Model Checking My 27 year quest to overcome the My 27 year quest to - PowerPoint PPT Presentation

Model Checking Model Checking My 27 year quest to overcome the My 27 year quest to overcome the state explosion problem state explosion problem Edmund Clarke Edmund Clarke Computer Science Department Computer Science Department Carnegie Mellon University Carnegie Mellon University

Intel Pentium FDIV Bug Intel Pentium FDIV Bug  Try 4195835 – 4195835 / 3145727 * 3145727. Try 4195835 – 4195835 / 3145727 * 3145727. – In 94’ Pentium, it doesn’t return 0, but 256. In 94’ Pentium, it doesn’t return 0, but 256.  Intel uses the SRT algorithm for floating point division. Intel uses the SRT algorithm for floating point division. Five entries in the lookup table are missing. Five entries in the lookup table are missing.  Cost: $500 million Cost: $500 million  Xudong Zhao’s Thesis on Word Level Model Checking Xudong Zhao’s Thesis on Word Level Model Checking

Recent Rumor: New AMD TLB Recent Rumor: New AMD TLB Bug?? Bug?? AMD Family 10h revision B2 processors suffer from an issue in AMD Family 10h revision B2 processors suffer from an issue in  the processor TLB ( (Translation Translation L Lookaside ookaside B Buffer uffer). ). the processor TLB Launch date of these processors rocessors was delayed in September, 2007. was delayed in September, 2007. Launch date of these p  AMD doesn’t have official announcement yet, but you can google  AMD doesn’t have official announcement yet, but you can google “AMD Barcelona bug arcelona bug” for plenty of discussion. ” for plenty of discussion. “AMD B

Temporal Logic Model Temporal Logic Model Checking Checking  Model checking is an Model checking is an automatic verification technique automatic verification technique for finite state concurrent systems. for finite state concurrent systems.  Developed independently by Developed independently by Clarke and Emerson Clarke and Emerson and and by Queille and Sifakis Queille and Sifakis in early 1980’s. in early 1980’s. by  Specifications Specifications are written in are written in propositional temporal propositional temporal logic logic. .  Verification procedure is an Verification procedure is an exhaustive search of the exhaustive search of the state space of the design. of the design. state space

Advantages of Model Advantages of Model Checking Checking  No proofs!!! No proofs!!!  Fast (compared to other rigorous methods such as Fast (compared to other rigorous methods such as theorem proving) theorem proving)  Diagnostic counterexamples Diagnostic counterexamples  No problem with partial specifications No problem with partial specifications  Logics can easily express many concurrency properties Logics can easily express many concurrency properties

Main Disadvantage Main Disadvantage State Explosion Problem: : State Explosion Problem 1,0 0,0 1,1 0,1 2-bit counter n-bit counter has 2 n states

Main Disadvantage Contd. Main Disadvantage Contd. a 1 n states, || b 2 m threads c 3 1,a n m states 2,a 1,b 2,b 3,a 1,c 3,b 2,c 3,c

Main Disadvantage Contd. Main Disadvantage Contd. State Explosion Problem: : State Explosion Problem Unavoidable in worst case, but steady progress over the past 27 years using clever algorithms, data structures, and engineering

LTL - Linear Time Logic LTL - Linear Time Logic Determines Patterns on Infinite Traces Determines Patterns on Infinite Traces a Atomic Propositions Atomic Propositions Boolean Operations Boolean Operations Temporal operators Temporal operators a “a is true now” a “a is true now” X a “a is true in the neX Xt state” t state” X a “a is true in the ne Fa “a will be true in the F Future” uture” Fa “a will be true in the Ga “a will be G Globally true in the future” lobally true in the future” Ga “a will be a U b “a will hold true U Until b becomes true” ntil b becomes true” a U b “a will hold true

LTL - Linear Time Logic LTL - Linear Time Logic Determines Patterns on Infinite Traces Determines Patterns on Infinite Traces a Atomic Propositions Atomic Propositions Boolean Operations Boolean Operations Temporal operators Temporal operators a “a is true now” a “a is true now” X a “a is true in the neXt state” X a “a is true in the neXt state” Fa “a will be true in the F Future” uture” Fa “a will be true in the Ga “a will be G Globally true in the future” lobally true in the future” Ga “a will be a U b “a will hold true U Until b becomes true” ntil b becomes true” a U b “a will hold true

