$ iff $\sigma, s_i \not\models p$
– $\sigma, s_i \models p \vee q$ iff $\sigma, s_i \models p$ or $\sigma, s_i \models q$
– $\sigma, s_i \models X\,p$ iff $\sigma, s_{i+1} \models p$
– $\sigma, s_i \models p\,U\,q$ iff for some $j \geq i$: $\sigma, s_j \models q$, and for all $k$ with $i \leq k < j$: $\sigma, s_k \models p$
Derived operators...
  $F\,p \equiv \mathit{true}\,U\,p$
  $G\,p \equiv \neg F \neg p$
  $p \wedge q \equiv \neg(\neg p \vee \neg q)$
Model Checking (Clarke/Emerson, Queille/Sifakis)
(figure: the MC algorithm takes a temporal formula such as $G(p \rightarrow F\,q)$ and a finite-state model; it answers “yes”, or “no” together with a counterexample run of the model)
Model must now represent all behaviors
Kripke models
A Kripke model (S,R,L) consists of
– set of states S
– set of transitions $R \subseteq S \times S$
– labeling $L : S \rightarrow 2^{AP}$ (the set of atomic propositions true in each state)
Kripke models from programs
  repeat p := true; p := false; end
(figure: the two-state Kripke model of this program, one state labeled p and one labeled ¬p, alternating forever)
Mutual exclusion example
(figure: the reachable states of a two-process mutual exclusion program with a turn variable)
  N1,N2  turn=0
  T1,N2  turn=1
  T1,T2  turn=1
  C1,N2  turn=1
  C1,T2  turn=1
  N1,T2  turn=2
  T1,T2  turn=2
  N1,C2  turn=2
  T1,C2  turn=2
N = noncritical, T = trying, C = critical
PLTL on Kripke models
A path in model M = (S,R,L) is a sequence $s_0, s_1, s_2, \ldots$ of states in $S$ such that $(s_i, s_{i+1}) \in R$.
$M, s_0 \models f$ iff for all paths $s_0, s_1, s_2, \ldots$ of $M$: $s_0, s_1, s_2, \ldots \models f$
(figure: the computation tree unfolding from $s_0$ through $s_1, s_2, s_3, \ldots$; F p holds at $s_0$ because every branch reaches a state where p holds)
Branching time
Model of time is a tree, not a sequence
Path quantifiers
– $M, s_0 \models E\,f$ iff for some path $s_0, s_1, s_2, \ldots$ of $M$: $s_0, s_1, s_2, \ldots \models f$
– $M, s_0 \models A\,f$ iff for all paths $s_0, s_1, s_2, \ldots$ of $M$: $s_0, s_1, s_2, \ldots \models f$
(figure: a computation tree on which every branch reaches p, so AF p holds at the root)
Computation Tree Logic
Every operator F, G, X, U preceded by A or E
Universal modalities...
(figure: AG p, p holds at every node of the computation tree; AF p, every branch eventually reaches a node where p holds)
CTL, cont...
Existential modalities
(figure: EG p, some branch has p at every node; EF p, some branch reaches a node where p holds)
CTL, cont
Other modalities
  AX p, EX p, A(p U q), E(p U q)
Some dualities...
  $AF\,p \equiv \neg EG\,\neg p$
  $AG\,p \equiv \neg EF\,\neg p$
Examples: mutual exclusion specs...
  $AG\,\neg(C1 \wedge C2)$   mutual exclusion
  $AG\,(T1 \rightarrow AF\,C1)$   liveness
  $AG\,(N1 \rightarrow EX\,T1)$   non-blocking
Symbolic model checking
State explosion problem
– State graph exponential in program size
Symbolic model checking approach
– Boolean formulas represent sets and relations
– Use fixed point characterizations of CTL operators
– Model checking without building state graph
Sometimes can handle much larger state space
Binary Decision Diagrams (Bryant)
Ordered decision tree for f = ab + cd
(figure: the full decision tree with order a, b, c, d: one a node, two b nodes, four c nodes, eight d nodes and the sixteen leaves 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1)
OBDD reduction
Reduced (OBDD) form:
(figure: the reduced diagram for f = ab + cd has a single node for each of a, b, c, d plus the terminals 0 and 1)
Key idea: combine equivalent sub-cases
OBDD properties
Canonical form (for fixed order)
– direct comparison
Efficient apply algorithm
– build BDD’s for large circuits: $f \langle op \rangle g$ is computed in $O(|f| \cdot |g|)$
Variable order strongly affects size
Boolean quantification
If v is a boolean variable, then
  $\exists v.\, f = f|_{v=0} \vee f|_{v=1}$
Multivariate quantification
  $\exists (w_1, w_2, \ldots, w_n).\, f$
Complexity on BDD representation
– worst case exponential
– heuristically efficient
Example: $\exists (b,c).\, (ab \vee cd) = a \vee d$
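As an added illustration (not code from the slides or from SMV) of the reduction shown on the OBDD slides and of the quantification rule above, the following Python builds the reduced OBDD of f = ab + cd under the assumed order a < b < c < d, confirms it has the four internal nodes of the reduced figure, and computes ∃(b,c).(ab ∨ cd) = a ∨ d with the f|v=0 ∨ f|v=1 rule. The tuple node representation and the memoised apply are my own choices, not Bryant's package.

```python
from functools import lru_cache

# Added example (not from the slides): build the reduced OBDD of f = ab + cd under the
# assumed order a < b < c < d, then quantify out b and c as the slide does.
ORDER = ["a", "b", "c", "d"]   # variable order; index 0 is tested at the root
# Terminals are the ints 0 and 1; an internal node is the tuple (var_index, low, high).
# Equal tuples are one value, so equivalent sub-cases are shared and the form is
# canonical for this order: two functions are equal iff their root values are equal.
def mk(i, lo, hi):
    """Reduction rule: a test whose two branches agree is redundant and is dropped."""
    return lo if lo == hi else (i, lo, hi)

def build(fn, env=None, i=0):
    """Ordered decision tree by Shannon expansion along ORDER, reduced on the way up."""
    env = env or {}
    if i == len(ORDER):
        return int(bool(fn(env)))
    v = ORDER[i]
    return mk(i, build(fn, {**env, v: 0}, i + 1), build(fn, {**env, v: 1}, i + 1))

def top(f):  # index of the root variable; past the end for a terminal
    return f[0] if isinstance(f, tuple) else len(ORDER)

@lru_cache(maxsize=None)
def apply(op, f, g):
    """Bryant's apply: combine two OBDDs with op; memoising per node pair bounds the work by O(|f|*|g|)."""
    if isinstance(f, int) and isinstance(g, int):
        return int(op(f, g))
    i = min(top(f), top(g))
    f0, f1 = (f[1], f[2]) if top(f) == i else (f, f)
    g0, g1 = (g[1], g[2]) if top(g) == i else (g, g)
    return mk(i, apply(op, f0, g0), apply(op, f1, g1))

def OR(x, y): return x | y

def restrict(f, v, val):
    """Cofactor f|v=val: every test on v is replaced by the chosen branch."""
    if isinstance(f, int):
        return f
    i, lo, hi = f
    if ORDER[i] == v:
        return hi if val else lo
    return mk(i, restrict(lo, v, val), restrict(hi, v, val))

def exists(f, vs):
    """Boolean quantification as on the slide: exists v. f = f|v=0 OR f|v=1."""
    for v in vs:
        f = apply(OR, restrict(f, v, 0), restrict(f, v, 1))
    return f

def nodes(f, seen=None):  # distinct internal nodes; shared subgraphs count once
    seen = set() if seen is None else seen
    if isinstance(f, tuple) and f not in seen:
        seen.add(f)
        nodes(f[1], seen); nodes(f[2], seen)
    return len(seen)

F = build(lambda e: (e["a"] and e["b"]) or (e["c"] and e["d"]))   # f = ab + cd
```

Because the form is canonical, equality of two diagrams is a plain comparison of their root values, which is how the quantification result is checked against a freshly built a ∨ d.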
Characterizing sets
Let M = (S,R,L) be a Kripke model
Let S be the set of boolean vectors $(v_1, v_2, \ldots, v_n) \in \{0,1\}^n$
Represent any $P \subseteq S$ by its characteristic function $\chi_P$
  $\chi_P = \{(v_1, v_2, \ldots, v_n) : (v_1, v_2, \ldots, v_n) \in P\}$
Set operations
– $\chi_\emptyset = \mathit{false}$,  $\chi_S = \mathit{true}$
– $\chi_{P \cup Q} = \chi_P \vee \chi_Q$,  $\chi_{P \cap Q} = \chi_P \wedge \chi_Q$
– $\chi_{S \setminus P} = \neg \chi_P$
Characterizing relations
Transition relation R is a set of state pairs…
  $\chi_R = \{((v_1, \ldots, v_n), (v'_1, \ldots, v'_n)) : ((v_1, \ldots, v_n), (v'_1, \ldots, v'_n)) \in R\}$
Examples
– A synchronous sequential circuit
(figure: a circuit with state variables v1 and v0)
R = (v’0 = v0) (v’1 = v0 v1)
Transition relations, cont...
– An asynchronous circuit
(figure: a latch built from two gates with inputs s and r and outputs q and q̄)
– Interleaving model
  (the formula for $\chi_R$ is garbled in the transcript)
– Simultaneous model
  (the formula for $\chi_R$ is garbled in the transcript)
Forward and reverse image
Forward image
  $\mathrm{Image}(P,R) = \{v' : \text{for some } v,\ v \in P \text{ and } (v, v') \in R\}$
  $\chi_{\mathrm{Image}(P,R)}(v') = \exists v.\,(\chi_P(v) \wedge \chi_R(v, v'))$
(figure: the set P and its image Image(P,R) under the relation R)
Images, cont...
Reverse image
  $\mathrm{Image}^{-1}(P,R) = \{v : \text{for some } v',\ v' \in P \text{ and } (v, v') \in R\}$
  $\chi_{\mathrm{Image}^{-1}(P,R)}(v) = \exists v'.\,(\chi_P(v') \wedge \chi_R(v, v'))$
(figure: the set P and its reverse image $\mathrm{Image}^{-1}(P,R)$ under R)
  $\mathrm{Image}^{-1}(P,R) = EX\,P$
Symbolic CTL model checking
Equate a formula f with the set of states satisfying it…
  $\{v \in S : v \models f\}$
Compute BDD’s for characteristic functions…
– $\neg p$, $p \wedge q$, $p \vee q$ (use BDD ops)
– $EX\,p = \mathrm{Image}^{-1}(p, R)$
– $AX\,p = \neg EX\,\neg p$
Remaining operators have fixed-point characterization...
  $EF\,p = p \vee EX\,EF\,p$
In fact, this is the least fixed point...
Fixed points of monotonic functions
Let $\tau$ be a function from subsets of S to subsets of S
Say $\tau$ is monotonic when $x \subseteq y$ implies $\tau(x) \subseteq \tau(y)$
Fixed point of $\tau$ is $y$ such that $\tau(y) = y$
If $\tau$ monotonic, then it has
– least fixed point $\mu y.\,\tau(y)$
– greatest fixed point $\nu y.\,\tau(y)$
Iteratively computing fixed points
Suppose S is finite
– The least fixed point $\mu y.\,\tau(y)$ is the limit of
  $\mathit{false},\ \tau(\mathit{false}),\ \tau(\tau(\mathit{false})),\ \ldots$
– The greatest fixed point $\nu y.\,\tau(y)$ is the limit of
  $\mathit{true},\ \tau(\mathit{true}),\ \tau(\tau(\mathit{true})),\ \ldots$
Note, since S is finite, convergence is finite
Example: EF p
EF p is characterized by $EF\,p = \mu y.\,(p \vee EX\,y)$
Thus, it is the limit of the increasing series...
  $p,\quad p \vee EX\,p,\quad p \vee EX(p \vee EX\,p),\quad \ldots$
...which we can compute entirely using BDD operations
Example: EG p
EG p is characterized by $EG\,p = \nu y.\,(p \wedge EX\,y)$
Thus, it is the limit of the decreasing series...
  $p,\quad p \wedge EX\,p,\quad p \wedge EX(p \wedge EX\,p),\quad \ldots$
...which we can compute entirely using BDD operations
Remaining operators
  $AF\,p = \mu y.\,(p \vee AX\,y)$
  $AG\,p = \nu y.\,(p \wedge AX\,y)$
  $E(p\,U\,q) = \mu y.\,(q \vee (p \wedge EX\,y))$
  $A(p\,U\,q) = \mu y.\,(q \vee (p \wedge AX\,y))$
Allows CTL model checking with only BDD ops
– Avoid building state graph
– (Sometimes) avoid state explosion problem
Now you can go home and build your own symbolic model checker...
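The fixed-point characterizations above are enough to write a small symbolic CTL model checker; the following is an added example, not code from the slides or from SMV. It assumes explicit Python sets in place of BDD characteristic functions, and its Kripke model is a constructed version of the mutual exclusion example: the nine states are the ones on the slide, but the transition relation is my reconstruction of the usual diagram, which the transcript does not contain.

```python
# Added example: a tiny symbolic CTL model checker in the style the slides describe.
# Assumption: explicit Python sets stand in for BDD characteristic functions, so each
# operator is a set operation, a reverse image, or a fixed-point iteration.

# Constructed Kripke model of the two-process mutual exclusion example: the nine states
# listed on the slide as (proc1, proc2, turn); the transitions are my reconstruction of
# the usual diagram, not taken from the page.
STATES = {("N","N",0), ("T","N",1), ("T","T",1), ("C","N",1), ("C","T",1),
          ("N","T",2), ("T","T",2), ("N","C",2), ("T","C",2)}
R = {(("N","N",0), ("T","N",1)), (("N","N",0), ("N","T",2)),  # start trying
     (("T","N",1), ("C","N",1)), (("T","N",1), ("T","T",1)),
     (("N","T",2), ("N","C",2)), (("N","T",2), ("T","T",2)),
     (("T","T",1), ("C","T",1)), (("T","T",2), ("T","C",2)),  # turn decides who enters
     (("C","N",1), ("N","N",0)), (("C","N",1), ("C","T",1)),
     (("C","T",1), ("N","T",2)), (("N","C",2), ("N","N",0)),  # leaving hands over turn
     (("N","C",2), ("T","C",2)), (("T","C",2), ("T","N",1))}
INIT = {("N","N",0)}

def atom(proc, st):
    """Characteristic set of an atomic proposition, e.g. atom(0, "C") is C1."""
    return {s for s in STATES if s[proc] == st}

def NOT(P): return STATES - P
def IMPLIES(P, Q): return NOT(P) | Q
def EX(P): return {s for (s, t) in R if t in P}      # reverse image of P under R
def AX(P): return NOT(EX(NOT(P)))                      # AX p = !EX !p
def IMAGE(P): return {t for (s, t) in R if s in P}   # forward image of P under R

def fix(tau, y):
    """Iterate a monotonic tau from y (false = set(), true = STATES) until stable;
    S is finite, so this terminates."""
    while tau(y) != y:
        y = tau(y)
    return y

def EF(P): return fix(lambda y: P | EX(y), set())          # mu y. p | EX y
def EG(P): return fix(lambda y: P & EX(y), set(STATES))    # nu y. p & EX y
def AF(P): return fix(lambda y: P | AX(y), set())          # mu y. p | AX y
def AG(P): return fix(lambda y: P & AX(y), set(STATES))    # nu y. p & AX y
def EU(P, Q): return fix(lambda y: Q | (P & EX(y)), set())  # mu y. q | (p & EX y)

REACH = fix(lambda y: INIT | IMAGE(y), set())  # reachable states via forward images

def holds(F):
    """A spec holds when every initial state satisfies it."""
    return INIT <= F

def violations(F):
    """Reachable states failing F; a counterexample path would be extracted from these."""
    return REACH - F

C1, C2, T1, N1 = atom(0, "C"), atom(1, "C"), atom(0, "T"), atom(0, "N")
MUTEX = AG(NOT(C1 & C2))                # AG !(C1 & C2)
LIVENESS = AG(IMPLIES(T1, AF(C1)))      # AG (T1 -> AF C1)
NONBLOCKING = AG(IMPLIES(N1, EX(T1)))   # AG (N1 -> EX T1)
TOO_STRONG = AG(IMPLIES(T1, EX(C1)))    # AG (T1 -> EX C1): fails while proc 2 holds the turn
```

On this model the three specs from the mutual exclusion slide hold, while the stronger "enter on the very next step" property fails in the two states where process 1 is trying but the turn belongs to process 2.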
Why does it work?
(figure: an OBDD drawn beside the state space it encodes)
Many partial states equivalent...
...implies many subfunctions equivalent...
When doesn’t it work?
Protocols that pass pointers
Linked lists
Anytime one part of the system “knows” a large amount of information about another part
Summary
Model checking
– Automatic verification (or falsification) of finite state systems
– Linear v. branching time logics
State explosion problem
– Binary Decision Diagrams
– Heuristically efficient boolean operations
– Image calculations
– Fixed point characterization of CTL
– Model checking without building state graph
Applications
– Find subtle errors in complex protocols