CIS 6930 Automated Verification

1
CIS 6930 Automated Verification

• Tuba Yavuz-Kahveci
• University of Florida
• Spring 2006

2
Course Organization

• Scope Software Model Checking
• Class web page http//www.cise.ufl.edu/tyavuz/ci
  s6930-sp06/index.html
• Textbook None
• Tentative reading list will be available on the
  course web page

3
Course Organization

• Attendance is mandatory!
• Homeworks (25)
• Written homeworks
• Experimentation with the model checking tools
• Take-home exam (25)
• Project (50)
• Case study
• Survey
• Tool extension

4
Introduction

• Model Checking is an automated and exhaustive
  correctness verification technique for finite
  state concurrent systems
• User does not need to be a formal methods expert
• Unlike testing, model checking can show absence
  of errors
• If the property cannot be verified then a
  counter-example path is provided

5
Challenges

• State-explosion problem
• Exhaustiveness comes with the price of
  scalability problem!
• State space of a program/model can be exponential
  in the number of
• Variables
• Concurrent components

6
Challenges

• Alleviating state explosion problem
• State compression
• Avoiding redundant paths
• Symbolic representations
• Compositional reasoning
• Abstraction

7
Challenges

• Infinite-state systems
• Why to bother?
• Unbounded integer variables
• Dynamic data structures
• Unbounded number of processes
• Model checking becomes undecidable!
• Powerful abstractions
• Precise yet bounded abstract representations and
  transformations

8
The Big Picture
9
Specification

• System specification
• Input language of the model checker
• High-level programming language
• Correctness property specification
• Temporal logic

10
Temporal Logic

• A formalism for describing ordering of
  states/events
• Input/output pairs are good for transformational
  systems
• Temporal logic is good for reactive systems,
  which continuously interact with the environment

11
Temporal Logic

• Example properties for an ATM
• Always asks the password
• If withdrawal is selected and there is enough
  money then eventually the requested amount is
  delivered
• Deposit is not complete until the envelope is
  inserted

Boolean connectives
Temporal operators

12
Temporal Logic

• Linear Time Temporal Logic (LTL)
• The property must be satisfied by each path of
  the transition system
• Computation Tree Logic (CTL)
• System computation is perceived as a tree and the
  computation tree should obey the branching
  dictated by the property

13
How does model checking work?
14
How does model checking work?
Program or High-level Design
Model Checker
Correct!
(S state space, I initial states, R
transition relation)
Yes!
Are all initial states in SP, the set of states
that satisfy p?
No!
Not correct! And here is why
Correctness Property
P temporal logic formula
State1 (initial) State2 State3
Bad state
Symbolic Model Checking
15
Tools

• Explicit-state model checkers
• Spin
• Java Pathfinder
• Verisoft
• Symbolic model checkers
• SMV, nuSMV
• ALV