A brief history of model checking

1
A brief history ofmodel checking

• Ken McMillan
• Cadence Berkeley Labs
• mcmillan_at_cadence.com

2
Outline

• Part I -- Introduction to model checking
• Automatic formal verification of finite-state
  systems
• Applications
• Commercial hardware design
• Avionics, chemical plant control, automotive,
  etc.
• Part II -- A brief history of model checking
• Influence of many abstract ideas from logic on
  the development of model checking

3
The Verification Problem

• Debugging chips by simulation...
• consumes greater than half of design time,
• is unreliable
• Escapes can cost up to 500M,
• is increasing in cost as chip densities scale up

4
Model Checking
G(p Þ F q)

• input
• temporal logic spec
• finite-state model
• output
• yes
• no counterexample
• (look ma, no test vectors!)

yes
MC
no
p
p
q
q
2
5
Temporal logic (LTL)

• A logical notation that allows to
• specify relations in time
• conveniently express finite control properties
• Temporal operators
• G p henceforth p
• F p eventually p
• X p p at the next time
• p W q p unless q

5
6
Types of temporal properties

• Safety (nothing bad happens)
• G (ack1 ack2) mutual exclusion
• G (req Þ (req W ack)) req must hold
• until ack
• Liveness (something good happens)
• G (req ÞF ack) if req, eventually ack
• Fairness
• GF req Þ GF ack if infinitely often req,
  infinitely often ack

6
7
Computation tree logic (CTL)

• Branching time model
• Path quantifiers
• A for all future paths
• E for some future path
• Example AF p inevitably p

p
p
AFp
p
7
8
CTL model checking algorithm

• Example AF p inevitably p
• Complexity
• linear in size of model (FSM)
• linear in size of specification formula

AFp
AFp
Note LTL is exponential in formula size
9
9
Example traffic light controller
S
E
N

• Guarantee no collisions
• Guarantee eventual service

10
10
Specifications

• Safety (no collisions)
• AG Ø (E_Go Ù (N_Go S_Go))
• Liveness
• AG (Ø N_Go Ù N_Sense Þ AF N_Go)
• AG (Ø S_Go Ù S_Sense Þ AF S_Go)
• AG (Ø E_Go Ù E_Sense Þ AF E_Go)
• Fairness constraints
• infinitely often Ø(N_Go Ù N_Sense)
• infinitely often Ø(S_Go Ù S_Sense)
• infinitely often Ø(E_Go Ù E_Sense)
• (assume each sensor off infinitely often)

14
11
Counterexample

• East and North lights on at same time...

N light goes on at same time S light goes off. S
takes priority and resets NS_Lock
15
12
State explosion problem

• What if the state space is too large?
• too much parallelism
• data in model
• Approaches
• Abstraction/reduction
• Symbolic methods
• Exploiting symmetry
• Partial order methods

20
13
Binary Decision Diagrams

• Ordered decision tree for f ab cd

a
0
1
b
b
0
1
0
1
c
c
c
c
0
1
0
1
0
1
0
1
d
d
d
d
d
d
d
d
21
14
OBDD reduction

• Reduced (OBDD) form

a
1
0
b
0
1
c
1
0
1
d
0
0
1
Key idea combine equivalent subcases
22
15
Symbolic model checking

• Basic idea
• Use BDDs to represent sets and relations
• Avoid explicitly representing states
• Transition relations

R(a,b,a,b)
a,b
a,b
24
16
Image computation

• EX p states that can reach p in one step

EXp
p
EX p v. (R(v,v) Ù p(v))
Note a. f f a0 f a1
25
17
Fixed point iteration

• EF p states that can reach p

S0 p
S1
...
Sw
Si1 Si \/ EX Si
...Model checking without building state graph
26
18
Example Gigamax cache protocol

• First commercial application
• Method scales well with system size
• Finds very subtle escapes

33
19
Genealogy of model checking
Many ideas from logic influence development of
model checking...
Logics of Programs
Temporal/ Modal Logics
Tarski
w-automata S1S
m-calc
CTL Model Checking
LTL MC
ATV
QBF
BDD
Symbolic Model Checking
20
Logics of programs

