Automatic Verification of Finite State Concurrent Systems

Transcription

1 Automatic Verification of Finite State Concurrent Systems Edmund M Clarke, Jr Computer Science Department Carnegie Mellon University Pittsburgh, PA 523

2 Temporal Logic Model Checking Specification Language: A propositional temporal logic Verification Procedure: Exhaustive search of the state space of the concurrent system to determine truth of specification E M Clarke and E A Emerson Synthesis of synchronization skeletons for branching time temporal logic In Logic of programs: workshop, Yorktown Heights, NY, May 98, volume 3 of Lecture Notes in Computer Science Springer-Verlag, 98 JP Quielle and J Sifakis Specification and verification of concurrent systems in CESAR In Proceedings of the Fifth International Symposium in Programming, volume 37 of Lecture Notes in Computer Science Springer-Verlag, 98 2

3 Why Model Checking? Advantages: No proofs!!! Fast Counterexamples No problem with partial specifications Logics can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too many processes Data Paths Much progress recently!! 3

4 Outline of Talk Temporal Logic (CTL, CTL, and LTL) 2 Model Checking Problem 3 Some Notable Successes 4 Symbolic Model Checking with Binary Decision Diagrams 5 Tomorrow: Symbolic Model Checking without Binary Decision Diagrams 6 Directions for Future Research 4

5 Temporal Logic a b State Transition Graph or Kripke Model b c c a b b c c a b c c Infinite Computation Tree (Unwind State Graph to obtain Infinite Tree) 5

6 Computation Tree Logics Let be a Kripke Structure, and let be the transition relation for A path is an infinite sequence of states such that for every, Path quantifier: A for every path E there exists a path 2 Temporal Operator: X holds next time F holds sometime in the future G holds globally in the future U holds until holds 6

7 The Logic CTL! Two types of formulas in CTL" : A state formula is either # $, if $ is an atomic proposition, or # %'&, & ( ), or & * ) where & and ) are state formulas, or # E & or A & where & is a path formula 2 A path formula is either # A state formula, or # %'&, & ( ), & * ), X &, F &, G &, or & U ) where & and ) are path formulas 7

8 The Logics CTL and LTL In CTL each of the linear-time operators +,,, -, and U must be immediately preceded by a path quantifier Example: AG EF / In Linear temporal logic (LTL) formulas have the form A 2 where 2 is a path formula in which the only state subformulas are atomic propositions Example: A FG/ 8

9 The Meaning of Path Quantifiers Let 3 be a Kripke structure, 465 be a state of 3, and 7 be a path formula, then 8 3 9:4 5 ;< E7 if and only if there exist a path = starting at 4 5, such that 3 9>= ;< :4 5 ;< A7 if and only if for all paths = starting at 4 5, we have 3 9>= ;< 7 9

10 Expressive Power It can be shown that the three logics CTL*, CTL, and LTL have different expressive powers For example, there is no CTL formula that is equivalent to the LTL formula A? Likewise, there is no LTL formula that is equivalent to the CTL formula AG? The disjunction A? AG? is a CTLE formula that is not expressible in either CTL or LTL

11 Basic CTL Operators This lecture will deal primarily with CTL The four most widely used CTL operators are illustrated below Each computation tree has the state F G as its root g g g g H I FG JK EF L H I FG JK AF L g g g g g g g g g g H I FG JK EG L H I FG JK AG L

12 Typical CTLM formulas N EFOPRQSUTVQWYX Z ['\ WYS]X_^a` : it is possible to get to a state where Started holds but Ready does not hold N AGOb\ W6c d AF e fhgi` : if a Request occurs, then it will be eventually Acknowledged N AGO AF j Wk]lfhWYm nos]p qrw6xs` : DeviceEnabled holds infinitely often on every computation path N AGO EF \ WYt6QSUTVQ` : from any state it is possible to get to the Restart state N AO GF m nossphqw6x d GF m uvw6fxwyqw6xs` : if a process is infinitely-often Enabled, then it is infinitely-often Executed Note that the first four formulas are CTL formulas The last is an LTL formula, not expressible in CTL 2

13 2 Model Checking Problem Let z be the state transition graph obtained from the concurrent system Let { be the specification expressed in temporal logic Find all states of z such that z } ~ {v Efficient model checking algorithms exist for CTL E M Clarke, E A Emerson, and A P Sistla Automatic verification of finite-state concurrent systems using temporal logic specifications ACM Trans Programming Languages and Systems, 8(2):pages , 986 3

14 The EMC System Preprocessor Model Checker (EMC) CTL formulas State Transition Graph 4 to 5 states True or Counterexample 4

