
8/8/2007 - Demonstration Of SPIN (Model Checking) - PDF document



1. (page 1)

Demonstration Of SPIN
By Mitra Purandare

Model Checking Motivation
- More and more complex systems
- Increased dependability: everything important depends on computers
- Increased functionality: security, mobility
- Testing is becoming humanly unmanageable!

Implications
- More efficient methods for test and verification needed.
- Formal Verification is the most promising approach.
- Experts in these new methods lacking!!
- Job: a great motivation to study formal methods!

Testing
- Dynamic execution/simulation of the system
- Generating test-cases: limited by the tester's ability to devise test-cases
- To prove: absence of a certain bug?
- To prove: presence of a certain property?
- Is CSARDAS 100% correct?
- Testing: not formal/mathematical!

Formal Verification
- Problem: does an implementation satisfy a property?
- Two basic categories:
  - Theorem provers: infinite state systems, time-consuming, not really automated
  - Model checkers: exhaustive state space exploration, finite state systems, automated

Model Checking
- Introduced by Clarke and Emerson, Queille and Sifakis in 1981
- Given a property (P) and a system (M), does M ⊨ P?
  - Yes: P holds in M
  - No: generate a trace which shows the property violation

2. (page 2)

Example: Model and Property
- Model: Kripke structure, finite state machine, automaton
  [Figure: a small Kripke structure with states labelled a, b, c and atomic propositions p, q]
- Property: CTL / LTL
- Result (LTL):
  - Safety property: G !p
  - Liveness property: F q, q U p
  [Figure: an execution a b c ... violating G !p, and an execution a b a b a ... ]

Model Checking
- Explicit state model checking: explicit state representation, Kripke structure (graph)
- Symbolic: uses BDDs to represent sets of states
- Nowadays SAT solvers!

Tools
- SPIN (Bell Labs)
- SMV, NuSMV (CMU)
- Mocha (Penn)
- JPF (Java Path Finder, NASA)
- Bandera (KSU)
- BLAST (Berkeley)
- MAGIC (CMU)
- FormalCheck (Cadence)
- RuleBase (IBM, Haifa)
- SLAM, Zing (Microsoft Research)
- FormalPro (Mentor Graphics)

SPIN (Simple Promela INterpreter)
- Developed by G.J. Holzmann @ Bell Labs
- Promela (PROtocol MEta LAnguage)
- Publicly available since 1991
- Prestigious ACM System Software Award for 2001
- Most efficient and scalable
- Still active research -> good support

SPIN
- Explicit state LTL model checker
- On-the-fly reachability
- Partial order reduction to reduce the state space
- Targets software verification
- Scales well for large problem sizes

The Cabbage-Goat-Wolf problem!
- Ferryman with C, G, W and a boat on one side of a river
- Only the ferryman can row the boat
- The ferryman can take only one item at a time
- Not goat and wolf together without the ferryman
- Not goat and cabbage together without the ferryman
- GOAL: the ferryman wants to take all 3 items to the other side!

3. (page 3)

Property
- Goal: wolf_location = destination & goat_location = destination & cabbage_location = destination & ferryman_location = destination
- Restriction 1: wolf_location = goat_location & ferryman_location != wolf_location
- Restriction 2: goat_location = cabbage_location & ferryman_location != cabbage_location
- !(Restriction 1 | Restriction 2) U Goal

State Transition Diagram
- 4 variables: ferryman, cabbage, goat, wolf respectively
- 1: on this bank, 0: other bank, i.e. the destination
  [Figure: state transition diagram over the 16 four-bit states, from 1111 to 0000, e.g. 1011, 0010, 1010, 1000, 0111, 0011, 0101, 1111, 0001, 1101, 1001, 0000, 1100, 0110, 1110, 0100]

SPIN References
- http://spinroot.com/spin/whatispin.html
- THE SPIN MODEL CHECKER: Primer and Reference Manual: Holzmann
- Model Checking: Clarke, Grumberg and Peled
- Symbolic Model Checking: Kenneth L. McMillan
- OR come to the H-Floor! :)

Challenges
- Coverage
- Reliability
- Repair
- Scalability
- Infinite state systems
- Specification
- Interoperability

Future
- Bounded model checking
- SAT solvers
- Abstraction and refinement
- Hybrid systems
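As an added illustration that is not part of the slides, the script below is a minimal explicit-state checker in the spirit of SPIN's on-the-fly reachability, built from the Cabbage-Goat-Wolf model, the Property slide's Goal/Restriction predicates and the four-bit encoding of the State Transition Diagram slide. Function names (explore, solve, describe) and the bit-tuple state representation are my own choices. It shows both halves of the "Yes / No, generate a trace" picture from the Model Checking slide: exhaustive exploration enumerates the 16 states of the unrestricted model and the 10 states that survive the restrictions, and checking the deliberately false claim "the goal is never reached" on the restricted model makes the reported counterexample trace exactly a solution to the puzzle, which is the same trick one plays with SPIN.

```python
from collections import deque

# Added example (not from the slides): an explicit-state reachability checker in the style
# of SPIN's on-the-fly search, applied to the Cabbage-Goat-Wolf model from the slides.
# State encoding follows the "State Transition Diagram" slide: a tuple of 4 bits for
# (ferryman, cabbage, goat, wolf); 1 = on this bank, 0 = other bank (the destination).

INIT = (1, 1, 1, 1)          # everyone starts on this bank
NAMES = ("ferryman", "cabbage", "goat", "wolf")


def goal(s):
    """Goal from the Property slide: every location equals the destination (0)."""
    return s == (0, 0, 0, 0)


def restriction1(s):
    """wolf_location = goat_location & ferryman_location != wolf_location"""
    f, _, g, w = s
    return w == g and f != w


def restriction2(s):
    """goat_location = cabbage_location & ferryman_location != cabbage_location"""
    f, c, g, _ = s
    return g == c and f != c


def unsafe(s):
    return restriction1(s) or restriction2(s)


def successors(s):
    """All moves: the ferryman crosses alone, or with one item that is on his bank."""
    f = s[0]
    moves = [(1 - f,) + s[1:]]                  # row across alone
    for i in range(1, 4):
        if s[i] == f:                            # item is on the ferryman's bank
            t = list(s)
            t[0] = t[i] = 1 - f
            moves.append(tuple(t))
    return moves


def safe_successors(s):
    """The model with Restriction 1 and 2 enforced on every next state."""
    return [t for t in successors(s) if not unsafe(t)]


def explore(init, step, bad):
    """Explicit-state breadth-first search: shortest trace (list of states) from init
    to a state satisfying bad(), or None if no such state is reachable.
    This is the 'No, generate a trace' side of checking the claim G !bad."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in step(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def reachable(init, step):
    """Set of reachable states: what an exhaustive state-space exploration visits."""
    seen = {init}
    stack = [init]
    while stack:
        s = stack.pop()
        for t in step(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def solve():
    """Check the (false) claim 'G !goal' on the restricted model; the counterexample
    trace the checker reports is a solution of the puzzle."""
    return explore(INIT, safe_successors, goal)


def describe(trace):
    """One human-readable crossing per transition of a trace."""
    lines = []
    for a, b in zip(trace, trace[1:]):
        moved = [NAMES[i] for i in range(1, 4) if a[i] != b[i]]
        lines.append(f"{''.join(map(str, a))} -> {''.join(map(str, b))}: ferryman crosses "
                     + (f"with the {moved[0]}" if moved else "alone"))
    return lines


if __name__ == "__main__":
    print(f"{len(reachable(INIT, successors))} states in the unrestricted model, "
          f"{len(reachable(INIT, safe_successors))} in the restricted one")
    print("\n".join(describe(solve())))
```

Running the script lists the 7 crossings of the shortest solution; running explore(INIT, successors, unsafe) instead checks the unrestricted model against "G !(Restriction 1 | Restriction 2)" and reports the two-state counterexample in which the ferryman rows away alone, which is why the slides fold the restrictions into the property rather than trusting the raw transition system.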
