Introduction In Practice State Explosion Problem Infinity and Uncomputability Techniques References. Model Checking. Toryn Qwyllyn Klassen

Transcription

1 Model Checking Toryn Qwyllyn Klassen April 13, 2010

2 Limitations of testing Testing cannot in general prove that a program works. Some program states are usually not covered. Concurrent systems are particularly difficult to test. There is a need for formal methods to verify program properties. One formal method is model checking.

3 What is Model Checking? Suppose that we represent a program as a Kripke structure essentially, a finite graph of states. Model checking is checking to see if a logical statement hold for this graph i.e. to see if the graph is a model (as the term is used in formal logic) of the graph. The model in model checking does not (or, at least, originally did not) refer to the graph being a model of the program.

4 Selected Real-World Uses of Model Checking Hardware items such as circuits are often verified with model checking. Microsoft has used model checking to verify device drivers. Even NASA has used model checking on its software (more on next slide).

5 Example Model Checker An example is the Java Pathfinder, made by NASA: JPF is a custom Java virtual machine which checks the code it runs. It s licensed under NASA Open Source Agreement version 1.3. The JPF was used to find errors in NASA s K9 rover s software (see releases/2005/05_28ar.html). See for more information about the JPF, and model checking in general.

6 State Explosion Problem The main difficulty in model checking is the number of states that must be considered f the overall program configuration is captured by n variables where the i-th is selected from some set of s i different possible values, then the number of possible configurations is n 1 i=0 s i = s 0 s 1 s 2 s n 1 The graph size is exponential in the number of variables.

7 Example A kilobyte of memory may be in up to = = different configurations.

8 Infinite State Spaces For software systems, the problem is, in the general case, even worse than this. The variables of programs may be data structures of unbounded size. Thus, the space of possible state combinations is infinite.

9 Infinite State Spaces (continued) How to deal with unbounded numbers of states? One approach: create a finite abstraction of the software system in question. Alternatively, we could just use a model checker to test the program in small situations, or let the model checker keep running until it found an error. There are mathematical techniques to reason about such infinite systems, but no such technique can tell us all we might want to know.

10 Uncomputability There are limits to what model checking can tell us. Theorem (Rice s Theorem) Any non-trivial question about the output of a program is undecidable.

11 Uncomputability There are limits to what model checking can tell us. Theorem (Rice s Theorem) Any non-trivial question about the output of a program is undecidable. The only trivial questions are those for which the answer is the same for all programs.

12 Fighting the State Explosion Problem From here on, we will consider finite systems, leaving aside consideration of infinite ones. What techniques can be we use to reduce the number of states that are to be considered?

13 1. Compositional reasoning Software (or hardware) systems tend to be made up of components that may be able to be checked individually. Verification of the components of the system may, along with perhaps a bit more work, serve to verify the system as a whole.

14 2. Partial Order Reduction For concurrent programs, often different threads have some degree of independence in that many instructions within a thread will not affect other threads directly. Partial Order Reduction is the elimination from consideration of states from execution sequences that are equivalent. According to the Java Pathfinder website, Partial Order Reduction typically results in more than 70% reduction of state spaces.

15 3. Symmetry reduction Sections of a program state graph are often similar or even identical to each. If the system can be partitioned into equivalence classes of states that are somehow symmetric, then fewer states may need to be checked (e.g. one representative for each equivalence class may suffice).

16 References and Further Reading The Birth of Model Checking by Edmund M. Clarke. The Beginning of Model Checking: A Personal Perspective by E. Allen Emerson. The State Explosion Problem by Joost-Pieter Katoen. fileadmin/user_upload/documents/mc08/mc_lec5a.pdf Model checking by E. M. Clarke, Orna Grumberg, and Doron Peled. Much of it is on Google books at Exact and Approximate Strategies for Symmetry Reduction in Model Checking by Alastair F. Donaldson and Alice Miller.

17 References and Further Reading (continued) Wikipedia has articles on many of these topics, such as Model checking Kripke structure Wikipedia also has a List of model checking tools. The Java Pathfinder site mentioned earlier, has some good introductory material. There is also an older version of the site at which is perhaps easier to navigate.