15 H Hiraishi (Kyoto University) Vectorized version of EMC algorithm on Fujitsu FACOM VP4E Vector Processor using an explicit representation of the state transition graph State Machine size: 3,72 states 67,8,864 transitions 52 transitions from each state on the average CTL formula: 3 different subformulas Time for model checking: 225 seconds!! 5

16 3 Notable Examples The following examples illustrate the power of model checking to handle industrial size problems They come from many sources, not just my research group ƒ Edmund M Clarke, Jeannette M Wing, et al Formal methods: State of the art and future directions ACM Computing Surveys, 28(4): , December 996 6

17 Notable Examples IEEE Futurebus In 992 Clarke and his students at CMU used SMV to verify the cache coherence protocol in the IEEE Futurebus+ Standard They constructed a precise model of the protocol and attempted to show that it satisfied a formal specification of cache coherence They found a number of previously undetected errors in the design of the protocol This was the first time that formal methods have been used to find errors in an IEEE standard Although development started in 988, all previous attempts to validate Futurebus+ were based on informal techniques 7

18 Notable Examples IEEE SCI In 992 Dill and his students at Stanford used Mur to verify the cache coherence protocol of the IEEE Scalable Coherent Interface They modeled a typical configuration using the C code in the definition of the SCI standard Since the number of states of the model was very large, they verified only small instances of the system Nevertheless, they found several errors, ranging from uninitialized variables to subtle logical errors The errors also existed in the complete protocol, although it had been extensively discussed, simulated, and even implemented 8

19 Notable Examples HDLC ˆ A High-level Data Link Controller (HDLC) was being designed at AT&T in Madrid ˆ In 996 researchers at Bell Labs offered to check some properties of the design The design was almost finished, so no errors were expected ˆ Within five hours, six properties were specified and five were verified, using the FormalCheck verifier ˆ The sixth property failed, uncovering a bug that would have reduced throughput or caused lost transmissions ˆ The error was corrected in a few minutes and formally verified 9

20 Notable Examples Analog Circuits In 994, Bosscher, Polak, and Vaandrager won a best-paper award for proving manually the correctness of a control protocol used in Philips stereo components In 995, Ho and Wong-Toi verified an abstraction of this protocol automatically using HyTech Later in 995, Daws and Yovine used Kronos to check automatically all the properties stated and hand proved by Bosscher et al In 996, Bengtsson, et al model checked the entire protocol Two years earlier this was considered out of reach for algorithmic methods 2

21 Notable Examples ISDN/ISUP Š The NewCoRe Project (89-92) was the first full-scale application of formal verification methods in a software project within AT&T Š Formal modeling and automated verification were applied to the development of the CCITT ISDN User Part Procotol Š A team of five verification engineers formalized and analyzed 45 requirements using a special-purpose model checker Š A total of 7,5 lines of SDL source code was verified Š 2 errors were found; about 55% of the original design requirements were logically inconsistent 2

22 Notable Examples Buildings In 995 the Concurrency Workbench was used to analyze an active structural control system to make buildings more resistant to earthquakes The control system sampled the forces applied to the structure and used hydraulic actuators to exert countervailing forces The first model had more than Œ: _Ž states and was not directly analyzable By using semantic minimization it was possible to derive a much smaller model A timing error was discovered that could have caused the controller to worsen, rather than dampen, the vibration experienced during earthquakes 22

23 4 Symbolic Model Checking with BDDs Ken McMillan implemented a version of the CTL model checking algorithm using Binary Decision Diagrams in the fall of 987 Now able to handle much larger concurrent systems some with more than : reachable states!! J R Burch, E M Clarke, K L McMillan, D L Dill, and J Hwang Symbolic model checking: x states and beyond Information and Computation, 98(2):pages 42 7, 992 K L McMillan Symbolic Model Checking Kluwer Academic Publishers,

24 Fixpoint Algorithms EF š EX EF p p 24

25 Fixpoint Algorithms (cont) Key properties of EFœ : EFœ œ ž EX EF œ 2 Ÿ œ ž EX Ÿ implies EFœ Ÿ We write EFœ Lfp Ÿ œ ž EX Ÿ How to compute EF œ : œ ž œ ž Ÿ œ ž Ÿ Ÿ False Ÿ EX Ÿ ŸR EX Ÿ EX 25