• Floyd/Hoare/Dijkstra
• Give precise definitions of programming languages
• Allows reasoning about programs
  (proofs/derivations)
• Pre-post conditions/ weakest precondition
• example assignment axioms

true x y x y
P x y P (no x in P)
21
Concurrent programs

• Pnueli
• Concurrent vs. sequential programming
• need to characterize execution sequences
• proposes use of temporal logic

sequential
concurrent
A
A
B
B
call
ret
22
Temporal and modal logics

• Roots in philosophical logic
• Tense logic -- formalizing linguistic time
• If a, then b before c
• Modal logic -- reasoning about possibility
• If I had run I would have caught my plane
• New use in computer science
• characterize the interactions of parallel
  processes

G req Þ F ack
23
Genealogy
Floyd/Hoare late 60s
Aristotle 300sBCE Kripke 59
Logics of Programs
Temporal/ Modal Logics
Pnueli, late 70s
24
CTL Model checking

• Reasoning about properties of non-deterministic
  programs
• branching time properties of programs
• fixed point characterizations (Tarski)
• every monotonic function has least/greatest fixed
  point
• key idea apply to finite graphs, not infinite
  trees
• can directly calculate Tarski fixed points
• Applications
• finite state machines in hardware
• protocols
• proved incorrectness of some published designs

25
Genealogy, cont
Logics of Programs
Temporal/ Modal Logics
Tarski
50s
CTL Model Checking
Clarke/Emerson Early 80s
Some published circuits are proved incorrect
26
Decidable logics and automata

• Büchi
• S1S -- reason about sets of natural numbers
• Automata on infinite words
• characterize set of models of formula
• example sets that contain the odd numbers
• Deep connection between logics and automata

0,1
0
0,1
1
27
LTL model checking

• Vardi and Wolper
• Apply Büchis technique to LTL
• Automaton construction yields optimal decision
  algorithm
• Kurshan
• Specify properties directly as automata
• example infinitely often p (GFp)

p
Øp
true
28
Genealogy
Logics of Programs
Temporal/ Modal Logics
Büchi, 60
Tarski
w-automata S1S
CTL Model Checking
LTL MC
ATV
Vardi/ Wolper
Kurshan
mid 80s
29
Symbolic Model Checking

• State explosion problem
• graph model guarantees worst-case complexity
• Characterize sets and relations by Boolean
  formulas
• compute Tarski fixed points directly on formulas
• Use BDDs to represent formulas
• efficient canonical form

EXp v. (R Ù p) (QBF)
30
Mu-calculus

• Parks Mu-Calculus
• Logic of relations with fixed point operator
• Can express transitive closure
• Nicely characterizes what SMC can compute
• SMC algorithm for Mu-calculus
• Use to express symbolic algorithms for
• CTL, LTL model checking
• Automaton containment, etc...
• Note bad specification logic, but good for
  describing algorithms

AFp mQ. p Ú AX Q
31
Genealogy, cont.
Logics of Programs
Temporal/ Modal Logics
Tarski
w-automata S1S
Park 60s
m-calc
CTL Model Checking
LTL MC
ATV
QBF
BDD
Bryant mid 80s
Symbolic Model Checking
late 80s

• Note first commercial application in 1990
• Encore Gigamax cache protocols

32
Applications

• Hardware Design
• Encore Gigamax
• Intel instruction decoder
• SGI cache protocol chip
• Other areas
• Avionics (TCAS)
• Chemical plant control
• Nuclear storage facilities (!)
• Commercial tools
• Cadence, IBM, Synopsys

33
A convergence of research areas in logic

• Many areas of logic have shaped the discourse in
  model checking
• Logics of programs
• Temporal/Modal logics
• Tarski fixed point theory
• Decidable logics -- S1S/automata
• Parks mu-calculus
• Much of this work is quite abstract, but has
  strongly influenced practical work in model
  checking