LTL - Linear Time Logic LTL - Linear Time Logic Determines Patterns on Infinite Traces Determines Patterns on Infinite Traces a Atomic Propositions Atomic Propositions Boolean Operations Boolean Operations Temporal operators Temporal operators a “a is true now” a “a is true now” X a “a is true in the neX Xt state” t state” X a “a is true in the ne Fa “a will be true in the Future” Fa “a will be true in the Future” Ga “a will be G Globally true in the future” lobally true in the future” Ga “a will be a U b “a will hold true U Until b becomes true” ntil b becomes true” a U b “a will hold true

LTL - Linear Time Logic LTL - Linear Time Logic Determines Patterns on Infinite Traces Determines Patterns on Infinite Traces a a a a a Atomic Propositions Atomic Propositions Boolean Operations Boolean Operations Temporal operators Temporal operators a “a is true now” ” a “a is true now X a “a is true in the neX Xt state” t state” X a “a is true in the ne Fa “a will be true in the F Future” uture” Fa “a will be true in the Ga “a will be Globally true in the future” Ga “a will be Globally true in the future” a U b “a will hold true U Until b becomes true” ntil b becomes true” a U b “a will hold true

LTL - Linear Time Logic LTL - Linear Time Logic Determines Patterns on Infinite Traces Determines Patterns on Infinite Traces a a a a b Atomic Propositions Atomic Propositions Boolean Operations Boolean Operations Temporal operators Temporal operators a “a is true now” a “a is true now” X a “a is true in the neX Xt state” t state” X a “a is true in the ne Fa “a will be true in the F Future” uture” Fa “a will be true in the Ga “a will be G Globally true in the future” lobally true in the future” Ga “a will be a U b “a will hold true Until b becomes true” a U b “a will hold true Until b becomes true”

Branching Time Branching Time

CTL: Computation Tree Logic CTL: Computation Tree Logic EF g “g will possibly become true”

CTL: Computation Tree Logic CTL: Computation Tree Logic AF g “g will necessarily become true”

CTL: Computation Tree Logic CTL: Computation Tree Logic AG g “g is an invariant”

CTL: Computation Tree Logic CTL: Computation Tree Logic EG g “g is a potential invariant”

CTL: Computation Tree Logic CTL: Computation Tree Logic CTL uses the temporal operators CTL uses the temporal operators AX, AG, AF, AU AX, AG, AF, AU EX, EG, EF, EU EX, EG, EF, EU CTL* allows complex nestings such as allows complex nestings such as CTL* AXX, AGX, EXF, ... AXX, AGX, EXF, ... CTL: linear model checking algorithm ! CTL: linear model checking algorithm !

Model Checking Problem Model Checking Problem  Let Let M M be a be a state-transition graph state-transition graph. .  Let Let ƒ ƒ be the be the specification specification in temporal logic. in temporal logic.  Find all states Find all states s s of of M M such that such that M, s |= ƒ M, s |= ƒ . . • CTL Model Checking: CE 81; CES 83/86; QS 81/82. CTL Model Checking: CE 81; CES 83/86; QS 81/82. • LTL Model Checking: LP 85. LTL Model Checking: LP 85. • Automata Theoretic LTL Model Checking: VW 86. Automata Theoretic LTL Model Checking: VW 86. • CTL* Model Checking: EL 85. CTL* Model Checking: EL 85.

Model of computation Model of computation Microwave Oven Example State-transition graph describes system evolving ~ Start ~ Close over time. ~ Heat ~ Error ~ Start Start ~ Start Close ~ Close Close Heat ~ Heat ~ Heat ~ Error Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error

Temporal Logic and Model Temporal Logic and Model Checking Checking The oven doesn’t heat up heat up until the until the door is closed door is closed . . The oven doesn’t • Not heat_up heat_up holds holds until until door_closed door_closed Not • ( ~ ~ heat_up heat_up) ) U U door_closed door_closed ( •

Model Checking Model Checking Hardware Description Informal (VERILOG, VHDL, SMV) Specification compilation manual algorithmic verification Transition System Temporal Logic Formula (Automaton, Kripke structure) (CTL, LTL, etc.)