26 ªa«EF? p s 26

27 a± ²³ EF? p s µ ¹ EX µ º 27

28 »¼a½ ¾ EF À? p s ÁRÂÄÃ Å Æ EX Á Ç 28

29 ÈÉaÊ ËÌ EF Í? p s Î Ï Ð Ñ Ò EX ÎRÓ 29

30 Ù Ü Ü Ù Ordered Binary Decision Trees and Diagrams Ordered Binary Decision Tree for the two-bit comparator, given by the formula ÔRÕbÖØ ÖÛÚ ÙÜ Ù:Ü ÚÞÝ ß is shown in the figure below: ÕbÖà á âýdã ÕbÖäÚåá ÚæÝ a b b aa aa aa a a b b b b b b b b 2 b 2 2 b 2 2 b 2 2 b 2 3

31 From Binary Decision Trees to Diagrams An Ordered Binary Decision Diagram (OBDD) is an ordered decision tree where ç All isomorphic subtrees are combined, and ç All nodes with isomorphic children are eliminated Given a parameter ordering, OBDD is unique up to isomorphism ç R E Bryant Graph-based algorithms for boolean function manipulation IEEE Transactions on Computers, C-35(8):677 69, 986 3

32 OBDD for Comparator Example If we use the ordering èêé ë ìíé ë èûîåë ìî for the comparator function, we obtain the OBDD below: a b b a 2 b b

33 Variable Ordering Problem The size of an OBDD depends critically on the variable ordering If we use the ordering ïêð ñ ïäòåñ óð ñ óò for the comparator function, we get the OBDD below: a a 2 a 22 b b b b b b

34 Variable Ordering Problem (Cont) ô õ ø þ ÿ õ ø ø ý ÿ ü For an -bit comparator: if we use the ordering öê ùø ú ø ûíûûø ö_ü úxü, the number of vertices will be ýô if we use the ordering öê ùø ûûû number of vertices is ö_ü ú ûûûiø ú:ü, the In general, finding an optimal ordering is known to be NP-complete Moreover, there are boolean functions that have exponential size OBDDs for any variable ordering An example is the middle output (ô circuit to multiply two ô bit integers output) of a combinational 34

35 Logical operations on OBDD s Logical negation: Replace each leaf by its negation Logical conjunction: Use Shannon s expansion as follows, #$ % &!" #" ('*) + #$,'*) + - #" (' + #$,' + to break problem into two subproblems Solve subproblems recursively Always combine isomorphic subtrees and eliminate redundant nodes Hash table stores previously computed subproblems Number of subproblems bounded by ' ('/#',' 35

36 2 Logical operations (cont) Boolean quantification: 3 4 By definition, :9;9<= 3>4 576? 6A@*B CED 6A@ C 6F84 9:9;9<"=!@ C B : replace all 4 nodes by left sub-tree 6F84 9:9;9<"=!@ C : replace all 4 nodes by right sub-tree Using the above operations, we can build up OBDD s for complex boolean functions from simpler ones 36

37 Symbolic Model Checking Algorithm How to represent state-transition graphs with Ordered Binary Decision Diagrams: Assume that system behavior is determined by G variables H"IKJLHNMJPOPO$OQJRHTS boolean state The Transition relation U will be given as a boolean formula in terms of the state variables: U VWHIJPOXOPOYJLHTSZJLH[I JPOPOPOYJRH[ S\ where H"IKJPO$OPOLHTS represents the current state and H [I JPOPO$OQJRH [ S represents the next state Now convert U to a OBDD!! 37

38 Symbolic Model Checking (cont) Representing transition relations symbolically: a a, b Boolean formula for transition relation: ]^ _ `ab_ ^NcT_ adcfeg ]^ _ ab_ ^hct_ acfeg ]^ _ ab_ ^NcT_ `bacfe Now, represent as an OBDD! 38

39 j Symbolic Model Checking (cont) Consider i j EX k Now, introduce state variables and transition relation: iflnm oqp rqm o"sutwv lnm ox o"sfpy m k,lnm o"szp { Compute OBDD for relational product on right side of formula 39

40 ƒ Symbolic Model Checking (cont) How to evaluate fixpoint formulas using OBDDs: Introduce state variables: EF } ~ Lfp } ƒ EX EF } ~ Lfp }Y n ˆ Q "ŠŒ Ž n "Š ˆ n "Š ˆ Now, compute the sequence E n ˆL A n ˆL $ n qˆl P P until convergence Convergence can be detected since the sets of states ( n qˆ represented as OBDDs are 4

41 Future Research Integrate abstraction and compositional reasoning techniques into current verification systems Continue research on the use of symmetry to reason about complex systems Develop methods for verifying parameterized designs Investigate the use of induction with model checking techniques Develop practical tools for reasoning about realtime and hybrid systems Combine model checking techniques with deductive approaches to verification so that control and data can both be handled Develop tool interfaces that are suitable for system designers 4