COMS W4117
Compilers and Translators:
Software Verification Tools
Lecture 22: Model Checking
November 20, 2007
Lecture Outline
- See Final Report for suggestions on how to prepare your final report.
- Review
- Model checking
1. Review
- Binary decision diagrams
- SAT
2. Model Checking
- Model checking is a technique for determining whether a desirable property of
a system design is true by exploring all states reachable by the system.
- When a design fails to satisfy a property, the technique produces a
counterexample that falsifies the property.
- The challenge in model checking is dealing with the state space explosion
problem.
- There are three steps involved in using a model checker to verify
a design:
- Modeling: creating a formalism from the design acceptable to the model
checker.
- Specification: stating the desirable property in some formalism such as
temporal logic, which asserts how the behavior of the system should
evolve over time.
- Verification: inputting the model and specification into the model checker and
then analyzing its output.
3. Kripke Structures
- A reactive system is one that interacts with its environment
without terminating. An operating system is an example of
a reactive system.
- We are interested in modeling the sequences of state transitions
a reactive system may make in interacting with its environment.
- Kripke structures are frequently used to model reactive systems.
A Kripke structure is a labeled transition system.
- A Kripke structure M over a set of atomic propositions has
four components:
- S, a finite set of states.
- A set of initial states.
- A transition relation R that is a subset of S × S. The transition
relation gives the next states that can follow a given state. Every
state x must have a successor in R; that is, for every
state x in S, there is at least one state y in S such that
(x, y) is in R.
- A labeling function that labels each state with the set of atomic
propositions that are true in that state.
- A path in the structure M from a state x is an infinite sequence
of states beginning with x such that if y and z are adjacent states
in the sequence, then (y, z) is in R.
4. Temporal Logic
- Temporal logic is a formalism for describing sequences of state transitions
in a reactive system.
- A formula in temporal logic can specify that some state is eventually
reached, or that an error state is never reached.
- Many forms of temporal logic have been defined, including
CTL (computation tree logic, a branching-time logic),
CTL* (a superset of CTL), and LTL
(linear temporal logic).
- CTL* formulas describe properties of computation trees created by
unwinding a rooted Kripke structure into an infinite tree that shows
all of the possible executions starting from the initial (root) state.
- CTL* formulas are composed of path quantifiers and temporal operators.
- The path quantifier A is "for all computation paths".
- The path quantifier E is "for some computation path".
- There are five basic temporal operators:
- X is for "next time". It asserts that a property holds in the
next state of the path.
- F is for "eventually" (or "in the future"). It asserts that a
property will hold at some state on the path.
- G is for "always" (or "globally"). It asserts that a property
holds at every state on the path.
- U is for "until". It combines two properties and asserts that there
is a state on the path where the second property holds, and that at
every preceding state on the path, the first property holds.
- R is for "release". It is the logical dual of U. It asserts that
the second property holds along the path up to and including the
first state where the first property holds. However, the first
property is not required to hold eventually.
- Example: the CTL formula EF(Start ∧ ¬Ready)
means it is possible to get to a state where Start holds but
Ready does not hold.
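As an added illustration (not part of the lecture notes), the Kripke structure of section 3 and the CTL operators above combined into a small explicit-state model checker in Python. It computes, for each subformula, the set of states that satisfy it, expresses F, G and the A quantifier through the E operators by duality, checks the initial states, and reports the witness path for the EF(Start ∧ ¬Ready) example. The three-state cycle, the propositions Start and Ready, and the nested-tuple encoding of formulas are constructed for the example and are assumptions of this code.

```python
from collections import deque


class Kripke:
    """Kripke structure M = (S, S0, R, L) as defined in section 3."""

    def __init__(self, states, initial, trans, label):
        self.S = set(states)            # finite set of states
        self.S0 = set(initial)          # initial states, a subset of S
        self.R = set(trans)             # transition relation, a subset of S x S
        self.L = {s: frozenset(label.get(s, ())) for s in self.S}  # labeling function
        # R must be total: every state needs a successor, otherwise a finite
        # sequence could not be extended to the infinite paths the logic talks about.
        for x in self.S:
            if not self.succ(x):
                raise ValueError(f"state {x!r} has no successor in R")

    def succ(self, x):
        return {y for (a, y) in self.R if a == x}

    def pred(self, y):
        return {x for (x, b) in self.R if b == y}


# CTL formulas are nested tuples, e.g. ('EF', ('AND', ('AP', 'Start'), ('NOT', ('AP', 'Ready')))).
def sat(M, f):
    """Return the set of states of M satisfying f (the explicit-state labeling algorithm)."""
    op = f[0]
    if op == 'TRUE':
        return set(M.S)
    if op == 'AP':
        return {s for s in M.S if f[1] in M.L[s]}
    if op == 'NOT':
        return M.S - sat(M, f[1])
    if op == 'AND':
        return sat(M, f[1]) & sat(M, f[2])
    if op == 'OR':
        return sat(M, f[1]) | sat(M, f[2])
    if op == 'EX':                       # some successor satisfies f1
        t = sat(M, f[1])
        return {s for s in M.S if M.succ(s) & t}
    if op == 'EU':                       # E[f1 U f2]: least fixpoint grown backwards from sat(f2)
        a, b = sat(M, f[1]), sat(M, f[2])
        result, work = set(b), deque(b)
        while work:
            y = work.popleft()
            for x in M.pred(y):
                if x in a and x not in result:
                    result.add(x)
                    work.append(x)
        return result
    if op == 'EG':                       # greatest fixpoint: drop states with no successor left inside
        result = sat(M, f[1])
        changed = True
        while changed:
            changed = False
            for s in list(result):
                if not (M.succ(s) & result):
                    result.discard(s)
                    changed = True
        return result
    # The remaining operators are expressed through the duals above.
    if op == 'EF':
        return sat(M, ('EU', ('TRUE',), f[1]))
    if op == 'AX':
        return sat(M, ('NOT', ('EX', ('NOT', f[1]))))
    if op == 'AG':
        return sat(M, ('NOT', ('EF', ('NOT', f[1]))))
    if op == 'AF':
        return sat(M, ('NOT', ('EG', ('NOT', f[1]))))
    raise ValueError(f"unknown operator {op!r}")


def check(M, f):
    """The model checking problem: M satisfies f iff every initial state satisfies f."""
    return M.S0 <= sat(M, f)


def ef_witness(M, g):
    """Shortest path from an initial state to a state satisfying g, or None.
    When AG(not g) fails, this prefix is the counterexample a model checker reports."""
    goal, parent, queue = sat(M, g), {s: None for s in M.S0}, deque(sorted(M.S0))
    while queue:
        s = queue.popleft()
        if s in goal:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in sorted(M.succ(s)):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


# Constructed example: a three-state cycle s0 -> s1 -> s2 -> s0.
M = Kripke(states=['s0', 's1', 's2'], initial={'s0'},
           trans={('s0', 's1'), ('s1', 's2'), ('s2', 's0')},
           label={'s1': {'Start'}, 's2': {'Start', 'Ready'}})
START, READY = ('AP', 'Start'), ('AP', 'Ready')
START_NOT_READY = ('AND', START, ('NOT', READY))

if __name__ == '__main__':
    print(sorted(sat(M, ('EF', START_NOT_READY))))             # every state can reach s1
    print(check(M, ('AG', ('OR', ('NOT', START), READY))))     # False: the safety property fails
    print(ef_witness(M, START_NOT_READY))                      # ['s0', 's1'] is the counterexample
    print(check(M, ('AF', READY)))                             # True: Ready is always eventually reached
```

The EU and EG cases are the two fixpoint computations every explicit-state CTL checker reduces to; on a finite structure both terminate because the candidate set only grows (EU) or only shrinks (EG). The constructor's totality check enforces the requirement from section 3 that every state has a successor, which the fixpoint arguments rely on.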
5. Model Checking Problem
- The model checking problem is: given a Kripke structure M and a
temporal logic formula, find all states in M that satisfy the
formula.
- The system satisfies the specification if all of the initial states
of M satisfy the formula.
- Many methods have been proposed for doing model checking including
methods based on automata theory and symbolic evaluation.
- Explicit-state methods, in which states are computed on the fly, are
often used for software.
- Symbolic methods, in which the transition relation is encoded as a
BDD, are often used for hardware.
- Since model checkers cannot take real programs as inputs,
abstraction is used to approximate the program.
- An over-approximation adds more behaviors than are present in
the original system.
- An under-approximation removes behaviors that are present in
the original system.
- A precise abstraction represents the same behaviors that are present in
the original system.
- Eliminating spurious errors, errors reported for the abstraction that
the original system cannot exhibit, is an important and hard problem.
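An added Python example (not from the lecture) of the abstraction step. Existential abstraction merges concrete states under a mapping h and keeps a transition between two abstract states whenever any concrete pair between them exists; this adds behaviors, so it is an over-approximation, and an error path found in the abstract model may be spurious. Replaying the abstract path on the concrete transition relation tells whether any concrete execution realises it and, if not, which abstract state is too coarse and should be split. The four-state system, the mappings H and H_REFINED and the proposition err are constructed for this example.

```python
from collections import deque

# A Kripke structure is a plain tuple (S, S0, R, L): states, initial states,
# transition relation as a set of pairs, labeling as a dict state -> set of propositions.
# Constructed concrete system: s2 and the error state s3 are unreachable from s0.
CONCRETE = (
    {'s0', 's1', 's2', 's3'},
    {'s0'},
    {('s0', 's1'), ('s1', 's1'), ('s2', 's3'), ('s3', 's3')},
    {'s3': {'err'}},
)
# Deliberately coarse abstraction function: s1 and s2 share one abstract state.
H = {'s0': 'A0', 's1': 'A1', 's2': 'A1', 's3': 'A3'}
# Refined abstraction obtained by splitting A1.
H_REFINED = {'s0': 'A0', 's1': 'A1', 's2': 'A2', 's3': 'A3'}


def abstract(M, h):
    """Existential abstraction of M under h (an over-approximation of M)."""
    S, S0, R, L = M
    aL = {}
    for s, props in L.items():
        aL.setdefault(h[s], set()).update(props)   # a block is labeled if any member is
    return (set(h.values()), {h[s] for s in S0}, {(h[x], h[y]) for (x, y) in R}, aL)


def error_path(M):
    """Shortest path from an initial state to a state labeled 'err', or None (BFS)."""
    S, S0, R, L = M
    parent = {s: None for s in S0}
    queue = deque(sorted(S0))
    while queue:
        x = queue.popleft()
        if 'err' in L.get(x, set()):
            path = []
            while x is not None:
                path.append(x)
                x = parent[x]
            return path[::-1]
        for (a, y) in sorted(R):
            if a == x and y not in parent:
                parent[y] = x
                queue.append(y)
    return None


def is_spurious(M, h, abstract_path):
    """Replay an abstract error path on the concrete system.

    Track the set of concrete states that can realise the prefix seen so far. If
    that set becomes empty the path has no concrete counterpart: the error is
    spurious, and the returned index points at the transition that could not be
    taken, so abstract_path[i-1] is the state to split in a refinement step."""
    S, S0, R, L = M
    current = {s for s in S0 if h[s] == abstract_path[0]}
    for i, a in enumerate(abstract_path[1:], start=1):
        current = {y for (x, y) in R if x in current and h[y] == a}
        if not current:
            return True, i
    return False, None


def analyze(M, h):
    """Check the abstraction for an error path and classify the result."""
    path = error_path(abstract(M, h))
    if path is None:
        return ('safe', None)            # sound: no abstract error means no concrete error
    spurious, i = is_spurious(M, h, path)
    if spurious:
        return ('spurious', path[i - 1])  # abstract state to split before checking again
    return ('real', path)


if __name__ == '__main__':
    print(error_path(CONCRETE))          # None: the concrete system never reaches err
    print(analyze(CONCRETE, H))          # ('spurious', 'A1'): the merged state invents a path
    print(analyze(CONCRETE, H_REFINED))  # ('safe', None): after splitting A1 the error is gone
```

Two points the run makes concrete. First, a spurious path does not establish the property; the loop is refine and re-check, and only an abstract model with no error path proves the concrete system safe, because the over-approximation contains every concrete behavior. Second, a single abstract path can be spurious even when a real error exists elsewhere (adding the transition s1 -> s2 to CONCRETE makes s3 reachable, yet the shortest path under H is still judged spurious), which is why refinement must continue until the abstract model is either error-free or yields a path that replays on the concrete system. An under-approximation behaves dually: an error it reports is real, but a pass is inconclusive.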
6. SPIN Model Checker
- Widely used model checker for system software.
- SPIN uses the PROMELA language to describe the system. A Kripke structure
is generated on the fly during model checking.
- SPIN translates LTL formulae into Büchi automata.
- Gerard Holzmann was given the ACM Software System Award
for SPIN in 2002.
7. Reading
aho@cs.columbia.edu